So, let’s imagine that your office is in Denver and on August 2 you sent an email to a supplier, also in Denver, with proprietary technical drawings of an export-controlled part. Your supplier has signed an NDA and has also certified that all of its employees are U.S. citizens or permanent residents. You haven’t exported that drawing, right? Or have you?
Consider this interesting bit of information:
For a brief time on Aug. 2, data traffic between two [internet service] providers in Denver didn’t just flow across town as it normally would. Instead the bits went to Iceland first, with stops in London, Montreal, New York, Dallas and Kansas City along the way.
Oh dear. That’s a problem. And it wasn’t something that just happened on one day in Denver.
The attack … targeted large Internet carriers in every major city in the U.S. and numerous major cities in Europe and around the world. …
The first incident took place during most of the month of February, when Internet traffic was silently redirected through an Internet service provider called GlobalOneBel, based in the Belarusian capital, Minsk. The targets of these attacks included financial institutions, government agencies and network service providers.
But that wasn’t the end of it.
These attacks occurred throughout February and into March. Then they stopped for awhile.
The attacks resumed in May, and almost right away the choke point switched from Belarus to Iceland. … Then they stopped again — until July. This time, the venue was again in Iceland. Beginning on July 31, traffic from a large VOIP company — Renesys wouldn’t name it — was diverted through an Internet service provider called Opin Kerfi [in Iceland].
As I’ve pointed out before, both BIS and DDTC have taken the position that any transmission of technical data outside the United States, even for a trillionth of a nanosecond** or less, is an export of the technical data. This, they say, is true even if no one in the foreign country actually sees or intercepts the message. And, even more astoundingly, this is true even if the message is encrypted and would be unintelligible to anyone but the intended domestic recipient. And although the fact that you didn’t intend the email to leave the country is only a defense to criminal charges, that is cold comfort when the civil fines, which don’t require showing intent, are $250,000 per violation.
So you’d better stop emailing technical data and send it by regular mail or bike messenger (as long as the bike messenger is a U.S. citizen or permanent resident, of course). Pneumatic tubes are another possible option for delivery.
All that being said, and given that the Luddite solution of forsaking the Internet may not be terribly practical, this is another reason to encrypt technical data that you are sending by email even if the recipient is a U.S. person firmly planted on U.S. soil. No, the encryption isn’t a defense to the violation, but it is at least a mitigating factor. Remember, as I posted last May, that the U.S. military thinks it can put ITAR-controlled technical data on a Chinese satellite if it’s encrypted; so if you don’t have anything else to say in your defense when an email with export controlled data accidentally wanders through Lithuania, you will at least have that. And maybe one day in the distant future, BIS and DDTC will admit that the Internet exists and that encryption works.
** For less technical readers, a trillionth of a nanosecond is approximately the time between when a red light changes to green and the cab driver behind you honks his horn.