[HCoop-Discuss] Draft data confidentiality policies

ntk ntk at hcoop.net
Wed Feb 13 15:13:10 EST 2008


As I mentioned in my hcoop-misc emails, I think that one of the most
important policies we need to implement for HCoop is about protection of
confidential member information.  In particular, what is it, when it can be
accessed or shared, and how we will enforce this.

There are other policies that are very important for any organization that
I would like to see enacted down the road like conflicts of interest,
environmental responsibility, and anti-discrimination.  However this one is
core to our particular mission and especially timely with the FISA
legislation that seems to be around the corner.

I have drafted two complementary policies that I would like comments on,
that I would like to see develop into something we can pass within the next
week or two.

The first one (Policy 1) is a pretty simple anti-FISA policy that makes it
clear that just because the government is trying to create pressure and make
it easier with immunities to share data and surveillance illegally with
unauthorized, unlawful government investigations, we won't do that.  Section
4 may be a bit over the top, but I want it to be crystal clear that the
kind of stupid government justifications that are always put forth for
illegal investigations will not be acceptable and that we have a defense
against such illegality.  This policy is relatively short and
straightforward, so I see no reason why we can't get this passed soon as is
or modified slightly.

Policy 2 is a more general, expansive privacy policy on who can access and
disclose what, when, and how, and whether or when the members need to be
told when their confidential data has been accessed or disclosed.  As a
result this policy is longer and involves a lot more specific choices.  It
may need to be reworked, reworded, or reorganized a bit, and people may
have differing opinions as to what standards should be used.  It may take
longer to get this policy up to shape and passed, but I do want to say
this: right now we have no policy at all other than the general discretions
in our Terms of Service, which are good, but not at all specific.  It would
be better to have an imperfect policy that we can improve later than to go
on forever with no policy at all.

Lastly, I am putting this on hcoop-discuss to get feedback from members,
and I really do want feedback about this to get people's consensus and
improvements, so that this isn't just my idea of what a privacy policy
should look like.  However at the end of the day this will be a
board-enacted policy under section 405 of our bylaws, so do not expect this
to go out to the general membership for a vote over every provision. 
Ultimately it will be up to Davor, Adam and myself to enact it (unless this
drags out until April when we have a new, five-member board), because
that's our job.

Nathan Kennedy
Secretary, HCoop

Here are the policies:

Policy 1.  Anti-FISA

Whereas, the executive administration of the United States and the United
States Congress have been advancing legislation that would grant expansive
surveillance powers to law enforcement, and provide broad immunities to
facilitators of illegal government surveillance, and,

Whereas, the members of HCoop, Inc., have a strong privacy interest in
their data and communications, and a special need for the protection of
this privacy against the pressure of illegal, overbroad, and overbearing
government surveillance, therefore, be it

Resolved, that the following be enacted as an official policy of HCoop,
Inc.:

1. No member, director, officer, system administrator, staff, agent, or
contractor of the corporation shall assist any law enforcement, any agency
of the government of the United States, or any other third party in
conducting surveillance or other investigation of the corporation’s
members or of confidential data or transmissions on the corporation’s
hardware or networks when doing so is contrary to the laws or regulations
of the United States, Pennsylvania, or any other controlling jurisdiction.

2. Any director, officer, system administrator, staff, agent, or contractor
of the corporation who becomes aware of illegal surveillance or
investigation by any government agency of the type described in the
preceding section must, to the extent permitted by law, make full
disclosure of such activity to all members of the board of the corporation.
If such disclosure is not lawfully permitted, then such person must, if
possible, make reasonable lawful disclosure to another government agency,
other than the agency or agents conducting the illegal activity, in order
to stop the illegality.

3. Such assistance is forbidden and such disclosure is required regardless
of any grant of immunity from civil or criminal liability, either for the
individual or for the corporation, and regardless of the source of any such
immunity.

4. Such assistance is forbidden and such disclosure is required regardless
of any putative purpose for such surveillance or investigation, including,
but not limited to, investigation or prevention of any crime, economic
harm, serious bodily injury or death, breaches of national security,
nuclear warfare, or total destruction of the entire universe.

5. Provision of such assistance as in section 1 or failure to disclose as
required in section 2 is grounds for termination of membership, employment,
and contracts, and removal of directors from the board.

6. The corporation shall seek to impose terms in all relevant contracts to
enforce the provisions of this policy.

7. Nothing in the terms of this policy shall be construed to prevent anyone
from lawfully cooperating with a government agency to expedite the lawful
carrying out of any government investigation, where otherwise permitted by
corporate policies.



