
Slack closes account of an Iranian user living in Canada

902 points | jwildeboer | 7 years ago | twitter.com

608 comments

[+] SamWhited|7 years ago|reply
I've been mad at the Go community in particular for continuing to promote Slack for ages, and this is exactly the hypothetical situation I always use to explain why (although there are other reasons too; Slack is a perfect embodiment of everything wrong with this industry, but that needs a fuller writeup). At a previous job we had to start doing this exact same thing when we were considering going public; this is the point at which I started considering leaving.

Using a proprietary protocol that doesn't allow any form of federation is an unacceptable way to build a global community. Please consider using an IRC based service for group chat or an XMPP based service where 1:1, history, rapid reconnects, and other more complex chat features are required (yes, if you're a dev you have to use XML which is annoying, but overall it's a well designed protocol, so get over it). This lets you host your own, and (in the case of XMPP at least) if one person wants to use a U.S. based service and another is in Iran they can just sign up for a Belgian account (or wherever). We can't afford to let the internet splinter off into siloed tiers based on nationality.

[+] wpietri|7 years ago|reply
I would love to see more things built on open protocols. But for that to be the case, we have to find ways to make better apps built on top of open protocols.

We should start by admitting that Slack beat IRC. Beat it like a cheap hallway rug. IRC was always a terrible experience for novices, and it wasn't a great experience for experts. That it had any users at all is a testament not to IRC, but to what it enabled. Slack found a way to provide the same value but with a much better user experience. And then they rapidly iterated on that experience, making it better and better.

They started out with IRC and XMPP bridges. But they eventually shut those down because they were a drag on improving the product. When faced with the same choice, IRC kept the original protocol and shut down improving the product. This was an understandable choice, but one that set up the situation where commercial developers could come in and do something radically better. Open source needs to figure out how to compete with that, or things like this will keep happening.

[+] jwildeboer|7 years ago|reply
So it seems that Slack is going through their log files and closing down accounts that have used IP addresses that are considered to be in embargoed countries. I base that assumption on various comments here and on Twitter.

If true, it is definitely the worst way to do it. It doesn't take into account any circumstantial evidence that could explain the use of such an IP address (vacation, VPN, BGP or a mistake in the geolocation data used) and Slack doesn't seem to offer any way to appeal or even inform other users about what happened to their contacts.

Slack should offer a configurable notification that could contain other contact methods to the banned user. Slack could also give those users at least sth like 48 hours to inform their contacts about what is going to happen. And it could offer banned users a downloadable archive of all content created to make sure no data is lost.

But the way Slack is doing it right now means that you can't trust them and one should really think about relying on their services in the future.

I am still on IRC and XMPP (Jabber) for good reasons ;)

[+] basilgohar|7 years ago|reply
This is very disturbing for ways that some folks might not realize. One of the servers I've leased was assigned an IP address range whose reverse DNS (i.e., PTR records) ended in .ir.

I only discovered this because I was trying to use Google's CLI tools and got blocked, with the shocking message that access from embargoed countries was not allowed. I was utterly confused given that my server, myself, and anything to do with my hosting was all contained completely within the US. After studying the message and finally figuring out after some time the problem, I reported it to my host and they promptly submitted a correction to that, and the issue was resolved.

But had I somehow used this host to access Slack, I would find my own account deleted, if what is being deduced here is correct.

Deleting or disabling accounts is completely the wrong approach. The absolutely maximum that could be done is BLOCKING ACCESS (i.e., actually embargoing) from these restricted IPs. Disabling or deleting accounts is stupid and shows that Slack has a profound MISUNDERSTANDING of how the Internet works, i.e., it's not perfect. This is exactly akin to using an IP address for identification. IP addresses, and hostnames, are not identification of people and cannot nor should be used for these kinds of heavy-handed, punitive punishments.

[+] mirimir|7 years ago|reply
Yeah, and from jordank's comment about his wife, they're using logs from years ago. That is impressively stupid.
[+] darkarmani|7 years ago|reply
So the next time someone attacks BGP they should divert slack traffic through Iran to get all users automatically banned? Or just think if slack accounts are compromised and a hacker logs in through a proxy in Iran.
[+] Spoom|7 years ago|reply
> Slack should offer a configurable notification that could contain other contact methods to the banned user. Slack could also give those users at least sth like 48 hours to inform their contacts about what is going to happen. And it could offer banned users a downloadable archive of all content created to make sure no data is lost.

The government could argue that any of these options is "doing business with" an identified, sanctioned individual.

