<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><span></span></div><div><div>Just to be clear again - no one in this entire thread (that I have read at least) has suggested we actively lobby politicians. Putting out a statement on proposed legislation is not the same as actively lobbying government as defined below. </div><div><br></div><div>The entire thread is based on Jeff's statement that  OWASP should put out a single statement similar to the IAB's.  That's it.  I'm not sure how the conversation has drifted so substantially from that  request.</div><div><br></div><div>--<div>Jerry Hoff</div><div><a href="mailto:jerry@owasp.com">jerry@owasp.com</a></div><div>@jerryhoff</div></div><div><br>On Jun 21, 2015, at 21:42, Jim Manico <<a href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>> wrote:<br><br></div><blockquote type="cite"><div>
  
  
  
    And in the interest of fairness, here is the counter-point as to why
    we should do MORE lobbying at OWASP. <br>
    <br>
<a class="moz-txt-link-freetext" href="http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12202">http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12202</a><br>
    <br>
    <h5 style="box-sizing: border-box; margin: 0.2rem 0px 0px; padding:
      0px; font-family: 'Helvetica Neue', Helvetica, Helvetica, Arial,
      sans-serif; font-weight: 500; font-style: normal; color: black;
      text-rendering: optimizeLegibility; line-height: 1.4; font-size:
      0.938rem; font-variant: normal; letter-spacing: normal; orphans:
      auto; text-align: start; text-indent: 0px; text-transform: none;
      white-space: normal; widows: 1; word-spacing: 0px;
      -webkit-text-stroke-width: 0px; background-color: rgb(255, 255,
      255);">1. 501(c)(3)s cannot lobby and will lose their tax
      exemption if they engage in lobbying.</h5>
    <p style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding:
      0px; font-family: 'Helvetica Neue', Helvetica, Helvetica, Arial,
      sans-serif; font-weight: normal; line-height: 1.6; text-rendering:
      optimizeLegibility; color: rgb(51, 51, 51); font-size:
      15.0080003738403px; font-style: normal; font-variant: normal;
      letter-spacing: normal; orphans: auto; text-align: start;
      text-indent: 0px; text-transform: none; white-space: normal;
      widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255);">Absolutely not. 501(c)(3)
      organizations can, and often should, lobby at all levels of
      government. Federal tax law has always permitted some lobbying by
      nonprofits. The 1976 lobbying tax law passed by Congress made that
      expressly clear. The Internal Revenue Service ("IRS") followed
      with implementing regulations. The federal government clearly
      supports lobbying by 501(c)(3) organizations. Together, the law
      and regulations provide wide latitude for 501(c)(3) organizations
      to lobby.</p>
    <p style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding:
      0px; font-family: 'Helvetica Neue', Helvetica, Helvetica, Arial,
      sans-serif; font-weight: normal; line-height: 1.6; text-rendering:
      optimizeLegibility; color: rgb(51, 51, 51); font-size:
      15.0080003738403px; font-style: normal; font-variant: normal;
      letter-spacing: normal; orphans: auto; text-align: start;
      text-indent: 0px; text-transform: none; white-space: normal;
      widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255);">The law makes it very clear
      how much a 501(c)(3) organization can spend on lobbying - up to $1
      million depending on the size of the organization - if the 501(h)
      election is made. The law also makes it clear which activities are
      lobbying and which are not. For example, lobbying occurs only when
      there is an<span class="Apple-converted-space"> </span><i style="box-sizing: border-box; font-style: italic; line-height:
        inherit;">expenditure of money</i><span class="Apple-converted-space"> </span>by the 501(c)(3) for the
      purpose of attempting to influence legislation. Where there is no
      expenditure by the organization for lobbying (such as lobbying by
      members or volunteers), there is no lobbying by the organization.</p>
    <p style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding:
      0px; font-family: 'Helvetica Neue', Helvetica, Helvetica, Arial,
      sans-serif; font-weight: normal; line-height: 1.6; text-rendering:
      optimizeLegibility; color: rgb(51, 51, 51); font-size:
      15.0080003738403px; font-style: normal; font-variant: normal;
      letter-spacing: normal; orphans: auto; text-align: start;
      text-indent: 0px; text-transform: none; white-space: normal;
      widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255);">The right of citizens to
      petition their government is basic to our democratic way of life,
      and associations, including 501(c)(3)s, are one of the most
      effective vehicles for making use of citizen participation in
      shaping public policy. Fortunately, the legislation passed by
      Congress in 1976 makes it possible for 501(c)(3)s to lobby freely
      for the causes, communities and constituencies they serve.</p>
    <p style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding:
      0px; font-family: 'Helvetica Neue', Helvetica, Helvetica, Arial,
      sans-serif; font-weight: normal; line-height: 1.6; text-rendering:
      optimizeLegibility; color: rgb(51, 51, 51); font-size:
      15.0080003738403px; font-style: normal; font-variant: normal;
      letter-spacing: normal; orphans: auto; text-align: start;
