<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>+100 Tobias.</div><div>Charities such as Amnesty International, Greenpeace etc. also make statements which are in line with their mission and also help drive the organisation achieving its goal. </div><div>I'm unsure where lobbying / political activism needs to fit in here. It's more about speaking out for what the foundation believes in. </div><div><br><br>Eoin Keary<div>OWASP Volunteer</div><div>@eoinkeary</div><div><span style="font-size: 13pt;"><br></span></div><div><br></div></div><div><br>On 22 Jun 2015, at 11:47, Tobias <<a href="mailto:tobias.gondrom@owasp.org">tobias.gondrom@owasp.org</a>> wrote:<br><br></div><blockquote type="cite"><div>
  
  
  
    <div class="moz-cite-prefix">Guys, <br>
      <br>
      just fyi: we had this discussion before. Last time in January
      2014. <br>
      And I believe reading the material provided by Jim at the time, we
      can in fact determine that OWASP can make statements that are in
      line with our mission. <br>
      <br>
      IMHO: It is good to be cautious in life, but to be so cautious as
      to remain silent on topics that are relevant and will be a problem
      for the security of the web and the Internet as a whole is IMHO a
      mistake. <br>
      <br>
      For the full and detailed analysis from our discussion in Jan
      2014, please refer to here: <br>
      <a href="http://lists.owasp.org/pipermail/owasp-board/2014-January/012872.html">http://lists.owasp.org/pipermail/owasp-board/2014-January/012872.html</a><br>
      <br>
      In short: <br>
      <i>"</i><i><b>"Your organization can engage in legislative
          advocacy and issue-related advocacy, as long as it follows
          certain rules and steers clear of political campaigning. "</b></i><i>
        (for those interested in what these certain rules are: that a
        non-profit does not have a "substantial part" of its overall
        activities relate to influencing legislation or carrying on
        propaganda. Roughly anything under 5% of the overall budget is
        considered not substantial, while expenditures of above 15%
        would probably be considered substantial - e.g. 5% would be with
        our current budget size spending of more than USD 100.000(!) on
        lobbying....)</i><i><br>
      </i><i><br>
      </i><i>We are free and safe to advocate our mission and to make
        public statements to communicate our mission. (And nobody would
        want for OWASP to politically campaign for the next candidate
        for presidency, governor,</i><i><br>
      </i><i>mayor or political party of any country.)</i><i>"</i><i><br>
        <br>
      </i><br>
      Furthermore: that's also the reason why the IAB/IETF has no
      problem at all making this statement....<br>
      And the Internet Society which is basically the "communication"
      arm of the IETF (and a 501(c) 3 tax-exempt charitable
      organization, <a href="http://www.internetsociety.org/tax-exempt-charitable-organization">http://www.internetsociety.org/tax-exempt-charitable-organization</a>)
      has no problems engaging in political debate about an open and
      secure Internet. And in fact is doing that very effectively. <i><br>
      </i><br>
      Best regards, Tobias<br>
      <br>
      <br>
      <br>
      On 22/06/15 03:57, Jim Manico wrote:<br>
    </div>
    <blockquote cite="mid:55876B76.4030608@owasp.org" type="cite">
      Jerry,<br>
      <br>
      Per IRS guidelines, it's not just about lobbying politicians. The
      limit is also on trying to influence legislation. The original IAB
      link from Tobias was about export control law (ie: legislation)
      which is why I emailed words of caution.<br>
      <br>
      - Jim<br>
      <br>
      <br>
      <div class="moz-cite-prefix">On 6/21/15 3:52 PM, Jerry Hoff wrote:<br>
      </div>
      <blockquote cite="mid:4F829A81-4C69-404E-94B7-42474752CE15@owasp.org" type="cite">
        <div><span></span></div>
        <div>
          <div>Just to be clear again - no one in this entire thread
            (that I have read at least) has suggested we actively lobby
            politicians. Putting out a statement on proposed legislation
            is not the same as actively lobbying government as defined
            below. </div>
          <div><br>
          </div>
          <div>The entire thread is based on Jeff's statement that
             OWASP should put out a single statement similar to the
            IAB's.  That's it.  I'm not sure how the conversation has
            drifted so substantially from that  request.</div>
          <div><br>
          </div>
          <div>--
            <div>Jerry Hoff</div>
            <div><a moz-do-not-send="true" href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
            <div>@jerryhoff</div>
          </div>
          <div><br>
            On Jun 21, 2015, at 21:42, Jim Manico <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>

