Draft COI policy #3
Conversation
This is a first draft policy to intergrate a conflict of interest policy into our code of conduct. see this thread for relevant previous discussion: https://forum.privacytools.io/t/preventing-privacytools-conflicts-of-interest-ensuring-privacytools-integrity/2517
|
This is a great start @blackligh447-ptio! It's important to keep all comments public for the record for transparency. I'm not sure if this section means that comments of others can be edited or removed completely ("hidden" is understandable in some cases):
Do you plan to add a section on service/corporate behavior so organizations are aware of appropriate protocol during sensitive times? |
|
Hey there liz! About your first section, its about allowing the team to remove comments and such were people overstepped the bounds of the CoC. For example, if i were to head over to the forum, and start cussing and swearing, then the team has to right to remove those harmfull comments. That way we can keep the ptio community spaces welcoming and family friendly, so to speak. Its really just for moderation in case of obvious abuse. As for the second point, im not quite sure what you mean exactly, could you maybe type out an example of what you envision? |
CODE_OF_CONDUCT.md
Outdated
| @@ -40,6 +40,14 @@ Project maintainers are responsible for clarifying the standards of | |||
| acceptable behavior and are expected to take appropriate and fair | |||
| corrective action in response to any instances of unacceptable behavior. | |||
|
|
|||
| Members of the official team are required to disclose any interests | |||
There was a problem hiding this comment.
I think official is a bit ambiguous here considering how we have four GitHub teams and then some around the internet (Matrix moderators, Reddit moderators, Discourse moderators) while there is overlap.
There was a problem hiding this comment.
Official means anyone with a privacytools email account
CODE_OF_CONDUCT.md
Outdated
| @@ -40,6 +40,14 @@ Project maintainers are responsible for clarifying the standards of | |||
| acceptable behavior and are expected to take appropriate and fair | |||
| corrective action in response to any instances of unacceptable behavior. | |||
|
|
|||
| Members of the official team are required to disclose any interests | |||
There was a problem hiding this comment.
Also where should the interests be disclosed?
There was a problem hiding this comment.
Good catch, ill give this some thought.
There was a problem hiding this comment.
After thinking this through for a bit, i think the following method is the best: the conflict of interest may posted in any of the community spaces, whether it is the forum or riot chat. if wished for, it may either be in a team only space, or a public one.
If it is determined to be a conflict indeed, then it will be made public. if it is determined that it is not a conflict, then it may be kept private(or made public if the member itself wishes to do so). This should give us a good balance between transparency and the privacy of team members: actual conflicts will be reported, and in cases where it does not matter (so if its not a conflict) they may choose to keep it private.
I would love to get feedback on this, as its a quite important decision. @LizMcIntyre @davegson
There was a problem hiding this comment.
If it is determined to be a conflict indeed, then it will be made public. if it is determined that it is not a conflict, then it may be kept private(or made public if the member itself wishes to do so).
It is critical that any believed conflict of interest be posted publicly for the sake of transparency. The recent case where a whistleblower (Mikaela) identified a post as having a COI is the perfect example. Had she not come forward, we might never have known about the COI.
What's more, the person with the COI removed the COI label, and there are some who contended (and may still contend) that a conflict of interest never existed. (There was a COI from the moment Startpage offered to discuss an opportunity with a Team Member. Auditor here.)
I believe we also need a whistleblower policy to protect Team Members when they provide critical information to the public, like the recent COI.
There was a problem hiding this comment.
hey there @LizMcIntyre !
Okay, so after thinking about this more, I agree with your first conclusion.
My idea now is that someone should first disclose his potentional conflict of interest. Then the team should overlook whether something really is a COI. If it is determined that there is NOT a COI, it shall be made public with the note that there was a discussion with all the details , but that the member will keep his voting rights(as there is no COI). I don't really agree that there is a conflict the moment an offer is made, especially if the team member declines the offer. Assuming that would be a COI would make it trivially easy to just send invites to specific members, and cause them to have to forfeit there voting rights, maybe even leaving only the member which they might have bribed.
If there IS a COI however, it shall be made public, and the voting rights will be removed from the member on that topic. After that participation in discussions is allowed (in the form of opinions), but only if the person agrees to disclose his affiliation with every message, so people new to the discussion know whats up.
About a whistleblower policy, I would have to read a bit into that, as its pretty hard to implement something like that were it would be actually meaningfull. ill come back to you about that one in few days. I do think it would be a good idea though, especially as our organization grows and more folks get involved.
What would you think of that?
There was a problem hiding this comment.
P.s. i already created a draft issue for a whistleblowers policy, so further discussion about it should be done on the appropriate issue:#5
There was a problem hiding this comment.
