BIS, DDTC Propose Expanded US Persons Controls, Defense Services Restrictions

The agencies are proposing to add new restrictions on U.S. persons’ support for foreign military intelligence and foreign security end users, revise the export licensing scope of certain defense-related services, and make other changes to both the Directorate of Defense Trade Controls’ U.S. Munitions List and the Bureau of Industry and Security's Commerce Control list, including a new control for exports of artificial intelligence-powered facial recognition technology.

The changes, outlined in more than 80 pages of proposed rules released July 25, were partly needed to implement a provision in the FY 2023 defense spending bill designed to limit exports of U.S. items and expertise to foreign intelligence units (see 2212210032 and 2403270063). BIS published two rules to propose those changes in the Export Administration Regulations, and DDTC published its own “complementary” set of proposed revisions to the International Traffic in Arms Regulations.

Public comments are due Sept. 27.

Foreign-Security End User Restrictions and Crime Controls

One set of BIS proposed changes would create a “foreign-security end user” license requirement, expand existing restrictions to cover certain activities of U.S. persons in connection with those foreign-security end users, create a process for BIS to add entities that are "foreign-security end users" to the Entity List, and place new unilateral export controls on facial recognition systems specially designed for mass surveillance and crowd scanning.

The proposed license requirement for foreign-security end users would apply to certain exports, reexports, and in-country transfers of items subject to the EAR when they are destined to those end users in certain destinations, including countries subject to a U.S. arms embargo. BIS said exporters will need a license if they have “knowledge” that a CCL item is intended for foreign-security end users, which BIS proposed defining as “governmental and other entities with the authority to arrest, detain, monitor, search, or use force in the furtherance of their official duties.”

That includes people or entities “at all levels of the government police and security services, from the national headquarters or the ministry level to all subordinate agencies/bureaus.” The definition also captures “analytic and data centers,” forensic labs, jails, labor camps, reeducation facilities and more, “because government ‘foreign-security end users’ often hire non-government entities to assist in their duties.” The definition doesn’t apply to “civilian emergency medical, firefighting, and search-and-rescue end users.”

This license requirement will apply for exports to nations listed by BIS in Country Groups D:5 and E, which include China, Iran, North Korea, Syria, Cuba, Russia and other nations subject to a U.S. arms embargo under the ITAR. BIS would review license applications on a case-by-case basis to “determine whether the proposed transaction presents an unacceptable risk of enabling human rights violations or abuses.” A case-by-case review policy would also apply to exports of “items necessary for public health or safety, or for other end uses that do not implicate human rights.” Transactions that would pose an “unacceptable risk” would be reviewed under a presumption of denial.

Other proposed changes in the rule would expand existing restrictions to “encompass certain activities of U.S. persons in connection” with those foreign-security end users, and would allow BIS to add entities that are foreign-security end users to the Entity List and designate them with a new “footnote 8.” The footnote would signify that the entity is subject to foreign-security end user license requirements.

BIS is also proposing to add a new control in the CCL for certain facial recognition systems used for mass surveillance and crowd scanning. A license would be required for all exports of those items to countries listed in CC (Crime Control) Column 1 in the BIS Country Chart.

The agency said this control would “further promote and protect human rights throughout the world” because AI-powered facial recognition technology has allowed foreign governments, law enforcement and intelligence agencies to “target victims at a higher rate.” It said this technology “can be weaponized to deploy repressive tactics at lower cost, with greater ease, and larger impact.”

BIS is proposing to amend Export Control Classification Number 3A981 to “include a proposed new item for facial recognition systems,” and facial recognition software would be controlled under ECCN 3D980. “As a result of the proposed changes to ECCN 3A981, facial recognition technology would be controlled under ECCN 3E980,” the agency added.

Military and Intelligence End Uses and End User Controls

Another BIS rule proposes new controls for U.S. persons support for certain military intelligence services, including for military end users, military support end users, military production activities and certain intelligence end users.

Proposed changes could update the agency’s existing definition of “military end user,” including by adding "mercenaries, paramilitary, or irregular forces,” which BIS said would capture private companies, “non-state actors, or parastatal entities that engage in combat or other activities akin to those of traditional armed forces.”

BIS would also expand its military end-use and end-user controls to apply to all items subject to the EAR, and expand the country scope of those controls to apply to all countries identified in Country Group D:5, as well as Macau.

BIS said this would cause all end users on its Military End-User List to be moved to the Entity List with a license requirement that applies to all items subject to the EAR. This “would be implemented in a separate, final rule published in the Federal Register,” the agency said.

The agency also proposed to control specific activities of U.S. persons that “assist defined military end users.” Those activities may include “facilitating a military end user's acquisition or procurement of foreign-origin items,” or “performing basic repair or maintenance services with respect to items owned or employed by a military end user.”

Another control would apply to U.S. persons’ support for “military production activities,” which includes “activities related to dual-use items which if located in the United States would be subject to the EAR.” Examples listed by BIS include helping certain foreign defense contractors make armored vehicles controlled under ECCN 0A606.a, helping those contractors install a light system in a “submersible vessel” controlled under ECCN 8A002.g, or helping certain foreign electronics companies make integrated circuits controlled under ECCN 3A001 if those circuits “have been ordered by the armed services of a targeted country.”

