The commenters saying be reasonable, they were sanctioned, GitHub had to do this, should look into the last time code was made illegal or similar turmoil and what the developer community did in response… It was not accepting sanctions or govt failures to understand code as “well that’s that.”
- Phil Zimmermann (PGP) was under criminal investigation for arms exports by releasing the code for consumer encryption. The case escalated and was eventually dropped, including POTUS attention.
- Aaron Swartz passed away via suicide in 2013 under threat of 35 years in prison and a lot else for downloading from JSTOR programmatically
- Clifford Stoll spent several years being ignored by every govt agency under the Sun, except for CIA, for finding, attributing and then exposing a widespread KGB hack of govt systems in the 80s
- L0pht testified in front of Congress to expose significant internet security risks that were otherwise ignored.
I’m not saying Tornado Cash and related devs were doing a purely moral action. But the automatic siding with the heavy hand of govt sanctions on code the govt doesn’t really understand is pretty shameful for a nuanced technical audience.
I think it's important to make a distinction between GitHub attempting to ensure they are in legal compliance with a sanction and approving of the sanction happening at all.
You can disagree with the sanction while still being understanding of GitHub trying to cut ties with the sanctioned entity. Or be critical of them being heavy handed in their compliance but agree with the sanction in general.
You’d be on the “be reasonable” side of this I suppose.
Plenty of organizations in the past have chosen what side of this conceptual line to stand on.
One can end up looking like the EFF with a long term, very strong reputation of standing up for clear boundaries of what’s right in the legal<>code context and go to court over it, or you can end up looking like GitHub.
Has it ever been the case that the majority of the developer community stand behind this kind of resistance to government power?
It seems like it's always been a tiny minority of idealists who put their own lives on the line to do what they believe is right in the face of the beast bearing down on them.
The majority has always been (and probably will always be) weak minded corporate yes men.
What is distasteful is the so called "hacker" community being filled with corporate yes men.
> - Phil Zimmermann (PGP) was under criminal investigation for arms exports by releasing the code for consumer encryption. The case escalated and was eventually dropped, including POTUS attention.
A legitimate example of free speech. Zimmermann published his code in the appendix of a scholarly book, in addition to posting online in source & binary form.
> - Aaron Swartz passed away via suicide in 2013 under threat of 35 years in prison and a lot else for downloading from JSTOR programmatically
A terrible example, and not comparable to your first example. Swartz gained physical access to a network room he was not supposed to be, inside a building he was not supposed to be, connected a laptop to a LAN he was not granted access.... When you say programmatically, you must mean the parts where he proceeded to download JSTOR using his laptop? He was criminally trespassing, accessing a network he knew he wasn't allowed to access. The tragic outcome was due to... hate to say it, he had well known mental issues that amplified the stress he felt when being indicted for a crime he knew he was guilty of.
So I get what you're saying, but you might want to limit your examples to abjectly reasonable ones that withstand scrutiny. Otherwise it might look like a bandwagon, generalization, or even false dichotomy.
Actual prison time wasn't on the table until the federal prosecutors took over and tried to make an example of him [1]. Until then, everyone expected a slap on the wrist.
I remember those events clearly and even JSTOR, the "victim" in the case, backpedaled on the prosecution before he committed suicide. He was driven to suicide by an overzealous federal prosecutor trying to make a career for themselves.
I don't find "facilitating mass money laundering" to be as compelling as the other cases, frankly.
This doesn't mean that any/all measures taken against them are automatically justified, but it's large-scale crime, and it's not in the realm of "information wants to be free", it's actual money laundering, for actual criminal cartels and actual rogue states.
It's not comparable to money laundering. When you launder money by registering sales that did not happen you'll get taxed and you can then spend that money wherever you'd like. If you try to use funds coming from Tornado Cash most people won't accept them because they'll assume they were stolen or they come from some type of illicit activity.
Its use is offering a level of privacy that is at least as good as the one a credit card offers. On the Ethereum blockchain anybody you transact with can see your transaction history.
Here's an analogy: Is it hypocritical to say "we shouldn't punish people who sell marijuana," but also say "we should punish people who sell heroin?"
Maybe you disagree with the person's preference for what should be punished, but saying "we should punish this behavior but not that behavior" doesn't make a person a hypocrite.
People on Twitter are either wilfully dumb or simply ignorant.
GitHub had to do this. It was required of them by law. Tornado was sanctioned.
> These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.
This is, unambiguously, directed toward entities such as GitHub providing them service.