After thinking this through for a bit, i think the following method is the best: the conflict of interest may posted in any of the community spaces, whether it is the forum or riot chat.
I think it has to be something that is not a real time communication platform first. The RTCs are too busy and active at all times and finding information and what has been said before is difficult in them.
The wording in the version of the CoI policy I previously saw seemed to call for a single place where to see all the CoIs, so maybe the team page should be extended or bios could get a new field for affiliations? That may again go to #3 (comment) though or the question what is a significant affiliation?
There was a problem hiding this comment.
Above I was talking about the discustions about whether something is a COI or not, which may be in chat but could also be on the forum. The place where the reports/conclusions end up and are made visable is another question.
|
Asking here also just in case, what is #4 ? |
|
I made some changes in blacklight447@b7664f0 wrapped to 80 chars and reworded. I think it sounds much better. |
Co-Authored-By: Mikaela Suomalainen <[email protected]>
Co-Authored-By: Mikaela Suomalainen <[email protected]>
Co-Authored-By: Mikaela Suomalainen <[email protected]>
| reported by contacting blacklight447 via email on | ||
| [email protected] or [any team member on our forum]. | ||
| reported by contacting blacklight447 via email on [email protected] | ||
| or [any team member on our forum]. |
There was a problem hiding this comment.
| or [any team member on our forum]. | |
| or [any team member]. |
| [email protected] or [any team member on our forum]. | ||
| reported by contacting blacklight447 via email on [email protected] | ||
| or [any team member on our forum]. | ||
|
|
||
| The reports should include information on whether they can be shared to | ||
| other team members and how much may be told. | ||
|
|
||
| [any team member on our forum]:https://forum.privacytools.io/g/team |
There was a problem hiding this comment.
| [any team member on our forum]:https://forum.privacytools.io/g/team | |
| [any team member]:https://www.privacytools.io/about/ |
|
Hi @blacklight447-ptio.
For full transparency sake, ALL potential COI's should be reported for review -- not just ones determined to NOT be COI's. The Team Member's name is not critical, but the circumstances are. I liked your idea to have an unbiased non-Team-Member (or outside group) available to jointly assess potential COI's. Someone like @Supernova seems to have a good sense of audit principles, and it wouldn't surprise me if he or she has an audit background.
If the offer is outright rejected and reported to PTIO, you are correct. Even a "wink wink" or side comment about how a Team Member seems so talented and so perfect for an opening or how the company would love to donate to PTIO...should trigger disclosure. Organizations should be put on notice in formal policies that making any kind of offer during a sensitive period will be outed. This is essential for public trust. In the Startpage situation, the Conflict of Interest started from the moment Startpage/System1 offered a Team Member the possibility of compensation during delisting/relisting discussions. He himself documented in separate posts how he went back and forth with Startpage for well over a month regarding potential work. Til the very end, some Team Members were still questioning whether this was a true COI at any point, which shows that PTIO could benefit from public input. (I'm saying this as a former professional auditor, btw. I'm very familiar with assessing COI.) Any COI's and circumstances/decisions surrounding them should be made public. Again, the Team Member name is not essential, thought the company should be outed. Note: We don't want to get too extreme. If a reasonable auditor would determine the situation or offer to be a COI, then it's likely a COI. If it walks like a duck, quacks like a duck... |
|
Hey there, so i think you misunderstood my comment above. |
|
Reading through the PR there are already great points made! I'd like to summarize and define a few things which I already feel you are up to anyway. The COI policy should cover two stages1. Investigation (or Discussion) period 1.1 Public Reporting Whenever a potential COI comes up, this stage starts. Always call out the external entity.
Whether the team member wants to disclose their identity or not is up to them. It is not necessary. 1.2.1 Impact on the listing process If the project/company is currently in a process of being listed, immediately disclose the COI investigation, also directly on the PR. Also, immediately freeze the listing process until the verdict comes in. Informing the community is key and calls out potential bad behavior by the external entity. And put everything on hold to prevent nasty mess. Like if the report is:
Now anything any team member says will be questioned and nurture mistrust in some community members. 1.2.2 Impact on a de-listing process If the project/company is currently in a process of being de-listed immediately disclose the COI investigation, also directly on the PR. Freeze all votes "in favor of keeping" the project/company until the verdict comes in. This has very similar effects as above. The whole point of 1. is to freeze all possible benefits a company/project might receive from creating a potential COI. 1.3 PTIO Investigation Now the investigation at PTIO starts. It is the time where the situation can be calmly checked by the team. They can take their time, since all potential gains from the external company/project have been ruled out anyway. @ALL: if I missed potential abuse please chime in I also like the idea to include unbiased non-Team-Members or groups to take part in the assessment. 2. Verdict / Conclusion 2.1 Public Announcement As soon as the PTIO team came to a conclusion, they must publicly announce their verdict. 2.1.1 there is no COI ❌ Here, I feel the team member must not be outed.
