They can also bend those restrictions to non-US companies wanting to do business within the US. Just because the US embargoes/sanctions the sell of Iranian oil, or the sell of any nation's oil to North Korea, doesn't mean that it is illegal for other nation's companies to do so (unless their gov't also has similar restrictions). Here comes the but... the US then makes it illegal for those companies to do business within the US just because they were friendly to people the US doesn't like.
Because that's how embargoes work? They impact not only goods, but also services. The US has one on Iran. And as Slack is a US company (or rather, a company which has an interest of maintaining operations in the US, regardless of where it is based), it complies, thereby blocking service to any entities (e.g. people) in Iran.
Exactly. Embargos function by taking away the rights away of American businesses and people. Trade embargoes make it illegal for US entities and people to trade with certain groups of people.
i am an american national and i go to canada. my access to netflix changes for reasons that have nothing to do with my nationality (what passport i have), and everything to do with what nation i’m in.
I see it as a technically true statement: they blocked users who looked like they were connecting from within an embargoed nation, regardless of these users' actual nationality.
They likely blocked by whether you ever signed in from a blocked nation. That's not necessarily the same as blocking any users who would qualify as exporting software to a blocked nation, which is also not the same as blocking everyone whose nationality matches said nation.
You might read that and infer that Slack is somehow tracking the national origin, ethnicity, or race of all of its users, which would be much fishier behavior than IP-based blocking. They're explicitly saying that they don't do that and that they don't have that information.
Are the sanctions against doing business with Iran nationals or anyone with an Iran IP address? I would imagine the sanctions are in place to prevent trade with Iranian nationals.
Indeed. Compare and contrast with "sorry again for something new this week" Facebook. "We let everyone and their uncle access all your private data, my B dog." "Oh no, guess we helped cause a genocide, oopsie doodle."
This is yet another good reason to prefer decentralized networks. When Slack or Facebook or whomever agrees to block someone there is no resolution other than appealing to a company with a closed decision making process, something I don't think any of us really want.
Matrix is the protocol, Riot is a Slack-like implementation of the protocol: https://riot.im/
You can use the default (free) Matrix homeserver with Riot and you'll basically have a free chat system without any setup (besides installing the client).
I've been using Riot for a while now, and while Slack does seem a bit more polished, having client-side encryption for all my messages gives Riot the upper hand: I don't worry about sending passwords or sensitive info as much as I do with Slack.
I thought it was kind of expensive at first but then I saw the price of slack. ~$1.50/user/month seems very fair when you see what slack and email cost per user
Matrix E2E encryption is opt-in per room while its support is in beta, with the intent to have on by default when it's out. https://www.uhoreg.ca/blog/20170910-2110
It is planned to make riot enable encryption by default when it is fully stable but I totally understand why the protocol would allow it to be disabled. Matrix is about more than instant messaging and there are possible use cases where you may be using it for something that needs no e2e. Maybe you are using it to control the lights in your house and you want to write an SQL script that can read the commands sent to your light over matrix and tell you how long they were turned on for last month. You can't do that if the commands were e2e encrypted and you gain nothing by encrypting them.
Yes, you are overreacting. Perfect is the enemy of good. Encryption is not so easy when you have a room with potentially hundreds of users, each with many devices, and you have to safely share keys between all of them. I'm using it, and even in a 1 to 1 chat it can be a burden. They are working on it, and it will be default once it's out of beta. But there are reasons why you may not want to use it. And that's a personal choice that people should be allowed to make. Would you also disallow public rooms? Or bridges into non-encrypted services?
I care about encryption, you care about encryption, and they care about encryption. "Giving up on them" and saying their attitude is "problematic and incurable" is hurting, not helping.
Yup, you’re overreacting, especially given I wrote that >4y ago when we hadn’t even started implementing E2E encryption. Nowadays it’s almost complete and as others have said we will be turning it on by default for private comms in the coming month(s). (There is little point in E2E for a conversation which is public and being indexed by Google etc). Some deployments already have E2E on by default in fact (eg the french government deployment).
Anything I consider important that I post online is pretty much public. I also wrote private messages on Facebook, but I didn't upload photos or text posts that I didn't want the world to see. For that kind of stuff, encryption is just a giant waste of resources, in my case, so if I ran mastodon on my server, I would be glad that I can turn that off.
I still fell victim to apparently being reported as non-human (after 9 years of using FB with over a hundred RL friends and former class mates, many photos of me, real name from day one, and so on), and while I could send a photocopy of my ID to Facebook, as a matter of principle I didn't and won't, not without even having the right to confront my accusers. For all I know, they're bots, at best some people who didn't like a comment I made on some article -- and from the accounts of others, even showing your ID doesn't mean you won't get fucked over in a similar way again. There is just no real recourse, so why even start jumping through hoops, I'm not going to be party to normalizing that nonsense.
I also don't believe in technical solutions to social problems. Encryption gains me nothing in a world where my neighbours just shrug when I get carted off for having using encrypted communication -- or get booted off Facebook -- so that needs to be "fixed" anyway, and should it ever be, encryption would be something that protects you against criminals and assholes, not something that protects you against big brother. IMO it's lethal to assume it ever could or should. It's something we can and should use on our way to social solutions to social problems, but not something to rely on. I know that many people in other countries or very different circumstances NEED encryption, so they should have it, and I might use it out of solidarity and to give them cover even -- but that won't fix the problem anymore than Napster fixed the music industry.
Seconded. I like controlling things myself and hosting them myself. Nobody (um, but AWS, our ISP, our DNS registrar, ARIN, oh and heck tons of others) can shut me down now.
> Nobody (um, but AWS, our ISP, our DNS registrar, ARIN, oh and heck tons of others) can shut me down now.
But in theory all of those can be replaced, a site that was recently in the news for being kicked off Godaddy, Google, tucows, Cloudflare, the Russian media watchdog, namecheap, DreamHost and a ton of others. Today its online using a Chinese based provider.
But yeah, if SV takes a disliking to you, it can be a right PITA to find some where to get back online.
But you are right, Someone somewhere has to host you and/or provide you with services (even if you self host) you are still dependant on to be able to stay online.
