w3c / process

W3C Process Document
https://www.w3.org/policies/process/drafts/

Confidentiality Levels and Redactions #722

Closed joshco closed 7 months ago

joshco commented 1 year ago

Add inline definition of "reasonable efforts" as "including, but not limited to, Confidentiality Levels and Redaction"

joshco commented 1 year ago

Adjusted grammar thing/action. (This PR doesn't seem urgent enough to complicate AB review.)

The origin of this was on the last CG call, discussing the edge case of a message or other status update that was set to confidentiality level Public or Member, but a contained piece of information needed to remain confidential. Personal or company identifying information could be redacted within the status update which was set to Public or Member.

The word redact wasn't present in the document, and there wasn't really a binding between "must use efforts" and what those "efforts" are. A newcomer might not implicitly make the assumption.

I'm keying off statements I've heard about the doc being long, or difficult to consume. (Verbosity: The curse of being a standards wonk) While I'm new to W3C's process, I was the founding chair of DMTF's Process Committee 2006-2012 [[1](https://www.dmtf.org/about/officers/history)]. We were documenting unwritten rules and adding new processes as the org evolved. So feel free to let me know how to help best.

TallTed commented 1 year ago

@joshco — Nit in your https://github.com/w3c/w3process/pull/722#issuecomment-1509486443. 2012[1](https://www.dmtf.org/about/officers/history) would be better 2012 [[1](https://www.dmtf.org/about/officers/history)] which renders as you will see below, instead of being easily read as a confusing probable typo, 20121.

2012 [1]

joshco commented 1 year ago

How about we come to consensus on the next call?

frivoal commented 9 months ago

@joshco , I'd like to confirm I understand what you're trying to achieve here. I believe your goal is to state that "use reasonable efforts to maintain the proper level of confidentiality" involves (at least):

Is that the core of it, or are you trying for something else?

nigelmegitt commented 8 months ago

I think this sort of change warrants an issue before opening the PR, so that we can come to consensus around the problem and the shape of the solution.

I share the concerns around the wording change, specifically that it is unclear what "applying Confidentiality Levels" means beyond what is already obvious from the text.

My general expectations around this kind of thing are:

Redaction is a technique that can be used to create a new document (or other version of the source information) that can have a less restrictive confidentiality level. A whole other set of questions arises if it is being introduced here, like "what is the process for determining that the redaction is adequate to allow the remainder of the information to be made available at a less restrictive confidentiality level?" and "who needs to be involved in that process?"

For example, I don't believe that, as a Member, I automatically have the right to decide which parts of some Member-only resource (that may be nothing to do with me) need to be redacted to make that resource public. It's not even clear that any redaction might lead to such an outcome, since the existence of the resource might itself be Member-confidential.

joshco commented 8 months ago

@frivoal You are correct in your assumption of my goal.

@nigelmegitt the issues you raise are good questions.

I'm new to the document, so for me, it wasn't clear what the section means in practice. E.g., what is someone supposed to do?

css-meeting-bot commented 8 months ago

The Revising W3C Process CG just discussed Confidentiality Levels and Redactions.

The full IRC log of that discussion:

<fantasai> Subtopic: Confidentiality Levels and Redactions
<fantasai> -> Confidentiality Levels and Redactions
<fantasai> github: Confidentiality Levels and Redactions
<fantasai> s/-> Confidentiality Levels and Redactions//
<fantasai> s/github: Confidentiality Levels and Redactions//
<fantasai> github: https://github.com/w3c/w3process/pull/722
<fantasai> florian: I don't think the wording in the PR is quite right
<fantasai> ... but I also can't figure out what Josh is *trying* to solve
<fantasai> -> https://github.com/w3c/w3process/pull/722#issuecomment-1983778164
<fantasai> joshco: Nigel asked the questions that came up to me
<fantasai> ... unclear to me what is expected to happen
<fantasai> ... are people actually doing this, is it actually happening?
<fantasai> plh: Nigel was asking, what is the issue associated with the PR
<fantasai> ... where you trying to address an actual issue?
<fantasai> joshco: It was while I was reviewing the text, I didn't understand what it was expecting
<fantasai> florian: [quotes text]
<fantasai> ... you expanded in order to explain it
<fantasai> ... but it's wrong, not supposed to use redaction for confidential information to make it public, supposed to not make it public
<fantasai> ... Team has procedures for changing confidentiality levels
<fantasai> ... The sentence is more general, it's making reasonable effort to maintain confidentiality
<fantasai> ... How is context-dependent
<fantasai> ... so I think your clarifications aren't correct. Whether we need other clarifications, I don't know
<fantasai> joshco: The audience of this is not the people who are deciding the confidentiality level
<fantasai> ... this is about readers of the document should respect the confidentality level of the document
<fantasai> florian: That would be a clarification to the first point
<fantasai> ... respecting appropriate level of confidentiality
<fantasai> ... second point is about applying proper care
<fantasai> ... is that reasonable?
<fantasai> joshco: Yeah
<fantasai> florian: OK I'll try to come up with a PR

frivoal commented 8 months ago

Action on me to create an alternative pull request, based on the understanding gained from the discussion as captured in the minutes above.

frivoal commented 7 months ago

Rejected in favor of #835