Technical writing
Sanctions timelines and internet shutdowns: how Voidly correlates OFAC designation bursts with censorship events
Internet shutdowns are not random. They cluster around elections held under authoritarian pressure, protest movements that threaten incumbent governments, and military operations that benefit from communications darkness. The mechanisms producing these clusters share a common upstream dynamic: political crisis creates conditions for both international sanctions and domestic internet suppression simultaneously. Sanctions and shutdowns are rarely causally linked — but they are jointly caused by the same political forces, which makes sanctions timelines a useful leading indicator in the forecasting model.
OFAC designations are among the most precisely timestamped open-source signals available. They are published on a known date (often midnight ET), linked to specific entities with national associations, cross-referenced against a named sanctions program, and indexed by the Federal Register within hours. Because the United States government publishes these on a predictable cadence and with machine-readable structure, they are easier to align with shutdown event timelines than most other diplomatic signals. This article explains how Voidly ingests OFAC, EU, and UN designation events, aligns them against the Voidly incident table, and derives the diplomatic_isolation_score feature that feeds the 7-day shutdown forecasting model.
The hypothesis
The hypothesis driving this feature group is that diplomatic isolation — measured as the volume and intensity of international sanctions activity targeting a country — is a leading indicator of the political-crisis conditions that precede internet shutdowns. The causal chain runs: political crisis → international response (sanctions) and domestic response (censorship) in parallel, rather than sanctions → shutdown. The designation is not cutting off the internet. The same political conditions that prompted the designation are also prompting the shutdown.
This distinction matters for model design. Features derived from sanctions timelines are marked correlation_feature: true in the model schema to distinguish them from causal inputs. A feature that merely correlates with outcomes (like ofac_designation_30d) must be interpreted differently during model evaluation than one with a plausible causal path (like probe_measurement_rate_delta, which drops because throttling is literally degrading probe throughput). Both types are useful for forecasting; neither type should be described as an explanation.
Data sources
Four designation sources are aligned against the Voidly shutdown incident table. Each has different update cadence, geographic scope, and reliability characteristics.
| Source | Update cadence | Ingestion method | Geographic scope |
|---|---|---|---|
| OFAC SDN / NS-MBS | Daily (conditional GET) | Federal Regulatory Data Hub pipeline | Global (US Treasury programs) |
| EU Council restrictive measures | Same-day on publication | eur-lex.europa.eu scraper | EU-targeted countries |
| UN Security Council (Res. 1267 and successors) | RSS feed, 4-hour poll | UNSC website RSS ingestion | UN member states |
| UK OFSI consolidated list | Daily conditional GET | GOV.UK asset-freeze list endpoint | UK-designated countries |
Voidly shutdown incidents are drawn from the internal incidents table, filtered to confidence_tier >= VERIFIED and duration >= 24 hours. The 24-hour floor excludes transient outages and election-night throttling events that are real but too short to represent a sustained government action. The confidence filter eliminates incidents where network telemetry exists but political context is absent — these are more likely infrastructure events than ordered shutdowns.
The SanctionsEvent data model
Each designation event — whether a single added entity or a coordinated 40-entity bulk package — is normalized into a SanctionsEvent record before any feature computation occurs. This normalization step is critical because designation batches vary enormously in size: a single Venezuela SDN addition carries a different signal weight than the Iran maximum-pressure packages that designated hundreds of entities across petrochemical, shipping, and financial sectors.
from dataclasses import dataclass, field
from datetime import date
@dataclass
class SanctionsEvent:
event_id: str
country_code: str # ISO 3166-1 alpha-2 of targeted country
designation_date: date
sanctions_list: str # 'ofac_sdn', 'ofac_ns_mbs', 'eu_asset_freeze', 'un_1267'
jurisdiction: str # 'US', 'EU', 'UN'
action_type: str # 'designation', 'delisting', 'amendment'
entity_count: int # number of entities in this batch
is_bulk_package: bool # True if > 10 entities designated simultaneously
# Derived: which Voidly shutdown events fall within +/-30 days
correlated_incidents: list[str] = field(default_factory=list)The is_bulk_package flag (entity count above 10) captures a meaningful distinction in US sanctions practice. Routine designations — one or two individuals added under an existing program — represent ongoing enforcement of an established policy. Bulk packages, by contrast, typically represent a deliberate escalation decision: a new sector targeted, an expanded program, or a coordinated multilateral action. In the training corpus, bulk packages precede shutdown events at higher rates than single-entity additions.
