Today, the Commerce Department’s Bureau of Industry and Security (BIS) added four entities, Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia to the Entity List for trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.
Recognizing the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights abuses, the Commerce Department’s action today targets these entities’ ability to access commodities, software, and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.
“This rule reaffirms the protection of human rights worldwide as a fundamental U.S. foreign policy interest,” said Deputy Secretary of Commerce Don Graves. “The Entity List remains a powerful tool in our arsenal to prevent bad actors around the world from using American technology to reach their nefarious goals.”
“We remain laser focused on stemming the proliferation of digital tools for repression,” said Bureau of Industry and Security Under Secretary Alan Estevez. “Considering the impact of surveillance tools and other technologies on international human rights, I am pleased to announce these additions to our Entity List.”
The proliferation and misuse of such commercial surveillance tools, including commercial spyware, pose distinct and growing security risks to the United States, facilitate repression, and enable human rights abuses. Today’s Entity List additions build on the Commerce Department’s prior actions against commercial spyware companies in November 2021.
“The U.S. Government’s commitment to the Code of Conduct for Enhancing Export Controls of Goods and Technology That Could be Misused and Lead to Serious Violations or Abuses of Human Rights as announced during the second Summit for Democracy in March 2023, remains a top priority for BIS,” said Assistant Secretary for Export Administration Thea D. Rozman Kendler. “We will continue to leverage U.S. regulatory tools to control the export of dual-use goods or technologies to end users who seek to misuse them for the purposes of serious violations or abuses of human rights.”
Today’s action reflects the values highlighted in the President’s Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security, as well as the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, joined by 10 countries and the United States, which demonstrate the U.S. Government’s commitment to the development of an international technology ecosystem that, among other things, protects security, privacy, and human rights.
Today’s Entity List actions build on a number of recent BIS regulations to advance human rights, including:
- An amendment to the Export Administration Regulations (EAR) to confirm that the foreign policy interest of protecting human rights worldwide is a basis for addition to the Entity List.
- An amendment to the EAR implementing controls on cybersecurity items that could be used for surveillance, espionage, or other actions that disrupt, deny, or degrade a network or devices on a network.
- An amendment to EAR licensing policies enabling BIS to review exports of nearly all items subject to the EAR to ensure such items will not be used specifically to violate or abuse human rights.
More information on BIS’s actions to promote human rights and democracy are available online here: https://www.bis.doc.gov/index.php/policy-guidance/promoting-human-rights-and- democracy and FAQs on BIS’s human rights activities are available here: https://www.bis.doc.gov/index.php/documents/pdfs/3239-2023-bis-human-rights-faqs/file.
The text of the rule that was released today includes the full list of entities and is available on the Federal Register’s website here: [link]. The effective date is July 18, 2023.
Additional Background on the Entity List Process
This BIS action was taken under the authority of the Export Control Reform Act of 2018 and its implementing regulations, the EAR.
The Entity List (supplement no. 4 to part 744 of the EAR) identifies entities for which there is reasonable cause to believe, based on specific and articulable facts, that the entities—including businesses, research institutions, government and private organizations, individuals, and other types of legal persons—that have been involved, are involved, or pose a significant risk of being or becoming involved in activities contrary to the national security or foreign policy interests of the United States. Parties on the Entity List are subject to individual licensing requirements and policies supplemental to those found elsewhere in the EAR.
Entity List additions are determined by the interagency End-User Review Committee (ERC), comprised of the Departments of Commerce (Chair), Defense, State, Energy, and where appropriate, the Treasury.