Wow the Twitter thread and the experiences which are mentioned here sound so extreme and crazy that I am seriously confused to what believe.
- Is this all made up to prove some point?
- Is this just how the US ticks right now?
- Is Slack just completely gone mad?
- Is this what companies believes is acceptable nowadays?
- Is this the future of the web?
The fact that I am not sure what to believe and that I wouldn't be surprised if this is all true or equally all made up is what really scares me. Ten years ago I would have had a lot more confidence and faith in the world that this must be either a big mistake or something fishy, but today I feel like anything goes and in a week's time nobody will care again :(
It's the dystopia of the film Brazil: someone makes a typo in a database, someone else's life is dramatically inconvenienced, and it's impossible for them to access any means of redress.
Which is great for politeness, but largely rubbish for working out what people might be up to, given that people not only regularly disguise malice as stupidity, but in some cases find it highly entertaining. Hence the existence of - https://www.reddit.com/r/MaliciousCompliance/
This is also the future of blind faith in a few companies that control substantial things you depend on personally/professionally. You don't really think about how much damage something like Slack (or god forbid, Google) could do to you by shutting down your account until something like this actually happens.
Add to that the dark side of being "data driven," which is that stories like this one are just part of the 1% of edge cases. These companies also try to move away from actual customer service as much as possible because human labor doesn't scale as well as automation, so you'll fall through the cracks as long as the news that it happened to you doesn't get enough press to make it worth an engineer's or VP's time.
I know that sounds extremely cynical, but having been on the inside in situations like this, I saw how these dynamics converged despite good intentions. Stuff like this is why sending engineers through front-line customer support rotations tends to dramatically motivate engineering teams to make quality of life improvements. Once you lose the detachment that indirection from the user gets you, suddenly those 1% cases feel more important.
For more than a decade, Section 230 [1] has protected internet platforms from censorship of user-generated content. Why is Section 230 not applicable here, or is a similar law needed with wider scope?
>
It is the policy of the United States—
(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;
(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;
(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;
Because this isn’t about content, it’s about OFAC designations. That’s the office in the US Treasury department that says who Americans can’t do business with. They’re the ones that enforce sanctions and Iran is on their list.
Penalties for noncompliance are stiff and there are no safe harbour provisions.
(IANAL but I have implemented systems to check OFAC lists at other companies and seen it result in similar situations)
Even if what you say is technically true, Slack appear to have interpreted that as saying that they can't do business with anyone who as ever in the past opened up the Slack app in a designated country, whatever their nationality and/or reason for being there. At the very least, that is a shoddy algorithm.
They have information from which they conclude that; this information is fallible and conclusions are not certain, but that's true of virtually all “knowledge” about the material world.
One of the replies to the OP in tweeter says "anyone who is legally an Iranian citizen". That basically covers all naturalized American citizens who emigrated to US from Iran.
The U.S. government doesn't care what Iran recognizes. The correct quotation would be "anyone who is legally an Iranian citizen in the eyes of the U.S. government."
When an Iranian citizen becomes a naturalized U.S. citizen, their Iranian citizenship is no longer valid in the U.S.
There is a limited number of nations that have dual citizenship agreements with the United States, and Iran isn't one of them.
Maybe it's time for Congress to help companies differentiate between:
(a) the objectives of laws prohibiting large commercial flows to sanctioned countries and
(b) the objectives of laws encouraging many tiny information exchanges on the internet, taking place outside of sanctioned countries
Is it worth burning down Internet commerce in the hope of catching a few individuals? Did Congress intend to create a Do-Not-Speak list, or one such list for every Internet company? Should Internet UGC platforms now relocate outside the USA, when Congress is also encouraging companies to repatriate assets to the USA?
Is it worth burning down Internet commerce in the hope of catching a few individuals?
What's happening here isn't an attempt to catch a few individuals. The goal is to put pressure on the entire government of Iran. This is done by making doing business hard for large businesses, as well as individuals, so that pressure to change is put on the Iranian government from above (businesses) and below (the people).
