235 comments

[ 3.2 ms ] story [ 195 ms ] thread
(comment deleted)
I'm definitely living under a rock. Why is Slack being impacted by a trade embargo?
All US companies doing business internationally are impacted by US trade laws (eg; sanctions, trade embargoes), I believe.

Eg; you're not allowed to sell stuff to Iran, or certain individuals.

They can also bend those restrictions to non-US companies wanting to do business within the US. Just because the US embargoes/sanctions the sell of Iranian oil, or the sell of any nation's oil to North Korea, doesn't mean that it is illegal for other nation's companies to do so (unless their gov't also has similar restrictions). Here comes the but... the US then makes it illegal for those companies to do business within the US just because they were friendly to people the US doesn't like.
Because that's how embargoes work? They impact not only goods, but also services. The US has one on Iran. And as Slack is a US company (or rather, a company which has an interest of maintaining operations in the US, regardless of where it is based), it complies, thereby blocking service to any entities (e.g. people) in Iran.
Exactly. Embargos function by taking away the rights away of American businesses and people. Trade embargoes make it illegal for US entities and people to trade with certain groups of people.
Any US company is not allowed to do business/operate in embargoed countries. That's what an embargo means.
I'm puzzled. Does that mean nobody uses Windows in those countries? Same for Google/FB?
How did they not block based on nationality when they literally blocked a nation?
i am an american national and i go to canada. my access to netflix changes for reasons that have nothing to do with my nationality (what passport i have), and everything to do with what nation i’m in.
They don't care about the nationality of the person, just the location of the IP address.
I think they meant nationality as in the person's nationality, they were blocking solely based on an IP based location.
They were blocking everyone in that nation, regardless of nationality.
I see it as a technically true statement: they blocked users who looked like they were connecting from within an embargoed nation, regardless of these users' actual nationality.
They likely blocked by whether you ever signed in from a blocked nation. That's not necessarily the same as blocking any users who would qualify as exporting software to a blocked nation, which is also not the same as blocking everyone whose nationality matches said nation.
For context, one of the original reports of this was from (I believe) an Iranian-American with US Citizenship living in the US:

https://twitter.com/aaomidi/status/1075621119028314112

You might read that and infer that Slack is somehow tracking the national origin, ethnicity, or race of all of its users, which would be much fishier behavior than IP-based blocking. They're explicitly saying that they don't do that and that they don't have that information.

They're explicitly saying that they don't do that and that they don't have that information.

But they did do it, so what does that mean...

Did they? Or did they ban people associated with specific IPs?
Are the sanctions against doing business with Iran nationals or anyone with an Iran IP address? I would imagine the sanctions are in place to prevent trade with Iranian nationals.
A proper apology. These seem to have gone out of style.
Indeed. Compare and contrast with "sorry again for something new this week" Facebook. "We let everyone and their uncle access all your private data, my B dog." "Oh no, guess we helped cause a genocide, oopsie doodle."
This is yet another good reason to prefer decentralized networks. When Slack or Facebook or whomever agrees to block someone there is no resolution other than appealing to a company with a closed decision making process, something I don't think any of us really want.
Yep. Going to go ahead and throw Matrix/Riot out there as a great alternative.
Which platform would be better today from practical standpoint? for a remote team of developers. Matrix?
Matrix is the protocol, Riot is a Slack-like implementation of the protocol: https://riot.im/

You can use the default (free) Matrix homeserver with Riot and you'll basically have a free chat system without any setup (besides installing the client).

I've been using Riot for a while now, and while Slack does seem a bit more polished, having client-side encryption for all my messages gives Riot the upper hand: I don't worry about sending passwords or sensitive info as much as I do with Slack.

I pretty much gave up on Matrix after the following exchange: https://news.ycombinator.com/item?id=8697151

Perhaps I am overreacting, but that sort of attitude on matters core to basic privacy in the post-Snowden era seems both problematic and incurable.

It is planned to make riot enable encryption by default when it is fully stable but I totally understand why the protocol would allow it to be disabled. Matrix is about more than instant messaging and there are possible use cases where you may be using it for something that needs no e2e. Maybe you are using it to control the lights in your house and you want to write an SQL script that can read the commands sent to your light over matrix and tell you how long they were turned on for last month. You can't do that if the commands were e2e encrypted and you gain nothing by encrypting them.
Yes, you are overreacting. Perfect is the enemy of good. Encryption is not so easy when you have a room with potentially hundreds of users, each with many devices, and you have to safely share keys between all of them. I'm using it, and even in a 1 to 1 chat it can be a burden. They are working on it, and it will be default once it's out of beta. But there are reasons why you may not want to use it. And that's a personal choice that people should be allowed to make. Would you also disallow public rooms? Or bridges into non-encrypted services?

I care about encryption, you care about encryption, and they care about encryption. "Giving up on them" and saying their attitude is "problematic and incurable" is hurting, not helping.

Yup, you’re overreacting, especially given I wrote that >4y ago when we hadn’t even started implementing E2E encryption. Nowadays it’s almost complete and as others have said we will be turning it on by default for private comms in the coming month(s). (There is little point in E2E for a conversation which is public and being indexed by Google etc). Some deployments already have E2E on by default in fact (eg the french government deployment).
Anything I consider important that I post online is pretty much public. I also wrote private messages on Facebook, but I didn't upload photos or text posts that I didn't want the world to see. For that kind of stuff, encryption is just a giant waste of resources, in my case, so if I ran mastodon on my server, I would be glad that I can turn that off.

