Clarify if NDAs (to access #WMF-NDA protected Phab tasks) are on paper or in Legalpad's L2 or both
Open, Medium, Public

Description

Splitting from T341272 to cover the general issue; temporarily assigning to @KFrancis per last comment, as I wondered again how to best proceed in T348520:

There is a process described at https://wikitech.wikimedia.org/wiki/Volunteer_NDA that says what is needed is signing "the NDA" (which links to the old "L2" document on Phabricator -> https://phabricator.wikimedia.org/L2) and then approval from a C-Level and then we could grant that access.

Then of course we also have _the other NDA_ process which we usually have been following lately, which includes adding you and then the users signing the document you provide to them etc., as is described at:

https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#NDA_Group

This is usually done when users are added to the "LDAP group nda" (https://wikitech.wikimedia.org/wiki/SRE/LDAP/Groups#NDA_group), but in this case we don't need the additional access that this would grant.

When we hand out the equivalent access to WMF staff, we add them to the "LDAP group wmf" and then a rule was added that we always ALSO add them to the "WMF-NDA" group on Phabricator (cc: @Aklapper, who once requested that to simplify the process).

It is still unclear whether the same rule should apply to volunteers. To determine that is an unresolved ticket at https://phabricator.wikimedia.org/T299839.

Since this has repeatedly caused discussions about how to handle the access requests the right way, here are some questions for you:

  • Would it be ok or wrong to grant access to private data only based on L2 and manager/c-level approval but without the volunteer ever signing anything directly with legal?
  • When we share private tickets with volunteers, should they go through you and sign with you in general? If we do that, can we skip the C-level approvals?
  • Does it matter to you if the sharing of information is limited to sharing private tickets vs handing out other logins via the LDAP group called "nda"?

Based on your responses I think we should maybe update https://wikitech.wikimedia.org/wiki/Volunteer_NDA and/or https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#NDA_Group to make clear what applies where and is the currently valid one.

Agreeing with what Dzahn wrote in the previous comment. For historical context: It seems WMF Legal gave its OK in 2015 to using Legalpad in T655. However given fluctuation I'm not sure if everybody is still fully aware of it and the implications. I admit I am also confused when an NDA on file with WMF-Legal dept is required, and when signing L2 in Phabricator Legalpad is sufficient, and it also seems that either there is no consistent policy or public documentation is potentially outdated. Question: Should this get revised, preferably in a separate task?
(See also T111271 for a random example of using Legalpad in the past for [in my understanding] WMF-driven stuff - in this case, OTRS=Znuny.)

Hi all, Let me do some research and get back to you! Thanks!!!

Event Timeline

Aklapper triaged this task as Medium priority. Oct 24 2023, 10:36 AM
Aklapper created this task.

As the WMF-Legal project tag was added to this task, some general information to avoid wrong expectations:
Please note that public tasks in Wikimedia Phabricator are in general not a place to expect feedback from the Legal Team of the Wikimedia Foundation due to the scope of the team and/or nature of legal topics. See the project tag description.
Please see https://meta.wikimedia.org/wiki/Legal for when and how to contact the Legal Team. Thanks!

Hi all, my apologies for the delay on this. Would it be possible to either get access to https://phabricator.wikimedia.org/L2 OR could you copy and paste the content from this link? I don't have access and neither does the relevant legal counsel member who may be able to provide an answer for you.

@KFrancis: No problem! :) I think you should be able to access L2 now.

Thanks so much! Would you please add access for James Buatti jbuatti@wikimedia.org as well?

Thank you so much! I'll have Jim review that page and I'll get back to you soon!

Hi @Aklapper I have this inquiry in with legal counsel and should have an answer for you by the end of the week. I received an inquiry about an NDA for user https://phabricator.wikimedia.org/p/Xqt/. It looks like they signed the online NDA doc that we are working on the answer for you. I do not receive copies of the online NDA, so that is why they are not on the tracking sheet. If you need me to process the usual NDA on my end, I can take care of that. Please let me know!

Relevant task for future reference T348520: Grant access to nda LDAP group to xqt

If you need me to process the usual NDA on my end, I can take care of that. Please let me know!

Whether we need that or not is a bit unclear and basically part of this task to figure that out once and for all.

Hi all, a couple questions... Do you have information on whoever created the https://phabricator.wikimedia.org/L2 form and do you know where the e-signed completed forms go?

L2 was created on Dec 19 2014 by @Qgil (@QuimGil)

The list of signatures can be viewed at https://phabricator.wikimedia.org/legalpad/signatures/2/

@KFrancis see above. L2 is part of "Legalpad" (https://phabricator.wikimedia.org/legalpad/) a Phabricator extension created for Legal back then.

(https://phabricator.wikimedia.org/project/view/4/)

There are open tickets and all tickets can be seen here: https://phabricator.wikimedia.org/maniphest/query/3pZV9GHovfw4/#R

This is where it was enabled in 2014: T656

Interesting are the first 2 comments. ".. I'd rather prefer that WMF-Legal launches their project here instead of in a separate site, generating content that perhaps one day must be migrated"..

@KFrancis: Could you please ask any of the five folks listed as "Members" on https://phabricator.wikimedia.org/project/members/28/ to also add your account as a member? In my understanding of the setup, this should give you access. Thanks!

Hi @KFrancis I don't have the permissions to add people to the WMF-Legal group but as Aklapper said above for example Stephen LaPorte, Jacob Rogers, Aeryn Palmer or Chuck Roslof should be able to add you.

I wonder if https://phabricator.wikimedia.org/L3 would also be in scope for this question, as moving it elsewhere would allow us to decommission Legalpad?

If yes, this would also need an onboarding process change for SREs.

moving it elsewhere would allow us to decommission Legalpad

Legalpad is also used for signing the ANPDP confidentiality agreements, L37 and L45 (plus the other translated versions).

Question... Historically, do you have a policy or guideline on your end for using https://phabricator.wikimedia.org/legalpad/signatures/2/ rather than getting an NDA done through me?

Hello @Dzahn, my sincere apologies for the length of time it has taken to resolve this open issue! After consulting with legal counsel, and careful consideration, in order to keep with consistent legal practices, we've determined https://phabricator.wikimedia.org/L3 should be retired and all NDA requests should go directly through legal. Do you need additional information or written confirmation from legal counsel to close this form? If so please let me know as soon as possible! Thank you again for your patience while we sorted this out.