# Iran, you better run - .ir hosting in US ILLEGAL PART 2 - embargo breakers



## drmike (Oct 7, 2013)

So, we remember the Iran hosting thread that blew up with some sad providers mad about it being a CC shill piece:

http://vpsboard.com/topic/1944-justhost-a-us-hosting-company-shuts-down-iranian-opposition-website/

Well, the topic of Iran hosting within the United States hit WebhostingTalk, again.

This time, @funkywizard / Gabe from the very well liked IOFLOOD in Phoenix, Arizona, posed the question:



> I've gotten an unusual request, and I really don't know the answer. A sales lead has asked: "We Want To Resell Your Dedicated Server In Iran; Can We?"
> 
> I really don't know the answer to this question. Ignoring for a moment payment methods, is this something I'm even allowed to do?



What follows is aside from political bantering about stereotyping against whole countries, is a clear, no you cannot host .IR hosts and/or sell to Iranians even in your "uknown" downstream.

Whole thing here ---> https://www.webhostingtalk.com/showthread.php?t=1189254


----------



## peterw (Oct 7, 2013)

This is not about US or not US. Don't play with embargos. Even the EU does not play nice with embargo breakers.


----------



## jarland (Oct 7, 2013)

The topic was better received when someone with a fancier signature and a "corporate member" badge posted it. Exactly my problem with the posters at WHT.

Random person says it, the members basically say "GTFO out of our clubhouse."

Old member says the same thing, "Hey let's have a serious discussion."


----------



## drmike (Oct 7, 2013)

Yeah you think about breaking the embargo as a rogue capitalist you join the ranks of terrorists, money launderers and their ilk.  It's mega nowhere land to put your company in.

Folks complained for past decade or better about HIPAA regulations and open ended penalties on those disclosing medical info.  Compared to the Treasury regulations for embargo stuff, HIPAA looks like a wrist slap.

I brought this back to the forefront, since the topic isn't going away any time soon.  The embargo has been in place since the 1970s.

Regs might loosen like they did recently, but PLEASE consult with legal advisors and get proper clarification from Treasury before engaging in Iran deals.  Applies to downstream customers of customers too.


----------



## peterw (Oct 7, 2013)

And add some additional coutries to the list: http://www.pmddtc.state.gov/embargoed_countries/

Afghanistan
Belarus
Burma
China (PR)
Côte d'Ivoire
Cuba
Cyprus
Democratic Republic of the Congo
Eritrea
Fiji
Guinea, Republic of
Haiti
Iran
Iraq
Kyrgyzstan
Lebanon
Liberia
Libya
North Korea
Somalia
Sri Lanka
Sudan
Syria
Venezuela
Vietnam
Zimbabwe


----------



## drmike (Oct 7, 2013)

Fiji  

Thanks for the list @peterw.

I suspect popular panels blocks these countries or at least the clear no-no's?


----------



## peterw (Oct 7, 2013)

buffalooed said:


> I suspect popular panels blocks these countries or at least the clear no-no's?


I am not sure about China and Vietnam (weapon related) but the rest should be no-no's.


----------



## Shados (Oct 7, 2013)

peterw said:


> And add some additional coutries to the list: http://www.pmddtc.state.gov/embargoed_countries/
> 
> Afghanistan
> 
> ...


I've been to two of those. Guess I've got my travel plans for the next few years, then .


----------



## ChrisM (Oct 7, 2013)

peterw said:


> And add some additional coutries to the list: http://www.pmddtc.state.gov/embargoed_countries/
> 
> Afghanistan
> 
> ...


You should really research it more. Some of these bans were over in the late 80's early 90's.


----------



## HalfEatenPie (Oct 7, 2013)

If I recall EDIS once sold large quantities of servers to North Korea.


----------



## drmike (Oct 8, 2013)

Chris Miller said:


> You should really research it more. Some of these bans were over in the late 80's early 90's.


That list links through to the US Department of State - Directorate of Defense Trade Controls.

Meaning that is the long list for arms/military restrictions.  A bit over reaching for hosting area like Miller is inferring.

A reduced and slightly more on point list here:

http://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx


----------



## NetWatcher (Oct 8, 2013)

We had situation when cPanel contact us to remove an .ir account from our shared hosting server... 

We had to do it, because otherwise they would suspend license... 

And we are non US company... But by their policy we cannot let IR users to use their services... 

