<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Jerry,<br>
    <br>
    Per IRS guidelines, it's not just about lobbying politicians. The
    limit is also on trying to influence legislation. The original IAB
    link from Tobias was about export control law (ie: legislation)
    which is why I emailed words of caution.<br>
    <br>
    - Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 6/21/15 3:52 PM, Jerry Hoff wrote:<br>
    </div>
    <blockquote
      cite="mid:4F829A81-4C69-404E-94B7-42474752CE15@owasp.org"
      type="cite">
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      <div><span></span></div>
      <div>
        <div>Just to be clear again - no one in this entire thread (that
          I have read at least) has suggested we actively lobby
          politicians. Putting out a statement on proposed legislation
          is not the same as actively lobbying government as defined
          below. </div>
        <div><br>
        </div>
        <div>The entire thread is based on Jeff's statement that  OWASP
          should put out a single statement similar to the IAB's.
           That's it.  I'm not sure how the conversation has drifted so
          substantially from that  request.</div>
        <div><br>
        </div>
        <div>--
          <div>Jerry Hoff</div>
          <div><a moz-do-not-send="true" href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
          <div>@jerryhoff</div>
        </div>
        <div><br>
          On Jun 21, 2015, at 21:42, Jim Manico <<a
            moz-do-not-send="true" href="mailto:jim.manico@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>
          wrote:<br>
          <br>
        </div>
        <blockquote type="cite">
          <div>
            <meta content="text/html; charset=utf-8"
              http-equiv="Content-Type">
            And in the interest in fairness, here is the counter-point
            as to why we should do MORE lobbying at OWASP. <br>
            <br>
            <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12202">http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12202</a><br>
            <br>
            <meta charset="utf-8">
            <h5 style="box-sizing: border-box; margin: 0.2rem 0px 0px;
              padding: 0px; font-family: 'Helvetica Neue', Helvetica,
              Helvetica, Arial, sans-serif; font-weight: 500;
              font-style: normal; color: black; text-rendering:
              optimizeLegibility; line-height: 1.4; font-size: 0.938rem;
              font-variant: normal; letter-spacing: normal; orphans:
              auto; text-align: start; text-indent: 0px; text-transform:
              none; white-space: normal; widows: 1; word-spacing: 0px;
              -webkit-text-stroke-width: 0px; background-color: rgb(255,
              255, 255);">1. 501(c)(3)s cannot lobby and will lose their
              tax exemption if they engage in lobbying.</h5>
            <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
              padding: 0px; font-family: 'Helvetica Neue', Helvetica,
              Helvetica, Arial, sans-serif; font-weight: normal;
              line-height: 1.6; text-rendering: optimizeLegibility;
              color: rgb(51, 51, 51); font-size: 15.0080003738403px;
              font-style: normal; font-variant: normal; letter-spacing:
              normal; orphans: auto; text-align: start; text-indent:
              0px; text-transform: none; white-space: normal; widows: 1;
              word-spacing: 0px; -webkit-text-stroke-width: 0px;
              background-color: rgb(255, 255, 255);">Absolutely not.
              501(c)(3) organizations can, and often should, lobby at
              all levels of government. Federal tax law has always
              permitted some lobbying by nonprofits. The 1976 lobbying
              tax law passed by Congress made that expressly clear. The
              Internal Revenue Service ("IRS") followed with
              implementing regulations. The federal government clearly
              supports lobbying by 501(c)(3) organizations. Together,
              the law and regulations provide wide latitude for
              501(c)(3) organizations to lobby.</p>
            <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
              padding: 0px; font-family: 'Helvetica Neue', Helvetica,
              Helvetica, Arial, sans-serif; font-weight: normal;
              line-height: 1.6; text-rendering: optimizeLegibility;
              color: rgb(51, 51, 51); font-size: 15.0080003738403px;
              font-style: normal; font-variant: normal; letter-spacing:
              normal; orphans: auto; text-align: start; text-indent:
              0px; text-transform: none; white-space: normal; widows: 1;
              word-spacing: 0px; -webkit-text-stroke-width: 0px;
              background-color: rgb(255, 255, 255);">The law makes it
              very clear how much a 501(c)(3) organization can spend on
              lobbying - up to $1 million depending on the size of the
              organization - if the 501(h) election is made. The law
              also makes it clear which activities are lobbying and
              which are not. For example, lobbying occurs only when
              there is an<span class="Apple-converted-space"> </span><i
                style="box-sizing: border-box; font-style: italic;
                line-height: inherit;">expenditure of money</i><span
                class="Apple-converted-space"> </span>by the 501(c)(3)
              for the purpose of attempting to influence legislation.
