Andrew Suffield wrote:
The project does not exist as a legal entity.
It's more complicated than you think.Is Debian a legal entity? The answer is unquestionably yes. The only question is what kind of legal entity it is. The most likely two are:
1. An unincorporated association that has a contractual relationship with a public-benefit corporation.
2. A division of a public-benefit corporation.Which kind of entity we are may be an important part of any future legal defense, and may well be decided by the court.
An unincorporated association is what your organization is until you go through a legal process to change it into something else. It is a legal entity. It can sue and be sued, and its members can be criminally prosecuted in connection with it. It passes most of its liability on to the people associated with it. We don't have any hope of proving that Debian is not an organization.
We would probably want to appear as a division of a corporation. The corporation is an artificial person under the law, and the corporation can sometimes take the fall when otherwise you would be the one prosecuted. It's not total protection, however. The corporate officers are probably the ones with the worst liability.
In the case that we are an unincorporated association, the officers and the people doing various kinds of work are the most obvious fall guys, but not the only ones. Members of the organization would probably be considered to be accomplices. After all, they are contributors to the aggregate product of which the objectionable material is a part. Governments often want to send a message to organizations that they can't fully reach concerning questionable material, and they may well choose to send that message through you.
Who would be in that position? The local mirror operators are in a pretty bad position, because they do distribution within their national boundaries. It strikes me that some of the material in question would be in violation of the Internet policies of most institutions or companies that host our mirrors, as well as the applicable national laws.
Historically, when an institution is faced with this sort of violation, they do not take the hit themselves but place the blame on the person who actually made the decision to host the mirror. They generally assert that the hosting of the content was unauthorized. Then, they cooperate in the prosecution. So, operating a Debian mirror can be hazardous.
Description: S/MIME Cryptographic Signature