phistuck
commented
5 years ago Google as well as jQuery consulted with a lawyer.
Closed domenic closed 2 years ago
phistuck
commented
5 years ago Google as well as jQuery consulted with a lawyer.
phistuck
commented
5 years ago @annevk and @domenic - from the agreement status page -
After an agreement is submitted, it is verified by the WHATWG. This is a manual process, but is usually completed quickly if it's preventing a pull request from being accepted.
This is preventing https://github.com/whatwg/html/pull/4530 from being accepted for three months. It would be great if you expedited the process.
domenic
commented
5 years ago The SG is responsible for resolving this issue, not the editors.
phistuck
commented
5 years ago @domenic - who/where should I ping, then? IRC? A mailing list of some sort? An organization? Would an approval from single organization that participates in the steering group (for example, Google) suffice? Or is a consensus required?
domenic
commented
5 years ago The thread at https://github.com/whatwg/sg/issues/93 is the appropriate place to ping. You can read about how the SG makes decisions at https://whatwg.org/sg-policy
phistuck
commented
5 years ago @bengoodger @vmunix @darinadler @JasonJosephWeber It would be great if you assisted here.
Thank you.
othermaciej
commented
5 years ago Apologies for the delay. We will also consult with lawyers.
michaelchampion
commented
5 years ago Consider the SG pinged, thanks for the reminder. We’ve discussed but not driven to a conclusion, sorry!
On Jul 15, 2019, at 08:36, PhistucK notifications@github.com wrote:
@domenic - who/where should I ping, then? IRC? A mailing list of some sort? An organization? Would an approval from single organization that participates in the steering group (for example, Google) suffice? Or is a consensus required?
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.
phistuck
commented
4 years ago @bengoodger @vmunix @darinadler @JasonJosephWeber @michaelchampion @othermaciej Another ping. Please...
henceproved
commented
4 years ago Apologies on the delay here. We have been discussing and trying to find a way to make this work. Based on the strong advice of our lawyers in this regard, the steering group has decided that contributors cannot use pseudonyms to sign the participation agreement. Without confirming the real identity of the individual, we cannot confirm the validity of the contract with WHATWG, and can also not make a determination about whether the participation agreement can be signed as an individual, or needs to be signed by the employer. Due to these reasons, we cannot allow contributors to sign the participation agreement using pseudonyms.
However, we completely understand that you want to use your pseudonym to make contributions, and not your real identity. We are open to designing a way in which, once you sign the agreement with your real identity, it can be kept out of the public domain. That way, your contributions could only show your pseudonym. I am not sure how exactly that would work in practice, and what changes (if any) are needed in the infrastructure to make that work seamlessly, but we can discuss that (sg@whatwg.org), if this is a feasible option for you.
Again, apologies on the delay here, this has been a tricky one. But, we value your contributions and would like to find a way to make this work for you.
phistuck
commented
4 years ago @henceproved - thank you for the thoughtful reply. I think I am open to such an option, provided that there would be very limited visibility (a very limited number of people could see my details) into the details I enter.
I would prefer to know who exactly has access to my details, including notification about access expansion (adding another person to the access list). I am not sure this is a strong requirement, let me know if this is surely unfeasible. It would also be nice if I could use two e-mail addresses (one for signing and one for contributing), but this is not a strong requirement.
And of course, I would need to know that my details (specifically, my name) are not disclosed with anyone outside of the limited number of people via a clause in the contributor agreement (I did not check whether this already exists).
annevk
commented
4 years ago I don't really understand the SG's reply or how we are meant to enforce that. What tells a pseudonym apart from a GitHub username?
How would https://github.com/whatwg/participate.whatwg.org#process-for-editors be modified to account for this?
domenic
commented
4 years ago I think it's pretty easy for editors to use human judgment to tell when something is a pseudonym. If all else fails, you can ask the contributor directly whether they signed this legal contract using the same name they use to sign other legal contracts. I suspect most would not lie.
