Cloud Computing


Cloud Computing – it’s all the rage! Seems like almost everyone is using it. This and digital data storage on remote servers are services that are being promoted as ways to reduce costs as well as to leverage computational capabilities and to facilitate digital data sharing. Generally speaking, cloud computing refers to the use and access of multiple server-based computational resources via a digital network such as the internet. Remote storage refers to services limited to storage and backup of digital data on a third-party server. A third-party server is something that is owned and maintained by someone other than UM.

While cloud computing and remote digital data storage offer the obvious advantages of reducing computational and storage space burdens on local machines and networks, they create the same export control issues as fax, emails, text, and instant messaging. The “deemed export rule” does apply when utilizing cloud computing and remote digital data storage services.

U.S. export control regulations define an “export” to include both a physical shipment of a tangible item out of the U.S. and the “transmission” of export controlled information and software by electronic means. Sending export controlled information to a foreign national, either in or outside of United States territory, whether by fax, email, text, or instant message, is an export. Similarly, using cloud computing servers or storing digital data on a third-party server which is located in a foreign country is an export. If the information exported is controlled, the exporter (the person who transmitted the data) could face civil and/or criminal prosecution.

Don’t forget contractual obligations. In addition to the requirement to comply with U.S. export regulations, externally funded research and sponsored projects may contain contractual restrictions on the release of information that could include a prohibition on the use of cloud computing services or third-party digital data storage. Failure to comply with contractual restrictions could result in a breach of contract and, if the contract is federally funded, possible civil or criminal penalties may be applied.

In 2009 and 2011, the Bureau of Industry and Security (BIS) issued an Advisory Opinion (AO) on the topic of cloud computing and deemed exports. In both reports, the AO put the onus of a potential deemed export on the user of the cloud service. Thus, it is the responsibility of the user to ensure that the technology or technical data stored is not accessible by foreign persons (such as the cloud provider’s foreign IT administrators). In short, the user is completely responsible and can be solely liable for any violation of U.S. export laws. Remember that no contractual arrangement with a cloud provider, no matter how carefully drafted, will shift the burden of export compliance to the provider.

What Do You Need To Do?

  • Understand ALL the terms of the agreement you and your project are subject to. If you do not understand these terms, contact the project PI or department administrator. The General Counsel’s office will also be able to explain legalese in simple terms.

  • Do not store technology or technical data that is export controlled, or considered proprietary or confidential, outside UM servers. If the data is not public knowledge, do not use cloud computing or remote storage services.

  • Increase the security of your data by adding passwords or encryption to access. Doing this does not mean that it is okay to use cloud computing or remote storage services for your export controlled, confidential or proprietary technology or files.

  • Before entering into an agreement with a cloud provider, first check with the University Information Technology department to see what resources are already available.

  • If no other University resources are available to meet your needs, before entering into an agreement with the service provider, ask the following:
    • Where are the servers and routers located? (Get at minimum city, state, country)

    • Ask the provider to highlight in the agreement the measures they have in place to prevent unauthorized foreign nationals from accessing controlled technology and software wherever located.

Questions & Answers*

  • I am traveling internationally, but I am a U.S. Permanent Resident. Is accessing my files from the digital storage server which is located in the U.S. still considered an export? Yes. It does not matter that the files are in your account. You are still located in another country and thus you have ‘exported’ the files you access to another country.

  • What if I am a national of India and the servers are located in India? When I travel to India, would it still be considered an export? Probably so, since the files were created while you were in the United States and your account is associated with the University of Miami, which is in the United States. Further clarification would need to be addressed with the proper Government agency.

  • How am I to share data with my colleague who is in another country if I cannot use these services because the information is too sensitive? If the information is not public knowledge then you should not be using these services at all for your project. Before sharing the information or technology, make sure there are no export restrictions tied to it. Review the terms of the contract / award / grant and then contact the University’s Director, Export Control Compliance for assistance.

  • The agreement with the remote storage service provider stated that my files will be protected. What do I do if their system is compromised and my sensitive information is stolen? As stated earlier, if it is not public knowledge do not use servers that are not owned and maintained by UM. You must read the terms of the agreement carefully. What the provider has probably stated in the agreement is that they have a process in place should the system be compromised. Yet, their marketing scheme states that your files will be protected. What you agree to and what they advertise are two different things. No system is 100% secure – even Fort Knox has had a breach in security. (Reference Reuters article from 9/12/2012 Breach of Security at Fort Knox of Uranium Sets Off Alarms.) This is why it is being stressed that nothing other than what is already considered public knowledge be stored or shared by these online services.

  • The University’s IT Department will not expand our server capacity or give us more room on our shared drives. What are we supposed to do? Many shared drives have a large number of old files on them that are no longer needed. However, some of these files may also need to be retained for record-keeping purposes. Transfer these files onto a department external drive that is kept secure in your department’s repository. Making this a part of your department’s annual process will ensure that unused files are not taking up storage space that is needed for current activities. In most cases, this resolves the shared drive space issue. Otherwise, the head of your department needs to pursue this issue with the administrators who have the authority to make the changes in order to meet your departmental needs.

* These are hypothetical questions and should not be considered absolute answers or legal advice. Each situation should be discussed individually with the appropriate representatives. This section is only meant to provide some additional guidance.