• RadiozRadioz 18 hours ago

    I'm frequently reminded how thankful I am to live in a country with a strong, positive international reputation. Even ignoring actual quality-of-life stuff associated with where I live - simply not being from a country with a "dodgy" reputation makes many things so much easier.

    I don't have to think about blocked websites. Companies accept my payments. Couriers ship to me. With my passport, I walk straight to the front of the fast lane, past the large queue of people who didn't happen to be born somewhere rich, western and politically stable.

    I don't take it for granted, and it makes me sad that this distinction exists.

    • paraknight 8 hours ago

      For half my life I had an Egyptian passport, and for the other a German passport. Having experienced both sides, that bit of paper is without a doubt the most valuable thing I own.

      It's hard to quantify the kinds of doors it has opened for me. I was able to get a scholarship to study in the UK that covered home/EU rates (a third of international rates, while I might not have been able to get even a student loan otherwise), get government funding for a PhD that would not have been accessible to me otherwise and other grants, travel to international conferences without thinking twice about visas (unlike many colleagues) meeting people that would impact my career and skipping all sorts of barriers along the way, and never had to worry about deportation because of the EU settlement scheme, easily become a founder (no visa sponsorship needed), and so much more! Even travelling/business in the Middle East, being German rather than Egyptian is an entirely different life, one that my cousins cannot even begin to imagine.

      There's a parallel universe where I'm stuck making ends meet in Cairo where I was born, dreaming of a brighter future, feeling all my potential fade away. I know because my immediate family is that version of me - no less talented or worthy of the opportunities I got because of my nationality!

      I see the kind of freedom that I have because of that passport as one of the biggest modern injustices.

      • grishka 14 hours ago

        I live in Russia and I've never experienced most of the things you're describing. And it's become so much worse after 24/02/2022. We even had Spotify for a year! It was starting to genuinely feel like a first-world country.

        Now you have to open a bank account in a different country for foreign companies to consider taking your money at all. The internet is utterly broken. The government blocks quite a lot, AND some foreign services block Russian IPs from their side. I even made a thread about running into Cloudflare's "you're blocked" pages randomly throughout the web: https://mastodon.social/@grishka/111934602844613193

        • aguaviva 14 hours ago

          Do you think the sanctions are having a significant effect in terms of slowing down the war effort?

          • grishka 13 hours ago

            Few of them do have an effect on the military, but hardly a significant one. Some of them forced the government officials to eat their own dog food. Most of them, however, feel like mocking petty revenge. If anything, those sanctions that disproportionately affect regular powerless people only reinforce the official propaganda's view that "we're encircled by enemies".

            Vladimir Kara-Murza expressed the same ideas much more eloquently at the press conference that followed the prisoner swap in August: https://newsukraine.rbc.ua/news/russian-opposition-figure-ka...

            In my own opinion, a good step in the right direction would be if we could travel to European countries as easily as we used to be able to. Then more people could see with their own eyes that they're being lied to.

            • sam_lowry_ 6 hours ago

              > In my own opinion, a good step in the right direction would be if we could travel to European countries as easily as we used to be able to. Then more people could see with their own eyes that they're being lied to.

              This and even more has been already tried, albeit somewhat inadvertently. Look at the neighboring Belarus. After Chernobyl, a fair share of kids and teens went on to spend their vacations in EU countries: Italy, UK, Austria, Belgium were the most welcoming, AFAIR.

              At least 1/3 of Belarusian kids have been through one of the many Chernobyl kids programmes, many of them multiple times.

              I was among those kids, as well as Svetlana Tsikhanouskaya who continued accompanying kids as a student, then as a teacher until her 30s.

              This definitely changed many individual lives for the better, but has it changed the country for better? I bet no.

              • chipdart 11 hours ago

                > In my own opinion, a good step in the right direction would be if we could travel to European countries as easily as we used to be able to.

                I don't agree. Russia's regime threatens Europe with invasion and nuclear bombs almost on a daily basis, and vilifies everyone who doesn't enthusiastically support their invasion of Ukraine. A few years ago Russia even had a nuclear bomber circling the coast of western Europe.

                This behavior is not limited to government. It's not unheard of having Russian tourists insulting and threatening locals. In Europe or in any corner of the world. There are also Russian citizens attacking refugees and asylum seekers on foreign soil, even Russia's own war dodgers.

                You cannot expect to systematically threaten neighbors and still demand or even expect them to continue to cater to the whims of the aggressor. It is a voluntary relationship that cuts both ways.

                When you start a war, you should expect to experience war.

                • 47282847 4 hours ago

                  Russians didn’t start a war. They are not the aggressor. The ruling powers of Russia did. You are saying that it’s good to punish those already affected by their government's violence additionally. And with that unfortunate perspective, you will not win the population over, to the contrary.

                  The anger is justified, but misdirected.

                  Would every US American be happy to be identified as a Trump and Project2025 supporter, in case he wins the elections?

                  How much is it my responsibility what my government does, if all I have is basically one vote, if even that, and it is life threatening to even voice (and form) my opinion?

                  • chipdart 3 hours ago

                    > Russians didn’t start a war.

                    That's industrial-grade gaslighting. A regime doesn't simply start an invasion. It's not even the first one in recent years, too. Russia's regime decided to invade Ukraine in 2014, and make it a full blown military invasion in 2022. You can't weasel-word your way around that.

                    • 47282847 2 hours ago

                      How does that contradict what I said? You conflate Russian government and rulers (the „Russian regime“), and the population who happen to live or originate from there with no say in any of it („Russians“), all into one. That creates confusion and misunderstandings. You are making it appear as if it’s right and just to punish the population, and support their regime in isolating them from the world.

                      Also, you may want to look at the definition of „gaslighting“, where you create another confusion by applying it to this context.

                      • mopsi 42 minutes ago

                        I think he mistook your "Russia didn't start the war" as an attempt to blame Ukraine, whereas you were trying to distance population from the government. Nevertheless, that's wrong.

                        The population overwhelmingly supports the war: https://www.levada.ru/cp/wp-content/uploads/2024/08/3.png

                        The support is surprisingly uniform across age groups and urban/rural divide: https://www.levada.ru/cp/wp-content/uploads/2024/08/4.png

                        • grishka 13 minutes ago

                          > The population overwhelmingly supports the war

                          Yeah right because when someone calls people and asks effectively "do you support the war or do you want to go to jail" you totally get data that is not skewed in any way whatsoever.

                          Being openly against the war is literally illegal.

                          • 47282847 3 minutes ago

                            Exactly. Even calling it one is.

                    • voidr 11 hours ago

                      European here, Russia is not threatening anyone here, not sure who told you that nonsense.

                      Tourists being annoying, wow, what else is new? You should check out how Americans behave in Mexico and the British in mainland Europe.

                      Don’t think foreigners care about asylum seekers.

                      Well we tanked our economies and Russia is doing just fine, so any more bright ideas?

                      • aguaviva 10 hours ago

                        > European here, Russia is not threatening anyone here, not sure who told you that nonsense.

                        Since 2014, Russia (that is, its government) has:

                        - Shot down a passenger jet departing from Amsterdam, murdering 298 persons (including 211 citizens from European countries)

                        - Carried out (or attempted) targeted killings in the UK, Germany and Spain

                        - Blown up a Czech munitions plant, poisoned a Bulgarian arms dealer

                        - Organized sabotage acts against Poland

                        - Abducted an Estonian security officer at gunpoint inside Estonian territory, and dragged him across the border

                        - Engaged in numerous maritime and border provocations, especially against Sweden and the Baltic states

                        - Issued numerous menacing and/or provocative statements against Poland and the Baltic states (e.g. reminding Poland that its borders were "a gift from Stalin")

                        - And just the other day, Medvedev literally threatened to nuke Kyiv (saying it could turn into "a big grey lump")

                        It's plenty obvious you don't care about Ukraine (since you seem to have forgotten that it's part of Europe, also), but I'm pretty sure you understand that a nuclear attack on Kyiv would have certain decidedly negative effects on the rest of Europe as well.

                        • grishka 10 hours ago

                          We're not talking about the government here. We're talking about regular people.

                          • aguaviva 9 hours ago

                            Both the parent and grandparent were talking primarily about the Russian government, not regular people.

                            (The parent also went on an annoying stupid tangent about Russian tourists, but their main point was about the Russian government's repeated threats to basically start an all-out nuclear war if its latest colonial project is not allowed to succeed, including Medvedev's not so subtle threat from just the other day).

                            • sam_lowry_ 7 hours ago

                              Regular people create value that makes the war possible and pay taxes that finance the war.

                            • voidr 5 hours ago

                              [flagged]

                            • chipdart 9 hours ago

                              > European here, Russia is not threatening anyone here, not sure who told you that nonsense.