If the editor's judgment still disagrees after asking for confirmation, they can escalate to the SG. I am sure legal procedures exist for when someone attempts to sign a paper contract as "InternetPerson1234" and you want to call their bluff.
I think it's important for editors to do our best to safeguard the legal foundation of our IPR commitments.
annevk
commented
4 years ago There's another instance that's blocked on a resolution here.
domenic
commented
4 years ago I'd like to make a concrete proposal for the SG's consideration:
It's not clear whether this will satisfy all contributors. For example some might not be comfortable with anyone having access to their legal name. And, https://github.com/whatwg/sg/issues/93#issuecomment-557646764 contains a number of additional asks which this does not attempt to address (and I don't propose building infrastructure for). But, it seems like a reasonable middle ground that may gain us a few contributors we might not otherwise have.
othermaciej
commented
4 years ago What would still be visible if someone hides their legal name?
domenic
commented
4 years ago No legal names would be visible in the WHATWG/participant-data repository at all, only GitHub usernames.
dbaron
commented
4 years ago So the SG discussed this yesterday -- while I think @othermaciej may also post a summary, I wanted to give my take here:
While I've seen open source projects follow procedures like the one above, I think my concern with it is basically the following: One of the benefits of our IPR policy is that those who implement and use the specifications know that patent commitments have been made by contributors to those specifications. Knowing who made those commitments is part of the value -- if somebody using or implementing the spec is sued for patent infringment, they'd like to know if the party suing them has made patent licensing commitments for the spec. And, at least in the case where the suing party did make commitments, we'd probably like to tell the party being sued. (At least, I would.) So if we did this, we'd probably need to say under what conditions we would break the confidentiality in order to benefit the value of the patent policy. Would it be only if compelled to do so by a legal proceeding (where "compelled" might vary between countries), or would there be other conditions? I think we'd probably need legal advice on framing such a policy.
Then there's also the tradeoff that different pseudonymous contributors might have different standards for what policy on breaking confidentiality would be acceptable to them -- and we'd need to trade those different preferences against their effects on the effectiveness of the patent policy.
phistuck
commented
4 years ago Here is a thought. In case someone would not sign the agreement due to privacy issues, would it be fine if they just wrote that they waive all rights to their contribution in the pull request and someone who already signed it would just take over? Or does the legal issue still apply no matter who actually commits/take over the commit? I ask because I repeatedly waived all rights in that pull request and no one took over (despite having no work left except committing it, if I understand correctly) and I wonder whether that was because of a reason I am missing (other than being overloaded).
domenic
commented
4 years ago As an editor, I at least, would need legal counsel before accepting such a declaration of rights waivers from a pseudonymous individual. It's not clear to me whether waiving rights is a well-defined concept, or if it is, whether it can be done with a GitHub comment (as opposed to, say, signing an agreement using a legal name).
dwsinger
commented
4 years ago jumping in here as a bystander...it's an interesting puzzle.
Let's walk the scenarios. There's a commit from someone who signed the agreement using an alias, say Nemo. Someone, let's call them Cool, enthusiastically implements, and later gets sued by either (a) a person, A.N. Other, or (b) an entity, Example Corp.
how does Cool determine either that A.N. Other and Nemo are in fact the same person, and they granted a license, or that Nemo was a person who worked for, or was, Example Corp. at the time and also gave a license, or that no license could be required?
If Nemo worked for Example Corp. at the time of the contribution, and is under an agreement that all IPR they develop in their field of employment belongs to their employer, how do we know that they can waive rights?
domenic
commented
4 years ago Here is a new draft of the concrete proposal at https://github.com/whatwg/sg/issues/93#issuecomment-623521089, with some clarifications to address @othermaciej's comments and additional process to address @dbaron's comment.
phistuck
commented
4 years ago @domenic - sounds good. Regarding WHATWG Workstream editors - The linked page states -
Note that per the Workstream Policy, the official Editors listed here may have delegated responsibilities and editing duties to deputy editors for any given Living Standard.
