I'm shocked (in a positive way) about the amount of transparency Gitlab provides.
Even as a reader, it almost feels as if someone misconfigured the ACLs or I'm reading leaked internal documents, not an intentional decision to make this open. Some of the discussions seem highly sensitive, and yet it seems to work for them.
Thank you, Gitlab, for being so open! I've learned a lot about compliance from just reading this thread. For anyone curious, here's some background on the mentioned boycott laws: https://www.bis.doc.gov/index.php/enforcement/oac
Thanks! We try to be transparent by default and even when it is difficult. I think the OP is a good example of something that is hard to be transparent about because the decision isn't obvious and it takes discussion to come to the best conclusion.
Congratulations on taking a step in the right direction, even if it is a very small step. Nobody else seems to take the threat seriously, somewhat excepting defense contractors of course.
I can understand being reluctant to deal with the full extent of the problem. Somebody from China, with a family in China and subject to Chinese law, does not cease to be a security threat by moving to the USA and getting a green card. This gets awkward.
It really is no surprise that valuable secrets of all types (private key, customer data, trade secret, insider info for trading, etc.) end up in other countries.
I on the other hand think that splitting countries into allies and enemies is stupid. China is a huge country, and excluding a billion people from your company just because their government does questionable things sounds like a pretty bad idea.
If you are really concerned about the confidentiality of your data, don't store it unencrypted in some SaaS where every customer service rep has full access to all your data. At that point you're already so vulnerable that excluding potential employees from a whole country is just pointless security theater that some suit with an MBA thought up to justify his position.
> China is a huge country, and excluding a billion people from your company just because their government does questionable things sounds like a pretty bad idea.
People have to do what the state they live in and belong to orders them to do. That's part of the point of having a state. So if you can't trust a state you can't trust its people either.
> you are really concerned about the confidentiality of your data, don't store it unencrypted in some SaaS
I don't think dissolving the company is on the table.
> I don't think dissolving the company is on the table.
Zing! Solid line but it misses the point. As with any other data, you can encrypt source code. It's perfectly easy to envision a setup where Gitlab employees in country X can only see plaintext Gitlab data they could already see over the public internet.
> People have to do what the state they live in and belong to orders them to do. That's part of the point of having a state. So if you can't trust a state you can't trust its people either.
So, I could say that Americans suck if I think Trump sucks?
That is ridiculous. First, 'the state is unauthentic' is subjective speculation. And the funniest part is that the conclusion 'the people are unauthentic' came from your first thought.
I cannot say Americans are terrorists if Hillary wants to burn another country. Am I right?
> The first one is flattening China with nuclear weapons (conventional war is impossible to win) which is obviously unacceptable, the second one is totally excluding China from any and all international trade.
The world has had more invasions, interventions, toppling of legitimate governments, etc, from the US than from China. And while the US keeps democracy internally (unlike China) they have supported all kinds of dictators abroad.
So there's that.
The mere fact that you were even considering "flattening China with nuclear weapons" to bring democracy (even to discard it) is telling of the US imperial mindset...
And the same is for the interventionist idea of "totally excluding China from any and all international trade".
Yeah, let's risk internal chaos, power struggles, civil war, famines, etc in a sovereign nation like China, because they don't have a system of government we approve of.
As if intervention to "bring democracy" worked so well in Libya, Iraq, Afghanistan, and several other places besides, who cares for the million out of their homes, rising fundamentalism, killed, etc, they're not white enough...
When will some countries finally understand the concept of "mind your own effing business"?
It's incredible how many people miss this basic point. Land is a fixed quantity. Every square inch a state controls was at some point taken from some other state or group of people. Big states were just better at this.
> China has a long history of war. The US doesn't even have a long history.
Please don't move the goalposts. We're talking about the current State of China, which came into being in the mid 20th century, and is thus a lot younger than the current US state which traces its founding to around 1776. By that measure, the US has been involved in far, far more invasions and wars than the Chinese state.
Right...perhaps you should ask the good people of Tibet, or the Muslims in western China if they feel that the Chinese government "minds its own effing business".
I have several friends from Xinjiang, yes, they complain about some (who doesn't complain about their government in life? As far as I know, Utopia is still a dream on the planet), but they feel good, even proud of their government. One of them, a girl, even volunteered in the rehearsal for the National Day parade.
For Tibetans, the government freed them from the old cult (you may not know that their nobles used to wear slave-skin clothes and drink from human-skull bowls), built railways to accelerate their economy, lowered the university score for them to help them get educated, enfranchised them to vote and to propose new proposals in the People's Congress, etc. So how do they feel about their government? I mean those Tibetans who live in China.
What's more, Tibetans, Muslims in western China, they are all Chinese people, so their issue IS the Chinese government's own business.
Your friends are presumably not detained for continuing to believe in the religions of their parents, so they're going to have a more positive outlook based on the state of the economy.
Even if you think that it's desirable for the government to try to accelerate secularization with its "re-education camps," the implementation is guaranteed to cause a lot of suffering. The rushed timeline for construction, involuntary detention in the resulting cramped quarters, guards and teachers who were hired quickly with essentially zero training... all of this is just setting things up for physical and psychological abuse of inmates. Just look at the cases of 杨永信 and 豫章书院 torturing children to cure them of internet addiction to see how far people are willing to go if there's no oversight and their aims are supported by mainstream opinion. That the government tries so hard to suppress negative reporting doesn't exactly inspire confidence that abuse will be prosecuted.
My personal prediction is that the majority of inmates are going to come out of "re-education" traumatized and with a justified hatred of the government. I'm sure they'd prefer it if the government stuck to their business of modernizing the economy, instead of trying to force loyalty in the most ham-fisted way possible.
1. While the Constitution of the People's Republic of China does protect religious freedom, this is only under the condition that the religious beliefs in question do not disturb the social order, cause bodily harm or obstruct the national education system. That means in practice, people will be detained for beliefs that are considered too extremist.
2. Would you believe me that they exist if I called them "education centers" instead? Try searching for 教培中心 in http://www.xinhuanet.com/politics/2019-03/18/c_1124247196.ht... It is described quite clearly that people can be brought to these centers even if their extremist beliefs do not otherwise amount to a crime.
3. I specifically brought up "杨永信" and "豫章书院" because they don't involve minorities. I didn't mean that they were mainstream in the sense that most people would approve of their methods, but there's definitely widespread concern about students spending too much time on the internet and too little studying. It's just that most schools take a less brutal approach to the problem and confiscate their students' phones instead of using torture.
Given your statement that
> Many Chinese people hope the government put an end to "杨永信" and "豫章书院", but I don't know why they don't.
consider that many Uyghur people hope the government put an end to the conditions in those "education centers" and don't know why they don't.
4. Do tell me if any of this is unconvincing. I'm still working on an airtight argument that is acceptable for someone with the perspective that the CPC is trying to do good in principle.
1&2. Oh, sorry I forgot the extremist. So what would you do when you face an extremist? Ignore him so he can stab innocent people in a railway station? Or you show him why he shouldn't do that, maybe even teach him some skills so he can make a living and become a part of society? The latter is exactly what "education centers" do according to the link. And it is described quite clearly that the center is not a prison or Auschwitz (go back home regularly). So I answer your question directly: I believe "education centers" exist, but it's not a synonym referring to the fabricated "re-education centers".
3. Your refutation is valid only if the presumption is real. I applaud you sincerely, but how can you stand for many Uyghurs? I live with Chinese people every day so I can more or less present their thoughts; did you get in touch with some Uyghurs or do you just surmise their thoughts from, let me cite Trump, "Fake News"?
4. I really hope to read your airtight, immaculate, irrefutable argument!
> Ignore him so he can stab innocent people in a railway station?
Maybe not, but not all beliefs that are defined as extremist are of the stabby kind. It's a bit hard to get information on which specific beliefs are covered; http://www.xjnj.gov.cn/jgdj/flfg/201502/09174829hwdu.html talks mostly in general terms, but does explicitly mention "活佛转世". Belief in reincarnation is not exactly a violent ideology, but it does create a separate hierarchy (of reincarnated lamas) that does not directly answer to the CPC, which I guess falls under the "social order" exception. Also, various kinds of headscarves and beards seem to be forbidden alongside the Turkish/East Turkestan flags: http://xjtzb.gov.cn/2017-06/19/1121167392_14978365485711n.jp... (I realize the image is watermarked by some random WeChat account; but the reposting by the Xinjiang branch of the United Front seems like an endorsement.)
> maybe even teach him some skills so he can make a living and become a part of society? The latter is exactly what "education centers" do according to the link.
I don't have a problem with that in itself, but that's contingent on the implementation. Making the plan work requires lots of resources, not just the one-off construction of buildings, but also teachers, guards and other supporting staff. There's already a shortage of teachers in poorer regions of China, so where are all those teachers coming from? How are they trained? The inmates aren't going to be economically productive for some time, so how are their living expenses paid? What about the loss of income to their family members?
These are all difficult problems to solve, and I'm not sure the Chinese government has actually solved them.
> the center is not a prison or Auschwitz (go back home regularly)
I agree that comparisons with concentration camps are not appropriate, because the purpose is not genocide, but ideological assimilation. However, I'm not too sure about the "going home" part. Only one of the three groups are voluntary signups; what's the point of sending someone there involuntarily if they can just go? They might even end up stabbing someone.
> did you get in touch with some Uyghurs or do you just surmise their thoughts from, let me cite Trump, "Fake News"?
Unfortunately, Uyghurs are a bit rare where I live. It's certainly possible that the Uyghur and Kazakh Muslims who have appeared as eyewitnesses in Western media are just making everything up, or maybe their experience was simply atypical. After all, among a million people, finding one who had to live in a room with ten people because the new dorms weren't finished yet, or who was hit by a frustrated teacher, or who was raped by a drunk guard, is kind of to be expected. In that context, a statement from the government that they're investigating those crimes and will punish those responsible would be much more reassuring than a complete denial that anything bad ever happened.
Maybe you could ask some of your Uyghur friends if they know anyone who went to one of these centers and what they thought of the experience. I guess that'd be much more informative than debating with me.
> The third way (trade brings democracy) has been disproven over the last decades.
This is often claimed, but I fail to see the disproof. The standard of living in China has improved considerably as a result of trade. That new prosperity means that now more people can afford to support journalists, lawyers and activists working to expose and curtail abuses of power.
This is not limited to underground organizations or something; the Center for Legal Assistance to Pollution Victims is run by the China University of Political Science and Law in Beijing, probably funded by government grants. http://www.clapv.org/about/index.asp
It's also not limited to action in China; as Chinese companies get involved in large-scale construction abroad, so do Chinese NGOs who have experience mediating between those companies and the people negatively affected by them. https://pandapawdragonclaw.blog/2019/10/28/interview-can-chi...
You may think that internet censorship is a sign that things are regressing, but there used to be no internet at all. Nowadays anyone with a grievance can publish an article or a video to raise awareness; by the time the censors notice the outrage, it's already too late for the government to pretend that nothing happened.
30 years ago, the Tiananmen Square protests lasted barely over a month before they were crushed by the military; the protests in Hong Kong have been going on for half a year and the military hasn't been involved so far.
China hasn't turned into a democracy overnight, but neither did South Korea or Taiwan. So far, the trend seems to be positive.
Are you in USA? Should other countries refuse to employ USA citizens because of actions of the government - things like pulling out of Syria to enable the Turkish murder of the Kurds to continue.
Well, the US government won’t make my family disappear if I don’t cooperate, for starters.
I find it intellectually dishonest to compare the USA’s foreign policy with a dictatorship government that forces compliance through threats on local relatives, etc.
> Well, the US government won’t make my family disappear if I don’t cooperate, for starters.
Right, if you're a U.S. citizen maybe not, otherwise they'll do that and worse, read on "enhanced interrogations", kidnappings etc.
So the U.S. is better domestically, (still employs prisoners as effectively slave labor, treats minorities harshly, lets people die due to lack of healthcare...), but it is worse in terms of foreign policy, so in the end it seems to be a bit of a wash, doesn't it?
Is the US worst in terms of foreign policy? Seems like the peoples of the South China sea, Tibet, and Hong Kong might have different opinions on that matter.
Also all the nations in Africa with newly built debt trap infrastructure.
The US has done some truly shit things abroad, but we’ve also been the dominant superpower during a period of unprecedented stability, prosperity, and peace when you look at the numbers.
Sure Iraq was a shit show, and I’m of the opinion that war crimes were committed during enhanced interrogations.
But the entire history of the world before WWII is just one long history of war basically everywhere. Open market slavery.
The US isn’t perfect, but the alternative filled with constant regional conflicts everywhere certainly seems like a worse alternative to me.
Edit: not sure why I waded into this conversation.
Curious though, I’m seeing the 4x prison population for USA per capita number bandied about.
On one level, I see that number slowly improving as we stop arresting people for smoking marijuana.
And on the other, I’m really curious, and have no idea, are China’s Uighur population which are in “reeducation camps” counted in China’s numbers?
Aren’t they harvesting people’s organs in those places?
Rough. America’s always had a lot of outright and systemic racism but my feeling is that it slowly but surely keeps getting better.
I have a feeling Generation Z is going to be pretty open about things whether it’s sexuality, skin color, gender, or whatever.
Ultra PC and call out/cancel culture is another thing with its own warts, but yay for a society where an entire generation can push forward this new ideology of being whatever the hell you want to be.
The boomers are dying out, the evangelicals and religious are losing people every day.
I have faith we’ll be fighting for human rights and climate change accords soon.
I really hope at least.
So to conclude, my opinion, we’re no paragon of morals and values, but our history shows a slow but steady stride towards an ideal, one of freedom, and individuality, and opportunity, for all.
We take steps back, we make awful mistakes, but over the long term, we always move forward.
That’s the America I believe in. I hope I’m not wrong.
This is very U.S. centrist, I'd grant you the relative peace and stability if you're in the West. But 70 years isn't that long and you could find empires with long stretches of time where relatively nothing was fundamentally changing for the dominant population of some of the long-lived empires. The U.S. in its modern form and position isn't around even as long as the golden age of democratic Athens was around.
Sure, there were historically always some tensions at the border regions of these empires, but there are pressures of such nature felt in Europe now too, (the U.S. has the advantage of being physically very, very far from the regions it unleashes its worst policies on, so of course it's less felt there).
Also, all empires saw themselves as in some way policing, keeping peace and bringing their enlightened values to what they saw as the lesser. If we see that kind of thinking now as wrong, then I really don't see how the U.S. is so much different from the empire model of old.
As for China, I agree its regional foreign policy is not great, the problem is the U.S. doesn't just keep it regional. It treats the whole world as its backyard.
If you're a non-U.S. citizen, the unipolar world is not so great. I don't want China to, say, replace the U.S. as the dominant superpower, I want it to offer a counter-balance. I want the EU to be its own great power, offering counter balance to both, bringing both democratic values & a more humane treatment of its own citizens than the U.S. has, especially the less fortunate.
I don't understand how these things somehow result in there being no difference between the US and China. Of course it's an imperfect system.
Try handing out flyers about civil rights in Washington DC and then try it in Beijing.
Of course it's easy to criticize the electoral college but look at the results of direct democracy recently, Brexit, the initial rejection of the FARC peace agreement in Colombia. There's a reason representative democracy is preferred to direct, it's just difficult to get a balance. Odds are that the Electoral College will be gone in my lifetime.
Is the authoritarian Chinese system better? Of course not.
> Of course it's easy to criticize the electoral college but look at the results of direct democracy recently, Brexit, the initial rejection of the FARC peace agreement in Colombia.
The obvious counter-example to this argument is Switzerland, which has been a direct democracy (or as close as you can get) for more than 120 years.
Brexit wasn't caused by the system by which the vote was conducted. It was a genuine public sentiment that had been cultivated through decades of media propaganda and scapegoating by politicians. Yes, the fact it was a single-issue vote made the issue more prominent, but it's entirely possible that the same result may have occurred through a general election if the right parties had been galvanized in the same manner.
> There's a reason representative democracy is preferred to direct, it's just difficult to get a balance.
I wonder which group of people overwhelmingly prefers such a system. Political apathy is rampant throughout the world of representative democracies, with a prevailing sentiment that people's views aren't being represented. Two-party politics results in elites being able to control the scope of options available to the electorate.
> Odds are that the Electoral College will be gone in my lifetime.
We can only hope, but that won't solve the two-party problem (or any of the other problems in American democracy such as the rank corruption).
> Is the authoritarian Chinese system better? Of course not.
Is anyone arguing that? The whole point being made is that America is in no position to take the moral high-ground. The US financially (and usually militarily) backs 70% of the world's dictators.
It's always a small group of people applying force on the rest. In communism, it's the party members. In capitalism, it's the board of directors. Communism prioritizes fairness. Capitalism prioritizes freedom. People who want fairness hate capitalism. People who want freedom hate communism. Too much fairness but too little freedom bankrupts communism: people die in a fair manner. Too much freedom but too little fairness crashes capitalism: people die from voluntarily killing each other. Stop feeling superior to anyone else, but start acting. Western society has a lot of fairness problems to solve. Let's start solving them.
This is a thread where Americans are debating whether we should "flatten" a billion people via nuclear bombardment because they don't govern themselves the way we think they should.
I'd pick a different spot to call us morally superior. Like, any other thread.
Are we? I’ve seen a reasonable discussion so far on policy and ethics. There will always be trolls.
I never said anyone was completely superior. But in this specific case.. we are, because American citizens (and their families) don’t disappear for criticizing their government or for refusing to spy on other countries.
