118. I have a client that is in Iran to visit a relative. Do I need to restrict the account?
A: No. As long as you are satisfied that the client is not ordinarily resident in Iran, then the account does not need to be restricted. See FAQ 37.
It may be overreach by GitHub, but given the severity of the sanctions lawmakers have set for the case where they happen to get it wrong, I'd like to at least blame lawmakers for creating such a risky situation.
I work with sanctions. I think both can be easily blamed. Similarly to DMCA notices, most companies opt for the path of least resistance (it is cheaper to blanket-ban than to investigate). Yes, politicians are to blame for creating the environment, but companies deserve flak for taking the path that is bad for the customer (unless they are sufficiently well-heeled).
My thoughts are my own. I do not represent anyone other than myself.
So look at (on one hand) a customer worth... well, PureLabs is "10 incredible FTEs," let's give them the $21/user/mo Enterprise plan at $210/month in revenue.
On the other hand, a sanctions violation could be a $65,000 fine (Trading with the Enemy Act) or $250,000 (International Emergency Economic Powers Act) for each offense. (I leave aside the million-dollar narcotics-kingpin act). On top of this we also see the risk of criminal prosecution.
In what world is it reasonable to expect anyone to take this chance?
It is hard to discuss hypothetical violations so I won't do that. It absolutely is a safe course of action to do a blanket ban. That said, is it reasonable to assume violation based on IP address (and that is what seems to have happened here)? Banks don't (typically) automatically block MUHAMMAD JIHAD even if they may end up questioning it.
That’s because the combined business of all Muhammads and their employers is way more than $210/month AND it would be illegal, and Bad PR™, to ban them from your business based just on their culture/name. Otherwise they would have been “derisked” out of service.
You have a point (and Mnuchin, to his credit, based on reports, does care about regulatory burden and its impact). So you are right, one is not like the other. To address your point directly, if OFAC tomorrow added MOHAMMAD JIHAD with no other information (no DOB, no address, and so on), you would be surprised how quickly the banks would respond.
Now note that we are discussing a name, a common, but somewhat reliable, if mutable, driver of our identity. Now compare it to IP address and tell me, which one is a better predictor of who you are.
Unless we are assuming IP is a proxy for location, which is another story.
Banks typically would react overnight to OFAC list updates, through a sanctions list service.
If no DOB or similar is also provided, though, scoring should not be too high - and if a match with Mohammad is enough to trigger an alert, the overnight alert delta would be either manually processed by Compliance, or bulk closed as false positives, depending on how much time you need to unblock the clients and similar risk considerations.
I am not sure if you realize it, but you are proving my point. Banks found a way to address the issue without adversely affecting the customers. Github appears to have only recently started to do the same, but they opted for a blanket approach as opposed to a more targeted one.
Not parent and not about terrorism directly, but Tardigrade Ltd. was sanctioned in the US (because it is an arms dealer without a licence in the US), causing all "Tardigrade" payments to be blocked (even innocuous ones): https://news.ycombinator.com/item?id=24450828
Cases like this are an example of how a company trying to cover its ass leads to a customer getting kicked in the ass.
Sanctions, compliance, etc. are a messy ordeal to manage (both technically and operationally), and the way laws are written, with so many intricacies and dependencies, doesn't make it easier.
Because only 1 instance of violation could lead to fines equivalent to a person's salary, often the systems are made to be overly sensitive and less investigative to figure out whether a 'hit' is actually a false-positive because that also takes time/money and still carries potential risk.
I would blame the automatic sanctioning software for triggering such a situation without checking if the new access from Iran was by a tourist or a citizen. Adding an org block for minor access within two weeks is overreach.
This kind of software is not simply installed with an apt-get one-liner, github can’t be exempted from choosing their business rules on screening matches.
Thing is, GitHub is a tool that facilitates distribution of IP. So if someone is logging into GitHub in Iran, whether they live there or not, they can use it to "export" code.
Which is kind of irrelevant---preventing the export of code is not the issue. This is an economic sanction against Iran by preventing companies from doing business there.
The law has a chilling effect on companies that drives them to do things like this. If a company does something that it clearly would not have done without a law, it's the fault of the law, even if that law didn't specifically require it, in fact even if that law specifically exempts it.
If you read this literally, you could get away with leaking state secrets as long as you're visiting a relative while doing it.
Github cannot be expected to reliably differentiate between the coworker who just checked the status of a PR on a webapp versus the employee who opened a crucial piece of encryption code to leak it to the Iranian military or whatever.
If that's the case, then the problem isn't Github, but of the organization having Iranian intelligence assets on staff. And the whole idea of the government regulating encryption and it being weaponized is overdone.
https://home.treasury.gov/policy-issues/financial-sanctions/...
Source: https://twitter.com/Hamed/status/1346433510786138114/photo/1