I'm not a fan of GH these days but they did the only thing they could do in this situation. You can be upset about it, but you can't be upset at GitHub about it.
Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked? (It’s not clear from the thread whether the people blocked contributed after, or only before, the sanction.)
For what it’s worth, I don’t see much evidence of people being upset at GitHub in the thread. There’s talk about decentralized alternatives, but not much actual pinning the blame on them.
This is the crux of the issue in my opinion. It seems ridiculous that the sanctions should apply retroactively to anyone who has dealt with a sanctioned entity at any time in the past - if the people contributed before the sanctions, they were not contributing to a “blocked person”, as the project was not blocked at the time.
Imagine if, say, a foreign electronics company is sanctioned by the government - does this mean that anyone who has previously worked with them or bought their electronics has done so illegally? If so, that sounds like a significant impediment to commerce, since nobody can predict who will be sanctioned in the future.
I'm assuming that the problem for Github is that they can't reliably know which of the contributors are "currently part of" TornadoCash and which ones are unrelated people who just contributed code some time ago, and since they absolutely must block the former, in the case of uncertainty the only safe option was to block everyone who seems related.
This is chilling for me. I've contributed to plenty of projects during my 10 years of using GH. Little PR's here and there, sometimes just typos, sometimes just issues. If one of those projects runs into trouble with the law or with GH, will GH delete my account? This would be disastrous for me.
> Does Tornado being sanctioned mean that everyone who has contributed in the past also needs to be blocked?
I'd say that this is a significant risk that people doing DeFi need to have a long, hard think about. Without a clear organization, without clear leadership, one cannot draw a bright line around those who deserve sanctioning. In court, efforts made towards plausible deniability might pay off. But github is not the courts, its interest is its own liability.
They only had to block accounts that contributed after establishing the sanction. It's not clear that they limited themselves to those. It would in fact seem to be hard to contribute in the limited time range between establishing the sanction and removing the project.
There is also the collateral damage of removing unrelated projects that happened to be owned by these people.
Couldn't github preserve such projects while putting them in some ownerless state?
> only had to block accounts that contributed after establishing the sanction
The people who built Tornado Cash are already in trouble. The crime--facilitating money laundering--has already been committed. OFAC is an enforcement office. Its lists are more like wanted posters than rules.
GitHub is cutting ties with people likely to be charged with federal crimes. If some of them are going to continue contributing to the project, GitHub doesn't want to be the conduit through which it is done. This is all standard sanctions compliance.
> People on Twitter are either wilfully dumb or simply ignorant.
You'd think after 16 years I'd be used to it, but it still kinda blows my mind that the social network designed for context- and detail-free hot takes is the one people use for political discussion.
I have no sympathy for crypto whatever and I really don't care about who sanctioned whom and for what reason, but...
Sanctioned project's contributors must be deleted from the server - where is that written in the list of things Microsoft has to do since you went out of your way calling everyone on the reply train ignorant?
Because others are answering you in much more detail, I’ll give the more generalized answer –
This is quite simply not how a sanctions regime works. The US government does not make a list of all the sanctioned persons’ assets, then start going after those in court.
Instead, it goes the other way: any company with a US nexus watches those sanction lists carefully. When someone is listed they look at their internal records for hits and deny them service. So no one told Microsoft anything; they self-enforced a sanction that applies to everyone in the US. And I mean everyone: if an individual knowingly violates these sanctions they’re breaking federal law - it’s not just companies.
It's written in the definition of the sanction given by the Department of the Treasury [0], i.e. at the level of US federal law, which Microsoft must follow as a US company.
> Sanctions Implications
> These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.
"GitHub had to do this. It was required of them by law. Tornado was sanctioned."
This makes no sense. They could have just blocked the Tornado project. Suspending individual accounts and contributors seems punitive. I was banned on github https://github.com/ransom1538 (unrelated) - it is pretty devastating. No recourse. Just gone. If something involves your livelihood (uber, grubhub, paypal, github, etc.) you should be able to state your case.
>GitHub had to do this. It was required of them by law. Tornado was sanctioned.
Does anyone know if this sanction, "contribution or provision of funds, goods, or services by, to, or for...", applies also to individual human persons not associated with a corporate or institutional entity? Is there somewhere I can read about what sanctions are, what they mean, and who they apply to?
If it's just a Microsoft problem and not a human person problem then the solutions are many and obvious for any tool that's useful. git itself is already pretty distributed friendly.
