by capableweb 1380 days ago
Wow, and here I thought Okta had split up their service into US and non-US, like many other big companies, but it seems they have not, so now just because the US has some arbitrary list of who can be a user, everyone using Okta needs to follow that... Seems like the laws are a bit outdated and haven't really been updated for a global internet; hope we see some changes in that direction.
3 comments

There’s nothing “outdated” here. The OFAC Controls being applicable to business done over the internet is not an unintended effect.
I think the reason he calls it outdated is the definition of "business" becomes murky when it comes to online services and SaaS companies. Does servicing an HTTP request that appears to come from a sanctioned country (based on unreliable GeoIP data) actually count as "business" for sanctions purposes?
The specific prohibitions vary by sanctions program, but there are some that prohibit companies from providing “services” and the answer as to whether that includes SaaS is right there in the name.

Companies are required to do due diligence to determine that they aren’t engaged in activities that are sanctioned. GeoIP is less than 100% accurate… but so is comparing first and last names. Unreliable data is not something inherently unique to the internet.

Multi-nationals have to exist in the Venn diagram of laws.

Which is problematic in a bunch of scenarios:

  - US foreign policy (note: I don't really want to stick up for a bunch of the countries/regions on that list).

  - China (and other countries) with a censored internet.

  - GDPR reaching far further than the EU borders.

  - Badly written cryptography laws[0]

I don't really see a solution to this problem though. It's more of a problem when there is no transparency or ability to provide feedback and move democratic mechanisms toward "correct" solutions.

In the case of Okta/Auth0, however they've segmented their business (I use their EU region) they're still at the end of the day a US company with US board and directors. They can make a "service region" that respects EU laws because they don't contradict US laws (mostly), but there is nothing in EU laws mandating offering services to these regions. ¯\_(ツ)_/¯

[0]: https://www.eff.org/deeplinks/2018/09/australian-government-...

It does not matter. If there is a business presence in the US of a company (direct or indirect), this business will be used to punish unwanted operations outside the US.

If you have a US-Okta and a non-US Okta and both ultimately are "Okta", then if the non-US Okta does not follow US regulations, the US-Okta will take the whip.