      text-indent: 0px; text-transform: none; white-space: normal;
      widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255);">Generally, organizations
      that make the 501(h) election under the 1976 lobbying law may
      spend 20% of the first $500,000 of their annual expenditures on
      lobbying ($100,000), 15% of the next $500,000, and so on, up to $1
      million dollars.</p>
    <p style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding:
      0px; font-family: 'Helvetica Neue', Helvetica, Helvetica, Arial,
      sans-serif; font-weight: normal; line-height: 1.6; text-rendering:
      optimizeLegibility; color: rgb(51, 51, 51); font-size:
      15.0080003738403px; font-style: normal; font-variant: normal;
      letter-spacing: normal; orphans: auto; text-align: start;
      text-indent: 0px; text-transform: none; white-space: normal;
      widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;
      background-color: rgb(255, 255, 255);">Finally, by not engaging in
      lobbying, your organization may be failing to employ a very
      important activity that could be enormously helpful in carrying
      out its mission.</p>
    <br>
    <br>
    <div class="moz-cite-prefix">On 6/21/15 3:32 PM, Jerry Hoff wrote:<br>
    </div>
    <blockquote cite="mid:741675FD-A590-42D8-A175-EA0672ECD616@owasp.org" type="cite">
      <div>Agreed - but I was under the strong impression this entire
        discussion was on putting out a statement similar to the IAB.
         Apologies if I misunderstood. I was voicing support on that
        specific action.</div>
      <div><br>
      </div>
      <div>I didn't see anywhere in the thread (though I may have missed
        it) anyone advocating political campaigning or to change the
        OWASP charter such that influencing legislation would be a
        substantial activity. <br>
        <br>
        --
        <div>Jerry Hoff</div>
        <div><a moz-do-not-send="true" href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
        <div>@jerryhoff</div>
      </div>
      <div><br>
        On Jun 21, 2015, at 21:25, Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org"></a><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          Jerry,<br>
          <br>
          I'm a fan of OWASP taking technical stands such as the IAB
          Statement on Internet Confidentiality <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/"></a><a class="moz-txt-link-freetext" href="https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/">https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/</a>
          and similar. <br>
          <br>
          What our 501(c)(3) foundation needs to steer clear of from
          my understanding is...<br>
          <br>
          1) ... not to engage in political campaigning<br>
          2) ... not to attempt to influence legislation as a
          substantial part of our activities<br>
          <br>
          I am no fan of NACL's but this is a very important topic.<br>
          <br>
          The exact quote from the IRS is
          (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501%28c%29%283%29-Organizations%29">http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)</a><br>
          <br>
          <span style="color: rgb(0, 0, 0); font-family: sans-serif;
            font-size: 13px; font-style: normal; font-variant: normal;
            font-weight: normal; letter-spacing: normal; line-height:
            16.0029983520508px; orphans: auto; text-align: start;
            text-indent: 0px; text-transform: none; white-space: normal;
            widows: 1; word-spacing: 0px; -webkit-text-stroke-width:
            0px; display: inline !important; float: none;
            background-color: rgb(255, 255, 255);">"...it may not
            attempt to influence legislation as a substantial part of
            its activities and it may not participate in any campaign
            activity for or against political candidates..."</span><br>
          <br>
          So as long as our "official foundation statement" on this
          matter steers clear of these issues, I will support it.<br>
          <br>
          We will be discussing this at the June 24th meeting, I hope
          you can make it.<br>
          <br>
          <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/June_24,_2015">https://www.owasp.org/index.php/June_24,_2015</a><br>
          <br>
          Aloha,<br>
          Jim<br>
          <br>
          <div class="moz-cite-prefix">On 6/21/15 3:16 PM, Jerry Hoff
            wrote:<br>
          </div>
          <blockquote cite="mid:A2E4A344-4519-4A6B-A86A-B240A09E68DD@owasp.org" type="cite">
            <div>I believe this debate is based off wrong assumptions -
              for example the EFF is 501(c)(3) and that does not prevent
              them from taking a position on relevant issues as an
              organization.<br>
              <br>
              --
              <div>Jerry Hoff</div>
              <div><a moz-do-not-send="true" href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
              <div>@jerryhoff</div>
            </div>
            <div><br>
              On Jun 21, 2015, at 21:05, Jim Manico <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org"></a><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>

              wrote:<br>
              <br>
            </div>
            <blockquote type="cite">
              <div>
                With respect, I disagree with your take on this Jeff.