The corresponding TimescaleDB table carries an index on (country_code, designation_date)to support the time-windowed lookback queries that feature computation requires. The table is append-only: amendments and delistings are inserted as separate rows rather than updates, preserving the full timeline of each entity's designation history.
ofac_designation_30d: the primary SQL feature
The core OFAC feature is a 30-day rolling count of designation events targeting a specific country, computed for every day in the training and inference window. The query below is run per country during nightly feature recomputation and stored in the shutdown_forecast_features table.
-- Count OFAC designations targeting country CC in the 30 days before each day
SELECT
d.day,
COUNT(se.event_id) AS ofac_designation_30d,
SUM(se.entity_count) AS ofac_entity_30d
FROM generate_series(
'2019-01-01'::date,
CURRENT_DATE,
'1 day'::interval
) AS d(day)
LEFT JOIN sanctions_events se ON
se.country_code = $1
AND se.sanctions_list IN ('ofac_sdn', 'ofac_ns_mbs')
AND se.designation_date BETWEEN d.day - INTERVAL '30 days' AND d.day
GROUP BY d.day
ORDER BY d.day;Two metrics are computed together: ofac_designation_30d counts discrete designation events (batch packages), while ofac_entity_30d sums the entity counts within those packages. The entity count feature sometimes carries more information than the event count — a single bulk package designating 40 entities is a stronger escalation signal than four separate events each designating one entity, even though the event-count feature sees 1 versus 4.
When a new OFAC package arrives via the 10-minute conditional GET pipeline, the feature recomputation for affected countries is triggered immediately rather than waiting for the nightly batch. A same-day OFAC designation can therefore update the shutdown forecast within approximately 20 minutes of publication.
diplomatic_isolation_score: multi-jurisdiction composite
The ofac_designation_30d feature captures US Treasury activity alone. The broaderdiplomatic_isolation_score combines all four jurisdiction sources into a single composite, weighted by the severity and binding nature of each designation type and decayed exponentially to weight recent activity more heavily than older events.
import math
from datetime import date, timedelta
JURISDICTION_WEIGHTS = {
'ofac_sdn': 1.0, # US Treasury primary list
'ofac_ns_mbs': 0.9, # US non-SDN MBS (significant but narrower)
'un_1267': 0.9, # UN Security Council binding
'eu_asset_freeze': 0.8,
'uk_asset_freeze': 0.7,
'ofac_bis_entity': 0.6, # Commerce/BIS export controls
}
def compute_diplomatic_isolation_score(
country_code: str,
as_of: date,
lookback_days: int = 90
) -> float:
events = get_sanctions_events(
country_code,
as_of - timedelta(days=lookback_days),
as_of
)
if not events:
return 0.0
# Weight recent events more heavily (exponential decay, half-life 30 days)
score = sum(
JURISDICTION_WEIGHTS.get(e.sanctions_list, 0.5)
* is_bulk_package_multiplier(e)
* math.exp(-math.log(2) * (as_of - e.designation_date).days / 30)
for e in events
)
return min(score, 10.0) # cap at 10.0
def is_bulk_package_multiplier(e: SanctionsEvent) -> float:
return 1.5 if e.is_bulk_package else 1.0The exponential decay uses a 30-day half-life: a designation from 30 days ago contributes half as much as one from today; one from 60 days ago contributes one-quarter. The 90-day lookback window means events older than three half-lives are contributing less than 12.5% of their original weight and are effectively noise at most jurisdictional weight levels. The 10.0 cap prevents extreme-pressure countries (Russia in March 2022, Iran at various points) from producing scores that dominate model inputs in ways that confound calibration across the 200-country population.
Historical correlation: four case studies
Before integrating this feature into the model, we validated it against four historical episodes where the alignment between sanctions timelines and shutdown events was measurable. Each case illustrates a different aspect of the correlation and its limits.
Iran 2019: OFAC maximum pressure campaign
The maximum pressure campaign produced some of the densest OFAC designation activity in the dataset. May 2019 brought a bulk package targeting Iran's petrochemical sector (8 entities). September 2019 saw the rare designation of the IRGC as a sovereign-entity-linked organization. The diplomatic_isolation_score reached 8.7 by November 2019 — the highest recorded for any country before 2022.
On 2019-11-16, Iran shut down the internet nationwide for four days during fuel-price protest suppression. Approximately 44 million users lost access. The Voidly incident record classifies this as a POLITICAL_SHUTDOWN with confidence_tier = VERIFIED. The shutdown came 6 months after the first major bulk designation package, illustrating that the relevant window for the correlation is not days but months — the feature works as a baseline pressure gauge, not a 48-hour predictor.
