U.S. Government, Companies Can Do More to Promote Internet Freedom in Iran
New OFAC License for GitHub Highlights Shortcomings of General License D1
An Interview with Internet Freedom and Security Expert Amir Rashidi
Key Points:
- Iranians are largely unable to use international communications tools and services because companies won’t sell their products to them or allow them to use their free services due to fears of violating U.S. sanctions.
- This undermines the right to access information and digital security because it means Iranians must rely on communication tools and services produced in Iran that the Iranian authorities censor and surveil.
- This poses grave security risks for users, especially within the activist and dissident communities, who risk state prosecution and imprisonment for online content disapproved of by the state.
- The U.S. government must clarify and update OFAC General License D1, which permits the sale of personal communications tools and services to Iranians; encourage companies to sell and make services available to Iranians; streamline the OFAC licensing process; and designate financial channels for payments by Iranians.
- Companies should pursue sales of communications tools and services and make free services available to Iranians; devote the legal and technical resources to apply for OFAC licenses; and ask the U.S. government to clarify and update D1, streamline the license application process, and establish designated payment channels for Iranians.
While U.S. sanctions on Iran prohibit companies from doing business in the Islamic Republic, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has exempted from sanctions certain types of transactions. For example, the sale of humanitarian goods is exempt from sanctions, and OFAC’s General License D1 permits the sale of personal communications tools and services to Iranians, in recognition of the vital role such items play in assisting civil society and freedom of expression in repressive countries. OFAC also issues additional licenses, upon request and on a case-by-case basis, to allow activities that might otherwise be prohibited under the sanctions or whose permissibility is unclear.
Despite D1, the use and purchase of international communications tools and services by people in Iran has been severely hampered by companies’ reluctance to sell their goods and services to Iranians or to allow Iranians to access and use their free services. This is largely due to companies’ concerns regarding inadvertent sanctions violations, arising from the lack of specificity, clarity and inclusiveness in the D1 OFAC license, and to the due diligence requirements of doing business in Iran, which raises the costs to companies. Even applying for a license to ensure the permissibility of specific sales has been avoided by companies due to the costly and time-consuming process that such applications have typically required.
As a result, Iranians still do not have access to a broad range of international communication tools and services. This has negatively impacted access to information and digital security throughout Iranian society, because it means Iranians must largely rely on tools and services produced in Iran that are accessible to state monitoring and censorship. This poses significant security risks for users, who must operate in a repressive context where online content disapproved of by the state can land one in prison.
The effect has been particularly harmful for the activist and dissident communities, for whom internet security is of vital importance. That is why OFAC’s recent granting of a license to GitHub, the US-based code hosting platform, which allows the company to sell its full range of services to Iranians, is significant.
In the following conversation, conducted on January 15, 2021, Amir Rashidi, who is the Director of Digital Rights and Security at the New York-based human rights organization Miaan Group and has conducted extensive research on internet access and security in Iran, talked to the Center for Human Rights in Iran (CHRI) about the significance of the OFAC license for GitHub and broader issues regarding digital rights in Iran.
Q: Recently, GitHub, the code hosting platform, announced it had secured a license from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) to allow developers in Iran to use its full range of services. What is the significance of this development?
A: GitHub’s achievement in securing a license from OFAC is significant. First, this was no small undertaking. The company had to go through a time-consuming and expensive process to get this license–it took them two years, involving lawyers and technical teams. They had to prove that access to GitHub was essential to people in Iran and make the case for an OFAC license.
Second, it expanded the discussion on sanctions into important new areas. OFAC’s General License D1 exempts the sale of personal communications tools and services from U.S. sanctions on Iran, in recognition of how important these tools are to access to information and freedom of expression in countries with repressive governments. Up to now, discussions about sanctions have focused on tools and services that enable ordinary people to communicate with each other. But GitHub is not something ordinary people use, it is used by professionals such as developers and people who make software and applications. The GitHub license recognized that tools used by a relatively small number of professionals are equally vital to information access and communication.
Third, the granting of the GitHub license means that critically needed international professional communications tools can be provided to Iranians. GitHub is a code-sharing website. If one is working on developing software or an application, they can share their work on GitHub so that others can work on it too. There is an open source version and a paid version, where code can be stored and shared with a team. OFAC’s GitHub license was for both the open source and the paid version. If a developer cannot legally access GitHub, then they either have to bypass important security protocols with circumvention tools and fake IDs and other illicit and unsafe methods, or they cannot share their code–and that means they are effectively back in the stone age in terms of software development.
Fourth, it showed other companies that there is a way forward regarding obtaining licenses from OFAC to sell professional tools and services to Iran, despite the sanctions, and that the U.S. government will pay attention to the arguments for professional services. It showed that if a company really wants a license from OFAC, it can get one, it set a precedent for other tech companies to follow suit and this is important given the demonstrated reluctance of companies to go through the application process. Many international communications tools and services, both free and paid, are not being provided to the people of Iran because technology companies are over-complying with the sanctions. These are tools or services that should be allowed under U.S. sanctions exemptions because they meet the intention of D1 to facilitate personal communications, but the companies and their lawyers do not want to undertake the perceived risk or expense. This needs to be addressed. Access to the internet is not a luxury; it is an essential service—and a fundamental right. Now digital rights advocates can bring the GitHub example to companies such as Google, Amazon Web Services (AWS) and DigitalOcean, and show them that licenses to sell their tools and services to Iranians can be obtained. A major effort is needed to reach out to these companies and explain to them the cost to civil society of sanctions over-compliance and the need to pursue sales to the people of Iran.
