At 04:08 09/12/2005, Lucy E. Lynch wrote:
On Fri, 9 Dec 2005, JFC (Jefsey) Morfin wrote:
<snip>
> NB1: I fully understand that people from the darkwing are jealous
> from those living on the brightside. :-)
channeling Lord Vader ... "The force is with you young Skywalker, but
you are not a Jedi yet."
Dear Lucy,
even billions years ago, by my network age, I am more Qui-Gon Jefsey :-)
> NB2: I still wait for my response concerning the legal responsibility
> of the Trust.
I believe that once the IETF Trust is signed, the Trustees will take
on the duties outlined in sec. 7, and , because the trustees are the
members of the IAOC, they will be answerable to the IETF community
under the provisions outlined in BCP 101 - is that the answer you're
looking for? Additional duties can be added by the community idf the
need arises.
No. "Legal" does not mean answerable to the community. It means
answerable to the Law. I will detail the response because I think it
is important. Very important for the network stability - where would
we go if the IETF was blocked.
Let be practical. The IETF, after approval of the IESG and the review
of the IAB, produces texts. It is therefore an author. An author has
legal responsibilities for the content of his texts. In addition this
publication is assumed by an editor (the RFC -Editor) the IAOC shares
into the organisation. Editors have legal responsibility. The more an
author has authority in his area, the more he has duties. This is a
cooperative work the rules of which underline (RFC 3935) the
obligations of competence and responsibility. This is a serious
published claim of trustability any Judge will consider.
In addition the IETF claims (RFC 3935) that its mission is to
"influence" those who "design, use and manage" the Internet. This
Internet is no more conceived as the user's adherence to the IETF
documents, what implied the necessary acceptance of the IETF
doctrine, solutions and authority, but as the common digital
ecosystem of the world, something co-own by everyone independently
from the IETF.
This means that the IETF, its editorial committee the IESG, its
review committee the IAB, its editor the RFC -Editor, its management
the IAOC and the Trustees of its IPRs share responsibilities in the
incitations published and in the influences seek by its authors.
Let consider the case of an RFC (wearing the diamond logo, IETF name,
etc.) where the IESG has accepted Security Considerations which do
not document an important risk. Someone (at this level it is likely
that that someone is an important entity or a Government) suffer or
wants to protects users from that risk, and sues the "IETF" for its
dangerous incitation and its responsibility by influence. Who is
legally responsible?
In the confusion of the IETF/IESG/IAB/IAOC/ISOC in the area of
responsibilities, IANAL but common sense is to think that legal,
ethic and financial responsibility will be found where is the IPR
claim. It is also likely that the WG members, the IESG and the IAB
members, and the authors will be individually or collectively
prosecuted if the case if of enough importance.
1. what is different about IETF from other SSDOs?
- the IETF wants to be partly binding (influencing) to the users
of an operational system its users co-own without reference to the IETF
- the IETF obliges itself to competence and responsibility in
what it says and in the most efficient use of that system
- the IETF is a loosely organized structure with no clearly
identified legal core and no adhesion statement waiving its/or its
participants' responsibilities.
- the waiver included in the Internet standard document cannot
cover the incitations these documents may contain nor the use the
IETF itself wants to make of them as an influence tool conforming to
its very mission.
- the IETF debates are supposed transparent and therefore show
to what extent and with which seriousness legal rights and societal
and political consequences have been considered, as well as the
attention brought to each country, community, individual interest.
- the IETF is a private entity protected by no international
mandate, with no official representation assuming responsibility in
front of national and international law. Its only protection is the
claim that the USG refused on its behalf (as the initial investor)
the UN form of international protection offered by the international
community
(http://usinfo.state.gov/eur/Archive/2005/Nov/16-685260.html). I am
not competent enough to know how, when and if such a protection could
be really obtained.
- however the concept that "the constitution is in the code",
i.e. in the standard, is a well known and accepted concept which
makes the IETF the source of an increasingly important part of the
world's constitution. However the IETF has not a structure to
consider the societal, political, sovereignty, economical, privacy,
etc. impact of its technical decisions.
2. what are possible cases the IETF can be sued for?
- the way an RFC disfavors economical, societal, national
interests. This is a well known issue. The IETF fully acknowledges it
through its appeal procedure. But the IETF interrupt the appeal
possibility to the IAB. As long as the issue concerns an IETF
document, endorsed by the IESG and reviewed by the IAB this is OK.
But when the content has a legal or political aspect beyond the
authorship authority of the IETF, what is the escalation against a
biased decision of the IAB?
- the IETF is an open house. It has studied its own financing
and functioning and the way it can be used by biased interests (RFC
3774 and RFC 3869). This shows that there are cases against biased
dominance, disloyal practices, etc. where the IETF can be considered
as an accomplice on a case per case basis, or for not having
structurally corrected a known situation.
- incitations is an important area. There are attitudes and
positions that the IETF considers as normal or even claim to
politically support however they are not technical. This may hurt
national laws. The way the IETF addresses the lingual issues can
easily be construed as an actual violation of the human rights. The
lack of warning about the possibilities permitted or increased by
RFCs concerning privacy violations, personal profiling over racial,
cultural, religious aspects, etc. are criminal by themselves.
- more generally, since 9/11 nations have documented the "nuclear
equivalent" risks the Internet represents for their citizens (in
particular the USA were the first to publish an analysis and to build
a set of requirements I often quote as fundamental, and I do not feel
meany read: http://whitehouse.gov/pcipb). Should such a risk
transform into a realty, as we all are conscious [from other
technology developments] it will at some stage, the prosecution and
the public opinion(s) will investigate the responsibility of the
self-proclaimed collective influencing authority having sponsored the
originating technical failure.
I note that in this I only consider the legal responsibility. But the
self chosen moral individual or collective responsibility is enormous
while the IETF offers no protection to its members. Should someone
propose something which can be misused or wrong with a deadly direct
or indirect impact, the "consensus" process of the IETF offers no
serious warranty that this will be corrected by the IETF collective mechanic.
This is only a quick and dirty response, to give you a rough picture.
Lawyers and politics could build a much more precise one. I note that
in front of a major privacy/racial information violation (as RFC
3066 bis prepares), or of a large number of foreseen deaths (as
considered by the White House document) legal theories do not hold
much even if they permit a posthumous victory. The Internet is more
and more part of everyone life. It MUST be protected from this kind of issues.
Tunis has accepted that for a short while this would be kept under
the responsibility of the USA through the current status quo. This is
a BIG responsibility on voluntary individuals and on a confuse
structure. At least this structure is to seriously consider its
protection and fuses. ICANN is currently protected by the GAC and the
USG/NTIA in case of a country suing them over a ccTLD delegation, but
it is commonly sued for it other decisions. What does protect the
IETF? All the more than RFC 3935 describes a non-consensual,
non-transparent IETF decision mechanism: who is legally responsible
for these decisions. What is the financial protection scheme signed
for the IAB and IESG members?
If I only take the case of the RFC 3066 bis I know well, there is a
very impressive number of reasons to legally assign the IETF, the
IESG, the members of the WG-ltru. We all know that today the point in
an assignation is not to win but to proceed. What is the use to be
right when one is dead? I know there are cheaper ways to kill the
IETF and to force a technology change or a status quo protection or
even only to block a competitive choice. But not everyone knows it:
the most common way we know everyone knows is to sue.
jfc
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf