I'm not sure I've ever 180'd on a compliance practice as quickly as I have with GitLab's compliance policy repo transparency. When I first stumbled across it during the telemetry situation last week I thought they were nuts. Absolutely nuts. But reading through this thread and the one posted last week it seems like an incredibly effective approach. People from all areas of the company, not just legal/compliance are giving input and asking the right questions. And, just as important, they're not asking the wrong questions.
It's a bit of a chicken/egg situation - is there a strong culture of compliance because of the transparency or does the strong culture of compliance make transparency a non-issue? Whatever their secret sauce I think Wall Street could use some.
This one actually makes me scared for Gitlab. I feel like their exposing themselves to a lot of extra liability by making these discussions public.
For instance - it's been suggested (I don't know if rightly or wrongly) that they have a customer who asked them to do something that would violate the US boycott laws. I'll assume that it is the case that they've been asked to violate these laws.
According to a plain reading of a document someone linked here [0] that means they are required to report the request to the US government. I'll assume that it is the case that they are required to report it too, even though I'm not a lawyer, and that's not really an authoritative source.
> The EAR requires U.S. persons to report quarterly requests they have received to take certain actions to comply with, further, or support an unsanctioned foreign boycott.
If they don't (because they forgot, because they disagree with that interpretation of the law, because they don't want to piss off the customer, etc) they now have a public facing record of them violating the law. Even if the assumptions are wrong (they likely are) and they aren't violating the law, someone might decide they are and it might result in lengthy/costly legal battles.
How many other examples like this probably live in that repo for anyone to see?
You're concerned because you're worried if they violate the law they'll be held legally accountable? Isn't that the entire point of transparency / accountability?
>Probably the US government or something like that?
The requirement to block some class of people off from some customers is nothing new, and back at Sun there was separate Sun Federal which was dedicated for such clean business.
GitLab's approach (and i think it is just a start of the trend in the industry, time to get rid of the accent :) while theatrically good isn't practically efficient. A Chinese or Russian residing here with some family back at the Motherland is susceptible to the same pressure in the loving, yet firm hands of the Motherland as if s/he were residing there her-/himself. So the next absolutely logical and necessary step for GitLab on this path is to block all Russians and Chinese who has at least some family back there. Giving that there may be other ties too and the hassle to verify (to which degree of relationship?), simply blocking all those nationals would the natural and practically efficient way.
It seems obvious to me that the kind of pressure to which you are referring is not limited to family. It would be easy enough to threaten a high school boyfriend. Or the family of your child's former best friend. Or a former co-worker. Or any friend. Or even a complete stranger.
Extortion can be effective well outside family lines.
And, of course, extortion is equally effective on USians, Brits, Indians, Nigerians, or anybody else.
The title seems misleading, the article specifically states this does not effect any current employees, presumably as they have none in China and Russia.
> As such we feel a country block is the most humane solution at this time--especially because it affects zero current employees
The block is on current non-residents of China or Russia from moving to those countries. <strike>Not on any present residents of those countries from having further access.</strike>
<BOLD>See self-reply below, not the case.</BOLD>
Though that is alluded to as a possibility, with complications.
No? It would seem to apply to current employees who move to Russia/China who are in roles covered by the block. i.e. they would have the choice of moving and changing roles/quitting, or staying.
It does block them from moving to that country. So if a current employee was planning to move to either country soon they'd be prevented from doing that.
I've danced this dance at a previous company when we had an employee working from a country of interest for an extended period of time. They were air-gapped from our systems and it worked because they submitted everything by pull requests (the original way, sending git patches by email). They didn't have access to our CRM or any customer systems because several of our contracts - not just with governments but also major multinationals - prevented employees in certain countries from having access.
Even when I traveled to the same country I used a burner laptop that was decommissioned when I returned. When we EOL'd laptops in the office they'd go in the burner pile to have one last holiday abroad before they were wiped again and sent to a local charity.
All the people who are saying they've never seen a contract with a term like this, I'm just sitting here wondering how my experience is the opposite...
I've done some travelling to risky places before (Kiev and other places) and even though the networks were hostile there, I still don't understand the point of pretending that Russia et al can't get into Gitlab whenever they want to. They can. Air-gapping isn't going to slow them down.
I think it would probably be costly to bribe someone in the "allowed" countries. I'm not going to risk going to prison for some small sum of money, and a large sum of money is logistically difficult to give me. People will ask questions, the scheme will probably be found out.
Meanwhile, if the government can just arrest you and say "change this repository and you go free", it's essentially free.
> I still don't understand the point of pretending that Russia et al can't get into Gitlab whenever they want to
Security isn’t absolute, it’s layered. The harder you make it for the adversary, the more it costs the adversary (eg: potentially burning a zero day), and the more chance there is of detection.
Can Russian intelligence get into Gitlab? Probably. Are measures that make it more expensive liable to deter them? I think so.
As the subject of this thread also points out, there's an important factor of risk to the individual: to prevent them from getting put in a position where they can be coerced into turning over data access.
> They can. Air-gapping isn't going to slow them down.
Two points here. First of all, failing to acheive absolute security is not a justification for ignoring best practices.
Second, this isn't air gapping. It is preventing a bugged laptop from sitting in on conference calls and meetings for the next year or two until it gets aged out.
Correct, this block would be for two functions (Site Reliability Engineer and Support) and we currently have no people in that role in China and Russia.
Please note that we're still discussing this change. We work out in the open so you can see us working on it. I hope that people appreciate the difference between that and what you would see in a non-transparent company (probably nothing, they would just not open up a vacancy in the offices in that country).
Well actually we have over 1000 team members (all are remote) and only half are in the US. The other half are in 63 other countries. If you want to see where we all work from you can check out our team https://about.gitlab.com/company/team/.
The reason this is viewed from a US legal perspective is because we are a US company so we are governed by US laws.
Make sure your employees are all white Americans, or else they might be spies from other countries. Esp those Asian faces, they are untrustworthy. You should fire all of them.
Would you consider extending this to other roles? If you remember the Juniper VPN backdoor was so well done it would have likely (or did) passed code review, putting most software engineering in to scope.
Additionally would this extend to individuals who are of Chinese or Russian origin? China in particular leans on nationals who are on visas or have family still in country to conduct espionage operations.
It would be strange to not accept code from certain countries since we are an open core company that gets contributions from around the world. There are other ways to prevent supply chain attacks. A difference with data is that there are always multiple people involved before code is merged while data can be extracted by a single individual who has access.
> A difference with data is that there are always multiple people involved before code is merged while data can be extracted by a single individual who has access.
It sounds like you just need to harden your production perimeter. Jump boxes with two-man-rule access and terminal logging. Apply the same practices to data as you do code.
> Discriminating on origin is likely illegal.
You should ask your legal folks about the national security exceptions of Title VII. It sounds like your customer requirements are pushing you in that direction anyway.
Make sure your employees are all white Americans, or else they might be spies from other countries. Esp those Asian faces, they are untrustworthy. You should fire all of them.
Concerns on privacy, data and IP are understandable. However, this ban would be a symbolic move with absolutley zero substance. The world is small and highly interconnected and it would be extremely easy for the Russian and Chinese governments to compromise and co-opt support staff from pretty much any country of their chosing. This will lulll your customers and your infosec teams into a false sense of security. Considering how forthcoming you are with the names, roles and location of your team. They would pick you off in a heart beat and you would not suspect or see it coming. The Chinese are extremely well entrenched across the global - with enough money to grease anybody's wheels. Not to mention it would be trivial for them to get their "agents" passports from anywhere in the world
It affects no employess (per clarification in this thread) presently in affected roles.
It could affect present employees who are in other roles, located in China or Russia, from moving to a covered role, whilst continuing to reside in China or Russia.
Ok, I've temporarily changed from the submitted title ("Gitlab blocks current employees and stops future hires in China and Russia") to the page title—which I assume is accurate but is uninformative—until we get clarity about what an accurate, neutral title would be. Does anybody want to suggest one?
Edit: I've provisionally gone with "Gitlab blocks hiring SREs and Support Engineers in China and Russia". If that's wrong, or if anyone can suggest a more accurate and neutral title, we can change it again.
@edjdev wrote
There is an unacceptably high risk that these nations may apply pressure to individuals living within their borders with sensitive data access (based their role at GitLab).
Given the current australian law changes, the rampant israelian IT spy sector and despotic Belarus position on human rights, it's surprising that they only mention China and Russia.
This whole debacle doesn't look good and makes one to loose all faith in Gitlab.
Debacle? The week hasn't even started yet. Let's take a moment to breathe.
China and Russia are known to put pressure or watch/listen on nationals who work in key positions in foreign companies.
As US allys Australia, Israel don't pose the same threat. A lot of information that could be gained would be available through the US government and shared with the those parties if there was a need.
Yes debacle, because why are we only talking about gov secrets here. You know, industrial espionage is real too and some big potential customers could just as well reside outside the US.
There are definitely Chinese and Russian spies but there are spies from many countries besides those. The question is why are you singling out those countries and why now.
The reason is that there is a Cold War brewing between the US and China and this company has become an agent of that war.
The seems to be a propaganda war against China brewing in the US. I last saw this level of jingoism when Bush Jr decided to take over Iraq on the pretense of Saddam Hussein supposedly having nuclear weapons. All the TV network anchors were pushing for war and pushing the supposed threat. Later we find out it was all lies.
Spying is happening between all nations and the leaked cables showed this.
Why those two countries specifically? In Russia you can get imprisoned for a variety of political/strategic reasons if you refuse to cooperate. China implemented there own internet for spying.
When you visit these countries you are advised to buy new devices and throw them out on return to avoid backdoors.
General Powell misleading the UN and TV networks was based on having chemical weapons. Nuclear weapons is the fear with Iran. It was believed because the UN weapon inspector Hans Blix was being railroaded with fake traffic jams and other tactics preventing him from investigating. After he pulled out and Sadam had a history of using these types of weapons on his own people, it made the claim easier to accept without more proof.
Direct imprisonment in Russia isn't the reason for this topic, Federal Security Service had succesfully got their cooperation proposal accepted in most of the cases due to the unlimited number of ways they could coerce their target.
>get imprisoned for a variety of political/strategic reasons if you refuse to cooperate
The same is true of Australia, the USA, and the UK - these nations have no issues with imprisoning each others citizens if it behooves them - i.e. if the individual chooses not to cooperate with the military-industrial-pharmaceutical complex.
>As US allys Australia, Israel don't pose the same threat
China or Russia would not pose any threat if they managed to completely infiltrate US institutions, because they would be, at this stage, the US greatest allies.
Sure, China might try to constantly drag the US into pointless wars in Asia, but again it would be fine because it would be to defend the interests of China, the greatest ally.
I'm surprised we (Australia) aren't already on more of these lists.
After having this discussion with my manager and colleagues (the conversation with my manager was in my interview process where I bluntly stated if I was asked to comply with anything from this law, I'd immediately resign, my manager also agreed). Everyone I've spoken to agreed we'd immediately resign since it was the only potential option to protect our selves as employees and our employers.
Edit: I'll need to spend a little more time looking into the Assistance and Access Laws. The following article attempts to downplay some of these concerns:
You are assuming that is actually an option. There is nothing to suggest the current Australian government would not prevent you from resigning until the task had been completed. This is the same government currently attempting to make it illegal to boycott businesses that are damaging to the environment.
They don't have legal authority to prevent you from resigning.
Also, the proposed anti-boycott rules have been widely criticized as unconstitutional, unworkable and ludicrously against the conservatives free speech pronouncements. Unlikely they would get support from Senate cross bench.
Executive powers in Aus aren't that strong - they'd have to pass a law to give themselves that specific power. I don't think there's one to permit this now, though I'm no expert and there are many obscure laws.
That's the good(ish) news - the bad is that restraints on the passing of bad law are generally pretty weak in the absence of a hostile Senate. This is particularly true with the current feeble opposition, and even more so given the general atmosphere of cowering obeisance that the major parties have allowed (or encouraged) to develop around any legislation involving the word 'security'.
There is a good description of the many shortcomings of the legislation at https://stateofit.com/interception/ and https://stateofit.com/interceptionpart2/ -- TCNs (compelled changes) are not the real problem, its the more than willing compliance from companies with TARs -- voluntary technical assistance requests. It is unclear how much (if any) the company is shielded from civil suits for complying with TARs.
The problem is not really that you couldn't resign -- it is that the company would hire replacements that would get the job done. The company executive would be compelled to.
Albanese (and his forgettable deputy Marles) have so far been a disaster for the ALP.
> Since National Security Letters exist, blocking all employees from the US would also be logical.
Sure, it would be, especially for companies located in neutral countries, but since US influence is so strong everywhere almost all over the world that's also practically impossible.
"Every animal is equal but some animals are more equal than others"
We haven't seen the implementation details for Gaia-X, but it would not be unreasonable for it to include that priviledged persons (admins, company management) by EU citizens and resident in the EU, or possibly even FR/DE only. Full document below in Deutch.
China and Russia obviously have their own systems, but many other countries some some element of national control which is less obvious. Japan certainly has a mature native cloud capability, although it would be highly disruptive to move everything to it.
Its like plans to be 'cloud agile', it doesn't work unless you deploy to both every time, and you probably just double your cost and bugs for deployment ops. So the tendency will be towards cloud balkanization. Which could really suck, or it could force a path away from proprietary APIs towards standards, which will suck in a different way.
It's the same in France, and many other western countries.
I think it's just the usual "Australians not realizing they live in a bubble", and kindly warning the rest of the world about laws or practices that have already been in place in our countries for twenty years.
AFAIK there is no law in France where the government can force you to do something you don’t want to do related to your employment. They can however seize your devices.
That is not true. There is no such law in Germany, and the public backlash against it would be enormous. In the east we had a government that would pressure citizens to spy on each other -- any hint of that would be political suicide on all levels...
NSLs only bring back non-content information (eg, a call record, but not a recording of a call) and are issued under the Stored Communications Act. Unless you happen to be the owner of a sole proprietorship that falls under the act, you can't be directly issued an NSL - it's issued to the entity which holds the records (eg AT&T).
(1) it's a non-antiquated English word, etymologically linked to the antiquated foreign word (it entered English a long time ago.)
(2) In English, both hari kari and hara kiri are accepted spellings (the word came into English before modern, maybe even standardized, transliteration, and the source language doesn't natively use the Latin alphabet.)
(3) But, in any case, you are right that it is misspelled.
That's the spelling in my phone's dictionary. If I were writing about ancient Japanese cultural traditions I might have checked. I think Japanese people, being inveterate word-stealers, would understand.
As an Aussie living & working overseas I'm still not sure if it applies to me and makes me a liability? I know they can't enforce it unless I go home but I will someday
It does make you a liability. Australians can be shanghai'ed into working for the Australian intelligence agencies wherever they are on Earth.
I'm also an Australian living overseas, have worked on many sensitive projects that would be of interest to the Australian government and its masters, and I'm quite prepared to give up my nationality over this issue.
In the case of Chinese-based employees the assumption is that anything they did would go through Chinese Government controlled networks (there's VPN ban even for foreign businesses) and likely result in your intellectual property being shared with your Chinese-based competitors. Not to mention their access being potentially compromised and used.
If an Australian-based employee complied with a letter, they could destroy your business reputation when it got out, even if you threw them under the bus. Probably the main reason Australian employees are still given latitude is that committing compromised code into the codebase would require involving everyone who could possibly see that code change.
Yeah I would assume most only don't have them on the list because they weren't actually dealing with them in the first place and had no expectation to have a use for them.
I suspect this is driven more by surveillance or sabotage risks posed by employee access rather than jurisdictional risks.
Australian law is likely to have little impact on what an SRE or support engineer might be able to do. Australia having an established practice of recruiting and placing enterprise surveillance moles would.
China and Russia have some history with this latter. Though one might say similarly of the US and Israel, as two examples.
Alright, I also thought about Israel and AU at first but this thing is so political
that no way can they include US allies in there because gov wouldn't approve this sort of thing.
To my eye, american companies are becoming more and more like chinese companies in the amount of control governments can extort on them and that is highly troublesome.
I know of a couple major us companies that do include Israel along with other usual suspects but they don’t spray about it on the internet. There’s also growing concern regarding what corporate equipment you can take across us border so there’s that.
I'm shocked (in a positive way) about the amount of transparency Gitlab provides.
Even as a reader, it almost feels as if someone misconfigured the ACLs or I'm reading leaked internal documents, not an intentional decision to make this open. Some of the discussions seem highly sensitive, and yet it seems to work for them.
Thank you, Gitlab, for being so open! I've learned a lot about compliance from just reading this thread. For anyone curious, here's some background on the mentioned boycott laws: https://www.bis.doc.gov/index.php/enforcement/oac
Thanks! We try to be transparent by default and even when it is difficult. I think the OP is a good example of something that is hard to be transparent about because the decision isn't obvious and it takes discussion to come to the best conclusion.
I just read your CEO page section about flaws and how to engage you about your flaws. On the topic of transparency, I'm curious if this has been working. Do people feel comfortable bringing them up? Is it helping you improve?
I'm eager to find ways to be a more transparent person at work. I want to eliminate "politics" and "games" where possible and for work to be Wysiwyg.
I hoped that people would use the sentences I proposed on that page but that never happened.
What is helpful is that when people raise a concern I can recognize it more quickly and show them it is clearly my flaw. This doesn’t happen often but it happened last week.
Congratulations on taking a step in the right direction, even if it is a very small step. Nobody else seems to take the threat seriously, somewhat excepting defense contractors of course.
I can understand being reluctant to deal with the full extent of the problem. Somebody from China, with a family in China and subject to Chinese law, does not cease to be a security threat by moving to the USA and getting a green card. This gets awkward.
It really is no surprise that valuable secrets of all types (private key, customer data, trade secret, insider info for trading, etc.) end up in other countries.
In china, not from China. The former is easy to justify, and would affect even Americans of non Chinese descent. The latter would be incredibly difficult to justify, and could easily be seen as unwarranted discrimination.