There is one. I'm using it, it works, but it's a little buggy: https://github.com/tijder/SmsMatrix. I haven't been able to ignore my message app and trust the bridge 100% yet.
I'm hoping to spend some of my christmas break contributing some work to the project. I agree, bridging SMS into a chat service that you can use from anywhere is a killer feature.
This event made me realize I needed a good independent backup solution for Slack. I bought some tool to do it daily locally. I'll be able to move on to an alternative like Mattermost if the need arise.
Why is this a good reason to prefer decentralized networks? Slack is a tool for employees at a company to communicate with each other. At some point those communications need to arrive back at a server that lives inside the boundaries of a nation state that is one of the world's major economies. Most of the major governments of the world work together to regulate the worlds networks. But even if that wasn't true, what would you get by trying to leave the networks? Are you trying to evade the law? If so, why? If you don't like the law, you can always lobby to change it, but there will always be laws. You can and should work to make the laws better, but still there will be laws, and we all gain some benefit from living in a society with laws. Or if you disagree, what do you think the alternative is?
If you are not US based, you may want to trade and work with us-embargoed countries. Especially as the embargoes may come and go unpredictably as US foteign policy gets increasingly erratic.
Closing their eyes and pretending it doesn't happen, because with VPN they have plausible deniability/can claim they had no way to detect that they were actually providing the service to someone in a sanctioned country.
What changed recently that hadn't been the case for past years that made them add these new measures? A true, earnest apology would at least touch on the justifications for the changes more than just "become legal". But I understand that, sadly, that kind of transparency is a bit much to ask of any company these days. Still curious though if it was just an internal decision or spurred via government/legal threat/request.
Three or four years ago I helped investigate application usage from embargoed countries as part of an acquisition. The acquirer was performing due diligence, and this was a liability they needed to assess.
So, to answer your question, I doubt anything serious changed outside of Slack. Inside, however, maybe they got a new legal team that flagged this as a liability, or they're getting serious about compliance, or they're preparing for an IPO[1], or whatever...
I worked at a couple companies where these "sudden pushes" to knock out embargoed countries were made. They both came when new legal counsel joined the staff.
It's very clear to me that this is some housekeeping attached to their IPO.
> We will soon begin blocking access to our service from IP addresses associated with an embargoed country. Users who travel to a sanctioned country may not be able to access Slack while they remain in that country.
Is Slack legally required to do this? As long as they aren't knowingly accepting payment from these countries, shouldn't they be in the clear?
How are other tech companies dealing with this? Does Google block access from embargoed countries? Does Windows refuse to work?
Yes, absolutely. Breaking sanctions is not just illegal, it's a criminal offense. There have been sanctions against Iran since roughly when Trump withdrew the US from the Joint Comprehensive Plan of Action [1] in May of this year.
The CFO of Huawei was arrested in Canada per a request by the US because of their dealings with Iran [2].
The wording of the exemption applies only to personal communications and requires the service to be available at no cost to the user. There are plausible readings that Slack goes well beyond the exemption.
Still, even though the sanctions rules may apply, I'm glad Slack is reversing their overbroad application of these rules.
If a company like IBM or Amazon were to adopt slack, would that potentially require Slack to ban things? Both have government contracts, and could potentially export sensitive software to Iran this way accidentally.
"Specifically, section 560.540 of the ITR authorizes the exportation from the United States or by U.S. persons, wherever located, to persons in Iran of services incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging, provided that such services are publicly available at no cost to the user."
That says "personal communications". Slack is aimed at businesses, not personal use. It also requires "no cost to the user." Very well may not exempt their business model, though some room for argument exists.
Of course, any sanctions regime that does still apply wouldn't require the collateral damage of Slack's excessive initial ban.
The "corporations are people" thing is exaggerated in a lot of understandings, and I doubt corporations are deemed capable of "personal communications". Still, personal communications might be found to cover the communication among persons at the companies.
But Slack does support a lot more than just people chatting with people, like bot and app/SaaS integrations. Those clearly aren't personal communications and frequently accomplish more than just exchanging information.
Good catch that the license does have provisions for fee-based services as well. However, the person I was replying to quoted the one for no-cost services, so that's what I focused on in my reply.
I used Google Maps and most other google apps fine while in Iran. Youtube and some other sites are blocked, but that's actually from the Iran side. Of course these are all free services, I assume I could not have actually paid for any paid services.
EDIT: I know that Google AppEngine and probably Cloud are blocked, because they provide foreign nation with "computing resources", but that's also its own different bucket.
I honestly don't see the point of blocking simple users because of a political conflict, i.e. between governments. One answer that jumps to mind is that those governments are merely a representative of those users but in the case of Iran, we know what happened when people elected their leaders, so it's kinda hypocritical from that regard to punish users because of a leader we placed.
I thought embargoes didn't apply to information anyway? You're still allowed to text someone in Cuba or even call North Korea, so how come Slack is banned?
Texts/SMS/voice calls etc are not encrypted. The NSA slurps that data up like a sponge wrapped in Brawny wrapped in a ShamWow. There's a huge list of why we can't export/sale things to certain countries, but encryption is one of them. Things that seem "innocent" enough like a hardware video box might qualify as embargoed because it has the ability to decode SSL network traffic. Can't let that tech get in the hands of the "enemy".
Encryption is not considered ammo since forever now. And slack doesn't have E2E encryption, and is an american company. The NSA can just knock on the front door and ask for the data, same as they would for an ISP.
My understanding is that there is a general license for telecommunications with embargoed countries, so I suspect that this is not legally required, but perhaps Slack doesn't care to fight for it.
Phone calls, SMS, and the like work fine enough to embargoed countries (although North Korea doesn't allow that, except to a very limited set of phone numbers, mostly consolates), and that likely involves payments between phone companies in the embargoed countries and in the US.
I'm aware that Softlayer (IBM) blocks traffic to embargoed countries by default, but has a process to allow traffic, given documentation of exemption.
> The Crown Prince also invested $45 billion into a SoftBank subsidiary, the Vision Fund, which made subsequent investments in a number of US tech companies. The Vision Fund made significant investments into Slack, DoorDash, and Nvidia. Slack declined to comment and DoorDash did respond to a request for comment as of publication.