Tornado is code, not an entity. AFAIK it isn't a corporation, group, or anything else - it is a smart contract address and a website.
The people who wrote the code were not sanctioned. The repo hosting the code was not sanctioned.
GitHub did not have to do this. This is Microsoft's legal department and the concept of "an abundance of caution".
Nothing about hosting open source code is at issue here. Tornado (the smart contract) was financially sanctioned; it is still fine to host source code.
> People on Twitter are either wilfully dumb or simply ignorant.
I think it's the culture of reacting to 240 characters or less. People already know what they want to feel and finding a quick and completely baseless confirmation bias on twitter is easy and rewards you greatly with dopamine.
Smart, mature people gather information before making a decision. Dumb people knee-jerk react based on low information. Twitter heavily encourages the latter by making the former very difficult to do.
GitHub is, by their own choice, a massive global library or bookseller of code. They effectively made the choice to take books off their shelves and cease accepting new ones from specific authors, because the US government made them afraid. This should not happen in a country governed by our First Amendment. And, having chosen to take on this responsibility, GitHub/Microsoft’s attorneys should have the courage to stand up for those principles and be rightly criticized if they fail to.
Note that hosting code and free developer accounts does not require GitHub to accept or pay money to the developers (who are not named explicitly in the sanctions order, by the way.)
ETA: Big tech companies have a lot of resources and freedom to devote those resources to defending their users (see Google and Twitter lawsuits.) But they’re self-interested and won’t do that if they think their user-base won’t hold them responsible for doing that. I think GitHub is responsible here and I wish the HN commentariat would recognize that their opinion matters. By excusing the company’s cowardice here, we are incentivizing more of it in the future.
I don't think so. The sanctions are against Tornado Cash the entity, as well as specific ETH addresses associated with it. No individuals are cited in the sanction that I am aware of.
To be clear, they did it proactively, not because they were ordered to. For example, many organizations and conferences make exceptions for students from Iran.
This is why I'm surprised more people aren't way more terrified about OFAC than they are. It's probably one of the nastiest diplomatic tools the U.S. has in its arsenal.
Honest question: was GitHub legally obligated to delete the accounts of anyone who had contributed to the repos?
I get that contributing to the repos would be a violation of the sanctions, but it's not clear to me when the project was sanctioned and whether all the contributors were aware that they were contributing to a sanctioned project. Would it have been enough for GitHub just to remove the projects?
I ask as someone who has a lot of developer friends from Cuba who run into problems with accounts on platforms being deleted all the time. IIRC there was an episode awhile ago when accounts were being deleted simply for logging in from Cuba.
It seems like the legal obligation would be to block logins from Cuba (and/or Cuban people), but deletion of accounts seems more like a CYA move than a strict obligation.
It’s a gray area. These sanctions went against Tornado Cash, the entity. Does that extend to core devs? Anyone who did a PR? That’s the question GH’s counsel has to interpret.
> deletion of accounts seems more like a CYA move than a strict obligation.
Microsoft is prohibited from giving any good or service to a blocked entity. It’s very possible their lawyers will say “the easiest way to meet this obligation is to delete accounts related to the blocked entity.”
I’m not sure that there’s been a ton of cases exactly like this that have made it to court. If someone asked you to pick between [maybe going to prison] or [definitely not going to prison], which button would you press?
Probably not, but it is in their best interest. By blocking all these accounts, if it is later discovered they missed something else related to this they can bring all those blocked accounts up as evidence they were trying to obey the law and this was an honest mistake. The courts understand mistakes happen, but you need to prove it was a mistake and not an attempt to evade the law by ignoring something. The more you do to ensure mistakes don't happen, the more likely the courts are to decide you weren't trying to evade the law, but just made a mistake.
> Honest question: was GitHub legally obligated to delete the accounts of anyone who had contributed to the repos?
Tornado Cash is on the SDN list [1].
From [2]:
> Business transactions of any sort with SDNs are expressly prohibited and U.S. persons must block any property in their possession or under their control in which an SDN has an interest.
IANAL but it doesn't sound like much of a leap to say using GitHub falls within "business transactions of any sort".
Clarification question: Did GitHub delete the accounts of anyone who contributed to the repos? My guess would be owners and maintainers? Officially, Tornado Cash, the entity, is what's on the list, so I would think at the very least anyone who is formally tied to the entity.
It's hard to say, but sanctions violations are often heavily penalized. I don't think I go as far as saying it's simply CYA, but it is playing it on the safe side. Banning a few developer accounts is way less costly than the potential hit from violating sanctions.