This sort of thing is a temporary blip before everybody figures out decentralised solutions for everything.
Decentralisation is clearly the end game as long as politics causes problems like this. A decentralised solution will continue to "just work", while centralised solutions continue to boot people off. It's pretty obvious which one is going to win.
Except looking at the past 20 years or so it seems clear that the trend is going the other way around. Slack itself is an example of that, not long ago it would've been a set of self-hosted tools. People have ditched IRC in favor of Discord and friends, they've ditched decentralized forums, BBSs and mailing lists for social networks, everybody hosts everything using the same four or five cloud providers, streaming and direct download is much more popular than BitTorrent etc...
Maybe this trend will reverse eventually but I don't really see the signs yet. The Cryptocurrency crowd keeps shouting "decentralization" but they still fail to create applications that can compete with the centralized alternatives in terms of usability, performance and cost. There have been many attempts at making decentralized social networks but they failed to gain mainstream adoption. IPFS works pretty well but again, hardly anybody uses it.
I'm all for decentralization but there's no denying that there seems to be a path of least resistance towards centralized solutions. They're easier to develop, easier to maintain, easier to upgrade and often easier to use.
So for me decentralization is the objective, but unfortunately it's not "clearly the end game".
Exactly. I understand the desire for decentralization. There is certainly a lot of hype, and in the cryptocurrency world it verges on religious belief. But I haven't yet seen any examples of the trend reversing.
Even most of the very technically competent people I know are gradually moving toward central services. I'm part of a co-op of people with collocated servers. We started in 2000. We haven't had a new member in years, and we are gradually losing them. I'm at the point where I should replace my server, and I'm having a hard time coming up with reasons to justify the large capital expense and significant time cost versus moving it to somebody's cloud. And that's not even considering the benefits of moving to hosted services. Not worrying about spam, email deliverability, security patches, et cetera, ad nauseam.
I think part of the problem is that the "decentralize!" crowd is willing to put up with a lot of practical inconveniences as long as something conforms to their ideological desires. Their ideology may be perfectly correct, but until it has practical consequences, most consumers won't shift. So they're going to need to come up with competitive services that are better than the existing ones. Better not just to them, but to regular users.
This is a bit of a shameless plug, but I just made a Show HN post about Glowing Bear, which is a web front-end for the WeeChat IRC client: https://news.ycombinator.com/item?id=18725038. It's entirely implemented as client-side javascript, and you can easily self-host it without any requests being made to other servers. For me, it solves the problem of accessing IRC wherever I am without having to fumble with ssh on my phone or monospace text. And it doesn't have the limited functionality of these modern web IRC clients implemented in node because it's just a front-end for WeeChat, which is one of the most powerful IRC clients around.
Regarding your note on the path of least resistance leading to centralized solutions---Glowing Bear/WeeChat is definitely more work to set up than just signing up for Slack. You need a machine that runs WeeChat and get a TLS certificate so that the browser will let you connect securely. That definitely limits it to a somewhat nerdy demographic, even among the HN readers ;)
But I think for these solutions to gain more mainstream appeal, we’d need to make the setup much simpler, and work on ideally making it a single-click solution for an organization to set this up for their members. And maybe even provide hosted services (similar to IRCCloud) for the many users that would rather pay than run their own servers.
Yes, you're absolutely correct. Setup is indeed more complicated than it should be for Glowing Bear. I would love to have an automated solution for it, I just don't want to be the one to build it :)
20 years is a small timeframe in my opinion. Every new technology you exemplified is better in almost every way to the predecessor except for the fact that they hand the keys to the castle to a small group of people which the ordinary users don't care about until it starts hurting them, which has already started.
Now I suspect we'll start seeing clones of facebook / slack etc but with a decentralized backend while offering all the features users care about seamlessly. This might take a while but it'll eventually come.
It will take time before decentralised services become mainstream. It's slow right now and we are still learning, we need things to be easier. The backend is basically figured out at this point and we need to focus a bit more on UX.
Regarding torrents, many game clients will use torrents for their downloads, the user simply doesn't see and deal with the torrenting.