Even we paid for that license  

So, it's very pity...


----------



## Francisco (Oct 8, 2013)

Turelio said:


> We had situation when cPanel contact us to remove an .ir account from our shared hosting server...
> 
> We had to do it, because otherwise they would suspend license...
> 
> ...


Does the law require this? Or is it just a 'they prefer' option?

Francisco


----------



## NetWatcher (Oct 8, 2013)

I guess US law require this on some level. 

cPanel also have require to agree with 

" To the best of my knowledge, the license I am about to add is not for a machine owned, operated, or located in a country and/or person that US export regulations prohibit. Further information can be found at US Department of Treasury Office of Foreign Asset Control (OFAC).

" 

Before you proceed with adding some license. 

 

But from other side, for example Microsoft and Apple should say "Ok, you cannot use our OS if you work with Iran people"  

Such decisions and regulations are very questionable.


----------



## EricGregory (Oct 10, 2013)

When I used to work for cPanel we always had to deal with people who were doing things they shouldn't be.  Always a fun time.  The OFAC list is your friend.  Basically, if there is a doubt about the legality of doing business with someone, somewhere the potential hassle usually isn't worth it.

This page may also be of use:

http://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx


----------



## DomainBop (Nov 13, 2013)

> no you cannot host .IR hosts and/or sell to Iranians even in your "uknown" downstream.



That might explain why bgp.he.net now has a red lock symbol next to the 185.2.12.0/22 IP range http://bgp.he.net/net/185.2.12.0/22

A large percentage of the websites which this page (https://route.robtex.com/185.2.12.0-22.html#sites) shows were formerly hosted on that IP range are now hosted on AS19084 which is single homed to [fill in blank]


----------



## graeme (Nov 20, 2013)

The long list is completely wrong. I live in one of the countries on the list, and there have never been US or EU sanctions that would affect anything other than weapons sales.

The link to the OFAC site is more helpful, but you need to read the documents. A lot of the sanctions apply to dealing in property and investments (so services are OK, I think) by certain people, not the country as a whole -  it does not matter if they move to another country - you still cannot sell them stuff.

Finally, US and EU sanctions are far from identical.


----------



## scv (Nov 20, 2013)

DomainBop said:


> That might explain why bgp.he.net now has a red lock symbol next to the 185.2.12.0/22 IP range http://bgp.he.net/net/185.2.12.0/22
> 
> A large percentage of the websites which this page (https://route.robtex.com/185.2.12.0-22.html#sites) shows were formerly hosted on that IP range are now hosted on AS19084 which is single homed to [fill in blank]


The red lock means the ROA (Route Origin Authorization) is invalid. So, they aren't supposed to be using that IP space or they've incorrectly setup their ROA.


----------



## Ruchirablog (Nov 20, 2013)

drmike said:


> I suspect popular panels blocks these countries or at least the clear no-no's?


I'm a Sri lankan and I never had a problem signing up to anything


----------



## InertiaNetworks-John (Nov 20, 2013)

Turelio said:


> We had situation when cPanel contact us to remove an .ir account from our shared hosting server...
> 
> We had to do it, because otherwise they would suspend license...
> 
> ...


How did they know you had an .ir account on your server?


----------



## fixidixi (Nov 20, 2013)

by default cpanel sends back 'usage statistics'

but i think someone snitched them..


----------



## InertiaNetworks-John (Nov 20, 2013)

fixidixi said:


> by default cpanel sends back 'usage statistics'
> 
> but i think someone snitched them..


Time for me to disable those usage stats!

Not that I'm hiding anything, but I'd rather keep client data private...


----------



## drmike (Nov 20, 2013)

Yeppers, looks like the resident Iranians are playing musical chairs over at ColoCrossing.

One group of them appears to have a new Delaware incorporation to hide behind.  Good luck with that since Delaware doesn't protect like that/shield.


----------



## SPINIKR-RO (Nov 20, 2013)

IIRC Sanctions were lightened with Iran earlier this year and selling digital goods is legal as long as its not B2B related.

http://arstechnica.com/tech-policy/2013/05/everything-from-iphones-to-vpns-can-now-be-legally-exported-to-iran/

http://www.treasury.gov/press-center/press-releases/Pages/jl1961.aspx



> the Obama Administration lifted digital sanctions that for more than two decades have prevented companies that do business in the US from also selling or distributing digital goods—including mobile phones, hosting services, VPNs, and software updates—to Iran.