I'd ask you if you had any evidence for this claim, but of course you don't. You have a very odd view of how investments work. Perhaps MBS went straight from ordering Kashoggi's execution to getting a random Iranian banned from an Internet chat system.
Fines if it's not a criminal violation, or potential prison time if it is. Since it's a corp, and the group think here is that corps are shields from jail time for the employees, then probably no jail time.
There's also the negative PR that comes with being labeled as "aiding and abetting the enemy".
Slack missed an excellent opportunity here: to be first US company to suspend services momentarily due to egregious and broken* sanctions imposed by the US on other countries.
* Broken in that they are levied against random individual citizens of sanctioned countries instead of groups trading with or state entities otherwise interacting with the US.
I'm a big fan and critic of apologies. This one is pretty good.
They admit the mistake was theirs and they take responsibility for it. They say sorry. They explain what they're going to do to fix the situation. They say they're going to learn from this and not have similar mistakes in the future. Pretty solid.
The only thing that is missing, in my view, is personalization. Tell me who you are, speaking for the organization. This humanizes the apology, and also gives a face to who it is saying they're going to improve. Ideally the CEO.
Are people actually boycotting their product? They very clearly see their free users as their non-primary market (no automatic invites, no tools for individuals to block individuals because your HR department is supposed to deal with it, limited archives, etc.) and I'm not sure a "boycott" of a free service even counts anyway. And a paying customer is not going to be able to drop Slack on one day's notice any more than they could drop email on one day's notice. Were there actually paying / potentially paying customers who cited this as a reason to stop using Slack?
My Twitter is full of academics with students and collaborators from all over the world that are complaining that Slack just eliminated their ability for them to communicate over the service. I'm not sure how many of them were free or paid though.
Being involuntarily prevented from using a service is rather the opposite of boycotting, I think. (In the sense that boycotts are a tool of applying economic pressure to convince someone to change their mind, and if you're being kicked off you aren't actually able to exert any pressure.)
It isn't those that got kicked off that are boycotting. It is those that had students or collaborators get kicked off, that are now refusing to use Slack.
You can block users now? At megacorp we definitely couldn't, and as much as there were people I wanted to block and mandatory channels I didn't want to be in… all of the frigging the bots were the most unbearable.
All the same, it's good they took responsibility when they did. I don't use Slack at work at present, but being an emigrant worker myself (not iranian, but honestly it shouldn't really matter), the past week's events left enough of an impression on me that I would have likely strongly protested any attempts in my organization at getting a slack channel going. This response is at least well-written enough that it gives me pause, that I should research the company's track record more carefully before jumping to judgment. (they're still on thin ice as far as I'm concerned, but it's a step in the right direction)
That was my point. Unless the apology is of the type "it accidentally got deployed before we had the opportunity to test the change and communicate to users..." then they shouldn't have done it to begin with.
“If you were sorry you wouldn’t have done it to begin with” has also come up on several occasions in my personal life. Haven’t figured out how best to respond to that one.
If you did something wrong more than once and gave the same apology that statement would make total sense. The first time though is unfair and kind of selfish minded.
Spilling something is usually a mistake, and often can be mitigated; the point is that mere repitition of error is insufficient to prove moral degeneracy.
If you trust the person to not be acting on malice, then I'd not worry too much about the precise semantics of those words and guess that the person is mainly expressing their frustration, hurt, etc.
What about responding to that honest emotional expression directly? "Ouch. I hadn't realize how much I'd hurt you. Truly, I'm sorry."
There are a range of harms that are reasonably excusable and then those that are inexcusable. It's when people are excessively or inconsistently unreasonable that you're better off not associating with them and their BS. It's unreasonable to reason with an unreasonable person.
Your personal life sounds more exciting than mine.
In each case though you did it to begin with because
1) while you knew you would be sorry, you surmised you would be more sorry not doing it, or
2) did not believe anyone would mind your actions, or
3) did not realize you would so much regret it when others took offense to your actions.
#3 absolves you of nothing.
#2 absolves you unless you thought they wouldn't mind simply because they wouldn't know.
#1 could absolves you in theory, but might just reflect priorities that the recipient of your apology doesn't share.
All this is likely of little use to anyone, but I couldn't resist writing it down anyway.
All three of your possibilities imply that it was on purpose and understood to be wrong to begin with. What about if you made a mistake: you thought you were doing the right thing, but turns out it was the wrong thing. Or you thought what you are doing wouldn’t impact anybody negatively. Or you did the right thing but it didn’t work out the way you anticipated. Or it was an innocent and honest thing you did, but somebody else took offence anyway. You can be sorry for things without there being any malice at play.
We (humans) are not always good at predicting the future or other people’s reactions. We do stupid things and make stupid mistakes all the time and when these things affect others we often feel sorry that we did those things.
This statement would only work if one's could be perfect, if their actions would be not a mistake but a calculated misdeed and their apology would not be sincere.
If you are really sincere with your apology, and you are doing the best you can to fix what you did, so just ignore this kind of statement. You are doing your part.
From what I'm reading here, it would be impossible by your logic to effectively apologize. The only solution is to never make a mistake in the first place, which isn't a feasible expectation when dealing with humans.
I agree entirely with your sentiment. Still, I'm not sure corporate personhood means we should judge corporate action as we would human action. It's still not possible to expect corporations to never mistakes, but I wouldn't excuse it on the basis of their humanity.
I believe there are unapologizable offenses that reveal true intrinsic character character flaws that can't be regretted away, but this definitely isn't one of them.
I have character flaws. Do you propose that we exclude people with certain flaws from our online communities? Which ones? Lack of empathy is a popular target, but children under 7 almost all lack empathy and they can be generous and kind despite it being intellectually motivated instead of emotional. Adults without empathy can be similarly productive members of our communities.
Do you have any specific unapologizably offensive character flaws that you want to admit to, or do you want me to try to make a judgement of whether or not you should be ostracized from society based on your one vague comment?
>We did not block any user based on their nationality or ethnicity.
Okay, so how did you block them?
>As is standard in the enterprise software industry, Slack uses location information principally derived from IP addresses to implement these required blocks.
So, you blocked users based on their nationality.