Don't confuse self-hosted with decentralised, not the same :)
>It will take time before decentralised services become mainstream.
Again, this is looking at things backwards IMO. You seem to imply that there's a slow momentum from a centralized web to a decentralized one when in fact there's been a rather fast momentum in exactly the opposite direction over the past decades.
To me what you're saying sounds like "horses are about to become a very common way of moving goods". Maybe you're right but merely looking at the trend it's clearly not going that way at all.
>The backend is basically figured out at this point and we need to focus a bit more on UX.
You'll have to tell me more specifically what you have in mind there because that sounds very optimistic to me. We've had decentralized "backends" for as long as we've had the internet. The web is mostly decentralized by design. Even DNS is distributed across plenty of authorities for the various TLDs (even if each of them is effectively centralized and not anybody can become an authority).
Email is decentralized. BitTorrent is decentralized. IRC is decentralized. We're collectively moving away from these technologies, not towards them. I'm personally still a heavy user of all three of these things but it definitely feels niche now (email obviously isn't but self-hosted email is).
>Regarding torrents, many game clients will use torrents for their downloads, the user simply doesn't see and deal with the torrenting.
Which is pretty much irrelevant in this conversation then. It's about the technology people use to share content with each other, not about how Blizzard chooses to update your WoW client. It's a locked-down, vendor-approved way of distributing software from a centralized authority.
>Don't confuse self-hosted with decentralised, not the same :)
It's not the same but it's related. In general if something is truly decentralized then it becomes self-hostable otherwise it's more distributed than decentralized. Anybody can host their Bitcoin node, their Bittorent peer or their email server. I can't host a Facebook node.
Until taking part in a decentralized system is a crime by itself due to potentially illegal content and your possession and distribution of that content.
The distributed system does not stop to work then, but the user might risk punishment for using it, which might be even worse than not being able to use it.
I've been thinking about running a Mastodon server so I'm in control of my social media, but I'm worried about letting anyone use it because of the GDPR.
When decentralized systems are illegal, only criminals will use them. Anonymously. And very likely, using your devices as botnet slaves. But pretty much, you get what you select for.
It will also drop the userbase below a useful threshold. Sure, there will be the technical possibility of still managing to use it illegally and undetected--but there will be no herd immunity, there will be no effects of scale that make the system particularly useful or affordable compared to proprietary, centralized, and more performant alternatives. People can and do still use bittorrent illegally, but it doesn't have even close to enough market share to make centralized streaming services nonexistent or non-competitive. Basically the same idea.
The fact that you can't decentralize legislation and physical governance is not insignificant. You can't block the influence of preexisting powerful actors. Those factors do have the power to destroy the decentralization movement, and most likely will.
Some of us don't particularly want the "herd". The Internet was a better place before Eternal September. And it arguably would have become a far better place, without commercialization.
Maybe those "powerful actors" could prevent decentralization from becoming mainstream, but they can't kill it. Consider marijuana, for example. Use has been demonized for decades by the US and its allies. But that didn't stop an appreciable fraction of the US population from using (or at least, trying). And now it's becoming legal in more and more states.
For Internet decentralization, the driving factors will almost certainly be porn, gambling and prostitution. To the extent that they're driven off the clearnet, demand for them will fuel growth of alternatives. Freedom of expression is essential, of course, but it will be just a side benefit.
The more decentralization is suppressed by "powerful actors", the more it will be dominated by other "powerful actors". That is, by organized crime.
It will never happen, at least not on a scale that will affect significant web traffic.
There is another model, not decentralised but a practical middle-ground: the WordPress model.
Consider the following: Wordpress is an example of a profitable open source app that can easily be installed on countless shared hosting platforms or on a VPS. It's easy to switch hosting providers when you want to (and to take your data with you). It's popularity means that one-click installs are widespread.
Unfortunately, there is no common standard for software installation on the server side, and this lack of an easy installation process for everyone else severely limits self-hosting websites and apps.