Well, technically it is discrimination, but not racism. I.e. you can still hire a Japanese developer, and with a Chinese regime change you might be able to hire Chinese developers. However, federal law prohibits discrimination based on national origin. This is a touchy subject, but maybe this no longer makes sense? As burfrog pointed out, a Chinese employee living in America isn't free from Chinese control; the gov't will do bad things to his family if he gets a request for, say, information or access and doesn't comply. I'm hesitant to endorse allowing discrimination by national origin, but on the other hand, it doesn't make sense to allow the Chinese access to any kind of important data.
It doesn’t matter. As long as a security clearance isn’t required, discriminating based on notational origin is a big no no from an ethical perspective, even if it was legal.
> discriminating based on notational origin is a big no no from an ethical perspective
However, discriminating based on exposure to coercive pressure from aggressive and hostile foreign powers is probably OK, even if such exposure is heavily correlated with national origin. The key is that the discrimination must be based on an individual analysis of the applicant and his/her life circumstances.
It's not OK to blanket deny any person of Chinese ancestry.
Denying such a person access to sensitive data or positions might be OK, however, if that person is exposed to coercive threats by, e.g. having family located in a jurisdiction known to use its power over expatriates' families as leverage to recruit sources and agents.
So long as the intent is genuinely to serve a compelling interest in protecting against security threats and the vetting policy is as narrowly tailored as possible to minimizing insider risk from applicants with vulnerability to certain threat actors, I think such a policy could pass ethical and (IANAL) maybe legal muster.
I disagree completely. By that reasoning, a presidential candidate of Chinese descent who was a natural born American citizen but had relatives back in china would be disqualified, and that is nowhere justified by the constitution. A private company likewise shouldn’t be able to discriminate on speculative threats alone. What if they had a relative in prison, a hostile coercive environment by any measure?
I accept that I do not qualify for a high security clearance because I’m married to a Chinese national. I don’t think that should have any bearing on any other jobs that don’t require such clearances (nor my wife nor my son should be subject to such restrictions).
The Title of Nobility / Emoluments Clause [1] and the natural born (and age) qualifier are fairly specific as to what the framers thought were overly corrupting influences for the office of president.
They notably did not include "or family".
The expectation presumably being that foreign powers were clearly enough signalled to tread carefully with regards to exerting pressure on government officials.
At high levels, that seems reasonable. At lower levels, where there's less scrutiny and less opportunity for diplomatic redress? "Reasonable" measures seem murkier.
> By that reasoning, a presidential candidate of Chinese descent who was a natural born American citizen but had relatives back in china would be disqualified
Not so. The Constitution is very clear on eligibility requirements for the President. A natural born American citizen of Chinese descent who otherwise satisfies the requirements in Article II, Section 1, Clause 5 is perfectly eligible to run for the office. If there is concern about potential leverage foreign states have over that candidate--as there rightly would be if our natural born American had close family in PRC--voters might vote for someone else. My position is that such a motivation on the part of the voters is ethical.
> I accept that I do not qualify for a high security clearance because I’m married to a Chinese national. I don’t think that should have any bearing on any other jobs that don’t require such clearances (nor my wife nor my son should be subject to such restrictions).
First, I agree that your or your son's relationship to a Chinese national should not be sufficient grounds to deny you or your son any given job. My position is that a narrowly tailored policy to reject candidates with high risk of coercion from sensitive positions, or to limit such employees' access to sensitive data, is probably OK. Having close family residing in PRC unfortunately does raise the risk of coercive pressure being applied. If your wife has no surviving close relatives in PRC and she never goes to visit, you and your son should be assessed to have no greater vulnerability to coercion than any other citizen with otherwise similar circumstances (debts, addictions, etc.).
Second, I am curious why you disagree completely, yet accept that your relationship with your wife may disqualify you from holding a government security clearance. That means you accept that the government has an interest in protecting classified information from foreign powers, and that your relationship raises your risk profile. Do you not accept that private companies have an interest in protecting their IP and customer data from theft or sabotage? Or do you not accept that your relationship also raises your risk profile for these positions? Just because a position may not require a clearance does not mean that position is not highly sensitive to a potential insider threat. And unfortunately the PLA's targets are not restricted to intelligence agencies; they target virtually every sector of our economy.
> Second, I am curious why you disagree completely, yet accept that your relationship with your wife may disqualify you from holding a government security clearance.
This has to do with companies making their own rules about what is right or wrong without any checks, balances, or voter feedback. Security clearances are actually defined by law, I’m against corporations becoming their own extra judicial entities.
> This has to do with companies making their own rules about what is right or wrong without any checks, balances, or voter feedback.
As far as I understand, companies are generally free to make their own hiring decisions, so long as they do not amount to discrimination against a protected class. That limitation, by the way, stems from federal legislation--so companies are very much not extra-legal entities operating without any judicial accountability. If a state or federal Congress decide to further regulate companies' hiring decisions, they are free to do so.
I don't understand what exactly you would like companies to do: Simply ignore potential security risks? Do you have a specific process you advocate should be used to evaluate risks? What different kind of restrictions on companies' personnel decisions would you like to see? Do you just have a problem with a focus on risk from family members in PRC as opposed to a broader vetting process where that is only one risk factor?
> Security clearances are actually defined by law
I am not sure that an exact formula for grant/deny decisions exists in statute. These decisions strike me as inherently subjective, although certain facts are obviously pertinent to the decision. I would be very interested to read the relevant laws and regulations, though, if you'd be so kind as to point me to them.
As long as companies are operating faithfully within the law, they’re free to do that. And you’re free to criticize it and boycott it.
Companies like Apple and others should be allowed to be concerned about theft of sensitive data just as much as the government. Just because it’s not a matter of national security doesn’t mean it’s okay.
Nobody here is trying to discriminate against a race. The problem is having ties to relatives living under a government that is known for making people disappear. The same would apply for a white person with many relatives there, etc.
Your argument of companies not being allowed to take cautionary steps against a foreign government doesn’t hold water.
> I’m against corporations becoming their own extra judicial entities.
They already are, with most disputes being settled with Binding Arbitration rather than via the court systems.
Others have already pointed out though, that a company needs to act in its own interests and one of the things it would certainly find interesting is whether an individual is capable of being coerced into sabotaging/sharing corporate trade secrets.
Constitutionally speaking, the President does not require a security clearance; the President ex officio has unlimited access to classified information. If there are concerns the President may be vulnerable to foreign influence, the constitutional processes to address those concerns are election and impeachment not security clearances.
Is it a constitutional principle that no secrets may be kept from the President? Or is it just that the “security clearance” system is currently based on executive orders that the President issues, rather than Congress exercising its power to “make Rules for the Government and Regulation of the land and naval forces"?
According to the Congressional Research Service, "By virtue of his constitutional role as commander-and-in-chief and head of the executive branch, the President has access to all national intelligence collected, analyzed and produced by the Intelligence Community"
I think if Congress tried to pass a law limiting the President's access to classified information, the Supreme Court would likely find it to be unconstitutional.
True. Trump wouldn’t have qualified for high security access anyways just given his public relationship history, not even considering what an FBI clearances check would dig up.
> By that reasoning, a presidential candidate of Chinese descent who was a natural born American citizen but had relatives back in china would be disqualified
If large numbers of voters felt that, then they would never get elected.
> nowhere justified by the constitution
The voters are entitled to vote however they like; that's implied by the constitution.
> I accept that I do not qualify for a high security clearance because I’m married to a Chinese national
Then you essentially agree with me.
> I don’t think that should have any bearing on any other jobs that don’t require such clearances
I agree. The question is, which jobs should require such clearances?
Here's a very clear restriction you're faced with: You could never become a Chinese citizen. Why must be pretend that it's ok for this to be entirely one-sided? We should give what we get, imo.
The situation with presidential qualifications is one-of-a-kind special. Hiring at tech companies isn't spelled out in the constitution.
Constitutional requirements can also be changed, and it is long past time that we do so. The country has been around for 2.5 centuries, and now has hundreds of millions of people. We wouldn't suffer a shortage of presidential candidates if we required that all 4 grandparents (determined all possible ways) and all descendants and spouses have been born in the USA, along with all living ancestors and descendants of all of those. The job is simply too important to allow otherwise. (this would disqualify the most recent two, along with failed candidates like Romney and Cruz)
For tech companies we shouldn't be quite so extreme, but it also isn't good to ignore the problems.
You can't assume what ethical choices a person will make, before they make them. A Chinese citizen in that situation might find a way to get their family out of China, or otherwise find a way to avoid the issue, or just flat out refuse. You can't just take it for granted that you can't trust someone without much more specific evidence. That's a very greasy slippery slope towards justifying highly constructed justifications for discrimination.
China seems to have noticed how accusations of racism, xenophobia and "white supremacy" are a very effective button to push to try and get western countries to act against their own interests.
The thing is, coming from a country that is practicing cultural genocide against various ethnic groups, we can probably take those accusations and survive.
If a security clearance requirement suddenly makes it allowable it argues that it maybe isn't unethical, unless the argument is implicitly that it is ok to ask for unethical things when involving a security clearance?
You can rest assured that we did not, I have zero doubt that if there ever was another war at that scale we'd have internment camps for nationals of the enemy before the end of that war.
> discriminating based on notational origin is a big no no from an ethical perspective
Yes it is. You know what's also a big no-no from an ethical perspective? Letting China win so they turn the world into a global dictatorship with concentration camps, organ harvesting and ubiquitous surveillance.
Sometimes you have to do a bad thing to prevent a worse thing.
Have you ever been to China? Such discrimination happens left, right and center. If you’re of an “acceptable” origin and have the right skin color, you might be ok...
I lived and worked in China for almost 10 years. I get that the foreigner glass ceiling is much lower there than here, and things like naked officials are actively discriminated against in government. That has nothing to do with the USA, however.
Well, it does. Because they will use your ethical values against you to slowly boil you like a frog in a pot 'til you find yourself in a concentration camp having your organs harvested. Sometimes bad things have to happen to prevent worse things.
Because there are less people of ethnic minorities than in the majority demographic. That’s why they’re called minorities. The key point is that they have a chance.
Depends "national security" is much more than defence industries back when I worked BT the team leaders on some projects where getting positively vetted for SC clearance - That's top secret in US terms.
Arguably now the FANGS are now CNI - which is going to suck if your on a H1B or Green Card.
Discriminating someone because of their Chinese ethnicity would be hard to justify but what about Chinese citizenship (especially if it's the only one) or ties to China like family living there? Those would make someone vulnerable to pressure by the Chinese government.
No. As long as someone has a green card or citizenship, who cares where their family lives? The only exception would be for national security clearances, and those affect Americans as well.
Is it legal for a private US company to apply (some of) the same tests used to determine national security clearances in its hiring decisions? Or is the government the only entity allowed to make decisions that way? I'm genuinely asking, I haven't thought about this conflict before.
I on the other hand think that splitting countries into allies and enemies is stupid. China is a huge country, and excluding a billion people from your company just because their government does questionable things sounds like a pretty bad idea.
If you are really concerned about the confidentiality of your data, don't store it unencrypted in some SaaS where every customer service rep has full access to all your data. At that point you're already so vulnerable that exluding potenential employees from a whole country is just pointless security theater that some suit with an MBA thought up to justify his position.
> I on the other hand think that splitting countries into allies and enemies is stupid. China is a huge country, and excluding a billion people from your company just because their government does questionable things sounds like a pretty bad idea.
There are only two ways left for China getting rid of its dictator government. The first one is flattening China with nuclear weapons (conventional war is impossible to win) which is obviously inacceptable, the second one is totally excluding China from any and all international trade.
The third way (trade brings democracy) has been disproven over the last decades. Even worse, the Chinese dicatorship has taken our weapon of free trade and turned it against us. Our domestic production of many goods has completely shifted to China, our failure to treat Africa decently instead of using it as dumping ground for excess food and clothing has led to China filling the investment void and to top it off China has been using our money to buy up our companies and leverage that to shut down democratic protest (think of the Blizzard fuckup).
China is an enemy and should be treated as such if the Western world wants to survive instead of turning a blind eye towards genocide (e.g. the Muslim Gulags).
Are you in USA? Should other countries refuse to employ USA citizens because of actions of the government - things like pulling out of Syria to enable the Turkish murder of the Kurds to continue.
No, Germany, which also faces massive problems with Chinese buy-outs and industrial spionage.
> Should other countries refuse to employ USA citizens because of actions of the government - things like pulling out of Syria to enable the Turkish murder of the Kurds to continue.
I would wish so, but I'm realistic enough to know no government wants to put themselves into the spotlight of Trump's Twitter account and trade war threats.
>> China has been using our money ...
> The best way is to vote with your money then?
We as individuals can't do shit about international trade. No matter if I live vegan or not, pigs will be slaughtered in inhumane conditions. No matter if I drive an SUV or not, climate change will grow. Systemic issues need to be dealt with those who have been elected for this job.
By invading another country? I guess that's what the U.S. tends to do.
I believe people have a right to self determination. Borders are just lines on a map. I know America doesn't believe that, and that's a valid viewpoint too, just one I disagree with.
>No, Germany, which also faces massive problems with Chinese buy-outs and industrial spionage.
Well, Germany has gased 6 million people, started two world wars, caused more than 40-50 million deaths, and continues to strong arm EU and have hegemonical aspirations...
Perhaps they too should be cut out of international trade or nuked just to be sure? The allies had the right idea, split them into two countries and make sure to keep their heads down...
>The Germans of today have as much to do with the Holocaust as I do with American slavery.
You mean they continue its spirit in new ways (redlining, police bias, incarceration bias, racism, federal and local government neglect of their districts, under-representation etc) like it's the situation with blacks in the US?
>Should Germany have been isolated in 1939? Sure. Does that apply 80 years later when things have changed? Of course not.
Better safe than sorry. 1939 was not that far from 1918. In fact the whole spirit of splitting the country in East/West and have it have no army, as officially expressed by US, USSR, and European officials was exactly that -- to prevent future aggressions. They, having witnessed both WWI and WWII knew better.
> things like pulling out of Syria to enable the Turkish murder of the Kurds to continue
That's an incredibly disingenuous take. America has no business being there in the first place, so there is nothing wrong with having US troops leave that region.
By your logic, the US is responsible of all the atrocities in the world where it doesn't have special operators acting as human shields.
Besides, your FUD is a bit dated. Kurds simply went seeking protection with Syria and Russia and in the end, not much happened.
Well, the US government wont make my family disappear if I don’t cooperate, for starters.
I find it intellectually dishonest to compare the USA’s foreign policy with a dictatorship government that forces compliance through threats on local relatives, etc.
This is a thread where Americans are debating whether we should "flatten" a billion people via nuclear bombardment because they don't govern themselves the way we think they should.
I'd pick a different spot to call us morally superior. Like, any other thread.
Are we? I’ve seen a reasonable discussion so far on policy and ethics. There will always be trolls.
I never said anyone was completely superior. But in this specific case.. we are, because American citizens (and their families) don’t disappear for criticizing their government or for refusing to spy on other countries.
That's awfully cherrypicked if you're going to limit things to specifically political prisoners.
We have LOTS more prisoners, btw, 4x as many per capita, with a nasty racial bias. And that's before you get into all the dead Arabs and Latinos who dared to have a government that wasn't freedomy enough for us.
What's your exchange rate between those? Do you value the tiny number of people speaking out against the state's legitimacy that much, when were talking millions of other innocent lives?
Becoming suddenly sure that we MUST kneecap our rival for totally sound moral reasons is soooo American. I feel like I'm living in groundhog day and nobody else can tell.
There's a pretty significant online mob who really want to split HK off of China. I'd call 'kneecap' reasonably apt.
As far as hegemony.. I'm sorry you don't believe that :) Why is specifically China the Big Bad Guy if it's not about hegemony? Why aren't we focused on cleaning our own house first if it's about justice and freedom?
Like, if this isn't about power, we could at least stop actively supporting the horrible regimes that are useful to us? That seems like a pretty easy thing to do. Why hasn't it happened?
> here's a pretty significant online mob who really want to split HK off of China
There are significant online mobs dedicated to anything. That's not really a convincing argument. People who are advocating independence don't understand the situation, nor do they even understand what the protestors actually want (it's not independence).
> Why aren't we focused on cleaning our own house first if it's about justice and freedom?
It's almost as if America isn't comprised solely of 1 person! Not to mention, why can't people focus on both? This argument is basically "america has issues, so it can't point fingers". Not only is this an unconvincing argument, it doesn't make sense because what is "america"? Is it me, a singular US citizen? Is it Gitlab, a company headquartered in America with ~50% American employees? Is it just the US govt?
> Why hasn't it happened?
Because people aren't informed and don't vote based on that. That is another complex discussion in and of itself, but most people that I know are against it, so I don't really get what your argument is.
It's also complex over there, where Americans don't speak the language or understand anything about the culture or history. Our lack of understanding does not make them 1-dimensional movie villains in reality.
1. I do not need to comprehensively understand a country's culture to know about security risks and totalitarian governments. In fact, both of my grandparents and parents lived in and fled from a communist country, so I know a thing or two about that.
2. I do not need to comprehensively understand a country's culture to understand when human rights abuses are happening.
This argument is a form of -gatekeeping-. "Only X people can really discuss this issue", except you can move the goalposts whenever necessary.
People often don't understand American culture or history (and sometimes don't English either) but that doesn't seem to phase them when discussing America, etc.
Where you're wrong is that while both countries have skeletons in their closets, only one of them is blatant, espouses and has no qualms about kidnapping/murdering/torturing their own people, and is many factors more evil despite us not even knowing the full extent of their actions due to the opaqueness of their government. Hint, it's China. Last time I heard, the US doesn't have a Nazi-era concentration camp in 2019 enslaving 2,000,000 minorities, harvesting their organs, torturing them, erasing their culture, desecrating their graves, and forcing the women to marry into Han families. The irony is that you can only make these ignorant attacks on America because there is freedom of speech in the US while in China, you'd be silenced the moment you hit send.
> Well, the US government wont make my family disappear if I don’t cooperate, for starters.
Right, if you're a U.S citizen maybe not, otherwise they'll do that and worse, read on "enhanced integrations", kidnappings etc.
So the U.S is better domestically, (still employs prisoners as effectively slave labor, treats minorities harshly, lets people die due to lack of healthcare...), but it is worse in terms of foreign policy, so in the end it seems to be a bit of a wash, doesn't it?
