Re: [Gendispatch] I-D Action: draft-halpern-gendispatch-antitrust-01.txt

[Jay Daley <jay@staff.ietf.org>]

> On 15/11/2021, at 7:14 AM, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> On Sun, Nov 14, 2021 at 01:39:37AM -0500, Joel M. Halpern wrote:
>> Toerless, several reactions to this email.
>> 
>> First, I (and my co-authors I am confident) do not intend to ignore any
>> input.  We may or may not agree with it, but it will not be ignored.
>> 
>> With regard to your question, the answer, to a first approximation as far as
>> my intentions go is both.  Which we tried to say in the document.
>> word-smithing suggestions are appreciated.
> 
> Ok. i do not read that from the text. But before wordsmithing, i wonder
> if it is prudent or even possible to achieve both. The legal constraints
> for the institutions are different as those of every participant:
> 
> The IETF does not have to care about a particular attendees home/citizenship
> country/countries legal concerns. Participants who are not US residents
> may not need/want to care about US law unless being on US soil. And we
> all, IETF and participants somehow need to figure out what we should
> specifically do about any other countries laws when we have an IETF there.
> 
> For example think of a university researcher from a european
> country who actually has a collaboration with Huawei. Now this ressearcher
> is talking with his collaborator on the hallway of an IETF and explains
> a cool new technical, non-published idea she has. This would be fine in all
> places, except if this IETF was happening on US soil. In that case, that researcher
> has violated US EAR regulations, exporting dual-use weapons technology
> (.eg.: "anything with routers") to an EAR listed entity because by being on US
> soil, of course US laws/regulations apply to her.
> 
> The reason for this example is that if we really want to help IETF participants,
> we probably cannot constrain ourselves to just anti-trust law.
> 
> But back to what i would recommend:
> 
> I for once would love to see really first an as short as possible
> "defense of IETF" version of the document from Bratt, e.g.: lawyer talk that ensures
> that IETF as an organization is as much as possible protected from legislation
> by the USA in case of IETF participant misbehavior. Does not have to be
> any easier to read by participants than any US law/regulation. Pretty
> much (IMHO) the same goal as the "Note Well" (which i understand to be
> protection of the IETF against, copyright/ownership/secrecy claim on
> anything that the IETF would want to record/publish). Aka: this is the
> behavior that IETF expects from you as as an IETF participant so that
> IETF can operate legally save as a US corporation.
> 
> This starting document should have IMHO not only protection against anti-trust
> US laws, but also important other law like EAR. If IETF could be co-accused
> as an enabler of any US law, whether it is anti-trust, EAR or whatever i do not
> know about, just because IETF provided the venue for such a public or private
> conversation, then this should be part of this "IETF defense" version of the document.
> 
> This version of the document IMHO does not need to have a lot of community
> input except from those who feel they have relevant US law input.
> 
> Then that legal IETF defense version needs some good faith effort to go
> beyond US law for all the times IETF happens in person in a differnt country.
> This is likeyl hand-waiving, BUT: it could self-oblige IETF to publish in time
> before any "overseas" IETF some statement as a result of investigation of
> additional rules to comply to in that country. These likely could be
> just per-country summaries on www.ietf.org <http://www.ietf.org/> that would accumulate and then
> hopefully not need to be redone when we just go back to the same countries
> over and over again.
> 
> In any case: IMHO it does not make sense to first focus on what we
> as participants think before we're code-complete as to what the IETF
> as an institution needs.
> 
> The whole side-thread about how we are supposed to be individual contributors
> exists only because we may have different understandings of whether or
> not the IETF could protect itself being accused as a party in anti-trust
> behavior by just claiming all participants are individual contirbutors,
> when we currend do, and IMHO need to be able to create evidence to the contrary.
> 
> So, i would primarily like to understand how each of the statements of the
> document protects the IETF from what legal risk. And maybe stash anything that
> doesn't serve this purpose away (appendix, whatever). Not because i don't think
> we should ultimately have more stringent expectations than what is legally
> necessary, but because i would like to have a clear distinction between
> (a) third party caused "legal/expectations" and (b) self-made "culture/rules",
> tht are not third-party caused (eg. not legally required).
> 
>> The caveat is that it is hard enough to arrange useful advice in the IETF
>> context. Generalizing and adding to it for other context is left to the
>> reader, or the reader's lawyer.
> 
> What i was trying to get to was the distinction between (a) and (b).
> For all intent and purpose, i could write "ACME" instead of IETF in all of
> (a), but would need to write IETF for (b). Given how we do not want to write
> "ACME", we need some way to distingish the two (a)/(b).
> 
>> Beyond that, I am waiting to give the chairs time to figure out what they
>> think the dispatch answer is.  (As I said at the time, I did not expect an
>> answer yet.)  And to talk with my co-authors about what changes we think
>> make sense for the issues we want to address even before dispatching.
>> (After dispatching, the dispatching mechanism will help us determine what
>> path to take.  It will, I hope, become a community document with us
>> responsible to abide by the rough consensus.)
> 
> I am alway for community document, but of course (a) above is primarily a
> lawyer issue. Community input on that part would be around scope for example.
> E.g.: which legal requirements are in-scope. Why only anti-trust if something
> like EAR may be an even bigger risk to IETF (no idea if this is true of course, i
> am just guessting...).
> 
> The other problem with community consensus is that normal IETF
> process IMHO only works for documents not impacting those not interested
> in them (very simplified statement). Aka: most technical documents.
> 
> For community rules applicable to all, we should add elements to 
> community consensus, such as questionaires to really poll a much larger
> part of the community. Given How you have "Mr Questionaire" (;-p) as one
> of the co-authors, i'd hope we could count on him doing one for this
> work, once it is in the best shape for such a quiestionare from the whole
> community.

