
Gitting out of this lab - director resigns over discrimination policies.

williamcll

 

 

(Please kindly remind yourself of the community standards)


Ever since GitHub was bought out by Microsoft, some users have decided to move away from the site out of worry about corporate meddling, with GitLab one of the main destinations. Recently a director from the company resigned in protest after her concerns about who can't be hired fell on deaf ears. It should be noted that the company also recently overturned a controversial policy on what customers they can work with.

Quote

GitLab's director of global risk and compliance, Candice Ciresi, has resigned from the company, accusing the code hosting biz of engaging in discriminatory and retaliatory behavior.

Ciresi declined to discuss the matter with The Register, but the cause of her departure appears to be a company plan to refuse to hire engineers in China or Russia or to let current employees with access to customer data move there.

 

Ciresi's resignation post is no longer publicly accessible, though it has been screen-captured. In an email to The Register on Friday, a GitLab spokesperson said, "GitLab can confirm that Candice Ciresi has resigned from GitLab. We can not comment further on personnel departures." GitLab is an "all-remote company" that lets people work from home, or wherever a network connection can be had, and has employees in more than 60 countries around the world. But as of last month, the biz proposed through a git Issues post – its favored method of distributed management – to adopt a "job family country-of-residence block" for employees with access to customer data. The proposal has not yet been formally adopted.

 

GitLab's habit of hashing its corporate policies out in public yielded some confusion last month when the company asserted it would work with any customer, regardless of moral considerations, and banned employees from talking politics. Pilloried on social media and internally for embracing amorality and censorship, the company reversed its ill-considered policy the next day.

GitLab's latest concern, as spelled out by VP of engineering Eric Johnson, is that workers in China and Russia might be pressured by local authorities or whoever to surrender customer data or to subvert GitLab product code.

Three weeks ago, Ciresi questioned why China and Russia had been singled out since there's no law that prevents hiring employees in those countries, with the exception of the Crimean Region of the Ukraine. "It seems odd that we proclaim that we will accept any customer not prohibited by law (b5a35716) but we are implementing controls that impact employees based on a perceived political climate," Ciresi wrote. "This is contradictory. If the concern is the contribution of employees from these regions, could we not find a more moderate solution such as ensuring that the contributions of those employees are vetted before release?"

 

Rejoining the discussion a week ago, she called out the arbitrariness of the proposed restrictions on hiring in China and Russia, noting, "The highest risk countries for hackers are: Romania, Brazil, Taiwan, Russia, Turkey, China and the United States. ...If hackers are the basis for restricting employees, then we would be foolish to not exclude the US for future hiring." This issue came up for Twitter recently: The US government just indicted two Twitter employees, one a US citizen and one a Saudi citizen, for leaking internal Twitter account data to the Saudi royal family. Ciresi went on to argue that China and Russia were not selected because of legal requirements, risk analysis, or other legitimate criteria. "I do hope they were not selected because a customer asked for it – or that could violate anti-boycott laws," she wrote. "In fact, having no objective basis for the restrictions is not conservative – it is careless."

 

It's suggested in the discussion that an enterprise customer asked specifically for a guarantee that admins in China and Russia could not access its data through GitLab and GitLab has no technical means to prevent that. GitLab's CFO Paul Machle says in the discussion thread that the US government has made similar requests. Individuals participating in the discussion who appear to be located in China and Russia mostly object to the proposal. And there are those who point out that the company's stance makes a mockery of its stated values of diversity and inclusion.

 

On Friday afternoon, Pacific Time, the company's executive group held a meeting to discuss the situation. At the time this article was filed, the outcome of that meeting had not been made public. 

Source: https://www.businessinsider.com/gitlab-director-resigns-retaliatory-behavior-2019-11 (paywall, turning off javascript does not work)

https://www.theregister.co.uk/2019/11/09/gitlab_exec_resigns/

Thoughts: Honestly there's not even a reason for me to leave github right now, and certainly not this site if I were to ever consider. I do wonder what drove this company to consider putting forth this action when pretty much every other gits do not do this-

[image]

 

This makes a lot more sense now.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


(•_•)  I guess they were...
( •_•)>⌐□-□
(⌐□_□) Outfoxed.

