The U.S. Government has issued significant pronouncements related to sanction measures targeting the provision of network surveillance technology ("NST") to Iran.1 These pronouncements follow the recent enactment of the Iran Threat Reduction and Syria Human Rights Act ("ITRA"), which amends the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 ("CISADA") and coincide with the U.S. Government's efforts to increase economic sanctions against Iran for the country's continued development of nuclear weapons and support of international terrorism. A previous Miller & Chevalier ("M&C") Alert on ITRA can be found here and an M&C Alert on ITRA's NST-related provisions can be found here.
The President recently issued Executive Order ("EO") 13628 to implement certain NST-related and other measures in ITRA. In addition, the U.S. Department of Treasury, Office of Foreign Assets Control ("OFAC") promulgated an amended version of the Iranian Transactions Regulations ("ITR") that touches upon NST- and telecommunications-related businesses. OFAC also designated the first set of parties pursuant to EO 13628. Finally, the U.S. Department of State issued policy guidance on the nature and scope of NSTs subject to ITRA and EO 13628. Each of these developments is discussed below.
Executive Order 13628
On October 9, 2012, President Obama issued EO 13628 to implement certain sanctions with respect to Iran, including sanctions outlined in ITRA related to network surveillance and censorship in that country.
Section 2 of EO 13628 implements Section 402(a) of ITRA2 by authorizing the Secretary of the Treasury to block the property of any party that, on or after August 10, 2012, knowingly: 1) transfers or facilitates the transfer of goods or technology likely to be used by or on behalf of an Iranian government entity for human rights abuses in or relating to Iran; or 2) provides services relating to such goods or technology. The phrase "goods or technology likely to be used for human rights abuses" is defined in ITRA Section 402(a) to include firearms, ammunition, rubber bullets, police batons, stun grenades, electroshock weapons, tear gas, surveillance technology, and sensitive technology. The term "sensitive technology" is defined in CISADA Section 106(c) as hardware, software, or technology that: 1) restricts the free flow of unbiased information, or 2) disrupts, monitors, or otherwise restricts speech. The nature and scope of "sensitive technology" is further addressed in the State Department policy guidance discussed below. The term "surveillance technology" is not defined in the EO 13628, ITRA, or CISADA, but potentially-affected parties should refer to the State Department's policy guidance in assessing the nature and scope of that term as well.
Section 3 of EO 13628 implements ITRA Section 403(b)3 by authorizing the Treasury Secretary to block the property of any party that, on or after June 12, 2009, engages in censorship or related activities with respect to Iran that: 1) prohibit, limit, or penalize the exercise of freedom of expression and assembly by Iranian citizens; 2) limit access to print or broadcast media; or 3) facilitate intentional frequency manipulation by an Iranian government entity for jamming or restricting an international signal.
EO 13628 also blocks the property of any party that materially assists or provides financial, material, or technological support for any activity described above.
Both EO 13628 and ITRA build upon Executive Order 13606, titled "Blocking the Property and Suspending Entry into the United States of Certain Persons with Respect to Grave Human Rights Abuses by the Governments of Iran and Syria via Information Technology." That EO blocks the property of any party that sells, leases, or otherwise provides any good, service, or technology to Iran or Syria likely used to facilitate computer or network disruption, monitoring, or tracking for human rights abuses purposes by or on behalf of the Iranian or Syrian Government. EO 13606 contains an initial list of parties found to have engaged in one or more of those activities and thus blocked under the EO. A previous M&C Alert on EO 13606 can be found here. EO 13606 is narrower than EO 13628 and ITRA by applying only to: 1) NSTs and related services and not extending to items such as firearms, ammunition, rubber bullets, or the like; or 2) activities such as those related to censorship. In addition, EO 13606 applies on a strict liability basis, while EO 13628 and ITRA impose a knowledge requirement for the transfer of goods or technology for human rights abuses by or on behalf of the Iranian government.
The Iranian Transactions and Sanctions Regulations
On October 22, 2012, OFAC issued an amended version of the ITR and renamed those regulations the Iranian Transactions and Sanctions Regulations (the "ITSR").4 The new regulations keep intact all of the ITR's prohibitions and add new ones, mostly to reflect recent legislation and Executive Orders related to Iran.
