
Hi HN, I'm the CEO of GitHub. Flagging this account was obviously a terrible mistake, and I apologize to anyone who was affected by it. We're investigating why it occurred and will make changes to make sure it doesn't happen again. I am glad that we restored access to the account in less than an hour after Aurelia filed their appeal.

For context on why any account flagging is ever necessary, unfortunately, every company in the world is required to comply with US sanctions if they do any business at all in the United States, e.g. serving US-based customers. This includes even interacting with US banking infrastructure. So being headquartered somewhere else doesn't help; you have to comply. And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.

We are taking the broadest possible interpretation of US sanctions law to allow as much access to GitHub as possible and we are, as far as I know, the only major vendor to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba. I'm proud that we are taking this strong position to ensure developers everywhere can participate in open source.

I wish we could also offer access to private repos and still comply with government requirements. We have been advocating and will continue to advocate for broader developer access with the various government agencies involved.

You need to do a post-mortem on this. What exactly did Aurelia do to trigger this to start with? A contribution from a sanctioned country? A github issue posted by someone from a sanctioned country? How exactly are open source projects supposed to avoid this possibility if they don't happen to literally be Rob Eisenberg? How many other project repositories have been disabled because of this problem? Is Github doing a review of the processes? Highly doubtful Aurelia's the only one affected, but it might be the only one so far to be able to make it to HN front page.

Fun fact. My friend works in a bank. One of this bank's account holders is a factory that produces curtains. Now, curtain in Polish is "firana", and any time those guys do a bank transfer it is thrown into some kind of lengthy manual processing mode because the company name contains the dreaded word "iran".

Seems crazy that the "Scunthorpe Problem" still rears its head after probably more than 25 years. [https://en.wikipedia.org/wiki/Scunthorpe_problem]

History repeats itself

We had to remove products containing any and all references to Cuba and Egypt from our Shopify store to avoid PayPal suspending our account. All of the products are American made, produced in the US with local ingredients. For example, a raw flavour compound called “Cubano Style” or an eliquid brand called “The Great Pyramids” (fictional examples but in line with the real products.)

The only thing was that PayPal wouldn’t actually confirm exactly what was triggering their automated system; we had to infer that ourselves by looking for commonalities between the flagged payments. Even when we identified the problem they refused to give any confirmation at all other than to re-enable our account.
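The "firana"/"iran" and "Cubano Style"/"Cuba" anecdotes above are both instances of the same screening defect: a term list applied by raw substring match. The following added example (not from any commenter, and using a constructed term list and constructed company names rather than real screening data) contrasts that naive check with a whole-word check that no longer flags either name while still catching a genuine hit.

```python
import re

# Constructed watch-term list for illustration only; a real sanctions list is far longer.
WATCH_TERMS = ["iran", "cuba", "syria"]

# Constructed names to screen. The first two are the false positives discussed above.
NAMES = [
    "Firana Sp. z o.o.",      # Polish curtain maker: "firana" contains "iran"
    "Cubano Style Flavors",   # product name: "cubano" contains "cuba"
    "Iran Trading Company",   # genuine whole-word hit
    "Scunthorpe Textiles",    # no watch term at all
]


def naive_substring_flag(name, terms=WATCH_TERMS):
    """Scunthorpe-style check: any substring occurrence of a term flags the name."""
    lowered = name.lower()
    return [t for t in terms if t in lowered]


def word_boundary_flag(name, terms=WATCH_TERMS):
    """Token-level check: a term only matches when it is a whole word of the name,
    so 'firana' and 'cubano' no longer trigger 'iran' and 'cuba'."""
    tokens = re.findall(r"\w+", name.lower())
    return [t for t in terms if t in tokens]


def screen(names, matcher):
    """Return {name: [matched terms]} for every name the given matcher flags."""
    flagged = {}
    for name in names:
        hits = matcher(name)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    print("substring:", screen(NAMES, naive_substring_flag))
    print("whole-word:", screen(NAMES, word_boundary_flag))
```

Whole-word matching removes this class of false positive but does not by itself catch inflected forms such as "Iranian", so a screening pipeline still needs a curated term list and a human review queue rather than a bare string test.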


Yea, there's a real lack of information in Github's response. I hope we get something more complete.

But really, if your project is mature enough and you have the bandwidth, just host it yourself. Gogs, Gitlab, cgit .. lots of FOSS implementations to choose from.


I agree. This is the second story like this we have seen come across the front page of HN this week. I'm glad they sorted it out quickly, but it is almost certainly a result of Mr. Eisenberg's high profile.

We saw another story like this come across the front page this week. The author is less well known (also happens to reside in Russia), and claimed that he had trouble even getting an e-mail response from the given support pathways for appeal. Sounds like it eventually got sorted out, but not without much waiting and effort from the maintainer.

So when GitHub CEO Mr. Friedman jumps in and pats himself on the back for getting this account restored in less than an hour, I can only roll my eyes. To try to sell it like this is an 'average' response to these type of appeals is a little disingenuous.

If I were starting a company today, I would absolutely self-host my repository to guarantee my business is never harmed by some automated flag that could totally lock me out of my own work. We use GitLab Community Edition at my company. It is fantastic, and we are in full control.


Here at RhodeCode we strongly believe in self-hosting, this is why we started as an on-premise product for source code management.

You should check out RhodeCode too for self-hosting your own code, with extra security features to make sure it's well protected


What benefits does it provide over self-hosting gitlab or gitea?

Some projects enjoy an increase in contributions once they move to GitHub. I think it was either CPython or Erlang which mentioned this effect.

Lower in the thread is a response from an Aurelia author, saying there is an ongoing investigation to find out why it was flagged.

Do you believe that trade regulations such as ITAR apply to publicly-available open source software? I do not¹, and it appears that your employees do not believe this either. GitHub is currently hosting multiple GPS implementations² that are clearly against this line in your ToS, in addition to also being against ITAR by not implementing speed limits for missiles:

"GitHub may not be used for purposes prohibited under applicable export control laws, including purposes related to the development, production, or use of […] long range missiles or unmanned aerial vehicles."

I think you should probably make a blog post explaining GitHub's stance on this issue.

[1]: https://www.unr.edu/sponsored-projects/compliance/export-con...

[2]: One of which is https://github.com/gnss-sdr/gnss-sdr. This repository does not implement ITAR-required GPS speed limits. Even if it was ITAR-compliant, the limits could easily be removed as it is open source software.

----------------------------

Update: GitHub has updated their ToS to remove this line. It was present on July 27, 2019. The issue still stands with this current statement from their ToS ( https://help.github.com/en/github/site-policy/github-and-tra...), which forbids ITAR-regulated software:

"Users are responsible for ensuring that the content they develop and share on GitHub.com complies with the U.S. export control laws, including the EAR and the U.S. International Traffic in Arms Regulations (ITAR). The cloud-hosted service offering available at GitHub.com has not been designed to host data subject to the ITAR and does not currently offer the ability to restrict repository access by country."


ITAR undeniably applies to software.

Whether it's open source or not is irrelevant. ITAR software cannot legally live on GitHub.com in any case -- it doesn't matter if the repos are public or private. [But a GitHub Enterprise install (self-hosted version only) can be compliant.]

I'm confused by your request for the company's stance, since it's not something up for debate... there is no room for them to take a stance on complying with the law. It's not up to GitHub at all.


Are you sure about that? Publicly-available open source software can be exempt from ITAR according to this page: https://www.unr.edu/sponsored-projects/compliance/export-con...

If it's publicly available open source, it can't contain ITAR.

If there is existing open source that doesn't contain ITAR, then that's fine because it's beyond the scope of ITAR, so ITAR doesn't apply to that scenario. [Maybe this is the case you're mentioning?]

If it is ITAR, it can't possibly be publicly available open source. [How could it be possible to have publicly-available open source software that is also restricted to being only shared with U.S. citizens?]

Of course an ITAR project could pull in publicly available open source (e.g., dependencies), but that doesn't sound like what's being discussed here.


This is just word games.

We can sensibly speak of tech that "would be" an ITAR violation to deliver "if it were not" open source. This is exactly the scenario under discussion. It seems very clear from the linked page that, e.g., GPS code that is released as free/open is, in fact, not restricted by ITAR.


There is a certain unrealistic arrogance to the US approach to ITAR and software that seems to assume only US Persons could create technology on the list.

GPS receiver systems are the classic there: Russia, China and Europe all have their own GNSS. China runs the semiconductor industry and is quite capable of producing whatever unrestricted GNSS devices they choose. Therefore why restrict US companies?

Same with satellite tech, there may be some US specific tricks but there is a reason ITAR free satellite designs already exist and are multiplying. ITAR tries to protect too much and is killing US market share by being stupidly annoying.


The difference is companies actually get in a LOT of trouble for sanctions violations. When was the last time someone was prosecuted for an illegal GPS implementation?

The minute someone uses an open-source GPS radio to build a cruise missile in their garage, and uses it for assassinations.

Given the current tech level available to hobbyists, this isn't that far fetched.


You don't need an open source GPS radio for that, just fly a bit slower. The upper limit is plenty fast for weapons, 1900 km/h isn't much of a limitation, neither is 59,000 ft of altitude.

If you can understand the equations and engineering needed to build a cruise missile the GPS equations will not daunt you. Getting the final approach to have a useful Circular Error Probable at anything low enough for an assassination would be more of a technical challenge than the coarse guidance. Unless you had someone shining a designator you’d need real-time machine vision. To say nothing of designing an airframe that can perform precision manoeuvres at speed without breaking up.

> Even if it was ITAR-compliant, the limits could easily be removed as it is open source software.

To someone willing to spend more than a couple minutes, the fact that it's open source is quite meaningless.


While it is definitely possible to reverse-engineer and modify the software/firmware of existing proprietary GPS systems, I'd argue that the distinction between this and changing an open source project is not meaningless.

Changing a couple lines of well-documented source code in an open source project before compiling is arguably a much lower bar to pass.


It depends. For most reasonable firmware, trying to figure out how to compile the stupid thing is generally harder than finding and byte patching a condition in a binary blob.

ITAR absolutely, without a doubt, applies to open source projects. Giving the code away confers no immunity.

... to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba.

You should also add North Korea to that list. Three years ago I spent a semester in Pyongyang teaching a course on open source software development, and as part of the course students created git repos and contributed to other repos that are hosted on github.

So that you're not put in an awkward position, though, I won't tell you which repos these are :)


I wonder whether they use a VPN to obfuscate where they come from?

While I was in North Korea, I basically never used a VPN and rarely had problems with any services. A handful of news sites were blocked (ironically the sites did the blocking and provided a message about sanctions; the North Korean government didn't block anything), and so I needed a VPN for those.

All North Korean internet traffic originates from 175.45.176.0/22. They have no reason to hide (except for the massive amount of cyber crime they originate, where VPNs are used)

> They have no reason to hide (except for the massive amount of cyber crime they originate, where VPNs are used)

And, well, trade sanctions, which is why the parent comment wondered if they used VPNs.


I used to use an Iranian-based VPN. Sanctions are almost always implemented by billing address, not by IP address. Geolocation services are crap when you start getting into third world countries.

Billing addresses are easy to fake.

Ok? I'm sure most e-commerce websites would scoff at the idea of having shoppers mail in a notarized copy of their passport before they can make a purchase.

A passport generally doesn't even indicate where someone lives or has lived.

For most businesses forced to comply, that seems like a feature, not a bug.

How would this have been resolved if the post on Twitter/other social media didn't get enough traction? Is this just a terrible mistake because it has much more visibility than all of the other terrible mistakes?

I'm sure that there have also been takedowns that weren't terrible mistakes, but merely procedural. And given the disclosure that GitHub implements sanctions loosely, far more repos are likely at risk.

That's not a fair argument. You're demanding that GitHub prove the absence of any other mistakes. All they can do is fix bugs when they find them, the same as anyone else. If there's a systemic problem with the way they do sanction flagging, that needs evidence.

I disagree; it is a fair argument. This is the Tweet:

> I woke up this morning and you shut off the Aurelia site, archived tons of our repos, and I can no longer access admin settings. You cited US trade sanctions and sent me a non-descriptive email with no remediation information. What is going on? This is devastating for us!

"No remediation information," to me sounds like Twitter outrage was the remedy.

A follow up reply is this:

> The project has been public for 5yrs+, managed by a US company, whose owner is even a GitHub Insider and long time open source leader (15+ yrs).

Okay, there's the terrible mistake. It targeted someone with credentials, not a nobody.


> If a user or organization believes that they have been flagged in error, then that user or organization owner has the opportunity to appeal the flag by providing verification information to GitHub. Please see our FAQ for the appeals request form https://help.github.com/en/github/site-policy/github-and-tra...

https://twitter.com/GitHubHelp/status/1240682163193942018

> If an individual user or organization administrator believes that they have been flagged in error, then that user has the opportunity to appeal the flag by providing verification information to GitHub. If GitHub receives sufficient information to verify that the user or organization is not affiliated with a U.S.-sanctioned jurisdiction or otherwise restricted by U.S. economic sanctions, then the flag will be removed. Please see individual account appeals request form and organizational account appeals request form.


which involves sending them documents and even selfies.

Those are just arguments that the mistake shouldn't have been made. Of course the mistake shouldn't have been made; that's what "mistake" means.

Your post upthread was inferring the existence of multiple similar mistakes and demanding that GitHub prove they are impossible. They can't. It wasn't supposed to happen in the first place. It was a mistake.


It would be pretty easy to prove the absence of other mistakes here by simply providing a public list of all repositories affected by sanctions flags. If the number is, say, thousands, then it's almost certain this is a deeply automated process and there are other errors. If it's, say, 10, then this is probably a human-driven process.

Thanks so much for the swift fix, apology, and the current work to try to find out what happened & prevent the recurrence of the mistake. Mistakes are inevitable, especially at scale. I think taking those steps, when the inevitable mistake happens, is all we can ask of anyone.

Good job!!


> And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.

This statement is so wide-sweeping as to be patently false. Some sanctions target specific activities. Others target specific entities that may or may not be entire countries. Many sanctions do not apply to information and communication services. To make such a wide statement as you did suggests you're oversimplifying to placate the masses. Either way, not a good look.


Or maybe he's just paraphrasing in simple terms things his lawyers explained to him because he doesn't want to go write 20 pages of specifics?

Do you think as the EU and PRC grows politically and economically, they will start throwing around similar sanction requirements as the USA? Will GitHub be forced to obey those as well?

The PRC already does it, from forcing brands to remove Taiwan from the list of countries on their sites to having Hollywood alter things they don't like in movies.

GitHub has to follow EU legislation already - see GDPR for a famous one.

The EU has GDPR which has a provision against making automated decisions, which has been outlined by the UK as such: https://ico.org.uk/for-organisations/guide-to-data-protectio...

I appreciate the difficult position you're in, wanting to provide and advocate access while also forced hard by government regulations which are heavy handed and often over-reaching.

I wonder though, as cool as it is that the CEO of Github posts here, maybe you shouldn't be making this comment. Now a bunch of commentators have raised similar issues and you are now obligated to some degree to contact your legal and engineering teams to look into it - this may result in you having to take down MORE content which was clearly nobody's intention. Rock meet hard place.


I don’t think any company headquartered outside the US has to comply with those laws. It’s only if they value doing business in the US enough to do so.

> I am glad that we restored access to the account in less than an hour after Aurelia filed their appeal.

You mean after they went semi-viral on Twitter and landed on the HN front page. But I'm sure it won't happen again (to this repository, for this reason, in this year; everything else is on the table).

Using Twitter, FB, HN etc as your support-priority-queue system is a terrible idea.


As we've seen with all major internet service providing companies, getting customer service right 100% of the time does not scale. Errors happen. The mean time between errors approaches 0 hours as the ratio of users to human beings on the planet approaches 100%.

Sure, but there's plenty of space between offering Google-level support and getting it 100% right. Aim for 100%, not for Google. It's not their terrible support that made them successful, don't copy that part of their operation.

Setting the tradeoff in cost / effectiveness where Google did is probably part of the alchemy of what made them successful in the way they are successful (though offering better customer service and "white glove" treatment to a smaller customer base is also extremely likely to be a viable business model).

They reinstated the account 1hr after official appeal.

Your comment is only relevant to those posts that are used as a last resort, usually after waiting days or weeks without any human response. AFAICT the tweet was done pretty much simultaneously, perhaps in an attempt to hasten response time.


> They reinstated the account 1hr after official appeal.

Yeah, because it got traction on HN and Twitter. Pretty much the same happened to somebody else just three days ago, and, wouldn't you know it, after their rant [1] made it to the HN front page [2], Github finally reacted to the appeal after having spent a week ignoring it.

If you expect to ever have troubles with GitHub, you better have a following or some luck to be posting at the right time.

[1] https://medium.com/@catamphetamine/how-github-blocked-me-and... [2] https://news.ycombinator.com/item?id=22593595


> unfortunately, every company in the world is required to comply with US sanctions if they do any business at all in the United States, e.g. serving US-based customers. This includes even interacting with US banking infrastructure. So being headquartered somewhere else doesn't help; you have to comply. And US sanctions as written do not allow us to provide commercial services or services which could be used commercially to sanctioned countries.

How come DHL is able to ship packages to sanctioned countries? I understand there are some limitations to what can be sent there from the US, but it seems like they are able to do so from other countries. Is the DHL US a separate entity or is there something else I'm missing?


Wikipedia article says this:

> DHL offers worldwide services, including deliveries to countries such as Iraq, Afghanistan and Myanmar (formerly Burma). As it is German-owned, DHL is not affected by U.S. embargoes or sanctions and will ship to Cuba and North Korea. However, there are strict codes for delivering to North Korea, as the country has shaky relations with the West. As DHL is no longer a United States company, it is not allowed to make domestic flights between U.S. airports. DHL contracts these services to other providers.

> DHL ended domestic pickup and delivery service in the United States in 2009


Thank you for the response and swift action.

Is there really no process in place to first notify an organization that you will need to close their account down? Or is there something in existing sanction law that prevents extending such a courtesy when an account is flagged?

Really good to see a proper response here.

Thanks, and I'm sure this will be cleared up, but it is really strange how this flagging is taking place.


GitHub, DROP ICE!

I'm sorry, I understand why you don't like ICE, but why should they start "randomly" arbitrating what can and can't appear on their platform? That's just a massive can of worms nobody wants to open.

I think denying access to organisations that are EXPRESSLY DESIGNED to violate human rights is a good enough reason.

So how do you plan to not overreact going forward? Or did the Microsoft acquisition play a role?

Responses like this are so disgusting to me. It perfectly highlights that the only way to get treated fairly on the system is to be important enough to make the CEO look bad and get a direct response from him.

They have unlimited resources more or less to review sanctions cases, they choose to spend them on buybacks, and executive bonuses, and private jets. They are not ever going to take the time to do this properly because the interests of their users are their last priority.

Sounds like a great time to get off the GitHub platform as soon as possible before your repos disappear because some Iranian guy posted an issue.

Note they didn't mention why they incorrectly flagged the repo or take any responsibility for doing so, or make any claim that it's not going to happen in the future. They just claim it's the government's fault. Bullshit.


> We are taking the broadest possible interpretation of US sanctions law to allow as much access to GitHub as possible and we are, as far as I know, the only major vendor to offer public repo access in US-sanctioned countries like Iran, Syria, and Cuba.

Does this mean that users in sanctioned countries can create accounts and use the site noncommercially as normal, just as long as they don’t have private repos? It was my understanding that you will nuke ANY account possessed by someone from a sanctioned country.

PS: Please stop doing business with ICE.
