Closed Bug 1065570 Opened 10 years ago Closed 9 years ago

All Mozillians who have signed an NDA should be a member of the 'nda' Mozillians group

Categories

(Participation Infrastructure :: API Requests, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: lyre.calliope, Assigned: kinger)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20140902214533
Steps to reproduce: As a Mozilla Rep who has signed an NDA, I should have access to certain protected resources such as the MoCo meetings on Air Mozilla. Signing into Air Mozilla with my Mozillians connected Persona didn't get me access to MoCo meeting until I discovered and joined the 'nda' group on Mozillians: https://mozillians.org/en-US/group/nda/
Actual results: I signed an NDA, but had no way of knowing I had to join a group on Mozillians in order to get access permissions to protected resources. Currently, there are 157 members of this group, far less than the number of Mozillians that have signed NDAs.
Expected results: When a vouched community member signs the appropriate NDA, they should either be invited to join this group, or even better, should be automatically added to this group once legal has verified. Further, there is a backlog of Mozillians who have signed NDAs that need to be added to this group before the Mozillians site can be a truly viable tool for managing access to protected resources.
I'm not sure this bug is in the right place... Legal, perhaps? Gerv
I had assumed that since the relevant parties had signed an NDA, legal's part was done; this looks like it's on the seam between security and policy.
I think we need a list from Legal of all NDAed Mozillians, and a process set up whereby new people get added. Not sure if that's automated or manual, but we need some channel for information about new signings to flow to a mozillians.org NDA group admin. Gerv
Agreed. It does seem to be on the seam, and legal's part isn't completely done if a new ongoing process must be put in place that requires their participation. Who should we pull into this bug to discuss specific steps that can be taken towards figuring this out? I'm thinking someone from legal and/or HR, WilliamR, and the group curator Payam Keshtbod? 'Legal' was also my first filing instinct but I couldn't find it and then Mike suggested here. Feel free to move it if there's a more appropriate location.
Liz: who in Legal deals with the process of Mozillians signing NDAs? Gerv
Flags: needinfo?(liz)
I'm not sure. I'll bring this up in our team meeting Monday and then post a substantive response.
Flags: needinfo?(liz)
It appears that Legal hasn't been involved very much, so Jishnu is going to check into it.
Assignee: nobody → gerv
I'm fairly sure this isn't security-sensitive. It's not about people getting access when they shouldn't, it's about exactly the opposite. Gerv
Group: websites-security
Flags: needinfo?(jmenon)
Assigning to Jishnu as the action here is with him. Gerv
Assignee: gerv → jmenon
Does anyone know the current process for Mozillians to sign NDAs? As far as I can tell, these don't go through Legal. What NDA form are people signing? Who decides who needs access to confidential info and thus should sign an NDA? Once signed, what happens to the NDA?
CCing David and Brian for comment 10. Gerv
(In reply to Liz Compton [:liz] (please use need info) from comment #10)
> Does anyone know the current process for Mozillians to sign NDAs? As far as
> I can tell, these don't go through Legal. What NDA form are people signing?
> Who decides who needs access to confidential info and thus should sign an
> NDA? Once signed, what happens to the NDA?
Here's what I know about the current NDA status. Some of this may be out of date.
* There is a generic NDA document that volunteers can sign. This is not used often and has been used in an ad hoc way in the past. For example, Jess from Engagement was investigating having some volunteers who were helping her sign an NDA (I don't think she ended up doing that though).
* Most volunteers who have signed an NDA have done it as part of another agreement. The Reps agreement, for example, has an NDA as part of it. I'm not sure if there are other agreements like this.
* For who decides, anyone working with a volunteer could, in theory, decide.
* For what happens after they are signed, I don't know. We should have a way to track all agreements volunteers have signed, not just the NDAs people have signed.