That expands the permission scope somewhat, or am I mistaken?
othermaciej
commented
4 years ago We've learned more about W3C's model for supporting pseudonymous contributors. They have only one trusted person who has access to the contributor's real name. That person also verifies the person's identity, and reviews affiliation with entities that may require the person to be covered by the entity agreement rather than individual.
A process like that would be more complicated to implement than @domenic 's proposal, but would perhaps be more thorough at protecting real names.
I suggest we go with the option that is easier to implement, so long as people who want to contribute pseudonymously are comfortable with it. Also worth noting: under existing WHATWG process, a pseudonymous contributor employed by an organization that has signed the entity agreement can participate freely without having to tell anyone their real name.
othermaciej
commented
4 years ago @domenic feedback/questions on the proposal:
- We move the full legal names (current and future) into the whatwg/participant-data-private repository, which only the SG and editors have access to.
Perhaps we should only hide legal names for participants who so request? It seems to be a norm in many other web standards groups that the names of participants are visible by default.
- The editors continue to be responsible for checking if someone is signing the legal agreement using their legal name. But now they do so by consulting the participant-data-private repository.
Per comment above would this be official editors only, or also deputy editors?
The SG can field private requests of the form "has person with legal name X signed the contributor agreement as an individual", if the requesting party can document that they are entangled in potential IPR litigation with legal name X or someone associated with them.
It may be difficult to know what legal personal name to probe for if the party is entangled in potential IPR litigation with an entity. Probing for all of the entity's current and former employees and contractors is likely infeasible without a subpoena. It may often be more useful to ask, "is person with pseudonym/GitHub account X affiliated with entity Y". But this is hard to answer without doing some research at the time the person signs the agreement.
One advantage of the W3C sale model, described in an earlier comment, is that it makes this type of query less relevant, or if relevant, answerable. The trusted person would have checked entity affiliations and verified that the entity agreement is not required before approving.
domenic
commented
4 years ago Perhaps we should only hide legal names for participants who so request? It seems to be a norm in many other web standards groups that the names of participants are visible by default.
This would complicate the implementation a decent amount. Not impossible, but it changes this from a trivial change to one involving two interacting fields that need to be synchronized.
And I don't really agree with that being norm. Even within the WHATWG names are not generally visible by default. You have to go digging through the participant-data repository to find them, and that only works for individuals, not for those associated with an entity.
Per comment above would this be official editors only, or also deputy editors?
I think in this kind of rare case it's OK to require it be official editors only. (Official editors of any standard, that is.)
One advantage of the W3C sale model, described in an earlier comment, is that it makes this type of query less relevant, or if relevant, answerable. The trusted person would have checked entity affiliations and verified that the entity agreement is not required before approving.
In the proposed model here, this remains the editors job. Whether the contributor is pseudonymous or not, the editors are responsible for ensuring that they signed the correct agreement, individual vs. entity. (This is already the case.)
dbaron
commented
4 years ago @phistuck wrote above:
Here is a thought. In case someone would not sign the agreement due to privacy issues, would it be fine if they just wrote that they waive all rights to their contribution in the pull request and someone who already signed it would just take over?
Sorry, missed this comment earlier, but I'd like to answer now: I think that's not sufficient, because of the following:
Suppose user anon123 contributes a pull request making substantive changes to a specification, and says they waive all rights to a pull request. Somebody else commits it. It's then implemented by Acme, Inc. A few years later, Acme, Inc. is sued for patent infringement by Jane Smith, who owns a patent covering the material that was added to the specification in the PR originally written by anon123. Even if the waiver of rights written by user anon123 is written so that it covers patents appropriately, how would Acme, Inc. show that Jane Smith is anon123? (Remember that patent infringement doesn't care about the path that ideas took; it's still infringement even if you invent something independently.)
