The Linux Foundation on global regulations and sanctions

Okay, this is not sanctions-specific, but sounds very much like the British legal concept of "Knew or should have known". If you do something that may or may not be criminal - trespass is a classic example - the line for criminal liability is defined as "you should have known you weren't welcome". So a big sign saying "Trespassers will be prosecuted" converts a minor misdemeanor into a criminal act. And the fact that you can't read will simply be met with "well you should have asked someone what the sign said!".

Cheers,
Wol

Specifically, it explicitly states to restrict availability to sanctioned entities and to use various sources to determine whether a user or organisation could possibly be subject to sanctions. Github generally knows a lot more than just the user name (such as mail addresses, payment history, commit, push, and interaction history, remote IP addresses, etc), and it does not need to come to a definite conclusion; it can already limit accounts on mere suspicion and require proof of identification (such as a valid credit card). Github also summarily blocks entire geographic regions. It used to block all of Iran, until it obtained a special license from the US government to restore services to Iran.

As such, Github exists as some kind of a walled garden where sanctioned entities are not present, and within with users can reasonably assume that other users legitimate or they'd not be on the platform in the first place. But the Linux Foundation runs its own infrastructure, and thus needs to care for this itself.

All of what you're describing in your comment literally exists in the more or less the very form; you were just lucky enough not to notice so far, because frankly, reddit discussions are not usually not a place where serious business is done, and neither are LWN comments.

But organisations doing serious business, especially in sensitive fields, will likely do their own checks for significant Github contributions or prolonged collaboration with external Github users. I know that my organisation would. It has a whole policy document about doing open source which includes regulations for accepting significant contributions which include concerns of export control and sanctions, and it's not even a US-based organisation.

And I'd like to remind you that under many jurisdiction export control and sanctions laws come with specific personal liability. Contrary to, say, financial regulations or product liability or customer safety you cannot routinely disclaim personal responsibility for violations done on behalf of your employer. Breaching sanctions or export control regulations is routinely a personal criminal offence, for which you're immediately liable, even if you did so on behalf of your employer, which is why no one is particularly keen to test the limits of these regulations in court.

> That said, if the Government is unaware of a particular file name, it still must show
> with some reasonable particularity that it seeks a certain file and is aware, based on other
> information, that (1) the file exists in some specified location, (2) the file is possessed by the
> target of the subpoena, and (3) the file is authentic.

But that is defeated just by regular full device encryption. You don't need hidden volumes to get there. Granted, the court did talk about hidden volumes, because that was the particular technology that this defendant chose to use, but in my reading, full device encryption would have done just as well.

The original use case for hidden volumes was altogether more bizarre. The idea was, roughly speaking, that you might end up in a situation where some authority (legitimate or otherwise) is threatening you (with rubber-hose cryptography, criminal charges, or whatever) if you don't decrypt your hard drive, and you "comply" by decrypting the innocuous non-hidden volume. But that has never made any logical sense, because you have to leave a large hole that never gets decrypted, which will make it hard to plausibly deny the hidden volume's existence. Moreover, if the authority is legitimate, lying about the hidden volume is not only a crime, but it may constitute a waiver of any Fifth Amendment rights (or the local equivalent) you might otherwise have had. It's actively making your situation worse, for no upside.