New U.S. sanctions against Huawei in the escalating U.S. – China trade war have thrown another wrench into the gears of global commerce. But how do these sanctions affect standards organizations and open source development? The high level answer is that the impact will be significant for most standards organizations, and negligible for most open source projects. The major differentiator will be the degree of transparency of the organization in question. The details, and the answer for any given organization, however are much more complicated, and the political landscape remains dynamic and subject to change.
Effective May 16, 2019, the Department of Commerce, Bureau of Industry and Security (“BIS”) added Huawei Technologies Co. Ltd. and 68 of its non-US affiliates (collectively, “Huawei”) to its “Entity List.” BIS then issued a temporary general license (the “Temporary GL”), counteracting part of the impact of the decision just announced and permitting continued engagement with Huawei until August 19, 2019 for four specific purposes set forth in the Temporary GL (described further below).
The significance of being added to the Entity List is that included foreign persons become subject to specific BIS licensing requirements in addition to any other licensing requirements in the Export Administration Regulations (“EAR”). U.S. persons and entities are prohibited from exporting, reexporting and transferring (in country) certain technology goods, services and information to any entity on the Entity List unless the U.S. person or entity first applies for and is granted a specific license from BIS (“BIS License”). The BIS announcement that accompanied the listing of Huawei on the Entity List specified that Huawei is subject to a policy of “presumption of denial” for the issuance of BIS Licenses.
Additionally, on May 15, 2019, the U.S. President issued an Executive Order that relates to information and communication technologies and services (“ICT”), which may also negatively impact interactions with Huawei and certain other foreign companies. The Department of Commerce is required to issue regulations implementing the Executive Order by October 11, 2019.
Taken together, these actions raise significant concerns and questions for U.S.-based standards organizations and some open source projects and foundations. Truly public open source development may have dodged a bullet for the time being.
Organizations and Background
Around the world, the standards development process almost invariably involves the exchange of views, drafts, technical contributions, and other information among a host of international participants, whether conducted through formal standards development organizations or similar membership-oriented consortia and trade groups ( “Organizations”). Through their efforts, most Organizations publish specifications or standards, white papers, and other guidance. Virtually all hold meetings and other events, usually remotely as well as in person, and conduct ongoing development work using collaborative Web platforms. Many also produce software, test tools, test suites, and other materials, and may offer certification services and programs to enable participants to demonstrate compliance.
More often than not, participation in associated development activities, and access to draft work product and related communications, is strictly limited to Organization members only.
By contrast, most discussions relating to open source development occurs on public wikis, and the resulting code and incremental contributions to the code base are posted live to publicly available repositories, such as GitHub and Sourceforge.
The difference is critical, because information that is “Published” (as defined by the EAR) is out of scope for the EAR, and therefore generally (with limited exceptions) can be exported, reexported and transferred without restriction.
What are the EARs?
Through their various provisions, the EAR in effect cover most commercial and some military items, technologies, information and materials, all of which are subject to the BIS Entity List license restrictions. The EAR apply broadly to all “Items,” which are defined as “Commodities,” “Software,” and most importantly for our purposes, “Technology.” In turn, “Technology” includes (among other things), any information necessary to develop, produce, or use other “Items.”
In light of the Entity Listing, essentially all items that are subject to the EAR will require a license for export, reexport or transfer (in country) to Huawei, including (a) all hardware, software and technology that is of U.S. origin or is in the U.S., (b) all non-US origin hardware and software that contains more than 25% controlled U.S. hardware/software by value, and (c) all non-US technology mixed or commingled with U.S. origin technology.
The only Technology-related information that does not require a BIS License to export, re-export or transfer to entities on the Entity List is “Published” information. Under the EAR, information is “Published” “when it has been made available to the public without restrictions upon its further dissemination, such as through any of a number of channels, including by subscription, to libraries, at trade shows, posting at a Web site, and so on.
