Re: Proposal to have NDAs for sysadmins

[Olav Vitters <olav vitters nl>]

On Tue, Nov 04, 2014 at 11:05:44PM +0000, Ekaterina Gerasimova wrote:
> community members do. To this end, it would be very helpful if the
> members of the sysadmin team would be willing to sign an NDA
> (non-disclosure agreement) with the Foundation which would cover the
> handling of user data.

I don't like signing. NDA, copyright assignments, contributor license
agreements, they're all the same to me. I'm ok to make a statement.

Signing is way too one-sided. For one, it should be a given that I can
be trusted. I'm not an active sysadmin by any measure. During the time
that I was I was putting in a lot of hours for GNOME. Instead of being
appreciated, I need to put myself through understanding an NDA and
investigating possible legal risk.

What do I get out of it except hassle, uncertainty and legal risk?

What could be a result?

> "I agree and confirm that I will not publish, sell, transfer or
> otherwise share any information gained in the scope of my sysadmin
> work for the GNOME Foundation with anyone outside the sysadmin team
> and the Foundation board without prior written approval from the
> board. Amongst other things, this includes user passwords for GNOME

"Any information gained in the scope of my sysadmin work". That's very
broad. It then says "Amongst other things", but it can really be
anything. Too vague.

> services and IP addresses of visitors to GNOME websites. I will take

In case of weird stuff happening, I have posted IP addresses and ranges
in #sysadmin. Non-sysadmins are in that channel. This NDA is too black
and white. Sharing a few IP addresses during investigation is totally
different from sharing the entire access log.

In case of weird behaviour I have sent logs to the network admins of
those ranges. Apparently that's going to require red tape in future. I'd
prefer a slightly more vague text with a clearer intention. Say
something that I should do my utmost not to disclose any confidential or
private information. If deemed needed for sysadmin work, then ok. In
doubt, ask board.
PS: Maybe an additional thing that as sysadmin, I won't just read
confidential stuff even if able to (the "just because I could does not
make it ok"). This is a bit difficult though, because that is more to do
with clear confidential info, not access logs (NDA lumps everything
together).

Another example is for instance the access that has been granted to
someone logging into webapps or e.g. bugzilla. They'll have access to
the apache logs as well. Did a sysadmin now disclose things to a
non-sysadmin? Is that person limited by an NDA?

Examples like above make me not want to sign anything.

In the time I was only a bugmaster (not a sysadmin), I regularly
downloaded the entire Bugzilla database. Including passwords, IP
addresses and all.

> all reasonable steps to protect the secrecy of and avoid disclosure or
> use any of this confidential information. I will notify the board in

This is too vague vague. IP addresses aren't confidential, they can
affect someones privacy. I understand the reasoning behind the text, but
it is written in a way where I could pretend that I can disclose
confidential information. The text refers to "this confidential
information" with IP addresses. Instead it should start with
confidential and privacy related information and say that these things
should not be disclosed if learned during sysadmin work.

e.g. the wiki has a lot private stuff on there, the focus of the text
seems a bit off IMO.

To be clear: I'm very careful with confidential information and anything
privacy related. In almost same extreme as confidential information I
take legal texts; for confidential info I try to avoid to even know
(e.g. the wiki stuff I know through seeing the titles appear in
RecentChanges. I don't want to read it and have not read it) and will
take a lot before I'd ever disclose the stuff that I do know.

> writing of any misuse or misappropriation of or request for
> confidential information may come to my attention. Notwithstanding the
> above, confidential information shall not include information which:
> (i) was rightfully known by me prior to my receiving the information
> in the course of my sysadmin duties; (ii) is publicly available
> through no fault of mine or failure of me to act; or (iii) is required
> to be disclosed by law. Additionally, all private information which
> was submitted by a user may be shared freely by the sysadmin team with
> that user once suitable steps have been taken to verify the identity
> of the user."


-- 
Regards,
Olav