              Where there is no expenditure by the organization for
              lobbying (such as lobbying by members or volunteers),
              there is no lobbying by the organization.</p>
            <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
              padding: 0px; font-family: 'Helvetica Neue', Helvetica,
              Helvetica, Arial, sans-serif; font-weight: normal;
              line-height: 1.6; text-rendering: optimizeLegibility;
              color: rgb(51, 51, 51); font-size: 15.0080003738403px;
              font-style: normal; font-variant: normal; letter-spacing:
              normal; orphans: auto; text-align: start; text-indent:
              0px; text-transform: none; white-space: normal; widows: 1;
              word-spacing: 0px; -webkit-text-stroke-width: 0px;
              background-color: rgb(255, 255, 255);">The right of
              citizens to petition their government is basic to our
              democratic way of life, and associations, including
              501(c)(3)s, are one of the most effective vehicles for
              making use of citizen participation in shaping public
              policy. Fortunately, the legislation passed by Congress in
              1976 makes it possible for 501(c)(3)s to lobby freely for
              the causes, communities and constituencies they serve.</p>
            <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
              padding: 0px; font-family: 'Helvetica Neue', Helvetica,
              Helvetica, Arial, sans-serif; font-weight: normal;
              line-height: 1.6; text-rendering: optimizeLegibility;
              color: rgb(51, 51, 51); font-size: 15.0080003738403px;
              font-style: normal; font-variant: normal; letter-spacing:
              normal; orphans: auto; text-align: start; text-indent:
              0px; text-transform: none; white-space: normal; widows: 1;
              word-spacing: 0px; -webkit-text-stroke-width: 0px;
              background-color: rgb(255, 255, 255);">Generally,
              organizations that make the 501(h) election under the 1976
              lobbying law may spend 20% of the first $500,000 of their
              annual expenditures on lobbying ($100,000), 15% of the
              next $500,000, and so on, up to $1 million dollars.</p>
            <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
              padding: 0px; font-family: 'Helvetica Neue', Helvetica,
              Helvetica, Arial, sans-serif; font-weight: normal;
              line-height: 1.6; text-rendering: optimizeLegibility;
              color: rgb(51, 51, 51); font-size: 15.0080003738403px;
              font-style: normal; font-variant: normal; letter-spacing:
              normal; orphans: auto; text-align: start; text-indent:
              0px; text-transform: none; white-space: normal; widows: 1;
              word-spacing: 0px; -webkit-text-stroke-width: 0px;
              background-color: rgb(255, 255, 255);">Finally, by not
              engaging in lobbying, your organization may be failing to
              employ a very important activity that could be enormously
              helpful in carrying out its mission.</p>
            <br>
            <br>
            <div class="moz-cite-prefix">On 6/21/15 3:32 PM, Jerry Hoff
              wrote:<br>
            </div>
            <blockquote
              cite="mid:741675FD-A590-42D8-A175-EA0672ECD616@owasp.org"
              type="cite">
              <meta http-equiv="content-type" content="text/html;
                charset=utf-8">
              <div>Agreed - but I was under the strong impression this
                entire discussion was on putting out a statement similar
                to the IAB.  Apologies if I misunderstood. I was voicing
                support on that specific action.</div>
              <div><br>
              </div>
              <div>I didn't see anywhere in the thread (though I may
                have missed it) anyone advocating political campaigning
                or to change the OWASP charter such that influencing
                legislation would be a substantial activity. <br>
                <br>
                --
                <div>Jerry Hoff</div>
                <div><a moz-do-not-send="true"
                    href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
                <div>@jerryhoff</div>
              </div>
              <div><br>
                On Jun 21, 2015, at 21:25, Jim Manico <<a
                  moz-do-not-send="true"
                  class="moz-txt-link-abbreviated"
                  href="mailto:jim.manico@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>

                wrote:<br>
                <br>
              </div>
              <blockquote type="cite">
                <div>
                  <meta content="text/html; charset=utf-8"
                    http-equiv="Content-Type">
                  Jerry,<br>
                  <br>
                  I'm a fan of OWASP taking technical stands such as the
                  IAB Statement on Internet Confidentiality <a
                    moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/"><a class="moz-txt-link-freetext" href="https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/">https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/</a></a>
                  and similar. <br>
                  <br>
                  What our 501(c)(3) foundation needs to to steer clear
                  of from my understanding is...<br>
                  <br>
                  1) ... not to engage in political campaigning<br>
                  2) ... not to attempt to influence legislation as a
                  substantial part of our activities<br>
                  <br>
                  I am no fan of NACL's but this is a very important
                  topic.<br>
                  <br>
                  The exact quote from the IRS is (<a
                    moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501%28c%29%283%29-Organizations%29"><a class="moz-txt-link-freetext" href="http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)">http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)</a></a><br>
                  <br>
                  <meta charset="utf-8">
                  <span style="color: rgb(0, 0, 0); font-family:
                    sans-serif; font-size: 13px; font-style: normal;
                    font-variant: normal; font-weight: normal;
                    letter-spacing: normal; line-height:
                    16.0029983520508px; orphans: auto; text-align:
                    start; text-indent: 0px; text-transform: none;
                    white-space: normal; widows: 1; word-spacing: 0px;
                    -webkit-text-stroke-width: 0px; display: inline
                    !important; float: none; background-color: rgb(255,