The problem here is that one of the key goals of the patent policy is to have rules that prevent people from trying to insert things that infringe their patents into standards, in order to later get royalties from those implementing the standard. The patent policy doesn't realistically protect against all unknown patent claims that might theoretically exist out in the world; what it is really made to protect against (and what I think the W3C's policy has been effective at over the past 17 years) is manipulation of the standards process to cause use of specifications to infringe known patents. The above problem is, I think, a vector that would allow manipulation of the standards process in order to insert known-patented material into a specification, and is thus something that I think we should be trying to prevent.
othermaciej
commented
4 years ago We should find out from W3C what exactly their process is for this case. We know that they allow pseudonymous contributors, and that a trusted person or small set of people knows their legal name. However, we don't know under what circumstances (if any) they would reveal that name.
sideshowbarker
commented
4 years ago However, we don't know under what circumstances (if any) they would reveal that name.
Speaking informally and personally, if I happened to be the one who knew the legal name of any pseudonymous contributor, there are no circumstances at all under which I would reveal to anyone else any private details that pseudonymous contributor has trusted me to keep confidential — not their legal name, nor any other non-public details I might know about them.
othermaciej
commented
4 years ago Speaking informally and personally, if I happened to be the one who knew the legal name of any pseudonymous contributor, there are no circumstances at all under which I would reveal to anyone else any private details that pseudonymous contributor has trusted me to keep confidential — not their legal name, nor any other non-public details I might know about them.
This is interesting and raises further questions:
sideshowbarker
commented
4 years ago * What's the point of anyone at all knowing the legal name
The point isn’t knowing the person’s legal name. There’s no point just in any of us knowing any each other’s legal names. That piece of information has zero in and of itself. And that point in me providing confirmation to others that a particular pseudonymous contributor is clear to participate isn’t that I just know their name — instead it’s that I’m confirming that I’ve communicated with them sufficiently to learn enough about their identity that I can confidently assert to others there’s nothing about their identity that would suggest in any way that they’re trying to conceal patent claims or otherwise trying to pull off some other kind of fraud by keeping details of their identity private.
if it wouldn't be revealed under any circumstances?
The point is of not revealing it is that it’s a trust relationship — in a number of ways. When we work with each other we need to trust each other about a lot of different things. If you assert to me that you’ve done due diligence to confirm that there’s no details about someones identity to suggest that they’re trying to conceal patent claims or otherwise trying to commitf fraud, then I trust that. And if someone shares their confidential details with you under the understanding that by doing so, they’ll be allowed to contribute and that you won’t share those details with anyone else, then they’re putting their trust in you to protect their privacy — and that otherwise, if there were some circumstances under which you anticipate you would share their confidential information with someone else despite them having trusted you not to, then would not be agreeing to contribute under those conditions to begin with.
* What's the defense against abuse of the patent policy, for pseudonymous contributors where there's no ready way determine any entities they may be officiated with from their pseudonym alone?
I think the defense is the same as it would be for a contributor with a publicly-known legal name is found to have abused the patent policy. No matter what the known details are about a contributor who has been found to have abused the patent policy, I don’t actually know what the actions are that would need to be taken. If I understood what those actions are, I guess I could then consider how they might be different in the case where the contributor’s legal name wasn’t publicly known.
othermaciej
commented
4 years ago The point isn’t knowing the person’s legal name. There’s no point just in any of us knowing any each other’s legal names. That piece of information has zero in and of itself. And that point in me providing confirmation to others that a particular pseudonymous contributor is clear to participate isn’t that I just know their name — instead it’s that I’m confirming that I’ve communicated with them sufficiently to learn enough about their identity that I can confidently assert to others there’s nothing about their identity that would suggest in any way that they’re trying to conceal patent claims or otherwise trying to pull off some other kind of fraud by keeping details of their identity private.
OK, that makes sense, but would require the knower of names to do some up front research before approving pseudonymous contribution.
I think the defense is the same as it would be for a contributor with a publicly-known legal name is found to have abused the patent policy. No matter what the known details are about a contributor who has been found to have abused the patent policy, I don’t actually know what the actions are that would need to be taken. If I understood what those actions are, I guess I could then consider how they might be different in the case where the contributor’s legal name wasn’t publicly known.