Many developers think deploying a server-side web app is a non-issue, or they erroneously think that installing Cloudron/providing Docker instances/typing command line instructions are all "easy". Have you seen the server deployment instructions for "web friendly" languages like Ruby and Python? It's ludicrously complicated. And still developers seen nothing wrong in such install procedures. It's so frustrating.
I wish there was some momentum or traction in making server-side web app installation as universally simple as a one-click Wordpress install. It would also unlock countless opportunities for developers to reach more users or customers. But maybe some developers secretly prefer the complexity? It certainly makes selling a SaaS solution much more attractive over the stupidly complicated self-hosting option.
Decentralisation has costs, and note that booting off ""disruptive"" users (however defined - spam, abuse) is an absolute necessity of running a communications service. These costs are part of why USENET died.
> Decentralisation is clearly the end game as long as politics causes problems like this.
Only techies care about decentralization. Most people would rather follow a Twitter feed rather than an RSS feed. Most would prefer a mega forum like Reddit rather than multiple, standalone forums with separate accounts. There are also network effects that give centralized platforms more of a competitive advantage.
I keep hearing people talk about the need for decentralized social media, but nobody knows how to make it an attractive, viable option for the masses...especially when such a solution wouldn't be as profitable (or as frictionless) as Facebook, Twitter, etc.
Controversial opinion incoming: decentralization isn't going to be a silver bullet that fundamentally solves anything. These services are still going to depend on large amounts of expensive hardware and infrastructure that must exist in the real world, much like cryptocurrency. That hardware is still vulnerable to control and influence from strong corporate or state actors, so the decentralized stuff running on them is always going to be under influence as well. Even with strong crypto, methods to manipulate it either directly or through side channels will be developed. It's absolutely inevitable. Somebody controls the power plants generating and pricing all that electricity, somebody owns the internet backbone hardware, somebody can afford a much higher hashrate, somebody controls tech legistlation, and somebody is on the bleeding edge of cyber-warfare with a DOD budget. Sure, some of the hardware will be in private ownership, but not the majority. If it ever becomes widespread enough to be of great significance, traditional power structures will absolutely contrive a way to seize it.
What this all really does in the end is create a technical caste system and obfuscation of ownership. People fortunate enough to have access and be up to speed on the latest technology (or hire people who are) will reap the rewards of decentralized systems which still belong to authoritarian actors, yet it will be extremely difficult to prove that ownership--especially to laymen. It will always have a nice hazy deniability, and it will be almost impossible to hold anyone accountable for their actions, or prevent or even identify exploitation.
This is absolutely the future of the web. Perpetual and stealthy non-neutral manipulation by the technically advanced and financially powerful is here to stay. I think that as engineers our tunnel vision and intellectual hubris have given us a false sense of security as we developed this hideous system, because we thought it was some kind of purely digital realm where we have real control and real comprehension of what we are doing. But nothing is purely digital. Everything is built on top of the real, analogue world where strong actors have already divvied up and taken ownership of everything.
I wish you were right.
But so far the winner takes all effect and commercial benefits pushed most things to big companies. Even the archetype of decentralization, email, is being pushed to big players by spam control.
I'm an Iranian-American and Coinbase did something very similar to me in 2017. Here is the notice they sent me: https://i.imgur.com/xnJe0kd.png
We were very convinced it was name/ethnically based as I hadn't been to Iran for a few years before. The general counsel at my last job sent a strongly worded email suggesting they may have been using names to do this (thanks AA!). The email quickly resulted in my account being reinstated without any commentary on their methodology.
This is what centralized silos are like, have always been like, and will always be like.
Unfortunately centralized silos also allow unprecedented convenience and ease of use. Nobody's figured out yet how to duplicate that in a decentralized or federated system.
I mean, Slack recently announced that they would give employees complete access to employee's private conversions.
When a company starts thinking this way, you know there's no turning back, and more such (censorship/surveillance-friendly) actions will be taken in the future.
It's not about visiting a country, it's about where your Slack account was created. If you created your Slack account from an embargoed country, regardless of your citizenship or ethnicity, they will probably disable it.
>- Is this just how the US ticks right now?
