Network Working Group A. Farrel Internet Draft Juniper Networks Category: Informational P. Resnick Qualcomm Expires: 25 October 2012 25 April 2012 Sanctions Available for Application to Violators of IETF IPR Policy draft-farrresnickel-ipr-sanctions-05.txt Abstract The IETF has developed and documented policies that govern the behavior of all IETF participants with respect to Intellectual Property Rights (IPR) about which they might reasonably be aware. The IETF takes conformance to these IPR policies very seriously. However, there has been some ambiguity as to what the appropriate sanctions are for the violation of these policies, and how and by whom those sanctions are to be applied. This document discusses these issues and provides a suite of potential actions that may be taken within the IETF community. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Farrel and Resnick Expires October 2012 [Page 1] draft-farrresnickel-ipr-sanctions-05.txt April 2012 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 1. Introduction The IETF has developed and documented policies that govern the behavior of all IETF participants with respect to intellectual property about which they might reasonably be aware. These are documented in [BCP79] and are frequently brought to the attention of IETF participants. The policies state that each individual participant is responsible for disclosing or ensuring the disclosure of Intellectual Property Rights (IPR) where: - they are aware of the IPR - the IPR is relevant to the IETF work they are participating in - the IPR is owned by a company that employs or sponsors the individual's work. Conformance to these IPR policies is very important, and there is a need to understand both what sanctions may be applied to participants who violate the policies, and who may apply those sanctions. This document discusses these issues and provides a suite of potential actions that may be taken by the IETF community. All of these sanctions are currently available in IETF processes, and two instances of violation of the IPR policy have been handled using some of the sanctions listed. As explicitly called out in Section 4, a posting rights (PR) action described in [RFC2418] as updated by [RFC3934], and in [RFC3683] is an applicable sanction for the case of a breach of the IETF's IPR policy. This document does not consider the parallel, but important issue of ways to actively promote conformance with the IETF's IPR policy. That topic is discussed in [Promote]. 2. Description of IETF IPR Policy The IETF's IPR policy is set out in [BCP79]. Nothing in this document defines or redefines the IETF's IPR policy. This section simply highlights some important aspects of those policies. Additional information on the IETF's IPR policy may be found at [URLIPR] and [URLIESGIPR]. Farrel and Resnick Expires October 2012 [Page 2] draft-farrresnickel-ipr-sanctions-05.txt April 2012 2.1. Responsibilities of IETF Participants and Timeliness According to [BCP79], individual IETF participants have a personal responsibility to disclose or ensure the timely disclosure of IPR of which they are aware and which they own or which is owned by a company that employs or sponsors them, and which impinges upon the contribution that they make to the IETF. A "contribution" is also defined in [BCP79] and includes Internet- Drafts, emails to IETF mailing lists, presentations at IETF meetings, and comments made at the microphone during IETF meetings. The timeliness of disclosure is very important within [BCP79]. No precise definition of "timeliness" is given in [BCP79] and it is not the purpose of this document to do so. But it is important to understand that the impact that an IPR disclosure has on the smooth working of the IETF is an inverse function of its timeliness. Thus, a disclosure made on a published RFC is very likely to be more disruptive to the IETF than such a disclosure on an early revision of an individual submission of an Internet-Draft. Third-party disclosures may also be made by anyone who believes that IPR may exist. It is important to note that each individual IETF participant has a choice under the IETF's IPR policy. If the individual is unwilling or unable to disclose the existence of relevant IPR in a timely manner, that individual has the option to refrain from participating in IETF discussions about the technology covered by the IPR 2.2. How Attention is Drawn to These Responsibilities The IETF draws the attention of all participants to the IPR policy [BCP79] through the "Note Well" statement on the IETF web pages [URLNoteWell], presentations at working group and plenary meetings, and in printed materials handed out at IETF meetings, as well as in the boilerplate text appearing in each Internet-Draft and RFC. [Promote] suggests a number of additional ways in which the attention of IETF participants can be drawn to the IPR policy. 