Bug 688876 - Comrel webpage does not document expectations of privacy
Summary: Comrel webpage does not document expectations of privacy
Status: RESOLVED FIXED
Alias: None
Product: Community Relations
Classification: Unclassified
Component: Developer Relations
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Community Relations Team
Reported: 2019-06-28 10:41 UTC by Richard Freeman
Modified: 2021-02-28 20:12 UTC
Description Richard Freeman gentoo-dev 2019-06-28 10:41:20 UTC
The Comrel webpage does not document whether information submitted to comrel will be kept private, or whether bugs concerning issues submitted to comrel will be kept private.

I think that having an explicit policy would be HIGHLY beneficial:

* Anybody coming forward with a concern understands whether their info will be kept private.

* Anybody handling this information (either in Comrel, or in Council for an appeal) has a clear policy to refer to about how this info ought to be maintained.

* It plants a firm position for the distro so that it can be the subject of debate if necessary.

* Procedures for protecting this information can be designed with a clear policy objective in mind.

* It could be referred to in the event of a legal dispute, or in the event of a negative public relations issue.

Use of this bug is up to those making the decisions but I'd suggest using this bug just to track the issue and not as a place to hold discussion around what the policy ought to be.
Comment 1 Richard Freeman gentoo-dev 2019-06-28 10:42:56 UTC
Note, I submitted this using the Comrel product, but would recommend making this bug public.  I added the council alias only anticipating that it would be made public - failing that the individual members should be added (probably after the election).
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2020-10-11 19:17:46 UTC
The bug came up in council@'s monthly bug review.

comrel@, can you post an update? Any plan to clarify the current status?

Thanks!
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2021-01-10 20:12:23 UTC
Update from 2021-01-10 council@ meeting:

gyakovlev@ will follow up with comrel@.
Comment 4 Georgy Yakovlev archtester gentoo-dev 2021-02-08 20:18:46 UTC
I've reached comrel members about this, we've started drafting.
Comment 5 Georgy Yakovlev archtester gentoo-dev 2021-02-25 23:58:53 UTC
Updated https://wiki.gentoo.org/wiki/Project:ComRel page with the following: 
Privacy Considerations
 Private case information shall not be shared outside of comrel members
   unless explicit permission from all affected parties granted.
Comment 6 Richard Freeman gentoo-dev 2021-02-26 02:05:35 UTC
(In reply to Georgy Yakovlev from comment #5)
> Updated https://wiki.gentoo.org/wiki/Project:ComRel page with the following: 
> Privacy Considerations
>  Private case information shall not be shared outside of comrel members
>    unless explicit permission from all affected parties granted.

I won't re-open as this isn't up to me, but you might consider adding language about Council appeals.  I'm assuming you want to ensure that all evidence collected can be shared with the Council in the event of an appeal.  (Not requiring this could waste a lot of time as Council could end up overturning decisions simply from having a different set of evidence to consider.)
Comment 7 Richard Freeman gentoo-dev 2021-02-26 02:08:07 UTC
Ugh - I should have remembered this before I submitted, but you might also want to consider some kind of disclaimer about "except where required by law" or something like that.  While I'm sure it is unlikely, it is possible some court somewhere might order information to be turned over.  I'm not sure if such a disclaimer is really necessary - I'd hope that this would be implicit or at least not creating liability, but...
Comment 8 Georgy Yakovlev archtester gentoo-dev 2021-02-28 00:39:58 UTC
My take is “Let’s not overcomplicate it”. This paragraph is not a legally binding or legal document, it’s a wiki page that documents that in most cases participating parties can expect that data will be kept private and they will be contacted if a need to share arises.

If you strongly disagree with that please reopen the bug, provide simple amended text, we’ll gladly discuss and vote on it, and update the page if needed.
We agreed to keep it simple for now.

But please don’t translate it to legalese.

