
My wife’s Slack account was closed yesterday.

She created the account while traveling in Cuba (legally) years ago and hasn’t been back to Cuba or any other sanctioned country since.

She is a cofounder of an org that uses Slack heavily and has now lost access to all her messages and files from the past couple years of work.

There appears to be no appeal process here.

Cuba is one of the most popular destinations for Canadians, can't ever imagine what would happen if they actually ban everyone that had their IP over there at some point in the last few years.

I suspect the fact that the account was created in Cuba is what triggered the action.

If Slack did this because of her trip to Cuba years ago it means they have kept records of her IP going back years.

This causes me to think about the metadata records they have held onto in addition to all the data.

And yet some people are wondering why GDPR has a data retention policy that aims at keeping personal data around for the least amount of time necessary.

Companies should be made accountable for such blatant abuse of user data.

Right, which should also indicate that this trip to Cuba wasn’t part of a pattern but rather an anomaly.

I understand the complex legal frames that this exists in, but they appear to have the data to be way more precise here.

They may have the data, but they have no incentive to care whether or not their inferences are correct. This is a common problem with ostensibly data-driven companies.

> If Slack did this because of her trip to Cuba years ago it means they have kept records of her IP going back years

Or they did an IP to country lookup back then and kept the result of that rather than keeping the IP.

I am starting to become scared that my accounts with different companies will be closed retroactively. I have, through work, toured most of the free and some parts of the non-free world (including Iran, Cuba and Sudan). That apparently makes me fair game to have my US accounts closed. Had I been a Slack user I, by the look of it, probably would have had my account closed today, even though I have lived within the EU for all my life.

I am pretty certain I have logged into my mail, PayPal account and Digital Ocean account from countries embargoed in the regions my providers operate. PayPal I could lose without much fuss, but jeez how I'd hate to lose access to my email.

I worked in webhosting forever and I've never heard of a company until this post actively digging through a user's access to services to block them. What we'd do is use products like Maxmind where if you tried to sign up and pay from Iran, etc, you'd be automatically denied. I've never, ever heard of audits to SSH logs to track this stuff down. We'd audit ssh logs if there was a server that was hacked, etc, usually to see if they hacked other servers so we could take them all down at once or find out (they'd often have irc running) what groups they were in to get more info on how they did it, etc.

This is absolutely ridiculous. I've opened up Slack while in Cuba to check on work things at my American company who does no business there. I don't have anything to do with our Slack bill and I'm a US citizen. So if someone goes to see their family in Iran/etc and just happens to open Slack they'll get banned? That's hamfisted as all hell.

While it's perfectly legal for your wife, a Canadian, to go to Cuba, it's still embargoed by the U.S., and Slack as a U.S. company must comply with the embargo (even though your wife has done nothing wrong per Canadian law).

That's true, but why does that mean they need to shut down her account just because she visited Cuba? Would that mean a grocery store would then have to refuse to sell you their goods because you visited the country once?

The guy's wife didn't do anything wrong. Slack broke the law by providing an embargoed service to someone in Cuba. I'll bet money that when this was discussed with their compliance officer, the lawyers and engineers and everyone else agreed to use certain metrics (like source IP) to determine whether someone fell under the embargo. Otherwise, Slack would have to spend a lot of time and money validating people's identity, etc., in order to comply. I don't really fault them for taking this path because their exposure is huge and compliance is hard.

Your analogy about grocery stores doesn't really work because logging into Slack isn't the same thing as walking into a grocery store, because buying from a grocery store isn't the same thing as exporting food across a national border, and because neither food nor medicine is embargoed.

They didn't shut down their account because she visited Cuba, but because her account was created _from_ Cuba. It's unfortunate but I guess it's the only way Slack has to "know" where an account is from.

It's the laziest possible way. They could've looked at most frequent login IPs instead.

They should never have allowed the account to be created from Cuba in the first place. Slack, when it was younger, didn't have good policies in place to actually follow US law. As such, now that they are reviewing their old records they realized they committed illegal actions that they need to clean up.

Yes, it harms their customers, but that harm and the resulting damages to Slack's reputation (and maybe legal costs), is what they must pay for being negligent in the past.

Not a great analogy since you normally can't shop at an American grocery store from Cuba, but you can use an American web site from there.

That's a good point except that Slack shouldn't be banning people that are not violating sanctions.

In this case, if the account was actually opened from Cuba ... that could be a problem.

What they should do is offer recourse and a way to have this resolved.

They did offer an appeals process, but that can be safely assumed not to be a process for appealing the US law and their interpretation of it — it’s much more likely a process for appealing technical errors committed by accident during bulk work, such as “you identified my IP as Cuba when it’s Florida” or “I was hacked and we discussed that back then, please recheck your logs excluding the hacker’s activity”.

So they are absolutely offering recourse and resolution, but only where it is in their power to do so.

TLDR: Don’t expect Slack to be responsive to arguments that contain “please ignore US law for my individual circumstances”.