            wrote:<br>
            <br>
          </div>
          <blockquote type="cite">
            <div>
              And in the interest of fairness, here is the counter-point
              as to why we should do MORE lobbying at OWASP. <br>
              <br>
              <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12202">http://www.asaecenter.org/Resources/whitepaperdetail.cfm?ItemNumber=12202</a><br>
              <br>
              <h5 style="box-sizing: border-box; margin: 0.2rem 0px 0px;
                padding: 0px; font-family: 'Helvetica Neue', Helvetica,
                Helvetica, Arial, sans-serif; font-weight: 500;
                font-style: normal; color: black; text-rendering:
                optimizeLegibility; line-height: 1.4; font-size:
                0.938rem; font-variant: normal; letter-spacing: normal;
                orphans: auto; text-align: start; text-indent: 0px;
                text-transform: none; white-space: normal; widows: 1;
                word-spacing: 0px; -webkit-text-stroke-width: 0px;
                background-color: rgb(255, 255, 255);">1. 501(c)(3)s
                cannot lobby and will lose their tax exemption if they
                engage in lobbying.</h5>
              <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
                padding: 0px; font-family: 'Helvetica Neue', Helvetica,
                Helvetica, Arial, sans-serif; font-weight: normal;
                line-height: 1.6; text-rendering: optimizeLegibility;
                color: rgb(51, 51, 51); font-size: 15.0080003738403px;
                font-style: normal; font-variant: normal;
                letter-spacing: normal; orphans: auto; text-align:
                start; text-indent: 0px; text-transform: none;
                white-space: normal; widows: 1; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; background-color:
                rgb(255, 255, 255);">Absolutely not. 501(c)(3)
                organizations can, and often should, lobby at all levels
                of government. Federal tax law has always permitted some
                lobbying by nonprofits. The 1976 lobbying tax law passed
                by Congress made that expressly clear. The Internal
                Revenue Service ("IRS") followed with implementing
                regulations. The federal government clearly supports
                lobbying by 501(c)(3) organizations. Together, the law
                and regulations provide wide latitude for 501(c)(3)
                organizations to lobby.</p>
              <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
                padding: 0px; font-family: 'Helvetica Neue', Helvetica,
                Helvetica, Arial, sans-serif; font-weight: normal;
                line-height: 1.6; text-rendering: optimizeLegibility;
                color: rgb(51, 51, 51); font-size: 15.0080003738403px;
                font-style: normal; font-variant: normal;
                letter-spacing: normal; orphans: auto; text-align:
                start; text-indent: 0px; text-transform: none;
                white-space: normal; widows: 1; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; background-color:
                rgb(255, 255, 255);">The law makes it very clear how
                much a 501(c)(3) organization can spend on lobbying - up
                to $1 million depending on the size of the organization
                - if the 501(h) election is made. The law also makes it
                clear which activities are lobbying and which are not.
                For example, lobbying occurs only when there is an<span class="Apple-converted-space"> </span><i style="box-sizing: border-box; font-style: italic;
                  line-height: inherit;">expenditure of money</i><span class="Apple-converted-space"> </span>by the 501(c)(3)
                for the purpose of attempting to influence legislation.
                Where there is no expenditure by the organization for
                lobbying (such as lobbying by members or volunteers),
                there is no lobbying by the organization.</p>
              <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
                padding: 0px; font-family: 'Helvetica Neue', Helvetica,
