[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T349595

Clarify if NDAs (to access #WMF-NDA protected Phab tasks) are on paper or in Legalpad's L2 or both
Closed, ResolvedPublic
Actions

Description

Splitting from T341272 to cover the general issue; temporarily assigning to @KFrancis per last comment, as I wondered again how to best proceed in T348520:

In T341272#8997885, @Dzahn wrote:

There is a process described at https://wikitech.wikimedia.org/wiki/Volunteer_NDA that says what is needed is signing "the NDA" (which links to the old "L2" document on Phabricator -> https://phabricator.wikimedia.org/L2) and then approval from a C-Level and then we could grant that access.

Then of course we also have _the other NDA_ process which we usually have been following lately, which includes adding you and then the users singing the document you provide to them etc, as is described at:

https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#NDA_Group

This is usually done when user are added to the "LDAP group nda" (https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups#NDA_group), but in this case we don't need the additional access that this would grant.

When we hand out the equivalent access to WMF staff, we add them to the "LDAP group wmf" and then _a rule was added that we always ALSO add them to the "WMF-NDA" group on phabricator. (cc: @Aklapper who once requested that to simplify the process).

It is still unclear whether the same rule should apply to volunteers. To determine that is an unresolved ticket at https://phabricator.wikimedia.org/T299839.

Since this repeatedly has caused discussions how to handle the access requests the right way, here are some questions for you:

  • Would it be ok or wrong to grant access to private data only based on L2 and manager/c-level approval but without the volunteer ever signing anything directly with legal?
  • When we share private tickets with volunteers, should they go through you and sign with you in general? If we do that, can we skip the C-level approvals?
  • Does it matter to you if the sharing of information is limited to sharing private tickets vs handing our other logins via the LDAP group called "nda"?

Based on your responses I think we should maybe update https://wikitech.wikimedia.org/wiki/Volunteer_NDA and/or https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#NDA_Group to make clear what applies where and is the currently valid one.

In T341272#8998112, @Aklapper wrote:

Agreeing with what Dzahn wrote in the previous comment. For historical context: It seems WMF Legal gave its OK in 2015 to using Legalpad in T655. However given fluctuation I'm not sure if everybody is still fully aware of it and the implications. I admit I am also confused when an NDA on file with WMF-Legal dept is required, and when signing L2 in Phabricator Legalpad is sufficient, and it also seems that either there is no consistent policy or public documentation is potentially outdated. Question: Should this get revised, preferably in a separate task?
(See also T111271 for a random example of using Legalpad in the past for [in my understanding] WMF-driven stuff - in this case, OTRS=Znuny.)

In T341272#8998430, @KFrancis wrote:

Hi all, Let me do some research and get back to you! Thanks!!!

Related Objects
Search...

Event Timeline

Aklapper triaged this task as Medium priority.Oct 24 2023, 10:36 AM
Aklapper created this task.
Restricted Application added a comment. · View Herald TranscriptOct 24 2023, 10:36 AM

As the WMF-Legal project tag was added to this task, some general information to avoid wrong expectations:
Please note that public tasks in Wikimedia Phabricator are in general not a place where to expect feedback from the Legal Team of the Wikimedia Foundation due to the scope of the team and/or nature of legal topics. See the project tag description.
Please see https://meta.wikimedia.org/wiki/Legal for when and how to contact the Legal Team. Thanks!

Aklapper mentioned this in T341272: Volunteer NDA for RhinosF1.Oct 24 2023, 10:38 AM
Peachey88 subscribed.Oct 25 2023, 1:44 AM
KFrancis added a comment.Oct 26 2023, 9:13 PM

Hi all, my apologies or the delay on this. Would it be possible to either get access to https://phabricator.wikimedia.org/L2 OR could you copy and past the content from this link? I don't have access and neither does the relevant legal counsel member who may be able to provide an answer for you.

Aklapper added a comment.Oct 26 2023, 9:56 PM

@KFrancis: No problem! :) I think you should be able to access L2 now.

KFrancis added a comment.Oct 26 2023, 11:26 PM

Thanks so much! Would you please add access for James Buatti jbuatti@wikimedia.org as well?