                Official OWASP public statements should be done with
                care.<br>
                <br>
                Also, this issue is not resolved yet and I am simply
                stating *my opinion* on the matter backed by research
                and references to IRS guidelines discussing this matter.
                And again I've stated that this is a nebulous area even
                by IRS regulation.<br>
                <br>
                <u><b>We are discussing this at the June 24 board
                    meeting</b></u><u><b> - a meeting in which I hope
                    that you and the community attend.</b></u> <br>
                <br>
                Making a big statement like this as an official message
                of the OWASP foundation - especially since it's political
                in nature - does in my opinion require board discussion.
                I know you want us to "jump on this" immediately - and
                we are Jeff - in just a few days.<br>
                <br>
                In fact, if the language is crafted in a way that keeps
                clear of specific legislation, I will likely vote to
                push this out. I agree with it 100%, I am only concerned
                if it's the right thing for OWASP to be making such a
                public statement. <br>
                <br>
                It is critical for all of us in OWASP leadership to be
                aware of the limits of what a 501(c)(3) should be doing,
                and when I hear that the members of the foundation want
                OWASP to make a public and politically charged statement
                of intent, I think it's crucial for the board to be a
                part of it since the board holds legal responsibility
                for the operations of the foundation.<br>
                <br>
                See you June 24th?<br>
                <br>
                <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/June_24,_2015">https://www.owasp.org/index.php/June_24,_2015</a><br>
                <br>
                Aloha,<br>
                Jim<br>
                <br>
                <br>
                <br>
                <br>
                <br>
                <div class="moz-cite-prefix">On 6/21/15 2:47 PM, Jeff
                  Williams wrote:<br>
                </div>
                <blockquote cite="mid:815ED4954DD4EA87.AC9F30B4-B882-4DBD-8F06-A2CC09F2B771@mail.outlook.com" type="cite">
                  <div>This is a false dichotomy -- OWASP can and should
                    do both. The Board should work to assist and support
                    *any* idea consistent with our mission...even
                    if...especially if... you don't think it will work.</div>
                  <div><br>
                  </div>
                  <div>You can't let *your* judgement influence the
                    decision to support a project. If you do, then all
                    we will ever get is Board ideas.  And, respectfully,
                    I don't trust you or any other individual to think
                    up the next great AppSec idea.</div>
                  <div><br>
                  </div>
                  <div>The Board shouldn't interfere at all unless
                    somebody is doing something harmful to the
                    organization or the mission. And even then should
                    try to figure out a productive path for that energy.</div>
                  <div><br>
                  </div>
                  <div>Again respectfully, you should get out of the
                    way.<br>
                    <br>
                    <div class="acompli_signature">--Jeff<br>
                    </div>
                  </div>
                  <br>
                  <br>
                  <br>
                  <div class="gmail_quote">On Sun, Jun 21, 2015 at 5:27
                    PM -0700, "Jim Manico" <span dir="ltr"><<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org"></a><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>></span>
                    wrote:<br>
                    <br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>Jeff,</div>
                        <div><br>
                        </div>
                        <div>My take on this is that "talk is cheap" and
                          that "actions are more powerful than words". I'd
                          rather keep out of legislation and focus on
                          making important projects like ESAPI, ASVS,
                          Security Shepherd and others more powerful.</div>
                        <div><br>
                        </div>
                        <div>I am sorry you are disappointed in current
                          board action, but there is good reason behind
                          the perspective I am stating. Also, this is my
                          opinion alone, not the entire board's.</div>
                        <div><br>
                        </div>
                        <div>Again, take a look at Whisper Systems. They
                          are providing incredibly well created and well
                          assessed open source projects for secure
                          communications. These open source projects are
                          now being integrated into various Operating
                          Systems and other projects.</div>
                        <div><br>
                        </div>
                        <div>If ESAPI was not abandoned, it could have
                          been serving our mission - planet level. I
                          want to see it and other key projects revived
                          and well funded.</div>
                        <div><br>
                        </div>
                        <div>The power of a well built security project
                          is worth more than a thousand words. Talk is
                          cheap. Actions that change the world take
                          sweat, blood and staying the course even when
                          it's no longer financially beneficial to do
                          so.</div>
                        <div><br>
                        </div>
                        <div>Respectfully,<br>
                          <div>--</div>
                          <div>Jim Manico</div>
                          <div>
                            <div apple-content-edited="true" class="">
                              <div class="" style="word-wrap:
                                break-word; -webkit-nbsp-mode: space;