2.3. How IPR Disclosures are Made The procedure for filing IPR disclosures is shown on the IETF's web site at [URLDisclose]. Third-party disclosures may also be made by email to the IETF Secretariat or via the web page. Note that early disclosures or warnings that there might be IPR on a technology may also be made. Farrel and Resnick Expires October 2012 [Page 3] draft-farrresnickel-ipr-sanctions-05.txt April 2012 2.4. How Working Groups Consider IPR Disclosures In the normal course of events, a working group that is notified of the existence of IPR must make a decision about whether to continue with the work as it is, or whether to revise the work to attempt to avoid the IPR claim. This decision is made on the working group's mailing list using normal rough consensus procedures. However, discussions of the applicability of an IPR claim or of the appropriateness or merit of the IPR licensing terms are outside the scope of the WG. The IPR situation is considered by working group participants as the document advances through the development process [RFC2026], in particular at key times such as adoption of the document by the working group, and during last call. It needs to be clearly understood that the way that the working group handles an IPR disclosure is distinct from the sanctions that may be applied to the individuals who violated the IETF's IPR policy. That is, the decision by a working group to, for example, entirely re-work an Internet-Draft in order to avoid a piece of IPR that has been disclosed should not be seen as a sanction against the authors. Indeed, and especially in the case of a late IPR disclosure, that a working group decides to do this may be considered a harmful side effect on the working group (in that it slows down the publication of an RFC and may derail other work the working group could be doing) and should be considered as one of the reasons to apply sanctions to the individuals concerned as described in the next two sections 2.5. The Desire for Sanctions Not conforming to the IETF's IPR policy undermines the work of the IETF, and sanctions should be applied against offenders. 2.6 Severity of Violations Clearly there are different sorts of violations of IPR policy. Sometimes, a working group participant simply does not realize that the IPR that they invented applies to a particular working group draft. Sanctions (if any) need not be at all severe. However, a working group document editor who waits until near the publication of a document to reveal IPR of which they themselves are the author should be subject to more serious sanctions. These are judgments that can be made by the working group chairs and area director. This topic forms the bulk of the material in Sections 5 and 6. Farrel and Resnick Expires October 2012 [Page 4] draft-farrresnickel-ipr-sanctions-05.txt April 2012 3. Who May Call For and Apply Sanctions Any IETF participant can call for sanctions to be applied to anyone they believe has violated the IETF's IPR policy. This can be done by sending email to the appropriate IETF mailing list. Normally, however, the working group chairs and area directors assume the responsibility for ensuring the smooth-running of the IETF and for the enforcement of IETF policies including the IPR policy. Thus, when sanctions are called for, working group chairs will be the first actors when there is an active working group involved in the technical work, and area directors will be the first actors in other cases. Working group chairs are already empowered to take action against working group participants who flout the IPR rules and so disrupt the smooth running of the IETF or a specific working group, just as they can take such action in the face of other disruptions. The working group chairs have the responsibility to select the appropriate actions since they are closest to the details of the issue. Where there is no working group involved or where making the decision or applying the sanctions is uncomfortable or difficult for the working group chairs, the responsible AD is available to guide or direct the action if necessary. 