I'm not sure I understand the issue.

So GitLab is a completely work-at-home company, so there are no offices, and people just remote into a server from home, is that correct, and they are against people from China and Russia having access to their servers?

I mean I can see how that can seem discriminatory, but even I find that to be a fairly reasonable and understandable policy? It's one thing to hire a Russian or Chinese in the US, there's much less potential risk there as he or she has a citizenship, life and given the person moved away probably doesn't love his home country all that much.
Meanwhile, having someone from those places have remote/admin access, makes it much easier to get a mole in. All they have to do is fake their own country's documentation.

I completely understand both GitLab's and GitLab's enterprise customers' reasons for doing so. It's not as much hackers in the "lone blackhat" sense that they seem wary of, it's major intellectual property theft on a governmental level. At least that's what I feel like.

 

“I like being alone. I have control over my own shit. Therefore, in order to win me over, your presence has to feel better than my solitude. You're not competing with another person, you are competing with my comfort zones.”  - portfolio - twitter - instagram - youtube


1 hour ago, elfensky said:


Meanwhile, having someone from those places have remote/admin access, makes it much easier to get a mole in. All they have to do is fake their own country's documentation.

 

 

The argument is that remote access from anywhere poses exactly the same risk and there is no data to suggest China or Russia are a bigger risk than allowing someone from the US to remote in.

 

I can see this argument, if they can't show a legitimate reason for excluding hiring from a country, then by extension that decision is discriminatory.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


This is a "nothing burger" issue.

 

SJW'S gonna SJW.

 

I'm sure it's no loss to the company that she quit. She probably did them a favor as HR has less whiney bullshit to deal with now.


8 minutes ago, Crowbar said:

This is a "nothing burger" issue.

 

SJW'S gonna SJW.

 

I'm sure it's no loss to the company that she quit. She probably did them a favor as HR has less whiney bullshit to deal with now.

And you would have no issues if someone said you couldn't work at company X because of where you live?

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, mr moose said:

And you would have no issues if someone said you couldn't work at company X because of where you live?

 

None whatsoever when it's a matter of security.


33 minutes ago, mr moose said:

 

The argument is that remote access from anywhere poses exactly the same risk and there is no data to suggest China or Russia are a bigger risk than allowing someone from the US to remote in.

 

I can see this argument, if they can't show a legitimate reason for excluding hiring from a country, then by extension that decision is discriminatory.

 

 

I can tell you now depending on where you are there are a lot of legal issues with it. Being in Infosec for example in the USA for example it would not be allowed. You would be hard pressed to land any job in this field if you have any ties to those countries as well. I won't get in to depth at all the reasons why it isn't done and why it is mostly justifiable. I will just say that privacy there is an issue. They also have a massive cyber crime footprint and lots of nation state cyber involvement.

 

Now look at something like a code repository. Think of the implications of having any type of potential threat inside the company. Then you have to weigh the issues you might have with Homeland Security and the NSA.


It's not a matter of security in this case though, that's the whole point of it being a problem.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Just now, AngryBeaver said:

I can tell you now depending on where you are there are a lot of legal issues with it. Being in Infosec for example in the USA for example it would not be allowed. You would be hard pressed to land any job in this field if you have any ties to those countries as well. I won't get in to depth at all the reasons why it isn't done and why it is mostly justifiable. I will just say that privacy there is an issue. They also have a massive cyber crime footprint and lots of nation state cyber involvement.

 

Now look at something like a code repository. Think of the implications of having any type of potential threat inside the company. Then you have to weigh the issues you might have with Homeland Security and the NSA.

This is not a matter of government policy. And the claim is there is no evidence to suggest security is an issue.

So until that claim can be established as false then arguments about security being an issue are moot.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 minutes ago, mr moose said:

This is not a matter of government policy. And the claim is there is no evidence to suggest security is an issue.

