Opened 8 months ago

Last modified 5 months ago

#32558 new task

clarify what happens to email when we retire a user

Reported by: anarcat Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: gk Actual Points:
Parent ID: #32519 Points:
Reviewer: Sponsor:

Description

As part of improving the offboarding process (#32519), we should especially look at how email works.

Right now, when we retire a user, their account is first "locked" which means their access to various services is disabled. But their email still works for 186 days (~6 months). After that date, in theory, their email aliases start completely dropping email (needs to be onfirmed).

It's unclear if that's the right policy to follow. Some people feel that an email alias should stay around forever, as it is an inalienable human right.

Others feel that certain administrative roles should be forwarded when a person leave. If, say, "Alice" (fictive name) was doing fundraising but was using alice@torproject.org for that work. When they leave, should we forward alice@ to fundraising@torproject.org?

But then what if Alice was using their work email for private correspondance either? Maybe the fundraising team shouldn't be able to see *those* communications.

One proposal could be that the default policy is this:

  1. email @torproject.org is "function" email and is destined only for torproject.org related work
  2. when a person leave their position, that email gets deactivated after a 6 months delay
  3. in extreme cases, some forward may be *temporarily* enabled to reset accesses or re-establish contacts with a provider or third-party

It is also possible that there could be *two* policies, one for TPI employees and one for other TPO people.

Child Tickets

Change History (5)

comment:1 Changed 7 months ago by arma

First and foremost, I think we need to communicate a policy to people when they get their @tpo email forward. That is, they should know the expected way that we will handle their email address when they move on from Tor.

Part of the problem we have now is that we haven't been clear to people in the past, so I imagine people have a variety of expectations. We're going to keep surprising people until we have a policy and we've communicated it.

One of the culture clashes here is between a free software community project, where email addresses are tied to a person who is contributing, and a company, where email addresses are 'owned' by the company and of course you shouldn't expect any email privacy or even to control who gets your email now and in the future. And some people are on both sides of the line: for example, I became arma@tpo back when it was a free software community project, and now I'm an employee and officer.

One reason this matters is because people will quite reasonably use their email addresses in different ways depending on the expected persistence. If I knew that we planned to possibly redirect my tpo mail to somebody else, or if I knew that our policy is that my tpo email address will be unreliable at getting email to me in the future, I would switch to using a domain that I know I'll continue to control.

Ok, with all this in mind, let me try to talk through some concrete options.

Option one, we decide our policy is that soon after you stop being an employee or stop being a core contributor, by default your email address goes away. I think this would be a poor choice. It would mean that folks who take a break from working on Tor will see a disruption in their contact address -- the email address they used, and likely also the one they used in their git commits -- and they will feel less wanted when considering whether to return. If this is our policy, I would get new business cards with some other domain, and probably change my git commit addresses. People would ask why my Tor card has a freehaven.net email address, and it would be embarrassing, both to me and to Tor, when I explain why.

Option two, when we are adding a new email forward, we decide whether it's in the "company" or "hacker" category, and we make it clear to the person getting it. If it's in the company category, then they know that it will go away after they leave, possibly get redirected, and all the things that company people expect to happen to their email addresses. If it's the hacker category, we'll plan by default to leave it in place unless special circumstances make us need to do something else. I think this approach would be a fine choice. There are some details still to be worked out, like how to handle the existing addresses (I think we could go through and categorize them), and how to recognize when a person has shifted category, but I think they're solvable.

Option three is like option two except the division is "are they a core contributor or not". That is, in this policy, if you have been voted in as a core contributor, you are like the "hacker" category above. Whereas if you have an email address but you didn't get it by being voted in as a core contributor, then you're like the "company" category above. I'd be fine with this approach too. In many ways it's cleaner than option two.

I also don't have any need to force a permanent email address on people who didn't expect it. I'd be fine with an approach for the hacker side where, when they become less active, we ask them if they plan to make use of the address in the future, and then they can say yes or no.

And there will definitely be exceptions where we choose to disassociate ourselves from a person, e.g. after we fire them or after the community council kicks them out of the community. I am talking here about our default policy, and exceptional circumstances can and should produce rare exceptions.

Yet another complexity comes from the conflict in how to handle company vs hacker for folks who fit into both categories. But if, when people switch from the hacker category to the company category, they give up the expectation of having a reliable email address for the future, we should make that clear to them as a tradeoff they are choosing.

comment:2 in reply to:  1 Changed 7 months ago by gk

Cc: gk added

Replying to arma:

[snip]

Option one, we decide our policy is that soon after you stop being an employee or stop being a core contributor, by default your email address goes away. I think this would be a poor choice. It would mean that folks who take a break from working on Tor will see a disruption in their contact address -- the email address they used, and likely also the one they used in their git commits -- and they will feel less wanted when considering whether to return.

Yes, We really should avoid that scenario if possible. From a project's perspective it's important to realize that contributors that come to us and want to work with us up to the point that they get a tpo address are a very scarce resource (if you don't believe me just look at, say, the last couple of years and count how many new people we got during that time). Thus, I would not want to alienate any of them with that option.

Option two, when we are adding a new email forward, we decide whether it's in the "company" or "hacker" category, and we make it clear to the person getting it. If it's in the company category, then they know that it will go away after they leave, possibly get redirected, and all the things that company people expect to happen to their email addresses. If it's the hacker category, we'll plan by default to leave it in place unless special circumstances make us need to do something else. I think this approach would be a fine choice. There are some details still to be worked out, like how to handle the existing addresses (I think we could go through and categorize them), and how to recognize when a person has shifted category, but I think they're solvable.