I saw this and asked if cPanels policy still stood, which it does and is now more of a company policy that a requirement.



> We are aware of a new OFAC press release involving internet communications and are currently reviewing this information internally, which may take our Legal Team up to 30 days for review. No actions have been taken to change our policy at this time.


----------



## javaj (Nov 20, 2013)

SPINIKR-RO said:


> IIRC Sanctions were lightened with Iran earlier this year and selling digital goods is legal as long as its not B2B related.
> 
> http://.com/tech-policy/2013/05/everything-from-iphones-to-vpns-can-now-be-legally-exported-to-iran/
> 
> ...



Yeah I just read that arstechnica article too, I've been trying to do some research on related embargoes but I would like to know what cPanel's legal team comes up with for an answer before I would want to touch any customer from Iran at this point, be it for any form of service, cPanel or not.

I guess just going by cPanels non updated TOS, it looks like _"export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan or to any country subject to relevant trade sanctions."_ there are several other countries which could possibly land you in jail, hefty fines etc.,

Studied a few other gov't websites too, but felt like I would need to hire a legal team just to know what the hell was what.


----------



## scv (Nov 20, 2013)

The safest bet is to avoid selling to these customers, even if the sanctions have been lightened. You can't rely on the customer to honestly tell you if they're acting as an individual or a business.


----------



## InertiaNetworks-John (Nov 20, 2013)

scv said:


> The safest bet is to avoid selling to these customers, even if the sanctions have been lightened. You can't rely on the customer to honestly tell you if they're acting as an individual or a business.


Very true. The last thing that you would want is getting into legal trouble with something like this.


----------



## EricGregory (Nov 21, 2013)

^^What he said.  Always better to play it safe.  Whatever gain you may realize will be negated by the headache of dealing with any government entities.


----------



## DomainBop (Nov 21, 2013)

SPINIKR-RO said:


> IIRC Sanctions were lightened with Iran earlier this year and selling digital goods is legal as long as its not B2B related.


I'm lazy so I'll repost the LET post I made in May when the sanctions were lightened. 



> The sanctions on US hosting companies selling hosting services to Iranian individuals for non-commercial personal communications purposes have been lifted but the sanctions on selling hosting services to Iranian companies/individuals that will be used for commercial endeavors is still prohibited. Domain name registration services are also still prohibited.
> 
> (see section 4 on page 3 http://www.scribd.com/doc/144712313/iran-gld


http://lowendtalk.com/discussion/10839/services-to-iran

TL;DR you can host a strictly personal blog that is owned by an Iranian national but all commercial sites that are owned by Iranian nationals are still forbidden.  Selling .ir domain names, and hosting .ir domains is also still forbidden--the sanction easing didn't apply to domain names.


----------



## BlueVM (Nov 28, 2013)

Based on this document:

http://www.treasury.gov/resource-center/sanctions/Programs/Documents/internet_freedom.pdf

It appears we can sell VPS and web hosting to Iranian persons, just not domains.


----------



## drmike (Nov 29, 2013)

BlueVM said:


> Based on this document:
> 
> http://www.treasury.gov/resource-center/sanctions/Programs/Documents/internet_freedom.pdf
> 
> *It appears we can sell VPS and web hosting to Iranian persons, just not domains.*


Re-read that document.

Legalese is a mOtherfncker.   That document is pretty clear to someone like me who has spent decades deciphering such bullsh!t.

*Page 1, Paragraph 2, *

"...  provided that such services are publicly available *at no cost to the user*..."

That right at the get go says these exemptions are NON COMMERCIAL in nature.  Meaning, no corporate use, no business hosting and no accepting payments from Iranian folks.

*Page 1, Paragraph 4, (speaking on same authorizations under 560.540 of Iranian Transactions Regulations)*

"... This section does not authorize ...

(4) the direct or indirect exportation of web-hosting services that are for purposes other than PERSONAL COMMUNICATIONS..."

(my emphasis on PERSONAL COMMUNICATIONS)

So no, this document says selling dedicated servers, accepting money for peering, selling VPS, selling cPanel, selling anything basically is prohibited.

HOWEVER,   you can create a site called colocrossinglovesiran.com and give away free forums, free file storage, free email, etc. to Iranian citizens.

Don't quote me, but this clarification matter as I recall was the result of entities like email hosts, Google, Yahoo, etc. asking the Treasury for clarification so as to not run afoul of the regulations.  All the entities are "free" services or perceived to be (i.e. they aren't in the hosting package sales sector).