I still fell victim to apparently being reported as non-human (after 9 years of using FB with over a hundred RL friends and former class mates, many photos of me, real name from day one, and so on), and while I could send a photocopy of my ID to Facebook, as a matter of principle I didn't and won't, not without even having the right to confront my accusers. For all I know, they're bots, at best some people who didn't like a comment I made on some article -- and from the accounts of others, even showing your ID doesn't mean you won't get fucked over in a similar way again. There is just no real recourse, so why even start jumping through hoops, I'm not going to be party to normalizing that nonsense.

I also don't believe in technical solutions to social problems. Encryption gains me nothing in a world where my neighbours just shrug when I get carted off for having using encrypted communication -- or get booted off Facebook -- so that needs to be "fixed" anyway, and should it ever be, encryption would be something that protects you against criminals and assholes, not something that protects you against big brother. IMO it's lethal to assume it ever could or should. It's something we can and should use on our way to social solutions to social problems, but not something to rely on. I know that many people in other countries or very different circumstances NEED encryption, so they should have it, and I might use it out of solidarity and to give them cover even -- but that won't fix the problem anymore than Napster fixed the music industry.

We use Mattermost at my company, which works well for us and is entirely self hosted.
Seconded. I like controlling things myself and hosting them myself. Nobody (um, but AWS, our ISP, our DNS registrar, ARIN, oh and heck tons of others) can shut me down now.
> Nobody (um, but AWS, our ISP, our DNS registrar, ARIN, oh and heck tons of others) can shut me down now.

But in theory all of those can be replaced, a site that was recently in the news for being kicked off Godaddy, Google, tucows, Cloudflare, the Russian media watchdog, namecheap, DreamHost and a ton of others. Today its online using a Chinese based provider.

But yeah, if SV takes a disliking to you, it can be a right PITA to find some where to get back online.

But you are right, Someone somewhere has to host you and/or provide you with services (even if you self host) you are still dependant on to be able to stay online.

I'm still hoping they'll implement an SMS gateway. If Matrix could replace Google Voice too, that would rock my world.
There is one. I'm using it, it works, but it's a little buggy: https://github.com/tijder/SmsMatrix. I haven't been able to ignore my message app and trust the bridge 100% yet.

I'm hoping to spend some of my christmas break contributing some work to the project. I agree, bridging SMS into a chat service that you can use from anywhere is a killer feature.

What are the decentralized networks one should give preference to?
This is especially scary with SSO systems. Google/Facebook blocks your account? Guess what else you can't log into.
Its interesting to imagine what would happen if google blocked you from captcha.
This event made me realize I needed a good independent backup solution for Slack. I bought some tool to do it daily locally. I'll be able to move on to an alternative like Mattermost if the need arise.
Why is this a good reason to prefer decentralized networks? Slack is a tool for employees at a company to communicate with each other. At some point those communications need to arrive back at a server that lives inside the boundaries of a nation state that is one of the world's major economies. Most of the major governments of the world work together to regulate the worlds networks. But even if that wasn't true, what would you get by trying to leave the networks? Are you trying to evade the law? If so, why? If you don't like the law, you can always lobby to change it, but there will always be laws. You can and should work to make the laws better, but still there will be laws, and we all gain some benefit from living in a society with laws. Or if you disagree, what do you think the alternative is?
If you are not US based, you may want to trade and work with us-embargoed countries. Especially as the embargoes may come and go unpredictably as US foteign policy gets increasingly erratic.
What does Slack propose to do about access through a VPN so your real IP is hidden?

Of course in the long term this is just incentive for countries to support balkanisation of the Internet.

Reading between the lines, I think that's what they're suggesting.
They just do whatever the bare minimum is to comply with export laws.
It’s an arms race but can always invest in detecting VPN access — see for example trying to watch Netflix through a VPN.
Closing their eyes and pretending it doesn't happen, because with VPN they have plausible deniability/can claim they had no way to detect that they were actually providing the service to someone in a sanctioned country.
They should apologize for the cowardice displayed in adopting the discriminatory policies foist upon them by bad actors.
What changed recently that hadn't been the case for past years that made them add these new measures? A true, earnest apology would at least touch on the justifications for the changes more than just "become legal". But I understand that, sadly, that kind of transparency is a bit much to ask of any company these days. Still curious though if it was just an internal decision or spurred via government/legal threat/request.
Three or four years ago I helped investigate application usage from embargoed countries as part of an acquisition. The acquirer was performing due diligence, and this was a liability they needed to assess.

So, to answer your question, I doubt anything serious changed outside of Slack. Inside, however, maybe they got a new legal team that flagged this as a liability, or they're getting serious about compliance, or they're preparing for an IPO[1], or whatever...

[1] https://www.cnbc.com/2018/12/07/slack-has-hired-goldman-sach...

I worked at a couple companies where these "sudden pushes" to knock out embargoed countries were made. They both came when new legal counsel joined the staff.

It's very clear to me that this is some housekeeping attached to their IPO.

The US elected Donald Trump as President, who then reversed the Obama Administration approach to Iran and reimposed sanctions.

