Talk:Volunteer Response Team/Confidentiality agreement
This is incomprehensible jargon[edit]
I came here from Confidentiality agreement for nonpublic information.
I read this as best I can, but in my opinion, there is no way that anyone can understand this without legal training and studying. It is written with intent to make it incomprehensible jargon and inaccessible to the general public or normal Wikipedia volunteers. I understand that the Wikimedia Foundation must provide an agreement, and that people overseeing these things work with what they have, and that this agreement is where we are starting as we build community infrastructure.
I am agreeing to this, but to be reasonable and practical - there should be a translation of this agreement into layman terms to match the needs of the users who will sign this agreement. It is not reasonable to expect that the people who are asked to sign this agreement should be able to understand it as it is written. Please make plans to translate it at least to the level of the two related agreements, Confidentiality agreement for nonpublic information and Access to nonpublic information policy, which unlike this agreement are written for humans.
In the sense that it is normal in contemporary society for people to sign long incomprehensible agreements, I agree with this one and am signing the document. See en:End-user_license_agreement#Criticism for sample criticism in this space. Blue Rasberry (talk) 18:56, 29 September 2015 (UTC)
- I'm pretty much with Blue Rasberry on this. The checkuser/oversighter one was bad enough, but this one is more complex; in fact I believe it is unnecessarily complex. I do not believe it reflects longstanding existing practice (e.g., I think the entire "permissions" queue is on shaky grounds if this is to be enforced), and there has been no discussion that I can find to figure out how normal, routine actions linked to OTRS tickets will be affected by this. Unlike Blue Rasberry, I'm not sure I'm going to sign it. I will reflect further when I have several hours to review it. There is an irony that my primary use of OTRS is to respond to Oversight request tickets and tickets related to checkuser requests. I'd probably have to throw in my Oversight permissions if I don't sign this. Risker (talk) 12:50, 30 September 2015 (UTC)
- A layman version is certainly possible. It is not meant to be a substitute, but if it helps in understanding well why not. - Mailer Diablo (talk) 16:51, 1 October 2015 (UTC)
- Please take a page from the playbook of the WMF Legal team. Community discussion. Simple language. Illustrative examples. Most of us have already signed the actual confidentiality agreement, but the document overleaf, entitied "OTRS/Confidentiality agreement" is by your own admission a POLICY, which means it is not a confidentiality agreement. There is a big difference. There is absolutely no precedent anywhere in the Wikimedia world for users to have to sign off on policies in which they have had no opportunity to provide comment or feedback; in fact, they're never signed off. People are expected to abide by the policies and are removed from the applicable project(s) if they do not. There is no benefit to anyone to have OTRS agents sign the OTRS policy, and the document you have mistitled is not a confidentiality agreement. Let's sit down and sort out the policy and, only if it is absolutely necessary after the policy is done, have the additional OTRS confidentiality agreement. But this is not what is happening. I'm actually quite disappointed that there wasn't more OTRS community discussion about this before we wound up in this mess. Risker (talk) 17:00, 1 October 2015 (UTC)
- I am sorry but I can't say that I fully understand what is written and in general I am really reluctant with signing anything that I don't fully understand. Maybe my English skills are simply not good enough though I never had this problem before when reading legal documents, scientific papers or pretty much anything else before so I would really appreciate a version in plain English. Natuur12 (talk) 18:09, 2 October 2015 (UTC)
- Please take a page from the playbook of the WMF Legal team. Community discussion. Simple language. Illustrative examples. Most of us have already signed the actual confidentiality agreement, but the document overleaf, entitied "OTRS/Confidentiality agreement" is by your own admission a POLICY, which means it is not a confidentiality agreement. There is a big difference. There is absolutely no precedent anywhere in the Wikimedia world for users to have to sign off on policies in which they have had no opportunity to provide comment or feedback; in fact, they're never signed off. People are expected to abide by the policies and are removed from the applicable project(s) if they do not. There is no benefit to anyone to have OTRS agents sign the OTRS policy, and the document you have mistitled is not a confidentiality agreement. Let's sit down and sort out the policy and, only if it is absolutely necessary after the policy is done, have the additional OTRS confidentiality agreement. But this is not what is happening. I'm actually quite disappointed that there wasn't more OTRS community discussion about this before we wound up in this mess. Risker (talk) 17:00, 1 October 2015 (UTC)
- A layman version is certainly possible. It is not meant to be a substitute, but if it helps in understanding well why not. - Mailer Diablo (talk) 16:51, 1 October 2015 (UTC)
Violation?[edit]
I think I've understood most of the agreement. My understanding is that until 3f happens, 3g specifically states that, for example, C:Special:Diff/170610237/173866000 was a violation, since there is zero common-sense wiggle room. I do not immediately see how to report myself... is it to check-disclosure@wikimedia.org? Is my understanding correct? Storkk (talk) 14:55, 30 September 2015 (UTC)
- Or is this covered by 3d3, which is not in turn covered by 3g? Storkk (talk) 14:59, 30 September 2015 (UTC)
- Sorry if I seem a little dense - I'm recovering from a head cold at the moment, and the cobwebs haven't entirely lifted. Storkk (talk) 15:09, 30 September 2015 (UTC)
- My read is that Storkk is correct, it is a violation (one that is made thousands of times a year) because there really are no exceptions that cover this. I notice how neither the lawyers nor the OTRS admins are commenting here. I suppose they figure if they get most of us to sign, it doesn't really matter. Risker (talk) 12:15, 1 October 2015 (UTC)
- I will only comment on the latter of your reply, Risker. I want to reiterate two points:
- We (OTRS admins) drafted the OTRS agreement, not the WMF nor its lawyers
- I (apparently) am the only active OTRS administrator at the moment so i resent the insinuation that we're simply stalling as you implied.
