[Owasp-board] [Owasp-leaders] [Owasp-community] IAB Statement on the Trade in Security Technologies
Jim Manico
jim.manico at owasp.org
Mon Jun 22 01:35:39 UTC 2015
This is not about changing OWASP's charter. It's a warning that we are
engaging in activity that is on the edge of trying to influence
legislation and that we should proceed with caution.
Also, I am concerned that we are losing focus here and implore the
community to focus less on announcements like this and to focus more on
application security in a more direct way via projects and technical
documentation.
- Jim
On 6/21/15 3:32 PM, Jerry Hoff wrote:
> Agreed - but I was under the strong impression this entire discussion
> was on putting out a statement similar to the IAB. Apologies if I
> misunderstood. I was voicing support on that specific action.
>
> I didn't see anywhere in the thread (though I may have missed it)
> anyone advocating political campaigning or to change the OWASP charter
> such that influencing legislation would be a substantial activity.
>
> --
> Jerry Hoff
> jerry at owasp.com
> @jerryhoff
>
> On Jun 21, 2015, at 21:25, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Jerry,
>>
>> I'm a fan of OWASP taking technical stands such as the IAB Statement
>> on Internet Confidentiality
>> https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/
>> and similar.
>>
>> What our 501(c)(3) foundation needs to steer clear of from my
>> understanding is...
>>
>> 1) ... not to engage in political campaigning
>> 2) ... not to attempt to influence legislation as a substantial part
>> of our activities
>>
>> I am no fan of NACL's but this is a very important topic.
>>
>> The exact quote from the IRS is
>> (http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)
>>
>> "...it may not attempt to influence legislation as a substantial part
>> of its activities and it may not participate in any campaign activity
>> for or against political candidates..."
>>
>> So as long as our "official foundation statement" on this matter
>> steers clear of these issues, I will support it.
>>
>> We will be discussing this at the June 24th meeting, I hope you can
>> make it.
>>
>> https://www.owasp.org/index.php/June_24,_2015
>>
>> Aloha,
>> Jim
>>
>> On 6/21/15 3:16 PM, Jerry Hoff wrote:
>>> I believe this debate is based off wrong assumptions - for example
>>> the EFF is 501(c)(3) and that does not prevent them from taking a
>>> position on relevant issues as an organization.
>>>
>>> --
>>> Jerry Hoff
>>> jerry at owasp.com
>>> @jerryhoff
>>>
>>> On Jun 21, 2015, at 21:05, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> With respect, I disagree with your take on this Jeff. Official
>>>> OWASP public statements should be done with care.
>>>>
>>>> Also, this issue is not resolved yet and I am simply stating *my
>>>> opinion* on the matter backed by research and references to IRS
>>>> guidelines discussing this matter. And again I've stated that this
>>>> is a nebulous area even by IRS regulation.
>>>>
>>>> *We are discussing this at the June 24 board meeting - a
>>>> meeting in which I hope that you and the community attend.*
>>>>
>>>> Making a big statement like this as an official message of the
>>>> OWASP foundation - especially since it's political in nature - does
>>>> in my opinion require board discussion. I know you want us to "jump
>>>> on this" immediately - and we are Jeff - in just a few days.
>>>>
>>>> In fact, if the language is crafted in a way that keeps clear of
>>>> specific legislation, I will likely vote to push this out. I agree
>>>> with it 100%, I am only concerned if it's the right thing for OWASP
>>>> to be making such a public statement.
>>>>
>>>> It is critical for all of us in OWASP leadership to be aware of the
>>>> limits of what a 501(c)(3) should be doing, and when I hear that
>>>> the members of foundation want OWASP to make a public and
>>>> politically charged statement of intent, I think it's crucial for
>>>> the board to be a part of it since the board holds legal
>>>> responsibility for the operations of the foundation.
>>>>
>>>> See you June 24th?
>>>>
>>>> https://www.owasp.org/index.php/June_24,_2015
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 6/21/15 2:47 PM, Jeff Williams wrote:
>>>>> This is a false dichotomy -- OWASP can and should do both. The
>>>>> Board should work to assist and support *any* idea consistent with
>>>>> our mission...even if...especially if... you don't think it will work.
>>>>>
>>>>> You can't let *your* judgement influence the decision to support a
>>>>> project. If you do, then all we will ever get is Board ideas.
>>>>> And, respectfully, I don't trust you or any other individual to
>>>>> think up the next great AppSec idea.
>>>>>
>>>>> The Board shouldn't interfere at all unless somebody is doing
>>>>> something harmful to the organization or the mission. And even
>>>>> then should try to figure out a productive path for that energy.
>>>>>
>>>>> Again respectfully, you should get out of the way.
>>>>>
>>>>> --Jeff
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Jun 21, 2015 at 5:27 PM -0700, "Jim Manico"
>>>>> <jim.manico at owasp.org> wrote:
>>>>>
>>>>> Jeff,
>>>>>
>>>>> My take on this is that "talk is cheap" and that "actions are
>>>>> more powerful than words". I'd rather keep out of legislation and
>>>>> focus on making important projects like ESAPI, ASVS, Security
>>>>> Shepherd and others more powerful.