I don't understand how these things somehow result in there being no difference between the US and China. Of course it's an imperfect system.
Try handing out flyers about civil rights in Washington DC and then try it in Beijing.
Of course it's easy to criticize the electoral college but look at the results of direct democracy recently, Brexit, the initial rejection of the FARC peace agreement in Columbia. There's a reason representative democracy is prefered to direct, it's just difficult to get a balance. Odds are that the Electoral College will be gone in my lifetime.
Is the authoritarian Chinese system better? Of course not.
> Of course it's easy to criticize the electoral college but look at the results of direct democracy recently, Brexit, the initial rejection of the FARC peace agreement in Columbia.
The obvious counter-example to this argument is Switzerland, which has been a direct democracy (or as close as you can get) for more than 120 years.
Brexit wasn't caused by the system by which the vote was conducted. It was a genuine public sentiment that had been cultivated through decades of media propaganda and scapegoating by politicians. Yes, the fact it was a single-issue vote made the issue more prominent, but it's entirely possible that the same result may have occurred through a general election if the right parties had been galvanized in the same manner.
> There's a reason representative democracy is prefered to direct, it's just difficult to get a balance.
I wonder which group of people overwhelmingly prefers such a system. Political apathy is rampant throughout the world of representative democracies, with a prevailing sentiment that people's views aren't being represented. Two-party politics results in elites being able to control the scope of options available to the electorate.
> Odds are that the Electoral College will be gone in my lifetime.
We can only hope, but that won't solve the two-party problem (or any of the other problems in American democracy such as the rank corruption).
> Is the authoritarian Chinese system better? Of course not.
Is anyone arguing that? The whole point being made is that America is in no position to take the moral high-ground. The US financially (and usually militarily) backs 70% of the world's dictators.
It's always a small group of people apply forces on the rest. In communism, it's the party members. In capitalism, it's the board of directors. communism prioritizes fairness. capitalism prioritizes freedom. People who want fairness hate capitalism. People who want freedom hate communism. Too much fairness but too little freedom bankrupts communism: people die in a fair manner. Too much freedom but too little fairness crashes capitalism: people die from voluntarily killing each other. Stop feeling superior to anyone else, but start acting. Western society has a lot of fairness problems to solve. Let's start solving them.
Is the US worst in terms of foreign policy? Seems like the peoples of the South China sea, Tibet, and Hong Kong might have different opinions on that matter.
Also all the nations in Africa with newly built debt trap infrastructure.
The US has done some truly shit things abroad, but we’ve also been the dominant superpower during a period of unprecedented stability, prosperity, and peace when you look at the numbers.
Sure Iraq was a shit show, and I’m of the opinion that war crimes were committed during enhanced interrogations.
But the entire history of the world before WWII is just one long history of war basically everywhere. Open market slavery.
The US isn’t perfect, but the alternative filled with constant regional conflicts everywhere certainly seems like a worse alternative to me.
Edit: not sure why I waded into this conversation.
Curious though, I’m seeing the 4x prison population for USA per capita number bandied about.
On one level, I see that number slowly improving as we stop arresting people for smoking marijuana.
And on the other, I’m really curious, and have no idea, are China’s Uighur population which are in “reeducation camps” counted in China’s numbers?
Aren’t they harvesting people’s organs in those places?
Rough. America’s always had a lot of outright and systemic racism but my feeling is that it slowly but surely keeps getting better.
I have a feeling Generation Z is going to be pretty open about things whether it’s sexuality, skin color, gender, or whatever.
Ultra PC and call out/cancel culture is another thing with it’s own warts, but yay for a society where an entire generation can push forward this new ideology of being whatever the hell you want to be.
The boomers are dying out, the evangelicals and religious are losing people every day.
I have faith we’ll be fighting for human rights and climate change accords soon.
I really hope at least.
So to conclude, my opinion, we’re no paragon of morals and values, but our history shows a slow but steady stride towards an ideal, one of freedom, and individuality, and opportunity, for all.
We take steps back, we make awful mistakes, but over the long term, we always move forward.
That’s the America I believe in. I hope I’m not wrong.
This is very U.S. centrist, I'd grant you the relative peace and stability if you're in the West. But 70 years isn't that long and you could find empires with long stretches of time where relatively nothing was fundamentally changing for the dominant population of some of the long-lived empires. The U.S. in its modern form and position isn't around even as long as the golden age of democratic Athens was around.
Sure, there were historically always some tensions at the border regions of these empires, but there are pressures of such nature felt in Europe now too, (the U.S. has the advantage of being physically very, very far from the regions in unleashes its worst policies on, so of course it's less felt there).
Also, all empires saw themselves as in some way policing, keeping peace and bringing their enlightened values to what they saw as the lesser. If we see that kind of thinking now as wrong, then I really don't see how the U.S. is so much different from the empire model of old.
As for China, I agree its regional foreign policy is not great, the problem is the U.S. doesn't just keep it regional. It treats the whole world as its backyard.
If you're a non-U.S. citizen, the unipolar world is not so great. I don't want China to say replace the U.S. as the dominant superpower, I want it to offer a counter-balance. I want the EU to be its own great power, offering counter balance to both, bringing both democratic values & a more humane treatment of its own citizens than the U.S. has, especially the less fortunate.
Just because my kitchen's on fire doesn't mean I shouldn't report the murder occurring at my neighbor's house. I can be concerned with both, and should be. So while I'm trying to put out my kitchen fire, I should also probably be on the line with emergency response. I am not my government, nor is my government going to disappear me for loudly criticizing it and supporting politicians that would work to stop our moral failings.
> the US government wont make my family disappear if I don’t cooperate,
Don't be so sure of that. If you hold valuable information on a foreign state, you will be accused and quickly convicted under various national security laws if you don't co-operate.
You severely under-estimate the power of a state, especially one as powerful as the US. If they want something from you, they will get it. Have you broken a minor law? Maybe you've been stellar, but some member of your family hasn't. The likelihood of being in an entire family with spotless records is very very low.
Even in that example, the US government would not make my family disappear. Please cite any reputable sources that you have to the contrary, because anything else is a spurious claim. I'm not going to argue over various conspiracy theories.
Corruption and unfair things exist in every single country, but we do have the right to freedom of press, speech, assembly, and due process.
To be clear, I'm not arguing for any such conspiracy theories. All I'm saying is that the State can go after you and your family if you refuse to co-operate with it on important enough subjects.
I do agree that the barrier for that may be lower in more authoritarian states, as they're not restricted by the system of laws in the US. Maybe that's the best we can get.
USA has been a dictator around the world for a century. So many unethical wars involved. So many radical movements are cultivated by US propaganda. Now these fear fed propaganda are dividing itself and destroying the future. People who are blind to all these are the ones full of fake Democracy ideology.
> totally excluding China from any and all international trade
I don't have an opinion whether this is the right thing to do or not.
But regardless of my opinion, how does not hiring chinese citizens help with that? This just sounds like harassing chinese people because of their government.
If you really wanted to change something, hiring chinese people and showing them what the western world is like would be the best thing to do.
Harassing chinese people because of their government, and at the same time buying all the stuff their factories produce, sounds like the most idiotic course of action if you want to change the status quo.
Harassing : the action of subjecting someone to aggressive pressure or intimidation.
Where do you see any harassment ?
Gitlab has no Chinese or Russian employee so far -> so nobody got pressure or intimidate, ffs.
China is harassing the rest of the world. China is systematically spying with state wide support. China is bullying with military, economic or soft power. China is a threat.
* Recently, in France, concerns were raised by the intelligence community about the outsized number of young Chinese students flirting / marrying with military & defence engineers. You don't even need to spy, really, just marrying people to stop any aggressive ideas toward China spreading. I mean, you would not push to war against your wife's birth place where you are now visiting every year, right ?
Gitlab is simply pragmatic and clear-minded, their teams works in transparency and trust, they can't handle potential threats without a deep rework. I think it's much more than just having permissions baked in their systems, it's the whole defence industries layering that they would need to acquire.
Western players are now actively reducing their Chinese exposure (buying less critical stuff from their factories, cf. Huawei's affairs, moving factories to others countries). I am afraid it's too little too late.
While western people, and even more highly educated western people, have low levels of nationalism, Chinese people are brain-washed into thinking it's the best country in the world, best ever. Helping China is very important and their authorities have lots of leeway to push this.
Currently using Gitlab, I am glad they are aware of the issue and of their limited capacity to stop it from inside. Putting the fox in charge of the hen house, am I right ?
> if you really wanted to change something :
It's not West mission to bring democracy in China, it's not our country, they are grown up already and will keep finding their own way. It's typically USA ego to think the whole world must be awoken to USA values. The rest of the world is fine, thank you very much. We witness South America's fate in the XX century and Middle East's fate in the XXI. China just want western technology : buying, trading or spying it.
The most idiotic course of action has been followed already by moving the whole factories chains to China and thinking we could keep the knowledge here while it is applied there.
If you are a citizen of a state that is known to coerce its people to work for it, you are not an individual, you're a state-level actor.
If you are known to directly or indirectly provide assets to a government and said assets are a critical part of the infrastructure, you're responsible for the safety of the government in your dealings.
An American company refusing to recruit people from China is just the US government refusing to hire the Chinese government to run the country, not companies discriminating against individuals. This holds true even if you swap the states in the previous sentence.
For the record, I'm not a citizen of either of the aforementioned countries but my home country has a similar relation with its neighbor.
> If you are a citizen of a state that is known to coerce its people to work for it, you are not an individual, you're a state-level actor.
You are putting collective blame on a billion people for the actions of their dictatorial government. This is not a reasonable position to hold in a supposedly enlightened society, it is rather just a thinly veiled excuse for run-of-the-mill xenophobia.
Nobody blames anyone here. The point is that anyone who lives (or has family) in a dictatorship can be easily blackmailed by its own state, with no legal recourse.
>The first one is flattening China with nuclear weapons (conventional war is impossible to win) which is obviously inacceptable, the second one is totally excluding China from any and all international trade.
The world had had more invasions, interventions, toppling of legitimate governments, etc, from the US than from China. And while the US keeps democracy internally (unlike China) they have supported all kinds of dictators abroad.
So there's that.
The mere fact that you were even considering "flattening China with nuclear weapons" to bring democracy (even to discard it) is telling of the US imperial mindset...
And the same is for the interventionist idea of "totally excluding China from any and all international trade".
Yeah, let's risk internal chaos, power struggles, civil war, famines, etc in a sovereign nation like China, because they don't have a system of government we approve of.
As if intervention to "bring democracy" worked so well in Libya, Iraq, Afghanistan, and several other places besides, who cares for the million out of their homes, rising fundamentalism, killed, etc, they're not white enough...
When does some countries finally understand the concept of "mind you own effing business"?
It's incredible how many people miss this basic point. Land is a fixed quantity. Every square inch a state controls was at some point take from some other state or group of people. Big states were just better at this.
> China has a long history of war. The US doesn't even have a long history.
Please don't move the goalposts. We're talking about the current State of China, which came into being in the mid 20th century, and is thus a lot younger than the current US state which traces its founding to around 1776. By that measure, the US has been involved in far, far more invasions and wars than the Chinese state.
Right...perhaps you should ask the good people of Tibet, or the Muslims in western China if they feel that the Chinese government "minds its own effing business".
I have several friends from Xinjiang, yes, they complain about some (who don't complain about their government in life? As far as I know, Utopia is still a dream on the planet), but they feel good, even proud of their government. One of them, a girl, even volunteered in the rehearsal for the National Day parade.
For Tibetan, the government freed them from the old cult (you may don't know their nobles used to wear slave skin clothes and drink from human skull bowl), build railways accelerate their economy, lower the university score for them to help them get educated, enfranchise them to vote, propose new proposal in People's Congress, etc. So how do they feel about their government? I mean those Tibetans who live in China.
What's more, Tibetan, Muslims in western China, they are all Chinese people, so their issue IS the Chinese government's own business.
Your friends are presumably not detained for continuing to believe in the religions of their parents, so they're going to have a more positive outlook based on the state of the economy.
Even if you think that it's desirable for the government to try to accelerate secularization with its "re-education camps," the implementation is guaranteed to cause a lot of suffering. The rushed timeline for construction, involuntary detention in the resulting cramped quarters, guards and teachers who were hired quickly with essentially zero training... all of this is just setting things up for physical and psychological abuse of inmates. Just look at the cases of 杨永信 and 豫章书院 torturing children to cure them of internet addiction to see how far people are willing to go if there's no oversight and their aims are supported by mainstream opinion. That the government tries so hard to suppress negative reporting doesn't exactly inspire confidence that abuse will be prosecuted.
My personal prediction is that the majority of inmates are going to come out of "re-education" traumatized and with a justified hatred of the government. I'm sure they'd prefer it if the government stuck to their business of modernizing the economy, instead of trying to force loyalty in the most ham-fisted way possible.
Yes, they sure are not detained, because no one gets detained for religious belief in China. The freedom of religion is written in the Constitution of China, the government shall protect their belief (you can check it yourself, it's the No. 36 in Chapter 2).
I doubt the existence of the so-called "re-education camps", but I don't have enough evidence to prove it's a lie. (I think is hard to prove a thing don't exist, for example, I'm an atheist but I can't prove the absence of any god)
"杨永信" and "豫章书院" is never supported by the mainstream opinion, their existence only indicate there are a bunch of people don't know how to raise their kids, and blame their children's disobedience for so-called "Internet addiction". Many Chinese people hope the government put an end to "杨永信" and "豫章书院", but I don't know why they don't. However, this issue is not akin to Xinjiang and Tibet issues because there's no religious or minority involved.
1. While the Constitution of the People's Republic of China does protect religious freedom, this is only under the condition that the religious beliefs in question do not disturb the social order, cause bodily harm or obstruct the national education system. That means in practice, people will be detained for beliefs that are considered too extremist.
2. Would you believe me that they exist if I called them "education centers" instead? Try searching for 教培中心 in http://www.xinhuanet.com/politics/2019-03/18/c_1124247196.ht... It is described quite clearly that people can be brought to these centers even if their extremist beliefs do not otherwise amount to a crime.
3. I specifically brought up "杨永信" and "豫章书院" because they don't involve minorities. I didn't mean that they were mainstream in the sense that most people would approve of their methods, but there's definitely widespread concern about students spending too much time on the internet and too little studying. It's just that most schools take a less brutal approach to the problem and confiscate their student's phones instead of using torture.
Given your statement that
> Many Chinese people hope the government put an end to "杨永信" and "豫章书院", but I don't know why they don't.
consider that many Uyghur people hope the government put an end to the conditions in those "education centers" and don't know why they don't.
4. Do tell me if any of this is unconvincing. I'm still working on an airtight argument that is acceptable for someone with the perspective that the CPC is trying to do good in principle.
1&2. Oh, sorry I forgot the extremist. So what would you do when you face an extremist? Ignore him so he can stab innocent people in a railway station? Or you show him why he shouldn't do that, maybe even teach him some skills so he can make a living and become a part of society? The latter is exactly what "education centers" do according to the link. And it is described quite clearly that the center is not a prison or Auschwitz (go back home regularly). So I answer your question directly: I believe "education centers" exist, but it's not a synonym referring to the fabricated "re-education centers".
3. Your refute is valid only if the presumption is real, I applause sincerely for you, but how can you stand for many Uyghur? I live with Chinese every day so I can present more or less their thought, did you get in touch of some Uyghur or you just surmise their thought from, let me cite Trump, "Fake News"?
4. I really hope to read your airtight, immaculate, irrefutable argument!
> Ignore him so he can stab innocent people in a railway station?
Maybe not, but not all beliefs that are defined as extremist are of the stabby kind. It's a bit hard to get information on which specific beliefs are covered; http://www.xjnj.gov.cn/jgdj/flfg/201502/09174829hwdu.html talks mostly in general terms, but does explicitly mention "活佛转世". Belief in reincarnation is not exactly a violent ideology, but it does create a separate hierarchy (of reincarnated lamas) that does not directly answer to the CPC, which I guess falls under the "social order" exception. Also, various kinds of headscarves and beards seem to be forbidden alongside the Turkish/East Turkestan flags: http://xjtzb.gov.cn/2017-06/19/1121167392_14978365485711n.jp... (I realize the image is watermarked by some random WeChat account; but the reposting by the Xinjiang branch of the United Front seems like an endorsement.)
> maybe even teach him some skills so he can make a living and become a part of society? The latter is exactly what "education centers" do according to the link.
I don't have a problem with that in itself, but that's contingent on the implementation. Making the plan work requires lots of resources, not just the one-off construction of buildings, but also teachers, guards and other supporting staff. There's already a shortage of teachers in poorer regions of China, so where are all those teachers coming from? How are they trained? The inmates aren't going to be economically productive for some time, so how are their living expenses paid? What about the loss of income to their family members?
These are all difficult problems to solve, and I'm not sure the Chinese government has actually solved them.
> the center is not a prison or Auschwitz (go back home regularly)
I agree that comparisons with concentration camps are not appropriate, because the purpose is not genocide, but ideological assimilation. However, I'm not too sure about the "going home" part. Only one of the three groups are voluntary signups; what's the point of sending someone there involuntarily if they can just go? They might even end up stabbing someone.
> did you get in touch of some Uyghur or you just surmise their thought from, let me cite Trump, "Fake News"?
Unfortunately, Uyghurs are a bit rare where I live. It's certainly possible that the Uyghur and Kazakh Muslims who have appeared as eyewitnesses in Western media are just making everything up, or maybe their experience was simply atypical. After all, among a million people, finding one who had to live in a room with ten people because the new dorms weren't finished yet, or who was hit by a frustrated teacher, or who was raped by a drunk guard, is kind of to be expected. In that context, a statement from the government that they're investigating those crimes and will punish those responsible would be much more reassuring than a complete denial that anything bad ever happened.
Maybe you could ask some of your Uyghur friends if they know anyone who went to one of these centers and what they thought of the experience. I guess that'd be much more informative than debating with me.
They didn't use free trade against you, they used the American corporate greed and bottom line mentality. It was a cooperation. We got plenty of cheap shiny plastic nikanks to keep complient while corporations sold out on local economies.
