I've forwarded this to SBWASP, OC OWASP, & LA OWASP & my patent attorney as well :)
Sent: Thursday, March 23, 2017 at 11:06 PM
From: "IETF Chair" <chair@xxxxxxxx>
To: "IETF Announcement List" <ietf-announce@xxxxxxxx>
Cc: ietf@xxxxxxxx
Subject: IETF subpoena processes update and a request
Occasionally the IETF is served with a subpoena, typically to assist
finding prior art, documents and list discussions, in an effort to
resolve patent disputes. We encourage everyone to just use our
publicly available resources instead of formal requests, but we
do get a few subpoenas every year. The IETF charges a fee
for the service. The IETF makes these civil subpoenas and
the primary response public at [1].

The IAOC Legal Committee has identified two issues with the
existing procedures [2]. First off, practices have evolved somewhat
since the procedures were last updated in 2007, and are out of
date. For instance, the subpoenas are today handled by IETF Legal
Counsel, the Legal Committee Chair, the IAD and record custodians
such as the Secretariat and the RFC Publisher. Others, such as the
IETF Chair, are not usually involved, despite what the existing
procedures say.

Secondly, due to a recent request that we received, we now
realize that the existing procedures for the publication of
subpoenas do not address situations where we might be
ordered or requested by law enforcement authorities to not
post the subpoena and response. These may include cases
where a subpoena identifies a person or a company. These
are criminal rather than civil cases. We do not think it is
necessarily obvious what we should do here. For instance,
it might not be the right thing from the privacy point to
post details of requests that identify a person. There are
more cases, and some tradeoffs to consider.

Large Internet companies that hold user data have developed
policies to deal with some of these issues. The IETF’s situation
is of course somewhat different. For instance, most data that
the IETF has is publicly visible anyway. There’s some additional
data of course, and even for the public data our ability to vouch
for the authenticity of, e.g., an Internet-Draft from a given year
can be important. And of course, unlike the large Internet
companies, our legal department consists of a much smaller
force, at least in terms of number of people :-)

The IAOC legal committee believes that we need two things.
First, we need an update of the procedures in general, which
is largely an internal organisational matter. Secondly, we need
to develop a policy to answer the cases where confidentiality
is either requested by law enforcement authorities or is
otherwise the right thing. This is a policy question which we
believe is best answered through community opinion, and
obviously also careful legal review.

The plan is for the Legal committee to do two things this
spring. First develop and post the general update, which we
post to the community for information and feedback. Second,
develop an initial approach regarding an answer to the policy
question and post it to the community for discussion. Please
participate in that discussion — we’ll send details about where
and how when we post the initial proposal. Once the community
discussion comes to a conclusion, we will adopt the policy as
defined by the community and the legal situation. If anyone
has input on this topic, let us know. It is also fine to send
suggestions before the proposal is posted.

Jari Arkko, IETF Chair

[1] https://iaoc.ietf.org/subpoenas.html
[2] https://iaoc.ietf.org/subpoena-procedures.html