Re: Who is who in PAB? (and who votes on behalf of who?)

Kent Crispin (kent@songbird.com)
Thu, 18 Dec 1997 08:26:26 -0800


[This is a little long. But the issues are complicated...]

On Mon, Dec 15, 1997 at 11:34:36AM +0200, Amadeu Abril i Abril wrote:
> (Summary: I represent different companies in PAB. More concretely I am the PAB
> rep of two companies that are completely separate. May I vote for both?)

As I understand the current rules, where PAB membership is defined to
be an entity that has signed the MoU, and not the particular
individual behind the associated email address, you should be able to
vote as the PAB representative in each case. From a technical point
of view (if not a policy point of view) the vote must come from
distinct email addresses.

Whether this should persist in the long run raises interesting
questions. First comes a discussion; you can skip to my opinions at
the bottom.

I see three related issues that are raised by your question:

The first is: what defines a voting PAB member? The second is: what
constitutes conflict of interest? The third is: how much of these and
related policies should be codified in formal rules?

Definition of a Voting PAB Member

According to the MoU, a PAB member is a signatory of the MoU who
elects to be a PAB member, so the question backs up to who can be a
signatory of the MoU. However, the structure of PAB is left very
undefined, so it is quite possible for PAB to put further controls in
place.

In practice it seems there are no significant restrictions on who can
sign the MoU, and the signatories range from sole proprietorships
(like Songbird) to giant international corporations or associations
-- as things are currently configured, the flea Songbird has one vote,
and the elephant DEC has one vote.

However, the wording of the MoU leans towards organizations, and the
politics of the matter makes large organizations look more impressive
than small organizations. Furthermore, if the number of signatories
gets very large -- say 10000 or so -- management of the signatories
would probably be a problem, just in manpower demands at the ITU, if
nothing else.

An interesting further question is what checking is done to verify
that the signatories of the MoU are who they claim to be. What
checking is done, for example, to verify that the same organization
isn't signing up multiple times, or that a signatory is who they say
they are? [Could I sign as Microsoft?] [Recall that different chapters
of the ISOC signed -- these entities were obviously treated as
distinct, though they are all under the same blanket.]

The MoU is sparse on this topic -- it says (section 5a) "Signatories
to this MoU may choose to voluntarily participate..." and (section 5c)
"The PAB shall apply rough consensus modes for determining its
recommendations to the POC."

Section 5c is actually quite helpful, however -- the term "rough
consensus" has a very well developed meaning in the context of the
IETF, and IMO the IETF is the clear source and model for that clause
(POC members correct me if I am wrong.) The model becomes a
bit complex when you consider the management structure of the IETF --
the IESG and the IAB are intertwined with the ISOC -- but if you
investigate a bit, a very important principle underlies it all. It
is expressed very succinctly and clearly in rfc1601 "Charter of the
Internet Architecture Board (IAB)":

    Members of the IAB shall serve as individuals, and not as
    representatives of any company, agency, or other organization.

When you look at the IETF as a whole this principle is pervasive --
everybody is treated as an individual, not as a representative of a
company or group. [Of course, some of those individuals will in fact
be reflecting the point of view of some organization or another, and
things are complex in reality. But in the eyes of the IETF milieu,
everyone is an individual. This approach is not above question --
Cisco sent over 60 engineers to the last IETF -- but in practice it
seems to work pretty well...]

So I would propose the following for consideration:

a. any person or entity may sign the MoU.
b. any signatory of the MoU is permitted to designate a single
*individual* as their PAB representative.
c. PAB ignores all affiliations, and therefore, for voting
purposes, each representative gets precisely one vote.

Under this rule, Amadeu would get only one vote, since he is treated
as an individual.

There are positives and negatives to this model, and, to tell you the
truth, my own feelings on it are mixed. I'm not sure that the IETF
model will really work in this environment. And in fact, I'm not sure
that the IETF model will continue to work in the IETF environment --
the Internet has changed a lot in the last few years...

What constitutes a conflict of interest?

Following the above model, many conflict of interest issues become
less visible, if not totally moot -- everybody is presumed to be
following their *individual* interest, and thus there can be no
conflict. At one level this is a tautology; at another level it is
hopelessly naive.

It seems to me that, concretely, we are trying to avoid a couple of
bad things: First, we don't want PAB to be taken over by any narrow
constituency -- this might be more accurately termed voter fraud.
Second, since one of the primary purposes of PAB is oversight of the
CORE registrars (a largely commercial group), it is especially
important that PAB remain aloof from any improper entanglement with
CORE.

I think the IETF experience indicates that a concern about voter
fraud is probably unwarranted (old time IETFers can correct me...) --
in practice there are too many different constituencies, and
individuals are too unpredictable, for voter fraud to be much of a
problem.

However, the issue of conflict of interest vis a vis CORE oversight is
a totally different matter, and, IMO, the IETF does not provide a good
model. PAB is essentially part of a regulatory framework. Its
primary responsibility, therefore, is to the "public", not to CORE.
For example, PAB may be called upon to make decisions that could
result in some CORE registrars going out of business. A registrar
with lots of money (say that NSI signed the MoU, for example) could
sway PAB (or POC) in lots of subtle ways, not only with respect to
issues with the public, but with respect to issues dealing with other
registrars.

In situations like this, the rule is not only that you must avoid
conflict of interest, you must avoid even the *appearance* of
conflict of interest.

How formal should we be?

The really tough part of dealing with conflict of interest problems is
that many PAB members are in fact associated with registrars. People
we know and like personally. People whose personal integrity we hold
in high regard. Talented, competent people, who can contribute a
great deal to PAB. If we institute formal policies that single out
people associated (in some to be defined way) with a registrar, and
bar them from voting (for example), we may lose the contributions of
some excellent people. OTOH, if someone is simultaneously head of
CORE and chair of PAB, the outside world will surely question the
integrity of the whole process.

If we didn't live in a fishbowl, this might not matter. But we do,
and people are throwing rocks all the time.

Therefore, I do believe we need a set of formal policies concerning
conflict of interest. Possibilities include:

1) "No individual may be an officer of PAB and an officer of CORE
simultaneously"

2) "No member of CORE or employee thereof may be a voting member of PAB"

3) "No member of CORE or employee thereof may be an officer of PAB"

4) "PAB recognizes the possibility of conflict of issues with
CORE. Such conflicts are to be avoided; any member who is in a
conflict of interest situation should recuse themselves from
participating in any election where such a conflict might arise.
PAB may enact further policies if warranted."

We can probably think of other examples.

One of the problems that has been mentioned several times is the "gray
area" issue -- what, precisely, determines who is an "employee" of a
registrar? Is a contractor hired by a registrar an employee? Does an
employee of a contractor hired by a registrar count? How about an
employee of a parent company of the registrar?

I think this concern is a bit of a red herring, frankly. Of course
there are gray areas. But there are also areas where it is fairly
black or white. IMO you write the policy to cover the black and
white areas, and to set the "spirit" for the gray areas, and then you
define a procedure for adjudicating the gray areas. Also, policies
can be modified if they are found not to work.

Summary

I think that for voting purposes PAB members should be considered as
individuals, not roles, using the IETF model as described above. I
believe also that we should have a formal policy on conflict of
interest with CORE.

-- 
Kent Crispin				"No reason to get excited",
kent@songbird.com			the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html