
An Apology and an Update - abraham
https://slackhq.com/an-apology-and-an-update
======
mabbo
I'm a big fan and critic of apologies. This one is pretty good.

They admit the mistake was theirs and they take responsibility for it. They
say sorry. They explain what they're going to do to fix the situation. They
say they're going to learn from this and not have similar mistakes in the
future. Pretty solid.

The only thing that is missing, in my view, is personalization. Tell me who
you are, speaking for the organization. This humanizes the apology, and also
gives a face to who it is saying they're going to improve. Ideally the CEO.

Still, I give it 8/10.

~~~
nimbius
>We did not block any user based on their nationality or ethnicity.

Okay, so how did you block them?

>As is standard in the enterprise software industry, Slack uses location
information principally derived from IP addresses to implement these required
blocks.

So, you blocked users based on their nationality.

>We do not collect, use, or possess any information about the nationality or
ethnicity of our users.

you clearly possess enough information about the nationality of your users to
block them based on it, which was your intent. You backpedaled when people who
were _not_ the target nationality began to complain.

~~~
p1esk
No, they blocked users based on location. I'm currently located in California,
and this has nothing to do with my nationality.

~~~
aervaertaera
Expats comprise less than 1% of the global population, and I doubt the number
of international tourists at any given time pushes that percentage much
higher. Use a VPN I guess, or better yet ditch Slack.

~~~
briandear
Nonsense. Much of Silicon Valley consists of foreigners, yet they didn’t block
those users — a significant part of their user base; thus the theory of
ethnic or nationality blocking makes zero logical sense.

------
pyrophane
This is yet another good reason to prefer decentralized networks. When Slack
or Facebook or whomever agrees to block someone there is no resolution other
than appealing to a company with a closed decision making process, something I
don't think any of us really want.

~~~
orthecreedence
Yep. Going to go ahead and throw Matrix/Riot out there as a great alternative.

~~~
derf_
I pretty much gave up on Matrix after the following exchange:
[https://news.ycombinator.com/item?id=8697151](https://news.ycombinator.com/item?id=8697151)

Perhaps I am overreacting, but that sort of attitude on matters core to basic
privacy in the post-Snowden era seems both problematic and incurable.

~~~
Arathorn
Yup, you’re overreacting, especially given I wrote that >4y ago when we hadn’t
even started implementing E2E encryption. Nowadays it’s almost complete and as
others have said we _will_ be turning it on by default for private comms in
the coming month(s). (There is little point in E2E for a conversation which is
public and being indexed by Google etc). Some deployments already have E2E on
by default in fact (eg the french government deployment).

------
Wowfunhappy
> We will soon begin blocking access to our service from IP addresses
> associated with an embargoed country. Users who travel to a sanctioned
> country may not be able to access Slack while they remain in that country.

Is Slack legally required to do this? As long as they aren't knowingly
accepting payment from these countries, shouldn't they be in the clear?

How are other tech companies dealing with this? Does Google block access from
embargoed countries? Does Windows refuse to work?

~~~
da_chicken
> Is Slack legally required to do this?

Yes, absolutely. Breaking sanctions is not just illegal, it's a _criminal
offense_. There have been sanctions against Iran since roughly when Trump
withdrew the US from the Joint Comprehensive Plan of Action [1] in May of this
year.

The CFO of Huawei was arrested in Canada per a request by the US because of
their dealings with Iran [2].

[1]: [https://en.wikipedia.org/wiki/Joint_Comprehensive_Plan_of_Ac...](https://en.wikipedia.org/wiki/Joint_Comprehensive_Plan_of_Action)

[2]: [https://www.bloomberg.com/news/articles/2018-12-05/huawei-cf...](https://www.bloomberg.com/news/articles/2018-12-05/huawei-cfo-arrested-in-canada-as-u-s-seeks-her-extradition)

~~~
aaomidi
The CFO was arrested in relation to Iran but not because of it. She was
arrested because she lied to banks and sold American made technology to Iran.

Slack is actually not required to do this as IM applications are exempt from
sanctions.

~~~
jkaplowitz
The wording of the exemption applies only to personal communications and
requires the service to be available at no cost to the user. There are
plausible readings that Slack goes well beyond the exemption.

Still, even though the sanctions rules may apply, I'm glad Slack is reversing
their overbroad application of these rules.

------
hrktb
It’s still profoundly disturbing to my eyes.

Technically their underlying problem is relying on IP ranges, which is flawed
and raises false positives all the time.

They seem to recognize they shouldn’t be doing irreversible and critical
action with only that info, yet will still use it to drop traffic.

To me their message is “sorry we screwed with your accounts, going forward
we’ll only screw with your messages”. Am I supposed to be that reassured?

~~~
lucb1e
I've never seen the whois info for an IP address resolve to the wrong country
though. The owner is registered with the regional IP something (RIR if I'm not
mistaken - like ARIN, RIPE, etc.) so that should be quite reliable.

Posting this I'm sure someone will take the challenge and can find an example
where it wasn't assigned to the right country, but is it more than one in a
billion IP addresses?

GeoIP databases on the other hand, the city and often even the
province/department/state are very unreliable.

~~~
mirimir
Consider HideMyAss server fun-tv.prcdn.net (5.62.58.220). They claim that it's
in Tuvalu.

However, [https://www.iplocation.net/](https://www.iplocation.net/) reports
some results indicating that it's in the UK, and some indicating that it's in
Tuvalu.

According to Hurricane Electric's BGP Toolkit, the origin AS for 5.62.58.0/23
is AS198605, with "Country of Origin: Czech Republic".[0]

But results from many ping probes (ping.pe, asm.ca.com and maplatency.com)
indicate that the server is in Miami, FL, US.[1]

That's a lot different from Tuvalu, the UK or the Czech Republic.

0) [https://bgp.he.net/AS198605](https://bgp.he.net/AS198605)

1) [https://www.ivpn.net/blog/wp-content/img/HMA-fun-tv.prcdn_.n...](https://www.ivpn.net/blog/wp-content/img/HMA-fun-tv.prcdn_.net-5.62.58.220-All-Probes-Tweak-Server.png)

------
kodablah
What changed recently that hadn't been the case for past years that made them
add these new measures? A true, earnest apology would at least touch on the
justifications for the changes more than just "become legal". But I understand
that, sadly, that kind of transparency is a bit much to ask of any company
these days. Still curious though if it was just an internal decision or
spurred via government/legal threat/request.

~~~
gk1
Three or four years ago I helped investigate application usage from embargoed
countries as part of an acquisition. The acquirer was performing due
diligence, and this was a liability they needed to assess.

So, to answer your question, I doubt anything serious changed outside of
Slack. Inside, however, maybe they got a new legal team that flagged this as a
liability, or they're getting serious about compliance, or they're preparing
for an IPO[1], or whatever...

[1] [https://www.cnbc.com/2018/12/07/slack-has-hired-goldman-sach...](https://www.cnbc.com/2018/12/07/slack-has-hired-goldman-sachs-for-2019-ipo.html)

------
berbec
A proper apology. These seem to have gone out of style.

~~~
InclinedPlane
Indeed. Compare and contrast with "sorry again for something new this week"
Facebook. "We let everyone and their uncle access all your private data, my B
dog." "Oh no, guess we helped cause a genocide, oopsie doodle."

------
teepo
My theory: Slack did this rough shot to get a deal signed with a major new
client and to support the due dil.

Also note that all the major cloud providers in the US do not do business with
embargoed countries. They all block IP from Iran, et al. to compute within the
US, but allow it to compute within other geos, this extends to tech support,
sales, etc.

I'm honestly surprised that Slack users within Iran could access the service
running in US to begin with. In all likelihood they could only access edge
servers located in other geos in APAC or the EU.

Look closely at everything Slack says in this message and others. "Enterprise
Software" is tossed around a lot. They want to be the communications platform
for the enterprise and have to meet these standards to compete with other
offerings that exist today.

------
chatmasta
> Users who travel to a sanctioned country may not be able to access Slack
> while they remain in that country. However, we will not deactivate their
> account and they will be able to access Slack when they return to countries
> or regions for which no blocking is required.

So why ban _any_ account? Why not just drop connections from IP addresses in
embargoed countries?

~~~
akerl_
That’s what they said they’re going to do.

~~~
chatmasta
It remains unclear. From the blog post, it sounds like they banned a number of
accounts, and now are manually unbanning some of them.

~~~
akerl_
The line you quoted is specifically clarifying what they will be doing moving
forward, which is blocking connections from sanctioned countries. Their post
as a whole is their apology for the prior method, which did deactivate
accounts.

~~~
chatmasta
Right, and their blog post also says that after de-activating accounts, they
have restored access to _some_ of them. So what about all the accounts they
banned but have not unbanned? What if one of those accounts has only ever
connected from an embargoed country, but travels in the future to a non-
embargoed country? Will it be able to use Slack?

(Put another way, it seems like they’re saying some accounts remain de-
activated. So which is it? Accounts are de-activated or IP addresses are
blocked?)

~~~
akerl_
That’s a hedge in case they missed somebody. If they said “we unbanned all the
accounts” but via a search error they’d missed one, and that person commented
“no, liars, I’m still banned”, it would be a whole new round of controversy.
So instead they say that they got most of them and if they missed you, ping
their support team and they’ll fix it.

------
roadkillon101
While "banning by ip" will work for discouraging most users, a VPN service or
a Proxy service (Socks, ssh, etc) would make it irrelevant if someone wants to
use a service like slack, facebook or google...It just inconveniences those
who do want to use it bad enough. To me, it's a "band-aid of compliance" to
whatever agency has requested them to do a ban on certain countries IPs.

~~~
vharuck
IANAL, but the legal standard is often "enough effort to show you tried, but
it doesn't have to be perfect."

Which is usually taken as, "enough to inconvenience unintended targets, even
if intended targets can easily avoid the punishment."

------
dbg31415
This disturbs me.

So Slack is a communications platform.

If we have an embargo against a country, we have to shut off any services we
offer to that country? Including communications platforms.

Doesn't seem like that will help improve things in that country, or help the
people in that country communicate.

I'm all for not sending a dictatorship steel or guns, but why would we cut off
communications platforms? That seems batshit.

~~~
ssnistfajen
Maybe KJU, Khamenei, and Raul Castro have a secret Slack group for plotting
USA's downfall. You never know! /s

I'm betting that Slack only had to do this to comply with some dumb laws
regarding sanctions because I am unable to see why anyone from these countries
using civilian, commercial, non-sensitive services such as Slack would have
any impact on sanction enforcement.

~~~
dbg31415
Nah, they're on WhatsApp.

------
googamooga
I wonder why Slack cares so much about blocking poor Crimeans from its service
while at the same time Visa and MasterCard are accepted freely in any town of
Crimea. Why are these payment schemes allowed to work there despite the
embargo?

~~~
meshr
Why do you think so? Visa and MasterCard are banned in Crimea. Visa and
MasterCard can't track their holders' location.

~~~
googamooga
Banned or not, there are ATMs and POSes across the whole of Crimea, accepting
Visa and MasterCard. There was a brief period in 2014 when the schemes withdrew
from the peninsula, but they got back pretty soon in 2015.

------
drawkbox
Sanctions and embargos are getting out of hand. Blanket, rather than targeted
individual sanctions/actions, truly only harm the people of a country that
have little to no say in what their government or country does.

As seen here, sanctions turn companies that provide services into poor
customer service scenarios through forced compliance for what reason
ultimately? All that does is make it harder to track since we now live in a
surveillance society. What a waste of time and energy. We are living in an age
of the abuse of economic sanctions, that ultimately harm the wrong people and
make companies/products look bad.

~~~
kortilla
>Truly they only harm the people of a country that have little to no say in
what their government or country does.

That’s the whole point. It’s not an unintended side effect. You’re targeting
an entire country’s economy to pressure the government regardless of whether
or not it’s elected.

Disclaimer: This is not an endorsement of embargoes.

~~~
filleduchaos
It takes a special kind of naivete to think that a country worth placing this
sort of embargo on is a country where "pressuring the government" would lead
to any tangible results.

That or a special kind of callousness, because most often the only way the
citizenry can effect change is through violent revolt after reaching the
boiling point of poverty and/or oppression.

~~~
kortilla
Damaging an economy pressures a government whether or not there is any kind of
pressure from the citizenry. Governments need economies to run, especially
ones depending on the military to “keep peace”.

It takes a special kind of naïveté to think governments run in a vacuum
independent of the economy.

~~~
filleduchaos
It's cute you think a failing economy is any pressure to the sort of
government I'm talking about.

Sincerely, a citizen of a country whose government literally actively
bankrupts it.

------
Santosh83
What does Slack propose to do about access through a VPN so your real IP is
hidden?

Of course in the long term this is just incentive for countries to support
balkanisation of the Internet.

~~~
morpheuskafka
They just do whatever the bare minimum is to comply with export laws.

------
paulgrimes1
I understand the necessity of embargoes, but I’m a little torn on this one,
given the ubiquity of Slack, IP crackdown mistakes aside.

Hypothetical: If you build a product meant for use in other countries than
(also as well as) the one it’s been built in, should you be allowed to embargo
its use based on the (possibly arbitrary) politics of a single one of those
countries?

I suppose the makers can do as they please/are required to in their home
country.

However, it opens another costly-to-startups hypothetical: If the politics of
our home country swing to the (insert x-axis direction) and we decide (insert
country Y) are baddies, do we have the resources to comply with an enforced
embargo?

------
chx
Reports from the affected are a bit imprecise and often heated. Do we know
whether Slack here banned based on IPs from the past and if so, do we know how
long they keep that data?

------
derefr
I'm curious whether IP blocking is actually enough to comply with the _spirit_
of a trade embargo.

Surely, the point of "not trading with Iran" is to avoid, through one's
economic activity, enriching the _citizens_ or _corporations_ of Iran; and has
nothing to do with preventing access to people who just happen to currently be
within the geographic boundaries of Iran. (So: email blocking by detection of
Iranian-ISP mail host = sensible; Iranian IP blocking = not-so-much.)

Unless, I suppose, you expect that a tourist accessing your service through an
Iranian ISP, will be enriching the Iranian ISP to exactly the degree that you
are serving them, and therefore, you are legally required to not serve the
tourist, lest _they_ enrich the ISP thereby. ( _That_ would be a hard point to
prove.)

But actually, even if it was just the letter of the sanctions that you had to
obey, I would expect that "not trading with Iran" would be a lot _harder_ than
it sounds—it would require, for example, that you do not trade with an Iranian
citizen who is currently geographically located in, say, Mexico. How would you
know? Your random IM webapp would need a KYC process (submission of ID
documents, etc.) to be "sanction-compliant", wouldn't it?

~~~
AlfeG
It's actually pretty funny. The US and others say that Russia forcibly occupies
Crimea. But now all the people of Crimea are under embargo, not Russia. It's
like, if it's not enough, let's beat them harder.

~~~
meshr
Nobody forced people of "Crime" to go to vote for occupation. Formally, no one
asked Russians if they want this occupation.

------
Jare
"Mistakes were made" is a good apology, but with no personalization, no
reparations for the people impacted, and no reflection on the process and
context that allowed those mistakes to happen, it still leaves Slack in a
lower place in my mind compared to where it was before this incident.

It may sound like there's no way to win for them, but well, mistakes have
consequences. Time will heal the wounds.

~~~
tjoff
Missing the _why_ the mistakes were made. What assumptions they made didn't
hold up etc. Since they don't dare to even touch that subject incompetence is
about the most charitable I can think of.

------
function_seven
Does an IPv6 world prevent IP-based location sniffing?

It seems odd to me that IPs can still be used to (semi-)reliably determine a
client's geographical location.

With the immensely larger address space that comes with IPv6, does that give
the Internet a chance to completely sever the link between geography and IP
address? Or do we still have issues with aggregating routes in a space-
efficient way?

~~~
lmm
IPv6 address space is less fragmented than IPv4 (that's part of the point), so
inferring location from IPv6 address is if anything easier.

Addresses _should_ correspond to network topology in order to be useful for,
you know, routing. And network topology tends to correspond to physical
location for practical engineering reasons. Of course there's no reason
someone _couldn't_ run a cable halfway around the world to use IP space in
one country from a different one (or use a VPN, is what people do in
practice), but realistically what would they gain from that?

~~~
function_seven
Thanks. I had some fuzzy idea backwards in my mind: that part of the reason IP
blocks are correlated to location had to do with address space constraints.

But that’s wrong. Having a massive address space makes it trivial to keep
routable blocks contiguous no matter how many IPs they contain.

------
mirimir
As apologies go, this is a decent one.

But they still say:

> We would also like to notify our users that as we continue to update our
> systems over the next several weeks, we will soon begin blocking access to
> our service from IP addresses associated with an embargoed country.

I'm no expert, but I did spend a couple months checking alleged locations of
VPN servers. I compared: 1) location alleged by the VPN provider; 2) location
from various geolocation databases; and 3) ping results from several hundred
servers (from various providers).

Bottom line, locations alleged by VPN providers and locations from geolocation
databases were generally in agreement. But for some VPN providers, such as
HideMyAss, ping results demonstrated that those locations were very often
implausible. Because they implied signal transmission faster than the speed of
light.

So anyway, basing life-altering decisions on IP-based geolocation is an
_extremely_ stupid (or at least, unjust) thing to do.
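An added example, written for this thread and not taken from any commenter or from Slack, of the speed-of-light plausibility check mirimir describes here and in the earlier HideMyAss/Tuvalu post: for each probe, the great-circle distance to the claimed server location sets a hard floor on the round-trip time, and any measured RTT below that floor means the claimed location is physically impossible. The probe coordinates, the claimed locations and the RTT values are constructed for illustration; the assumption that light in fibre travels at about two-thirds of c is a rough engineering estimate, which makes the floor conservative.

```python
import math

# Constructed example: check whether a VPN server's claimed location is
# consistent with ping measurements from probes at known locations.

C_KM_PER_MS = 299.792458   # speed of light in vacuum, km per millisecond
FIBER_FACTOR = 0.67        # assumption: signal in fibre moves at ~2/3 c
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def min_rtt_ms(distance_km):
    """Lowest physically possible round-trip time over that distance."""
    return 2 * distance_km / (C_KM_PER_MS * FIBER_FACTOR)


def check_claim(claimed, probes):
    """For each probe (name, lat, lon, measured_rtt_ms), compare the measured
    RTT against the floor implied by the claimed (lat, lon) location."""
    results = []
    for name, lat, lon, rtt in probes:
        floor = min_rtt_ms(haversine_km(lat, lon, claimed[0], claimed[1]))
        results.append({
            "probe": name,
            "measured_ms": rtt,
            "floor_ms": round(floor, 1),
            "plausible": rtt >= floor,   # below the floor is impossible
        })
    return results


def claim_is_plausible(results):
    """A single impossible probe is enough to falsify the claimed location."""
    return all(r["plausible"] for r in results)


# Constructed probe data: (name, latitude, longitude, measured RTT in ms).
PROBES = [
    ("miami",  25.77,  -80.19,   3.0),
    ("london", 51.51,   -0.13,  95.0),
    ("sydney", -33.87, 151.21, 190.0),
]

CLAIMED_TUVALU = (-8.52, 179.20)   # what the provider claims (constructed)
CLAIMED_MIAMI = (25.77, -80.19)    # what the latency pattern suggests


if __name__ == "__main__":
    for label, claimed in (("Tuvalu", CLAIMED_TUVALU), ("Miami", CLAIMED_MIAMI)):
        res = check_claim(claimed, PROBES)
        print(f"claimed {label}: plausible={claim_is_plausible(res)}")
        for r in res:
            print(f"  {r['probe']:7} measured {r['measured_ms']:6.1f} ms "
                  f"floor {r['floor_ms']:6.1f} ms -> {r['plausible']}")
```

Run as a script it shows that a 3 ms ping from a Miami probe to a server "in Tuvalu" would need the signal to cover roughly 11,000 km at far above the speed of light, while the same three measurements are entirely consistent with a server in Miami. Note that only probes close to the claimed location can falsify it; the Sydney probe accepts both claims, which is why mirimir's method needed several hundred vantage points.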

------
pozzed420
Iran is a terrorist state and anyone providing aid to them can be tried under
the PATRIOT act:
[https://en.wikipedia.org/wiki/Providing_material_support_for...](https://en.wikipedia.org/wiki/Providing_material_support_for_terrorism)

------
paulschreiber
I want to see a post-incident analysis, like GitHub published:
[https://blog.github.com/2018-10-30-oct21-post-incident-analy...](https://blog.github.com/2018-10-30-oct21-post-incident-analysis/)

------
Annatar
Why should anyone even bother using "Slack" when there is internet relay chat?

------
warent
I'm definitely living under a rock. Why is Slack being impacted by a trade
embargo?

~~~
IkmoIkmo
Because that's how embargoes work? They impact not only goods, but also
services. The US has one on Iran. And as Slack is a US company (or rather, a
company which has an interest of maintaining operations in the US, regardless
of where it is based), it complies, thereby blocking service to any entities
(e.g. people) in Iran.

~~~
larrysalibra
Exactly. Embargoes function by taking away the rights of American
businesses and people. Trade embargoes make it illegal for US entities and
people to trade with certain groups of people.

------
bad_user
Bad apologies make things worse, but good apologies don’t make things better.

Actions speak louder than words. Blocking people's accounts was a management
level decision that they are only regretting due to this coming to the
public’s attention.

------
unethical_ban
What countries are embargoed for chat?

I work in banking, and when we discuss certain kinds of remote access, it's
notable that there is no "OFAC" list. There are shit tons of lists for
different things. I wonder which list Slack uses.

------
phyzome
Can someone provide backstory on this? I missed it because I blinked. :-)

~~~
teddyh
_Slack 'bans users' who have visited US sanctioned countries_

[https://news.ycombinator.com/item?id=18730314](https://news.ycombinator.com/item?id=18730314)

------
ouid
What would the penalty for non-compliance here be?

~~~
dylan604
Fines if it's not a criminal violation, or potential prison time if it is.
Since it's a corp, and the group think here is that corps are shields from
jail time for the employees, then probably no jail time.

There's also the negative PR that comes with being labeled as "aiding and
abetting the enemy".

------
zbentley
Slack missed an excellent opportunity here: to be the first US company to
suspend services momentarily due to egregious and broken* sanctions imposed by
the US on other countries.

* Broken in that they are levied against random individual citizens of sanctioned countries instead of groups trading with or state entities otherwise interacting with the US.

------
yani
Internet should not be censored.

------
baybal2
Offering a free service is not "trading" by definition

------
malloryerik
Faith in Slack mostly restored.

~~~
rootkea
Nope, sorry. Slack is a walled garden. And relying on a walled garden means
handing over your control, freedom and privacy, which is eventually gonna lead
to similar kinds of exploitation/abuse.

As another HN commenter @SamWhited put it, "Using a proprietary protocol that
doesn't allow any form of federation is an unacceptable way to build a global
community". We need to develop and use FLOSS protocols/tools as much as
possible.

~~~
lostlogin
These are good points, but wow are the walls Slack has built beautiful. The
webhooks make so many things better.

Is there a service you recommend?

~~~
xfitm3
Webhooks are great, but slack's notification semantics are infuriating.

------
shutdown57
Slack also banned people who are just Iranian nationals and don't live in
Iran.

------
toefraz
How did they not block based on nationality when they literally blocked a
nation?

~~~
alangpierce
For context, one of the original reports of this was from (I believe) an
Iranian-American with US Citizenship living in the US:

[https://twitter.com/aaomidi/status/1075621119028314112](https://twitter.com/aaomidi/status/1075621119028314112)

You might read that and infer that Slack is somehow tracking the national
origin, ethnicity, or race of all of its users, which would be much fishier
behavior than IP-based blocking. They're explicitly saying that they don't do
that and that they don't have that information.

~~~
gaius
_They're explicitly saying that they don't do that and that they don't have
that information._

But they _did_ do it, so what does that mean...

~~~
briandear
Did they? Or did they ban people associated with specific IPs?

~~~
vageli
Are the sanctions against doing business with Iran nationals or anyone with an
Iran IP address? I would imagine the sanctions are in place to prevent trade
with Iranian nationals.

------
lispm
> In fact, we also apologize to the people whose accounts we intended to
> disable in order to comply with these regulations

Misguided politics of the Trump 'administration'. This stuff is highly
unpopular outside the US.

For me a reason to avoid US services which actually enforce these politics.
Slack can do whatever they want, but these actions make sure that I never want
to be a customer of theirs and I would never recommend to use their services.

