Executive summary: I think the discussion so far highlights some
problems with the Consultation statement itself. In particular,
I think that conflating the three "circumstances" is unwise and
could lead to some unfortunate and unnecessary conclusions that
might be harmful to free and open discussions to proposals for
standardization or other IETF actions. For reasons explained
below, I would encourage the LLC to separate the question of
what should be done if we are confronted by an actual (and
presumably applicable) court order from assorted behaviors that
might subject the IETF to legal liability, to pose several
questions to the sources of the legal advice received, and then
to reissue the Consultation (or, ideally, two of them) with
answers to those questions included and more information by
which the community can help to make important distinctions,
possibly including ones about what should be handled by the
IETF/IESG (possibly with some modifications to existing
procedures and with LLC assistance) and what should be (or is
necessarily) left to the LLC.
Details below.
--On Thursday, June 30, 2022 13:32 +0000 "Livingood, Jason"
<Jason_Livingood=40comcast.com@xxxxxxxxxxxxxx> wrote:
>> please define the courts with jurisdiction over IETF LLC.
>
> For better or worse the IETF LLC is required to operate within
> the law. For example, US courts could serve the LLC with legal
> orders and we must comply with US tax laws (and other US laws
> and state laws). When we held a meeting in Vienna, we had to
> comply with local Austrian laws, and so on. When we meet in
> Philadelphia, US federal laws, Pennsylvania state laws, and
> Philadelphia local laws will apply - and each have their
> respective court systems.
I think this is fine and, AFAIK, completely correct. I also
think it is mostly irrelevant to most of the questions Jay posed
in the consultation announcement, so I'd like to come back to
that and suggest splitting it up a bit, in the process getting
back to the question I would have been trying to get at had I
asked Lloyd's "jurisdiction" question. In particular, the
consultation identified three separate cases ("circumstances"):
1. When an individual is using IETF systems to
seriously harass another and all attempts to get them to
voluntarily desist have failed.
2. When an individual is using IETF systems to
repeatedly infringe the intellectual property rights of
one or more third parties and all attempts to get them
to voluntarily desist have failed.
3. When ordered to do so by a court order from a court
with jurisdiction over the IETF LLC.
It seems to me that, so far, almost all of this thread
(including your response above) has focused on the third. I
think the answer there is obvious and is covered by both your
response and Jay's earlier one: If the LLC gets a court order,
Counsel is consulted about whether that court order is valid and
applicable. IANAL, but I would guess the legal questions might
be somewhat subtle and not necessarily the same if "access to IT
systems" (see the first paragraph of the consultation) were
sending traffic to or receiving messages from IETF mailing
lists, use of IETF/LLC-maintained systems such as the
datatracker or rfc-editor.org, or use of non-IETF facilities to
engage in IETF work (such as github and perhaps Meetecho,
Gather, etc.). While I would encourage the LLC and its Counsel
to not roll over too easily (e.g., there are organizations that
will change behavior on the threat of someone seeking a court
order rather than waiting for one, examining it, or thinking
about jurisdiction questions, and I hope that, as a general
practice, we would not go there), ultimately, if the LLC gets a
court order and is advised by Counsel that it is binding and
enforceable, the LLC follows it. The only question there
involves the circumstances under which the LLC might fight such
an order, a question the consultation, as written, appears to
leave out.
So, within the scope of the consultation and the third
circumstance, I believe that, as the condition is stated and
consistent with your comment above, the answer is, as the
consultation indicates, "not needed because this should be left
to the lawyers to advise and the LLC to follow their advice".
I do believe that it would be helpful for the LLC to propose,
and get community advice about, the degree to which it would be
appropriate to resist (e.g., file briefs opposing, consider
appeals) access restrictions that could appear to reasonable
people to restrict open and free discussion of matters that
would fall broadly within the IETF's scope (noting that the
boundaries of that scope are probably a matter for the IESG
rather than the LLC).
As an extreme (and I hope thoroughly unlikely) example, suppose
some country decided to ban the use of encryption except under
tightly controlled conditions, noticed that the LLC-chosen CDN
provider provided services or had equipment in its jurisdiction,
and, on that basis, its courts issued an order banning
discussions of strong encryption using IETF facilities. I would
expect that the LLC, presumably with the support of that CDN
provider, would fight that order vigorously and/or figure out
how to avoid its effects rather than simply trying to enforce
the ban against anyone who brought up that topic. But, again,
the consultation does not seem to address that issue or
possibilities like it.
For that third circumstance, the other "key questions" in the
consultation (with the exception of the last one), would almost
certainly be moot: if a valid and enforceable (as advised by
Counsel) court order says "do X" or "don't do Y", that is what
the LLC is going to do and questions about who decides exactly
what should be done and how would either be irrelevant or
matters of negotiation with the courts, not with IETF policy.
An exception would clearly arise if the LLC received a court
order that was as vague as (as an extreme and perhaps silly
example) "something nasty is going on here, we order you to do
something of your choice to mitigate it" but, as a layperson,
I've heard of few such court orders. If Counsel have advised
that we need policies to govern our behavior in case of orders
that are very vague or give us significant flexibility about how
to interpret them or respond, more details from them would be
useful.
The exception, again at least for that third circumstance, is
the final question: if the LLC is taking action in response to a
court order, both the court order and the exact action taken
(including any measures the LLC does take or might take and
decided not to) should be public except as limited by the court
order itself. Any other choice would almost certainly be
damaging to the IETF and, absent a secret court order, would not
protect anyone's legitimate privacy or other rights.
I see the first two cases/ circumstances as entirely different
because the decisions as to what to do, even if strongly
influenced by concerns about potential legal action, are up to
the IETF and/or the IETF Administration LLC. There it seems to
me that SM's questions about implications to the standards
process and the boundaries set by BCP 101 are entirely
appropriate (regardless of what one thinks the answers should
be). Those questions and the answers might be informed by a
cluster of questions I would like to see the LLC address with
Counsel and then come back to us with the answers and, if they
do not make a course of action obvious, launch a separate
consultation on the issues involved. For example, given that an
individual behaves in a fashion that consistently violates the
IETF Code of Conduct, anti-harassment policies, or related rules
and cannot be persuaded to "voluntarily" stop doing so, what
actions can the IETF take to protect itself from legal liability
for those individual behaviors? As possible protections for the
IETF, should we have mechanisms to seek court orders against
those individuals and their behavior? Should we be revising RFC
3683 to make applying it faster in some cases and/or to allow
applying broader sanctions than revocation of posting rights
(IIR, at the time 3683 was written, the IETF was maintaining and
using a much narrower range of IT services and believed (on
advice on Counsel at the time) that problems resulting from
serious violations of IPR policies or laws would fall on the
violator, not the IETF?
thanks,
john