Now that it is proven to be unsustainable they beat the war drums and want us to fight for them.
> The third way (trade brings democracy) has been disproven over the last decades.
This is often claimed, but I fail to see the disproof. The standard of living in China has improved considerably as a result of trade. That new prosperity means that now more people can afford to support journalists, lawyers and activists working to expose and curtail abuses of power.
This is not limited to underground organizations or something; the Center for Legal Assistance to Pollution Victims is run by the China University of Political Science and Law in Beijing, probably funded by government grants. http://www.clapv.org/about/index.asp
It's also not limited to action in China; as Chinese companies get involved in large-scale construction abroad, so do Chinese NGOs who have experience mediating between those companies and the people negatively affected by them. https://pandapawdragonclaw.blog/2019/10/28/interview-can-chi...
You may think that internet censorship is a sign that things are regressing, but there used to be no internet at all. Nowadays anyone with a grievance can publish an article or a video to raise awareness; by the time the censors notice the outrage, it's already too late for the government to pretend that nothing happened.
30 years ago, the Tiananmen Square protests lasted barely over a month before they were crushed by the military; the protests in Hong Kong have been going on for half a year and the military hasn't been involved so far.
China hasn't turned into a democracy overnight, but neither did South Korea or Taiwan. So far, the trend seems to be positive.
> China is a huge country, and excluding a billion people from your company just because their government does questionable things sounds like a pretty bad idea.
People have to do what the state they live in and belong to orders them to do. That's part of the point of having a state. So if you can't trust a state you can't trust its people either.
> you are really concerned about the confidentiality of your data, don't store it unencrypted in some SaaS
I don't think dissolving the company is on the table.
> People have to do what the state they live in and belong to orders them to do. That's part of the point of having a state. So if you can't trust a state you can't trust its people either.
So, I could say that American is sucks if I think Trump is sucks?
That is ridiculous. The first is that 'state is unauthentic' is a subjective speculation. And the most funny is that the conclusion 'people is unauthentic' is came from your first thought.
I can not say American is terrorist if Hillary wanna burn other country. Am I right?
> I don't think dissolving the company is on the table.
Zing! Solid line but it misses the point. As with any other data, you can encrypt source code. It's perfectly easy to envision a setup where Gitlab employees in country X can only see plaintext Gitlab data they could already see over the public internet.
Trolling much? I expect a lot of Chinese rationalizing why this is a bad idea. After all, you get good social points for supporting the Party. Otherwise...
I never thought I'd see this level of xenophobia becoming widely acceptable in the United States. For everything educated Americans loathe about Trump, the one thing they've taken on board from him is fear of the Yellow Peril - which is probably the most dangerous aspect of his Presidency.
It’s not xenopohobia, it’s a hard problem. China actively exploits American tolerance for their own gain, and we have no good way to stem corporate espionage other than a blanket ban.
Even then, good old corruption of non-Chinese is still possible.
I'm sorry, targeting Chinese people on Green Cards is xenophobia. I'm not interested in whatever rationalizations are given for this sort of discriminatory behavior. The US is sadly headed down a path towards socially acceptable racial discrimination, justified by the new bogeyman - China.
The same argument would apply if the person was white and had many relatives in China. Or real estate, or other leverage that can be used against them.
You can’t ignore the fact that the PRC uses those things as leverage against people abroad in order to get information. Until that stops, what are companies and governments supposed to do? Roll over and allow espionage because we’re so tolerant?
I could use the exact same argument to propose banning Americans from GitLab. I'd also have much better empirical grounds for doing so, given how much is known about the extent of US espionage.
There's a growing hysteria in the US about China, which is leading to increasing signs of discrimination and harassment of Chinese people in the US. This sort of demonization of an entire country and the politics behind it (preservation of the US as the world's dominant power by containing China) are very dangerous. The thing that makes it most disturbing is the way people across the political spectrum have bought into the idea of the Yellow Peril, and are now okay with discriminatory policies, the trade war, and challenging Chinese territorial sovereignty.
I don't buy it. Yes there's a growing hysteria of China, but that's due to their government. It's not against the people in general. (Yes, yes, there's always an example of someone being racist/xenophobic. My response is there are always idiots who are racist/xenophobic. Citing them as an example of the populace at large is just lazy.)
People don't care about people from the ROC, aka Taiwan, aka China*. If people in our extremely polarized political environment are uniting on this, it's because it's a Serious Issue that needs to be addressed.
It very quickly escalates to discrimination against Chinese people in the US, as evidenced by the highly upvoted comment I originally responded to. I'm sorry if I get my knickers twisted about people proposing an entire race of people pose a national security threat, but this sort of xenophobia has rarely gone well in history.
Chinese and Russians living outside of China and Russia will not be affected by the ban.
You keep calling it xenophobia even after you've been proven wrong when you claimed this is targetted at green-card holders. You are absolutely disengenuous and have no intention at good-faith discussion.
You seem very focused on China only...why is that? GP's "musing" equally affects Russians. Or are Russians not something your ideology would allow you to defend?
Regardless, the GP does raise a valid point that if you have family living under the heel of a totalitarian dictatorship they can and will be used as leverage.
Your whinging won't change that fact, and it has nothing to do with them being Chinese (or Russian!), and everything to do with their country's government.
If I ran state security for a poor African dictatorship, I would find all successful expatriates in the .US/.EU/.AU and sell their details to other nasty outfits and offer to "apply my heel" to their families for a fee.
I would fully defend Russians against this sort of xenophobia as well. They just don't seem to be the enemy du jour. Complaining about Russia is so 2018. America has a short attention span, and has moved on to the next great evil.
> Regardless, the GP does raise a valid point that if you have family living under the heel of a totalitarian dictatorship they can and will be used as leverage.
Okay, so now you can edit our your attacks above, because you see that the post I was responding to did discuss targeting Chinese and Russian people living in the US.
> Your whinging won't change that fact, and it has nothing to do with them being Chinese (or Russian!), and everything to do with their country's government.
Regardless of the rationale, they're still being targeted on the basis of their nationality. The general impression is being created that all Chinese and Russian people in the US are potential national security threats, whose employment should be restricted. I don't see any functional or moral difference between that and xenophobia. It reminds me of the generalized suspicion of Muslims after 9/11. It's not a pretty thing, and it's sad to see it gaining currency.
Unfortunately I can no longer edit my reply - please take my apology for misunderstanding your argument.
Back on topic of green cards: whether you want to bury your head in the sand or face the reality that foreign dictatorships will use their own citizens to infiltrate their rivals is up to you. If you want to take the high road you can, and likely be excluded from government contract work.
Don't get me wrong on one thing, the west is in a precarious situation of openly doing the same thing in certain cases - eg: Australia's draconian backdoor law. I will not hire or recommend hiring an autralian dev working in Australia - and you can call me a racist or xenophobe if you want, it will not change the reason for the decision.
Fortunately for an australian immigrant abroad they are not going to have their family black-bagged for failure to submit to their government. I don't have this confidence for Russia, and especially not China.
We're really getting into the realm of fantastical scenarios now. The idea that the Chinese government would kidnap the family of a US-based employee in order to force them to hand over data is completely hypothetical, and to my knowledge not backed up by any known case. If they're willing to go to those lengths, they could just as easily blackmail or bribe any random employee. They surely have the power to do so, as does every government with any intelligence service to speak of.
What I do know is that there's an increasing atmosphere of generalized suspicion against Chinese people in the United States, and even of people of Chinese descent. There are lots of recent examples, but to give you just one chilling one: US government pressured Emory University to fire two US-citizen medical researchers of Chinese origin, for the non-crime of pursuing research collaborations in China. The two are leading researchers into Huntington's disease. At the time they pursued their collaborations in China, such collaborations were encouraged by the university, and they pursued them openly. Their entire lab was closed down, and the more junior researchers from China were sent home. This is not an isolated case.
I can't see what's changed to warrant this crackdown in the last few years, other than the quite open discussion in US foreign policy circles about the need to maintain US hegemony, and the long-term threat to that hegemony from a rising China. This has been accompanied in recent months by increasingly hysterical media coverage. One of the most consistently frustrating things about the US is the susceptibility of the public to these periodic campaigns of demonization. Obama laughed about Russia in 2012, but in 2016, Americans suddenly discovered that Russia is the root of all evil in the world - they're even responsible for racial tension in the US! Something similar is happening with China now, and it's reached such proportions that even a Chinese app that teenagers use to share lip-sync videos is a national security risk.
That you find this scenario so fantastical is naive...and yes, the Chinese government openly threatening its own citizens abroad is documented. What do you think of the following article, is it cause for concern for you, or do you believe it's just our media misrepresenting China?
Blackmailing any random employee (with their family safely in the US or another western country) is absolutely not the same as blackmailing an employee with the family still living in China or Russia.
If you have family in China and you have access to government information or IP they want it is not at all far fetched they will do this.
Threatening the families of separatist activists is definitely wrong and despicable, but it's very different from what we're discussing here. I haven't heard of any cases similar to the type of scenario you're suggesting.
I can't see how you think there's absolutely no connection here. The Chinese government has demonstrated very clearly it will coerce their citizens' compliance - they're not going to be immune to this just by not being activists.
If you have something they want - or are able to do something they want - it's quite obvious they will use your family as leverage.
That hasn't been demonstrated. You're citing the treatment of Chinese people abroad who are affiliated with CIA-funded separatist organizations and drawing conclusions about how random people working for tech companies will be treated. I don't think these situations are analogous.
If you don't mind me asking, why is this conversation open to comments from non-employees? Having discussions be publicly viewable seems valuable, but letting anyone at all participate seems disruptive and unhelpful (as an outside party, I was having trouble following the thread of employee discussion interrupted as it was by internet furor).
> If they can, does this also mean the employee has no legal recourse since NSLs must be kept secret?
No, because that would be unconstitutional. But the proceedings of objecting to a NSL similarly must be kept secret. There wouldn't be any point to the secret component of a NSL if the recipient could object and hash out the merits of the request in public court records.
Welcome to the wonderfully paradoxical task of organizing and controlling secret services and jurisdictions in an otherwise democratic state.
Most countries do it by subordinating secret agencies to a military division of sorts, wherein martial courts and security access is already structural. Others choose a more 'civilian' approach subordinated to a parallel chain of command within the citizen government/legislation/judiciary — closer to police, interior dpt / homeland security, etc. (in such cases, army intelligence is usually quite distinct from civilian surveillance).
Which approach is favored historically by a country typically depends on pre-existing constitutional models and principles — notably how the army features relatively to the ultimate civilian chain of command, and how the latter is accountable to the (sovereign) public in the event of treason.
None of this applies in authoritarian regimes where the ruling caste or figure(s) usually answer to no principle (no courts for them, only 'advisors' for they sit above the law) and secret service is almost always directly answering to them, as part of the active coercion of the people (fear of the "enemy within", etc).
> can the US government legally issue a National Security Letter to an individual employee that forces them to comply and spy for them?
I don’t have a link I can share at the moment to prove this (I’ll update this comment if I find one), but at least in the case of an employee with a security clearance, it is my understanding they can be forced to comply with a US Government order without the ability to inform anyone at their employer (including corporate legal staff). I’m not clear if this order would have to come as an NSL or via another channel.
I used to work for a company that had a public Jira bug tracker (security related bugs were hidden). I imagine a lot of customers had the same feeling you had: listing all bugs in a release, their status, the discussion around them, it was all there. Very transparent and very appreciated.
Unfortunately, like most good things in corporate software, it didn't last.
Wait, am I to understand that this law says I cannot boycott doing business with businesses located in Israel?
I am in the US, so can not say, "I disagree with how the Israeli government is treating Palestine and thus don't want to do business with any entity located there."?
> Wait, am I to understand that this law says I cannot boycott doing business with businesses located in Israel?
No.
That link the parent commenter shared is a very good overview: it basically means that your company will not receive special corporate tax consideration if your company:
Enters agreements to refuse or actually refuses to do business with or in Israel or with blacklisted companies.
Enters agreements to discriminate or actually discriminates against other persons based on race, religion, sex, national origin or nationality.
Enters agreements to furnish or actually furnishes information about business relationships with or in Israel or with blacklisted companies.
Enters agreements to furnish or actually furnishes of information about the race, religion, sex, or national origin of another person.
(e.g. “hey [anti-Semitic company], this competing businessperson is a Jew, if you were wondering”)
In any of these cases, there are exceptions and matters of interpretation.
Whether or not you think this is appropriate for the government, it's not as simple as “you can't engage in a boycott as a matter of personal conscience”.
>your company will not receive special corporate tax consideration if your company:
>Enters agreements to refuse or actually refuses to do business with or in Israel
The link does actually include the penalties, which are far more than just losing special tax considerations. It includes hefty fines and even imprisonment under the TRA. The "just losing tax consideration" part is only under the EAR. I understand that part.
It's the fact that they say I cannot boycott Israel independently.
I'm still confused at how this can be fully Constitutional. Say I care a lot about the Palestinians and object to their treatment by the government and military of Israel. Say I make widgets wholesale for people to resell retail.
So I say, if you buy my product and resell it you make money and your government takes some of that money, as is normal. Therefore, I will not sell to any company that sells this in Israel as I do not want to my product to be used to make money for a government whose actions I condemn. I don't care if you are a Jew, a Christian, an Arab and/or even a Palestinian, if you want to sell my product in Israel and taxes which go to the Israeli government will be collected on that, I'm not selling it to you. Not just certain companies within Israel, all of them. Anyone who sells my product and thus makes money for the Israel government, nope, I'm not doing it.
That's the part I have a problem with. If I don't actively try to stop Israel from doing anything but want to take an active role in not helping them in any way, I'm breaking the law? I don't see if how I want to act independently the Arab League but what I want to do aligns with part of what they want to do, that is a problem? I should be able to not support what I see as a bad actor.
Honestly, I also do not understand their wording on that.
Getting on board with foreign boycott is not ok that much is clear, but exercising your freedom of affiliation as a company is fine as long as it doesn't contradict US foreign policies. So if you don't want to contradict those you shouldn't boycott them if you don't your gov deciding that your decision is not independent. I mean you never know, but stranger things have happened. Just because of that I generally advise foreign entrepreneurs to think hundreds of times over before they go ahead to open their offices in US.
If you're in the US, you can decide to do that. The law restricts your business with foreign entities that might engage in a boycott. The nuances of what might trigger these regulations are not always straightforward (look at https://www.bis.doc.gov/index.php/enforcement/oac/7-enforcem...) but normally you just have to avoid "bad words" in contracts, RFQs, etc.
I would note my understanding is that fines for non-compliance have historically been relatively light and therefore, to my knowledge, these regulations have not been seriously tested in court in recent times. (And the article I read suggested there was a causal link between those two facts.)
I have a hard time believing that the government could do this but the way I read it says that if I said:
As a business, I disagree with the human rights violations the government of China is engaged in. I am again Saudis Arabia's ban of alcohol on its residents, its treatment of gay people--including death for simply being gay and the way it withholds rights from women. I also deplore Israel's treatment of the Palestinians, including the demolishing of houses.
Therefore, I will not allow my product to be sold in a way which results in any of these governments collecting tax on it, this supporting the government.
The way this reads, it seems the government can say, "Whoa, you can't to that to Israel though." and ignore the other two. Unfair and prejudicial in my opinion.
> forbidden from … Agreements to discriminate or actual discrimination against other persons based on race, religion, sex, national origin or nationality.
So, to be clear - GitLab can merrily discriminate against Chinese citizens of the US on national origin by themselves, but are breaking the law if they do the same under a joint venture with a non-US entity.
Indeed, thanks GitLab for being so open about your bigotry. I wonder what would happen if GitLab started excluding say Israeli nationals, because a large number of companies that sell 0-days for profit are based there, I suspect that accusations of antisemitism would pour in from all corners & rightfully so, but since demonizing China has been cool since the USSR's collapse & Russia rejoined the club it never really left in the eyes of Americans, it's all good.
Disgraceful. GitLab was once an inspiration to me in terms of its openness & culture, but the recent moves around tracking and now this, make it clear that GitLab has been around for too long to stay a hero.
Except when you look at Hollywood production, U.S TV news etc. that's exactly what you get. The Red Scare was a real thing, so was Russiagate. The anti-Chinese sentiment is very much real in the U.S. too, if the campaign rhetoric, current trade policies & the constant stream of accusations from newspapers of record are to be any indication.
Maybe I could have worded it better, but I am referring to American culture and the mindset that when you think 'anti-hero', it's going to be a Russian/Chinese most of the time.
I'm shocked that they'd extend it to their lawyers. This thread (and the one the other day about telemetry and the GDPR) are a plaintiff and/or prosecutor's dream.
One of the hardest parts of most white collar prosecutions is proving that an action was taken "knowingly and willfully". Unlike other areas of criminal law, most white collar offenses require prosecutors to prove that not only did the person know they were doing the things they were doing, they had to know they were illegal.
Having the party's own lawyer offering legal advice outside the scope of privileged communication is normally windfall enough. Having them do it publicly and in the media's eye is just insane.
On the other hand, the discussion threads actually show that they have no idea what they are doing.
It's a good question what one could prosecute out of that and what to gain. There are so many open angles and I don't think there is any precedent with a fully opened company.
GitLab wants to be "on the right side of the law" when things get stickier . . . plus China and Russia both have State supported hacking (US does too, probably all 5 eyes countries), but if they have to choose between Allies or Axis powers - - it's a pretty easy choice for the side that is more stable, that does not actively promote organ harvesting of live humans, less obvious police state and their money is accepted everywhere . . .
It sounds like there is nobody that this affects, and nobody it is likely to affect. They just want an official policy in place to reassure their customers.
Audrey Tang Minister without Portfolio in the government of the Republic of China (aka Taiwan) advocated this type of radical transparency in government.
While I acknowledge the pragmatic approach taken by the company to protect their user's data, I am curious as to how this will play out over time. Factors such as longer term travel or working vacations to these countries by their employees?
Or, What about if one of their employees is married (or wants to get married) to a legal resident of one of these countries? How far removed does the employee have to be from this risk? And how much of an impact on their (and their family's) civil liberties could this have?
