[HCoop-Discuss] Draft data confidentiality policies

Franklin Gordon Bynum frank at hcoop.net
Mon Feb 18 01:52:47 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nice work, Nathan.

I would really love for us to implement something like this
http://gplv3.fsf.org/comments/gplv3-draft-4.html
for this type of review.  It would make collaborating much easier.

But for now...

> Policy 1.  Anti-FISA

How about "Cooperation with law enforcement agencies"?

> Whereas, the executive administration of the United States and the

The term "executive administration of the United States" has been used in only one court opinion ever in this country.  (If you're keeping score at home, it's Decatur v. Paulding, a U.S. Supreme Court case from 1840.)

I would prefer we use something simpler and more common.  Like "the President and Congress" or "the President, and Congress" or "both the President and the Congress of the United States."

> United States Congress have been advancing legislation that would
> grant expansive surveillance powers to law enforcement, and provide
> broad immunities to facilitators of illegal government surveillance,
> and,
> 
> Whereas, the members of HCoop, Inc., have a strong privacy interest in
> their data and communications, and a special need for the protection
> of this privacy against the pressure of illegal, overbroad, and
> overbearing government surveillance, therefore, be it

This windup is more about the administration in one country than our cooperative.  I understand the political issues here and share ntk's alarm at FISA legislation.  However, I would prefer a less political, more descriptive set of introductory clauses that is less about the U.S. government and more about Hcoop, what it does, and what it's supposed to do.  

Whereas, Hcoop, Inc. is a provider of Internet hosting services to its members; and,

Whereas, the members of Hcoop, Inc. store personal data on equipment owned by Hcoop, Inc.; and,

Whereas, Hcoop, Inc. is under an obligation to protect the privacy of its members' data, including but not limited to preventing disclosure of that information unless under lawful court order; 


> Resolved, that the following be enacted as an official policy of
> HCoop, Inc.:
> 
> 1. No member, director, officer, system administrator, staff, agent,
> or contractor of the corporation 

"Staff" here is plural while the other items are singular.  Using the normal "staff member" isn't appropriate here, either, because of the special meaning of "member" to us.  What about "employee"?  That's covered by agent, though.

> shall assist any law enforcement,
> any agency of the government of the United States, or any other third
> party in conducting surveillance or other investigation of the
> corporation’s members or of confidential data or transmissions on the
> corporation’s hardware or networks when doing so is contrary to the
> laws or regulations of the United States, Pennsylvania, or any other
> controlling jurisdiction.

I would prefer for this to be more straightforward.  Under what specific circumstances will Hcoop, Inc. cooperate with the government?  Saying only that we will not act contrary to law is a bit murky.  National security letters are particularly of some concern here.
http://en.wikipedia.org/wiki/National_security_letter
http://en.wikipedia.org/wiki/Doe_v._Ashcroft

I believe that there is one and only one situation where Hcoop, Inc. should cooperate with the government: when a competent court, possessing subject matter and personal jurisdiction over Hcoop, Inc., issues an order directing Hcoop, Inc.'s cooperation.  That's it.  This categorically excludes administrative subpoenas issued by an executive agency.  If there is resistance 

> 2. Any director, officer, system administrator, staff, agent, or
> contractor of the corporation who becomes aware of illegal
> surveillance or investigation by any government agency of the type
> described in the preceding section must, to the extent permitted by
> law, make full disclosure of such activity to all members of the
> board of the corporation. If such disclosure is not lawfully
> permitted, then such person must, if possible, make reasonable lawful
> disclosure to another government agency, other than the agency or
> agents conducting the illegal activity, in order to stop the
> illegality.

Our language here protects us less because we're making judgment statements where they're not necessary.  "Illegal surveillance or investigation" is particularly unclear.  Does illegal modify investigation?  Certainly we want disclosure of ANY surveillance or cooperation with the government.

I think our policy should be immediate disclosure to all members of the cooperative unless under a gag order issued by a competent court, possessing subject matter and personal jurisdiction over Hcoop, Inc.  No other restraint on Hcoop, Inc.'s speech should be recognized.

> 3. Such assistance is forbidden and such disclosure is required
> regardless of any grant of immunity from civil or criminal liability,
> either for the individual or for the corporation, and regardless of
> the source of any such immunity.

What is "such assistance"?  I would prefer each paragraph have independent meaning.  

"3. This policy is operative regardless of any grant of immunity from civil or criminal liability, either for the individual or for the corporation, and regardless of the source of any such immunity."

> 4. Such assistance is forbidden and such disclosure is required
> regardless of any putative purpose for such surveillance or
> investigation, including, but not limited to, investigation or
> prevention of any crime, economic harm, serious bodily injury or
> death, breaches of national security, nuclear warfare, or total
> destruction of the entire universe.

This can be collapsed into three, to the extent it's even necessary.  I think it's self-evident that the government's stated reasons for the government's actions are irrelevant.  As long as we narrowly define the objective circumstances under which the corporation will cooperate, we don't need to get into subjective justifications on either side.

> 5. Provision of such assistance as in section 1 or failure to
> disclose as required in section 2 is grounds for termination of
> membership, employment, and contracts, and removal of directors from
> the board.

What mechanism will be used for removal?  Board vote?  Or is it automatic?  We should spell that out. (see my notes at the end of this message)

> 6. The corporation shall seek to impose terms in all relevant
> contracts to enforce the provisions of this policy.
> 
> 7. Nothing in the terms of this policy shall be construed to prevent
> anyone from lawfully cooperating with a government agency to expedite
> the lawful carrying out of any government investigation, where
> otherwise permitted by corporate policies.

Something like seven is necessary, but this seven goes too far.  It's not our job to "expedite" for the government.  It's our job to get it right, and to cooperate only to the extent required by law.

"7. Nothing in this policy shall compel any member of the board of directors to act contrary to the laws of the United States, the Commonwealth of Pennsylvania, or any other controlling jurisdiction."

This policy may have to be watered down to account for our current Peer1 contract, which does not have a rider.  I doubt we'd be able to get such a rider at this point.  We just got settled here, and I don't particularly want (to say nothing of the admins!!) to rip up stakes and go somewhere else, be it another Peer1 location or to a provider that will give us a rider.  

Fact is, though, that we are going to enter into contracts that may not honor this policy.  Somewhere up the communications line, a provider will cooperate with the government in a way inconsistent with this policy, and there's little we can do about it.  We could cut off our own foot and terminate the contract, but deleuze, mire and krunk aren't much use to our members if they're not connected to a network.

"5. Any member of Hcoop, Inc. who violates section 1 or section 2 of the policy shall be removed from membership in the manner provided by the Articles of Incorporation of Hcoop, Inc."

I'll take a crack at the privacy policy in a bit.

frank

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHuSs/MjXkO6QSj4kRAiK5AJ9Ro3pTcGgo1kJal+gYa5buh+zNAQCZAZw3
LfFY72O4YNBNc/LiSILYVBM=
=Hcu+
-----END PGP SIGNATURE-----