                              I call bullshit. European here. Even if you somehow ignore Georgia or Ukraine, and turn a blind eye to the Baltic nations and pretend that Poland doesn't exist, for decades we can't go a single month without Russia throwing any veiled and not so veiled threat. Either tanks in Berlin in x days, tanks in Lisbon in x weeks, sinking Britain with nuclear tsunamis, etc etc etc.

                              And I'm not even touching on the terrorist and sabotage campaigns.

                              You need to be wilfully ignorant to pretend Russia hasn't been threatening everyone left and right for decades.

                              • grishka 11 hours ago

                                Yeah sometimes Chinese tourists are also annoying here. So what? I feel like every country has these kinds of stereotypes about foreign tourists. I always treat everyone with respect by default and expect the same from others.

                            • aguaviva 12 hours ago

                              Thanks -- those are some useful data points.

                              What about the freezing (and probable eventual seizure) of $300b of CBRF assets (apparently 60 percent its total foreign currency reserves)? That's got to be causing some significant pain, somewhere.

                              • grishka 11 hours ago

                                Not sure if it's caused by this or the sanctions related to USD and EUR currencies themselves, but CBRF has introduced limitations on foreign currency transactions in March 2022. They were supposed to last 6 months but every time they're about to expire they get extended for 6 more months.

                                You can't withdraw more than $10k of USD or EUR cash combined from all foreign currency accounts in each bank, and you can only withdraw the money that was there before March 2022. Past that limit and for any money you received after March, you can only withdraw it as rubles at the CBRF exchange rate, iirc. Most banks also treat dollars and euros like they're radioactive and will hit you with monthly fees if you have too much. So in the end we have three different exchange rates for these currencies: the CBRF one, the one for online operations with those "virtual" dollars and euros in currency accounts, and the "real" one for cash.

                            • ZoomZoomZoom 4 hours ago

                              I'm not an expert and don't have the necessary and verifiable information to assess the consequences in regards to economy/industry, but the sociocultural effects are negative.

                              1. Sanctions sped up the formation of the class of war beneficiaries. Sanctions created the demand for sanction circumvention. Since their scope is huge, the demand is accordingly very high (from civil consumers to the government). This led to formation of new supply chains that keep being profitable only while the war and sanctions continue. Now thousands of people engaged in these activities have the monetary incentive to support the war and the government course. This one I deem to be the most consequential in the long term.

                              2. Any noticeable conflict or rights violation happening with Russian citizens abroad is to be blown out of proportion and presented as a confirmation of pervasive anti-Russian sentiment and support the government narrative of existing encircled by enemies.

                              3. The lack of accessible ways of integration of the emigrants into local societies (especially in Europe) led to thousands of them coming back, some unwillingly, some grudgingly and feeling disillusioned. This is a huge wasted opportunity and I don't get why it happened (I don't buy the "we must secure our countries against possible threat actors and dirty money" explanation).

                              • throwaway48476 13 hours ago

                                Sanctions have an effect, the government complains about them a lot.

                                • chipdart 11 hours ago

                                  Random people in Russia complaining about the inconvenience of not being able to travel to Europe because of Russia's invasion of Ukraine and all around imperialism is also an expected effect.

                                  It's also telling that the reaction from those affected is to complain that sanctions should be reverted because they both don't work and are inconvenient and a nuisance.

                                  • grishka 11 hours ago

                                    I don't see how "they don't work" and "they are inconvenient" are contradictory statements. They would've been if there were feedback mechanisms that we could use to communicate our point of view to the government, but there aren't any, so in the end it's just a punishment for having been born in a wrong place at a wrong time.

                                    • aguaviva 10 hours ago

                                      > So in the end it's just a punishment for having been born in a wrong place at a wrong time.

                                      That's what war is, unfortunately. Millions of people in Ukraine are currently being "punished" for exactly the same offense, only in ways infinitely worse, as I don't need to tell you.

                                      There was absolutely no reason the war had to come into being at all. But now that we're stuck with it, the only effective questions are -- what can be done to hasten its end; provide some level of justice for those affected the worst; and to make it clear to the responsible parties that something like this can never be allowed to happen on European soil ever again?

                                      For their own part -- it's not like the Western governments really have any other choice. Even though the sanctions are having a far more limited effect than they initially hoped -- they simply couldn't keep doing business with Russia as usual after what happened in 2022. That's all there is to it.

                                      Meaning, they've no choice but to apply the strongest possible sanctions as they might reasonably be able to (for some definition of "reasonable"). It's a cold and calculated strategy - but again, they didn't choose this situation, and that's the moral calculus that they are now forced to adopt in response to the situation that Putin created for them.

                                      • justsomehnguy 6 hours ago

                                        > it's not like the Western governments really have any other choice ... after what happened in 2022.

                                        I like how you absolve the Western governments of any agency of their own. For 30 years they couldn't do anything at all. Oh, those $5 billions? Just appeared out of thin air. You know, the usual democratic process.

                                        For 30 years those Western governments along with the main exporter of the democracy on the planet had the choice. They preferred the war.

                                        • chipdart 3 hours ago

                                          > I like how you absolve the Western governments of any agency of their own.

                                          Cut the crap. Russia's regime decided to start a war of invasion. It's an initiative from Russia and Russia alone, and all consequences are derived from Russia's actions. There is no way around it.

                                      • chipdart 9 hours ago

                                        > I don't see how "they don't work" and "they are inconvenient" are contradictory statements. They would've been if there were feedback mechanisms that we could use to communicate our point of view the government, but there aren't any, so in the end it's just a punishment for having been born in a wrong place at a wrong time.

                                        The feedback mechanism you're complaining about is a problem on the side of those being inconvenienced. If they want to complain, they need to direct their complaints to their own regime, and address the problems they are causing everyone around them.

                                        It's also very telling that the reaction is to complain about mild inconveniences while turning a blind eye to the whole war of aggression, terrorism, and pervasive threats of global Armageddon from their very own government. That, strangely enough, is not an inconvenience nor an issue requiring attention.

                                        Tourism seems to be a right to them, but others don't even have a right to exist?

                                        Does that warrant any accountability at all, or does the blame lie always elsewhere?

                                        • grishka 9 hours ago

                                          > If they want to complain, they need to direct their complaints to their own regime

                                          And get arrested and charged with "discrediting the armed forces", right. Must be nice to write all that from the comfort of your Western home.

                                          • chipdart 3 hours ago

                                            > And get arrested and charged with "discrediting the armed forces", right.

                                            If you don't register that as a problem but somehow limiting your tourism options is a concern, that is already telling regarding what your priorities are.

                                            • grishka 10 minutes ago

                                              I do register that as a problem but it's the same kind of problem as bad weather. Nothing can be done about it.

                              • ajsnigrutin 17 hours ago

                                I live in a small EU country.

                                There are many, many American sites that just block the whole EU IP ranges because they don't want to deal with GDPR.

                                • menacingly 15 hours ago

                                  I'm surprised I don't see it more. You can't impose a regulatory burden more troublesome than your traffic is worth

                                  • Dylan16807 15 hours ago

                                    The burden of not tracking people is quite small.

                                    • thegrim33 15 hours ago

                                      As someone that knows next to nothing about it, I was curious and googled how to adhere to the GDPR, and read through the top recommended article. Here's some choice quotes:

                                      "Complying with the GDPR is a huge undertaking"

                                      "GDPR compliance (occupies) a huge amount of IT time and resources"

                                      "Moving your organization into GDPR compliance is a process you ideally started long ago"

                                      The article links to some ICO GDPR data processing checklist, which is a list of 18 different processes you need to have put in place.

                                      "The GDPR is made up of 99 articles that provide a detailed description of the regulation". <- 99 different articles to understand and adhere to ...

                                      "[I]t is impossible to provide an exact prescription that will guarantee your organization is in compliance"

                                      "One of the most onerous obligations of the GDPR is to provide “Data Subjects” – the people whose data you are processing – with access to the data that you hold about them (Article 15)"

                                      "They can also request rectification or completion of data if it is inaccurate or incomplete, and they can request that you delete their personal data"

                                      "This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests “without undue delay”"

                                      ^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.

                                      I'm not even half way through the article and I'm skipping over tons of what it's saying needs to be done, with all the security measures that need to be put in place, whether or not encrypted data is needed, breach notification, and so on.

                                      It seems like a heck of a lot more than just "not track people", or a trivial amount of work.

                                      • johnklos 12 hours ago

                                        You listed just one slightly onerous requirement: allowing people access and agency over their data. If you don't store their data, you don't have to do that.

                                        It's a bit hyperbolic to say that you're, "not even half way through the article and I'm skipping over tons of what it's saying needs to be done", when you've literally only listed one thing.

