In July, Microsoft-owned GitHub started blocking repositories of developers located in nations under U.S. trade sanctions. Since the initial complaint, more developers have said they have been affected. GitHub had kept quiet on its exact reasoning but has now offered an explanation.
Previously, the company said it was doing “no more than what is required” under U.S. trade law. Expanding on the reason, GitHub now says is only doing the bare minimum to comply with those laws.
The story started when a Russian based in Crimea found is repository had been blocked. 21-year-old Anatoliy Kashkin received a notice from GitHub saying his account had been restricted. The company pointed him towards its page detailing U.S. trade controls. Countries listed as being under trade sanctions are Iran, Crimea, Cuba, North Korea, and Syria.
GitHub confirmed one of its determining factors is the IP address used by a user and whether it comes from a sanctioned country. However, it seems some users from non-sanctions nations are facing issues too.
Duncan Worrell, a UK-based developer said his private financial services company was recently blocked on GitHub. According to the website, the repository was from a country under US trade sanctions. The UK clearly isn’t, and GitHub did not explain how this could happen.
Worrell says it is likely because “a sub-contractor of a sub-contractor currently resident in Ukraine, accessed our GitHub repo while visiting family in Crimea”.
“We did know two sub-contractors of our Latvian sub-contractor were not Latvian. That one may have been Ukrainian, but we had no knowledge that a) Crimea had been sanctioned or b) the developer had visited Crimea. Neither had made any source code changes since May this year, so any IP tracking would have been historical,” Worrell told ZDNet in email.
“We also asked both developers to lodge individual appeals to prove they were no longer in Crimea. That requires their IDs (copy and selfie) be uploaded and at least one of them still has that registered to a Crimean address, despite now living in Kiev, Ukraine. I don’t imagine people update their passport every time they move house. GitHub should really provide another option to proving residence.”
Tyler Fuller, GitHub’s general counsel, explained this week GitHub faces problems when trying to comply with U.S. trade laws.
“Sanctions are complex and were originally designed to regulate trade in more traditional goods and services, especially financial products,” wrote Fuller.
“For companies that provide certain types of digital services, compliance presents novel legal questions and involves some uncertainty.”
“We’re dedicated to both allowing as many developers around the world as possible to participate in the open-source community and to following the law.”