That's awfully cherrypicked if you're going to limit things to specifically political prisoners.
We have LOTS more prisoners, btw, 4x as many per capita, with a nasty racial bias. And that's before you get into all the dead Arabs and Latinos who dared to have a government that wasn't freedomy enough for us.
What's your exchange rate between those? Do you value the tiny number of people speaking out against the state's legitimacy that much, when we're talking millions of other innocent lives?
Becoming suddenly sure that we MUST kneecap our rival for totally sound moral reasons is soooo American. I feel like I'm living in groundhog day and nobody else can tell.
There's a pretty significant online mob who really want to split HK off of China. I'd call 'kneecap' reasonably apt.
As far as hegemony.. I'm sorry you don't believe that :) Why is specifically China the Big Bad Guy if it's not about hegemony? Why aren't we focused on cleaning our own house first if it's about justice and freedom?
Like, if this isn't about power, we could at least stop actively supporting the horrible regimes that are useful to us? That seems like a pretty easy thing to do. Why hasn't it happened?
> There's a pretty significant online mob who really want to split HK off of China
There are significant online mobs dedicated to anything. That's not really a convincing argument. People who are advocating independence don't understand the situation, nor do they even understand what the protestors actually want (it's not independence).
> Why aren't we focused on cleaning our own house first if it's about justice and freedom?
It's almost as if America isn't comprised solely of 1 person! Not to mention, why can't people focus on both? This argument is basically "america has issues, so it can't point fingers". Not only is this an unconvincing argument, it doesn't make sense because what is "america"? Is it me, a singular US citizen? Is it Gitlab, a company headquartered in America with ~50% American employees? Is it just the US govt?
> Why hasn't it happened?
Because people aren't informed and don't vote based on that. That is another complex discussion in and of itself, but most people that I know are against it, so I don't really get what your argument is.
It's also complex over there, where Americans don't speak the language or understand anything about the culture or history. Our lack of understanding does not make them 1-dimensional movie villains in reality.
1. I do not need to comprehensively understand a country's culture to know about security risks and totalitarian governments. In fact, both of my grandparents and parents lived in and fled from a communist country, so I know a thing or two about that.
2. I do not need to comprehensively understand a country's culture to understand when human rights abuses are happening.
This argument is a form of -gatekeeping-. "Only X people can really discuss this issue", except you can move the goalposts whenever necessary.
People often don't understand American culture or history (and sometimes don't speak English either) but that doesn't seem to faze them when discussing America, etc.
Where you're wrong is that while both countries have skeletons in their closets, only one of them is blatant, espouses and has no qualms about kidnapping/murdering/torturing their own people, and is many factors more evil despite us not even knowing the full extent of their actions due to the opaqueness of their government. Hint, it's China. Last time I heard, the US doesn't have a Nazi-era concentration camp in 2019 enslaving 2,000,000 minorities, harvesting their organs, torturing them, erasing their culture, desecrating their graves, and forcing the women to marry into Han families. The irony is that you can only make these ignorant attacks on America because there is freedom of speech in the US while in China, you'd be silenced the moment you hit send.
USA has been a dictator around the world for a century. So many unethical wars involved. So many radical movements are cultivated by US propaganda. Now these fear fed propaganda are dividing itself and destroying the future. People who are blind to all these are the ones full of fake Democracy ideology.
> the US government won’t make my family disappear if I don’t cooperate,
Don't be so sure of that. If you hold valuable information on a foreign state, you will be accused and quickly convicted under various national security laws if you don't co-operate.
You severely under-estimate the power of a state, especially one as powerful as the US. If they want something from you, they will get it. Have you broken a minor law? Maybe you've been stellar, but some member of your family hasn't. The likelihood of being in an entire family with spotless records is very very low.
Even in that example, the US government would not make my family disappear. Please cite any reputable sources that you have to the contrary, because anything else is a spurious claim. I'm not going to argue over various conspiracy theories.
Corruption and unfair things exist in every single country, but we do have the right to freedom of press, speech, assembly, and due process.
To be clear, I'm not arguing for any such conspiracy theories. All I'm saying is that the State can go after you and your family if you refuse to co-operate with it on important enough subjects.
I do agree that the barrier for that may be lower in more authoritarian states, as they're not restricted by the system of laws in the US. Maybe that's the best we can get.
Just because my kitchen's on fire doesn't mean I shouldn't report the murder occurring at my neighbor's house. I can be concerned with both, and should be. So while I'm trying to put out my kitchen fire, I should also probably be on the line with emergency response. I am not my government, nor is my government going to disappear me for loudly criticizing it and supporting politicians that would work to stop our moral failings.
No, Germany, which also faces massive problems with Chinese buy-outs and industrial espionage.
> Should other countries refuse to employ USA citizens because of actions of the government - things like pulling out of Syria to enable the Turkish murder of the Kurds to continue.
I would wish so, but I'm realistic enough to know no government wants to put themselves into the spotlight of Trump's Twitter account and trade war threats.
>> China has been using our money ...
> The best way is to vote with your money then?
We as individuals can't do shit about international trade. No matter if I live vegan or not, pigs will be slaughtered in inhumane conditions. No matter if I drive an SUV or not, climate change will grow. Systemic issues need to be dealt with by those who have been elected for this job.
> things like pulling out of Syria to enable the Turkish murder of the Kurds to continue
That's an incredibly disingenuous take. America has no business being there in the first place, so there is nothing wrong with having US troops leave that region.
By your logic, the US is responsible for all the atrocities in the world where it doesn't have special operators acting as human shields.
Besides, your FUD is a bit dated. Kurds simply went seeking protection with Syria and Russia and in the end, not much happened.
By invading another country? I guess that's what the U.S. tends to do.
I believe people have a right to self determination. Borders are just lines on a map. I know America doesn't believe that, and that's a valid viewpoint too, just one I disagree with.
They didn't use free trade against you, they used the American corporate greed and bottom line mentality. It was a cooperation. We got plenty of cheap shiny plastic knickknacks to keep compliant while corporations sold out on local economies.
Now that it is proven to be unsustainable they beat the war drums and want us to fight for them.
> totally excluding China from any and all international trade
I don't have an opinion whether this is the right thing to do or not.
But regardless of my opinion, how does not hiring Chinese citizens help with that? This just sounds like harassing Chinese people because of their government.
If you really wanted to change something, hiring Chinese people and showing them what the western world is like would be the best thing to do.
Harassing Chinese people because of their government, and at the same time buying all the stuff their factories produce, sounds like the most idiotic course of action if you want to change the status quo.
If you are a citizen of a state that is known to coerce its people to work for it, you are not an individual, you're a state-level actor.
If you are known to directly or indirectly provide assets to a government and said assets are a critical part of the infrastructure, you're responsible for the safety of the government in your dealings.
An American company refusing to recruit people from China is just the US government refusing to hire the Chinese government to run the country, not companies discriminating against individuals. This holds true even if you swap the states in the previous sentence.
For the record, I'm not a citizen of either of the aforementioned countries but my home country has a similar relation with its neighbor.
> If you are a citizen of a state that is known to coerce its people to work for it, you are not an individual, you're a state-level actor.
You are putting collective blame on a billion people for the actions of their dictatorial government. This is not a reasonable position to hold in a supposedly enlightened society, it is rather just a thinly veiled excuse for run-of-the-mill xenophobia.
Nobody blames anyone here. The point is that anyone who lives (or has family) in a dictatorship can be easily blackmailed by its own state, with no legal recourse.
Harassing : the action of subjecting someone to aggressive pressure or intimidation.
Where do you see any harassment ?
Gitlab has no Chinese or Russian employee so far -> so nobody got pressured or intimidated, ffs.
China is harassing the rest of the world. China is systematically spying with state wide support. China is bullying with military, economic or soft power. China is a threat.
* Recently, in France, concerns were raised by the intelligence community about the outsized number of young Chinese students flirting / marrying with military & defence engineers. You don't even need to spy, really, just marrying people to stop any aggressive ideas toward China spreading. I mean, you would not push to war against your wife's birth place where you are now visiting every year, right ?
Gitlab is simply pragmatic and clear-minded, their teams work in transparency and trust, they can't handle potential threats without a deep rework. I think it's much more than just having permissions baked in their systems, it's the whole defence industries layering that they would need to acquire.
Western players are now actively reducing their Chinese exposure (buying less critical stuff from their factories, cf. Huawei's affairs, moving factories to other countries). I am afraid it's too little too late.
While western people, and even more highly educated western people, have low levels of nationalism, Chinese people are brain-washed into thinking it's the best country in the world, best ever. Helping China is very important and their authorities have lots of leeway to push this.
Currently using Gitlab, I am glad they are aware of the issue and of their limited capacity to stop it from inside. Putting the fox in charge of the hen house, am I right ?
> if you really wanted to change something :
It's not the West's mission to bring democracy to China, it's not our country, they are grown up already and will keep finding their own way. It's typically USA ego to think the whole world must be awoken to USA values. The rest of the world is fine, thank you very much. We witnessed South America's fate in the XX century and Middle East's fate in the XXI. China just wants western technology: buying, trading or spying it.
The most idiotic course of action has been followed already by moving the whole factories chains to China and thinking we could keep the knowledge here while it is applied there.
In China, not from China. The former is easy to justify, and would affect even Americans of non-Chinese descent. The latter would be incredibly difficult to justify, and could easily be seen as unwarranted discrimination.
Discriminating someone because of their Chinese ethnicity would be hard to justify but what about Chinese citizenship (especially if it's the only one) or ties to China like family living there? Those would make someone vulnerable to pressure by the Chinese government.
No. As long as someone has a green card or citizenship, who cares where their family lives? The only exception would be for national security clearances, and those affect Americans as well.
Is it legal for a private US company to apply (some of) the same tests used to determine national security clearances in its hiring decisions? Or is the government the only entity allowed to make decisions that way? I'm genuinely asking, I haven't thought about this conflict before.
Well, technically it is discrimination, but not racism. I.e. you can still hire a Japanese developer, and with a Chinese regime change you might be able to hire Chinese developers. However, federal law prohibits discrimination based on national origin. This is a touchy subject, but maybe this no longer makes sense? As burfrog pointed out, a Chinese employee living in America isn't free from Chinese control; the gov't will do bad things to his family if he gets a request for, say, information or access and doesn't comply. I'm hesitant to endorse allowing discrimination by national origin, but on the other hand, it doesn't make sense to allow the Chinese access to any kind of important data.
It doesn’t matter. As long as a security clearance isn’t required, discriminating based on national origin is a big no no from an ethical perspective, even if it was legal.
> discriminating based on national origin is a big no no from an ethical perspective
However, discriminating based on exposure to coercive pressure from aggressive and hostile foreign powers is probably OK, even if such exposure is heavily correlated with national origin. The key is that the discrimination must be based on an individual analysis of the applicant and his/her life circumstances.
It's not OK to blanket deny any person of Chinese ancestry.
Denying such a person access to sensitive data or positions might be OK, however, if that person is exposed to coercive threats by, e.g. having family located in a jurisdiction known to use its power over expatriates' families as leverage to recruit sources and agents.
So long as the intent is genuinely to serve a compelling interest in protecting against security threats and the vetting policy is as narrowly tailored as possible to minimizing insider risk from applicants with vulnerability to certain threat actors, I think such a policy could pass ethical and (IANAL) maybe legal muster.
I disagree completely. By that reasoning, a presidential candidate of Chinese descent who was a natural born American citizen but had relatives back in China would be disqualified, and that is nowhere justified by the constitution. A private company likewise shouldn’t be able to discriminate on speculative threats alone. What if they had a relative in prison, a hostile coercive environment by any measure?
I accept that I do not qualify for a high security clearance because I’m married to a Chinese national. I don’t think that should have any bearing on any other jobs that don’t require such clearances (nor my wife nor my son should be subject to such restrictions).
> By that reasoning, a presidential candidate of Chinese descent who was a natural born American citizen but had relatives back in China would be disqualified
Not so. The Constitution is very clear on eligibility requirements for the President. A natural born American citizen of Chinese descent who otherwise satisfies the requirements in Article II, Section 1, Clause 5 is perfectly eligible to run for the office. If there is concern about potential leverage foreign states have over that candidate--as there rightly would be if our natural born American had close family in PRC--voters might vote for someone else. My position is that such a motivation on the part of the voters is ethical.
> I accept that I do not qualify for a high security clearance because I’m married to a Chinese national. I don’t think that should have any bearing on any other jobs that don’t require such clearances (nor my wife nor my son should be subject to such restrictions).
First, I agree that your or your son's relationship to a Chinese national should not be sufficient grounds to deny you or your son any given job. My position is that a narrowly tailored policy to reject candidates with high risk of coercion from sensitive positions, or to limit such employees' access to sensitive data, is probably OK. Having close family residing in PRC unfortunately does raise the risk of coercive pressure being applied. If your wife has no surviving close relatives in PRC and she never goes to visit, you and your son should be assessed to have no greater vulnerability to coercion than any other citizen with otherwise similar circumstances (debts, addictions, etc.).
Second, I am curious why you disagree completely, yet accept that your relationship with your wife may disqualify you from holding a government security clearance. That means you accept that the government has an interest in protecting classified information from foreign powers, and that your relationship raises your risk profile. Do you not accept that private companies have an interest in protecting their IP and customer data from theft or sabotage? Or do you not accept that your relationship also raises your risk profile for these positions? Just because a position may not require a clearance does not mean that position is not highly sensitive to a potential insider threat. And unfortunately the PLA's targets are not restricted to intelligence agencies; they target virtually every sector of our economy.
> Second, I am curious why you disagree completely, yet accept that your relationship with your wife may disqualify you from holding a government security clearance.
This has to do with companies making their own rules about what is right or wrong without any checks, balances, or voter feedback. Security clearances are actually defined by law, I’m against corporations becoming their own extra judicial entities.
> This has to do with companies making their own rules about what is right or wrong without any checks, balances, or voter feedback.
As far as I understand, companies are generally free to make their own hiring decisions, so long as they do not amount to discrimination against a protected class. That limitation, by the way, stems from federal legislation--so companies are very much not extra-legal entities operating without any judicial accountability. If a state or federal Congress decide to further regulate companies' hiring decisions, they are free to do so.
I don't understand what exactly you would like companies to do: Simply ignore potential security risks? Do you have a specific process you advocate should be used to evaluate risks? What different kind of restrictions on companies' personnel decisions would you like to see? Do you just have a problem with a focus on risk from family members in PRC as opposed to a broader vetting process where that is only one risk factor?
> Security clearances are actually defined by law
I am not sure that an exact formula for grant/deny decisions exists in statute. These decisions strike me as inherently subjective, although certain facts are obviously pertinent to the decision. I would be very interested to read the relevant laws and regulations, though, if you'd be so kind as to point me to them.
As long as companies are operating faithfully within the law, they’re free to do that. And you’re free to criticize it and boycott it.
Companies like Apple and others should be allowed to be concerned about theft of sensitive data just as much as the government. Just because it’s not a matter of national security doesn’t mean it’s okay.
Nobody here is trying to discriminate against a race. The problem is having ties to relatives living under a government that is known for making people disappear. The same would apply for a white person with many relatives there, etc.
Your argument of companies not being allowed to take cautionary steps against a foreign government doesn’t hold water.
> I’m against corporations becoming their own extra judicial entities.
They already are, with most disputes being settled with Binding Arbitration rather than via the court systems.
Others have already pointed out though, that a company needs to act in its own interests and one of the things it would certainly find interesting is whether an individual is capable of being coerced into sabotaging/sharing corporate trade secrets.
> By that reasoning, a presidential candidate of Chinese descent who was a natural born American citizen but had relatives back in China would be disqualified
If large numbers of voters felt that, then they would never get elected.
> nowhere justified by the constitution
The voters are entitled to vote however they like; that's implied by the constitution.
> I accept that I do not qualify for a high security clearance because I’m married to a Chinese national
Then you essentially agree with me.
> I don’t think that should have any bearing on any other jobs that don’t require such clearances
I agree. The question is, which jobs should require such clearances?
The Title of Nobility / Emoluments Clause [1] and the natural born (and age) qualifier are fairly specific as to what the framers thought were overly corrupting influences for the office of president.
They notably did not include "or family".
The expectation presumably being that foreign powers were clearly enough signalled to tread carefully with regards to exerting pressure on government officials.
At high levels, that seems reasonable. At lower levels, where there's less scrutiny and less opportunity for diplomatic redress? "Reasonable" measures seem murkier.
Constitutionally speaking, the President does not require a security clearance; the President ex officio has unlimited access to classified information. If there are concerns the President may be vulnerable to foreign influence, the constitutional processes to address those concerns are election and impeachment not security clearances.
Is it a constitutional principle that no secrets may be kept from the President? Or is it just that the “security clearance” system is currently based on executive orders that the President issues, rather than Congress exercising its power to “make Rules for the Government and Regulation of the land and naval forces"?
According to the Congressional Research Service, "By virtue of his constitutional role as commander-in-chief and head of the executive branch, the President has access to all national intelligence collected, analyzed and produced by the Intelligence Community."
I think if Congress tried to pass a law limiting the President's access to classified information, the Supreme Court would likely find it to be unconstitutional.
True. Trump wouldn’t have qualified for high security access anyways just given his public relationship history, not even considering what an FBI clearances check would dig up.
The situation with presidential qualifications is one-of-a-kind special. Hiring at tech companies isn't spelled out in the constitution.
