Commerce Department Will Restrict Computer Access to Foreigners?

If my reading is correct, the proposed rule changes by the Bureau of Industry and Security (BIS) in the Department of Commerce that were posted in the March 28 Federal Register contain changes that appear to be designed to prevent many foreigners in the US, specifically including foreign students, from having access to more than very basic computing power. I have written a quick analysis.

Which countries are involved?

There are four tiers of countries with respect to export controls. Tier 1 includes Canada, Mexico and most U.S. allies, and has virtually no restrictions. Tier 2 includes most of South America, Poland, much of Asia, Hungary, the Czech Republic, Slovenia, South Africa and South Korea. This is restricted, but the restrictions are so loose that you have to be working on a specialized multi-million dollar cluster to be affected.

People from countries in Tier 3 and Tier 4 are the ones that are going to be most affected. Tier 3 states include Russia, China, India, Pakistan, Israel, Vietnam and most Middle East, Maghreb, former-Soviet Union and non-NATO Central European states. Computing power available to Tier 3 countries is restricted to 190,000 MTOPS (Million Theoretical Operations per Second, a measure of the government-defined Composite Theoretical Performance, or CTP). Tier 4 countries include Cuba, Iran, Iraq, Libya, Sudan and Syria, and export of any computing power whatsoever is forbidden. As I understand it, if you ship an X-Box to Libya, you go to jail. Under the proposed rules, if you allow an Iraqi in the US to play an X-Box, you go to jail.

Update: the list of which countries are in which tiers is at http://www.bxa.doc.gov/HPCs/ctpchart.htm.

Who is affected?

The changes in wording in this area are slight, but very significant. Most notably, citizenship or permanent residency in a Tier 1 country will no longer matter if the birth country was in a lower tier:

Quoting the Federal Register:
Current BIS deemed export license requirements are based on a foreign national's most recent citizenship or permanent residency. The OIG expressed concern that this policy allows foreign nationals originally from countries of concern to obtain access to controlled dual-use technology without scrutiny if they maintain current citizenship or permanent resident status in a country to which the export of the technology would not require a license. For example, transfer of technology to an Iranian who has established permanent residency or citizenship in Canada would be treated, for export licensing purposes under the existing guidelines, as a deemed export to a Canadian foreign national. This policy is described in the deemed export guidance provided on the BIS Web site at: http://www.bis.doc.gov/DeemedExports/DeemedExportsFAQs.html.

The OIG recommended that BIS amend its policy to require U.S. organizations to apply for a deemed export license for employees or visitors who are foreign nationals and have access to dual-use controlled technology if they were born in a country where the technology transfer in question would require an export license, regardless of their most recent citizenship or permanent residency.

Also, restrictions on "use" currently define use as:

Quoting section 772.1 of the EAR:
Operation, installation (including on-site installation), maintenance (checking), repair, overhaul, and refurbishing.

Basically, a foreign national would have to own, administer, and maintain the machine personally for it to apply. That is being changed to:

Quoting the proposed revision:
"Use". (All categories and General Technology Note)--Means all aspects of "use," such as: operation, installation (including on-site installation) maintenance (checking), repair, overhaul, or refurbishing.

This catches anyone who does any work at all on a machine, hardware or software, even if you don't even have a login of your own. If you allow someone from a Tier 4 country to check e-mail from your cluster-accessible account, this makes you guilty. If you allow that same person even without an account to replace a fan or a hard drive on a machine in a cluster, this makes you guilty.

The previous wording about academic research also implied that it was okay to allow someone from a lower-tier country to work with larger amounts of computing power if they were involved with pure research, though that appears to have been unintentional:

Quoting the Federal Register:
Question D(1), which falls under the "research, correspondence, and informal scientific exchanges" category, discusses whether a license would be required for a foreign graduate student to "work" in a laboratory. The answer provided in the supplement states, "not if the research on which the foreign student is working qualifies as `fundamental research' * * *" However, because allowing scientists, engineers, or students to work in a laboratory may necessitate their "use" of equipment, the OIG stated that this answer may lead a potential license applicant to assume that "use" of equipment is covered under the fundamental research exemption.

This is being clarified to show that being involved in academic research does not grant an exception:

Quoting the Federal Register:
In its comments on the OIG report, BIS agreed that the answer to question D(1) requires clarification. BIS proposes to revise the answer for D(1) to qualify the statement that no license is required, by stating that, whereas no license is required for the transfer of technology to conduct "fundamental research," a license may be required if, in conducting fundamental research, the foreign graduate student needs access to technology to "use" equipment if the export of the equipment to the student would require a license under the EAR.