- I have brought up the comments on this page to the OTRS admins list and it would seem not many other admins are around. Unfortunately, I personally cannot control that however I am no happier about it than you are. Rjd0060 (talk) 12:23, 1 October 2015 (UTC)
- Fair enough, Rjd0060; if you are the only active OTRS admin, then it was unreasonable of me to expect that there would be more active participation by that group here. So when you say your team drafted the OTRS agreement, are we referring to the page overleaf, i.e. OTRS/Confidentiality agreement? I do not understand why the standard confidentiality agreement was not sufficient, and I think all of us deserve an explanation. Parts of the content of emails to OTRS, including identities, are routinely published on public projects, either directly (e.g., permissions) or indirectly (through edits made that include a link to an OTRS ticket). I do not see a way that such routine, and in some cases legally important, actions can continue after signing this agreement. Risker (talk) 12:30, 1 October 2015 (UTC)
- Hi Risker - I completely understand the issue with regards to permissions as I explained to Storkk below. As I stated, I was under the impression that such issues/exception(s) were covered elsewhere in the document. I will really need to yield to other admins to help me clarify what we did there. I've poked them all again via email few moments ago - as today I will be away for most of the day.
- We (the OTRS admins) were working on a confidentiality agreement (yes, OTRS/Confidentiality agreement is what we created, not the WMF) before the Foundation began to implement theirs. It just so happened that we ended up started discussions together at the right time and rolled it out together for simplicity. We felt the need for an OTRS agreement for several reasons such as, but certainly not limited to, an explanation with an expectation of understanding confidentiality issues due to issues experienced over the last year and noticing a lack of coverage in this area, on a policy standpoint. I'm sorry this was brief but I'm shortly out the door. I encourage any (follow-up) questions you may have. Thank you. Rjd0060 (talk) 12:37, 1 October 2015 (UTC)
- Hi Risker and Storkk, my understanding is that if the Information published is covered under 3(d) then it is safe (which does cover routine activities). 3(d) is not affected by 3(f) [which covers (e)(5)] and 3(g). The scope of tasks performed on OTRS is very wide, and we have thought hard on several routine scenarios. However, there is always something we may miss out or did not contemplate a certain scenario. This is where 3(e)(5) will come in useful. Our explanation of this agreement as a whole is in the preamble. - Mailer Diablo (talk) 15:56, 1 October 2015 (UTC)
- I do not agree that it is covered under 3(d); if I make an edit to an article or a talk page of an article and refer it to an OTRS ticket, I have essentially disclosed the content of the OTRS ticket, even though the correspondent may not wish the information to be public. In fact, many changes remove information because the correspondent does NOT want it public. YOU know what you mean, but it's not what it says; I do not feel safe in relying upon your interpretation, because the next OTRS admin may have a different interpretation. Drafting documents which are intended to be binding is very difficult and the fact that it has not been drafted by a lawyer actually concerns me a lot.
But my key question is, why is the general confidentiality agreement not sufficient? This is so needlessly complex that I cannot bring myself to sign it. I think you should start over again and say what *can* be disclosed. Risker (talk) 16:07, 1 October 2015 (UTC)
- Because the nonpublic info policy refers to "policies that govern the tools". This is the policy for OTRS, and OTRS admins rewrote it from scratch. And respectfully, this brings us to the heart of our dilemma: "this is too long/complicated!" and "but it doesn't cover X!". If OTRS admins were to write up every conceivable situation out there, not only would it take forever, the agreement will be as complex as an Apple EULA and even I would object to its length. Efforts were made to keep this simple. On the other hand, oversimplification is risky because it creates potential loopholes and there is the possibility that something is not included. - Mailer Diablo (talk) 16:32, 1 October 2015 (UTC)
- I do not believe that what has been written by this very small group of people, with very minimal (if any) feedback accurately reflects current accepted practice, and is subject to wildly varying interpretations, which tells me that it isn't doing what it's intended to do. It's nice that you folks got together and wrote this. But we're the ones who are subject to it. I do not recall at any point being asked to participate in its development or to provide feedback on this. I cannot sign this as it is because I believe this policy creates a situation where following current practices could put me personally, and other OTRS agents at genuine risk of external legal action. My personal reputation, especially as it relates to privacy matters, is very, very important to me. Again, I point out the irony that the net effect will be my being forced to restrict my use of privacy-related tools (oversight) and possibly resign those tools, in order to protect myself from allegations of privacy violations simply by following practices that have been in place for years.