With respect to Slack, if they intend to IPO in 2019 they may be going through a due diligence checklist as others have suggested.

> We will soon begin blocking access to our service from IP addresses associated with an embargoed country. Users who travel to a sanctioned country may not be able to access Slack while they remain in that country.

Is Slack legally required to do this? As long as they aren't knowingly accepting payment from these countries, shouldn't they be in the clear?

How are other tech companies dealing with this? Does Google block access from embargoed countries? Does Windows refuse to work?

No it only does Google do it themselves but if you host at GCP then they automatically do it for you as well.
> Is Slack legally required to do this?

Yes, absolutely. Breaking sanctions is not just illegal, it's a criminal offense. There have been sanctions against Iran since roughly when Trump withdrew the US from the Joint Comprehensive Plan of Action [1] in May of this year.

The CFO of Huawei was arrested in Canada per a request by the US because of their dealings with Iran [2].

[1]: https://en.wikipedia.org/wiki/Joint_Comprehensive_Plan_of_Ac...

[2]: https://www.bloomberg.com/news/articles/2018-12-05/huawei-cf...

The CFO was arrested in relation to Iran but not because of it. She was arrested because she lied to banks and sold American made technology to Iran.

Slack is actually not required to do this as IM applications are exempt from sanctions.

Is Slack just an IM application?
The wording of the exemption applies only to personal communications and requires the service to be available at no cost to the user. There are plausible readings that Slack goes well beyond the exemption.

Still, even though the sanctions rules may apply, I'm glad Slack is reversing their overbroad application of these rules.

If a company like IBM or Amazon were to adopt slack, would that potentially require Slack to ban things? Both have government contracts, and could potentially export sensitive software to Iran this way accidentally.
Nope -- the stipulations of the licensing policy on Internet freedom in Iran are still in effect: https://www.treasury.gov/resource-center/sanctions/Programs/...

See specific of the current application of the rules here: https://www.treasury.gov/resource-center/faqs/Sanctions/Page...

   "Specifically, section 560.540 of the ITR authorizes the exportation from the United States or by U.S. persons, wherever located, to persons in Iran of services incident to the exchange of personal communications over the Internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging, provided that such services are publicly available at no cost to the user."
That says "personal communications". Slack is aimed at businesses, not personal use. It also requires "no cost to the user." Very well may not exempt their business model, though some room for argument exists.

Of course, any sanctions regime that does still apply wouldn't require the collateral damage of Slack's excessive initial ban.

Corporations and other business entities are persons.

Also, the license applies to services for a fee.

Also, exchanging information isn't embargoed.

The "corporations are people" thing is exaggerated in a lot of understandings, and I doubt corporations are deemed capable of "personal communications". Still, personal communications might be found to cover the communication among persons at the companies.

But Slack does support a lot more than just people chatting with people, like bot and app/SaaS integrations. Those clearly aren't personal communications and frequently accomplish more than just exchanging information.

Good catch that the license does have provisions for fee-based services as well. However, the person I was replying to quoted the one for no-cost services, so that's what I focused on in my reply.

I used Google Maps and most other google apps fine while in Iran. Youtube and some other sites are blocked, but that's actually from the Iran side. Of course these are all free services, I assume I could not have actually paid for any paid services.

EDIT: I know that Google AppEngine and probably Cloud are blocked, because they provide foreign nation with "computing resources", but that's also its own different bucket.

I honestly don't see the point of blocking simple users because of a political conflict, i.e. between governments. One answer that jumps to mind is that those governments are merely a representative of those users but in the case of Iran, we know what happened when people elected their leaders, so it's kinda hypocritical from that regard to punish users because of a leader we placed.
Yes, I work for a SaaS provider and we maintain blocks on access from a short list of embargoed countries.
Can’t publically trade your stock if your house isn’t in order.
I thought embargoes didn't apply to information anyway? You're still allowed to text someone in Cuba or even call North Korea, so how come Slack is banned?
Texts/SMS/voice calls etc are not encrypted. The NSA slurps that data up like a sponge wrapped in Brawny wrapped in a ShamWow. There's a huge list of why we can't export/sale things to certain countries, but encryption is one of them. Things that seem "innocent" enough like a hardware video box might qualify as embargoed because it has the ability to decode SSL network traffic. Can't let that tech get in the hands of the "enemy".
Encryption is not considered ammo since forever now. And slack doesn't have E2E encryption, and is an american company. The NSA can just knock on the front door and ask for the data, same as they would for an ISP.
Encryption is not considered ammo since forever now.

Regardless, there remain restrictions on certain countries.

It is still expert controlled to embargoed countries. The law makes no distinction between Encryption, so non-E2E doesn't mean anything.
But what encryption does Slack actually ship? If it just uses SSL then that is being done by the browser not the Slack JS code.
My understanding is that there is a general license for telecommunications with embargoed countries, so I suspect that this is not legally required, but perhaps Slack doesn't care to fight for it.

Phone calls, SMS, and the like work fine enough to embargoed countries (although North Korea doesn't allow that, except to a very limited set of phone numbers, mostly consolates), and that likely involves payments between phone companies in the embargoed countries and in the US.

I'm aware that Softlayer (IBM) blocks traffic to embargoed countries by default, but has a process to allow traffic, given documentation of exemption.