2.1.1 there is a COI ✅
Here, the team member must be outed since the person will lose voting rights according to the policy. 2.2 Unfreeze processes If all investigations of a COI regarding a company/project got clarified then the unfreezing can happen. By decoupling these two steps it should be made a lot easier to publicly disclose anything and everything. What should be reported?I lean towards @LizMcIntyre
but what is a "potential COI" that should be reported & investigated? As Liz mentions, context matters. I feel there are three types of external entities:
According to that context different measures of reporting are required. Context 1: An entity not affiliated in any way with PTIO I first thought nothing in 1. should be reported, but what if a team member of yours starts working at an ad company? Maybe this is not in the scope of this policy, but rather something that would trigger an evaluation if the team member is fit for PTIO as a whole? Context 2: An entity currently listed on PTIO Number 2. should definitely have some defined rules. Like any company making a job offer should be announced. Or all present above the value of X (50$?) to the team should be announced. And so on. Context 3: An entity currently in the process of (de)listing Number 3. seems easier since, As @LizMcIntyre mentioned, in this context any "wink wink" comment should be announced. It is crucial to be very strict in this context.
Announce it both on the official place as well as on the PR itself. With such a policy, it basically tells any company in the listing process to refrain from any bullshit. Basically, they should shut up except when clarifying things on the PR itself. Which is a good thing fmpov. Still, I feel this section needs more input and work. These are just some thought popping out in dire need of feedback. And it is crucial to define what a "potential COI" is in what context, since this will both give team members and companies a well defined rulebook, which makes it easy to act "correct". Where to publishI agree with @Mikaela that RTC is not a good place. It needs a universal place to both announce COI investigations and their verdicts. Ideally this would be a dedicated site on your homepage, showing all relevant information with the verdict next to the investigation as soon as it's done. Immediately call out companies, but not the members. If that company is currently in the listing/delisting process, make it mandatory to communicate the investigation on the PR. Only reference this in the CoCI really believe this is a crucial policy with so much potential. When defined well it will encourage all involved parties for good behavior. It will discourage companies are from manipulation and foul play. The team will have a well outlined handbook and be encouraged to report every potential COI accordingly. And ultimately this leads to transparency towards the community, showing them what is happening and strengthen community trust. Hence, I believe this deserves its own document. And reference it by stating each team member has the responsibility to act according to the COI_Policy. This will also make it easier to fine-tuning certain aspects of it in the future. Final Notes on Time Limits Also, an aspect I did not touch was whether or not there should be time limits to report any potential COI to the team and to the public. Immediately is hard to follow, so I feel days should be reasonable. Huge braindump here, thanks for reading :) |
This comment has been minimized.
This comment has been minimized.
|
Thank you for all your input @Mikaela - it is invaluable! It makes my view on the difficulties a lot clearer. The bottom line of all your thoughts is that it underlines the importance to structure this correctly. Especially for team members, this should not impact your privacy & professional careers. The important part is that the PTIO team members as well as the external entities listed on PTIO absolutely have to respect the fact that possible COIs might evolve in a context described above (2. or 3.) - hence disclosure is necessary according to the policy. But this leads to the conclusion for you team members: Outside all listed entities on PTIO feel free to do whatever works for you. This should never drastically limit your careers: We should not expect the PTIO team members to disclose every application they are seeking or job they have, shooting themselves in the foot by doing so. And no, the companies you work for do not have to have the same ethical standards as PTIO. It's fine to have a job that is not perfect but pays the bills and not disclosing this. I trust your inner ethics that you would not volunteer to PTIO and at the same time work for Cambridge Analytica - it would be a paradox ;). So no, you do not have to disclose what businesses you apply to except any listed entities on PTIO. And no, you do not have to mention your PTIO membership or link to the COI policy except you apply for (or are approached by) an entity listed on PTIO. I think this needs to be part of the policy too - better over communicate than say too little. |
|
Great input here people, it is very much appriciated! Now, we are rolling out a mediawiki so we can more broadly type out our new policies, insted of pushing them all inside our code of conduct(wiki.privacytools.io) So I think its wise to wait a few days, so I can move everything over to the wiki and then reformulate the COI policy as its own document. EDIT: I went ahead an created a draft version of the COI policy on our wiki. |
|
See: https://wiki.privacytools.io/view/PrivacyTools_Conflict_of_Interest_Policy |
This is a first draft policy to intergrate a conflict of interest policy into our code of conduct.
see this thread for relevant previous discussion: https://forum.privacytools.io/t/preventing-privacytools-conflicts-of-interest-ensuring-privacytools-integrity/2517