                Helvetica, Arial, sans-serif; font-weight: normal;
                line-height: 1.6; text-rendering: optimizeLegibility;
                color: rgb(51, 51, 51); font-size: 15.0080003738403px;
                font-style: normal; font-variant: normal;
                letter-spacing: normal; orphans: auto; text-align:
                start; text-indent: 0px; text-transform: none;
                white-space: normal; widows: 1; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; background-color:
                rgb(255, 255, 255);">The right of citizens to petition
                their government is basic to our democratic way of life,
                and associations, including 501(c)(3)s, are one of the
                most effective vehicles for making use of citizen
                participation in shaping public policy. Fortunately, the
                legislation passed by Congress in 1976 makes it possible
                for 501(c)(3)s to lobby freely for the causes,
                communities and constituencies they serve.</p>
              <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
                padding: 0px; font-family: 'Helvetica Neue', Helvetica,
                Helvetica, Arial, sans-serif; font-weight: normal;
                line-height: 1.6; text-rendering: optimizeLegibility;
                color: rgb(51, 51, 51); font-size: 15.0080003738403px;
                font-style: normal; font-variant: normal;
                letter-spacing: normal; orphans: auto; text-align:
                start; text-indent: 0px; text-transform: none;
                white-space: normal; widows: 1; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; background-color:
                rgb(255, 255, 255);">Generally, organizations that make
                the 501(h) election under the 1976 lobbying law may
                spend 20% of the first $500,000 of their annual
                expenditures on lobbying ($100,000), 15% of the next
                $500,000, and so on, up to $1 million dollars.</p>
              <p style="box-sizing: border-box; margin: 0px 0px 1.25rem;
                padding: 0px; font-family: 'Helvetica Neue', Helvetica,
                Helvetica, Arial, sans-serif; font-weight: normal;
                line-height: 1.6; text-rendering: optimizeLegibility;
                color: rgb(51, 51, 51); font-size: 15.0080003738403px;
                font-style: normal; font-variant: normal;
                letter-spacing: normal; orphans: auto; text-align:
                start; text-indent: 0px; text-transform: none;
                white-space: normal; widows: 1; word-spacing: 0px;
                -webkit-text-stroke-width: 0px; background-color:
                rgb(255, 255, 255);">Finally, by not engaging in
                lobbying, your organization may be failing to employ a
                very important activity that could be enormously helpful
                in carrying out its mission.</p>
              <br>
              <br>
              <div class="moz-cite-prefix">On 6/21/15 3:32 PM, Jerry
                Hoff wrote:<br>
              </div>
              <blockquote cite="mid:741675FD-A590-42D8-A175-EA0672ECD616@owasp.org" type="cite">
                <div>Agreed - but I was under the strong impression this
                  entire discussion was on putting out a statement
                  similar to the IAB.  Apologies if I misunderstood. I
                  was voicing support on that specific action.</div>
                <div><br>
                </div>
                <div>I didn't see anywhere in the thread (though I may
                  have missed it) anyone advocating political
                  campaigning or to change the OWASP charter such that
                  influencing legislation would be a substantial
                  activity. <br>
                  <br>
                  --
                  <div>Jerry Hoff</div>
                  <div><a moz-do-not-send="true" href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
                  <div>@jerryhoff</div>
                </div>
                <div><br>
                  On Jun 21, 2015, at 21:25, Jim Manico <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>


