Mattermost [update: isn't] suspending our licenses because of 'US sanctions'
26 points by ntauthority on June 23, 2022 | hide | past | favorite | 17 comments
Update: See the reply below (https://news.ycombinator.com/item?id=31853107). Incorrect email.

Context:

We're a B.V. (Dutch LLC) incorporated in the Netherlands, run by me from the Netherlands with contractors from around the world. Two of these contractors were located in Russia; one of them has recently moved to the Netherlands on a skilled migrant visa, the other is still in the process of obtaining the required travel documents and is still communicating with us (albeit unable to be paid). It should be noted that neither of these contractors is in any way related to a sanctioned entity according to EU legislation, nor should they be related to any such entity according to US legislation either.

We use Mattermost 'Enterprise' (self-hosted!) for our organization's internal communications. This was a logical option as we thought Mattermost was a modern organization, it had a fancy on-boarding flow, an open source variant of their products, and a lot of transparency.

During the order process, I had provided the information for the B.V., and my personal details, both indicating very clearly that the organization is based in and operates from the Netherlands.

What happened:

I received an email from Mattermost today claiming 'Our understanding is that your organization is located in either Russia or Belarus. Because of this, we must pause interactions with your organization until the sanctions are lifted.', which I'll quote verbatim in the comments due to the HN character limit.

My interpretation:

First off, it worries me that they do not provide the data on which they have based this 'understanding that [our] organization is located in Russia'. This probably implies there's telemetry being sent on the IP addresses our self-hosted install is being accessed from, which currently still includes one (singular) Russian user, as there is no other way they can have derived any such (wrong) information.

Secondly, we do not have 'legal counsel' specialized in 'U.S. sanctions rules'; in fact we have no relationship with the USA at all, so we cannot contact their compliance department whatsoever, as they also explicitly say that due to this misunderstanding they cannot answer any questions from us whatsoever.

We're glad we're using the self-hosted version of their product, as at least we can still export our data and eventually migrate to an actual open source solution like Zulip in case this isn't resolved, and there doesn't seem to be a kill switch on the self-hosted product (but given there is likely unexpected telemetry, we can't be sure this isn't the case either! The Enterprise Edition is actually a binary-blob Golang binary).

As we're explicitly not allowed to contact Mattermost, Inc. without legal counsel experienced in U.S. sanctions rules, and we are effectively unable to communicate as an organization now as we are 'asked not to use our license key', I've ended up with the usual route for tech corporations being unwilling to cooperate: posting a plea for help (and a warning to other users of Mattermost Enterprise that they're not the transparent organization they claim to be) on a public forum like this.




Hi all, Mattermost CEO here,

We've had an administrative error in our compliance automation. If you received an email from compliance@mattermost.com on June 23, 2022 titled "Our limitations due to new United States sanctions", please disregard it.

Ian


Also, I apologize for the confusion this has caused.


I think the most interesting part about OP's story is the question of how the self-hosted solution notified the Mattermost server about a potential Russian/Belarus connection. Even if the compliance automation was faulty, it's still interesting how Mattermost found out about a Russian connection at all. (I am assuming this compliance email wasn't sent out to everyone/a larger group of people by mistake, and the OP happened to have a Russian user.)


Mattermost CEO here. Thanks for the question. Like many companies, we use a 3rd party service to check if someone we're doing business with is a company that has been flagged on export compliance.

This was more of a blanket error than one specific to an account; I tweeted about it just now as it's hit a number of customers: https://twitter.com/iantien/status/1540039939089367040?s=21&...


Hi all,

To answer some of the other questions on this thread: neither customer logs nor PII get submitted to the 3rd party service that we use, which is called Descartes: https://www.descartes.com/solutions/global-trade-intelligenc...

We pass name and billing address only.

HN has a lot of people building SaaS and open core companies, so hopefully this thread is a good way to learn about export compliance, which is something we've been doing for many years, though it's gotten extra important in 2022 due to so many new sanctions showing up.

Think of it this way (in a simplified, high level view that doesn't capture all the detail, but intended to share the aesthetic):

1. When you're an early stage company based in the U.S. starting to sell open core licenses or SaaS you typically hire a lawyer to do the legal agreements and help negotiate contracts.

2. If it's a good lawyer, they might talk about "export compliance" and how your company might need to think about doing an assessment on how your product is classified in the context of U.S. export compliance restrictions.

3. If they're a really good lawyer, they may even recommend an export compliance consultant for you to use.

4. After you get your export compliance classification, you're going to need a way to implement the right checks to ensure you're not violating U.S. export compliance laws based on your classification and your customers.

5. You quickly realize you need to buy a tool to do this--not only to check at the time of transaction, but also to alert you if the status of a customer changes (for example, if a customer is added to a list of organizations flagged by public sector organizations).

6. You look at different options, and end up purchasing one and integrating it with your other systems, including Salesforce (sales automation) and Marketo (email automation). In this case, we purchased a subscription to Descartes.

Hopefully that helps share context. Please feel free to ask other questions here.

PS: Here's our ECCN classification for those interested: https://docs.mattermost.com/about/certifications-and-complia...
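As an added illustration of the screening step described above (customer name and billing address checked against a denied-party list at transaction time, then re-screened when the list changes), here is a small Python version. It is not Mattermost's or Descartes's code; the list entries, customer records, embargoed-country set and match threshold are all constructed for the example, and how Descartes actually matches is not described on this page.

```python
"""Denied-party screening over customer name + billing address.

Added illustration, not Mattermost's or Descartes's code.  The denied-party
entries, the customers and the match threshold are all constructed here; a real
deployment takes the list and the classification from counsel and the vendor.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Toy policy: destinations treated as comprehensively restricted (assumption).
EMBARGOED_COUNTRIES = {"RU", "BY"}

# Constructed denied-party list: (list name, entry name, country of the entry).
DENIED_PARTIES = [
    ("TOY-LIST", "Example Sanctioned Technologies LLC", "RU"),
    ("TOY-LIST", "Sample Holdings OOO", "BY"),
]

# Legal-form suffixes carry no identity; drop them before comparing names.
LEGAL_SUFFIXES = {"llc", "ltd", "bv", "nv", "inc", "gmbh", "ooo", "oao", "sa", "co", "corp"}


def normalize(name: str) -> str:
    """Fold accents, case and punctuation; strip legal suffixes ("B.V." is dropped)."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", folded.lower().replace(".", ""))
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def name_similarity(a: str, b: str) -> float:
    na, nb = normalize(a), normalize(b)
    # SequenceMatcher("", "").ratio() is 1.0: an empty name would "match" every
    # list entry and block everyone.  Treat empty input as no evidence instead.
    if not na or not nb:
        return 0.0
    return SequenceMatcher(None, na, nb).ratio()


@dataclass
class Customer:
    name: str
    billing_country: str  # ISO 3166-1 alpha-2 taken from the billing address


@dataclass
class Screening:
    blocked: bool = False
    reasons: list = field(default_factory=list)  # evidence a human can check
    best_score: float = 0.0


def screen(customer, denied=DENIED_PARTIES, embargoed=EMBARGOED_COUNTRIES,
           threshold=0.85) -> Screening:
    """Screen one customer.  Every block decision carries the evidence behind it,
    so a notice to the customer can say why (the data the OP above asked for)."""
    result = Screening()
    country = customer.billing_country.strip().upper()
    if not country:
        # Missing data is not a match.  Defaulting unknown -> blocked is how a
        # single bad field turns into a blanket false positive.
        result.reasons.append("no billing country on record: manual review, not a block")
        return result
    if country in embargoed:
        result.blocked = True
        result.reasons.append(f"billing country {country} is an embargoed destination")
    for list_name, entry, entry_country in denied:
        score = name_similarity(customer.name, entry)
        result.best_score = max(result.best_score, score)
        if score >= threshold:
            result.blocked = True
            result.reasons.append(
                f"name matches {list_name} entry '{entry}' ({entry_country}), score {score:.2f}")
    return result


def status_changes(customers, old_denied, new_denied, **kw) -> dict:
    """Re-screen after a list update; return customers whose status flipped.
    This is the 'alert if the status of a customer changes' check from step 5."""
    changed = {}
    for c in customers:
        before = screen(c, old_denied, **kw).blocked
        after = screen(c, new_denied, **kw).blocked
        if before != after:
            changed[c.name] = after
    return changed


if __name__ == "__main__":
    for c in [Customer("Example Software B.V.", "NL"),
              Customer("Example Sanctioned Technologies, LLC", "RU"),
              Customer("Sample Holdings", "NL"),
              Customer("Example Software B.V.", "")]:
        r = screen(c)
        print(f"{c.name!r:45} {c.billing_country or '--':3} blocked={r.blocked} {r.reasons}")
```

Two design points matter for the failure mode in this thread: a decision object that records the evidence (which list entry, which score, which country) so the customer notice can state the basis instead of just "our understanding is", and a rule that treats a missing billing country as "needs review" rather than as a positive, since a default of unknown-to-blocked is one way a single bad field becomes a blanket error across accounts.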


Ian, you might want to clarify that the only thing submitted to the 3rd party service is the company name of the customer and there was no submission of any customer logs.

Some other commenters in this thread think that you log their ip and submit their ip.


Those people are jumping to conclusions without evidence.


It's a pretty reasonable conclusion when the vendor claims to know where you're using the software, and the evidence is that the vendor claims to know where you're using the software.


Fuck I don't know, maybe they looked at the website of the company? Like, is what country your business in supposed to be secret? Good grief.


My impression from the OP is that the company does not claim to operate out of Russia or Belarus. Presumably, neither would the website. Clearly there's some other method by which that third party makes that determination, and clearly that method produces false positives.


Thanks @jsprogram, agree, hopefully this response and links to details help out the folks on this thread: https://news.ycombinator.com/item?id=31852914#31854019


> Like many companies we use a 3rd party service to check if someone we’re doing business with a company that has been flagged on export compliance.

Can you elaborate on which service y'all use and what data y'all provide to that service?

Thanks.


Can you please explain why a legal counsel is necessary to even ask you why you did this?


The verbatim email:

---

Our limitations due to new United States sanctions

Dear sir,

Due to recent sanctions from the United States government, we have reviewed the organizations we have been communicating with to understand to which organizations the new laws apply.

Our understanding is that your organization is located in either Russia or Belarus. Because of this, we must pause interactions with your organization until the sanctions are lifted.

This includes: We must pause on selling, issuing or renewing a Mattermost subscription or license key to your organization. If you have a Mattermost license key, a trial key, or a Not-for-Resale license key we ask that you not use it. We are not permitted to provide you technical support for our software. Moreover, we cannot answer questions about our software. We are not permitted to provide our software, including any updates, upgrades or cloud hosted versions to your organization. We must ask that you do not use any software or online services provided by Mattermost, Inc., including any versions that have been provided online to the general public. We deeply apologize for the inconvenience. We must abide by United States laws. We hope after sanctions are lifted that we can support your interest once again.

The sanctions applying here can be found online at: https://www.bis.doc.gov/index.php/policy-guidance/lists-of-p...

If you believe we have made an error, we ask that your legal counsel please review the U.S. sanctions rules and send their interpretation to compliance@mattermost.com

Sincerely,

Mattermost Export Controls Compliance Team

---


The fact that they track your activity and customers should already give you proper hints that you should look for an alternative ASAP

Also, you are in the EU, they are American; I'm pretty sure what they are doing is illegal.

I will investigate