Constitutional requirements can also be changed, and it is long past time that we do so. The country has been around for 2.5 centuries, and now has hundreds of millions of people. We wouldn't suffer a shortage of presidential candidates if we required that all 4 grandparents (determined all possible ways) and all descendants and spouses have been born in the USA, along with all living ancestors and descendants of all of those. The job is simply too important to allow otherwise. (this would disqualify the most recent two, along with failed candidates like Romney and Cruz)
For tech companies we shouldn't be quite so extreme, but it also isn't good to ignore the problems.
Here's a very clear restriction you're faced with: You could never become a Chinese citizen. Why must we pretend that it's ok for this to be entirely one-sided? We should give what we get, imo.
You can't assume what ethical choices a person will make, before they make them. A Chinese citizen in that situation might find a way to get their family out of China, or otherwise find a way to avoid the issue, or just flat out refuse. You can't just take it for granted that you can't trust someone without much more specific evidence. That's a very greasy slippery slope towards justifying highly constructed justifications for discrimination.
You can rest assured that we did not, I have zero doubt that if there ever was another war at that scale we'd have internment camps for nationals of the enemy before the end of that war.
Have you ever been to China? Such discrimination happens left, right and center. If you’re of an “acceptable” origin and have the right skin color, you might be ok...
I lived and worked in China for almost 10 years. I get that the foreigner glass ceiling is much lower there than here, and things like naked officials are actively discriminated against in government. That has nothing to do with the USA, however.
Well, it does. Because they will use your ethical values against you to slowly boil you like a frog in a pot 'til you find yourself in a concentration camp having your organs harvested. Sometimes bad things have to happen to prevent worse things.
Because there are less people of ethnic minorities than in the majority demographic. That’s why they’re called minorities. The key point is that they have a chance.
If a security clearance requirement suddenly makes it allowable it argues that it maybe isn't unethical, unless the argument is implicitly that it is ok to ask for unethical things when involving a security clearance?
> discriminating based on national origin is a big no no from an ethical perspective
Yes it is. You know what's also a big no-no from an ethical perspective? Letting China win so they turn the world into a global dictatorship with concentration camps, organ harvesting and ubiquitous surveillance.
Sometimes you have to do a bad thing to prevent a worse thing.
Depends. "National security" is much more than defence industries. Back when I worked at BT, the team leaders on some projects were getting positively vetted for SC clearance - that's top secret in US terms.
Arguably the FANGS are now CNI - which is going to suck if you're on an H1B or Green Card.
China seems to have noticed how accusations of racism, xenophobia and "white supremacy" are a very effective button to push to try and get western countries to act against their own interests.
The thing is, coming from a country that is practicing cultural genocide against various ethnic groups, we can probably take those accusations and survive.
I never thought I'd see this level of xenophobia becoming widely acceptable in the United States. For everything educated Americans loathe about Trump, the one thing they've taken on board from him is fear of the Yellow Peril - which is probably the most dangerous aspect of his Presidency.
It’s not xenophobia, it’s a hard problem. China actively exploits American tolerance for their own gain, and we have no good way to stem corporate espionage other than a blanket ban.
Even then, good old corruption of non-Chinese is still possible.
I'm sorry, targeting Chinese people on Green Cards is xenophobia. I'm not interested in whatever rationalizations are given for this sort of discriminatory behavior. The US is sadly headed down a path towards socially acceptable racial discrimination, justified by the new bogeyman - China.
The same argument would apply if the person was white and had many relatives in China. Or real estate, or other leverage that can be used against them.
You can’t ignore the fact that the PRC uses those things as leverage against people abroad in order to get information. Until that stops, what are companies and governments supposed to do? Roll over and allow espionage because we’re so tolerant?
I could use the exact same argument to propose banning Americans from GitLab. I'd also have much better empirical grounds for doing so, given how much is known about the extent of US espionage.
There's a growing hysteria in the US about China, which is leading to increasing signs of discrimination and harassment of Chinese people in the US. This sort of demonization of an entire country and the politics behind it (preservation of the US as the world's dominant power by containing China) are very dangerous. The thing that makes it most disturbing is the way people across the political spectrum have bought into the idea of the Yellow Peril, and are now okay with discriminatory policies, the trade war, and challenging Chinese territorial sovereignty.
I don't buy it. Yes there's a growing hysteria of China, but that's due to their government. It's not against the people in general. (Yes, yes, there's always an example of someone being racist/xenophobic. My response is there are always idiots who are racist/xenophobic. Citing them as an example of the populace at large is just lazy.)
People don't care about people from the ROC, aka Taiwan, aka China*. If people in our extremely polarized political environment are uniting on this, it's because it's a Serious Issue that needs to be addressed.
It very quickly escalates to discrimination against Chinese people in the US, as evidenced by the highly upvoted comment I originally responded to. I'm sorry if I get my knickers twisted about people proposing an entire race of people pose a national security threat, but this sort of xenophobia has rarely gone well in history.
Chinese and Russians living outside of China and Russia will not be affected by the ban.
You keep calling it xenophobia even after you've been proven wrong when you claimed this is targeted at green-card holders. You are absolutely disingenuous and have no intention at good-faith discussion.
I would fully defend Russians against this sort of xenophobia as well. They just don't seem to be the enemy du jour. Complaining about Russia is so 2018. America has a short attention span, and has moved on to the next great evil.
> Regardless, the GP does raise a valid point that if you have family living under the heel of a totalitarian dictatorship they can and will be used as leverage.
Okay, so now you can edit out your attacks above, because you see that the post I was responding to did discuss targeting Chinese and Russian people living in the US.
> Your whinging won't change that fact, and it has nothing to do with them being Chinese (or Russian!), and everything to do with their country's government.
Regardless of the rationale, they're still being targeted on the basis of their nationality. The general impression is being created that all Chinese and Russian people in the US are potential national security threats, whose employment should be restricted. I don't see any functional or moral difference between that and xenophobia. It reminds me of the generalized suspicion of Muslims after 9/11. It's not a pretty thing, and it's sad to see it gaining currency.
Unfortunately I can no longer edit my reply - please take my apology for misunderstanding your argument.
Back on topic of green cards: whether you want to bury your head in the sand or face the reality that foreign dictatorships will use their own citizens to infiltrate their rivals is up to you. If you want to take the high road you can, and likely be excluded from government contract work.
Don't get me wrong on one thing, the west is in a precarious situation of openly doing the same thing in certain cases - eg: Australia's draconian backdoor law. I will not hire or recommend hiring an Australian dev working in Australia - and you can call me a racist or xenophobe if you want, it will not change the reason for the decision.
Fortunately for an Australian immigrant abroad they are not going to have their family black-bagged for failure to submit to their government. I don't have this confidence for Russia, and especially not China.
We're really getting into the realm of fantastical scenarios now. The idea that the Chinese government would kidnap the family of a US-based employee in order to force them to hand over data is completely hypothetical, and to my knowledge not backed up by any known case. If they're willing to go to those lengths, they could just as easily blackmail or bribe any random employee. They surely have the power to do so, as does every government with any intelligence service to speak of.
What I do know is that there's an increasing atmosphere of generalized suspicion against Chinese people in the United States, and even of people of Chinese descent. There are lots of recent examples, but to give you just one chilling one: US government pressured Emory University to fire two US-citizen medical researchers of Chinese origin, for the non-crime of pursuing research collaborations in China. The two are leading researchers into Huntington's disease. At the time they pursued their collaborations in China, such collaborations were encouraged by the university, and they pursued them openly. Their entire lab was closed down, and the more junior researchers from China were sent home. This is not an isolated case.
I can't see what's changed to warrant this crackdown in the last few years, other than the quite open discussion in US foreign policy circles about the need to maintain US hegemony, and the long-term threat to that hegemony from a rising China. This has been accompanied in recent months by increasingly hysterical media coverage. One of the most consistently frustrating things about the US is the susceptibility of the public to these periodic campaigns of demonization. Obama laughed about Russia in 2012, but in 2016, Americans suddenly discovered that Russia is the root of all evil in the world - they're even responsible for racial tension in the US! Something similar is happening with China now, and it's reached such proportions that even a Chinese app that teenagers use to share lip-sync videos is a national security risk.
That you find this scenario so fantastical is naive...and yes, the Chinese government openly threatening its own citizens abroad is documented. What do you think of the following article, is it cause for concern for you, or do you believe it's just our media misrepresenting China?
Blackmailing any random employee (with their family safely in the US or another western country) is absolutely not the same as blackmailing an employee with the family still living in China or Russia.
If you have family in China and you have access to government information or IP they want it is not at all far fetched they will do this.
Threatening the families of separatist activists is definitely wrong and despicable, but it's very different from what we're discussing here. I haven't heard of any cases similar to the type of scenario you're suggesting.
I can't see how you think there's absolutely no connection here. The Chinese government has demonstrated very clearly it will coerce their citizens' compliance - they're not going to be immune to this just by not being activists.
If you have something they want - or are able to do something they want - it's quite obvious they will use your family as leverage.
That hasn't been demonstrated. You're citing the treatment of Chinese people abroad who are affiliated with CIA-funded separatist organizations and drawing conclusions about how random people working for tech companies will be treated. I don't think these situations are analogous.
If I ran state security for a poor African dictatorship, I would find all successful expatriates in the .US/.EU/.AU and sell their details to other nasty outfits and offer to "apply my heel" to their families for a fee.
I just read your CEO page section about flaws and how to engage you about your flaws. On the topic of transparency, I'm curious if this has been working. Do people feel comfortable bringing them up? Is it helping you improve?
I'm eager to find ways to be a more transparent person at work. I want to eliminate "politics" and "games" where possible and for work to be WYSIWYG.
I hoped that people would use the sentences I proposed on that page but that never happened.
What is helpful is that when people raise a concern I can recognize it more quickly and show them it is clearly my flaw. This doesn’t happen often but it happened last week.
If you don't mind me asking, why is this conversation open to comments from non-employees? Having discussions be publicly viewable seems valuable, but letting anyone at all participate seems disruptive and unhelpful (as an outside party, I was having trouble following the thread of employee discussion interrupted as it was by internet furor).
Wait, am I to understand that this law says I cannot boycott doing business with businesses located in Israel?
I am in the US, so I cannot say, "I disagree with how the Israeli government is treating Palestine and thus don't want to do business with any entity located there."?
If you're in the US, you can decide to do that. The law restricts your business with foreign entities that might engage in a boycott. The nuances of what might trigger these regulations are not always straightforward (look at https://www.bis.doc.gov/index.php/enforcement/oac/7-enforcem...) but normally you just have to avoid "bad words" in contracts, RFQs, etc.
I would note my understanding is that fines for non-compliance have historically been relatively light and therefore, to my knowledge, these regulations have not been seriously tested in court in recent times. (And the article I read suggested there was a causal link between those two facts.)
I have a hard time believing that the government could do this but the way I read it says that if I said:
As a business, I disagree with the human rights violations the government of China is engaged in. I am against Saudi Arabia's ban of alcohol on its residents, its treatment of gay people--including death for simply being gay and the way it withholds rights from women. I also deplore Israel's treatment of the Palestinians, including the demolishing of houses.
Therefore, I will not allow my product to be sold in a way which results in any of these governments collecting tax on it, thus supporting the government.
The way this reads, it seems the government can say, "Whoa, you can't do that to Israel though." and ignore the other two. Unfair and prejudicial in my opinion.
> Wait, am I to understand that this law says I cannot boycott doing business with businesses located in Israel?
No.
That link the parent commenter shared is a very good overview: it basically means that your company will not receive special corporate tax consideration if your company:
Enters agreements to refuse or actually refuses to do business with or in Israel or with blacklisted companies.
Enters agreements to discriminate or actually discriminates against other persons based on race, religion, sex, national origin or nationality.
Enters agreements to furnish or actually furnishes information about business relationships with or in Israel or with blacklisted companies.
Enters agreements to furnish or actually furnishes information about the race, religion, sex, or national origin of another person.
(e.g. “hey [anti-Semitic company], this competing businessperson is a Jew, if you were wondering”)
In any of these cases, there are exceptions and matters of interpretation.
Whether or not you think this is appropriate for the government, it's not as simple as “you can't engage in a boycott as a matter of personal conscience”.
>your company will not receive special corporate tax consideration if your company:
>Enters agreements to refuse or actually refuses to do business with or in Israel
The link does actually include the penalties, which are far more than just losing special tax considerations. It includes hefty fines and even imprisonment under the TRA. The "just losing tax consideration" part is only under the EAR. I understand that part.
It's the fact that they say I cannot boycott Israel independently.
I'm still confused at how this can be fully Constitutional. Say I care a lot about the Palestinians and object to their treatment by the government and military of Israel. Say I make widgets wholesale for people to resell retail.
So I say, if you buy my product and resell it you make money and your government takes some of that money, as is normal. Therefore, I will not sell to any company that sells this in Israel as I do not want my product to be used to make money for a government whose actions I condemn. I don't care if you are a Jew, a Christian, an Arab and/or even a Palestinian, if you want to sell my product in Israel and taxes which go to the Israeli government will be collected on that, I'm not selling it to you. Not just certain companies within Israel, all of them. Anyone who sells my product and thus makes money for the Israeli government, nope, I'm not doing it.
That's the part I have a problem with. If I don't actively try to stop Israel from doing anything but want to take an active role in not helping them in any way, I'm breaking the law? I don't see how, if I want to act independently of the Arab League but what I want to do aligns with part of what they want to do, that is a problem? I should be able to not support what I see as a bad actor.
Honestly, I also do not understand their wording on that.
Getting on board with a foreign boycott is not OK, that much is clear, but exercising your freedom of affiliation as a company is fine as long as it doesn't contradict US foreign policies. So if you don't want to contradict those, you shouldn't boycott them if you don't want your gov deciding that your decision is not independent. I mean you never know, but stranger things have happened. Just because of that I generally advise foreign entrepreneurs to think hundreds of times over before they go ahead to open their offices in the US.
> can the US government legally issue a National Security Letter to an individual employee that forces them to comply and spy for them?
I don’t have a link I can share at the moment to prove this (I’ll update this comment if I find one), but at least in the case of an employee with a security clearance, it is my understanding they can be forced to comply with a US Government order without the ability to inform anyone at their employer (including corporate legal staff). I’m not clear if this order would have to come as an NSL or via another channel.
> If they can, does this also mean the employee has no legal recourse since NSLs must be kept secret?
No, because that would be unconstitutional. But the proceedings of objecting to a NSL similarly must be kept secret. There wouldn't be any point to the secret component of a NSL if the recipient could object and hash out the merits of the request in public court records.
Welcome to the wonderfully paradoxical task of organizing and controlling secret services and jurisdictions in an otherwise democratic state.
Most countries do it by subordinating secret agencies to a military division of sorts, wherein martial courts and security access is already structural. Others choose a more 'civilian' approach subordinated to a parallel chain of command within the citizen government/legislation/judiciary — closer to police, interior dpt / homeland security, etc. (in such cases, army intelligence is usually quite distinct from civilian surveillance).
Which approach is favored historically by a country typically depends on pre-existing constitutional models and principles — notably how the army features relative to the ultimate civilian chain of command, and how the latter is accountable to the (sovereign) public in the event of treason.
None of this applies in authoritarian regimes where the ruling caste or figure(s) usually answer to no principle (no courts for them, only 'advisors' for they sit above the law) and secret service is almost always directly answering to them, as part of the active coercion of the people (fear of the "enemy within", etc).
I used to work for a company that had a public Jira bug tracker (security related bugs were hidden). I imagine a lot of customers had the same feeling you had: listing all bugs in a release, their status, the discussion around them, it was all there. Very transparent and very appreciated.
Unfortunately, like most good things in corporate software, it didn't last.
Indeed, thanks GitLab for being so open about your bigotry. I wonder what would happen if GitLab started excluding say Israeli nationals, because a large number of companies that sell 0-days for profit are based there, I suspect that accusations of antisemitism would pour in from all corners & rightfully so, but since demonizing China has been cool since the USSR's collapse & Russia rejoined the club it never really left in the eyes of Americans, it's all good.
Disgraceful. GitLab was once an inspiration to me in terms of its openness & culture, but the recent moves around tracking and now this, make it clear that GitLab has been around for too long to stay a hero.
Except when you look at Hollywood production, U.S TV news etc. that's exactly what you get. The Red Scare was a real thing, so was Russiagate. The anti-Chinese sentiment is very much real in the U.S. too, if the campaign rhetoric, current trade policies & the constant stream of accusations from newspapers of record are to be any indication.
Maybe I could have worded it better, but I am referring to American culture and the mindset that when you think 'anti-hero', it's going to be a Russian/Chinese most of the time.
> forbidden from … Agreements to discriminate or actual discrimination against other persons based on race, religion, sex, national origin or nationality.
So, to be clear - GitLab can merrily discriminate against Chinese citizens of the US on national origin by themselves, but are breaking the law if they do the same under a joint venture with a non-US entity.
I'm shocked that they'd extend it to their lawyers. This thread (and the one the other day about telemetry and the GDPR) are a plaintiff and/or prosecutor's dream.
One of the hardest parts of most white collar prosecutions is proving that an action was taken "knowingly and willfully". Unlike other areas of criminal law, most white collar offenses require prosecutors to prove that not only did the person know they were doing the things they were doing, they had to know they were illegal.
Having the party's own lawyer offering legal advice outside the scope of privileged communication is normally windfall enough. Having them do it publicly and in the media's eye is just insane.
