Slack is banning some users with links to Iran even if they’ve left the country

By Russell Brandom

Photo by Amelia Holowaty Krales / The Verge

This morning, many Slack users with ties to Iran discovered their accounts had been abruptly deactivated. The bans affected users living as far as Finland, Canada and the United States, many with few remaining ties to Iran in either citizenship or physical presence.

“In order to comply with export control and economic sanctions laws…Slack prohibits unauthorized use of its products and services in certain sanctioned countries,” the notice from Slack read. “We’ve identified your team/account as originating from one of these countries and are closing the account effective immediately.” Users received no warning, and had no time to create archives or otherwise back up data.

It was an abrupt reminder of the broad reach of US tech sanctions, and a sign of how haphazard companies are when enforcing them.

In a statement to The Verge, Slack said it complies with all US regulations on embargoed countries, and as a result, prohibits Slack use in Cuba, Iran, North Korea, Syria and “the Crimea region of Ukraine.”

According to a company representative, today’s deactivations were the result of an update to Slack’s geolocation system. “We updated our system for applying geolocation information, which relies on IP addresses, and that led to the deactivations for accounts tied to embargoed countries,” the representative said. “We only utilize IP addresses to take these actions. We do not possess information about nationality or the ethnicity of our users. If users think we’ve made a mistake in blocking their access, please reach out to feedback@slack.com and we’ll review as soon as possible.”

Many Iranian ex-pats see the company’s interpretation of sanctions as overly broad, going far beyond the actual restrictions put in place by the US government. “They are either incompetent at OFAC interpretation or racist,” said Oxford researcher Mahsa Alimardani, who specializes in communication tools in Iran.

Most technology exports to Iran are illegal under US treasury rules, particularly when those exports involve financial transactions. But since 2014, US sanctions have included a general license for personal communications tools, described in the license as “fee-based services incident to the exchange of personal communications over the Intemet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging.” That clause is generally understood to include services like Slack.

“Detecting an Iranian IP address on a paid account (which is presumed to be for business) login as a violation of sanctions is a wrong interpretation of these regulations,” Alimardani says. “At best it’s over-regulation to prevent any sort of misunderstanding or possible future hassle with OFAC.”

However, the mechanics of sanctions enforcement make it simpler for companies to ban first and ask questions later. The cost of violating US sanctions can be enormous, while the cost of deactivating a defensible account is relatively small. In many cases, companies prefer to avoid the details of sanctions licensing for fear of making an expensive mistake. Google places similarly broad restrictions on the Google Cloud and App Engine, although the Google Play Store and iOS App Store are available under the personal communications license.

Notably, Slack has encountered few corresponding problems from the government in Iran. Unlike many US-based web services, Slack is not blocked by Iran’s internal web filters, and easily loads from IP addresses within the country.

The Trump administration has grown more aggressive about enforcing sanctions abroad in recent months, most notably against Huawei, which is based in China and does not consider itself subject to US sanctions. Earlier this month, Huawei CFO Meng Wanzhou was arrested in Canada on suspicion of violating US sanctions on Iran, triggering an ongoing international incident.

Update 2:59 PM ET: Updated with further statement from Slack.