Aklapper added a comment.Oct 27 2023, 7:29 AM

Sure! Also added @JbuattiWMF.

KFrancis added a comment.Oct 27 2023, 6:49 PM

Thank you so much! I'll have Jim review that page and I'll get back to you soon!

Dzahn awarded a token.Oct 31 2023, 7:40 PM
KFrancis added a comment.Nov 1 2023, 3:52 PM

Hi @Aklapper I have this inquiry in with legal counsel and should have an answer for you by the end of the week. I received an inquiry about an NDA for user https://phabricator.wikimedia.org/p/Xqt/. It looks like they signed the online NDA doc that we are working on the answer for you. I do not receive copies of the online NDA, so that is why they are not on the tracking sheet. If you need me to process the usual NDA on my end, I can take are of that. Please let me know!

Aklapper moved this task from To Triage to Policies on the Phabricator board.Nov 2 2023, 10:46 AM
Peachey88 added a comment.EditedNov 2 2023, 10:57 AM
In T349595#9298822, @KFrancis wrote:

Hi @Aklapper I have this inquiry in with legal counsel and should have an answer for you by the end of the week. I received an inquiry about an NDA for user https://phabricator.wikimedia.org/p/Xqt/. It looks like they signed the online NDA doc that we are working on the answer for you. I do not receive copies of the online NDA, so that is why they are not on the tracking sheet. If you need me to process the usual NDA on my end, I can take are of that. Please let me know!

Relevant task for future reference T348520: Grant access to nda LDAP group to xqt

Dzahn added a comment.Nov 2 2023, 7:52 PM
In T349595#9298822, @KFrancis wrote:

If you need me to process the usual NDA on my end, I can take are of that. Please let me know!

Whether we need that or not is a bit unclear and basically part of this task to figure that out once and for all.

KFrancis added a comment.Nov 3 2023, 9:51 PM

Hi all, a couple questions... Do you have information in whomever created the https://phabricator.wikimedia.org/L2 form and do you know where the e-signed completed forms go?

Dzahn added subscribers: QuimGil, Qgil.Nov 3 2023, 10:01 PM
In T349595#9305974, @KFrancis wrote:

Hi all, a couple questions... Do you have information in whomever created the https://phabricator.wikimedia.org/L2 form and do you know where the e-signed completed forms go?

L2 was created on Dec 19 2014 by @Qgil (@QuimGil)

The list of signatures can be viewed at https://phabricator.wikimedia.org/legalpad/signatures/2/

Dzahn added a comment.Nov 3 2023, 10:05 PM

@KFrancis see above. L2 is part of "Legalpad" (https://phabricator.wikimedia.org/legalpad/) a Phabricator extension created for Legal back then.

(https://phabricator.wikimedia.org/project/view/4/)

There are open tickets and all tickets can be seen here: https://phabricator.wikimedia.org/maniphest/query/3pZV9GHovfw4/#R

This is where it was enabled in 2014: T656

Interesting are the first 2 comments. ".. I'd rather prefer that WMF-Legal launches their project here instead of in a separate site, generating content that perhaps one day must be migrated"..

Aklapper removed a subscriber: QuimGil.Nov 4 2023, 6:01 PM
KFrancis added a comment.Nov 8 2023, 12:36 AM

Hi @Dzahn, would it be possible for me to get access to https://phabricator.wikimedia.org/legalpad/signatures/2/?

Aklapper added a comment.Nov 8 2023, 9:15 AM

@KFrancis: Could you please ask any of the five folks listed as "Members" on https://phabricator.wikimedia.org/project/members/28/ to also add your account as a member? In my understanding of the setup, this should give you access. Thanks!

Dzahn added a comment.Nov 8 2023, 6:13 PM

Hi @KFrancis I don't have the permissions to add people to the WMF-Legal group but as Aklapper said above for example Stephen LaPorte, Jacob Rogers, Aeryn Palmer or Chuck Roslof should be able to add you.

LSobanski subscribed.Nov 22 2023, 1:45 PM
LSobanski added a comment.Nov 30 2023, 4:56 PM

I wonder if https://phabricator.wikimedia.org/L3 would also be in scope for this question, as moving it elsewhere would allow us to decommission Legalpad?