>>>>>
>>>>> I am sorry you are disappointed in current board action, but
>>>>> there is good reason behind the perspective I am stating.
>>>>> Also, this is my opinion alone, not the entire board's.
>>>>>
>>>>> Again, take a look at Whisper Systems. They are providing
>>>>> incredibly well created and well assessed open source projects
>>>>> for secure communications. These open source projects are now
>>>>> being integrated into various Operating Systems and other
>>>>> projects.
>>>>>
>>>>> If ESAPI was not abandoned, it could have been serving our
>>>>> mission - planet level. I want to see it and other key
>>>>> projects revived and well funded.
>>>>>
>>>>> The power of a well built security project is worth more than
>>>>> a thousand words. Talk is cheap. Actions that change the world
>>>>> take sweat, blood and staying the course even when it's no
>>>>> longer financially beneficial to do so.
>>>>>
>>>>> Respectfully,
>>>>> --
>>>>> Jim Manico
>>>>> Global Board Member
>>>>> OWASP Foundation
>>>>> https://www.owasp.org
>>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015 in San
>>>>> Francisco!
>>>>>
>>>>> On Jun 21, 2015, at 2:12 PM, Jeff Williams
>>>>> <jeff.williams at owasp.org> wrote:
>>>>>
>>>>>> For the record, the IAB is part of the IETF, which *is* a
>>>>>> 501c3. Even though 501c3 organizations *can* do some
>>>>>> lobbying (as long as expenditures are not substantial), the
>>>>>> IAB is careful not to talk about legislation or urge anyone
>>>>>> to contact representatives about legislation.
>>>>>> As the creator and longtime Chair of the OWASP Board, I'm
>>>>>> frustrated that the current Board isn't falling over
>>>>>> themselves to support efforts like this. IMO the whole
>>>>>> purpose of the Board is to create a great platform to support
>>>>>> and amplify the efforts of anyone willing to contribute to
>>>>>> our important cause. Doesn't matter the topic, but instead of
>>>>>> saying no or criticizing ideas or projects, figure out a way
>>>>>> to make it work or make them better.
>>>>>> In this case, and a million other topics, it would be
>>>>>> incredibly easy to stick to the technical realities and
>>>>>> feasibility of any approaches being discussed in the news.
>>>>>> No need to mention legislation.
>>>>>> --Jeff
>>>>>>
>>>>>> Jeff Williams | CTO
>>>>>> Contrast Security
>>>>>> 410.707.1487 | @planetlevel @contrastsec
>>>>>>
>>>>>>
>>>>>> _____________________________
>>>>>> From: Jim Manico <jim.manico at owasp.org>
>>>>>> Sent: Sunday, June 21, 2015 7:37 PM
>>>>>> Subject: Re: [Owasp-leaders] [Owasp-community] [Owasp-board]
>>>>>> IAB Statement on the Trade in Security Technologies
>>>>>> To: McGovern, James <james.mcgovern at hp.com>
>>>>>> Cc: <owasp-community at lists.owasp.org>, OWASP Board List
>>>>>> <owasp-board at lists.owasp.org>, owasp-leaders
>>>>>> <owasp-leaders at lists.owasp.org>
>>>>>>
>>>>>>
>>>>>> I will - for sure - put this on the June 24th Board meeting
>>>>>> agenda. My opinion (based on research over the years trying
>>>>>> to understand my duty to the foundation) is to keep AWAY from
>>>>>> any even slight attempt to influence legislation.
>>>>>>
>>>>>> In general I see projects, documentation efforts and
>>>>>> conferences doing much to unite us in our shared mission.
>>>>>> But start discussing politics and it will go a long way to
>>>>>> divide us as a community.
>>>>>>
>>>>>> I suggest that we focus on *doing something* vs *saying
>>>>>> something*.
>>>>>>
>>>>>> Imagine funding open source projects similar to Whisper
>>>>>> Systems or enhancing our documentation projects to be much
>>>>>> more up to date and relevant or building professional open
>>>>>> source training material? This is how I think the foundation
>>>>>> can best face these issues while at the same time serve our
>>>>>> mission while at the same time keep away from influencing
>>>>>> legislation. :)
>>>>>>
>>>>>> And for what it's worth, I strongly dislike the fact that I'm
>>>>>> bringing these things up. I'm not trying to ruin anyone's
>>>>>> party here. But I do feel it's my duty as your elected board
>>>>>> member to do so.
>>>>>>
>>>>>> Aloha,
>>>>>> --
>>>>>> Jim Manico
>>>>>> Global Board Member
>>>>>> OWASP Foundation
>>>>>> https://www.owasp.org
>>>>>> Join me at AppSecUSA <http://appsecusa.org/> 2015 in San
>>>>>> Francisco!
