I'm frequently reminded how thankful I am to live in a country with a strong, positive international reputation. Even ignoring actual quality-of-life stuff associated with where I live - simply not being from a country with a "dodgy" reputation makes many things so much easier.
I don't have to think about blocked websites. Companies accept my payments. Couriers ship to me. With my passport, I walk straight to the front of the fast lane, past the large queue of people who didn't happen to be born somewhere rich, western and politically stable.
I don't take it for granted, and it makes me sad that this distinction exists.
For half my life I had an Egyptian passport, and for the other a German passport. Having experienced both sides, that bit of paper is without a doubt the most valuable thing I own.
It's hard to quantify the kinds of doors it has opened for me. I was able to get a scholarship to study in the UK that covered home/EU rates (a third of international rates, while I might not have been able to get even a student loan otherwise), get government funding for a PhD that would not have been accessible to me otherwise and other grants, travel to international conferences without thinking twice about visas (unlike many colleagues) meeting people that would impact my career and skipping all sorts of barriers along the way, and never had to worry about deportation because of the EU settlement scheme, easily become a founder (no visa sponsorship needed), and so much more! Even travelling/business in the Middle East, being German rather than Egyptian is an entirely different life, one that my cousins cannot even begin to imagine.
There's a parallel universe where I'm stuck making ends meet in Cairo where I was born, dreaming of a brighter future, feeling all my potential fade away. I know because my immediate family is that version of me - no less talented or worthy of the opportunities I got because of my nationality!
I see the kind of freedom that I have because of that passport as one of the biggest modern injustices.
> I see the kind of freedom that I have because of that passport as one of the biggest modern injustices.
I think you're confusing a vague and abstract problem of "injustice" with a very concrete and real difference in ways different countries manage their public services and institutions.
You only listed personal benefits that a country like Germany provides to their citizens and the higher education institutions built up by the UK, and how it contrasts with the ones provided by Egypt.
Quite bluntly, this is a discussion over privileges. Not injustice, but privileges. I assure you that countless people from Germany, UK, the EU, or anywhere in the world, would desperately want to have access to the same opportunities. Depicting this as a matter of being granted a passport is at best survivorship bias, and at worst an affront to those who had it but still weren't lucky enough to benefit from the same opportunities.
> different countries manage their public services and institutions.
This is the injustice. The decisions made by these institutions are not just. Sometimes they're business decisions (e.g. a university can make more money price gouging international students, when we're getting an identical education).
There can be an overlap with privilege, but at that point you're arguing semantics. For example, I'm privileged if I don't get racially profiled by the police, but it is also unjust for police to racially profile me. To say that it's down to the institutions/countries/individuals making the decisions is the same argument as "well that bakery is a private business, they can decide not to serve you because of your nationality".
Of course there are Germans and Brits that haven't had the same opportunities that I have had, and of course it wasn't handed to me on a silver platter either; I still had to work hard. But my point is that if I were Egyptian _no_ amount of hard work or luck would have gotten me where I am. It would have been quite literally impossible.
I'm not even going to begin to crack open the can of worms that is the colonial history of the same countries (in my case the real and lingering effect that the UK has had on Egypt). The way you compare the institutions "built by the UK" and the ones "provided by Egypt" makes it sound like "well maybe Egypt should just do better" when the reality is that the prosperity of these very countries is built on centuries of injustice and blood. Call it what you want but it's injustice all the way down.
I live in Russia and I've never experienced most of the things you're describing. And it's become so much worse after 24/02/2022. We even had Spotify for a year! It was starting to genuinely feel like a first-world country.
Now you have to open a bank account in a different country for foreign companies to consider taking your money at all. The internet is utterly broken. The government blocks quite a lot, AND some foreign services block Russian IPs from their side. I even made a thread about running into Cloudflare's "you're blocked" pages randomly throughout the web: https://mastodon.social/@grishka/111934602844613193
Few of them do have an effect on the military, but hardly a significant one. Some of them forced the government officials to eat their own dog food. Most of them, however, feel like mocking petty revenge. If anything, those sanctions that disproportionately affect regular powerless people only reinforce the official propaganda's view that "we're encircled by enemies".
In my own opinion, a good step in the right direction would be if we could travel to European countries as easily as we used to be able to. Then more people could see with their own eyes that they're being lied to.
> In my own opinion, a good step in the right direction would be if we could travel to European countries as easily as we used to be able to.
I don't agree. Russia's regime threatens Europe with invasion and nuclear bombs almost on a daily basis, and vilifies everyone who doesn't enthusiastically support their invasion of Ukraine. A few years ago Russia even had a nuclear bomber circling the coast of western Europe.
This behavior is not limited to government. It's not unheard of having Russian tourists insulting and threatening locals. In Europe or in any corner of the world. There are also Russian citizens attacking refugees and asylum seekers on foreign soil, even Russia's own war dodgers.
You cannot expect to systematically threaten neighbors and still demand or even expect them to continue to cater to the whims of the aggressor. It is a voluntary relationship that cuts both ways.
When you start a war, you should expect to experience war.
> It's not unheard of having Russian tourists insulting and threatening locals. In Europe or in any corner of the world.
I live in one of the most touristic cities in the world (Rio de Janeiro) and after meeting hundreds of Russians, that's the first time I hear about it.
> European here, Russia is not threatening anyone here, not sure who told you that nonsense.
I call bullshit. European here. Even if you somehow ignore Georgia or Ukraine, and turn a blind eye to the Baltic nations and pretend that Poland doesn't exist, for decades we can't go a single month without Russia throwing any veiled and not so veiled threat. Either tanks in Berlin in x days, tanks in Lisbon in x weeks, sinking Britain with nuclear tsunamis, etc etc etc.
And I'm not even touching on the terrorist and sabotage campaigns.
You need to be wilfully ignorant to pretend Russia hasn't been threatening everyone left and right for decades.
European here, Russia is not threatening anyone here, not sure who told you that nonsense.
Since 2014, Russia (that is, its government) has:
- Shot down a passenger jet departing from Amsterdam, murdering 298 persons (including 211 citizens from European countries)
- Carried out (or attempted) targeted killings in the UK, Germany and Spain
- Blown up a Czech munitions plant, poisoned a Bulgarian arms dealer
- Organized sabotage acts against Poland
- Abducted an Estonian security officer at gunpoint inside Estonian territory, and dragged him across the border
- Engaged in numerous maritime and border provocations, especially against Sweden and the Baltic states
- Issued numerous menacing and/or provocative statements against Poland and the Baltic states (e.g. reminding Poland that its borders were "a gift from Stalin")
- And just the other day, Medvedev literally threatened to nuke Kyiv (saying it could turn into "a big grey lump")
It's plenty obvious you don't care about Ukraine (since you seem to have forgotten that it's part of Europe, also), but I'm pretty sure you understand that a nuclear attack on Kyiv would have certain decidedly negative effects on the rest of Europe as well.
Both the parent and grandparent were talking primarily about the Russian government, not regular people.
(The parent also went on an annoying stupid tangent about Russian tourists, but their main point was about Russian government's repeated threats to basically start an all-out nuclear war if its latest colonial project is not allowed to succeed, including Medvedev's not so subtle threat from just the other day).
Yeah sometimes Chinese tourists are also annoying here. So what? I feel like every country has these kinds of stereotypes about foreign tourists. I always treat everyone with respect by default and expect the same from others.
Russians didn’t start a war. They are not the aggressor. The ruling powers of Russia did. You are saying that it’s good to punish those already affected by their government's violence additionally. And with that unfortunate perspective, you will not win the population over, to the contrary.
The anger is justified, but misdirected.
Would every US American be happy to be identified as Trump and Project2025 supporter, in case he wins the elections?
How much is it my responsibility what my government does, if all I have is basically one vote, if even that, and it is life threatening to even voice (and form) my opinion?
That's industrial-grade gaslighting. A regime doesn't simply start an invasion. It's not even the first one in recent years, too. Russia's regime decided to invade Ukraine in 2014, and make it a full blown military invasion in 2022. You can't weasel-word your way around that.
How does that contradict what I said? You conflate Russian government and rulers (the „Russian regime“), and the population who happen to live or originate from there with no say in any of it („Russians“), all into one. That creates confusion and misunderstandings. You are making it appear as if it’s right and just to punish the population, and support their regime in isolating them from the world.
Also, you may want to look at the definition of „gaslighting“, where you create another confusion by applying it to this context.
I think he mistook your "Russia didn't start the war" as an attempt to blame Ukraine, whereas you were trying to distance population from the government. Nevertheless, that's wrong.
Yeah right because when someone calls people and asks effectively "do you support the war or do you want to go to jail" you totally get data that is not skewed in any way whatsoever.
Being openly against the war is literally illegal.
In short, speculating how people "really" think is pointless if they support the war in words and actions. Actions shape the world, not innermost thoughts that are never revealed to anyone. Your anti-war thoughts are worthless if you show up at a munitions factory every morning and produce artillery shells all day long.
> Yeah right because when someone calls people and asks effectively "do you support the war or do you want to go to jail" you totally get data that is not skewed in any way whatsoever.
That line of argument is old and tired and debunked. We also have witnessed in Europe the sad spectacle that is Russian diasporas throwing protests in support of Russia's invasion of Ukraine, and repeated violent attacks from Russian expats targeting Ukrainian refugees.
Hate to have to point this out - but not only is this a complete non-story (just from first principles) -- but the piece you're quoting is itself basically a standard tabloid-style scare article. I mean, just look at the title, will you:
Russians Are Hunting Down Ukrainian Refugees in Heart of NATO
That in itself should clue you in to the article's primary purpose -- not to provide useful information, but to keep you titillated by "that awful shiny thing over there", and inevitably wanting more, more, more.
But it actually gets worse from there. Quoting Bild (a real-life, old school tabloid), when in all probability they could have connected with any of the fine regional papers up there, should have been another major red flag. Oh and did you try reading and breaking down the actual 3 stories it cites to support its grand thesis? Pop quiz - do they even pertain to the article's actual substantive claim? (Answer: the headline story doesn't apply at all; the second does (but it's an isolated incident with 1 confirmed perpetrator); and the last one does but only partially, as it obviously conflates with an entirely different issue).
That's all it is, this article -- just adrenaline-pumping garbage. All rather harrowing what happened to the victims identified, and maybe there is something nefarious happening in Slovakia -- but articles like these just aren't useful go-to sources for any sense of what's really happening in the large.
They exist simply to distract, distract, distract.
And even if it was true, that opinion would simply be an indicator of the success of government propaganda. (Lies and myths and skewed narratives, not to be confused with gaslighting.)
Russians in Europe - where they have excellent access to free media and are under no such pressure - hold similar views, toned down due to public stigma. They refuse to condemn the war, blame it on Ukrainians, etc. A significant number of people refuse to answer the questions at all; this is something that Levada stresses does not happen with their surveys in Russia.
Yes and now how do you get Russians in Russia to change their mind? By punishing and isolating them, or by inviting them over to talk to them? That was the original point regarding sanctions.
Vladimir Zolkin is a Ukrainian journalist who has recorded hundreds of hours of interviews with Russian POWs and published them on YouTube. He started in the first weeks of the war and is still going. By now he's probably interviewed over a thousand of them. These are long interviews, in depth, usually up to an hour or even more, including POWs' calls home and interviewing their relatives too if they agree. According to his own words, he has entirely given up trying to "change their mind". These are just completely brainwashed people, incapable of independent thought, apathetic like zombies, automatically repeating instilled thoughts as soon as certain keywords are hit. Change will only come when they are replaced by a new generation that is free of this programming. Until then, the best course of action for us is to build a tall wall between us and hope that they won't attempt to drive a tank through it.
What you are pointing at is nothing new. Naive attempts to "build bridges" with people who see bridges only as an easy way of driving a tank over to us is how we got here in the first place:
Misguided attempts to build relations with countries run by criminal gangs have made no positive impact on them, but have poisoned us by opening up our politics, businesses, and other areas of life to their criminal networks.
> In my own opinion, a good step in the right direction would be if we could travel to European countries as easily as we used to be able to. Then more people could see with their own eyes that they're being lied to.
This and even more has been already tried, albeit somewhat inadvertently. Look at the neighboring Belarus. After Chernobyl, a fair share of kids and teens went on to spend their vacations in EU countries: Italy, UK, Austria, Belgium were the most welcoming, AFAIR.
At least 1/3 of Belarusian kids have been through one of the many Chernobyl kids programmes, many of them multiple times.
I was among those kids, as well as Svetlana Tsikhanouskaya who continued accompanying kids as a student, then as a teacher until her 30s.
This definitely changed many individual lives for the better, but has it changed the country for better? I bet no.
You guys need to fix your dictator quickly before someone else decides to. They’ll be much less surgical than you’d want. See Israel/Palestine. It’s on the Russian people to choose their path or continue complying with the regime that’s driving the country into the ground.
What about the freezing (and probable eventual seizure) of $300b of CBRF assets (apparently 60 percent its total foreign currency reserves)? That's got to be causing some significant pain, somewhere.
Not sure if it's caused by this or the sanctions related to USD and EUR currencies themselves, but CBRF has introduced limitations on foreign currency transactions in March 2022. They were supposed to last 6 months but every time they're about to expire they get extended for 6 more months.
You can't withdraw more than $10k of USD or EUR cash combined from all foreign currency accounts in each bank, and you can only withdraw the money that was there before March 2022. Past that limit and for any money you received after March, you can only withdraw it as rubles at the CBRF exchange rate, iirc. Most banks also treat dollars and euros like they're radioactive and will hit you with monthly fees if you have too much. So in the end we have three different exchange rates for these currencies: the CBRF one, the one for online operations with those "virtual" dollars and euros in currency accounts, and the "real" one for cash.
I'm not an expert and don't have the necessary and verifiable information to assess the consequences in regards to economy/industry, but the sociocultural effects are negative.
1. Sanctions sped up the formation of the class of war beneficiaries. Sanctions created the demand for sanction circumvention. Since their scope is huge, the demand is accordingly very high (from civil consumers to the government). This led to formation of new supply chains that keep being profitable only while the war and sanctions continue. Now thousands of people engaged in these activities have the monetary incentive to support the war and the government course. This one I deem to be the most consequential in the long term.
2. Any noticeable conflict or rights violation happening with Russian citizens abroad is to be blown out of proportion and presented as a confirmation of pervasive anti-Russian sentiment and support the government narrative of existing encircled by enemies.
3. The lack of accessible ways of integration of the emigrants into local societies (especially in Europe) led to thousands of them coming back, some unwillingly, some grudgingly and feeling disillusioned. This is a huge wasted opportunity and I don't get why it happened (I don't buy the "we must secure our countries against possible threat actors and dirty money" explanation).
Random people in Russia complaining about the inconvenience of not being able to travel to Europe because of Russia's invasion of Ukraine and all around imperialism is also an expected effect.
It's also telling that the reaction from those affected is to complain that sanctions should be reverted because they both don't work and are inconvenient and a nuisance.
I don't see how "they don't work" and "they are inconvenient" are contradictory statements. They would've been if there were feedback mechanisms that we could use to communicate our point of view to the government, but there aren't any, so in the end it's just a punishment for having been born in a wrong place at a wrong time.
> I don't see how "they don't work" and "they are inconvenient" are contradictory statements. They would've been if there were feedback mechanisms that we could use to communicate our point of view to the government, but there aren't any, so in the end it's just a punishment for having been born in a wrong place at a wrong time.
The feedback mechanism you're complaining about is a problem on the side of those being inconvenienced. If they want to complain, they need to direct their complaints to their own regime, and address the problems they are causing everyone around them.
It's also very telling that the reaction is to complain about mild inconveniences while turning a blind eye to the whole war of aggression, terrorism, and pervasive threats of global Armageddon from their very own government. That, strangely enough, is not an inconvenience nor an issue requiring attention.
Tourism seems to be a right to them, but others don't even have a right to exist?
Does that warrant any accountability at all, or does the blame lie always elsewhere?
> And get arrested and charged with "discrediting the armed forces", right.
If you don't register that as a problem but somehow limiting your tourism options is a concern, that is already telling regarding what your priorities are.
You keep coming back to the tourism and inconvenience angle, but if you dial back to what the commenter -- who is also taking a significant risk in talking to us, so that you and I might have some hope of finding out how things are viewed by people in the country who are well-informed and definitely not brainwashed, outside of what the media echo chamber tells us to think -- actually said, that very clearly wasn't their point at all. And the point that they did make was perfectly valid.
Go back and read more carefully please.
(And also: they very obviously do register the problem you're referring to, and there's no way to read their statement otherwise).
> I do register that as a problem but it's the same kind of problem as bad weather. Nothing can be done about it.
Yes there is. From Europe's side, one of the most basic things that can be done is stop taking in tourists from a nation hell-bent on starting wars of invasion with neighboring countries and threatening the whole world with nuclear Armageddon.
Cutting economic ties is also a good strong start.
If those hypothetical tourists don't feel strongly about their own nation conducting genocide or bombing hospitals or blowing up dams then perhaps at the very least they should understand that it's something that can negatively affect them too and perhaps, even for the worst possible reasons such as inconveniencing their travel plans, that should not be something they support.
And yet here we are, arguing that changes in travel plans are unfair while ignoring a full blown existential war.
> If those hypothetical tourists don't feel strongly about their own nation
We do feel strongly about it but we can't act on these feelings. The government is not taking any feedback.
Again, it's like screaming into the void at something you can't change, like weather. Except in this case, if you scream loudly enough, you will get arrested and charged with "discrediting the Russian armed forces" or "spreading fake information about the use of Russian armed forces". First time it's a fine, subsequent times it's a felony.
> We do feel strongly about it but we can't act on these feelings. The government is not taking any feedback.
That's a problem you need to solve.
Again, it's very telling that this only registers as a concern when the subject of mild inconveniences, such as not benefiting from the privilege of visiting some countries as tourists, is brought up.
It's also very telling that the only argument that's expressed in favour of dropping sanctions against Russia is this puerile expectation that Russian citizens should not be subjected to mild inconveniences. Aren't Ukrainians or Georgians entitled to the same expectations?
I'm open to suggestions about possible solutions to this problem.
And by the way, I'm not talking about myself as a tourist right now. I was saying that Russian people in general being able to easily visit European countries would lessen the Russian official propaganda's grip on the population.
And those sanctions against the civil aviation industry are nothing but straight vandalism.
> So in the end it's just a punishment for having been born in a wrong place at a wrong time.
That's what war is, unfortunately. Millions of people in Ukraine are currently being "punished" for exactly the same offense, only in ways infinitely worse, as I don't need to tell you.
There was absolutely no reason the war had to come into being at all. But now that we're stuck with it, the only effective questions are -- what can be done to hasten its end; provide some level of justice for those affected the worst; and to make it clear to the responsible parties that something like this can never be allowed to happen on European soil ever again?
For their own part -- it's not like the Western governments really have any other choice. Even though the sanctions are having a far more limited effect than they initially hoped -- they simply couldn't keep doing business with Russia as usual after what happened in 2022. That's all there is to it.
Meaning, they've no choice but to apply the strongest possible sanctions as they might reasonably be able to (for some definition of "reasonable"). It's a cold and calculated strategy - but again, they didn't choose this situation, and that's the moral calculus that they are now forced to adopt in response to the situation that Putin created for them.
> I like how you absolve the Western governments of any agency of their own.
Cut the crap. Russia's regime decided to start a war of invasion. It's an initiative from Russia and Russia alone, and all consequences are derived from Russia's actions. There is no way around it.
Ah, yes. Just one day Putin woke up and decided to start it. Nothing before.
But you know, the most funny thing here is that you would never say "USA's regime decided to start a war of invasion in Iraq/Afghanistan/Yugoslavia. It's an initiative from US and US alone, and all consequences are derived from US's actions. There is no way around it."
Actually in the case of Iraq at least, not only do many, many, many people say exactly that -- they were saying so at the time it happened, and not only saying it but marching in the streets, in crowds of hundreds of thousands, and screaming it at the top of their lungs -- in the vain hope that someone might listen.
In fact I'll say it right now (minus your jingoistic lingo about the USA's "regime" which really doesn't apply to its government of course):
The US government decided to start a war of invasion in Iraq. It's an initiative from the US and the US alone, and all consequences are derived from the US's actions. There is no way around it.
There, done. And guess what -- the exact same description applies 100 percent to Putin's invasion of Ukraine. It really was just as voluntary and made-up and evil and stupid as the Iraq invasion. It's an initiative from Russia and Russia alone, and all consequences are derived from Russia's actions. There is no way around it. And (just as with Iraq) anyone can see through the fog, and see the situation for exactly what it is if they want to.
More fundamentally: you know, the whole "hypocrisy" debate is really quite impotent and useless as applies to these situations, across the board. Much better to focus on why the evil happened, who is responsible and how to stop the evil currently and prevent it from ever happening again.
Do you pay taxes to the Russian government? If you do, then you are helping them wage war against Europe.
Russia is a dictatorship, what are you doing to change that? Just complaining that there isn't anything you can do won't change anything.
Why should we in the west go out of our way to not inconvenience you? If you are not resisting the Russian government, then you are passively helping them, why would I even consider it negative that sanctions bother you?
Sadly the EU doesn't really communicate this very well, and doesn't care to call out outright propaganda from ad tech and surveillance businesses, but the regulation is not actually hard to be compliant with.
It literally just asks that you don't spy on people. That's it. Not spying on users? Great, you don't even have to do anything.
I would be extremely surprised to see any attempt at enforcement against a website that didn't collect PII on some technicality such as not having the right footer or a contact person.
It's more than just not spying on people. You have to be able to prove you don't spy on people. And any vendors or contractors you use also don't spy on people, and respond to requests from anyone about all the data you have on them. And delete all of the data you have for anyone who cancels their account. Sure in some cases, that isn't a huge burden, like if you have a website that doesn't handle any customer data. But if you have a non-trivial app where you need to handle a lot of customer data for your app to work, it is a significant burden. And deleting someone's data as soon as they cancel can be really bad if someone accidentally cancels, so you probably want some kind of delayed deletion.
You don't have to delete as soon as they cancel; you can store it in an encrypted backup which you remove after 90 days (and throw away the key). There are a lot of 'for a reasonable period' things; meaning, you cannot store PII (including IPs) forever and you cannot store it at all in case you do not need it in the first place for your app to function (example; SaaS asking for my home address to which they don't ship anything).
> you can store it in an encrypted backup which you remove after 90 days (and throw away the key)
Sure. But that is much easier said than done. Especially if your previous strategy was to just keep everything, because storage is cheap, development cost is expensive, and then the data will still be there if the customer decides to return in a few years.
And in many (most?) cases it's not like you just have a single file with all the user's data, that data is spread around in many different database tables, and possibly even multiple databases. The development work to figure out how to clean everything up, without accidentally deleting anything wrong or leaving anything out can be a considerable amount of effort.
It's also not always black and white who data belongs to. If I upload an image onto a document that was shared with me, should that image be deleted if I cancel my account? What about something I posted publicly on a social media platform? Or posted privately in a group chat or DM? Does it make a difference if the content of an image or text I wrote included PII? Hopefully you have a lawyer that understands the nuances involved.
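The delayed deletion discussed in the comments above (a 90-day window, undoing an accidental cancellation, personal data spread over several tables), as an added example that is not from any commenter. It uses hard deletion with foreign-key cascades instead of the encrypted-backup-and-discarded-key approach, and the schema, table names and function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=90)  # retention window mentioned in the thread

# Hypothetical schema: personal data lives in three tables, all keyed to users.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    purge_after INTEGER          -- Unix time; NULL while the account is active
);
CREATE TABLE documents (
    id INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    body TEXT NOT NULL
);
CREATE TABLE login_events (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    ip TEXT NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite ignores ON DELETE CASCADE unless this is enabled per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def cancel_account(conn, user_id, now):
    """Mark the account for purge after the grace window; nothing is deleted yet."""
    due = int((now + GRACE).timestamp())
    with conn:
        conn.execute("UPDATE users SET purge_after = ? WHERE id = ?", (due, user_id))
    return due

def restore_account(conn, user_id, now):
    """Undo a cancellation, but only while the deadline is still in the future."""
    with conn:
        cur = conn.execute(
            "UPDATE users SET purge_after = NULL WHERE id = ? AND purge_after > ?",
            (user_id, int(now.timestamp())),
        )
    return cur.rowcount == 1

def purge_due(conn, now):
    """Hard-delete every account whose window has elapsed; return the purged ids."""
    ts = int(now.timestamp())
    with conn:
        ids = [row[0] for row in conn.execute(
            "SELECT id FROM users WHERE purge_after IS NOT NULL AND purge_after <= ?",
            (ts,),
        )]
        # Deleting the user row cascades to documents and login_events.
        conn.executemany("DELETE FROM users WHERE id = ?", [(i,) for i in ids])
    return ids

def leftover_rows(conn, user_id):
    """Count rows per table that still reference the user (audit after a purge)."""
    # Table and column names are fixed constants here, never user input.
    tables = {"users": "id", "documents": "owner_id", "login_events": "user_id"}
    return {
        table: conn.execute(
            f"SELECT COUNT(*) FROM {table} WHERE {col} = ?", (user_id,)
        ).fetchone()[0]
        for table, col in tables.items()
    }

def demo():
    conn = open_db()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed sample data (documentation-range addresses and domains).
    with conn:
        conn.executemany("INSERT INTO users(id, email) VALUES (?, ?)",
                         [(1, "a@example.test"), (2, "b@example.test")])
        conn.executemany("INSERT INTO documents(owner_id, body) VALUES (?, ?)",
                         [(1, "draft"), (2, "notes")])
        conn.executemany("INSERT INTO login_events(user_id, ip) VALUES (?, ?)",
                         [(1, "192.0.2.10"), (2, "192.0.2.20")])
    cancel_account(conn, 1, t0)
    cancel_account(conn, 2, t0)
    # User 2 cancelled by accident and comes back on day 10.
    restored = restore_account(conn, 2, t0 + timedelta(days=10))
    early = purge_due(conn, t0 + timedelta(days=89))   # window not yet elapsed
    late = purge_due(conn, t0 + timedelta(days=90))    # window elapsed for user 1
    return restored, early, late, leftover_rows(conn, 1), leftover_rows(conn, 2)

if __name__ == "__main__":
    print(demo())
```

Tables without a foreign key to `users` (or data in other stores) are not reached by the cascade, which is why the per-table audit in `leftover_rows` has to list every place personal data lives.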
I see this and I feel I must ask: why would you EVER engineer ANY application under the idiotic assumption that none of your users will ever want to remove the data that they had stored in it?!
Absolutely baffling.
Of course, if a business is that short-sighted and careless, it will struggle to implement GDPR.
It's slightly more involved than this, but not extraordinarily so.
For example seemingly innocuous implementations like loading fonts directly off Google Fonts without consent (i.e. providing Google with information about visitors' browsing habits) would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.
Maybe that's the problem, I thought the (mostly local media) companies that were blocking EU citizens were doing it out of spite or to make a point, because it doesn't make sense (for one, they're not subject to GDPR if they don't explicitly do business with EU citizens).
But maybe it's just because the US environment is so hostile that they assume it's the same in the EU.
But national regulators in the EU don't waste their time with foreign companies that might by oversight not be totally compliant since they're not even under their jurisdiction (worst is they could be fined and have to pay it if ever they incorporate in that country in the near future? Nobody's going to waste time in that).
And nobody can sue a company on gdpr grounds and get a payout. They're only fines, they benefit central states and are a negligible amount in regard to national budgets.
There already exist ways to proxy those requests in ways that avoid exposing anything about the visitors to Google.
It's in the grey area wrt Google's own ToS, but then, it's that or GDPR.
As someone that knows next to nothing about it, I was curious and googled how to adhere to the GDPR, and read through the top recommended article. Here's some choice quotes:
"Complying with the GDPR is a huge undertaking"
"GDPR compliance (occupies) a huge amount of IT time and resources"
"Moving your organization into GDPR compliance is a process you ideally started long ago"
The article links to some ICO GDPR data processing checklist, which is a list of 18 different processes you need to have put in place.
"The GDPR is made up of 99 articles that provide a detailed description of the regulation". <- 99 different articles to understand and adhere to ...
"[I]t is impossible to provide an exact prescription that will guarantee your organization is in compliance"
"One of the most onerous obligations of the GDPR is to provide “Data Subjects” – the people whose data you are processing – with access to the data that you hold about them (Article 15)",
"They can also request rectification or completion of data if it is inaccurate or incomplete, and they can request that you delete their personal data"
"This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests “without undue delay”"
^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.
I'm not even half way through the article and I'm skipping over tons of what it's saying needs to be done, with all the security measures that need to be put in place, whether or not encrypted data is needed, breach notification, and so on.
It seems like a heck of a lot more than just "not track people", or a trivial amount of work.
You listed just one slightly onerous requirement: allowing people access and agency over their data. If you don't store their data, you don't have to do that.
It's a bit hyperbolic to say that you're, "not even half way through the article and I'm skipping over tons of what it's saying needs to be done", when you've literally only listed one thing.
> "This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests “without undue delay”"
I'm sure each case might be different, but I can't help but think this is just a cheap excuse to inflate the work that is required to comply with data protection regulation.
I've worked already on a few projects involving data protection, and they all boil down to two steps:
- only store anonymous data. No personal data? No problem.
- if you need to store personally identifiable information, support deleting it on request.
It might be easier to incorporate these requirements at the design stage, but by now this is a very basic set of requirements.
> ^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.
If you don't track people's data, that "system" becomes an automated email reply with "we don't have any data about you".
But if you deal with individuals, probably you do want to collect at least some data that would be subject to the GDPR protections, and it is definitely easier to forget all about it.
Given that most things are personal data under the GDPR (e.g., IP addresses have been considered personal data, and things like usernames are clearly personal data), I don't think most companies can get off quite that trivially, short of being completely stateless and never logging anything.
You can log if you have good reason; you just have to delete the logs after a reasonable time. Nothing about this is hard or costly if you think about it from the start. Your 'forever data' basically should never contain PII as some users might have terminated their accounts etc so then their info cannot be in some cold store tape archive. Again, not complex; delete backups after a reasonable time and throw away the encryption key.
The intent of the GDPR is that you think about all of this and not simply store everything to mine, have stolen, leak or sell later on. The problem is that many companies or the software they use is literally built to abuse that data so then it is indeed 'hard' and expensive to comply.
Sure, but regardless of your data-retention period, you still have to know where to find everything derived from anything user-generated, if you want to accurately respond to requests. You're free to argue that the GDPR is making companies do things that they already ought to have been doing, but my point is that "just don't be one of those evil user-tracking companies" is not a viable compliance policy in itself.
If your data retention period is less than your response time (which has to be less than a month), can you not say "everything we had at the time of request is deleted" and be done with it?
A reminder that we're talking about passing visitors without accounts here, and for logging and analytics there shouldn't be a need to store anything longer than a couple days.
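The short-retention logging discussed in the comments above, sketched as an added example (not code from any commenter): access-log entries carry a per-day keyed pseudonym in place of the IP, entries older than the window are purged, and a day's key is destroyed with its last entry so that copies left in backups can no longer be linked to an address. The class and method names, the two-day window and the sample entries are assumptions made for illustration.

```python
"""Short-retention access log with per-day keyed IP pseudonyms (constructed example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 2  # assumption: "a couple days", as suggested in the thread


class AccessLog:
    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self.day_keys = {}  # date -> random HMAC key; kept out of backups
        self.entries = []   # (timestamp, pseudonym, path); no raw IP stored

    def _pseudonym(self, ip, day, create=False):
        """HMAC the IP under that day's key; None once the key is destroyed."""
        key = self.day_keys.get(day)
        if key is None:
            if not create:
                return None
            key = self.day_keys[day] = secrets.token_bytes(32)
        return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]

    def record(self, ts, ip, path):
        self.entries.append((ts, self._pseudonym(ip, ts.date(), create=True), path))

    def purge(self, now):
        """Drop expired entries, then destroy keys for days with nothing left."""
        cutoff = now - self.retention
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] >= cutoff]
        live_days = {e[0].date() for e in self.entries}
        for day in list(self.day_keys):
            if day not in live_days:
                del self.day_keys[day]
        return before - len(self.entries)

    def lookup(self, ip):
        """Entries still linkable to this IP, e.g. to answer an access request."""
        hits = []
        for ts, pseud, path in self.entries:
            candidate = self._pseudonym(ip, ts.date())
            if candidate is not None and hmac.compare_digest(candidate, pseud):
                hits.append((ts, path))
        return hits


def demo():
    # Constructed sample traffic using documentation-range addresses.
    now = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
    log = AccessLog()
    log.record(now - timedelta(days=5), "203.0.113.7", "/pricing")
    log.record(now - timedelta(days=1), "203.0.113.7", "/docs")
    log.record(now - timedelta(hours=1), "198.51.100.20", "/")
    backup = list(log.entries)  # a backup taken before the purge
    removed = log.purge(now)
    old_day = (now - timedelta(days=5)).date()
    return {
        "removed": removed,
        "held": log.lookup("203.0.113.7"),
        "held_unknown": log.lookup("192.0.2.99"),
        "backup": backup,
        # The backup still has the old row, but its key is gone, so the
        # pseudonym for this IP on that day can no longer be recomputed.
        "old_pseudonym": log._pseudonym("203.0.113.7", old_day),
        "keys_left": len(log.day_keys),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The unlinkability of old backup rows depends on the day keys never being copied into those backups or into any other store.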
All of that is about complying with gdpr, assuming you're sharing customer data. If you don't, there's nothing to do. It's like "international shipping of live animals is a massive undertaking and takes lots of time" - cool, it's true - I'm not doing that so I'm done.
Sure, you have to comply with data requests, but if you don't store/share it... that's also trivial.
GDPR does not regulate “sharing,” it regulates any use of personal data. IP address is considered personal data, so you can’t avoid GDPR compliance if you are running a website at all (since you must process IP addresses in order to serve a website).
I'm using simplified language here, not writing a legal document. The first use was also supposed to be "storing/sharing", but it's processing in practice. But here you go:
> GDPR does not regulate “sharing,”
13.1.e requires at least the notification of the recipients of the data. With the requirement about the purpose of use, it effectively regulates sharing.
> since you must process IP addresses in order to serve a website
That's right and that places the IP in the 4.1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller" area which doesn't require consent.
It doesn’t require a consent dialogue but it requires user notifications and data processing agreements with anyone who is helping you serve your site and an agent available to EU jurisdictions to answer inquiries. Granted a lot of people don’t bother or slide by with some vague crappy language they downloaded from somewhere.
The irony here is that the people who think they’re standing up for GDPR are actually the ones not taking it seriously, while the people who take it seriously are the ones who know what a pain it is to comply with.
Have you got some support for this from people experienced with legal matters? Because not only have I never heard of the internet provider notification being required and can't find any act which would apply, I can't even find any European page which does that, including https://op.europa.eu/en/web/about-us/privacy-statement which is responsible for publishing gdpr itself.
That publisher's page lists the third party processors for the documents, (as expected) but not the hosting provider. I'd love to see a counterexample.
My experience was the months I spent with a very competent (and no doubt expensive) French law firm to help my employer implement GDPR compliance. None of that is public info that I can link to, however.
I’ll edit to add that the user must be notified that you are collecting and processing personal data, which includes IP address. And the hard part is that you must also have internal paper trails that prove that you have written that notification in full knowledge of all the data processing done on your behalf by all your service providers. Is a data center owner routing traffic to your server? You need paperwork in which they commit not to store the IP addresses of your visitors, for example. That is not public-facing but must be available to regulators upon their request.
That’s the hard part of compliance and what most people skip. They click OK on the standard agreements with service providers and put up a standard privacy template. That is not actually compliant but folks are essentially betting that they are small enough that data regulators won’t ever come call them on it.
There's a known side effect of highly paid legal work... it will produce lots of results. But was it all required or just-in-case-CYA? Is one highly paid lawyer more correct than a sample of European institutions? Maybe...
Sum the amount of "you simply <x>" in this thread, then account for the fact that we're talking about running afoul of a regulation if you don't understand it, and you end up with a hassle. I'm not weighing in on whether or not it's bad, I'm just saying what I said. If you aren't accounting for a significant portion of revenue to justify it, you're going to get blocked because you represent a liability.
I’ve been noticing more and more US state and local government websites blocking traffic from outside the US. (And I’m not talking about traffic from North Korea, I’m talking about traffic from ANZUS/AUKUS/FVEY ally Australia.)
It seems stupid because just because someone is overseas doesn’t mean they can’t have valid business with a US state or local government. Maybe they are an American who is travelling and has to attend to some official business back home while they are away. Foreigners are allowed to purchase US real estate and incorporate companies in the US, which gives them heaps of legitimate reasons for interacting with local and state governments. In part due to these kinds of issues, many use some local agent in the US to handle government interactions for them, but a person can have valid reasons to engage directly.
Another annoying one is bank apps being unavailable from other countries. For example Australian bank apps when you're in the UK. Or the Vodafone app the other way around. People travel, it's ok to install an app abroad.
I’ve never heard of any Australian authorities making legal demands of US state and local governments.
I don’t necessarily agree with various official Australian attempts to impose Australian law on foreign non-government websites, but I don’t see how that is relevant to whether US governmental websites permit access from Australia.
It's much easier to say "I'm going to make it impossible for us to have to worry about the Australian government filing a lawsuit against $my-state-agency, because legal said so" than "Well, if we allow Australian IPs to access this website, there's a 0.x% chance that we get sued by Australia, but it's worth it for the sake of the 0.00x% of American expats in Australia."
Here's an analogously real example from current US-Ukraine policy:
> For example, one current social goal in the U.S., given the geopolitical conflict with Russia, is to avoid facilitating activities that could aid the adversary. As Russia has invaded Ukraine, the U.S. has positioned itself in opposition to Russia but not Ukraine. Banks, therefore, need to align with these geopolitical stances, leading to decisions that might catch some individuals in the crossfire, even if they’re not directly involved.
> Financial institutions often interpret this as: if they're not deeply specialized in doing business in Ukraine, they should avoid it altogether. They fear they won’t be able to consistently ensure compliance with these complex directives from the government [especially because there's a chance those directives might change in a week, or a month, or 3 months].
> This creates a split-brain problem within U.S. decision-making. The government intends to say, "Please cut down on oligarch money laundering that supports Russia’s war effort." However, financial institutions hear this as, "Under no circumstances should you fund anything related to Ukraine," including, for example, scholarships for Ukrainian high schoolers—a slight exaggeration, but not far from the reality in some cases.
> It's much easier to say "I'm going to make it impossible for us to have to worry about the Australian government filing a lawsuit against $my-state-agency, because legal said so" than "Well, if we allow Australian IPs to access this website, there's a 0.x% chance that we get sued by Australia, but it's worth it for the sake of the 0.00x% of American expats in Australia."
I personally doubt US state and local governments are specifically targeting Australia in the way you suggest.
I actually doubt they are thinking about Australia at all. I also doubt their legal departments are worried about the Australian government, since the Australian government taking legal action against a foreign government (even a local or subnational one) would in most cases be illegal under all three of international, Australian and foreign law due to sovereign state immunity, and diplomatically they wouldn’t do it to the US because it would offend their American allies. If for some strange reason an Australian government agency had a bone to pick with some US state or county, they’d aim to solve it with the US State Department. Private corporations and individuals are not protected by the same legal doctrines or diplomatic protocols.
I think they just see some option in their firewall config (or Cloudflare or whatever) called “limit countries allowed to access”, they turn it on and add only the US, and then they think “see I’ve kept all the foreign hackers out now!”.
Are there? I only sometimes stumble upon some medical website that redirects me to a "tracking free" empty static page[1] if I come from Europe and opt-out of cookies (which I always do anyway). Maybe we visit other parts of the internet, I don't read a lot of non-IT English things.
Absolutely. Many small regional newspapers are inaccessible from Europe; omny.info (which would be very interesting to tourists visiting NYC, as you can pull your trip reports there) bans most EU IPs too (but weirdly leaves some countries open).
Most frustrating is not even being able to cancel things like a US streaming service subscription from an EU IP (of course these things usually have no contact email address available either).
Europeans usually have no reason to read these, the only reason I know is that I googled a few of my American friends at one point and kept hitting these.
I have done that exact configuration for several of my clients who didn't realize any/much revenue in the EU. For them it was the obvious best move but I wish there was a better option.
It's more that you are on the right side in a unipolar world. When the world shifts to multipolarity in the next few years, the problem will solve itself.
I'm a globalist and all but when people say "multipolar" doesn't that usually mean "the USA shouldn't rule everyone, I want to also rule over some countries"?
Unless you happen to not be aligned with or really on the wrong side of that fabled ideal power monopole. It can quickly knock you from ignorance to reality. Imagine Russia was that monopole of power. Or look no further than a dictatorship. Great if your interests align or you're willing to bend them until they do, hell if they don't.
The US is the closest thing we have to a monopole these days and I'm sure it's sweet for some and very bitter for others.
"According to a 2024 analysis by The Washington Post, 60% of low-income countries were under some form of U.S. financial sanction. The analysis also concluded that the U.S. imposes three times as many sanctions as any other country or international body." - from https://en.wikipedia.org/wiki/United_States_sanctions
Really quite ridiculous that there are sanctions on something like 1/3 of the world.
From that same link, financial sanctions against a country can be one of any of the following:
* authority to prohibit U.S. citizens from engaging in financial transactions with the individuals, entities, or governments on the list, except by license from the U.S. government
* requiring the United States to oppose loans by the World Bank and other international financial institutions,
* diplomatic immunity waived, to allow families of terrorism victims to file for civil damages in U.S. courts,
* tax credits for companies and individuals denied, for income earned in listed countries,
* duty-free goods exemption suspended for imports from those countries, and
* prohibition of U.S. Defense Department contracts above $100,000 with companies controlled by countries on the list.
If we look at the map on that same page, we can see that very few countries have a total financial sanction such as the likes of Iran.
> Really quite ridiculous that there are sanctions on something like 1/3 of the world.
Sanctions are one of the de facto tools in the arsenal of American soft diplomacy. To be frank, the US has so many sanctions because the USD is so powerful.
> the US has so many sanctions because the USD is so powerful
That's appealing to sanctions' effectiveness. It's unclear they are. Instead, they're a potent signalling mechanism that's more palatable than shipping arms or worse, soldiers.
I'm not sure I understand. That's exactly the point of sanctions, to use the power of the US economy and the USD to exert American influence. You're right, they're not always effective at achieving their immediate goals, but they signal US disapproval and help pursue long-term goals without shipping those arms or soldiers anywhere.
Ridiculous in what sense? Perhaps those low-income countries should get their shit together and stop sponsoring terrorists, introduce multiparty democracy with free elections, allow free-market capitalism, extradite wanted criminals, and adhere to the treaties that they've ratified. The USA is under no obligation to trade with unfriendly countries.
Is it? Why should a random third world country be allowed to trade with Russia, Iran, North Korea or China? If anything, it would make sense if there were more sanctions, not less, with how things are going.
> The next day after Autherine was dismissed the paper came out with this headline: 'Things are quiet in Tuscaloosa today. There is peace on the campus of the University of Alabama.' Yes things were quiet in Tuscaloosa. Yes there was peace on the campus, but it was peace at a great price. It was peace that had been purchased at the exorbitant price of an inept trustee board succumbing to the whims and caprices of a vicious mob. It was peace that had been purchased at the price of allowing mobocracy to reign supreme over democracy. It was peace that had been purchased at the price of capitulating to the forces of darkness. This is the type of peace that all men of goodwill hate. It is the type of peace that is obnoxious. It is the type of peace that stinks in the nostrils of the almighty God.
Of course, you could either view this sentiment as trivially applying to international politics or so different as to be a category error. But it's enough of an opening to suggest that these loaded terms are not as easily transferable to ethical context as invested parties might want you to believe. It is difficult for folks to place their values firmly before external pressures when a country is much less empathizable with than an obviously abused person, but I think Americans would be surprised at how giving a little might invite a larger revelation about their role in the world stage than desired by the powers that be.
I do not want to find out that hegemonic stability theory is false, that would definitely make the rest of my lifespan worse, even if the odds are remote.
Sure, this is the natural reaction of people living in the imperial core, but this isn't true for the majority of people in the world, especially as global warming accelerates.
World-systems theory is typically the alternative to the theory that pax americana (i.e. peace for me but not for thee) is universally desirable.
I doubt the "next few years", and if the world shifts to multipolar, it won't solve the problem, it will just move everyone to the "bad side" where frictions big and small abound.
This whole issue of blocking Iranian IPs and not allowing them to download Docker containers for ‘legal’ reasons is ridiculous. Additionally, trying to detect and ban VPNs used by Iranians, which will affect the next user of that IP, is equally absurd.
1. avoid geoip blocks because geoip is inaccurate
2. When maintaining geoip don’t mark servers physically located in DE but used by a foreign company as located somewhere else because it will quickly go stale and misleading in the first place
This is not limited to Cloudflare. Google has the same issue and it turns out the IPs were being used by the Iranian hosting companies connected to internet surveillance but they keep moving around. So far we only observed this in Hetzner German DCs, which is consistent with the news about illicit activities by Iranian companies in Germany, two years ago during the last uprising against the Iranian government (the Woman, Life, Freedom movement)
Happened to us with GCP too. We had Oracle Cloud instances being flagged as from Iran and had to file forms with them to get them to not block the IPs.
It's pretty absurd that Cloudflare can just effectively cripple a cloud provider by tagging part of their IPv4 range as Iranian and not fixing their issues in over a year (and AFAIK have no intention to fix them at all).
Like, I wonder if Hetzner has any way to legally force them to stop misclassifying their IP.
What's absurd to me is that Cloudflare gains more and more control over the internet, by people voluntarily submitting to its domination.
My favorite is trying to go to someone's random blog with like 5 posts (because they have a singular post about the technical topic I'm trying to figure something out about) and I can't access the site because Cloudflare has decided my locked-down Firefox ("resist fingerprinting" + strict privacy mode etc.) running on OpenBSD is somehow malicious. So much for the open web. (Never mind the audacity that "we can't spy on you sufficiently" is enough to serve a 403 Forbidden response header.)
It is extremely hard to stop DDOS attacks without CF; my hoster has DDOS protection, but when there was a very large attack on our site, only CF could remedy it, and did so immediately when we panicked-moved dns and switched on bot fight. Entire attack that my hoster couldn't stop was gone. How do you do this without CF if you are a small company?
There are *so* many options out there. Saying you don't know how to do it without using an evil, monopolistic company is like saying you can't host email without using Google. It's lazy, untechnical and just plain untrue.
Enlighten me please; I have asked many times and everyone keeps sending me to cloudflare, even some hosters. When you search for anything like this, it ends up being very expensive which is not lazy; we cannot afford it. Botfight is free.
Maybe if people knew about alternatives, they would use CF less. I wouldn't use them at all (and don't; I switch when my hoster cannot handle the attack which happened once only).
I don't use them myself, but I only choose colocation providers that have a good handle on their own protections. A quick search, though, shows lots of reviews and options:
No idea about the content of those links, but considering the amount of research I do before selecting a colo provider, it'd be trivial in comparison to research a DDoS protection service.
But you didn't check those sites; they all recommend cloudflare or either very expensive (we all know what it means when there are no prices on the site and sales can call me) solutions, hard to use solutions or solutions you cannot use unless you are a certain type of site (the google one).
So basically the choice is cloudflare if you are not cashed up enough. So nothing to do with lazy; there are no other viable options for most if it's a large attack.
You're right that I didn't check them. I said that.
It's like doing research for colo, like my example. If you have the need, then a couple of hours of research is well worthwhile. I don't have the need, so I'm not going to do it now, but that's how one starts.
The colo example is apt - colo providers that don't have pricing are invariably too expensive, so I skip them, but there are plenty of others to check out that aren't Cloudflare. The one article I skimmed even says whether the providers are pricy or affordable.
Nobody needs Cloudflare. If (most) people were aware of how much Cloudflare breaks visibility across the world, they'd likely avoid Cloudflare, too.
I would avoid Cloudflare and I did this research before; there simply aren't any affordable competitors. That is why everyone keeps coming back to them.
Like what? When I last tried to DIY it, weeks of work resulted in maybe a 20% decrease in spam traffic. Then we tried Cloudflare and overnight it pretty much went to zero.
That was like ten years ago though. What are some good alternatives?
You should design your site to be resilient to spam traffic, not try to filter until it's gone. By filtering, you've become unreachable by much of the world, spammers or not.
Well, that sounds easier said than done. Do you have any advice or tutorials on how to do that effectively?
We did try, casually at first over the years, then intensely as a focused effort over several weeks, to little effect. We tried blocklists, fail2ban, firewall rules, heuristics, CDNs, other non-Cloudflare services, etc. It cost us dozens of hours of labor and thousands of dollars of other service provider fees, but the spam didn't abate much. It was causing excessive server load, many credit card authorization attempts (they didn't go through, thankfully), sometimes fake PO orders, screwing up our analytics, etc.
Then out of desperation, we found Cloudflare. It took maybe half an hour to set up, cost $20/mo at the time, and overnight all our spam problems stopped. For a small business, it was a godsend, freeing up our devs to work on actual features instead of fighting bots all the time, and saving us thousands of dollars in hosting fees.
> By filtering, you've become unreachable by much of the world, spammers or not.
But... that's the whole point! We weren't some huge enterprise SaaS trying to advertise to the whole world, just a small US-only business. We had no business in China, Russia, India, etc., where most of the spam was from. We tried in vain to block that traffic on purpose, but couldn't easily do it until Cloudflare.
Then Cloudflare let us flip a toggle... and it all magically worked. Our staff was much happier, our actual customers never noticed (they were all US/Canada based, or rarely Europe), nobody ever complained, and we saved thousands of dollars a year.
It's not just about DDoS (which we did get on occasion, and our host did help us with) but the consistent drive-by bot scraping, pen testing, port scanning, etc.
Cloudflare sometimes gets a lot of hate here, but for small website operators, they are a HUGE lifesaver. I've never actually heard a complaint from a real customer about this, but even if we hypothetically lost a handful, the time and money saved not dealing with spammers is worth it to many businesses.
The internet has long since stopped being the open wonderland where everyone is nice and contributes positively. The overwhelming majority of it is worthless bot traffic, and you could make an entire career out of trying to prevent it... or just give Cloudflare a few dollars and a few minutes. Sorry, I don't see them as evil, just... practical? Useful?
I will describe what we do at IPinfo to avoid such a mess-up. First of all, because we do active measurements, our data is usually less prone to errors like this, and when it comes to IP location it is as good as it gets.
We have a support team active 24/7. Then there is the issue of update rollout: when things go wrong (rarely if ever) we can push data updates immediately. We work with our customers and users and try to push immediate fixes.
But the most important thing in my opinion we do is this comment itself. If things go wrong we will address it before you come to our support team.
Maybe this is more of a Europe vs. US observation than a programmer vs. lawyer observation, but I have indeed made the observation that US companies are often satisfied with "identity verification" that would absolutely not fly elsewhere. A PDF of a utility bill as "proof of residency", knowing somebody's SSN as "identity verification"...
Yes, they might be definitionally best practice and accordingly enough from a legal perspective, but I don't see them having any value in actually keeping out bad actors. A fence that surrounds 99% of your pasture indeed has no value if the wolves know where the 1% gap is.
That's not really a EU Vs US thing though, but a "country with mandatory official declaration of residence" vs not.
France is the same as the US there, and I would assume the UK as well. Well I now realise the UK is not in the EU anymore... but France is probably not the only remaining country in the EU where you can move without some kind of administrative declaration?
Anyway the point for these countries is to not have a centralised record of where citizens live, for anti-surveillance reasons and resilience against potentially hostile authorities. So you can't ask the state to prove that you live somewhere because it doesn't have a record or if it has it cannot legally communicate it to anyone.
In contrast, Belgium for example has centralised records of residents and if your car is parked wrongly, the local police can look up the plate and call you on your registered phone number or knock on your door at your registered address, to tell you to move it. It's practical, but I find it creepy and dangerous. A hostile government would have so much power here.
> the point for these countries is to not have a centralised record of where citizens live
In the US, state DMVs effectively still know everybody's address, don't they?
And even if they wouldn't – that information is only one data broker query away in the US.
I've recently experienced this by signing up for a financial company that, after entering only my phone number and SSN, presented me with my full address and asked me whether everything looks accurate. I understand that historically and value-wise, this is part of where the resistance to centralized government databases is coming from. But practically, they already exist.
In the US, resistance against government ID for private contracts seems to come more from an intention of not wanting the government to be able to interfere with the right of people to legally transact with each other without government mandate or intervention. But even that resistance is largely over – I had to show my driver's license to every bank I ever opened an account with.
That's what happens when government is regulated but companies aren't. The kind of process you describe is totally illegal and unheard of in the EU.
In France banks also take utilities bills as proof of residence (but they also ask for id or passport to check your identity). ID cards do have an address as well as passports and driving licences, but even the government doesn't accept them as proof of residence because they're often out of date.
In my case they all have different addresses and none of them has my current address. My Belgian ID though has to be reissued every time I move to a different municipality.
Oh and regarding DMV having addresses yes, but (in France) they are indexed by a DMV-specific key that cannot easily be matched to another database, say social security or taxes (which also independently have addresses on most citizens). Driving license number, fiscal number, SSN, cannot legally be used anywhere else than with their respective services. There is of course the names that can be used, but no system is perfect I guess.
Anyway these are just implementation details, but my point is that the EU has many different administrative systems and in at least some of them, utilities are the only legal proof of residence.
If the law says that providing a fake document to a financial institution is considered fraud / money laundering and can be prosecuted, it makes a lot more sense.
This puts criminals in an untenable position. If they provide fake documents to a bank, they save the police a lot of work. If there's ever any suspicion of criminal activity in their accounts, nobody has to prove anything beyond the fact that they provided fake documents, which isn't that hard. That's enough to send them to prison. They can always provide real documents of course, but there's a reason they were using fake ones in the first place.
It's not a falsehood though. IP address is a reasonably reliable means of geolocation. Lawyers tend to be more comfortable with gray areas than engineers. Intent counts for a lot in assessing legal compliance.
But it isn't a grey area: it simply doesn't work. It doesn't matter if it correctly identifies most people: it has to correctly identify most terrorists, and it simply doesn't do that, because if you are a terrorist you just keep rotating through IP addresses on cloud providers and VPNs until the entire service is burnt. It isn't that it sometimes doesn't work: it's that it doesn't work at all when it actually needs to work. We could argue that the services shouldn't let you do that in the first place, but the reality is that services currently do work like that, no one is trying to change that, and if they did try to change it we would all be even less happy with the resulting even-more-powerful surveillance state.
Wrong. At this level there is no compliance requirement to specifically identify "terrorists". And the sanctions against Iran, while partly based on state sponsorship of terrorism, aren't limited to just designated terrorist entities.
Most services aren't required to blanket block all traffic from Iran. Only certain specific transactions are prohibited. But a lot of companies choose to block everything identified as coming from Iran (and other sanctioned countries) just to play it safe.
But I'm not a lawyer, and looking purely at the outcome of IP blocks (which is usually that regular people are inconvenienced, but the people such policies are actually designed to keep out just shrug and use a $5/month VPN), I can still say that it looks a bit silly.
This makes me wonder, though: Who started the IP checks? I think there's a high chance this by itself was anticipatory obedience, since it's fairly easy and cost-effective to do and it gives companies at least something to point at in case of a lawsuit.
But my point is that all of this compliance theater does add up; every once in a while mistakes (as outlined in TFA) do happen.
Even if they don't, almost free isn't the same thing as free – and some company will inevitably go even further, it'll set a precedent, and the cost to everybody will increase, with questionable benefit.
IP addresses are great for identifying traffic patterns, figuring out where your audience is roughly located etc. as long as you don't use them to selectively block users – since then nobody has a real incentive to "cloak" theirs.
Once you start doing that, you've completely destroyed the measurement, and at the same time you're still not keeping out unintended users – because these will just use a VPN.
To go with an analogy: Imagine a bank enforcing embargo/sanction policies by just asking everyone at the entrance for their name but not checking their ID! You'd get a lot of personal data (since most people won't lie), yet you won't keep any sanction evaders out.
I think we have the same perspective on this. I should have been more specific about my snark - what I was really calling out was the GDPR considering IP address as PII, which is widely lauded on this forum.
It's a still-unresolved issue as far as I know; the linked ticket was only closed last year because Gitlab has no control over it as long as they want to continue using Cloudflare. The companies which do have control over it have not fixed it so far.
It should be illegal for providers to override the location information provided by the owner of the IP. Hopefully the FTC will look into this abuse.
In the real world this would be the equivalent of me putting my shipping address on an order but the store deciding to ship it to some random place because they “believe” that’s my actual address.
It looks like they use different ASNs for the US datacenters, so probably not in this case. Nuremberg, Falkenstein and Helsinki all share the problematic AS24940 block mentioned in the OP, but Ashburn is on AS213230 and Hillsboro is on AS212317.
I was recently reviewing my Google account session history and saw an active session from some small town in western China. Obviously freaked out, rolled all passwords, spent hours scouring what they could’ve had access to, etc.
Only for the next day, when Google updates the exact same sessions location to my exact real location on another continent.
Google of course won’t show the IP address of sessions anymore, just the “location” so there was no way of confirming beforehand.
Yeah, Google does it too. I could not use certain Hetzner IPs to download container images on my Kubernetes nodes at all. Even the official registry.k8s.io registry is hosted on Google Cloud Services and basic stuff like the pause image can't be pulled.
Google's IP to location mapping is so bad it has to be intentional. I was in Japan and using my home network as a VPN quite a bit, after a while Google decided my home comcast IP had to be located in Japan. Even though others in the household were still there, they started getting default-Japanese pages on google/maps/youtube/... It didn't fix itself back until a couple weeks after I got home, even filled out https://support.google.com/websearch/contact/ip
I'd be more willing to bet that it's because my GPS location is in Japan, which is the strongest signal of my physical location. Nevertheless, my home IP is used by multiple people, they probably know who they are and that they're not in Japan. My own signals are a mix of VPN'd/non-VPN'd apps on my phone and laptop (not strict about the VPN, some Japan sites require a Japanese IP), and I do often NoMachine back to my home machine and access google services just like I do at home.
I can confirm this. All Google container registries, including the official k8s repos, are inaccessible via some Hetzner IPv4 domains.
There is a GitHub issue that also covers the problem and it states you should report those IPs to their support. I did but support says they can't do anything until the IP region list is updated.
IPv6 as a workaround is also difficult because some of the images I need are on GitHub and they are still not IPv6 accessible.
Is Apple store working in Iran?
For example, Apple store is working in Russia.
I genuinely do not understand how the logic works between 1. sanctions 2. ... 3. let's ban some IPs. What chain of reasoning happens on step 2? Why is this not applicable to Google/Apple?
There are definitely sanctions against Russia, yet Apple/Play stores work just fine.
Apple hasn't officially sold any hardware in Russia in the last 2+ years. Any Apple devices you can buy come from "parallel import" and are priced 1.5x compared to other countries.
As far as I know, the only way you can pay on the app store is from your prepaid balance at some carriers. Play store doesn't accept payments at all, it pops up a modal saying "payments in Russia are paused".
I can't understand what these sanctions are intended to achieve either. They just make us angrier because there's nothing we can do besides wait it out.
> They just make us angrier because there's nothing we can do besides wait it out.
You are not angry enough.
Get angrier, go out, kill the highest sitting official you can get your hands on, then be beaten, jailed, signed up to war where you will die and receive a posthumous medal?
Correction: Get angrier, go out, kill the highest sitting official you can get your hands on, then be beaten, jailed, signed up to war where you will defect to the Ukrainian side, fight gloriously and be the first ever Ukrainian soldier to enter Moscow, inscribing your name in the annals of Victory next to Julius Caesar.
Not only is Apple store working in Russia. Apple, who supposedly has stopped selling hardware there, works closely with the Russian government to remove apps like VPNs from the store.
TL;DR is that the IP that my new instance was assigned had previously been used as part of an advertising CDN based in Iran. It wouldn't surprise me if this is some game of whack-a-mole between interested parties who are at turns applying and attempting to evade blocks.
That probably explains the issues I’m having sometimes when pulling images from Elastic registry on hetzner boxes. At least now I know the reason behind that
In my previous jobs we didn't have any business in China and banning all IP ranges was a cheap and easy strategy to remove 50% of unsuccessful login attempts.
It's the interpretation of some cloud providers that exchanging datagrams with entities in OFAC-sanctioned countries constitutes a prohibited transaction.
There's a big list of allowed Internet activity between the US and Iran.[2]
It is explicitly US policy to not cut off Iran from the Internet.
The State Department wants people in Iran to get info from the outside world.
However, the US does not allow US domain registrations or web hosting "for or on behalf of the Government of Iran".
The Office of Foreign Assets Control can be queried for case by case info. That's appropriate here.
You de-risk your enterprise significantly by cutting Iran out completely, and you only lose the handful of dollars this would’ve translated into down the road.
I'm a Hetzner customer in Australia that has moved away a big part of my workloads, which was CI related, as most builds would start to fail with some access denied error calling various registries. I had a bunch of deep integration through their API as well which had to be reworked because that issue made it a no go anymore.
Banning an entire country and punishing its innocent citizens feels extreme. It doesn't seem right that, for example, an Iranian student can't use cloud services. Ban commercial and government entities, not the individuals.
This is a political argument, not a business one. Now that Uncle Sam has swung the banhammer on a particular country, pity the exec who exposes their company to doing business with the enemy.
Isn't intent of sanctions to weaken the adversary? Providing services, even free-tier (or, may be, especially so), to sanctioned countries is exactly the opposite of that.
That's just not true. You don't know what you're talking about.
I encourage you to skim through the sanctions. I promise you that you will find plenty of exemptions telling you not to block every Iranian citizen from communicating, not to block them access to information, not to block them from free-to-use services, not to prevent them from traveling etc etc.
If you just cut the whole country off the internet, how do you expect them to organise towards overthrowing the government? Via carrier pigeons?
It makes US service providers, like Google and Amazon, very unattractive for businesses that require worldwide coverage - for example Wikipedia.
I would argue that for unpaid services (for example serving up web content), we should not be applying sanctions. Those specific sanctions are so easy for the Iranians to work around (VPN), and so damaging to our businesses (no worldwide service).
> It makes US service providers, like Google and Amazon, very unattractive for businesses that require worldwide coverage
You know what is much more unattractive to these businesses? Getting on the wrong side of the US government. And honestly, I don't see any business (except for ones in Russia, China and Iran) changing provider because they don't provide service to Iran.
> damaging to our businesses (no worldwide service)
I'm confused, are you arguing here for allowing free-tier services under the sanction regime, or for getting rid of sanctions against Iran altogether? If it's the latter, then the argument is self-consistent. But if it's the former, then you're effectively saying that an American business which currently doesn't provide any services to Iranian customers would instead prefer to provide free-tier services for them without any way to get them to paid tier, and that doesn't make any sense. If you know that users from a certain region would always be at 0% conversion, you would get nothing by providing them with a free tier.
They consider Google Cloud, but then reject it because GCP cannot serve users in Iran, and Wikipedia's policy is to be globally available.
Google loses worldwide revenue from all of Wikipedia.
(I have met multiple companies who have dismissed GCP for this reason. Even companies with no current business in Iran might one day want to expand there, so don't want to make infrastructure choices which lock them out).
No, but I expect the judges who interpret the law to see that.
No judge will send a google employee to prison because someone located in Iran managed to download a copy of the docker image to Alpine Linux from the google/amazon container registry...
My servers ban huge swaths of IPs from certain places that originate enormous amounts of spam, scanners, and other nefarious traffic. It's very effective.
If I followed your strategy I would be blocking all of Google. Back in the days I operated my own mail server >50% of all spam was from Google USA... YMMV.
I do that on several of my hobby nodes. I block entire ASNs for all the major platforms. Real people can still reach them just fine. To your point I do less of that on my self-hosted mail servers and instead use a regex methodology called S25R created by a mail admin in Japan a long time ago and it works great.
Tricky thing about Google is quite a lot of my contacts are on Gmail or some domain hosted by Gmail so blocking Google's ASN is a no go for me. I'm now with Fastmail -- they use Spamassassin (plus I suspect their own custom rules) which uses a range of different metrics to determine whether an email is spam. That is far more effective than straight up blocking ASNs and the like.
but the traffic is _clearly coming from Germany_, the issue is that cloudflare/google have tagged certain ip addresses as Iranian no matter where the traffic actually originates from
Marked where? With the assigning authority of the IP address which has been granted the legal right to manage the IP space (a common good)? Or in the database of some arbitrary company?
Curiosity may get me on this one, but is sharing information (such as this post/comment) an example of transfer of information (to potentially all countries)?
My theory is lots of people who want to circumvent Iranian internet censorship rely on tunnels/VPNs hosted on Hetzner, which correlates those IPs with `Accept-Language: fa` and GPS locations collected from Android or other similar behavior.
Yeah, I had the same theory when Google did this with a free-tier VPN IP that was in Turkey. It claimed I was in Tehran - and, when I looked at the map of servers, the Turkish server I was connected to was the closest to Tehran.
I think you're confusing a vague and abstract problem of "injustice" with a very concrete and real difference in ways different countries manage their public services and institutions.
You only listed personal benefits that a country like Germany provides to their citizens and the higher education institutions built up by the UK, and how it contrasts with the ones provided by Egypt.
Quite bluntly, this is a discussion over privileges. Not injustice, but privileges. I assure you that countless people from Germany, UK, the EU, or anywhere in the world, would desperately want to have access to the same opportunities. Depicting this as a matter of being granted a passport is at best survivorship bias, and at worst an affront to those who had it but still weren't lucky enough to benefit from the same opportunities.
This is the injustice. The decisions made by these institutions are not just. Sometimes they're business decisions (e.g. a university can make more money price gouging international students, when we're getting an identical education).
There can be an overlap with privilege, but at that point you're arguing semantics. For example, I'm privileged if I don't get racially profiled by the police, but it is also unjust for police to racially profile me. To say that it's down to the institutions/countries/individuals making the decisions is the same argument as "well that bakery is a private business, they can decide not to serve you because of your nationality".
Of course there are Germans and Brits that haven't had the same opportunities that I have had, and of course it wasn't handed to me on a silver platter either; I still had to work hard. But my point is that if I were Egyptian _no_ amount of hard work or luck would have gotten me where I am. It would have been quite literally impossible.
I'm not even going to begin to crack open the can of worms that is the colonial history of the same countries (in my case the real and lingering effect that the UK has had on Egypt). The way you compare the institutions "built by the UK" and the ones "provided by Egypt" makes it sound like "well maybe Egypt should just do better m" when the reality is that the prosperity of these very countries is built on centuries of injustice and blood. Call it what you want but it's injustice all the way down.
Now you have to open a bank account in a different country for foreign companies to consider taking your money at all. The internet is utterly broken. The government blocks quite a lot, AND some foreign services block Russian IPs from their side. I even made a thread about running into Cloudflare's "you're blocked" pages randomly throughout the web: https://mastodon.social/@grishka/111934602844613193
Vladimir Kara-Murza expressed the same ideas much more eloquently on the press conference that followed the prisoner swap in August: https://newsukraine.rbc.ua/news/russian-opposition-figure-ka...
In my own opinion, a good step in the right direction would be if we could travel to European countries as easily as we used to be able to. Then more people could see with their own eyes that they're being lied to.
I don't agree. Russia's regime threatens Europe with invasion and nuclear bombs almost on a daily basis, and vilifies everyone who doesn't enthusiastically support their invasion of Ukraine. A few years ago Russia even had a nuclear bomber circling the coast of western Europe.
This behavior is not limited to government. It's not unheard of having Russian tourists insulting and threatening locals. In Europe or in any corner of the world. There are also Russian citizens attacking refugees and asylum seekers in foreign soil, even Russia's own war dodgers.
You cannot expect to systematically threaten neighbors and still demand or even expect them to continue to cater to the whims of the aggressor. It is a voluntary relationship that cuts both ways.
When you start a war, you should expect to experience war.
I live in one of the most touristic cities in the world (Rio de Janeiro) and after meeting hundreds of Russians, that's the first time I hear about it.
I call bullshit. European here. Even if you somehow ignore Georgia or Ukraine, and turn a blind eye to the Baltic nations and pretend that Poland doesn't exist, for decades we can't go a single month without Russia throwing any veiled and not so veiled threat. Either tanks in Berlin in x days, tanks in Lisbon in x weeks, sinking Britain with nuclear tsunamis, etc etc etc.
And I'm not even touching on the terrorist and sabotage campaigns.
You need to be wilfully ignorant to pretend Russia hasn't been threatening everyone left or right for decades.
https://en.wikipedia.org/wiki/Cuban_Missile_Crisis
And Ukraine's NATO membership application was rejected, by NATO, 16 years ago.
Your analogy holds no water whatsoever.
Bullshit. Finland joined NATO and if anything Russia pulled out their military presence near the border.
Even Putin himself debunked the nonsense tall tale about NATO expansion. Are we expected to keep pretending this is a concern?
Since 2014, Russia (that is, its government) has:
- Shot down a passenger jet departing from Amsterdam, murdering 298 persons (including 211 citizens from European countries)
- Carried out (or attempted) targeted killings in the UK, Germany and Spain
- Blown up a Czech munitions plant, poisoned a Bulgarian arms dealer
- Organized sabotage acts against Poland
- Abducted an Estonian security officer at gunpoint inside Estonian territory, and dragged him across the border
- Engaged in numerous maritime and border provocations, especially against Sweden and the Baltic states
- Issued numerous menacing and/or provocative statements against Poland and the Baltic states (e.g. reminding Poland that its borders were "a gift from Stalin")
- And just the other day, Medvedev literally threatened to nuke Kyiv (saying it could turn into "a big grey lump")
It's plenty obvious you don't care about Ukraine (since you seem to have forgotten that it's part of Europe, also), but I'm pretty sure you understand that a nuclear attack on Kyiv would have certain decidedly negative effects on the rest of Europe as well.
(The parent also went on an annoying stupid tangent about Russian tourists, but their main point was about Russian government's repeated threats to basically start an all-out nuclear war if its latest colonial project is not allowed to succeed, including Medvedev's not so subtle threat from just the other day).
The anger is justified, but misdirected.
Would every US American be happy to be identified as Trump and Project2025 supporter, in case he wins the elections?
How much is it my responsibility what my government does, if all I have is basically one vote, if even that, and it is life threatening to even voice (and form) my opinion?
That's industrial-grade gaslighting. A regime doesn't simply start an invasion. It's not even the first one in recent years, too. Russia's regime decided to invade Ukraine in 2014, and make it a full blown military invasion in 2022. You can't weasel-word your way around that.
Also, you may want to look at the definition of „gaslighting“, where you create another confusion by applying it to this context.
The population overwhelmingly supports the war: https://www.levada.ru/cp/wp-content/uploads/2024/08/3.png
The support is surprisingly uniform across age groups and urban/rural divide: https://www.levada.ru/cp/wp-content/uploads/2024/08/4.png
Yeah right because when someone calls people and asks effectively "do you support the war or do you want to go to jail" you totally get data that is not skewed in any way whatsoever.
Being openly against the war is literally illegal.
In short, speculating how people "really" think is pointless if they support the war in words and actions. Actions shape the world, not innermost thoughts that are never revealed to anyone. Your anti-war thoughts are worthless if you show up at a munitions factory every morning and produce artillery shells all day long.
That line of argument is old and tired and debunked. We also have witnessed in Europe the sad spectacle that is Russian diasporas throwing protests in support of Russia's invasion of Ukraine, and repeated violent attacks from Russian expats targeting Ukrainian refugees.
https://www.newsweek.com/russians-ukrainian-refugees-attack-...
It's very odd how this whole talk of oppression and free speech crackdowns only surfaces in the context of sanctions.
Hate to have to point this out - but not only is this a complete non-story (just from first principles) -- but the piece you're quoting is itself basically a standard tabloid-style scare article. I mean, just look at the title, will you:
Russians Are Hunting Down Ukrainian Refugees in Heart of NATO
That in itself should clue you in to the article's primary purpose -- not to provide useful information, but to keep you titillated by "that awful shiny thing over there", and inevitably wanting more, more, more.
But it actually gets worse from there. Quoting Bild (a real-life, old school tabloid), when in all probability they could have connected with any of the fine regional papers up there, should have been another major red flag. Oh and did you try reading and breaking down the actual 3 stories it cites to support its grand thesis? Pop quiz - do they even pertain to the article's actual substantive claim? (Answer: the headline story doesn't apply at all; the second does (but it's an isolated incident with 1 confirmed perpetrator); and the last one does but only partially, as it obviously conflates with an entirely different issue).
That's all it is, this article -- just adrenaline-pumping garbage. All rather harrowing what happened to the victims identified, and maybe there is something nefarious happening in Slovakia -- but articles like these just aren't useful go-to sources for any sense of what's really happening in the large.
They exist simply to distract, distract, distract.
Does the same apply to the Crimean status referendum?
But it's also a different topic (in a thread that has already drifted wildly off-topic).
And even if it was true, that opinion would simply be an indicator of the success of government propaganda. (Lies and myths and skewed narratives, not to be confused with gaslighting.)
Take Russians in Latvia, for example:
https://eng.lsm.lv/article/society/society/less-than-half-of... (2022)
https://eng.lsm.lv/article/society/society/13.07.2023-survey... (2023)
What you are pointing at is nothing new. Naive attempts to "build bridges" with people who see bridges only as an easy way of driving a tank over to us is how we got here in the first place:
https://en.wikipedia.org/wiki/Wandel_durch_Handel (German/EU policy towards Russia)
https://en.wikipedia.org/wiki/Russian_reset (Obama-era attempts)
Misguided attempts to build relations with countries run by criminal gangs have made no positive impact on them, but have poisoned us by opening up our politics, businesses, and other areas of life to their criminal networks.
This and even more has been already tried, albeit somewhat inadvertently. Look at the neighboring Belarus. After Chernobyl, a fair share of kids and teens went on to spend their vacations in EU countries: Italy, UK, Austria, Belgium were the most welcoming, AFAIR.
At least 1/3 of Belarusian kids have been through one of the many Chernobyl kids programmes, many of them multiple times.
I was among those kids, as well as Svetlana Tsikhanouskaya who continued accompanying kids as a student, then as a teacher until her 30s.
This definitely changed many individual lives for the better, but has it changed the country for better? I bet no.
What about the freezing (and probable eventual seizure) of $300b of CBRF assets (apparently 60 percent its total foreign currency reserves)? That's got to be causing some significant pain, somewhere.
You can't withdraw more than $10k of USD or EUR cash combined from all foreign currency accounts in each bank, and you can only withdraw the money that was there before March 2022. Past that limit and for any money you received after March, you can only withdraw it as rubles at the CBRF exchange rate, iirc. Most banks also treat dollars and euros like they're radioactive and will hit you with monthly fees if you have too much. So in the end we have three different exchange rates for these currencies: the CBRF one, the one for online operations with those "virtual" dollars and euros in currency accounts, and the "real" one for cash.
1. Sanctions sped up the formation of the class of war beneficiaries. Sanctions created the demand for sanction circumvention. Since their scope is huge, the demand is accordingly very high (from civil consumers to the government). This led to formation of new supply chains that keep being profitable only while the war and sanctions continue. Now thousands of people engaged in these activities have the monetary incentive to support the war and the government course. This one I deem to be the most consequential in the long term.
2. Any noticeable conflict or rights violation happening with Russian citizens abroad is to be blown out of proportion and presented as a confirmation of pervasive anti-Russian sentiment and support the government narrative of existing encircled by enemies.
3. The lack of accessible ways of integration of the emigrants into local societies (especially in Europe) led to thousands of them coming back, some unwillingly, some grudgingly and feeling disillusioned. This is a huge wasted opportunity and I don't get why it happened (I don't buy the "we must secure our countries against possible threat actors and dirty money" explanation).
It's also telling that the reaction from those affected is to complain that sanctions should be reverted because they both don't work and are inconvenient and a nuisance.
The feedback mechanism you're complaining about is a problem on the side of those being inconvenienced. If they want to complain, they need to direct their complaints to their own regime, and address the problems they are causing everyone around them.
It's also very telling that the reaction is to complain about mild inconveniences while turning a blind eye to the whole war of aggression, terrorism, and pervasive threats of global Armageddon from their very own government. That, strangely enough, is not an inconvenience nor an issue requiring attention.
Tourism seems to be a right to them, but others don't even have a right to exist?
Does that warrant any accountability at all, or does the blame lie always elsewhere?
And get arrested and charged with "discrediting the armed forces", right. Must be nice to write all that from the comfort of your Western home.
If you don't register that as a problem but somehow limiting your tourism options is a concern, that is already telling regarding what your priorities are.
Go back and read more carefully please.
(And also: they very obviously do register the problem you're referring to, and there's no way to read their statement otherwise).
Yes there is. From Europe's side, one of the most basic things that can be done is stop taking in tourists from a nation hell-bent on starting wars of invasion with neighboring countries and threatening the whole world with nuclear Armageddon.
Cutting economic ties is also a good strong start.
If those hypothetical tourists don't feel strongly about their own nation conducting genocide or bombing hospitals or blowing up dams then perhaps at the very least they should understand that it's something that can negatively affect them too and perhaps, even for the worst possible reasons such as inconveniencing their travel plans, that should not be something they support.
And yet here we are, arguing that changes in travel plans are unfair while ignoring a full-blown existential war.
We do feel strongly about it but we can't act on these feelings. The government is not taking any feedback.
Again, it's like screaming into the void at something you can't change, like weather. Except in this case, if you scream loudly enough, you will get arrested and charged with "discrediting the Russian armed forces" or "spreading fake information about the use of Russian armed forces". First time it's a fine, subsequent times it's a felony.
That's a problem you need to solve.
Again, it's very telling that this only registers as a concern when the subject of mild inconveniences, such as not benefiting from the privilege of visiting some countries as tourists, is brought up.
It's also very telling that the only argument that's expressed in favour of dropping sanctions against Russia is this puerile expectation that Russian citizens should not be subjected to mild inconveniences. Aren't Ukrainians or Georgians entitled to the same expectations?
I'm open to suggestions about possible solutions to this problem.
And by the way, I'm not talking about myself as a tourist right now. I was saying that Russian people in general being able to easily visit European countries would lessen the Russian official propaganda's grip on the population.
And those sanctions against the civil aviation industry are nothing but straight vandalism.
And the inconveniences aren't mild.
You're very plainly attacking a straw man here. Talk about puerile.
That's what war is, unfortunately. Millions of people in Ukraine are currently being "punished" for exactly the same offense, only in ways infinitely worse, as I don't need to tell you.
There was absolutely no reason the war had to come into being at all. But now that we're stuck with it, the only effective questions are -- what can be done to hasten its end; provide some level of justice for those affected the worst; and to make it clear to the responsible parties that something like this can never be allowed to happen on European soil ever again?
For their own part -- it's not like the Western governments really have any other choice. Even though the sanctions are having a far more limited effect than they initially hoped -- they simply couldn't keep doing business with Russia as usual after what happened in 2022. That's all there is to it.
Meaning, they've no choice but to apply the strongest possible sanctions as they might reasonably be able to (for some definition of "reasonable"). It's a cold and calculated strategy - but again, they didn't choose this situation, and that's the moral calculus that they are now forced to adopt in response to the situation that Putin created for them.
Cut the crap. Russia's regime decided to start a war of invasion. It's an initiative from Russia and Russia alone, and all consequences are derived from Russia's actions. There is no way around it.
But you know, the funniest thing here is that you would never say "USA's regime decided to start a war of invasion in Iraq/Afghanistan/Yugoslavia. It's an initiative from US and US alone, and all consequences are derived from US's actions. There is no way around it."
Makes me wonder why.
In fact I'll say it right now (minus your jingoistic lingo about the USA's "regime" which really doesn't apply to its government of course):
There, done. And guess what -- the exact same description applies 100 percent to Putin's invasion of Ukraine. It really was just as voluntary and made-up and evil and stupid as the Iraq invasion. It's an initiative from Russia and Russia alone, and all consequences are derived from Russia's actions. There is no way around it. And (just as with Iraq) anyone can see through the fog, and see the situation for exactly what it is they want to.
More fundamentally: you know, the whole "hypocrisy" debate is really quite impotent and useless as applies to these situations, across the board. Much better to focus on why the evil happened, who is responsible and how to stop the evil currently and prevent it from ever happening again.
Russia is a dictatorship, what are you doing to change that? Just complaining that there isn't anything you can do won't change anything.
Why should we in the west go out of our way to not inconvenience you? If you are not resisting the Russian government, then you are passively helping them, why would I even consider it negative that sanctions bother you?
There are many, many American sites that just block the whole EU IP ranges because they don't want to deal with GDPR.
It literally just asks that you don't spy on people. That's it. Not spying on users? Great, you don't even have to do anything.
I would be extremely surprised to see any attempt at enforcement against a website that didn't collect PII on some technicality such as not having the right footer or a contact person.
Sure. But that is much easier said than done. Especially if your previous strategy was to just keep everything, because storage is cheap, development cost is expensive, and then the data will still be there if the customer decides to return in a few years.
And in many (most?) cases it's not like you just have a single file with all the user's data, that data is spread around in many different database tables, and possibly even multiple databases. The development work to figure out how to clean everything up, without accidentally deleting anything wrong or leaving anything out can be a considerable amount of effort.
It's also not always black and white who data belongs to. If I upload an image onto a document that was shared with me, should that image be deleted if I cancel my account? What about something I posted publicly on a social media platform? Or posted privately in a group chat or DM? Does it make a difference if the content of an image or text I wrote included PII? Hopefully you have a lawyer that understands the nuances involved.
For example seemingly innocuous implementations like loading fonts directly off Google Fonts without consent (i.e. providing Google with information about visitors' browsing habits) would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.
The American in me says that sounds like "someone will definitely complain about it, eventually, if only because they're hoping for a payout".
But maybe it's just because the US environment is so hostile that they assume it's the same in the EU.
But national regulators in the EU don't waste their time with foreign companies that might by oversight not be totally compliant since they're not even under their jurisdiction (worst is they could be fined and have to pay it if ever they incorporate in that country in the near future? Nobody's going to waste time in that).
And nobody can sue a company on GDPR grounds and get a payout. They're only fines, they benefit central states and are a negligible amount in regard to national budgets.
"Complying with the GDPR is a huge undertaking"
"GDPR compliance (occupies) a huge amount of IT time and resources"
"Moving your organization into GDPR compliance is a process you ideally started long ago"
The article links to some ICO GDPR data processing checklist, which is a list of 18 different processes you need to have put in place.
"The GDPR is made up of 99 articles that provide a detailed description of the regulation". <- 99 different articles to understand and adhere to ...
"[I]t is impossible to provide an exact prescription that will guarantee your organization is in compliance"
"One of the most onerous obligations of the GDPR is to provide “Data Subjects” – the people whose data you are processing – with access to the data that you hold about them (Article 15)",
"They can also request rectification or completion of data if it is inaccurate or incomplete, and they can request that you delete their personal data"
"This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests “without undue delay”"
^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.
I'm not even half way through the article and I'm skipping over tons of what it's saying needs to be done, with all the security measures that need to be put in place, whether or not encrypted data is needed, breach notification, and so on.
It seems like a heck of a lot more than just "not track people", or a trivial amount of work.
It's a bit hyperbolic to say that you're, "not even half way through the article and I'm skipping over tons of what it's saying needs to be done", when you've literally only listed one thing.
I'm sure each case might be different, but I can't help but think this is just a cheap excuse to inflate the work that is required to comply with data protection regulation.
I've worked already on a few projects involving data protection, and they all boil down to two steps:
- only store anonymous data. No personal data? No problem.
- if you need to store personally identifiable information, support deleting it on request.
It might be easier to incorporate these requirements at the design stage, but by now this is a very basic set of requirements.
If you don't track people's data, that "system" becomes an automated email reply with "we don't have any data about you".
But if you deal with individuals, probably you do want to collect at least some data that would be subject to the GDPR protections, and it is definitely easier to forget all about it.
The intent of the GDPR is that you think about all of this and not simply store everything to mine, have stolen, leak or sell later on. The problem is that many companies or the software they use is literally built to abuse that data so then it is indeed 'hard' and expensive to comply.
A reminder that we're talking about passing visitors without accounts here, and for logging and analytics there shouldn't be a need to store anything longer than a couple days.
Sure, you have to comply with data requests, but if you don't store/share it... that's also trivial.
> GDPR does not regulate “sharing,”
13.1.e requires at least the notification of the recipients of the data. With the requirement about the purpose of use, it effectively regulates sharing.
> since you must process IP addresses in order to serve a website
That's right and that places the IP in the 4.1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller" area which doesn't require consent.
The irony here is that the people who think they’re standing up for GDPR are actually the ones not taking it seriously, while the people who take it seriously are the ones who know what a pain it is to comply with.
That publisher's page lists the third party processors for the documents, (as expected) but not the hosting provider. I'd love to see a counterexample.
I’ll edit to add that the user must be notified that you are collecting and processing personal data, which includes IP address. And the hard part is that you must also have internal paper trails that prove that you have written that notification in full knowledge of all the data processing done on your behalf by all your service providers. Is a data center owner routing traffic to your server? You need paperwork in which they commit not to store the IP addresses of your visitors, for example. That is not public-facing but must be available to regulators upon their request.
That’s the hard part of compliance and what most people skip. They click OK on the standard agreements with service providers and put up a standard privacy template. That is not actually compliant but folks are essentially betting that they are small enough that data regulators won’t ever come call them on it.
That's complete nonsense.
This is 100% not true and would be a violation under the GDPR. You need not share any data and if you do nothing, you'd be violating the GDPR.
> Sure, you have to comply with data requests, but if you don't store/share it... that's also trivial.
Nope, this is also not true. At least, it's not just "data requests."
You are in violation of the GDPR.
We need more of the world to implement similar rules so that it becomes infeasible to choose that option.
It seems stupid because just because someone is overseas doesn’t mean they can’t have valid business with a US state or local government. Maybe they are an American who is travelling and has to attend to some official business back home while they are away. Foreigners are allowed to purchase US real estate and incorporate companies in the US, which gives them heaps of legitimate reasons for interacting with local and state governments. In part due to these kinds of issues, many use some local agent in the US to handle government interactions for them, but a person can have valid reasons to engage directly.
I don’t necessarily agree with various official Australian attempts to impose Australian law on foreign non-government websites, but I don’t see how that is relevant to whether US governmental websites permit access from Australia
Here's an analogously real example from current US-Ukraine policy:
> For example, one current social goal in the U.S., given the geopolitical conflict with Russia, is to avoid facilitating activities that could aid the adversary. As Russia has invaded Ukraine, the U.S. has positioned itself in opposition to Russia but not Ukraine. Banks, therefore, need to align with these geopolitical stances, leading to decisions that might catch some individuals in the crossfire, even if they’re not directly involved.
> Financial institutions often interpret this as: if they're not deeply specialized in doing business in Ukraine, they should avoid it altogether. They fear they won’t be able to consistently ensure compliance with these complex directives from the government [especially because there's a chance those directives might change in a week, or a month, or 3 months].
> This creates a split-brain problem within U.S. decision-making. The government intends to say, "Please cut down on oligarch money laundering that supports Russia’s war effort." However, financial institutions hear this as, "Under no circumstances should you fund anything related to Ukraine," including, for example, scholarships for Ukrainian high schoolers—a slight exaggeration, but not far from the reality in some cases.
(source: https://www.complexsystemspodcast.com/episodes/true-crime-ba...)
I personally doubt US state and local governments are specifically targeting Australia in the way you suggest.
I actually doubt they are thinking about Australia at all. I also doubt their legal departments are worried about the Australian government, since the Australian government taking legal action against a foreign government (even a local or subnational one) would in most cases be illegal under all three of international, Australian and foreign law due to sovereign state immunity, and diplomatically they wouldn’t do it to the US because it would offend their American allies. If for some strange reason an Australian government agency had a bone to pick with some US state or county, they’d aim to solve it with the US State Department. Private corporations and individuals are not protected by the same legal doctrines or diplomatic protocols.
I think they just see some option in their firewall config (or Cloudflare or whatever) called “limit countries allowed to access”, they turn it on and add only the US, and then they think “see I’ve kept all the foreign hackers out now!”.
[1]A big troll that I respect.
Most frustrating is not even being able to cancel things like a US streaming service subscription from an EU IP (of course these things usually have no contact email address available either).
Europeans usually have no reason to read these, the only reason I know is that I googled a few of my American friends at one point and kept hitting these.
Or cannot afford to. Add in DSA and DMA as additional burdens.
The US is the closest thing we have to a monopole these days and I'm sure it's sweet for some and very bitter for others.
Really quite ridiculous that there are sanctions on something like 1/3 of the world.
* authority to prohibit U.S. citizens from engaging in financial transactions with the individuals, entities, or governments on the list, except by license from the U.S. government
* requiring the United States to oppose loans by the World Bank and other international financial institutions,
* diplomatic immunity waived, to allow families of terrorism victims to file for civil damages in U.S. courts,
* tax credits for companies and individuals denied, for income earned in listed countries,
* duty-free goods exemption suspended for imports from those countries, and
* prohibition of U.S. Defense Department contracts above $100,000 with companies controlled by countries on the list.
If we look at the map on that same page, we can see that very few countries have a total financial sanction such as the likes of Iran.
> Really quite ridiculous that there are sanctions on something like 1/3 of the world.
Sanctions are one of the de facto tools in the arsenal of American soft diplomacy. To be frank, the US has so many sanctions because the USD is so powerful.
That's appealing to sanctions' effectiveness. It's unclear they are. Instead, they're a potent signalling mechanism that's more palatable than shipping arms or worse, soldiers.
A short snippet:
> The next day after Autherine was dismissed the paper came out with this headline: 'Things are quiet in Tuscaloosa today. There is peace on the campus of the university of Alabama.' Yes things were quiet in Tuscaloosa. Yes there was peace on the campus, but it was peace at a great price. It was peace that had been purchased at the exorbitant price of an inept trustee board succumbing to the whims and caprices of a vicious mob. It was peace that had been purchased at the price of allowing mobocracy to reign supreme over democracy. It was peace that had been purchased at the price of the capitulating to the forces of darkness. This is the type of peace that all men of goodwill hate. It is the type of peace that is obnoxious. It is the type of peace that stinks in the nostrils of the almighty God.
Of course, you could either view this sentiment as trivially applying to international politics or so different as to be a category error. But it's enough of an opening to suggest that these loaded terms are not as easily transferrable to ethical context as invested parties might want you to believe. It is difficult for folks to place their values firmly before external pressures when a country is much less empathizable with than an obviously abused person, but I think Americans would be surprised at how giving a little might invite a larger revelation about their role in the world stage than desired by the powers that be.
World-systems theory is typically the alternative to the theory that pax americana (i.e. peace for me but not for thee) is universally desirable.
I raised the linked issue internally with the team, and they have reason to suspect this has already been addressed.
That being said, if you (or anyone else here) are still seeing this issue occur, please raise a ticket with our support team (https://developers.cloudflare.com/support/contacting-cloudfl...) so we can investigate further.
Thanks :)
And Cloudflare uses it as well.
https://developers.cloudflare.com/network/ip-geolocation/
We also wrote about this https://blog.cloud66.com/hetzner-connectivity-issues-due-to-...
like I wonder if Hetzner has any way to legally force them to stop misclassifying their IP
My favorite is trying to go to someone's random blog with like 5 posts (because they have a singular post about the technical topic I'm trying to figure something out about) and I can't access the site because Cloudflare has decided my locked-down Firefox ("resist fingerprinting" + strict privacy mode etc.) running on OpenBSD is somehow malicious. So much for the open web. (Never mind the audacity that "we can't spy on you sufficiently" is enough to serve a 403 Forbidden response header.)
Maybe if people knew about alternatives, they would use CF less. I wouldn't use them at all (and don't; I switch when my hoster cannot handle the attack which happened once only).
https://www.techradar.com/news/best-ddos-protection
https://www.gartner.com/reviews/market/ddos-mitigation-solut...
https://expertinsights.com/insights/top-distributed-denial-o...
No idea about the content of those links, but considering the amount of research I do before selecting a colo provider, it'd be trivial in comparison to research a DDoS protection service.
So basically the choice is Cloudflare if you are not cashed up enough. So nothing to do with lazy; there are no other viable options for most if it's a large attack.
It's like doing research for colo, like my example. If you have the need, then a couple of hours of research is well worthwhile. I don't have the need, so I'm not going to do it now, but that's how one starts.
The colo example is apt - colo providers that don't have pricing are invariably too expensive, so I skip them, but there are plenty of others to check out that aren't Cloudflare. The one article I skimmed even says whether the providers are pricy or affordable.
Nobody needs Cloudflare. If (most) people were aware of how much Cloudflare breaks visibility across the world, they'd likely avoid Cloudflare, too.
That was like ten years ago though. What are some good alternatives?
We did try, casually at first over the years, then intensely as a focused effort over several weeks, to little effect. We tried blocklists, fail2ban, firewall rules, heuristics, CDNs, other non-Cloudflare services, etc. It cost us dozens of hours of labor and thousands of dollars of other service provider fees, but the spam didn't abate much. It was causing excessive server load, many credit card authorization attempts (they didn't go through, thankfully), sometimes fake PO orders, screwing up our analytics, etc.
Then out of desperation, we found Cloudflare. It took maybe half an hour to set up, cost $20/mo at the time, and overnight all our spam problems stopped. For a small business, it was a godsend, freeing up our devs to work on actual features instead of fighting bots all the time, and saving us thousands of dollars in hosting fees.
> By filtering, you've become unreachable by much of the world, spammers or not.
But... that's the whole point! We weren't some huge enterprise SaaS trying to advertise to the whole world, just a small US-only business. We had no business in China, Russia, India, etc., where most of the spam was from. We tried in vain to block that traffic on purpose, but couldn't easily do it until Cloudflare.
Then Cloudflare let us flip a toggle... and it all magically worked. Our staff was much happier, our actual customers never noticed (they were all US/Canada based, or rarely Europe), nobody ever complained, and we saved thousands of dollars a year.
It's not just about DDoS (which we did get on occasion, and our host did help us with) but the consistent drive-by bot scraping, pen testing, port scanning, etc.
Cloudflare sometimes gets a lot of hate here, but for small website operators, they are a HUGE lifesaver. I've never actually heard a complaint from a real customer about this, but even if we hypothetically lost a handful, the time and money saved not dealing with spammers is worth it to many businesses.
The internet has long since stopped being the open wonderland where everyone is nice and contributes positively. The overwhelming majority of it is worthless bot traffic, and you could make an entire career out of trying to prevent it... or just give Cloudflare a few dollars and a few minutes. Sorry, I don't see them as evil, just... practical? Useful?
We have a support team active 24/7. Then there is the issue of update rollout: when things go wrong (rarely if ever) we can push data updates immediately. We work with our customers and users and try to push immediate fixes.
But the most important thing in my opinion we do is this comment itself. If things go wrong we will address it before you come to our support team.
Yes, they might be definitionally best practice and accordingly enough from a legal perspective, but I don't see them having any value in actually keeping out bad actors. A fence that surrounds 99% of your pasture indeed has no value if the wolves know where the 1% gap is.
That's not really a EU Vs US thing though, but a "country with mandatory official declaration of residence" vs not.
France is the same as the US there, and I would assume the UK as well. Well I now realise the UK is not in the EU anymore... but France is probably not the only remaining country in the EU where you can move without some kind of administrative declaration?
Anyway the point for these countries is to not have a centralised record of where citizens live, for anti-surveillance reasons and resilience against potentially hostile authorities. So you can't ask the state to prove that you live somewhere because it doesn't have a record or if it has it cannot legally communicate it to anyone.
In contrast, Belgium for example has centralised records of residents and if your car is parked wrongly, the local police can look up the plate and call you on your registered phone number or knock on your door at your registered address, to tell you to move it. It's practical, but I find it creepy and dangerous. A hostile government would have so much power here.
In the US, state DMVs effectively still know everybody's address, don't they?
And even if they wouldn't – that information is only one data broker query away in the US.
I've recently experienced this by signing up for a financial company that, after entering only my phone number and SSN, presented me with my full address and asked me whether everything looks accurate. I understand that historically and value-wise, this is part of where the resistance to centralized government databases is coming from. But practically, they already exist.
In the US, resistance against government ID for private contracts seems to come more from an intention of not wanting the government to be able to interfere with the right of people to legally transact with each other without government mandate or intervention. But even that resistance is largely over – I had to show my driver's license to every bank I ever opened an account with.
In France banks also take utilities bills as proof of residence (but they also ask for id or passport to check your identity). ID cards do have an address as well as passports and driving licences, but even the government doesn't accept them as proof of residence because they're often out of date.
In my case they all have different addresses and none of them has my current address. My Belgian ID though has to be reissued every time I move to a different municipality.
Oh and regarding DMV having addresses yes, but (in France) they are indexed by a DMV-specific key that cannot easily be matched to another database, say social security or taxes (which also independently have addresses on most citizens). Driving license number, fiscal number, SSN, cannot legally be used anywhere else than with their respective services. There are of course the names that can be used, but no system is perfect I guess.
Anyway these are just implementation details, but my point is that the EU has many different administrative systems and in at least some of them, utilities are the only legal proof of residence.
This puts criminals in an untenable position. If they provide fake documents to a bank, they save the police a lot of work. If there's ever any suspicion of criminal activity in their accounts, nobody has to prove anything beyond the fact that they provided fake documents, which isn't that hard. That's enough to send them to prison. They can always provide real documents of course, but there's a reason they were using fake ones in the first place.
Most services aren't required to blanket block all traffic from Iran. Only certain specific transactions are prohibited. But a lot of companies choose to block everything identified as coming from Iran (and other sanctioned countries) just to play it safe.
But I'm not a lawyer, and looking purely at the outcome of IP blocks (which is usually that regular people are inconvenienced, but the people such policies are actually designed to keep out just shrug and use a $5/month VPN), I can still say that it looks a bit silly.
But my point is that all of this compliance theater does add up; every once in a while mistakes (as outlined in TFA) do happen.
Even if they don't, almost free isn't the same thing as free – and some company will inevitably go even further, it'll set a precedent, and the cost to everybody will increase, with questionable benefit.
Once you start doing that, you've completely destroyed the measurement, and at the same time you're still not keeping out unintended users – because these will just use a VPN.
To go with an analogy: Imagine a bank enforcing embargo/sanction policies by just asking everyone at the entrance for their name but not checking their ID! You'd get a lot of personal data (since most people won't lie), yet you won't keep any sanction evaders out.
Only for the next day, when Google updates the exact same sessions location to my exact real location on another continent.
Google of course won’t show the IP address of sessions anymore, just the “location” so there was no way of confirming beforehand.
There is a GitHub issue that also covers the problem and it states you should report those IPs to their support. I did but support says they can't do anything until the IP region list is updated.
IPv6 as a workaround is also difficult because some of the images I need are on GitHub and they are still not IPv6 accessible.
We reported a lot of IPs to Hetzner, but since we use autoscaling new blocked ones just kept on appearing.
I genuinely do not understand how the logic works between 1. sanctions 2. ... 3. let's ban some IPs. What chain of reasoning happens at step 2? Why is this not applicable to Google/Apple?
There are definitely sanctions against Russia, yet Apple/Play stores work just fine.
Apple hasn't officially sold any hardware in Russia in the last 2+ years. Any Apple devices you can buy come from "parallel import" and are priced 1.5x compared to other countries.
As far as I know, the only way you can pay on the app store is from your prepaid balance at some carriers. Play store doesn't accept payments at all, it pops up a modal saying "payments in Russia are paused".
I can't understand what these sanctions are intended to achieve either. They just make us angrier because there's nothing we can do besides wait it out.
You are not angry enough.
Get angrier, go out, kill the highest sitting official you can get your hands on, then be beaten, jailed, signed up to war where you will die and receive a posthumous medal?
The same sanctions:
- Cloudflare - block IPs (why? what part of the sanctions says that)
- Apple / Google - do nothing
I genuinely want to know.
TL;DR is that the IP that my new instance was assigned had previously been used as part of an advertising CDN based in Iran. It wouldn't surprise me if this is some game of whack-a-mole between interested parties who are at turns applying and attempting to evade blocks.
There's a big list of allowed Internet activity between the US and Iran.[2] It is explicitly US policy to not cut off Iran from the Internet. The State Department wants people in Iran to get info from the outside world. However, the US does not allow US domain registrations or web hosting "for or on behalf of the Government of Iran".
The Office of Foreign Assets Control can be queried for case by case info. That's appropriate here.
[1] https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/p...
[2] https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/p...
They should interpret the law to mean "We will treat every request from Iran as a non-paying customer, and won't offer anything outside the free-tier"
Even if that isn't the way it was written, it is plain that it falls within the intent of the law, and is beneficial to US businesses.
You de-risk your enterprise significantly by cutting Iran out completely, and you only lose the handful of dollars this would’ve translated into down the road.
Some customers aren’t worth having.
I encourage you to skim through the sanctions. I promise you that you will find plenty of exemptions telling you not to block every Iranian citizen from communicating, not to block them access to information, not to block them from free-to-use services, not to prevent them from traveling etc etc.
If you just cut the whole country off the internet, how do you expect them to organise towards overthrowing the government? Via carrier pigeons?
I would argue that for unpaid services (for example serving up web content), we should not be applying sanctions. Those specific sanctions are so easy for the Iranians to work around (VPN), and so damaging to our businesses (no worldwide service).
You know what is much more unattractive to these businesses? Getting on the wrong side of the US government. And honestly, I don't see any business (except for ones in Russia, China and Iran) changing provider because they don't provide service to Iran.
> damaging to our businesses (no worldwide service)
I'm confused, are you arguing here for allowing free-tier services under the sanction regime, or for getting rid of sanctions against Iran altogether? If it's the latter, then the argument is self-consistent. But if it's the former, then you're effectively saying that an American business which currently doesn't provide any services to Iranian customers would instead prefer to provide free-tier services for them without any way to get them to a paid tier, and that doesn't make any sense. If you know that users from a certain region would always be at 0% conversion, you would get nothing by providing them with a free tier.
They consider Google Cloud, but then reject it because GCP cannot serve users in Iran, and Wikipedia's policy is to be globally available.
Google loses worldwide revenue from all of Wikipedia.
(I have met multiple companies who have dismissed GCP for this reason. Even companies with no current business in Iran might one day want to expand there, so don't want to make infrastructure choices which lock them out).
No judge will send a Google employee to prison because someone located in Iran managed to download a copy of the docker image to Alpine Linux from the Google/Amazon container registry...
Even if vindicated, the process can be costly.
[0] https://en.m.wikipedia.org/wiki/Sturgeon%27s_law
You never know such things when you are in the US though...
How do you know that if the only thing you see on the receiving side is an IP address, which is marked as Iranian?
As a company, this means BSTS (better safe than sorry) CYA (cover your ass) measures for good or worse.
Edit: it also wouldn't surprise me if Hacker News blocks traffic from Iran.