Statement on Restricting Access to IETF IT Systems

31 Oct 2022

IESG Statement on Restricting Access to IETF IT Systems

In discussions with IETF counsel, a number of potential circumstances have been identified under which the IESG should, after having been advised by counsel, restrict an individual from using IETF IT systems and/or from participating in IETF meetings, as not doing so would expose the IETF to serious legal risk.

The IESG expects that it will follow the advice of counsel and restrict access and/or restrict participation of an individual. The IESG intends to only take such drastic actions in response to legal advice by counsel, and not for other reasons. It is expected that this advice will only be received after all other reasonable attempts to address the issue, if any are possible, have been exhausted. The IESG publishes this statement to set out in advance the principles and procedural guidelines it will follow in taking such an action.

The circumstances currently identified under which such legal advice may be provided are as follows. This is not an exhaustive list and this statement will apply under any circumstance where legal advice of this nature is received:

1. When ordered to do so by a court that has jurisdiction over the IETF LLC or parts of its operations.
2. If an individual concerned is using those systems or meetings to threaten or otherwise seriously harass someone.

3. If an individual repeatedly shares copyrighted material – through IETF IT systems or at IETF meetings – that they do not have authority to share.
   The principles that the IESG will aim to maintain from the outset are as follows. These principles are listed in order of priority and where a conflict between them arises, the higher priority principle will take precedence:

4. To comply with the law and mitigate any serious legal risk to the IETF.

5. To preserve, as far as is possible, the integrity and openness of the standards process.
6. To preserve the current approach to identity for IETF engagement, noting that this varies according to context from anonymous (e.g., accessing RFCs), to pseudonymous (e.g., contributing to a mailing list), to identity verified (e.g., as a board member of the IETF LLC).
7. To only act as necessary to mitigate the serious legal risk and to avoid any over-reach.
8. To be fully transparent with the IETF community about the action taken, the reasons why, and who is affected.
   Some examples of a conflict between the principles are:

• Where a court order instructs us to keep an action secret.
• Where identifying an individual being acted against is considered likely to lead to an escalation of their behavior of harassment.
  The following procedural guidelines will be used when action is taken, unless overridden by the principles above:

1. The IESG will consult with other parts of the IETF as needed, including the Ombudsteam, the IRTF Chair, IETF LLC or any affected participants.
2. If the identity of an individual is reasonably well established, then the restriction will be against the individual, but if it is not, the restriction will be limited to their identifiers (e.g., usernames or email addresses).
3. If the restriction can reasonably be limited to one or more IT systems and/or forms of participation, then it will be, unless there is an expectation that broader restrictions will inevitably be required.
4. An individual will be notified of the IESG action by counsel and is expected to only correspond with counsel, not the IESG or others, on this matter.
5. An action will be announced to the ietf-announce mailing list and a public record will be kept on the IETF website.
   In addition, in order to ensure that the IETF is protected by the Safe Harbor regime of the US DMCA, the IETF and IRTF websites will include a page with the following warning alongside the specific contact information required by the DMCA:

The IETF reserves the right to terminate the use of IETF IT systems by IETF participants who violate the law by repeat copyright infringement. For full details, see the IESG Statement on Restricting Access.

The IESG recognises that restricting access to IETF systems will impact IRTF engagement as well as IETF engagement given that they share the same systems. The IESG has consulted with the IRTF Chair who agrees that this is an expected side effect and that the requirement to consult the IRTF Chair provides sufficient coordination.

In cases where the advice from counsel is to restrict an individual from using IRTF systems and/or from participating in IRTF meetings, the IRTF Chair will follow the same principles as noted above. Due to the potential impact on the standards process, due to shared infrastructure and joint meetings between IRTF and IETF, the IRTF Chair agrees that any such action will only be taken in consultation with the IESG.