                                        • dmurray 15 hours ago

                                          > ^-- All that seems to go against your assertion that you just have to "not track them", if you have to build out a system for everyone to access all data you hold about them, rectify it, delete it, verbally or in writing, without delay.

                                          If you don't track people's data, that "system" becomes an automated email reply with "we don't have any data about you".

                                          But if you deal with individuals, probably you do want to collect at least some data that would be subject to the GDPR protections, and it is definitely easier to forget all about it.

                                          • LegionMammal978 14 hours ago

                                            Given that most things are personal data under the GDPR (e.g., IP addresses have been considered personal data, and things like usernames are clearly personal data), I don't think most companies can get off quite that trivially, short of being completely stateless and never logging anything.

                                            • anonzzzies 13 hours ago

                                              You can log with log if you have good reason; you just have to delete them after a reasonable time. Nothing about this is hard or costly if you think about it from the start. Your 'forever data' basically should never contain PII as some users might have terminated their accounts etc so then their info cannot be in some cold store tape archive. Again, not complex; delete backups after a reasonable time and throw away the encryption key.

                                              The intent of the GDPR is that you think about all of this and not simply store everything to mine, have stolen, leak or sell later on. The problem is that many companies or the software they use is literally built to abuse that data so then it is indeed 'hard' and expensive to comply.

                                              • LegionMammal978 13 hours ago

                                                Sure, but regardless of your data-retention period, you still have to know where to find everything derived from anything user-generated, if you want to accurately respond to requests. You're free to argue that the GDPR is making companies do things that they already ought to have been doing, but my point is that "just don't be one of those evil user-tracking companies" is not a viable compliance policy in itself.

                                                • Dylan16807 12 hours ago

                                                  If your data retention period is less than your response time (which has to be less than a month), can you not say "everything we had at the time of request is deleted" and be done with it?

                                                  A reminder that we're talking about passing visitors without accounts here, and for logging and analytics there shouldn't be a need to store anything longer than a couple days.

                                                  • anonzzzies 13 hours ago

                                                    Yes, that's true, it is part of the intent though, that's why people say this I guess.

                                            • viraptor 15 hours ago

                                              All of that is about complying with gdpr, assuming you're sharing customer data. If you don't, there's nothing to do. It's like "international shipping of live animals is a massive undertaking and takes lots of time" - cool, it's true - I'm not doing that so I'm done.

                                              Sure, you have to comply with data requests, but if you don't store/share it... that's also trivial.

                                              • snowwrestler 14 hours ago

                                                GDPR does not regulate “sharing,” it regulates any use of personal data. IP address is considered personal data, so you can’t avoid GDPR compliance if you are running a website at all (since you must process IP addresses in order to serve a website).

                                                • viraptor 12 hours ago

                                                  I'm using simplified language here, not writing a legal document. The first use was also supposed to be "storing/sharing", but it's processing in practice. But here you go:

                                                  > GDPR does not regulate “sharing,”

                                                  13.1.e requires at least the notification of the recipients of the data. With the requirement about the purpose of use, it effectively regulates sharing.

                                                  > since you must process IP addresses in order to serve a website

                                                  That's right and that places the IP in the 4.1.f "processing is necessary for the purposes of the legitimate interests pursued by the controller" area which doesn't require consent.

                                                  • snowwrestler 4 hours ago

                                                    It doesn’t require a consent dialogue but it requires user notifications and data processing agreements with anyone who is helping you serve your site and an agent available to EU jurisdictions to answer inquiries. Granted a lot of people don’t bother or slide by with some vague crappy language they downloaded from somewhere.

                                                    The irony here is that the people who think they’re standing up for GDPR are actually the ones not taking it seriously, while the people who take it seriously are the ones who know what a pain it is to comply with.

                                                    • viraptor 4 hours ago

                                                      Have you got some support for this from people experienced with legal matters? Because not only I've never heard of the internet provider notification being required and can't find any act which would apply, I can't even find any European page which does that, including https://op.europa.eu/en/web/about-us/privacy-statement which is responsible for publishing gdpr itself.

                                                      That publisher's page lists the third party processors for the documents, (as expected) but not the hosting provider. I'd love to see a counterexample.

                                                      • snowwrestler 4 hours ago

                                                        My experience was the months I spent with a very competent (and no doubt expensive) French law firm to help my employer implement GDPR compliance. None of that is public info that I can link to, however.

                                                        I’ll edit to add that the user must be notified that you are collecting and processing personal data, which includes IP address. And the hard part is that you must also have internal paper trails that prove that you have written that notification in full knowledge of all the data processing done on your behalf by all your service providers. Is a data center owner routing traffic to your server? You need paperwork in which they commit not to store the IP addresses of your visitors, for example. That is not public-facing but must be available to regulators upon their request.

                                                        That’s the hard part of compliance and what most people skip. They click OK on the standard agreements with service providers and put up a standard privacy template. That is not actually compliant but folks are essentially betting that they are small enough that data regulators won’t ever come call them on it.

                                                  • johnklos 12 hours ago

                                                    "since you must process IP addresses in order to serve a website"

                                                    That's complete nonsense.

                                                  • jasonlotito 14 hours ago

                                                    > assuming you're sharing customer data. If you don't, there's nothing to do.

                                                    This is 100% not true and would be a violation under the GDPR. You need not share any data and if you do nothing, you'd be violating the GDPR.

                                                    > Sure, you have to comply with data requests, but if you don't store/share it... that's also trivial.

                                                    Nope, this is also not true. At least, it's not just "data requests."

                                                    You are in violation of the GDPR.

                                                    • anonzzzies 13 hours ago

                                                      If you don't have the data, it is trivial; you send an automated mail saying you don't store anything (of course if you really don't).

                                              • anonzzzies 13 hours ago

                                                But why do these companies care? The EU cannot impose this on US companies in the US, so why block? Just do nothing?

                                                • razakel 15 minutes ago

                                                  It absolutely can if those companies want to do business with EU citizens.

                                                  • undefined 13 hours ago
                                                    [deleted]
                                                  • literallycancer 15 hours ago

                                                    Sadly the EU doesn't really communicate this very well, and doesn't care to call out outright propaganda from ad tech and surveillance businesses, but the regulation is not actually hard to be compliant with.

                                                    It literally just asks that you don't spy on people. That's it. Not spying on users? Great, you don't even have to do anything.

                                                    I would be extremely surprised to see any attempt at enforcement against a website that didn't collect PII on some technicality such as not having the right footer or a contact person.

                                                    • thayne 14 hours ago

                                                      It's more than just not spying on people. You have to be able to prove you don't spy on people. And any vendors or contractors you use also don't spy on people, and respond to requests from anyone about all the data you have on them. And delete all of the data you have for anyone who cancels their account. Sure in some cases, that isn't a huge burden, like if you have a website that doesn't handle any customer data. But if you have a non-trivial app where you need to handle a lot of customer data for your app to work, it is a significant burden. And deleting someone's data as soon as they cancel can be really bad if someone accidentally cancels, so you probably want some kind of delayed deletion.

                                                      • anonzzzies 13 hours ago

                                                        You don't have to delete as soon as they cancel; you can store it in an encrypted backup which you remove after 90 days (and throw away the key). There are a lot of 'for a reasonable period' things; meaning, you cannot store PII (including IPs) forever and you cannot store it at all in case you do not need it in the first place for your app to function (for example, a SaaS asking for my home address when they don't ship anything).

                                                        • thayne 10 hours ago

                                                          > you can store it in an encrypted backup which you remove after 90 days (and throw away the key)

                                                          Sure. But that is much easier said than done. Especially if your previous strategy was to just keep everything, because storage is cheap, development cost is expensive, and then the data will still be there if the customer decides to return in a few years.

                                                          And in many (most?) cases it's not like you just have a single file with all the user's data, that data is spread around in many different database tables, and possibly even multiple databases. The development work to figure out how to clean everything up, without accidentally deleting anything wrong or leaving anything out can be a considerable amount of effort.

                                                          It's also not always black and white who data belongs to. If I upload an image onto a document that was shared with me, should that image be deleted if I cancel my account? What about something I posted publicly on a social media platform? Or posted privately in a group chat or DM? Does it make a difference if the content of an image or text I wrote included PII? Hopefully you have a lawyer that understands the nuances involved.

                                                          • skjoldr 8 hours ago

                                                            I see this and I feel I must ask: why would you EVER engineer ANY application under the idiotic assumption that none of your users will ever want to remove the data that they had stored in it?! Absolutely baffling. Of course, if a business is that short-sighted and careless, it will struggle to implement GDPR.

                                                            • anonzzzies 4 hours ago

                                                              It might be more nefarious when companies do that, but on the other hand, Hanlon's razor.

                                                      • dns_snek 15 hours ago

                                                        It's slightly more involved than this, but not extraordinarily so.