----------



## BlueVM (Nov 29, 2013)

It was my understanding that section III stated that specific fee-based services could be exempted from the embargo and that web hosting was listed under such exemption. Each of the three sections lists off different forms of acceptable exports.

I could be wrong... this is probably something for the EFF to look into.


----------



## Kakashi (Nov 29, 2013)

scv said:


> The safest bet is to avoid selling to these customers, even if the sanctions have been lightened. You can't rely on the customer to honestly tell you if they're acting as an individual or a business.


This is pretty much my stance as well.Just not worth the money/trouble/risk.


----------



## drmike (Nov 29, 2013)

BlueVM said:


> It was my understanding that section III stated that specific fee-based services could be exempted from the embargo and that web hosting was listed under such exemption. Each of the three sections lists off different forms of acceptable exports.
> 
> I could be wrong... this is probably something for the EFF to look into.


It's unlikely, unless recent activity to loosen sanctions allows something new.  Spirit of the regulations were to prevent any commerce activity that would benefit any business in Iran and especially to prevent benefit by the Iranian government.

Over the years (since the 1970's) many folks have asked for clarifications for all sorts of things from the Treasury.   Like most laws, the legalese simply sucks.    Nested gotchas of logic that make any programmer cringe.

Humanitarian and albeit free has pretty much been the only real exemption to any data service or related offering.  Offering such would minimize to some extent popularity of competing service/offering in Iran which is consistent with spirit of the regulations.

I'd be glad to see something that contradicts with what I've said though.  

To recap what I've said prior and probably elsewhere, if you get caught violating the embargo, your ass is grass.   The Treasury can be as nice or as heavy handed as they like. Penalties aren't clear and enforcement is rather arbitrary.    How heavy?  Well messing with the Treasury in such a way is much like intentionally stiffing the IRS.


----------



## alipoor90 (Nov 3, 2014)

the good thing about this sanctions is that is made us very creative 

for example i think now we know more than paypal stuffs about paypal

we also host  thousands of cpanel servers in iran without any problem

just run a VPN server in europe/US and tunnel from hypervisor/HW router/router VM/VM to that server and connect the tunnel just for a moment after restarts to enable the cpanel to validate the license and then disable tunnel (also you should block cpanel license server in your regular network)

*I think cpanel will not going to like this  because with this method you can even use single license for multiple servers! because all of them will use same IP to validate the license (the IP of VPN server)*


----------



## Francisco (Nov 3, 2014)

For your sake I hope cpanel doesn't find your box because they'll suspend just because you're hosting .ir domains.

Francisco


----------



## HalfEatenPie (Nov 3, 2014)

I don't really understand people who try and boast about circumventing policies and laws.  

You want a medal for it?


----------



## DomainBop (Nov 3, 2014)

HalfEatenPie said:


> I don't really understand people who try and boast about circumventing policies and laws.


The legality or illegality of an action is relative to where you call home. If he's in Iran then he's not circumventing any policies or laws that apply to him because he is only subject to Iranian laws and regulations.

The sanctions against Iran aren't an Iranian law and therefore Iranians aren't breaking any laws in their country if they find ways to circumvent the sanctions .

Plus,  Iran and the US have no official copyright relations so US copyrights don't mean squat in Iran and (published) US software and other US copyrighted works can be legally copied in Iran (and likewise Iranian copyrights don't mean squat in the US and Americans are free to make copies of published Iranian copyrighted works).


----------



## HalfEatenPie (Nov 3, 2014)

DomainBop said:


> The legality or illegality of an action is relative to where you call home. If he's in Iran then he's not circumventing any policies or laws that apply to him because he is only subject to Iranian laws and regulations.
> 
> The sanctions against Iran aren't an Iranian law and therefore Iranians aren't breaking any laws in their country if they find ways to circumvent the sanctions .
> 
> Plus,  Iran and the US have no official copyright relations so US copyrights don't mean squat in Iran and (published) US software and other US copyrighted works can be legally copied in Iran (and likewise Iranian copyrights don't mean squat in the US and Americans are free to make copies of published Iranian copyrighted works).


In this case I was simply referring to the policies set by companies in order to protect their own interests.  I mean if you get around another company's policies I guess good for you?  But advertising it and boasting about it I don't understand.


----------