Russia 2022: Ukraine invasion
The February 2022 coordination between OFAC, the EU, and the UK produced the most intense multi-jurisdiction designation burst in the dataset. Between February 22 and February 28, OFAC designated Sberbank, VTB, and GazpromBank under existing Russia-related programs; the EU and UK announced coordinated asset-freeze packages on overlapping timelines; and the SWIFT exclusion — not itself an OFAC action but correlated in timing — amplified the economic signal.
The diplomatic_isolation_score at 2022-03-01 reached 9.4, the highest in the dataset. In the same window, BGP routing anomalies were detected in occupied Ukrainian territories beginning February 24. Russia began throttling Twitter in early March before transitioning to a block; VPN usage in Russia spiked approximately 2,000% in the first weeks of March. Voidly recorded 847 new verified incidents across Ukraine and Russia in March 2022 — 21 times the baseline rate for that country pair. The multi-jurisdiction coordination that produced the 9.4 score was directly downstream of the same invasion that triggered the connectivity events.
Myanmar 2021: military coup
Myanmar represents one of four cases in the dataset where the shutdown led the sanctions response rather than following it. On February 1, 2021, the military executed a coup beginning at 8:00 AM local time; the internet shutdown began at 9:00 PM the same evening, hours after MRTV broadcast announced the transfer of power. OFAC did not designate military leaders until February 11 — ten days later. Broader OFAC, EU, and UK coordinated packages followed in March.
The diplomatic_isolation_score at the coup date was 3.2, reflecting Myanmar's relatively low prior sanctions baseline. By April 2021 it had risen to 7.1 as the international response accumulated. This case demonstrates that sanctions can follow rather than precede a shutdown — and that the model needs to handle this directionality correctly. The feature contributes positively to forecast accuracy in the weeks and months following the initial event, not at the moment of the coup itself.
Belarus 2020: Lukashenko election
The Belarus case illustrates the difference between throttling (which Voidly classifies separately from shutdowns) and full connectivity cutoffs. Between August 9 and 11, 2020, during the presidential election and its immediate aftermath, Voidly recorded sustained internet throttling: bandwidth collapse on international transit, elevated probe failure rates, and social media platform slowdowns. The EU imposed its first round of targeted sanctions in October 2020 — eight months after the connectivity suppression began.
The Belarus episode illustrates a fundamental constraint on the feature: sanctions are primarily a response by Western governments to political events, not a cause of shutdowns. A government that fears an election outcome will throttle internet access regardless of whether Washington has designated any Belarusian officials. The diplomatic_isolation_score is a proxy for "is this country under sustained Western political pressure" — it is not a mechanism.
Correlation statistics
Across 200 countries and the 2019–2025 training window, the Voidly dataset contains 87 verified internet shutdowns with duration of 24 hours or more. Within this set, 34 events (39%) were preceded in the 30-day window by an OFAC designation burst of two or more entities targeting the affected country.
| Region | Pearson r (30-day OFAC count vs. shutdown probability) | Notes |
|---|---|---|
| Global | 0.42 (p < 0.001) | Significant across full dataset |
| Middle East | 0.61 | Strongest regional correlation; Iran dominates signal |
| Sub-Saharan Africa | 0.38 | Broad coverage but lower designation density |
| Central Asia | 0.35 | Kazakhstan 2022 and Kyrgyzstan events drive correlation |
| Latin America | 0.09 | Few shutdowns; few OFAC packages targeting internet-shutting countries |
The global Pearson r of 0.42 is statistically significant and practically meaningful for a feature that operates months in advance of an event. The Latin America near-zero correlation (r = 0.09) reflects both that shutdowns are rare there and that OFAC packages targeting countries in the region rarely co-occur with connectivity events — Venezuela receives significant OFAC activity but has not executed a sustained national-level shutdown of the kind scored in this dataset.
In the XGBoost model, the ofac_designation_30d feature carries a mean absolute SHAP value of 0.07, making it the 7th most important of 47 features. The diplomatic_isolation_scorecomposite adds a further 0.05 SHAP contribution. Together, the sanctions feature group accounts for roughly 17% of the model's total feature importance — meaningful but well behind election proximity and historical shutdown count.
Event-driven versus administrative shutdowns
Not all connectivity events in the dataset are politically motivated. Submarine cable cuts produce dramatic BGP withdrawal signatures — Egypt in 2022, Yemen in 2022 — that generate false positives if the model treats all network anomalies as potential ordered shutdowns. The sanctions correlation provides a useful disambiguation signal: a cable cut produces no preceding OFAC activity, while a government-ordered shutdown almost always occurs in a country under some level of international pressure.
