
Draft COI policy #3

Closed

Conversation

@blacklight447-ptio
Member

blacklight447-ptio commented Feb 3, 2020

This is a first draft policy to integrate a conflict of interest policy into our code of conduct.
See this thread for relevant previous discussion: https://forum.privacytools.io/t/preventing-privacytools-conflicts-of-interest-ensuring-privacytools-integrity/2517

@LizMcIntyre


LizMcIntyre commented Feb 4, 2020

This is a great start @blacklight447-ptio!

It's important to keep all comments public for the record for transparency. I'm not sure if this section means that comments of others can be edited or removed completely ("hidden" is understandable in some cases):

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or

Do you plan to add a section on service/corporate behavior so organizations are aware of appropriate protocol during sensitive times?

@blacklight447-ptio

Member Author

blacklight447-ptio commented Feb 4, 2020

Hey there liz!

About your first section, it's about allowing the team to remove comments and such where people overstepped the bounds of the CoC. For example, if I were to head over to the forum and start cussing and swearing, then the team has the right to remove those harmful comments. That way we can keep the ptio community spaces welcoming and family friendly, so to speak. It's really just for moderation in case of obvious abuse.

As for the second point, I'm not quite sure what you mean exactly, could you maybe type out an example of what you envision?

@@ -40,6 +40,14 @@ Project maintainers are responsible for clarifying the standards of
acceptable behavior and are expected to take appropriate and fair
corrective action in response to any instances of unacceptable behavior.

Members of the official team are required to disclose any interests
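Review bot: "official team" in the added line is undefined, and the thread below shows the ambiguity (four GitHub teams plus Matrix, Reddit and Discourse moderators, while the author says it means anyone with a privacytools email account); write that definition into the policy text itself rather than leaving it in a comment, and state where the interests are to be disclosed and to whom, since the line as written names neither a venue nor a recipient.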

@Mikaela

Mikaela Feb 4, 2020

Member

I think official is a bit ambiguous here considering how we have four GitHub teams and then some around the internet (Matrix moderators, Reddit moderators, Discourse moderators) while there is overlap.

The four GitHub teams

@blacklight447-ptio

blacklight447-ptio Feb 4, 2020

Author Member

Official means anyone with a privacytools email account

@Mikaela

Mikaela Feb 4, 2020

Member

Also where should the interests be disclosed?

@blacklight447-ptio

blacklight447-ptio Feb 4, 2020

Author Member

Good catch, I'll give this some thought.

@blacklight447-ptio

blacklight447-ptio Feb 6, 2020

Author Member

After thinking this through for a bit, I think the following method is the best: the conflict of interest may be posted in any of the community spaces, whether it is the forum or Riot chat. If wished for, it may either be in a team-only space, or a public one.
If it is determined to be a conflict indeed, then it will be made public. If it is determined that it is not a conflict, then it may be kept private (or made public if the member itself wishes to do so). This should give us a good balance between transparency and the privacy of team members: actual conflicts will be reported, and in cases where it does not matter (so if it's not a conflict) they may choose to keep it private.

I would love to get feedback on this, as it's a quite important decision. @LizMcIntyre @davegson

@LizMcIntyre

LizMcIntyre Feb 6, 2020

If it is determined to be a conflict indeed, then it will be made public. If it is determined that it is not a conflict, then it may be kept private (or made public if the member itself wishes to do so).

It is critical that any believed conflict of interest be posted publicly for the sake of transparency. The recent case where a whistleblower (Mikaela) identified a post as having a COI is the perfect example. Had she not come forward, we might never have known about the COI.

What's more, the person with the COI removed the COI label, and there are some who contended (and may still contend) that a conflict of interest never existed. (There was a COI from the moment Startpage offered to discuss an opportunity with a Team Member. Auditor here.)

I believe we also need a whistleblower policy to protect Team Members when they provide critical information to the public, like the recent COI.

@blacklight447-ptio

blacklight447-ptio Feb 7, 2020

Author Member

hey there @LizMcIntyre !

Okay, so after thinking about this more, I agree with your first conclusion.

My idea now is that someone should first disclose his potential conflict of interest. Then the team should look over whether something really is a COI. If it is determined that there is NOT a COI, it shall be made public with the note that there was a discussion with all the details, but that the member will keep his voting rights (as there is no COI). I don't really agree that there is a conflict the moment an offer is made, especially if the team member declines the offer. Assuming that would be a COI would make it trivially easy to just send invites to specific members, and cause them to have to forfeit their voting rights, maybe even leaving only the member which they might have bribed.

If there IS a COI however, it shall be made public, and the voting rights will be removed from the member on that topic. After that, participation in discussions is allowed (in the form of opinions), but only if the person agrees to disclose his affiliation with every message, so people new to the discussion know what's up.

About a whistleblower policy, I would have to read a bit into that, as it's pretty hard to implement something like that where it would be actually meaningful. I'll come back to you about that one in a few days. I do think it would be a good idea though, especially as our organization grows and more folks get involved.

What would you think of that?

@blacklight447-ptio

blacklight447-ptio Feb 7, 2020

Author Member

P.s. I already created a draft issue for a whistleblower policy, so further discussion about it should be done on the appropriate issue: #5

@Mikaela

Mikaela Feb 7, 2020

Member

After thinking this through for a bit, I think the following method is the best: the conflict of interest may be posted in any of the community spaces, whether it is the forum or Riot chat.

I think it has to be something that is not a real time communication platform first. The RTCs are too busy and active at all times and finding information and what has been said before is difficult in them.

The wording in the version of the CoI policy I previously saw seemed to call for a single place where to see all the CoIs, so maybe the team page should be extended or bios could get a new field for affiliations? That may again go to #3 (comment) though or the question what is a significant affiliation?

@blacklight447-ptio

blacklight447-ptio Feb 7, 2020

Author Member

Above I was talking about the discussions about whether something is a COI or not, which may be in chat but could also be on the forum. The place where the reports/conclusions end up and are made visible is another question.

Member

Mikaela commented Feb 4, 2020

Asking here also just in case, what is #4 ?

Member

Mikaela left a comment

Mostly my issues are of branding and one inconsistent "he" within mostly singular they:ed writing.

@dngray

Member

dngray commented Feb 5, 2020

I made some changes in blacklight447-ptio@b7664f0 wrapped to 80 chars and reworded. I think it sounds much better.

blacklight447-ptio and others added 4 commits Feb 5, 2020
Co-Authored-By: Mikaela Suomalainen <mikaela@mikaela.info>
Member

Mikaela left a comment

I happened to notice that we are still linking to the forum which was supposed to be a temporary measure until the website got an about page

reported by contacting blacklight447 via email on
blacklight447@privacytools.io or [any team member on our forum].
reported by contacting blacklight447 via email on blacklight447@privacytools.io
or [any team member on our forum].

@Mikaela

Mikaela Feb 7, 2020

Member
Suggested change
or [any team member on our forum].
or [any team member].
blacklight447@privacytools.io or [any team member on our forum].
reported by contacting blacklight447 via email on blacklight447@privacytools.io
or [any team member on our forum].

The reports should include information on whether they can be shared to
other team members and how much may be told.

[any team member on our forum]:https://forum.privacytools.io/g/team

@Mikaela

Mikaela Feb 7, 2020

Member
Suggested change
[any team member on our forum]:https://forum.privacytools.io/g/team
[any team member]:https://www.privacytools.io/about/
@LizMcIntyre


LizMcIntyre commented Feb 7, 2020

Hi @blacklight447-ptio.

My idea now is that someone should first disclose his potential conflict of interest. Then the team should look over whether something really is a COI. If it is determined that there is NOT a COI, it shall be made public with the note that there was a discussion with all the details, but that the member will keep his voting rights (as there is no COI).

For full transparency's sake, ALL potential COIs should be reported for review -- not just ones determined to NOT be COIs. The Team Member's name is not critical, but the circumstances are.

I liked your idea to have an unbiased non-Team-Member (or outside group) available to jointly assess potential COIs. Someone like @Supernova seems to have a good sense of audit principles, and it wouldn't surprise me if he or she has an audit background.

I don't really agree that there is a conflict the moment an offer is made, especially if the team member declines the offer.

If the offer is outright rejected and reported to PTIO, you are correct.

Even a "wink wink" or side comment about how a Team Member seems so talented and so perfect for an opening or how the company would love to donate to PTIO...should trigger disclosure. Organizations should be put on notice in formal policies that making any kind of offer during a sensitive period will be outed. This is essential for public trust.

In the Startpage situation, the Conflict of Interest started from the moment Startpage/System1 offered a Team Member the possibility of compensation during delisting/relisting discussions. He himself documented in separate posts how he went back and forth with Startpage for well over a month regarding potential work. Til the very end, some Team Members were still questioning whether this was a true COI at any point, which shows that PTIO could benefit from public input. (I'm saying this as a former professional auditor, btw. I'm very familiar with assessing COI.)

Any COIs and circumstances/decisions surrounding them should be made public. Again, the Team Member name is not essential, though the company should be outed.

Note: We don't want to get too extreme. If a reasonable auditor would determine the situation or offer to be a COI, then it's likely a COI. If it walks like a duck, quacks like a duck...

@blacklight447-ptio

Member Author

blacklight447-ptio commented Feb 8, 2020

Hey there, so I think you misunderstood my comment above.
I meant to say that every discussion will be disclosed, but not every discussion will result in the loss of voting rights, as it would make it trivially easy to make everyone unable to vote except a select few by simply sending invites/offers.
So normal ones are also listed when they are reported to the team and community, but they won't necessarily cause a loss of voting rights :).

@davegson


davegson commented Feb 8, 2020

Reading through the PR there are already great points made! I'd like to summarize and define a few things which I already feel you are up to anyway.

The COI policy should cover two stages

1. Investigation (or Discussion) period

1.1 Public Reporting

Whenever a potential COI comes up, this stage starts. Always call out the external entity.

Company X made a job offer to a PTIO member

Company Y sent amazon gift cards to members X, Y, Z

Whether the team member wants to disclose their identity or not is up to them. It is not necessary.

1.2.1 Impact on the listing process

If the project/company is currently in a process of being listed, immediately disclose the COI investigation, also directly on the PR. Also, immediately freeze the listing process until the verdict comes in. Informing the community is key and calls out potential bad behavior by the external entity. And put everything on hold to prevent nasty mess. Like if the report is:

Company X made a job offer to one of the PTIO members

Now anything any team member says will be questioned and nurture mistrust in some community members.

1.2.2 Impact on a de-listing process

If the project/company is currently in a process of being de-listed immediately disclose the COI investigation, also directly on the PR. Freeze all votes "in favor of keeping" the project/company until the verdict comes in. This has very similar effects as above.


The whole point of 1. is to freeze all possible benefits a company/project might receive from creating a potential COI.

1.3 PTIO Investigation

Now the investigation at PTIO starts. It is the time where the situation can be calmly checked by the team. They can take their time, since all potential gains from the external company/project have been ruled out anyway.

@ALL: if I missed potential abuse please chime in

I also like the idea to include unbiased non-Team-Members or groups to take part in the assessment.

2. Verdict / Conclusion

2.1 Public Announcement

As soon as the PTIO team has come to a conclusion, they must publicly announce their verdict.

2.1.1 there is no COI

Here, I feel the team member must not be outed.

Company X made a job offer to one of our team members which got rejected.

2.1.2 there is a COI

Company X made a job offer to one of our team members which got accepted by team member Y.

Here, the team member must be outed since the person will lose voting rights according to the policy.

2.2 Unfreeze processes

If all investigations of a COI regarding a company/project have been clarified, then the unfreezing can happen.


By decoupling these two steps it should be made a lot easier to publicly disclose anything and everything.

What should be reported?

I lean towards @LizMcIntyre

For full transparency sake, ALL potential COI's should be reported for review

but what is a "potential COI" that should be reported & investigated? As Liz mentions, context matters. I feel there are three types of external entities:

  1. An entity not affiliated in any way with PTIO
  2. An entity currently listed on PTIO
  3. An entity currently in the process of (de)listing

According to that context different measures of reporting are required.


Context 1: An entity not affiliated in any way with PTIO

I first thought nothing in 1. should be reported, but what if a team member of yours starts working at an ad company? Maybe this is not in the scope of this policy, but rather something that would trigger an evaluation if the team member is fit for PTIO as a whole?


Context 2: An entity currently listed on PTIO

Number 2. should definitely have some defined rules. Like any company making a job offer should be announced. Or all presents above the value of X (50$?) to the team should be announced. And so on.


Context 3: An entity currently in the process of (de)listing

Number 3. seems easier since, as @LizMcIntyre mentioned, in this context any "wink wink" comment should be announced. It is crucial to be very strict in this context.

Company X praised one of our team members while applying to be listed on PTIO

Announce it both on the official place as well as on the PR itself. With such a policy, it basically tells any company in the listing process to refrain from any bullshit. Basically, they should shut up except when clarifying things on the PR itself. Which is a good thing fmpov.


Still, I feel this section needs more input and work. These are just some thoughts popping out in dire need of feedback. And it is crucial to define what a "potential COI" is in what context, since this will both give team members and companies a well defined rulebook, which makes it easy to act "correct".

Where to publish

I agree with @Mikaela that RTC is not a good place. It needs a universal place to both announce COI investigations and their verdicts. Ideally this would be a dedicated site on your homepage, showing all relevant information with the verdict next to the investigation as soon as it's done.

Immediately call out companies, but not the members. If that company is currently in the listing/delisting process, make it mandatory to communicate the investigation on the PR.

Only reference this in the CoC

I really believe this is a crucial policy with so much potential. When defined well it will encourage all involved parties for good behavior.

It will discourage companies from manipulation and foul play. The team will have a well outlined handbook and be encouraged to report every potential COI accordingly. And ultimately this leads to transparency towards the community, showing them what is happening and strengthening community trust.

Hence, I believe this deserves its own document. And reference it by stating each team member has the responsibility to act according to the COI_Policy.

This will also make it easier to fine-tune certain aspects of it in the future.

Final Notes on Time Limits

Also, an aspect I did not touch was whether or not there should be time limits to report any potential COI to the team and to the public. Immediately is hard to follow, so I feel days should be reasonable.
But I really do not know what would be 'correct'.

Huge braindump here, thanks for reading :)

@Mikaela

Member

Mikaela commented Feb 8, 2020

Number 2. should definitely have some defined rules. Like any company making a job offer should be announced. Or all presents above the value of X (50$?) to the team should be announced. And so on.

This is especially something I have been wondering recently, let me disclose a potential Conflict of Interest / job offer as an example whether it counts as a CoI.

On 2020-01-07 a Google recruiter approached me (for the third time, the second time was before my time in PrivacyTools and the first time when I was in vocational college before I came out as trans or even knew by myself) due to my background in "software engineering" and asked if I would be open to talking about a role at Google. Having difficulties with my life currently I replied late on 2020-01-27 including

Sadly I don't have a background in software engineering, and I am more
on the bug finding and reporting department. I am also missing
programming abilities and my interests are more towards human languages,
so I fear that you aren't looking for me.

in my answer and I also referred to the forum on how I would have to disclose it if there was a serious chance for me to work for them, and they replied along the lines that I am correct that they aren't looking for me and that they would make a note in case any of their colleagues would be looking for something matching my skill set. The email thread was left there. I don't think I can publish the full texts, but I have given them to the team in #team:privacytools.io.

(Recruiter in question, if you are reading this, I think I have to disclose this and I apologise if it's inconvenient for you.)

Is this a conflict of interest that should be disclosed? Even while the job offer has been made without looking fully through https://github.com/Mikaela that with closer look would reveal that I haven't written a single line of code (at most changed some help text or similar) or in other words the job offer obviously required qualification higher than I have?

Another question is should I disclose what businesses I am trying to apply to, while they have nothing to do with privacy tools and I cannot see them doing anything that would warrant them getting listed? What if that resulted in the Social Insurance Institution or Unemployment Services taking the view that by publishing such a list, I am deliberately undermining my chances to become employed, and heavily cut the unemployment support that I am receiving as an unemployed jobseeker?

Oh and should the job offerers and/or job applications I write include a mention of my status as PrivacyTools team member and a link to the COI policy? What if that again makes the employer think that I am an even more undesirable employee by that, in addition to autism making me difficult to employ?

I am feeling anxious typing this and publicly talking about my insecurities, enough that I won't attend a social event where I would start being late from, but I don't know how this could be discussed otherwise, and as this is still a draft, I hope my concerns can still be addressed and result in this being something that doesn't permanently block me from ever getting employed and still ensures that PrivacyTools listing cannot be bought and the COI policy can be a success. Maybe the policy should require everyone to be employed and I should resign so that issues like mine cannot become a problem? But employed people can also be unhappy with their jobs and seek better ones, ending up in a COI situation?

@davegson


davegson commented Feb 8, 2020

Thank you for all your input @Mikaela - it is invaluable! It makes my view on the difficulties a lot clearer.

The bottom line of all your thoughts is that it underlines the importance to structure this correctly. Especially for team members, this should not impact your privacy & professional careers.


The important part is that the PTIO team members as well as the external entities listed on PTIO absolutely have to respect the fact that possible COIs might evolve in a context described above (2. or 3.) - hence disclosure is necessary according to the policy.

But this leads to the conclusion for you team members: Outside all listed entities on PTIO feel free to do whatever works for you. This should never drastically limit your careers: We should not expect the PTIO team members to disclose every application they are seeking or job they have, shooting themselves in the foot by doing so. And no, the companies you work for do not have to have the same ethical standards as PTIO. It's fine to have a job that is not perfect but pays the bills and not disclosing this. I trust your inner ethics that you would not volunteer to PTIO and at the same time work for Cambridge Analytica - it would be a paradox ;).

So no, you do not have to disclose what businesses you apply to except any listed entities on PTIO. And no, you do not have to mention your PTIO membership or link to the COI policy except you apply for (or are approached by) an entity listed on PTIO.


I think this needs to be part of the policy too - better over communicate than say too little.

@blacklight447-ptio

Member Author

blacklight447-ptio commented Feb 9, 2020

Great input here people, it is very much appreciated!

Now, we are rolling out a mediawiki so we can more broadly type out our new policies, instead of pushing them all inside our code of conduct (wiki.privacytools.io).

So I think it's wise to wait a few days, so I can move everything over to the wiki and then reformulate the COI policy as its own document.
Anyway, great work so far folks, this policy is shaping up pretty nicely. The work we are doing here will be foundational to PrivacyTools's future.

EDIT: I went ahead and created a draft version of the COI policy on our wiki.
@davegson I lent some of your previous comment to get started on the process of investigation section.

@JonahAragon

Member

JonahAragon commented Feb 13, 2020

.github is not the correct location for these files, so I'm closing this issue. We'll work on this entirely on the wiki.

See: https://wiki.privacytools.io/view/PrivacyTools_Conflict_of_Interest_Policy

6 participants