Update the moderation policy to OpenJS escalation path, have TSC handle TSC reports #990
Signed-off-by: Matteo Collina <[email protected]>
cc @nodejs/tsc
One small suggestion. Otherwise LGTM
Co-authored-by: James M Snell <[email protected]>
Co-authored-by: Benjamin Gruenbaum <[email protected]>
Signed-off-by: Matteo Collina <[email protected]>
Adjusted to follow @tobie's clarification in #990 (comment).
Any code of conduct report, and any decision made by the moderation team, can | ||
be escalated to the [OpenJS Code of Conduct Team](https://github.com/openjs-foundation/cross-project-council/blob/main/conduct/COC_POLICY.md#escalation). | ||
|
||
Upon request, any information regarding an escalated report requested by the OpenJS Code of Conduct team will be supplied to them by the moderation team |
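Review bot: The sentence on escalated reports states its condition twice ("Upon request" and then "requested by the OpenJS Code of Conduct team"), writes "team" in lowercase where the preceding sentence links "OpenJS Code of Conduct Team", and ends without a period. Suggested wording: "The moderation team will supply any information regarding an escalated report that the OpenJS Code of Conduct Team requests."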
I still think we need to have some sort of on-record/off-record process to make sure that the information being shared is clearly on-record, and avoid accidentally leaking the information shared to the moderation team member that is not meant to be on-record and shared to another party without prior consent.
For a purely hypothetical example, if I filed a CoC complaint because of discriminatory conduct against my nationality, and during the handling I shared to a moderation team member (whose political tendencies were known to me and made me feel comfortable) about my views or plans about my nationality, I would prefer this communication to not be shared to people with unknown political tendencies, as there would not necessarily be evidence that the OpenJS CoC team member being delegated to handle the case has a political tendency that would make me feel comfortable about sharing this information. It would make the whole thing much more comfortable if I was notified beforehand whether the conversation would be shared to somebody else, so that I could go off-record when sharing those views that may be necessary as context to people who I trust, but keep the on-record information less explicit.
I suggest raising this with the CPC. IMHO, this is best handled by folks being explicit about the confidentiality of what they’re sharing with someone and not formalizing this further, but others may have different opinions.
> this is best handled by folks being explicit about the confidentiality of what they’re sharing with someone and not formalizing this further

Note that in nodejs/node#58837, several TSC members stressed that "not objecting to being recorded should not be interpreted as agreeing to be recorded" and raised the legal risks about privacy protection, and nodejs/node#58925 took great care to make sure that recording or summarizing the private meetings within the TSC, or sharing it to anyone outside the meeting must obtain approval. I think this means if any part of the moderation process ended up being touched on in the TSC meeting and the information - even just a summary - from the meeting got automatically shared to a party not present at the meeting without approval, it would be in conflict with the TSC governance documentation, unless we modify the TSC governance to make an exception to skip consent collection for moderation appeals.
You will indeed have to fix whatever prevents you from abiding by the CoC policy. Imho, circulating meeting notes / minutes after a CoC incident-related call should give everyone a chance to avoid being misquoted and address the concerns raised.
IANAL but out of curiosity, I looked it up in GDPR and I think at least in EU this may be a situation where GDPR applies (https://gdpr.eu/article-2-processing-personal-data-by-automated-means-or-by-filling-system/) and in the example I hypothesized, automatically transmitting that part of the communication between the two groups as part of a filing system may have been straight up forbidden: https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/ - like what the TSC governance doc tries to do, requesting consent might be the easiest way to avoid breaching it.
I believe that’s covered by the privacy policy and would fall under legitimate interest from a GDPR perspective. Either way, that’s a foundation counsel issue, not something we should be discussing here. If you have concerns with the foundation’s privacy policy, feel free to raise it with the CPC.
I agree it should be raised to CPC for more oversight - @mcollina can you bring it to the CPC? It seems to me the privacy policy does not automatically exempt the current wording, as it doesn't go into details about "necessity" and "balancing". e.g. from the GDPR guideline https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf:

> Assessing what is “necessary” involves ascertaining whether in practice the legitimate data processing
> interests pursued cannot reasonably be achieved just as effectively by other means less restrictive of the
> fundamental rights and freedoms of data subjects. If there are reasonable, just as effective, but less
> intrusive alternatives, the processing may not be considered to be “necessary”. In this context, the CJEU
> expressly recalled that the condition relating to the need for processing must be examined in conjunction
> with the “data minimisation” principle enshrined in Article 5(1)(c) GDPR, in accordance with which
> personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes
> for which they are processed”.

So while a summary about the hypothetical conversation, with sensitive details redacted, might meet the three part test of GDPR, a complete export of the chat history - even if it's requested - may not. Also in the hypothetical example, the sensitive information (political opinion) is in a special category where the three-part test is not enough to justify sharing and the justification has to come from specific cases https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/ - among which AFAICT only an explicit consent would apply. Given the nature of CoC incidents, a lot of information may fall into the special category and requesting consent might be the most applicable escape hatch most of the time.
Feel free to open an issue yourself, @joyeecheung, and come and explain your concerns to the CPC directly.
tracking issue with the `moderation-review` label. Any such Moderation action | ||
may be overturned through a TSC vote. | ||
Any code of conduct report, and any decision made by the moderation team, can | ||
be escalated to the [OpenJS Code of Conduct Team](https://github.com/openjs-foundation/cross-project-council/blob/main/conduct/COC_POLICY.md#escalation). |
By the way, the CoC policy makes a distinction between escalation and appeal and your policy should address both.
This change updates the escalation path from an 8-year-old process defined in the Node.js Foundation era to what was agreed to when the OpenJS Foundation was established. We should have done it long ago, but we forgot to update this one.
I took the occasion to remove the `moderation-review` label and directly upstream the problem of escalation to the OpenJS CoC Team. Alternatively, we could have an internal appeal process plus the OpenJS appeal process.

I've also changed the verbiage to have the TSC self-moderate.
The current set of documents from OpenJS can be found at https://github.com/openjs-foundation/cross-project-council/blob/main/conduct/COC_POLICY.md#escalation.