BIS would also add a new section and license requirement in the EAR to cover military-support end users, which would help address the “numerous” questions it has gotten about how its existing military end-use and end-user controls apply to people or entities that “provide assistance” to those end users.

“Separate controls are warranted for these entities in recognition of the various types and roles of end users that fall into this category,” BIS said. The agency is proposing to define military-support end users as “any person or entity whose actions or functions support ‘military end uses.’”

The agency is proposing to introduce a license requirement for these military-support end users that would apply to certain exports, reexports, or transfers of items subject to the EAR “that are specified on the CCL.” An exporter would need a license if they have “knowledge” that the item is intended for a “military-support end user” in Macau or a D:5 country, or for certain entities on the Entity List.

License applications would be reviewed under a case-by-case basis, except for Myanmar, China, Cuba, Iran, Macau, North Korea, Syria, and Venezuela, which will be reviewed under a presumption of denial. Applications for Russia and Belarus would be reviewed under a policy of denial.

The agency also wants to change its term for “military-intelligence end user’ by dropping the qualifier “military” and instead using the term “intelligence end user.” This change “would expand the scope of controls to all intelligence end users of the covered countries, instead of only intelligence end users that are part of the armed services or national guard of the covered countries,” BIS said. If finalized, an "intelligence end user" would include “not only military, but also other governmental (e.g., civilian) intelligence and reconnaissance organizations.”

Under the proposed rule, the control would apply to all items subject to the EAR and to nations in Country Groups D and E that are not also listed in Country Groups A:5 and A:6, and create a new license review policy that would mirror the proposed policy for military-support end users.

The rule includes other changes to the EAR and proposes several exclusions from the agency’s restrictions on U.S. persons’ activities. One proposed change would exclude commercial transportation activities -- including the movement of goods by carriers -- from the EAR’s definition of support, but only for the new military- and intelligence-related activity controls proposed in this rule.

“The purpose of this exclusion is to permit ‘U.S. persons’ continued involvement in transportation, shipping, and/or transferring items as part of routine business activities of companies such as freight forwarders and shipping lines,” BIS said. This proposed exclusion is meant to ensure that U.S. persons support controls “do not adversely impact the basic business operations of shipping lines and air carriers, companies that are generally not involved in arranging underlying transactions involving the sale of the items at issue.”

But BIS stressed that license restrictions would apply if a U.S. person “undertakes shipping, transmitting, and transferring activities involving items not subject to the EAR with ‘knowledge’ that such items will support certain military end users, military-production activities, military-support end users, and intelligence end users.”

BIS added that it plans to propose new controls on security end users and support for “foreign maritime nuclear projects” in a separate, future rule.

ITAR Defense Services Controls

The State Department’s proposed rule would revise its definition of defense services and the scope of related controls in the ITAR.

The agency said the change would revise the list of regulated activities that qualify as defense services to include “assistance, including training or consulting, to foreign persons in the development (including, e.g., design), production (including, e.g., engineering and manufacture), assembly, testing, repair, maintenance, modification, disabling, degradation, destruction, operation, processing, use, or demilitarization of a defense article.”

DDTC noted that this proposed list references two new terms -- disabling and degrading -- “to make explicit that the act of harming a military capability through the disabling or degradation of defense articles via any method remains controlled.” It also clarifies that cyber services that “disable and degrade defense articles, but fall short of total destruction or demilitarization,” qualify as a defense service.

Another proposed change is meant to clarify that “assistance includes training or consulting.” DDTC said it doesn't “intend to add a new level of control to its existing control of defense services, but rather intends to clarify that it does not treat training to mean only direct instructional activity.” The proposed definition would “reaffirm that providing the tools or means of furnishing training to a foreign person so that the foreign person may conduct training in lieu of the regulated person is included in the control.”

DDTC is also proposing two new USML entries in Category IX to control defense services “related to intelligence and military assistance.” Category IX, currently titled Military Training Equipment and Training, would be changed to “Military Training Equipment, Intelligence Defense Services, and Military Defense Services” to more accurately describe the new proposed controls, the agency said.

The changes are partly meant to “provide clearer notice to the regulated community, and in particular to U.S. persons with relevant experience, that the ITAR regulates services related to intelligence activities, regardless of nexus to a defense article.”

The agency said the proposed changes would “utilize a method of control sometimes known as ‘catch and release,’ which functions to initially describe a broad range of activities as a ‘catch,’ and then specifies certain limited carve-outs as a ‘release’ from the ‘catch,’” DDTC said. “As applied here, the catch-and-release design establishes that furnishing certain forms of listed assistance to a foreign person is controlled.”

The rule proposes several specific carve-outs under the new USML controls, including one that would carve out the provision of certain information technology services for "intelligence assistance," and another that would carve out training and advice on “general scientific, mathematical, or engineering principles” for "military assistance."