                                                        For example seemingly innocuous implementations like loading fonts directly off Google Fonts without consent (i.e. providing Google with information about visitors' browsing habits) would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.

                                                        • skjoldr 8 hours ago

                                                          There already exist ways to proxy those requests in ways that avoid exposing anything about the visitors to Google. It's in the grey area wrt Google's own ToS, but then, it's that or GDPR.

                                                          • MaulingMonkey 15 hours ago

                                                            > would technically be on the wrong side of the GDPR, but I think it's very unlikely that anyone would complain about it, legally speaking.

                                                            The American in me says that sounds like "someone will definitely complain about it, eventually, if only because they're hoping for a payout".

                                                            • seszett 14 hours ago

                                                              Maybe that's the problem, I thought the (mostly local media) companies that were blocking EU citizens were doing it out of spite or to make a point, because it doesn't make sense (for one, they're not subject to GDPR if they don't explicitly do business with EU citizens).

                                                              But maybe it's just because the US environment is so hostile that they assume it's the same in the EU.

                                                              But national regulators in the EU don't waste their time with foreign companies that might by oversight not be totally compliant since they're not even under their jurisdiction (worst is they could be fined and have to pay it if ever they incorporate in that country in the near future? Nobody's going to waste time in that).

                                                              And nobody can sue a company on GDPR grounds and get a payout. They're only fines, they benefit central states and are a negligible amount in regard to national budgets.

                                                      • skissane 15 hours ago

                                                        I’ve been noticing more and more US state and local government websites blocking traffic from outside the US. (And I’m not talking about traffic from North Korea, I’m talking about traffic from ANZUS/AUKUS/FVEY ally Australia.)

                                                        It seems stupid because just because someone is overseas doesn’t mean they can’t have valid business with a US state or local government. Maybe they are an American who is travelling and has to attend to some official business back home while they are away. Foreigners are allowed to purchase US real estate and incorporate companies in the US, which gives them heaps of legitimate reasons for interacting with local and state governments. In part due to these kinds of issues, many use some local agent in the US to handle government interactions for them, but a person can have valid reasons to engage directly.

                                                        • viraptor 15 hours ago

                                                          Another annoying one is bank apps being unavailable from other countries. For example Australian bank apps when you're in the UK. Or the Vodafone app the other way around. People travel, it's ok to install an app abroad.

                                                          • adastra22 15 hours ago

                                                            Well, perhaps Australia should stop threatening non-Australian websites that don’t comply with AUS law.

                                                            • skissane 15 hours ago

                                                              I’ve never heard of any Australian authorities making legal demands of US state and local governments.

                                                              I don’t necessarily agree with various official Australian attempts to impose Australian law on foreign non-government websites, but I don’t see how that is relevant to whether US governmental websites permit access from Australia.

                                                              • joatmon-snoo 14 hours ago

                                                                It's much easier to say "I'm going to make it impossible for us to have to worry about the Australian government filing a lawsuit against $my-state-agency, because legal said so" than "Well, if we allow Australian IPs to access this website, there's a 0.x% chance that we get sued by Australia, but it's worth it for the sake of the 0.00x% of American expats in Australia."

                                                                Here's an analogously real example from current US-Ukraine policy:

                                                                > For example, one current social goal in the U.S., given the geopolitical conflict with Russia, is to avoid facilitating activities that could aid the adversary. As Russia has invaded Ukraine, the U.S. has positioned itself in opposition to Russia but not Ukraine. Banks, therefore, need to align with these geopolitical stances, leading to decisions that might catch some individuals in the crossfire, even if they’re not directly involved.

                                                                > Financial institutions often interpret this as: if they're not deeply specialized in doing business in Ukraine, they should avoid it altogether. They fear they won’t be able to consistently ensure compliance with these complex directives from the government [especially because there's a chance those directives might change in a week, or a month, or 3 months].

                                                                > This creates a split-brain problem within U.S. decision-making. The government intends to say, "Please cut down on oligarch money laundering that supports Russia’s war effort." However, financial institutions hear this as, "Under no circumstances should you fund anything related to Ukraine," including, for example, scholarships for Ukrainian high schoolers—a slight exaggeration, but not far from the reality in some cases.

                                                                (source: https://www.complexsystemspodcast.com/episodes/true-crime-ba...)

                                                                • skissane 14 hours ago

                                                                  > It's much easier to say "I'm going to make it impossible for us to have to worry about the Australian government filing a lawsuit against $my-state-agency, because legal said so" than "Well, if we allow Australian IPs to access this website, there's a 0.x% chance that we get sued by Australia, but it's worth it for the sake of the 0.00x% of American expats in Australia."

                                                                  I personally doubt US state and local governments are specifically targeting Australia in the way you suggest.

                                                                  I actually doubt they are thinking about Australia at all. I also doubt their legal departments are worried about the Australian government, since the Australian government taking legal action against a foreign government (even a local or subnational one) would in most cases be illegal under all three of international, Australian and foreign law due to sovereign state immunity, and diplomatically they wouldn’t do it to the US because it would offend their American allies. If for some strange reason an Australian government agency had a bone to pick with some US state or county, they’d aim to solve it with the US State Department. Private corporations and individuals are not protected by the same legal doctrines or diplomatic protocols.

                                                                  I think they just see some option in their firewall config (or Cloudflare or whatever) called “limit countries allowed to access”, they turn it on and add only the US, and then they think “see I’ve kept all the foreign hackers out now!”.

                                                          • poincaredisk 16 hours ago

                                                            Are there? I only sometimes stumble upon some medical website that redirects me to a "tracking free" empty static page[1] if I come from Europe and opt-out of cookies (which I always do anyway). Maybe we visit other parts of the internet, I don't read a lot of non-IT English things.

                                                            [1]A big troll that I respect.

                                                            • lxgr 16 hours ago

                                                              Absolutely. Many small regional newspapers are inaccessible from Europe; omny.info (which would be very interesting to tourists visiting NYC, as you can pull your trip reports there) bans most EU IPs too (but weirdly leaves some countries open).

                                                              Most frustrating is not even being able to cancel things like a US streaming service subscription from an EU IP (of course these things usually have no contact email address available either).

                                                              • miki123211 15 hours ago

                                                                A lot of local American newspapers do this.

                                                                Europeans usually have no reason to read these, the only reason I know is that I googled a few of my American friends at one point and kept hitting these.

                                                              • ttt3ts 17 hours ago

                                                                I have done that exact configuration for several of my clients who didn't realize any/much revenue in the EU. For them it was the obvious best move but I wish there was a better option.

                                                                • _DeadFred_ 15 hours ago

                                                                  Hey, this is me, I do this.

                                                                  • literallycancer 15 hours ago

                                                                    You are likely overreacting. If you don't slap random trackers on the website, it doesn't ask you to do much at all.

                                                                  • throwaway920102 16 hours ago

                                                                    > they don't want to deal with GDPR

                                                                    or cannot afford to. add in DSA and DMA as additional burdens.

                                                                  • Onavo 17 hours ago

                                                                    It's more that you are on the right side in a unipolar world. When the world shifts to multipolarity in the next few years, the problem will solve itself.

                                                                    • 01HNNWZ0MV43FF 17 hours ago

                                                                      I'm a globalist and all but when people say "multipolar" doesn't that usually mean "the USA shouldn't rule everyone, I want to also rule over some countries"

                                                                      • pphysch 15 hours ago

                                                                        Not really, it is just used to mean the termination of unipolarity. Though frankly it's looking more like a bipolar West vs. BRICS+ situation.

                                                                      • kiba 17 hours ago

                                                                        Multipolarity is a more dangerous world, as we have seen Russia assert itself at the expense of Ukraine.

                                                                        • buran77 17 hours ago

                                                                          Unless you happen to not be aligned with or really on the wrong side of that fabled ideal power monopole. It can quickly knock you from ignorance to reality. Imagine Russia was that monopole of power. Or look no further than a dictatorship. Great if your interests align or you're willing to bend them until they do, hell if they don't.

                                                                          The US is the closest thing we have to a monopole these days and I'm sure it's sweet for some and very bitter for others.

                                                                          • QuercusMax 17 hours ago

                                                                            "According to a 2024 analysis by The Washington Post, 60% of low-income countries were under some form of U.S. financial sanction. The analysis also concluded that the U.S. imposes three times as many sanctions as any other country or international body." - from https://en.wikipedia.org/wiki/United_States_sanctions

                                                                            Really quite ridiculous that there are sanctions on something like 1/3 of the world.

