[Repo-criteria-discuss] Repository response to takedown notices

[Ian Jackson]

I see that GitHub is in part being scored down[1] because

  Specific information may not be available in all countries; see
  roskomnadzor[2a] and export controls[2b] for more details. (C2)

Firstly, I am no fan of github.  I wouldn't recommend it because it's
nonfree and I think GNU shouldn't either for the same reason.  See my
other message, just sent.

But I want to quibble with _this specific reason_ for failing
github on C2.  There are two aspects:


I. roskomnadzor.

The facts: github are receiving takedown requests from an arm of the
Russian government.  They act on these by preventing access to the
relevant resources by users in Russia (I think, by geolocating based
on IP address).

github have an poor choice here: they can (of course) refuse to act on
these requests, but in that case the Russian authorities will probably
arrange for users in Russia to have no access to github.

This is an obvious tradeoff with no obviously right answer, for
github.  I don't think it is fair to criticise github for making the
choice they have made.

Now, the wording of C2 says

  Does not discriminate against classes of users, or against any
  country. (C2)

Arguably github are not actually discriminating against any country;
if they received similar legal requests from the French or British or
Chinese authorities, I assume they would do the same, if the request
was backed by the threat of total blockage of github.  Their policy is
to comply with such takedown notices in order to keep their service
mostly-available in the relevant country.

But anywway, it is clear that the definition of C2 needs clarifying,
at the very least.  And I would argue that the clarification should be
such that github's choices here fall on the right side of the line.


II. export controls

The link is to [2b].  I see nothing in that page that says github will
restrict what anyone will do with github for ITAR reasons.

The page simply reminds users that there are US laws that may or may
not apply, and leaves it up to its users to comply:

  Although we've provided the following information below for your
  convenience, it is ultimately your responsibility to ensure that your
  use of GitHub's products and services comply with all applicable laws
  and regulations, including US export control laws.

Note that I think we are interested in "GitHub.com" here, not "GitHub
Enterprise" which is not a repository in the same sense.


Thanks for your attention,
Ian.


[1] https://www.gnu.org/software/repo-criteria-evaluation.html

[2a] https://github.com/github/roskomnadzor
[2b] https://help.github.com/articles/github-and-export-controls/

-- 
Ian Jackson <address@hidden>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.