Policy 2.  Privacy

Whereas, the members of HCoop, Inc., have a strong privacy interest in
their data and communications, and,

Whereas, some access to such data may be required internally by the
corporation to ensure the reliable operation of its services and compliance
with its policies, or to comply with the law or assist in lawful government
investigations, and,

Whereas, members and staff of the corporation need notice of what privacy
expectations will be respected and what actions are permissible by staff,
therefore, be it

Resolved, that the following be enacted as an official policy of HCoop,
Inc.:

1. Members are responsible for setting appropriate technical prom

2. All network transmissions, regardless of source, destination, or content
are confidential.  Aggregate statistics of network transmissions are
public.

3. Stored information that is ordinarily inaccessible to ordinary users is
to be treated as confidential.  Aggregate statistics of stored data are
public.

4. Stored information that is ordinarily accessible to ordinary users is
presumed to be public.  This does not include material that is accessible
to ordinary users who actively circumvent software or hardware controls due
to some bug, vulnerability, or other defect, no matter how trivial the
exploit or how obvious the vulnerability.

5. The presumption of the above section may be rebutted when the
circumstances indicate that data was intended to be protected and
confidentiality may still be maintained.  For instance, obviously
confidential stored data of one member accessible to other ordinary system
users due to incorrect permission settings should be treated as
confidential as soon as this is realized.  Notice should be given to the
owner of the data so that it can be secured.  However, the presumption may
not be rebutted if the information is published so prominently and
accessibly that it is no longer possible to maintain its confidentiality. 
An example would be information accidentally mailed to a mailing list,
published prominently on a website, or otherwise actively made public by
the owner’s own error.

6. Unauthorized persons may not access or intercept confidential data of
any other member or of the corporation.

7. Unauthorized persons may not probe for or attempt to exploit any security
vulnerability in the corporation’s systems.  “Probing” here means
running code or transmitting data to search for particular vulnerabilities.
It does not extend to inferring the presence of vulnerabilities from
public sources of system information.  Should any unauthorized member
suspect or find that a vulnerability may exist, they must not attempt to
diagnose, exploit, or fix it, but instead should notify a system
administrator, officer, or authorized agent of the corporation.

8. Violation of sections 6 and 7 is grounds for expulsion of the member in
question.

9. System administrators and other authorized agents of the corporation may
access confidential data to the extent necessary to maintain the system.  They
may not communicate this data to any other person, except to other
authorized persons only to the extent necessary to maintain the system.
“Maintaining the system” includes, but is not limited to, making
backups, responding to member service requests, dealing with performance
problems, and so on.  The member who owns the confidential data need not be
notified unless two or more people have accessed nontrivial confidential
data, in which case the owner must be notified within a reasonable time
after the data has been accessed.
 
10. System administrators and other authorized agents of the corporation
may view confidential data to the extent necessary to enforce the
corporation’s policies.  This includes technical policies such as
bandwidth and storage limits, as well as policies such as those forbidding
spam.  Any non-routine or expansive investigation under this section must
be specifically authorized by the board of directors.  The member who owns
the confidential data must be notified within a reasonable time of the
investigation’s conclusion, unless only trivial confidential data has
been accessed by a single authorized person in a routine investigation.

11. The board of directors of the corporation may access and disclose
confidential data to a government agency in cooperation with a lawful
investigation to the extent permissible by law, even when not required,
when the investigation either (a) involves direct use of the
corporation’s services in furtherance of a central element of an illegal
activity, or (b) relates to an actual or a reasonable
likelihood of serious bodily injury or death.

12. The board of directors of the corporation may access and disclose
confidential data to a government agency when required by a lawful, valid
court order or subpoena authorized by a tribunal in a controlling
jurisdiction, or when such access or disclosure is otherwise required by a
controlling law.

13. Any person encountering confidential data under any circumstance that
indicates that a member is either violating corporate policies or using
corporate services in furtherance of any illegal activity may notify the
board of directors, which may initiate an investigation and disclosure to
law enforcement as otherwise permitted in this policy.

14. Whenever confidential data is accessed or disclosed under sections 11
through 13, notice must be given to the extent lawfully permitted to the
member within a reasonable time of the conclusion of the investigation as
to the nature and extent of such access and disclosure.

15. The board of directors of the corporation may access and disclose
confidential data to the extent necessary in a legal action or dispute
with a member, or to facilitate the expulsion or other remedy against that
member when such disclosure cannot be avoided, such as by voluntary
resignation or restitution.

16. No authorized person may view or disclose confidential data for
purposes unrelated to their authorized duties, or to an extent greater than
reasonably necessary for the authorized purpose.  Violations of this
section may be punishable by termination of employment or authorized
status, expulsion from the cooperative, or removal from the board of
directors, as appropriate.

17. The corporation shall seek to impose terms in all relevant contracts to
enforce the provisions of this policy.

18. Nothing in the terms of this policy shall be construed to prevent
anyone from disclosing confidential data to a government agency to the
extent necessary when the board has been notified and has failed to act
when required by law.
