Skip to main content

Export Controls > Research > Cloud Computing

Cloud Computing

While cloud computing and remote digital data storage offer advantages of reducing computational and storage space burdens on local machines and networks, they create the same export control issues as fax, emails, etc.  The ‘deemed export rule’ does apply when utilizing cloud computing and remote digital data storage services.

U.S. export control regulations define an “export” to include both a physical shipment of a tangible item out of the U.S. as well as the “transmission” of export controlled information and software by electronic means.  Sending export controlled information to a foreign national, either in or outside of the United States territory whether by fax, email, etc. is an export.  Similarly, using cloud computing servers or storing digital data on a third-party server which is located in a foreign country are exports.  If the information exported is controlled, the exporter (the person who transmitted the data) could face civil and/or criminal prosecution. 

There may also be contractual obligations.  In addition to the requirement to comply with U.S. export regulations, externally funded research and sponsored projects may contain contractual restrictions on the release of information that could include prohibition on the use of cloud computing services or third-party digital data storage.  Failure to comply with contractual restrictions could result in a breach of contract and if the contract is federally funded, possible civil or criminal and penalties may be applied. 
It is the responsibility of the user to ensure that the technology or technical data stored on a 3rd party server is not accessible by foreign persons (such as the cloud provider's foreign IT administrators.  The user is completely responsible and can be solely liable for any U.S. export laws that may be violated.   

Researchers should:

  1. Understand ALL the terms of the agreement you and your project are subject to.  If you do not understand these terms, contact the project PI or department administrator.  The General Counsel's office will also be able to explain legalese in simple terms as well.
  2. Do not store technology or technical data that is export controlled, or considered proprietary or confidential, outside of Cornell University servers.  If the data is not public knowledge, you should not use cloud computing or remote storage services.
  3. Increase the security of your data by adding passwords or encryption to access.  Doing this does not mean that it is okay to use cloud computing or remote storage services for your export controlled, confidential or proprietary technology or files.
  4. Before entering into agreement with a cloud provider, first check with CIT to see what resources are already available.
  5. If no other University resources are available to meet your needs, before entering into an agreement with the service provider, ask the following:
    1. Where are the servers and routers located?  (Get at minimum city, state, country)

Ensure the agreement directly addresses the measures they have in place to prevent unauthorized foreign nationals from accessing controlled technology and software wherever located.