What other life-long punishments does she deserve for doing that horrible deed? Completely removed Google account with all her data? Permanent ban from any grocery store? Revoked driver license? Lifelong ban from Amazon, HN and other US services?

I've just opened all my Slack workspaces from an IP geolocated in Tehran to test that hypothesis. Let's see how it unfolds.

[EDIT] to be on the safe side, I've also created a new workspace from said IP.

So is it related to her ethnicity as this guy is claiming it is in his case?

If not maybe everyone can consider that maybe Slack’s actions for the Iranian guy have some basis other than “his ethnicity.”

It appears we are talking about place of origin of accounts, at least in my wife’s case.

Slack could just block access to IPs from banned countries. Why are they retroactively blocking accounts? Sounds like Slack is punishing regular people who visited those countries.

If the data is worth something, get a lawyer to write a letter to them and request the data back.

Lesson: keep backup of everything in multiple jurisdictions even if you are innocent like Jesus. You know what happened to him.

Was her account the owner of the workspace? What has happened to the whole workspace?

How do people export/backup messages from Slack?

Migrating to Mattermost from Slack and transitioning all the data is easy. My team at work transitioned to Mattermost a few years ago. https://docs.mattermost.com/administration/migrating.html#mi...

Thanks. This seems to be the important part:

> Generate a Slack “Export” file from Slack > Administration > Workspace settings > Import/Export Data > Export > Start Export.

If the account is already closed, this is not possible. And this is a major problem.

The appeal process is filing a lawsuit against Slack, provided the person wronged didn’t already agree to give up that right when accepting Slack’s TOS.

Even if it wasn't given up, what would the lawsuit complaint be, and what would one gain from it if it succeeds? Isn't Slack legally entitled to shut down any accounts at any time?

IANAL but cutting you off your everyday job and crucial documents (causing stress, money problems, hopefully not: unemployment) only because you happened to open an account in a random country seems like a reason good enough for a lawsuit. What to gain: compensation, and that damn' account.

You are not entitled to Slack's infrastructure, no matter how much you came to depend on it for your day-to-day life.

Well that's not strictly true. Presumably there is a contract of some sort, and Slack must abide by it, entitling users to Slack's infrastructure to some degree.

It's not completely arbitrary. Plus there're notions of estoppel potentially at play.

I'd pretty much guarantee their terms of service stipulate they can terminate an account at any time for any reason. It's how most Internet services operate. The only likely addition to that, is a monetary refund if warranted based on the account context.

Pretty sure the contract is going to be in Slack’s favor. They had all the leverage when somebody agreed to it.


One, no, you are not legally entitled to shut down accounts on the basis of race or national origin, if that's what they're doing.

Two, they may have to at least return the data: if I let you use a desk at my place and you start doing business there, I am pretty sure I cannot legally refuse you entry and hold on to your papers.

Three, even if they are, we're also legally entitled to call Slack incompetent losers, and to tell our employers that we should not switch to Slack if we wish to continue being co-workers with Iranians. I will be telling my employer that shortly. (One fascinating side effect of using Slack is that the entire company must conform to Slack's policies. You cannot hire someone whom Slack won't create an account for, nor someone who won't agree to Slack's ToS, because if they're not on Slack they can't get work done.)

> no, you are not legally entitled to shut down accounts on the basis of race or national origin, if that’s what they’re doing.

That’s not what the parent comment said, you’re twisting it with an assumption. Slack is not legally obligated to provide Slack accounts to anyone, that was the point.

> they may have to at least return the data: if I let you use a desk at my place and you start doing business there, I am pretty sure I cannot legally refuse you entry and hold on to your papers.

Your analogy is rather confused. The data Slack has isn’t equivalent to your papers that you dropped on their desk. When you sign up for Slack, you enter into a contract outlined in their Terms of Service that detail explicitly what they agree to be responsible for. In particular, here’s the agreement relating to your data:

“Following termination or expiration of a workspace’s subscriptions, we will have no obligation to maintain or provide any Customer Data and may thereafter, unless legally prohibited, delete all Customer Data in our systems or otherwise in our possession or under our control.”


> "will have no obligation to maintain or provide any Customer Data..."

I have to admit that this case (and some others I read in recent days, e.g. MailChimp account deleted: https://news.ycombinator.com/item?id=18715866 ) made me aware that the terms of some popular services can be much worse than I would expect. I should really start reading those terms. Thank you for helping me reduce my naivety.

> Slack is not legally obligated to provide Slack accounts to anyone, that was the point.

And this point is untrue. As long as Slack provides accounts to the general public, they are required by law not to discriminate when doing so on the basis of race or national origin. They can stop serving everyone. They can firewall access from Iran, or identify actual persons covered by the sanctions. But they are legally obligated to serve Iranians as much as they serve anyone else.

> Following termination or expiration of a workspace’s subscriptions

One, this is an individual account, not a workspace. The workspace remains active.

