Country-based sanctions start to get leaky in the age of the Internet. How does a software download service know whether or not it’s providing a service to an individual in a sanctioned country?

A blogger at PBS’s Mediashift Blog notes that Google has blocked downloads of its new browser Chrome, as well as other Google programs, to residents of Syria and Iran. Well, sorta:

Iranian blogger, Hamid Tehrani, who edits the Iran section for Global Voices, [reports] that Chrome is blocked, along with other Google downloads, in Iran. But it’s relatively easy for Iranian users to get around this obstacle. [Another Iranian blogger reported] in an email (from his Gmail account) that he is still able to access Google services by using a proxy.

“Currently, we are using all of the search engines and portals without any restriction, using the latest versions of Google Earth, Chrome, GTalk and any other downloadable product,” he said. In addition to helping users get around government filtering and censorship, proxies and anonymizers can also fool Google’s servers into thinking that the downloads were going elsewhere rather than to users in Iran.

What’s going on here is that normally each user is assigned an IP address that identifies the user as he or she surfs the Internet. IP addresses are assigned, in part, based on geographical location, and there are blocks of IP addresses that would identify an Internet surfer as Iranian or Syrian (or French, etc.) Google has, apparently, blocked downloads from users with IP addresses allocated to sanctioned countries. An open proxy server, however, can be used by most browsers to connect to the Internet, thereby making the user appear to be coming from the country in which that proxy server is located rather than from the country in which the user is actually located.

The article reports that other web-based service providers have taken alternate approaches to dealing with U.S. sanctions.

Although Yahoo removed Iran from the drop-down list, Iranians were still using Yahoo services, according to Kourosh Ziabari, an Iranian journalist and blogger who wrote about the issue for the citizen journalism site OhMyNews.

“[Iranians are using] Yahoo services, downloading new versions of Messenger, using the different web site parts but not finding the name of their country in the sign-up list,” Ziabari wrote. “In fact, if an Iranian user wanted to sign up for a new account in Yahoo mail, he should have selected the name of the other countries, and then he would proceed.”

Although removing Iran, Cuba, Syria and other sanctioned countries from drop-down lists is certainly a good idea to demonstrate compliance with U.S. economic sanctions, it can hardly be considered sufficient. Websites that provide web services, such as downloads, should also capture IP addresses in order to determine whether a web-based customer is coming from sanctioned country. Arguably, websites that sell non-virtual products (you know, computers, GPS equipment, bricks, etc.) should also capture those addresses. A web-based order from Iran for a shipment to the UAE is a bit of a red flag, n’est-ce pas?

But given the ease of using proxy servers, should websites do more to implement U.S. sanctions? Should Google (and other browser providers) put “kill switches” in downloadable software that would make a direct connection to the Internet, “call home,” and then shut the program down if the home servers indicated the verification connection was coming from a sanctioned country? Or should the program require activation using a code sent to an email address other than a web-based email address? Any other ideas? Or is this just a losing battle that should be abandoned?

Permalink