Among the many new security restrictions that have surfaced in recent years, one area that universities and educational institutions need to pay close attention to is U.S. laws that limit whether foreign nationals working or studying at U.S. universities may be exposed to secret or sophisticated technology, otherwise referred to as "deemed exports." Foreign nationals are identified essentially as all persons who are not U.S. citizens or permanent residents. This includes visiting scholars and foreign students.
This issue first became a concern for Americans back in the '50s when attention focused on a talented foreign student who had studied aerospace engineering and mathematics at the Massachusetts Institute of Technology and the California Institute of Technology. That student, Qian Xuesen, later became the "father" of China's nuclear weapons program. The U.S. government has since recognized that little difference exists between exposing a foreign engineer, or even an intern, to sensitive technical data and putting that data directly in the hands of foreign governments. U.S. laws have increased regulations regarding "deemed exports" and relevant agencies are now beginning to implement large fines and criminal penalties and cause companies and universities public embarrassment.
Some experts in this area estimate that federal agents will make between 40 and 60 visits to research universities in coming months to investigate deemed exports. Last year, a Department of Defense study concluded that the Department of Commerce's Bureau of Industry and Security (BIS) does not have "adequate processes to identify unclassified export-controlled technology and to prevent unauthorized disclosure to foreign nationals." The study said that at least two government contractors and a university granted foreign nationals access to unclassified export-controlled technology without an export license or other authorized approval or exemption.
The two federal agencies that administer most of the regulations by which deemed exports are controlled are BIS and the Department of State's Office of Defense Trade Controls (ODTC). Unfortunately, having two different agencies oversee this one area causes a significant amount of confusion and makes the regulations difficult to understand, duplicative, and unnecessarily burdensome.
In a nutshell, the BIS propagates and administers the Export Administration Regulations (EAR) which cover "dual-use exports." These are exports that have both commercial and military or strategic uses as well as exports with wholly civil uses. EAR's definition of the term "export" includes not only tangible goods, but also any "release" of information that could lead to production of nonexportable goods in foreign countries, even if no goods or services are exchanged. A "release" of controlled technology to a foreign national who is not a permanent U.S. resident is thus "deemed" an export. For this reason, American universities and colleges that employ foreign workers or admit foreign students to work on technology research must be conscious of the laws concerning deemed exports.
These regulations apply to foreign nationals working for American companies and universities both abroad and within the U.S. These so-called "deemed export" laws are specifically aimed at foreign nationals, and the knowledge and technological skills they may acquire while working and going to school in the United States. The concern is that this knowledge may go back to a foreign national's country of origin and may eventually be used against the U.S. by an aggressive country. At least one university has been investigated during the past year for exposing foreign nationals to unclassified export-controlled technology without a proper license. The most restricted destinations are embargoed countries and those countries designated as supporting terrorist activities, including Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. However, many other nations of concern, including China and Russia, are also significantly restricted.
Universities that conduct research under contract for private corporations or under U.S. government sponsorship must be very familiar with deemed export requirements. Some of the nation's top research universities, including MIT, Carnegie Mellon (Pa.) and the University of Chicago, are taking steps to properly educate employees and faculty in order to comply with regulations.
If there are no conditions placed on the research and the organization conducting the research intends to publish its findings in scientific literature, that is considered "fundamental research" by the BIS and no license is required. However, if research is considered proprietary, a license will likely be required. This applies to both corporate- and government-sponsored research.
A few areas are basically unaffected by EAR. Among these are any item that is "media," defined as the content of books, recordings, globes, newspapers, and the like. In a related exception, EAR does not reach "publicly available technology and software ... that are already published or will be published," that are the result of fundamental research, or that "are educational" or contained in certain patent applications.
For published material to be exempt from EAR, it must be "generally accessible to the interested public in any form." Publication may be in the medium "available for general distribution to any member of the public or to a community of persons interested in the subject matter, such as those in a scientific or engineering discipline, either free or at a price that does not exceed the cost of reproduction and distribution." The other exempted category of fundamental research is "basic and applied research in science and engineering, where the resulting information is ordinarily published and shared broadly within the scientific community." Fundamental research differs from proprietary research and industrial development because the resulting information is "ordinarily published," whereas the results of proprietary research and industrial development are ordinarily restricted for competitive or national security reasons. Corporate research is thus "fundamental" to the extent that researchers are allowed to publish it without restrictions or delay based on proprietary or security reasons. In addition to fundamental research, technology commonly taught in a university classroom setting need not be licensed, even if some students are from countries to whom domestic exporters are forbidden from selling goods.
In addition to the regulations under BIS, the ODTC also controls exports that could provide sensitive technology to hostile countries through its International Traffic in Arms Regulations (ITAR). These regulations apply only to defense articles on the U.S. Munitions List and to defense services. These regulations are stricter than EAR because exemptions are more limited. Every individual deemed export under the purview of the ITAR requires a license.
Both sets of regulations are functionally identical in their definition of the deemed export of non-proprietary information. ITAR's definition of exports includes the oral or visual disclosure or transfer of "technical data," which includes the training of foreigners in the design and development of defense articles. If an item is on the munitions list, any information required for its design, manufacture, or modification, such as blueprints, photographs, or documentation, may not be transferred without an export license. Like the EAR, information concerning general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities or information in the public domain is not included in ITAR.
Universities and other organizations that engage foreign nationals to work in various technological fields must also be aware of the penalties associated with violating these regulations. Organizations caught violating the EAR and ITAR now face fines of up to $10,000 for the unlicensed exporting of technology. Violations involving national security controls may also result in civil penalties of up to $1 million per offense and the denial of export privileges, plus criminal penalties of up to five years in prison. Other penalties include potential debarment from federal contracts and grants--as well as severe damage to the university's reputation. Improved technology used by the Department of Homeland Security and enforcement agencies such as the FBI and State Department allow them to more readily identify organizations' failures to obtain the requisite export control licenses.
In addition to the ITAR and EAR which theoretically cover any technology with military or strategic value, contract law also protects sensitive technology. If a government agency contracts with a university to conduct research for the military, the contract will require secrecy from certain countries' nationals. Breaching these terms could subject a university to damages, and perhaps more devastatingly, prevent it from securing future contracts.
To ensure conformity with these requirements, academic institutions should educate employees about the regulations as part of the implementation of a formal compliance program. Foreign nationals must be informed about U.S. export controls that restrict their access to certain technical data. This information should include which types of technical data require specific authorization and which are available to all employees. Foreign national employees should be informed that any violation could result in penalties for both the organization as well as the employee for causing, aiding, or abetting a violation. Also, foreign national employees should be warned that any unauthorized access to restricted technical data would be grounds for immediate termination of employment.
It's also a good idea to conduct random audits and spot checks on the work areas and local storage media of affected foreign national employees to determine whether any unauthorized data has been copied, viewed, or sent. Of course, these audits must also take into consideration such issues as workplace privacy and discrimination, so consult legal professionals for guidance. Periodic refresher courses should be given to all employees who come in contact with restricted data in order to ensure full understanding of the access restrictions and to uncover and report any unauthorized disclosures.
Bruce J. Casino is an attorney in the Washington, D.C., office of the law firm of Baker & Hostetler, LLP, practicing in the areas of white collar crime, export control, not-for-profit organizations, and business litigation. He is also an adjunct professor at the George Washington University Law School. He can be reached at firstname.lastname@example.org or (202) 861-1640.