4. Available Sanctions This section lists some of the sanctions available to handle the case of an individual who violates the IETF's IPR policies. It is not intended to be an exhaustive list, nor is it suggested that only one sanction be applied in any case. Furthermore, it is not suggested here that every case of IPR policy infringement is the same or that the severest sanctions should be applied in each case. The sanctions are listed in approximate order of severity, but the ordering should not be taken as definitive or as driving different decisions in different cases. Section 6 gives some guidance on selecting an appropriate sanction in any specific case, while Section 5 provides some notes on fairness. a. A private discussion between the working group chair or area director and the individual to understand what went wrong and how it can be prevented in the future. b. A formal, but private warning that the individuals must improve their behavior or risk one of the other sanctions. Farrel and Resnick Expires October 2012 [Page 5] draft-farrresnickel-ipr-sanctions-05.txt April 2012 c. A formal warning on an IETF mailing list that the individuals must improve their behavior or risk one of the other sanctions. d. Announcement to the working group of failure by the individuals ("name and shame"). e. On-going refusal to accept the individuals as editors of any new working group documents. The appointment of editors of working group documents is entirely at the discretion of the working group chairs acting for the working group as explained in [RFC2418]. f. Removal of the individuals as working group document editors on specific documents or across the whole working group. g. Re-positioning of the individual's attribution in a document to the "Acknowledgements" section with or without a note explaining why they are listed there and not in the "Authors' Addresses" section (viz. the IPR policy violation). This action can also be recorded by the area director in the datatracker entries for the documents concerned. h. Deprecation or rejection of the individual document (whether it be an RFC or Internet-Draft) or cessation of work on the affected technology. i. Application of a temporary suspension of posting rights to a specific mailing list according to the guidelines expressed in [RFC2418] and updated by [RFC3934]. Such bans are applied to specific to individual working group mailing lists at the discretion of the working group chairs for a period of no more than 30 days. j. The removal of posting privileges using a Posting Rights Action (PR Action) as per [RFC3683]. This is a more drastic measure that can be applied when other sanctions are considered insufficient or to have been ineffective. When a PR action is in place, the subjects have their posting rights to a particular IETF mailing list removed for a period of a year (unless the action is revoked or extended), and maintainers of any IETF mailing list may, at their discretion and without further recourse to explanation or discussion, also remove posting rights PR actions are introduced by an area director and are considered by the IETF community and the IESG in order to determine IETF consensus. Farrel and Resnick Expires October 2012 [Page 6] draft-farrresnickel-ipr-sanctions-05.txt April 2012 In many cases, it may be appropriate to notify a wider IETF community of the violation and sanctions so that patterns of behavior can be spotted and handled. Note that individuals who have supplied text that is included in an IETF document (RFC or Internet-Draft) have a right to be recognized for their contribution. This means that authors names cannot be entirely removed from a document in the event that they violate the IETF's IPR policy unless the text they contributed is also completely removed. But the individual's name can be removed from the front page and even moved from the "Authors' Addresses" section so long as proper acknowledgement of the contribution is given in the "Acknowledgements" section. 4.1. An Additional Note on the Applicability of PR Actions The applicability of PR actions in the event of IPR policy possibly needs some explanation. According to [RFC3683], a PR action may be considered as a practice for use by the IETF in the case that "a participant has engaged in a denial-of-service attack to disrupt the consensus-driven process." [RFC3683] further cites [RFC2418] and [RFC3005] for guidelines for dealing with abusive behavior. [RFC2418] is updated by [RFC3934] in this matter. In some cases, ignoring or flouting the IETF's IPR policy may be considered as disruptive to the smooth operation of a working group or of the whole IETF such that the offender might be deemed to be a disruptive individual under the terms of [RFC2418], [RFC3934] and [RFC3683], and so is liable to be the subject of a sanction that restricts their rights to post to IETF mailing lists as described in bullets h and i of Section 4 of this document. 5. A Note on Fairness and Appealing Decisions As with all decisions made within the IETF, any person who feels that they have been subject to unfair treatment or who considers that a decision has been made incorrectly may appeal the decision. The IETF's appeals procedures are described in Section 6.5 of [RFC2026] and reinforced in the IESG statement at [URLIESG2026]. Any sanctions described above may be appealed using these procedures. 