How about we remove the deadline and we have a genuine OTRS community discussion on this? That has not happened. My first inclination would be to have separate guidelines or policies for different types of queues, because trying to cover the diverse activities of OTRS is not working at all. This document is a mess. We don't have to pretend to be Apple. We can do better than this. Risker (talk) 16:50, 1 October 2015 (UTC)
- As for the deadline, that probably needs discussion with other OTRS admins. You are welcome to start a discussion at Café on the OTRS wiki or on the Mailing Lists. - Mailer Diablo (talk) 17:05, 1 October 2015 (UTC)
- I do not believe that what has been written by this very small group of people, with very minimal (if any) feedback accurately reflects current accepted practice, and is subject to wildly varying interpretations, which tells me that it isn't doing what it's intended to do. It's nice that you folks got together and wrote this. But we're the ones who are subject to it. I do not recall at any point being asked to participate in its development or to provide feedback on this. I cannot sign this as it is because I believe this policy creates a situation where following current practices could put me personally, and other OTRS agents at genuine risk of external legal action. My personal reputation, especially as it relates to privacy matters, is very, very important to me. Again, I point out the irony that the net effect will be my being forced to restrict my use of privacy-related tools (oversight) and possibly resign those tools, in order to protect myself from allegations of privacy violations simply by following practices that have been in place for years.
- Because the nonpublic info policy refers to "policies that govern the tools". This is the policy for OTRS, and OTRS admins rewrote it from scratch. And respectfully, this brings us to the heart of our dilemma: "this is too long/complicated!" and "but it doesn't cover X!". If OTRS admins were to write up every conceivable situation out there, not only would it take forever, the agreement will be as complex as an Apple EULA and even I would object to its length. Efforts were made to keep this simple. On the other hand, oversimplification is risky because it creates potential loopholes and there is the possibility that something is not included. - Mailer Diablo (talk) 16:32, 1 October 2015 (UTC)
- I do not agree that it is covered under 3(d); if I make an edit to an article or a talk page of an article and refer it to an OTRS ticket, I have essentially disclosed the content of the OTRS ticket, even though the correspondent may not wish the information to be public. In fact, many changes remove information because the correspondent does NOT want it public. YOU know what you mean, but it's not what it says; I do not feel safe in relying upon your interpretation, because the next OTRS admin may have a different interpretation. Drafting documents which are intended to be binding is very difficult and the fact that it has not been drafted by a lawyer actually concerns me a lot.
- Fair enough, Rjd0060; if you are the only active OTRS admin, then it was unreasonable of me to expect that there would be more active participation by that group here. So when you say your team drafted the OTRS agreement, are we referring to the page overleaf, i.e. OTRS/Confidentiality agreement? I do not understand why the standard confidentiality agreement was not sufficient, and I think all of us deserve an explanation. Parts of the content of emails to OTRS, including identities, are routinely published on public projects, either directly (e.g., permissions) or indirectly (through edits made that include a link to an OTRS ticket). I do not see a way that such routine, and in some cases legally important, actions can continue after signing this agreement. Risker (talk) 12:30, 1 October 2015 (UTC)
- I will only comment on the latter of your reply, Risker. I want to reiterate two points:
- Storkk - I understand the issue with regards to permissions tickets. I know we addressed this prior to making the agreement live but I need to clarify which section does include release of information throughout the course of normal OTRS (permissions) operations. Until I speak with the co-authors (co-OTRS admins), I cannot elaborate with certainty. I personally apologize for the delays.Rjd0060 (talk) 12:25, 1 October 2015 (UTC)
- @Rjd0060: @Mailer diablo: I understand, thank you both for your input. My cold made this extremely difficult to figure out. I do think 3(d) should be worded to cover what is "reasonably believed" to be regarded as public, because I think that could be a very hairy line. I have wider and more philosophical misgivings, given that signing feels like it's turning OTRS into a cabal (somehow even if it was, de facto, until now, actually signing this makes me a little uncomfortable). But the above issue has been answered to my personal satisfaction. Storkk (talk) 12:59, 5 October 2015 (UTC)
- My read is that Storkk is correct, it is a violation (one that is made thousands of times a year) because there really are no exceptions that cover this. I notice how neither the lawyers nor the OTRS admins are commenting here. I suppose they figure if they get most of us to sign, it doesn't really matter. Risker (talk) 12:15, 1 October 2015 (UTC)
Wikimedia Foundation editor?[edit]
What does "Wikimedia Foundation editor, user" on 3.(b) mean? I surmise they are
- who edits Wikimedia project wiki,
- who reads Wikimedia project wiki.
Right? --aokomoriuta (talk) 17:03, 30 September 2015 (UTC)
- From my understand that is a yes: readers write to OTRS regularly. - Mailer Diablo (talk) 16:00, 1 October 2015 (UTC)
- I don't know any place other than this page which calls so. It might be confused with the Foundation wiki's editor and user (i.e. WMF staff). Could we modify it?--aokomoriuta (talk) 12:21, 2 October 2015 (UTC)