                  wrote:<br>
                  <br>
                </div>
                <blockquote type="cite">
                  <div>
                    Jerry,<br>
                    <br>
                    I'm a fan of OWASP taking technical stands such as
                    the IAB Statement on Internet Confidentiality <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/">https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/</a>
                    and similar. <br>
                    <br>
                    What our 501(c)(3) foundation needs to steer
                    clear of from my understanding is...<br>
                    <br>
                    1) ... not to engage in political campaigning<br>
                    2) ... not to attempt to influence legislation as a
                    substantial part of our activities<br>
                    <br>
                    I am no fan of NACL's but this is a very important
                    topic.<br>
                    <br>
                    The exact quote from the IRS is (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501%28c%29%283%29-Organizations%29">http://www.irs.gov/Charities-&-Non-Profits/Charitable-Organizations/Exemption-Requirements-Section-501(c)(3)-Organizations)</a><br>
                    <br>
                    <span style="color: rgb(0, 0, 0); font-family:
                      sans-serif; font-size: 13px; font-style: normal;
                      font-variant: normal; font-weight: normal;
                      letter-spacing: normal; line-height:
                      16.0029983520508px; orphans: auto; text-align:
                      start; text-indent: 0px; text-transform: none;
                      white-space: normal; widows: 1; word-spacing: 0px;
                      -webkit-text-stroke-width: 0px; display: inline
                      !important; float: none; background-color:
                      rgb(255, 255, 255);">"...it may not attempt to
                      influence legislation as a substantial part of its
                      activities and it may not participate in any
                      campaign activity for or against political
                      candidates..."</span><br>
                    <br>
                    So as long as our "official foundation statement" on
                    this matter steers clear of these issues, I will
                    support it.<br>
                    <br>
                    We will be discussing this at the June 24th meeting,
                    I hope you can make it.<br>
                    <br>
                    <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/June_24,_2015">https://www.owasp.org/index.php/June_24,_2015</a><br>
                    <br>
                    Aloha,<br>
                    Jim<br>
                    <br>
                    <div class="moz-cite-prefix">On 6/21/15 3:16 PM,
                      Jerry Hoff wrote:<br>
                    </div>
                    <blockquote cite="mid:A2E4A344-4519-4A6B-A86A-B240A09E68DD@owasp.org" type="cite">
                      <div>I believe this debate is based off wrong
                        assumptions - for example the EFF is 501(c)(3)
                        and that does not prevent them from taking a
                        position on relevant issues as an organization.<br>
                        <br>
                        --
                        <div>Jerry Hoff</div>
                        <div><a moz-do-not-send="true" href="mailto:jerry@owasp.com">jerry@owasp.com</a></div>
                        <div>@jerryhoff</div>
                      </div>
                      <div><br>
                        On Jun 21, 2015, at 21:05, Jim Manico <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>



