Using a proprietary protocol that doesn't allow any form of federation is an unacceptable way to build a global community. Please consider using an IRC based service for group chat or an XMPP based service where 1:1, history, rapid reconnects, and other more complex chat features are required (yes, if you're a dev you have to use XML which is annoying, but overall it's a well designed protocol, so get over it). This lets you host your own, and (in the case of XMPP at least) if one person wants to use a U.S. based service and another is in Iran they can just sign up for a Belgian account (or wherever). We can't afford to let the internet splinter off into siloed tiers based on nationality.
We should start by admitting that Slack beat IRC. Beat it like a cheap hallway rug. IRC was always a terrible experience for novices, and it wasn't a great experience for experts. That it had any users at all is a testament not to IRC, but to what it enabled. Slack found a way to provide the same value but with a much better user experience. And then they rapidly iterated on that experience, making it better and better.
They started out with IRC and XMPP bridges. But they eventually shut those down because they were a drag on improving the product. When faced with the same choice, IRC kept the original protocol and shut down improving the product. This was an understandable choice, but one that set up the situation where commercial developers could come in and do something radically better. Open source needs to figure out how to compete with that, or things like this will keep happening.
If we want people to use principled technology, then we need to be able to honestly advertise products as "it's just as good as X, and also doesn't violate [your privacy|human rights|the environment|etc.]" If we have to say, "It's not quite as good, but..." then we're dead in the water. (Side note: I switched to Firefox out of principle and I'm hopeful it will hold the line on market share, since it really is just as good as Chrome.)
The issue is that we're dealing with corporations who aren't just rich and powerful, they are also innovative, agile, and laser-focused on providing consumer value. Slack is doing an amazing job at serving their users!
You wrote, "we have to find ways to make better apps built on top of open protocols." It's a really interesting dilemma and I suspect it's one that isn't solved by better technology, better design, etc., but rather by addressing the base economics of the situation. We need a scenario where principled, open-source, ethical technology is generating the kind of investment we're seeing in Silicon Valley unicorns so they can innovate the same way.
What I find a lot of people miss when comparing Slack to IRC, is that not everyone using Slack is a developer. The world doesn't consist solely of developers - and if your company is 30% of engineers, and the other 70% doesn't have the reserve to wrestle with XML, then your company is using Slack. Otherwise, you are simply choosing to sell out your friends and family in the name of "principle" as well.
Personally, I'm tired of the comparisons to IRC and XMPP. Both are garbage - time and time again it's been shown how difficult it is to create great software on these protocols. Contrary to your final statement, there have been better open source applications - gitter and riot come to mind.
I know plenty of non-technical people who chatted on IRC who were not developers. They just used the mIRC client on windows to do that. They also managed to configure their email and news clients to send and read email and browse usenet.
I simply don't understand where the idea of needing a technical background came from for using something like IRC.
You don't have to be a developer but you do need a level of technical background higher than that of the average computer user. There are plenty of tech-savvy, non-developers who can get up and running with things like IRC. There are plenty more non-technical users who can't. Or at least wouldn't given the learning curve time commitment.
I'm the only person in my family who would be able to sign on to IRC in under an hour whereas they'd all be able to have slack up and running in a matter of minutes.
Unless the technical skill of the average computer user has decreased substantially in the last 10 to 15 years, that shouldn't really be the case.
It's amazing that when it comes to computers, it is somehow acceptable to be dumb. It's acceptable to not learn new stuff. It's acceptable to not read in order to understand stuff. As can be read in the comments here.
The whole ethos of startups and Silicon Valley has been around finding a market for your product. If people don’t want to use it then you can’t blame anyone but yourself.
Feel free to chat with yourself using an ideologically pure system... it’ll be lonely though.
Disclaimer - A FLOSS dev here.
If you were talking about using these protocols over a telnet session, then I would be more inclined to agree with that statement, but just installing an application, entering a server name and account credentials (the latter of which aren't needed for IRC), and connecting isn't any more difficult than creating an account on slack and connecting by entering the address in the browser.
Regular users have amazing blind spots. Also you’re not giving slack enough credit for their smooth onboarding process.
Of course, but I don't think that Slack has done a better job with this compared to previous solutions. In a lot of ways, it's worse given its performance issues. For example, I never experienced UI lag in a chat application until I used Slack (comparing it with UIs like a GUI IRC application, AIM, ICQ, MSN messenger, Yahoo messenger, Skype, etc). Second, auto-completion and search do not work like they do in previous chat applications (or other applications in general) due to infinite scroll and the default of doing a global search instead of just limiting it to the chat or group. Third, the fact that you're forced to join some channels because you were invited or can't leave a channel because you're the last one in it are other issues that come to mind.
As much as it annoys me too, it appears that people actually using it have enough tolerance for it that it doesn’t matter.
Granted, I have not used IRC for a while, but last time I checked, the story for getting message history was "start an irc client inside a screen session on a server you own". And there was no mobile at all.
(I remember writing a script which exported chat logs from my desktop client to text files available over HTTP... I'd then visit those pages from cell phone to see if I had any more messages. This is not the experience I would wish on anybody)
It was pretty much the same thing with newer chat services like ICQ, AIM, MSN messenger, etc. (though I think they started offering offline messages in later versions).
As for mobile, my older Nokia phone had a Symbian IRC/XMPP client that I could use without any issues.
In the same breath though, saying, "I'm not willing to sacrifice convenience in the name of principle" is also a privileged position, because Iranians who live in the US/Canada are currently being banned. Convenience is something we can address in the future, but bans aren't.
The concerns people raise about Slack -- that until very recently it wasn't blind-friendly, that it takes away control of user data, that it can arbitrarily ban companies and users for any reason; none of those are theoretical deontological posturing. They are entirely practical in the sense of, "there are people who are affected by this who can't join your community because you're not using a tool that's accessible to them."
I think that it's easier and preferable to teach my friends and family members to use open tools than it is to use something that blocks people of Iranian descent from participating in my community. Yes, that means my communities will be less accessible to tech-unsavvy people. But that's a problem I can try to address in the future. I'm OK making their life harder for right now if it means not permanently banning people based on a random company's whims.
That is selling people out, in the sense that it's making a calculated decision about which people are most important to support right now. But if the Go community is using Slack, they're making the exact same decisions to prioritize accessibility for some people. They're just choosing different people.
An example of how it might be possible to push this in the right direction is LEED. It didn't matter what the individual environmental ethics of people manufacturing electronics and designing houses was. Environmentally efficient building practices cost more, and there was no way for all the companies involved to form an opaque conspiratorial cabal to secretly impose the cost on consumers who would rather not pay it. Instead, they created LEED and used marketing to teach end consumers that LEED stood for more environmentally responsible practices.
Right now computer privacy and security are huge in the headlines, and a large number of people in the public and in industry want to do the right thing. But consumers don't know how to make the right choices, and companies aren't going to spend extra on the right thing if users are just as likely to choose something horrible. What companies need in order to invest extra capital in privacy and security is a plausible story of how to get users to choose the right thing and pay a bit more for it, if the industry builds it. They need a LEED standard for privacy and security. Then they can promote it and use it as a way to justify their investment in better, more ethical software. Corporations, schools, nonprofits, and other organizations can be pressured to make public commitments to use, or at least prefer, software that meets the standard. This won't drive horrible software out of the market, but it will create a sub-market where good software can survive.
Obviously laws and regulation are the bedrock, but in areas where consumers have a choice, we need to make it easy for them to make the right choice if they want to.
Honestly, at this point, I can't really tell the difference between Slack and most "Slack clones" -- the interface of Slack has basically been copied by most people and to be honest it really wasn't that hard. Mattermost and Rocket.chat both look exactly like Slack to me.
Matrix could have done the same thing, but they chose to waste time and money reinventing the wheel (and doing a bad job of it) instead of focusing on the service and the clients.
If you have legitimate grievances with the protocol and feel you can see flaws in it, make an issue on the tracker now while it's still a 0.x release, doesn't have the broad adoption you describe, and while the team (knowingly) can make breaking changes simultaneously released to matrix.org and riot.im and cover 95% of the users still.
There are no stable servers. The reference server is being completely rewritten.
Matrix bridges work about as well as XMPP bridges in my experience.
The Matrix developers are familiar with XMPP, and have it covered in their FAQ: https://matrix.org/docs/guides/faq#what-is-the-difference-be...
Finally someone gets it! A chat service should value each message and it should never lose messages due to connectivity problems.
Thank you for sharing that link, I learned something new today.
- Person-to-person chat system. This requires offline messages: "when you get to work, please take a look at ABC-1234". Some people have cell phone as well, so this needs multi-delivery to all the clients (so you can read the message on the phone, then read it again from work PC)
- Support system: one person posts "I cannot run TOOL_Z", people who know reply. This requires offline history -- if I maintain TOOL_Z and I come in late, I want to see the question asked, answers, and maybe I want to contribute an answer as well. By the way, slack threads are super helpful for this.
- Knowledge archive: next person to have TOOL_Z problem would search the channel history, and find previous answers.
- Announcement with discussion: someone posts "New version of TOOL_Z is released! New features: ...". People might respond by discussing the new features.
All of those basically require "global database" -- those messages are not volatile things; it is not OK if the announcement is lost, or if you did not see the help request because there was something wrong with the system.
And I know that XMPP does not work for that because back when my workplace used to use XMPP (a few years ago), I went to https://xmpp.org/software/clients.html , installed "Gajim", and found out it has no offline message history, no message searching, and half-broken multi-delivery.
So we ended up building scaffolding - set up our own search engine, archive system, use different methods for communication. This was a lot of pain and very little gain. So when we had to re-do infrastructure from scratch, we went with Slack.
(Note that you can't just say: "I don't need those features". As long as there is a single person in the company who does not have history, the whole company cannot use pure XMPP for support system or knowledge archive anymore -- or that person would be excluded.)
As you said in other messages, things are better now -- there are compliance suites. So "XMPP Advanced Client 2018" does do what you want. Unfortunately, I cannot find a list of clients which support "XMPP Advanced Client 2018".
Also, there are people who confuse matters by saying that "XMPP does everything Slack can, and has tons of clients". No. "XMPP Advanced Client 2018" does everything Slack can but has very few clients. Regular XMPP has tons of clients but does not support everything that Slack can. It is very important to distinguish between the two.
The FAQ skirts around the fact that it doesn't matter if they're slightly different: you shouldn't make up your own new thing to force adoption of your commercial product. Use and improve the existing technologies that are "good enough" and stop splitting effort and making yet another standard that everyone has to try and support or run bridges for. This is unacceptably bad engineering. Saying "this is subjective" is true, but just an excuse for "we have not-invented-here syndrome".
Pure-XMPP simply would not have worked.
(I have my issues with the matrix protocol, mind, but they had good reasons to create a protocol even so)
Edit: I also wouldn't be surprised if this is why facebook messenger switched from XMPP to a custom MQTT-based system.
I run an ejabberd server and for example the Client State Indicator (XEP-0352), which is one of the extensions that improve battery life for mobile clients, was experimental for a long time but at the same time also available for major servers (e.g. community edition of ejabberd) and mobile clients like Conversations (open source too).
So in my experience, the battery consumption of a modern XMPP client is quite good. When people are complaining about the bad mobile experience they are mostly referring to the time before the mobile extensions were built.
So apparently not everybody shares your definition of 'solved' - I appreciate the alternative opinion, but simply declaring it a myth is, I suspect, unlikely to convince remaining skeptics.
> simply declaring it a myth is, I suspect, unlikely to convince remaining skeptics
It's hard to provide specific counter-arguments to anecdotal evidence repeated since back when gtalk was a thing.
More to the point, there is always going to be some value-added service a profit-seeking enterprise is going to be able to provide over what's freely available. If we built IRC 2.0, then Slack 3.0 will provide what everyone hates about IRC 2.0 and then the dynamics of profit seeking will drive Slack 3.0 to divorce from the free alternative.
We see this pattern over and over and over again. It doesn't happen necessarily because businesses are being ruthless, but because there's always going to be a market space, even in the face of a fantastic free service. That's just how a market economy works.
A good example here is Firefox. When it started out, it was better than the competition. Chrome pulled ahead for a while, but Mozilla responded and now it's competitive again. And Firefox has done this while advocating energetically for an open web.
Another one that interests me is WhatsApp. They built a messaging product that was clearly superior to the alternatives. They eventually sold out for billions. But there's no reason they couldn't have done that as a nonprofit. And Signal has shown that a nonprofit can still jump into the space and do good things.
I guess it lacks persistence and access to history? But there are surely ways to solve that.
persistence, history, search, rich formatting, image previews, synchronization between devices, usable mobile clients, group/here/channel mentions, channel directory/search, channel descriptions, file upload/sharing (XDCC is not this), multi-line/expandable messages (eg, paste code or logs without flooding the channel), user status (away/DND).
Some of this can be approximated with bots, of course, but there's a lot of extra work then required to make that work (namely, setting up, writing and maintaining the bot). Some of this can be done client-side, but then you have inconsistent experience.. you don't know if the other user is going to get the image preview or if their client understands markdown or some other formatting, or is going to interpret and display your message using some other markup format. Some of this you can also work around with one of those persistent IRC connection proxies, provided each user gets one and that is also maintained by somebody.
Eventually someone packages this stuff all together for simple deployment.. and basically creates a bad clone of Slack, but with 10x maintenance requirement and so many more things that can break.
For example my app https://quasseldroid.info/ which requires you to run the https://quassel-irc.org/ bouncer, but provides all that. As well as IRCCloud and Weechat-Android, which are also very awesome and provide a similar amount of functionality.
The other features are atm a work in progress.
I wish I could do more, but in the end, I’m just a single developer improving the usability of a single app in my free time.
For open source non-centralized solutions to compete with the proprietary options, you need lots of devs and even more funding. Matrix/Riot.im has that, and even they aren’t close to where Slack is. Most of us IRC devs are either getting nothing, or, as e.g. in my case, the donations don’t even cover the server costs.
In the end, if people want open solutions to grow, they need to put their money where their mouth is.
I hate Slack for open communities as much as the next person, but IRC or fixes on top of it aren't really the solution.
Are we complaining about price or are we complaining about proprietary services?
Doesn't IRC file sharing involve directly connecting to individual users to transfer the file, instead of those users choosing to download it at their leisure? And if you happened to be offline at the moment the user shared the file, can't you never download it unless you ask them to resend? For large, asynchronous groups, that is untenable. Slack's file sharing works because Slack hosts the file.
Also, basic messaging features are indeed missing from IRC. How do you do a private group chat? Like an SMS group thread? Doesn't it only support channels and then individual 1:1 DMs? Slack has ad-hoc group DMs. On IRC you'd have to make a new channel every time. It's like getting a conference room every time you want to talk to more than one person at once.
Slack also does voice and video calls, and screen sharing, and it's really quite good at it (feels light, not bloated). Sometimes talking with someone needs to turn into a face-to-face call.
> there are surely ways to solve that
Most common solution is to use something else.
You could say IRC could do anything any other chat program does, but it doesn't.
And re IRC, I gather that Sabu got doxed based on EFnet logs from the late 90s.
The obvious advantages versus classic IRC clients: it's always online and the connection happening through their servers you get good push notifications on mobile.
The obvious advantage versus Slack: they don't own the IRC networks you're connecting to, so if you have issues with IRCCloud you can just change to another client.
It has some missing features, most notably search in archives, but they are working on it.
>> "admitting that Slack beat IRC"
Sure but are we talking about a fundamental limitation of the IRC protocol, or are we simply talking about implementation details that can be fixed?
We can talk about all the other issues around persistence and UX but just getting started is something beyond the vast majority of computer users.
It’s really hard for us to remember and empathize with this.
But mostly access to history and search. (Note that it's not coincidence that this is what differentiates the free from paid Slack.)
That being said, I wish there was a better open source alternative.
No. They shut it down because they want people to use their (crappy) UI.
Even Comic Chat was based on IRC, and that's as far from "user-unfriendly" as you can get https://en.wikipedia.org/wiki/Microsoft_Comic_Chat
In which world does it beat IRC? Number of users? That's not even sure, since there are dozens of thousands of IRC servers worldwide. And that's not even counting the private, self-hosted IRC servers.
IRC runs everywhere and does not need a fat browser or a RAM-and-CPU hungry application to enable "chat".
As for the user experience, this would merit a whole post in itself, but Slack sucks in many ways: threads are completely unusable, channels are hard to discover unless you know about them, and now Slack makes you pay for searching thru your past messages.
I'd say there is a lot more to this topic than "Slack beat IRC".
As far as I can tell, Slack has an order of magnitude more users. They were at 8m DAU back in May: https://techcrunch.com/2018/05/08/slack-hits-8-million-daily...
IRC was in long-term decline even before Slack: https://royal.pingdom.com/2012/04/24/irc-is-dead-long-live-i...
So my best guess is that Slack has at least an order of magnitude more users.
But users is not exactly the metric I'm thinking of. It's when people say, "We need some way for us to communicate," Slack is the popular option. Even though I'd rather not use it, I'm in 8 right now. If you look through this thread, you'll find plenty of people concerned about how prominent it is in the open-source world, IRC's home ground.
> IRC runs everywhere and does not need a fat browser or a RAM-and-CPU hungry application to enable "chat".
I get this in theory. But RAM and CPU power are fantastically cheap. Conserving them to get a worse user experience is optimizing for the wrong thing.
> but Slack sucks in many ways
Sure. There are no perfect things. But Slack doesn't have to be perfect. It just had to be better than the competition. And for most people it manifestly is.
Who the hell cares? I figured out IRC when I was about 12 and I'm no genius. If that bar is too high for people in tech then we have serious problems.
I too figured out all sorts of computer things at 12. By standardized tests, I'm also in the top 1% of ability for things like that. And my dad was a programmer then, so I had a leg up.
At some point, I realized I had a choice. I could feel smug about my (narrow) genius and focus on tools for my (narrow) cohort. While grumping, of course, about how stupid everybody else was. Or I could recognize my luck and use it to make things that were good for everybody.
You know what helped me make this choice? Realizing how bad I was at so many other things. And how generous other people were in not only putting up with that, but helping me along.
Our school had nothing blocked, and the computers weren't locked down at all.
But Slack isn't solely used by technical people. Where I work, everyone is on slack - product people, lawyers, tech people, etc.
Wire is open-source today and usable by regular people, with E2E encryption and email-only accounts.
Why not just use XMPP? Yes, everyone hates XML, but the protocol is well designed, has sustainable funding (via the IETF and XSF), and there's lots of experience out there, and it's flexible enough to develop services like Slack on top of.
"XMPP is an example of a federated protocol that advertises itself as a “living standard.” Despite its capacity for protocol “extensions,” however, it’s undeniable that XMPP still largely resembles a synchronous protocol with limited support for rich media, which can’t realistically be deployed on mobile devices. If XMPP is so extensible, why haven’t those extensions quickly brought it up to speed with the modern world?
Like any federated protocol, extensions don’t mean much unless everyone applies them, and that’s an almost impossible task in a truly federated landscape. What we have instead is a complicated morass of XEPs that aren’t consistently applied anywhere. The implications of that are severe, because someone’s choice to use an XMPP client or server that doesn’t support video or some other arbitrary feature doesn’t only affect them, it affects everyone who tries to communicate with them. It creates a climate of uncertainty, never knowing whether things will work or not. In the consumer space, fractured client support is often worse than no client support at all, because consistency is incredibly important for creating a compelling user experience."
But I do tend to agree in general that we need fewer features and less complexity and to push more for basic profiles that everything should implement and that have a clear compliance label.
Now we have uncertainty around which networks people use, which devices they use them on, and which features each network supports.
You cannot just tell people "go choose any XMPP client, and it will work fine". Instead, it is more like "get XMPP client, but make sure it supports XEP-1111, XEP-2222 and XEP-3333". And if you have multiple platforms (Android, iOS, Win, Linux), let's hope you can find a client for each.
For example, I used to use Mcabber with HipChat at work. Mcabber doesn't support even basic modern XMPP things (history, for example), but it was plenty good enough for me to chat with my coworkers.
For your work: Are you connecting Mcabber to HipChat server? Do you use native HipChat client as well?
From your link.
I tried to download and run Jitsi a couple months ago for a project and its voice quality was terrible. Skype just works. I sometimes have weird quirky bugs with Adium, and it's getting harder to justify telling my team to use it.
Get hacking folks. This space needs better tools.
I tend to think that we don't need more small community projects, we need one or two entire services like Slack to build themselves on the base protocols and federate. Even if they only allowed their own clients so that they controlled the entire experience, if they just federated with other servers it would give users a choice and largely solve the Slack problem.
How did Slack figure out this guy's ethnicity / citizenship / status? Why are they allowed to access that information and unilaterally act on it? Sounds like there's a valid question being asked here to me.
Slack is protecting their multi-billion dollar business and their investors which are both based in the U.S. If they do not, they could run into trouble and put far more at risk. This does not only affect Iran, it affects other countries too which the U.S. has active sanctions against.
Now, I admit that visiting the countries on the list isn't on my to-do list, but if for example I decided to make a vacation trip to Cuba I really shouldn't lose my account at any US-based service just because of that.
So you would make people suffer and think that they would blame their own government for that and not the US?
Don't you think that makes you and your country evil?
If true, it is definitely the worst way to do it. It doesn't take into account any circumstantial evidence that could explain the use of such an IP address (vacation, VPN, BGP or a mistake in the geolocation data used) and Slack doesn't seem to offer any way to appeal or even inform other users about what happened to their contacts.
Slack should offer a configurable notification that could contain other contact methods to the banned user. Slack could also give those users at least sth like 48 hours to inform their contacts about what is going to happen. And it could offer banned users a downloadable archive of all content created to make sure no data is lost.
But the way Slack is doing it right now means that you can't trust them and one should really think about relying on their services in the future.
I am still on IRC and XMPP (Jabber) for good reasons ;)
I only discovered this because I was trying to use Google's CLI tools and got blocked, with the shocking message that access from embargoed countries was not allowed. I was utterly confused given that my server, myself, and anything to do with my hosting was all contained completely within the US. After studying the message and finally figuring out after some time the problem, I reported it to my host and they promptly submitted a correction to that, and the issue was resolved.
But had I somehow used this host to access Slack, I would find my own account deleted, if what is being deduced here is correct.
Deleting or disabling accounts is completely the wrong approach. The absolutely maximum that could be done is BLOCKING ACCESS (i.e., actually embargoing) from these restricted IPs. Disabling or deleting accounts is stupid and shows that Slack has a profound MISUNDERSTANDING of how the Internet works, i.e., it's not perfect. This is exactly akin to using an IP address for identification. IP addresses, and hostnames, are not identification of people and cannot nor should be used for these kinds of heavy-handed, punitive punishments.
The government could argue that any of these options is "doing business with" an identified, sanctioned individual.
I'm not saying it's right, I could just see a company attorney wanting to minimize potential federal liability.
She created the account while traveling in Cuba (legally) years ago and hasn’t been back to Cuba or any other sanctioned country since.
She is a cofounder of an org that uses Slack heavily and has now lost access to all her messages and files from the past couple years of work.
There appears to be no appeal process here.
This causes me to think about the metadata records they have held onto in addition to all the data.
Companies should be made accountable for such blatant abuse of user data.
I understand the complex legal frames that this exists in, but they appear to have the data to be way more precise here.
Or they did an IP to country lookup back then and kept the result of that rather than keeping the IP.
I am pretty certain I have logged into my mail, PayPal account and Digital Ocean account from countries embargoed in the regions my providers operate. PayPal I could lose without much fuss, but jeez how I'd hate to lose access to my email.
This is absolutely ridiculous. I've opened up Slack while in Cuba to check on work things at my American company who does no business there. I don't have anything to do with our Slack bill and I'm a US citizen. So if someone goes to see their family in Iran/etc and just happens to open Slack they'll get banned? That's hamfisted as all hell.
Your analogy about grocery stores doesn't really work because logging into Slack isn't the same thing as walking into a grocery store, because buying from a grocery store isn't the same thing as exporting food across a national border, and because neither food nor medicine is embargoed.
Yes, it harms their customers, but that harm and the resulting damages to Slack' reputation (and maybe legal costs), is what they must pay for being negligent in the past.
In this case, if the account was actually opened from Cuba ... that could be a problem.
What they should do is offer recourse and a way to have this resolved.
So they are absolutely offering recourse and resolution, but only where it is in their power to do so.
TLDR: Don’t expect Slack to be responsive to arguments that contain “please ignore US law for my individual circumstances”.
[EDIT] to be on the safe side, I've also created a new workspace from said IP.
If not maybe everyone can consider that maybe Slack’s actions for the Iranian guy have some basis other than “his ethnicity.”
Lesson: keep backup of everything in multiple jurisdictions even if you are innocent like Jesus. You know what happened to him.
> Generate a Slack “Export” file from Slack > Administration > Workspace settings > Import/Export Data > Export > Start Export.
It's not completely arbitrary. Plus there're notions of estoppel potentially at play.
Two, they may have to at least return the data: if I let you use a desk at my place and you start doing business there, I am pretty sure I cannot legally refuse you entry and hold on to your papers.
Three, even if they are, we're also legally entitled to call Slack incompetent losers, and to tell our employers that we should not switch to Slack if we wish to continue being co-workers with Iranians. I will be telling my employer that shortly. (One fascinating side effect of using Slack is that the entire company must conform to Slack's policies. You cannot hire someone whom Slack won't create an account for, nor someone who won't agree to Slack's ToS, because if they're not on Slack they can't get work done.)
That’s not what the parent comment said, you’re twisting it with an assumption. Slack is not legally obligated to provide Slack accounts to anyone, that was the point.
> they may have to at least return the data: if I let you use a desk at my place and you start doing business there, I am pretty sure I cannot legally refuse you entry and hold on to your papers.
Your analogy is rather confused. The data Slack has isn’t equivalent to your papers that you dropped on their desk. When you sign up for Slack, you enter into a contract outlined in their Terms of Service that detail explicitly what they agree to be responsible for. In particular, here’s the agreement relating to your data:
“Following termination or expiration of a workspace’s subscriptions, we will have no obligation to maintain or provide any Customer Data and may thereafter, unless legally prohibited, delete all Customer Data in our systems or otherwise in our possession or under our control.”
I have to admit that this case (and some others I read in recent days, e.g. MailChimp account deleted: https://news.ycombinator.com/item?id=18715866 ) made me aware that the terms of some popular services can be much worse than I would expect. I should really start reading those terms. Thank you for helping me reduce my naivety.
And this point is untrue. As long as Slack provides accounts to the general public, they are required by law not to discriminate when doing so on the basis of race or national origin. They can stop serving everyone. They can firewall access from Iran, or identify actual persons covered by the sanctions. But they are legally obligated to serve Iranians as much as they serve anyone else.
> Following termination or expiration of a workspace’s subscriptions
One, this is an individual account, not a workspace. The workspace remains active.
Two, terms of service don't override law. There may or may not be law that overrides this and says that certain rights cannot be signed away. (For instance, if you're subject to the GDPR, my understanding is it would override it.)
> As long as Slack provides accounts to the general public
Slack does not provide accounts to the general public, in any legal sense. Slack is a private business, not a public service. Please read the terms of service to understand the terminology.
> they are required by law to not discriminate
Well, they are required by law to discriminate against traffic to Iran.
But, again, you've twisted my meaning to make your own separate point. I wasn't talking about discrimination. Slack is not compelled by law to provide accounts to someone. They can legally refuse service to someone who lives in Iran, or connects to Slack from servers located in Iran.
> But they are legally obligated to serve Iranians as much as they serve anyone else.
That statement is true in the sense that Slack is under no legal obligation to provide their service to anyone, outside of the agreement they created. That is separate from and irrelevant to whether or not they're allowed to discriminate against the people Slack agrees to provide service to, under their terms of service contract.
> they are required by law not to discriminate
BTW, what law are you talking about specifically? I'm aware of civil rights for US citizens, and anti-discrimination employment law in the US, but not of a specific law that bars online discrimination. I personally believe discrimination online would be wrong and bad, but are you certain that it's illegal?
Keep in mind we're talking about someone in Canada connecting to a US service, with a plausible decent chance that he connected from Iran or through an Iran server and just forgot about it. I'm not aware of specific US anti-discrimination or civil rights laws that would protect Amir in this case.
Of course that argument has an opposing side as well, but it seems prima facie plausible as a cause of action.
Slack is legally obligated to provide Slack accounts to people who pay, with 30 days notice for termination in most cases. There is this stipulation:
> We may terminate the Contract immediately on notice to Customer if we reasonably believe that the Services are being used by Customer or its Authorized Users in violation of applicable law.
However, if they are terminating accounts based on ethnicity that doesn't seem like a reasonable belief they can use to justify applying export controls.
Rather, Slack agrees to provide accounts to people who pay and agree to the contract in return.
That little stipulation is exactly what is in effect here. Slack believes the users are in violation of the agreement, and under the legal rules that Slack established and controls, they enforce immediate termination.
> if they are terminating accounts based on ethnicity
This defending of the argument based on wild assumptions that Slack is ethnically profiling is a bad place to start from. That hasn't been shown, nor is it very likely.
On the other hand, Slack is legally obligated to block traffic to Iran, and it's within reason to assume an account that ever had any traffic in Iran broke the law. It's certainly possible that Amir forgot that he used an Iran proxy, or traveled there. It's possible that someone on his team broke the rule without his knowledge. It's also possible that Slack made a mistake, which can and does happen from time to time at many companies when trying to enforce international laws using only IP traffic logs. None of that points at Slack intentionally terminating accounts based on ethnicity.
If not, I am totally confused about how your response connects to what I wrote.
- Is this all made up to prove some point?
- Is this just how the US ticks right now?
- Is Slack just completely gone mad?
- Is this what companies believe is acceptable nowadays?
- Is this the future of the web?
The fact that I am not sure what to believe and that I wouldn't be surprised if this is all true or equally all made up is what really scares me. Ten years ago I would have had a lot more confidence and faith in the world that this must be either a big mistake or something fishy, but today I feel like anything goes and in a week's time nobody will care again :(
> Is this just how the US ticks right now?
Any sufficiently advanced technology is indistinguishable from magic.
Add to that the dark side of being "data driven," which is that stories like this one are just part of the 1% of edge cases. These companies also try to move away from actual customer service as much as possible because human labor doesn't scale as well as automation, so you'll fall through the cracks as long as the news that it happened to you doesn't get enough press to make it worth an engineer's or VP's time.
I know that sounds extremely cynical, but having been on the inside in situations like this, I saw how these dynamics converged despite good intentions. Stuff like this is why sending engineers through front-line customer support rotations tends to dramatically motivate engineering teams to make quality of life improvements. Once you lose the detachment that indirection from the user gets you, suddenly those 1% cases feel more important.
It is the policy of the United States—
(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;
(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;
(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;
Penalties for noncompliance are stiff and there are no safe harbour provisions.
(IANAL but I have implemented systems to check OFAC lists at other companies and seen it result in similar situations)
But they don't know that. They have IP addresses. And they do geolocation. But IP-based geolocation isn't reliable enough for that.
They have information from which they conclude that; this information is fallible and conclusions are not certain, but that's true of virtually all “knowledge” about the material world.
Iran does not recognize changes in citizenship.
The U.S. government doesn't care what Iran recognizes. The correct quotation would be "anyone who is legally an Iranian citizen in the eyes of the U.S. government."
When an Iranian citizen becomes a naturalized U.S. citizen, their Iranian citizenship is no longer valid in the U.S.
There is a limited number of nations that have dual citizenship agreements with the United States, and Iran isn't one of them.
(a) the objectives of laws prohibiting large commercial flows to sanctioned countries and
(b) the objectives of laws encouraging many tiny information exchanges on the internet, taking place outside of sanctioned countries
Is it worth burning down Internet commerce in the hope of catching a few individuals? Did Congress intend to create a Do-Not-Speak list, or one such list for every Internet company? Should Internet UGC platforms now relocate outside the USA, when Congress is also encouraging companies to repatriate assets to the USA?
What's happening here isn't an attempt to catch a few individuals. The goal is to put pressure on the entire government of Iran. This is done by making doing business hard for large businesses, as well as individuals, so that pressure to change is put on the Iranian government from above (businesses) and below (the people).
This sort of thing is a temporary blip before everybody figures out decentralised solutions for everything.
Decentralisation is clearly the end game as long as politics causes problems like this. A decentralised solution will continue to "just work", while centralised solutions continue to boot people off. It's pretty obvious which one is going to win.
Maybe this trend will reverse eventually but I don't really see the signs yet. The Cryptocurrency crowd keeps shouting "decentralization" but they still fail to create applications that can compete with the centralized alternatives in terms of usability, performance and cost. There have been many attempts at making decentralized social networks but they failed to gain mainstream adoption. IPFS works pretty well but again, hardly anybody uses it.
I'm all for decentralization but there's no denying that there seems to be a path of least resistance towards centralized solutions. They're easier to develop, easier to maintain, easier to upgrade and often easier to use.
So for me decentralization is the objective, but unfortunately it's not "clearly the end game".
Even most of the very technically competent people I know are gradually moving toward central services. I'm part of a co-op of people with collocated servers. We started in 2000. We haven't had a new member in years, and we are gradually losing them. I'm at the point where I should replace my server, and I'm having a hard time coming up with reasons to justify the large capital expense and significant time cost versus moving it to somebody's cloud. And that's not even considering the benefits of moving to hosted services. Not worrying about spam, email deliverability, security patches, et cetera, ad nauseam.
I think part of the problem is that the "decentralize!" crowd is willing to put up with a lot of practical inconveniences as long as something conforms to their ideological desires. Their ideology may be perfectly correct, but until it has practical consequences, most consumers won't shift. So they're going to need to come up with competitive services that are better than the existing ones. Better not just to them, but to regular users.
Regarding your note on the path of least resistance leading to centralized solutions---Glowing Bear/WeeChat is definitely more work to set up than just signing up for Slack. You need a machine that runs WeeChat and get a TLS certificate so that the browser will let you connect securely. That definitely limits it to a somewhat nerdy demographic, even among the HN readers ;)
(Personally, I’m ofc biased, as I’m the dev of https://quasseldroid.info/).
But I think for these solutions to gain more mainstream appeal, we’d need to make the setup much simpler, and work on ideally making it a single-click solution for an organization to set this up for their members. And maybe even provide hosted services (similar to IRCCloud) for the many users that would rather pay than run their own servers.
Now I suspect we'll start seeing clones of facebook / slack etc but with a decentralized backend while offering all the features users care about seamlessly. This might take a while but it'll eventually come.
Even on the technical side, most tech products have convenience as a selling point to being more productive/effective/agile, etc.
Regarding torrents, many game clients will use torrents for their downloads, the user simply doesn't see and deal with the torrenting.
Don't confuse self-hosted with decentralised, not the same :)
Again, this is looking at things backwards IMO. You seem to imply that there's a slow momentum from a centralized web to a decentralized one when in fact there's been a rather fast momentum in exactly the opposite direction over the past decades.
To me what you're saying sounds like "horses are about to become a very common way of moving goods". Maybe you're right but merely looking at the trend it's clearly not going that way at all.
> The backend is basically figured out at this point and we need to focus a bit more on UX.
You'll have to tell me more specifically what you have in mind there because that sounds very optimistic to me. We've had decentralized "backends" for as long as we've had the internet. The web is mostly decentralized by design. Even DNS is distributed across plenty of authorities for the various TLDs (even if each of them is effectively centralized and not anybody can become an authority).
Email is decentralized. BitTorrent is decentralized. IRC is decentralized. We're collectively moving away from these technologies, not towards them. I'm personally still a heavy user of all three of these things but it definitely feels niche now (email obviously isn't but self-hosted email is).
> Regarding torrents, many game clients will use torrents for their downloads, the user simply doesn't see and deal with the torrenting.
Which is pretty much irrelevant in this conversation then. It's about the technology people use to share content with each other, not about how Blizzard chooses to update your WoW client. It's a locked-down, vendor-approved way of distributing software from a centralized authority.
> Don't confuse self-hosted with decentralised, not the same :)
It's not the same but it's related. In general if something is truly decentralized then it becomes self-hostable otherwise it's more distributed than decentralized. Anybody can host their Bitcoin node, their BitTorrent peer or their email server. I can't host a Facebook node.
The distributed system does not stop to work then, but the user might risk punishment for using it, which might be even worse than not being able to use it.
The fact that you can't decentralize legislation and physical governance is not insignificant. You can't block the influence of preexisting powerful actors. Those factors do have the power to destroy the decentralization movement, and most likely will.
Maybe those "powerful actors" could prevent decentralization from becoming mainstream, but they can't kill it. Consider marijuana, for example. Use has been demonized for decades by the US and its allies. But that didn't stop an appreciable fraction of the US population from using (or at least, trying). And now it's becoming legal in more and more states.
For Internet decentralization, the driving factors will almost certainly be porn, gambling and prostitution. To the extent that they're driven off the clearnet, demand for them will fuel growth of alternatives. Freedom of expression is essential, of course, but it will be just a side benefit.
The more decentralization is suppressed by "powerful actors", the more it will be dominated by other "powerful actors". That is, by organized crime.
It will never happen, at least not on a scale that will affect significant web traffic.
There is another model, not decentralised but a practical middle-ground: the WordPress model.
Consider the following: WordPress is an example of a profitable open source app that can easily be installed on countless shared hosting platforms or on a VPS. It's easy to switch hosting providers when you want to (and to take your data with you). Its popularity means that one-click installs are widespread.
Unfortunately, there is no common standard for software installation on the server side, and this lack of an easy installation process for everyone else severely limits self-hosting websites and apps.
Many developers think deploying a server-side web app is a non-issue, or they erroneously think that installing Cloudron/providing Docker instances/typing command line instructions are all "easy". Have you seen the server deployment instructions for "web friendly" languages like Ruby and Python? It's ludicrously complicated. And still developers see nothing wrong in such install procedures. It's so frustrating.
I wish there was some momentum or traction in making server-side web app installation as universally simple as a one-click WordPress install. It would also unlock countless opportunities for developers to reach more users or customers. But maybe some developers secretly prefer the complexity? It certainly makes selling a SaaS solution much more attractive over the stupidly complicated self-hosting option.
Only techies care about decentralization. Most people would rather follow a Twitter feed rather than an RSS feed. Most would prefer a mega forum like Reddit rather than multiple, standalone forums with separate accounts. There are also network effects that give centralized platforms more of a competitive advantage.
I keep hearing people talk about the need for decentralized social media, but nobody knows how to make it an attractive, viable option for the masses...especially when such a solution wouldn't be as profitable (or as frictionless) as Facebook, Twitter, etc.
This is the future of a centralized web with products, services and companies that pay people salaries to develop products and services.
The decentralized internet utopia is dead. Stick a fork in it. It is a fringe populated by the modern equivalent of the grey beards of 1990s.
What this all really does in the end is create a technical caste system and obfuscation of ownership. People fortunate enough to have access and be up to speed on the latest technology (or hire people who are) will reap the rewards of decentralized systems which still belong to authoritarian actors, yet it will be extremely difficult to prove that ownership--especially to laymen. It will always have a nice hazy deniability, and it will be almost impossible to hold anyone accountable for their actions, or prevent or even identify exploitation.
This is absolutely the future of the web. Perpetual and stealthy non-neutral manipulation by the technically advanced and financially powerful is here to stay. I think that as engineers our tunnel vision and intellectual hubris have given us a false sense of security as we developed this hideous system, because we thought it was some kind of purely digital realm where we have real control and real comprehension of what we are doing. But nothing is purely digital. Everything is built on top of the real, analogue world where strong actors have already divvied up and taken ownership of everything.
We were very convinced it was name/ethnically based as I hadn't been to Iran for a few years before. The general counsel at my last job sent a strongly worded email suggesting they may have been using names to do this (thanks AA!). The email quickly resulted in my account being reinstated without any commentary on their methodology.
Unfortunately centralized silos also allow unprecedented convenience and ease of use. Nobody's figured out yet how to duplicate that in a decentralized or federated system.
When a company starts thinking this way, you know there's no turning back, and more such (censorship/surveillance-friendly) actions will be taken in the future.
Iran has sanctions against it right now. Slack, and other companies that have done this sort of thing with Iran, Cuba, etc the past few years, are trying to stay on the right side of the law. To avoid imprisonment, fines, etc. If you think what they did is wrong, start a company and risk serving prison time to stand up for what you believe in by creating a similar product and offering it to customers that have direct geographical ties to sanctioned and embargoed countries. I'm serious, imprisonment is a very real risk with dealing with sanctioned and embargoed countries.
Doing business with Iran, or a citizen of Iran, can open the door for all sorts of government investigation from fines, to being shut down for an investigation, to having data from other users compromised, to criminal prosecution of employees/officers of the company.
It's a lot easier to just immediately sever ties with anyone that has had dealings with an IP geographically connected to Iran than to go one by one "hey, you an enemy of the state? You sure you aren't? Promise? Cross your heart and hope to die? Ok, we believe you, we'll just hope you're telling the truth!"
Then there's the fact that Slack uses encryption at rest and in transit, there may be a LEGAL REQUIREMENT not to allow users with ties to Iran to use the product under CFR title 15 chapter VII, subchapter C. Or they may at least suspect they are at risk of running afoul of the cryptography export laws as they stand and simply decided, they don't want to risk it to protect the company and other users.
I highly doubt this is some Islamophobic/Iranophobic move on Slack's part, this is simply a cover-our-ass move so we can stay in business and not risk prison time.
- 15 CFR chapter VII, subchapter C.
- 31 CFR Part 560 and Appendix A to Chapter V
- Public Law 115–44 (the CAATSA)
You may disagree with the policy, but ryanmercer isn't wrong. Living in startup land where everything is light, you move fast, and things get broken, it's very easy to overlook that there is this 500 lb gorilla in the corner just waiting to smash you into pulp for doing the wrong thing.
My guess is that something internally at Slack has triggered this. It seems likely that they're in the midst of contracting with a Federal agency, or something of the sort. When you do business with the Federal government, all manner of hell is unleashed on you in the form of paperwork and due diligence. "Negotiation" boils down to litigation, and litigation is god damned expensive.
I am not saying what's happening is right. I'm simply pointing out that this is the culmination of decades of policy and momentum within our government. Wagging our collective fingers at Slack isn't going to change a thing. What can Slack do? Let's say they pass on whatever opportunity is driving this ridiculous witch hunt. So then what? Some Federal agency doesn't get to use their messaging platform? Who cares? Nothing changes.
It all starts with asking the right questions, and ryanmercer's post likely contains the answers to a number of questions that few people are asking: what's motivating this change, who is responsible for the policy, and how can our community effect change to prevent it in the future?
Established businesses simply block connections/signup/login from sanctioned countries. It's part of the checklist for new apps. It's really basic.
Slack is just another startup to discover that there are regulations to follow. They did very poorly on the interpretation though.
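As an added illustration (not code from any commenter or from Slack), this Python example contrasts the per-request block described in the comment above with the retroactive account disabling criticised earlier in the thread. The IP ranges, the range-to-country mapping, the blocked set and all function names are constructed for the example.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges mapped to country
# codes purely for illustration. A real service would query a GeoIP database,
# whose answers are fallible (VPNs, proxies, stale allocations).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "CA"),
    (ipaddress.ip_network("203.0.113.0/24"), "CU"),
]

# Assumption: the two countries named in the thread, not a legal list.
BLOCKED_COUNTRIES = {"IR", "CU"}


def country_for(ip):
    """Return the country code for an IP, or None when the lookup has no answer."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_TABLE:
        if addr in network:
            return country
    return None


def gate_request(ip):
    """Per-request decision: judges only where this connection comes from.

    Nothing is written to the account, so a denial ends when the user
    connects from somewhere else.
    """
    country = country_for(ip)
    if country is None:
        return "unknown"  # caller decides: allow, deny, or send to review
    return "deny" if country in BLOCKED_COUNTRIES else "allow"


def retroactive_disable(login_history):
    """Account-level decision: one historical hit disables the account.

    This treats a stored IP-to-country result as a fact about the person,
    which is the behaviour the thread objects to.
    """
    return any(country_for(ip) in BLOCKED_COUNTRIES for _, ip in login_history)


def replay(login_history):
    """Apply the per-request gate to each historical login, in order."""
    return [(date, gate_request(ip)) for date, ip in login_history]


# Constructed login histories: (date, source IP).
TRAVELLER = [("2015-03-02", "203.0.113.7"), ("2018-12-19", "198.51.100.20")]
RESIDENT = [("2018-12-19", "198.51.100.20")]

if __name__ == "__main__":
    for name, history in (("traveller", TRAVELLER), ("resident", RESIDENT)):
        print(name, "gate:", replay(history))
        print(name, "retroactively disabled:", retroactive_disable(history))
```

With the gate, the traveller's 2015 connection is refused and the 2018 one is allowed; the retroactive rule disables the same account over the single old login.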
It’s pretty clear that it’s not motivated by race or any kind of profiling.
Slack has no incentive to boot more people off their platform than necessary, so this overly broad ban could be a result of either misunderstanding the US government's mandate, or that might be just what they were asked to do.
The mundane includes things like contracting with the Federal government or even certain government contractors. Our company just contracted with PAE, and PAE contractors must agree to much of the same Federal Acquisition Regulations as someone doing business directly with the Federal government. One of the vendor forms was 37 pages long, and it contains sections explicitly requiring certifications that your company will comply with sanctions. The form binds the signer to personal culpability for failure.
So if you're a company contracting in this process you're tasked with preventing delivery of your product to Iran, and the Federal government gets to set the bar, not you. If you fail to meet the bar, you end up in Michael Flynn's shoes, only far less public. How long of a bet is it to expect a Federal bureaucrat will interpret compliance the same way you do? Are you willing to risk inquiry if your opinions differ?
I don't like what's happening here. I don't like it at all, but I know just enough about dealing with the Federal government that I can smell the odor from here.
It sounds as though you have access to data that the rest of people on HN do not. Would you care to share your source? Are you certain he would not have been banned by Slack if he were not an Iran citizen (just Canadian) but would have (possibly) used Slack when travelling to Iran?
We're both adults here and I assume we both can realize that splitting these hairs doesn't make my statement that banning everyone that's ever logged on Iran from slack is, in effect, a ban on Iranian ethnic users?
So no, a ban based on signing in from a specific locale has zero to do with ethnicity or race.
On the other, the author of the thread is accusing Slack of profiling him racially. What he's implying is that a human proceeded to stalk him around the Internet, on social networks, etc to check if he is an actual Iranian and ban him based on that. And that is a very, very grave accusation.
Banning anyone who has ever used Farsi in Slack, now that would be a bit closer to banning for ethnicity.