What machines qualify? How much is 190,000 MTOPS?

Currently available PC processors will range from about 4,000 to almost 14,000 MTOPS each, depending on speed and model. Intel has published CTP values for all of their processors (though they are somewhat confusing, as different numbers are sometimes published twice for what appears to be the same processor), and AMD has published CTP values for their Opteron line for reference. (As an odd aside, these numbers may have only a vague real-world relationship to actual performance, but it's the way the government wanted them calculated.)

Assuming the Intel value of over 10,000 MTOPS for a single 2.8 GHz processor (the slowest you can currently order in a Dell server) is correct, you only need 10 dual-processor systems in a cluster to hit the limit. That's not very much. A 1.5 GHz machine from yesteryear still pulls in 4,000 MTOPS; 50 low-power machines put you over the limit.

This is particularly problematic if you have a large number of systems with a single authentication source, so that one account can log into all of them simultaneously. If that is the case, and particularly if the machines will accept network-based batch job submissions (as practically all UNIX-based systems will), you are then effectively running a cluster with the cumulative CTP of every machine on the network. (In ideal cases, this actually does equate to that much computing power, though for most applications your performance will be limited by I/O issues.)

Conclusion:

The net result of this is that under the proposed changes, it may be illegal for universities to provide computer accounts to students from Tier 3 and Tier 4 countries, at least until someone comes up with a mechanism to prevent them from logging into more than one machine at once (a rather difficult task with most operating systems). This isn't yet carved in stone, however; the BIS is soliciting comments until May 27.

To submit comments, you can use one of the following methods:

  1. Submit comments online by following the comments link at the regulations.gov web page for BIS proposals
  2. Send e-mail to:

    with a subject line including "RIN 0694-AD29"

  3. Send a fax to (202) 482-3355
  4. Mail or Hand Delivery/Courier: U.S. Department of Commerce, Bureau of Industry and Security, Regulatory Policy Division, 14th & Pennsylvania Avenue, NW., Room 2705, Washington, DC 20230, ATTN: RIN 0694-AD29.

Credit goes to Nicholas Weaver, via Educated Guesswork, for writing about this originally and bringing it to my attention.

What I wrote to the BIS

Quoting myself, Regulations.gov #: EREG - 48:
I am the head system administrator for the Department of Mathematics at LSU, and I am gravely worried by these changes. Most universities have UNIX-based labs with authentication based on a single login, and due to the ability of each machine to receive batch jobs remotely, these labs constitute a de-facto computing cluster. Most operating systems do not have the ability to prevent a user from logging into multiple machines at once, which is what would be necessary to prevent their use as a supercomputing cluster. While this doesn't so much affect anyone from a Tier 2 country, the limits on Tier 3 countries (and obviously Tier 4) are so restrictive that having 20 cheap PCs from Dell (as common Pentium 4 processors are now producing more than 10k MTOPS) in such a lab will mean that universities will be unable to provide accounts (or jobs administering or performing simple maintenance on these machines) to students who were born in Tier 3 or Tier 4 countries -- even if they are now US citizens!

This change in regulation may very well have the net effect of forcing universities to no longer accept students from Tier 3 and Tier 4 countries at all, as access to computing labs has now become a requirement for many courses. I think this will be bad for the United States, and bad for the scientific community in general.

I also believe that this will have little to no effect on securing technology. Anyone capable of turning the computational results from 20 desktop computers into a weapon will also likely have the resources to export that many high-end laptops (or even desktops), simply by leaving the country with them one at a time. I should also note that Intel has manufacturing plants in Israel itself, a Tier-3 country, and thus making university computers unavailable to Israeli students or professors is a futile and wasteful gesture at best.

Cheap clustering technology has made this regulation obsolete; the computers are already available worldwide. I respectfully suggest that rather than attempting to enforce strict rules about usage within the United States that harm those within the United States much more than they harm the enemies of the United States, that you look instead into finding ways for us to better benefit from the full use of our own technology.

Any update on the status of the proposed BIS EAR changes?

I'm unable to find any further information on the proposed changes you describe, and the Federal Register article is gone. Heard anything new?

- Gregg TeHennepe

Nothing new

I did hear of a presentation at UTexas that said the government was planning to start audits, but I haven't been able to confirm that anywhere else.