> Is Slack legally required to do this?

No, the reason is Saudi Arabia told them to.

> The Crown Prince also invested $45 billion into a SoftBank subsidiary, the Vision Fund, which made subsequent investments in a number of US tech companies. The Vision Fund made significant investments into Slack, DoorDash, and Nvidia. Slack declined to comment and DoorDash did respond to a request for comment as of publication.

I'd ask you if you had any evidence for this claim, but of course you don't. You have a very odd view of how investments work. Perhaps MBS went straight from ordering Kashoggi's execution to getting a random Iranian banned from an Internet chat system.
(comment deleted)
What would the penalty for non-compliance here be?
Fines if it's not a criminal violation, or potential prison time if it is. Since it's a corp, and the group think here is that corps are shields from jail time for the employees, then probably no jail time.

There's also the negative PR that comes with being labeled as "aiding and abetting the enemy".

Slack missed an excellent opportunity here: to be first US company to suspend services momentarily due to egregious and broken* sanctions imposed by the US on other countries.

* Broken in that they are levied against random individual citizens of sanctioned countries instead of groups trading with or state entities otherwise interacting with the US.

I'm a big fan and critic of apologies. This one is pretty good.

They admit the mistake was theirs and they take responsibility for it. They say sorry. They explain what they're going to do to fix the situation. They say they're going to learn from this and not have similar mistakes in the future. Pretty solid.

The only thing that is missing, in my view, is personalization. Tell me who you are, speaking for the organization. This humanizes the apology, and also gives a face to who it is saying they're going to improve. Ideally the CEO.

Still, I give it 8/10.

I'd subtract a few points for taking so long. Lawyers have gawked on this for hours to find holes, rendering the sincerity mute. 5/10

It's Slack, so actually 2/10.

This apology seems very generic and sterile to me. People are boycotting their product so they apologized.

They should have communicated with their users to begin with before taking such harsh actions.

Are people actually boycotting their product? They very clearly see their free users as their non-primary market (no automatic invites, no tools for individuals to block individuals because your HR department is supposed to deal with it, limited archives, etc.) and I'm not sure a "boycott" of a free service even counts anyway. And a paying customer is not going to be able to drop Slack on one day's notice any more than they could drop email on one day's notice. Were there actually paying / potentially paying customers who cited this as a reason to stop using Slack?
My Twitter is full of academics with students and collaborators from all over the world that are complaining that Slack just eliminated their ability for them to communicate over the service. I'm not sure how many of them were free or paid though.
Being involuntarily prevented from using a service is rather the opposite of boycotting, I think. (In the sense that boycotts are a tool of applying economic pressure to convince someone to change their mind, and if you're being kicked off you aren't actually able to exert any pressure.)
It isn't those that got kicked off that are boycotting. It is those that had students or collaborators get kicked off, that are now refusing to use Slack.
You can block users now? At megacorp we definitely couldn't, and as much as there were people I wanted to block and mandatory channels I didn't want to be in… all of the frigging the bots were the most unbearable.
Sorry, I was unclear. You can't block people on either the free or paid plans, because you're supposed to ask your HR department to ask people to behave, and if you don't have an HR department you're 100% not their target audience. I've complained about this to Slack multiple times before, see their responses about how as a tool built for work they can't implement a block feature: https://twitter.com/geofft/status/767857284827475968 https://twitter.com/geofft/status/770000987016818688 https://twitter.com/geofft/status/818517767607517184 https://twitter.com/geofft/status/1017193464415576065
Yeah I've seen that response too. While at megacorp I just stayed off of slack as much as possible.
All the same, it's good they took responsibility when they did. I don't use Slack at work at present, but being an emigrant worker myself (not iranian, but honestly it shouldn't really matter), the past week's events left enough of an impression on me that I would have likely strongly protested any attempts in my organization at getting a slack channel going. This response is at least well-written enough that it gives me pause, that I should research the company's track record more carefully before jumping to judgment. (they're still on thin ice as far as I'm concerned, but it's a step in the right direction)
Saying "they should have acted differently to begin with" isn't a valid criticism of an apology, or it would apply to all apologies.
That was my point. Unless the apology is of the type "it accidentally got deployed before we had the opportunity to test the change and communicate to users..." then they shouldn't have done it to begin with.
So you are saying we are never allowed to make mistakes?
I'm not sure you'll get a response as the OP probably can't hear you right up there on that high horse of theirs.
Your point is that you don't know what an apology is.
“If you were sorry you wouldn’t have done it to begin with” has also come up on several occasions in my personal life. Haven’t figured out how best to respond to that one.
If you did something wrong more than once and gave the same apology that statement would make total sense. The first time though is unfair and kind of selfish minded.
I've spilt things on people more than once, AFAIK that's not unusual. Does that make me at fault morally?

I'd say no.

Your thesis needs work IMO.

Make sure you don't fail morally by ever presenting an incomplete/unsound thesis again!

Spilling something is an accident. Other things can be mistakes but not accidents.
Spilling something is usually a mistake, and often can be mitigated; the point is that mere repitition of error is insufficient to prove moral degeneracy.
If repetition of a trait is not enough to demonstrate it as a core trait, what is?

