Over the past year or so I have written a couple of postings on the Haystack software. This software was designed to help Iranian dissidents circumvent government censorship measures in Iran. Apparently, Haystack and its developer, Austin Heap, have come under heavy fire this week from a number of sources stating that their software has significant security holes which could put those same dissidents it seeks to assist in grave danger.

Although I consider myself more tech saavy than the average attorney, I’m still an attorney, and as such I could not even begin to test the coding of this software to verify that these security holes exist or how they could be manipulated. However, a lot of people are saying there are significant security concerns about the software. It is within this context that I received a call from one of the sources covering this story. During the course of the conversation an interesting issue came up: if the software is flawed and Iranian dissidents are exposing themselves to significant danger who’s fault is it?

Obviously, one’s immediate reaction would be to blame the developer or such software. However, when dealing with an export of technology to Iran, we’re talking about a transaction which would have to be authorized by the United States Department of the Treasury Office of Foreign Assets Control (“OFAC”). Indeed, Haystack eventually did receive such authorization in the form of a specific license from OFAC earlier this year and although I have not personally seen their license application it has been related to me that they provided the code to the software as part of their license application submission. The source I was speaking with posited that some agency of the U.S. government must have tested the software and known, or should have known, of these security holes when they issued the license. If this was the case then surely the U.S. government would have to take some of the blame for allowing exports that would put Iranian dissidents in danger.

I listened to this assumption at the time and thought it was fair, however, now I respectfully disagree. I think the source brought up a great point and its not entirely crazy to place some of the blame on the U.S. government for licensing the export of technology that could possibly put human lives at risk. However, its just not practical. The raison d’etre for the licensing regime under the Iranian Transactions Regulations (ITR), aka the Iran Sanctions, is to ensure that the authorization of an otherwise prohibited export would not be contrary to the foreign policy objectives of the United States of America; not to protect the consumers of those technologies in Iran. More specifically, the examination of such technologies by OFAC, the U.S. Department of State, The U.S. Department of Commerce Bureau of Industry and Security (“BIS”) and/or any other U.S. federal agency in light of the export controls implemented by the ITR is to ensure that the technology will not further specific activities; i.e., Iran’s proliferation of weapons of mass destruction, Iran’s support of foreign terrorist organizations, or the further enhancement of Iran’s nuclear, military, or industrial infrastructure.

For better or worse, I don’t believe that the powers that be were examining this software in order to protect lives, but rather to protect American interests. Moreover, I believe placing the burden on OFAC to ensure that the exports they authorize for consumption by Iranians are 100% safe would be impractical and outside the scope of their mission. As such, while I agree that authorizing technology exports containing security holes is unfortunate, I don’t necessarily agree with extending liability to OFAC or any other U.S. government agency for such actions. This line of thought would attempt to place OFAC in a position similar to the Food and Drug Administration and their role in approving drugs. However, again it should be stated that OFAC’s mission is to ensure that exports to Iran coincide with U.S. foreign policy objectives, not with protecting the consumers of such exports. Furthermore, even if you could draw a parallel between OFAC and the FDA in this regard, it is unlikely there would be any legal liability as the jurisprudence is fairly well established that a plaintiff could not sue the FDA for approving drugs with possible side effects; as such it would likely be the same with OFAC. Unfortunately for Austin Heap, I don’t believe the government would share in any legal liability for authorizing a potentially unsafe technology export.

I would be interested to hear from any plaintiff’s attorneys who disagree. Feel free to email me.

The author of this blog is Erich Ferrari, an attorney specializing in OFAC litigation. If you have any questions please contact him at 202-280-6370 at 202-351-6161 or ferrari@ferrari-legal.com.