>We do not collect, use, or possess any information about the nationality or ethnicity of our users.
you clearly possess enough information about the nationality of your users to block them based on it, which was your intent. You backpedaled when people who were not the target nationality began to complain.
Expats comprise less than 1% of the global population, and I doubt the number of international tourists at any given time pushes that percentage much higher. Use a VPN I guess, or better yet ditch Slack.
Nonsense. Much of Silicon Valley consists of foreigners, yet they didn’t block those users — a significant part of their user base ; thus the theory of ethnic or nationality blocking makes zero logical sense.
No. It's the exact opposite. The fact that Californian IP-s were not targeted makes it pretty clear that US nationals were not targeted. While other nationals were. And it also proves that Slack engineers are dumb as f@ck.
This comment breaks the site guidelines. We ban accounts that keep doing that, so if you'd please review https://news.ycombinator.com/newsguidelines.html and stop doing that, we'd all appreciate it.
> So, you blocked users based on their nationality.
Where you are currently located or resident is effectively unrelated to your nationality (unless you were born a citizen of your country and have never left it, not even for a vacation).
This comment by Slack was in response to several (fairly overblown) comments that they were racially targeting users ("Slack bans Iranian in Canada"), when in fact they were disabling accounts of people who have used Slack from an embargoed country at some point. To be clear, this is still bad, just not "blocking users based on their nationality". All of the outrage was over expats (or travellers) being blocked.
It seemed insincere to me with the emoji-like slack logo at the end of their post. I know it's a standard practice for them but if they wanted to appear sincere they should have discontinued that practice.
The apology wasn't good just because it accepted responsibility, it was good because they acted responsibly. The incident lasted two days, and it was quickly corrected. Many other companies would ignore it for months, and a similar apology in that case would be feel far less sincere.
It's okay to mess up if you quickly correct the issue or at least quickly recognize it and try to correct it. The problems arise when incidents are buried or ignored. Late apologies are not apologies at all.
Apologies mean nothing without a believable promise to not behave similarly in the future. Furthermore, "sorry" doesn't excuse all behaviors. Doing something shitty like closing someone's account without warning and without an appeal process is inexcusable.
I think also apologies require explaining what changes they made and why they decided to do it that way. A look behind the curtain on why they chose way A when they could have chosen way B is illustrative to users.
We had someone locked out of their email while using Google's paid company mail service (App engine, I think it was called). Several days with no mail and no useful support taught me that relying on Google can leave you with no recourse.
When I was consulting I had a client whose google ads stopped working for six weeks. She was spending $500 a week in ads, but Google wouldn't do anything to fix or even acknowledge the issue.
I also had Google accuse me of "click fraud" on a website I ran in college- they stole about $300 from me, with no ability to appeal.
Google's support- even for paying customers- is abysmal.
Are you joking? It provides no specific action they're taking to prevent this type of thing in the future, and it's internally inconsistent (who are "the people whose accounts we intended to disable" who they "will not deactivate their account and they will be able to access Slack when they return to countries or regions for which no blocking is required"?).
I've spent the day messaging and talking with friends who work within Slack in an engineering capacity who feel, frankly, betrayed by the organization. Slack advertises itself internally as an engineering-driven company and on the security side, has an incredibly elaborate system of internal controls that I have espoused emulations of during my consulting that, and I am being very specific without being too specific here, were bypassed to perform these account bans. Slack's security team was bypassed. Slack's internal controls were contravened. Slack has demonstrated that they can access every location you've ever logged in from and will cheerfully give that information up for the pleasure of the US Government without it even being required of them.
>I've spent the day messaging and talking with friends ...
Some of us use Slack because we have work to do.
How noble in reason! Some of us were banned without justification from our jobs today via the unjustified unilateral action of a private company. In fact, my job is to help companies secure their internal communications. So, talking with people about this was my job. What was yours?
What in the world makes you think they will "cheerfully give that information up for the pleasure of the US Government without it even being required of them"?
They're required by law not to do business in certain countries. They were over-broad and over-aggressive in how they tried to follow that law, unnecessarily shutting down accounts, which was certainly a fuckup. But I don't see any indication that they gave information to the US government.
>They admit the mistake was theirs and they take responsibility for it. They say sorry. They explain what they're going to do to fix the situation. They say they're going to learn from this and not have similar mistakes in the future. Pretty solid.
This doesn’t really mean much by itself. These are elements of the BP apology for the gulf spill as well. The only thing that matters is actions taken. Anything else is fluff part of standard PR.
I don't think anyone would say an apology is sufficient response. It's only a necessary component of a full response. But if a company screws up the apology right off the bat (as so many companies do), you can tell that things are not going to turn out well for them. So it's pretty interesting that so many companies (and individuals) write such bad apologies, so much so that it's pretty rare to see an apology even as good as this one.
While "banning by ip" will work for discouraging most users, a VPN service or a Proxy service (Socks, ssh, etc)
would make it irrelevant if someone wants to use a service like slack, facebook or google...It just inconveniences those
who do want to use it bad enough. To me, it's a "band-aid of compliance" to whatever agency has requested them to do a ban on certain countries IPs.
Nope sorry. Slack is a walled garden. And relying on a walled garden means handing over your control, freedom and privacy which eventually gonna lead to similar kind of exploitation/abuse.
As another HN commenter @SamWhited put it, "Using a proprietary protocol that doesn't allow any form of federation is an unacceptable way to build a global community". We need to develop and use FLOSS protocols/tools as much as possible.
Does an IPv6 world prevent IP-based location sniffing?
It seems odd to me that IPs can still be used to (semi-)reliably determine a client's geographical location.
With the immensely larger address space that comes with IPv6, does that give the Internet a chance to completely sever the link between geography and IP address? Or do we still have issues with aggregating routes in a space-efficient way?
In my limited understanding I believe that ipv6 blocks are given out to organisations such as your local ISP which let's you know the location because you can see who owns the block.
I don't think limited addresses was ever the reason for assigning in blocks but the real reason is it makes routing easier. Instead of having every router know the path to 128² addresses it only needs to know that everything starting with these few bytes goes to this port which saves memory on routers.
IPv6 address space is less fragmented than IPv4 (that's part of the point), so inferring location from IPv6 address is if anything easier.
