The IETF Administration LLC (IETF LLC) has received legal advice that there are
specific circumstances where it may need to restrict an individual’s access to
IETF IT systems or face potentially serious legal consequences. The
circumstances identified so far are:
1. When an individual is using IETF systems to seriously harass another and
all attempts to get them to voluntarily desist have failed.
2. When an individual is using IETF systems to repeatedly infringe the
intellectual property rights of one or more third parties and all attempts to
get them to voluntarily desist have failed.
3. When ordered to do so by a court order from a court with jurisdiction over
the IETF LLC.
Please note that ‘IETF systems’ means mailing lists, Datatracker, remote
participation services (Meetecho, Webex and Zulip), and more.
Clearly each of the three circumstances described above are very different.
For circumstance 1 (harassment), there are existing processes that would be
followed initially, such as involving the Omdbudsteam and the RFC 3683 process
for revoking posting rights. However, this consultation is about what should
happen if and when any applicable processes have been followed and we still
reach the point where legal counsel advises us to restrict access.
For circumstance 2 (IPR infringement), the RFC 3683 process could also
potentially be used, but again this consultation is about what happens when
that doesn’t work or the infringement is not sufficiently addressed by that.
We also need a policy here because legal counsel has counseled us to define a
US Digital Millennium Copyright Act (DMCA) policy to benefit from the
associated ‘safe harbor’ regime and avoid potential significant risks the IETF
LLC could face in the absence of such a policy.
For circumstance 3 (court order), while our discretion to act would be very
limited, there are still important questions of how we do it and what we tell
the community.
With this context, the IETF LLC would like community feedback on what a draft
policy for restricting access should look like, working on the assumption that
such restriction will ultimately be necessary under certain circumstances and
it is therefore important to define such a policy in advance. The IETF LLC
will then draft a policy using this feedback and consult on that text.
The reason that this consultation is being issued by the IETF LLC rather than
say the IESG, is because the IETF LLC has the ultimate legal responsibility
here, as defined in RFC 8711 “The IETF LLC is responsible for establishing
and enforcing policies to ensure compliance with applicable laws, regulations,
and rules”. However, if anyone feels that an IETF LLC consultation is not the
appropriate mechanism to consider such a policy and it should instead be
handled through a community-led process, then please let us know.
Alternatively, some may feel that a consultation is not needed because this
should be left to the lawyers to advise and the LLC to follow their advice, in
which case please let us know.
While comments are welcome on any aspect of this, the key questions that the
IETF LLC seeks feedback on are:
* Who should be the decision maker(s) for any restriction of access under this
policy and what process should they be required to follow? For example, could
it be the IETF LLC board acting on a recommendation of the IETF Executive
Director and advice of legal counsel, and having consulted as appropriate, the
IESG, IAB, IRTF Chair, Ombudsman, etc?
* Should we restrict the person or the infringing logins, email addresses,
etc? It is recognised that people can get around restrictions by using
different email addresses, IP addresses, etc but the alternative of expecting
the IETF LLC to try to identify the person behind those may have unintended
consequences for those that choose to participate pseudonymously for reasons
unrelated to these circumstances.
* How should any restriction of access be structured, considering both the
severity of the limitation and the period of the restriction? For example,
should it begin with system access (such as sending an email or submitting an
I-D) being moderated and if that doesn’t work escalate to complete
disconnection? And for how long would any restriction apply?
* What right of appeal should anyone subject to access restriction have and to
whom?
* What information should be made public regarding any action to restrict
access?
Please provide your feedback either to the [email protected] public
mailing list, or to me directly at [email protected] by 7 August 2022.
--
Jay Daley
IETF Executive Director
[email protected]
_______________________________________________
IETF-Announce mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-announce
