How export controls affect research and education at Cornell.
Cornell University Guidelines on Sensitive and Proprietary Research adopted by the Cornell Research Council on May 20, 1985 and subsequently updated by the Office of the Vice President for Research and Innovation states:
Given the open nature of Cornell University, research projects which do not permit the free and open publication, presentation, or discussion of results are not acceptable. Nor will the university enter into any agreements unless the principal and co‐principal investigators have the final authority on what is to be published or presented. In particular, research which is confidential to the sponsor or which is classified for security purposes is not permitted at Cornell University. The university will accept only sponsored research projects which are expected to further the research and educational mission of the institution.
Cornell conducts only research that qualifies as fundamental research. This is defined as basic and applied research in science and engineering that is ordinarily published and shared broadly within the scientific community (EAR 734.8(a)).
Research will not be considered fundamental research if there are restrictions on the publication of scientific and technical information resulting from the project.
Research will not be considered fundamental research if Cornell has accepted any restrictions (such as foreign national participation), due to proprietary or national security reasons.
This is distinguished from “proprietary research” and from “industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary reasons or specific national security reasons” (EAR 15 CFR §734.8)
ITAR further limits fundamental research to research conducted at institutions of higher learning in the U.S. (22 CFR § 120.11 (a)(8)).
Bona fide Employee Exemption (limited use for Cornell faculty)
The ITAR (U.S. 22 CFR §125.4 (b)(10)) authorizes the transfer of unclassified technical data by U.S. institutions of higher learning to foreign persons in the United States who are bona fide, full-time regular employees of that institution. Three criteria are required:
- The employees’ permanent abode throughout the period of employment be in the United States.
- The employee can NOT be listed as a national of a country listed in 126.1 of the ITAR.
- The employee is notified in writing that the technical data may not be transferred to other foreign persons with the prior written approval of the Department of State.
Export Controls do not apply to information that is already public, and the regulations contain exclusions for information that is “publicly available” (EAR) or is in the “public domain” (ITAR).
The “publicly available” exclusion under EAR includes a wide range of obvious categories, such as information that is available in a library, or that has been published, or that is typically taught in for-credit courses.
An important protection for university research is the “Fundamental Research Exclusion.” Fundamental research is defined as ‘basic and applied research in science and engineering where the resulting information is ordinarily published and shared broadly within the scientific community’.
The information that results from fundamental research is excluded from export controls.
If the research is fundamental and the results are ordinarily either published or shared broadly with other scientists, the research results are protected.
Research on Campus
Export control laws have the potential to substantially impact research on the Cornell University campus. If research involves specified technologies, the EAR and/or ITAR may require prior federal approval:
- Before allowing foreign nationals to participate in the research.
- Before partnering with a foreign company.
- Before sharing research results in any manner (including by publication or presentation at conferences) with persons who are not U.S. citizens or permanent resident aliens.
Export regulations apply whether or not the recipient is funded by a grant, contract, or other agreement, and apply whether or not the EAR or ITAR are cited in the award document. If a researcher accepts export-controlled technology or information from a government agency or from industry, the researcher is subject to ITAR or EAR regulations.
Most Cornell research activities are excluded from export controls because of the exception known as “fundamental research” under the export control regulations. By not accepting any restriction on publication or the appointment of foreign nationals to the research, Cornell protects the fundamental research exemption.
- Foreign National Visitors to campus should be screened against the denied entity and SDN lists. International Scholars and students visiting on J-1 VISAS as well as non-students and visiting faculty should be screened to ensure that the individual or the affiliated institution is not included in any U.S. Government lists prohibiting access to certain materials and information on campus.
- Appropriate protections should be put in place to ensure that foreign visitors do not have access to restricted, controlled, or proprietary information or items.
- Foreign visitors, regardless of length of stay, who will collaborate or participate in University research or training in the biological or physical sciences, engineering, mathematics, information security (including encryption), software development, or related technologies and fields, whether or not the collaboration occurs within the scope of a sponsored research agreement, must also undergo screening.
- Screening is not required for students who have applied, been accepted and/or are enrolled in any degree granting program that Cornell University offers.
- Faculty and staff should know who is in their labs at all times. Records should be maintained noting the name and affiliation of all lab visitors, as well as the date(s) and purpose of the visit.
In general, collaborations between Cornell University faculty and scholars at foreign institutions or organizations do not require export licenses unless they involve export controlled or restricted research, or the research involves scholars in sanctioned countries. The University needs to determine if export licenses are required and to verify that the foreign individual and/or organization are not blocked or sanctioned entities prior to engaging in an international collaboration.