I've been told (at a different company based in a different country) "don't bring your work laptop to China, don't bring materials to China without authorization, we'll provide what is effectively a burner device for whatever you are bringing to China (I believe they re-used them as different employees went to China)".
I imagine Gitlab would have a similar but less restrictive policy, "don't bring a work laptop <with credentials that gives you access to one of these roles> to China, ...".
I don't see why a policy against residing/working in China would care about who you are married to or where they live.
Consider this scenario: Loyal and long time high performing Gitlab employee Bob, is happily married to Su, who originally hails from China. They live and work in the US. All good.
Until Su's ageing parents back home succumb to ill health and she decides that the family need to move back to China to care for them for maybe one or two years - perhaps longer.
Bob then has to make the choice between (a) resigning his job or (b) being forced into a long distance relationship with lots of travel between China and the US, or (c) divorcing his wife.
When company policy gets in the way of important life decisions, I think it is a dangerous line to walk.
Sound like "loyal and high performing" Bob could land a new gig. Life is about choice and Bob might have a difficult one. I hope he'd stay with Su. Better and Worse and all that.
Then the good thing is that you are not married to the company you work for. You can even work for more than one at the same time; to be married to more than one person is so much more difficult :/>
Consider the exact same scenario at any non-remote company.
If Bob wants to move to China, where the company doesn't have an office, he's going to have to resign or take a leave of absence.
This decision on Gitlab's part would be moving their incredibly generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran" to a nearly as generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran, and places that are known to coerce people into spying for them like China and Russia".
Most companies operate on a whitelist of places where you can work (where they have offices), not a blacklist. Even many remote companies operate on a whitelist (e.g. "Remote, US only"). Really, I'm amazed they feel that they can operate on a black list approach at all and not accidentally violate tons of local laws.
I may be reading into things here but it sounds a lot like the reason for this is to gain business from the US Government. Limiting reach from governments such as China and Russia is already standard practice for most security/defense related functions of the government.
The point is that those 250 countries all have different legislation and cultures. The only concern is not "we don't want the Chinese government to have access to user data". That's the only concern for Gitlab (well that and not violating US laws in regards to who they can do business with), but it is not as simple for many other companies.
Going from a whitelist to a blacklist is hard because you need to either individually vet every country and decide if they're ok, or you need to just assume a lot of countries are ok.
Going from a blacklist to a whitelist is obviously trivial.
i am not sure we are getting anywhere with this argument. i don't really see the point. when a list has a fixed number of possible entries, then the difference between whitelist and blacklist is purely academic. the result is exactly the same.
You seem to be talking about reciprocal lists (blacklist of 3 -> whitelist of 247, whitelist of 10 -> blacklist of 240, etc), which is not what OC was talking about. OC was specifically talking about going from a "small whitelist" to a "small blacklist". Not a "large whitelist to a small blacklist" and certainly not anything the other way around.
Whitelist with 3 countries: I have vetted three countries, and know my employees can operate in those countries legally without issues.
Blacklist with 3 countries: I either need to vet 247 countries to ensure my employees can operate there legally, or I am just assuming that those 247 countries are fine without actually doing the due diligence.
Again, going from a blacklist of 3 countries to a whitelist of 247 countries is obviously not an issue. You're operating on the same data. The issue is going from a whitelist of say 3 countries and then not going to a reciprocal blacklist of 247 countries, but a much smaller blacklist of 3. This is what Gitlab has effectively done in OC's estimation. That either means you vetted those 244 extra countries that are now on your "whitelist", or you're making a lot of assumptions.
>Or, What about if one of their employees is married (or wants to get married) to a legal resident of one of these countries? How far removed does the employee have to be from this risk?
Security clearance background checks will cover this sort of thing. For sensitive government contract work, clearances are generally required for the relevant contractor employees.
For non-government customers who still have these concerns, I’m not sure there’s a good answer. I guess you could define your own clearance process and run similar background checks - many of the government’s own background checks are done by private investigators already.
Super ignorant question that I'm sure has an obvious answer because nobody else is asking:
How is this not a form of Japanese internment camps? Russia and China are a problem so we block Russian and Chinese citizens? Also, wouldn't I just have my Russian agents living and working in Sweden or Canada or something?
Well first, it is not a camp. No one is putting no one in prison there.
Second, a company will want to abide by the laws of the countries it operates in. Having an employee somewhere may, nowadays, count as "operating in" that country. If they are not comfortable with some state laws, that makes sense to avoid these countries. Just like the companies that say they can't operate in Europe because of GDPR.
Third, if you identify one of your employee as a Russian agent living abroad, you fire them and Russia is in the wrong there. But if you hire a Russian and that makes you legally forced to share some data, you would be in the wrong to not comply.
I don't understand what I am reading, I feel I am missing some context... Is it about being afraid the Chinese and Russian state will spy on user data if some employees are located in those countries? Or were there updates to their laws that made it mandatory to open databases to the state if an employee is located in these countries?
> There is an unacceptably high risk that these nations may apply pressure to individuals living within their borders with sensitive data access (based their role at GitLab). It is our concern. And it is the stated concerns of several customers.
The discussion is actually pretty significant, as they sort out how they might manage the _customer demand_ that is creating these hiring blocks, and in turn, how that is reported and tracked.
I don't see this as a purely "done deal", it's a company having very important discussions in the open that most would just default to "restricted". All this transparency is a great source for others to learn from.
After activating JS I could see the discussion, sorry.
Going a bit deeper, it seems to be a specific demand by a potential client. Can make sense for activists, journalists, humanitarians. Makes sense for gitlab to push back too though.
Whether it's real or not or even likely to be effective, there's a chilling effect and businesses are obviously concerned to be raising the issue of Chinese-based employees with GitLab.
Oh, China is finally following US policies on full takes. Not entirely unexpected. The difference is that China observes their borders, whilst the USA does full takes everywhere they can, which is everywhere in the west.
What is a full take, what do you mean by US policies on full takes, and can I also have a source on US performing full takes everywhere in the west? Thanks!
They have a customer that required the personal data they'll give to Gitlab not be handled by people living in Russia and China. Could be a group doing humanitarian or journalistic work.
That's actually an interesting conundrum: you want to hire a company, need to trust it for handling sensitive material, and can't afford it to fall between specific states' hands.
I don't think there is an objective process to do that. I know that USA and France and probably many other countries have laws to authorize seizure of data they consider linked to a variety of vaguely labeled activities (from "trouble to public order" to "terrorism"). You may end up excluding 80% of the world if you use objective criterion there.
True. You have to decide what level of security is necessary for you. In some countries like China privacy from the government is basically nonexistent. In some like Australia backdoors are mandated by the government. In others like the US secret FISA courts exist and can demand data from companies and gag them at the same time. Off the top of my head I don't really know any ideal developed countries to do business in where privacy is concerned.
Honestly I don't understand @cciresi's position. As far as a I know anti-boycott regulations have primarily (only?) been used to prevent US companies from not doing business with Isreal. China & Russia are geopolitical rivals to the US and I don't see any sort of risk of anti-boycott regulations being applied in restricting business with residents of those countries. I guess you could say there is a risk that could change, but that seems hypothetical to the extreme and realistically irrelevant to worry about from a risk perspective.
And this isn't discriminating on nationality or national origin, it is on the nation you currently live in. Employers decide not to hire employees living in other countries all the time, it's the most prevalent choice (i.e. US companies only hiring employees living in the US). I don't see why doing this because a customer you've considered critical has asked for it is any more legally risky that having done it for other reasons, assuming we discount the anti-boycott argument.
This is all with the huge caveat of I'm not a lawyer, just giving my perspective based on how I've seen these laws/regulations applied in the past.
Anti-boycott regulations are highly hypocritical because indeed, they are designed for Israel but pretend to apply to all countries.
Thing is, even if it is just country of residence, it is still a discrimination on hiring and could very well be illegal unless there are strong legal reasons. E.g. "we have to do things that are illegal under the laws in country X, so we can't hire people there".
I think the main point of her position is that one should have an objective criterion to add countries into a blacklist and that none can realistically been done over privacy issues that would include China and Russia but not USA.
National borders are a strong legal reason. It's silly to have to write that down.
Absent a treaty between nations, national borders are the borders of laws!
The US government is currently in a trade war with China. Is that illegal discrimination?
Regulating internatiinal relations is a core government
responsibility.
No government would make it illegal for a company to choose not to do business in a non-ally foreign country. Millions of business already don't engage in many foreign countries, by default. Including yours, I bet. Why should they be required to do so?
>Could be a group doing humanitarian or journalistic work
They speak about revenue, so I'm sure that's not the case. I bet it's a commercial company with sensitive data, probably gov/mil contractor with strict obligations to their customer.
And someone at their management doesn't understand Intelligence 101: they don't reach for your data from the country of origin.
Journalists and humanitarian organizations do have revenues.
I doubt a mil contractor would add Russia and China but not embargoed places like Iran.
And yes, I think this is a misguided attempt at security. Companies that handled crucial data that need to stay private really should spend the resources on managing these data themselves.
> "It seems odd that we proclaim that we will accept any customer not prohibited by law (b5a35716) but we are implementing controls that impact employees based on a perceived political climate. This is contradictory."
Accepting any customer serves the customers interest.
According to customer requests that their sensitive information not be placed in a situation where it could be relatively easily accessed by state actors ... serves the customers interest.
That’s not contradictory, except in the most superficial sense of “but we have open arms for everyone”.
Personally for me, coming into a company that was so transparent was very difficult at first, especially as an attorney. However, over time I realized how much I developed and grew from it. I became much more open and accepting of criticism and feedback. Instead of becoming defensive, I listened to it and learned from it. I also welcomed all of the extra eyes on my work, it helped me create much better work product, just as the open source community does with open source code. When you are transparent, people know what you are doing and that you are genuinely putting the efforts in to do your best. You never know what is going on with others behind closed doors.
why do you all show up in this thread on another website. isn't it embarassing that your company has no concept of a "federal" branch that restricts access to selected vetted employees? this seems like a very basic business decision that preempts all this hubbub.
I think one of the reasons should be that Gitlab does not have many enterprise customers in China and Russia. Native Chinese or Russian speakers are not needed for Support.
Russians and Chinese could not care less but gitlab. They have progressed so much in the last years, they have their own gitlab systems. Demonizing Russia and China for bad practices and not doing any introspection on yourself is hypocritical. US suppremacy is over. Get on with it
I understand the basic issues involved here. Both countries are doing very odd things when it comes to information and privacy. However, I feel like making this a "country issue" is really not exactly the right horse to ride on. Rather, I think it should be stated due to the security policies of these governments, we are banning them as information safeholds at this time or something of the sort. Then, the issue is LESS the country, and more the governmental informational policies.
But the problem isn’t storing information in these countries in this case. It’s how these are known to coerce nationals with ties to the homeland into spying for them.
Reading the discussion, it appears this policy was due to a customer request, and not some legal requirement.
I wonder how the HN crowd feels about that? There was a lot of talk recently about how companies should not sacrifice their values and kowtow to the demands of large clients.
As a company that values freedom of movement and is remote first, this prevents their employees from moving to where they want. Does this also mean they can’t vacation there either?
> Does this also mean they can’t vacation there either?
No, the post is fairly explicit about what the proposed block is.
While I agree with the position that companies should avoid trading ethics for short-term profit, this is a move I hesitate to condemn - the cost is fairly minimal (their remote-first position is still quite generous), and there is much to be said for the increase in privacy and security this provides their customers.
It’s hard when you have people in your circle of trust who are subject to coercive law enforcement. My heart goes out to victims of such apparatus.
It isn’t even as simple as worrying that foreign national employees can be coerced by their home nation police or state security services — anyone subject to policies like Gitlab’s who is local to your business but who has family or assets abroad that can be used to effect duress, or who can be blackmailed in some way elsewhere, would need to be vetted.
Why are you assuming that their backend architecture is bad when these positions touch sensitive data much more frequently than a software engineering position in companies globally?
In order to effectively support customers, you need to make a decision into how much visibility you'll give customers. Alternatively, you give your support the even more unfortunate circumstance of needing to request sensitive data.
SREs need to be able to work with hardware and software and by virtue of needing to take decisive action are in a similar situation.
Well, technically you should then block people from these countries irrespective of where they reside. They have extended families back in their home countries, so the spooks can still lean on them quite heavily, and there's nothing they'll be able to do.
This is why I refused to obtain a DoD security clearance when my job needed me to: I go to Russia to visit my family every 2-3 years, and I don't want to be in any way valuable to their intelligence services or the like, nor do I want to put myself or my family in danger.
All of the above is in spite of me having spent most of my life in the US by now.
IMO a better solution is for nobody to have permanent access, and granting it on as-needed basis, with a full audit trail. It's not perfect, but it's a heck of a lot better than the ineffectual geography-based blocking that you are implementing.
583 comments
[ 4.5 ms ] story [ 300 ms ] thread> @cciresi this is a request from a customer considering using GitLab.com. @mmcb has more context on the why. We should probably add that to the MR.
Probably the US government or something like that?
It's a bit of a chicken/egg situation - is there a strong culture of compliance because of the transparency or does the strong culture of compliance make transparency a non-issue? Whatever their secret sauce I think Wall Street could use some.
For instance - it's been suggested (I don't know if rightly or wrongly) that they have a customer who asked them to do something that would violate the US boycott laws. I'll assume that it is the case that they've been asked to violate these laws.
According to a plain reading of a document someone linked here [0] that means they are required to report the request to the US government. I'll assume that it is the case that they are required to report it too, even though I'm not a lawyer, and that's not really an authoritative source.
> The EAR requires U.S. persons to report quarterly requests they have received to take certain actions to comply with, further, or support an unsanctioned foreign boycott.
If they don't (because they forgot, because they disagree with that interpretation of the law, because they don't want to piss off the customer, etc) they now have a public facing record of them violating the law. Even if the assumptions are wrong (they likely are) and they aren't violating the law, someone might decide they are and it might result in lengthy/costly legal battles.
How many other examples like this probably live in that repo for anyone to see?
[0] https://www.bis.doc.gov/index.php/enforcement/oac
The requirement to block some class of people off from some customers is nothing new, and back at Sun there was separate Sun Federal which was dedicated for such clean business.
GitLab's approach (and i think it is just a start of the trend in the industry, time to get rid of the accent :) while theatrically good isn't practically efficient. A Chinese or Russian residing here with some family back at the Motherland is susceptible to the same pressure in the loving, yet firm hands of the Motherland as if s/he were residing there her-/himself. So the next absolutely logical and necessary step for GitLab on this path is to block all Russians and Chinese who has at least some family back there. Giving that there may be other ties too and the hassle to verify (to which degree of relationship?), simply blocking all those nationals would the natural and practically efficient way.
Extortion can be effective well outside family lines.
And, of course, extortion is equally effective on USians, Brits, Indians, Nigerians, or anybody else.
> As such we feel a country block is the most humane solution at this time--especially because it affects zero current employees
<BOLD>See self-reply below, not the case.</BOLD>
Though that is alluded to as a possibility, with complications.
________________________________
Update: My first read was incorrect.
That would seem to apply to current employees in Russia / China who are in roles covered by the block.
Which is kind of A Big Deal.
X: "Current team members"
A: "moving to these countries"
B: "remaining in a role that prohibits it"
X are prevented from BOTH A AND B.
(X may do neither A NOR B)
Or:
X are prevented from (A AND B).
Whether or not remaining in one of these countries and MOVING to a role that prohibits it is included in the prohibition is unclear.
Someone's future transfer may hinge on that.
I've danced this dance at a previous company when we had an employee working from a country of interest for an extended period of time. They were air-gapped from our systems and it worked because they submitted everything by pull requests (the original way, sending git patches by email). They didn't have access to our CRM or any customer systems because several of our contracts - not just with governments but also major multinationals - prevented employees in certain countries from having access.
Even when I traveled to the same country I used a burner laptop that was decommissioned when I returned. When we EOL'd laptops in the office they'd go in the burner pile to have one last holiday abroad before they were wiped again and sent to a local charity.
So, someone in, say, QA or documentation, looking to head into SRE or Support, would be unable to if they presently reside in China or Russia.
Meanwhile, if the government can just arrest you and say "change this repository and you go free", it's essentially free.
Security isn’t absolute, it’s layered. The harder you make it for the adversary, the more it costs the adversary (eg: potentially burning a zero day), and the more chance there is of detection.
Can Russian intelligence get into Gitlab? Probably. Are measures that make it more expensive liable to deter them? I think so.
Two points here. First of all, failing to acheive absolute security is not a justification for ignoring best practices.
Second, this isn't air gapping. It is preventing a bugged laptop from sitting in on conference calls and meetings for the next year or two until it gets aged out.
Their employment being dependent on them residing within specific locales is not the same as "prevention". It's an incentive scheme, afaik.
Please note that we're still discussing this change. We work out in the open so you can see us working on it. I hope that people appreciate the difference between that and what you would see in a non-transparent company (probably nothing, they would just not open up a vacancy in the offices in that country).
Although they will probably choose to hack them instead
The reason this is viewed from a US legal perspective is because we are a US company so we are governed by US laws.
Additionally would this extend to individuals who are of Chinese or Russian origin? China in particular leans on nationals who are on visas or have family still in country to conduct espionage operations.
Discriminating on origin is likely illegal.
It sounds like you just need to harden your production perimeter. Jump boxes with two-man-rule access and terminal logging. Apply the same practices to data as you do code.
> Discriminating on origin is likely illegal.
You should ask your legal folks about the national security exceptions of Title VII. It sounds like your customer requirements are pushing you in that direction anyway.
The irony...
It could affect present employees who are in other roles, located in China or Russia, from moving to a covered role, whilst continuing to reside in China or Russia.
Edit: I've provisionally gone with "Gitlab blocks hiring SREs and Support Engineers in China and Russia". If that's wrong, or if anyone can suggest a more accurate and neutral title, we can change it again.
Maybe substitute "not" for "blocking" as well since that seems clearer.
Given the current australian law changes, the rampant israelian IT spy sector and despotic Belarus position on human rights, it's surprising that they only mention China and Russia. This whole debacle doesn't look good and makes one to loose all faith in Gitlab.
