
PayPal does naive keyword matching. I know this, because I used the word 'aleph' in the comments field when sending someone money, because that word was in the name of the thing I was buying.

Turns out, there is some terror group with the same word in their name.

Also turns out, PP's "sophisticated" fraud detection will hold a payment for nearly a month, when a human looking at the transaction is going to figure out it is a false-positive from a bullshit system pretty quickly.

Also turns out that apparently terrorists are somehow still capable of functioning, despite the best minds of our generation writing these super-cutting-edge detection algorithms.

I have to imagine that there are members of the set of people who are terrorists and also stupid enough to type "for the greater glory of MyTerrorGroup!" in a PP comment field, but there can't be many. And guess what? This gets everyone thinking about what sort of scanning takes place. So in the interests of catching the two idiot financiers who do this, we're teaching everyone to Be Careful What You Say.

Which, come to think of it, is probably an outcome that some are not unhappy about.




Is there an open source GitHub-hosted file with keywords that can be screened by a browser plugin?


PayPal is likely using these US government lists: http://apps.export.gov/csl-search#/csl-search

Companies like PayPal aren't doing this because they honestly believe it will catch terrorism. They are doing this because the US government tells them to, and they risk onerous penalties for non-compliance.

"Aleph" is on that list as an alias of Aum Shinrikyo, the cult responsible for the Japanese subway Sarin attack in 1995.

These regulations are somewhat pointless in that the list is public so anyone on the list can easily find out the fact they are on it and use an alias / front company / etc which isn't – so they only catch the truly incompetent terrorist funder/sanctions-buster/etc. But I don't think we can blame companies like PayPal for the existence of government regulations like this–I'm not aware that PayPal, or any other major corporation, has lobbied for these regulations to exist–although if PayPal take a month to remedy a false positive, that is unacceptably slow and it is fair to criticise them for that.


Question is, does the gov specify what actions to take when a word is encountered? Sure, scan for them, maybe report them, but banning, blocking etc. without proper investigation seems more a typical PayPal thing I have come to expect over the years working with them than something the US gov would specify.


Engaging in transactions (exports, financial services) with certain specified parties is illegal (and potentially even a crime in some cases).

The US government tells you to screen your transactions against their lists, and that due diligence must be performed to investigate matches – https://www.bis.doc.gov/index.php/policy-guidance/lists-of-p...

If you apply your best efforts to following the US government's advice, but then unintentionally end up doing business with a denied party – they are unlikely to prosecute you, and any prosecution is unlikely to succeed. If you ignore their advice, and then end up doing business with a denied party – even if you never realised they were one – then negative legal consequences are much more likely.

Any US exporter (including overseas subsidiaries of US corporations) is required to obey these laws. Other countries have similar laws which must be obeyed as well. For a large global business, this can get very messy fast, which is why large businesses employ whole teams of people to manage this and use software to help them do it (many ERP packages incorporate this functionality).

And these laws don't say "report the transaction to the government but let it through anyway". The laws say "report the transaction to the government AND deny it". If you do the former instead of the latter, you are likely both breaking the law and telling the government that you've done it, which is unlikely to end well for you.

From an end-user perspective, freezing the suspect transaction until an investigation can confirm it is harmless is unpleasant. But, from the company's viewpoint, if they don't take the time to do a thorough investigation of a suspect transaction, they are exposing themselves to significant legal risks.

(Disclaimer: I speak for myself, and these statements should not be taken as statements of my employer. I am not a lawyer and I don't work in the export control field.)



