Honest question: was GitHub legally obligated to delete the accounts of anyone who had contributed to the repos?
I get that contributing to the repos would be a violation of the sanctions, but it's not clear to me when the project was sanctioned and whether all the contributors were aware that they were contributing to a sanctioned project. Would it have been enough for GitHub just to remove the projects?
I ask as someone who has a lot of developer friends from Cuba who run into problems with accounts on platforms being deleted all the time. IIRC there was an episode awhile ago when accounts were being deleted simply for logging in from Cuba.
It seems like the legal obligation would be to block logins from Cuba (and/or Cuban people), but deletion of accounts seems more like a CYA move than a strict obligation.
It’s a gray area. These sanctions went against Tornado Cash, the entity. Does that extend to core devs? Anyone who did a PR? That’s the question GH’s counsel has to interpret.
> deletion of accounts seems more like a CYA move than a strict obligation.
Microsoft is prohibited from giving any good or service to a blocked entity. It’s very possible their lawyers will say “the easiest way to meet this obligation is to delete accounts related to the blocked entity.”
I’m not sure that there’s been a ton of cases exactly like this that have made it to court. If someone asked you to pick between [maybe going to prison] or [definitely not going to prison], which button would you press?
Probably not, but it is in their best interest. By blocking all these accounts, if it is later discovered they missed something else related to this they can bring all those blocked accounts up as evidence they were trying to obey the law and this was an honest mistake. The courts understand mistakes happen, but you need to prove it was a mistake and not an attempt to evade the law by ignoring something. The more you do to ensure mistakes don't happen, the more likely the courts are to decide you weren't trying to evade the law, but just made a mistake.
> Honest question: was GitHub legally obligated to delete the accounts of anyone who had contributed to the repos?
Tornado Cash is on the SDN list [1].
From [2]:
> Business transactions of any sort with SDNs are expressly prohibited and U.S. persons must block any property in their possession or under their control in which an SDN has an interest.
IANAL but it doesn't sound like much of a leap to say using GitHub falls within "business transactions of any sort".
Clarification question: Did GitHub delete the accounts of anyone who contributed to the repos? My guess would be owners and maintainers? Officially, Tornado Cash, the entity, is what's on the list, so I would think at the very least anyone who is formally tied to the entity.
It's hard to say, but sanctions violations are often heavily penalized. I don't think I go as far as saying it's simply CYA, but it is playing it on the safe side. Banning a few developer accounts is way less costly then the potential hit from violating sanctions.
I get that contributing to the repos would be a violation of the sanctions, but it's not clear to me when the project was sanctioned and whether all the contributors were aware that they were contributing to a sanctioned project. Would it have been enough for GitHub just to remove the projects?
I ask as someone who has a lot of developer friends from Cuba who run into problems with accounts on platforms being deleted all the time. IIRC there was an episode awhile ago when accounts were being deleted simply for logging in from Cuba.
It seems like the legal obligation would be to block logins from Cuba (and/or Cuban people), but deletion of accounts seems more like a CYA move than a strict obligation.