On the other hand, the discussion threads actually show that they have no idea what they are doing.
It's a good question what one could prosecute out of that and what to gain. There are so many open angles and I don't think there is any precedent with a fully opened company.
It's immoral to discriminate on the basis of fear, prejudice, and rumor.
One client can demand that Gitlab get rid of Chinese and Russian nationals today. Tomorrow, a different client can make similar demands - aimed at the nationals of different countries. This makes no sense whatsoever, and will blow out of control quickly.
It's disappointing to see the promise of some money making the company go full 180 on its hiring and employment procedures - going as far as potentially rescinding one employee's offer, and flagging another employee's personal choice to live in a different country as a risk.
The due process here is concerning. Some techbro starts by creating a "we need to block all Russian/Chinese" issue - followed by a bunch of echo-chamber "yessir" comments. When a legal advisor steps in - everyone tries to silence her and convince her it's just an "iterative process".
Finally - it actually looks like Gitlab's security practices are truly lacking. That an employee is Chinese/Russian shouldn't be a consideration - the systems should be tight enough to make sure absolutely no-one has access to customer data without consent - and that any actions taken are logged for auditing. Whenever necessary - pass your employees through a background-check. In sensitive (government) scenarios - restrict to employees with government clearance.
Honest question: Is Gitlab now a company not in a position to say "no"? Investors and potential customers need to know.
This is a question of liability. Gitlab's liability, based on whatever internal metrics being measured, would be significantly higher than the potential economic rewards of having employees in sensitive positions in these two countries--at the moment.
Also, on a side note, morality != legality. They're two different things. What is moral isn't necessarily illegal, and vice versa.
There's no need to beat up the strawman "techbro." It seems to me that this was a difficult decision to make and somebody had to make it.
That was roughly the reading of this issue that I assumed initially too, but in fact the liability/reward situation is reversed here, I think.
GitLab are considering making this change in order to satisfy the requirements of a potential customer[0] - i.e. the reward is for adding the restriction.
And in turn, making the change itself could increase liability[1] since it doesn't seem to be based on a legal request or existing defensible GitLab policy.
The thread reads like a case of the compliance arm of the business trying to keep the ship steady and non-discriminatory (which is in-line with GitLab's stated goals, the intent of the law, and likely in-line with their prospects as a long-term global employer), while a sales part of the organization tries to close a deal.
Putting in additional engineering effort to allow the customer to specify their own policy on SRE/support access to data -- which they'd be responsible for defending if there were any questions -- seems like it might be a way forward. Whether the sales team and customer would wait for that is another question.
It's remarkable and very progressive to see this discussion in the open; it's also interesting to note how many side-discussions and different opinions emerge in the comments and in discussion here, while the core communication continues between a small number of participants in the merge request.
Why not? And Australians, they're explicitly (by law) required to be spies.
And your comment suggests as much - why would opsec about consumer / sensitive data be important unless you expect your employees to act in less-than-fair manner (be that for personal gain, a competitor's gain, a national gain, ...)?
> "Why not? And Australians, they're explicitly (by law) required to be spies."
How come we don't see Gitlab re-considering hiring Australians then?
> "And your comment suggests as much - why would opsec about consumer / sensitive data be important unless you expect your employees to act in less-than-fair manner (be that for personal gain, a competitor's gain, a national gain, ...)?"
The defense industry will put you through background checks, demand a security clearance, and won't hire you unless you're a citizen - whilst simultaneously employing some of the strictest security measures available today. Security will stay there long after you've stopped hiring Chinese and Russian individuals.
> How come we don't see Gitlab re-considering hiring Australians then?
I can't speak to GitLab specifically, but them restricting Australian hires too has been brought up numerous times in this HN thread. Given the amount of activity on here from their team members and specifically sytse, it would seem likely that they have at least been made aware.
Dammit.. was hoping Australia could silently slip under the radar on this one.
The thing that I suspect that most people don't understand about Australia is that the laws don't really mean shit all unless the situation gets very serious very fast.
I know people who have received aa requests who have literally responded with "get fucked mate, why on earth would I do that?" and the response has (for every instance I'm aware of) been "yea, true. it was a bit of a stretch"
It's rather like the Australian constitution, I'm fairly sure I've seen a joke around about it, we have one but like... no one actually cares... if shit really hits the fan I'm sure we'll all go find a copy and figure it out, but otherwise we're doing only slightly less than alright just kinda playing it by ear...
> It's immoral to discriminate on the basis of fear, prejudice, and rumor.
Except for the fact that state-sponsored hacking and IP theft is a real thing. Your comment reads as naive and extremely uninformed. I would invite you to read the Huawei "Tappy" indictment [1] to understand the lengths that certain nations go to steal from US companies. Here we have a company that is literally offering cash bonuses to their employees for stealing IP.
> the systems should be tight enough to make sure absolutely no-one has access to customer data without consent
If you read the indictment, you'll realize that these rogue employees don't care about audit logging or any punishment that follows as a result of getting caught. In many cases, all they have to do is fly back to their country and they'll be rewarded and regarded as heroes for their loyalty to their country.
> the systems should be tight enough to make sure absolutely no-one has access to customer data without consent - and that any actions taken are logged for auditing.
You haven't really done OpSec have you? There is very little absolutism in defining who gets access to what data. In fact barring nations that have historically shared data with their governments is exactly one step closer to how you would achieve this.
> Investors and potential customers need to know.
Says the guy hiding behind a throwaway (new?) account...
> "You haven't really done OpSec have you? There is very little absolutism in defining who gets access to what data. In fact barring nations that have historically shared data with their governments is exactly one step closer to how you would achieve this."
When was the last time you've contracted for a serious client? When it comes to tech - you don't implement "OpSec" by blanket banning hiring Chinese/Russian individuals. Disregarding your bizarre definition of "OpSec" - plenty of individuals with Chinese/Russian background are working for companies such as Google/Microsoft/Facebook/Uber - making significant contributions and getting paid vast sums of money for it. Those companies actually invest into background checks, have dedicated security teams, are investing into locking networks down and improving monitoring. It appears that Gitlab simply wants the easy way out, or, they can't afford to refuse the aforementioned client's offer.
> When was the last time you've contracted for a serious client?
Uhh, today? I have about 20 on-going contracts with "serious clients", which include manufacturers, distributors, software companies, etc. What's your point?
> When it comes to tech - you don't implement "OpSec" by blanket banning hiring Chinese/Russian individuals. Disregarding your bizarre definition of "OpSec"
Banning hiring from countries isn't an exclusively isolated tactic for executing OpSec...I'm not sure why you implied that.
> Those companies actually invest into background checks, have dedicated security teams, are investing into locking networks down and improving monitoring.
Those companies all have physical presences in those countries. Gitlab does not. BIG DIFFERENCE.
I believe “serious clients” means more like military/banking clients. Access to their production env is very strict, and the personnel are always being audited no matter their nationality and/or geolocation.
I think you're being a bit disingenuous. It seems you're almost implying Chinese and Russians are being randomly discriminated against for no reason, as if the kind of thing Gitlab is worried about has never happened before. Specifically with people loyal to those two countries. Yes, it is discrimination, whether it is baseless discrimination is much more debatable.
> "It seems you're almost implying Chinese and Russians are being randomly discriminated against for no reason, as if the kind of thing Gitlab is worried about has never happened before. Specifically with people loyal to those two countries. Yes, it is discrimination, whether it is baseless discrimination is much more debatable."
Do you have concrete numbers that prove Chinese/Russian workers are significantly more likely to act in bad faith against the companies they work in?
To quote Gitlab's chief legal officer, @cciresi:
> "The highest risk countries for hackers are: Romania, Brazil, Taiwan, Russia, Turkey, China and the United States (The US ranks number two in hackers according to ABC news). Surely, we aren't going to start restricting employment on all these countries?"
If you look at the vetting processes in the defence sector they have strict nationality and background checks.
Why should the same not be true for something with a damage multiplier the size of github which is basically carrying a big chunk of commercial IP in private repos?
> "If you look at the vetting processes in the defence sector they have strict nationality and background checks.
> Why should the same not be true for something with a damage multiplier the size of github which is basically carrying a big chunk of commercial IP in private repos?"
I'm all for background checks. Those at least try to give everyone an equal opportunity - and if you fail them, you'll know why and have a chance to challenge the decision. There is a due process - as opposed to having some random techbro creating "need to get rid of {arbitrary nationality} asap" issues and having a bunch of random employees debating it...
If by having "nationality requirements" you mean "being a US citizen" - then Gitlab will lose 50% of its workforce overnight. The same will be true for many other tech companies. You make it sound like the defense sector is enjoying the strict employment regulations...
The issue is not necessarily the background checks but the fact that you can be compelled by the state you reside in after the fact. For example the state could target known employees of GitHub after they are employed and checks passed.
I'm not suggesting any national correlation here. I suspect the same is true for Chinese and Russian companies too!
As for the defence sector it is not enjoying it, at least in Europe as the incoming staff into the sector are shrivelling up pretty rapidly.
I think that last paragraph is suggesting that GitLab could simply reject such clients - or better, direct them to the self-hosted plan where they have full access control.
Director of Compliance raised very similar concerns in the discussion over there, it's funny (not really) to see how our good old friend Paul (CFO) stomps over it again
Lol, our employees who have access to sensitive data cannot be citizens of:
- A country the country our company is based in is currently at war with.
- A communist dictatorship known for pressuring its citizens into stealing IP/corporate secrets abroad.
It's not arbitrary banning from foreign countries on your client's request if there's actually good reasons to take precautions with these nation-states.
And why not? They're a private company; they can choose to employ whomever they want as long as they're compliant with local labour laws. There's no "due process" in business.
"Finally - it actually looks like Gitlab's security practices are truly lacking. That an employee is Chinese/Russian shouldn't be a consideration - the systems should be tight enough to make sure absolutely no-one has access to customer data without consent - and that any actions taken are logged for auditing. Whenever necessary - pass your employees through a background-check. In sensitive (government) scenarios - restrict to employees with government clearance."
Don't improve HR security practices because you're vulnerable in different ways anyways?
If you as a company simply don't trust the government your employees work under, you cannot trust them with sensitive information, even if they're outstanding trustworthy people.
I am Chinese living in China. Nationalism is on the rise lately in China, not just for domestic reasons, but also as a reaction to nationalistic moves from "the West" like this one. It's a recurring theme, not just in governmental propaganda, but also in daily conversations, that "the West" would talk about fairness and justice then commit blatant discrimination and double standards.
As a founder of a tech company based in China, I benefit from US companies blocking Chinese (and Russian) engineers; still I am saddened by this. I hope they could come up with more intelligent policies to protect their OPSEC.
Nationalism has always been high in China ever since the CCP took control. Not being a nationalist would be a good way to suddenly disappear off the face of the Earth.
China has always had double standards. They make it hell for U.S companies to do business there. The only thing that has changed is that the U.S has started pushing back somewhat as of late, but things are still currently in favor of China.
Is it really a surprise that companies that care about their customer privacy would be hesitant in dealing with China? Is it inconceivable that data breaches and unauthorized access of data/systems could happen through Chinese employees? These are some of the things you have to think about.
Maybe the Chinese government should look at the year (2019) and realize that personal liberties, sovereignty and privacy are important to the "west". If China is going to disrespect our important values, then what you are seeing in this Gitlab discussion is bound to take place for companies that are sensitive about protecting their customers.
> realize that personal liberties, sovereignty and privacy are important to the "west"
I think that Snowden showed us that this is not actually true. Things like National Security letters and the PATRIOT act make the US to me, as a European, seem very hypocritical right now.
There was a huge backlash against the government after Snowden. And Snowden was an American who leaked classified government information for the good of the country. Our perception of Snowden is generally very positive. If what you are saying is right, this wouldn't be the case. You don't see many Chinese whistleblowers leaking the most classified information to the vast public, for example.
The Patriot Act was passed after 9/11, when the people were hurt and scared. There is backlash against the Patriot Act too. Besides, PRISM was a highly classified program because the people wouldn't be okay with that type of surveillance here in the U.S., whereas the expectation of privacy isn't even a thing in China.
You can't deny the hypocrisy here. While our citizens might support him they don't to the extent that they can pressure governments enough to allow him to return home.
Pressuring the government into action is hard and requires personal sacrifice. It would be amazing if we had the same vigor and care about our personal liberties as for instance the people of Hong Kong.
It’s not really hypocrisy if the people who are pro-Snowden are also anti-China. Citizens with opinions aren’t hypocrites because their current government’s policies have flaws.
Yes, but I think the difference is that CCP is much further down the abuse road than Western governments.
First, they've had neighbor surveilling (snitching on) neighbor to control the people since Mao: it's part of the culture and fully accepted because they can't envision another way. They have a saying [ref needed] "Such a people deserve such a government." Now of course the whole tech stack supports it. We're just getting used to ubiquitous domestic surveillance in the West.
Second, because they're further along, they've used their control of information to abuse their power. Tibet, Tiananmen, organ harvesting, and more lately the Uighur atrocities against people of dissent or race. The West is not there but you can see we're blasting down that road now.
> Things like National Security letters and the PATRIOT act make the US to me, as a European, seem very hypocritical right now.
These are not even remotely comparable. China is an outright police state. Not saying the United States doesn't have a lot of work to do with regards to personal liberty, but the Government here has nothing close to the iron grip control that the CCP has; they may want it, and what Government doesn't, but they don't have it and a ton of our internal legal mechanisms are designed specifically to prevent it.
Assuming you aren’t native Chinese or don’t have lots of friends in China, you don’t seem to understand what the parent said about nationalism rising. No, China’s nationalism WAS NOT this high before; (the parade etc.) you saw before is organized and it’s actually quite small considering the scale of China. Common people were normally cynical and only acted patriotic on occasions where they really had to. Things are freaking different now with certified news from the US regarding the trade war and the fact Trump can’t win the trade war. Normal people this time have really become nationalist.
Is there debate about this on the Chinese net? I'm curious because I don't know, but I imagine having a debate where people can genuinely criticize China would be difficult to conduct in the face of censorship and legal risk.
I ask because my experience across the Western net has been seeing lots of debate. This thread is a good example. I only see Chinese netizens appear in huge angry voting brigades, spamming threads with proclamations, denunciations and flimsy claims.
So I genuinely wonder; does vibrant and open debate take place somewhere? How/where could I see what such debates look like?
> I only see Chinese netizens appear in huge angry voting brigades, spamming threads with proclamations, denunciations and flimsy claims.
You will never see it anywhere on the internet, because from the very beginning your decision has been made. Anything you read will be morphed according to your belief. Anyone pro China on this site is immediately either labeled as brainwashed retards or paid shill. That's why there are no discussions, it's just your echo chamber.
Yes, it took place somewhere else. Even in tech a good portion of Chinese don’t know HN and other people just use it as a “tech news hub” like Medium/TechCrunch (tbh that’s my common usage). There would be a language barrier because most of the discussion would be in written Chinese, which is quite ambiguous for discussion. The best way might be to interview a few Chinese people, but keep in mind the redlines: 1) integrity/definition of China (e.g. no sane Chinese would think Hong Kong is not part of China and some would terminate the conversation directly if you raise some other point. Tibet/Taiwan is more controversial, maybe you can discuss). 2) Those “well known” crimes/human rights offenses the government committed. Native Chinese don’t really trust western media that much and it might be such a meme to them already, so it’s likely turning into whataboutism (which is perfectly OK in Chinese culture: if you are not better by another magnitude, don’t comment on me).
Nationalism in China is fueled by the Chinese media (i.e. the Chinese government), which controls the message. The Chinese government controls the degree of nationalism in China like they turn the volume knob of a TV. They use it as a weapon.
I agree to some extent, but that’s not the only reason. When the US earlier sanctioned ZTE, which almost got all IC tech blocked, instead of rising nationalism, the view of the future was very pessimistic inside China. However, now common people have realized the US just uses it as leverage and it appears the US can’t even make it happen. With multiple US retreats from the trade war, Chinese people have never been more confident in history.
> They make it hell for U.S companies to do business there.
That's not evidenced by the massive presence of US companies in China. American companies do vastly more business in China than vice versa. Whenever I see these sorts of claims, I ask what specific restrictions or hurdles are being discussed.
The U.S is a much bigger economy than China and that's one of the reasons why you see penetration from U.S companies in China. Just because there are U.S companies in China doesn't mean that what I said about the Chinese government making it hell to do business there is false. Your argument is not logically sound.
and subsidies (both monetary and policy) from the Chinese government that make it almost impossible for foreign companies to compete against domestic companies.
China’s economy is “much” smaller than the US by what metric? China and the USA are the top two economies by any measure (GDP, exports, imports, etc.) with both countries switching places as 1 or 2 depending on the metric.
The difference between China/US in nominal GDP is much much greater than the difference in PPP. Secondly China is a known currency manipulator so I am inclined to pay less heed to the PPP. Finally the GDP per capita of China is absolutely dismal. Vast majority of the people there are not doing well and it's not a prosperous country. It's a third world country with vast majority of its citizens in poverty.
PPP GDP is much less affected by currency manipulation than nominal GDP, because the latter relies directly on the exchange rate.
> China is a known currency manipulator
The accusation has always been that they're suppressing the value of their currency (in order to boost exports), which would actually mean that their nominal GDP understates rather than overstates the size of the economy. Whether these accusations are true is a different question.
> It's a third world country with vast majority of its citizens in poverty.
