Draft COI policy #3
This is a first draft policy to integrate a conflict of interest policy into our code of conduct. See this thread for relevant previous discussion: https://forum.privacytools.io/t/preventing-privacytools-conflicts-of-interest-ensuring-privacytools-integrity/2517
This is a great start @blackligh447-ptio!
It's important to keep all comments public for the record for transparency. I'm not sure if this section means that comments of others can be edited or removed completely ("hidden" is understandable in some cases):
Do you plan to add a section on service/corporate behavior so organizations are aware of appropriate protocol during sensitive times?
Hey there liz!
About your first section, it's about allowing the team to remove comments and such where people overstepped the bounds of the CoC. For example, if I were to head over to the forum, and start cussing and swearing, then the team has the right to remove those harmful comments. That way we can keep the ptio community spaces welcoming and family friendly, so to speak. It's really just for moderation in case of obvious abuse.
As for the second point, I'm not quite sure what you mean exactly, could you maybe type out an example of what you envision?
For full transparency's sake, ALL potential COI's should be reported for review -- not just ones determined to NOT be COI's. The Team Member's name is not critical, but the circumstances are.
I liked your idea to have an unbiased non-Team-Member (or outside group) available to jointly assess potential COI's. Someone like @Supernova seems to have a good sense of audit principles, and it wouldn't surprise me if he or she has an audit background.
If the offer is outright rejected and reported to PTIO, you are correct.
Even a "wink wink" or side comment about how a Team Member seems so talented and so perfect for an opening or how the company would love to donate to PTIO...should trigger disclosure. Organizations should be put on notice in formal policies that making any kind of offer during a sensitive period will be outed. This is essential for public trust.
In the Startpage situation, the Conflict of Interest started from the moment Startpage/System1 offered a Team Member the possibility of compensation during delisting/relisting discussions. He himself documented in separate posts how he went back and forth with Startpage for well over a month regarding potential work. Til the very end, some Team Members were still questioning whether this was a true COI at any point, which shows that PTIO could benefit from public input. (I'm saying this as a former professional auditor, btw. I'm very familiar with assessing COI.)
Any COI's and circumstances/decisions surrounding them should be made public. Again, the Team Member name is not essential, though the company should be outed.
Note: We don't want to get too extreme. If a reasonable auditor would determine the situation or offer to be a COI, then it's likely a COI. If it walks like a duck, quacks like a duck...
Hey there, so I think you misunderstood my comment above.
Reading through the PR there are already great points made! I'd like to summarize and define a few things which I already feel you are up to anyway.
The COI policy should cover two stages
1. Investigation (or Discussion) period
1.1 Public Reporting
Whenever a potential COI comes up, this stage starts. Always call out the external entity.
Whether the team member wants to disclose their identity or not is up to them. It is not necessary.
1.2.1 Impact on the listing process
If the project/company is currently in a process of being listed, immediately disclose the COI investigation, also directly on the PR. Also, immediately freeze the listing process until the verdict comes in. Informing the community is key and calls out potential bad behavior by the external entity. And put everything on hold to prevent nasty mess. Like if the report is:
Now anything any team member says will be questioned and nurture mistrust in some community members.
1.2.2 Impact on a de-listing process
If the project/company is currently in a process of being de-listed immediately disclose the COI investigation, also directly on the PR. Freeze all votes "in favor of keeping" the project/company until the verdict comes in. This has very similar effects as above.
The whole point of 1. is to freeze all possible benefits a company/project might receive from creating a potential COI.
1.3 PTIO Investigation
Now the investigation at PTIO starts. It is the time where the situation can be calmly checked by the team. They can take their time, since all potential gains from the external company/project have been ruled out anyway.
@ALL: if I missed potential abuse please chime in
I also like the idea to include unbiased non-Team-Members or groups to take part in the assessment.
2. Verdict / Conclusion
2.1 Public Announcement
As soon as the PTIO team came to a conclusion, they must publicly announce their verdict.
2.1.1 there is no COI
Here, I feel the team member must not be outed.
2.1.1 there is a COI
Here, the team member must be outed since the person will lose voting rights according to the policy.
2.2 Unfreeze processes
If all investigations of a COI regarding a company/project got clarified then the unfreezing can happen.
By decoupling these two steps it should be made a lot easier to publicly disclose anything and everything.
What should be reported?
I lean towards @LizMcIntyre
but what is a "potential COI" that should be reported & investigated? As Liz mentions, context matters. I feel there are three types of external entities:
According to that context different measures of reporting are required.
Context 1: An entity not affiliated in any way with PTIO
I first thought nothing in 1. should be reported, but what if a team member of yours starts working at an ad company? Maybe this is not in the scope of this policy, but rather something that would trigger an evaluation if the team member is fit for PTIO as a whole?
Context 2: An entity currently listed on PTIO
Number 2. should definitely have some defined rules. Like any company making a job offer should be announced. Or all presents above the value of X (50$?) to the team should be announced. And so on.
Context 3: An entity currently in the process of (de)listing
Number 3. seems easier since, as @LizMcIntyre mentioned, in this context any "wink wink" comment should be announced. It is crucial to be very strict in this context.