There’s a crucial point here that keeps getting missed - the *only* way that the IETF can be put into a tricky legal position is by the behaviour of participations and therefore the *only* ways that the IETF can 'defend' itself are by distancing/disowning the behaviour of participants, and/or by regulating the behaviour of participants.  If we assume for a moment that distancing/disowning is insufficient (noting that some feel it is sufficient) then we cannot separate out your a) and b) as you propose.

I understand that you do not see the linkage between each behaviour the draft recommends avoiding and antitrust law, but do you really think you need to understand that or is it not sufficient that one or more lawyers agree that these are the behaviours to be avoided?  In other words, do you need to be educated to the level of an antitrust lawyer by this draft?  Also, for the draft to explain this linkage it has to go into the very same level of detail that you argue against elsewhere.  

Rather than looking at this draft from the 'input' side where we get into all the complexities of different laws in different regimes etc, it’s likely more productive to look at it from 'output' side, i.e. how does each of these recommendations affect participation in the IETF?

Jay

> 
>> Yours,
>> Joel
>> 
>> On 11/13/2021 11:55 PM, Toerless Eckert wrote:
>>> On Sun, Nov 07, 2021 at 04:40:13PM -0500, Joel M. Halpern wrote:
>>>> I agree with some of your proposals, and disagree with others.
>>>> But I do not see any of the actual proposals as substantive enough to affect
>>>> the dispatching concern.  They all seem things we can fairly discuss once
>>>> dispatching has taken place.
>>> 
>>> Does that mean the authors will drop and forget input her from the list that
>>> is not marked as "unless this issue is resolve, i will not recommend for this
>>> document to be dispatched" ?
>>> 
>>> To repeat here on the list what i said during the WG meeting:
>>> 
>>> I do not recommend for this document to be dispatched until it is
>>> clearer written down agreed to, what actually the goal is. And i see two potentially
>>>  even conflicting possible goals:
>>> 
>>> a) To put into writing sufficient 'Cover My Behind' statements to protect
>>> the IETF from legal action in case participants partake in anti-trust
>>> behavior. This is not mentioned as a goal in the draft, but i have the
>>> strong believ that this must have played a role on writing this document.
>>> And i do support such a document, but it should explicitly state that
>>> purpose.
>>> 
>>> b) A document that is really intended to help participants to understand
>>> how to not get into anti-trust law issues. This is what the document claims
>>> it wants to achieve, but quite frankly i do not even understand the most
>>> basic connection between this goal and being an "IETF participant".
>>> 
>>> E.g.: what legal differences does it make for my compliance (or lack thereof) with
>>> anti-trust laws if my actions are performed at the IETF or at any other
>>> place ? Lets say when i am getting together "privately for dinner" at an evening
>>> of an IETF week with a bunch of folks i know who happen to also attend the
>>> IETF, and discuss exactly the same stuff there ? Unless there are really
>>> strange laws (which i would be curious to learn about), i'd say the only
>>> difference is (a), aka.: possible implication of the IETF into legal
>>> actions caused by its participants ("sponsoring anti-trust behavior").
>>> 
>>> I also think that for (a), we do not necessary need to add more explanatory
>>> text (however unfortunate i would think that is), but if the goal is (b),
>>> and someone like me is supposed to understand the guidance, then i'd certainly
>>> be asking for more explanatory text to be put into the document.
>>> 
>>> So, i really can't see how we can dispatch a document without being clearer
>>> about this goal. And if it is just me being confused here, great, please
>>> unconfuse me.
>>> 
>>> Cheers
>>>     Toerless
>>> 
> 
> -- 
> ---
> tte@cs.fau.de <mailto:tte@cs.fau.de>
-- 
Jay Daley
IETF Executive Director
exec-director@ietf.org