Outdated U.S. Policies Are Helping Iran Censor Its Citizens (Commentary Published in Foreign Policy)
*This op-ed was published by Foreign Policy
Unclear guidelines and fear of sanctions are stopping tech companies from selling products that would help Iranians access the internet freely and evade government surveillance.
By Karen Kramer, director of publications at the New York-based Center for Human Rights in Iran.
An existential battle is playing out online in Iran between citizens and the state that seeks to control them.
Citizens there rely on the internet to get information beyond the state-controlled media and share this information with one another and the outside world. The government, meanwhile, relentlessly restricts what people can see on the internet, eavesdrops on what they do, and punishes those who cross the state’s red lines.
It’s a cat and mouse game with tools that allow online censorship and surveillance on one side and those that allow circumvention and encryption on the other.
Yet the people of Iran are at a growing disadvantage in this struggle. Thanks to sanctions against the regime, international communication products they need to bypass state censors and evade intelligence agency operatives monitoring their online activities are often out of reach. Many companies—including tech giants like Google, Apple, and Amazon—by and large will not sell their products to them or even make their free services available to Iranians due to fears of violating U.S. sanctions on Iran.
Such sales are perfectly legal. Indeed, recognizing the vital role these tools play in supporting civil society and freedom of expression, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) under General License D-1 explicitly exempts personal communications tools and services from U.S. sanctions on Iran. But it’s not a question of legality; what matters is companies’ appetite for risk.
There has long been a climate of fear surrounding sanctions, arising in large part from a lack of clarity and inclusiveness in D-1. Companies are unsure of what is permissible and thus err on the side of caution. This overcompliance holds true not only for tech products but for other types of goods the United States has exempted from sanctions, such as medicines and humanitarian items. Banks also fall prey to overcompliance, often refusing to process perfectly legal transactions due to fears of violating U.S. secondary sanctions.
In addition, D-1 is an old category and does not reference current technologies that have become central to communications, such as cloud and hosting services. As a result, companies like Google Cloud, Amazon Web Services, DigitalOcean, and GoDaddy to name just a few—as well as Apple tools and services—are unavailable.
This has real and potentially catastrophic consequences. For example, people in Iran cannot create an Apple ID, which is needed to download any application or security update. This means they buy IDs on the black market that could be sold to multiple people, including state officials. Or they use local cloud services, which are required to provide backdoor access to Iranian state agencies that have a history of accessing the private content of individuals or groups it wishes to monitor or suppress.
Many companies have also avoided applying for specific OFAC licenses, which allow the sale of products not covered by D-1 due to the lengthy process’s cost. The general inability of Iranians to pay for such goods and services due to banking sanctions, irrespective of their permissibility, has compounded the problem.
All this means Iranians must rely on products produced in Iran that provide the state easy access into accounts for surveillance and strengthen the government’s ability to block and censor content. This poses grave security risks for users, who operate in a context where online content disapproved of by the state can land one in prison. The effect has been particularly harmful for the activist and dissident communities the U.S. government has long expressed support for—and for whom internet security is of vital importance.
There are actions the U.S. government and tech companies could take immediately that would address this situation—and none would require the lifting of any sanctions.
First, the Biden administration should clarify, with specificity and detailed guidance, exactly what D-1 includes, ending the ambiguity. The administration should also update D-1 so it includes current technologies that are now central to online communications and safety, such as cloud and hosting services. The administration should consult with tech and digital rights experts to determine those products and technologies that should be explicitly referenced as permitted under D-1.
Second, the administration should encourage companies to sell these tools and services to Iranians and make free services available to them. This could be done through public assurances and comfort letters that assure companies of the permissibility of such transactions. The U.S. Treasury Department should also encourage companies to apply for OFAC licenses for further sales.
Third, OFAC should streamline its license application process so companies do not need to allocate years’ worth of their legal and technical teams’ time to obtain a license. The recent granting of an OFAC license for the code hosting service GitHub, for example, took the company two years.
Lastly, the U.S. Treasury Department must designate OFAC-approved financial channels for these sales so Iranians can actually pay for these products.
Technology companies, for their part, should actively pursue sales of personal communications tools and services to Iranians under D-1, make their free services available, and devote legal and technical resources to apply for OFAC licenses.
None of these measures require the lifting of any sanctions. They only require more effective clarification and implementation of existing sanctions exemptions as well as a demonstrated commitment by the government and companies to support Iranian citizens’ fundamental human rights.
Limiting access to international communications products undermines freedom of expression and directly endangers Iran’s civil society. Without them, nothing citizens say, do, or share online is safe from a prying, repressive state. But it also hurts internet freedom everywhere. Repressive countries around the world share tools and techniques and learn from one another, and the growing localization of the internet, where governments develop their own controlled national networks, communications infrastructure, tools, and services that aid and abet state surveillance and censorship is a growing threat.
Access to the internet is a fundamental right—and access to international communications tools and services is central to protecting it. If individuals risk arrest and imprisonment for accessing a foreign news website, downloading a video of a protest, or sharing information on a human rights violation, they are being deprived of a basic right. Ultimately, such access is critical to countering repressive states’ relentless efforts to control the public space the internet has become.
Karen Kramer is director of publications at the New York-based Center for Human Rights in Iran.