Funny how GH gets shit for what the US has as laws. I'd focus my outrage on the law, the lawmaker, and those who uphold it. GH is merely trying to go by the book/ avoid penalties, as expected.
The US embargo prevents doing business with Iran. Providing service in Iran would be a violation of the embargo. Blocking a whole European company not conducting business with Iran because one of its employee tried to login while there is not respecting the embargo, it's just overreach. GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.
> GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.
Random? I think the problem with Paypal was that they do not warn or provide reasons for freezing. GH's reasons are clear.
> Blocking a whole European company not conducting business with Iran because one of its employee tried to login while there is not respecting the embargo, it's just overreach.
Says who? There is a law, the law is unclear and IHMO a bad law. The law is overreach. Blaming GH for shitty US laws is akin to killing the messenger.
Is Github on the hook if the client is actually a resident? If so, the law is still bad and github's response may be appropriate(just blocking login from Iran sounds better though). You can't expect them to investigate the personal details of their users.
GitHub didn't decide in their actions blindly. They have lawyers who review the laws, look at their services and write the rules to follow internally.
The lawyers obviously have a reason to disagree with the Treasury and GitHub under Microsoft aren't exactly going to be using cheap lawyers either.
Github shoulders all the responsibility if they get it wrong. They appear to be doing the reasonable thing, up until this could not be resolved through customer support (as the company bears the burden of satisfying github that they are not violating the embargo).
Yes, the core problem here is that unblocking the preventive block in 7 days is both unacceptable for the client and a big OPEX ask for github.
What I’m not sure at all is that github had the obligation to preventively block cases instead of the alternative to investigate high risk cases prior to block. As long as they had a sound Compliance process for determining sanction enforcement needs in a reasonable time it should be enough - though for sure more expensive than autoblock followed by non-specialized, non-time sensitive (for github!) customer service followup.
> GitHub should get flak for that in the same way Paypal regularly get flak for randomly freezing accounts.
If GitHub freezes your account, this is obviously serious and can impact your business to a greater or lesser extent depending on what your business does. But the data is not lost, and you'll likely have a copy of at least some of it (the actual repos) and maybe all of it if you were being careful.
If Paypal freeze your account then any money in it is simply lost (and your loss is Paypal's gain!). There's no way you could keep a "backup" of that money even if you were being careful. It's completely incomparable.
> If Paypal freeze your account then any money in it is simply lost (and your loss is Paypal's gain!).
While this is completely tangential to the current discussion, I feel compelled to inform you that that's not how it works. When Paypal freeze your account, your account is not deleted, you just can't do anything with it. The money on it obviously remains yours. You just have to convince them that your account should be unfrozen or wait the maximum duration you agreed to in Paypal ToS - 180 days - after which they have to hand it back to you.
It's so peculiar that you - and some guy on twitter, apparently - are quoting a footnote to a FAQ on Treasury's OFAC information page as if that captures the entirety of an American company's obligations under the law. This is really obviously crazy, right? In any other, less political, context involving business law and liability the advice would be "talk to a lawyer."
I doubt GitHub or any org is changing their SOP based on my comment. But the mere existence of a scenario equivalent to the one in question in the operating guidelines suggest there is room fur sanity to prevail in the interpretation of the law.
A single person has no way of influencing this. Twisting Github's and others' arms is a great proxy. If they get flak for their handling of this, they can go argue with law makers.
Does that not just speak to a larger problem with the current political system that twisting the arm of a large company is the only way to affect change?