Occasionally the IETF is served with a subpoena, typically to assist finding prior art, documents and list discussions, in an effort to resolve patent disputes. We encourage everyone to just use our publicly available resources instead of formal requests, but we do get a few subpoenas every year. The IETF charges a fee for the service. The IETF makes these civil subpoenas and the primary response public at [1]. The IAOC Legal Committee has identified two issues with the existing procedures [2]. First off, practices have evolved somewhat since the procedures were last updated in 2007, and are out of date. For instance, the subpoenas are today handled by IETF Legal Counsel, the Legal Committee Chair, the IAD and record custodians such as the Secretariat and the RFC Publisher. Others, such as the IETF Chair are not usually involved, despite what the existing procedures say. Secondly, due to a recent request that we received, we now realize that the existing procedures for the publication of subpoenas do not address situations where we might be ordered or requested by law enforcement authorities to not post the subpoena and response. These may include cases where a subpoena identifies a person or a company. These are criminal rather than civil cases. We do not think it is necessarily obvious what we should do here. For instance, it might not be the right thing from the privacy point to post details of requests that identify a person. There are more cases, and some tradeoffs to consider. Large Internet companies that hold user data have developed policies to deal with some of these issues. The IETF’s situation is of course somewhat different. For instance, most data that the IETF has is publicly visible anyway. There’s some additional data of course, and even for the public data our ability to vouch for the authenticity of, e.g., an Internet-Draft from a given year can be important. And of course, unlike the large Internet companies, our legal department consists of much smaller force, at least in terms of number of people :-) The IAOC legal committee believes that we need two things. First, we need an update of the procedures in general, which is largely an internal organisational matter. Secondly, we need to develop a policy to answer the cases where confidentiality is either requested by law enforcement authorities or is otherwise the right thing. This is a policy question which we believe is best answered through community opinion, and obviously also careful legal review. The plan is for the Legal committee to do two things this spring. First develop and post the general update, which we post to the community for information and feedback. Second, develop an initial approach regarding an answer to the policy question and post it to the community for discussion. Please participate in that discussion — we’ll send details about where and how when we post the initial proposal. Once the community discussion comes to a conclusion, we will adopt the policy as defined by the community and the legal situation. If anyone has input on this topic, let us know. It is also fine to send suggestions before the proposal is posted. Jari Arkko, IETF Chair [1] https://iaoc.ietf.org/subpoenas.html [2] https://iaoc.ietf.org/subpoena-procedures.html
