Re: Proposal to have NDAs for sysadmins
2014-11-10 13:48 GMT+01:00 Olav Vitters <olav vitters nl>:
On Mon, Nov 10, 2014 at 01:11:44PM +0100, Andrea Veri wrote:
2014-11-10 2:07 GMT+01:00 Olav Vitters <olav vitters nl>:

In case of weird stuff happening, I have posted IP addresses and ranges
in #sysadmin. Non-sysadmins are in that channel. This NDA is too black
and white. Sharing a few IP addresses during investigation is totally
different from sharing the entire access log.

Honestly that's a very bad habit, you should not post any IP address
on a public channel with or without a NDA in place. The idea is to
communicate that information privately to the user having difficulties
accessing the service itself. What I generally do is:

I was talking about strange behaviour. Meaning: a DDoS or potential
spammer. Then *I POSSIBLY WILL* (and have) mention that IP address in
e.g. the sysadmin channel. That is completely normal behaviour. NDA means
I can be sued as a result.

An NDA creates a synallagma between the entity proposing it and the
individual signing it. The individual signing the NDA is supposed to
never disclose the private information the NDA is protecting. A breach
of the NDA should result in enforcing a set of consequences the NDA
should include (i.e. the sysadmin gets the access revoked) and as a
last instance the sysadmin should be sued for damages.

At first I thought the consequences of a breach might only relate to
the relationship between the entity that proposed the NDA and the
individual who signed it and an eventual access revocation in case of
a breach but seems I wasn't taking into account the fact you could
actually get sued. (I must admit that would be a very rare case as a
possible private information disclosure is definitely not going to
cause any profit damage to justify someone to sue you)

Honestly speaking, talking about "being sued" brings in more problems,
especially on the court competence field. Let's say an Italian
sysadmin breaches the NDA (introduced by a US entity) against a UK
user, which court should the user appeal to?

In the time I was only a bugmaster (not a sysadmin), I regularly
downloaded the entire Bugzilla database. Including passwords, IP
addresses and all.

Yes, and that's legit as long as you don't disclose the private
contents of the database itself which is the point of the NDA.

Not my point. As a bugmaster, it seems you don't need to sign the NDA.
Thus totally ok to share the information. Thus bad if as a sysadmin I'd
grant bugzilla shell to anyone. Sharing any IP address with a bugmaster:
could be sued. I think I am a good judge when something should be kept
private and when not. I have shared IP addresses to just bugmasters.
That's a breach of this NDA!

Well, the problem really isn't lying there, as the text could just be
extended to include "all the people with shell access to the GNOME
Infrastructure and to the log files (so members of the bugzilla,
gnomeweb groups)". This would add extra complexity though and would
not solve the legal problems I outlined above.

Instead it should start with confidential and privacy related information and say that these things
should not be disclosed if learned during sysadmin work.

This is exactly what the text I quoted above says. Any information you
could gather during your sysadmin work should never be disclosed to
third parties, *including* IP addresses and user passwords.

The text is legal text. The way I read it, it doesn't state above. There
is a big uncertainty

The way I start seeing it after reading all the replies and comments
today is our duties being really too various to write them down in a
single paragraph. Covering all the single occurrences we might cope
with is definitely hard and can create confusion between contributors
doing this for free and would discourage them from contributing at
all.

I'll probably move the discussion back to the Board as many items I
would like to find out more were raised in my head today,
specifically:

1. what consequences would be taken in case of a breach under US
law? also would US law be the one applicable? (if yes, suing
someone from the EU would hardly result in any real consequence for an
individual given the special matter we are discussing and the totally
different applicable law between the US and the various EU countries,
i.e. common law vs civil law)
2. and most importantly: would it be possible to turn the NDA into a
Code of Conduct the sysadmins should adhere to when joining? that way no
legal consequences would ever take place

Thanks for the brainstorming session!

-- 
Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Infrastructure Team Coordinator,
GNOME Foundation Board of Directors member,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av