                                                                            • nozzlegear 16 hours ago

                                                                              From that same link, financial sanctions against a country can be one of any of the following:

                                                                              * authority to prohibit U.S. citizens from engaging in financial transactions with the individuals, entities, or governments on the list, except by license from the U.S. government

                                                                              * requiring the United States to oppose loans by the World Bank and other international financial institutions,

                                                                              * diplomatic immunity waived, to allow families of terrorism victims to file for civil damages in U.S. courts,

                                                                              * tax credits for companies and individuals denied, for income earned in listed countries,

                                                                              * duty-free goods exemption suspended for imports from those countries, and

                                                                              * prohibition of U.S. Defense Department contracts above $100,000 with companies controlled by countries on the list.

                                                                              If we look at the map on that same page, we can see that very few countries have a total financial sanction such as the likes of Iran.

                                                                              > Really quite ridiculous that there are sanctions on something like 1/3 of the world.

                                                                              Sanctions are one of the de facto tools in the arsenal of American soft diplomacy. To be frank, the US has so many sanctions because the USD is so powerful.

                                                                              • JumpCrisscross 15 hours ago

                                                                                > the US has so many sanctions because the USD is so powerful

                                                                                That's appealing to sanctions' effectiveness. It's unclear they are. Instead, they're a potent signalling mechanism that's more palatable than shipping arms or worse, soldiers.

                                                                                • nozzlegear 13 hours ago

                                                                                  I'm not sure I understand. That's exactly the point of sanctions, to use the power of the US economy and the USD to exert American influence. You're right, they're not always effective at achieving their immediate goals, but they signal US disapproval and help pursue long-term goals without shipping those arms or soldiers anywhere.

                                                                              • nradov 16 hours ago

                                                                                Ridiculous in what sense? Perhaps those low-income countries should get their shit together and stop sponsoring terrorists, introduce multiparty democracy with free elections, allow free-market capitalism, extradite wanted criminals, and adhere to the treaties that they've ratified. The USA is under no obligation to trade with unfriendly countries.

                                                                                • black_briar 15 hours ago

                                                                                  [dead]

                                                                                • literallycancer 15 hours ago

                                                                                  Is it? Why should a random third world country be allowed to trade with Russia, Iran, North Korea or China? If anything, it would make sense if there were more sanctions, not less, with how things are going.

                                                                                  • QuercusMax 3 minutes ago

                                                                                    Why should they be allowed to trade? Because the US isn't the boss of the entire world?

                                                                              • aaomidi 17 hours ago

                                                                                [flagged]

                                                                                • cabirum 17 hours ago

                                                                                  [flagged]

                                                                                  • darby_nine 16 hours ago

                                                                                    Yes, but "safety" or "peace" is not always desirable. MLK himself said it best: https://kinginstitute.stanford.edu/king-papers/documents/whe...

                                                                                    A short snippet:

                                                                                    > The next day after Autherine was dismissed the paper came out with this headline: 'Things are quiet in Tuscaloosa today. There is peace on the campus of the University of Alabama.' Yes, things were quiet in Tuscaloosa. Yes, there was peace on the campus, but it was peace at a great price. It was peace that had been purchased at the exorbitant price of an inept trustee board succumbing to the whims and caprices of a vicious mob. It was peace that had been purchased at the price of allowing mobocracy to reign supreme over democracy. It was peace that had been purchased at the price of the capitulating to the forces of darkness. This is the type of peace that all men of goodwill hate. It is the type of peace that is obnoxious. It is the type of peace that stinks in the nostrils of the almighty God.

                                                                                    Of course, you could either view this sentiment as trivially applying to international politics or so different as to be a category error. But it's enough of an opening to suggest that these loaded terms are not as easily transferrable to ethical context as invested parties might want you to believe. It is difficult for folks to place their values firmly before external pressures when a country is much less empathizable with than an obviously abused person, but I think Americans would be surprised at how giving a little might invite a larger revelation about their role in the world stage than desired by the powers that be.

                                                                                    • rangestransform 13 hours ago

                                                                                      I do not want to find out that hegemonic stability theory is false, that would definitely make the rest of my lifespan worse, even if the odds are remote

                                                                                      • darby_nine an hour ago

                                                                                        Sure, this is the natural reaction of people living in the imperial core, but this isn't true for the majority of people in the world, especially as global warming accelerates.

                                                                                        World-systems theory is typically the alternative to the theory that pax americana (i.e. peace for me but not for thee) is universally desirable.

                                                                                  • rtsil 17 hours ago

                                                                                    I doubt the "next few years", and if the world shifts to multipolar, it won't solve the problem, it will just move everyone to the "bad side" where frictions big and small abound.

                                                                                    • nradov 16 hours ago

                                                                                      Nah. The other "pole" looks to be China. They aren't going to treat random people from poor countries any better.

                                                                                  • ewpratten 17 hours ago

                                                                                    Hey OP. On behalf of Cloudflare, we take information accuracy very seriously.

                                                                                    I raised the linked issue internally with the team, and they have reason to suspect this has already been addressed.

                                                                                    That being said, if you (or anyone else here) are still seeing this issue occur, please raise a ticket with our support team (https://developers.cloudflare.com/support/contacting-cloudfl...) so we can investigate further.

                                                                                    Thanks :)

                                                                                    • wasteduniverse 5 hours ago

                                                                                      [dead]

                                                                                    • alberth 17 hours ago

                                                                                      This probably wasn’t Cloudflare's doing per se. It was probably Maxmind, which is the most widely used IP to Geolocation service out there.

                                                                                      And Cloudflare uses it as well.

                                                                                      https://developers.cloudflare.com/network/ip-geolocation/

                                                                                      • ksajadi 17 hours ago

                                                                                        This is not limited to Cloudflare. Google has the same issue and it turns out the IPs were being used by the Iranian hosting companies connected to internet surveillance but they keep moving around. So far we only observed this in Hetzner German DCs, which is consistent with the news about illicit activities by Iranian companies in Germany, two years ago during the last uprising against the Iranian government (the Woman, Life, Freedom movement)

                                                                                        We also wrote about this https://blog.cloud66.com/hetzner-connectivity-issues-due-to-...

                                                                                        • thundergolfer 16 hours ago

                                                                                          Happened to us with GCP too. We had Oracle Cloud instances being flagged as from Iran and had to file forms with them to get them to not block the IPs.

                                                                                        • TheTr1ckt3r 18 hours ago

                                                                                          This whole issue of blocking Iranian IPs and not allowing them to download Docker containers for ‘legal’ reasons is ridiculous. Additionally, trying to detect and ban VPNs used by Iranians, which will affect the next user of that IP, is equally absurd

                                                                                          • appendix-rock 17 hours ago

                                                                                            What do you suggest, then? What’s your legal opinion?

                                                                                            • citrin_ru 6 hours ago

                                                                                                1. avoid geoip blocks because geoip is inaccurate
                                                                                                2. When maintaining geoip don’t mark servers physically located in DE but used by a foreign company as located somewhere else because it will quickly go stale and misleading in the first place

                                                                                            • dathinab 18 hours ago

                                                                                              it's pretty absurd that cloudflare can just effectively cripple a cloud provider by tagging part of their IPv4 range as Iranian and not fixing their issues in over a year (and AFAIK have no intention to fix them at all)

                                                                                              like I wonder if Hetzner has any way to legally force them to stop misclassifying their IP

                                                                                              • amatecha 17 hours ago

                                                                                                What's absurd to me is that Cloudflare gains more and more control over the internet, by people voluntarily submitting to its domination.

                                                                                                My favorite is trying to go to someone's random blog with like 5 posts (because they have a singular post about the technical topic I'm trying to figure something out about) and I can't access the site because Cloudflare has decided my locked-down Firefox ("resist fingerprinting" + strict privacy mode etc.) running on OpenBSD is somehow malicious. So much for the open web. (never mind the audacity that "we can't spy on you sufficiently" is enough to serve a 403 Forbidden response header)

                                                                                                • literallycancer 15 hours ago

                                                                                                  Might have something to do with how that particular website is using Cloudflare.

                                                                                                    • anonzzzies 13 hours ago

                                                                                                      It is extremely hard to stop DDOS attacks without CF; my hoster has DDOS protection, but when there was a very large attack on our site, only CF could remedy it, and did so immediately when we panicked-moved dns and switched on bot fight. Entire attack that my hoster couldn't stop was gone. How do you do this without CF if you are a small company?

                                                                                                      • johnklos 12 hours ago

                                                                                                        There are *so* many options out there. Saying you don't know how to do it without using an evil, monopolistic company is like saying you can't host email without using Google. It's lazy, untechnical and just plain untrue.

                                                                                                        • anonzzzies 4 hours ago

                                                                                                          Enlighten me please; I have asked many times and everyone keeps sending me to cloudflare, even some hosters. When you search for anything like this, it ends up being very expensive which is not lazy; we cannot afford it. Botfight is free.

                                                                                                          Maybe if people knew about alternatives, they would use CF less. I wouldn't use them at all (and don't; I switch when my hoster cannot handle the attack which happened once only).

