Handling export controls within a cloud-based infrastructure

David Cartwright Advice
17 Nov, 2011

Does cloud complicate things when it comes to negotiating export controls? There are some rules to bear in mind.

If you're a manufacturing organisation with a healthy export business, you'll already be familiar with the fact that there are rules and regulations that govern where you can send the things you make.

It's not just products that are governed by export laws, though: data is equally relevant in today's export control regulations. The US government in particular has recently started to care more and more about the concept of controlled data being exported from the country – which matters if you're a cloud provider or user with data hosted in the US.

What types of data are controlled?
It's generally obvious which of your data might have some restriction on access. If you're in the defence or aerospace industry, for instance, the chances are that most of what you do is controlled – after all, the government won't want sensitive designs to be sent to countries that are deemed unfriendly. Be careful, though: data doesn't necessarily have to be blatantly sensitive to be controlled – for instance, encryption algorithms are considered sensitive and so you need to be cautious how you deal with them. On the other hand, of course, if data is in the public domain then there's no need to worry: so while a proprietary design might be controlled, as soon as it's patented it'll be in the public domain and is thus freely exportable.

There are ten categories in the US government's Commerce Control List. Many relate primarily to physical things (category 0 concerns nuclear materials, for instance) but categories 4 and 5 are more abstract – computers and telecoms/information security systems. Within the various categories are five product groups; again the most interesting (and abstract) are software and technology. Since the concept of “technology” encompasses ideas and designs, this means that when moving the contents of your computer systems around you need to concern yourself with both the software and the data it processes.

What constitutes an export?
Exports can be blatant or subtle, so we'll start with the obvious one. If you pick up a disk containing controlled data and take it out of the country, that's an obvious export. The same applies if you copy data from a server to your laptop or PDA and then take it out of the country – that's pretty obviously an export too.

But what if you're outside the country when you access the data? Say, for instance, your servers reside in the US and your system management team is in London, or Delhi, or Paris: if you connect remotely from one of these locations into your US-based servers and read sensitive information, you've just exported it, even though the original data hasn't moved an inch. Reading the data outside its country of origin is as much an export as picking up the storage array and putting it on a flight.