The ITSR also incorporates new provisions relevant to telecommunications and network operations. Specifically, they clarify that:
- the long-standing information and informational materials exemption in ITR/ITSR Section 560.210(c)(3) does not extend to: a) the "provision" of capacity on telecommunications transmission facilities (the "sale" and "lease" of such capacity was already prohibited under the ITR); or b) the provision, sale, or lease of such capacity or the exportation of data transmission items and services to Iran, the Iranian government, an Iranian financial institution, or any other party blocked under ITSR Section 560.211 ("blocked Iranian party");5
- the long-standing authorization for telecommunications and mail transactions in ITR/ITSR Section 560.508 does not extend to the provision, sale, or lease of telecommunications equipment or technology or telecommunications transmission facility capacity to a blocked Iranian party; and
- the term "telecommunications transmission facilities," as used in ITR/ITSR Sections 560.210(c)(3), 560.508(a), 560.540(b)(3), includes "terrestrial network connectivity."
On November 8, 2012, OFAC made its first formal designations pursuant to EO 13628, blocking the property of the following nine parties in Iran for engaging in the censorship and/or related activities described in Section 3 of the EO: 1) Alim Fazli, 2) Rasool Jalili, 3) Reza Taghipour, 4) Amnafzar Gostar-e Sharif, 5) Baqiyattallah University of Medical Sciences, 6) Center to Investigate Organized Crime, 7) Ministry of Culture and Islamic Guidance, 8) Peykasa, and 9) Press Supervisory Board. These parties are identified with the "[IRAN-TRA]" tag on OFAC's Specially Designated Nationals list, which also provides additional information about the parties, including their aliases.
State Department Policy Guidance
On November 13, 2012, the State Department published policy guidance on certain aspects of the Iran sanctions.6 Among other things, the document sets forth guidelines on the nature and scope of technology that may qualify as "sensitive technology" under CISADA Section 106 (the "Guidelines"). Required under ITRA Section 412 and also applying to Syria, the Guidelines are intended to help parties comply with the sanction measures in EO 13628 and ITRA related to NSTs.
As an initial matter, the Guidelines recognize the inherent difficulty in controlling the export of NSTs, citing the "important role" that such technology has, on the one hand, "in holding repressive regimes accountable, assisting people in exercising their human rights and protecting emerging elements of civil society" and, on the other, the "unprecedented capabilities" of the technology "to conduct surveillance on users' communications and movements, and to block or disrupt communications."
The Guidelines establish that, in determining whether a particular NST constitutes sensitive technology, the U.S. government "will closely examine transactions that could provide significant surveillance, censorship, or network disruption capabilities to the Iranian or Syrian governments" based on the end-user, end-use, and the type of technology, essentially mirroring the risk factors that theoretically should be examined for all proposed exports from the United States. In doing so, the government will consider "all available information," including: 1) information obtained through direct communications with the parties to the transaction, 2) whether the seller knew or should have known that the intended end user was likely to misuse the technology, and 3) whether the technology has a history of being misused in Iran or Syria.
Under the Guidelines, the risk posed by the intended end user is the most critical factor affecting whether a particular NST constitutes sensitive technology:
[I]ndividuals or entities sanctioned by the U.S. government related to human rights abuses in Iran and Syria may pose a more apparent risk of misusing technology. Under these circumstances, any hardware, software, or telecommunications equipment provided to persons sanctioned for human rights abuses pose the potential to be considered "sensitive technology" for purposes of CISADA and [I]TRA, any type of support provided to these individuals or entities may subject the provider to sanctions.
Thus, the Guidelines establish an elastic standard that becomes more easily met as the risk associated with the intended end user increases. Consequently, a given product or technology may constitute sensitive technology in the hands of one user but not another. Given this guidance, careful attention should be paid to potential end users designated under EO 13606 and Executive Order 13533 issued in September 2010 and entitled "Blocking Property of Certain Persons with Respect to Serious Human Rights Abuses by the Government of Iran and Taking Certain Other Actions."