                                -webkit-line-break: after-white-space;">
                                <div class=""><span style="background-color: rgba(255,
                                    255, 255, 0);">Global Board Member</span></div>
                                <span style="background-color: rgba(255,
                                  255, 255, 0);">OWASP Foundation</span>
                                <div class=""><a moz-do-not-send="true" href="https://www.owasp.org/" class="" style="background-color:
                                    rgba(255, 255, 255, 0);"><font color="#000000">https://www.owasp.org</font></a></div>
                              </div>
                            </div>
                            <div class=""><span style="background-color:
                                rgba(255, 255, 255, 0);">Join me at <a moz-do-not-send="true" href="http://appsecusa.org/" target="_blank" class="">AppSecUSA</a> 2015
                                in San Francisco!</span></div>
                          </div>
                        </div>
                        <div><br>
                          On Jun 21, 2015, at 2:12 PM, Jeff Williams
                          <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jeff.williams@owasp.org">jeff.williams@owasp.org</a>>


                          wrote:<br>
                          <br>
                        </div>
                        <blockquote type="cite">
                          <div>
                            <div>For the record, the IAB is part of the
                              IETF, which *is* a 501c3.  Even though
                              501c3 organizations *can* do some lobbying
                              (as long as expenditures are not
                              substantial), the IAB is careful not to
                              talk about legislation or urge anyone to
                              contact representatives about legislation.</div>
                            <div>As the creator and longtime Chair of
                              the OWASP Board, I'm frustrated that the
                              current Board isn't falling over
                              themselves to support efforts like this.
                               IMO the whole purpose of the Board is to
                              create a great platform to support and
                              amplify the efforts of anyone willing to
                              contribute to our important cause. Doesn't
                              matter the topic, but instead of saying no
                              or criticizing ideas or projects, figure
                              out a way to make it work or make them
                              better.</div>
                            <div>In this case, and a million other
                              topics, it would be incredibly easy to
                              stick to the technical realities and
                              feasibility of any approaches being
                              discussed in the news.  No need to mention
                              legislation.</div>
                            <div>
                              <div class="acompli_signature">--Jeff<br>
                                <br>
                                Jeff Williams | CTO<br>
                                Contrast Security<br>
                                <a moz-do-not-send="true" href="tel:410.707.1487" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="0/1">410.707.1487</a>
                                | @planetlevel @contrastsec<br>
                                <br>
                              </div>
                              <br>
                            </div>
                            <div class="gmail_quote">_____________________________<br>
                              From: Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="2"></a><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>><br>
                              Sent: Sunday, June 21, 2015 7:37 PM<br>
                              Subject: Re: [Owasp-leaders]
                              [Owasp-community] [Owasp-board] IAB
                              Statement on the Trade in Security
                              Technologies<br>
                              To: McGovern, James <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com"></a><a class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a>><br>
                              Cc: <<a moz-do-not-send="true" href="mailto:owasp-community@lists.owasp.org" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="5">owasp-community@lists.owasp.org</a>>,


                              OWASP Board List <<a moz-do-not-send="true" href="mailto:owasp-board@lists.owasp.org" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="6"></a><a class="moz-txt-link-abbreviated" href="mailto:owasp-board@lists.owasp.org">owasp-board@lists.owasp.org</a>>,


                              owasp-leaders <<a moz-do-not-send="true" href="mailto:owasp-leaders@lists.owasp.org" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="7"></a><a class="moz-txt-link-abbreviated" href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a>><br>
                              <br>
                              <br>
                              <div> I will - for sure - put this on the
                                June 24th Board meeting agenda. My
                                opinion (based on research over the
                                years trying to understand my duty to
                                the foundation) is to keep AWAY from any
                                even slight attempt to influence
                                legislation. </div>
                              <div> <br>
                              </div>
                              <div> In general I see projects,
                                documentation efforts and  conferences
                                doing much to unite us in our shared
                                mission. But start discussing politics
                                and it will go a long way to divide us
                                as a community. </div>
                              <div> <br>
                              </div>
                              <div> I suggest that we focus on •doing
                                something• vs •saying something•.  </div>
                              <div> <br>
                              </div>
                              <div> Imagine funding open source projects
                                similar to Whisper Systems or enhancing