So until that claim can be established as false then arguments about security being an issue are moot.

Any time you are allowing anyone some type of elevated access or credentials from either of those countries it is a security issue. If they choose they can literally MITM any and all traffic coming in and out of them. Now that is not super likely, but they have already done it at a targeted level. They do not have the same privacy standards and are not regulated in the same way as say the EU.

 

So it comes down to this. You either mitigate the inherent risks of those 2 countries by not allowing them access to anything elevated or you have to accept the risk (which can be more than your company is even worth in this case). The best decision is the one that has been made... and they don't have to even justify it. If they decide to restrict things on geo location that is 100% within their ability to do so.


4 minutes ago, AngryBeaver said:

Any time you are allowing anyone some type of elevated access or credentials from either of those countries it is a security issue. If they choose they can literally MITM any and all traffic coming in and out of them. Now that is not super likely, but they have already done it at a targeted level. They do not have the same privacy standards and are not regulated in the same way as say the EU.

Remote access can be compromised anywhere.  It is not specifically a Chinese or Russian issue.

 

4 minutes ago, AngryBeaver said:

So it comes down to this. You either mitigate the inherent risks of those 2 countries by not allowing them access to anything elevated or you have to accept the risk (which can be more than your company is even worth in this case). The best decision is the one that has been made... and they don't have to even justify it. If they decide to restrict things on geo location that is 100% within their ability to do so.

Again, the claimed argument is the risk is no higher than allowing someone from the US to have the same privileges.  Therefore until that argument is proven false, then it is still discrimination. 

 

First we have to prove that there is a higher risk of security breach when employing someone from China or Russia over someone from the US before the policy is not about discrimination.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


22 minutes ago, AngryBeaver said:

They also have a massive cyber crime footprint and lots of nation state cyber involvement

Yes the US does, and the rest of the world?

 

And yea that is a joke while also being serious. Employing a US citizen has exactly equal risk of the person being malicious, or a fool, or operator error at some point, or a billion other risks that has zero to do with their origin citizenship. This is GitLab not the NSA or Homeland security, I actually don't have a problem with those types of agencies imposing such restrictions even if it's actually fairly flawed logic overall but it does reduce the pool of applicants you have to vet and simplifies the vetting process by not having to deal with international laws.

 

If I were a CEO of a large multinational company what would happen if I then requested no US citizens have any access to our company data because of extremely well documented and publicized evidence of US citizen spying, data breaching and US government cyber security and surveillance policies? Does GitLab now have to no longer hire any US citizens?

 

The cited issue is not remote access it's the citizenship of the employee.


3 minutes ago, mr moose said:

Remote access can be compromised anywhere.  It is not specifically a Chinese or Russian issue.

 

Again, the claimed argument is the risk is no higher than allowing someone from the US to have the same privileges.  Therefore until that argument is proven false, then it is still discrimination. 

 

First we have to prove that there is a higher risk of security breach when employing someone from China or Russia over someone from the US before the policy is not about discrimination.

Not entirely related, but the tip of the iceberg so to speak.

 

https://www.wired.com/story/china-russia-vpn-crackdown/


2 hours ago, elfensky said:

they are against people from China and Russia having access to their servers?

They fear employees from those countries will be forced by their governments to become spies. Recently here in NZ, around the HK protests, some Chinese students walked around one of our universities wearing PLA uniforms to intimidate the other Chinese students. They were letting the Chinese students know that the PLA is everywhere. These poor kids have family trapped in China. Shit's real in those nations.

 

 

 


1 minute ago, leadeater said:

Yes the US does, and the rest of the world?

 

And yea that is a joke while also being serious. Employing a US citizen has exactly equal risk of the person being malicious, or a fool, or operator error at some point, or a billion other risks that has zero to do with their origin citizenship. This is GitLab not the NSA or Homeland security, I actually don't have a problem with those types of agencies imposing such restrictions even if it's actually fairly flawed logic overall but it does reduce the pool of applicants you have to vet and simplifies the vetting process by not having to deal with international laws.