>- Is Slack just completely gone mad?
>- Is this what companies believes is acceptable nowadays?
>- Is this the future of the web?
Iran has sanctions against it right now. Slack, and other companies that have done this sort of thing with Iran, Cuba, etc the past few years, are trying to stay on the right side of the law. To avoid imprisonment, fines, etc. If you think what they did is wrong, start a company and risk serving prison time to stand up for your what you believe in by creating a similar product and offering it to customers that have direct geographical ties to sanctioned and embargoed countries. I'm serious, imprisonment is a very real risk with dealing with sanctioned and embargoed countries.
Doing business with Iran, or a citizen of Iran, can open the door for all sorts of government investigation from fines, to being shut down for an investigation, to having data from other users compromised, to criminal prosecution of employees/officers of the company.
It's a lot easier to just immediately sever ties with anyone that has had dealings with an IP geographically connected to Iran than to go one by one "hey, you an enemy of the state? You sure you aren't? Promise? Cross your heart and hope to die? Ok, we believe you, we'll just hope you're telling the truth!"
Then there's the fact that Slack uses encryption at rest and in transit, there may be a LEGAL REQUIREMENT not to allow users with ties to Iran to use the product under CFR title 15 chapter VII, subchapter C. Or they may at least suspect they are at risk of running afoul of the cryptography export laws as they stand and simply decided, they don't want to risk it to protect the company and other users.
I highly doubt this is some Islamaphobic/Iranaphobic move on Slack's part, this is simply a cover-our-ass move so we can stay in business and not risk prison time.
Heh. Seems everyone has decided to shoot the messenger.
You may disagree with the policy, but ryaymercer isn't wrong. Living in startup land where everything is light, you move fast, and things get broken, it's very easy to overlook that there is this 500 lb gorilla in the corner just waiting to smash you into pulp for doing the wrong thing.
My guess is that something internally at Slack has triggered this. It seems likely that they're in the midst of contracting with a Federal agency, or something of the sort. When you do business with the Federal government, all manner of hell is unleashed on you in the form of paperwork and due diligence. "Negotiation" boils down to litigation, and litigation is god damned expensive.
I am not saying what's happening is right. I'm simply pointing out that this is the culmination of decades of policy and momentum within our government. Wagging our collective fingers at Slack isn't going to change a thing. What can Slack do? Let's say they pass on whatever opportunity is driving this ridiculous witch hunt. So then what? Some Federal agency doesn't get to use their messaging platform? Who cares? Nothing changes.
It all starts with asking the right questions, and ryanmercer's post likely contains the answers to a number of questions that few people are asking: what's motivating this change, who is responsible for the policy, and how can our community affect change to prevent it in the future?
You've been breaking the guidelines a whole lot by posting unsubstantive flamey comments. Please stop—we ban accounts that keep on, especially if that's all they've been doing.
I disagree with the way Slack handled this, but by now it’s clear (even the original poster seems to have realised) that Slack banned everyone who accessed the service from an Iranian IP, irrespective of who they were or where they were from.
It’s pretty clear that’s it not motivated by race or any kind of profiling.
Slack has no incentive to boot more people off their platform than necessary, so this overly broad ban could be a result of either misunderstanding the US governments mandate, or that might be just what they were asked to do.
Who asked them to do this ? I have serious doubts that this action was directly recommended in any official government communication otherwise we would have had someone leak it and debate about it. My hunch is this isn't directed by a national security letter or anything like that with mandated secrecy otherwise we would see similar actions from other tech service providers. As far as I know Facebook isn't deleting the accounts of everyone who has connected from Iran or Syria. My suspicion is that this is the result of a shoddy communication between the legal department and some coders and I suspect that Slack will be stuck in a hard place explaining it and justifying it. As far as I know there was no official explanation or blog post, the suade velvet secret slack police just started causing people to disappear in the night. It will also be hard for them to walk back this action because they have set at least an internal precedent and opened themselves and other companies up to attack by opportunistic regulators if they now say they were wrong.