Q: What kinds of specific things will Iranians be able to do now that they have GitHub?
A: The GitHub license illustrates the range of services that become available to Iranians when a key international tool or service is provided. Iranians can now go to GitHub to use their open source code to develop software, applications, online services and websites for any number of uses—commercial, business, educational, nonprofit, etc. The Iranian government would point out that these types of tools and services are already provided to Iranians through domestic companies. But that’s the point–these domestic Iranian companies and services all present security and access risks to users–anything stored on state servers or state infrastructure can be accessed by the state and is therefore vulnerable to state surveillance and censorship. In a repressive country such as Iran, where the state openly conducts online surveillance and prosecutes people for online content, that is significant. There are also other direct human rights applications for GitHub; for example, IT specialists can use GitHub to access codes that can help develop censorship circumvention tools, as well as tools to make one’s website or online communications more secure from state access and surveillance or hackers, such as firewalls and antivirus software.
Q: Iranians can now legally use Github, but will they be able to pay for it given the reluctance of financial institutions to conduct transactions with anyone in Iran?
A: There will still be problems regarding the ability to pay, as opposed to the legality of paying for GitHub, because of the U.S. financial sanctions that remain on the Islamic Republic. Banks are reluctant to proceed even with legal financial transactions with Iran, due to fears of inadvertently violating sanctions or because they feel the additional due diligence expense required with Iranian transactions is not worth it. But if one can find a way to pay for GitHub, then one will now have the service.
But this decision brings into sharper relief the need to address payment issues with Iran. Irrespective of exemptions and licenses, if Iranians cannot find a way to pay for critically needed international tools and services, they will still not have access to them. Designated mechanisms to facilitate payments for permissible transactions are urgently needed.
Q: Is the U.S. government doing all it can and should to facilitate safe online communications? And what should be the top priorities for the new Biden Administration regarding promoting internet freedom in Iran?
A: There is more the U.S. government should and could be doing to encourage compliance with the spirit of its General License D1, which after all was designed to allow civil society in Iran to have access to communications tools and services.
First, the Biden administration needs to understand that there is an environment of fear surrounding the sanctions, because of a lack of specificity and clarity in the guidance, that has resulted in significant over-compliance by companies. This has resulted in a situation where international tools and services that should be exempt from sanctions because they are vital to safe personal communications are not available to users in Iran. OFAC urgently needs to publish more specific guidelines, with clear and specific examples, making it clear what is a violation of the sanctions and what is not, so that there is no reason for technology companies to over-comply. And importantly, not only should they put out more guidance, the U.S. government needs to talk to companies and provide explicit assurances to them, for example through letters of comfort, regarding permissible sales.
Second, D1 is old; the technology has evolved and changed and D1 needs to be updated and expanded to reflect this. The very definition of “communications” has changed. Under President Obama, communication essentially meant email. Now it has a much broader definition. If you cannot host your website with a secure hosting service or put your website onto a secure data center then you are not able to communicate effectively. Hosting is essential infrastructure for online communications, but access to safe international hosting services has been a big problem for Iranians, as Google Cloud, Amazon Web Services (AWS) and DigitalOcean all still refuse to make their products available to Iranians. D1 needs to be expanded to explicitly reference cloud services and other international infrastructure that Iranians need; only then will companies know these products are included under the sanctions exemptions and be willing to make them available to Iranians. For example, if the U.S. government just explicitly said “Providing access to cloud services is not a sanctions violation” this would go a long way toward addressing tech companies’ over-compliance.
Third, the new administration should provide a way to get an OFAC license more easily. The application process needs to be streamlined so that companies do not have to devote years of time and the resources of their legal and technical teams; that bar is simply too high and it has resulted in unnecessary over-compliance. For small companies, such expenditures are not even a possibility.
Fourth, payment issues need to be addressed. If financial sanctions are preventing companies and banks from processing payments by Iranians, then they cannot access services regardless of whether they are licensed. The U.S. administration urgently needs to address the need for safe, designated payment channels for permissible goods and services to Iranians.
Q: What are the consequences for the people of Iran of not having access to the full range of these types of international communications tools and services?
A: There are two main areas of consequence, one is for Iranians and the second is for the future of the internet.
For all Iranians, the security ramifications are significant. The Iranian government is moving aggressively to fill the space left by the absence of these international companies’ products with its own versions of these tools and services. These Iranian-made products are not equivalent or safe for users in Iran because they use infrastructure that is accessible to the state. The Iranian authorities have openly acknowledged their online surveillance activities and they have prosecuted many activists and dissidents based on their online communications. In such a climate, using state infrastructure is a security risk. The Iranian government is now investing significant resources to create a cloud service in Iran, where users can host their websites, applications or even files. If Iranians cannot use international cloud services then they will have to use these local ones, with very negative impacts on privacy and security. The effects are especially severe for lower-income people, who have neither the money nor the technological sophistication to access circumvention tools and other roundabouts.
