Comment by kube-system
3 years ago
> I've also been informed by at least one C-level exec that it was vitally important that we prohibit North Korean internet users from using our website.
What's wrong with that?
The problem is, all you can virtually do is to block North Korean IP space [1], but you're still legally liable if North Korean users, say, use a foreign VPN service to interact with you.
International sanctions laws are pure and utter madness, with extremely high stakes if the government changes its course on selective enforcement, so everyone is "playing it safe" rather than "doing what makes sense and questioning outright bullshit".
[1] https://www.trendmicro.com/en_us/research/17/j/a-closer-look...
The OFAC isn't going to expect you to bend space and time, but they do expect due diligence.
My point is, what is the definition of "due diligence"? Who can say "yes, you're doing everything required"?
Usually, that's court cases and resulting case law, as well as executive fines... which means there is an insane amount of risk attached to everything related to sanctions, and additionally enforcement may vary between different governments.
I shadowban anyone with the surname 'Kim' on account creation just to be sure.
How would you be able to tell? And what sensitive information could they access? It’s de facto public.
> How would you be able to tell?
There are many ways. The most common are: If the users tell you they're from North Korea, you can tell that they're from North Korea. Also, if they connect from a North Korean IP, you can tell that they're from North Korea.
> And what sensitive information could they access? It’s de facto public.
The request likely had nothing to do with "sensitive information", but instead, sanctions.