Cloud computing, the now nearly ubiquitous use of computing power, software and information storage provided by networks of computers, introduces new problems for companies trying to comply with export regulations. Cloud service providers are not always willing to reveal the locations of the computers that make up their clouds, and often cannot even identify the specific computers that are serving a particular client. And providers often outsource the maintenance of their clouds to foreign nationals, who may have access to cloud users' data.
The Bureau of Industry and Security at the Commerce Department recently issued two advisory opinions (found here and here) that help to clarify the application of export regulations to cloud computing, but they leave many questions unanswered. For instance, providing cloud computing services is not considered an export, but transmitting the software or technology that enables cloud computing is subject to the Export Administration Act regulations. Users subject to U.S. jurisdiction who, even inadvertently, provide their software or technology by uploading it to a cloud that foreign nationals can access are subject to export regulations. In addition, it appears that users, not just cloud service providers, are responsible for securing data through access restrictions. Even if no foreign person actually receives the data in question, cloud users can be subject to penalties for failing to take measures to prevent such access.
What can be done to address the problems posed by cloud computing and information outsourcing generally? Providers of computing services can offer clouds with special access restrictions to meet the needs of users that store regulated information. Users may weigh the export control issues and decide to keep certain types of information out of the clouds altogether. The bottom line is that companies need to assess export control issues and incorporate export controls into their information security compliance programs.