The Department of the Treasury’s Office of Foreign Assets Controls (OFAC) administers economic sanctions programs which should be reviewed prior to travel.
For additional guidance regarding working with China, see Engagement with China: FAQ.
These sanctions programs block assets and impose trade restrictions, restricting many transactions. Any subcontracting or collaboration should be reviewed with the Export Controls Office and University Counsel.
U.S. Research Off Campus
The fundamental research exclusion from export controls, changes when research is done off campus.
Research in the scope of the ITAR is not fundamental when it takes place outside “accredited institutions of higher learning in the U.S.” So, research conducted by Cornell researcher at a commercial lab would not be considered fundamental research if the technology is subject to the ITAR.
Research in the scope of the EAR would lose the fundamental research presumption attributed to university-based research, but can still qualify as fundamental so long as there are no restrictions on publication.
Research Outside of the United States
Items and technology originating outside the U.S. become subject to U.S. export controls when in the U.S. This means that results of research outside the U.S., even if conducted by non-U.S. persons, could become ITAR-controlled or EAR-controlled in the U.S. This could potentially restrict the U.S. researcher intending to use them and possibly requiring authorization to export from the U.S.
Research in the scope of the ITAR is not fundamental when it takes place outside “accredited institutions of higher learning in the U.S.” Research conducted by a Cornell researcher outside the U.S. would not be considered fundamental research if the technology is within the scope of the ITAR. Therefore, the results produced by U.S. researchers outside the U.S. would be subject to ITAR controls.
Research in the scope of the EAR is not presumed to be fundamental, as it would be if it occurred at a University in the U.S. However, the research may still qualify as fundamental if the other necessary requirements are met.
The Office of Sponsored Programs performs a thorough review of all proposals and agreements to assist in determining export control risks, and works to remove any language which is in direct conflict with the University’s performance of Fundamental Research.
In addition, OSP performs Restricted Party Screenings on the entities being contracted with, prior to release of award.
During the proposal and agreement review process, OSP looks for:
- any reference to U.S. export regulations
- restriction of non-U.S. entity participation based on country of origin
- restricted access to project information
- receipt of proprietary information
- publication restrictions (including sponsor approval to publish)
- foreign travel
- international collaborations
- international shipment of equipment or materials
- payments to or from OFAC restricted locations
The above list includes indicators that the work may be subject to export control laws. The final determination of the applicability of the regulations depends on the specific details and the specific technology involved in the research. The Grant & Contract Officer and Export Controls Officer will work with the PI to assess the applicability of export control laws to the work.
Sponsor or Third Party Provided Technology
It is critical that incoming items and all proprietary technical information be assessed to determine whether or not they are export controlled.
Usually the provider is the best source of information regarding the export control classification, but ultimately it is the University's responsibility to know what we are accepting and to protect it appropriately.
As per the EAR, the initial transfer of information from an industry sponsor to University researchers is subject to the EAR where the parties have agreed that the sponsor may withhold from publication some or all of the information so provided
Simple operation of EAR controlled items by foreign nationals in the US does not require a license. Access to controlled information may require a license depending on the reasons for control, country of nationality or citizenship, and the availability of an applicable license exception.
A Technology Control Plan (TCP) is required for all research which involves any ITAR controlled items or technology, involves any EAR controlled technology, or otherwise falls outside the Fundamental Research Exclusion (FRE). The TCP shall include:
- A physical and information security plan.
- Personnel screening procedures.
- A process for using and storing the information in a controlled environment.
All TCPs are developed by the faculty and staff involved in the research project, with help from the Export Controls Officer. The Export Controls Officer must approve all TCPs prior to receipt of the controlled information or material.
In addition, all members of the research team will be required to read, understand, and sign the TCP before the project can begin.
While cloud computing and remote digital data storage offer advantages of reducing computational and storage space burdens on local machines and networks, they create the same export control issues as fax, emails, etc. The ‘deemed export rule’ does apply when utilizing cloud computing and remote digital data storage services.
U.S. export control regulations define an “export” to include both a physical shipment of a tangible item out of the U.S. as well as the “transmission” of export controlled information and software by electronic means. Sending export controlled information to a foreign national, either in or outside of the United States territory whether by fax, email, etc. is an export. Similarly, using cloud computing servers or storing digital data on a third-party server which is located in a foreign country are exports. If the information exported is controlled, the exporter (the person who transmitted the data) could face civil and/or criminal prosecution.