(Serious question)

IDK at some point you should be investing in a sippy-cup
your willful misunderstanding is making this thread unbearable.
That's... not how the direction of time works.

By that argument regret seems impossible. Some nuance is probably lost here, to be fair.

Victims have the hardest hearts.
If you trust the person to not be acting on malice, then I'd not worry too much about the precise semantics of those words and guess that the person is mainly expressing their frustration, hurt, etc.

What about responding to that honest emotional expression directly? "Ouch. I hadn't realize how much I'd hurt you. Truly, I'm sorry."

I am not perfect and I am trying to be better.
There are a range of harms that are reasonably excusable and then those that are inexcusable. It's when people are excessively or inconsistently unreasonable that you're better off not associating with them and their BS. It's unreasonable to reason with an unreasonable person.
Your personal life sounds more exciting than mine.

In each case though you did it to begin with because

1) while you knew you would be sorry, you surmised you would be more sorry not doing it, or

2) did not believe anyone would mind your actions, or

3) did not realize you would so much regret it when others took offense to your actions.

#3 absolves you of nothing. #2 absolves you unless you thought they wouldn't mind simply because they wouldn't know. #1 could absolves you in theory, but might just reflect priorities that the recipient of your apology doesn't share.

All this is likely of little use to anyone, but I couldn't resist writing it down anyway.

All three of your possibilities imply that it was on purpose and understood to be wrong to begin with. What about if you made a mistake: you thought you were doing the right thing, but turns out it was the wrong thing. Or you thought what you are doing wouldn’t impact anybody negatively. Or you did the right thing but it didn’t work out the way you anticipated. Or it was an innocent and honest thing you did, but somebody else took offence anyway. You can be sorry for things without there being any malice at play.

We (humans) are not always good at predicting the future or other people’s reactions. We do stupid things and make stupid mistakes all the time and when these things affect others we often feel sorry that we did those things.

Don't those all fall squarely under #2 (supposing the act won't bother anyone)?
This statement would only work if one's could be perfect, if their actions would be not a mistake but a calculated misdeed and their apology would not be sincere.

If you are really sincere with your apology, and you are doing the best you can to fix what you did, so just ignore this kind of statement. You are doing your part.

From what I'm reading here, it would be impossible by your logic to effectively apologize. The only solution is to never make a mistake in the first place, which isn't a feasible expectation when dealing with humans.
(comment deleted)
I agree entirely with your sentiment. Still, I'm not sure corporate personhood means we should judge corporate action as we would human action. It's still not possible to expect corporations to never mistakes, but I wouldn't excuse it on the basis of their humanity.
I believe there are unapologizable offenses that reveal true intrinsic character character flaws that can't be regretted away, but this definitely isn't one of them.
I have character flaws. Do you propose that we exclude people with certain flaws from our online communities? Which ones? Lack of empathy is a popular target, but children under 7 almost all lack empathy and they can be generous and kind despite it being intellectually motivated instead of emotional. Adults without empathy can be similarly productive members of our communities.
Do you have any specific unapologizably offensive character flaws that you want to admit to, or do you want me to try to make a judgement of whether or not you should be ostracized from society based on your one vague comment?
>We did not block any user based on their nationality or ethnicity.

Okay, so how did you block them?

>As is standard in the enterprise software industry, Slack uses location information principally derived from IP addresses to implement these required blocks.

So, you blocked users based on their nationality.

>We do not collect, use, or possess any information about the nationality or ethnicity of our users.

you clearly possess enough information about the nationality of your users to block them based on it, which was your intent. You backpedaled when people who were not the target nationality began to complain.

I was in London last month but that doesn't make me British.
No, they blocked users based on location. I'm currently located in California, and this has nothing to do with my nationality.
Expats comprise less than 1% of the global population, and I doubt the number of international tourists at any given time pushes that percentage much higher. Use a VPN I guess, or better yet ditch Slack.
Likely a much higher percentage of Slack users though.
Nonsense. Much of Silicon Valley consists of foreigners, yet they didn’t block those users — a significant part of their user base ; thus the theory of ethnic or nationality blocking makes zero logical sense.
No. It's the exact opposite. The fact that Californian IP-s were not targeted makes it pretty clear that US nationals were not targeted. While other nationals were. And it also proves that Slack engineers are dumb as f@ck.
(comment deleted)
I'm Canadian, but live in Boston. My IP address shows where I live, not my nationality.
IP != nationality or ethnicity.
You gotta wait for IPV7 where your DNA sequence is your IP address, so they can block you and all your descendants.
> So, you blocked users based on their nationality.

Where you are currently located or resident is effectively unrelated to your nationality (unless you were born a citizen of your country and have never left it, not even for a vacation).

This comment by Slack was in response to several (fairly overblown) comments that they were racially targeting users ("Slack bans Iranian in Canada"), when in fact they were disabling accounts of people who have used Slack from an embargoed country at some point. To be clear, this is still bad, just not "blocking users based on their nationality". All of the outrage was over expats (or travellers) being blocked.

They were very to the point.
It seemed insincere to me with the emoji-like slack logo at the end of their post. I know it's a standard practice for them but if they wanted to appear sincere they should have discontinued that practice.
That just looked like a "signature" to me, it didn't come off as insincere at all.
The apology wasn't good just because it accepted responsibility, it was good because they acted responsibly. The incident lasted two days, and it was quickly corrected. Many other companies would ignore it for months, and a similar apology in that case would be feel far less sincere.

