Cloud Computing

Quick Summary

Cloud computing resources such as Dropbox, iCloud, Google Apps, etc. do not offer secure transmission as defined by export control regulations; using these resources may result in an unintended and illegal export, and create legal liability for you and for CU. You can rely on IT resources managed or approved by CU's IT Security personnel to store and transmit your export controlled software and technical data.

US export control regulations prohibit the unauthorized sharing of controlled software and technical data with foreign nationals, and also prohibit transactions with certain foreign individuals and states. This prohibition includes any form of sharing, including the electronic transmission of controlled data, and even includes "theoretical access" to such data by IT administrators or employees who maintain (and potentially could monitor) electronic data storage and transmission systems.

Data storage and transmission using CU resources is not problematic, because CU IT policies ensure that facilities are located in the US and employees are US citizens or permanent residents. However, when you use non-CU resources to store or transmit controlled data, you are essentially sending your data or software on an electronic postcard and you are liable for any access to that data or software by unauthorized foreign nationals. This is the case even if the access is unintentional, and even if you were not aware of the access occurring. It is true even if the data are encrypted.

External providers of "cloud" computing services are especially problematic, because it is often difficult to know where their servers are located, how they route traffic (particularly during peak- or off-times), or whether their procedures prohibit access to your data by foreign nationals. Examples of such services include:

Dropbox, iCloud, SkyDrive and other cloud-based data storage services; Google Apps, SharePoint and other collaborative services; Gmail, Hotmail, Yahoo mail, and other non-CU email providers.


Export-controlled research should include Technology Control Plans that ensure that storage and transmission of controlled data occur on or through IT resources that are maintained by the Office of Information Technology. One example is Large File Transfer, which allows for the secure transfer of files. If these resources will not meet your needs, you should discuss alternative approaches with Dan Jones, CU Director of IT Security, at (303) 735-6637. General questions about export controls should be directed to Linda Morris.

For further reading, please see: Brookings Institute White Paper