It's certainly not a Third World country anymore (technically, this is a misuse of the term "Third World," but I'll go with it). GDP/capita in Beijing, Shanghai and Tianjin (China's 3 largest cities) is about $20k, which puts them roughly on the same level as the Czech Republic, Greece and Estonia, and just slightly below Portugal and Taiwan. Lots of Chinese cities are richer than these three (Shenzhen is at $32k/capita, similar to South Korea). On average, Chinese GDP/capita is about $10k, similar to Mexico and Turkey. That's pretty much average for the world.
There are certainly huge differences between different regions of China (Beijing is way more developed than a random farming village in the West of China), and there's enormous inequality within every part of China, so there are a lot of poor people. However, there are also a few hundred million people living what you would recognize as middle-class lives. That's why you'll see so many Chinese tourists these days at any random tourist destination around the world - they have the money to afford those sorts of luxuries now.
> Vast majority of the people there are not doing well and it's not a prosperous country.
Most Chinese people would agree with you that China is not yet "prosperous." Even the Chinese government officially agrees with you on that. They are doing vastly better than they used to, though, and the country as a whole is no longer poor. It's about average for the world now, but with a high growth rate and some highly developed regions in the East. Whether they make the final push into developed-country status remains to be seen.
> subsidies (both monetary and policy) from the Chinese government that make it almost impossible for foreign companies to compete against domestic companies.
You keep saying this sort of thing, but yet, all sorts of foreign companies do booming business in China. The likes of Starbucks, KFC, Volkswagen, Intel, Boeing and Airbus absolutely dominate their respective markets in China. For a long time, Apple was crushing it in China (until Chinese consumers decided the quality/price ratio was too low).
> But as to your point, some of the things that make it difficult for western countries to do business there is the great firewall, draconian privacy laws
The privacy laws you're citing were only just passed about a month ago. They can't have been a hindrance before. The Great Firewall affects every business in China, both foreign and Chinese.
> Just because there are U.S companies in China
It's not just that there are a few US businesses here or there in China. Foreign businesses have an enormous presence in China. It's the most important single market in the world for a very large number of American and European businesses. If that's what business "hell" looks like, I can only imagine how great heaven is.
> The U.S is a much bigger economy than China and that's one of the reasons why you see penetration from U.S companies in China.
It depends on how you measure the size of an economy. In purchasing power parity units, the Chinese economy is larger than the American economy. Going by the exchange rate, it's smaller. The question of which economy is larger is actually ill-defined.
However, the reason why there's greater penetration of American companies in China than vice versa is that the US economy is more developed. There are simply many more leading companies in many sectors in the US. In the late 1970s, China began courting foreign investment, which meant courting foreign companies. Far from making life "hell" for those companies, the Chinese government tried to give them attractive conditions. Many foreign companies invested large sums in China, and made enormous profits out of those investments.
Now, for the first time, Western companies are facing peer competitors from within China, and you suddenly hear cries of how China is taking advantage of everyone. The crazy thing is how all perspective is lost. The massive presence of foreign companies in the Chinese market and the massive exploitation of cheap Chinese labor by foreign corporations are forgotten, and all we hear about are how it's supposedly impossible to do business in China.
I tried to buy my $2.50 Old Spice deodorant in Shanghai. The price tag when translated to dollars was over $8.
If you are ever in China, go into a grocery store and look at the aisles. The main reason why American products are priced at 200%-300% the competition is because of tariffs. Tariffs designed to make ordinary middle class American products only affordable by rich elites. It's a very effective cap on market share.
> I tried to buy my $2.50 Old Spice deodorant in Shanghai. The price tag when translated to dollars was over $8.
This particular case is likely because the usage of deodorant is not a thing in China. The majority of East Asia doesn't have the body odor issue. It's a gene thing.
I have no idea why Old Spice is expensive in Shanghai, but 200-300% tariffs are not the norm in China. The mean tariff is under 4%, according to the World Bank. I have noticed, however, that many people in China hold foreign brands in high regard, and are willing to pay a premium for them.
> China has always had double standards. They make it hell for U.S companies to do business there
Here we go. "CCP is bad and China is bad, so every Chinese is bad". This kind of logic is not very healthy, it's just like saying "Google (or insert any company here) is bad, let's punish their employees", it will hurt those employees (way) more than it hurts Google.
Put the story into context, if Chinese engineers cannot find a job overseas, they will probably go back to China and contribute to a Chinese company that operates under CCP's rule. Will that be a good thing for you eventually?
I bet CCP is also counting on the rising nationalism in the US as well, to drive Chinese engineers back home with their valuable knowledge.
> I bet CCP is also counting on the rising nationalism in the US as well, to drive Chinese engineers back home
OP even mentioned that moves restricting hiring in China from US will help their Chinese based company.
> CCP is bad and China is bad, so every Chinese is bad
This is a very unfair summarization of the parent comment. They never implied that conclusion. Yes, the CCP is bad; and they control China and the Chinese people. But that does not say anything about the people themselves other than they are subject to the communist rules. It is a resistance to the CCP privacy practices that brings this change.
Curious as the way I see it it's very often China who is the 'initiator', eg internment of Muslims, stealing of territory in South China sea, debt-trap diplomacy, and so forth. Presuming that you are aware of these occurrences, do you agree with your government's positions and actions, and - if not - what actions, if any, do you take to make it clear your opposition?
>Presuming that you are aware of these occurrences, do you agree with your government's positions and actions, and - if not - what actions, if any, do you take to make it clear your opposition?
I'm not from China and I disagree with the actions of China's government you listed above. However I wonder why this kind of opinion (aka the Chinese should be responsible for their government) is not commonly held against the USA?
The USA had invaded countries based on false pretext, toppling legitimate governments, and supported dictators all around the world. Why, then, was this "the Chinese are responsible for their authoritarian government" argument not commonly held against the citizens of the USA, who supposedly live in a democracy and are therefore better equipped to actually change the situation?
Because the USA has an independent media that is very critical of its government while China doesn't (at least not on the scale of the USA's mainstream media). I mean maybe if you're a conspiracy theorist you could say it's just controlled opposition or a distraction, but in the context of this argument at least the US media is unafraid to criticize or even just straight up mock the government and its leaders, that has to count for something compared to China.
Considering the US media completely swallowed the WMD lies and that the most popular news outlet in America is Fox News (WTF) which has all the characteristics of a state run channel... the US media hasn't done a very good job of speaking truth to power.
The current Presidency has put some of these issues in sharper contrast, but the Iraq war was a total failure of the US media to do their job (IMO).
I certainly wouldn't call them perfect, but again, being able to criticize the leader (whether that be Trump now with the left-leaning media or Obama previously with the right-leaning media) puts them head and shoulders above what China has. Hell, 50 years ago journalist reporting led to the resignation of the president, can you see anything even remotely close to that happening in China?
Well, I at least try to be consistent, and do query my USA friends about the current administration and its actions. Recent political changes in the USA have made it the norm to have similar populist leaders or parties gain strength all around the world, it's actually quite distressing for me to see.
Really aggressors project and victim blame as standard practice to justify themselves and their travesties. This goes back to Rome's war with Carthage and probably well before then.
Nationalists of all stripes get very angry when you point out their nation's crimes. Poland made it outright illegal to point out that there were in fact Polish collaborators in the Holocaust for instance. It is true that the country was overwhelmingly the victim and Nazis were responsible but cutting off this self reflection only looks sinister. When 'face' culture is involved it seems to be further. Numerous sister city relationships were ended unilaterally by Japan for acknowledging the "comfort women" - ironically losing far more face internationally. Add in outright totalitarianism under a dictator and criticism is seen as an outright threat.
He's more likely to talk about camps in China than he is about the homeless in Los Angeles. One is a problem completely out of his control, another is one he could easily mitigate. You wonder why that is?
I'm not American, and don't follow what Trump says or doesn't say that closely.
Myself, I do criticise my own government, protest on the streets, and also donate money to causes that work in opposition, mostly, to the current government. I've also made business decisions that involve much less interaction with mainland Chinese businesses and customers precisely because I disagree with the mainland Chinese government's way of doing things. Maybe it's cost me some money, but I sleep better at night.
My point is that people like to talk smack about stuff elsewhere they can't change to detract people from injustices they CAN impact. It's the same with China, what better way to avoid awkward conversations about Taiwan, Hong Kong or the Uighurs than talk about how "unfair" the West is being?
As a Westerner, while it's important to understand the nasty side of China, it is somewhat pointless to endlessly focus on it because it's not a problem we have the capacity to solve.
There are issues that we can obtain Chinese buy-in on like climate-change (we all live on this planet) so we should focus on things like this where we can work together so we can forge better ties instead of focusing on what we don't like about each other. Let's not do evil-empire all over again.
How do you expect a Chinese to respond to this kind of "Have you stopped beating your wife" questions?
Whether some of the view points are valid in the first place (at least the second or third one) is deeply contested to Chinese. If you're just parroting Western media view points without showing at least some understanding of Chinese view points, you will likely not get any genuine answers.
I've lived in China for some time, and have sources of information other than just 'Western media'. Are you saying the article I linked in, for one example, is not accurate? Are you saying the UN is wrong with their information? I have no doubt the Chinese have a different point of view; they have much less complete information on the subjects I mentioned, and others.
But, yes, of course the point is that the poster likely isn't doing anything as they are partially funded by the Chinese government, and also are benefiting from all the aggressive actions their government is taking inside and outside of China.
It's very disputable whether or not China is "stealing" territory in the South China Sea or engaging in debt-trap diplomacy. The latter accusation is mostly hypothetical at the moment, based on a general fear that Chinese loans for infrastructure investment might in the future be abused to trap poor countries in debt.
More generally, what's the point of raising these accusations? When you speak to an American, do you demand that they apologize for their government's illegal invasion of Iraq (and the ensuing hundreds of thousands of deaths) or support for Sunni radicals in Syria?
That's not actually true. Taiwan agrees with China, because China's claims are simply those that successive Chinese governments held throughout the 20th Century. The United States used to agree with China - that is, until China went from being the ROC to the PRC.
As for what China is actively doing to assert these claims, I suggest you look at a map of which countries occupy which islands in the South China Sea. The PRC is not the worst offender there, by a long shot. Nobody's hands are clean in the matter.
Self-interested motivations (TW) or transitory diplomatic policies aside, I mean that it is plainly a bullshit claim. "We're big and we want it really bad" is not a justifiable standard of resolving resource and territory disputes.
Let's compare island occupation to island-building, island militarization and bullying tactics with vessels. Whatever combination of ways different parties are jostling over trying to de facto claim parts of the Sea, a pretty thorny root of the problem is one actor trying to claim all the marbles.
> island militarization and bullying tactics with vessels
Like sailing warships or flying military aircraft next to islands that a foreign country claims as its own? US military actions in the South China Sea could be viewed as highly provocative. I can see why China would respond by putting anti-aircraft batteries on the islands.
> Self-interested motivations (TW)
Everyone's motivations are self-interested. Virtually all countries bordering the South China Sea stake wide-ranging claims.
> "We're big and we want it really bad" is not a justifiable standard of resolving resource and territory disputes.
Of course, that's not how China makes its case. It claims that the islands have belonged to China for hundreds of years, and points to various old maps, historical use by Chinese fishermen, mentions in various treaties, and so on. I don't know how strong these claims are, but I try not to get worked up about tiny uninhabited islands. I mostly hope that the situation doesn't escalate, but many sides are capable of escalation - the US, China, the Philippines, Vietnam, and others.
> a pretty thorny root of the problem is one actor trying to claim all the marbles.
Two actors "claim all the marbles" (the ROC and PRC), Vietnam and the Philippines each claim 80% of the marbles, and Malaysia claims 30% of the marbles.
My original question was why any of this is relevant. If we're going to be raising random accusations against various governments, I can think of much more serious issues than some uninhabited islands and rocks, like the illegal invasion of Iraq or the overthrow of the Libyan government.
> It claims that the islands have belonged to China for hundreds of years, and points to various old maps, historical use by Chinese fishermen, mentions in various treaties, and so on.
> I mostly hope that the situation doesn't escalate, but many sides are capable of escalation - the US, China, the Philippines, Vietnam, and others.
Only one of those countries has been building / extending artificially reefs / islands in this area.
Xi lost face over this decision, and just said "tough, we aren't going to abide by it anyway". Hardly the actions of a reasonable government as good world citizens.
> I can think of much more serious issues than some uninhabited islands and rocks
China has deemed it very, very important to seize this area. It's pretty clear why to most people.
> US military actions in the South China Sea could be viewed as highly provocative. I can see why China would respond by putting anti-aircraft batteries on the islands.
You think it's reasonable to respond to freedom of navigation operations (also conducted by other countries than the USA) by militarising islands that aren't even theirs?
> "... the tribunal rejected China’s argument that it enjoys historic rights over most of the South China Sea. "
China doesn't recognize the tribunal's jurisdiction in this case, since China previously opted out of binding arbitration on territorial issues, as allowed by UNCLOS.
> Only one of those countries has been building / extending artificially reefs / islands in this area.
At the same time, the US has been conducting provocative military maneuvers in the South China Sea. These days, China and the Philippines are cooperating to some extent in the South China Sea. The US has been prodding the Philippines to take a more confrontational approach.
> China has deemed it very, very important to seize this area.
I think there are two issues. They view the sea as strategically important, and don't want to be at the mercy of the US Navy, which could shut down a lot of Chinese trade in the event of a conflict. They also don't want to lose face, and giving in to US demands that they drop China's traditional territorial claims would not go over well among the Chinese population.
> You think it's reasonable to respond to freedom of navigation operations (also conducted by other countries than the USA) by militarising islands that aren't even theirs?
"Freedom of navigation operations" is a propagandistic name given by the US Navy to very provocative military maneuvers in what China views as its territorial waters. I think it's entirely understandable that China puts defensive weaponry on islands it considers its own, in response to perceived violations of its sovereignty by a hostile military.
If they're not international waters, but rather the territorial waters of another country, then it's illegal. These are provocative maneuvers, meant to forcibly contest the territorial claims of another country.
> One can only speculate as to why that is.
Calling people shills is against the rules here. That's why you're not coming out and saying it, but rather trying to imply it.
To be fair they actually have beaten their wife into the hospital several times metaphorically - so it stops being a leading question so much as one which acknowledges the obvious.
Those who aren't outright dissidents seem to have an exceptionalism complex where Chinese X is different so no criticism can apply - combined with Not Invented Here syndrome. From what I have heard from those through VPN tunnels they are acutely aware that they aren't anything special.
As a Chinese, this kind of comment makes me hate the west even more. I have no control over my government. Zero. 0. Do you understand the concept of 0? That's the amount of influence I have over any government matter. And you people being racist pos because there is nothing I can do about my gov. Wtf do you want?
No one is criticizing the Chinese people who have zero control over their authoritarian government. The Chinese people are humans just like any other person on Earth, whether from America or Canada or Nigeria or India or anywhere.
When people criticize China, they are almost universally criticizing the Chinese government, because of their double standards, shady practices, lack of respect for individual privacy/sovereignty, ethnic cleansing in Xinjiang.
I love the Chinese people, whereas I hate the Chinese government.
CCP has succeeded in making the Chinese government an important part of Chinese people's identity. I've noticed even open minded Chinese people who have lived abroad for years tend to feel a little like insults on Chinese government are personal.
I am sorry that you think like that, but the government is nothing without its people. The moment you start saying there is nothing you can do is the moment you lose. Russian dissidents etc. Chinese middle-class is complacently trading freedom for comfort. American and European middle-class too, for that matter.
I feel it is really unfair to blame Chinese individuals like this, can we blame Americans for all of the terrible influences they have had around the world too then?
There is a difference between blaming someone for the actions of a government over which they have little control, and suggesting that it’s possible to work toward a better system. Nobody blamed the Civil Rights Movement for segregation; though they lived in a time when Jim Crow was law, they did all they could to defeat it.
I’d also suggest there’s a difference between acceptance of bad government action, even if you don’t or can’t actively oppose it, and active defense of such action.
It's only zero if you exclude actions that are unlikely to work while requiring great sacrifices and/or likely to get you killed. Of course, no one should blame you for not:
- Joining/founding an underground resistance group
- Distributing anti-government propaganda
- Rising through the ranks of the party until you're influential.
- Emigrating (This won't directly influence your government. But losing skilled workers (I assume you are one) harms the economy, making a revolution more likely.)
- If that is not possible, being as unproductive as you can get away with.
- Becoming friends with high-ranking officials, then influence them.
- Protesting. You can technically make sure you won't get punished by setting yourself on fire.
> And you people being racist pos because there is nothing I can do about my gov. Wtf do you want?
No one's being racist here. The entity people don't trust is the Chinese government. Governments act through the people they govern so that distrust extends to your potentially involuntary actions (but not to your character). Note that Gitlab doesn't trust employees living in China independently of their ethnicity.
Criticizing a government apparatus isn’t racist. I don’t know why every single time a westerner criticizes the PRC, they act like we hate all Chinese people.
Nobody here has a problem with Chinese people in general. Hopefully all of us can separate a nation’s people from their government... The problem is with the PRC’s government.
"Nobody here has a problem with Chinese people in general"
The link this whole discussion is about is about banning Chinese people. Not the government, not even people that work for the government, just "Chinese people in general"
The ticket raised on gitlab is specifically about Chinese and Russian nationals, but this would also apply to Australians (they can be compelled, legally, to build backdoors upon request of the government). If I were in charge of a non-trivial company I certainly would not hire an Australian national.