I'm not a lawyer so not really an expert on this. But here's an example of something lawyers could do: if a change is contributed by a person with a known legal identity, then they could try to discover whether that person had any present or past affiliation with the party bringing the suit. If so, and the party knowingly used the individual to work around the patent policy, they could argue that they are entitled to licensing under the relevant IPR policy.
After thinking about it, it seems like having a trusted party know the person's legal name, but not reveal it unless legally compelled, makes the cases close to equivalent, though with additional inconvenient process.
foolip
commented
3 years ago The Steering Group (@annevk, @travisleithead and I) discussed this today. Our current thinking is that we can tweak https://whatwg.org/invitation-policy to also cover this case. As part of evaluating a request for Workstream Participant Invitation status, some member of the Steering Group would talk to the requesting person to confirm everything is in order. Like other invitations it would usually be valid for 36 months.
Does that sounds like an acceptable path forward to folks?
phistuck
commented
3 years ago Fine by me, as long as my name is not revealed to the public, sure.
domenic
commented
3 years ago The legal mechanics of someone signing the agreement under a pseudonym seem like the potential biggest hurdle there, but I guess you'd consult with the lawyers at each company to get their signoff on such a plan.
foolip
commented
3 years ago Right, we should have some guidance for what to enter as Name, City + Country, and Signature in a case like this, or possibly change the form to allow them to be omitted. And yes, in the process of considering a request, steering group members might ask for legal advice, but I think we'll treat that as an implementation detail that's invisible in our policy.
sideshowbarker
commented
3 years ago As part of evaluating a request for Workstream Participant Invitation status, some member of the Steering Group would talk to the requesting person to confirm everything is in order. Like other invitations it would usually be valid for 36 months.
Does that sounds like an acceptable path forward to folks?
That sounds to me like a great resolution for this — assuming care is taken to not record any needs-to-be-kept-private info about contributors in any place in github where it seems like there’s a risk it could end up getting leaked accidentally, or getting exposed through a breach or something.
I think in general if a project stores private information about individuals anywhere at all online, that information needs to be considered more sensitive than even say, shared passwords or other credentials that the project needs to keep secret — because the thing is, if there’s a breach and the passwords/credentials get exposed, then you can at least change/replace the passwords/credentials after the fact, to prevent any further damage.
But if a person’s private information gets exposed, there is no way to fix or mitigate the damage from that after the fact.
Kaleidea
commented
2 years ago @annevk Re https://github.com/whatwg/html/pull/7382#issuecomment-984663422: What was necessary for you to approve PhistucK 2 years ago? https://github.com/whatwg/participant-data/commit/9056efb590b289e4ec233a37018cf065b63ad5b3
annevk
commented
2 years ago That was an error.
Kaleidea
commented
2 years ago If and when it comes to merging the PR we will find a solution. I see there was a discussion about identification to the SG?
annevk
commented
2 years ago As I wrote elsewhere:
The SG is looking into this, but I suspect it will take quite a while before that has meaningfully progressed.
annevk
commented
2 years ago I'm sad to report that while the Steering Group (SG) managed to make meaningful progress on this issue, it's unfortunately ended up as not solvable.
There's an inherent complexity in allowing pseudonymous contributors when intellectual property rights are involved as that means there has to be some way to find out who the contributor is, even for seemingly trivial tasks such as patent review. Ensuring there's a fair process for accessing that information for all contributors while also guaranteeing pseudonymity is not a problem the SG feels equipped to tackle and as far as the SG knows other standards organizations haven't either. It continues to be possible to contribute pseudonymously if you are part of an organization that signed the agreement.
https://github.com/whatwg/html/pull/4530 has @phistuck attempting to contribute a small fix, but I am unsure whether signing a legal agreement using a pseudonym is something the SG would agree to. He points out that other CLAs have accepted that in the past, although I don't know if they consulted their lawyers in each case.
SG help on this would be appreciated.