[Feature Request] Block certain countries from downloading or viewing repositories

[jasonbcox]

Select Topic Area

Product Feedback

Body

Feature Request

I want to be able to block users in certain countries from downloading or viewing my repositories. Ideally this setting would be available at org-level as well, but a repository-level setting on its own would be very useful.

Why?

Short answer: I was sued in the United Kingdom for writing open source code in the United States. As a consequence, I no longer want to share any of my repositories in the UK.

Long answer: I've been dragged into litigation in the UK over writing code related to Bitcoin. Despite presence of the MIT License, which makes it abundantly clear that the authors hold no liability, the lawsuit claims I have fiduciary duties to users. I believe my rights in the US would be upheld rather quickly, but that is not the case in the UK. Even though I've never had customers in the UK, I no longer wish to make my repositories available there. The legal liability simply isn't worth it if the UK court is interested in going after open source developers.

I wrote an open letter to the open source industry at fossdef.org that goes into more details and asks for support in the lawsuit. This is striking directly at my livelihood, so if I cannot control repository access on Github, there's a good chance I will have to leave the platform altogether.

I believe other developers in similar positions as me will also find this feature useful.

Github can alleviate this concern by implementing an access control setting.

---

EDIT 1: More examples keep coming to light, such as:

Example 1: New cryptoasset laws attempt to regulate promotion of cryptocurrencies. See https://fca.org.uk/publications/good-poor-practice/firms-preparations-cryptoasset-financial-promotions-regime
"If a UK consumer can access and respond to cryptoasset promotions to engage in the cryptoasset activities, such as through websites, apps and/or social media, it is likely that those promotions will be capable of having an effect in the UK. This applies regardless of the location of the firm making the promotion or who it was primarily aimed at."

This effectively means the UK is attempting to police free speech in the US and elsewhere.

Example 2: This article provides commentary on the dangerous implications of revisions to UK's 2016 Investigatory Powers Act: https://justsecurity.org/87615/changes-to-uk-surveillance-regime-may-violate-international-law/
It goes into more detail how the application notice requirements would impact globally. This clearly affects free speech, even if only by chilling effect.

---

EDIT 2: The bitcoin.org example I referred to in my open letter got an update: https://x.com/CobraBitcoin/status/1703842580117455147 The defendant owes a mind boggling $640,000 in default judgment. That's right, he didn't even defend himself, bitcoin.org can no longer serve software to the UK, and the defendant still owes lots of money.

[deadalnix]

Seconding the need for that feature. For the UK as well especially.

[ghost]

nope. nope. nope. nope. nope.

If I am traveling, or happen to be using a VPN for whatever reason, I dont want to visit your page and find nothing. this can, and has, caused me anger, frustration and confusion many, many times. I will visit some site I KNOW exists, only to find it gone because of geo blocking or because the owner simply doesn't like me. if you want to police who can view your code, you should host it on your own server. I dont think this is GitHub's duty, or even in their interest to entertain this.

[jasonbcox]

I'm not ideologically supportive of this feature either. But it is a necessity due to legal issues. I cannot control UK law, but it would be nice if GitHub can limit my exposure to that backwards country's legal system.

[jasonbcox]

If you don't like a setting like this, you can simply not use it.

[ghost]

If you don't like a setting like this, you can simply not use it.

that doesn't make logical sense. my concern was never about ME using it, it was about YOU using it. if YOU use it, then it hurts ME. I thought I made that painfully clear in my original comment, but it seems the point didn't get across.

[HostFat]

Well, if GitHub doesn't had this feature, then devs will not put their code here, to avoid possible UK lawsuits. (or other countries)

Then with or without vpn you will not find their code here.

Still, devs will use and enable this feature only if they want.

[jasonbcox]

that doesn't make logical sense. my concern was never about ME using it, it was about YOU using it. if YOU use it, then it hurts ME. I thought I made that painfully clear in my original comment, but it seems the point didn't get across.

You won't be able to access the repositories in either case. Scenario A: GitHub implements access controls and you won't be able to view them from certain places. Scenario B: GitHub doesn't implement access controls and affected repositories are taken off the platform entirely.

In both scenarios, you are negatively effected. But only scenario B is the wider open source community negatively impacted the most. GitHub is certainly negatively impacted by B the most as well.

[aalfiann]

This is a good feature.
Seems using MIT License is not 100% protecting us to writing code in UK.

GitHub should follow the UK regulation, then just block UK.

[mpaperno]

As another "use case" for such a feature, one may wish to simply exclude some visitors from, say, certain war-mongering or otherwise offensive nations that you do not wish to share with.

Though I would say the legal ramifications presented here are more important.

One could put such clauses in one's license I suppose (eg. "not licensed for use by nationals of ...."), and probably should, but it would be a lot more effective and to the point to deny direct access in the first place. If someone circumvents that deliberately, eg. with a VPN, at least they can't claim ignorance (as easily).

[nghiacc]

If you don't like a setting like this, you can simply not use it.

that doesn't make logical sense. my concern was never about ME using it, it was about YOU using it. if YOU use it, then it hurts ME. I thought I made that painfully clear in my original comment, but it seems the point didn't get across.
Geoblocking is for specific repos due to the regulations. If you want to use it, there is still VPN. The point is to protect users from legal issues, which may come at any point of time.

[takeda]

Sounds like this is something that more properly would be resolved by a license, no? i.e. "I don't allow my code to be used by residents of X country".

Also I don't know your exact case, but I wouldn't be certain that you are immune from lawsuits from outside of UK.

I mean let assume somebody created a ponzi scheme in form a computer software, you fire it up, place some investment and then get more money back from people who fired it up after you. The app is released under MIT license, does that mean the scammer has no liability?

Again, I don't know what the actual case was, but since the lawsuit mentioned fiduciary duty, that sounds like the OP was accused to not work in best interest of the user. And I see that lawsuit could happen in lot of places, including US.

[jasonbcox]

I'm in the US. Restricting UK users via the license might work for some cases, but the MIT License did not help me in this case. While I could modify all of my licenses, I would prefer to do that in conjunction with an access control setting.

[takeda]

MIT license talks about you not providing a warranty if your software malfunctions. But you were accused of not acting in the good faith and in the best interest of the user when dealing with money. There are some responsibilities that you cannot waive with a license.

[deadalnix]

And the UK court decided that it did not matter. If a country with a medieval legal system decides to assault people providing software for free on the internet, then it is only sensible to provided these people with the tools they need to protect themselves.

[jasonbcox]

I made an edit to the original request giving more examples.

I continue to run into these examples popping up and as a result I lodged a similar feature request on X/Twitter: https://twitter.com/jasonbcox0/status/1701286692509118753
It would be nice if GitHub and X can coordinate on a proper solution. I don't expect them to be identical for both platforms, but I imagine they will look similar. Free speech is free speech no matter the formatting (plain text vs code).

[jasonbcox]

I made another edit to show what happens when random open source projects get sued by these kinds of people.

Hopefully we can get some sort of indication from GitHub that someone is looking into this.