>>>>>>
>>>>>> On Jun 21, 2015, at 1:23 PM, McGovern, James <
>>>>>> james.mcgovern at hp.com> wrote:
>>>>>>
>>>>>> Jim, while you are going to the board for legal
>>>>>> clarification, please inquire:
>>>>>>
>>>>>> 1. 501c3 is a US thing. Can we influence non-US
>>>>>> government and still comply?
>>>>>> 2. Understanding the US political issues sometimes will
>>>>>> put us on a partisan path. For example, in CT I have
>>>>>> commented in the past in a political context on why smart
>>>>>> guns are just plain stupid. This particular issue leans
>>>>>> more conservative/libertarian than it does Liberal.
>>>>>> Therefore, we must attempt to understand the flow of
>>>>>> politics on any given Sunday.
>>>>>> 3. Maybe we could somehow solve this by having a policy
>>>>>> that encourages legislators of all parties to reach out
>>>>>> to their local chapter leader for an informed opinion.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: owasp-community-bounces at lists.owasp.org
>>>>>> [mailto:owasp-community-bounces at lists.owasp.org] On
>>>>>> Behalf Of Jim Manico
>>>>>> Sent: Saturday, June 20, 2015 4:37 PM
>>>>>> To: Kevin W. Wall
>>>>>> Cc: OWASP Board List; owasp-community at lists.owasp.org;
>>>>>> owasp-leaders
>>>>>> Subject: Re: [Owasp-community] [Owasp-board] IAB
>>>>>> Statement on the Trade in Security Technologies
>>>>>>
>>>>>> I agree with you Kevin. Even the IRS is cagey about this
>>>>>> topic.
>>>>>>
>>>>>> However, this is an organization risk that I feel we
>>>>>> should be aware of before charging too far into policy. It
>>>>>> would behoove us to get legal review before going too far.
>>>>>> I'll bring this up at the next board meeting.
>>>>>>
>>>>>> Aloha,
>>>>>> --
>>>>>> Jim Manico
>>>>>> @Manicode
>>>>>> (808) 652-3805
>>>>>>
>>>>>> On Jun 20, 2015, at 9:47 AM, Kevin W. Wall
>>>>>> <kevin.w.wall at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>> Jim,
>>>>>>
>>>>>> On Sat, Jun 20, 2015 at 2:55 PM, Jim Manico
>>>>>> <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>> That is fair Michael.
>>>>>>
>>>>>> But I do want to warn the community that this is a slippery slope, we
>>>>>> are being watched, and trying to influence legislation is one of the
>>>>>> few ways OWASP can lose its charitable status. And if that happens,
>>>>>> the debate about what to do with our funds will quickly change for the worse.
>>>>>>
>>>>>> I don't think that it is impossible for charitable organizations to
>>>>>> comment on public possible without losing their 501(c)(3) status, but
>>>>>> it just has to be done in the right way. (However, IANAL, so I don't
>>>>>> even begin to know the details of what that "right way" would entail.)
>>>>>>
>>>>>> As a case in point, the ACM has a 501(c)(3) not-for-profit status, and
>>>>>> yet their public policy arm--the USACM--has certainly tried to
>>>>>> influence public policy. (Recall the crypto debate from the late
>>>>>> 1990s? The USACM and IEEE wrote a letter to Sen. John McCain to try to
>>>>>> influence the US legislation not to pass laws to mandate weak
>>>>>> encryption. E.g., see
>>>>>> <http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security>.)
>>>>>>
>>>>>> So I'm guessing that the devil is in the details of how it is done.
>>>>>> In fact, according to Spaf's blog at
>>>>>> <https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/>
>>>>>> the USACM is going through this same thing again. Like I said, I am
>>>>>> not a lawyer and maybe this attempt to influence public policy doesn't
>>>>>> strictly qualify as "lobbying" in the eyes of the IRS. But it
>>>>>> certainly doesn't seem impossible.
>>>>>>
>>>>>> Also, we can--and should--all speak out strongly against things that
>>>>>> we believe are against the OWASP mission, but we don't have to do it
>>>>>> in a manner as representing OWASP. Do that on your personal blogs or
>>>>>> social media instead of OWASP mailing lists and there shouldn't be an
>>>>>> issue, especially if you add a short disclaimer as to how your opinion
>>>>>> does not necessarily affect the opinion of OWASP overall (in the cases
>>>>>> when there might be some doubt).
>>>>>>
>>>>>> So perhaps if we decide that we officially want to speak out on
>>>>>> certain public policy as an organization in order to influence public
>>>>>> policy in accordance with our mission statements, then someone who
>>>>>> understands the nuances of the 501(c)(3) IRS regulations could help
>>>>>> OWASP navigate these waters.
>>>>>>
>>>>>> -kevin
>>>>>> --
>>>>>> Blog: http://off-the-wall-security.blogspot.com/
>>>>>> NSA: All your crypto bit are belong to us.