Two, terms of service don't override law. There may or may not be law that overrides this and says that certain rights cannot be signed away. (For instance, if you're subject to the GDPR, my understanding is it would override it.)

> terms of service don't override law.

Correct, agreed!

> As long as Slack provides accounts to the general public

Slack does not provide accounts to the general public, in any legal sense. Slack is a private business, not a public service. Please read the terms of service to understand the terminology.

> they are required by law to not discriminate

Well, they are required by law to discriminate against traffic to Iran.

But, again, you've twisted my meaning to make your own separate point. I wasn't talking about discrimination. Slack is not compelled by law to provide accounts to someone. They can legally refuse service to someone who lives in Iran, or connects to Slack from servers located in Iran.

> But they are legally obligated to serve Iranians as much as they serve anyone else.

That statement is true in the sense that Slack is under no legal obligation to provide their service to anyone, outside of the agreement they created. That is separate from and irrelevant to whether or not they're allowed to discriminate against the people Slack agrees to provide service to, under their terms of service contract.

> they are required by law not to discriminate

BTW, what law are you talking about specifically? I'm aware of civil rights for US citizens, and anti-discrimination employment law in the US, but not of a specific law that bars online discrimination. I personally believe discrimination online would be wrong and bad, but are you certain that it's illegal?

Keep in mind we're talking about someone in Canada connecting to a US service, with a plausible decent chance that he connected from Iran or through an Iran server and just forgot about it. I'm not aware of specific US anti-discrimination or civil rights laws that would protect Amir in this case.

Slack doesn't even know someone's race or ethnicity, thus can't discriminate against that. They are just disabling accounts based on the IP they were created from, which was the best they had to go by to abide the sanctions. This is for sure inexact and bound to have false positives though.

It’s not quite that simple. A case could be made that other variables are a proxy for race or national origin, and travel to specific countries is one of them.

Of course that argument has an opposing side as well, but it seems prima facie plausible as a cause of action.

Exactly. Assuming ethnic discrimination seems pretty unwarranted.

> Slack is not legally obligated to provide Slack accounts to anyone

Slack is legally obligated to provide Slack accounts to people who pay, with 30 days notice for termination in most cases. There is this stipulation:

> We may terminate the Contract immediately on notice to Customer if we reasonably believe that the Services are being used by Customer or its Authorized Users in violation of applicable law.

However, if they are terminating accounts based on ethnicity that doesn't seem like a reasonable belief they can use to justify applying export controls.

> Slack is legally obligated to provide Slack accounts to people who pay

Rather, Slack agrees to provide accounts to people who pay and agree to the contract in return.

That little stipulation is exactly what is in effect here. Slack believes the users are in violation of the agreement, and under the legal rules that Slack established and controls, they enforce immediate termination.

> if they are terminating accounts based on ethnicity

This defending of the argument based on wild assumptions that Slack is ethnically profiling is a bad place to start from. That hasn't been shown, nor is it very likely.

On the other hand, Slack is legally obligated to block traffic to Iran, and it's within reason to assume an account that ever had any traffic in Iran broke the law. It's certainly possible that Amir forgot that he used an Iran proxy, or traveled there. It's possible that someone on his team broke the rule without his knowledge. It's also possible that Slack made a mistake, which can and does happen from time to time at many companies when trying to enforce international laws using only IP traffic logs. None of that points at Slack intentionally terminating accounts based on ethnicity.

Digital data is not paper.

(Maybe this is a stupid question) Why should they be entitled if you are a paying customer? Do they give you a backup of your activity on their platform before closing the account?

Honest question: if I go to McDonalds and pay for a burger can they refuse to serve me? I understand that they can refuse to serve me before paying, but after I pay their service and goods too?

GDPR holds that you own your data and are entitled to be provided a download of it. Not sure what the Canadian equivalent is, if any.

And it applies to people who are in the EU. So all these people have to do to get their data is to book a plane ticket into any EU country.

Even if the GDPR applied in this situation, Slack is trying to obey US sanctions. I’d wager a guess GDPR can’t force a company to violate those laws.

GDPR has the force of law in its area of jurisdiction. If Slack can't comply with it, then they'd better not do business in that jurisdiction. That's how the law works; there isn't some hierarchy of one country's laws overriding others'.

/s Exactly. It’s why we never saw two countries going to war.

Are you suggesting the US go to war with the EU to force them to repeal the GDPR, so that Slack can do business in the EU? I know HN typically takes a pro-business angle politically, but that seems beyond even the most rabid line that I usually see here.

If not, I am totally confused about how your response connects to what I wrote.

Other way around. The EU is the one who bears the burden of forcing American companies like Slack to comply with their laws. Though jumping straight to a shooting war feels like an overreaction. Maybe start with a fine and ban the company if they don't pay.

Do the US sanctions prevent them from giving the user a copy of their data?

So, uhh, just stop using Slack then? There are plenty of alternatives now.

I don't think this is about Slack.

Huh? This seems about Slack.