It's okay to mess up if you quickly correct the issue or at least quickly recognize it and try to correct it. The problems arise when incidents are buried or ignored. Late apologies are not apologies at all.

Apologies mean nothing without a believable promise to not behave similarly in the future. Furthermore, "sorry" doesn't excuse all behaviors. Doing something shitty like closing someone's account without warning and without an appeal process is inexcusable.
I think also apologies require explaining what changes they made and why they decided to do it that way. A look behind the curtain on why they chose way A when they could have chosen way B is illustrative to users.
2 days for people being locked out of their account, through no fault of their own, is a long time.

Slack is only apologizing due to the public uproar, as apparently many people were affected.

Our cofounder was also locked of his account. He's Irish and living in Romania, with nothing to do with the embargoed countries.

To make matters worse, he tried contacting support to prove his nationality and country of residence and 2 days later he's still locked out of Slack.

> 2 days for people being locked out of their account, through no fault of their own, is a long time.

In absolute terms yes. Compared to how for example google handles this it’s outstanding.

Most times Google has issues like that, it's for a free service, rather than something affecting paid customers, yeah?
No.

We had someone locked out of their email while using Google's paid company mail service (App engine, I think it was called). Several days with no mail and no useful support taught me that relying on Google can leave you with no recourse.

When I was consulting I had a client whose google ads stopped working for six weeks. She was spending $500 a week in ads, but Google wouldn't do anything to fix or even acknowledge the issue.

I also had Google accuse me of "click fraud" on a website I ran in college- they stole about $300 from me, with no ability to appeal.

Google's support- even for paying customers- is abysmal.

Are you joking? It provides no specific action they're taking to prevent this type of thing in the future, and it's internally inconsistent (who are "the people whose accounts we intended to disable" who they "will not deactivate their account and they will be able to access Slack when they return to countries or regions for which no blocking is required"?).

I've spent the day messaging and talking with friends who work within Slack in an engineering capacity who feel, frankly, betrayed by the organization. Slack advertises itself internally as an engineering-driven company and on the security side, has an incredibly elaborate system of internal controls that I have espoused emulations of during my consulting that, and I am being very specific without being too specific here, were bypassed to perform these account bans. Slack's security team was bypassed. Slack's internal controls were contravened. Slack has demonstrated that they can access every location you've ever logged in from and will cheerfully give that information up for the pleasure of the US Government without it even being required of them.

>I've spent the day messaging and talking with friends ...

Some of us use Slack because we have work to do.

>I've spent the day messaging and talking with friends ... Some of us use Slack because we have work to do.

How noble in reason! Some of us were banned without justification from our jobs today via the unjustified unilateral action of a private company. In fact, my job is to help companies secure their internal communications. So, talking with people about this was my job. What was yours?

What in the world makes you think they will "cheerfully give that information up for the pleasure of the US Government without it even being required of them"?

They're required by law not to do business in certain countries. They were over-broad and over-aggressive in how they tried to follow that law, unnecessarily shutting down accounts, which was certainly a fuckup. But I don't see any indication that they gave information to the US government.

>They admit the mistake was theirs and they take responsibility for it. They say sorry. They explain what they're going to do to fix the situation. They say they're going to learn from this and not have similar mistakes in the future. Pretty solid.

This doesn’t really mean much by itself. These are elements of the BP apology for the gulf spill as well. The only thing that matters is actions taken. Anything else is fluff part of standard PR.

I don't think anyone would say an apology is sufficient response. It's only a necessary component of a full response. But if a company screws up the apology right off the bat (as so many companies do), you can tell that things are not going to turn out well for them. So it's pretty interesting that so many companies (and individuals) write such bad apologies, so much so that it's pretty rare to see an apology even as good as this one.
(comment deleted)
Who says they didn't hire a PR firm to write this apology?
quality and sincerity are orthogonal.
This is confusing:

> We do not collect, use, or possess any information about the nationality or ethnicity of our users.

No nationality? Don't they kind of have to collect nationality in order to comply with the law on implementing sanctions?

They need to block people who are in (for example) Iran, not all Iranian citizens, or all people who have visited Iran in the past.
Aren't the sanctions on the country itself? It makes sense that you only block people that are in the country, not everyone that was born there.
While "banning by ip" will work for discouraging most users, a VPN service or a Proxy service (Socks, ssh, etc) would make it irrelevant if someone wants to use a service like slack, facebook or google...It just inconveniences those who do want to use it bad enough. To me, it's a "band-aid of compliance" to whatever agency has requested them to do a ban on certain countries IPs.
IANAL, but the legal standard is often "enough effort to show you tried, but it doesn't have to be perfect."

Which is usually taken as, "enough to inconvenience unintended targets, even if intended targets can easily avoid the punishment."

Faith in Slack mostly restored.
Nope sorry. Slack is a walled garden. And relying on a walled garden means handing over your control, freedom and privacy which eventually gonna lead to similar kind of exploitation/abuse.

As another HN commenter @SamWhited put it, "Using a proprietary protocol that doesn't allow any form of federation is an unacceptable way to build a global community". We need to develop and use FLOSS protocols/tools as much as possible.