Addresses should correspond to network topology in order to be useful for, you know, routing. And network topology tends to correspond to physical location for practical engineering reasons. Of course there's no reason someone couldn't run a cable halfway around the world to use IP space in one country from a different one (or use a VPN, is what people do in practice), but realistically what would they gain from that?
Thanks. I had some fuzzy idea backwards in my mind: that part of the reason IP blocks are correlated to location had to do with address space constraints.
But that’s wrong. Having a massive address space makes it trivial to keep routable blocks contiguous no matter how many IPs they contain.
Maybe KJU, Khamenei, and Raul Castro has a secret slack group for plotting USA's downfall. You never know! /s
I'm betting that Slack only had to do this to comply with some dumb laws regarding sanctions because I am unable to see why anyone from these countries using civilian, commercial, non-sensitive services such as Slack would have any impact on sanction enforcement.
> Users who travel to a sanctioned country may not be able to access Slack while they remain in that country. However, we will not deactivate their account and they will be able to access Slack when they return to countries or regions for which no blocking is required.
So why ban any account? Why not just drop connections from IP addresses in embargoed countries?
The line you quoted is specifically clarifying what they will be doing moving forward, which is blocking connections from sanctioned countries. Their post as a whole is their apology for the prior method, which did deactivate accounts.
Right, and their blog post also says that after de-activating accounts, they have restored access to some of them. So what about all the accounts they banned but have not unbanned? What if one of those accounts has only ever connected from an embargoed country, but travels in the future to a non-embargoed country? Will it be able to use Slack?
(Put another way, it seems like they’re saying some accounts remain de-activated. So which is it? Accounts are de-activated or IP addresses are blocked?)
That’s a hedge in case they missed somebody. If they said “we unbanned all the accounts” but via a search error they’d missed one, and that person commented “no, liars, I’m still banned”, it would be a whole new round of controversy. So instead they say that they got most of them and if they missed you, ping their support team and they’ll fix it.
Blocking people's accounts based on their affiliation with certain countries, instead of blocking just IPs and with no prior warning given is a pretty serious mistake to make.
What made matters much worse for them was that their algorithm failed, also blocking unaffiliated with any of the embargoed countries. But the design itself is the bigger problem.
"It happens" is a poor excuse.
What if people with blocked accounts lost revenue due to Slack's decision? Will Slack pay for the damages?
I'm curious whether IP blocking is actually enough to comply with the spirit of a trade embargo.
Surely, the point of "not trading with Iran" is to avoid, through one's economic activity, enriching the citizens or corporations of Iran; and has nothing to do with preventing access to people who just happen to currently be within the geographic boundaries of Iran. (So: email blocking by detection of Iranian-ISP mail host = sensible; Iranian IP blocking = not-so-much.)
Unless, I suppose, you expect that a tourist accessing your service through an Iranian ISP, will be enriching the Iranian ISP to exactly the degree that you are serving them, and therefore, you are legally required to not serve the tourist, lest they enrich the ISP thereby. (That would be a hard point to prove.)
But actually, even if it was just the letter of the sanctions that you had to obey, I would expect that "not trading with Iran" would be a lot harder than it sounds—it would require, for example, that you do not trade with an Iranian citizen who is currently geographically located in, say, Mexico. How would you know? Your random IM webapp would need a KYC process (submission of ID documents, etc.) to be "sanction-compliant", wouldn't it?
Its actually pretty funny. US and others says that Russia forcibly occupy Crimea. But now all people of Crimea is under embargo, not Russia.
It like if its not enough, lets beat them harder.
My theory: Slack did this rough shot to get a deal signed with a major new client and to support the due dil.
Also note that all the major cloud providers in the US do not do business with embargoed countries. They all block IP from Iran, et al. to compute within the US, but allow it to compute within other geos, this extends to tech support, sales, etc.
I'm honestly surprised that Slack users within Iran could access the service running in US to begin with. In all likelihood they could only access edge servers located in other geos in APAC or the EU.
Look closely at everything Slack says in this message and others. "Enterprise Software" is tossed around a lot. They want to be the communications platform for the enterprise and have to meet these standards to compete with other offerings that exist today.
My guess is that this was a poorly thought and prioritized issue.
Probably they asked some junior engineer to write a database query looking for a list of accounts with IP logs that matched a range of IPs coming from the banned countries, and then they passed that list to another junior employee who deactivated the accounts.
Of course, there are many reasons for those IPs that are not your default/work/home, to be logged against your Slack account. They probably didn't think this throughly.
But the problem then is what they ought to rely on. If in fact they are legally required to deny service to those in sanctioned countries.
The whole thing is silly. I mean, anyone in a sanctioned country who was truly up to no good would be spoofing their IP address in some way. So most of the users that they ban or block will be innocent.
Sanctions aren't about stopping people who are up to no good. They're supposed to hurt the country as a whole, which mostly means hurting the innocent. The idea is that this will incentivize the country to stop doing the thing it's being sanctioned for.
OK, so I know nothing about the legal context for sanction enforcement. But in the US, the standard of proof in criminal cases is something like "beyond a reasonable doubt". And even in civil cases, it's something like "preponderance of the evidence". In my experience with pollution torts, that typically meant >50% probability of causation. But it usually devolved into battles of experts, and Daubert challenges.
I don't get how IP-based geolocation could satisfy either standard.
One country decides "fuck that other country in particular", either alone by their power of sovereignty or together with some international body. The sanctioning country (say, the US) now declares economic sanctions against another country (say, Iran). Since the US can only directly make rules for citizens/entities within the US, they say "it is illegal for anyone to export goods or services to anyone in Iran - if your company does it, the company gets fined and the CEO goes to prison". They might also say "and if anyone else that I can't punish directly sells to Iran, I will prohibit my people from selling things to you!" to force others to also participate in their sanctions.
Now, the US gets a suspicion that Slack provided services to Iran. They arrange for the FBI (or whoever is responsible) to raid their offices, build a case beyond reasonable doubt that shows Slack provided services to a company in Iran, e.g. because said companies egress NAT IP was connecting and the user names match people working for that company in Iran. On top of that, they also show that Slack didn't do enough to prevent that from happening. Now, Slack gets fined and their CEO goes to jail (not sure if that's the penalty for sanction violations but I'd assume so).