Being forced to use local services also means Iranians are more vulnerable to state shutdowns of the global internet inside Iran. The authorities in Iran have shut down access to the global internet when they have wanted to prevent news from getting in or out of the country–such as during the state’s violent crushing of the 2019 street protests, when access to the internet was blocked for a week. When Iran did not have its own domestic versions of these services that it could run on its national internet (the National Information Network, or NIN), the cost of cutting off access to the global internet was high; for example, the functions of banks and government services, which use online services, would be affected. But with the expansion of domestic services, cutting off access to the global internet is much less costly for the Iranian government—and thus more likely.
Forcing Iranians to rely on domestically produced services is also hurting the global internet. The refusal to provide access to international communications tools, services and infrastructure is contributing to the localization of the internet, where national networks that make users vulnerable to state surveillance, hacking and censorship, proliferate. This is not only an Iranian issue because Russia and China are doing the same thing–all these countries are models for each other to learn from, and models for authoritarian governments elsewhere. So, this is not only an issue for Iranians but also for the future of the internet globally. Addressing this should be a global priority. Access to the internet is a right. The Iranian government is violating that right. Sanctions that prevent access are violating that right. Companies that espouse internet freedom, but then do not do what they can to ensure access to all citizens, are violating that right. No matter where you live, under any government, it is a fundamental right. If these tools and services are not provided, Iranians will have to rely on local services—or Chinese ones—and neither of these are safe. You cannot give your data to the Iranian government or the Chinese government without exposing yourself to major security risks.
Q: Do you expect other tech companies to follow Github’s example?
A: Without rigorous advocacy, there is little chance other companies will follow Github’s example. Tech companies say privately that they need full legal teams to make the case to OFAC for a license and this is too expensive. But resources need to be allocated for this. Github was a success because there was close collaboration between the company’s legal and technical teams, and the legal team brought these arguments to the U.S. government. That kind of collaboration is what’s needed to move forward with other companies.
Q: Which companies are the ones most vital to Iranians?
A: At the top of the list of companies would be Google. They have a lot of services and they are very popular in Iran. Android [owned by Google] is the most popular operating system in Iran so if Google would unlock Android Developers and the many tools and services that are directly and indirectly linked to Android then this would be a huge advance for digital access and security in Iran.
The next priority would be cloud services like Amazon Web Services (AWS) and DigitalOcean. Access to Apple services is also needed. Creating an Apple ID, which is required for downloading Apple applications, receiving updates, etc., requires a phone number but Iranian phone numbers are not accepted by Apple. As a result, Iranians use domestically produced services that are accessible to the state and more vulnerable to hackers. For example, instead of putting their apps on the Apple Store, Iranians have to use their local app store, Cafe Bazaar—but then the store can see what is on the phone, including such things as circumvention tools, and may give this information to the Iranian government. Not only would this pose a risk to users, it would also alert the Iranian authorities as to which tools to block.
Q: What are the obstacles or misconceptions that prevent progress on digital rights and internet freedom in Iran?
A: Companies do not want to undertake what they perceive as risk, and, at least to date, the U.S. government has not prioritized digital rights. Neither have been doing the things they could and should do. Members of Congress have privately relayed to me that they would like to do more to get these tools and services to the people of Iran, but that they did not have a receptive ear during the Trump administration. Hopefully this will change with the new Biden administration. President Biden and his team should consult with and listen to the people with technical and human rights expertise on Iran, and not those with a political agenda. The administration needs to understand the consequences of the inability to access international communications tools for Iranians who are struggling under a very repressive government.
Q: What should companies do?
A: Companies need to be willing to use their resources to advance digital access and rights. Clearly, these companies have the resources, should they choose to prioritize these issues and allocate them.
First, companies need to review the sanctions legislation and pursue the areas of sale that are clearly permissible so that they do not continue to over-comply with the sanctions.
Second, they need to press the U.S. government to clarify, update and expand upon D1 so that it is clearer what is permissible and what is not and so that it reflects the current state of information and communications technology, and they also need to advocate for a more streamlined OFAC application process.
Third, they need to devote the resources for legal and technical teams and apply for OFAC licenses for products that are not clearly exempt but which clearly are reasonable candidates for OFAC licenses because they advance information access and communications. And they need to negotiate and advocate with the U.S. government until they get those licenses.
Fourth, if payment is an issue, then the companies need to also address this issue with the new U.S. administration and state what they need regarding safe, designated payment channels.
Companies claim they respect human rights and promote internet freedom, but they do not demonstrate this with their actions. Tech companies need to understand that by not doing everything they can to promote internet freedom and security in Iran (or in fact any repressive country), they are not only hurting the citizens of that country, they are ultimately undermining internet freedom everywhere, and, in the process, hurting their own business model. The lack of access to international communications tools and services in repressive countries like Iran propels forward the creation of national (or localized) internets where security is deeply compromised and censorship relentlessly practiced. Sooner or later this will hurt the tech companies, too.