                                                                                                    • dools 18 hours ago

                                                                                                      Kinda seems like it might have legs as a defamation lawsuit...

                                                                                                    • reincoder 15 hours ago

                                                                                                      I will describe what we do at IPinfo to avoid such a mess-up. First of all, because we do active measurements, our data is usually less prone to errors like this, and when it comes to IP location it is as good as it gets.

                                                                                                      We have a support team active 24/7. Then there is the issue of update rollout: when things go wrong (rarely if ever) we can push data updates immediately. We work with our customers and users and try to push immediate fixes.

                                                                                                      But the most important thing we do, in my opinion, is this comment itself. If things go wrong we will address it before you come to our support team.

                                                                                                      • auguzanellato an hour ago

                                                                                                        That probably explains the issues I’m sometimes having when pulling images from the Elastic registry on Hetzner boxes. At least now I know the reason behind that.

                                                                                                        • greyskull 19 hours ago

                                                                                                          Might be pertinent to suffix this with (2023), though I see there are still recent replies

                                                                                                          • jkaplowitz 18 hours ago

                                                                                                            It's a still-unresolved issue as far as I know; the linked ticket was only closed last year because Gitlab has no control over it as long as they want to continue using Cloudflare. The companies which do have control over it have not fixed it so far.

                                                                                                          • lxgr 17 hours ago

                                                                                                            Falsehoods lawyers believe about the Internet: You can identify a person (and their jurisdiction) from “their” IP address.

                                                                                                            • miki123211 15 hours ago

                                                                                                              Falsehoods programmers believe about law: the fact that an identification method isn't 100% accurate means that it has no value

                                                                                                              • lxgr 13 hours ago

                                                                                                                Maybe this is more of a Europe vs. US observation than a programmer vs. lawyer observation, but I have indeed made the observation that US companies are often satisfied with "identity verification" that would absolutely not fly elsewhere. A PDF of a utility bill as "proof of residency", knowing somebody's SSN as "identity verification"...

                                                                                                                Yes, they might be definitionally best practice and accordingly enough from a legal perspective, but I don't see them having any value in actually keeping out bad actors. A fence that surrounds 99% of your pasture indeed has no value if the wolves know where the 1% gap is.

                                                                                                                • seszett 13 hours ago

                                                                                                                  > A PDF of a utility bill as "proof of residency"

                                                                                                                  That's not really an EU vs. US thing though, but a "country with mandatory official declaration of residence" vs. not.

                                                                                                                  France is the same as the US there, and I would assume the UK as well. Well I now realise the UK is not in the EU anymore... but France is probably not the only remaining country in the EU where you can move without some kind of administrative declaration?

                                                                                                                  Anyway the point for these countries is to not have a centralised record of where citizens live, for anti-surveillance reasons and resilience against potentially hostile authorities. So you can't ask the state to prove that you live somewhere because it doesn't have a record or if it has it cannot legally communicate it to anyone.

                                                                                                                  In contrast, Belgium for example has centralised records of residents and if your car is parked wrongly, the local police can look up the plate and call you on your registered phone number or knock on your door at your registered address, to tell you to move it. It's practical, but I find it creepy and dangerous. A hostile government would have so much power here.

                                                                                                                  • lxgr 13 hours ago

                                                                                                                    > the point for these countries is to not have a centralised record of where citizens live

                                                                                                                    In the US, state DMVs effectively still know everybody's address, don't they?

                                                                                                                    And even if they wouldn't – that information is only one data broker query away in the US.

                                                                                                                    I've recently experienced this by signing up for a financial company that, after entering only my phone number and SSN, presented me with my full address and asked me whether everything looks accurate. I understand that historically and value-wise, this is part of where the resistance to centralized government databases is coming from. But practically, they already exist.

                                                                                                                    In the US, resistance against government ID for private contracts seems to come more from an intention of not wanting the government to be able to interfere with the right of people to legally transact with each other without government mandate or intervention. But even that resistance is largely over – I had to show my driver's license to every bank I ever opened an account with.

                                                                                                                    • seszett 12 hours ago

                                                                                                                      That's what happens when government is regulated but companies aren't. The kind of process you describe is totally illegal and unheard of in the EU.

                                                                                                                      In France banks also take utility bills as proof of residence (but they also ask for ID or passport to check your identity). ID cards do have an address as well as passports and driving licences, but even the government doesn't accept them as proof of residence because they're often out of date.

                                                                                                                      In my case they all have different addresses and none of them has my current address. My Belgian ID though has to be reissued every time I move to a different municipality.

                                                                                                                      Oh and regarding DMV having addresses yes, but (in France) they are indexed by a DMV-specific key that cannot easily be matched to another database, say social security or taxes (which also independently have addresses on most citizens). Driving license number, fiscal number, SSN, cannot legally be used anywhere else than with their respective services. There is of course the names that can be used, but no system is perfect I guess.

                                                                                                                      Anyway these are just implementation details, but my point is that the EU has many different administrative systems and in at least some of them, utilities are the only legal proof of residence.

                                                                                                              • IncreasePosts 15 hours ago

                                                                                                                Ah. So I can log IP addresses that connect to my service and store them forever?

                                                                                                                • lxgr 14 hours ago

                                                                                                                  IP addresses are great for identifying traffic patterns, figuring out where your audience is roughly located etc. as long as you don't use them to selectively block users – since then nobody has a real incentive to "cloak" theirs.

                                                                                                                  Once you start doing that, you've completely destroyed the measurement, and at the same time you're still not keeping out unintended users – because these will just use a VPN.

                                                                                                                  To go with an analogy: Imagine a bank enforcing embargo/sanction policies by just asking everyone at the entrance for their name but not checking their ID! You'd get a lot of personal data (since most people won't lie), yet you won't keep any sanction evaders out.

                                                                                                                  • IncreasePosts 12 hours ago

                                                                                                                    I think we have the same perspective on this. I should have been more specific about my snark - what I was really calling out was the GDPR considering IP address as PII, which is widely lauded on this forum.

                                                                                                                • nradov 16 hours ago

                                                                                                                  It's not a falsehood though. IP address is a reasonably reliable means of geolocation. Lawyers tend to be more comfortable with gray areas than engineers. Intent counts for a lot in assessing legal compliance.

                                                                                                                  • saurik 11 hours ago

                                                                                                                    But it isn't a grey area: it simply doesn't work. It doesn't matter if it correctly identifies most people: it has to correctly identify most terrorists, and it simply doesn't do that, because if you are a terrorist you just keep rotating through IP addresses on cloud providers and VPNs until the entire service is burnt. It isn't that it sometimes doesn't work: it's that it doesn't work at all when it actually needs to work. We could argue that the services shouldn't let you do that in the first place, but the reality is that services currently do work like that, no one is trying to change that, and if they did try to change it we would all be even less happy with the resulting even-more-powerful surveillance state.

                                                                                                                    • nradov 3 hours ago

                                                                                                                      Wrong. At this level there is no compliance requirement to specifically identify "terrorists". And the sanctions against Iran, while partly based on state sponsorship of terrorism, aren't limited to just designated terrorist entities.

                                                                                                                      Most services aren't required to blanket block all traffic from Iran. Only certain specific transactions are prohibited. But a lot of companies choose to block everything identified as coming from Iran (and other sanctioned countries) just to play it safe.

                                                                                                                    • lxgr 14 hours ago

                                                                                                                      From a "best practice"/CYA perspective, sure.

                                                                                                                      But I'm not a lawyer, and looking purely at the outcome of IP blocks (which is usually that regular people are inconvenienced, but the people such policies are actually designed to keep out just shrug and use a $5/month VPN), I can still say that it looks a bit silly.

                                                                                                                      • gsich 14 hours ago

                                                                                                                        No need for anticipatory obedience though. If whois says it's not Iran - who cares.

                                                                                                                        • lxgr 13 hours ago

                                                                                                                          This makes me wonder, though: Who started the IP checks? I think there's a high chance this by itself was anticipatory obedience, since it's fairly easy and cost-effective to do and it gives companies at least something to point at in case of a lawsuit.

                                                                                                                          But my point is that all of this compliance theater does add up; every once in a while mistakes (as outlined in TFA) do happen.

                                                                                                                          Even if they don't, almost free isn't the same thing as free – and some company will inevitably go even further, it'll set a precedent, and the cost to everybody will increase, with questionable benefit.

                                                                                                                    • reassess_blind 8 hours ago

                                                                                                                      I was recently reviewing my Google account session history and saw an active session from some small town in western China. Obviously freaked out, rolled all passwords, spent hours scouring what they could’ve had access to, etc.

                                                                                                                      Only for the next day, when Google updates the exact same sessions location to my exact real location on another continent.