That’s my opinion, not the project’s, but we are on the same page lately ;-)
Comment 9 Richard Freeman gentoo-dev 2021-02-28 00:54:57 UTC
(In reply to Georgy Yakovlev from comment #8)
> My take is “Let’s not overcomplicate it”. This paragraph is not a legally
> binding or legal document, it’s a wiki page that documents that in most
> cases participating parties can expect that data will be kept private and
> they will be contacted if a need to share arises.

Well, up to council, but consider that community member abc says that dev xyz harassed them.  Comrel takes action against xyz.  Then xyz appeals to council.  You promised abc that you won't share anything with council (which isn't part of comrel) without their permission.  So, now you have to go back to abc, who could decline to give that permission.  Now council has zero evidence that xyz did anything wrong, so they're likely to reverse the decision, making the whole process a complete waste of time.

Of course, everybody could agree to share everything and then there is no issue.

Also, will council even find out that there was information excluded from their consideration?

The other scenario is what happens if a government (such as a court) asks for information?  Will it be disclosed?  Will that create a problem?  I honestly don't know the answer to that.

> 
> If you strongly disagree with that please reopen the bug, provide simple
> amended text, we’ll gladly discuss and vote on it, and update the page if
> needed.
> We agreed to keep it simple for now.

I'll defer to Council/Trustees on that one - it mainly impacts them.  It isn't like I need access to Comrel case info or will have to deal with any legal fallout.
Comment 10 Alec Warner (RETIRED) archtester gentoo-dev Security 2021-02-28 03:21:06 UTC
(In reply to Richard Freeman from comment #9)
> (In reply to Georgy Yakovlev from comment #8)
> > My take is “Let’s not overcomplicate it”. This paragraph is not a legally
> > binding or legal document, it’s a wiki page that documents that in most
> > cases participating parties can expect that data will be kept private and
> > they will be contacted if a need to share arises.
> 
> Well, up to council, but consider that community member abc says that dev
> xyz harassed them.  Comrel takes action against xyz.  Then xyz appeals to
> council.  You promised abc that you won't share anything with council (which
> isn't part of comrel) without their permission.  So, now you have to go back
> to abc, who could decline to give that permission.  Now council has zero
> evidence that xyz did anything wrong, so they're likely to reverse the
> decision, making the whole process a complete waste of time.

I mean I find your efforts admirable, if a bit of beating a dead horse. This isn't a trial. Ideally the effort to uncover any additional information would be public and would be done even if no additional information was available (so e.g. during every appeal you'd ask people if they consented to sharing the private information; even if there was no private information for this particular case.) That being said appeals are rare, so I hesitate to say we need to make them perfect.

> 
> Of course, everybody could agree to share everything and then there is no
> issue.
> 
> Also, will council even find out that there was information excluded from
> their consideration?
> 
> The other scenario is what happens if a government (such as a court) asks
> for information?  Will it be disclosed?  Will that create a problem?  I
> honestly don't know the answer to that.

Are you suggesting some wiki page will enable Gentoo Foundation Inc or some random internet volunteers to violate a legal court order? I find this...laughable.

> 
> > 
> > If you strongly disagree with that please reopen the bug, provide simple
> > amended text, we’ll gladly discuss and vote on it, and update the page if
> > needed.
> > We agreed to keep it simple for now.
> 
> I'll defer to Council/Trustees on that one - it mainly impacts them.  It
> isn't like I need access to Comrel case info or will have to deal with any
> legal fallout.
Comment 11 Richard Freeman gentoo-dev 2021-02-28 11:41:23 UTC
(In reply to Alec Warner from comment #10)
> (In reply to Richard Freeman from comment #9)
> Ideally the effort to uncover any additional information
> would be public and would be done even if no additional information was
> available 

User A says that developer B harassed them and wants to keep it quiet.  Fortunately we've promised to do just that so they come forward about it.  

Developer B appeals.  Council announces publicly that A was harassed by B and asks if anybody knows anything about it.

A might be upset about this.

If you want to make appeals public, perhaps you would want to let A know about it before they come forward?


