Here’s Why GitHub is Blocking Developers from Iran and Syria

Recently, developers in Iran, Syria, and Crimea noticed their access to GitHub was cut off. The move was unannounced, but the Microsoft-owned firm now admits why it implemented a ban on those developers.

Simply put, those countries are on a United States export ban list. As a U.S.-based company, GitHub has no option but to comply with the law. On Twitter, GitHub CEO Nat Friedman wrote, “GitHub is subject to U.S. trade law, just like any company that does business in the U.S.,” adding: “We have gone to great lengths to do no more than what is required by the law.”

Syria, Iran, and Crimea join Cuba and North Korea on the list of countries GitHub cannot fully operate in. Via its website, the company suggests it would rather not participate in the bans:

To comply with U.S. trade control laws, GitHub recently made some required changes to the way we conduct our services. As U.S. trade controls laws evolve, we will continue to work with U.S. regulators about the extent to which we can offer free code collaboration services to developers in sanctioned markets. We believe that offering those free services supports U.S. foreign policy of encouraging the free flow of information and free speech in those markets.

GitHub also says not all services will be affected for people in those countries. Public repository services will remain accessible, though GitHub says access is specific to “support personal communications involving developers in sanctioned regions.” Developers in sanctioned countries can still communicate about projects, but it’s unclear if they can actually contribute.

GitHub is simply complying with the law here, but it does help the platform avoid becoming ground zero for digital warfare in the midst of international kerfuffles it has no influence over. Besides, GitHub frequently has issues of its own to quash. Man-in-the-middle attacks are already found in repos; malicious code has been discovered in at least one compromised library to steal bitcoin from unsuspecting users (operating in the background, the code was able to peer into a user’s Copay cryptocurrency wallet and siphon funds into an outside wallet without users being aware).

Users in sanctioned countries can’t sidestep the ban, either. The company writes: “Persons in or ordinarily resident in these countries and territories are prohibited from using IP proxies, VPNs, or other methods to disguise their location when accessing services.” A Russian developer living in Crimea was blocked, and an Iranian developer took to Medium to note their access was shut off without warning, leaving them without a local copy of what they were working on.

Banned users can appeal, but it won’t do much good for those who are citizens in a banned country, because a government-issued ID is required as part of that process.