                    255, 255);">"...it may not attempt to influence
                    legislation as a substantial part of its activities
                    and it may not participate in any campaign activity
                    for or against political candidates..."</span><br>
                  <br>
                  So as long as our "official foundation statement" on
                  this matter steers clear of these issues, I will
                  support it.<br>
                  <br>
                  We will be discussing this at the June 24th meeting, I
                  hope you can make it.<br>
                  <br>
                  <a moz-do-not-send="true"
                    class="moz-txt-link-freetext"
                    href="https://www.owasp.org/index.php/June_24,_2015">https://www.owasp.org/index.php/June_24,_2015</a><br>
                  <br>
                  Aloha,<br>
                  Jim<br>
                  <br>
                  <div class="moz-cite-prefix">On 6/21/15 3:16 PM, Jerry
                    Hoff wrote:<br>
                  </div>
                  <blockquote
                    cite="mid:A2E4A344-4519-4A6B-A86A-B240A09E68DD@owasp.org"
                    type="cite">
                    <meta http-equiv="content-type" content="text/html;
                      charset=utf-8">
                    <div>I believe this debate is based off wrong
                      assumptions - for example the EFF is 501(c)(3) and
                      that does not prevent them from taking a position
                      on relevant issues as an organization.<br>
                      <br>
                      --
                      <div>Jerry Hoff</div>
                      <div><a moz-do-not-send="true"
                          href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
                      <div>@jerryhoff</div>
                    </div>
                    <div><br>
                      On Jun 21, 2015, at 21:05, Jim Manico <<a
                        moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:jim.manico@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>


                      wrote:<br>
                      <br>
                    </div>
                    <blockquote type="cite">
                      <div>
                        <meta content="text/html; charset=utf-8"
                          http-equiv="Content-Type">
                        With respect, I disagree with your take on this
                        Jeff. Official OWASP public statements should be
                        done with care.<br>
                        <br>
                        Also, this issue is not resolved yet and I am
                        simply stating *my opinion* on the matter backed
                        by research and references to IRS guidelines
                        discussing this matter. And again I've stated
                        that this is a nebulous area even by IRS
                        regulation.<br>
                        <br>
                        <u><b>We are discussing this at the June 24
                            board meeting</b></u><u><b> - a meeting in
                            which I hope that you and the community
                            attend.</b></u> <br>
                        <br>
                        Making a big statement like this as an official
                        message of the OWASP foundation - especial since
                        it's political in nature - does in my opinion
                        require board discussion. I know you want us to
                        "jump on this" immediately - and we are Jeff -
                        in just a few days.<br>
                        <br>
                        In fact, if the language is crafted in a way
                        that keeps clear of specific legislation, I will
                        likely vote to push this out. I agree with it
                        100%, I am only concerned if it's the right
                        thing for OWASP to be making such a public
                        statement. <br>
                        <br>
                        It is critical for all of us in OWASP leadership
                        to be aware of the limits of what a 501(c)(3)
                        should be doing, and when I hear that the
                        members of foundation want OWASP to make a
                        public and politically charged statement of
                        intent, I think it's crucial for the board to be
                        a part of it since the board holds legal
                        responsibility for the operations of the
                        foundation.<br>
                        <br>
                        See you June 24th?<br>
                        <br>
                        <a moz-do-not-send="true"
                          class="moz-txt-link-freetext"
                          href="https://www.owasp.org/index.php/June_24,_2015">https://www.owasp.org/index.php/June_24,_2015</a><br>
                        <br>
                        Aloha,<br>
                        Jim<br>
                        <br>
                        <br>
                        <br>
                        <br>
                        <br>
                        <div class="moz-cite-prefix">On 6/21/15 2:47 PM,
                          Jeff Williams wrote:<br>
                        </div>
                        <blockquote
cite="mid:815ED4954DD4EA87.AC9F30B4-B882-4DBD-8F06-A2CC09F2B771@mail.outlook.com"
                          type="cite">
                          <div>This is a false dichotomy -- OWASP can
                            and should do both. The Board should work to
                            assist and support *any* idea consistent
                            with our mission...even if...especially
                            if... you don't think it will work.</div>
                          <div><br>
                          </div>
                          <div>You can't let *your* judgement influence
                            the decision to support a project. If you
                            do, then all we will ever get is Board
                            ideas.  And, respectfully, I don't trust you
                            or any other individual to think up the next
                            great AppSec idea.</div>
                          <div><br>
                          </div>
                          <div>The Board shouldn't interfere at all
                            unless somebody is doing something harmful
                            to the organization or the mission. And even
                            then should try to figure out a productive
                            path for that energy.</div>