                                our documentation projects to be much
                                more up to date and relevant or
                                building professional open source
                                training material? This is how I think
                                the foundation can best face these
                                issues while at the same time serve our
                                mission while at the same time keep away
                                from influencing legislation. :) </div>
                              <div> <br>
                              </div>
                              <div> And for what it's worth, I strongly
                                dislike the fact that I'm bringing these
                                things up. I'm not trying to ruin
                                anyone's party here. But I do feel it's
                                my duty as your elected board member to
                                do so. </div>
                              <div> <br>
                              </div>
                              <div> Aloha, </div>
                              <div> -- <br>
                                <div> Jim Manico </div>
                                <div>
                                  <div class="">
                                    <div class="" style="word-wrap:
                                      break-word; -webkit-nbsp-mode:
                                      space; -webkit-line-break:
                                      after-white-space;">
                                      <div class=""> <span style="background-color:
                                          rgba(255, 255, 255, 0);">Global
                                          Board Member</span> </div>
                                      <span style="background-color:
                                        rgba(255, 255, 255, 0);">OWASP
                                        Foundation</span>
                                      <div class=""> <font color="#000000"><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org"></a><a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></font>
                                      </div>
                                    </div>
                                  </div>
                                  <div class=""> <span style="background-color: rgba(255,
                                      255, 255, 0);">Join me at <a moz-do-not-send="true" href="http://appsecusa.org/" class="">AppSecUSA</a> 2015 in
                                      San Francisco!</span> </div>
                                </div>
                              </div>
                              <div> <br>
                                On Jun 21, 2015, at 1:23 PM, McGovern,
                                James < <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a>>


                                wrote: <br>
                                <br>
                              </div>
                              <blockquote>
                                <div> <span>Jim, while you are going to
                                    the board for legal clarification,
                                    please inquire:</span> <br>
                                  <span></span> <br>
                                  <span>1. 501c3 is a US thing. Can we
                                    influence non-US government and
                                    still comply?</span> <br>
                                  <span>2. Understanding the US
                                    political issues sometimes will put
                                    us on a partisan path. For example,
                                    in CT I have commented in the past
                                    in a political context on why smart
                                    guns are just plain stupid. This
                                    particular issue leans more
                                    conservative/libertarian than it
                                    does Liberal. Therefore, we must
                                    attempt to understand the flow of
                                    politics on any given Sunday.</span>
                                  <br>
                                  <span>3. Maybe we could somehow solve
                                    this by having a policy that
                                    encourages legislators of all
                                    parties to reach out to their local
                                    chapter leader for an informed
                                    opinion.</span> <br>
                                  <span></span> <br>
                                  <span>-----Original Message-----</span>
                                  <br>
                                  <span>From: <a moz-do-not-send="true" href="mailto:owasp-community-bounces@lists.owasp.org">owasp-community-bounces@lists.owasp.org</a>
                                    [<a moz-do-not-send="true" href="mailto:owasp-community-bounces@lists.owasp.org">mailto:owasp-community-bounces@lists.owasp.org</a>]
                                    On Behalf Of Jim Manico</span> <br>
                                  <span>Sent: Saturday, June 20, 2015
                                    4:37 PM</span> <br>
                                  <span>To: Kevin W. Wall</span> <br>
                                  <span>Cc: OWASP Board List; <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:owasp-community@lists.owasp.org"></a><a class="moz-txt-link-abbreviated" href="mailto:owasp-community@lists.owasp.org">owasp-community@lists.owasp.org</a>;
                                    owasp-leaders</span> <br>
                                  <span>Subject: Re: [Owasp-community]
                                    [Owasp-board] IAB Statement on the
                                    Trade in Security Technologies</span>
                                  <br>
                                  <span></span> <br>
                                  <span>I agree with you Kevin. Even the
                                    IRS is cagey about this topic. </span>
                                  <br>
                                  <span></span> <br>
                                  <span>However, this is an organization
                                    risk that I feel we should be aware
                                    of before charging too far into
                                    policy. It would behoove us to get
                                    legal review before going too far.