There may also be contractual obligations. In addition to the requirement to comply with U.S. export regulations, externally funded research and sponsored projects may contain contractual restrictions on the release of information that could include prohibition on the use of cloud computing services or third-party digital data storage. Failure to comply with contractual restrictions could result in a breach of contract and if the contract is federally funded, possible civil or criminal and penalties may be applied.
It is the responsibility of the user to ensure that the technology or technical data stored on a 3rd party server is not accessible by foreign persons (such as the cloud provider's foreign IT administrators.) The user is completely responsible and can be solely liable for any U.S. export laws that may be violated.
- Understand ALL the terms of the agreement you and your project are subject to. If you do not understand these terms, contact the project PI or department administrator. The General Counsel's office will also be able to explain legalese in simple terms as well.
- Do not store technology or technical data that is export controlled, or considered proprietary or confidential, outside of appropriately protected Cornell University servers. If the data is not public knowledge, you should not use cloud computing or remote storage services.
- Increase the security of your data by adding passwords or encryption to access. Doing this does not mean that it is okay to use cloud computing or remote storage services for your export controlled, confidential or proprietary technology or files.
- Before entering into agreement with a cloud provider, first check with CIT to see what resources are already available.
- If no other University resources are available to meet your needs, before entering into an agreement with the service provider, ask the following:
- Where are the servers and routers located? (Get at minimum city, state, country)
Ensure the agreement directly addresses the measures they have in place to prevent unauthorized foreign nationals from accessing controlled technology and software wherever located.
Transfer of Tangible Materials
Providing controlled materials to foreign nationals may require an export license. The exemption of fundamental university research from export licensing requirements does NOT extend to the export of tangible objects from the U.S.
There are controls, for example, on the export of tangible materials that could possibly be used in chemical or biological weapons, such as human pathogens, zoonoses, toxins and their clones, animal pathogens, genetically modified microorganisms, plant pathogens, radioactive materials, magnetic metals, propellants and ceramic materials.
If you are planning to transfer tangible materials outside the United States that are controlled by the EAR or ITAR, you should work with the Export Controls Officer to obtain the required export license.
In addition to the above, to transfer materials developed at and/or owned by Cornell University, please contact CTL to arrange for the necessary Material Transfer Agreements; for other materials that are not developed at and/or owned by Cornell University, please contact OSP for the appropriate documentations.
Most university courses are excluded from export controls in that the information released in the courses is considered to be publicly available.
- The EAR provides that educational information released by ‘instruction’ in catalog courses and associated teaching laboratories of academic institutions (with some encryption exceptions) is not subject to the EAR [EAR §734.3(b)(3)(iii) ]
- The EAR education exclusion does not extend to the release of information in research labs not associated with catalog courses.
- The ITAR provides that information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities, is not included in the definition of ‘technical data’ subject to the ITAR [§120.10(a)(5)].
SEC. 501. Exclusion of Citizens of Iran Seeking Education Relating to the Nuclear and Energy Sectors of Iran.
(a) IN GENERAL.—The Secretary of State shall deny a visa to, and the Secretary of Homeland Security shall exclude from the United States, any alien who is a citizen of Iran that the Secretary of State determines seeks to enter the United States to participate in coursework at an institution of higher education (as defined in section 101(a) of the Higher Education Act of 1965 (20 U.S.C. 1001(a))) to prepare the alien for a career in the energy sector of Iran or in nuclear science or nuclear engineering or a related field in Iran.
(b) APPLICABILITY.—Subsection (a) applies with respect to visa applications filed on or after the date of the enactment of this Act.
- The EAR considers information released at an open conference, meeting, seminar, trade show, or other open gathering to be published, and so excluded from control.
You can deliver or present the results of your fundamental research at open conferences.
- The ITAR considers information released through unlimited distribution at a conference, meeting, seminar, trade show or exhibition, generally accessible to the public, in the United States to be in the public domain, and so excluded from ITAR control.
- You can deliver or present the results of your fundamental research in the ITAR scope at open conferences in the U.S.
- Outside the US, you can deliver or present the following information in the ITAR scope:
- General system descriptions not considered ITAR technical data per ITAR §120.10(a)(5).
- Public domain information, such as published research results or material previously released in a university course.
Caution: Follow up discussions could be considered a defense service (assisting a non-US person with a defense article), if the information you provide is not in the public domain.
Controlled items, software, or technical data cannot be released in open conferences.