                          <div><br>
                          </div>
                          <div>Again respectfully, you should get out of
                            the way.<br>
                            <br>
                            <div class="acompli_signature">--Jeff<br>
                            </div>
                          </div>
                          <br>
                          <br>
                          <br>
                          <div class="gmail_quote">On Sun, Jun 21, 2015
                            at 5:27 PM -0700, "Jim Manico" <span
                              dir="ltr"><<a moz-do-not-send="true"
                                class="moz-txt-link-abbreviated"
                                href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>></span>
                            wrote:<br>
                            <br>
                            <blockquote class="gmail_quote"
                              style="margin:0 0 0 .8ex;border-left:1px
                              #ccc solid;padding-left:1ex">
                              <div dir="3D"ltr"">
                                <meta http-equiv="content-type"
                                  content="text/html; charset=utf-8">
                                <div>Jeff,</div>
                                <div><br>
                                </div>
                                <div>My take on this is that "talk is
                                  cheap" and that "actions are more
                                  powerful words". I'd rather keep out
                                  of legislation and focus on making
                                  important projects like ESAPI, ASVS,
                                  Security Shepard and others more
                                  powerful.</div>
                                <div><br>
                                </div>
                                <div>I am sorry you are disappointed in
                                  current board action, but there is
                                  good reason behind the perspective I
                                  am stating. Also, this is my opinion
                                  alone, not the entire boards.</div>
                                <div><br>
                                </div>
                                <div>Again, take a look at Whisper
                                  Systems. They are providing incredibly
                                  well created and well assessed open
                                  source projects for secure
                                  communications. These open source
                                  projects are now being integrated into
                                  various Operating Systems and other
                                  projects.</div>
                                <div><br>
                                </div>
                                <div>If ESAPI was not a abandoned, it
                                  could have been serving our mission -
                                  planet level. I want to see it and
                                  other key projects revived and well
                                  funded.</div>
                                <div><br>
                                </div>
                                <div>The power of a well built security
                                  project is worth more than a thousand
                                  words. Talk is cheap. Actions that
                                  change the world take sweat, blood and
                                  staying the course even when it's no
                                  longer financially beneficial to do
                                  so.</div>
                                <div><br>
                                </div>
                                <div>Respectfully,<br>
                                  <div>--</div>
                                  <div>Jim Manico</div>
                                  <div>
                                    <div apple-content-edited="true"
                                      class="">
                                      <div class="" style="word-wrap:
                                        break-word; -webkit-nbsp-mode:
                                        space; -webkit-line-break:
                                        after-white-space;">
                                        <div class=""><span
                                            style="background-color:
                                            rgba(255, 255, 255, 0);">Global
                                            Board Member</span></div>
                                        <span style="background-color:
                                          rgba(255, 255, 255, 0);">OWASP
                                          Foundation</span>
                                        <div class=""><a
                                            moz-do-not-send="true"
                                            href="https://www.owasp.org/"
                                            class=""
                                            style="background-color:
                                            rgba(255, 255, 255, 0);"><font
                                              color="#000000"><a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></font></a></div>
                                      </div>
                                    </div>
                                    <div class=""><span
                                        style="background-color:
                                        rgba(255, 255, 255, 0);">Join me
                                        at <a moz-do-not-send="true"
                                          href="http://appsecusa.org/"
                                          target="_blank" class="">AppSecUSA</a> 2015

                                        in San Francisco!</span></div>
                                  </div>
                                </div>
                                <div><br>
                                  On Jun 21, 2015, at 2:12 PM, Jeff
                                  Williams <<a moz-do-not-send="true"
                                    class="moz-txt-link-abbreviated"
                                    href="mailto:jeff.williams@owasp.org">jeff.williams@owasp.org</a>>



                                  wrote:<br>
                                  <br>
                                </div>
                                <blockquote type="cite">
                                  <div>
                                    <div>For the record, the IAB is part
                                      of the IETF, which *is* a 501c3.