This same exact argument would apply for a white person from China who has family or other assets in China, and thus has leverage that can be used against them by the current totalitarian regime.
If the US government enacted a law similar to Australia where we could be compelled to build secret backdoors, then foreign companies probably wouldn't hire an American either.
This really has little to do with race, and everything to do with risk and governments. We would still be discussing a ban on hiring Chinese nationals even if China -weren't- almost completely homogeneous in race; it's basically irrelevant.
> As a Chinese, this kind of comment makes me hate the west even more. I have no control over my government.
That right there is exactly the response your government would want you to have. You already 'hate the west', and now even more because of what I wrote? That seems unreasonable to me, and there was not one racist mention in my comment either.
If 'my' government (in Australia) were pulling these kind of stunts in 'my' name, damn right I would be doing something about it. In fact, I already do something about my community's shabby treatment of the First Australians (financially and lobbying wise).
I feel we, the people, have a responsibility to ourselves and other humans, irrespective of country of origin, culture or background, to resist and oppose transgressions by the governments who represent us.
>I have no control over my government. Zero. 0. Do you understand the concept of 0? That's the amount of influence I have over any government matter.
Then you should be more pissed off at your own government and screwed up system than the people who are pointing out that the system you live under is screwed up.
I think the question is, how much control do you want over your government? Do you want them doing this stuff? I come from a country with a stronger democracy than the US and governments will fall over stuff like human rights violations, if they don't properly punish the perpetrators.
Feel what!? You need to look up how the structure of the citizen control by the party functions out there, even if you wanted there's no wiggle room for that.
You say that nationalism in China is a reaction to nationalism in the US when it is actually the other way around. After many decades of realizing China has engaged in unfair trade practices, IP theft, and predatory behavior despite maintaining innocence, US finally has to react. If someone keeps punching you and spitting in your face, how do you think they'll react eventually?
I don't expect Chinese natives to understand the full story because they aren't exposed to all the wrongdoings of their government and even if they are, they think it's justified because they selfishly believe in supremacy of their own race/country. Even your comment suggests that you have been led to believe US is the "bully". I have heard all the arguments from the Chinese about 100 years of humiliation, Opium wars, and how US did X, Y, and Z "bad things" without ever pausing and stepping out of their own shoes to look at their actions in an unbiased way or learning the truth of the facts. I guess you can't have a meaningful argument when your only sources are your government textbooks and fire-walled internet. Think about that.
Do you have any suggestions as to what Western companies can do to prevent intellectual property theft and the Chinese government trying to pressure them into censoring non-Chinese citizens?
Because short of some effective alternatives, the Chinese government isn't really giving the West much of a choice here.
>It's a recurring theme, not just in governmental propaganda, but also in daily conversations, that "the West" would talk about fairness and justice then commit blatant discrimination and double standards.
Do you believe this move is a double standard? If America and the E.U. mirrored Chinese rules and practices for corporate governance, foreign investment, and political involvement in private enterprise, how would that look?
Agreed; it's unfortunate to see companies considering acting this way. In this case it seems like GitLab are doing this for a single customer, so I'd bet it's caused by a desire to meet sales quotas and/or financial goals, rather than fundamental company strategy or policy.
Using that lens, this is a short-term financially-motivated attempt to change company hiring/access policy, which in turn provides justification for the anti-Western sentiment you mention.
In my opinion this is a restriction that should be the customer's responsibility to enact, if they choose to - which means that GitLab should pause and build access controls which allow the customer to configure (and ideally audit) who at GitLab has access.
What is excellent and commendable is that GitLab is able to have much of this discussion in the open; because at many other organizations, this would all have happened behind closed doors.
I've noticed nationalism rising in China lately too.
It's easy to pay attention to difference between people and culture, as noticing difference is what we instinctively do, but it is also beneficial to notice our similarities too. We're all people. Besides minor cultural differences, we all respond in similar ways to the situations we are given throughout life.
>As a founder of a tech company based in China, I benefit from US companies blocking Chinese (and Russian) engineers; still I am saddened by this. I hope they could come up with more intelligent policies to protect their OPSEC.
As a founder of a tech company based in China, you benefit from China blocking US (and the western world's) companies; you should be saddened by this. Can you please write a letter to Chairman Xi telling him he is wrong?
The article/policy isn't about blocking Chinese/Russian people, it's blocking people in China and Russia, or equivalently blocking gitlab corporate from spreading into China/Russia.
They have a customer that required the personal data they'll give to Gitlab not be handled by people living in Russia and China. Could be a group doing humanitarian or journalistic work.
That's actually an interesting conundrum: you want to hire a company, need to trust it for handling sensitive material, and can't afford it to fall between specific states' hands.
I don't think there is an objective process to do that. I know that USA and France and probably many other countries have laws to authorize seizure of data they consider linked to a variety of vaguely labeled activities (from "trouble to public order" to "terrorism"). You may end up excluding 80% of the world if you use objective criterion there.
Honestly I don't understand @cciresi's position. As far as I know anti-boycott regulations have primarily (only?) been used to prevent US companies from not doing business with Israel. China & Russia are geopolitical rivals to the US and I don't see any sort of risk of anti-boycott regulations being applied in restricting business with residents of those countries. I guess you could say there is a risk that could change, but that seems hypothetical to the extreme and realistically irrelevant to worry about from a risk perspective.
And this isn't discriminating on nationality or national origin, it is on the nation you currently live in. Employers decide not to hire employees living in other countries all the time, it's the most prevalent choice (i.e. US companies only hiring employees living in the US). I don't see why doing this because a customer you've considered critical has asked for it is any more legally risky than having done it for other reasons, assuming we discount the anti-boycott argument.
This is all with the huge caveat of I'm not a lawyer, just giving my perspective based on how I've seen these laws/regulations applied in the past.
Anti-boycott regulations are highly hypocritical because indeed, they are designed for Israel but pretend to apply to all countries.
Thing is, even if it is just country of residence, it is still a discrimination on hiring and could very well be illegal unless there are strong legal reasons. E.g. "we have to do things that are illegal under the laws in country X, so we can't hire people there".
I think the main point of her position is that one should have an objective criterion to add countries into a blacklist and that none can realistically be done over privacy issues that would include China and Russia but not USA.
National borders are a strong legal reason. It's silly to have to write that down.
Absent a treaty between nations, national borders are the borders of laws!
The US government is currently in a trade war with China. Is that illegal discrimination?
Regulating international relations is a core government responsibility.
No government would make it illegal for a company to choose not to do business in a non-ally foreign country. Millions of businesses already don't engage in many foreign countries, by default. Including yours, I bet. Why should they be required to do so?
>Could be a group doing humanitarian or journalistic work
They speak about revenue, so I'm sure that's not the case. I bet it's a commercial company with sensitive data, probably gov/mil contractor with strict obligations to their customer.
And someone at their management doesn't understand Intelligence 101: they don't reach for your data from the country of origin.
Journalists and humanitarian organizations do have revenues.
I doubt a mil contractor would add Russia and China but not embargoed places like Iran.
And yes, I think this is a misguided attempt at security. Companies that handled crucial data that need to stay private really should spend the resources on managing these data themselves.
True. You have to decide what level of security is necessary for you. In some countries like China privacy from the government is basically nonexistent. In some like Australia backdoors are mandated by the government. In others like the US secret FISA courts exist and can demand data from companies and gag them at the same time. Off the top of my head I don't really know any ideal developed countries to do business in where privacy is concerned.
The title seems misleading, the article specifically states this does not affect any current employees, presumably as they have none in China and Russia.
> As such we feel a country block is the most humane solution at this time--especially because it affects zero current employees
Ok, I've temporarily changed from the submitted title ("Gitlab blocks current employees and stops future hires in China and Russia") to the page title—which I assume is accurate but is uninformative—until we get clarity about what an accurate, neutral title would be. Does anybody want to suggest one?
Edit: I've provisionally gone with "Gitlab blocks hiring SREs and Support Engineers in China and Russia". If that's wrong, or if anyone can suggest a more accurate and neutral title, we can change it again.
Correct, this block would be for two functions (Site Reliability Engineer and Support) and we currently have no people in that role in China and Russia.
Please note that we're still discussing this change. We work out in the open so you can see us working on it. I hope that people appreciate the difference between that and what you would see in a non-transparent company (probably nothing, they would just not open up a vacancy in the offices in that country).
Concerns on privacy, data and IP are understandable. However, this ban would be a symbolic move with absolutely zero substance. The world is small and highly interconnected and it would be extremely easy for the Russian and Chinese governments to compromise and co-opt support staff from pretty much any country of their choosing. This will lull your customers and your infosec teams into a false sense of security. Considering how forthcoming you are with the names, roles and location of your team, they would pick you off in a heartbeat and you would not suspect or see it coming. The Chinese are extremely well entrenched across the globe - with enough money to grease anybody's wheels. Not to mention it would be trivial for them to get their "agents" passports from anywhere in the world.
Would you consider extending this to other roles? If you remember, the Juniper VPN backdoor was so well done it would have likely (or did) passed code review, putting most software engineering into scope.
Additionally would this extend to individuals who are of Chinese or Russian origin? China in particular leans on nationals who are on visas or have family still in country to conduct espionage operations.
It would be strange to not accept code from certain countries since we are an open core company that gets contributions from around the world. There are other ways to prevent supply chain attacks. A difference with data is that there are always multiple people involved before code is merged while data can be extracted by a single individual who has access.
> A difference with data is that there are always multiple people involved before code is merged while data can be extracted by a single individual who has access.
It sounds like you just need to harden your production perimeter. Jump boxes with two-man-rule access and terminal logging. Apply the same practices to data as you do code.
> Discriminating on origin is likely illegal.
You should ask your legal folks about the national security exceptions of Title VII. It sounds like your customer requirements are pushing you in that direction anyway.
Well actually we have over 1000 team members (all are remote) and only half are in the US. The other half are in 63 other countries. If you want to see where we all work from you can check out our team https://about.gitlab.com/company/team/.
The reason this is viewed from a US legal perspective is because we are a US company so we are governed by US laws.
It does block them from moving to that country. So if a current employee was planning to move to either country soon they'd be prevented from doing that.
I've danced this dance at a previous company when we had an employee working from a country of interest for an extended period of time. They were air-gapped from our systems and it worked because they submitted everything by pull requests (the original way, sending git patches by email). They didn't have access to our CRM or any customer systems because several of our contracts - not just with governments but also major multinationals - prevented employees in certain countries from having access.
Even when I traveled to the same country I used a burner laptop that was decommissioned when I returned. When we EOL'd laptops in the office they'd go in the burner pile to have one last holiday abroad before they were wiped again and sent to a local charity.
I've done some travelling to risky places before (Kiev and other places) and even though the networks were hostile there, I still don't understand the point of pretending that Russia et al can't get into Gitlab whenever they want to. They can. Air-gapping isn't going to slow them down.
> I still don't understand the point of pretending that Russia et al can't get into Gitlab whenever they want to
Security isn’t absolute, it’s layered. The harder you make it for the adversary, the more it costs the adversary (eg: potentially burning a zero day), and the more chance there is of detection.
Can Russian intelligence get into Gitlab? Probably. Are measures that make it more expensive liable to deter them? I think so.
> They can. Air-gapping isn't going to slow them down.
Two points here. First of all, failing to achieve absolute security is not a justification for ignoring best practices.
Second, this isn't air gapping. It is preventing a bugged laptop from sitting in on conference calls and meetings for the next year or two until it gets aged out.
As the subject of this thread also points out, there's an important factor of risk to the individual: to prevent them from getting put in a position where they can be coerced into turning over data access.
I think it would probably be costly to bribe someone in the "allowed" countries. I'm not going to risk going to prison for some small sum of money, and a large sum of money is logistically difficult to give me. People will ask questions, the scheme will probably be found out.
Meanwhile, if the government can just arrest you and say "change this repository and you go free", it's essentially free.
All the people who are saying they've never seen a contract with a term like this, I'm just sitting here wondering how my experience is the opposite...
It affects no employees (per clarification in this thread) presently in affected roles.
It could affect present employees who are in other roles, located in China or Russia, from moving to a covered role, whilst continuing to reside in China or Russia.
The block is on current non-residents of China or Russia from moving to those countries. <strike>Not on any present residents of those countries from having further access.</strike>
See self-reply below, not the case.
Though that is alluded to as a possibility, with complications.
No? It would seem to apply to current employees who move to Russia/China who are in roles covered by the block. i.e. they would have the choice of moving and changing roles/quitting, or staying.
I'm surprised we (Australia) aren't already on more of these lists.
After having this discussion with my manager and colleagues (the conversation with my manager was in my interview process where I bluntly stated if I was asked to comply with anything from this law, I'd immediately resign, my manager also agreed). Everyone I've spoken to agreed we'd immediately resign since it was the only potential option to protect ourselves as employees and our employers.
Edit: I'll need to spend a little more time looking into the Assistance and Access Laws. The following article attempts to downplay some of these concerns:
You are assuming that is actually an option. There is nothing to suggest the current Australian government would not prevent you from resigning until the task had been completed. This is the same government currently attempting to make it illegal to boycott businesses that are damaging to the environment.
They don't have legal authority to prevent you from resigning.
Also, the proposed anti-boycott rules have been widely criticized as unconstitutional, unworkable and ludicrously against the conservatives' free speech pronouncements. Unlikely they would get support from Senate cross bench.
Executive powers in Aus aren't that strong - they'd have to pass a law to give themselves that specific power. I don't think there's one to permit this now, though I'm no expert and there are many obscure laws.
That's the good(ish) news - the bad is that restraints on the passing of bad law are generally pretty weak in the absence of a hostile Senate. This is particularly true with the current feeble opposition, and even more so given the general atmosphere of cowering obeisance that the major parties have allowed (or encouraged) to develop around any legislation involving the word 'security'.
There is a good description of the many shortcomings of the legislation at https://stateofit.com/interception/ and https://stateofit.com/interceptionpart2/ -- TCNs (compelled changes) are not the real problem, it's the more than willing compliance from companies with TARs -- voluntary technical assistance requests. It is unclear how much (if any) the company is shielded from civil suits for complying with TARs.
The problem is not really that you couldn't resign -- it is that the company would hire replacements that would get the job done. The company executive would be compelled to.
Albanese (and his forgettable deputy Marles) have so far been a disaster for the ALP.
> Since National Security Letters exist, blocking all employees from the US would also be logical.
Sure, it would be, especially for companies located in neutral countries, but since US influence is so strong everywhere almost all over the world that's also practically impossible.
"Every animal is equal but some animals are more equal than others"
We haven't seen the implementation details for Gaia-X, but it would not be unreasonable for it to include that privileged persons (admins, company management) be EU citizens and resident in the EU, or possibly even FR/DE only. Full document below in Deutsch.
China and Russia obviously have their own systems, but many other countries have some element of national control which is less obvious. Japan certainly has a mature native cloud capability, although it would be highly disruptive to move everything to it.
It's like plans to be 'cloud agile', it doesn't work unless you deploy to both every time, and you probably just double your cost and bugs for deployment ops. So the tendency will be towards cloud balkanization. Which could really suck, or it could force a path away from proprietary APIs towards standards, which will suck in a different way.
NSLs only bring back non-content information (eg, a call record, but not a recording of a call) and are issued under the Stored Communications Act. Unless you happen to be the owner of a sole proprietorship that falls under the act, you can't be directly issued an NSL - it's issued to the entity which holds the records (eg AT&T).
(1) it's a non-antiquated English word, etymologically linked to the antiquated foreign word (it entered English a long time ago.)
(2) In English, both hari kari and hara kiri are accepted spellings (the word came into English before modern, maybe even standardized, transliteration, and the source language doesn't natively use the Latin alphabet.)
(3) But, in any case, you are right that it is misspelled.
That's the spelling in my phone's dictionary. If I were writing about ancient Japanese cultural traditions I might have checked. I think Japanese people, being inveterate word-stealers, would understand.
It's the same in France, and many other western countries.
I think it's just the usual "Australians not realizing they live in a bubble", and kindly warning the rest of the world about laws or practices that have already been in place in our countries for twenty years.
That is not true. There is no such law in Germany, and the public backlash against it would be enormous. In the east we had a government that would pressure citizens to spy on each other -- any hint of that would be political suicide on all levels...
AFAIK there is no law in France where the government can force you to do something you don’t want to do related to your employment. They can however seize your devices.
As an Aussie living & working overseas I'm still not sure if it applies to me and makes me a liability? I know they can't enforce it unless I go home but I will someday
It does make you a liability. Australians can be shanghai'ed into working for the Australian intelligence agencies wherever they are on Earth.
I'm also an Australian living overseas, have worked on many sensitive projects that would be of interest to the Australian government and its masters, and I'm quite prepared to give up my nationality over this issue.
In the case of Chinese-based employees the assumption is that anything they did would go through Chinese Government controlled networks (there's a VPN ban even for foreign businesses) and likely result in your intellectual property being shared with your Chinese-based competitors. Not to mention their access being potentially compromised and used.
If an Australian-based employee complied with a letter, they could destroy your business reputation when it got out, even if you threw them under the bus. Probably the main reason Australian employees are still given latitude is that committing compromised code into the codebase would require involving everyone who could possibly see that code change.
Yeah I would assume most only don't have them on the list because they weren't actually dealing with them in the first place and had no expectation to have a use for them.