The Guidelines also identify the following types of NSTs as sensitive technology "under some, but not all," circumstances: 1) lawful interception; 2) surreptitious listening devices; 3) technology for intercepting wire, oral, or electronic communications or jamming or intercepting the air interface of mobile telecommunications; and 4) keyword list blocking technology that allows persons to block the transmission of content containing certain words.7 The phrase "some, but not all" reinforces the priority placed on factors other than product or technology characteristics, particularly the risk posed by the end user, when identifying sensitive technology, even though many of those products and technologies are widely viewed as predominantly having surveillance, censorship, or network disruption capabilities.
The Guidelines go on to provide an illustrative list of other types of NSTs that "pose the risk of being misused" by the Iranian and Syrian governments and thus "have the potential" to qualify as sensitive technology, such as: 1) key logging technology/spyware, 2) non-consensual tracking/monitoring technology, 3) network disruption technology, and 4) DNS poisoning technology. Potentially-affected companies should review the entire list in the Guidelines.
The Guidelines further identify NSTs that do "not generally" constitute sensitive technology, such as geolocation and other monitoring capabilities and services that track user network addresses and usage patterns. Also included in this category are NSTs for ordinary network operation, personal computing, or private communications that do not offer significant surveillance, censorship, or network disruption capabilities, such as: 1) Wi-Fi access points, 2) network routers, 3) switches and mobile phone base stations, 4) cables, 5) basic network performance monitoring tools, and 6) wireless antennas. Potentially-affected companies should review the entire list. While the list should put such companies at ease for excluding many common items theoretically captured by the broad definition of sensitive technology in CISADA, it should not be viewed as a safe harbor given the analytical framework described above and the Guidelines' explicit qualification that such NSTs are generally – but not in all cases – excluded.
The Guidelines' primary focus on the end user and omission of a bright line between sensitive and non-sensitive technology should not be surprising given the difficulty in distinguishing between NSTs intended for nefarious end uses and those having acceptable ones, with many even having simultaneous capability for both. Thus, as the Guidelines implicitly acknowledge, an analytical framework that instead relies primarily on product and technology characteristics is likely to be overly broad and impractical, having the unintended consequence of cutting-off the Iranian and Syrian people from products and technologies that, although capable of being used for committing human rights abuses and censorship, are also instrumental in promoting human rights and democracy. In this context, the Guidelines represent the State Department's attempt to balance the potential threats and benefits of NSTs.
Against this background, due diligence is paramount. Potentially-affected companies should examine the totality of the transaction before selling an NST that may be used for surveillance, censorship, or network disruption in Iran or Syria. Indeed, the Guidelines themselves stress that potentially-affected companies "should conduct rigorous due diligence to ‘know their customer' and assess the potential risk that a particular technology is likely to be used to facilitate human rights abuses, restrict the free flow information, or disrupt, monitor, or otherwise restrict speech of the people of Iran and Syria."
The State Department will periodically review and, if necessary, modify the Guidelines to account for "new information and circumstances." Thus, potentially-affected companies should anticipate occasional changes to the Guidelines as technology and the diplomatic and political climate with respect to Iran and Syria evolve.
"Network surveillance technology" is broadly defined throughout this Alert to cover any hardware, software, or technology for conducting electronic surveillance on network communications, whether for suppressive or non-suppressive means.
2ITRA Section 402(a) was incorporated into CISADA as Section 105A.
3ITRA Section 403(b) was incorporated into CISADA as Section 105B.
4Iranian Transactions Regulations, 77 Fed. Reg. 64,664 (Dep't Treasury Oct. 22, 2012) (final rule).
5ITSR Section 560.211 has been included in the ITSR to codify, as part of the regulations, the blocking measures in the NDAA and EO 13599.
6Dep't of State: State Dep't Sanctions Information and Guidance, 77 Fed. Reg. 67,726 (Nov. 13, 2012) (policy guidance).
7The Guidelines provide descriptions and examples of NSTs without regard to the normal restrictions that apply to their transfer, export, or reexport under the ITSR, the Syrian Sanctions Regulations, or the Export Administration Regulations (the "EAR"). Stated differently, the Guidelines apply to all NSTs, even those that may normally be prohibited from export or reexport to Iran or Syria and regardless of whether the NST may be classified as EAR99 or identified on the EAR's Commerce Control List.
For more information, please contact:
Larry E. Christensen, firstname.lastname@example.org, 202-626-1469
Barbara D. Linney, email@example.com, 202-626-5806
David T. Hardin