Colleagues, Under the latest Iran and Syria sanctions bill, which I have discussed on the list previously, there was a reporting requirement related to the definition of sensitive technologies. Yesterday State put forward such a definition and opened a call for comments, due in two months. It would be worth everyones time to sort through the request and contribute guidance -- I will be doing so and would be more than happy to collaborate with others.
http://www.state.gov/e/eb/tfs/spi/iran/fs/200316.htm Cordially, Collin --- Department of State: State Department Sanctions Information and Guidance AGENCY: Department of State. ACTION: Policy guidance. SUMMARY: The Department of State is publishing information and guidance for the public addressing the State Department's sanctions authorities, including under the Iran Sanctions Act, as amended, certain Executive Orders related to Iran sanctions, section 106 of the Comprehensive Iran Sanctions, Accountability and Divestment Act of 2010 (CISADA) and certain related provisions of law, and certain statutes and Executive Orders related to terrorism and weapons of mass destruction. DATES: The Department of State will accept comments on the Guidance on Iran Sanctions and the Guidance on Sensitive Technology until January 12, 2013. ADDRESSES: Interested parties may submit comments within 60 days of the date of the publication by any e-mail at [email protected] with the subject line, "Sanctions Guidance". SUPPLEMENTARY INFORMATION: The Secretary of State has legal authority to make determinations regarding sanctions on individuals and entities that meet certain criteria in three areas that are important to the national security, foreign policy, and economy of the United States: certain activities related to Iran; certain activities related to weapons proliferation; and certain activities related to global terrorism. This notice includes policy guidance outlining the State Department's authorities under the Iran Sanctions Act, as amended, and related Executive Orders (EOs); provides guidelines to further describe the technologies that may be considered "sensitive technology" for purposes of section 106 of CISADA, as required under section 412 of the Iran Threat Reduction and Syria Human Rights Act of 2012, and other related provisions of law; and provides information on the State Department's authorities under certain other EOs and statutory provisions related to terrorism and weapons of mass destruction. ... II. Guidance on the Provision of "Sensitive Technology" to Iran and Syria Section 106 of the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (CISADA) (Public Law 111-195) (22 U.S.C. 8501 *et seq *.) prohibits U.S. government agencies from entering into or renewing procurement contracts with individuals or entities that export "sensitive technology" to Iran. Further, sections 402 and 703 of the Iran Threat Reduction and Syria Human Rights Act of 2012 (TRA) (Public Law 112-158) mandate the imposition of sanctions on persons who are determined to have engaged in certain activities, including, on or after August 10, 2012, to knowingly transfer, or facilitate the transfer of "sensitive technology" to Iran or Syria, or provide services with respect to "sensitive technology" after such technology is transferred to Iran or Syria. Section 106 of CISADA defines "sensitive technology" as "hardware, software, telecommunications equipment, or any other technology, that the President determines is to be used specifically - (A) to restrict the free flow of unbiased information in Iran; or (B) to disrupt, monitor, or otherwise restrict speech of the people of Iran." Section 703 of TRA defines "sensitive technology" in the same way with respect to Syria. These guidelines, which are required under section 412 of TRA, are intended to assist individuals and entities so that, going forward, they can make appropriate decisions with regard to business in Iran and Syria and take steps to avoid engaging in potentially sanctionable transactions under sections 106 and 105A of CISADA, as amended by section 402 of TRA, Executive Order 13628, and section 703 of TRA due to the similarity of the definition of "sensitive technology" to section 106 of CISADA. *Misuse of Technology in Iran and Syria* Information and communications technology serves to facilitate communication, share information, and connect users to each other. Over the last several years, the world has witnessed the important role this technology can assume in holding repressive regimes accountable, assisting people in exercising their human rights and protecting emerging elements of civil society. However, certain information and communications technology can also provide unprecedented capabilities for governments to conduct surveillance on users" communications and movements, and to block or disrupt communications. The people of Iran and Syria use telecommunications technology and networks to communicate with each other and the rest of the world. The United States government supports efforts to facilitate the free flow of information and freedom of expression in Iran and Syria and is cognizant of the vital importance of providing technology that enables the Iranian and Syrian people to freely communicate with each other and the outside world. At the same time, the Iranian and Syrian governments have taken steps to restrict the free flow of information and freedom of expression over their networks, to track and monitor the communications of their people for the purpose of perpetrating human rights abuses, or to disrupt networks in support of military operations against their own people. *Determining "Sensitive Technology"* In determining whether a particular transaction involves a good or technology that may be considered "sensitive technology" under CISADA and TRA, the United States government will closely examine transactions that could provide significant surveillance, censorship, or network disruption capabilities to the Iranian or Syrian governments as a result of the particular end-user, its end-use, or the type of technology. The United States government recognizes that certain geolocation and other monitoring capabilities are part of the basic functioning of modern telecommunications networks. The United States government further recognizes that online communications services commonly track users' network addresses and usage patterns and may request additional personal information from users. These capabilities generally would not be considered "sensitive technology" under CISADA and TRA. Moreover, "sensitive technology" does not generally include technology essential for ordinary network operation, personal computing or private communications that does not provide significant surveillance, censorship or network disruption capabilities, including: Wi-Fi access points, network routers, switches and mobile phone base stations; cables (fiber optic, coaxial and twisted