GitHub has the right to do whatever it wants, and it makes sense they would take this action to avoid getting into legal concerns.
But it is deeply concerning. Whether or not you like crypto, you should not be supporting this if you are a researcher, academic, technologist, cryptographer, or privacy advocate. The code for Tornado Cash is a series of cryptographic and mathematical functions that can be repurposed for a variety of applications unrelated to privatizing user wallets.
Having it open source and accessible is a net benefit for the entire world.
EDIT: A comparison would be that US decides to sanction the open Matrix protocol and any developer that has contributed to it, as it can facilitate end-to-end encrypted terrorist communication.
HN post title is misleading. GitHub suspended (and not deleted) the 3 accounts of the org owners of the tornadocash org on GitHub. Going through the commit history, I have not found a single contributor (i.e. other than the 3 owners) which got suspended or deleted.
This opens up so many terrible ways for abuse.
1. Make some random crypto project.
2. Motivate people to contribute to it, see DigitalOcean hacktoberfest.
3. Replace the code with Tornado.Cash source.
Everyone's account is banned by Microsoft. Also I wonder what happens if you didn't send a PR yourself, but someone crafted a git commit with your email and added it to such a repository.
GitHub didn't remove the account of everyone who ever contributed to the repository; if you go to the Web Archive many of the people listed under "contributors" still have accounts. Presumably, they just removed the people who were a member of the organisation.
Ok this makes a lot more sense. I can totally see how they would nuke every member of the org in an attempt to CYA. It sounded like they nuked every contributor which would have been insane.
This should be the top comment and the title should be changed. The title and other comments made me wonder if GitHub deleted the account of all contributors to that repo, which is more serious than deleting the account of members in an organization.
> Replace the code with Tornado.Cash source.
> Everyone's account is banned by Microsoft.
Code is speech, that's settled law. It's the entity and wallets that are sanctioned. If someone is a member of the Tornado Cash group on GitHub, it’s safe to say they’re in at least legal jeopardy. GitHub puts itself at risk by knowingly continuing to facilitate their work.
I would encourage everyone on both sides of this argument to watch this [1] video from Peter van Valkenburgh at ZCON. It lays out a very clear argument why this is really much more serious than just a sanction against a bad actor.
What motivation does someone have for swatting people?
Problem is that Microsoft is certainly overreaching here and this precedent will be abused by malicious actors. One day someone will come to work and find out that whole organization was banned on github just by forging to commits.
OP - more context in the title next time please. Some of us have no idea which "tornado" this refers to and/or were unaware of a crypto project called "Tornado".
I am by no means a fan of Tornado and what it represents in the crypto community - I think crypto has enough cretins already.
But this is definitely a bit of a stretch to go after the creator(s) in this way. Reminds me of the US Gov trying to ban/limit all encryption. Didn't seem okay then and this doesn't seem okay now.
I don't have particular vitriol against Tornado itself, they do offer a compliance tool and seem to have just been an eventual outcome in crypto.
I do however have an issue with the incredibly high rate of money laundering etc that flows through crypto. Particularly so with Tornado cash. It's the 'go-to' for easy money laundering.
And no that's not a 'general ignorance' it's just a by-product of having decentralized systems, it's not for me. That doesn't mean people are ignorant of it.
Edit: It really irks me this "oh you just don't get it" from some people. It's unproductive and from my own experience, incorrect. They give crypto supporters a bad name.
What is the name of this sanctioned entity that GitHub supposedly cut ties with?
You'll note that none of the developers who had their accounts suspended were themselves sanctioned.
Also: GitHub is a private company. It's their real estate, they can do what they want with it. If they wanted to keep it up, they could have.
They didn't want to.
[1] https://www.cnet.com/tech/tech-industry/swartz-didnt-face-pr...
The automatic opposing of govt sanctions is pretty shameful for a nuanced technical audience.
But they do understand it, quite well. It launders money, there is no legal use for a money laundering machine.
It looks like it was just the three creators. If they’re smart, this is a prelude to announcing a legal defence fund.
Having to explain yourself long form leads to people attacking you and often being correct.
[0]: https://home.treasury.gov/news/press-releases/jy0916
It's pretty cut and dry.
I don't know but there are some comments asking for a distributed alternative to GitHub. That was pretty funny.
> TORNADO CASH (a.k.a. TORNADO CASH CLASSIC; a.k.a. TORNADO CASH NOVA);
> Website tornado.cash;
Note that hosting code and free developer accounts does not require GitHub to accept or pay money to the developers (who are not named explicitly in the sanctions order, by the way.)
