[Owasp-board] Funding and Iran follow up

Matt Tesauro matt.tesauro at owasp.org
Wed Aug 24 15:13:18 UTC 2016

Answering inline for sake of efficiency...

TLDR:  The Foundation noticed a potential problem, realized that
understanding the problem will require expertise it doesn't have and the
Foundation is getting the advice from those that do have expertise in that

On Wed, Aug 24, 2016 at 9:04 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Board members,
> The following issue was mentioned during the board meeting yesterday:
> "Projects, Funding and Iran - Matt Tesauro & Claudia Casanovas
> We have several projects with leaders or co-leaders located in Iran. This
> makes funding those projects problematic due to the OWASP Foundation being
> a US charity and the economic sanctions imposed by the US. For background,
> see the US Dept of State Iran Sanction site
> <http://www.state.gov/e/eb/tfs/spi/iran/index.htm>. Details of the
> projects in question are in the Projects Report for this month, slide 5
> <https://docs.google.com/presentation/d/16III5sOo06KLyjdG2HEa7cA8hOSf9SKsuWbzbgD467s/edit?ts=57bc81b8#slide=id.g112855a4f6_0_14>.
> *Since any funding of activities in Iran represents a risk to the
> Foundation, the staff is asking for the board to determine how the
> Foundation will interact with any community members or project leaders
> which are located in Iran*"
> https://www.owasp.org/index.php/August_23,_2016
> Now that this issue has been raised after so many years having a Project
> Leader from Iran (Abbas Naderi) and even a project leader that was
> considered to be part of the board and was a board candidate, I'm
> requesting a clarification and solution, meaning that once you have raised
> this subject, the situation should be clarified asap.

The existence of a risk and the knowledge of that risk being a factor for
an entity are two separate things.  Let me use an analogy to make this

If I drive on a road at 45 miles per hour (mph) without knowing the posted
/ legal speed limit and that limit is 35 mph, I am at risk of getting a
speeding ticket.  I could drive for an arbitrary amount of time not
realizing the speed limit of that road and therefore not realizing the risk
I was taking.  If a passenger in the car suggested to me that the speed
limit may be lower than 45 mph, I would then be aware of a potential risk
and, should I not want a speeding ticket, I would do the work to determine
what the speed limit is on that road - and maybe even drive a bit slower
until I knew for sure.

That is the essence of what has happened here.  Timing or the parties
involved had nothing to do with the realization that there _may_ be legal
problems when the Foundation interacts with parties in Iran.  You were on
the email thread where this issue was raised - I don't recall who raised
the issue but that is, to be honest, irrelevant.

> I did consult a lawyer but he mentioned that in this case, being OWASP a
> US non-profit foundation, to consult a lawyer knowledgeable in these
> matters, not just any lawyer.

I am not sure who the 'he' is in the above sentence but the Board, as a
whole, took the action to have Kate engage with the law firm the Foundation
has retained to look into this matter and determine both what the current
laws of the US say about interaction with Iran and what, if any, exposure
to legal risk/sanction the Foundation has.  I agree with the Board's decision
that, since none of us in the Board meeting had any expertise in these
matters, utilizing the services of the Foundation's law firm was a valid
method to determine our risk and make an informed decision on how best to
interact with the OWASP community in Iran.

I find it very regrettable that because of actions of various government
bodies, we need to take this extra step with the OWASP community in Iran
but as much as the Internet has removed borders for communication and
information sharing, we all live in one or another country and are subject
to that country's laws.

I'd also like to note that the fact that the Foundation wants to understand
any legal risks that may exist in this case DOES NOT lessen the value the
OWASP community places on the contributions from those community
members in Iran.

> So far, none of the Iranian leaders have received any goods or financial
> support from OWASP. There is no commercial exchange between Iranian leaders
> and OWASP, however, the restrictions go so far including exchange of
> services or goods, or any kind of financial support, such as sponsoring.
> In this case, many of the support/services provided by OWASP, could be seen
> as an exchange of services.
> I'm not a lawyer and since we are talking about a very specific situation,
> OWASP needs to define this situation asap because the consequences for
> OWASP can be quite big.

Nor was anyone on the Board call yesterday, hence the action to reach out
to the Foundation's retained law firm.  I do not know if US law only
covers funding or 'material support', nor is speculating particularly
useful; hence the use of a lawyer.

> *One of the projects that I co-lead, is technically nor can be considered an
> 'Iranian' project, so please let's not call it that way. The Projects are
> not from Iran, the projects are open source, anyone can reach them and they
> are co-led/led by someone from Iran. So please, correct this naming that
> brings confusion and the wrong tone to this issue.*

I appreciate that, in your opinion the project you co-lead isn't subject to
the Iran sanctions, but I'd much prefer to get an opinion from a legal
expert - which is what the Foundation is doing.

> Given this situation, it is clear that OWASP requires the advice of a
> knowledgeable lawyer specialised in these cases, considering also that some
> of the sanctions have been lifted and what that means for OWASP if it provides
> support of goods or services.

Yup.  That's exactly what the Board said it was going to do on the call you
attended yesterday.  The call was recorded and should be posted in the next
day or two.

> Please let us know asap, the next steps. I hope there are some actions
> after this issue has been raised, so Ali and Reza, including me, know what
> to expect.

Once the Foundation has received advice from their legal firm and
understands what, if any, changes need to happen with community members in
Iran, we'll not only let those involved know but will document it
publicly.  O is for Open after all.


-- Matt Tesauro

> Regards
> --
> Johanna Curiel