Cloud Computing – it’s all the rage! Seems like almost everyone is using it. This and digital data storage on remote servers are services that are being promoted as ways to reduce costs as well as to leverage computational capabilities and to facilitate digital data sharing. Generally speaking, cloud computing refers to the use and access of multiple server-based computational resources via a digital network such as the internet. Remote storage refers to services limited to storage and backup of digital data on a third-party server. A third-party server is something that is owned and maintained by someone other than UM.
Traditionally, Department of Commerce’s Bureau of Industry and Security (BIS) had advised the transmission and storage (outside of the U.S.) of technology or software controlled under the EAR constitutes an export or re-export. Therefore, such transmission or storage could potentially trigger a licensing requirement. Due to the Export Control Reform initiatives and the ever-changing industry of “cloud computing and security”, the United States Government instituted changes for transmission of controlled data for institutions, private and government sectors.
On September 1, 2016, new rules adopted by the Department of Commerce’s Bureau of Industry and Security (BIS) that amended the Export Administration Regulations (EAR) that are now in effect. The EAR regulations updated treatment of electronically transmitted and stored technology and software. The most significant change under the new rules is the decontrol of sending, taking, and storing of certain encrypted technology or software. Under the new rule, sending, taking, or storing this type of technology or software will not constitute an export if the technology or software is:
- Secured using “end-to-end encryption”.
- Secured using cryptographic modules (hardware or software) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means.
- Not intentionally stored in a military-embargoed country (Country Group D:5, per 15 CFR Supplement No. 1 to Part 740) or in the Russian Federation. Note: data in transit via the Internet is not deemed to be stored. (Currently Russia and the “Group D:5” countries Afghanistan, Belarus, Burma (Myanmar), Central African Republic, China, Congo, Cote d’Ivoire, Cuba, Cyprus, Eritrea, Haiti, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam and Zimbabwe.)
- The technology or software will not be in unencrypted form while between the originator and recipient or these parties’ respective “in-country security boundaries”.
- The means of decryption will not be provided to a third party.
Furthermore, the final rule of 2016, includes language which states that “access information,” such as decryption keys, passwords, or other information that allows access to encrypted data sent, taken, or stored under this provision, is subject to the same export control requirements that apply if the data were not encrypted. The EAR also contain an important limitation that releasing decryption keys or other access information that will permit a foreign person access to technology or technical data will constitute an export and be subject to the export control restrictions applicable to the foreign country in question. In addition to maintaining the requisite level of encryption, the university will need to establish ongoing data security practices to take advantage of this provision.
Such revisions make feasible a wider variety of cloud computing and cloud storage solutions, and significantly simplify associated compliance with export controls, relative to EAR controlled technology and software. However, the EAR also contain an important limitation that releasing decryption keys or other access information that will permit a foreign person access to technology or technical data will constitute an export and be subject to the export control restrictions applicable to the foreign country in question.
In addition to maintaining the requisite level of encryption, institutions will need to establish ongoing data security practices to take advantage of this provision. It is important to keep in mind that these changes do not apply to ITAR controlled technical data, with respect to which restrictions on the use of the cloud have not changed. ITAR data may not be placed on shared infrastructure managed by non-US-Persons or alongside other organizations who do not have a license to export as defined in 22 CFR 120.17 and 22 CRF 120.13.
Don’t forget contractual obligations. In addition to the requirement to comply with U.S. export regulations, externally funded research and sponsored projects may contain contractual restrictions on the release of information that could include prohibition on the use of cloud computing services or third-party digital data storage. Failure to comply with contractual restrictions could result in a breach of contract and if the contract is federally funded, possible civil or criminal and penalties may be applied.
- Understand ALL the terms of the agreement you and your project are subject to. If you do not understand these terms, contact the project PI or department administrator. The General Counsel’s office will also be able to explain legalese in simple terms as well.
- Do not store technology or technical data that is export controlled, or considered proprietary or confidential, outside UM servers. If the data is not public knowledge, do not use cloud computing or remote storage services.
- Increase the security of your data by adding passwords or encryption to access. Doing this does not mean that it is okay to use cloud computing or remote storage services for your export controlled, confidential or proprietary technology or files.
- Before entering into agreement with a cloud provider, first check with the University Information Technology department to see what resources are already available.
- If no other University resources are available to meet your needs, before entering into an agreement with the service provider, ask the following:
- Where are the servers and routers located? (Get at minimum city, state, country)
- Ask the provider to highlight in the agreement the measures they have in place to prevent unauthorized foreign nationals from accessing controlled technology and software wherever located.
- I am traveling internationally, but I am a U.S. Permanent Resident, is accessing my files from the digital storage server which is located in the U.S. still considered an export? Yes. It does not matter that the files are in your account. You are still located in another country and thus you have ‘exported’ the files you access to another country.
- What if I am a national of India and the servers are located in India, when I travel to India would it still be considered an export? Probably so, since the files were created while you were in the United States and your account is associated with the University of Miami which is in the United States. Further clarification would need to be addressed with the proper Government agency.
- How am I to share data with my colleague who is in another country if I cannot use these services because the information is too sensitive? If the information is not public knowledge then you should not be using these services at all for your project. Before sharing the information or technology, make sure there are no export restrictions tied to it. Review the terms of the contract / award / grant and then contact the University’s Director, Export Control Compliance for assistance.
- The agreement with the service provider on the remote storage provider stated that my files will be protected. What do I do if their system is compromised and my sensitive information is stolen? As stated earlier, if it is not public knowledge do not use servers that are not owned and maintained by UM. You must read the terms of the agreement carefully. What the provider has probably stated in the agreement is they have a process in place should the system be compromised. Yet, their marketing scheme states that your files will be protected. What you agree to and what they advertise are two different things. No system is 100% secure – even Fort Knox has had a breach in security. (Reference Reuters article from 9/12/2012 Breach of Security at Fort Knox of Uranium Sets Off Alarms.) This is why it is being stressed that nothing other than what is already considered public knowledge be stored or shared by these online services.
- The University’s IT Department will not expand our server capacity or give us more room on our shared drives, what are we supposed to do? Many shared drives have a large amount of old files on them that are no longer needed. However, some of these files may also need to be retained for record-keeping purposes. Transfer these files onto a department external drive that is kept secure in your department’s repository. Making this a part of your department’s annual process will ensure that unused files are not taking up storage space that is needed for current activities. In most cases, this resolves the shared drive space issue. Otherwise, the head of your department needs to pursue this issue with the administrators who have the authority to make the changes in order to meet your departmental needs.
* These are hypothetical questions and should not be considered absolute answers or legal advice. Each and every situation should be consulted individually with the appropriate representatives. This section is only meant to provide some additional guidance.