Can contributors use pseudonyms to sign the participation agreement? #93
Comments
@annevk and @domenic - from the agreement status page -
This is preventing whatwg/html#4530 from being accepted for three months. It would be great if you expedited the process.
The SG is responsible for resolving this issue, not the editors.
@domenic - who/where should I ping, then?
The thread at #93 is the appropriate place to ping. You can read about how the SG makes decisions at https://whatwg.org/sg-policy
@bengoodger Thank you.
Apologies for the delay. We will also consult with lawyers.
Consider the SG pinged, thanks for the reminder. We’ve discussed but not driven to a conclusion, sorry!
… On Jul 15, 2019, at 08:36, PhistucK ***@***.***> wrote:
@domenic - who/where should I ping, then?
IRC? A mailing list of some sort? An organization?
Would an approval from single organization that participates in the steering group (for example, Google) suffice?
Or is a consensus required?
@bengoodger
Apologies on the delay here. We have been discussing and trying to find a way to make this work. Based on the strong advice of our lawyers in this regard, the steering group has decided that contributors cannot use pseudonyms to sign the participation agreement. Without confirming the real identity of the individual, we cannot confirm the validity of the contract with WHATWG, and can also not make a determination about whether the participation agreement can be signed as an individual, or needs to be signed by the employer. Due to these reasons, we cannot allow contributors to sign the participation agreement using pseudonyms. However, we completely understand that you want to use your pseudonym to make contributions, and not your real identity. We are open to designing a way in which, once you sign the agreement with your real identity, it can be kept out of the public domain. That way, your contributions could only show your pseudonym. I am not sure how exactly that would work in practice, and what changes (if any) are needed in the infrastructure to make that work seamlessly, but we can discuss that ([email protected]), if this is a feasible option for you. Again, apologies on the delay here, this has been a tricky one. But, we value your contributions and would like to find a way to make this work for you.
@henceproved - thank you for the thoughtful reply. I would prefer to know who exactly has access to my details, including notification about access expansion (adding another person to the access list). I am not sure this is a strong requirement, let me know if this is surely unfeasible. And of course, I would need to know that my details (specifically, my name) are not disclosed to anyone outside of the limited number of people via a clause in the contributor agreement (I did not check whether this already exists).
I don't really understand the SG's reply or how we are meant to enforce that. What tells a pseudonym apart from a GitHub username? How would https://github.com/whatwg/participate.whatwg.org#process-for-editors be modified to account for this?
I think it's pretty easy for editors to use human judgment to tell when something is a pseudonym. If all else fails, you can ask the contributor directly whether they signed this legal contract using the same name they use to sign other legal contracts. I suspect most would not lie. If the editor's judgment still disagrees after asking for confirmation, they can escalate to the SG. I am sure legal procedures exist for when someone attempts to sign a paper contract as "InternetPerson1234" and you want to call their bluff. I think it's important for editors to do our best to safeguard the legal foundation of our IPR commitments.
There's another instance that's blocked on a resolution here.
I'd like to make a concrete proposal for the SG's consideration:
It's not clear whether this will satisfy all contributors. For example some might not be comfortable with anyone having access to their legal name. And, #93 (comment) contains a number of additional asks which this does not attempt to address (and I don't propose building infrastructure for). But, it seems like a reasonable middle ground that may gain us a few contributors we might not otherwise have.
What would still be visible if someone hides their legal name?
No legal names would be visible in the WHATWG/participant-data repository at all, only GitHub usernames.
So the SG discussed this yesterday -- while I think @othermaciej may also post a summary, I wanted to give my take here: While I've seen open source projects follow procedures like the one above, I think my concern with it is basically the following: One of the benefits of our IPR policy is that those who implement and use the specifications know that patent commitments have been made by contributors to those specifications. Knowing who made those commitments is part of the value -- if somebody using or implementing the spec is sued for patent infringement, they'd like to know if the party suing them has made patent licensing commitments for the spec. And, at least in the case where the suing party did make commitments, we'd probably like to tell the party being sued. (At least, I would.) So if we did this, we'd probably need to say under what conditions we would break the confidentiality in order to benefit the value of the patent policy. Would it be only if compelled to do so by a legal proceeding (where "compelled" might vary between countries), or would there be other conditions? I think we'd probably need legal advice on framing such a policy. Then there's also the tradeoff that different pseudonymous contributors might have different standards for what policy on breaking confidentiality would be acceptable to them -- and we'd need to trade those different preferences against their effects on the effectiveness of the patent policy.