                        wrote:<br>
                        <br>
                      </div>
                      <blockquote type="cite">
                        <div>
                          With respect, I disagree with your take on
                          this Jeff. Official OWASP public statements
                          should be done with care.<br>
                          <br>
                          Also, this issue is not resolved yet and I am
                          simply stating *my opinion* on the matter
                          backed by research and references to IRS
                          guidelines discussing this matter. And again
                          I've stated that this is a nebulous area even
                          by IRS regulation.<br>
                          <br>
                          <u><b>We are discussing this at the June 24
                              board meeting</b></u><u><b> - a meeting in
                              which I hope that you and the community
                              attend.</b></u> <br>
                          <br>
                          Making a big statement like this as an
                          official message of the OWASP foundation -
                          especially since it's political in nature - does
                          in my opinion require board discussion. I know
                          you want us to "jump on this" immediately -
                          and we are Jeff - in just a few days.<br>
                          <br>
                          In fact, if the language is crafted in a way
                          that keeps clear of specific legislation, I
                          will likely vote to push this out. I agree
                          with it 100%, I am only concerned if it's the
                          right thing for OWASP to be making such a
                          public statement. <br>
                          <br>
                          It is critical for all of us in OWASP
                          leadership to be aware of the limits of what a
                          501(c)(3) should be doing, and when I hear
                          that the members of the foundation want OWASP to
                          make a public and politically charged
                          statement of intent, I think it's crucial for
                          the board to be a part of it since the board
                          holds legal responsibility for the operations
                          of the foundation.<br>
                          <br>
                          See you June 24th?<br>
                          <br>
                          <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/June_24,_2015">https://www.owasp.org/index.php/June_24,_2015</a><br>
                          <br>
                          Aloha,<br>
                          Jim<br>
                          <br>
                          <br>
                          <br>
                          <br>
                          <br>
                          <div class="moz-cite-prefix">On 6/21/15 2:47
                            PM, Jeff Williams wrote:<br>
                          </div>
                          <blockquote cite="mid:815ED4954DD4EA87.AC9F30B4-B882-4DBD-8F06-A2CC09F2B771@mail.outlook.com" type="cite">
                            <div>This is a false dichotomy -- OWASP can
                              and should do both. The Board should work
                              to assist and support *any* idea
                              consistent with our mission...even
                              if...especially if... you don't think it
                              will work.</div>
                            <div><br>
                            </div>
                            <div>You can't let *your* judgement
                              influence the decision to support a
                              project. If you do, then all we will ever
                              get is Board ideas.  And, respectfully, I
                              don't trust you or any other individual to
                              think up the next great AppSec idea.</div>
                            <div><br>
                            </div>
                            <div>The Board shouldn't interfere at all
                              unless somebody is doing something harmful
                              to the organization or the mission. And
                              even then should try to figure out a
                              productive path for that energy.</div>
                            <div><br>
                            </div>
                            <div>Again respectfully, you should get out
                              of the way.<br>
                              <br>
                              <div class="acompli_signature">--Jeff<br>
                              </div>
                            </div>
                            <br>
                            <br>
                            <br>
                            <div class="gmail_quote">On Sun, Jun 21,
                              2015 at 5:27 PM -0700, "Jim Manico" <span dir="ltr"><<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>></span>
                              wrote:<br>
                              <br>
                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">
                                <div dir="ltr">
                                  <div>Jeff,</div>
                                  <div><br>
                                  </div>
                                  <div>My take on this is that "talk is
                                    cheap" and that "actions are more
                                    powerful than words". I'd rather keep out
                                    of legislation and focus on making
                                    important projects like ESAPI, ASVS,
                                    Security Shepherd and others more
                                    powerful.</div>
                                  <div><br>
                                  </div>
                                  <div>I am sorry you are disappointed
                                    in current board action, but there
                                    is good reason behind the
                                    perspective I am stating. Also, this
                                    is my opinion alone, not the entire
                                    board's.</div>
                                  <div><br>
                                  </div>
                                  <div>Again, take a look at Whisper
                                    Systems. They are providing
                                    incredibly well created and well
                                    assessed open source projects for
                                    secure communications. These open
                                    source projects are now being
                                    integrated into various Operating
                                    Systems and other projects.</div>
                                  <div><br>
                                  </div>
                                  <div>If ESAPI was not abandoned, it
                                    could have been serving our mission
                                    - planet level. I want to see it and
                                    other key projects revived and well
                                    funded.</div>
                                  <div><br>
                                  </div>
                                  <div>The power of a well built
                                    security project is worth more than
                                    a thousand words. Talk is cheap.
                                    Actions that change the world take
                                    sweat, blood and staying the course
                                    even when it's no longer financially
                                    beneficial to do so.</div>
                                  <div><br>
                                  </div>
                                  <div>Respectfully,<br>
                                    <div>--</div>
                                    <div>Jim Manico</div>
                                    <div>
                                      <div apple-content-edited="true" class="">
                                        <div class="" style="word-wrap:
                                          break-word; -webkit-nbsp-mode:
                                          space; -webkit-line-break:
                                          after-white-space;">
                                          <div class=""><span style="background-color:
                                              rgba(255, 255, 255, 0);">Global