ETA: Big tech companies have a lot of resources and freedom to devote those resources to defending their users (see Google and Twitter lawsuits.) But they’re self-interested and won’t do that if they think their user-base won’t hold them responsible for doing that. I think GitHub is responsible here and I wish the HN commentariat would recognize that their opinion matters. By excusing the company’s cowardice here, we are incentivizing more of it in the future.
The nicest way I'd choose to describe the people of twitter.
You just gave the best 3-sentence argument for not using GitHub.
Given how capricious US government has become, it's unreasonable to host your code in Github.
Can't repeat that often enough. No matter how much I think I have internalized this, it is a continuing lesson.
This is why I'm surprised more people aren't way more terrified about OFAC than they are. It's probably one of the nastiest diplomatic tools the U.S. has in its arsenal.
https://en.wikipedia.org/wiki/Junger_v._Daley
https://en.wikipedia.org/wiki/Bernstein_v._United_States
I get that contributing to the repos would be a violation of the sanctions, but it's not clear to me when the project was sanctioned and whether all the contributors were aware that they were contributing to a sanctioned project. Would it have been enough for GitHub just to remove the projects?
I ask as someone who has a lot of developer friends from Cuba who run into problems with accounts on platforms being deleted all the time. IIRC there was an episode a while ago when accounts were being deleted simply for logging in from Cuba.
It seems like the legal obligation would be to block logins from Cuba (and/or Cuban people), but deletion of accounts seems more like a CYA move than a strict obligation.
> deletion of accounts seems more like a CYA move than a strict obligation.
Microsoft is prohibited from giving any good or service to a blocked entity. It’s very possible their lawyers will say “the easiest way to meet this obligation is to delete accounts related to the blocked entity.”
The legal system is CYA, after all.
Tornado Cash is on the SDN list [1].
From [2]:
> Business transactions of any sort with SDNs are expressly prohibited and U.S. persons must block any property in their possession or under their control in which an SDN has an interest.
IANAL but it doesn't sound like much of a leap to say using GitHub falls within "business transactions of any sort".
Clarification question: Did GitHub delete the accounts of anyone who contributed to the repos? My guess would be owners and maintainers? Officially, Tornado Cash, the entity, is what's on the list, so I would think at the very least anyone who is formally tied to the entity.
[1]: https://home.treasury.gov/policy-issues/financial-sanctions/...
[2]: https://www.visualofac.com/resources/sanctions-and-embargoes...
But it is deeply concerning. Whether or not you like crypto, you should not be supporting this if you are a researcher, academic, technologist, cryptographer, or privacy advocate. The code for Tornado Cash is a series of cryptographic and mathematical functions that can be repurposed for a variety of applications unrelated to privatizing user wallets.
Having it open source and accessible is a net benefit for the entire world.
EDIT: A comparison would be that US decides to sanction the open Matrix protocol and any developer that has contributed to it, as it can facilitate end-to-end encrypted terrorist communication.
If you want to run git for free, run it on your own computer.
This opens up so many terrible ways for abuse.
Everyone's account is banned by Microsoft. Also I wonder what happens if you didn't send a PR yourself, but someone crafted a git commit with your email and added it to such a repository. Can skip this step. Just make fake commits (https://github.com/asizikov/gang/graphs/contributors).
Code is speech, that's settled law. It's the entity and wallets that are sanctioned. If someone is a member of the Tornado Cash group on GitHub, it’s safe to say they’re in at least legal jeopardy. GitHub puts itself at risk by knowingly continuing to facilitate their work.
1. https://www.youtube.com/watch?v=XpTrCA3tEKM
Problem is that Microsoft is certainly overreaching here and this precedent will be abused by malicious actors. One day someone will come to work and find out that whole organization was banned on github just by forging to commits.
But this is definitely a bit of a stretch to go after the creator(s) in this way. Reminds me of the US Gov trying to ban/limit all encryption. Didn't seem okay then and this doesn't seem okay now.
I do however have an issue with the incredibly high rate of money laundering etc that flows through crypto. Particularly so with Tornado cash. It's the 'go-to' for easy money laundering.
And no that's not a 'general ignorance' it's just a byproduct of having decentralized systems, it's not for me. That doesn't mean people are ignorant of it.
Edit: It really irks me this "oh you just don't get it" from some people. It's unproductive and from my own experience, incorrect. They give crypto supporters a bad name.