These are good points, but wow are the walls Slack has built beautiful. The webhooks make so many things better.

Is there a service you recommend?

Webhooks are great, but slack's notification semantics are infuriating.
Does an IPv6 world prevent IP-based location sniffing?

It seems odd to me that IPs can still be used to (semi-)reliably determine a client's geographical location.

With the immensely larger address space that comes with IPv6, does that give the Internet a chance to completely sever the link between geography and IP address? Or do we still have issues with aggregating routes in a space-efficient way?

The commercial internet does not want to sever the link. It wants to be able to lock users out in certain ways, have blackout dates, etc.
In my limited understanding I believe that ipv6 blocks are given out to organisations such as your local ISP which let's you know the location because you can see who owns the block.

I don't think limited addresses was ever the reason for assigning in blocks but the real reason is it makes routing easier. Instead of having every router know the path to 128² addresses it only needs to know that everything starting with these few bytes goes to this port which saves memory on routers.

IPv6 address space is less fragmented than IPv4 (that's part of the point), so inferring location from IPv6 address is if anything easier.

Addresses should correspond to network topology in order to be useful for, you know, routing. And network topology tends to correspond to physical location for practical engineering reasons. Of course there's no reason someone couldn't run a cable halfway around the world to use IP space in one country from a different one (or use a VPN, is what people do in practice), but realistically what would they gain from that?

Thanks. I had some fuzzy idea backwards in my mind: that part of the reason IP blocks are correlated to location had to do with address space constraints.

But that’s wrong. Having a massive address space makes it trivial to keep routable blocks contiguous no matter how many IPs they contain.

This disturbs me.

So Slack is a communications platform.

If we have an embargo against a country, we have to shut off any services we offer to that country? Including communications platforms.

Doesn't seem like that will help improve things in that country, or help the people in that country communicate.

I'm all for not sending a dictatorship steel or guns, but why would we cut off communications platforms? That seems batshit.

Maybe KJU, Khamenei, and Raul Castro has a secret slack group for plotting USA's downfall. You never know! /s

I'm betting that Slack only had to do this to comply with some dumb laws regarding sanctions because I am unable to see why anyone from these countries using civilian, commercial, non-sensitive services such as Slack would have any impact on sanction enforcement.

> Users who travel to a sanctioned country may not be able to access Slack while they remain in that country. However, we will not deactivate their account and they will be able to access Slack when they return to countries or regions for which no blocking is required.

So why ban any account? Why not just drop connections from IP addresses in embargoed countries?

That’s what they said they’re going to do.
It remains unclear. From the blog post, it sounds like they banned a number of accounts, and now are manually unbanning some of them.
The line you quoted is specifically clarifying what they will be doing moving forward, which is blocking connections from sanctioned countries. Their post as a whole is their apology for the prior method, which did deactivate accounts.
Right, and their blog post also says that after de-activating accounts, they have restored access to some of them. So what about all the accounts they banned but have not unbanned? What if one of those accounts has only ever connected from an embargoed country, but travels in the future to a non-embargoed country? Will it be able to use Slack?

(Put another way, it seems like they’re saying some accounts remain de-activated. So which is it? Accounts are de-activated or IP addresses are blocked?)

That’s a hedge in case they missed somebody. If they said “we unbanned all the accounts” but via a search error they’d missed one, and that person commented “no, liars, I’m still banned”, it would be a whole new round of controversy. So instead they say that they got most of them and if they missed you, ping their support team and they’ll fix it.
Why didn't they do that in the first place then?

This wasn't a bug, but a management level decision.

Because their management made a mistake. It does happen.
Blocking people's accounts based on their affiliation with certain countries, instead of blocking just IPs and with no prior warning given is a pretty serious mistake to make.

What made matters much worse for them was that their algorithm failed, also blocking unaffiliated with any of the embargoed countries. But the design itself is the bigger problem.

"It happens" is a poor excuse.

What if people with blocked accounts lost revenue due to Slack's decision? Will Slack pay for the damages?

What else do you want us to say? We're not omniscient.
I'm curious whether IP blocking is actually enough to comply with the spirit of a trade embargo.

Surely, the point of "not trading with Iran" is to avoid, through one's economic activity, enriching the citizens or corporations of Iran; and has nothing to do with preventing access to people who just happen to currently be within the geographic boundaries of Iran. (So: email blocking by detection of Iranian-ISP mail host = sensible; Iranian IP blocking = not-so-much.)

Unless, I suppose, you expect that a tourist accessing your service through an Iranian ISP, will be enriching the Iranian ISP to exactly the degree that you are serving them, and therefore, you are legally required to not serve the tourist, lest they enrich the ISP thereby. (That would be a hard point to prove.)

But actually, even if it was just the letter of the sanctions that you had to obey, I would expect that "not trading with Iran" would be a lot harder than it sounds—it would require, for example, that you do not trade with an Iranian citizen who is currently geographically located in, say, Mexico. How would you know? Your random IM webapp would need a KYC process (submission of ID documents, etc.) to be "sanction-compliant", wouldn't it?

