After a more than one-year wait, the Department of Commerce Bureau of Industry and Security (BIS) has imposed controls on its first 'emerging technology' – software specially designed to automate the analysis of geospatial imagery.(1)
This software now requires a BIS authorisation to be exported or re-exported to any country other than Canada. Companies that develop or use AI to solve geospatial problems or in geospatial applications must review the new rules closely.
Non-US companies that seek to acquire or otherwise invest in US companies involved in such software may need to request US government national security reviews of their proposed transactions by the Committee on Foreign Investment in the United States (CFIUS).
How did BIS impose these new controls?
In an interim final rule effective as of 6 January 2020, BIS imposed export controls on AI which meet the criteria listed below. Comments must be received by 6 March 2020, but the controls begin immediately. BIS added the newly controlled item – certain software specially designed to automate the analysis of geospatial imagery – in the 0Y521 series, which was created in 2012 at the onset of the export control reform.(2)
The new item is controlled under Export Control Classification Number (ECCN) 0D521. The software is controlled for regional stability, which means that an authorisation will be required for export to any country other than Canada. At present, the only applicable licence exception is for exports, re-exports and transfers in-country made by, or consigned to, a department or agency of the US government (Licence Exception GOV, Section 740.11(b)(2)(ii)).
The AI used for analysis of geospatial imagery is controlled only if it meets certain technical specifications – namely, it must:
- be geospatial imagery software specially designed for training a deep convolutional neural network to automate the analysis of geospatial imagery and point clouds;
- ?provide a graphical user interface that enables the user to identify objects (eg, vehicles and houses) from within geospatial imagery and point clouds to extract positive and negative samples of an object of interest;
- reduce pixel variation by performing scale, colour and rotational normalisation on the positive samples;
- train a deep convolutional neural network to detect the object of interest from the positive and negative samples; and
- identify objects in geospatial imagery using the trained deep convolutional neural network by matching the rotational pattern from the positive samples with the rotational pattern of objects in the geospatial imagery.
A 'point cloud' is a collection of data points defined by a given coordinate system (also known as a 'digital surface model').
What does this mean for exporters?
What happens if newly controlled software has already been exported, re-exported or transferred?
If software now controlled by 0D521 was exported, re-exported or transferred in-country before 6 January 2020, there is no violation.
Any further exports, re-exports or transfers will require an authorisation. BIS will review licence applications on a case-by-case basis.
Exporters should heed the following warnings:
- Software travels fast and re-exports and transfers are often frequent. Exporters should pause any further exports, re-exports and transfers for the time being and notify non-US affiliates or non-US customers or suppliers that already have the now-controlled software. Their further export activities may also trigger violations.
- It is advisable to be careful with software updates. While some software updates may be permissible under certain licence exceptions, the only licence exception currently applicable to the new controls is Licence Exception GOV. It is highly likely that a licence will even be required to provide any updates.
What if software developed is fundamental research?
When the software that has been developed is fundamental research, it is not subject to the export administration regulations (EAR). Therefore, AI now classified as 0D521 will not be subject to the EAR if it is in fact fundamental research (the definition of 'fundamental research' is somewhat complicated).
Is CCATS necessary on software now subject to 0D521?
When determining whether a commodity classification determination (CCATS) is needed on software now subject to 0D521, the software should first be self-classified and the reasons should be documented. There is no harm in pursuing a CCATS if it is unclear whether the software is subject to the new control. However, it will likely take some time for BIS to sort out comments and any further clarification to the technical specifications, so the timeline for obtaining a CCATS may be long.
What impact will this have on CFIUS jurisdiction?
Another implication of the new control is that this software is now critical technology under CFIUS regulations, which may subject related transactions to additional scrutiny by CFIUS, as well as require mandatory filings in certain situations. CFIUS has long considered many items on the Department of Commerce Control List (CCL) and the US Munitions List to be critical technologies. However, the Foreign Investment Risk Review Modernisation Act (FIRRMA), enacted in August 2018 (for further details please see "Treasury releases comprehensive rewrite of CFIUS regulations, flood of filings expected 2020"), expanded the types of transaction subject to CFIUS review and operationalised this list of critical technologies as one specific element of CFIUS's jurisdictional test for non-passive, non-controlling minority investments.
FIRRMA is the impetus for the new control (Section 1758 of the Export Control Reform Act (ECRA) mandated that BIS expand controls to include emerging and foundational technologies that are essential to US national security). In November 2018 BIS issued an advance notice of proposed rulemaking (ANPRM) asking for public input on possible emerging technologies to be controlled, and included AI and positioning technologies on its list of 14 general areas that BIS may control. BIS received more than 200 comments across industry and academia on the proposed technologies. However, BIS has taken little action on emerging technologies since the ANPRM (for further details please see "CFIUS 2.0: expansion of jurisdictional scope remains in limbo as tech minority investments emerge"). The exception to this statement is, arguably, the implementation of controls on five emerging technologies (for further details please see "Post-quantum cryptographic algorithms and air launch platforms: BIS adds fives new technologies to CCL") pursuant to the Wassenaar Arrangement, drafted before ECRA's enactment.
This new control may come as an unwelcome surprise for US companies that are involved with this specific type of AI, especially those that intended to raise future capital from a foreign source. These companies would be well served to consult CFIUS counsel on the impact of this new development on any upcoming transactions. Also, in the next several weeks, CFIUS is expected to finalise and publish its comprehensive regulations implementing FIRRMA, which must be in effect by 13 February 2020. It is unclear whether and to what extent those regulations might continue to mandate CFIUS filings for technology deals, as has been the case for the past year under CFIUS's critical technologies pilot programme.
However, what is clear is that by adding software designed to automate the analysis of geospatial imagery to the CCL, BIS has expanded the list of critical technologies and slightly widened the purview of CFIUS.
How will interested stakeholders react to this rule?
Industry and academia will likely raise several issues relating to the interim final rule. Possible comments may be expected to address topics such as:
- additional licence exceptions;
- allow authorisation for the use of Licence Exception TSU (15 CFR §740.13(c)) for updates to software already transferred;
- permitting ongoing deemed exports for non-US persons in the United States that already have access to the software (and may be responsible for developing it); and
- requesting clarification on technical aspects of the ECCN – for example:
- the number of convolutional neural network layers required for a 'deep' convolutional neural network; and
- whether a convolutional neural network that is trained to identify a single type of object, but a plurality of times, fall under this ECCN.
BIS must receive comments by 6 March 2020. Comments may be submitted via:
- the federal rulemaking portal – the identification number for this rulemaking is BIS-2019-0031; or
- mail or delivery to:
Regulatory Policy Division Bureau of Industry and Security, US Department of Commerce Room 2099B 14th Street and Pennsylvania Avenue NW Washington DC 20230.
(Refer to RIN 0694-AH89.)
It should be assumed that comments will be made available in full to the public and other government agencies. As such, no proprietary or sensitive data should be included.
Endnotes
(1) BIS controlled five emerging technologies in May 2019 but as a multilateral export control in relation to the Wassenaar Agreement (for further details please see "Post-quantum cryptographic algorithms and air launch platforms: BIS adds five new technologies to CCL").
(2) Further information is available here.
Sylvia G Costelloe, associate, and Brian J Stevens, associate, assisted in the preparation of this article.
