
Confidentiality Levels and Redactions

Open joshco opened this issue 2 years ago • 8 comments

Add inline definition of "reasonable efforts" as "including, but not limited to, Confidentiality Levels and Redaction"



joshco avatar Mar 25 '23 13:03 joshco

Adjusted grammar thing/action. (This PR doesn't seem urgent enough to complicate AB review. )

The origin of this was on the last CG call, discussing the edge case of a message or other status update that was set to confidentiality level Public or Member, but a contained piece of information needed to remain confidential. Personal or company identifying information could be redacted within the status update which was set to Public or Member.

The word redact wasn't present in the document, and there wasn't really a binding between "must use efforts" and what those "efforts" are. A newcomer might not implicitly make the assumption.

I'm keying off statements I've heard about the doc being long, or difficult to consume. (Verbosity: The curse of being a standards wonk) While I'm new to W3C's process, I was the founding chair of DMTF's Process Committee 2006-20121. We were documenting unwritten rules and adding new processes as the org evolved. So feel free to let me know how to help best.

joshco avatar Apr 15 '23 03:04 joshco

@joshco — Nit in your https://github.com/w3c/w3process/pull/722#issuecomment-1509486443. 2012[1](https://www.dmtf.org/about/officers/history) would be better 2012 [[1](https://www.dmtf.org/about/officers/history)] which renders as you will see below, instead of being easily read as a confusing probable typo, 20121.

2012 [1]

TallTed avatar Apr 18 '23 16:04 TallTed

How about we come to consensus on the next call?

joshco avatar Jun 24 '23 23:06 joshco

@joshco , I'd like to confirm I understand what you're trying to achieve here. I believe your goal is to state that "use reasonable efforts to maintain the proper level of confidentiality" involves (at least):

  • respecting confidentiality levels classification
  • if having to expose a document/information to a broader confidentiality level, redacting the parts that wouldn't be appropriate to share

Is that the core of it, or are you trying for something else?

frivoal avatar Jan 25 '24 02:01 frivoal

I think this sort of change warrants an issue before opening the PR, so that we can come to consensus around the problem and the shape of the solution.

I share the concerns around the wording change, specifically that it is unclear what "applying Confidentiality Levels" means beyond what is already obvious from the text.

My general expectations around this kind of thing are:

  • for public information there should be no requirement for authentication
  • for Member-only or Team-only information the user attempting to access the information needs to be authenticated and their credentials checked to determine if they have the required access level.

Redaction is a technique that can be used to create a new document (or other version of the source information) that can have a less restrictive confidentiality level. A whole other set of questions arises if it is being introduced here, like "what is the process for determining that the redaction is adequate to allow the remainder of the information to be made available at a less restrictive confidentiality level?" and "who needs to be involved in that process?"

For example, I don't believe that, as a Member, I automatically have the right to decide which parts of some Member-only resource (that may be nothing to do with me) need to be redacted to make that resource public. It's not even clear that any redaction might lead to such an outcome, since the existence of the resource might itself be Member-confidential.

nigelmegitt avatar Mar 07 '24 15:03 nigelmegitt

@frivoal You are correct in your assumption of my goal.

@nigelmegitt the issues you raise are good questions.

I'm new to the document, so for me, it wasn't clear what the section means in practice. Eg, what is someone supposed to do?

joshco avatar Mar 07 '24 19:03 joshco

The Revising W3C Process CG just discussed Confidentiality Levels and Redactions.

The full IRC log of that discussion:

<fantasai> Subtopic: Confidentiality Levels and Redactions
<fantasai> -> Confidentiality Levels and Redactions
<fantasai> github: Confidentiality Levels and Redactions
<fantasai> s/-> Confidentiality Levels and Redactions//
<fantasai> s/github: Confidentiality Levels and Redactions//
<fantasai> github: https://github.com/w3c/w3process/pull/722
<fantasai> florian: I don't think the wording in the PR is quite right
<fantasai> ... but I also can't figure out what Josh is *trying* to solve
<fantasai> -> https://github.com/w3c/w3process/pull/722#issuecomment-1983778164
<fantasai> joshco: Nigel asked the questions that came up to me
<fantasai> ... unclear to me what is expected to happen
<fantasai> ... are people actually doing this, is it actually happening?
<fantasai> plh: Nigel was asking, what is the issue associated with the PR
<fantasai> ... were you trying to address an actual issue?
<fantasai> joshco: It was while I was reviewing the text, I didn't understand what it was expecting
<fantasai> florian: [quotes text]
<fantasai> ... you expanded in order to explain it
<fantasai> ... but it's wrong, not supposed to use redaction for confidential information to make it public, supposed to not make it public
<fantasai> ... Team has procedures for changing confidentiality levels
<fantasai> ... The sentence is more general, it's making reasonable effort to maintain confidentiality
<fantasai> ... How is context-dependent
<fantasai> ... so I think your clarifications aren't correct. Whether we need other clarifications, I don't know
<fantasai> joshco: The audience of this is not the people who are deciding the confidentiality level
<fantasai> ... this is about readers of the document should respect the confidentiality level of the document
<fantasai> florian: That would be a clarification to the first point
<fantasai> ... respecting appropriate level of confidentiality
<fantasai> ... second point is about applying proper care
<fantasai> ... is that reasonable?
<fantasai> joshco: Yeah
<fantasai> florian: OK I'll try to come up with a PR

css-meeting-bot avatar Mar 13 '24 14:03 css-meeting-bot

Action on me to create an alternative pull request, based on the understanding gained from the discussion as captured in the minutes above.

frivoal avatar Mar 13 '24 14:03 frivoal

Rejected in favor of #835

frivoal avatar Apr 18 '24 12:04 frivoal