Draft policies.
1. Anti-FISA
Whereas, the executive administration of the United States and the United States Congress have been advancing legislation that would grant expansive surveillance powers to law enforcement, and provide broad immunities to facilitators of illegal government surveillance, and,
Whereas, the members of HCoop, Inc., have a strong privacy interest in their data and communications, and a special need for the protection of this privacy against the pressure of illegal, overbroad, and overbearing government surveillance, therefore, be it
Resolved, that the following be enacted as an official policy of HCoop, Inc.:
1. No member, director, officer, system administrator, staff, agent, or contractor of the corporation shall assist any law enforcement, any agency of the government of the United States, or any other third party in conducting surveillance or other investigation of the corporation’s members or of confidential data or transmissions on the corporation’s hardware or networks when doing so is contrary to the laws or regulations of the United States, Pennsylvania, or any other controlling jurisdiction.
2. Any director, officer, system administrator, staff, agent, or contractor of the corporation who becomes aware of illegal surveillance or investigation by any government agency of the type described in the preceding section must, to the extent permitted by law, make full disclosure of such activity to all members of the board of the corporation. If such disclosure is not lawfully permitted, then such person must, if possible, make reasonable lawful disclosure to another government agency, other than the agency or agents conducting the illegal activity, in order to stop the illegality.
3. Such assistance is forbidden and such disclosure is required regardless of any grant of immunity from civil or criminal liability, either for the individual or for the corporation, and regardless of the source of any such immunity.
4. Such assistance is forbidden and such disclosure is required regardless of any putative purpose for such surveillance or investigation, including, but not limited to, investigation or prevention of any crime, economic harm, serious bodily injury or death, or breaches of national security.
5. Provision of such assistance as in section 1 or failure to disclose as required in section 2 is grounds for termination of membership, employment, and contracts, and removal of directors from the board.
6. No member, director, officer, system administrator, staff, agent, or contractor of the corporation shall use HCoop services for criminal purposes.
7. The corporation shall seek to impose terms in all relevant contracts to enforce the provisions of this policy.
8. Nothing in the terms of this policy shall be construed to prevent anyone from lawfully cooperating with a government agency to expedite the lawful carrying out of any government investigation, where otherwise permitted by corporate policies or 18 U.S.C 2702(b) & (c).
2. Privacy
Whereas, the members of HCoop, Inc., have a strong privacy interest in their data and communications, and,
Whereas, some access to such data may be required internally by the corporation to ensure the reliable operation of its services and compliance with its policies, or to comply with the law or assist in lawful government investigations, and,
Whereas, members and staff of the corporation need notice of what privacy expectations will respected and what actions are permissible by staff, therefore, be it
Resolved, that the following be enacted as an official policy of HCoop, Inc.:
1. Members are responsible for setting appropriate permissions to restrict access to their stored data.
2. All network transmissions, regardless of source, destination, or content are confidential. Aggregate statistics of network transmissions are public.
3. Stored information that is ordinarily inaccessible to ordinary users is to be treated as confidential. Aggregate statistics of stored data are public.
4. Stored information that is ordinarily accessible to ordinary users is presumed to be public. This does not include material that is accessible to ordinary users who actively circumvent software or hardware controls due to some bug, vulnerability, or other defect, no matter how trivial the exploit or how obvious the vulnerability.
5. The presumption of the above section may be rebutted when the circumstances indicate that data was intended to be protected and confidentiality may still be maintained. For instance, obviously confidential stored data of one member accessible to other ordinary system users due to incorrect permission settings should be treated as confidential as soon as this is realized. Notice should be given to the owner of the data so that it can be secured. However, the presumption may not be rebutted if the information is published so prominently and accessibly that it is no longer possible to maintain its confidentiality. An example would be information accidentally mailed to a mailing list, published prominently on a website, or otherwise actively made public by the owner’s own error.
6. Unauthorized persons may not access or intercept confidential data of any other member or of the corporation.
7. Unauthorized persons may not probe for or attempt to exploit any security vulnerability in the corporation’s systems. “Probing” here means running code or transmitting data to search for particular vulnerabilities. It does not extend to inferring the presence of vulnerabilities from public sources of system information. Should any unauthorized member suspect or find that a vulnerability may exist, they must not attempt to diagnose, exploit, or fix it, but instead should notify a system administrator, officer, or authorized agent of the corporation.
8. Violation of sections 6 and 7 is grounds for expulsion of the member in question.
9. System administrators and other authorized agents of the corporation may access confidential data to the extent necessary to maintain the system. They may not communicate this data to any other person, except to other authorized persons only to the extent necessary to maintain the system. “Maintaining the system” includes, but is not limited to, making backups, responding to member service requests, dealing with performance problems, and so on. The member who owns the confidential data need not be notified unless two or more people have accessed nontrivial confidential data, in which case the owner must be notified within a reasonable time after the data has been accessed.
10. System administrators and other authorized agents of the corporation may view confidential data to the extent necessary to enforce the corporation’s policies. This includes technical policies such as bandwidth and storage limits, as well as policies such as those forbidding spam. Any non-routine or expansive investigation under this section must be specifically authorized by the board of directors. The member who owns the confidential data must be notified within a reasonable time of the investigation’s conclusion, unless only trivial confidential data has been accessed by a single authorized person in a routine investigation.
11. The board of directors of the corporation may access and disclose confidential data to a government agency in cooperation with a lawful investigation to the extent permissible by law, even when not required, when the investigation either (a) involves direct use of the corporation’s services in furtherance of a central element of an illegal activity, or (b) the investigation relates to an actual serious bodily injury or death, or to the reasonable likelihood of such.
12. The board of directors of the corporation may access and disclose confidential data to a government agency when required by a lawful, valid court order or subpoena authorized by a tribunal in a controlling jurisdiction, or when such access or disclosure is otherwise required by a controlling law.
13. Any person encountering confidential data under any circumstance that indicates that a member is either violating corporate policies or using corporate services in furtherance of any illegal activity may notify the board of directors, which may initiate an investigation and disclosure to law enforcement as otherwise permitted in this policy.
14. Whenever confidential data is accessed or disclosed under sections 11 through 13, notice must be given to the extent lawfully permitted to the member within a reasonable time of the conclusion of the investigation as to the nature and extent of such access and disclosure.
15. The board of directors of the corporation may access and disclose confidential data to the extent necessary in a legal action or dispute with a member, or to facilitate the expulsion or other remedy against that member when such disclosure cannot be avoided, such as by voluntary resignation or restitution.
16. No authorized person may access or disclose confidential data for purposes unrelated to their authorized duties, or to an extent greater than reasonably necessary for the authorized purpose. Violations of this section may be punishable by termination of employment or authorized status, expulsion from the cooperative, or removal from the board of directors, as appropriate.
17. The corporation shall seek to impose terms in all relevant contracts to enforce the provisions of this policy.
18. Nothing in the terms of this policy shall be construed to prevent anyone from disclosing confidential data to a goverment agency to the extent necessary when the board has been notified and has failed to act when required by law.