[dcow]

I understand that GitHub is just taking immediate actions in a way they perceive as being compliant with the law. The question is more existential: since source source code is speech, can the government even sanction it? And should GH fight this if they want to remain a reliable platform for publishing code? What even is GH required to do in response to this sanction, or are they just being overly cautious since we’re in uncharted waters?

[323]

ISIS recruiting manuals and videos are also free speech. According to your view YouTube/Microsoft should not remove them.

Beside the fact that GH is a private company that maybe doesn't want to be associated with some stuff.

[dcow]

That is not my view.

I am not talking about what GH is at liberty to do; clearly they can do whatever they want. I’m asking about what they’re legally bound to do as a result of these sanctions. I find the precedent here more fascinating and troublesome (as an open source author myself) than the instance of the code in question.

[deeg]

As we've seen with Alex Jones even free speech is not absolute (for the record I agree with the rulings against Jones). If the code is designed to facilitate illegal activity I can see how that could be shut down by the government.

[dcow]

Alex Jones got sued. It’s very different. The government did not pass a law saying he can’t share conspiracy theories directly or that certain theories are off-limits. He just conducted himself in such a way as to cause enough other problems and thus give people grounds to sue him (and win).

[misnome]

Specifically as I understand it ,he got sued then deliberately didn’t try to fight it, and defaulted.

[gerikson]

The linked Treasury doc references Executive Order 13694, which has its own wikipedia page https://en.wikipedia.org/wiki/Executive_Order_13694.

[lysergia]

Code is a form of speech. It’s the way the code was used that frightened the authorities. Just the way certain forms of cryptographic code were reframed as a ‘munition’ in the first crypto war.

[bb88]

Code is just documents or written speech, and should be regulated as such. So code vs written documents shouldn't be legally different.

So I guess a good question is: should it be illegal to tell people how to launder money? I would say no because I think laws should regulate behavior not speech.

I think for example that people should be able to make arguments why punching a Nazi should not be illegal, say, and maybe the best way to do it. But punching is clearly illegal, and threatening a Nazi directly should also be illegal.

However with abortion, some states that have made abortion illegal are trying to make it illegal to talk about where to get abortions, or how an abortion is performed. So if that is deemed legal by SCOTUS, then expect all kinds of laws to restrict speech in that manner.

[salawat]

Encryption beyond a particular strength has long been an ITAR restricted export.

Now everybody gets to learn that the United States regulatory policy machine will lean very hard on anything that'll threaten it's ability to flex soft power against its opponents.

>What even is GH required to do in response to this sanction, or are they just being overly cautious since we’re in uncharted waters?

Letter of the law is don't do financial transactions with those addresses.

The quiet part is: this technology is now associated with being a channel for money laundering, and will open up any parties hosting or making it available a potential subject of accessory to wire fraud/money laundering charges. As a publically funded company, I assure you, the legal, risk, and compliance departments are now erecting 100 foot poles between the company and this project.

You see, big business and government have a bit of an incestuous relationship. The bigger the market actor, the easier it is for the government to apply sufficient pressure where the easy way out is for said large actor to just "stop associating with that thing".

This is why OFAC is aptly named. You end up on it, and you basically fall out of the economy. The last sound you hear is the subject in question going O, FAC-<signal lost>.

Oh, actually, no, slight exaggeration, the truth is far more chilling.

You see, financial institutions will still process deposits. They just stop allowing withdrawals, turning the business relationship into a one-way trap for funds.

In theory, it may be possible to get off the OFAC list if you end up on it, however, financial institutions are instructed not to inform customers that they are sanctioned if asked. You're only told that a technical error precludes them from completing the transaction. If you mistakenly show up on OFAC, (like by sharing a name with someone who is on it), there are ways to get off of it by providing proof you are not the individual in question. In fact, most times, if you reach out, the service personnel you get are trained to get as much personal info as possible to try to determine whether or not you are actually the individual targeted by OFAC.

Companies will generally dig into it, and resolve it while playing coy. In this case though, it looks like businesses are taking the message to heart and just noping out of supporting it.

[DennisP]

> Encryption beyond a particular strength has long been an ITAR restricted export.

I'm not sure what you mean by "restricted," but publishing open source encryption software on the internet only requires that the BIS be notified. No review or approval is required.

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

[salawat]

Technically, you're supposed to have to ask, and BIS can say no. That's restricted. There is the possibility of extra friction. I've never administered or experienced the compliance process myself, mind. I just know it's a thing.

[dcow]

Can you link the section where it says you’re supposed to ask? In my experience you don’t get assigned anything, you tell them what you are classified as and of course they can disagree but there’s no “tell me my export classification” part unless you fall under a restriction and can’t claim any exemption. Only then do you submit anything. And from my reading of those hellish documents, encryption software for which the source code is publicly available is exempt.

[DennisP]

I linked as source saying that's not the case. Maybe you can provide a source for your claim?

[bananapub]

> since source source code is speech, can the government even sanction it?

er...the US government infringes on free speech all the time

[DennisP]

And courts often put a stop to it. Regarding source code, federal courts told the government it couldn't restrict the publishing of strong cryptography, which it considered a munition.

[bananapub]

> Regarding source code, federal courts told the government it couldn't restrict the publishing of strong cryptography, which it considered a munition.

?

you mean after Phil Zimmerman spent years in court, and then published a physical book of the source code?

and the US government then sucessfully restricted export of actual software with above 56-bit keys for years[1]? to the extent that Debian and OpenBSD did all their opensource crypto work outside the US to avoid trouble?

and they still explicitly ban export to "rogue states" and "terrorist organisations" in 2022[2]?

things have improved since the 90s but it's still not unencumbered by the US government and the changes mostly happened to make US tech companies more competitive, not due to a desire to free anyone's speech.

[1]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th... [2]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

[DennisP]

Bernstein vs US ruled that source code is protected speech, and struck down the export prohibition on strong cryptography.

https://en.wikipedia.org/wiki/Bernstein_v._United_States

From your link: "the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required."

[aYsY4dDQ2NrcNzA]

There definitely still exist some US restrictions.

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

[DennisP]

Yes, that's the same link as above. Some restrictions:

> Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license.

However:

> the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.

So you're free to publish open source cryptographic software on the internet, you just have to let them know you're doing it. Bernstein vs US is the reason for that.

[altairprime]

There is a question unasked in all replies here:

Is GitHub sanctioning just the accounts that they consider to be directly associated with the sanctioned organization, or, are they also sanctioning the upload of that open source code by unassociated third parties?

[altairprime]

See also: https://news.ycombinator.com/item?id=32395971

[birdyrooster]

Is speech which is used to commit crime protected in the same way?

[viro]

no