                                              Board Member</span></div>
                                          <span style="background-color:
                                            rgba(255, 255, 255, 0);">OWASP

                                            Foundation</span>
                                          <div class=""><font color="#000000"><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></font></div>
                                        </div>
                                      </div>
                                      <div class=""><span style="background-color:
                                          rgba(255, 255, 255, 0);">Join
                                          me at <a moz-do-not-send="true" href="http://appsecusa.org/" target="_blank" class="">AppSecUSA</a> 2015


                                          in San Francisco!</span></div>
                                    </div>
                                  </div>
                                  <div><br>
                                    On Jun 21, 2015, at 2:12 PM, Jeff
                                    Williams <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jeff.williams@owasp.org">jeff.williams@owasp.org</a>>




                                    wrote:<br>
                                    <br>
                                  </div>
                                  <blockquote type="cite">
                                    <div>
                                      <div>For the record, the IAB is
                                        part of the IETF, which *is* a
                                        501c3.  Even though 501c3
                                        organizations *can* do some
                                        lobbying (as long as
                                        expenditures are not
                                        substantial), the IAB is careful
                                        not to talk about legislation or
                                        urge anyone to contact
                                        representatives about
                                        legislation.</div>
                                      <div>As the creator and longtime
                                        Chair of the OWASP Board, I'm
                                        frustrated that the current
                                        Board isn't falling over
                                        themselves to support efforts
                                        like this.  IMO the whole
                                        purpose of the Board is to
                                        create a great platform to
                                        support and amplify the efforts
                                        of anyone willing to contribute
                                        to our important cause. Doesn't
                                        matter the topic, but instead of
                                        saying no or criticizing ideas
                                        or projects, figure out a way to
                                        make it work or make them
                                        better.</div>
                                      <div>In this case, and a million
                                        other topics, it would be
                                        incredibly easy to stick to the
                                        technical realities and
                                        feasibility of any approaches
                                        being discussed in the news.  No
                                        need to mention legislation.</div>
                                      <div>
                                        <div class="acompli_signature">--Jeff<br>
                                          <br>
                                          Jeff Williams | CTO<br>
                                          Contrast Security<br>
                                          <a moz-do-not-send="true" href="tel:410.707.1487" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="0/1">410.707.1487</a>
                                          | @planetlevel @contrastsec<br>
                                          <br>
                                        </div>
                                        <br>
                                      </div>
                                      <div class="gmail_quote">_____________________________<br>
                                        From: Jim Manico <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>><br>
                                        Sent: Sunday, June 21, 2015 7:37
                                        PM<br>
                                        Subject: Re: [Owasp-leaders]
                                        [Owasp-community] [Owasp-board]
                                        IAB Statement on the Trade in
                                        Security Technologies<br>
                                        To: McGovern, James <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a>><br>
                                        Cc: <<a moz-do-not-send="true" href="mailto:owasp-community@lists.owasp.org" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="5">owasp-community@lists.owasp.org</a>>,
                                        OWASP Board List <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:owasp-board@lists.owasp.org">owasp-board@lists.owasp.org</a>>,
                                        owasp-leaders <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:owasp-leaders@lists.owasp.org">owasp-leaders@lists.owasp.org</a>><br>
                                        <br>
                                        <br>
                                        <div> I will - for sure - put
                                          this on the June 24th Board
                                          meeting agenda. My opinion
                                          (based on research over the
                                          years trying to understand my
                                          duty to the foundation) is to
                                          keep AWAY from any even slight
                                          attempt to influence
                                          legislation. </div>
                                        <div> <br>
                                        </div>
                                        <div> In general I see projects,
                                          documentation efforts and
                                           conferences doing much to
                                          unite us in our shared
                                          mission. But start discussing
                                          politics and it will go a long
                                          way to divide us as a
                                          community. </div>
                                        <div> <br>
                                        </div>
                                        <div> I suggest that we focus on
                                          •doing something• vs •saying
                                          something•.  </div>
                                        <div> <br>
                                        </div>
                                        <div> Imagine funding open
                                          source projects similar to
                                          Whisper Systems or enhancing
                                          our documentation projects to
                                          be much more up to date and
                                          relevant or building
                                          professional open source
                                          training material? This is how
                                          I think the foundation can
                                          best face these issues while
                                          at the same time serve our
                                          mission while at the same time
                                          keep away from influencing
                                          legislation. :) </div>
                                        <div> <br>
                                        </div>
                                        <div> And for what it's worth, I
                                          strongly dislike the fact that
                                          I'm bringing these things up.
                                          I'm not trying to ruin anyone's
                                          party here. But I do feel it's
                                          my duty as your elected board
                                          member to do so. </div>
                                        <div> <br>
                                        </div>
                                        <div> Aloha, </div>
                                        <div> -- <br>
                                          <div> Jim Manico </div>
                                          <div>
                                            <div class="">
                                              <div class="" style="word-wrap:
                                                break-word;
                                                -webkit-nbsp-mode:
                                                space;
                                                -webkit-line-break:
                                                after-white-space;">
                                                <div class=""> <span style="background-color:
                                                    rgba(255, 255, 255,
                                                    0);">Global Board
                                                    Member</span> </div>
                                                <span style="background-color:
                                                  rgba(255, 255, 255,
                                                  0);">OWASP Foundation</span>
                                                <div class=""> <font color="#000000"><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></font>
                                                </div>
                                              </div>
                                            </div>
                                            <div class=""> <span style="background-color:
                                                rgba(255, 255, 255, 0);">Join