Since the CEO doesn't want to go to jail, and the company doesn't want to be fined, they'll do whatever they can to avoid selling services to Iran. They can generally choose who they do business with, and its in their best interest to err on the side of caution. You have little recourse if Slack doesn't do business with you because they don't like your IP, and they're almost certainly well covered by their ToS.
I've never seen the whois info for an IP address resolve to the wrong country though. The owner is registered with the regional IP something (RIR if I'm not mistaken - like ARIN, RIPE, etc.) so that should be quite reliable.
Posting this I'm sure someone will take the challenge and can find an example where it wasn't assigned to the right country, but is it more than one in a billion IP addresses?
GeoIP databases on the other hand, the city and often even the province/department/state are very unreliable.
235 comments
[ 3.2 ms ] story [ 195 ms ] threadEg; you're not allowed to sell stuff to Iran, or certain individuals.
https://twitter.com/aaomidi/status/1075621119028314112
You might read that and infer that Slack is somehow tracking the national origin, ethnicity, or race of all of its users, which would be much fishier behavior than IP-based blocking. They're explicitly saying that they don't do that and that they don't have that information.
But they did do it, so what does that mean...
You can use the default (free) Matrix homeserver with Riot and you'll basically have a free chat system without any setup (besides installing the client).
I've been using Riot for a while now, and while Slack does seem a bit more polished, having client-side encryption for all my messages gives Riot the upper hand: I don't worry about sending passwords or sensitive info as much as I do with Slack.
you can participate in the discussion at https://riot.im/experimental/#/room/#modular:matrix.org to understand more if you want.
Perhaps I am overreacting, but that sort of attitude on matters core to basic privacy in the post-Snowden era seems both problematic and incurable.
I care about encryption, you care about encryption, and they care about encryption. "Giving up on them" and saying their attitude is "problematic and incurable" is hurting, not helping.
I still fell victim to apparently being reported as non-human (after 9 years of using FB with over a hundred RL friends and former class mates, many photos of me, real name from day one, and so on), and while I could send a photocopy of my ID to Facebook, as a matter of principle I didn't and won't, not without even having the right to confront my accusers. For all I know, they're bots, at best some people who didn't like a comment I made on some article -- and from the accounts of others, even showing your ID doesn't mean you won't get fucked over in a similar way again. There is just no real recourse, so why even start jumping through hoops, I'm not going to be party to normalizing that nonsense.
I also don't believe in technical solutions to social problems. Encryption gains me nothing in a world where my neighbours just shrug when I get carted off for having using encrypted communication -- or get booted off Facebook -- so that needs to be "fixed" anyway, and should it ever be, encryption would be something that protects you against criminals and assholes, not something that protects you against big brother. IMO it's lethal to assume it ever could or should. It's something we can and should use on our way to social solutions to social problems, but not something to rely on. I know that many people in other countries or very different circumstances NEED encryption, so they should have it, and I might use it out of solidarity and to give them cover even -- but that won't fix the problem anymore than Napster fixed the music industry.
But in theory all of those can be replaced, a site that was recently in the news for being kicked off Godaddy, Google, tucows, Cloudflare, the Russian media watchdog, namecheap, DreamHost and a ton of others. Today its online using a Chinese based provider.
But yeah, if SV takes a disliking to you, it can be a right PITA to find some where to get back online.
But you are right, Someone somewhere has to host you and/or provide you with services (even if you self host) you are still dependant on to be able to stay online.
I'm hoping to spend some of my christmas break contributing some work to the project. I agree, bridging SMS into a chat service that you can use from anywhere is a killer feature.
https://matrix.to/#/#twim:matrix.org
Of course in the long term this is just incentive for countries to support balkanisation of the Internet.
So, to answer your question, I doubt anything serious changed outside of Slack. Inside, however, maybe they got a new legal team that flagged this as a liability, or they're getting serious about compliance, or they're preparing for an IPO[1], or whatever...
[1] https://www.cnbc.com/2018/12/07/slack-has-hired-goldman-sach...
It's very clear to me that this is some housekeeping attached to their IPO.
With respect to Slack, if they intend to IPO in 2019 they may be going through a due diligence checklist as others have suggested.
Is Slack legally required to do this? As long as they aren't knowingly accepting payment from these countries, shouldn't they be in the clear?
How are other tech companies dealing with this? Does Google block access from embargoed countries? Does Windows refuse to work?
Yes, absolutely. Breaking sanctions is not just illegal, it's a criminal offense. There have been sanctions against Iran since roughly when Trump withdrew the US from the Joint Comprehensive Plan of Action [1] in May of this year.
The CFO of Huawei was arrested in Canada per a request by the US because of their dealings with Iran [2].
[1]: https://en.wikipedia.org/wiki/Joint_Comprehensive_Plan_of_Ac...
[2]: https://www.bloomberg.com/news/articles/2018-12-05/huawei-cf...
Slack is actually not required to do this as IM applications are exempt from sanctions.
Still, even though the sanctions rules may apply, I'm glad Slack is reversing their overbroad application of these rules.
See specific of the current application of the rules here: https://www.treasury.gov/resource-center/faqs/Sanctions/Page...
Of course, any sanctions regime that does still apply wouldn't require the collateral damage of Slack's excessive initial ban.
Also, the license applies to services for a fee.
Also, exchanging information isn't embargoed.
But Slack does support a lot more than just people chatting with people, like bot and app/SaaS integrations. Those clearly aren't personal communications and frequently accomplish more than just exchanging information.
Good catch that the license does have provisions for fee-based services as well. However, the person I was replying to quoted the one for no-cost services, so that's what I focused on in my reply.
EDIT: I know that Google AppEngine and probably Cloud are blocked, because they provide foreign nation with "computing resources", but that's also its own different bucket.
Regardless, there remain restrictions on certain countries.
Phone calls, SMS, and the like work fine enough to embargoed countries (although North Korea doesn't allow that, except to a very limited set of phone numbers, mostly consolates), and that likely involves payments between phone companies in the embargoed countries and in the US.
I'm aware that Softlayer (IBM) blocks traffic to embargoed countries by default, but has a process to allow traffic, given documentation of exemption.
