Memo to Tech and Social Media Companies: Stop Aiding Iran's War on the Internet
March 15, 2017 —Major technology and social media companies should stop barring Iranians from buying or accessing personal communications tools and services that are not banned by any sanctions, and make immediately available to Iranians the full range of permissible items, the Center for Human Rights in Iran (CHRI) and ASL19 said in a joint statement today.
Firms such as Apple, Twitter, Google, GoDaddy, Facebook, AMD, Norton, Comodo, Oracle and Adobe are denying Iranians the right to purchase or download tools and services that are legal, available to the rest of the world, and essential for allowing Iranians full and safe access to the global internet
“Iranians not only face internet censorship and hacking from their government, but also the denial of the right to purchase and use perfectly legal software and services by private tech firms” said Hadi Ghaemi, executive director of CHRI.”
“These items are not under any sanctions and it is unfair and discriminatory to deny Iranian youth tools that are available to the rest of the world,” continued Ghaemi. “Tech firms are being complicit in denying the right to internet access in Iran.”
These restrictions have impeded Iranians’ access to information, directly endangered the security of journalists, activists and students in the country who face covert state monitoring and hacking, and impeded the growth and expansion of a new generation of Iranian developers and startups.
At least 35 companies offering high tech communications and software development tools have blocked their products (at least 61 items) from domestic use in Iran, according to research carried out by CHRI and ASL 19.
“Barring Iranian users from these tools and services that companies make available to everyone else around the world is not sanctions compliance; it’s voluntary and arbitrary behavior that is discriminatory,” said Ali Bangi, the Co-Director of ASL19.
“We have reminded tech companies again and again that their over-compliance with sanctions not only goes beyond the scope of the law, but also violates fundamental human rights and freedom of speech,” Bangi, added.
This access has been denied even though the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) explicitly exempted personal communications tools and services from sanctions against Iran, allowing Iranians to purchase software, mobile applications, cell phone hardware, personal computers, and others services under General License D-1 in February 2013.
Undermining Online Security
These restrictions harm the public in several areas, perhaps the most critical being security. Internet use is not only extremely restricted in Iran, the state covertly monitors and hacks accounts as well. Internet service providers are also forced to comply with “security” laws that expose their customers’ information and activities.
Online security is imperative because Iranians are vulnerable to prosecution and imprisonment for any online content disapproved of by the authorities. Yet software companies specializing in user security, including antivirus software producer Norton, have blocked Iranians from purchasing their products. These products are not only authorized under General License D-1 (Annex Item 6), but several companies, including Avast, have been able to make their services available in Iran without further problems.
The ability of Iranians to safely host content abroad is also critical, because any content hosted in Iran is vulnerable to state intrusion. Yet some of the largest internet companies, including GoDaddy and Google AppEngine, have banned users in Iranians from purchasing its web hosting services. As a result, Iranians have no choice but to turn to domestic hosting companies that expose them to hacking and cyber attacks by security agencies.
The most basic way to protect online activity and communication is by enabling encrypted web traffic on websites. Yet companies that sell the certificates required to support encryption, including Comodo and GoDaddy, do not offer this security resource to Iranian web administrators or for .IR domains, thereby exposing users in Iran to surveillance by security agencies. Other services such as Let’s Encrypt allow Iranians to use their services.
Iranians also need to access and update basic software. Yet several developers of common internet plugins and desktop software restrict access to update features and block downloads for users in Iran.
For example, access to Oracle’s Java and Adobe’s Flash is blocked, even though these items are commonly shipped with systems or required for certain applications. As a result, Iranians are unable to retrieve security fixes, enabling malicious actors to compromise their computers for surveillance or fraud. Such restrictions by Oracle and Adobe ignore the D-1 authorizations as well as an Interpretative Guidance statement by OFAC in which the office specifically named their products.
Handicapping Start-up Companies and Job Creation
The internet has provided space for a young generation of entrepreneurs to create their own communications platforms and participate in the global economy, and Iranian startups have attracted international attention for their creativity and the inclusiveness of the community. Yet developers are often denied access to common development software, operating systems, databases, open source projects, application markets and other platforms.
For example, Google’s Android development products are restricted, despite the platform’s popularity in the country, as is Oracle’s database software. Many of the items fall within General License D-1, and for products not covered by D-1, companies can apply for specific licenses to make them available.
Hampering Civil Society and Human Rights
Social network giants such as Facebook, Twitter and Google Ads will also not allow anyone to place advertisements in Iran— even though placing ads in specific geographies is routine. Yet blocking the ability to reach the Iranian public undermines civil society. For example, human rights groups cannot share and advertise posts on these networks to inform Iranians about rights abuses, and groups promoting free speech are prevented from sharing educational information on security and privacy techniques, because Iran is not offered as an option for targeted broadcasts.
The internet continues to be one of the primary means by which Iranians can express themselves and communicate free from state control and repression. CHRI and ASL19 urge tech companies to stop aiding the Iranian government in its efforts to restrict Iranians’ access to the global internet and monitor their online activities.
Restrictions that go beyond sanctions compliance have no reasonable justification. For any personal communication tools and services not already permitted under by the D-1 General Export License, the U.S. Department of Treasury has long offered companies authorization processes to provide such items—and has in fact clearly communicated that protecting access to information is a priority for the US Government.
“If companies have compliance concerns, they should seek clarity with OFAC, rather than throw up their hands and abandon their users,” said Ghaemi, adding that, “By doing so, these firms will uphold the letter of the law and the universal right to information access and privacy.”