                                                me at <a moz-do-not-send="true" href="http://appsecusa.org/" class="">AppSecUSA</a> 2015 in San
                                                Francisco!</span> </div>
                                          </div>
                                        </div>
                                        <div> <br>
                                          On Jun 21, 2015, at 1:23 PM,
                                          McGovern, James < <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:james.mcgovern@hp.com">james.mcgovern@hp.com</a>> wrote:
                                          <br>
                                          <br>
                                        </div>
                                        <blockquote>
                                          <div> <span>Jim, while you
                                              are going to the board for
                                              legal clarification,
                                              please inquire:</span> <br>
                                            <span></span> <br>
                                            <span>1. 501c3 is a US
                                              thing. Can we influence
                                              non-US government and
                                              still comply?</span> <br>
                                            <span>2. Understanding the
                                              US political issues
                                              sometimes will put us on a
                                              partisan path. For
                                              example, in CT I have
                                              commented in the past in a
                                              political context on why
                                              smart guns are just plain
                                              stupid. This particular
                                              issue leans more
                                              conservative/libertarian
                                              than it does Liberal.
                                              Therefore, we must attempt
                                              to understand the flow of
                                              politics on any given
                                              Sunday.</span> <br>
                                            <span>3. Maybe we could
                                              somehow solve this by
                                              having a policy that
                                              encourages legislators of
                                              all parties to reach out
                                              to their local chapter
                                              leader for an informed
                                              opinion.</span> <br>
                                            <span></span> <br>
                                            <span>-----Original
                                              Message-----</span> <br>
                                            <span>From: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:owasp-community-bounces@lists.owasp.org">owasp-community-bounces@lists.owasp.org</a>
                                              [<a moz-do-not-send="true" href="mailto:owasp-community-bounces@lists.owasp.org">mailto:owasp-community-bounces@lists.owasp.org</a>]
                                              On Behalf Of Jim Manico</span>
                                            <br>
                                            <span>Sent: Saturday, June
                                              20, 2015 4:37 PM</span> <br>
                                            <span>To: Kevin W. Wall</span>
                                            <br>
                                            <span>Cc: OWASP Board List;
                                              <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:owasp-community@lists.owasp.org">owasp-community@lists.owasp.org</a>;
                                              owasp-leaders</span> <br>
                                            <span>Subject: Re:
                                              [Owasp-community]
                                              [Owasp-board] IAB
                                              Statement on the Trade in
                                              Security Technologies</span>
                                            <br>
                                            <span></span> <br>
                                            <span>I agree with you
                                              Kevin. Even the IRS is
                                              cagey about this topic. </span>
                                            <br>
                                            <span></span> <br>
                                            <span>However, this is an
                                              organization risk that I
                                              feel we should be aware of
                                              before charging too far
                                              into policy. It would
                                              behoove us to get legal
                                              review before going too
                                              far. I'll bring this up at
                                              the next board meeting.</span>
                                            <br>
                                            <span></span> <br>
                                            <span>Aloha,</span> <br>
                                            <span>--</span> <br>
                                            <span>Jim Manico</span> <br>
                                            <span>@Manicode</span> <br>
                                            <span><a moz-do-not-send="true" href="tel:%28808%29%20652-3805" x-apple-data-detectors="true" x-apple-data-detectors-type="telephone" x-apple-data-detectors-result="18/1">(808)

                                                652-3805</a></span> <br>
                                            <span></span> <br>
                                            <blockquote> <span>On Jun
                                                20, 2015, at 9:47 AM,
                                                Kevin W. Wall <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:kevin.w.wall@gmail.com">kevin.w.wall@gmail.com</a>>

                                                wrote:</span> <br>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>Jim,</span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote>
                                              <blockquote> <span>On
                                                  Sat, Jun 20, 2015 at
                                                  2:55 PM, Jim Manico
                                                  <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>

                                                  wrote:</span> <br>
                                              </blockquote>
                                            </blockquote>
                                            <blockquote>
                                              <blockquote> <span>That
                                                  is fair Michael.</span>
                                                <br>
                                              </blockquote>
                                            </blockquote>
                                            <blockquote>
                                              <blockquote> <span></span>
                                                <br>
                                              </blockquote>
                                            </blockquote>
                                            <blockquote>
                                              <blockquote> <span>But I
                                                  do want to warn the
                                                  community that this is
                                                  a slippery slope, we </span>
                                                <br>
                                              </blockquote>
                                            </blockquote>
                                            <blockquote>
                                              <blockquote> <span>are
                                                  being watched, and
                                                  trying to influence
                                                  legislation is one of
                                                  the </span> <br>
                                              </blockquote>
                                            </blockquote>
                                            <blockquote>
                                              <blockquote> <span>few
                                                  ways OWASP can lose
                                                  its charitable
                                                  status. And if that
                                                  happens, </span> <br>
                                              </blockquote>
                                            </blockquote>
                                            <blockquote>
                                              <blockquote> <span>the
                                                  debate about what to
                                                  do with our funds will
                                                  quickly change for the
                                                  worse.</span> <br>
                                              </blockquote>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>I don't
                                                think that it is
                                                impossible for
                                                charitable organizations
                                                to </span> <br>
                                            </blockquote>
                                            <blockquote> <span>comment
                                                on public possible
                                                without losing their
                                                501(c)(3) status, but </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>it just
                                                has to be done in the
                                                right way. (However,
                                                IANAL, so I don't </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>even
                                                begin to know the
                                                details of what that
                                                "right way" would
                                                entail.)</span> <br>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>As a
                                                case in point, the ACM
                                                has a 501(c)(3)
                                                not-for-profit status,
                                                and </span> <br>
                                            </blockquote>
                                            <blockquote> <span>yet
                                                their public policy
                                                arm--the USACM--has
                                                certainly tried to </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>influence