Option three is like option two except the division is "are they a core contributor or not". That is, in this policy, if you have been voted in as a core contributor, you are like the "hacker" category above. Whereas if you have an email address but you didn't get it by being voted in as a core contributor, then you're like the "company" category above. I'd be fine with this approach too. In many ways it's cleaner than option two.

I think option three is a good idea to explore, in particular as it incorporates the core contributor idea, which we worked hard to establish, as the central category for our community part.

comment:3 Changed 7 months ago by anarcat

wow that's a lot of text. :) if i may, here's a summary of the three options arma proposed:

  1. deactivation delay. when a person leaves (either stops contributing to TPO or is not part of TPI), email stops working after a delay
  1. two systems, with grand-father clause. like the two systems case below, but with a "grand-father" clause that give a "TPO" (or "hacker") access (ie. it doesn't get closed) to the email if they were already core before joining TPI
  1. two systems: hacker and corporate. the hacker group is: if you are part of "core", your email keeps working when you leave, and never gets redirected. the corporate group includes people who did *not* get the email by being admitted in the "core" group, those emails are disabled or redirected when they leave.

I hope that's a good summary, please correct any misconceptions I might have carried.


That said, I'm not sure I see the distinction between option 2 and 3 above, nor what that distinction would bring in the first place. Maybe it tries to fix the "some details still to be worked out" problem, but I find those two confusing.

Furthermore, I think it misses a key idea that should be formally proposed:

  1. email is private, forwards for function. ie. with exceptions, emails keep working when we grant people access to @torproject.org. this includes "corporate" people that were not admitted to "core". emails are not forwarded ever, except in rare cases where accounts legitimitaly belonging to TPI/TPO should be reset and are associated with a personal email address. all "function-level" communications should happen through official channels ("fundraisigin@", "accounting@", "torproject-admin@", etc)

I understand there are strong feelings, especially in TPI, that we *need* to be able to forward people's emails when they leave. I would argue that is a sign of a problem in our communications more than a policy that we should adopt formally.

If people contact anarcat@ instead of torproject-admin@, that's a problem which we need to fix, for example. If only because it's possible that I eventually leave the organisation, or more likely go on a long vacation, during which time it's absolutely irrelevant to write me directly for help about TPA. I constantly remind people of this, and it generally works. If we do *not* institute that policy correctly, we will have a lot of trouble keeping track of those roles in the first place - using forwards is not really going to help us anyways.


Besides, it seems to me we are trying two different and somewhat unrelated problems:

  • A. what happens when someone leaves: do they keep their forward?
  • B. can we read other people's mail: specifically, when A happens, do we, can we, should we forward their emails to some one else?

The four proposals on the table can be formatted in this matrix, from what I understand:

Proposal A. Expiry B. Forward Notes
1. deactivation delay yes maybe? policy on forwards not clarified
2. two systems with grand-father if TPI if TPI depends on how the user got the account originally
3. two systems if TPI if TPI emails can expire and redirect if not core
4. private no no emails don't expire at all and do not forward, with exceptions

I will end by mentioning that proposal 1 is the current status quo. The retire-a-user procedure I have now *does* deactivate users accounts and emails after a delay, and has been applied to people already. I have only *recently* made a note in that procude that people *might* need to keep their email, but that's definitely unclear.

So we definitely need more clarity on this procedure, otherwise mistakes like the one I did last week will keep on happening.

comment:4 in reply to:  3 Changed 5 months ago by teor

Replying to anarcat:

Furthermore, I think it misses a key idea that should be formally proposed:

  1. email is private, forwards for function. ie. with exceptions, emails keep working when we grant people access to @torproject.org. this includes "corporate" people that were not admitted to "core". emails are not forwarded ever, except in rare cases where accounts legitimitaly belonging to TPI/TPO should be reset and are associated with a personal email address. all "function-level" communications should happen through official channels ("fundraisigin@", "accounting@", "torproject-admin@", etc)

I understand there are strong feelings, especially in TPI, that we *need* to be able to forward people's emails when they leave. I would argue that is a sign of a problem in our communications more than a policy that we should adopt formally.

If people contact anarcat@ instead of torproject-admin@, that's a problem which we need to fix, for example. If only because it's possible that I eventually leave the organisation, or more likely go on a long vacation, during which time it's absolutely irrelevant to write me directly for help about TPA. I constantly remind people of this, and it generally works. If we do *not* institute that policy correctly, we will have a lot of trouble keeping track of those roles in the first place - using forwards is not really going to help us anyways.

Sending email to a person also makes it very difficult for us to distribute workload. Some people have a huge email workload. And they could do with some help handling it.

Using role-based addresses is one solution to this issue. Multiple people can get access to a role-based account. And people can redirect all their role-based mail when they are busy with other tasks, or when they go on leave.

Besides, it seems to me we are trying two different and somewhat unrelated problems:

  • A. what happens when someone leaves: do they keep their forward?
  • B. can we read other people's mail: specifically, when A happens, do we, can we, should we forward their emails to some one else?

I also think we should be very careful of the ethical and legal implications of reading other people's mail. We talk a lot about human rights, and the right to privacy. We should recognise and respect the privacy rights of Tor staff and volunteers.

We also work with people in Europe, and other jurisdictions with strong privacy laws. I'm not a lawyer, but we should talk to lawyers before creating policies where we read other people's mail.

comment:5 Changed 5 months ago by anarcat

we should talk to lawyers before creating policies where we read other people's mail.

I strongly agree with this, but I'll also note that this policy already exists and there are individual email forwards from previous staff to role addresses, right now.

Note: See TracTickets for help on using tickets.