HashiCorp forbids its software being used in China
hashicorp.comHello, I'm a founder of HashiCorp and I'd like to explain this.
First, this document only applies to enterprise evaluation software. This doesn't apply to our OSS software and this shouldn't be linked anywhere near our OSS except in the context of signing up for an enterprise eval.
Most importantly: why is this here? This is NOT a political statement. This is a legal requirement. The encryption we use in Vault is subject to Chinese export control laws and it is illegal for us (by Chinese law) to sell in China.
To be able to sell Vault within China we'd have to restrict the encryption that could be used within Vault to government-acceptable versions.
We don't do this, therefore it is illegal for us to sell in China. We have to include this line in our enterprise terms.
EDIT: Our legal team has updated the copy in our terms to be more explicit. You can read the updated copy in the second paragraph here: https://www.hashicorp.com/terms-of-evaluation
It's interesting to me that it's Chinese export control laws that affect you. Normally when you hear about this kind of thing, it's the US export restrictions causing the issue. Does that not apply in this case? And wouldn't you be importing into China? (IANAL, genuinely asking)
It's not export controls in the case of China afaik. It's literally 'the party would like to read your data in the name of social harmony'
Ya, the word “export” was incorrect in OP’s post
Or inversely they want to make sure the ciphers they use are reviewed and not backdoorable by adversaries (in this case the US).
Perhaps they're referring to the Encryption Law https://www.cov.com/-/media/files/corporate/publications/201... in effect this year that discusses both the import and export of encryption.
Exactly, which is why OP's clarification is welcomed. I too made the same assumption as you did, or rather thought it was some political statement based on our current geopolitical climate.
But no, it's the Chinese looking to force a US company to use their pre-approved encryption for reasons that should be obvious.
Bravo.
Thanks for clarifying. It sounded a lot like a political statement at first, but this makes more sense.
That's clear now. Maybe add this explanation somewhere and link to it from your terms-of-evaluation.
Which encryption is it?
Exactly just laws of the United States.
you can request the title changed to be closer to your clearer explanation
From Mitchell Hashimoto, the founder of HashiCorp:
Whoa, wait, the founder's last name is Hashimoto? That's awesome. I always just assumed it was a portmanteau related to hash functions.
Ah that's interesting -- I've never associated it with hash functions though I can see how one might be led to.
Hashi to my ears sounds distinctively Japanese (I understand it either means "bridge" or "chopsticks").
https://twitter.com/mitchellh/status/1266396356572139526 According to the founder they use a Chinese approved encryption scheme for enterprise versions in China. I wonder what encryption that is.
I wonder if this includes Hong Kong
Or Taiwan!
Why would it include Taiwan? They are separate countries not separate "systems"
It says it only applies to the People's Republic of China, and in the notes above it's only because of the laws of the People's Republic of China.
In all practical senses Taiwan is a separate country, but there are reasons not to admit it: http://www.youtube.com/watch?v=4AivEQmfPpk&t=2m55s
Why exactly they do that?
Good question. It's not like IP protection is practical in China--this software WILL be used in China against license. It's also basically impossible to hold Chinese companies (often entangled with the communist government of China) accountable for things like fraud or IP theft.
Maybe it's just a political statement.
None of this is true. It's not political, it's not about IP, it's about Chinese law, and it doesn't apply to OSS.
What they are saying is that even in regards to OSS it wouldn't matter because China has such a disregard for non-Chinese law (and the citizens have blatant disregard for even some Chinese law) and property that they will just outright steal it or otherwise break any law that inconveniences them to just use the software anyway.
Weird that there is no official announcement from HashiCorp to explain this decision.
It would be great if they could explain this decision in more detail, but I guess they are still working on to explain this better and clearer.
Nice