Voidly classifies verified incidents into three categories that the model consumes as a label rather than a feature:
- POLITICAL_SHUTDOWN: political_context_score above 0.5, derived from GDELT political event density in the preceding 14 days combined with the presence of a sanctions signal. These are the events the forecasting model is primarily designed to predict.
- TECHNICAL_OUTAGE: routing anomaly consistent with infrastructure failure — single-AS withdrawal, ICMP unreachable pattern, absence of RST injection signatures. No political context score required. These are excluded from the shutdown forecast evaluation set.
- AMBIGUOUS: classifier uncertainty above the configured threshold. These events are held out of both the training set and the evaluation set and reviewed manually by the Voidly analysis team before final classification.
The sanctions correlation feature contributes to the political_context_score that drives the POLITICAL_SHUTDOWN classification: a country with diplomatic_isolation_score above 4.0 receives a baseline political context score of 0.3 even before GDELT protest signals are added. This means the feature influences both the input to the forecasting model (the diplomatic isolation feature itself) and the labeling of historical events used to train it — a coupling that is documented in the model card and controlled for during cross-validation by holding out country-years entirely rather than individual events.
Limitations
Several structural limitations constrain how much predictive work the sanctions features can do.
First, OFAC designations target specific entities, not countries. An SDN addition listing a Russian oil oligarch does not directly implicate Russian telecommunications infrastructure. The country-code tagging applied during ingestion — derived from the entity's nationality, program, and address fields — is an inference, not a formal attribute. Approximately 8% of SDN entries receive a country code that differs between the OFAC XML source and Voidly's derived tag; these are logged and manually reviewed monthly.
Second, the correlation is strongest for countries with well-developed OFAC programs (Iran, Russia, North Korea, Syria, Venezuela). For countries with thin or no SDN footprints — many Sub-Saharan African states, most Pacific island nations — the feature provides near-zero signal regardless of what is happening domestically. Ethiopia shut down the internet during the Tigray conflict with essentially no preceding OFAC activity; the model's prediction for that event relied on election proximity and protest intensity features, not the diplomatic isolation score.
Third, the 30-day lookback for ofac_designation_30d can produce noise in the feature during periods of high routine designation activity. The US Treasury designates entities under counter-narcotics, counter-terrorism, and human trafficking programs continuously; a country that happens to have cartel-linked individuals on the SDN list receives non-zero feature values even during periods of no relevant political tension. The is_bulk_package flag partially addresses this — routine counter-narcotics designations rarely involve 10+ entities simultaneously — but the feature is still noisy for a subset of countries in Latin America and Southeast Asia.
Integration with the forecasting pipeline
The sanctions features are computed nightly as part of the batch feature construction run that populates the shutdown_forecast_features TimescaleDB table. Each row in that table represents one (country_code, forecast_date) pair and contains all 47 feature values alongside metadata about data availability and any missingness flags.
The OFAC ingestion pipeline (10-minute conditional GET from the Federal Regulatory Data Hub, described in detail in the OFAC SDN integration article) runs separately from the nightly batch. When it detects a new designation event, it writes to the sanctions_events table and immediately triggers a targeted feature recomputation for all countries affected by the new entries. This means a same-day OFAC designation package can propagate through to a revised forecast within approximately 20 minutes of the Treasury publishing the update — substantially faster than the nightly batch cadence that governs most other features in the set.
The EU and UK pipelines run on a same-day scrape cadence but with less reliable publication timing; EU Council restrictive measure updates can publish at any point during the European business day. The UNSC RSS feed is polled every four hours. For features derived from these sources, same-day propagation is common but not guaranteed within a specific latency window. The data_quality_flags field in each forecast response records which sources were current at the time the forecast was computed.
For how OFAC SDN data is ingested into the Federal Regulatory Data Hub — the 10-minute conditional GET, entity normalization, alias explosion, and the change feed that produces the raw designation events used here: OFAC SDN integration in the Federal Regulatory Data Hub: conditional GET, entity normalization, and sub-second screening →
For the full 47-feature engineering pipeline feeding the forecasting model — political calendar, network telemetry, and historical pattern features alongside the sanctions group: The features behind Voidly's 7-day shutdown forecast: political calendar, sanctions timelines, and network telemetry →
For the XGBoost ensemble model that consumes these features — the ARIMA baseline, per-country calibration, and the reliability scoring system: Seven-day internet shutdown forecasting: how Voidly predicts connectivity outages →
For how country-level censorship scores are computed — the 90-day rolling aggregation of probe measurements that produces the blocking-rate trend feature: Voidly's country-level censorship score: aggregating 2.2B probe measurements into the global index →