                                    I'll bring this up at the next board
                                    meeting.</span> <br>
                                  <span></span> <br>
                                  <span>Aloha,</span> <br>
                                  <span>--</span> <br>
                                  <span>Jim Manico</span> <br>
                                  <span>@Manicode</span> <br>
                                  <span><a moz-do-not-send="true" href="tel:%28808%29%20652-3805" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="18/1">(808) 652-3805</a></span> <br>
                                  <span></span> <br>
                                  <blockquote> <span>On Jun 20, 2015,
                                      at 9:47 AM, Kevin W. Wall <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:kevin.w.wall@gmail.com"></a><a class="moz-txt-link-abbreviated" href="mailto:kevin.w.wall@gmail.com">kevin.w.wall@gmail.com</a>>
                                      wrote:</span> <br>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote> <span>Jim,</span> <br>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote>
                                    <blockquote> <span>On Sat, Jun 20,
                                        2015 at 2:55 PM, Jim Manico <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org"></a><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>> wrote:</span>
                                      <br>
                                    </blockquote>
                                  </blockquote>
                                  <blockquote>
                                    <blockquote> <span>That is fair
                                        Michael.</span> <br>
                                    </blockquote>
                                  </blockquote>
                                  <blockquote>
                                    <blockquote> <span></span> <br>
                                    </blockquote>
                                  </blockquote>
                                  <blockquote>
                                    <blockquote> <span>But I do want to
                                        warn the community that this is
                                        a slippery slope, we </span> <br>
                                    </blockquote>
                                  </blockquote>
                                  <blockquote>
                                    <blockquote> <span>are being
                                        watched, and trying to influence
                                        legislation is one of the </span>
                                      <br>
                                    </blockquote>
                                  </blockquote>
                                  <blockquote>
                                    <blockquote> <span>few ways OWASP
                                        can lose its charitable status.
                                        And if that happens, </span> <br>
                                    </blockquote>
                                  </blockquote>
                                  <blockquote>
                                    <blockquote> <span>the debate about
                                        what to do with our funds will
                                        quickly change for the worse.</span>
                                      <br>
                                    </blockquote>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote> <span>I don't think that
                                      it is impossible for charitable
                                      organizations to </span> <br>
                                  </blockquote>
                                  <blockquote> <span>comment on public
                                      possible without losing their
                                      501(c)(3) status, but </span> <br>
                                  </blockquote>
                                  <blockquote> <span>it just has to be
                                      done in the right way. (However,
                                      IANAL, so I don't </span> <br>
                                  </blockquote>
                                  <blockquote> <span>even begin to know
                                      the details of what that "right
                                      way" would entail.)</span> <br>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote> <span>As a case in
                                      point, the ACM has a 501(c)(3)
                                      not-for-profit status, and </span>
                                    <br>
                                  </blockquote>
                                  <blockquote> <span>yet their public
                                      policy arm--the USACM--has
                                      certainly tried to </span> <br>
                                  </blockquote>
                                  <blockquote> <span>influence public
                                      policy. (Recall the crypto debate
                                      from the late </span> <br>
                                  </blockquote>
                                  <blockquote> <span>1990s? The USACM
                                      and IEEE wrote a letter to Sen.