As a result, information that is considered Published for EAR purposes (other than certain published encryption software that is classified under Export Control Classification Number 5D002, which requires notice to BIS and NSA) can be exported, reexported and transferred, regardless of the EAR or the recent Entity Listing.
Additionally, until August 19, 2019, the Temporary GL allows engagement with Huawei to the extent necessary for the following limited purposes (subject to other provisions of the EAR): (1) continued operation of certain existing networks and equipment; (2) provision of support to certain existing handsets; (3) disclosure of certain cybersecurity research and vulnerability information; and (4) development of 5G standards by a duly recognized standards body. Note that in order to rely on the Temporary GL, the exporter, reexporter, or transferor must create and retain an EAR-compliant “certification statement,” which specifies how they meet the scope of the Temporary GL.
It is unfortunate that the Temporary GL mentions only 5G standard setting, as it leaves open the question of whether other types of standards were not deemed to be a problem, or whether all non-public standards development is covered by the new sanction and only 5G standards development should benefit from the exemption. Unless and until the language is clarified, the only thing that can be said with assurance is the 5G standards development is temporarily exempt at the named standards organizations and other “duly recognized” organizations.
The problem for Organizations in which Huawei is involved is that virtually all of the development work occurs in member-only settings prior to the results being “Published.”
So what is an Organization to do?
Among other things, despite some differing views, this suggests that without first securing a BIS License, an Organization should consult with appropriately experienced legal counsel before undertaking any activities involving Huawei. With that broad caveat, the following list of Dos and Don’ts represents some high level guardrails to help guide interactions with Huawei, other entities on the Entity List, and their respective employees and representatives.
1. Do engage in discussions about publicly available information, such as:
- information on the Organization’s public website
- information in the Organization’s published marketing brochures
- other information the Organization has published about its products
- pricing and availability of the Organization’s products, services and membership
2. Do continue to provide access to Published and/or purely non-Technology-related information
3. Do permit Organizational membership to the extent doing so does not involve the provision of information or materials that would require a BIS License.
4. Do permit participation in the open source development process, to the extent that (a) discussion among open source developers is limited to public forums (rather than verbal or otherwise private exchanges), (b) all code contributions are uploaded by their authors to publicly visible, publicly accessible, publicly available repositories, and (c) no other export restrictions apply (such as restrictions on defense articles subject to the ITAR or nuclear technology export controls, and restrictions applicable to 5D002 software).
5. Do permit participation in the Organization’s certification programs for purposes of having their products or services certified. Note, however, that in the process, the Organization must not provide hardware, proprietary software, non-Published information or materials, or other items that otherwise cannot be provided without a BIS License.
6. Do listen (without further discussion) regarding anything they would like to talk about, including technical requirements for products and technology.
7. While the Temporary GL is in place (and consistent with its terms), continue engagement to the extent permitted for the development of 5G standards and other activities as specified in the Temporary GL (after creating an appropriate certification statement).
1. Don’t engage in discussions or provide answers regarding:
- the Organization’s technology or other U.S. technology
- how to accomplish technical requirements for products or services
- questions regarding the Organization’s technology or other U.S.-origin technology
2. Don’t provide any of the following:
- Access to or participation in members’ only or other non-public activities or discussions involving Organization or other U.S. technology, or access to associated meeting minutes, even if the work product is intended to later be made publicly available (e.g., by posting to an open source software repository).
- Access to any draft or other technical or development work product (other than Published materials accessible to anyone without restriction that may be interested)
- Printed information about the Organization’s technology or other U.S. technology (other than Published information accessible to anyone without restriction that may be interested)
- Access to Organization or other U.S. hardware, test tools, software, configurations or test suites
- As noted earlier, interested Organizations may apply for a BIS License, and to the extent granted, the activities covered under the BIS License would be permitted to proceed.
Note: The rules discussed above are very technical and their applicability in any give case is highly fact specific, Moreover, the political and enforcement landscape is changing rapidly. For all these reasons, any entity that believes it may be impacted by the above sanctions and related rules should consult with, and rely upon, the advice of legal counsel rather than this blog post.