Linux Foundation warns of US OFAC sanctions

Developers must be cautious about who they interact with and where contributions come from, warns a Linux Foundation blog post intended to help open-source developers navigate US OFAC (Office of Foreign Assets Control) sanctions.

Published January 29 and titled, “Navigating Global Regulations and Open Source: US OFAC Sanctions,” the blog states that increased cybersecurity risk and regulatory compliance are creating burdens on open source communities that these communities must meet. While there are sanctions programs in place around the world, many developers will need to be mindful of laws and regulations like OFAC, which restrict or prohibit transactions with certain countries, entities, and individuals, the foundation warned.

Issues involving OFAC sanctions programs and open source are not common, but are important to be aware of, the foundation noted. “With the US and international sanctions targeting technology companies based in Russia, this issue has become a topic in certain open source communities that have participation from entities targeted by such sanctions,” it said. Violating OFAC sanctions can result in serious consequences, including large civil fines and criminal penalties. OFAC sanctions apply not just to financial transactions, but often to almost all interactions with a sanctions target, including those in the open source community spaces.

Further, OFAC sanctions only reflect the US sanctions programs. Many other countries also have similar sanctions programs in place, including the European Union, United Kingdom, Japan, Australia, Switzerland, China, and many more. OFAC-sanctioned countries include comprehensively sanctioned countries such as Russia, Iran, Cuba, and North Korea and other countries subject to OFAC sanctions including Iraq, Lebanon, Venezuela, and Nicaragua.

OFAC publishes a list of Specifically Designated Nationals (SDNs) and provides a OFAC SDN list search tool. Using the search tool, a user can check if an organization is on the OFAC SDN List. Some sanctions apply to entire countries (e.g. Iran), regions (e.g., the Crimea region of Ukraine), or governments (e.g., the government of Venezuela), and those countries, regions, and governments are not on the SDN List. The OFAC SDN list and search tool are also not exhaustive and any analysis cannot solely rely on this list, the foundation said.

The foundation stressed its commitment to open source and global collaboration and doing so responsibly while complying with laws and regulations where the foundation and community members operate. “It is disappointing that the open source community cannot operate independently of international sanctions programs, but these sanctions are the law of each country and are not optional,” the foundation said.

Several Russian maintainers of the Linux kernel were removed last fall because of various compliance requirements.