                                      John McCain to try to </span> <br>
                                  </blockquote>
                                  <blockquote> <span>influence the US
                                      legislation not to pass laws to
                                      mandate weak </span> <br>
                                  </blockquote>
                                  <blockquote> <span>encryption. E.g.,
                                      see</span> <br>
                                  </blockquote>
                                  <blockquote> <span><<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri"></a><a class="moz-txt-link-freetext" href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri">http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri</a></span>
                                    <br>
                                  </blockquote>
                                  <blockquote> <span>vacy%20and%20Security>.)</span>
                                    <br>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote> <span>So I'm guessing
                                      that the devil is in the details
                                      of how it is done.  </span> <br>
                                  </blockquote>
                                  <blockquote> <span>In fact, according
                                      to Spaf's blog at </span> <br>
                                  </blockquote>
                                  <blockquote> <span><<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t"></a><a class="moz-txt-link-freetext" href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t">https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t</a></span>
                                    <br>
                                  </blockquote>
                                  <blockquote> <span>he_attack_on_encryption/>


                                      the USACM is going through this
                                      same thing </span> <br>
                                  </blockquote>
                                  <blockquote> <span>again. Like I
                                      said, I am not a lawyer and maybe
                                      this attempt to </span> <br>
                                  </blockquote>
                                  <blockquote> <span>influence public
                                      policy doesn't strictly qualify as
                                      "lobbying" in the </span> <br>
                                  </blockquote>
                                  <blockquote> <span>eyes of the IRS.
                                      But it certainly doesn't seem
                                      impossible.</span> <br>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote> <span>Also, we can--and
                                      should--all speak out strongly
                                      against things that </span> <br>
                                  </blockquote>
                                  <blockquote> <span>we believe are
                                      against the OWASP mission, but we
                                      don't have to do it </span> <br>
                                  </blockquote>
                                  <blockquote> <span>in a manner as
                                      representing OWASP. Do that on
                                      your personal blogs or </span> <br>
                                  </blockquote>
                                  <blockquote> <span>social media
                                      instead of OWASP mailing lists and
                                      there shouldn't be an </span> <br>
                                  </blockquote>
                                  <blockquote> <span>issue, especially
                                      if you add a short disclaimer as
                                      to how your opinion </span> <br>
                                  </blockquote>
                                  <blockquote> <span>does not
                                      necessarily affect the opinion of
                                      OWASP overall (in the cases when
                                      there might be some doubt).</span>
                                    <br>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote> <span>So perhaps if we
                                      decide that we officially want to
                                      speak out on </span> <br>
                                  </blockquote>
                                  <blockquote> <span>certain public
                                      policy as an organization in order
                                      to influence public </span> <br>
                                  </blockquote>
                                  <blockquote> <span>policy in
                                      accordance with our mission
                                      statements, then someone who </span>
                                    <br>
                                  </blockquote>
                                  <blockquote> <span>understands the
                                      nuances of the 501(c)(3) IRS
                                      regulations could help </span> <br>
                                  </blockquote>
                                  <blockquote> <span>OWASP navigate
                                      these waters.</span> <br>
                                  </blockquote>
                                  <blockquote> <span></span> <br>
                                  </blockquote>
                                  <blockquote> <span>-kevin</span> <br>
                                  </blockquote>
                                  <blockquote> <span>--</span> <br>
                                  </blockquote>
                                  <blockquote> <span>Blog: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://off-the-wall-security.blogspot.com/"></a><a class="moz-txt-link-freetext" href="http://off-the-wall-security.blogspot.com/">http://off-the-wall-security.blogspot.com/</a></span>
                                    <br>
                                  </blockquote>
                                  <blockquote> <span>NSA: All your
                                      crypto bit are belong to us.</span>
                                    <br>
                                  </blockquote>
                                  <span>_______________________________________________</span>
                                  <br>
                                  <span>Owasp-community mailing list</span>
                                  <br>
                                  <span><a moz-do-not-send="true" href="mailto:Owasp-community@lists.owasp.org">Owasp-community@lists.owasp.org</a></span>
                                  <br>
                                  <span><a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-community">https://lists.owasp.org/mailman/listinfo/owasp-community</a></span>
                                  <br>
                                </div>
                              </blockquote>
                              <br>
                              <br>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                  </div>
                </blockquote>
                <br>
              </div>
            </blockquote>
          </blockquote>
          <br>
        </div>
      </blockquote>
    </blockquote>
    <br>
  

</div></blockquote></div></body></html>