                                                                                                                      Google of course won’t show the IP address of sessions anymore, just the “location” so there was no way of confirming beforehand.

                                                                                                                      • elwebmaster 16 hours ago

                                                                                                                        It should be illegal for providers to override the location information provided by the owner of the IP. Hopefully the FTC will look into this abuse. In the real world this would be the equivalent of me putting my shipping address on an order but the store deciding to ship it to some random place because they “believe” that’s my actual address.

                                                                                                                        • paulv 18 hours ago

                                                                                                                          Does this kind of thing affect Hetzner IPs in their US datacenters?

                                                                                                                          • jsheard 18 hours ago

                                                                                                                            It looks like they use different ASNs for the US datacenters, so probably not in this case. Nuremberg, Falkenstein and Helsinki all share the problematic AS24940 block mentioned in the OP, but Ashburn is on AS213230 and Hillsboro is on AS212317.

                                                                                                                          • betaby 15 hours ago

                                                                                                                            Is Apple store working in Iran? For example, Apple store is working in Russia.

                                                                                                                            I genuinely do not understand how the logic works between 1. sanctions 2. ... 3. let's ban some IPs. What chain of reasoning happens at step 2? Why is this not applicable to Google/Apple?

                                                                                                                            There are definitely sanctions against Russia, yet Apple/Play stores work just fine.

                                                                                                                            • grishka 14 hours ago

                                                                                                                              > For example, Apple store is working in Russia.

                                                                                                                              Apple hasn't officially sold any hardware in Russia in the last 2+ years. Any Apple devices you can buy come from "parallel import" and are priced 1.5x compared to other countries.

                                                                                                                              As far as I know, the only way you can pay on the app store is from your prepaid balance at some carriers. Play store doesn't accept payments at all, it pops up a modal saying "payments in Russia are paused".

                                                                                                                              I can't understand what these sanctions are intended to achieve either. They just make us angrier because there's nothing we can do besides wait it out.

                                                                                                                              • sam_lowry_ 6 hours ago

                                                                                                                                > They just make us angrier because there's nothing we can do besides wait it out.

                                                                                                                                You are not angry enough.

                                                                                                                                Get angrier, go out, kill the highest sitting official you can get your hands on, then be beaten, jailed, signed up to war where you will die and receive a posthumous medal?

                                                                                                                              • TiredOfLife 10 hours ago

                                                                                                                                Not only is Apple store working in Russia. Apple, who supposedly has stopped selling hardware there, works closely with russian government to remove apps like VPNs from the store.

                                                                                                                                • betaby 3 hours ago

                                                                                                                                  So how does that work?

                                                                                                                                  The same sanctions:

                                                                                                                                  - CloudFlare - block IPs ( why? what part of sanctions says that )

                                                                                                                                  - Apple / Google - do nothing

                                                                                                                                  I genuinely want to know.

                                                                                                                              • scandox 18 hours ago

                                                                                                                                Would be an easy way to conduct an ad hoc trade war... AWS doesn't need competition from a pesky German host, let's just make things faintly awkward...

                                                                                                                                • osiemens 18 hours ago

                                                                                                                                  I wonder if this is related to something I found when I moved my hosting from DO to Hetzner: https://on-no.net/posts/moving-providers-and-tainted-ips/

                                                                                                                                  TL;DR is that the IP that my new instance was assigned had previously been used as part of an advertising CDN based in Iran. It wouldn't surprise me if this is some game of whack-a-mole between interested parties who are at turns applying and attempting to evade blocks.

                                                                                                                                  • bytenaija 7 hours ago

                                                                                                                                    This seems to be more than a year ago. Why is it suddenly trending now?

                                                                                                                                    • ggm 17 hours ago
                                                                                                                                      • preisschild 19 hours ago

                                                                                                                                        Yeah, Google does it too. I could not use certain Hetzner IPs to download container images on my Kubernetes nodes at all. Even the official registry.k8s.io registry is hosted on Google Cloud Services and basic stuff like the pause image can't be pulled.

                                                                                                                                        • Jach 18 hours ago

                                                                                                                                          Google's IP to location mapping is so bad it has to be intentional. I was in Japan and using my home network as a VPN quite a bit, after a while Google decided my home comcast IP had to be located in Japan. Even though others in the household were still there, they started getting default-Japanese pages on google/maps/youtube/... It didn't fix itself back until a couple weeks after I got home, even filled out https://support.google.com/websearch/contact/ip

                                                                                                                                          • ipaddr 17 hours ago

                                                                                                                                            They fingerprint your browser. You need to VPN to your home and serve from your US browser, not tunnel traffic back to your Japan machine.

                                                                                                                                            • Jach 12 hours ago

                                                                                                                                              I'd be more willing to bet that it's because my GPS location is in Japan, which is the strongest signal of my physical location. Nevertheless, my home IP is used by multiple people, they probably know who they are and that they're not in Japan. My own signals are a mix of VPN'd/non-VPN'd apps on my phone and laptop (not strict about the VPN, some Japan sites require a Japanese IP), and I do often NoMachine back to my home machine and access google services just like I do at home.

                                                                                                                                          • kodama-lens 18 hours ago

                                                                                                                                            I can confirm this. All Google container registries, including the official k8s repos, are inaccessible via some Hetzner IPv4 domains.

                                                                                                                                            There is a GitHub issue that also covers the problem and it states you should report those IPs to their support. I did, but support says they can't do anything until the IP region list is updated.

                                                                                                                                            IPv6 as a workaround is also difficult because some of the images I need are on GitHub and they are still not IPv6 accessible.

                                                                                                                                            • wiredfool 9 hours ago

                                                                                                                                              For a while, Google was blocking IPv6 from Linode, to similar effect.

                                                                                                                                          • 38 19 hours ago

                                                                                                                                            I mean, so? Why should it matter where they are located?

                                                                                                                                            • tyree731 19 hours ago

                                                                                                                                              You may be surprised to discover that services will filter traffic by location.

                                                                                                                                              • themoonisachees 18 hours ago

                                                                                                                                                In my previous jobs we didn't have any business in china and banning all IP ranges was a cheap an easy strategy to remove 50% of unsuccessful login attempts.

                                                                                                                                              • greyface- 18 hours ago

                                                                                                                                                It's the interpretation of some cloud providers that exchanging datagrams with entities in OFAC-sanctioned countries constitutes a prohibited transaction.

                                                                                                                                                • Animats 18 hours ago

                                                                                                                                                  The actual sanctions are complicated.[1]

                                                                                                                                                  There's a big list of allowed Internet activity between the US and Iran.[2] It is explicitly US policy to not cut off Iran from the Internet. The State Department wants people in Iran to get info from the outside world. However, the US does not allow US domain registrations or web hosting "for or on behalf of the Government of Iran".

                                                                                                                                                  The Office of Foreign Assets Control can be queried for case by case info. That's appropriate here.

                                                                                                                                                  [1] https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/p...

                                                                                                                                                  [2] https://www.ecfr.gov/current/title-31/subtitle-B/chapter-V/p...

                                                                                                                                                  • londons_explore 18 hours ago

                                                                                                                                                    Which is plainly stupid.

                                                                                                                                                    They should interpret the law to mean "We will treat every request from Iran as a non-paying customer, and won't offer anything outside the free-tier"

                                                                                                                                                    Even if that isn't the way it was written, it is plain that it falls within the intent of the law, and is beneficial to US businesses.

                                                                                                                                                    • FredPret 18 hours ago

                                                                                                                                                      How is it stupid?

                                                                                                                                                      You de-risk your enterprise significantly by cutting Iran out completely, and you only lose the handful of dollars this would’ve translated into down the road.

                                                                                                                                                      Some customers aren’t worth having.

                                                                                                                                                      • mickael-kerjean 16 hours ago

                                                                                                                                                        I'm a Hetzner customer in Australia who has moved away a big part of my workloads, which was CI related, as most builds would start to fail with some access denied error calling various registries. I had a bunch of deep integration through their API as well, which had to be reworked because that issue made it a no-go anymore.

                                                                                                                                                        • icedchai 16 hours ago

                                                                                                                                                          Banning an entire country and punishing its innocent citizens feels extreme. It doesn't seem right that, for example, an Iranian student can't use cloud services. Ban commercial and government entities, not the individuals.

                                                                                                                                                          • FredPret 14 hours ago

                                                                                                                                                            This is a political argument, not a business one. Now that Uncle Sam has swung the banhammer on a particular country, pity the exec who exposes their company to doing business with the enemy.

                                                                                                                                                        • golergka 18 hours ago

                                                                                                                                                          Isn't intent of sanctions to weaken the adversary? Providing services, even free-tier (or, may be, especially so), to sanctioned countries is exactly the opposite of that.