pair); basic network performance monitoring tools; wireless antennas and other architectural elements; mobile phones and mass market desktop, laptop and tablet computers without external monitoring or surveillance capabilities such as keyloggers; computer monitors, screens, speakers, mice, headphones, headsets, and other accessories; defensive technologies to protect individual computers against malware and related security threats (including software and definition updates); software development tools including libraries, integrated development environments, hosting services, and collaboration platforms; mass market document creation, viewing and editing tools without special surveillance capabilities; censorship-circumvention technologies and services; virtual private network (VPN) services; anti-tracking and encryption technologies to protect user privacy, if supplied without monitoring or surveillance capabilities; personal communications technologies (including software updates to such technologies) such as instant messaging, chat, e-mail, social networking, photo and movie sharing, web browsing, and blogging; web browser plug-ins for rendering web content; data and web hosting and storage technology without monitoring or surveillance capabilities; RSS feed production, distribution, and reading tools and comparable information transmission technologies; and other similar equipment that does not provide significant surveillance, censorship or network disruption capabilities. When making an assessment of whether or not a company, entity, or individual is exporting, transferring, facilitating the transfer of, or providing services that may be considered sensitive technology with regard to Iran or Syria, the State Department will review all available information, including through direct communication with the entity or individual if possible. It will consider, among other factors, whether a company knew, or should have known, that a particular end-user of its technology was likely to misuse such technology, or that a particular technology has a history of being misused in Iran or Syria to further human rights abuses. As such, individuals or entities engaged in transactions with Iran or Syria involving telecommunications goods, services or technology should conduct rigorous due diligence to "know their customer" and assess the potential risk that a particular technology is likely to be used to facilitate human rights abuses, restrict the free flow of information, or disrupt, monitor, or otherwise restrict speech of the people of Iran and Syria. For example, individuals or entities sanctioned by the U.S. government for activities related to human rights abuses in Iran and Syria may pose a more apparent risk of misusing technology. Under these circumstances, any hardware, software, or telecommunications equipment provided to persons sanctioned for human rights abuses pose the potential to be considered "sensitive technology" for the purposes of CISADA and TRA, and any type of support provided to these individuals or entities may subject the provider to sanctions. Regardless of the recipient or known end-use, specific telecommunications technologies such as "lawful interception" and "surreptitious listening" devices, systems and technology for the interception of wire, oral or electronic communications or to jam or intercept the air interface of mobile telecommunications, have the potential to be considered "sensitive technology" for the purposes of CISADA and TRA under some, but not all, circumstances. Similarly, keyword list blocking technology that allows persons to block the transmission of content containing certain words, has the potential to be considered "sensitive technology" for the purposes of CISADA and TRA under some, but not all, circumstances. The following is an illustrative, but not exclusive, list of other technologies and capabilities that pose the risk of being misused by the Iranian and Syrian governments, and that have the potential to be considered "sensitive technology": - Key logging technology / spyware - Allows persons to record key strokes, mouse clicks, data processes, or activity on a touchscreen without consent of the device user. - Mobile device forensics data extraction and analysis technology - Allows persons to extract and analyze data from a mobile phone device, even if password protected. - Nonconsensual remote forensic technology - Allows persons to perform undetected collection and analysis of data from remote target computers. - Nonconsensual tracking/monitoring technology - Allows persons to cause a mobile or networked device to reveal its geographic location, operating status or application data, without consent of the device owner or content provider. - Network disruption technology - Designed to enable disruption, inhibition or degradation of networks or sub-parts. - Infection vectors technology - Allows persons to install or execute malware or perform other attacks. - Rootkit technology - Allows persons to defeat or bypass security, hide malware, or enable privileged access to computer process or network resources. - DNS poisoning technology - Allows persons to hijack Domain Name System (DNS) requests and reroute Internet traffic to illegitimate websites / servers. - Censorship-enhancement technology - Designed to allow persons to enforce content blocking or to fingerprint and/or defeat anti-censorship technologies. This guidance was developed for its applicability to current conditions in Iran, as called for by section 412 of TRA and by section 106 of CISADA, and in Syria, due to the similarity of section 703 of TRA to section 106 of CISADA, and should not be considered automatically relevant for other contexts or conditions. The State Department will periodically review these guidelines and, if necessary, amend them to take into account new information and circumstances regarding the use of technology in Iran and Syria. U.S. entities and individuals are generally prohibited from engaging in any transaction involving Iran and Syria unless such transactions are authorized by the Department of the Treasury's Office of Foreign Assets Control. Foreign entities and individuals may also be subject to license requirements if their transactions involving Iran or Syria also involve the United States, such as a funds transfer that transits a U.S. bank. For transactions involving exports to Iran or Syria, U.S. companies should also consult with the Department of Commerce's Bureau of Industry and Security regarding relevant licensing requirements. Persons with questions on sensitive technology, section 106 of CISADA, or TRA should contact the State Department's Office of Sanctions Policy and Implementation in the Bureau of Economic and Business Affairs at (202) 647-7489 or e-mailing [email protected]. -- *Collin David Anderson* averysmallbird.com | @cda | Washington, D.C.
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