No, the reason is Saudi Arabia told them to.
> The Crown Prince also invested $45 billion into a SoftBank subsidiary, the Vision Fund, which made subsequent investments in a number of US tech companies. The Vision Fund made significant investments into Slack, DoorDash, and Nvidia. Slack declined to comment and DoorDash did respond to a request for comment as of publication.
There's also the negative PR that comes with being labeled as "aiding and abetting the enemy".
* Broken in that they are levied against random individual citizens of sanctioned countries instead of groups trading with or state entities otherwise interacting with the US.
They admit the mistake was theirs and they take responsibility for it. They say sorry. They explain what they're going to do to fix the situation. They say they're going to learn from this and not have similar mistakes in the future. Pretty solid.
The only thing that is missing, in my view, is personalization. Tell me who you are, speaking for the organization. This humanizes the apology, and also gives a face to who it is saying they're going to improve. Ideally the CEO.
Still, I give it 8/10.
It's Slack, so actually 2/10.
They should have communicated with their users to begin with before taking such harsh actions.
I'd say no.
Your thesis needs work IMO.
Make sure you don't fail morally by ever presenting an incomplete/unsound thesis again!
(Serious question)
By that argument regret seems impossible. Some nuance is probably lost here, to be fair.
What about responding to that honest emotional expression directly? "Ouch. I hadn't realize how much I'd hurt you. Truly, I'm sorry."
In each case though you did it to begin with because
1) while you knew you would be sorry, you surmised you would be more sorry not doing it, or
2) did not believe anyone would mind your actions, or
3) did not realize you would so much regret it when others took offense to your actions.
#3 absolves you of nothing. #2 absolves you unless you thought they wouldn't mind simply because they wouldn't know. #1 could absolves you in theory, but might just reflect priorities that the recipient of your apology doesn't share.
All this is likely of little use to anyone, but I couldn't resist writing it down anyway.
We (humans) are not always good at predicting the future or other people’s reactions. We do stupid things and make stupid mistakes all the time and when these things affect others we often feel sorry that we did those things.
If you are really sincere with your apology, and you are doing the best you can to fix what you did, so just ignore this kind of statement. You are doing your part.
Okay, so how did you block them?
>As is standard in the enterprise software industry, Slack uses location information principally derived from IP addresses to implement these required blocks.
So, you blocked users based on their nationality.
>We do not collect, use, or possess any information about the nationality or ethnicity of our users.
you clearly possess enough information about the nationality of your users to block them based on it, which was your intent. You backpedaled when people who were not the target nationality began to complain.
Where you are currently located or resident is effectively unrelated to your nationality (unless you were born a citizen of your country and have never left it, not even for a vacation).
This comment by Slack was in response to several (fairly overblown) comments that they were racially targeting users ("Slack bans Iranian in Canada"), when in fact they were disabling accounts of people who have used Slack from an embargoed country at some point. To be clear, this is still bad, just not "blocking users based on their nationality". All of the outrage was over expats (or travellers) being blocked.
It's okay to mess up if you quickly correct the issue or at least quickly recognize it and try to correct it. The problems arise when incidents are buried or ignored. Late apologies are not apologies at all.
Slack is only apologizing due to the public uproar, as apparently many people were affected.
Our cofounder was also locked of his account. He's Irish and living in Romania, with nothing to do with the embargoed countries.
To make matters worse, he tried contacting support to prove his nationality and country of residence and 2 days later he's still locked out of Slack.
In absolute terms yes. Compared to how for example google handles this it’s outstanding.
Regarding user support, Google ranks on par with an anvil.
Anvils do break, sometimes, and the failure mode is catastrophic: https://duckduckgo.com/?q=broken+anvil&t=h_&iax=images&ia=im...
We had someone locked out of their email while using Google's paid company mail service (App engine, I think it was called). Several days with no mail and no useful support taught me that relying on Google can leave you with no recourse.
I also had Google accuse me of "click fraud" on a website I ran in college- they stole about $300 from me, with no ability to appeal.
Google's support- even for paying customers- is abysmal.
I've spent the day messaging and talking with friends who work within Slack in an engineering capacity who feel, frankly, betrayed by the organization. Slack advertises itself internally as an engineering-driven company and on the security side, has an incredibly elaborate system of internal controls that I have espoused emulations of during my consulting that, and I am being very specific without being too specific here, were bypassed to perform these account bans. Slack's security team was bypassed. Slack's internal controls were contravened. Slack has demonstrated that they can access every location you've ever logged in from and will cheerfully give that information up for the pleasure of the US Government without it even being required of them.
Some of us use Slack because we have work to do.
How noble in reason! Some of us were banned without justification from our jobs today via the unjustified unilateral action of a private company. In fact, my job is to help companies secure their internal communications. So, talking with people about this was my job. What was yours?
They're required by law not to do business in certain countries. They were over-broad and over-aggressive in how they tried to follow that law, unnecessarily shutting down accounts, which was certainly a fuckup. But I don't see any indication that they gave information to the US government.
This doesn’t really mean much by itself. These are elements of the BP apology for the gulf spill as well. The only thing that matters is actions taken. Anything else is fluff part of standard PR.
That specifically doesn't admit the mistake or take responsibility.
You can find further discussion of their apologies here, and they get a 3/10 rating for apologizing well: https://www.perfectapology.com/BP-oil-spill-apology.html
> We do not collect, use, or possess any information about the nationality or ethnicity of our users.
No nationality? Don't they kind of have to collect nationality in order to comply with the law on implementing sanctions?
Which is usually taken as, "enough to inconvenience unintended targets, even if intended targets can easily avoid the punishment."
As another HN commenter @SamWhited put it, "Using a proprietary protocol that doesn't allow any form of federation is an unacceptable way to build a global community". We need to develop and use FLOSS protocols/tools as much as possible.
Is there a service you recommend?
It seems odd to me that IPs can still be used to (semi-)reliably determine a client's geographical location.
With the immensely larger address space that comes with IPv6, does that give the Internet a chance to completely sever the link between geography and IP address? Or do we still have issues with aggregating routes in a space-efficient way?
I don't think limited addresses was ever the reason for assigning in blocks but the real reason is it makes routing easier. Instead of having every router know the path to 128² addresses it only needs to know that everything starting with these few bytes goes to this port which saves memory on routers.