 

If I were a CEO of a large multinational company what would happen if I then requested no US citizens have any access to our company data because of extremely well documented and publicized evidence of US citizen spying, data breaching and US government cyber security and surveillance policies? Does GitLab now have to no longer hire any US citizens?

 

The cited issue is not remote access it's the citizenship of the employee.

If they take that stance even directed at the USA I am not against that. They are not required to hire from another country if they so choose. That is assuming they do not have an actual headquarters there.


Just now, AngryBeaver said:

If they take that stance even directed at the USA I am not against that. They are not required to hire from another country if they so choose. That is assuming they do not have an actual headquarters there.

Then GitLab hiring pool is zero countries, ok maybe some Pacific islands or something but even then they are partnered with NZ and Aus and come under our cyber protection so they are out too. Good luck running a company with zero employees.


Just now, leadeater said:

Then GitLab hiring pool is zero countries, ok maybe some Pacific islands or something but even then they are partnered with NZ and Aus and come under our cyber protection so they are out too. Good luck running a company with zero employees.

You missed my point. As a private company they can choose which countries they hire in and do business with. They are not required to hire from there and should not be forced to. If they decide that not hiring from those countries is in their best interest then they are 100% free to make that decision. The only recourse anyone has is to just not use their service/product.

 


5 minutes ago, AngryBeaver said:

Not entirely related, but the tip of the iceberg so to speak.

 

https://www.wired.com/story/china-russia-vpn-crackdown/

Again, you first have to prove that in GitLab's position the security issues are higher in those countries than the US. The documents linked in the OP claim that is not the case. So first we must show why that is not true before we can use it as reasoning in the argument.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, mr moose said:

Again, you first have to prove that in GitLab's position the security issues are higher in those countries than the US. The documents linked in the OP claim that is not the case. So first we must show why that is not true before we can use it as reasoning in the argument.

Here is another nice article from the Wall Street Journal on the risks.

 

https://blogs.wsj.com/cio/2014/06/27/how-to-protect-business-data-in-china-or-russia/


5 minutes ago, AngryBeaver said:

You missed my point. As a private company they can choose which countries they hire in and do business with. They are not required to hire from there and should not be forced to. If they decide that not hiring from those countries is in their best interest then they are 100% free to make that decision. The only recourse anyone has is to just not use their service/product.

 

No I didn't, you missed the issue. GitLab is responding to requests by governments and some companies and in doing so violating their own company's hiring policies and ignoring their own Director of Global Risk and Compliance.

 

You're free to hire anyone you like, but I'll break your arm if you hire from <countries>. But yes you have 100% freedom to the decision.


3 minutes ago, mr moose said:

Again, you first have to prove that in GitLab's position the security issues are higher in those countries than the US. The documents linked in the OP claim that is not the case. So first we must show why that is not true before we can use it as reasoning in the argument.

But they don't need to make an argument. They are a private company and can make that decision without any justification.


3 minutes ago, AngryBeaver said:

But they don't need to make an argument. They are a private company and can make that decision without any justification.

True, but they have to abide by the laws of their own country.

Besides, it's better to hire within their own country!


3 minutes ago, AngryBeaver said:

But they don't need to make an argument. They are a private company and can make that decision without any justification.

 

You seem to have missed the point, their own departments said there was no risk in hiring from China, so when the company refuses to hire from China (for whatever reason) that is called discrimination. I don't care if people like it or not, actively choosing not to employ someone based only on their location is discrimination.

 

And as leadeater pointed out, artificially reducing your talent pool is not good for a company.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


2 minutes ago, mr moose said:

You seem to have missed the point, their own departments said there was no risk in hiring from China, so when the company refuses to hire from China (for whatever reason) that is called discrimination. I don't care if people like it or not, actively choosing not to employ someone based only on their location is discrimination.

Well the solution is actually simple, tear up the company anti discrimination policies and stop flying that flag. It's only actually an issue if you claim to be and act differently.