Personally for me, coming into a company that was so transparent was very difficult at first, especially as an attorney. However, over time I realized how much I developed and grew from it. I became much more open and accepting of criticism and feedback. Instead of becoming defensive, I listened to it and learned from it. I also welcomed all of the extra eyes on my work, it helped me create much better work product, just as the open source community does with open source code. When you are transparent, people know what you are doing and that you are genuinely putting the efforts in to do your best. You never know what is going on with others behind closed doors.
If I was a Chinese or a Russian engineer working for Gitlab, I'd consider quitting right now regardless of how this discussion ends. I am surprised that this initiative is not just considered by them, but basically approved by some of the senior staff:
> In e-group on Monday October 15, 2019 we took the decision to enable a "job family country-of-residence block" for team members who have access to customer data.
I don't think there's a need to explain what's wrong with this idea, there are a lot of sane comments on this thread explaining this just okay.
On a side note, I really like how company transparency saves them from making wrong decisions final. I think that this initiative will be dropped just like the recent third-party tracking issue, and I wish more companies were as transparent as this one.
So you'd suggest staying and fighting against this inside the company? If they truly love the company and it deserves this, you might be right.
edit: what bothers me is that at least by some senior staff members these employees are already considered second-class citizens as otherwise this initiative wouldn't even be discussed, and I wonder how comfortable it will be to continue working with these people now.
When a vast majority thinks in a way against you, fighting them you will inevitably make mistakes and be triggered to do dumb stuff. Crowd think can make people believe that Chinese and Russians are some sort of zombies. If you stay around and show that you are not a zombie to be eliminated, this is already a lot. I know how it sounds, but don't underestimate crowd dynamics.
I wrote another comment arguing that this proposal was both racist and discriminatory, which got flagged and deleted without explanation, presumably because I worded it in such a way as to give an example that might resonate more with Americans by using examples of specific groups of people that have experienced oppression in the US. In the interests of quality discussion on HN, I'm going to make another attempt but in a way which is hopefully less likely to be misinterpreted.
There are employment laws which prevent companies from discriminating against people based on factors such as race, sexual orientation, religion, physical appearance, age, marital status, and other things over which they either have no control or which are not relevant to their job. These laws are in place for good reason and most people (myself included) support them.
It is my belief that a company policy prohibiting the hiring of people based on any of the above attributes would be wrong, and probably illegal (depending on the jurisdiction).
The question then comes down to whether refusing to hire someone based on either their nationality or the country in which they live (in the case of a remote company) is wrong in the same sense as the above factors. My argument is yes. The fact that someone lives in China or Russia does not, by itself, make them an untrustworthy person, any more than someone living in the United States, Germany, Japan, or the UK.
At the request of several customers, GitLab is proposing a policy which discriminates against people based on their nationality/country of residence, which I would argue is almost (if not equally) as bad as discrimination based on the other factors I've mentioned, and should be opposed for the same reasons as a policy which prohibited hires who were of a particular race or sexual orientation.
If anyone wants to flag this comment, you are of course free to do so. But I would much prefer, and I think we could all benefit from, a coherent discussion of the flaws in my argument.
In America it is my understanding you can be legally forced by intelligence agencies to provide confidential info about your company and legally forced to not disclose it to your company.
There's no reason to believe it's different in any other countries, in particular countries that have an obvious confrontational stance against "the west" and are at least semi authoritarian.
So a person may be a "nice/trustworthy person", but because of such laws, working with a person from a country equals granting access to your internal info to the whole country this person is a citizen of.
There is no reason to believe any other country does this to its citizens. My understanding is this kind of imperial reach has been abandoned by all other countries since the invention of the nation-state (in favor of positive law).
> The fact that someone lives in China or Russia does not, by itself, make them an untrustworthy person, any more than someone living in the United States, Germany, Japan, or the UK.
It has nothing to do with "untrustworthy" and everything to do with "will be coerced without anyone even breaking the law".
I don't know if that will change your mind, but it's an important difference, it's not a judgement of the people but of the state they are living in.
The fact that you’re in one of these countries makes you easy to access by enemies on the global scale. Assuming the individuals are good, that doesn’t mean they’re not a security risk. The reality is, countries like Russia and China do not respect intellectual property, and are known to perform cyber espionage and attacks. This seems very reasonable to me.
Furthermore, the whole point of anti-discrimination laws are to prevent judgement based off traits that cannot be changed. Where you live is not the same thing as your skin color. Imagine if someone refused to change their password and only used 6 characters for it. It’s a security protocol to force a change there. I’m viewing this as more similar to that than similar to racial discrimination, given that gitlab is not saying they won’t hire Russians widely.
>Furthermore, the whole point of anti-discrimination laws are to prevent judgement based off traits that cannot be changed. Where you live is not the same thing as your skin color.
This is very true. People are getting very caught up on discrimination without taking into account all of the "acceptable" forms that happen all the time. If you're a violent felon, you are likely going to be discriminated against when looking for a job in child-care. Yeah, this is an extreme example, but it's a form of job discrimination most people see as reasonable. Likewise, people are discriminated against all the time in jobs for things like lack of qualification or lack of relevant degrees, etc., and again most see this kind of discrimination as reasonable. The kinds of discrimination that aren't reasonable are things like not hiring somebody because of their race because there isn't any reasonable connection between that fact and their ability to do the job.
The question here isn't whether it is discrimination to not hire those who live in Russia or China, the question is if the underlying premise that those people are more of a data liability than other people. I haven't read the entire thread, but so far I haven't really seen much discussion on this point, just lots of people saying the policy is outright racist (even though I believe the policy only affects people who currently live in those countries regardless of race rather than not hiring people of Chinese/Russian descent who live elsewhere).
The factor I'd consider is the legal system of those countries: if you hire someone who lives in China, you're adding another country which can compel your employee to act against your company or customers’ interests (as an American company they're already exposed to the U.S. government's powers). Similarly, you're taking on the risk that something like, say, a future iteration of the current trade war would lead to you suddenly being forced to discontinue their employment on potentially very short notice (remember Adobe's need to comply with the Venezuelan sanctions?).
to elaborate: defence.
They don't want people to have potential leverage (e.g. family members) within the grasp of other national powers who may not be allies.
I might be understanding this differently (perhaps incorrectly). I lived in Russia, and I left with a very strong model in my mind that Russian_people != Russian_government. I don't think this is related to trusting foreign nationals, I believe it's strictly about trusting foreign states.
The threat model isn't "Russian developer who wants to support their family." The threat model is "Russian government." I agree with and support the laws prohibiting discrimination against people for race, religion, etc., but I don't think this is related to any of the criteria you cited. As far as I can tell, GitLab is enthusiastic about promoting diversity [0]. It's based on country of residence; Americans living in Russia would be blocked and Russians living in America would not. Frankly, I think they should consider putting Australia on the list too [1].
It's not an issue of discrimination based on race, sexual orientation, religion, physical appearance, age, marital status, or ethnicity.
I think you're really missing the point of this entire discussion in the first place.
This came up because of a client request.
Your question about whether people from other countries can be considered trustworthy is completely irrelevant.
The fact is, organizations exist that are at polar odds with governments that exist today. It is not unreasonable to, for example, have a 'Uyghur Oppression Awareness Group' require that all of their data be handled by NOT-CHINA. It has nothing to do with Chinese people, or their ethnicity. It has to do with the fact that if an employee is able to access their data, and the government has an incentive to take that data, the government can easily force that person to hand over that data.
This exists in many countries, Russia, China, USA, Australia, UK, the list is very long.
Your argument is flawed because you're arguing the wrong point. The trustworthiness of an individual is not relevant in any capacity.
It’s hard when you have people in your circle of trust who are subject to coercive law enforcement. My heart goes out to victims of such apparatus.
It isn’t even as simple as worrying that foreign national employees can be coerced by their home nation police or state security services — anyone subject to policies like Gitlab’s who is local to your business but who has family or assets abroad that can be used to effect duress, or who can be blackmailed in some way elsewhere, would need to be vetted.
I suspect this is driven more by surveillance or sabotage risks posed by employee access rather than jurisdictional risks.
Australian law is likely to have little impact on what an SRE or support engineer might be able to do. Australia having an established practice of recruiting and placing enterprise surveillance moles would.
China and Russia have some history with this latter. Though one might say similarly of the US and Israel, as two examples.
Alright, I also thought about Israel and AU at first but this thing is so political that no way can they include US allies in there because gov wouldn't approve this sort of thing.
To my eye, American companies are becoming more and more like Chinese companies in the amount of control governments can extort on them and that is highly troublesome.
I know of a couple major US companies that do include Israel along with other usual suspects but they don’t spray about it on the internet. There’s also growing concern regarding what corporate equipment you can take across US border so there’s that.
While I acknowledge the pragmatic approach taken by the company to protect their user's data, I am curious as to how this will play out over time. Factors such as longer term travel or working vacations to these countries by their employees?
Or, What about if one of their employees is married (or wants to get married) to a legal resident of one of these countries? How far removed does the employee have to be from this risk? And how much of an impact on their (and their family's) civil liberties could this have?
I've been told (at a different company based in a different country) "don't bring your work laptop to China, don't bring materials to China without authorization, we'll provide what is effectively a burner device for whatever you are bringing to China (I believe they re-used them as different employees went to China)".
I imagine Gitlab would have a similar but less restrictive policy, "don't bring a work laptop <with credentials that gives you access to one of these roles> to China, ...".
I don't see why a policy against residing/working in China would care about who you are married to or where they live.
Consider this scenario: Loyal and long time high performing Gitlab employee Bob, is happily married to Su, who originally hails from China. They live and work in the US. All good.
Until Su's ageing parents back home succumb to ill health and she decides that the family need to move back to China to care for them for maybe one or two years - perhaps longer.
Bob then has to make the choice between (a) resigning his job or (b) being forced into a long distance relationship with lots of travel between China and the US, or (c) divorcing his wife.
When company policy gets in the way of important life decisions, I think it is a dangerous line to walk.
Consider the exact same scenario at any non-remote company.
If Bob wants to move to China, where the company doesn't have an office, he's going to have to resign or take a leave of absence.
This decision on Gitlab's part would be moving their incredibly generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran" to a nearly as generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran, and places that are known to coerce people into spying for them like China and Russia".
Most companies operate on a whitelist of places where you can work (where they have offices), not a blacklist. Even many remote companies operate on a whitelist (e.g. "Remote, US only"). Really, I'm amazed they feel that they can operate on a black list approach at all and not accidentally violate tons of local laws.
I may be reading into things here but it sounds a lot like the reason for this is to gain business from the US Government. Limiting reach from governments such as China and Russia is already standard practice for most security/defense related functions of the government.
The point is that those 250 countries all have different legislation and cultures. The only concern is not "we don't want the Chinese government to have access to user data". That's the only concern for Gitlab (well that and not violating US laws in regards to who they can do business with), but it is not as simple for many other companies.
Going from a whitelist to a blacklist is hard because you need to either individually vet every country and decide if they're ok, or you need to just assume a lot of countries are ok.
Going from a blacklist to a whitelist is obviously trivial.
I am not sure we are getting anywhere with this argument. I don't really see the point. When a list has a fixed number of possible entries, then the difference between whitelist and blacklist is purely academic. The result is exactly the same.
You seem to be talking about reciprocal lists (blacklist of 3 -> whitelist of 247, whitelist of 10 -> blacklist of 240, etc), which is not what OC was talking about. OC was specifically talking about going from a "small whitelist" to a "small blacklist". Not a "large whitelist to a small blacklist" and certainly not anything the other way around.
Whitelist with 3 countries: I have vetted three countries, and know my employees can operate in those countries legally without issues.
Blacklist with 3 countries: I either need to vet 247 countries to ensure my employees can operate there legally, or I am just assuming that those 247 countries are fine without actually doing the due diligence.
Again, going from a blacklist of 3 countries to a whitelist of 247 countries is obviously not an issue. You're operating on the same data. The issue is going from a whitelist of say 3 countries and then not going to a reciprocal blacklist of 247 countries, but a much smaller blacklist of 3. This is what Gitlab has effectively done in OC's estimation. That either means you vetted those 244 extra countries that are now on your "whitelist", or you're making a lot of assumptions.
Sounds like "loyal and high performing" Bob could land a new gig. Life is about choice and Bob might have a difficult one. I hope he'd stay with Su. Better and Worse and all that.
Then the good thing is that you are not married to the company you work for. You can even work for more than one at the same time; to be married to more than one person is so much more difficult :/
>Or, What about if one of their employees is married (or wants to get married) to a legal resident of one of these countries? How far removed does the employee have to be from this risk?
Security clearance background checks will cover this sort of thing. For sensitive government contract work, clearances are generally required for the relevant contractor employees.
For non-government customers who still have these concerns, I’m not sure there’s a good answer. I guess you could define your own clearance process and run similar background checks - many of the government’s own background checks are done by private investigators already.
> "It seems odd that we proclaim that we will accept any customer not prohibited by law (b5a35716) but we are implementing controls that impact employees based on a perceived political climate. This is contradictory."
Accepting any customer serves the customers' interest.
Acceding to customer requests that their sensitive information not be placed in a situation where it could be relatively easily accessed by state actors ... serves the customers' interest.
That’s not contradictory, except in the most superficial sense of “but we have open arms for everyone”.
I don't understand what I am reading, I feel I am missing some context... Is it about being afraid the Chinese and Russian state will spy on user data if some employees are located in those countries? Or were there updates to their laws that made it mandatory to open databases to the state if an employee is located in these countries?
> There is an unacceptably high risk that these nations may apply pressure to individuals living within their borders with sensitive data access (based their role at GitLab). It is our concern. And it is the stated concerns of several customers.
The discussion is actually pretty significant, as they sort out how they might manage the _customer demand_ that is creating these hiring blocks, and in turn, how that is reported and tracked.
I don't see this as a purely "done deal", it's a company having very important discussions in the open that most would just default to "restricted". All this transparency is a great source for others to learn from.
After activating JS I could see the discussion, sorry.
Going a bit deeper, it seems to be a specific demand by a potential client. Can make sense for activists, journalists, humanitarians. Makes sense for gitlab to push back too though.
Whether it's real or not or even likely to be effective, there's a chilling effect and businesses are obviously concerned to be raising the issue of Chinese-based employees with GitLab.
Oh, China is finally following US policies on full takes. Not entirely unexpected. The difference is that China observes their borders, whilst the USA does full takes everywhere they can, which is everywhere in the west.
What is a full take, what do you mean by US policies on full takes, and can I also have a source on US performing full takes everywhere in the west? Thanks!
So. As a freelancer living in one of the scary red states and seeing a lot of US people and companies in the potential client crowd, should I now start looking for opportunities more in Asia, South America and Africa? Is the Gitlab client's sentiment spreading among Western companies?
Reading the discussion, it appears this policy was due to a customer request, and not some legal requirement.
I wonder how the HN crowd feels about that? There was a lot of talk recently about how companies should not sacrifice their values and kowtow to the demands of large clients.
As a company that values freedom of movement and is remote first, this prevents their employees from moving to where they want. Does this also mean they can’t vacation there either?
> Does this also mean they can’t vacation there either?
No, the post is fairly explicit about what the proposed block is.
While I agree with the position that companies should avoid trading ethics for short-term profit, this is a move I hesitate to condemn - the cost is fairly minimal (their remote-first position is still quite generous), and there is much to be said for the increase in privacy and security this provides their customers.
This is just ridiculous. It is truly unfair to discriminate people based on the country of their birth. It's not like they had a choice.
Am I the only one who thinks that both China and Russia have spies who are not native Chinese or Russians? And are people really naive to believe that a stupid decision like this would prevent China or Russia from trying to obtain the information they need (if they really want it)
You might have misread the issue at hand, this is not discriminating on country of birth, but country of residence. You can choose not to continue living in the above mentioned countries, and this would no longer be a problem it seems.
Ultimately it affects the developers who are born in China and Russia as well. Not everyone can afford migrating to a "white listed" country due to various reasons like family, friends and other commitments.
How is that different from any other job? Unless they support remote work, which most don't, is it not discrimination for a job to only consider people who are willing to move to city X or country Y?
> @cciresi I appreciate your position. Please be aware there is an active, time-sensitive contract negotiation linked to this matter. And you need to advocate to the DRI that the company walk away from that contract in order to enact your proposal.
I'm not sure I've ever 180'd on a compliance practice as quickly as I have with GitLab's compliance policy repo transparency. When I first stumbled across it during the telemetry situation last week I thought they were nuts. Absolutely nuts. But reading through this thread and the one posted last week it seems like an incredibly effective approach. People from all areas of the company, not just legal/compliance are giving input and asking the right questions. And, just as important, they're not asking the wrong questions.
It's a bit of a chicken/egg situation - is there a strong culture of compliance because of the transparency or does the strong culture of compliance make transparency a non-issue? Whatever their secret sauce I think Wall Street could use some.
This one actually makes me scared for Gitlab. I feel like they're exposing themselves to a lot of extra liability by making these discussions public.
For instance - it's been suggested (I don't know if rightly or wrongly) that they have a customer who asked them to do something that would violate the US boycott laws. I'll assume that it is the case that they've been asked to violate these laws.
According to a plain reading of a document someone linked here [0] that means they are required to report the request to the US government. I'll assume that it is the case that they are required to report it too, even though I'm not a lawyer, and that's not really an authoritative source.
> The EAR requires U.S. persons to report quarterly requests they have received to take certain actions to comply with, further, or support an unsanctioned foreign boycott.
