Update, 7/29/19, 7 a.m. PT: GitHub sent us the following statement in response to our request for comment.
“GitHub is subject to U.S. trade control laws, and is committed to full compliance with applicable law. At the same time, GitHub’s vision is to be the global platform for developer collaboration, no matter where developers reside. As a result, we take seriously our responsibility to examine government mandates thoroughly to be certain that users and customers are not impacted beyond what is required by law. This includes keeping public repositories services, including those for open source projects, available and accessible to support personal communications involving developers in sanctioned regions.”
GitHub CEO Nat Friedman revealed more information about the company's actions on Twitter. Friedman said GitHub had to shut down private code repositories and paid accounts from users in Iran, Syria and Crimea to comply with U.S. export restrictions; public code repositories are still available. He added that restrictions are "based on place of residence and location, not on nationality or heritage," and that erroneously restricted users can "fill out a form to get the restrictions lifted on their account within hours." The company doesn't believe U.S. laws allow it to warn users about restrictions in advance.
"We're not doing this because we want to; we're doing it because we have to," Friedman said. "GitHub will continue to advocate vigorously with governments around the world for policies that protect software developers and the global open source community."
Original article, 7/27/19, 4:40 p.m. PT:
GitHub is mostly known for allowing developers to share code with each other using the popular Git version control system. The platform can also be used to host websites; however, with the help of services that use its code repositories as their back-ends. That's exactly how a Russian developer named Anatoliy Kashkin, who lives in the Crimea region of Ukraine, used GitHub. At least until his account was unexpectedly "restricted" this week.
Kashkin used GitHub to publish his personal blog. He also used it to host the GameHub launcher for Linux that brought Steam, GOG, and Humble Bundle games into a single place. Then he posted this update on July 24: "My GitHub account has been restricted due to US sanctions as I live in Crimea. I may not be able to continue maintaining GameHub in future." Underneath he shared a screenshot that was allegedly taken from a GitHub message.
Here's the screenshot:
ZDNet reported that other GitHub users in Crimea have had their accounts restricted, too, and Iran-based developer Hamed Saeedi said on Medium that his GitHub account was restricted as well. Saeedi published numerous screenshots depicting messages from GitHub, snippets of its GitHub and Trade Controls support page, and repositories that have been disabled. (Plus an image macro depicting the Mad King from "Game of Thrones.")
It's not like GitHub hasn't been transparent about how it will treat users based in nations sanctioned by the U.S. It clearly said on that GitHub and Trade Controls support page that, "to comply with U.S. trade control laws, GitHub recently made some required changes to the way we conduct our services." That doesn't necessarily align with its goal of connecting developers around the world, but U.S. laws carry more weight than corporate ideals.
This puts GitHub--and other companies that believe they have to ban users to comply with U.S. restrictions--in an unenviable position. The company might have to endure serious consequences if it knowingly violates U.S. policies. Complying with those policies without much warning risks alienating the platform's users, however, especially if there isn't a good way to appeal the decision. (Kashkin told ZDNet there's no point in appealing the restriction.)
Microsoft agreed to acquire GitHub for $7.5 billion in June 2018. We've reached out to both companies for comment on these account restrictions and how it's approaching compliance with U.S. export laws; we'll update this post if either company responds.
With all sanctions, one risk is that it just displaces the demand towards alternative services that are hosted in either neutral or hostile countries. As this fallback capacity is increased, it then blunts the impact of future sanctions. The same thing applies to financial sanctions, where I'd guess someone like China or Russia probably has alternate financial network for everyone frozen out of the SWIFT network. In fact, Wikipedia cites a reference to an existing Russian alternative:
Anyway, I feel for these unfortunate guys, who are suffering from the fallout of their countries' policies. All the more so, if they don't even support said policies. I think we can all empathize with that part.