China and Russia are known to put pressure or watch/listen on nationals who work in key positions in foreign companies.
As US allys Australia, Israel don't pose the same threat. A lot of information that could be gained would be available through the US government and shared with the those parties if there was a need.
https://en.m.wikipedia.org/wiki/Jonathan_Pollard
https://www.google.com/amp/s/amp.theguardian.com/world/2019/...
There are definitely Chinese and Russian spies but there are spies from many countries besides those. The question is why are you singling out those countries and why now.
The reason is that there is a Cold War brewing between the US and China and this company has become an agent of that war.
The seems to be a propaganda war against China brewing in the US. I last saw this level of jingoism when Bush Jr decided to take over Iraq on the pretense of Saddam Hussein supposedly having nuclear weapons. All the TV network anchors were pushing for war and pushing the supposed threat. Later we find out it was all lies.
Why those two countries specifically? In Russia you can get imprisoned for a variety of political/strategic reasons if you refuse to cooperate. China implemented there own internet for spying.
When you visit these countries you are advised to buy new devices and throw them out on return to avoid backdoors.
General Powell misleading the UN and TV networks was based on having chemical weapons. Nuclear weapons is the fear with Iran. It was believed because the UN weapon inspector Hans Blix was being railroaded with fake traffic jams and other tactics preventing him from investigating. After he pulled out and Sadam had a history of using these types of weapons on his own people, it made the claim easier to accept without more proof.
The same is true of Australia, the USA, and the UK - these nations have no issues with imprisoning each others citizens if it behooves them - i.e. if the individual chooses not to cooperate with the military-industrial-pharmaceutical complex.
China or Russia would not pose any threat if they managed to completely infiltrate US institutions, because they would be, at this stage, the US greatest allies. Sure, China might try to constantly drag the US into pointless wars in Asia, but again it would be fine because it would be to defend the interests of China, the greatest ally.
https://www.zdnet.com/article/whats-actually-in-australias-e...
After having this discussion with my manager and colleagues (the conversation with my manager was in my interview process where I bluntly stated if I was asked to comply with anything from this law, I'd immediately resign, my manager also agreed). Everyone I've spoken to agreed we'd immediately resign since it was the only potential option to protect our selves as employees and our employers.
Edit: I'll need to spend a little more time looking into the Assistance and Access Laws. The following article attempts to downplay some of these concerns:
https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
You are assuming that is actually an option. There is nothing to suggest the current Australian government would not prevent you from resigning until the task had been completed. This is the same government currently attempting to make it illegal to boycott businesses that are damaging to the environment.
Also, the proposed anti-boycott rules have been widely criticized as unconstitutional, unworkable and ludicrously against the conservatives free speech pronouncements. Unlikely they would get support from Senate cross bench.
That's the good(ish) news - the bad is that restraints on the passing of bad law are generally pretty weak in the absence of a hostile Senate. This is particularly true with the current feeble opposition, and even more so given the general atmosphere of cowering obeisance that the major parties have allowed (or encouraged) to develop around any legislation involving the word 'security'.
The problem is not really that you couldn't resign -- it is that the company would hire replacements that would get the job done. The company executive would be compelled to.
Albanese (and his forgettable deputy Marles) have so far been a disaster for the ALP.
There needs to be a more effective response than Hari Kiri.
Sure, it would be, especially for companies located in neutral countries, but since US influence is so strong everywhere almost all over the world that's also practically impossible. "Every animal is equal but some animals are more equal than others"
https://www.bmwi.de/Navigation/EN/Home/home.html https://www.bmwi.de/Redaktion/DE/Publikationen/Digitale-Welt...
China and Russia obviously have their own systems, but many other countries some some element of national control which is less obvious. Japan certainly has a mature native cloud capability, although it would be highly disruptive to move everything to it.
Its like plans to be 'cloud agile', it doesn't work unless you deploy to both every time, and you probably just double your cost and bugs for deployment ops. So the tendency will be towards cloud balkanization. Which could really suck, or it could force a path away from proprietary APIs towards standards, which will suck in a different way.
I think it's just the usual "Australians not realizing they live in a bubble", and kindly warning the rest of the world about laws or practices that have already been in place in our countries for twenty years.
(2) In English, both hari kari and hara kiri are accepted spellings (the word came into English before modern, maybe even standardized, transliteration, and the source language doesn't natively use the Latin alphabet.)
(3) But, in any case, you are right that it is misspelled.
I'm also an Australian living overseas, have worked on many sensitive projects that would be of interest to the Australian government and its masters, and I'm quite prepared to give up my nationality over this issue.
Australians will never be afforded an opportunity to overthrow their government, nor will we get the revolutions our demonstrations hope for.
In the case of Chinese-based employees the assumption is that anything they did would go through Chinese Government controlled networks (there's VPN ban even for foreign businesses) and likely result in your intellectual property being shared with your Chinese-based competitors. Not to mention their access being potentially compromised and used.
If an Australian-based employee complied with a letter, they could destroy your business reputation when it got out, even if you threw them under the bus. Probably the main reason Australian employees are still given latitude is that committing compromised code into the codebase would require involving everyone who could possibly see that code change.
Australian law is likely to have little impact on what an SRE or support engineer might be able to do. Australia having an established practice of recruiting and placing enterprise surveillance moles would.
China and Russia have some history with this latter. Though one might say similarly of the US and Israel, as two examples.
To my eye, american companies are becoming more and more like chinese companies in the amount of control governments can extort on them and that is highly troublesome.
Even as a reader, it almost feels as if someone misconfigured the ACLs or I'm reading leaked internal documents, not an intentional decision to make this open. Some of the discussions seem highly sensitive, and yet it seems to work for them.
Thank you, Gitlab, for being so open! I've learned a lot about compliance from just reading this thread. For anyone curious, here's some background on the mentioned boycott laws: https://www.bis.doc.gov/index.php/enforcement/oac
I'm eager to find ways to be a more transparent person at work. I want to eliminate "politics" and "games" where possible and for work to be Wysiwyg.
I hoped that people would use the sentences I proposed on that page but that never happened.
What is helpful is that when people raise a concern I can recognize it more quickly and show them it is clearly my flaw. This doesn’t happen often but it happened last week.
I can understand being reluctant to deal with the full extent of the problem. Somebody from China, with a family in China and subject to Chinese law, does not cease to be a security threat by moving to the USA and getting a green card. This gets awkward.
It really is no surprise that valuable secrets of all types (private key, customer data, trade secret, insider info for trading, etc.) end up in other countries.
I hope we learned our lesson during WW2.
However, discriminating based on exposure to coercive pressure from aggressive and hostile foreign powers is probably OK, even if such exposure is heavily correlated with national origin. The key is that the discrimination must be based on an individual analysis of the applicant and his/her life circumstances.
It's not OK to blanket deny any person of Chinese ancestry.
Denying such a person access to sensitive data or positions might be OK, however, if that person is exposed to coercive threats by, e.g. having family located in a jurisdiction known to use its power over expatriates' families as leverage to recruit sources and agents.
So long as the intent is genuinely to serve a compelling interest in protecting against security threats and the vetting policy is as narrowly tailored as possible to minimizing insider risk from applicants with vulnerability to certain threat actors, I think such a policy could pass ethical and (IANAL) maybe legal muster.
"Your honor, of course my intent was genuine ..."
Therein lies the rub ;)
I accept that I do not qualify for a high security clearance because I’m married to a Chinese national. I don’t think that should have any bearing on any other jobs that don’t require such clearances (nor my wife nor my son should be subject to such restrictions).
They notably did not include "or family".
The expectation presumably being that foreign powers were clearly enough signalled to tread carefully with regards to exerting pressure on government officials.
At high levels, that seems reasonable. At lower levels, where there's less scrutiny and less opportunity for diplomatic redress? "Reasonable" measures seem murkier.
[1] https://www.law.cornell.edu/constitution-conan/article-1/sec...
Not so. The Constitution is very clear on eligibility requirements for the President. A natural born American citizen of Chinese descent who otherwise satisfies the requirements in Article II, Section 1, Clause 5 is perfectly eligible to run for the office. If there is concern about potential leverage foreign states have over that candidate--as there rightly would be if our natural born American had close family in PRC--voters might vote for someone else. My position is that such a motivation on the part of the voters is ethical.
> I accept that I do not qualify for a high security clearance because I’m married to a Chinese national. I don’t think that should have any bearing on any other jobs that don’t require such clearances (nor my wife nor my son should be subject to such restrictions).
First, I agree that your or your son's relationship to a Chinese national should not be sufficient grounds to deny you or your son any given job. My position is that a narrowly tailored policy to reject candidates with high risk of coercion from sensitive positions, or to limit such employees' access to sensitive data, is probably OK. Having close family residing in PRC unfortunately does raise the risk of coercive pressure being applied. If your wife has no surviving close relatives in PRC and she never goes to visit, you and your son should be assessed to have no greater vulnerability to coercion than any other citizen with otherwise similar circumstances (debts, addictions, etc.).
Second, I am curious why you disagree completely, yet accept that your relationship with your wife may disqualify you from holding a government security clearance. That means you accept that the government has an interest in protecting classified information from foreign powers, and that your relationship raises your risk profile. Do you not accept that private companies have an interest in protecting their IP and customer data from theft or sabotage? Or do you not accept that your relationship also raises your risk profile for these positions? Just because a position may not require a clearance does not mean that position is not highly sensitive to a potential insider threat. And unfortunately the PLA's targets are not restricted to intelligence agencies; they target virtually every sector of our economy.
This has to do with companies making their own rules about what is right or wrong without any checks, balances, or voter feedback. Security clearances are actually defined by law, I’m against corporations becoming their own extra judicial entities.
As far as I understand, companies are generally free to make their own hiring decisions, so long as they do not amount to discrimination against a protected class. That limitation, by the way, stems from federal legislation--so companies are very much not extra-legal entities operating without any judicial accountability. If a state or federal Congress decide to further regulate companies' hiring decisions, they are free to do so.
I don't understand what exactly you would like companies to do: Simply ignore potential security risks? Do you have a specific process you advocate should be used to evaluate risks? What different kind of restrictions on companies' personnel decisions would you like to see? Do you just have a problem with a focus on risk from family members in PRC as opposed to a broader vetting process where that is only one risk factor?
> Security clearances are actually defined by law
I am not sure that an exact formula for grant/deny decisions exists in statute. These decisions strike me as inherently subjective, although certain facts are obviously pertinent to the decision. I would be very interested to read the relevant laws and regulations, though, if you'd be so kind as to point me to them.
Companies like Apple and others should be allowed to be concerned about theft of sensitive data just as much as the government. Just because it’s not a matter of national security doesn’t mean it’s okay.
Nobody here is trying to discriminate against a race. The problem is having ties to relatives living under a government that is known for making people disappear. The same would apply for a white person with many relatives there, etc.
Your argument of companies not being allowed to take cautionary steps against a foreign government doesn’t hold water.
They already are, with most disputes being settled with Binding Arbitration rather than via the court systems.
Others have already pointed out though, that a company needs to act in its own interests and one of the things it would certainly find interesting is whether an individual is capable of being coerced into sabotaging/sharing corporate trade secrets.
Source: https://web.archive.org/web/20110113190609/http://feinstein....
I think if Congress tried to pass a law limiting the President's access to classified information, the Supreme Court would likely find it to be unconstitutional.
If large numbers of voters felt that, then they would never get elected.
> nowhere justified by the constitution
The voters are entitled to vote however they like; that's implied by the constitution.
> I accept that I do not qualify for a high security clearance because I’m married to a Chinese national
Then you essentially agree with me.
> I don’t think that should have any bearing on any other jobs that don’t require such clearances
I agree. The question is, which jobs should require such clearances?
Constitutional requirements can also be changed, and it is long past time that we do so. The country has been around for 2.5 centuries, and now has hundreds of millions of people. We wouldn't suffer a shortage of presidential candidates if we required that all 4 grandparents (determined all possible ways) and all descendants and spouses have been born in the USA, along with all living ancestors and descendants of all of those. The job is simply too important to allow otherwise. (this would disqualify the most recent two, along with failed candidates like Romney and Cruz)
For tech companies we shouldn't be quite so extreme, but it also isn't good to ignore the problems.
The wiser among us know historically garbage thinking when we see it.
The thing is, coming from a country that is practicing cultural genocide against various ethnic groups, we can probably take those accusations and survive.
You can rest assured that we did not, I have zero doubt that if there ever was another war at that scale we'd have internment camps for nationals of the enemy before the end of that war.
Yes it is. You know what's also a big no-no from an ethical perspective? Letting China win so they turn the world into a global dictatorship with concentration camps, organ harvesting and ubiquitous surveillance.
Sometimes you have to do a bad thing to prevent a worse thing.
Arguably now the FANGS are now CNI - which is going to suck if your on a H1B or Green Card.
Where an employee's family lives seems like the single most important point to consider...
If you are really concerned about the confidentiality of your data, don't store it unencrypted in some SaaS where every customer service rep has full access to all your data. At that point you're already so vulnerable that exluding potenential employees from a whole country is just pointless security theater that some suit with an MBA thought up to justify his position.
There are only two ways left for China getting rid of its dictator government. The first one is flattening China with nuclear weapons (conventional war is impossible to win) which is obviously inacceptable, the second one is totally excluding China from any and all international trade.
The third way (trade brings democracy) has been disproven over the last decades. Even worse, the Chinese dicatorship has taken our weapon of free trade and turned it against us. Our domestic production of many goods has completely shifted to China, our failure to treat Africa decently instead of using it as dumping ground for excess food and clothing has led to China filling the investment void and to top it off China has been using our money to buy up our companies and leverage that to shut down democratic protest (think of the Blizzard fuckup).
China is an enemy and should be treated as such if the Western world wants to survive instead of turning a blind eye towards genocide (e.g. the Muslim Gulags).
>China has been using our money ...
The best way is to vote with your money then?
No, Germany, which also faces massive problems with Chinese buy-outs and industrial spionage.
> Should other countries refuse to employ USA citizens because of actions of the government - things like pulling out of Syria to enable the Turkish murder of the Kurds to continue.
I would wish so, but I'm realistic enough to know no government wants to put themselves into the spotlight of Trump's Twitter account and trade war threats.
>> China has been using our money ...
> The best way is to vote with your money then?
We as individuals can't do shit about international trade. No matter if I live vegan or not, pigs will be slaughtered in inhumane conditions. No matter if I drive an SUV or not, climate change will grow. Systemic issues need to be dealt with those who have been elected for this job.
I believe people have a right to self determination. Borders are just lines on a map. I know America doesn't believe that, and that's a valid viewpoint too, just one I disagree with.
Well, Germany has gased 6 million people, started two world wars, caused more than 40-50 million deaths, and continues to strong arm EU and have hegemonical aspirations...
Perhaps they too should be cut out of international trade or nuked just to be sure? The allies had the right idea, split them into two countries and make sure to keep their heads down...
Does that sound OK?
Should Germany have been isolated in 1939? Sure. Does that apply 80 years later when things have changed? Of course not.
You mean they continue its spirit in new ways (redlining, police bias, incarceration bias, racism, federal and local government neglect of their districts, under-representation etc) like it's the situation with blacks in the US?
>Should Germany have been isolated in 1939? Sure. Does that apply 80 years later when things have changed? Of course not.
Better safe than sorry. 1939 was not that far from 1918. In fact the whole spirit of splitting the country in East/West and have it have no army, as officially expressed by US, USSR, and European officials was exactly that -- to prevent future aggressions. They, having witnessed both WWI and WWII knew better.
That's an incredibly disingenuous take. America has no business being there in the first place, so there is nothing wrong with having US troops leave that region.
By your logic, the US is responsible of all the atrocities in the world where it doesn't have special operators acting as human shields.
Besides, your FUD is a bit dated. Kurds simply went seeking protection with Syria and Russia and in the end, not much happened.
This is done in China BTW.
I find it intellectually dishonest to compare the USA’s foreign policy with a dictatorship government that forces compliance through threats on local relatives, etc.
... yeah, about that... https://en.wikipedia.org/wiki/Western_Hemisphere_Institute_f...
I'd pick a different spot to call us morally superior. Like, any other thread.
I never said anyone was completely superior. But in this specific case.. we are, because American citizens (and their families) don’t disappear for criticizing their government or for refusing to spy on other countries.
We have LOTS more prisoners, btw, 4x as many per capita, with a nasty racial bias. And that's before you get into all the dead Arabs and Latinos who dared to have a government that wasn't freedomy enough for us.
What's your exchange rate between those? Do you value the tiny number of people speaking out against the state's legitimacy that much, when were talking millions of other innocent lives?
Becoming suddenly sure that we MUST kneecap our rival for totally sound moral reasons is soooo American. I feel like I'm living in groundhog day and nobody else can tell.
I can’t change what my government has done, and I can’t really change what it’s doing besides voting, but I can have my own opinion.
A mob opinion that our chief rival must be kneecapped in the name of freedom and justice is super suspect, is what I'm saying.
Americans want American hegemony, and that's fine, but please don't preach about values while you're doing it.
I think we can talk without hyperbole, no?
>Americans want American hegemony,
Sorry if that's what you think.
As far as hegemony.. I'm sorry you don't believe that :) Why is specifically China the Big Bad Guy if it's not about hegemony? Why aren't we focused on cleaning our own house first if it's about justice and freedom?
Like, if this isn't about power, we could at least stop actively supporting the horrible regimes that are useful to us? That seems like a pretty easy thing to do. Why hasn't it happened?
There are significant online mobs dedicated to anything. That's not really a convincing argument. People who are advocating independence don't understand the situation, nor do they even understand what the protestors actually want (it's not independence).
> Why aren't we focused on cleaning our own house first if it's about justice and freedom?
It's almost as if America isn't comprised solely of 1 person! Not to mention, why can't people focus on both? This argument is basically "america has issues, so it can't point fingers". Not only is this an unconvincing argument, it doesn't make sense because what is "america"? Is it me, a singular US citizen? Is it Gitlab, a company headquartered in America with ~50% American employees? Is it just the US govt?