If yes, this would also need an onboarding process change for SREs.

JJMC89 subscribed.Nov 30 2023, 5:07 PM

moving it elsewhere would allow us to decommission Legalpad

Legalpad is also used for signing the ANPDP confidentiality agreements, L37 and L45 (plus the other translated versions).

KFrancis added a comment.Dec 21 2023, 9:52 PM

Question... Historically, do you have a policy or guideline on your end for using https://phabricator.wikimedia.org/legalpad/signatures/2/ rather than getting an NDA done through me?

Qgil unsubscribed.Dec 21 2023, 10:27 PM
Dzahn added a comment.Dec 22 2023, 2:01 AM

@KFrancis A reference to L2 is here: https://wikitech.wikimedia.org/wiki/Volunteer_NDA#Welcome_to_the_NDA_club!

Dzahn mentioned this in T358578: Add WMDE staff who have signed the NDA with the WMF to the WMF-NDA phabricator policy group.Feb 29 2024, 9:39 PM

This would also help to solve T358578

Dzahn added a subtask: T299839: Clarify whether members of ldap/nda should be added to #WMF-NDA.Feb 29 2024, 9:41 PM
KFrancis added a comment.Mar 4 2024, 8:25 PM

Hello @Dzahn, my sincere apologies for the length of time it has taken to resolve this open issue! After consulting with legal counsel, and careful consideration, in order to keep with consistent legal practices, we've determined https://phabricator.wikimedia.org/L3 should be retired and all NDA requests should go directly through legal. Do you need additional information or written confirmation from legal counsel to close this form? If so please let me know as soon as possible! Thank you again for your patience while we sorted this out.

Tobi_WMDE_SW subscribed.Mar 5 2024, 2:51 PM
Dzahn claimed this task.Mar 22 2024, 11:55 PM
Dzahn added a comment.Apr 19 2024, 5:27 PM

@KFrancis Thank you very much and apologies as well for the delay on my side.

You mention L3 here but I think you mean L2.

I have edited the text of L2 and a comment below to say that it is outdated and should not be used anymore and that people should go through a ticket tagged WMF-NDA-Requests and contact you.

https://phabricator.wikimedia.org/legalpad/view/2/#913

Dzahn mentioned this in T299839: Clarify whether members of ldap/nda should be added to #WMF-NDA.Apr 19 2024, 5:30 PM
Dzahn added a subscriber: Muehlenhoff.Apr 19 2024, 5:39 PM

I made the following edits to the "Volunteer NDA" docs to reflect this change:

https://wikitech.wikimedia.org/w/index.php?title=Volunteer_NDA&diff=2170935&oldid=2041944

cc: @Aklapper @Muehlenhoff

Dzahn closed this task as Resolved.Apr 19 2024, 5:41 PM
Dzahn mentioned this in T363009: Retire legalpad phabricator/phorge application?.Apr 19 2024, 5:57 PM
KFrancis added a comment.Apr 19 2024, 6:16 PM

@Dzahn Yes, thank you, I meant L2! I appreciate your edits to the page and your work on this as well!

In T349595#9730220, @Dzahn wrote:

@KFrancis Thank you very much and apologies as well for the delay on my side.

You mention L3 here but I think you mean L2.

I have edited the text of L2 and a comment below to say that it is outdated and should not be used anymore and that people should go through a ticket tagged WMF-NDA-Requests and contact you.

https://phabricator.wikimedia.org/legalpad/view/2/#913

Aklapper added a comment.Apr 23 2024, 9:33 AM

Big thanks to Daniel and Katie for clarifying this process! <3

BCornwall subscribed.Apr 23 2024, 4:47 PM
Aklapper mentioned this in T364088: Remove custom Legalpad API downstream changes.May 3 2024, 9:29 AM
Dzahn closed subtask T299839: Clarify whether members of ldap/nda should be added to #WMF-NDA as Resolved.Sep 6 2024, 8:34 PM
Aklapper mentioned this in T374995: Volunteer NDA for Antonin Delpeuch (Pintoch).Oct 9 2024, 10:45 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits