GitHub reveals how it handles US trade restrictions, after blocking UK developer

GitHub's top lawyer sets out its recent efforts to comply with US trade restrictions affecting open-source code.
Written by Liam Tung, Contributing Writer

GitHub recently started blocking private repositories for developers in countries facing US trade sanctions. The Microsoft-owned open-source code-sharing site has now offered developers an explanation, saying it's only complying where necessary.

As ZDNet reported in July, GitHub started restricting key services for developers from countries under US trade sanctions, which include users from Crimea, Cuba, Iran, North Korea, and Syria. 

GitHub's new effort to comply with long-existing US trade controls caught some developers by surprise, who couldn't access or create private repositories. 

SEE: How to build a successful developer career (free PDF)

CEO Nat Friedman said at the time GitHub is trying to "do no more than what is required" by US law. However, the company's sometimes ham-fisted methods of handling compliance have also affected businesses and developers from non-sanctioned countries, including the UK. 

One method GitHub has used to determine if a user is accessing the site from a sanctioned country is to scan IP addresses. 

Duncan Worrell, a GitHub user from the UK, this month had his financial services company's private repository blocked because GitHub determined that it was subject to US trade controls. 

GitHub didn't explain how it determined that the UK company should be restricted. However, Worrell suspected it was because "a sub-contractor of a sub-contractor currently resident in Ukraine, accessed our GitHub repo while visiting family in Crimea". 

The only communication he received from GitHub was that: "Due to US trade controls law restrictions, paid GitHub organization services have been restricted." 

Worrell didn't immediately realize that it meant the whole company's GitHub services had been restricted, which resulted in it losing access to its source code. Fortunately the company had local copies, but Worrell lost his code change history and it broke the organization's deployment code. 

GitHub lifted the restrictions a week later, but only after the company appealed the decision. The timing of the restriction also suggested to Worrell that GitHub is scanning IP addresses for historical access since his subcontractor hadn't worked on the company's code since May.   

"We did know two sub-contractors of our Latvian sub-contractor were not Latvian and that one may have been Ukrainian, but we had no knowledge that a) Crimea had been sanctioned or b) the developer had visited Crimea. Neither had made any source code changes since May this year, so any IP tracking would have been historical," Worrell told ZDNet in email. 

"We also asked both developers to lodge individual appeals to prove they were no longer in Crimea, but that requires their IDs (copy and selfie) be uploaded and at least one of them still has that registered to a Crimean address, despite now living in Kiev, Ukraine. I don't imagine people update their passport every time they move house. GitHub should really provide another option to proving residence."

Tyler Fuller, GitHub's general counsel, outlined yesterday the difficulties GitHub faces in complying with US trade sanctions. 

"Sanctions are complex and were originally designed to regulate trade in more traditional goods and services, especially financial products," wrote Fuller. 

"For companies that provide certain types of digital services, compliance presents novel legal questions and involves some uncertainty."

Fuller, who is also associate general counsel at Microsoft, said one approach is to entirely block access to those digital services from sanctioned countries. 

"For companies taking that blanket approach, developers in sanctioned countries have lost – or never had – access to many services provided by those companies. GitHub approaches this differently," he said.

"We're dedicated to both allowing as many developers around the world as possible to participate in the open-source community and to following the law."

Fuller also explained that when GitHub restricts private repositories for users in sanctioned countries, affected developers can still use public repositories. 

"If a user's private repository has been restricted, we give them the option to make that repository public so they can still access their contents for personal communication purposes," wrote Fuller. 

All trade sanction notices also contain a link to GitHub's appeals form, which among other things asks whether the user has been to a sanctioned country in the past two years and to send a copy of their passport or other national ID as well as a selfie.  

READ MOREGitHub starts blocking developers in countries facing US trade sanctions

Fuller also suggests GitHub will be appealing to the US government and points to Treasury Department rules announced last year that allow US companies to obtain licenses to continue providing software and services, such as free messaging apps, to Iranian citizens.

"That means GitHub will continue to advocate for rules and regulatory interpretations that keep source code, open-source collaboration, and GitHub available to as many people as possible," wrote Fuller. 

"We're working to engage with US regulators regarding the impact of sanctions on GitHub and the global developer community. Our goal is to preserve as much access as possible for developers around the world, including in sanctioned countries.

"We believe sanctions must be narrowly tailored and clear as to precisely what they cover so that software collaboration, research, and development aren't inadvertently affected by these laws."

More on Microsoft's GitHub

Editorial standards