                                       Even though 501c3 organizations
                                      *can* do some lobbying (as long as
                                      expenditures are not substantial),
                                      the IAB is careful not to talk
                                      about legislation or urge anyone
                                      to contact representatives about
                                      legislation.</div>
                                    <div>As the creator and longtime
                                      Chair of the OWASP Board, I'm
                                      frustrated that the current Board
                                      isn't falling over themselves to
                                      support efforts like this.  IMO
                                      the whole purpose of the Board is
                                      to create a great platform to
                                      support and amplify the efforts of
                                      anyone willing to contribute to
                                      our important cause. Does't matter
                                      the topic, but instead of saying
                                      no or criticizing ideas or
                                      projects, figure out a way to make
                                      it work or make them better.</div>
                                    <div>In this case, and a million
                                      other topics, it would be
                                      incredibly easy to stick to the
                                      technical realities and
                                      feasibility of any approaches
                                      being discussed in the news.  No
                                      need to mention legislation.</div>
                                    <div>
                                      <div class="acompli_signature">--Jeff<br>
                                        <br>
                                        Jeff Williams | CTO<br>
                                        Contrast Security<br>
                                        <a moz-do-not-send="true"
                                          href="tel:410.707.1487"
                                          x-apple-data-detectors="true"
x-apple-data-detectors-type="telephone"
                                          x-apple-data-detectors-result="0/1">410.707.1487</a>
                                        | @planetlevel @contrastsec<br>
                                        <br>
                                      </div>
                                      <br>
                                    </div>
                                    <div class="gmail_quote">_____________________________<br>
                                      From: Jim Manico <<a
                                        moz-do-not-send="true"
                                        class="moz-txt-link-abbreviated"
href="mailto:jim.manico@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>><br>
                                      Sent: Sunday, June 21, 2015 7:37
                                      PM<br>
                                      Subject: Re: [Owasp-leaders]
                                      [Owasp-community] [Owasp-board]
                                      IAB Statement on the Trade in
                                      Security Technologies<br>
                                      To: McGovern, James <<a
                                        moz-do-not-send="true"
                                        class="moz-txt-link-abbreviated"
href="mailto:james.mcgovern@hp.com"><a class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a></a>><br>
                                      Cc: <<a moz-do-not-send="true"
href="mailto:owasp-community@lists.owasp.org"
                                        x-apple-data-detectors="true"
                                        x-apple-data-detectors-type="link"
x-apple-data-detectors-result="5">owasp-community@lists.owasp.org</a>>,



                                      OWASP Board List <<a
                                        moz-do-not-send="true"
                                        class="moz-txt-link-abbreviated"
href="mailto:owasp-board@lists.owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:owasp-board@lists.owasp.org">owasp-board@lists.owasp.org</a></a>>,



                                      owasp-leaders <<a
                                        moz-do-not-send="true"
                                        class="moz-txt-link-abbreviated"
href="mailto:owasp-leaders@lists.owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a></a>><br>
                                      <br>
                                      <br>
                                      <meta content="text/html;
                                        charset=utf-8">
                                      <div> I will - for sure - put this
                                        on the June 24th Board meeting
                                        agenda. My opinion (based on
                                        research over the years trying
                                        to understand my duty to the
                                        foundation) is to keep AWAY from
                                        any even slight attempt to
                                        influence legislation. </div>
                                      <div> <br>
                                      </div>
                                      <div> In general I see projects,
                                        documentation efforts and
                                         conferences doing much to unite
                                        us in our shared mission. But
                                        start discussing politics and it
                                        will go a long way to divide us
                                        as a community. </div>
                                      <div> <br>
                                      </div>
                                      <div> I suggest that we focus on
                                        •doing something• vs •saying
                                        something•.  </div>
                                      <div> <br>
                                      </div>
                                      <div> Imagine funding open source
                                        projects similar to Whisper
                                        Systems or enhancing our
                                        documentation projects to be
                                        much more up to date and
                                        relevant our building
                                        professional open source
                                        training material? This is how I
                                        think the foundation can best
                                        face these issues while at the
                                        same time serve our mission
                                        while at the same time keep away
                                        from influencing legislation. :)
                                      </div>
                                      <div> <br>
                                      </div>
                                      <div> And for what it's worth, I
                                        strongly dislike the fact that
                                        I'm bringing these things up.
