May
9
Internet Download From Iran Leads to Criminal Prosecution in U.S.
Posted by Clif Burns at 9:50 pm on May 9, 2007
Category: Criminal Penalties • Sanctions
Reader Mike Deal forwarded to me some of the documents filed in the prosecution of Mohammad Alavi, who has been charged with exporting copies of simulation software to Iran in violation of the Iranian Transaction Regulations. The affidavit filed in support of the arrest warrant provides some interesting background to the Alavi case.
According to that affidavit, Alavi was a naturalized U.S. citizen who was born in Tehran. He had worked at the Palo Verde Nuclear Generating Station since 1989 as a software engineer. In the summer of 2006, Alavi requested, and was granted, access to the site of Western Services Corporation in order to obtain a registration key to use Western Services Corporation’s software 3KeyMaster. That software is used, among other things, to simulate operations of power plants, including nuclear plants, fossil fuel plants and co-generation facilities. It is not used to control the actual operation of any power facilities.
Alavi resigned his position at Palo Verde in July 2006. Shortly after Alavi’s last day at Palo Verde, he traveled with his wife to Iran. In October 2006, while Alavi was in Iran, Alavi’s user name and password was used to log onto the Western Services site and download another registration key. The IP Address of the computer that logged on to the Western Services, 84.47.215.172, traced back to an Internet service provider located in Tehran, Iran. Alavi was arrested on his return to the United States on April 9.
The circumstantial case against Alavi, at least as set forth in the affidavit, seems strong. Each computer on which the 3KeyMaster software is downloaded needs a separate registration key for the software to operate. The registration key is generated by the Western Services website based on the serial number of the computer’s hard drive. The only reason for Alavi to log on to the Western Services site while in Iran was to obtain a 3KeyMaster registration key for the computer in Iran from which he logged on.
But Alavi may not be the only one who violated the Iran sanctions here. Western Services, after all, supplied the registration key even though the IP Address to which it supplied the key traced back to Iran. Without the registration key, the software would not continue to work. And a simple reverse DNS look-up by Western Services on the IP Address 84.47.215.172 would show that the computer was located in Iran. Click here to see for yourself.
The issue here is whether providers of Internet services should be required to take steps to determine the location of the computer requesting those services. As we previously noted, Google Earth took such steps to prevent download of the Google Earth software to computers located in Sudan. Should this be done by everyone providing services over the Internet? Did Western Services have an obligation to do a reverse DNS look-up before allowing a user to download a registration key? Let me hear your thoughts on this in the comments.
Permalink
Copyright © 2007 Clif Burns. All Rights Reserved.
(No republication, syndication or use permitted without my consent.)
7 Comments:
You’re trying to sell GeoIP location services, right? How reliable are such responses? The problem with mandating such lookups is that it lulls you in a false sense of security while a smart attacker uses a proxy or the ISP changes IP addresses.
It makes sense to log and report such foreign IP addresses but this can’t be the only way, let alone law mandated.
In this particular case the software provider hadn’t revoked his credentials even though he was no longer employed with the power plant. Well, maybe they put a honeypot ๐
GeoIP is different from using reverse DNS and a Whois query to find the address of the host computer. I agree that GeoIP is not that reliable, but if a reverse DNS/Whois inquiry would show that the computer is in Iran, what possible argument does a company have for permitting that host computer to download software?
Furthermore, if that info is good enough to convict Alavi, why isn’t it good enough to raise questions about why Western Services allowed a computer in Iran to download a registration key?
I agree with the relative ease in getting around such systems, but one can’t deny that if even the simplest reverse-DNS lookup policy was in place, this transaction would have been halted.
Cliff: Just in the interest of completeness, I note that the FBI affidavit omitted the fact that the software in question is not nuclear specific, but is safety training software that is in fact EAR99, and used in conventional fossil fuel and co-generation plants. That begs the question of whether this particular application software was “information or informational material” within the meaning of the exclusion from presidential authority set forth in the Berman Amendment as modified by the Free Trade in Ideas Act, 50 USC 1702(b)(3). The legislative history suggests that it was meant to be interpreted broadly, at least as broad as the 1st Amendment. In Junger v Daley, the 6th Circuit held that software is information protected by the 1st Amendment, albeit not entitled to strict scrutiny due to its dual functional character. We all know from the PENN and IEEE suits that OFAC realizes its vulnerable on the Berman Amendment issue, thus the reason for mooting both suits by establishing a general license for publishing that covered the representative plaintiffs’ situation in those cases. What the complaints, especially in the PENN case, make eminently clear is that OFAC has willfully violated 1702(b)(3)by issuing regs that do not fully implement the statutory exclusion because they do not conform to either the statutory text or the legisltive history. In fact, the legislative history to the Free Trade in Ideas Act explicitly states that it was being enacted because OFAC failed to give effect to the original Berman Amendment. I reckon my point is that just because this case doesn’t meet OFAC’s regulation doesn’t mean that it doesn’t necessarily fall within the statory exclusion. I don’t think OFAC is entitled to Chevron defference here: As in the Gitmo cases, in which the Supremes applied US. v Mead far broader than just for interpretation of the HST, OFAC’s interpretation is entitled to only Skidmore defference, i.e., only the power to persuade.
One other thing, Cliff: One should say that Mr. Alavi is alleged to have done these things. Anyone familiar with the FBI knows that its agents in the counterintelligence section (which is more aptly named than they might think) are all aspiring spy novelists who use the occasion of filing affidavits to practice their craft. The GAO report sent to the House International Affairs committee last December is pretty indicative that FBI expertise in export controls is prit’ near nothin’.
Mike: Agreed, although I thought I made clear that what I was recounting were only the allegations of the affidavit. That includes both what Alavia and Western Services were alleged to have done.
[…] As we reported earlier, Alavi was accused of having downloaded, while in Iran, simulation software used for training employees at various power facilities, including nuclear generation plants. The prosecution also alleged that Alavi took to Iran detailed schematics of the Palo Verde nuclear plant. […]
