I still can't access my company's org private repos (a company incorporated in Hong Kong, with only European employees) because I opened my laptop in a hotel in Iran 3 months ago.
Hey Nat, since you're on the line here, can I ask for more details about how this process might apply to other software forges? Were you able to secure a general exception for your line of business, or is it specific to GitHub? If the latter, how difficult/expensive was the process?
Great work, by the way. Kudos as well for committing to a DMCA abuse fund.
However, we don't want this to be a competitive advantage for GitHub; developers should choose GitHub because it is better, not because it has a license from OFAC. So we have taken it upon ourselves to advocate for OFAC to allow developers in Iran and other sanctioned countries greater access to all platforms, and we will continue to do so.
This kind of change would likely require an update to OFAC’s regulations, the issuance of an updated general license, or the issuance of formal guidance from the agency. We hope that OFAC’s issuance of a license to GitHub will help pave the way for broader access to similar platforms.
Are you concerned that the first time someone from Iran posts something controversial (e.g. "Opensource Nuclear enrichment centrifuge control algorithm") that the license will be knee-jerk revoked with no notice?
Logically speaking, if someone shared such code from Iran, that would be the opposite of what the US government is concerned about. It would be import into the US instead of export.
GitHub might need to take down something like that from any developer regardless of country, because of other export laws concerning nuclear technology. But I don't think that would result in punishment of the developer's country. But IANAL and the rules are complex.
Yes, but re-export is covered under a separate regime. Intellectual property served royalty free does not have a correspondent item in internal processing and re-export regime.
I'm curious: what was the rationale for not talking about this at all until it was ready? It seems like "we're working on a possible solution" would have been a good response to the many complaints about this.
Was there some reason to believe that mentioning you were working towards this license would have a detrimental effect on the review process for that license?
- Expectation setting. If they say they're working on a possible solution, people will expect the solution to materialize and get upset when it doesn't. Since this seems like it was a lobbying effort with OFAC, there was probably a large degree of uncertainty on whether this would happen at all.
- Like you suggested, maybe they thought any public comment about this might put at risk the conversations they were having with OFAC?
If they had been denied the licence then it’s potentially misleading. Generally you don’t comment on things if there is a very realistic chance they’re unachievable.
Because this is the Internet and the angry mob often doesn't understand how the real world works, and the cognitive load of dealing with that angry mob when said things don't go the way they've naively imagined it _must_ is exhausting.
I'm going to guess that the US government wouldn't have appreciated the external pressure going public about it would've added onto their review process.
As a software engineer, you have some* control over the scheduling and cadence of the features you develop.
You have no control over when you get a permit from the government like this. It's nuts. Even when the open source exception to ITAR was passed in the late 90s, MIT was very careful not to release Kerberos V outside the USA until they had very clear guarantees that it was approved.
Saying "we are applying for an OFAC license" will lead to a deluge of other tech companies applying for the same license, and the likely outcome is the OFAC says "we don't have the manpower to review all these, reject them all".
Thank you, Nat. It is better that GitHub be fully available in other countries sanctioned by the US, like Syria, Venezuela, ...
I am from Iran. Unfortunately, we are prisoners of mullahs, like the people of other countries sanctioned by the US who are prisoners of their dictatorship governments.
First, American holidays do screw up customer service, so that in some instances it knocks out the very service (a la Slack). Second, despite posting a FAQ from the US Treasury Department that apparently excludes this case, the posters have missed the point that it only applies to financial services. Software is much more regulated (the silver lining is that cryptography is fortunately no longer munitions-class export) than most commenters think, and behind-the-scenes negotiations tend to happen, especially with regard to cryptography.