                                        I'm not trying to ruin anyones
                                        party here. But I do feel it's
                                        my duty as your elected board
                                        member to do so. </div>
                                      <div> <br>
                                      </div>
                                      <div> Aloha, </div>
                                      <div> -- <br>
                                        <div> Jim Manico </div>
                                        <div>
                                          <div class="">
                                            <div class=""
                                              style="word-wrap:
                                              break-word;
                                              -webkit-nbsp-mode: space;
                                              -webkit-line-break:
                                              after-white-space;">
                                              <div class=""> <span
                                                  style="background-color:
                                                  rgba(255, 255, 255,
                                                  0);">Global Board
                                                  Member</span> </div>
                                              <span
                                                style="background-color:
                                                rgba(255, 255, 255, 0);">OWASP

                                                Foundation</span>
                                              <div class=""> <font
                                                  color="#000000"><a
                                                    moz-do-not-send="true"
class="moz-txt-link-freetext" href="https://www.owasp.org"><a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></a></font>
                                              </div>
                                            </div>
                                          </div>
                                          <div class=""> <span
                                              style="background-color:
                                              rgba(255, 255, 255, 0);">Join
                                              me at <a
                                                moz-do-not-send="true"
                                                href="http://appsecusa.org/"
                                                class="">AppSecUSA</a> 2015
                                              in San Francisco!</span> </div>
                                        </div>
                                      </div>
                                      <div> <br>
                                        On Jun 21, 2015, at 1:23 PM,
                                        McGovern, James < <a
                                          moz-do-not-send="true"
                                          class="moz-txt-link-abbreviated"
href="mailto:james.mcgovern@hp.com"><a class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a></a>> wrote:
                                        <br>
                                        <br>
                                      </div>
                                      <blockquote>
                                        <div> <span>Jim, while you are
                                            going to the board for legal
                                            clarification, please
                                            inquire:</span> <br>
                                          <span></span> <br>
                                          <span>1. 501c3 is a US thing.
                                            Can we influence non-US
                                            government and still comply?</span>
                                          <br>
                                          <span>2. Understanding the US
                                            political issues sometimes
                                            will put us on a partisan
                                            path. For example, in CT I
                                            have commented in the past
                                            in a political context on
                                            why smart guns are just
                                            plain stupid. This
                                            particular issue leans more
                                            conservative/libertarian
                                            than it does Liberal.
                                            Therefore, we must attempt
                                            to understand the flow of
                                            politics on any given
                                            Sunday.</span> <br>
                                          <span>3. Maybe we could
                                            somehow solve this by having
                                            a policy that encourages
                                            legislators of all parties
                                            to reach out to their local
                                            chapter leader for an
                                            informed opinion.</span> <br>
                                          <span></span> <br>
                                          <span>-----Original
                                            Message-----</span> <br>
                                          <span>From: <a
                                              moz-do-not-send="true"
                                              href="mailto:owasp-community-bounces@lists.owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:owasp-community-bounces@lists.owasp.org">owasp-community-bounces@lists.owasp.org</a></a>
                                            [<a moz-do-not-send="true"
                                              href="mailto:owasp-community-bounces@lists.owasp.org">mailto:owasp-community-bounces@lists.owasp.org</a>]
                                            On Behalf Of Jim Manico</span>
                                          <br>
                                          <span>Sent: Saturday, June 20,
                                            2015 4:37 PM</span> <br>
                                          <span>To: Kevin W. Wall</span>
                                          <br>
                                          <span>Cc: OWASP Board List; <a
                                              moz-do-not-send="true"
                                              class="moz-txt-link-abbreviated"
href="mailto:owasp-community@lists.owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:owasp-community@lists.owasp.org">owasp-community@lists.owasp.org</a></a>;
                                            owasp-leaders</span> <br>
                                          <span>Subject: Re:
                                            [Owasp-community]
                                            [Owasp-board] IAB Statement
                                            on the Trade in Security
                                            Technologies</span> <br>
                                          <span></span> <br>
                                          <span>I agree with you Kevin.