Its actually pretty funny. US and others says that Russia forcibly occupy Crimea. But now all people of Crimea is under embargo, not Russia. It like if its not enough, lets beat them harder.
Well, the people of Crimea wanted it, so there's that.
Nobody forced people of "Crime" to go to vote for occupation. Formally, no one asked Russians if they want this occupation.
Internet should not be censored.
Why should anyone even bother using "Slack" when there is internet relay chat?
Slack employees participated in indiscriminate warfare against innocent people. Because economic sanctions are a means of warfare by definition.

Like often happens in warfare, collateral damage of other innocent people happened.

There wasn't even a requirement that they had to do it in such a cruel way.

Anyone still working there... fuck you.

My theory: Slack did this rough shot to get a deal signed with a major new client and to support the due dil.

Also note that all the major cloud providers in the US do not do business with embargoed countries. They all block IP from Iran, et al. to compute within the US, but allow it to compute within other geos, this extends to tech support, sales, etc.

I'm honestly surprised that Slack users within Iran could access the service running in US to begin with. In all likelihood they could only access edge servers located in other geos in APAC or the EU.

Look closely at everything Slack says in this message and others. "Enterprise Software" is tossed around a lot. They want to be the communications platform for the enterprise and have to meet these standards to compete with other offerings that exist today.

It’s still profoundly disturbing to my eyes.

Technically their underlying problem is relying on IP ranges, wich is flawed and raises false positives all the time.

They seem to recognize they shouldn’t be doing irreversible and critical action with only that info, yet will still use it to drop traffic.

To me their message is “sorry we screwed with your accounts, going forward we’ll only screw with your messages”. Am I supposed to be that reassured ?

My guess is that this was a poorly thought and prioritized issue.

Probably they asked some junior engineer to write a database query looking for a list of accounts with IP logs that matched a range of IPs coming from the banned countries, and then they passed that list to another junior employee who deactivated the accounts.

Of course, there are many reasons for those IPs that are not your default/work/home, to be logged against your Slack account. They probably didn't think this throughly.

I find it profoundly disturbing the US foreign policy has been hijacked by Israel and Saudi Arabia.
I totally agree.

But the problem then is what they ought to rely on. If in fact they are legally required to deny service to those in sanctioned countries.

The whole thing is silly. I mean, anyone in a sanctioned country who was truly up to no good would be spoofing their IP address in some way. So most of the users that they ban or block will be innocent.

Sanctions aren't about stopping people who are up to no good. They're supposed to hurt the country as a whole, which mostly means hurting the innocent. The idea is that this will incentivize the country to stop doing the thing it's being sanctioned for.
OK, so I know nothing about the legal context for sanction enforcement. But in the US, the standard of proof in criminal cases is something like "beyond a reasonable doubt". And even in civil cases, it's something like "preponderance of the evidence". In my experience with pollution torts, that typically meant >50% probability of causation. But it usually devolved into battles of experts, and Daubert challenges.

I don't get how IP-based geolocation could satisfy either standard.

Sanctions work like this:

One country decides "fuck that other country in particular", either alone by their power of sovereignty or together with some international body. The sanctioning country (say, the US) now declares economic sanctions against another country (say, Iran). Since the US can only directly make rules for citizens/entities within the US, they say "it is illegal for anyone to export goods or services to anyone in Iran - if your company does it, the company gets fined and the CEO goes to prison". They might also say "and if anyone else that I can't punish directly sells to Iran, I will prohibit my people from selling things to you!" to force others to also participate in their sanctions.

Now, the US gets a suspicion that Slack provided services to Iran. They arrange for the FBI (or whoever is responsible) to raid their offices, build a case beyond reasonable doubt that shows Slack provided services to a company in Iran, e.g. because said companies egress NAT IP was connecting and the user names match people working for that company in Iran. On top of that, they also show that Slack didn't do enough to prevent that from happening. Now, Slack gets fined and their CEO goes to jail (not sure if that's the penalty for sanction violations but I'd assume so).

Since the CEO doesn't want to go to jail, and the company doesn't want to be fined, they'll do whatever they can to avoid selling services to Iran. They can generally choose who they do business with, and its in their best interest to err on the side of caution. You have little recourse if Slack doesn't do business with you because they don't like your IP, and they're almost certainly well covered by their ToS.

I've never seen the whois info for an IP address resolve to the wrong country though. The owner is registered with the regional IP something (RIR if I'm not mistaken - like ARIN, RIPE, etc.) so that should be quite reliable.

Posting this I'm sure someone will take the challenge and can find an example where it wasn't assigned to the right country, but is it more than one in a billion IP addresses?

GeoIP databases on the other hand, the city and often even the province/department/state are very unreliable.

> I've never seen the whois info for an IP address resolve to the wrong country though.

Try anything in 17.x

Consider HideMyAss server fun-tv.prcdn.net (5.62.58.220). They claim that it's in Tuvalu.

However, https://www.iplocation.net/ reports some results indicating that it's in the UK, and some indicating that it's in Tuvalu.

According to Hurricane Electric's BGP Toolkit, the origin AS for 5.62.58.0/23 is AS198605, with "Country of Origin: Czech Republic".[0]

But results from many ping probes (ping.pe, asm.ca.com and maplatency.com) indicate that the server is in Miami, FL, US.[1]

That's a lot different from Tuvalu, the UK or the Czech Republic.

0) https://bgp.he.net/AS198605

1) https://www.ivpn.net/blog/wp-content/img/HMA-fun-tv.prcdn_.n...