Confidential Info
1 Summary
1.1 Principles
1.1.1 Containment by small/constrained team (output/status)
1.1.2 Multiple small teams
1.1.3 Full disclosure
1.1.4 Need-to-work
1.1.5 Define several levels of disclosure (Chatham House rules)
1.1.6 How to protect sensitive info? Attribution -- to a specific organization or shared anonymously Yes No -- what mechanism for sharing? Attempt to obtain/produce info without need for NDAs have the source "sanitize" the information before sharing it Share w/ICANN staff -- or independent 3rd party Sanitizing -- not just identity -- strategic/"real" info Tradeoff -- protecting information vs useful report
1.1.7 Levels of confidentiality What is sensitive Who defines it as sensitive? Ascertain sensitive info from source Chatham House is the lower level of confidentiality Levels Highest "most sensitive" material Confidential or Classified - available only to some WG members, proprietary informations. Mid-level(s) More sensitive - available for internal use to all WG members (with attribution/description) Chatham House "When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed." Lowest Public - can be published on the WG wiki, with attribution Disclosure Internal to Sub-team Internal to DSSA External Yes or no Published or not Need to clearly define/track who is internal to DSSA WG and sub-teams?
1.1.8 NDAs Sign legal document Use section in the DSSA charter, non-disclosure agreement, no additional agreement Sign agreement from the start or for special occasions? -- Mandatory to sign at the beginning.
1.2 Mechanisms for:
1.2.1 Agreeing to public output
1.2.2 Enforcement
1.2.3 Sharing without attribution
1.2.4 Mechanism for classification
1.3 Types of confidential material
1.3.1 Data (for analysis)
1.3.2 Internal processes/trade secrets May require compartmentalization
1.4 Platform (prototype) NEISAS
1.4.1 Share confidential information in a trusted model
1.4.2 Share messages
1.4.3 Share documents
1.4.4 ?Security? CSIRTs use this tool
1.4.5 How much does it cost?
1.4.6 web site -- (maybe) Action item: explore Neisas and report back to the group
1.5 Code of conduct for group?
1.5.1 Charter sufficient?
2 Charter
2.1 Principles
2.1.1 Sub-working groups may need to access sensitive or proprietary information in order for the DSSA to do its work
2.1.2 These procedures are an exception to accountability and transparency standards
2.1.3 No formal NDA required for membership in the DSSA
2.2 Sub-working groups
2.2.1 Only required where members of sub-working groups need to access and protect confidential information If needed: sub-WG members sign formal Affirmation of Confidentiality and Non-Disclosure agreement If needed: project or issue-specific Non-Disclosure Agreement If needed: separate private sub-working group email lists