This is hard to explain to anyone who hasn't done business with the Federal government, but your visions of national security letters are very much on one end of a broad spectrum. At the other end of the spectrum is the mundane.
The mundane includes things like contracting with the Federal government or even certain government contractors. Our company just contracted with PAE, and PAE contractors must agree to much of the same Federal Acquisition Regulations as someone doing business directly with the Federal government. One of the vendor forms was 37 pages long, and it contains sections explicitly requiring certifications that your company will comply with sanctions. The form binds the signer to personal culpability for failure.
So if you're a company contracting in this process you're tasked with preventing delivery of your product to Iran, and the Federal government gets to set the bar, not you. If you fail to meet the bar, you end up in Michael Flynn's shoes, only far less public. How long of a bet is it to expect a Federal bureaucrat will interpret compliance the same way you do? Are you willing to risk inquiry if your opinions differ?
I don't like what's happening here. I don't like it at all, but I know just enough about dealing with the Federal government that I can smell the odor from here.
It's not inconceivable that Slack's general counsel saw the headlines about Trump campaign officials being investigated for circumventing Iranian sanctions, evaluated their position, and recommended this action just to be safe.
Except it isn’t because of ethnicity. There are thousands of people from Iranian descent that use Slack in the US each day and they aren’t getting banned. Nor has anyone else been banned “because of their ethnicity.” That is absolutely ludicrous. The guy who was banned is being banned for something beyond his ethnicity.
That's not what happened at all, that's why it's hard to take him seriously. He makes it look like Slack went out of their way to look at all of their users and check of what race they are to ban those who are Iranians, when they just made a geoip check.
If they're just doing GeoIP checking, wouldn't it have made more sense for them to just block access from those countries, which would be an inconvenience to their users, instead of retroactively removing their accounts?
> That's not what happened at all ... when they just made a geoip check ...
It sounds as though you have access to data that the rest of people on HN do not. Would you care to share your source? Are you certain he would not have been banned by Slack if he were not an Iran citizen (just Canadian) but would have (possibly) used Slack when travelling to Iran?
Assuming that for some reason I should take your word over his, banning for "having logged on in Iran at some point" is, effectively, banning for ethnicity.
It only is if you think someone who has ever set foot on Iran is an ethnic Irani. You just have to look at this HN thread to see that is false, as this problem also applies to other embargoed countries.
> It only is if you think someone who has ever set foot on Iran is an ethnic Irani.
We're both adults here and I assume we both can realize that splitting these hairs doesn't make my statement that banning everyone that's ever logged on Iran from slack is, in effect, a ban on Iranian ethnic users?
No it’s not. There are millions of Persians in the US that haven’t been to since the 1970s. Those are of the same ethnicity as someone living in Tehran. There are millions of Persians living in Europe as well — also ethnic “Iranian” who would be unaffected by a geo-ban.
So no, a ban based on signing in from a specific locale has zero to do with ethnicity or race.
On one hand, yes, but it's fair because it's an embargoed country. I mean, it's not fair in my opinion, but Slack is forced to abide by the laws of the United States. This approach they've chosen of banning everybody who's ever connected from Iran is stupid and ham-fisted and they are being rightly ridiculed for it.
On the other, the author of the thread is accusing Slack of profiling him racially. What he's implying is that a human proceeded to stalk him around the Internet, on social networks, etc to check if he is an actual Iranian and ban him based on that. And that is a very, very grave accusation.
Just because he said that he has no connection to Iran does not make that true. If you carefully read the tweets, Amir says that he travelled to Iran. It might be that Slack did something ridiculous, but that can't be seen from the data.
- Is this all made up to prove some point?
- Is this just how the US ticks right now?
- Is Slack just completely gone mad?
- Is this what companies believes is acceptable nowadays?
- Is this the future of the web?
The fact that I am not sure what to believe and that I wouldn't be surprised if this is all true or equally all made up is what really scares me. Ten years ago I would have had a lot more confidence and faith in the world that this must be either a big mistake or something fishy, but today I feel like anything goes and in a week's time nobody will care again :(