6. Guidance on Selecting and Applying Sanctions Whoever is applying sanctions for breaching the IETF's IPR policy will want to be sure that the chosen sanction matches the severity of the offence and considers all circumstances. The judgment needs to be Farrel and Resnick Expires October 2012 [Page 7] draft-farrresnickel-ipr-sanctions-05.txt April 2012 applied equitably should similar situations arise in the future. If in any doubt, the person selecting and applying the sanctions should seek the opinion of the relevant part of the IETF community or the community as a whole. Furthermore, the person should not hesitate to seek the advice of their colleagues (co-chairs, area directors, or the whole IESG). This is a judgment call based on all circumstances of each specific case. Some notes on guidance are supplied in Appendix A. 7. Security Considerations While nothing in this document directly affects the operational security of the Internet, failing to follow the IETF's IPR policies can be disruptive to the IETF's standards development processes and so may be regarded as an attack on the correct operation of the IETF. Furthermore, a late IPR disclosure (or a complete failure to disclose), could represent an attack on the use of deployed and operational equipment in the Internet. 8. IANA Considerations This document makes no requests for IANA action. 9. Acknowledgments Thanks to Lou Berger, Ross Callon, Stewart Bryant, Jari Arkko, and Peter Saint-Andre for comments on an early version of this document. Thanks to Subramanian Moonesamy and Tom Petch for their comments on the work. Thanks to Dan Wing, Tony Li, and Steve Bellovin for discussions. Thanks to Stephen Farrell for providing a thorough review as document shepherd. 10. Authors' Addresses Adrian Farrel Juniper Networks adrian@olddog.co.uk Pete Resnick Qualcomm presnick@qualcomm.com Farrel and Resnick Expires October 2012 [Page 8] draft-farrresnickel-ipr-sanctions-05.txt April 2012 11. References 11.1. Normative References [BCP79] S. Bradner, "Intellectual Property Rights in IETF Technology", BCP 79, RFC 3979, March 2005. [RFC2026] S. Bradner, "The Internet Standards Process - Revision 3", BCP 9, RFC 2026, October 1996. [RFC2418] S. Bradner, "IETF Working Group Guidelines and Procedures", BCP 25, RFC 2418, September 1998. [RFC3683] M. Rose, "A Practice for Revoking Posting Rights to IETF Mailing Lists", BCP 83, RFC 3683, March 2004. [RFC3934] M. Wasserman, "Updates to RFC 2418 Regarding the Management of IETF Mailing Lists", BCP 94, RFC 3934, October 2004. 11.2. Informative References [RFC3005] S. Harris, "IETF Discussion List Charter", BCP 45, RFC 3005, November 2000. [Promote] Polk, T. and Saint-Andre, P., "Promoting Compliance with Intellectual Property Rights (IPR) Disclosure Rules", draft-polk-ipr-disclosure, work in progress. [URLDisclose] http://www.ietf.org/ipr/file-disclosure [URLIESG2026] http://www.ietf.org/iesg/statement/appeal.html [URLIESGIPR] http://trac.tools.ietf.org/group/iesg/trac/wiki/IntellectualProperty [URLIPR] http://www.ietf.org/ipr/policy.html [URLNoteWell] http://www.ietf.org/about/note-well.html Farrel and Resnick Expires October 2012 [Page 9] draft-farrresnickel-ipr-sanctions-05.txt April 2012 Appendix A. Guidance on Selecting and Applying Sanctions As discussed in Section 6, the selection of sanctions needs to be a carefully made judgment call considering all relevant circumstances and events. This Appendix provides a list of things that might form part of that judgment. This list of considerations is for guidance and is not prescriptive or exhaustive, nor does it imply any weighting of the considerations. - How long has the participant been active in the IETF? - Was there some exceptional circumstance? - Are there special circumstances that imply that the individual would not have seen or understood the pointers to and content of [BCP79]? - How late was the disclosure? Is the document already a working group document? How many revisions have been published? How much time has elapsed? Have last calls be held? Has the work been published as an RFC? - Was the individual a minor contributor to the IETF work, or are they clearly a major contributor? - Is there a reason for the individual forgetting the existence of the IPR (for example, it was filed many years previous to the work in the IETF)? - Was the individual told by their company that disclosure was imminent, but then something different happened? - How speedy and humble was the individual's apology? - How disruptive to the IETF work are the disclosure and the associated license terms? A factor in this will be whether the IETF community sees the need to re-work the document or not. - Does the large number of patents that the individual has invented provide any level of excuse for failing to notice that one of their patents covered the IETF work? Farrel and Resnick Expires October 2012 [Page 10]