I'm not saying it's right, I could just see a company attorney wanting to minimize potential federal liability.

[+] chisleu|7 years ago|reply
Vacation isn't a valid legal reason to export crypto.
[+] jordank|7 years ago|reply
My wife’s Slack account was closed yesterday.

She created the account while traveling in Cuba (legally) years ago and hasn’t been back to Cuba or any other sanctioned country since.

She is a cofounder of an org that uses Slack heavily and has now lost access to all her messages and files from the past couple years of work.

There appears to be no appeal process here.

[+] jeromegv|7 years ago|reply
Cuba is one of the most popular destinations for Canadians, can't ever imagine what would happen if they actually ban everyone that had their IP over there at some point in the last few years.
[+] mfer|7 years ago|reply
If Slack did this because of her trip to Cuba years ago it means they have kept records of her IP going back years.

This causes me to think about the metadata records they have held onto in addition to all the data.

[+] bjoli|7 years ago|reply
I am starting to become scared that my accounts with different companies will be closed retroactively. I have, through work, toured most of the free and some parts of the non-free world (including Iran, Cuba and Sudan). That apparently makes me fair game to have my US accounts closed. Had I been a slack user I, by the look of it, probably would have had my account closed today, even though I have lived within the EU for all my life.

I am pretty certain I have logged into my mail, PayPal account and Digital Ocean account from countries embargoed in the regions my providers operate. PayPal I could lose without much fuss, but jeez how I'd hate to lose access to my email.

[+] xenophonf|7 years ago|reply
While it's perfectly legal for your wife, a Canadian, to go to Cuba, it's still embargoed by the U.S., and Slack as a U.S. company must comply with the embargo (even though your wife has done nothing wrong per Canadian law).
[+] avip|7 years ago|reply
I've just opened all my slack workspaces from an IP Geolocated in Tehran to test that hypothesis. Let's see how it unfolds.

[EDIT] to be on the safe side, I've also created a new workspace from said IP.

[+] natch|7 years ago|reply
So is it related to her ethnicity as this guy is claiming it is in his case?

If not maybe everyone can consider that maybe Slack’s actions for the Iranian guy have some basis other than “his ethnicity.”

[+] alexlavrww|7 years ago|reply
Slack could just block access to IPs from banned countries. Why are they retroactively blocking accounts? Sounds like Slack is punishing regular people who visited those countries.
[+] painlord2k|7 years ago|reply
If the data is worth something, get a lawyer to write a letter to them and request the data back.

Lesson: keep backup of everything in multiple jurisdictions even if you are innocent like Jesus. You know what happened to him.

[+] arsinux|7 years ago|reply
Was her account the owner of the workspace? What has happened to the whole workspace?
[+] walterbell|7 years ago|reply
How do people export/backup messages from Slack?
[+] sneak|7 years ago|reply
The appeal process is filing a lawsuit against Slack, provided the person wronged didn’t already agree to give up that right when accepting Slack’s TOS.
[+] mbesto|7 years ago|reply
So, uhh, just stop using Slack then? There are plenty of alternatives now.
[+] dustinmoris|7 years ago|reply
Wow, the Twitter thread and the experiences which are mentioned here sound so extreme and crazy that I am seriously confused as to what to believe.

- Is this all made up to prove some point?

- Is this just how the US ticks right now?

- Is Slack just completely gone mad?

- Is this what companies believe is acceptable nowadays?

- Is this the future of the web?

The fact that I am not sure what to believe and that I wouldn't be surprised if this is all true or equally all made up is what really scares me. Ten years ago I would have had a lot more confidence and faith in the world that this must be either a big mistake or something fishy, but today I feel like anything goes and in a week's time nobody will care again :(

[+] pjc50|7 years ago|reply
It's the dystopia of the film Brazil: someone makes a typo in a database, someone else's life is dramatically inconvenienced, and it's impossible for them to access any means of redress.

> Is this just how the US ticks right now?

Yes.

[+] walterbell|7 years ago|reply
For more than a decade, Section 230 [1] has protected internet platforms from censorship of user-generated content. Why is Section 230 not applicable here, or is a similar law needed with wider scope?

[1] https://www.law.cornell.edu/uscode/text/47/230

> It is the policy of the United States— (1) to promote the continued development of the Internet and other interactive computer services and other interactive media; (2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation; (3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;

[+] jstanley|7 years ago|reply
I don't think this is the future of the web.