Here is a thought. In case someone would not sign the agreement due to privacy issues, would it be fine if they just wrote that they waive all rights to their contribution in the pull request and someone who already signed it would just take over?
As an editor, I at least, would need legal counsel before accepting such a declaration of rights waivers from a pseudonymous individual. It's not clear to me whether waiving rights is a well-defined concept, or if it is, whether it can be done with a GitHub comment (as opposed to, say, signing an agreement using a legal name).
Jumping in here as a bystander... it's an interesting puzzle. Let's walk the scenarios. There's a commit from someone who signed the agreement using an alias, say Nemo. Someone, let's call them Cool, enthusiastically implements, and later gets sued by either (a) a person, A.N. Other, or (b) an entity, Example Corp. How does Cool determine either that A.N. Other and Nemo are in fact the same person, and they granted a license, or that Nemo was a person who worked for, or was, Example Corp. at the time and also gave a license, or that no license could be required? If Nemo worked for Example Corp. at the time of the contribution, and is under an agreement that all IPR they develop in their field of employment belongs to their employer, how do we know that they can waive rights?
This would complicate the implementation a decent amount. Not impossible, but it changes this from a trivial change to one involving two interacting fields that need to be synchronized. And I don't really agree with that being norm. Even within the WHATWG names are not generally visible by default. You have to go digging through the participant-data repository to find them, and that only works for individuals, not for those associated with an entity.
I think in this kind of rare case it's OK to require it be official editors only. (Official editors of any standard, that is.)
In the proposed model here, this remains the editors' job. Whether the contributor is pseudonymous or not, the editors are responsible for ensuring that they signed the correct agreement, individual vs. entity. (This is already the case.)
@phistuck wrote above:
Sorry, missed this comment earlier, but I'd like to answer now: I think that's not sufficient, because of the following: Suppose user anon123 contributes a pull request making substantive changes to a specification, and says they waive all rights to a pull request. Somebody else commits it. It's then implemented by Acme, Inc. A few years later, Acme, Inc. is sued for patent infringement by Jane Smith, who owns a patent covering the material that was added to the specification in the PR originally written by anon123. Even if the waiver of rights written by user anon123 is written so that it covers patents appropriately, how would Acme, Inc. show that Jane Smith is anon123? (Remember that patent infringement doesn't care about the path that ideas took; it's still infringement even if you invent something independently.) The problem here is that one of the key goals of the patent policy is to have rules that prevent people from trying to insert things that infringe their patents into standards, in order to later get royalties from those implementing the standard. The patent policy doesn't realistically protect against all unknown patent claims that might theoretically exist out in the world; what it is really made to protect against (and what I think the W3C's policy has been effective at over the past 17 years) is manipulation of the standards process to cause use of specifications to infringe known patents. The above problem is, I think, a vector that would allow manipulation of the standards process in order to insert known-patented material into a specification, and is thus something that I think we should be trying to prevent.
We should find out from W3C what exactly their process is for this case. We know that they allow pseudonymous contributors, and that a trusted person or small set of people knows their legal name. However, we don't know under what circumstances (if any) they would reveal that name.
Speaking informally and personally, if I happened to be the one who knew the legal name of any pseudonymous contributor, there are no circumstances at all under which I would reveal to anyone else any private details that pseudonymous contributor has trusted me to keep confidential — not their legal name, nor any other non-public details I might know about them.
This is interesting and raises further questions:
The point isn’t knowing the person’s legal name. There’s no point just in any of us knowing any each other’s legal names. That piece of information has zero in and of itself. And that point in me providing confirmation to others that a particular pseudonymous contributor is clear to participate isn’t that I just know their name — instead it’s that I’m confirming that I’ve communicated with them sufficiently to learn enough about their identity that I can confidently assert to others there’s nothing about their identity that would suggest in any way that they’re trying to conceal patent claims or otherwise trying to pull off some other kind of fraud by keeping details of their identity private.