                                            Even the IRS is cagey about
                                            this topic. </span> <br>
                                          <span></span> <br>
                                          <span>However, this is an
                                            organization risk that I
                                            feel we should be aware of
                                            before charging to far into
                                            policy. It would behoove is
                                            to get legal review before
                                            going to far. I'll bring
                                            this up at the next board
                                            meeting.</span> <br>
                                          <span></span> <br>
                                          <span>Aloha,</span> <br>
                                          <span>--</span> <br>
                                          <span>Jim Manico</span> <br>
                                          <span>@Manicode</span> <br>
                                          <span><a
                                              moz-do-not-send="true"
                                              href="tel:%28808%29%20652-3805"
x-apple-data-detectors="true" x-apple-data-detectors-type="telephone"
                                              x-apple-data-detectors-result="18/1">(808)
                                              652-3805</a></span> <br>
                                          <span></span> <br>
                                          <blockquote> <span>On Jun 20,
                                              2015, at 9:47 AM, Kevin W.
                                              Wall <<a
                                                moz-do-not-send="true"
                                                class="moz-txt-link-abbreviated"
href="mailto:kevin.w.wall@gmail.com"><a class="moz-txt-link-abbreviated" href="mailto:kevin.w.wall@gmail.com">kevin.w.wall@gmail.com</a></a>>
                                              wrote:</span> <br>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote> <span>Jim,</span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote>
                                            <blockquote> <span>On Sat,
                                                Jun 20, 2015 at 2:55 PM,
                                                Jim Manico <<a
                                                  moz-do-not-send="true"
class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>>
                                                wrote:</span> <br>
                                            </blockquote>
                                          </blockquote>
                                          <blockquote>
                                            <blockquote> <span>That is
                                                fair Michael.</span> <br>
                                            </blockquote>
                                          </blockquote>
                                          <blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                          </blockquote>
                                          <blockquote>
                                            <blockquote> <span>But I do
                                                want to warn the
                                                community that this is a
                                                slippery slope, we </span>
                                              <br>
                                            </blockquote>
                                          </blockquote>
                                          <blockquote>
                                            <blockquote> <span>are
                                                being watched, and
                                                trying to influence
                                                legislation is one of
                                                the </span> <br>
                                            </blockquote>
                                          </blockquote>
                                          <blockquote>
                                            <blockquote> <span>few ways
                                                OWASP can lose it's
                                                charitable status. And
                                                if that happens, </span>
                                              <br>
                                            </blockquote>
                                          </blockquote>
                                          <blockquote>
                                            <blockquote> <span>the
                                                debate about what to do
                                                with our funds will
                                                quickly change for the
                                                worse.</span> <br>
                                            </blockquote>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote> <span>I don't
                                              think that it is
                                              impossible for charitable
                                              organizations to </span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>comment on
                                              public possible without
                                              loosing their 501(c)(3)
                                              status, but </span> <br>
                                          </blockquote>
                                          <blockquote> <span>it just
                                              has to be done in the
                                              right way. (However,
                                              IANAL, so I don't </span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>even begin
                                              to know the details of
                                              what that "right way"
                                              would entail.)</span> <br>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote> <span>As a case
                                              in point, the ACM has a
                                              501(c)(3) not-for-profit
                                              status, and </span> <br>
                                          </blockquote>
                                          <blockquote> <span>yet their
                                              public policy arm--the
                                              USACM--has certainly tried
                                              to </span> <br>
                                          </blockquote>
                                          <blockquote> <span>influence
                                              public policy. (Recall the
                                              crypto debate from the
                                              late </span> <br>
                                          </blockquote>
                                          <blockquote> <span>1990s? The
                                              USACM and IEEE wrote a
                                              letter to Sen. John McCain
                                              to try to </span> <br>
                                          </blockquote>
                                          <blockquote> <span>influence
                                              the US legislation not to
                                              pass laws to mandate weak
                                            </span> <br>
                                          </blockquote>
                                          <blockquote> <span>encryption.