This sort of thing is a temporary blip before everybody figures out decentralised solutions for everything.

Decentralisation is clearly the end game as long as politics causes problems like this. A decentralised solution will continue to "just work", while centralised solutions continue to boot people off. It's pretty obvious which one is going to win.

[+] parhamn|7 years ago|reply
I'm an Iranian-American and Coinbase did something very similar to me in 2017. Here is the notice they sent me: https://i.imgur.com/xnJe0kd.png

We were very convinced it was name/ethnically based as I hadn't been to Iran for a few years before. The general counsel at my last job sent a strongly worded email suggesting they may have been using names to do this (thanks AA!). The email quickly resulted in my account being reinstated without any commentary on their methodology.

[+] api|7 years ago|reply
This is what centralized silos are like, have always been like, and will always be like.

Unfortunately centralized silos also allow unprecedented convenience and ease of use. Nobody's figured out yet how to duplicate that in a decentralized or federated system.

[+] mtgx|7 years ago|reply
I mean, Slack recently announced that they would give employees complete access to employees' private conversations.

When a company starts thinking this way, you know there's no turning back, and more such (censorship/surveillance-friendly) actions will be taken in the future.

[+] samirm|7 years ago|reply
What's there to be unsure about in terms of belief? Hundreds of people are having their accounts closed and that's a fact.
[+] chisleu|7 years ago|reply
Did he visit Iran and forget to uninstall Slack before he went?
[+] ryanmercer|7 years ago|reply
> - Is this just how the US ticks right now?
> - Is Slack just completely gone mad?
> - Is this what companies believe is acceptable nowadays?
> - Is this the future of the web?

Iran has sanctions against it right now. Slack, and other companies that have done this sort of thing with Iran, Cuba, etc the past few years, are trying to stay on the right side of the law. To avoid imprisonment, fines, etc. If you think what they did is wrong, start a company and risk serving prison time to stand up for what you believe in by creating a similar product and offering it to customers that have direct geographical ties to sanctioned and embargoed countries. I'm serious, imprisonment is a very real risk with dealing with sanctioned and embargoed countries.

Doing business with Iran, or a citizen of Iran, can open the door for all sorts of government investigation from fines, to being shut down for an investigation, to having data from other users compromised, to criminal prosecution of employees/officers of the company.

It's a lot easier to just immediately sever ties with anyone that has had dealings with an IP geographically connected to Iran than to go one by one "hey, you an enemy of the state? You sure you aren't? Promise? Cross your heart and hope to die? Ok, we believe you, we'll just hope you're telling the truth!"

Then there's the fact that Slack uses encryption at rest and in transit, there may be a LEGAL REQUIREMENT not to allow users with ties to Iran to use the product under CFR title 15 chapter VII, subchapter C. Or they may at least suspect they are at risk of running afoul of the cryptography export laws as they stand and simply decided, they don't want to risk it to protect the company and other users.

I highly doubt this is some Islamophobic/Iranophobic move on Slack's part, this is simply a cover-our-ass move so we can stay in business and not risk prison time.

See:

- 15 CFR chapter VII, subchapter C.

- 31 CFR Part 560 and Appendix A to Chapter V

- Public Law 115–44 (the CAATSA)

[+] user5994461|7 years ago|reply
It's always been like that. The US sanctions are not new and many countries have equivalent.

Established businesses simply block connections/signup/login from sanctioned countries. It's part of the checklist for new apps. It's really basic.

Slack is just another startup to discover that there are regulations to follow. They did very poorly on the interpretation though.

[+] hnauz|7 years ago|reply

[deleted]

[+] IncRnd|7 years ago|reply
Just because he said that he has no connection to Iran does not make that true. If you carefully read the tweets, Amir says that he travelled to Iran. It might be that Slack did something ridiculous, but that can't be seen from the data.
[+] robteix|7 years ago|reply
Aside from the obvious wrong of blocking people based on their origin, what's up with these companies closing accounts with no warning and no recourse? I know they're private companies and they _can_ do it, but just because you can doesn't mean you should.

Why not give the user even a few days notice so they can communicate with support to try and clear things up? Taking the OP's story at face value, Slack should easily be able to verify with him that he lives in Canada. Instead, they simply block it and bye. I find this extremely hostile.