> Why hasn't it happened? Because people aren't informed and don't vote based on that. That is another complex discussion in and of itself, but most people that I know are against it, so I don't really get what your argument is.
It's also complex over there, where Americans don't speak the language or understand anything about the culture or history. Our lack of understanding does not make them 1-dimensional movie villains in reality.
1. I do not need to comprehensively understand a country's culture to know about security risks and totalitarian governments. In fact, both of my grandparents and parents lived in and fled from a communist country, so I know a thing or two about that. 2. I do not need to comprehensively understand a country's culture to understand when human rights abuses are happening.
This argument is a form of -gatekeeping-. "Only X people can really discuss this issue", except you can move the goalposts whenever necessary.
People often don't understand American culture or history (and sometimes don't English either) but that doesn't seem to phase them when discussing America, etc.
Right, if you're a U.S citizen maybe not, otherwise they'll do that and worse, read on "enhanced integrations", kidnappings etc.
So the U.S is better domestically, (still employs prisoners as effectively slave labor, treats minorities harshly, lets people die due to lack of healthcare...), but it is worse in terms of foreign policy, so in the end it seems to be a bit of a wash, doesn't it?
Try handing out flyers about civil rights in Washington DC and then try it in Beijing.
Of course it's easy to criticize the electoral college but look at the results of direct democracy recently, Brexit, the initial rejection of the FARC peace agreement in Columbia. There's a reason representative democracy is prefered to direct, it's just difficult to get a balance. Odds are that the Electoral College will be gone in my lifetime.
Is the authoritarian Chinese system better? Of course not.
The obvious counter-example to this argument is Switzerland, which has been a direct democracy (or as close as you can get) for more than 120 years.
Brexit wasn't caused by the system by which the vote was conducted. It was a genuine public sentiment that had been cultivated through decades of media propaganda and scapegoating by politicians. Yes, the fact it was a single-issue vote made the issue more prominent, but it's entirely possible that the same result may have occurred through a general election if the right parties had been galvanized in the same manner.
> There's a reason representative democracy is prefered to direct, it's just difficult to get a balance.
I wonder which group of people overwhelmingly prefers such a system. Political apathy is rampant throughout the world of representative democracies, with a prevailing sentiment that people's views aren't being represented. Two-party politics results in elites being able to control the scope of options available to the electorate.
> Odds are that the Electoral College will be gone in my lifetime.
We can only hope, but that won't solve the two-party problem (or any of the other problems in American democracy such as the rank corruption).
> Is the authoritarian Chinese system better? Of course not.
Is anyone arguing that? The whole point being made is that America is in no position to take the moral high-ground. The US financially (and usually militarily) backs 70% of the world's dictators.
Also all the nations in Africa with newly built debt trap infrastructure.
The US has done some truly shit things abroad, but we’ve also been the dominant superpower during a period of unprecedented stability, prosperity, and peace when you look at the numbers.
Sure Iraq was a shit show, and I’m of the opinion that war crimes were committed during enhanced interrogations.
But the entire history of the world before WWII is just one long history of war basically everywhere. Open market slavery.
The US isn’t perfect, but the alternative filled with constant regional conflicts everywhere certainly seems like a worse alternative to me.
Edit: not sure why I waded into this conversation.
Curious though, I’m seeing the 4x prison population for USA per capita number bandied about.
On one level, I see that number slowly improving as we stop arresting people for smoking marijuana.
And on the other, I’m really curious, and have no idea, are China’s Uighur population which are in “reeducation camps” counted in China’s numbers?
Aren’t they harvesting people’s organs in those places?
Rough. America’s always had a lot of outright and systemic racism but my feeling is that it slowly but surely keeps getting better.
I have a feeling Generation Z is going to be pretty open about things whether it’s sexuality, skin color, gender, or whatever.
Ultra PC and call out/cancel culture is another thing with it’s own warts, but yay for a society where an entire generation can push forward this new ideology of being whatever the hell you want to be.
The boomers are dying out, the evangelicals and religious are losing people every day.
I have faith we’ll be fighting for human rights and climate change accords soon.
I really hope at least.
So to conclude, my opinion, we’re no paragon of morals and values, but our history shows a slow but steady stride towards an ideal, one of freedom, and individuality, and opportunity, for all.
We take steps back, we make awful mistakes, but over the long term, we always move forward.
That’s the America I believe in. I hope I’m not wrong.
Sure, there were historically always some tensions at the border regions of these empires, but there are pressures of such nature felt in Europe now too, (the U.S. has the advantage of being physically very, very far from the regions in unleashes its worst policies on, so of course it's less felt there).
Also, all empires saw themselves as in some way policing, keeping peace and bringing their enlightened values to what they saw as the lesser. If we see that kind of thinking now as wrong, then I really don't see how the U.S. is so much different from the empire model of old.
As for China, I agree its regional foreign policy is not great, the problem is the U.S. doesn't just keep it regional. It treats the whole world as its backyard.
If you're a non-U.S. citizen, the unipolar world is not so great. I don't want China to say replace the U.S. as the dominant superpower, I want it to offer a counter-balance. I want the EU to be its own great power, offering counter balance to both, bringing both democratic values & a more humane treatment of its own citizens than the U.S. has, especially the less fortunate.
Or the infamous “signature strikes” that target individuals based on metadata? [1]
1. https://www.rollingstone.com/politics/politics-features/how-...
Don't be so sure of that. If you hold valuable information on a foreign state, you will be accused and quickly convicted under various national security laws if you don't co-operate.
You severely under-estimate the power of a state, especially one as powerful as the US. If they want something from you, they will get it. Have you broken a minor law? Maybe you've been stellar, but some member of your family hasn't. The likelihood of being in an entire family with spotless records is very very low.
Corruption and unfair things exist in every single country, but we do have the right to freedom of press, speech, assembly, and due process.
I do agree that the barrier for that may be lower in more authoritarian states, as they're not restricted by the system of laws in the US. Maybe that's the best we can get.
I don't have an opinion whether this is the right thing to do or not.
But regardless of my opinion, how does not hiring chinese citizens help with that? This just sounds like harassing chinese people because of their government.
If you really wanted to change something, hiring chinese people and showing them what the western world is like would be the best thing to do.
Harassing chinese people because of their government, and at the same time buying all the stuff their factories produce, sounds like the most idiotic course of action if you want to change the status quo.
The Western world has tried this and ended up with Chinese students harrassing and intimidating pro-Hongkong protestors. This path has failed.
Has it? Not convincing 100% of Chinese students is not automatically a failure. What about Chinese pro-Hongkong protestors?
Harassing : the action of subjecting someone to aggressive pressure or intimidation.
Where do you see any harassment ?
Gitlab has no Chinese or Russian employee so far -> so nobody got pressure or intimidate, ffs.
China is harassing the rest of the world. China is systematically spying with state wide support. China is bullying with military, economic or soft power. China is a threat.
* Recently, in France, concerns were raised by the intelligence community about the outsized number of young Chinese students flirting / marrying with military & defence engineers. You don't even need to spy, really, just marrying people to stop any aggressive ideas toward China spreading. I mean, you would not push to war against your wife's birth place where you are now visiting every year, right ?
* Apple spotted 2 cases, how many are missed ? https://www.theverge.com/2019/1/30/18203718/apple-self-drivi...
* Lol, there is a whole wikipedia page on the topic, just for the USA : https://en.wikipedia.org/wiki/Chinese_espionage_in_the_Unite...
* In the European Union, they buy big companies from small countries to get leverage on EU decision making process. https://www.ft.com/content/d7145792-4743-11e9-b168-96a37d002...
Gitlab is simply pragmatic and clear-minded, their teams works in transparency and trust, they can't handle potential threats without a deep rework. I think it's much more than just having permissions baked in their systems, it's the whole defence industries layering that they would need to acquire.
Western players are now actively reducing their Chinese exposure (buying less critical stuff from their factories, cf. Huawei's affairs, moving factories to others countries). I am afraid it's too little too late.
While western people, and even more highly educated western people, have low levels of nationalism, Chinese people are brain-washed into thinking it's the best country in the world, best ever. Helping China is very important and their authorities have lots of leeway to push this.
Currently using Gitlab, I am glad they are aware of the issue and of their limited capacity to stop it from inside. Putting the fox in charge of the hen house, am I right ?
> if you really wanted to change something :
It's not West mission to bring democracy in China, it's not our country, they are grown up already and will keep finding their own way. It's typically USA ego to think the whole world must be awoken to USA values. The rest of the world is fine, thank you very much. We witness South America's fate in the XX century and Middle East's fate in the XXI. China just want western technology : buying, trading or spying it.
The most idiotic course of action has been followed already by moving the whole factories chains to China and thinking we could keep the knowledge here while it is applied there.
Actually, they do have employees there. There are at least 5 Russians and 1 Chinese listed here: https://about.gitlab.com/jobs/
There are no Russians at the role that had been debated though.
If you are known to directly or indirectly provide assets to a government and said assets are a critical part of the infrastructure, you're responsible for the safety of the government in your dealings.
An American company refusing to recruit people from China is just the US government refusing to hire the Chinese government to run the country, not companies discriminating against individuals. This holds true even if you swap the states in the previous sentence.
For the record, I'm not a citizen of either of the aforementioned countries but my home country has a similar relation with its neighbor.
You are putting collective blame on a billion people for the actions of their dictatorial government. This is not a reasonable position to hold in a supposedly enlightened society, it is rather just a thinly veiled excuse for run-of-the-mill xenophobia.
The world had had more invasions, interventions, toppling of legitimate governments, etc, from the US than from China. And while the US keeps democracy internally (unlike China) they have supported all kinds of dictators abroad.
So there's that.
The mere fact that you were even considering "flattening China with nuclear weapons" to bring democracy (even to discard it) is telling of the US imperial mindset...
And the same is for the interventionist idea of "totally excluding China from any and all international trade".
Yeah, let's risk internal chaos, power struggles, civil war, famines, etc in a sovereign nation like China, because they don't have a system of government we approve of.
As if intervention to "bring democracy" worked so well in Libya, Iraq, Afghanistan, and several other places besides, who cares for the million out of their homes, rising fundamentalism, killed, etc, they're not white enough...
When does some countries finally understand the concept of "mind you own effing business"?
All large nation states are guilty of aggression, that's how you become a large nation state.
Please don't move the goalposts. We're talking about the current State of China, which came into being in the mid 20th century, and is thus a lot younger than the current US state which traces its founding to around 1776. By that measure, the US has been involved in far, far more invasions and wars than the Chinese state.
For Tibetan, the government freed them from the old cult (you may don't know their nobles used to wear slave skin clothes and drink from human skull bowl), build railways accelerate their economy, lower the university score for them to help them get educated, enfranchise them to vote, propose new proposal in People's Congress, etc. So how do they feel about their government? I mean those Tibetans who live in China.
What's more, Tibetan, Muslims in western China, they are all Chinese people, so their issue IS the Chinese government's own business.
Even if you think that it's desirable for the government to try to accelerate secularization with its "re-education camps," the implementation is guaranteed to cause a lot of suffering. The rushed timeline for construction, involuntary detention in the resulting cramped quarters, guards and teachers who were hired quickly with essentially zero training... all of this is just setting things up for physical and psychological abuse of inmates. Just look at the cases of 杨永信 and 豫章书院 torturing children to cure them of internet addiction to see how far people are willing to go if there's no oversight and their aims are supported by mainstream opinion. That the government tries so hard to suppress negative reporting doesn't exactly inspire confidence that abuse will be prosecuted.
My personal prediction is that the majority of inmates are going to come out of "re-education" traumatized and with a justified hatred of the government. I'm sure they'd prefer it if the government stuck to their business of modernizing the economy, instead of trying to force loyalty in the most ham-fisted way possible.
I doubt the existence of the so-called "re-education camps", but I don't have enough evidence to prove it's a lie. (I think is hard to prove a thing don't exist, for example, I'm an atheist but I can't prove the absence of any god)
"杨永信" and "豫章书院" is never supported by the mainstream opinion, their existence only indicate there are a bunch of people don't know how to raise their kids, and blame their children's disobedience for so-called "Internet addiction". Many Chinese people hope the government put an end to "杨永信" and "豫章书院", but I don't know why they don't. However, this issue is not akin to Xinjiang and Tibet issues because there's no religious or minority involved.
1. While the Constitution of the People's Republic of China does protect religious freedom, this is only under the condition that the religious beliefs in question do not disturb the social order, cause bodily harm or obstruct the national education system. That means in practice, people will be detained for beliefs that are considered too extremist.
2. Would you believe me that they exist if I called them "education centers" instead? Try searching for 教培中心 in http://www.xinhuanet.com/politics/2019-03/18/c_1124247196.ht... It is described quite clearly that people can be brought to these centers even if their extremist beliefs do not otherwise amount to a crime.
3. I specifically brought up "杨永信" and "豫章书院" because they don't involve minorities. I didn't mean that they were mainstream in the sense that most people would approve of their methods, but there's definitely widespread concern about students spending too much time on the internet and too little studying. It's just that most schools take a less brutal approach to the problem and confiscate their student's phones instead of using torture.
Given your statement that
> Many Chinese people hope the government put an end to "杨永信" and "豫章书院", but I don't know why they don't.
consider that many Uyghur people hope the government put an end to the conditions in those "education centers" and don't know why they don't.
4. Do tell me if any of this is unconvincing. I'm still working on an airtight argument that is acceptable for someone with the perspective that the CPC is trying to do good in principle.
3. Your refute is valid only if the presumption is real, I applause sincerely for you, but how can you stand for many Uyghur? I live with Chinese every day so I can present more or less their thought, did you get in touch of some Uyghur or you just surmise their thought from, let me cite Trump, "Fake News"?
4. I really hope to read your airtight, immaculate, irrefutable argument!
Maybe not, but not all beliefs that are defined as extremist are of the stabby kind. It's a bit hard to get information on which specific beliefs are covered; http://www.xjnj.gov.cn/jgdj/flfg/201502/09174829hwdu.html talks mostly in general terms, but does explicitly mention "活佛转世". Belief in reincarnation is not exactly a violent ideology, but it does create a separate hierarchy (of reincarnated lamas) that does not directly answer to the CPC, which I guess falls under the "social order" exception. Also, various kinds of headscarves and beards seem to be forbidden alongside the Turkish/East Turkestan flags: http://xjtzb.gov.cn/2017-06/19/1121167392_14978365485711n.jp... (I realize the image is watermarked by some random WeChat account; but the reposting by the Xinjiang branch of the United Front seems like an endorsement.)
> maybe even teach him some skills so he can make a living and become a part of society? The latter is exactly what "education centers" do according to the link.
I don't have a problem with that in itself, but that's contingent on the implementation. Making the plan work requires lots of resources, not just the one-off construction of buildings, but also teachers, guards and other supporting staff. There's already a shortage of teachers in poorer regions of China, so where are all those teachers coming from? How are they trained? The inmates aren't going to be economically productive for some time, so how are their living expenses paid? What about the loss of income to their family members?
These are all difficult problems to solve, and I'm not sure the Chinese government has actually solved them.
> the center is not a prison or Auschwitz (go back home regularly)
I agree that comparisons with concentration camps are not appropriate, because the purpose is not genocide, but ideological assimilation. However, I'm not too sure about the "going home" part. Only one of the three groups are voluntary signups; what's the point of sending someone there involuntarily if they can just go? They might even end up stabbing someone.
> did you get in touch of some Uyghur or you just surmise their thought from, let me cite Trump, "Fake News"?
Unfortunately, Uyghurs are a bit rare where I live. It's certainly possible that the Uyghur and Kazakh Muslims who have appeared as eyewitnesses in Western media are just making everything up, or maybe their experience was simply atypical. After all, among a million people, finding one who had to live in a room with ten people because the new dorms weren't finished yet, or who was hit by a frustrated teacher, or who was raped by a drunk guard, is kind of to be expected. In that context, a statement from the government that they're investigating those crimes and will punish those responsible would be much more reassuring than a complete denial that anything bad ever happened.
Maybe you could ask some of your Uyghur friends if they know anyone who went to one of these centers and what they thought of the experience. I guess that'd be much more informative than debating with me.
This is an old story
This is often claimed, but I fail to see the disproof. The standard of living in China has improved considerably as a result of trade. That new prosperity means that now more people can afford to support journalists, lawyers and activists working to expose and curtail abuses of power.
This is not limited to underground organizations or something; the Center for Legal Assistance to Pollution Victims is run by the China University of Political Science and Law in Beijing, probably funded by government grants. http://www.clapv.org/about/index.asp
It's also not limited to action in China; as Chinese companies get involved in large-scale construction abroad, so do Chinese NGOs who have experience mediating between those companies and the people negatively affected by them. https://pandapawdragonclaw.blog/2019/10/28/interview-can-chi...
You may think that internet censorship is a sign that things are regressing, but there used to be no internet at all. Nowadays anyone with a grievance can publish an article or a video to raise awareness; by the time the censors notice the outrage, it's already too late for the government to pretend that nothing happened.
30 years ago, the Tiananmen Square protests lasted barely over a month before they were crushed by the military; the protests in Hong Kong have been going on for half a year and the military hasn't been involved so far.
China hasn't turned into a democracy overnight, but neither did South Korea or Taiwan. So far, the trend seems to be positive.
People have to do what the state they live in and belong to orders them to do. That's part of the point of having a state. So if you can't trust a state you can't trust its people either.
> you are really concerned about the confidentiality of your data, don't store it unencrypted in some SaaS
I don't think dissolving the company is on the table.
So, I could say that American is sucks if I think Trump is sucks?
That is ridiculous. The first is that 'state is unauthentic' is a subjective speculation. And the most funny is that the conclusion 'people is unauthentic' is came from your first thought.
I can not say American is terrorist if Hillary wanna burn other country. Am I right?
Zing! Solid line but it misses the point. As with any other data, you can encrypt source code. It's perfectly easy to envision a setup where Gitlab employees in country X can only see plaintext Gitlab data they could already see over the public internet.
Even then, good old corruption of non-Chinese is still possible.
You can’t ignore the fact that the PRC uses those things as leverage against people abroad in order to get information. Until that stops, what are companies and governments supposed to do? Roll over and allow espionage because we’re so tolerant?