                                                public policy. (Recall
                                                the crypto debate from
                                                the late </span> <br>
                                            </blockquote>
                                            <blockquote> <span>1990s?
                                                The USACM and IEEE wrote
                                                a letter to Sen. John
                                                McCain to try to </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>influence

                                                the US legislation not
                                                to pass laws to mandate
                                                weak </span> <br>
                                            </blockquote>
                                            <blockquote> <span>encryption.

                                                E.g., see</span> <br>
                                            </blockquote>
                                            <blockquote> <span><<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security">http://usacm.acm.org/privsec/details.cfm?type=Letters&id=18&cat=8&Privacy%20and%20Security</a>>.)</span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>So I'm
                                                guessing that the devil
                                                is in the details of how
                                                it is done.  </span> <br>
                                            </blockquote>
                                            <blockquote> <span>In fact,
                                                according to Spaf's blog
                                                at </span> <br>
                                            </blockquote>
                                            <blockquote> <span><<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/">https://www.cerias.purdue.edu/site/blog/post/deja_vu_all_over_again_the_attack_on_encryption/</a>></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>the USACM is going
                                                through this same this </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>this
                                                again. Like I said, I am
                                                not a lawyer and maybe
                                                this attempt to </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>influence

                                                public policy doesn't
                                                strictly qualify as
                                                "lobbying" in the </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>eyes of
                                                the IRS. But it
                                                certainly doesn't seem
                                                impossible.</span> <br>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>Also, we
                                                can--and should--all
                                                speak out strongly
                                                against things that </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>we
                                                believe are against the
                                                OWASP mission, but we
                                                don't have to do it </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>in a
                                                manner as representing
                                                OWASP. Do that on your
                                                personal blogs or </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>social
                                                media instead of OWASP
                                                mailing lists and there
                                                shouldn't be an </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>issue,
                                                especially if you add a
                                                short disclaimer as to
                                                how your opinion </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>does not
                                                necessarily affect the
                                                opinion of OWASP overall
                                                (in the cases when there
                                                might be some doubt).</span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>So
                                                perhaps if we decide
                                                that we officially want
                                                to speak out on </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>certain
                                                public policy as an
                                                organization in order to
                                                influence public </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>policy
                                                in accordance with our
                                                mission statements, then
                                                someone who </span> <br>
                                            </blockquote>
                                            <blockquote> <span>understands

                                                the nuances of the
                                                501(c)(3) IRS
                                                regulations could help </span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>OWASP
                                                navigate these waters.</span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>-kevin</span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>--</span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>Blog: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://off-the-wall-security.blogspot.com/">http://off-the-wall-security.blogspot.com/</a></span>
                                              <br>
                                            </blockquote>
                                            <blockquote> <span>NSA: All
                                                your crypto bit are
                                                belong to us.</span> <br>
                                            </blockquote>
                                            <span>_______________________________________________</span>
                                            <br>
                                            <span>Owasp-community
                                              mailing list</span> <br>
                                            <span><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Owasp-community@lists.owasp.org">Owasp-community@lists.owasp.org</a></span>
                                            <br>
                                            <span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-community">https://lists.owasp.org/mailman/listinfo/owasp-community</a></span>
                                            <br>
                                          </div>
                                        </blockquote>
                                        <br>
                                        <br>
                                      </div>
                                    </div>
                                  </blockquote>
                                </div>
                              </blockquote>
                            </div>
                          </blockquote>
                          <br>
                        </div>
                      </blockquote>
                      <blockquote type="cite">
                        <div><span>_______________________________________________</span><br>
                          <span>OWASP-Leaders mailing list</span><br>
                          <span><a moz-do-not-send="true" href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a></span><br>
                          <span><a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-leaders">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></span><br>
                        </div>
                      </blockquote>
                    </blockquote>
                    <br>
                  </div>
                </blockquote>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
      </blockquote>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Owasp-board mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a>
<a class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-board">https://lists.owasp.org/mailman/listinfo/owasp-board</a>
</pre>
    </blockquote>
    <br>
  

</div></blockquote></body></html>