[+] robotbikes|7 years ago|reply
Wow. This seems rather unprecedented and unnecessary, based upon the lack of action in this regard by other companies I don't know why Slack would do this. If for instance this kind of arbitrary action took place on GitHub I could see it having a detrimental impact to free software projects. This is another good reason to choose Zulipchat and other self-hostable platforms instead of proprietary SaaS solutions.
[+] yholio|7 years ago|reply
Welcome to the brave new world of the "cloud": your data, business, money, most intimate secrets and livelihood is at the whims of a foreign corporation that will stop at nothing if it means 2 cents more on their bottom line, or gets them on the good side of a government entity.

You have no rights, you have no intrinsic human value and you have no means to fight for yourself.

[+] malloryerik|7 years ago|reply
This kind of thing can kill Slack or other networks because if you have a team of 100 people and just one can't use the platform, you'll switch. The network effect seems likely to work in reverse in this case.

Beyond that I find it outrageously unethical.

[+] gingerlime|7 years ago|reply
A couple of our employees from Syria also got blocked today. They were using Slack from Syria though.

EDIT: I don't understand why they ban/block the account rather than "simply" block access from IPs from the country. This seems really strange and overreaching.

[+] rostasteve|7 years ago|reply
When a company gets large or important enough it realizes that it has to follow some inconvenient laws.

In the US there's OFAC (https://www.treasury.gov/about/organizational-structure/offi...) which lists individuals and entities that companies cannot do business with. Implementing these rules is a nightmare for companies so they use 3rd party services which produce a huge number of false positives. Middle eastern names tend to result in many false positives.

My guess is that Slack is scrambling to clean house ahead of the IPO and they don't have a user friendly way of dealing with this. In fact most companies don't. This is the same crap that bites people who inadvertently end up on no-fly lists with no way to get off.

Don't like this? Call your representative. Build a better way to implement OFAC and similar laws.

[+] mirimir|7 years ago|reply
So is this really an accurate title?

It seems most likely that Slack has geolocated IP addresses from account access logs, and closed accounts with hits from sanctioned countries. Perhaps going back years.

That in itself seems over the top. But it doesn't constitute ethnic profiling.

But if someone has a counterexample, that would be OK too.

[+] rdl|7 years ago|reply
If they are just deleting accounts where someone logged in from a treasury-barred country’s IP, I wonder what happens if you BGP hijack a small amount of that address space, somehow get admins or high profile users to connect via this (run WiFi? Some kind of proxy?), and then observe the chaos.
[+] avar|7 years ago|reply
If you work for an American company, get a bug report from a user you know to be in Iran against an open source project you work on during company time and fix it as a result, can the company be considered to be engaging in commerce with Iran?
[+] giancarlostoro|7 years ago|reply
From a technical standpoint what they're saying is if your IP matches any of these countries, we cannot allow you on our services. It's got nothing to do with ethnicity if a Puerto Rican guy from Orlando goes to Iran and gets banned, it's all about the IP not the person.

Seems they might want to tone down their bans starting from the moment the policy came to be vs doing it from the dawn of Slack's time, not sure how the policy is written and I'm not a lawyer so maybe they went off from legal advice.

[+] mimi89999|7 years ago|reply
I believe that the only party that suffers from those sanctions are actually the populations living in those dictatorships who don't have a say about who is their leader. Who does actually benefit from them and who do they really harm?
[+] jwildeboer|7 years ago|reply
OP here. Dear mods, you have now twice changed the description, which I understand. But would it be too much to ask to have an indication that shows that someone who is NOT the OP has changed the description? The way it is currently worded are simply not my words and I have no way of showing that. Could potentially be bad for me.
[+] underyx|7 years ago|reply
The user says he's connected to Slack from an Iranian IP address 6 months ago. That's likely the reason Slack was able to pinpoint him.
[+] asl19dev|7 years ago|reply
OFAC's General License D-1 provides Slack with exemptions to offer their services even to users based in Iran:

(a) Effective February 7, 2014, to the extent that such transactions are not exempt from the prohibitions of the Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560 ("ITSR"), and subject to the restrictions set forth in paragraph (b), the following transactions are authorized: (1) Fee-based services. The exportation or reexportation, directly or indirectly, from the United States or by a U.S. person, wherever located, to Iran of fee-based services incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging.

https://www.treasury.gov/resource-center/sanctions/Programs/...

[+] jeswin|7 years ago|reply
As an outsider, I am really surprised by how deep-rooted America's hostility is towards Iran. Shi'ite Iran certainly has human rights issues, but as far as terrorism is concerned the majority of them are orchestrated by Sunni groups. 9/11 hijackers, Al Qaeda, Islamic State, Paris attackers - are all Sunni.