[liberationtech] Open Call on State Department's Definition of "Sensitive Technologies"

Collin Anderson collin at averysmallbird.com
Fri Nov 9 13:15:35 PST 2012


Colleagues,

Under the latest Iran and Syria sanctions bill, which I have discussed on
the list previously, there was a reporting requirement related to the
definition of sensitive technologies. Yesterday State put forward such a
definition and opened a call for comments, due in two months. It would be
worth everyone's time to sort through the request and contribute guidance --
I will be doing so and would be more than happy to collaborate with others.

http://www.state.gov/e/eb/tfs/spi/iran/fs/200316.htm

Cordially,
Collin

---

Department of State: State Department Sanctions Information and Guidance

AGENCY: Department of State.

ACTION: Policy guidance.

SUMMARY: The Department of State is publishing information and guidance for
the public addressing the State Department's sanctions authorities,
including under the Iran Sanctions Act, as amended, certain Executive
Orders related to Iran sanctions, section 106 of the Comprehensive Iran
Sanctions, Accountability and Divestment Act of 2010 (CISADA) and certain
related provisions of law, and certain statutes and Executive Orders
related to terrorism and weapons of mass destruction.

DATES: The Department of State will accept comments on the Guidance on Iran
Sanctions and the Guidance on Sensitive Technology until January 12, 2013.

ADDRESSES: Interested parties may submit comments within 60 days of the
date of the publication by any e-mail at sanctions at state.gov with the
subject line, "Sanctions Guidance".

SUPPLEMENTARY INFORMATION: The Secretary of State has legal authority to
make determinations regarding sanctions on individuals and entities that
meet certain criteria in three areas that are important to the national
security, foreign policy, and economy of the United States: certain
activities related to Iran; certain activities related to weapons
proliferation; and certain activities related to global terrorism. This
notice includes policy guidance outlining the State Department's
authorities under the Iran Sanctions Act, as amended, and related Executive
Orders (EOs); provides guidelines to further describe the technologies that
may be considered "sensitive technology" for purposes of section 106 of
CISADA, as required under section 412 of the Iran Threat Reduction and
Syria Human Rights Act of 2012, and other related provisions of law; and
provides information on the State Department's authorities under certain
other EOs and statutory provisions related to terrorism and weapons of mass
destruction.

...

II. Guidance on the Provision of "Sensitive Technology" to Iran and Syria

Section 106 of the Comprehensive Iran Sanctions, Accountability, and
Divestment Act of 2010 (CISADA) (Public Law 111-195) (22 U.S.C. 8501 *et seq.*)
prohibits U.S. government agencies from entering into or renewing
procurement contracts with individuals or entities that export "sensitive
technology" to Iran. Further, sections 402 and 703 of the Iran Threat
Reduction and Syria Human Rights Act of 2012 (TRA) (Public Law 112-158)
mandate the imposition of sanctions on persons who are determined to have
engaged in certain activities, including, on or after August 10, 2012, to
knowingly transfer, or facilitate the transfer of "sensitive technology" to
Iran or Syria, or provide services with respect to "sensitive technology"
after such technology is transferred to Iran or Syria.

Section 106 of CISADA defines "sensitive technology" as "hardware,
software, telecommunications equipment, or any other technology, that the
President determines is to be used specifically - (A) to restrict the free
flow of unbiased information in Iran; or (B) to disrupt, monitor, or
otherwise restrict speech of the people of Iran." Section 703 of TRA
defines "sensitive technology" in the same way with respect to Syria.

These guidelines, which are required under section 412 of TRA, are intended
to assist individuals and entities so that, going forward, they can make
appropriate decisions with regard to business in Iran and Syria and take
steps to avoid engaging in potentially sanctionable transactions under
sections 106 and 105A of CISADA, as amended by section 402 of TRA,
Executive Order 13628, and section 703 of TRA due to the similarity of the
definition of "sensitive technology" to section 106 of CISADA.

*Misuse of Technology in Iran and Syria*

Information and communications technology serves to facilitate
communication, share information, and connect users to each other. Over the
last several years, the world has witnessed the important role this
technology can assume in holding repressive regimes accountable, assisting
people in exercising their human rights and protecting emerging elements of
civil society. However, certain information and communications technology
can also provide unprecedented capabilities for governments to conduct
surveillance on users' communications and movements, and to block or
disrupt communications.

The people of Iran and Syria use telecommunications technology and networks
to communicate with each other and the rest of the world. The United States
government supports efforts to facilitate the free flow of information and
freedom of expression in Iran and Syria and is cognizant of the vital
importance of providing technology that enables the Iranian and Syrian
people to freely communicate with each other and the outside world.

At the same time, the Iranian and Syrian governments have taken steps to
restrict the free flow of information and freedom of expression over their
networks, to track and monitor the communications of their people for the
purpose of perpetrating human rights abuses, or to disrupt networks in
support of military operations against their own people.

*Determining "Sensitive Technology"*

In determining whether a particular transaction involves a good or
technology that may be considered "sensitive technology" under CISADA and
TRA, the United States government will closely examine transactions that
could provide significant surveillance, censorship, or network disruption
capabilities to the Iranian or Syrian governments as a result of the
particular end-user, its end-use, or the type of technology.