                                              E.g., see</span> <br>
                                          </blockquote>
                                          <blockquote> <span><<a
                                                moz-do-not-send="true"
                                                class="moz-txt-link-freetext"
href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri"><a class="moz-txt-link-freetext" href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri">http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Pri</a></a></span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>vacy%20and%20Security>.)</span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote> <span>So I'm
                                              guessing that the devil is
                                              in the details of how it
                                              is done.  </span> <br>
                                          </blockquote>
                                          <blockquote> <span>In fact,
                                              according to Spaf's blog
                                              at </span> <br>
                                          </blockquote>
                                          <blockquote> <span><<a
                                                moz-do-not-send="true"
                                                class="moz-txt-link-freetext"
href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t"><a class="moz-txt-link-freetext" href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t">https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_t</a></a></span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>he_attack_on_encryption/>



                                              the USACM is going through
                                              this same this </span> <br>
                                          </blockquote>
                                          <blockquote> <span>this
                                              again. Like I said, I am
                                              not a lawyer and maybe
                                              this attempt to </span> <br>
                                          </blockquote>
                                          <blockquote> <span>influence
                                              public policy doesn't
                                              strictly qualify as
                                              "lobbying" in the </span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>eyes of
                                              the IRS. But it certainly
                                              doesn't seem impossible.</span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote> <span>Also, we
                                              can--and should--all speak
                                              out strongly against
                                              things that </span> <br>
                                          </blockquote>
                                          <blockquote> <span>we believe
                                              are against the OWASP
                                              mission, but we don't have
                                              to do it </span> <br>
                                          </blockquote>
                                          <blockquote> <span>in a
                                              manner as representing
                                              OWASP. Do that on your
                                              personal blogs or </span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>social
                                              media instead of OWASP
                                              mailing lists and there
                                              shouldn't be an </span> <br>
                                          </blockquote>
                                          <blockquote> <span>issue,
                                              especially if you add a
                                              short disclaimer as to how
                                              your opinion </span> <br>
                                          </blockquote>
                                          <blockquote> <span>does not
                                              necessarily affect the
                                              opinion of OWASP overall
                                              (in the cases when there
                                              might be some doubt).</span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote> <span>So perhaps
                                              if we decide that we
                                              officially want to speak
                                              out on </span> <br>
                                          </blockquote>
                                          <blockquote> <span>certain
                                              public policy as an
                                              organization in order to
                                              influence public </span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>policy in
                                              accordance with our
                                              mission statements, then
                                              someone who </span> <br>
                                          </blockquote>
                                          <blockquote> <span>understands
                                              the nuances of the
                                              501(c)(3) IRS regulations
                                              could help </span> <br>
                                          </blockquote>
                                          <blockquote> <span>OWASP
                                              navigate these waters.</span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span></span> <br>
                                          </blockquote>
                                          <blockquote> <span>-kevin</span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>--</span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>Blog: <a
                                                moz-do-not-send="true"
                                                class="moz-txt-link-freetext"
href="http://off-the-wall-security.blogspot.com/"><a class="moz-txt-link-freetext" href="http://off-the-wall-security.blogspot.com/">http://off-the-wall-security.blogspot.com/</a></a></span>
                                            <br>
                                          </blockquote>
                                          <blockquote> <span>NSA: All
                                              your crypto bit are belong
                                              to us.</span> <br>
                                          </blockquote>
                                          <span>_______________________________________________</span>
                                          <br>
                                          <span>Owasp-community mailing
                                            list</span> <br>
                                          <span><a
                                              moz-do-not-send="true"
                                              href="mailto:Owasp-community@lists.owasp.org"><a class="moz-txt-link-abbreviated" href="mailto:Owasp-community@lists.owasp.org">Owasp-community@lists.owasp.org</a></a></span>
                                          <br>
                                          <span><a
                                              moz-do-not-send="true"
                                              href="https://lists.owasp.org/mailman/listinfo/owasp-community"><a class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-community">https://lists.owasp.org/mailman/listinfo/owasp-community</a></a></span>
                                          <br>
                                        </div>
                                      </blockquote>
                                      <br>
                                      <br>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                        <br>
                      </div>
                    </blockquote>
                    <blockquote type="cite">
                      <div><span>_______________________________________________</span><br>
                        <span>OWASP-Leaders mailing list</span><br>
                        <span><a moz-do-not-send="true"
                            href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a></span><br>
                        <span><a moz-do-not-send="true"
                            href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></span><br>
                      </div>
                    </blockquote>
                  </blockquote>
                  <br>
                </div>
              </blockquote>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>