Addresses should correspond to network topology in order to be useful for, you know, routing. And network topology tends to correspond to physical location for practical engineering reasons. Of course there's no reason someone couldn't run a cable halfway around the world to use IP space in one country from a different one (or use a VPN, is what people do in practice), but realistically what would they gain from that?
But that’s wrong. Having a massive address space makes it trivial to keep routable blocks contiguous no matter how many IPs they contain.
So Slack is a communications platform.
If we have an embargo against a country, we have to shut off any services we offer to that country? Including communications platforms.
Doesn't seem like that will help improve things in that country, or help the people in that country communicate.
I'm all for not sending a dictatorship steel or guns, but why would we cut off communications platforms? That seems batshit.
I'm betting that Slack only had to do this to comply with some dumb laws regarding sanctions because I am unable to see why anyone from these countries using civilian, commercial, non-sensitive services such as Slack would have any impact on sanction enforcement.
So why ban any account? Why not just drop connections from IP addresses in embargoed countries?
(Put another way, it seems like they’re saying some accounts remain de-activated. So which is it? Accounts are de-activated or IP addresses are blocked?)
This wasn't a bug, but a management level decision.
What made matters much worse for them was that their algorithm failed, also blocking unaffiliated with any of the embargoed countries. But the design itself is the bigger problem.
"It happens" is a poor excuse.
What if people with blocked accounts lost revenue due to Slack's decision? Will Slack pay for the damages?
Surely, the point of "not trading with Iran" is to avoid, through one's economic activity, enriching the citizens or corporations of Iran; and has nothing to do with preventing access to people who just happen to currently be within the geographic boundaries of Iran. (So: email blocking by detection of Iranian-ISP mail host = sensible; Iranian IP blocking = not-so-much.)
Unless, I suppose, you expect that a tourist accessing your service through an Iranian ISP, will be enriching the Iranian ISP to exactly the degree that you are serving them, and therefore, you are legally required to not serve the tourist, lest they enrich the ISP thereby. (That would be a hard point to prove.)
But actually, even if it was just the letter of the sanctions that you had to obey, I would expect that "not trading with Iran" would be a lot harder than it sounds—it would require, for example, that you do not trade with an Iranian citizen who is currently geographically located in, say, Mexico. How would you know? Your random IM webapp would need a KYC process (submission of ID documents, etc.) to be "sanction-compliant", wouldn't it?
Like often happens in warfare, collateral damage of other innocent people happened.
There wasn't even a requirement that they had to do it in such a cruel way.
Anyone still working there... fuck you.
Also note that all the major cloud providers in the US do not do business with embargoed countries. They all block IP from Iran, et al. to compute within the US, but allow it to compute within other geos, this extends to tech support, sales, etc.
I'm honestly surprised that Slack users within Iran could access the service running in US to begin with. In all likelihood they could only access edge servers located in other geos in APAC or the EU.
Look closely at everything Slack says in this message and others. "Enterprise Software" is tossed around a lot. They want to be the communications platform for the enterprise and have to meet these standards to compete with other offerings that exist today.
Technically their underlying problem is relying on IP ranges, wich is flawed and raises false positives all the time.
They seem to recognize they shouldn’t be doing irreversible and critical action with only that info, yet will still use it to drop traffic.
To me their message is “sorry we screwed with your accounts, going forward we’ll only screw with your messages”. Am I supposed to be that reassured ?
Probably they asked some junior engineer to write a database query looking for a list of accounts with IP logs that matched a range of IPs coming from the banned countries, and then they passed that list to another junior employee who deactivated the accounts.
Of course, there are many reasons for those IPs that are not your default/work/home, to be logged against your Slack account. They probably didn't think this throughly.
But the problem then is what they ought to rely on. If in fact they are legally required to deny service to those in sanctioned countries.
The whole thing is silly. I mean, anyone in a sanctioned country who was truly up to no good would be spoofing their IP address in some way. So most of the users that they ban or block will be innocent.
I don't get how IP-based geolocation could satisfy either standard.
One country decides "fuck that other country in particular", either alone by their power of sovereignty or together with some international body. The sanctioning country (say, the US) now declares economic sanctions against another country (say, Iran). Since the US can only directly make rules for citizens/entities within the US, they say "it is illegal for anyone to export goods or services to anyone in Iran - if your company does it, the company gets fined and the CEO goes to prison". They might also say "and if anyone else that I can't punish directly sells to Iran, I will prohibit my people from selling things to you!" to force others to also participate in their sanctions.
Now, the US gets a suspicion that Slack provided services to Iran. They arrange for the FBI (or whoever is responsible) to raid their offices, build a case beyond reasonable doubt that shows Slack provided services to a company in Iran, e.g. because said companies egress NAT IP was connecting and the user names match people working for that company in Iran. On top of that, they also show that Slack didn't do enough to prevent that from happening. Now, Slack gets fined and their CEO goes to jail (not sure if that's the penalty for sanction violations but I'd assume so).
Since the CEO doesn't want to go to jail, and the company doesn't want to be fined, they'll do whatever they can to avoid selling services to Iran. They can generally choose who they do business with, and its in their best interest to err on the side of caution. You have little recourse if Slack doesn't do business with you because they don't like your IP, and they're almost certainly well covered by their ToS.
Posting this I'm sure someone will take the challenge and can find an example where it wasn't assigned to the right country, but is it more than one in a billion IP addresses?
GeoIP databases on the other hand, the city and often even the province/department/state are very unreliable.
Try anything in 17.x
However, https://www.iplocation.net/ reports some results indicating that it's in the UK, and some indicating that it's in Tuvalu.
According to Hurricane Electric's BGP Toolkit, the origin AS for 5.62.58.0/23 is AS198605, with "Country of Origin: Czech Republic".[0]
But results from many ping probes (ping.pe, asm.ca.com and maplatency.com) indicate that the server is in Miami, FL, US.[1]
That's a lot different from Tuvalu, the UK or the Czech Republic.
0) https://bgp.he.net/AS198605
1) https://www.ivpn.net/blog/wp-content/img/HMA-fun-tv.prcdn_.n...