Whether it’s the corporate world or the realm of education and research, most organizations are aware of the risk of deemed export violations and take prudent action to safeguard technology, research, and other controlled data.
Limiting visitor access to certain areas of the lab, performing restricted/denied party screening on foreign job applicants or non-U.S. citizens attending a meeting, ensuring laptops and smartphones containing sensitive information are password-protected and always in the owner’s possession when travelling abroad – these are just a few of the ways we adhere to deemed export compliance laws. Yet despite the best-laid plans, when collaborating with foreign nationals at home or abroad, we may forget that it’s not just what we do that matters, but what we say. That’s why the Federal Bureau of Investigation (FBI) has released a brochure that covers a risk we’re not always cognizant of – the risk of elicitation.
Elicitation is a technique used by spies to discreetly gather information. It’s like drawing the name of a co-worker you don’t know very well for the office “Secret Santa” gift exchange. To find out what this co-worker would like to receive without ruining the surprise, you need to gather information from them without revealing that you’re their holiday benefactor. Casual questions about their weekend, if they’ve tried the new Italian restaurant down the street, where they purchased their new gloves…the answers to these questions can give you what you need to choose that perfect present without giving yourself away. Unfortunately, elicitation can also be used for nefarious purposes – to get you to share sensitive information you had no intention of sharing about your products, your research, your technology and more. Falling prey to elicitation places you – and your organization – at risk of committing an inadvertent deemed export violation.
The FBI has compiled a list of elicitation techniques we should look out for should we find ourselves associating with foreign nationals either on U.S. soil or overseas. Here are a few examples – do you recognize any from conversations you may have had?
- Assumed Knowledge. Pretending to have something (or someone) in common with a person. “According to the computer network guy I used to work with…”
- Flattery. Using praise to coax a person into offering information. “I bet you were the key person in designing this new product.”
- Volunteering Information. Sharing information in hopes that the person will reciprocate. “Our company’s infrared sensors are only accurate 80% of the time at that distance. Are yours any better?”
- Word Repetition. Repeating core words or concepts to encourage a person to expand on what he/she has already said. “3,000 meter range, huh? Interesting.”
- Opposition/Feigned Incredulity. Indicating disbelief to prompt someone to defend their position (and offer information in the process). “There’s no way you could design and produce that product so fast!”
It’s only human, particularly in a social setting, to let one’s guard down while engaged in conversation with someone who (a) is interested in you/your work, (b) is an acknowledged peer or (c) appears to be someone who could benefit you as a customer, research partner or employee. It is possible to avoid becoming a victim of elicitation, though. The FBI’s literature offers some handy deflection tips:
- State that you do not know
- Respond with “Why do you ask?”
- State that you would have to clear such discussions with your security office
- Deflect a question with one of your own
A solid deemed export compliance program includes educating employees about what information may be shared and what is confidential. Learning to recognize elicitation techniques and engaging in role plays to practice deflection of elicitation attempts are excellent ways to prepare for international travel and visitation. If all else fails, play it safe and talk about the weather.
For more information or training, contact the FBI (www.fbi.gov).