                                                                                                                                                          • input_sh 17 hours ago

                                                                                                                                                            The adversary is the government and businesses associated with the government, not all of the 90 million people living in Iran.

                                                                                                                                                            • golergka 13 hours ago

                                                                                                                                                              As long as the government controls the country, it's the country as a whole. Because that's where the government gets its resources.

                                                                                                                                                              • input_sh 9 hours ago

                                                                                                                                                                That's just not true. You don't know what you're talking about.

                                                                                                                                                                I encourage you to skim through the sanctions. I promise you that you will find plenty of exemptions telling you not to block every Iranian citizen from communicating, not to block them access to information, not to block them from free-to-use services, not to prevent them from traveling etc etc.

                                                                                                                                                                If you just cut the whole country off the internet, how do you expect them to organise towards overthrowing the government? Via carrier pigeons?

                                                                                                                                                            • londons_explore 18 hours ago

                                                                                                                                                              It makes US service providers, like Google and Amazon, very unattractive for businesses that require worldwide coverage - for example Wikipedia.

                                                                                                                                                              I would argue that for unpaid services (for example serving up web content), we should not be applying sanctions. Those specific sanctions are so easy for the Iranians to work around (VPN), and so damaging to our businesses (no worldwide service).

                                                                                                                                                              • golergka 18 hours ago

                                                                                                                                                                > It makes US service providers, like Google and Amazon, very unattractive for businesses that require worldwide coverage

                                                                                                                                                                You know what is much more unattractive to these businesses? Getting on the wrong side of the US government. And honestly, I don't see any business (except for ones in Russia, China and Iran) changing provider because they don't provide service to Iran.

                                                                                                                                                                > damaging to our businesses (no worldwide service)

                                                                                                                                                                I'm confused, are you arguing here for allowing free-tier services under the sanction regime, or for getting rid of sanctions against Iran altogether? If it's the latter, then the argument is self-consistent. But if it's the former, then you're effectively saying that an American business which currently doesn't provide any services to Iranian customers would instead prefer to provide free-tier services for them without any way to get them to paid tier, and that doesn't make any sense. If you know that users from a certain region would always be at 0% conversion, you would get nothing by providing them with a free tier.

                                                                                                                                                                • londons_explore 17 hours ago

                                                                                                                                                                  Imagine Wikipedia was looking for new hosting.

                                                                                                                                                                  They consider Google Cloud, but then reject it because GCP cannot serve users in Iran, and Wikipedia's policy is to be globally available.

                                                                                                                                                                  Google loses worldwide revenue from all of Wikipedia.

                                                                                                                                                                  (I have met multiple companies who have dismissed GCP for this reason. Even companies with no current business in Iran might one day want to expand there, so don't want to make infrastructure choices which lock them out).

                                                                                                                                                            • cute_boi 18 hours ago

                                                                                                                                                              Do you think the people who make rules and legislation are that smart?

                                                                                                                                                              • londons_explore 18 hours ago

                                                                                                                                                                No, but I expect the judges who interpret the law to see that.

                                                                                                                                                                No judge will send a google employee to prison because someone located in Iran managed to download a copy of the docker image to Alpine Linux from the google/amazon container registry...

                                                                                                                                                                • JoshuaRogers 17 hours ago

                                                                                                                                                                  They also won’t reimburse said employee for the lawyer they needed to hire or the lost revenue from being in court and not at work.

                                                                                                                                                                  Even if vindicated, the process can be costly.

                                                                                                                                                          • reisse 19 hours ago

                                                                                                                                                            A lot of US resources ban traffic outside the US. Or, at least, from "suspicious" or "sanctioned" locations. Some ban the EU due to GDPR.

                                                                                                                                                            You never know such things when you are in the US though...

                                                                                                                                                            • dathinab 18 hours ago

                                                                                                                                                              but the traffic is _clearly coming from Germany_, the issue is that cloudflare/google have tagged certain ip addresses as Iranian no matter where the traffic actually originates from

                                                                                                                                                              • reisse 17 hours ago

                                                                                                                                                                > but the traffic is _clearly coming from Germany_

                                                                                                                                                                How do you know that if the only thing you see on the receiving side is an IP address, which is marked as Iranian?

                                                                                                                                                                • elwebmaster 15 hours ago

                                                                                                                                                                  Marked where? With the assigning authority of the IP address which has been granted the legal right to manage the IP space (a common good)? Or in the database of some arbitrary company?

                                                                                                                                                                  • skjoldr 8 hours ago

                                                                                                                                                                    BGP full view and traceroutes? It's pretty hard to fake the path that a packet takes to that IP address.

                                                                                                                                                              • VWWHFSfQ 19 hours ago

                                                                                                                                                                My servers ban huge swaths of IPs from certain places that originates enormous amounts of spam, scanners, and other nefarious traffic. It's very effective

                                                                                                                                                                • kiwijamo 16 hours ago

                                                                                                                                                                  If I followed your strategy I would be blocking all of Google. Back in the days I operated my own mail server >50% of all spam was from Google USA... YMMV.

                                                                                                                                                                  • LinuxBender 15 hours ago

                                                                                                                                                                    I do that on several of my hobby nodes. I block entire ASNs for all the major platforms. Real people can still reach them just fine. To your point, I do less of that on my self-hosted mail servers and instead use a regex methodology called S25R created by a mail admin in Japan a long time ago and it works great.

                                                                                                                                                                    • kiwijamo 14 hours ago

                                                                                                                                                                      Tricky thing about Google is quite a lot of my contacts are on Gmail or some domain hosted by Gmail so blocking Google's ASN is a no go for me. I'm now with Fastmail -- they use SpamAssassin (plus I suspect their own custom rules) which uses a range of different metrics to determine whether an email is spam. That is far more effective than straight up blocking ASNs and the like.

                                                                                                                                                                      • LinuxBender 5 hours ago

                                                                                                                                                                        Yup that's why on my mail nodes I use the S25R regular expression methodology. Google passes the regex checks.

                                                                                                                                                                  • Fokamul 18 hours ago

                                                                                                                                                                    So you ban US and China, aka two places where most spam, DDoS and malware is coming from. Right?

                                                                                                                                                                    • VWWHFSfQ 18 hours ago

                                                                                                                                                                      China yes

                                                                                                                                                                    • FredPret 18 hours ago

                                                                                                                                                                      Sturgeon’s law [0] applies to all sorts of things, including web visitors.

                                                                                                                                                                      [0] https://en.m.wikipedia.org/wiki/Sturgeon%27s_law

                                                                                                                                                                      • ajsnigrutin 17 hours ago

                                                                                                                                                                        So, all the cloud, vps, and hosting providers?

                                                                                                                                                                        • LinuxBender 15 hours ago

                                                                                                                                                                          I block most of them but something I noticed was that the more affordable a provider is the more garbage that comes from them.

                                                                                                                                                                      • Dalewyn 19 hours ago

                                                                                                                                                                        US sanctions prohibit transfer of goods, technologies, information, etc. to Iran.

                                                                                                                                                                        As a company, this means BSTS (better safe than sorry) CYA (cover your ass) measures for good or worse.

                                                                                                                                                                        • Narhem 18 hours ago

                                                                                                                                                                          Curiosity may get me on this one, but is sharing information (such as this post/comment) an example of transfer of information (to potentially all countries)?

                                                                                                                                                                          • rockemsockem 18 hours ago

                                                                                                                                                                            Yes. Which is why you can't post ITAR information online.

                                                                                                                                                                            Edit: it also wouldn't surprise me if Hacker News blocks traffic from Iran.

                                                                                                                                                                      • tgma 19 hours ago

                                                                                                                                                                        My theory is lots of people who want to circumvent Iranian internet censorship rely on tunnels/VPNs hosted on Hetzner, which correlates those IPs with `Accept-Language: fa` and GPS locations collected from Android or other similar behavior.

                                                                                                                                                                        • rany_ 17 hours ago

                                                                                                                                                                          That's almost certainly the case. I use Tor semi-regularly and many Tor exit relay IPs are identified as being in Iran which is just not possible.

                                                                                                                                                                          • lutoma 17 hours ago

                                                                                                                                                                            I think a more likely explanation is that Hetzner just acquired some IPv4 address ranges that were previously used in Iran

                                                                                                                                                                            • rany_ 17 hours ago

                                                                                                                                                                              I think that might be less likely given the trade restrictions. There's no way an Iranian ISP just gave Hetzner those IPv4 addresses free of charge.

                                                                                                                                                                            • Alex-Programs 18 hours ago

                                                                                                                                                                              Yeah, I had the same theory when Google did this with a free-tier VPN IP that was in Turkey. It claimed I was in Tehran - and, when I looked at the map of servers, the Turkish server I was connected to was the closest to Tehran.

                                                                                                                                                                            • TZubiri 17 hours ago

                                                                                                                                                                              ok