OFAC Letter On Request for Interpretive Guidance on the Applicability of Economic Sanctions to Infrastructure-as-a-Service Activities
Earlier this week, i2Coalition contacted the U.S. Department Of Treasury Office of Foreign Asset Control for clarity on issues of great importance to the Cloud community regarding the way global Internet commerce works online. That letter is attached. Though this may seem like some nuanced, archaic stuff it is important to engage in weedy conversations like this that give Cloud providers the confidence they need to operate in a global marketplace. This is a good example of the kind of work that i2Coalition does to help grow the Internet infrastructure industry.
Re: Request for Interpretive Guidance on the Applicability of Economic Sanctions to Infrastructure-as-a-Service Activities
Mr. Adam Szubin. Director. Office of Foreign Asset Control. U.S. Department of Treasury,
The Internet Infrastructure Coalition (i2C) is a trade association representing companies and organizations across the Internet infrastructure industry, including web hosting companies, registrars, and Infrastructure-as-a-service (IaaS) Providers. On behalf of i2C’s members who provide IaaS in particular, i2C hereby requests Interpretive Guidance from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on the applicability of economic sanctions laws and regulations to the provision of IaaS over the Internet to enterprise and individual customers. Specifically, in light of the U.S. Government’s recent policy initiatives and regulatory amendments to promote the free flow of information to, from, and within Cuba, this letter requests confirmation from OFAC that IaaS activities by IaaS Providers subject to U.S. jurisdiction do not implicate the prohibitions in the Cuban Assets Control Regulations, 31 C.F.R. part 515 (CACR). Alternatively, i2C requests that OFAC issue a general license authorizing such activities with respect to Cuba.
IaaS Providers offer infrastructure services for enterprise and individual customers via data centers, which may be located in the United States or elsewhere. Large IaaS Providers often have multiple data centers located in several different countries. Like a warehouse, a data center is a physical structure designed to optimize space, power, network, and personnel. Each data center can contain thousands of servers, as illustrated in the diagram below.
Enterprise and individual customers can “rent” the servers in these data centers for computing power and storage as well as managing intensive applications, databases, big data, and web sites in the cloud (i.e., over the Internet). This rental model, referred to as IaaS, enables customers to meet their computational needs at lower cost by allowing them to use resources at a remote location rather than on-site.
As illustrated below, IaaS Providers’ network traffic connects to the closest network points of presence (PoPs) and network carriers, depending on the geographical location. Alestra, ATT, China Telecom, China Unicom, Comcast, Level3, MetroRED, and NTT are a few examples of global network carriers that connect to the IaaS Providers’ networks.
Analysis of IaaS Activities Under the CACR
Persons subject to U.S. jurisdiction are prohibited from dealing in any property in which Cuba or a Cuban national has or has had an interest pursuant to Section 515.201 of the CACR. IaaS Providers subject to U.S. jurisdiction can readily determine whether their customers are located in Cuba through customer screening, which is an industry standard. However, once a customer is on-boarded, the IaaS Provider has only one mechanism for determining whether Cuban interests potentially are implicated by network traffic – specifically, the identification of Cuba-based IP addresses accessing an IaaS Provider’s network. It technically is possible for an IaaS Provider to block all such Cuba-based IP addresses from accessing its network. This so-called IP address blocking is, however, a blunt and overly broad tool that unnecessarily restricts the flow to and from Cuba of information which may be exempt or otherwise authorized by the CACR.
IaaS Providers have no way of segregating information on the servers in their data centers based on customer content, which they cannot see. All customer information may be co-located on the same servers or commingled in the same data centers. For example, a U.S. company could rent a server from an IaaS Provider to export or reexport to Cuba films, which are exempt as “information and informational materials” under Section 515.332 of the CACR. A non-U.S. company could rent a server from the same IaaS Provider to build a mobile application marketing tourist travel to Cuba and booking holiday packages. In a data center with thousands of servers working on behalf of thousands of customers, it is difficult – and, in some cases, impossible – for an IaaS Provider to differentiate between traffic involving Cuba.
The IaaS Provider has no involvement in, and often no visibility to, its customers’ communications that are flowing over its IT infrastructure.
IaaS Providers also do not own the content or control user access to that content on their servers. The prohibition on dealing in any property in which Cuba or a Cuban national has or has had an interest should apply only to the enterprise and individual customers who own or control access to the content. The enterprise and/or individual customers are in a better position to implement IP address blocking for Cuba because they have the requisite knowledge or reason to know the intended end use and end user of the information or data. In other words, an IaaS Provider’s delivery of infrastructure services to an enterprise or individual customer who exports or reexports (or attempts to export or reexport) software or technology to Cuba should not be considered “facilitation” under the CACR.
For these reasons, i2C submits that the IaaS activities of IaaS Providers do not implicate the prohibitions in the CACR and respectfully requests that OFAC issue Interpretive Guidance confirming this position.
Alternative Request for a General License
If OFAC disagrees with i2C’s analysis, i2C alternatively requests that OFAC issue a general license authorizing IaaS activities by IaaS Providers.
In a Fact Sheet on General Licensing for Communications dated July 13, 2015, Deputy Assistant Secretary of State for Threat Finance and Sanctions Andrew Keller is quoted as stating: “Telecommunications and internet-related services are a centerpiece of the recent changes in our Cuba sanctions regime. We want to do what we can to get the Cuban people connected to the Internet, have them using modern devices, and facilitate their communications with people on or off the island.” IaaS Providers subject to U.S. jurisdiction could play a key role in connecting their customers to the Cuban people over the Internet.
A general license authorizing infrastructure services in connection with transactions over the Internet would be consistent with the Deputy Assistant Secretary’s statement and, more broadly, the President’s policy initiatives to enhance the free flow of information to, from, and among the Cuban people. Moreover, in the CACR, there is precedent for authorizing certain industries or categories of service providers to engage in transactions that may otherwise be prohibited. New Section 515.572 of the CACR, for instance, authorizes travel services, carrier services, and remittance forwarding services. OFAC could amend Section 515.572 of the CACR to add an authorization for infrastructure services for internet-based transactions.
Alternatively, OFAC could draft a general license specifically addressing transactions by IaaS Providers (e.g., Section 515.573 Transactions by news organizations). All transactions necessary for the management and operation of servers whose primary purpose is to move customer- or user-created content over the Internet could be authorized. OFAC also could amend Section 515.578 of the CACR (Exportation and reexportation of certain internet-based services) to broadly authorize the exportation or reexportation of infrastructure services related to transactions over the Internet.
IaaS Providers are the anonymous backbone of much of the world’s Internet-based communications today. They do not own the content or control user access to the content on their servers located in data centers around the world. They do not have knowledge of, or reason to know, the intended end use or end user of any information or data that could be exported or reexported to a sanctioned country via their networks. Given the velocity and volume of Internet-based communications, there is no way for IaaS Providers to obtain and assess such knowledge in real time. Moreover, IaaS Providers may not have visibility to their customers’ data and information. Without this knowledge or reason to know, an IaaS Provider cannot initiate or facilitate a prohibited transaction under the CACR in any meaningful way. As a result, an IaaS Provider’s activities do not implicate the prohibitions in the CACR. At a minimum, strong policy considerations weigh in favor of the issuance of a general license authorizing such activities in order to ensure the free flow of information to, from, and among the Cuban people.
Chair Public Policy Working Group,
Chairman Board of Directors