If you’re old enough to remember downloading most of your software from FTP and gopher sites, you probably remember clicking on agreements where you promised not to export software to a wide range of nations the US maintained trade sanctions against. For much of the 1990s, strong encryption – including the sort of encryption used to securely send a credit card to Amazon – was considered a munition under US laws and subject to complex export regulations. The absurdity of this wasn’t lost on the geek community – it was very fashionable (if you were a Perl hacker) to pass through airports wearing a shirt with a implementation of RSA in Perl printed on the front. (I somewhere have a ratty black t-shirt with the warning “dangerous – munitions grade-encryption inside”, a shirt that I can no longer wear in good conscience, as I suspect I can no longer implement RSA or a similarly complex algorithm from memory.)
On January 14, 2000, the US government made changes to policies on encryption that made exporting software significantly less onerous, and many of these warnings disappear. But the rules are still pretty confusing, and it’s not hard to understand how some webfolks find themselves confused about who they can and cannot provide services to.
On Saturday, Global Voices Advocacy reported that LinkedIn, a popular business social networking site, was blocking access to Syrian users. Users thought that the site might be blocked by the government, but by using tools like Tor to circumvent firewalls, they discovered that the site was blocking access to all users who’d identified Syria as their location. After a brief, but ferocious Twitter and blog campaign, a LinkedIn staffer announced on Twitter that the block had been a human error and had been fixed. The official statement from LinkedIn, as reported on Global Voices Advocacy, read as follows:
Some changes made to our site recently resulted in Syrian users being unable to access LinkedIn. In looking into this matter, it has come to our attention that human error led to over compliance with respect to export controls. This issue is being addressed tonight and service to our Syrian users should be restored shortly.
I’m interested in this story because it has some resonance with a situation I reported on two months back, when web hosting company Bluehost decided to suspend accounts of Zimbabwean users. Evgeny Morozov reported on a similar decision to suspend Belarussian users, and friends in the Global Voices community report that Iranian and Syrian accounts were asked to leave by Bluehost as well. Outcry about Bluehost’s decision led the company to reconsider their policy, and some Zimbabwean bloggers decided to stay with Bluehost, while others concluded that the experience had eroded their confidence in Bluehost and went to other providers.
In my first post on the Bluehost situation, I accused them of being lazy, rather than of being anti-free speech. I speculated that they’d been warned they were hosting accounts in a country where US Treasury sanctions apply and they didn’t take the extra step of checking to see if the individuals in question were sanctioned. (They weren’t – the sanctions on Zimbabwe are highly targetted and certainly don’t apply to human rights organizations.)
As I’m watching other companies stumble over questions of who they should and shouldn’t work with, I’m feeling slightly more sympathy for Bluehost – it is genuinely difficult to figure out which Treasury and Commerce Department regulations apply to the use or hosting of websites. Furthermore, for companies offering hosting at fairly low prices, or services for free like LinkedIn, it’s easy to understand why a firm might choose to cut off customers rather than investigate a matter in more detail.
I’m hoping to get some clarity from colleagues at Berkman and elsewhere about exactly what restrictions and regulations Web2.0 companies and web hosting companies should be considering in providing services to users in Syria and other sanctioned countries. In the meantime, if anyone has insight on whether these two incidents are unrelated, or if there’s some sort of trend pressuring web companies to reconsider what countries they provide services to, I’d be grateful for your insights.