The point of not revealing it is that it’s a trust relationship — in a number of ways. When we work with each other we need to trust each other about a lot of different things. If you assert to me that you’ve done due diligence to confirm that there are no details about someone's identity to suggest that they’re trying to conceal patent claims or otherwise trying to commit fraud, then I trust that. And if someone shares their confidential details with you under the understanding that by doing so, they’ll be allowed to contribute and that you won’t share those details with anyone else, then they’re putting their trust in you to protect their privacy — and that otherwise, if there were some circumstances under which you anticipate you would share their confidential information with someone else despite them having trusted you not to, then they would not be agreeing to contribute under those conditions to begin with.
I think the defense is the same as it would be for a contributor with a publicly-known legal name who is found to have abused the patent policy. No matter what the known details are about a contributor who has been found to have abused the patent policy, I don’t actually know what the actions are that would need to be taken. If I understood what those actions are, I guess I could then consider how they might be different in the case where the contributor’s legal name wasn’t publicly known.
OK, that makes sense, but would require the knower of names to do some up front research before approving pseudonymous contribution.
I'm not a lawyer so not really an expert on this. But here's an example of something lawyers could do: if a change is contributed by a person with a known legal identity, then they could try to discover whether that person had any present or past affiliation with the party bringing the suit. If so, and the party knowingly used the individual to work around the patent policy, they could argue that they are entitled to licensing under the relevant IPR policy. After thinking about it, it seems like having a trusted party know the person's legal name, but not reveal it unless legally compelled, makes the cases close to equivalent, though with additional inconvenient process.
The Steering Group (@annevk, @travisleithead and I) discussed this today. Our current thinking is that we can tweak https://whatwg.org/invitation-policy to also cover this case. As part of evaluating a request for Workstream Participant Invitation status, some member of the Steering Group would talk to the requesting person to confirm everything is in order. Like other invitations it would usually be valid for 36 months. Does that sound like an acceptable path forward to folks?
Fine by me, as long as my name is not revealed to the public, sure.
The legal mechanics of someone signing the agreement under a pseudonym seem like the potential biggest hurdle there, but I guess you'd consult with the lawyers at each company to get their signoff on such a plan.
Right, we should have some guidance for what to enter as Name, City + Country, and Signature in a case like this, or possibly change the form to allow them to be omitted. And yes, in the process of considering a request, steering group members might ask for legal advice, but I think we'll treat that as an implementation detail that's invisible in our policy.
That sounds to me like a great resolution for this — assuming care is taken to not record any needs-to-be-kept-private info about contributors in any place in github where it seems like there’s a risk it could end up getting leaked accidentally, or getting exposed through a breach or something. I think in general if a project stores private information about individuals anywhere at all online, that information needs to be considered more sensitive than even say, shared passwords or other credentials that the project needs to keep secret — because the thing is, if there’s a breach and the passwords/credentials get exposed, then you can at least change/replace the passwords/credentials after the fact, to prevent any further damage. But if a person’s private information gets exposed, there is no way to fix or mitigate the damage from that after the fact.
@annevk Re whatwg/html#7382 (comment): What was necessary for you to approve PhistucK 2 years ago? whatwg/participant-data@9056efb
That was an error.
If and when it comes to merging the PR we will find a solution. I see there was a discussion about identification to the SG?
As I wrote elsewhere:
I'm sad to report that while the Steering Group (SG) managed to make meaningful progress on this issue, it's unfortunately ended up as not solvable. There's an inherent complexity in allowing pseudonymous contributors when intellectual property rights are involved as that means there has to be some way to find out who the contributor is, even for seemingly trivial tasks such as patent review. Ensuring there's a fair process for accessing that information for all contributors while also guaranteeing pseudonymity is not a problem the SG feels equipped to tackle and as far as the SG knows other standards organizations haven't either. It continues to be possible to contribute pseudonymously if you are part of an organization that signed the agreement.
whatwg/html#4530 has @phistuck attempting to contribute a small fix, but I am unsure whether signing a legal agreement using a pseudonym is something the SG would agree to. He points out that other CLAs have accepted that in the past, although I don't know if they consulted their lawyers in each case.
SG help on this would be appreciated.