Why the Professor Went to Prison in the November 2012 issue of Bloomberg Business Week is worth reading if you know what AECA and ITAR stand for.

Even if you don’t know, you should still be interested because the professor (John Roth, electrical engineering, University of Tennessee at Knoxville) went to prison for violations of the AECA.

Because AECA and ITAR concern the export of defense-related items and because CFD gets used a lot in the defense industry, it behooves us all to know more.

What Are AECA and ITAR?

AECA stands for Arms Export Control Act, an act that gives the U.S. Department of State the authority to regulate the export of defense articles and services. Its legal cousin is ITAR, International Traffic in Arms Regulations.

Prof. Roth was convicted of unlicensed export for using Chinese and Iranian graduate students on restricted research and having restricted data on his computer during a trip to China.

It’s important to note that within the context of AECA and ITAR, “export” doesn’t mean what you usually think – dropping something in a crate and shipping it to a foreign country. It can mean displaying data (a blueprint or an image on a computer screen) to a foreign person in your office right here in the U.S. of A.

ITAR and CFD

Obviously there are a lot of defense applications of CFD. That’s my personal background, having started my career at General Dynamics (now Lockheed Martin) in Fort Worth working on the propulsion flowfields of the F-16 and other aircraft. And while Pointwise is not a manufacturer of defense articles or a provider of defense services, we do have to handle a lot of ITAR-controlled articles provided by our customers. (In other words, they send us an IGES file and their grid for a certain airplane or ship or whatever so we can help them resolve some issue with our software.)

So we’re given these articles by third parties and then have to properly care for them as per the conditions of the AECA and ITAR.

By the way, did I mention that Pointwise employs foreign persons?

Working with ITAR-Controlled Articles

Pointwise maintains a fairly rigorous set of policies and procedures for how we handle and protect customer data. For ITAR it’s all about identification, restriction and segregation of the data. [Note: I am neither an attorney nor an expert in these matters. I am not providing advice. You should seek your own advice from qualified legal counsel.]

But for these systems to work, we have to know what’s ITAR and what’s not.

The Troubles with ITAR

You can’t tell ITAR just by looking at it. We don’t create any ourselves and it’s unreasonable for us to look at customer data and make that call. (Which is why by default we give all customer data special handling.) We rely on the customer to self-identify.

What continues to amaze me is that many engineers with whom we work have no idea whether their data is ITAR-controlled or not. So they may be sending us ITAR-controlled articles and not telling us simply because they themselves don’t know. Their data becomes the proverbial hot potato.

Other engineers don’t appreciate the significance of export-controlled data and don’t see any harm in sending it to us. They don’t understand that it’s in some sort of no-man’s land between proprietary (perhaps covered by a standard non-disclosure agreement) and U.S. government classified (which we absolutely do not accept).

If you’ve ever worked with Uncle Sam before you recognize another pitfall – the U.S. government is terrible at telling you how to do things properly but they will tell you each and every time you do the tiniest thing wrong. Which is why our data security procedures were designed with the help of legal counsel with specialization in AECA-related matters. [See my recent blog post about the importance of having good partners.]

What’s It All Mean?

Whether you like it or not, AECA and ITAR are the law. We’ve spent a great deal of time and money ensuring we operate within the regulations. So if we can do it, so should the professor and his university.

You can also point to the regulations and say they’re too vague and too broad. That very well may be true. From time to time we hear that ITAR will be reformed. But until then, it’s the law.

You may also side with the professor and say that exchange of scientific data needs to be unfettered. Would Bloomberg have written the article if the offender had been an employee at a business rather than a professor at a university? I don’t think so. Nor do I understand that level of differentiation. Most universities these days with their funded research and applied research labs operate more like businesses than a lot of corporations.

That doesn’t mean that the scope of articles to which ITAR applies shouldn’t perhaps be limited in the future. Nor should you infer that I believe that the definitions of ITAR are deterministic – they’re not. But that gray area should make us more cautious not less so.

The Bottom Line

Until things change you must know your data’s provenance and act accordingly. Or suffer the consequences.

Oh, and if you send us some data be prepared to tell us whether it’s ITAR-controlled or not and if it is be prepared to sign an NDA with some very specific language in it.