The United States government recognizes that certain geolocation and other
monitoring capabilities are part of the basic functioning of modern
telecommunications networks. The United States government further
recognizes that online communications services commonly track users'
network addresses and usage patterns and may request additional personal
information from users. These capabilities generally would not be
considered "sensitive technology" under CISADA and TRA. Moreover,
"sensitive technology" does not generally include technology essential for
ordinary network operation, personal computing or private communications
that does not provide significant surveillance, censorship or network
disruption capabilities, including: Wi-Fi access points, network routers,
switches and mobile phone base stations; cables (fiber optic, coaxial and
twisted pair); basic network performance monitoring tools; wireless
antennas and other architectural elements; mobile phones and mass market
desktop, laptop and tablet computers without external monitoring or
surveillance capabilities such as keyloggers; computer monitors, screens,
speakers, mice, headphones, headsets, and other accessories; defensive
technologies to protect individual computers against malware and related
security threats (including software and definition updates); software
development tools including libraries, integrated development environments,
hosting services, and collaboration platforms; mass market document
creation, viewing and editing tools without special surveillance
capabilities; censorship-circumvention technologies and services; virtual
private network (VPN) services; anti-tracking and encryption technologies
to protect user privacy, if supplied without monitoring or surveillance
capabilities; personal communications technologies (including software
updates to such technologies) such as instant messaging, chat, e-mail,
social networking, photo and movie sharing, web browsing, and blogging; web
browser plug-ins for rendering web content; data and web hosting and
storage technology without monitoring or surveillance capabilities; RSS
feed production, distribution, and reading tools and comparable information
transmission technologies; and other similar equipment that does not
provide significant surveillance, censorship or network disruption
capabilities.

When making an assessment of whether or not a company, entity, or
individual is exporting, transferring, facilitating the transfer of, or
providing services that may be considered sensitive technology with regard
to Iran or Syria, the State Department will review all available
information, including through direct communication with the entity or
individual if possible. It will consider, among other factors, whether a
company knew, or should have known, that a particular end-user of its
technology was likely to misuse such technology, or that a particular
technology has a history of being misused in Iran or Syria to further human
rights abuses. As such, individuals or entities engaged in transactions
with Iran or Syria involving telecommunications goods, services or
technology should conduct rigorous due diligence to "know their customer"
and assess the potential risk that a particular technology is likely to be
used to facilitate human rights abuses, restrict the free flow of
information, or disrupt, monitor, or otherwise restrict speech of the
people of Iran and Syria.

For example, individuals or entities sanctioned by the U.S. government for
activities related to human rights abuses in Iran and Syria may pose a more
apparent risk of misusing technology. Under these circumstances, any
hardware, software, or telecommunications equipment provided to persons
sanctioned for human rights abuses pose the potential to be considered
"sensitive technology" for the purposes of CISADA and TRA, and any type of
support provided to these individuals or entities may subject the provider
to sanctions.

Regardless of the recipient or known end-use, specific telecommunications
technologies such as "lawful interception" and "surreptitious listening"
devices, systems and technology for the interception of wire, oral or
electronic communications or to jam or intercept the air interface of
mobile telecommunications, have the potential to be considered "sensitive
technology" for the purposes of CISADA and TRA under some, but not all,
circumstances. Similarly, keyword list blocking technology that allows
persons to block the transmission of content containing certain words, has
the potential to be considered "sensitive technology" for the purposes of
CISADA and TRA under some, but not all, circumstances. The following is an
illustrative, but not exclusive, list of other technologies and
capabilities that pose the risk of being misused by the Iranian and Syrian
governments, and that have the potential to be considered "sensitive
technology":

   - Key logging technology / spyware
      - Allows persons to record key strokes, mouse clicks, data processes,
      or activity on a touchscreen without consent of the device user.
   - Mobile device forensics data extraction and analysis technology
      - Allows persons to extract and analyze data from a mobile phone
      device, even if password protected.
   - Nonconsensual remote forensic technology
      - Allows persons to perform undetected collection and analysis of
      data from remote target computers.
   - Nonconsensual tracking/monitoring technology
      - Allows persons to cause a mobile or networked device to reveal its
      geographic location, operating status or application data, without
      consent of the device owner or content provider.
   - Network disruption technology
      - Designed to enable disruption, inhibition or degradation of
      networks or sub-parts.
   - Infection vectors technology
      - Allows persons to install or execute malware or perform other
      attacks.
   - Rootkit technology
      - Allows persons to defeat or bypass security, hide malware, or
      enable privileged access to computer process or network resources.
   - DNS poisoning technology
      - Allows persons to hijack Domain Name System (DNS) requests and
      reroute Internet traffic to illegitimate websites / servers.
   - Censorship-enhancement technology
      - Designed to allow persons to enforce content blocking or to
      fingerprint and/or defeat anti-censorship technologies.

This guidance was developed for its applicability to current conditions in
Iran, as called for by section 412 of TRA and by section 106 of CISADA, and
in Syria, due to the similarity of section 703 of TRA to section 106 of
CISADA, and should not be considered automatically relevant for other
contexts or conditions. The State Department will periodically review these
guidelines and, if necessary, amend them to take into account new
information and circumstances regarding the use of technology in Iran and
Syria. U.S. entities and individuals are generally prohibited from engaging
in any transaction involving Iran and Syria unless such transactions are
authorized by the Department of the Treasury's Office of Foreign Assets
Control. Foreign entities and individuals may also be subject to license
requirements if their transactions involving Iran or Syria also involve the
United States, such as a funds transfer that transits a U.S. bank. For
transactions involving exports to Iran or Syria, U.S. companies should also
consult with the Department of Commerce's Bureau of Industry and Security
regarding relevant licensing requirements.

Persons with questions on sensitive technology, section 106 of CISADA, or
TRA should contact the State Department's Office of Sanctions Policy and
Implementation in the Bureau of Economic and Business Affairs at (202)
647-7489 or e-mailing CISADA106 at state.gov.


-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.