Hi HN, I'm the CEO of GitHub. Flagging this account was obviously a terrible mistake, and I apologize to anyone who was affected by it. We're investigating why it occurred and will make changes to make sure it doesn't happen again. I am glad that we restored access to the account in less than an hour after Aurelia filed their appeal.
For context on why any account flagging is ever necessary, unfortunately, every company in the world is required to comply with US sanctions if they do any business at all in the United States, e.g. serving US-based customers. This includes even interacting with US banking infrastructure. So being headquartered somewhere else doesn't help; you have to comply. And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.
We are taking the broadest possible interpretation of US sanctions law to allow as much access to GitHub as possible and we are, as far as I know, the only major vendor to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba. I'm proud that we are taking this strong position to ensure developers everywhere can participate in open source.
I wish we could also offer access to private repos and still comply with government requirements. We have been advocating and will continue to advocate for broader developer access with the various government agencies involved.
You need to do a post-mortem on this. What exactly did Aurelia do to trigger this to start with? A contribution from a sanctioned country? A github issue posted by someone from a sanctioned country? How exactly are open source projects supposed to avoid this possibility if they don't happen to literally be Rob Eisenberg? How many other project repositories have been disabled because of this problem? Is Github doing a review of the processes? Highly doubtful Aurelia's the only one affected, but it might be the only one so far to be able to make it to HN front page.
Fun fact. My friend works in a bank. One of this bank's account holders is a factory that produces curtains. Now, curtain in Polish is "firana", and any time those guys do a bank transfer it is thrown into some kind of lengthy manual processing mode because the company name contains the dreaded word "iran".
We had to remove products containing any and all references to Cuba and Egypt from our Shopify store to avoid PayPal suspending our account. All of the products are American made, produced in the US with local ingredients. For example, a raw flavour compound called “Cubano Style” or an eliquid brand called “The Great Pyramids” (fictional examples but in line with the real products.)
Only the thing was that PayPal wouldn’t actually confirm exactly what was triggering their automated system, we had to infer that ourselves by looking for commonalities between the flagged payments. Even when we identified the problem they refused to give any confirmation at all other than to re-enable our account.
Yea, there's a real lack of information in Github's response. I hope we get something more complete.
But really, if your project is mature enough and you have the bandwidth, just host it yourself. Gogs, Gitlab, cgit .. lots of FOSS implementations to choose from.
I agree. This is the second story like this we have seen come across the front page of HN this week. I'm glad they sorted it out quickly, but it is almost certainly a result of Mr. Eisenberg's high profile.
We saw another story like this come across the front page this week. The author is less well known (also happens to reside in Russia), and claimed that he had trouble even getting an e-mail response from the given support pathways for appeal. Sounds like it eventually got sorted out, but not without much waiting and effort from the maintainer.
So when GitHub CEO Mr. Friedman jumps in and pats himself on the back for getting this account restored in less than an hour, I can only roll my eyes. To try to sell it like this is an 'average' response to these type of appeals is a little disingenuous.
If I were starting a company today, I would absolutely self-host my repository to guarantee my business is never harmed by some automated flag that could totally lock me out of my own work. We use GitLab Community Edition at my company. It is fantastic, and we are in full control.
Do you believe that trade regulations such as ITAR apply to publicly-available open source software? I do not¹, and it appears that your employees do not believe this either.
GitHub is currently hosting multiple GPS implementations² that are clearly against this line in your ToS, in addition to also being against ITAR by not implementing speed limits for missiles:
"GitHub may not be used for purposes prohibited under applicable export control laws, including purposes related to the development, production, or use of […] long range missiles or unmanned aerial vehicles."
I think you should probably make a blog post explaining GitHub's stance on this issue.
[2]: One of which is https://github.com/gnss-sdr/gnss-sdr. This repository does not implement ITAR-required GPS speed limits. Even if it was ITAR-compliant, the limits could easily be removed as it is open source software.
----------------------------
Update: GitHub has updated their ToS to remove this line. It was present on July 27, 2019. The issue still stands with this current statement from their ToS ( https://help.github.com/en/github/site-policy/github-and-tra...), which forbids ITAR-regulated software:
"Users are responsible for ensuring that the content they develop and share on GitHub.com complies with the U.S. export control laws, including the EAR and the U.S. International Traffic in Arms Regulations (ITAR). The cloud-hosted service offering available at GitHub.com has not been designed to host data subject to the ITAR and does not currently offer the ability to restrict repository access by country."
Whether it's open source or not is irrelevant. ITAR software cannot legally live on GitHub.com in any case -- it doesn't matter if the repos are public or private. [But a GitHub Enterprise install (self-hosted version only) can be compliant.]
I'm confused by your request for the company's stance, since it's not something up for debate... there is no room for them to take a stance on complying with the law. It's not up to GitHub at all.
If it's publicly available open source, it can't contain ITAR.
If there is existing open source that doesn't contain ITAR, then that's fine because it's beyond the scope of ITAR, so ITAR doesn't apply to that scenario. [Maybe this is the case you're mentioning?]
If it is ITAR, it can't possibly be publicly available open source. [How could it be possible to have publicly-available open source software that is also restricted to being only shared with U.S. citizens?]
Of course an ITAR project could pull in publicly available open source (e.g., dependencies), but that doesn't sound like what's being discussed here.
We can sensibly speak of tech that "would be" an ITAR violation to deliver "if it were not" open source. This is exactly the scenario under discussion. It seems very clear from the linked page that, e.g., GPS code that is released as free/open is, in fact, not restricted by ITAR.
There is a certain unrealistic arrogance to the US approach to ITAR and software that seems to assume only US Persons could create technology on the list.
GPS receiver systems are the classic there: Russia, China and Europe all have their own GNSS. China runs the semiconductor industry and is quite capable of producing whatever unrestricted GNSS devices they choose. Therefore why restrict US companies?
Same with satellite tech, there may be some US specific tricks but there is a reason ITAR free satellite designs already exist and are multiplying. ITAR tries to protect too much and is killing US market share by being stupidly annoying.
The difference is companies actually get in a LOT of trouble for sanctions violations. When was the last time someone was prosecuted for an illegal GPS implementation?
You don't need an open source GPS radio for that, just fly a bit slower. The upper limit is plenty fast for weapons, 1900 km/h isn't much of a limitation, neither is 59,000 ft of altitude.
If you can understand the equations and engineering needed to build a cruise missile the GPS equations will not daunt you. Getting the final approach to have a useful Circular Error Probable at anything low enough for an assassination would be more of a technical challenge than the coarse guidance. Unless you had someone shining a designator you’d need real-time machine vision. To say nothing of designing an airframe that can perform precision manoeuvres at speed without breaking up.
While it is definitely possible to reverse-engineer and modify the software/firmware of existing proprietary GPS systems, I'd argue that the distinction between this and changing an open source project is not meaningless.
Changing a couple lines of well-documented source code in an open source project before compiling is arguably a much lower bar to pass.
It depends. For most reasonable firmware, trying to figure out how to compile the stupid thing is generally harder than finding and byte patching a condition in a binary blob.
... to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba.
You should also add North Korea to that list. Three years ago I spent a semester in Pyongyang teaching a course on open source software development, and as part of the course students created git repos and contributed to other repos that are hosted on github.
So that you're not put in an awkward position, though, I won't tell you which repos these are :)
While I was in North Korea, I basically never used a VPN and rarely had problems with any services. A handful of news sites were blocked (ironically the sites did the blocking and provided a message about sanctions; the North Korean government didn't block anything), and so I needed a VPN for those.
All North Korean internet traffic originates from 175.45.176.0/22. They have no reason to hide (except for the massive amount of cyber crime they originate, where VPNs are used)
I used to use an Iranian based VPN. Sanctions are almost always implemented by billing address, not by IP address. Geolocation services are crap when you start getting into third world countries.
Ok? I'm sure most e-commerce websites would scoff at the idea of having shoppers mail in a notarized copy of their passport before they can make a purchase.
How would this have been resolved if the post on Twitter/other social media didn't get enough traction? Is this just a terrible mistake because it has much more visibility than all of the other terrible mistakes?
I'm sure that there have also been takedowns that weren't terrible mistakes, but merely procedural. And given the disclosure that GitHub implements sanctions loosely, far more repos are likely at risk.
That's not a fair argument. You're demanding that GitHub prove the absence of any other mistakes. All they can do is fix bugs when they find them, the same as anyone else. If there's a systemic problem with the way they do sanction flagging, that needs evidence.
I disagree; it is a fair argument. This is the Tweet:
> I woke up this morning and you shut off the Aurelia site, archived tons of our repos, and I can no longer access admin settings. You cited US trade sanctions and sent me a non-descriptive email with no remediation information. What is going on? This is devastating for us!
"No remediation information," to me sounds like Twitter outrage was the remedy.
A follow up reply is this:
> The project has been public for 5yrs+, managed by a US company, whose owner is even a GitHub Insider and long time open source leader (15+ yrs).
Okay, there's the terrible mistake. It targeted someone with credentials, not a nobody.
> If a user or organization believes that they have been flagged in error, then that user or organization owner has the opportunity to appeal the flag by providing verification information to GitHub. Please see our FAQ for the appeals request form https://help.github.com/en/github/site-policy/github-and-tra...
> If an individual user or organization administrator believes that they have been flagged in error, then that user has the opportunity to appeal the flag by providing verification information to GitHub. If GitHub receives sufficient information to verify that the user or organization is not affiliated with a U.S.-sanctioned jurisdiction or otherwise restricted by U.S. economic sanctions, then the flag will be removed. Please see individual account appeals request form and organizational account appeals request form.
Those are just arguments that the mistake shouldn't have been made. Of course the mistake shouldn't have been made, that's what "mistake" means.
Your post upthread was inferring the existence of multiple similar mistakes and demanding that GitHub prove they are impossible. They can't. It wasn't supposed to happen in the first place. It was a mistake.
It would be pretty easy to prove the absence of other mistakes here by simply providing a public list of all repositories affected by sanctions flags. If the number is, say, thousands, then it's almost certain this is a deeply automated process and there are other errors. If it's, say, 10, then this is probably a human-driven process.
Thanks so much for the swift fix, apology, and the current work to try to find out what happened & prevent the recurrence of the mistake. Mistakes are inevitable, especially at scale. I think taking those steps, when the inevitable mistake happens, is all we can ask of anyone.
> And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.
This statement is so wide-sweeping as to be patently false. Some sanctions target specific activities. Others target specific entities that may or may not be entire countries. Many sanctions do not apply to information and communication services. To make such a wide statement as you did suggests you're oversimplifying to placate the masses. Either way, not a good look.
Do you think as the EU and PRC grows politically and economically, they will start throwing around similar sanction requirements as the USA? Will GitHub be forced to obey those as well?
The PRC already does it, from forcing brands to remove Taiwan from the list of countries on their sites to having Hollywood alter things they don't like in movies.
I appreciate the difficult position you're in, wanting to provide and advocate access while also forced hard by government regulations which are heavy handed and often over-reaching.
I wonder though, as cool as it is that the CEO of Github posts here, maybe you shouldn't be making this comment. Now a bunch of commentators have raised similar issues and you are now obligated to some degree to contact your legal and engineering teams to look into it - this may result in you having to take down MORE content which was clearly nobody's intention. Rock meet hard place.
I don’t think any company headquartered outside the US has to comply with those laws. It’s only if they value doing business in the US enough to do so.
> I am glad that we restored access to the account in less than an hour after Aurelia filed their appeal.
You mean after they went semi-viral on Twitter and landed on the HN front page. But I'm sure it won't happen again (to this repository, for this reason, in this year; everything else is on the table).
Using Twitter, FB, HN etc as your support-priority-queue system is a terrible idea.
As we've seen with all major internet service providing companies, getting customer service right 100% of the time does not scale. Errors happen. The mean time between errors approaches 0 hours as the ratio of users to human beings on the planet approaches 100%.
Sure, but there's plenty of space between offering Google-level support and getting it 100% right. Aim for 100%, not for Google. It's not their terrible support that made them successful, don't copy that part of their operation.
Setting the tradeoff in cost / effectiveness where Google did is probably part of the alchemy of what made them successful in the way they are successful (though offering better customer service and "white glove" treatment to a smaller customer base is also extremely likely to be a viable business model).
They reinstated the account 1hr after official appeal.
Your comment is only relevant to those posts that are used as a last resort, usually after waiting days or weeks without any human response. AFAICT the tweet was done pretty much simultaneously, perhaps in an attempt to hasten response time.
> They reinstated the account 1hr after official appeal.
Yeah, because it got traction on HN and Twitter. Pretty much the same happened to somebody else just three days ago, and, wouldn't you know it, after their rant [1] made it to the HN front page [2], Github finally reacted to the appeal after having spent a week ignoring it.
If you expect to ever have troubles with GitHub, you better have a following or some luck to be posting at the right time.
> unfortunately, every company in the world is required to comply with US sanctions if they do any business at all in the United States, e.g. serving US-based customers. This includes even interacting with US banking infrastructure. So being headquartered somewhere else doesn't help; you have to comply. And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.
How come DHL is able to ship packages to sanctioned countries? I understand there are some limitations to what can be sent there from the US, but it seems like they are able to do so from other countries. Is the DHL US a separate entity or is there something else I'm missing?
> DHL offers worldwide services, including deliveries to countries such as Iraq, Afghanistan and Myanmar (formerly Burma). As it is German-owned, DHL is not affected by U.S. embargoes or sanctions and will ship to Cuba and North Korea. However, there are strict codes for delivering to North Korea, as the country has shaky relations with the West. As DHL is no longer a United States company, it is not allowed to make domestic flights between U.S. airports. DHL contracts these services to other providers.
> DHL ended domestic pickup and delivery service in the United States in 2009
Is there really no process in place to first notify an organization that you will need to close their account down? Or is there something in existing sanction law that prevents extending such a courtesy when account is flagged?
I'm sorry, I understand why you don't like the ICE, but why should they start "randomly" arbitrating what can and can't appear on their platform? That's just a massive can of worms nobody wants to open.
Responses like this are so disgusting to me. It perfectly highlights that the only way to get treated fairly on the system is to be important enough to make the CEO look bad and get a direct response from him.
They have unlimited resources more or less to review sanctions cases, they choose to spend them on buybacks, and executive bonuses, and private jets. They are not ever going to take the time to do this properly because the interests of their users are their last priority.
Sounds like a great time to get off the github platform as soon as possible before your repos disappear because some Iranian guy posted an issue.
Note they didn't mention why they incorrectly flagged the repo or take any responsibility for doing so, or make any claim that it's not going to happen in the future. They just claim it's the government's fault. Bullshit.
> We are taking the broadest possible interpretation of US sanctions law to allow as much access to GitHub as possible and we are, as far as I know, the only major vendor to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba.
Does this mean that users in sanctioned countries can create accounts and use the site noncommercially as normal, just as long as they don’t have private repos? It was my understanding that you will nuke ANY account possessed by someone from a sanctioned country.
GitHub has corrected the issue, restoring our organization access and web site. They have reported that the org was flagged as part of an automated process. The flagging occurred because we have two external contributors from Iran (non GH org members). They told me that there should have been a warning and they are investigating why that didn't happen. The CEO of GitHub also reached out personally to try to speedily rectify the situation.
A few months ago GitHub banned access of Iranian developers (and devs who live in a few other countries) to private repositories and gists and now, with actions like this, even if it's by accident, they are threatening our chance of collaboration to public open-source repos because maintainers would be afraid that if they accept our contribution they may face consequences.
> maintainers would be afraid that if they accept our contribution they may face consequences
But that isn't a result of GitHub's actions, if anything they are trying to protect maintainers by blocking Iranian contributions.
Sanctions are 1) implemented at a federal government level and 2) intended to make it almost impossible for the sanctioned country to get anything done. It's like not letting your kid take their Switch or iPhone with them to timeout. Yeah it sucks and makes everything awful, but that is exactly the point.
So Iran could sponsor programmers to contribute to as many repos as possible? Then they can win a propaganda war of why Iran is progressive and good and the US is bad?
Haven't they already won that war? USA created ISIS, gave ISIS lots of weapons and logistical support, then assassinated the guy who beat ISIS while he was in diplomatic talks with supposed USA ally Iraq. In response, Iran says "we will destroy buildings at the following addresses", allows time for those buildings to be evacuated, then their guided missiles destroy exactly those buildings. USA military brass then downgraded Iran from their "let's go to war now" list...
This is pure speculation, but it seems that GitHub's ownership by Microsoft causes them to be significantly more strict with the types of content that they are comfortable hosting. Expect this to continue as they expand up and down the stack; once their npm acquisition closes you'll see this there too.
I think this should be a wake-up call to anyone staking their open source project on GitHub — if I let someone from a US sanctioned country contribute to my repo will I be banned? Hopefully mindshare moves to alternatives in due time.
GitLab is fantastic, but GitHub has the most eyeballs and best discoverability features. As long as that remains true, GitHub will remain a better place to launch an open source product than alternatives.
You can use any old git repo as your main source, and "dump" every commit into github for visibility. Any issues and pull requests opened on the github site get an automatic reply telling people to use some other site.
Not a bad idea. But I haven’t seen it work in practice with strong usability. The fact of the matter is, if you ask developers where they discovered software, “GitHub” would rank higher than GitLab.
This is due not only to higher traffic numbers, but also more features revolving around discoverability. GitLab could build those features too, but it’s difficult to overcome the network effect driving GitHub’s momentum. It’s especially hard because even the people who did migrate to GitLab mostly did so for the free private projects and CI. It’s unlikely many will move public repositories to GitLab now that GitHub nears feature parity in CI.
> But I haven’t seen it work in practice with strong usability.
The Linux kernel does this (with a mailing list, no less!). I agree with the main thrust of your post and I suppose strong usability is arguable but I thought it would be good to throw out a (very) notable example regardless.
You’re right, strong usability is arguable. Very arguable.
But you’ve got a good point that they make it work. It’s certainly possible. (And obviously Linux is an exceptional example, let’s not forget it shares a creator with git.)
Is it really a thing, to have to learn another site?
If you know the basic functionality of Github, do you really have to learn to use similar functionality of Gitlab, Gitea, etc? Is it not enough to be familiar with the concepts?
Having to set up a new account, complete with a new username and password, is by itself sufficient to drive away a staggering amount of adoption / conversions according to several UX studies.
Just like when people were switching from the blue e to firefox/chrome: these were different browsers, with different UI, but the concept of browsing the internet was the same. So in the end, the different UI didn't matter.
For my GitLab repos (where I maintain source/workflow) I use the mirror functionality to automatically push any and all commits to GitHub. I configure the GitHub mirror with a link to the official repo and disable issues.
Unfortunately, you can’t outright disable GitHub’s pull requests. I’ve seen plenty of orphaned PRs on repos that do tracking/review elsewhere and people just don’t read (or actively ignore) the provided contributor guidelines.
Worth noting, it’s also possible (and quite easy) to do this vice versa. When you want a private fork of a public repo on github, it can be useful to mirror it to a private repository on GitLab. GL will keep all commits up to date for you.
(Ironically, there is nothing comparable on GitHub’s platform. You cannot make a fork that keeps itself up to date, for example.)
Very interesting use case for the mirroring feature. It really is super helpful and powerful. Though currently pull mirrors show as activity contributions, so if you mirror a large, active project your commit activity graph will go through the roof (if you care about that sort of thing).
Interesting. I haven't looked at Actions at all yet but this is nifty. Previously I had seen people write their own GitHub bots to handle this sort of thing.
Note that Gitlab hosts on Google Cloud, which blocks all traffic from sanctioned countries on a network level. No IP packets from US sanctioned countries reach any service hosted on Google Cloud, including open source gitlab repos.
No, the point of sanctions is to hurt the leaders of a country, not their citizens. That's why sanctions are applied to specific goods and not across the board.
One reason we ask users not to go on about downvotes is that users frequently come along and add corrective upvotes, but comments like this don't garbage-collect themselves. They start as off-topic and end by being off-topic and false.
Nobody should depend on GitHub, especially after it was taken over by Microsoft. If you have any repository on GH, create similar accounts on competing sites such as bitbucket. Also consider services hosted in other countries, since it seems that local political prejudices and propaganda are starting to creep out on the science and technology arena.
I think I'd need a citation on why "prejudice and propaganda" applies here. The US doesn't turn to sanctions flippantly (it's not in the US's economic interests, in general, to take a trading partner off the table).
I probably wouldn't use language quite that strong, but the view from outside the US is definitely quite different.
The US withdrawal from the Iran nuclear agreement was more a result of changes in the US than of changes in Iran. Barack Obama brokered the deal and he stated his clear opposition to Donald Trump's decision to end it. (https://facebook.com/barackobama/posts/10155854913976749)
The European Union was also a party to the Iran nuclear deal, and they thought so poorly of the resumption of US sanctions on Iran that they passed a law making it illegal for European companies to comply. (https://dw.com/en/eu-to-reactivate-blocking-statute-against-...)
Absolutely agree with this, and if Gitlab's hardware requirements seem a little expensive, I can highly recommend Gitea[0]. It runs very happily on a $5 Digital Ocean droplet. It doesn't have all the bells and whistles, but for my basic needs, and presumably as a panic backup, it's a great bit of software.
Pull requests and collaboration would be a bit more complicated, I guess. But as long as "Log in with ..." works to quickly create an account, it may be ok.
Note: This is the company that is acquiring NPM. Which now also is going to have to deal with the messy reality of US sanctions, if they'd been dodging them before. Prior to this it wouldn't have been entirely beyond the pale for NPM to move ownership to another country if it proved too onerous. The threshold for "too onerous" is likely to be significantly higher at Microsoft / Github.
Yes, these trade sanctions will definitely cause these issues--if they operate a business or do any dealings with businesses in countries which are embargoed they will lose their ability to sell their product internationally, since Microsoft also fulfills defense contracts it probably makes these obligations even stronger, though I am not a lawyer.
I think at this point Fossil is looking really really good.
There's independently and independently. MS is on the hook for violations of US sanctions by any of its subsidiaries and constituent organizations; one can assume the legal team keeps an eye on Github's operations even if the main operations team allows for independent goals and direction of work.
This is true, and not only for US regulation-related reasons. They also removed multiple political writings about people criticising their authoritarian governments as well as games with sexually explicit content (but no images).
> You could self-host and your ISP would still take you down if you were violating US sanctions in most parts of the world.
I doubt there's any ISP that would ban you because someone who contributed to your project at some point used an IP from a sanctioned country. Hell, I doubt any ISP even would have the data to correlate together to figure that out. Github will and has.
> your ISP would still take you down if you were violating US sanctions in most parts of the world
No, they would not.
These are US sanctions, not most parts of the world sanctions. You could have problems with companies in the jurisdiction of US, but most parts of the world are not it.
If that's not an idealist's view of how the world works. So you think if you're in Japan that NTT is going to risk losing ALL of their US contracts for a random home user that's violating US sanctions? Good luck with that.
Just because you aren't in US jurisdictions doesn't mean your ISP doesn't make a LOT of money off the US market. Not to mention the mass exodus of customers if they were banned from all US based content.
Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?
For NTT and US, such a situation would be a PR disaster. It would be very difficult for them to explain to the public, why they are applying foreign laws to Japanese citizens.
Even US knows that, and they would never push for such draconian thing.
> Does not work that way. How do you think Iran and North Korea are connected to Internet in the first place?
It literally works that way. North Korea is connected through China Unicom, and China doesn't recognize the North Korean sanctions.
Iran's internet access isn't part of the current sanctions.
> OFAC or the State Department may also impose so-called “secondary sanctions” on non-US companies, even with no US nexus to the activity. Under secondary sanctions, a non-US company may be restricted from US markets or the US financial system if it engages in certain conduct related to Iran, Russia, or North Korea.
> China doesn't recognize the North Korean sanctions.
And this is the key.
In order for the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
Most countries in the world do not adopt US sanctions as their own. The sanctions are being enforced worldwide via contract law (i.e. the exporting company has a contract with the US vendor that it won't sell to specified parties); not by US forcing its jurisdiction on other countries.
That would result in pretty nasty questioning about democracy.
>In order for the hypothetical NTT situation to be affected by US sanctions, Japan would have to recognize them. It would be up to the Japanese parliament to adopt them. US cannot force NTT unilaterally to kick out someone, NTT in Japan must be in line with Japanese law.
You can say that until you're blue in the face but it's not accurate. Let me know when NTT has a line running into Cuba and we can talk about how they only have to abide by Japanese sanctions and Japanese law.
What frustrates me about these kind of things is how impersonal they are. How many orgs/users does GitHub sanction a day? Too many for it to be able to email the users and ask clarifying questions? Or even have a human dig in and double check what the algorithm says.
Basic human interaction would seemingly solve 99% of false account lockouts and takedowns. Even basic heuristics like this org has a repo with 11,000 stars, it isn't a new user that just signed up yesterday, we need to look into this deeper.
In a world in which online presence is an essential attribute of... commerce, professionalism, etc., deplatforming cannot be allowed to be so trivial to effect and difficult (in many cases impossible) to challenge. At some point human rights have got to include sufficient due process to deal with accidental or unjust deplatforming.
It's an interesting thought, but at the moment at least, things are still too fluid to really nail down how that would work. What is a "platform?" What is "deplatforming?" If Github kicks me off and I can migrate easily to GitLab, have I been "deplatformed?" Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?
We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
> If Github kicks me off and I can migrate easily to GitLab, have I been "deplatformed?"
Most definitely you have. Especially if the reason and process used by GH is likely to also be in use at GL.
> Is it morally correct to tie Github's hands from locking someone's account if they're using their git repo to host CP?
The relevant question is: is it constitutional. In the U.S. I believe the answer would be a solid "yes" as to a Federal statute that adds due process protections for this, no different than with the many many Federal and State laws and regulations that have created civil justice recourse for specific kinds of torts.
Morality is a different issue, and it's much too easy to flip your question on its head: is it moral to deplatform people if doing so damages their ability to earn a living?
Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.
Regarding politics, mine is a political argument.
Regarding policy, I think it's a good idea to give "little people" some minimal protections from "big people". This is quite standard around the world. There are going to be policy details to debate, but writ large, this is a no-brainer.
I already addressed the very likely U.S. constitutionality of such a policy.
> We're getting there, but pulling it off is going to require a level of international cooperation that is rarely seen (and tends to give a few key players a lot of power; if we do this, I hope everyone's excited to be living under the US's notion of what morality looks like. Or Europe's. or China's).
No. This can be done in each country w/o international cooperation. Granted, GH might pull out of France, say, if they don't like French laws, and so on. But U.S. business will not leave the U.S. over this.
> Indeed, there's no need to frame this as a moral question, and it's arguably foolish to do so. It is and should be only a question of policy, politics, and constitutional law.
Morality drives the shaping of all three of those things, so framing it as a question of morality is unavoidable if one wants to do something other than the status quo (which is "A private service provider may choose to do business with or refrain from doing business with anyone for any reason that hasn't already been carved out by previous civil rights legislation"). I believe you immediately demonstrated this fact by stating as "policy" something that is a moral stance ("little people" deserve some minimal protections from "big people"). And we may do well to remember that the KKK is also "little people", as are neo-Nazis (and society has a vested interest in keeping both groups "little people").
All people should be treated equally as people in the eyes of the law, i.e. with empathy for their humanity. But when you divide groups into "little" and "big" by political belief, sometimes you do, in fact, find situations where the majority should suppress the minority (because the minority's belief is anti-human, and political beliefs are malleable).
Which is going to need to be acceptable, because the alternative is much worse. The backstop is to keep checks on those who hold power.
And if no such checks can be kept, then whether we consider deplatforming acceptable is irrelevant, because the powerful will do whatever they want regardless.
Personal interaction and special-case handling of individual issues does not scale. That's the curse of getting too big as an internet service provider of any stripe.
Does the law actually require a fully automated means of detection? For example to "nuke first" means you need to know that sanctions apply. If the law doesn't require it to be fully automated, "know that sanctions apply" could involve a human doing verification.
With over 100M repos, manually reviewing (even if the flagging for review is automated) is likely just not practical. I suspect that once they are aware (the automated flagging) they are then legally on the hook for as long as it takes to perform the review.
That still comes down to when they are considered "aware". If I emailed GitHub and told them the "microsoft" org was run by people in Iran, would they then be "aware" and need to shut down the "microsoft" org? If you consider automated flagging to be a tip-off that needs to be investigated, then you aren't "aware" until it is investigated.
I don't think 100 million repos matters. What matters is how many automated tip-offs they need to investigate. It would have taken two minutes of investigation to find out this repo wasn't from a sanctioned country. If it takes two minutes to review a case, a team of five people could review over a thousand cases in an eight hour day. I work for a tech company that has a team of people that reviews uploaded content for copyright violations, it can be done.
Remember that the sanctions are for commercial use, primarily paid accounts. These sanction violation aren't happening at the rate of something like YouTube copyright violations. I wouldn't be surprised if it was less than ten a day.
Let's take a moment and appreciate the copy and paste support response "If a user or organization believes that they have been flagged in error, then that user or organization owner has the opportunity to appeal the flag by providing verification information to GitHub. Please see our FAQ for the appeals request form." https://twitter.com/GitHubHelp/status/1240682163193942018
Is that an official GH account? It's old and the answers look legitimate but that one is certainly a really off-putting reaction.
It doesn't seem off-putting to me. The form is there for a reason. Filling it out is literally easier than explaining everything to a support person on Twitter point-by-point. If you want help, you can spend 60 seconds and fill out a damn web form.
Have black hat people figured out what triggers this yet?
Looks like a new attack, where you make a few contributions to a project, then start proxying your logins through Iran for a while till everything you touch shuts down.
Sanctions for online services are one of the worst things about working in this industry. Being forced to implement and maintain technical solutions to block access to everyday citizens of certain regions because some guys in suits decided these are second tier humans is demoralizing as hell.
How are people supposed to rise up and depose or vote for less tyrannical governments if they cannot access information, or use services that'll boost their businesses in the global market? Having had to implement things like this myself in the past, I just feel like puking when I do it.
And don't think about just ignoring these, as soon as you get bigger than tiny, your bank will threaten to freeze all your accounts and stop doing business with you if for some reason you let some Crimean or Iranian get onto your service and pay you for it.
What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular everyday population.
Apparently, the idea is that those "Crimean or Iranian" would get pissed off at their government and revolt. Which, as the practice shows, doesn't quite work that way. They get pissed off at the sanctioning government as well, and are less likely to believe that that government actually worries about their interests and rights and not, say, using them as a free battering ram against their current government/regime.
Country 'A' would like to build a weapon of mass destruction. Country 'B' asks them nicely to not do that.
They ignore the request and continue building the technology. At that point you can either do the following:
- Ignore it and hope they don't destabilize the region / world.
- Economic and Trade sanctions to slow down their progress, and impact the economy of the country.
- Physical blockade / severing of Internet connections.
- Declaration of war.
Unless you're saying we should simply ignore these states and let them do what ever they want. I don't really know what solution you would envision that would be _less_ impactful to the average citizen.
Economic sanctions might work as a sudden shock action.
Long-term sanctions are likely futile. There's a point at which the domestic economy compensates. They buy from other players, they learn to do without, they grumble and suck it up, but it doesn't evoke a reaction anymore. I also suspect the tendency to roll them out as "we're sanctioning 13 specific people in the cabinet and their companies" in waves until we finally actually impact everyday civilians doesn't help-- it's basically saying "brace for impact" to the population.
I suspect there's an entire generation or more of Cubans and Iranians who just grew up assuming "this is our economic normal" and don't really see it as a direct call to action of "if you'd be so kind as to remove your leadership, we'd buy your products."
Now, if you spend as much time as possible getting nations to build and maintain deep economic ties with each other, THEN pulling the plug suddenly and boldly, can have an impact. There's more disruption and a clear inflection point.
I also suspect that a lot of civilians view sanctions as non-actionable because there are usually limited and absurd requirements for them to be lifted. I can't imagine, for example, any way Cuba or the DPRK gets out of sanctions without explicitly discharging their current leadership. At best, that's intrusive and insulting to a sovereign nation; at worst it's cheering on civil war and strife. The Iran nuclear deal, before it imploded, was a potential breakthrough here-- we gave them tangible, realistic milestones that could be achieved without a coup, and honoured the commitment.
Country A has zero legitimacy doing this if they have the exact same weapons of mass destruction. Their only argument would be that they are more responsible. It reminds me of parents punishing their kid for smoking while they are smokers themselves. No credibility.
Yes, absolutely. The US is responsible for far more bloodshed than North Korea. How many coups were backed by the US government, how many nukes we have, our never ending war machine...list goes on and on. I don't think North Korea is anything more than a totalitarian dictatorship but I 100% would never believe what western media backed by US imperialist propaganda is telling me about them.
By the way, South Korea's National Security Law still has the clause that "any person who praises, incites or propagates the activities of an antigovernment organization (that includes DPRK by design)... shall be punished by imprisonment for not more than seven years". And this clause is actually used (see Amnesty International's report https://www.amnesty.org/en/documents/asa25/006/2012/en/ ), so it's literally illegal for a South Korean newspaper to print anything positive about DPRK.
Thankfully, that isn't how the world actually works. People are able to understand that any country, including the US, is composed of people who work on different things with different views, and that there are things US entities still say and do that can be valuable and trusted.
> there are things US entities still say and do that can be valuable and trusted
Yeah, sure.
For some reason, the US enjoys some special privileges when it comes to the international politics.
How long has the Russiahoax been going, five years? For five years, every single media outlet in the US attacks my country and blames it for all sorts of criminal activity, while not a single piece of evidence has been presented.
And for some reason, most of the Americans that I've talked to don't see any problem with that and won't call their government russophobic, so much for your "different views."
Why should anybody believe anything said by an American anymore?
The easy answer: "most of the Americans that I've talked to" vs. "anything said by an American"
I'll expand: In the country I live in, a country often touted as very highly developed, there are still a lot of people that have weirdly (uninformed) nationalistic views about certain topics probably due to some oddities of history. This is the case in every single country I've traveled to or lived in. No one is advocating for designing global policy on Russia based on the views of the average American. That has little to do with trusting Americans (or Britons, or any other nationality of a place with a violent history) on other specific issues.
I suppose you'd prefer that, instead, the entirety of Japan would have had to be bombed into oblivion using non-nuclear weapons, not to mention the extra loss of life on the Allied side that would have almost certainly occurred during a more traditional invasion that would have likely been necessary.
War sucks, and there are rarely good choices; it's nearly always going to be a choice between something truly awful and something just merely really bad. Nuclear weapons suck, but I dare say they saved lives -- on both sides -- when used in that instance. Of course, after more people had them, and we realized the implications of MAD, using nuclear weapons is (thankfully) more or less off the table for any non-suicidal nation.
There were other options besides just those two. Japan at the time would have accepted any peace agreement with just a single clause: that the Emperor would not be executed. Anyone else could be. This was a reasonable agreement to make since the US didn't execute him anyway. The war could have ended in the same state that it ultimately did with far less loss of life on both sides except for the US insistence on unconditional surrender.
USA is full of weapons of mass destruction. You may agree or not with that policy but the sheer fact that it is true means that most countries go for
- Ignore it and hope they don't destabilize the region / world.
> They get pissed off at the sanctioning government as well, and are less likely to believe that that government actually worries about their interests and rights...
Oh thank god they’re less likely to believe that, because at least in this version of reality no government actually worries about the interests and rights of the human beings on the other side of the planet; if they say so they’re just bullshitting.
When regular diplomacy fails to resolve an international dispute, what further options do you believe exist? As far as I can tell, generally speaking, you have economic sanctions, and war. I know which of those I would personally consider to be more humane, but if you have a case for war, then please make it. I’m also not aware of any sanctions that have been put in place because a government sees the citizens of another country as second tier humans. But if you have any rationale to support that ridiculous claim, I’d be interested in hearing it.
>What exactly is the plan? Are we expecting that individuals who disagree with their regimes would leave their country and their families? It just feels like cold blooded retribution with no care for the regular everyday population.
That it will impact the country economically and hopefully result in the Government changing course or for the People of the country to not want to live in a shitty place with a poor economy.
I find sanctions vastly better than the alternative at that level, which would be some sort of blockade or other military intervention.
That sounds good in theory, but in reality you end up with worse outcomes than doing nothing:
a) The target country just allows their citizens to feel the brunt of the sanctions while the ruling class hoards resources for themselves.
b) The target country starts a propaganda campaign to blame the sanction-issuer for all their problems, which the citizens mostly believe.
So ultimately you end up with regular-Joe citizens in the target country having a worse quality of life, while also being led to believe that your country is the evil one.
Another poster hit the nail on the head: the politicians in the sanction-issuing country need to be seen as doing something by their populace, regardless of what the result of that something is.
Heh, an excellent point. Obviously the sanctioner's goal is for the sanctionee's citizens to understand why the sanctions are in place, and ultimately blame their own government, but that can be a hard sell, even without a propaganda campaign.
Sanctions are part of a war or often a preparation. You could also call it blackmailing. If people die from not having access to medical goods etc because of sanctions it's just cheaper than sending troops.
But the reality is probably more like the top levels of governments bullying, and they don’t give a flying fuck about the impacts on the average citizen.
I don't think anyone reasonably expects that their citizens will have any useful reaction. Rather, it's simply a way to cause economic hardship to the country.
Whether that's a wise or ethical idea depends on the particular situation, but it's certainly a much smaller hammer than (say) direct military action.
Why should software or online services be treated different than any other good/service when it comes to an embargo?
It's fine to debate an embargo, but that belongs in the political space and not technical or business realm.
Personally I may not agree with the efficacy of particular embargoes, but I do support the ability of my government to enforce one wholeheartedly. Because by the same token that you want to sell your information services to people oppressed by hostile foreign powers, there are those that want to sell them to the oppressors, and it's generally impossible to tell the difference. I don't want to hear about another IBM selling bookkeeping tools to another Nazi regime to improve the bureaucracy of their death camps, and if that means a few indie developers can't get Iranians to use their front end JS framework that's ok with me.
This debate belongs in the senate, not in the tech world.
The stupidest part is, people in affected countries easily and routinely circumvent the block. The only people affected are foreign companies from countries that do not have a sanction, but risk being sued in the US. For example, European oil companies operating in Iran.
Not my field, but my impression is there's an ongoing argument over whether severe economic sanctions constitute a form of collective punishment as prohibited under the Geneva convention. Usually it's in the context of trade and infrastructure. "Once your government submits to our policy demands, we'll permit your infant mortality rates to drop back down - until then, don't blame us for your suffering". But where access to information is seen as a universal human right, a similar issue might arise with online services.
GitHub could take the approach of collecting less data and saying that they don't know where their users are. They could drop the IP at the LB, disassociate all location metrics from their user accounts, and thus have no ability to tell where developer accounts are from.
But instead they choose to data mine users for their location and block them. Just like their ridiculous contract with ICE, GitHub is choosing to actively participate in these sort of things.
Without even delving into the perverse sanctions part, it should never be forgotten that the whole point of git is that it's a distributed source control system. Grab your source and move it elsewhere. Heck, even an old forked gitlab community instance should work.
Github is good for the exposure, but it's their house, and so their rules apply, not ours. Don't rely on them to always be OK with you staying.
Every time something like this happens someone has to make this argument. This isn't just about the source, it's all the other tools like pull requests that Github provides. Git is only one part of Github.
It should really be an argument to have github decentralized as well.
I know the “hub” part is in the name, but there must be a way to have separate legal instances working under different sets of rules. The finance world optimized the hell out of regional rules, we should find the legal equivalent to avoid a single gov. setting the rules for the whole planet.
Up until now it might not have been worth the hassle, I’d argue it has become more important nowadays.
FWIW, I have attempted to look it up myself, and unlike Github, GitLab doesn't appear to allow me a transparent view into their offerings in action without signing up to start my free trial. Which is a lot more engagement than Github requires of someone just trying to discover capabilities.
From what it looks like, the free trial is similar to GitHub's paid account but you can use the extra tools for free for the duration of the trial. Seems as transparent as GitHub.
Never used GitLab outside of running it myself but I think hosting OS software on GitLab.com is free.
You don't even need the trial. Just press "Register" to get the standard login page for GitLab.com. From there you can sign in with GitHub (or make an account) and explore the platform for yourself.
The trial is just for the paid subscriptions. The normal, free account has access to all of the platform's Gold features as long as the repos in question are public (or internal, just not private).
> Yes! As part of GitLab’s commitment to open source, Gold project-level features are available for free to public projects on GitLab.com. Gold group-level features, however, still require a subscription, for reasons explained here[0]. For organizations interested in free Gold features for groups, we also offer free Gold and Ultimate to educational institutions and open source projects[1].
Note that public repos inside a public group do have access to Gold level features. It's just the group level features that are restricted.
Yes to all (obviously 3rd party integrations vary, in practice depends which you need), but I guess the actual point is that all these extras are implemented by each service individually and aren't guaranteed to be compatible.
WTH? GitHub is owned by Microsoft. Rob Eisenberg, who posted that tweet, works for Microsoft.
There's so much about this I don't get, not least of which is the fact that despite what the headline suggests, along with the amount of bile still being spewed on this thread, Aurelia is back up and running, as are all its repos: https://aurelia.io/, https://github.com/aurelia.
So, yes, GitHub properly effed up here, but they do at least appear to have backpedalled and fixed the problem quickly.
It got fixed quickly because of the very high profile nature of the project. What happens when it's one of our projects, and we aren't some bigwig at Github's parent company to complain?
Seems that Github has automated some repository banning actions.
3 days ago, the author of a repo had his account removed without reason and hours later got his account reactivated (https://news.ycombinator.com/item?id=22593595), after posting to hackernews.
As we see, the Aurelia repository was also removed, and hours later reactivated.
What caught my attention is that the banned user is from Russia and that Aurelia repository has got developers from Iran.
Is this a sign of Github country discrimination? Or is this a sign of Machine learning bias?
It's a sign that Github strictly follows US sanctions which currently impact Crimea and Iran. They literally say in the messages for these closures that it's due to sanctions.
I can empathize that GitHub has to abide by laws more stringently now that it's part of Microsoft but oh boy does its automatic flagging system need work.
One day I was randomly permanently banned because a hacker starred some of my public repos from hacked accounts (only ~6 stars btw). I had no involvement whatsoever, it was likely an attempt by the hacker to dilute the target of the repos they were trying to star. It took me ~2 weeks to appeal and they still blamed me for hacking even though the IPs of those accounts were different. My ban was eventually lifted but I doubt their system works nearly as well as it should.
What a debacle. If GitHub believes this is necessary to comply with sanctions, they should provide a "rather than shut me down, please block contributions that GitHub would consider sanctioned” switch.
Can’t speak for others, but I for one wouldn’t want this switch, and would be offended by it. I would defend people’s rights to contribute to open source regardless of their nationalities by taking my project elsewhere.
Addressing someone in the third person is about as far from empathy as one could get. Clearly, the signal is strong to begin the exodus from Github as soon as practical.
They can no longer be trusted, and are no longer developer friendly.
It looks like a JS frontend framework. I've never used it. I have no idea why it would be sanctioned. Bizarrely Aurelia 1.0 at https://github.com/aurelia/framework has a banner across its top indicating trade sanctions, but the new version Aurelia 2.0 doesn't https://github.com/aurelia/aurelia.
My first question is: how does Github know that certain committers are from sanctioned countries? Do they have Github profiles showing they're from sanctioned countries?
Given the number of huge FOSS projects on Github, it's feasible to imagine that many major repos have code contributed by people from sanctioned countries.
I have no idea what their motive is, but it smells really political to me. I could see Github's argument if they violated labor laws by hiring or contracting with individuals illegally, but that doesn't sound like what happened here.
The author of the tweet says "A popular open source JavaScript framework with tens of thousands of customers worldwide. The project has been public for 5yrs+, managed by a US company, whose owner is even a GitHub Insider and long time open source leader (15+ yrs)."
First, a disclaimer: this is pure speculation on my part, but based on what others have said about github cracking down on sanctioned countries, I'm guessing they audited and found some accounts that belonged to people they suspected of being from sanctioned countries, and then went massively overboard and nuked any repo those users ever contributed to.
"This repository has been archived with read-only access. Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes. Please contact the organization admin and read about GitHub and Trade Controls for more information."
A front-end framework I first used on a project about 4 years ago. I always hoped it would become as popular as Angular or React but it hasn’t picked up that much (I still have hope since I like it so much). Pretty strange that GH would have applied sanctions to it, even if it was a mistake.
And I just finished setting up gitea(https://gitea.io/en-us/) on my server and mirrored all my repos. An elegant piece of software, setup was straightforward and took less than an hour.
If people just used git the way it was intended, as a decentralized protocol for editing and sending patches by email, we wouldn't have this issue. See https://git-send-email.io
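The two workflows mentioned in the two comments above, keeping a self-hosted mirror of a repository and exchanging changes as e-mailable patches, as an added example that is not part of any post in this thread. It assumes only that git is on PATH; the repository names, the commit contents and the identity used for commits are all constructed for the demonstration, and nothing touches the network.

```shell
#!/bin/sh
# Added example, not taken from the thread: keep a self-hosted mirror of a
# repository (as with the gitea setup above) and pass a change around as an
# e-mailable patch (the git-send-email style workflow). Assumes only that git
# is installed; repositories and file contents are constructed locally and no
# network is used.
set -eu

# Identity for commits made by this script (constructed, not a real person).
GIT="git -c user.name=Example -c user.email=example@example.invalid"

# Create a bare "origin" repository with one commit; stands in for the hosted copy.
make_origin() {
  dir="$1"
  git init -q --bare "$dir/origin.git"
  git clone -q "$dir/origin.git" "$dir/work" 2>/dev/null
  echo "hello" > "$dir/work/README"
  $GIT -C "$dir/work" add README
  $GIT -C "$dir/work" commit -q -m "initial commit"
  git -C "$dir/work" push -q origin HEAD 2>/dev/null
  # Point the bare repo's HEAD at the branch we just pushed, whatever its name.
  branch=$(git -C "$dir/work" rev-parse --abbrev-ref HEAD)
  git --git-dir="$dir/origin.git" symbolic-ref HEAD "refs/heads/$branch"
}

# Mirror every ref of $1 into a new bare repository at $2 (e.g. a self-hosted
# gitea remote). $3 is scratch space for the intermediate mirror clone.
mirror_repo() {
  src="$1"; dst="$2"; scratch="$3"
  git clone -q --mirror "$src" "$scratch/mirror.git"
  git init -q --bare "$dst"
  git -C "$scratch/mirror.git" push -q --mirror "$dst"
  # Carry the default branch over so clones of the mirror check out the same branch.
  git --git-dir="$dst" symbolic-ref HEAD "$(git --git-dir="$src" symbolic-ref HEAD)"
}

# True when both repositories have identical refs (names and commit ids).
mirror_matches() {
  [ "$(git --git-dir="$1" show-ref)" = "$(git --git-dir="$2" show-ref)" ]
}

# A contributor commits in their own clone, exports the commit with
# format-patch, and a maintainer applies the resulting mailbox file with git am.
# Prints the subject of the commit the maintainer ended up with.
patch_roundtrip() {
  dir="$1"
  git clone -q "$dir/origin.git" "$dir/contrib"
  echo "world" >> "$dir/contrib/README"
  $GIT -C "$dir/contrib" commit -q -am "append greeting"
  git -C "$dir/contrib" format-patch -1 -o "$dir/patches" >/dev/null
  git clone -q "$dir/origin.git" "$dir/maint"
  $GIT -C "$dir/maint" am -q "$dir"/patches/*.patch
  git -C "$dir/maint" log -1 --format=%s
}

# Stand-alone run: build the repos in a temp dir and report the outcome.
demo() {
  tmp=$(mktemp -d)
  make_origin "$tmp"
  mirror_repo "$tmp/origin.git" "$tmp/selfhost.git" "$tmp"
  if mirror_matches "$tmp/origin.git" "$tmp/selfhost.git"; then
    echo "mirror refs match origin"
  else
    echo "mirror refs differ from origin"; return 1
  fi
  echo "maintainer applied: $(patch_roundtrip "$tmp")"
  rm -rf "$tmp"
}

demo
```

The point of `push --mirror` is that it copies every ref, tags and branches alike, so the self-hosted copy is a drop-in replacement if the hosted account disappears; `mirror_matches` is the check worth running after each sync. The `format-patch` / `am` pair is the same exchange `git send-email` performs over SMTP, only with the mailbox file passed by hand, which is why it needs no hosting service at all.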
This looks like a terrible but honest mistake. The repo is already back, after something like an hour and a half. The .io website is not back yet, but I suspect that takes a moment to get back running.
It doesn’t matter if it’s an honest mistake, this sort of action alongside the canned HR response is completely unacceptable. Honest mistakes don’t exempt your actions from being disgusting.
An action that is an honest mistake isn't disgusting; it is simply a mistake. We all make mistakes. Anyone who makes no mistakes is not doing anything useful.
What matters is doing the right thing after the mistake is discovered. I agree that the canned HR response wasn't acceptable, but that is not all that happened. GitHub quickly restored the project - and that was the most important issue. In addition, GitHub has now posted an apology, and has also said that they will try to figure out how to prevent its recurrence in the future.
THAT is exactly the right way to handle a mistake: fix the problem, say sorry, and try to prevent its recurrence. Good show. I am actually impressed with GitHub's response to this!!
I get the impression that part of your complaint is that "flagging" itself is disgusting. If that's the case, your ire is completely misdirected. This is required by US law for anyone doing business in the US. If you don't like it, that's fine; complain to the US Congress, who create the US laws. GitHub is simply doing what it must do. In the US, and in most of the western world, the rule of law is still a thing (and a good thing it is!). Please point your disagreement at those who are responsible for it.
> What matters is doing the right thing after the mistake is discovered.
They didn't. They only did "the right thing" after it went viral on HN.
They did the same thing a few days ago to another developer, and only after it went viral on HN did they do the right thing. They were very aware that a) their flagging process is broken and b) their support process is non-existent unless you make your complaint go viral. The canned response is part of their strategy to filter out everyone that isn't large enough and they'll just ignore those complaints.
> This is required by US law for anyone doing business in the US.
It's required to do it automatically and wrong? I have some serious doubts.
Weirdest part of this is that the Lead Developer at Aurelia and the guy who posted this on twitter works at Microsoft which again is weird now that Github is part of Microsoft.
- https://gitea.com/ by the gitea project is hosted in China by a Chinese company. It's probably the safest one to use.
- https://bitbucket.org/ by Atlassian is probably hosted in the US but is owned by a company headquartered in Australia.
Personally, I don't think searching for alternatives in other jurisdictions is the right way to tackle this issue. With the way things are devolving in terms of hosting reliability (i.e. getting automatically banned by big tech for vague reasons) and US laws that overstep their boundaries, the best way is to host mirrors across as many services and networks as possible and switch your workflow (incl. issues) to a mail-based one.
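The "mirror across as many services as possible" suggestion above, as an added example that is not part of the thread: one git remote configured with several push URLs, so a single push fans out to every mirror. It assumes git is installed; the two mirrors are local bare repositories constructed for the demo, standing in for hosts such as GitHub, Gitea or Bitbucket.

```shell
#!/bin/sh
# Added example: fan one 'git push' out to several mirrors.
# Assumes git is on PATH. The mirrors are throwaway bare repos (constructed).
set -e

mirror_demo() {
  work=$(mktemp -d)
  git init -q --bare "$work/mirror-a.git"
  git init -q --bare "$work/mirror-b.git"

  # Working repository with one commit on 'main'.
  git init -q "$work/src"
  cd "$work/src"
  git symbolic-ref HEAD refs/heads/main
  git -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m "initial"

  # Fetch URL stays the first mirror; adding push URLs makes every
  # 'git push origin' go to all of them, so no host is the only copy.
  git remote add origin "$work/mirror-a.git"
  git remote set-url --add --push origin "$work/mirror-a.git"
  git remote set-url --add --push origin "$work/mirror-b.git"
  git push -q origin main

  # Check that both mirrors hold exactly the commit we have locally.
  head=$(git rev-parse HEAD)
  a=$(git --git-dir="$work/mirror-a.git" rev-parse refs/heads/main)
  b=$(git --git-dir="$work/mirror-b.git" rev-parse refs/heads/main)
  cd / && rm -rf "$work"
  if [ "$head" = "$a" ] && [ "$head" = "$b" ]; then
    echo ok
  else
    echo mismatch
  fi
}
```

Running `mirror_demo` prints `ok` when both mirrors match; the same `pushurl` lines can be kept in `.git/config` so every future push updates every mirror.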
"Due to U.S. trade controls law restrictions, paid GitHub organization services have been restricted. For free organization accounts, you may have access to free GitHub public repository services (such as access to GitHub Pages and public repositories used for open source projects) for personal communications only, and not for commercial purposes."
So it looks like it's not the most stable place to make money.
Github was cool when git was new years back - but these days, and especially given how git inherently is not centralized, it is not very clear to me why we all cling to github. With a little work, all that it offers can be done without any help of a centralized server/corporation.
Does any license in particular affect the trade sanctions? MIT for example in my eyes would be the most lax; does that mean that it does not apply for trade sanctions?
Open source based on government sanctions kinda feels like some oxymoron.
The funniest thing to me is that the twitter account complaining is a Microsoft employee and Github is owned by Microsoft but the only way he could complain and be heard is via twitter? Amazing!
GitLab CEO here, thanks Nat for doing everything you can do to keep open source accessible around the world. We have to comply with the same restrictions and respect greatly that GitHub is taking the broadest possible interpretation of US sanctions law to help users.
Yes, they do. If you are suggesting they should do what those employees did and quit in protest (which for a company would be to shut itself down), then I guess you are right they don't HAVE to comply with US law... but they do if they want to continue to exist.
I'm saying to take the whole operation into anonymous space. Or replace it with one that is. It could be Tor, or perhaps Loki, based on what little I know about it so far. And pay with cryptocurrencies.
People who work anonymously enough can't be arrested.
No, I'm advocating resistance against US policy that's unjust and overreaching. And given that the US is too powerful to resist directly, I'm advocating discretion.
What's criminal and what's human rights depends on one's perspective.
So, all companies are lawful because they are required to be. That's a bit of a tautology, no? It also doesn't play out in reality.
Maybe they keep the company running so they can do secondary offerings and an IPO, so the investors and executives get paid, is the motivation to do unlawful things. Maybe it's okay to break the law now, cause when they are bigger and public they'll go back and fix it - breaking the law is a cost of doing business. Maybe they were so focused on signing the deal that they didn't want to hear from compliance. It's not the first time legal / compliance was railroaded or disregarded at a startup, in the name of doing something great. In the startup world, that's kind of a badge of honor.
It seems like, if a VP wants to discriminate hiring within certain countries, based on a pending customer contract, as stated by Mr. Johnson - it's reasonable to assume that GitLab should report, as per the EAR requirement, that:
> Any person under U.S. Jurisdiction who is asked to enter into an agreement or provide information that would violate anti-boycott laws must report this to BIS using a form BIS-621-P or form BIS-6051P in accordance with 15 C.F.R. § 760.5.
That's not an interpretation of sanctions, you're pulling in a second set of laws. Additionally, I'm pretty sure a country being on a boycotted list doesn't prohibit a company from making hiring decisions for reasons outside of the boycott.
At best, it's a matter of law to determine what doing business in a country means. In the broadest interpretation, employing seems like doing business. Merely being asked, by a customer, is reportable and the government gets to make the determination.
How to act seems like a determination / recommendation made by the head of compliance.
Isn't this a first amendment violation? Are we not on board with the notion that code is speech, and that the constitution applies to everyone, not just US citizens?
With those things in mind, I don't understand how the Iranian peoples' free speech rights can be infringed just because their speech is in the form of code.
I think that's not right, because the reason the company is doing the censoring is to comply with sanctions imposed by the government. If the US says you can't host content praising Iran, and GitHub takes it down to comply, that's a 1st Amendment violation.
However, code seems to be in a strange place, neither clearly speech nor clearly not-speech.
If Github is acting as agents of the USG, they're bound by 1A. Here, there's a direct instruction from the government telling them to do this thing.
But I'm not sure there's a 1A case against this form of trade sanctions. The government isn't saying Iranians (as an example) can't write code, or that US citizens can't write code. They're saying Iranian citizens can't use a US service. It's being denied as an economic transaction, not as speech.
Art I Sec 8 specifically enumerates the power "To regulate Commerce with foreign Nations...", and arguably sanctions are further allowed under the power "To define and punish Piracies and Felonies committed on the high Seas, and Offenses against the Law of Nations;"
So does that mean Iranians could just mirror the repo, someone in the US could mirror that repo, and then push the Iranians' commits to GitHub unimpeded by the sanctions?
In practice, of course they could unless Github specifically tracks that kind of thing.
I'm no expert on sanctions law, I mostly know what I do from having read all the compliance stuff at work.
There's a lot of law that's effectively enforced by business. All the alcohol prohibition for minors, for instance, is enforced by your local bar checking ID.
And many laws aren't intended to have perfect enforcement.
Take taxes. Banks won't, for instance, send a 1099 to the IRS if you have a small balance, even if you earned some interest. And there's no one tracking your cash income, but if you had a large amount and got audited you could be in trouble.
Likewise, sanctions aren't meant to be perfect, the intent is to hamper the target nation's economy by restricting most trade.
So the law always has to be black and white as to whether a thing is illegal. It then deals with the "grey" part through how it enforces it. Here I'd observe it's not monitored by a deputized business, and the executive won't prioritize it.
Whatever free speech rights apply to Iranians in Iran don't come from the US Constitution, not even from its First Amendment. The US Constitution protects US citizens (and maybe non-citizen nationals) anywhere and anyone of any nationality within the US, with respect to their dealings with the US federal / state / local governments or those private entities exercising the authority of these governments. That's it.