Thanks David, that's very helpful and makes sense that most volunteers are signing another agreement that contains confidentiality language. If the same Mozilla Reps Agreement is being used as was when I was involved, it includes an NDA as David said. According to this page: https://wiki.mozilla.org/ReMo/Application_Process Reps are supposed to email back the signed agreement. William - what happens to the Agreement once it's emailed back? If you've given them to me and I've just spaced out on that, don't feel uncomfortable saying that. Also, do you have any process for adding reps to the Mozillians.org NDA group?
Flags: needinfo?(williamr)
(In reply to Liz Compton [:liz] (please use need info) from comment #13)
> William - what happens to the Agreement once it's emailed back? If you've
> given them to me and I've just spaced out on that, don't feel uncomfortable
> saying that. Also, do you have any process for adding reps to the
> Mozillians.org NDA group?
Signed Reps agreements are stored by Rosana and Brian, managers of the Reps Program, in a limited-access Google Drive. We also allow our Firefox OS Launch Team members to join the NDA, since they have signed an NDA. This is managed by Jessica. I don't know how she stores those agreements.
For adding a contributor to the Mozillians.org NDA group, that contributor must visit the group page on Mozillians.org and click the 'Request to Join' button. Payam, the group curator, then verifies the person has signed the Reps agreement or NDA, and if so, he adds them to the group.
Flags: needinfo?(williamr)
Thanks so much William. I'm reassigning this to you since there's a process in place and the ask isn't a legal one. I'm also removing Jishnu and me as I don't think we're needed on this any longer.
Assignee: jmenon → williamr
Flags: needinfo?(jmenon)
Related to Boswell's comment that there should be a way to track all agreements volunteers have signed, I think we should have a single process for tracking and verifying everyone who has signed NDAs beyond just Reps. Today there are 173 members of this group. With just Reps alone, this number should be at least 470.
As for the existing process for joining the group, I worry that it's too steep an ask.. if that ask is even being made. If we're using the NDA group to grant permissions to protected resources, and we're not making absolutely sure that everyone who has signed an NDA is able to get access to these protected resources, then we are effectively failing to administer trust to the community. Signing an NDA becomes more a symbolic gesture of trust rather than the actual gesture when the legal and technical administration aren't tied together.
A few questions I have:
1) Can we change the process by which Mozillians are added to the NDA group so that when someone signs and returns an NDA, a process to add them to the NDA group without additional action on their part is set in motion?
2) Can we figure out how to extend this process to be inclusive of people who sign NDAs across Mozilla?
3) Is there a way we can get a verified list of all Mozillians who are actively under NDA so we can bulk add anyone who is missing?
Lyre, I'd love to solve all these issues you raised. I think we need to set up a task force to tackle this. Right now the opt-in process means this isn't as inclusive as it should be. Part of updating the process should be having clear communications of what the responsibilities are for those who are under NDA. I don't believe this is documented anywhere currently.
Brian, who do you think should be involved in such a task force? What do you recommend as a next step?
(In reply to Captain Calliope from comment #18)
> Brian, who do you think should be involved in such a task force? What do you
> recommend as a next step?
How about you and me to start? We can pull in more people if/as needed.
Assignee: williamr → bking
Status: UNCONFIRMED → NEW
Ever confirmed: true
Vidyo'd with Brian today to discuss starting points. We're starting with documenting existing processes in detail on the wiki and then evaluating them for quick wins and long-term needs/opportunities. Discussion notes here: https://cbt.etherpad.mozilla.org/community-nda-processes
Hi, you should speak to Marcia about this, as Marcia also deals with the NDAs.
(In reply to David Weir (satdav) from comment #21)
> Hi you should speak to Marcia about this
>
> As Marcia also deals with the ndas
I deal with Commit Access forms, not specially NDAs.
Lucy, is this relevant to what you are doing with NDA, can we close this?
Flags: needinfo?(lharris)
I think this is covered by the upcoming changes. Please reach out to me directly if there are any more questions about this!
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(lharris)
Resolution: --- → FIXED