There's a growing hysteria in the US about China, which is leading to increasing signs of discrimination and harassment of Chinese people in the US. This sort of demonization of an entire country and the politics behind it (preservation of the US as the world's dominant power by containing China) are very dangerous. The thing that makes it most disturbing is the way people across the political spectrum have bought into the idea of the Yellow Peril, and are now okay with discriminatory policies, the trade war, and challenging Chinese territorial sovereignty.
People don't care about people from the ROC, aka Taiwan, aka China*. If people in our extremely polarized political environment are uniting on this, it's because it's a Serious Issue that needs to be addressed.
Any american or european living in either country would similarly be affected by the ban. Untwist your knickers please.
You keep calling it xenophobia even after you've been proven wrong when you claimed this is targetted at green-card holders. You are absolutely disengenuous and have no intention at good-faith discussion.
I then suggest you edit out your erroneous personal attacks.
Regardless, the GP does raise a valid point that if you have family living under the heel of a totalitarian dictatorship they can and will be used as leverage.
Your whinging won't change that fact, and it has nothing to do with them being Chinese (or Russian!), and everything to do with their country's government.
If I ran state security for a poor African dictatorship, I would find all successful expatriates in the .US/.EU/.AU and sell their details to other nasty outfits and offer to "apply my heel" to their families for a fee.
And the optics would be on my side.
> Regardless, the GP does raise a valid point that if you have family living under the heel of a totalitarian dictatorship they can and will be used as leverage.
Okay, so now you can edit our your attacks above, because you see that the post I was responding to did discuss targeting Chinese and Russian people living in the US.
> Your whinging won't change that fact, and it has nothing to do with them being Chinese (or Russian!), and everything to do with their country's government.
Regardless of the rationale, they're still being targeted on the basis of their nationality. The general impression is being created that all Chinese and Russian people in the US are potential national security threats, whose employment should be restricted. I don't see any functional or moral difference between that and xenophobia. It reminds me of the generalized suspicion of Muslims after 9/11. It's not a pretty thing, and it's sad to see it gaining currency.
Back on topic of green cards: whether you want to bury your head in the sand or face the reality that foreign dictatorships will use their own citizens to infiltrate their rivals is up to you. If you want to take the high road you can, and likely be excluded from government contract work.
Don't get me wrong on one thing, the west is in a precarious situation of openly doing the same thing in certain cases - eg: Australia's draconian backdoor law. I will not hire or recommend hiring an autralian dev working in Australia - and you can call me a racist or xenophobe if you want, it will not change the reason for the decision.
Fortunately for an australian immigrant abroad they are not going to have their family black-bagged for failure to submit to their government. I don't have this confidence for Russia, and especially not China.
What I do know is that there's an increasing atmosphere of generalized suspicion against Chinese people in the United States, and even of people of Chinese descent. There are lots of recent examples, but to give you just one chilling one: US government pressured Emory University to fire two US-citizen medical researchers of Chinese origin, for the non-crime of pursuing research collaborations in China. The two are leading researchers into Huntington's disease. At the time they pursued their collaborations in China, such collaborations were encouraged by the university, and they pursued them openly. Their entire lab was closed down, and the more junior researchers from China were sent home. This is not an isolated case.
I can't see what's changed to warrant this crackdown in the last few years, other than the quite open discussion in US foreign policy circles about the need to maintain US hegemony, and the long-term threat to that hegemony from a rising China. This has been accompanied in recent months by increasingly hysterical media coverage. One of the most consistently frustrating things about the US is the susceptibility of the public to these periodic campaigns of demonization. Obama laughed about Russia in 2012, but in 2016, Americans suddenly discovered that Russia is the root of all evil in the world - they're even responsible for racial tension in the US! Something similar is happening with China now, and it's reached such proportions that even a Chinese app that teenagers use to share lip-sync videos is a national security risk.
https://www.theguardian.com/world/2019/oct/17/think-of-your-...
They also have no problem black-bagging non-compliant citizens, no matter how high-profile they seem to be:
https://www.bbc.co.uk/news/world-asia-china-45806904
Blackmailing any random employee (with their family safely in the US or another western country) is absolutely not the same as blackmailing an employee with the family still living in China or Russia.
If you have family in China and you have access to government information or IP they want it is not at all far fetched they will do this.
If you have something they want - or are able to do something they want - it's quite obvious they will use your family as leverage.
I’m wondering, can the US government legally issue a National Security Letter to an individual employee that forces them to comply and spy for them?
If they can, does this also mean the employee has no legal recourse since NSLs must be kept secret?
No, because that would be unconstitutional. But the proceedings of objecting to a NSL similarly must be kept secret. There wouldn't be any point to the secret component of a NSL if the recipient could object and hash out the merits of the request in public court records.
Most countries do it by subordinating secret agencies to a military division of sorts, wherein martial courts and security access is already structural. Others choose a more 'civilian' approach subordinated to a parallel chain of command within the citizen government/legislation/judiciary — closer to police, interior dpt / homeland security, etc. (in such cases, army intelligence is usually quite distinct from civilian surveillance).
Which approach is favored historically by a country typically depends on pre-existing constitutional models and principles — notably how the army features relatively to the ultimate civilian chain of command, and how the latter is accountable to the (sovereign) public in the event of treason.
None of this applies in authoritarian regimes where the ruling caste or figure(s) usually answer to no principle (no courts for them, only 'advisors' for they sit above the law) and secret service is almost always directly answering to them, as part of the active coercion of the people (fear of the "enemy within", etc).
I don’t have a link I can share at the moment to prove this (I’ll update this comment if I find one), but at least in the case of an employee with a security clearance, it is my understanding they can be forced to comply with a US Government order without the ability to inform anyone at their employer (including corporate legal staff). I’m not clear if this order would have to come as an NSL or via another channel.
Unfortunately, like most good things in corporate software, it didn't last.
Source: am a former RHEL customer now using Fedora
I am in the US, so can not say, "I disagree with how the Israeli government is treating Palestine and thus don't want to do business with any entity located there."?
No.
That link the parent commenter shared is a very good overview: it basically means that your company will not receive special corporate tax consideration if your company:
Enters agreements to refuse or actually refuses to do business with or in Israel or with blacklisted companies.
Enters agreements to discriminate or actually discriminates against other persons based on race, religion, sex, national origin or nationality.
Enters agreements to furnish or actually furnishes information about business relationships with or in Israel or with blacklisted companies.
Enters agreements to furnish or actually furnishes of information about the race, religion, sex, or national origin of another person.
(e.g. “hey [anti-Semitic company], this competing businessperson is a Jew, if you were wondering”)
In any of these cases, there are exceptions and matters of interpretation.
Whether or not you think this is appropriate for the government, it's not as simple as “you can't engage in a boycott as a matter of personal conscience”.
>Enters agreements to refuse or actually refuses to do business with or in Israel
The link does actually include the penalties, which are far more than just losing special tax considerations. It includes hefty fines and even imprisonment under the TRA. The "just losing tax consideration" part is only under the EAR. I understand that part.
It's the fact that they say I cannot boycott Israel independently.
I'm still confused at how this can be fully Constitutional. Say I care a lot about the Palestinians and object to their treatment by the government and military of Israel. Say I make widgets wholesale for people to resell retail.
So I say, if you buy my product and resell it you make money and your government takes some of that money, as is normal. Therefore, I will not sell to any company that sells this in Israel as I do not want to my product to be used to make money for a government whose actions I condemn. I don't care if you are a Jew, a Christian, an Arab and/or even a Palestinian, if you want to sell my product in Israel and taxes which go to the Israeli government will be collected on that, I'm not selling it to you. Not just certain companies within Israel, all of them. Anyone who sells my product and thus makes money for the Israel government, nope, I'm not doing it.
That's the part I have a problem with. If I don't actively try to stop Israel from doing anything but want to take an active role in not helping them in any way, I'm breaking the law? I don't see if how I want to act independently the Arab League but what I want to do aligns with part of what they want to do, that is a problem? I should be able to not support what I see as a bad actor.
I would note my understanding is that fines for non-compliance have historically been relatively light and therefore, to my knowledge, these regulations have not been seriously tested in court in recent times. (And the article I read suggested there was a causal link between those two facts.)
I have a hard time believing that the government could do this but the way I read it says that if I said:
As a business, I disagree with the human rights violations the government of China is engaged in. I am again Saudis Arabia's ban of alcohol on its residents, its treatment of gay people--including death for simply being gay and the way it withholds rights from women. I also deplore Israel's treatment of the Palestinians, including the demolishing of houses.
Therefore, I will not allow my product to be sold in a way which results in any of these governments collecting tax on it, this supporting the government.
The way this reads, it seems the government can say, "Whoa, you can't to that to Israel though." and ignore the other two. Unfair and prejudicial in my opinion.
> forbidden from … Agreements to discriminate or actual discrimination against other persons based on race, religion, sex, national origin or nationality.
So, to be clear - GitLab can merrily discriminate against Chinese citizens of the US on national origin by themselves, but are breaking the law if they do the same under a joint venture with a non-US entity.
Bonkers.
Disgraceful. GitLab was once an inspiration to me in terms of its openness & culture, but the recent moves around tracking and now this, make it clear that GitLab has been around for too long to stay a hero.
Nice bigotry in a post complaining about bigotry.
Maybe I could have worded it better, but I am referring to American culture and the mindset that when you think 'anti-hero', it's going to be a Russian/Chinese most of the time.
One of the hardest parts of most white collar prosecutions is proving that an action was taken "knowingly and willfully". Unlike other areas of criminal law, most white collar offenses require prosecutors to prove that not only did the person know they were doing the things they were doing, they had to know they were illegal.
Having the party's own lawyer offering legal advice outside the scope of privileged communication is normally windfall enough. Having them do it publicly and in the media's eye is just insane.
It's a good question what one could prosecute out of that and what to gain. There are so many open angles and I don't think there is any precedent with a fully opened company.
Imagine if governments worked like this? Holy hell. This is what Assange should have aimed for instead of getting involved in geopolitical intrigue.
Or, What about if one of their employees is married (or wants to get married) to a legal resident of one of these countries? How far removed does the employee have to be from this risk? And how much of an impact on their (and their family's) civil liberties could this have?
I imagine Gitlab would have a similar but less restrictive policy, "don't bring a work laptop <with credentials that gives you access to one of these roles> to China, ...".
I don't see why a policy against residing/working in China would care about who you are married to or where they live.
Until Su's ageing parents back home succumb to ill health and she decides that the family need to move back to China to care for them for maybe one or two years - perhaps longer.
Bob then has to make the choice between (a) resigning his job or (b) being forced into a long distance relationship with lots of travel between China and the US, or (c) divorcing his wife.
When company policy gets in the way of important life decisions, I think it is a dangerous line to walk.
If Bob wants to move to China, where the company doesn't have an office, he's going to have to resign or take a leave of absence.
This decision on Gitlab's part would be moving their incredibly generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran" to a nearly as generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran, and places that are known to coerce people into spying for them like China and Russia".
Most companies operate on a whitelist of places where you can work (where they have offices), not a blacklist. Even many remote companies operate on a whitelist (e.g. "Remote, US only"). Really, I'm amazed they feel that they can operate on a black list approach at all and not accidentally violate tons of local laws.
MSFT just recently won a 10B cloud deal from the DoD, perhaps the purse is still open there?
Going from a whitelist to a blacklist is hard because you need to either individually vet every country and decide if they're ok, or you need to just assume a lot of countries are ok.
Going from a blacklist to a whitelist is obviously trivial.
Whitelist with 3 countries: I have vetted three countries, and know my employees can operate in those countries legally without issues.
Blacklist with 3 countries: I either need to vet 247 countries to ensure my employees can operate there legally, or I am just assuming that those 247 countries are fine without actually doing the due diligence.
Again, going from a blacklist of 3 countries to a whitelist of 247 countries is obviously not an issue. You're operating on the same data. The issue is going from a whitelist of say 3 countries and then not going to a reciprocal blacklist of 247 countries, but a much smaller blacklist of 3. This is what Gitlab has effectively done in OC's estimation. That either means you vetted those 244 extra countries that are now on your "whitelist", or you're making a lot of assumptions.
You forgot D that gitlab is actively discussing which is a role change while staying with the company.
Do one or the other, please. Otherwise you're not doing either very well.
Security clearance background checks will cover this sort of thing. For sensitive government contract work, clearances are generally required for the relevant contractor employees.
For non-government customers who still have these concerns, I’m not sure there’s a good answer. I guess you could define your own clearance process and run similar background checks - many of the government’s own background checks are done by private investigators already.
How is this not a form of Japanese internment camps? Russia and China are a problem so we block Russian and Chinese citizens? Also, wouldn't I just have my Russian agents living and working in Sweden or Canada or something?
Second, a company will want to abide by the laws of the countries it operates in. Having an employee somewhere may, nowadays, count as "operating in" that country. If they are not comfortable with some state laws, that makes sense to avoid these countries. Just like the companies that say they can't operate in Europe because of GDPR.
Third, if you identify one of your employee as a Russian agent living abroad, you fire them and Russia is in the wrong there. But if you hire a Russian and that makes you legally forced to share some data, you would be in the wrong to not comply.
> There is an unacceptably high risk that these nations may apply pressure to individuals living within their borders with sensitive data access (based their role at GitLab). It is our concern. And it is the stated concerns of several customers.
The discussion is actually pretty significant, as they sort out how they might manage the _customer demand_ that is creating these hiring blocks, and in turn, how that is reported and tracked.
I don't see this as a purely "done deal", it's a company having very important discussions in the open that most would just default to "restricted". All this transparency is a great source for others to learn from.
Going a bit deeper, it seems to be a specific demand by a potential client. Can make sense for activists, journalists, humanitarians. Makes sense for gitlab to push back too though.
https://www.chinalawblog.com/2019/09/chinas-new-cybersecurit...
Whether it's real or not or even likely to be effective, there's a chilling effect and businesses are obviously concerned to be raising the issue of Chinese-based employees with GitLab.
Every US company must hand over any customer data held anywhere, by any subsidiary or joint venture, on earth at the request of the US government.
Be transparent about your theft of IP with that Meltano ripoff of Looker.
How about you be transparent about the theft of IP that was Meltano, though.
You literally linked to documentation from the company whose IP you stole. Gl, hope you have a good legal team.
https://gitlab.com/gitlab-com/www-gitlab-com/issues/5555#not...
They have a customer that required the personal data they'll give to Gitlab not be handled by people living in Russia and China. Could be a group doing humanitarian or journalistic work.
That's actually an interesting conundrum: you want to hire a company, need to trust it for handling sensitive material, and can't afford it to fall between specific states' hands.
I don't think there is an objective process to do that. I know that USA and France and probably many other countries have laws to authorize seizure of data they consider linked to a variety of vaguely labeled activities (from "trouble to public order" to "terrorism"). You may end up excluding 80% of the world if you use objective criterion there.
https://www.tabletmag.com/jewish-arts-and-culture/culture-ne...
Search for "You were directly involved in the drafting of the original FISA law in 1978."
And this isn't discriminating on nationality or national origin, it is on the nation you currently live in. Employers decide not to hire employees living in other countries all the time, it's the most prevalent choice (i.e. US companies only hiring employees living in the US). I don't see why doing this because a customer you've considered critical has asked for it is any more legally risky that having done it for other reasons, assuming we discount the anti-boycott argument.
This is all with the huge caveat of I'm not a lawyer, just giving my perspective based on how I've seen these laws/regulations applied in the past.
Thing is, even if it is just country of residence, it is still a discrimination on hiring and could very well be illegal unless there are strong legal reasons. E.g. "we have to do things that are illegal under the laws in country X, so we can't hire people there".
I think the main point of her position is that one should have an objective criterion to add countries into a blacklist and that none can realistically been done over privacy issues that would include China and Russia but not USA.
No government would make it illegal for a company to choose not to do business in a non-ally foreign country. Millions of business already don't engage in many foreign countries, by default. Including yours, I bet. Why should they be required to do so?
They speak about revenue, so I'm sure that's not the case. I bet it's a commercial company with sensitive data, probably gov/mil contractor with strict obligations to their customer.
And someone at their management doesn't understand Intelligence 101: they don't reach for your data from the country of origin.
I doubt a mil contractor would add Russia and China but not embargoed places like Iran.
And yes, I think this is a misguided attempt at security. Companies that handled crucial data that need to stay private really should spend the resources on managing these data themselves.
Second this
According to customer requests that their sensitive information not be placed in a situation where it could be relatively easily accessed by state actors ... serves the customers interest.
That’s not contradictory, except in the most superficial sense of “but we have open arms for everyone”.
I wonder how the HN crowd feels about that? There was a lot of talk recently about how companies should not sacrifice their values and kowtow to the demands of large clients.
As a company that values freedom of movement and is remote first, this prevents their employees from moving to where they want. Does this also mean they can’t vacation there either?
No, the post is fairly explicit about what the proposed block is.
While I agree with the position that companies should avoid trading ethics for short-term profit, this is a move I hesitate to condemn - the cost is fairly minimal (their remote-first position is still quite generous), and there is much to be said for the increase in privacy and security this provides their customers.
It isn’t even as simple as worrying that foreign national employees can be coerced by their home nation police or state security services — anyone subject to policies like Gitlab’s who is local to your business but who has family or assets abroad that can be used to effect duress, or who can be blackmailed in some way elsewhere, would need to be vetted.
In order to effectively support customers, you need to make a decision into how much visibility you'll give customers. Alternatively, you give your support the even more unfortunate circumstance of needing to request sensitive data.
SREs need to be able to work with hardware and software and by virtue of needing to take decisive action are in a similar situation.
This is why I refused to obtain a DoD security clearance when my job needed me to: I go to Russia to visit my family every 2-3 years, and I don't want to be in any way valuable to their intelligence services or the like, nor do I want to put myself or my family in danger.
All of the above is in spite of me having spent most of my life in the US by now.
IMO a better solution is for nobody to have permanent access, and granting it on as-needed basis, with a full audit trail. It's not perfect, but it's a heck of a lot better than the ineffectual geography-based blocking that you are implementing.