If they don't (because they forgot, because they disagree with that interpretation of the law, because they don't want to piss off the customer, etc) they now have a public facing record of them violating the law. Even if the assumptions are wrong (they likely are) and they aren't violating the law, someone might decide they are and it might result in lengthy/costly legal battles.
How many other examples like this probably live in that repo for anyone to see?
You're concerned because you're worried if they violate the law they'll be held legally accountable? Isn't that the entire point of transparency / accountability?
>Probably the US government or something like that?
The requirement to block some class of people off from some customers is nothing new, and back at Sun there was separate Sun Federal which was dedicated for such clean business.
GitLab's approach (and I think it is just a start of the trend in the industry, time to get rid of the accent :) while theatrically good isn't practically efficient. A Chinese or Russian residing here with some family back at the Motherland is susceptible to the same pressure in the loving, yet firm hands of the Motherland as if s/he were residing there her-/himself. So the next absolutely logical and necessary step for GitLab on this path is to block all Russians and Chinese who have at least some family back there. Given that there may be other ties too and the hassle to verify (to which degree of relationship?), simply blocking all those nationals would be the natural and practically efficient way.
It seems obvious to me that the kind of pressure to which you are referring is not limited to family. It would be easy enough to threaten a high school boyfriend. Or the family of your child's former best friend. Or a former co-worker. Or any friend. Or even a complete stranger.
Extortion can be effective well outside family lines.
And, of course, extortion is equally effective on USians, Brits, Indians, Nigerians, or anybody else.
I've never heard of Russian government using their state powers to take advantage of some developer and break into foreign network. That seems like strange and unethical move. I, personally, won't ever use Gitlab after that move.
Interestingly, Ukraine was also on the list initially, but then was removed. Is it a coincidence, that Gitlab co-founder, Dmitry Zaporozhets, is from Ukraine?
Perhaps if they are Chinese or Russian and work closely with their nation's government or military, but in that case I imagine they probably are already taking whatever precautions they can to limit access by Americans.
That is just whataboutism. China has a long demonstrated history of using its intelligence services for the benefit of domestic corporations, as well as exploiting its citizens working overseas to aid in the same.
Could someone "in the know" elaborate on what specifically prompted them to contemplate this? e.g. They mention concerns from enterprise customers.
I commend the transparency of debating it in the open, but I suspect it'll get hard to maintain reasonable discourse once the issue hits mainstream headlines and becomes sensationalized.
The suggestion does feel like a giant cudgel. I get there are genuine concerns, and I don't have better ideas to offer. I can't help feeling bad for legitimate future job applicants who will feel discriminated against. I'm sure if a bad actor wants to do something adversarial, they'll find ways around it (like agents in a non-banned country).
It used to feel like attitudes of major world powers were slowly converging (Russia got some democrazy, China started to open up its economy, tolerance seemed to be growing). Now it scares me how fast they're diverging. Politics is seeping deeper into tech, and it's going to get more fervent. Curtailing trade is loosening the ties between disparate cultures (https://www.cato.org/publications/commentary/peace-earth-fre...).
The internet was supposed to connect us all and help bring us closer together. What happened?
I don't mind this, as long as they would offer a relocation from the country in question. I would even volunteer! It's not my fault I was born in this shithole.
It sounds like there is nobody that this affects, and nobody it is likely to affect. They just want an official policy in place to reassure their customers.
The discussion on Gitlab is completely out of control now. Gitlab should never have opened that can of worms. Geopolitics and all, first started talking about limiting nationals of China and Russia to do certain jobs and now so many have conflated this to ethnicity, political views, hacking and anything in between.
One would think the best solution for this would be a Federated structure that would ensure a Chinese Systems administrator could only deal with whatever resources assigned (China maybe) and a US administrator can only work with whatever resources are assigned (U.S customers??). Therefore you can have the separation of data but please everyone.
I am not saying it would be simple to iron out, but it would allow for distrusting customers to all play together without worrying about data compromise.
Just a thought, I read all the comments and they are about politics and such and very few are about a technical solution to work for all.
One can argue only letting a Chinese Administrator work on a subset is again a geopolitical thing, but that point should be moot if other administrators are restricted as well.
Gitlab can restrict SRE selection for concerned clients and change their process to make sure every SRE doesn’t have access to every client. I’m sure some Chinese companies wouldn’t be happy to have American SREs access their data either and I can think about dozens other countries with political issues against each other.
But off topic, I’m wondering how many companies have similar policies that nobody knows just because they don’t have “open-source” policy.
Sadly recruitment process is polluted with many hidden policies and while we appreciate and expect honesty and transparency from applicants, the recruiters themselves aren’t anything close to honest and transparent.
IMO this is not really about hiring, the hiring aspect is just a temporary workaround for a broader policy/technical challenge.
Namely, how to maintain your overall organization and software-stack while internally isolating data-flows and rules which are unique to different jurisdictions.
Even if today it's some potential client expressing general concern, tomorrow it might be something you can't simply ignore, like an EU privacy law that must be complied with to avoid dropping a bunch of customers. (Or a demand by Elbonian officials for an account that lets their secret police snoop on Elbonian business, but hopefully that one would be resisted.)
This is where it is important to get back to first principles, and making distinctions based on nationality is less helpful than making distinctions based on rules-oriented-organisations vs. people-oriented organisations. The primary distinguishing characteristic which we need to pay attention to is rule-of-law and the power-predominance of rules-oriented-organizations across the political and economic system. This is something which should in principle be apolitical and possible to evaluate empirically.
Gitlab is investing hard on looking good in the press, but forgetting to fix their critical bugs. Their CI/CD feature is useless due to the bugs that are never fixed as they are not prioritized. One example is this 1-year old critical bug in CI/CD:
As someone who resides in a neutral country, I fully support your decision. That’s how I feel about HN. Go well. I am also considering leaving HN because of propaganda against China and Russia. You will think USA is this saint when you read comments on HN. How I wish user base of HN wasn’t dominated by one country or can completely stay away from international politics. There are many other sites for such discussions.
So, give any quote from the link or elsewhere that in any way shows the reasoning for this consideration is based on how much they don’t like Chinese people or how inferior they are as a race. People keep throwing around the racist label even when it’s absolutely clear that it’s not about race. It’s about the Chinese and Russian governments and how they operate. These are legitimate informational/operational security concerns that can’t be waved away with "well, it’s racist to protect ourselves, so we just won’t".
Yes, so? Nobody is concerned about the Chinese because they’re Chinese. Unless the CCP adopts principles like freedom of speech or other values that are foundational to Western countries, the CCP is forever going to be at odds with us. As long as they oppress their population and minorities and expand their influence on neighboring countries in undemocratic ways, and seek to extend that influence to the West, there’s a conflict. And the conflict isn’t race. It’s values. This tolerating undemocratic behavior because it might be intolerant only allows authoritarian regimes like the CCP to continue their spread.
It’s hilarious and depressing to see people using their freedom of speech to defend China, a place that suppresses any and all criticism in absurdly draconian ways.
I'm a little surprised this isn't illegal, and it really should be. It's irrelevant whether or not this actually would work, it's in principle immoral.
As a Chinese I'm actually very disappointed at Gitlab. I think anyone wouldn't be happy if one's country is banned from the company.
And I also think some people just worry too much about people in China. Actually, ordinary people in China are not so oppressed by the government. And ordinary developers from China are just like ones in America. Few of them will steal data from the company.
This is reported in Gittalk (a high impact platform for Chinese IT workers). I admire the transparency. The issue can't be solved by a company alone. Practically there might be workaround but it's up to the employer..
Which clause of which act, or which executive order specifically prevent Gitlab from recruiting non-enemy state person?
This leads to discussion of using Chinese alternative other than Gitlab/Github, and the expansion would lead to more employment by Chinese code repository providers...
How big of a customer one needs to be to request some other country citizens to be banned from working as SRE? How much do we need to pay to ban Israelis for example?
Am I missing something? Why does said customer just self host the open source software and purchase support. 90% of the sensitive issues will be solved
You can never be sure, that the guy didn't sell his soul to intelligence agency and some government official during his visit. Better completely terminate the account and fire the employee if (s)he happened to travel there.
Well, the answer to that is simple. #boycottgitlab
I am working at a European company where the amount of Russian engineers is constantly increasing (similar thing happens in many of the bigger companies nearby). And they prove to be quite ok.
So since today I will speak strongly against use of Gitlab in my workplace should such a talk begin.
I think you are confusing them having something against Russia(gov) with Russians(people).
They also clearly state that current employees will not be affected. Reading the motivation behind it and the possible dangers it would pose to their clients.
I think it's very reasonable not to continue having sensitive data be available in Rus & Chi.
Gitlab's actions affect Russians(people) and not Russia(gov).
Their motivation, should they apply it to UK, US, Spain and France, should lead them to forbid having employees from those countries as well.
As a Swede, I would not like my gitlab sensitive data to be in the hands of US gov.
If you really believe national security agencies do not apply pressure to any tech employees just because they are X citizens of their X country - you need to mature a little bit more, perhaps read Snowden's book and look into what happened with Wikileaks.
This way you may end up justifying terrorist attacks against American citizens coming as a retribution for the foreign policy and military adventures of the democratically elected American government.
I think, that it’s reasonable not to use servers located in certain countries and not to use (closed-source) software made by some bigger companies there. I myself would not use much of the software or services from the countries mentioned. Because I know who might well be getting access to my data and what those people’s approximate values are.
But not hiring devs that are maybe trying to get away from those places? As a dev and an immigrant myself I could not just stay silent about that.
What? For me this is a big reason on why I want to use Gitlab.
I am European and I think you're being pretty stupid. You celebrate that the company you work for hire people in Russia rather than from where you live. You seem to fail to realize that if all companies in your country would do that you would soon find yourself out of a job since there is always some place cheaper.
No one is saying Russians aren't knowledgeable or good at what they do. Maybe you should read what they actually write instead of simply projecting your straw man ideas onto them.
How is their action discrimination? That's silly. Obviously it would be discrimination if they wouldn't hire people because they have a specific country of birth but that is not what they are doing.
They are afraid that the governments of China and Russia could easily force people who live in those countries to give up data. That is a valid concern since that is happening in China.
I know how it affects the economy. Just look at where stuff is produced. It's hard to find things that are produced in Europe or the states. You may say that this is a good thing but I disagree, the same thing could easily happen with software and that would be a dark day in my opinion.
I don't care if that would make me "poorer" in the sense that I can have less material goods. It would still be a better world in my view and better for the environment. I rather pay more for something produced in the EU than to have something shipped from China just to save a few bucks.
I live in Europe and I use/consume things made in Europe every day. And instead of arguing to me, just read if protectionism was ever a good decision - just from the history.
> I rather pay more for something produced in the EU than to have something shipped from China just to save a few bucks.
Protectionism works quite contrary, so you do not support it anyway :)
Yes, it certainly is a good decision. For example, if we had no protections like customs China would easily subsidize any market they wish to gain monopoly of the market in question.
This is happening even WITH protectionism like customs and tolls. China's government subsidizes stuff like steel production which makes it hard for companies like SSAB in Sweden to compete with them since they sell their steel cheaper than the cost to produce it.
How shall countries protect themselves from countries that act like that without protecting their market? It's extremely naive to think that countries that are rough dictatorships will play fair and nice.
EU should have A LOT higher customs against countries like China. Trading with them on a fair level gives them too much economic control which is good for us in the short term but incredibly bad in the long term.
That is why South Park can make an episode like "Band in China" today because we have already given them a lot of control.
One thing is a response to unfair competition and completely different - protectionism just to support local companies and give them advantage in competition - it leads to stagnation.
Why are you assuming that their backend architecture is bad when these positions touch sensitive data much more frequently than a software engineering position in companies globally?
In order to effectively support customers, you need to make a decision into how much visibility you'll give customers. Alternatively, you give your support the even more unfortunate circumstance of needing to request sensitive data.
SREs need to be able to work with hardware and software and by virtue of needing to take decisive action are in a similar situation.
I live in Spain but was born in Russia, I moved 3 years ago because I hate current Russian government and still I hope Russian and Chinese companies and engineers will boycott Gitlab in response. Such offensive nationalism should not be forgiven.
You moved from an openly repressive country to another secretly repressive country. Congratulations ;) Hope you have the possibility to freely move around Europe, as you'll probably need to use it in the future
Audrey Tang Minister without Portfolio in the government of the Republic of China (aka Taiwan) advocated this type of radical transparency in government.
The National Intelligence Law of China, passed in 2017, demands that all its citizens "support, assist and comply with works on national intelligence", aka proactively collect intelligence for the regime. (Article 7)
Well, technically you should then block people from these countries irrespective of where they reside. They have extended families back in their home countries, so the spooks can still lean on them quite heavily, and there's nothing they'll be able to do.
This is why I refused to obtain a DoD security clearance when my job needed me to: I go to Russia to visit my family every 2-3 years, and I don't want to be in any way valuable to their intelligence services or the like, nor do I want to put myself or my family in danger.
All of the above is in spite of me having spent most of my life in the US by now.
IMO a better solution is for nobody to have permanent access, and granting it on as-needed basis, with a full audit trail. It's not perfect, but it's a heck of a lot better than the ineffectual geography-based blocking that you are implementing.
Ever since the China attack in 2010 when Google pulled out of China, Google has prohibited access to user data from employees in China. They have since expanded to a more general geographic blocking system.
I assume Gitlab lacks the sophistication to do this split of user data access vs other business operations.
Gitlab runs an open source company, so I don't understand why they are so concerned about China and Russia. Is it for anonymous/confidential customers?
Well first, it is not a camp. No one is putting no one in prison there.
Second, a company will want to abide by the laws of the countries it operates in. Having an employee somewhere may, nowadays, count as "operating in" that country. If they are not comfortable with some state laws, that makes sense to avoid these countries. Just like the companies that say they can't operate in Europe because of GDPR.
Third, if you identify one of your employee as a Russian agent living abroad, you fire them and Russia is in the wrong there. But if you hire a Russian and that makes you legally forced to share some data, you would be in the wrong to not comply.
Yep. It also would be nice to provide a form where clients would be able to select race, sex, age, sexual orientation, religion and other employee parameters as they wish to build a real dream team.
I think one of the reasons should be that Gitlab does not have many enterprise customers in China and Russia. Native Chinese or Russian speakers are not needed for Support.
Russians and Chinese could not care less about gitlab. They have progressed so much in the last years, they have their own gitlab systems. Demonizing Russia and China for bad practices and not doing any introspection on yourself is hypocritical. US supremacy is over. Get on with it
I understand the basic issues involved here. Both countries are doing very odd things when it comes to information and privacy. However, I feel like making this a "country issue" is really not exactly the right horse to ride on. Rather, I think it should be stated due to the security policies of these governments, we are banning them as information safeholds at this time or something of the sort. Then, the issue is LESS the country, and more the governmental informational policies.
But the problem isn’t storing information in these countries in this case. It’s how these are known to coerce nationals with ties to the homeland into spying for them.
@edjdev wrote
> There is an unacceptably high risk that these nations may apply pressure to individuals living within their borders with sensitive data access (based their role at GitLab).
Given the current Australian law changes, the rampant Israeli IT spy sector and despotic Belarus position on human rights, it's surprising that they only mention China and Russia.
This whole debacle doesn't look good and makes one lose all faith in Gitlab.
Debacle? The week hasn't even started yet. Let's take a moment to breathe.
China and Russia are known to put pressure or watch/listen on nationals who work in key positions in foreign companies.
As US allies Australia, Israel don't pose the same threat. A lot of information that could be gained would be available through the US government and shared with those parties if there was a need.
There are definitely Chinese and Russian spies but there are spies from many countries besides those. The question is why are you singling out those countries and why now.
The reason is that there is a Cold War brewing between the US and China and this company has become an agent of that war.
There seems to be a propaganda war against China brewing in the US. I last saw this level of jingoism when Bush Jr decided to take over Iraq on the pretense of Saddam Hussein supposedly having nuclear weapons. All the TV network anchors were pushing for war and pushing the supposed threat. Later we find out it was all lies.
Spying is happening between all nations and the leaked cables showed this.
Why those two countries specifically? In Russia you can get imprisoned for a variety of political/strategic reasons if you refuse to cooperate. China implemented their own internet for spying.
When you visit these countries you are advised to buy new devices and throw them out on return to avoid backdoors.
General Powell misleading the UN and TV networks was based on having chemical weapons. Nuclear weapons is the fear with Iran. It was believed because the UN weapon inspector Hans Blix was being railroaded with fake traffic jams and other tactics preventing him from investigating. After he pulled out and Sadam had a history of using these types of weapons on his own people, it made the claim easier to accept without more proof.
Direct imprisonment in Russia isn't the reason for this topic, Federal Security Service had successfully got their cooperation proposal accepted in most of the cases due to the unlimited number of ways they could coerce their target.
>get imprisoned for a variety of political/strategic reasons if you refuse to cooperate
The same is true of Australia, the USA, and the UK - these nations have no issues with imprisoning each other's citizens if it behooves them - i.e. if the individual chooses not to cooperate with the military-industrial-pharmaceutical complex.
Yes debacle, because why are we only talking about gov secrets here. You know, industrial espionage is real too and some big potential customers could just as well reside outside the US.
>As US allies Australia, Israel don't pose the same threat
China or Russia would not pose any threat if they managed to completely infiltrate US institutions, because they would be, at this stage, the US greatest allies.
Sure, China might try to constantly drag the US into pointless wars in Asia, but again it would be fine because it would be to defend the interests of China, the greatest ally.