> > The other scenario is what happens if a government (such as a court) asks
> > for information?  Will it be disclosed?  Will that create a problem?  I
> > honestly don't know the answer to that.
> 
> Are you suggesting some wiki page will enable Gentoo Foundation Inc or some
> random internet volunteers to violate a legal court order? I find
> this...laughable.

I didn't suggest that at all.  I really don't see how trying to protect the Foundation or our volunteers from lawsuits is funny.

Consider this scenario.  User in country A submits info to Comrel, understanding that it will not be shared with ANYBODY outside Comrel.  A court in country B asks us for that information, and the info gets shared with the court.  The court publishes the information.

The original user gets upset and sues us in a court in country A.  Consider that countries A and B could have completely different privacy laws, considerations for these sorts of issues, and the two countries may even dislike each other and have an interest in punishing organizations that comply with the laws in the other country.

I'm not an expert in such things, but just suggest that it might be something you want to consider.  After all, you're far more likely to end up getting named in such a lawsuit than I am...




> 
> > 
> > > 
> > > If you strongly disagree with that please reopen the bug, provide simple
> > > amended text, we’ll gladly discuss and vote on it, and update the page if
> > > needed.
> > > We agreed to keep it simple for now.
> > 
> > I'll defer to Council/Trustees on that one - it mainly impacts them.  It
> > isn't like I need access to Comrel case info or will have to deal with any
> > legal fallout.
Comment 12 Alec Warner (RETIRED) archtester gentoo-dev Security 2021-02-28 20:12:55 UTC
(In reply to Richard Freeman from comment #11)
> (In reply to Alec Warner from comment #10)
> > (In reply to Richard Freeman from comment #9)
> > Ideally the effort to uncover any additional information
> > would be public and would be done even if no additional information was
> > available 
> 
> User A says that developer B harassed them and wants to keep it quiet. 
> Fortunately we've promised to do just that so they come forward about it.  
> 
> Developer B appeals.  Council announces publicly that A was harassed by B
> and asks if anybody knows anything about it.

Sorry, I don't mean public in the general sense; I mean the council always asks comrel for any private information (even if there is none.)

The appeals are not public (and are not intended to be.)

> 
> A might be upset about this.
> 
> If you want to make appeals public, perhaps you would want to let A know
> about it before they come forward?
> 
> 
> > > The other scenario is what happens if a government (such as a court) asks
> > > for information?  Will it be disclosed?  Will that create a problem?  I
> > > honestly don't know the answer to that.
> > 
> > Are you suggesting some wiki page will enable Gentoo Foundation Inc or some
> > random internet volunteers to violate a legal court order? I find
> > this...laughable.
> 
> I didn't suggest that at all.  I really don't see how trying to protect the
> Foundation or our volunteers from lawsuits is funny.
> 
> Consider this scenario.  User in country A submits info to Comrel,
> understanding that it will not be shared with ANYBODY outside Comrel.  A
> court in country B asks us for that information, and the info gets shared
> with the court.  The court publishes the information.
> 
> The original user gets upset and sues us in a court in country A.  Consider
> that countries A and B could have completely different privacy laws,
> considerations for these sorts of issues, and the two countries may even
> dislike each other and have an interest in punishing organizations that
> comply with the laws in the other country.
> 
> I'm not an expert in such things, but just suggest that it might be
> something you want to consider.  After all, you're far more likely to end up
> getting named in such a lawsuit than I am...

Cool I've considered it ;)

-A

> 
> 
> 
> 
> > 
> > > 
> > > > 
> > > > If you strongly disagree with that please reopen the bug, provide simple
> > > > amended text, we’ll gladly discuss and vote on it, and update the page if
> > > > needed.
> > > > We agreed to keep it simple for now.
> > > 
> > > I'll defer to Council/Trustees on that one - it mainly impacts them.  It
> > > isn't like I need access to Comrel case info or will have to deal with any
> > > legal fallout.