Announce it both on the official place as well as on the PR itself. With such a policy, it basically tells any company in the listing process to refrain from any bullshit. Basically, they should shut up except when clarifying things on the PR itself. Which is a good thing fmpov.
Still, I feel this section needs more input and work. These are just some thoughts popping out in dire need of feedback. And it is crucial to define what a "potential COI" is in what context, since this will both give team members and companies a well defined rulebook, which makes it easy to act "correct".
Where to publish
I agree with @Mikaela that RTC is not a good place. It needs a universal place to both announce COI investigations and their verdicts. Ideally this would be a dedicated site on your homepage, showing all relevant information with the verdict next to the investigation as soon as it's done.
Immediately call out companies, but not the members. If that company is currently in the listing/delisting process, make it mandatory to communicate the investigation on the PR.
Only reference this in the CoC
I really believe this is a crucial policy with so much potential. When defined well it will encourage all involved parties for good behavior.
It will discourage companies from manipulation and foul play. The team will have a well outlined handbook and be encouraged to report every potential COI accordingly. And ultimately this leads to transparency towards the community, showing them what is happening and strengthening community trust.
Hence, I believe this deserves its own document. And reference it by stating each team member has the responsibility to act according to the COI_Policy.
This will also make it easier to fine-tune certain aspects of it in the future.
Final Notes on Time Limits
Also, an aspect I did not touch was whether or not there should be time limits to report any potential COI to the team and to the public. Immediately is hard to follow, so I feel days should be reasonable.
Huge braindump here, thanks for reading :)
This is especially something I have been wondering recently, let me disclose a potential Conflict of Interest / job offer as an example whether it counts as a CoI.
On 2020-01-07 a Google recruiter approached me (for the third time, the second time was before my time in PrivacyTools and the first time when I was in vocational college before I came out as trans or even knew by myself) due to my background in "software engineering" and asked if I would be open to talking about a role at Google. Having difficulties with my life currently I replied late on 2020-01-27 including
in my answer and I also referred to the forum on how I would have to disclose it if there was a serious chance for me to work for them and they replied along the lines that I am correct that they aren't looking for me and that they would make a note in case any of their colleagues would be looking for something matching my skill set. The email thread was left here. I don't think I can publish the full texts, but I have given them to the team in
(Recruiter in question, if you are reading this, I think I have to disclose this and I apologise if it's inconvenient for you.)
Is this a conflict of interest that should be disclosed? Even while the job offer has been made without looking fully through https://github.com/Mikaela that with closer look would reveal that I haven't written a single line of code (at most changed some help text or similar) or in other words the job offer obviously required qualification higher than I have?
Another question is should I disclose what businesses I am trying to apply to, while they have nothing to do with privacy tools and I cannot see them doing anything that would warrant them getting listed? What if that resulted Social Insurance Institution or Unemployment Services to take a view that by publishing such a list, I am deliberately undermining my chances to become employed and heavily cut unemployment support that I am receiving as unemployed jobseeker?
Oh and should the job offerers and/or job applications I write include a mentioning on my status as PrivacyTools team member and a link to the COI policy? What if that again makes the employer think that I am even more undesirable employee by that in addition to autism making me difficult to employ?
I am feeling anxious typing this and publicly talking about my insecurities, enough that I won't attend social event where I would start being late from, but I don't know how this could be discussed otherwise and as this is still a draft, I hope my concerns can still be addressed and result this to be something that doesn't permanently block me ever getting employed and still ensure that PrivacyTools listing cannot be bought and the COI policy can be a success. Maybe the policy should require everyone to be employed and I should resign so that issues like mine cannot become a problem? But employed people can also be unhappy with their jobs and seek better ones ending up to a COI situation?
Thank you for all your input @Mikaela - it is invaluable! It makes my view on the difficulties a lot clearer.
The bottom line of all your thoughts is that it underlines the importance to structure this correctly. Especially for team members, this should not impact your privacy & professional careers.
The important part is that the PTIO team members as well as the external entities listed on PTIO absolutely have to respect the fact that possible COIs might evolve in a context described above (2. or 3.) - hence disclosure is necessary according to the policy.
But this leads to the conclusion for you team members: Outside all listed entities on PTIO feel free to do whatever works for you. This should never drastically limit your careers: We should not expect the PTIO team members to disclose every application they are seeking or job they have, shooting themselves in the foot by doing so. And no, the companies you work for do not have to have the same ethical standards as PTIO. It's fine to have a job that is not perfect but pays the bills and not disclosing this. I trust your inner ethics that you would not volunteer to PTIO and at the same time work for Cambridge Analytica - it would be a paradox ;).
So no, you do not have to disclose what businesses you apply to except any listed entities on PTIO. And no, you do not have to mention your PTIO membership or link to the COI policy except you apply for (or are approached by) an entity listed on PTIO.
I think this needs to be part of the policy too - better over communicate than say too little.
Great input here people, it is very much appreciated!
Now, we are rolling out a mediawiki so we can more broadly type out our new policies, instead of pushing them all inside our code of conduct (wiki.privacytools.io)
So I think it's wise to wait a few days, so I can move everything over to the wiki and then reformulate the COI policy as its own document.
EDIT: I went ahead and created a draft version of the COI policy on our wiki.