Legality of IETF meetings in PRC. Was: Re: Request for community guidance on issue concerning a futuremeetingof the IETF

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




I have done a little digging around on the questions I asked and thought I might summarize some of the responses I got back to my email.

More inline .... Note all the comments below do not refer to the "Special Administrative Regions". I strongly support Ted's suggestion that running the meeting in one of theses zones would eliminate the concerns I have raised.

On Sep 23, 2009, at 9:45 PM, Cullen Jennings (fluffy) wrote:


IAOC,

I'm trying to understand what is political speech in China. The
Geopriv WG deals with protecting users' location privacy. The policies
of more than one country have come up in geopriv meetings in very
derogatory terms. There have been very derogatory comments made by
people about the US's wiretap policy. Unless someone can point me at
specifics of what is or is not OK, I would find this very concerning.
We also regularly discuss issues around Taiwan/China, cryptography,
wiretap, DNS root server location, reverse engineering, and so on.
Clearly most the people involved with IETF would never want to break
the laws of the country they are visiting but the question is do we
actually understand the laws and what impact do they have on our
technical work? To help us make informed decision about whether these
terms are issues or not:

1) What is political speech in China? And can we explain that to IETF
participants well enough that they know what is OK and what is not.


Got a few reposes to this - none very solid but they seemed generally along the lines of "If you are looking for something crisp, forget it"

2) Are there any special rules about publishing and broadcasting? I
note that the IETF, unlike most other groups having meetings,
broadcasts the meetings live over the internet, which will be both
publishing the material and exporting it outside of the PRC.


Got answer from non legal person of yes you need a license for this but they could not point me to the actually regulations. Still hoping to get a better answer. Hs the IAOC got legal advice on this?


3) Are there any rules around discussion, publication, or export of of
cryptography algorithms and technology? publishing weaknesses of
national crypto algorithms?


The advice I got was that unless we got a license if the IETF developed crypto in China and we exported it out, then this would be illegal in PRC. It was pointed out PRC is not part of Wassenaar Arrangement. I was advised our broadcasts of and export of minutes from meetings would be "Deemed Export". It seems pretty hard to argue that the IETF does not develop any crypto. Has the IAOC received any legal advice on this?

4) Many of our participants use communications products (like jabber
clients) that they helped develop and include strong cryptography. Do
they need permission to use these in China?


One person with what I view as a reasonable background in PRC law told me this would be illegal and violate State Council Order No. 273, "Commercial Use Password Management Regulations" among other things. The "clarification letter" does not seem to change this. It seems this would be illegal there without a license. Has the IAOC received legal advice on how this impacts us.



5) When discussing what I think of as technical issues, many
participants regularly treat Taiwan and PRC as two different countries
and currently recognize both of them as separate countries in their
own right. I'd actually venture a guess that there is strong IETF
consensus they should be treated this way.  Could any discussions like
this be viewed as political speech? What are the rules on this?

Still gathering data on this one. If you know something, let me know. I heard a rumor that on our registration form, when we asked what country you are from, we would not be allowed to ask Taiwan or PRC. Does anyone know any truth value to this rumor?


6) It is not core to IETF work but some of us do some interop of
running code for IETF protocols under development sometimes at IETF.
This would be about the right timing for running P2PSIP code, but that
requires us to to run a local CA. Is any special permission needed to
run a CA in China?


A license is needed to run a CA in PRC. What we normally do would be illegal there.


7) Would we be OK running a BOF on techniques for firewall advancement
in general and in particular on getting around any firewalls China
runs? [Seriously, you know someone will propose this BOF, the
questions is could we run it or not?]


Answer I got was discussion of security policies of PRC's firewall and methods to get around it would definitely not be OK to discuss. Two of the many problems would be:

1) this is defamatory towards the state agency that run the firewalls
2) this could be considered release of state secrets

Answer seemed pretty solid that this topic was not one that most people would consider a really bad idea to discuss in PRC.


8) Given the Chairs for WG set the agendas and such, I am assuming
that a reasonable person would consider all the presentation done by
presenters at the front of the room to be things that are under
control of the client. Is this the assumption the IAOC is working
under too?


9) What is the IETF's potential liability here. If the meeting was
canceled on Monday, everyone checked out of hotels early and paid a
one day change fee, would the IETF be responsible for the hotel's loss
of revenue for the Wednesday through Friday nights?

10) If the meeting is canceled, will the IETF be reimbursing the
registration fees?

11) Given the IETF would be depending on the actions of the
participants of the meeting to meet the contract, it would seem very
prudent to me to make sure that each participant agreed to this. Will
you be asking each participant to sign an agreement agreeing to these
terms?


Really love to hear the IAOC thoughts on this one ....

12) Do you all feel like you need a beer yet?

I'm trying to get to the bottom about what is legal and what is not in
the PRC.  Ignorance is not an excuse for the law in any country and
when I don't know if something is legal or not, I don't do it.

As an interesting side note, it seems that some people think that many of these things are officially illegal but they are fine to do anyway because other meetings are doing them etc. This is not a position I share and more importantly, it is not a position where I am willing to ask our WG Chairs, authors, and other volunteers to do something illegal because it will all be fine. Even if there are no short term consequences, I can imagine a case where 10 years later someone is seeking security clearance and this comes back to bite them.

Right
now I am looking for input from knowledgeable people on these
questions. I imagine the IAOC has looked into many of these and would
appreciate understanding what you have found.

Thanks, Cullen




The answer I have got are very disturbing from a legal point of view. I believe the IAOC has received requirements front the IESG around the minimum things needed for a meeting. For the IAOC to understand if they can meet these requirements, I believe IAOC needs to get legal advice from a PRC lawyer around if the questions I am asking about certain discussions being legal or not in PRC and make the results of that advice public. Anything less would be in my view a failure of their fiduciary responsibilities. The advice I have gotten so far has not been advice from definite experts that I am sure is correct so I am hesitant to rely on it too strongly but so far it has indicated that some of these things all are not legal in the PRC but clearly the IAOC should get to the bottom of this before making a decision and inform the community of what they learn so that individual can make informed decisions about their own attendance.





_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]