
Atlassian refuses service because “unable to confirm restricted party” - amingilani
https://twitter.com/mukhmustafa/status/1102954823018795008
======
uberman
We apply a terrorist watch list to deny access to online project management
software under the premise that international terrorists will use their real
name to register for an online service?

This seems totally bonkers. If a terrorist organization wanted to use an
online service to do project management and communication, would it not be in
the best interest of intelligence agencies to encourage that kind of behavior?
Particularly when Australia now legally requires backdoors.

I would have called "BS" if I had not seen the Atlassian reply.

How did Atlassian gain access to this list? If they don't have "the list", how
much does it cost per lookup? How do they disambiguate a (partial) match? Do
they look up the identities of all prospective clients or only ones with names
they think sound untrustworthy?

I work for a company that provides an online service related to higher
education. We have international users and we don't have access to this list.
Does anyone else work at a company that uses a terrorist watch list as part of
user registration?

Apparently Atlassian feels free to talk about it so I gather there is no gag
order in place.

~~~
occamrazor
“The list” is public, or more precisely there are several such lists published
by different government agencies. A “list of lists” for the US is available at
https://www.state.gov/strategictrade/redflags/

Most large companies use specialized screening services that aggregate all the
relevant lists and provide help for disambiguation of common names.

~~~
uberman
Many thanks. I was not aware that such was publicly available.

Do you know if all online services (doing business in the U.S.) would
hypothetically be required to verify registrations against this?

~~~
occamrazor
In general every business has to comply with sanctions and embargoes, but the
law does not prescribe how they have to enact their compliance rules. Specific
businesses (financial institutions, weapons manufacturers, uranium refiners,
etc.) must have protocols to screen their clients, with requirements that vary
by industry.

Disclaimer: IANAL, things vary by jurisdiction, and I am not from the US.

------
pcr0
I think Atlassian handled this okay by explaining themselves and requesting
proof of identity. His name looks common enough that it is probably a case of
mistaken identity.

The one thing they could have done better would be to provide a grace period,
but I doubt that would be compliant with the law.

