| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 116.1 | Of course they are. | STAR::BECK | Paul Beck | Mon May 05 1986 00:19 | 7 |
| I'm not a lawyer, but I'd be amazed if the content of all files
(notes or otherwise) resident on DEC equipment is other than
the property of Digital Equipment Corporation. That should be
the operative assumption in considering the disposition of any
material found there. This is why the presence of unlicensed
third-party material is such a risk (which is off the subject,
but related in principle).
|
| 116.2 | There are interlocked rights here | HUMAN::BURROWS | Jim Burrows | Mon May 05 1986 00:46 | 28 |
| I'll sit sort of in the middle on this one (don't I always?)
First, as Paul Beck points out, DEC owns the EasyNet and
the products of our labors (at least those related to our
job and/or DEC's business). Thus the company has definite
rights regarding the contents of any conference, and care
should be taken not to abuse those rights.
Additionally, authors have the right to assume that what they
write won't be abused. Since noting is much like public or
semi-public speaking, absolute confidence can't be assumed.
However, plagarism and misrepresentation are definite abuses.
Republishing a note as one's own work is clearly wrong.
Similarly, presenting a note out of context or in altered
form is not allowable.
On the other hand, as I mentioned above, when you note you are
putting your views into black and white, and in a moderately
public forum. It is reasonable to assume that many other
people--virtually anybody, in fact--will become aware of
what you said.
On the whole, I would say that respect and caution are called
for in the writing and use of notes. Don't say what you don't
want public; be careful not to abuse the company's resources
and rights; and be sensative to the rights of other noters.
JimB.
|
| 116.3 | It's not a black and white issue | TLE::FELDMAN | LSE, zealously | Mon May 05 1986 01:44 | 19 |
| While confidentiality and privacy are important values, there are a few
more important ones. While I believe Digital to be quite an ethical
company, whistle blowing still has it's place.
Suppose someone foolishly but accurately implicates either the company
or an individual in a serious felony. Then, depending on
circumstances, it may be appropriate to put aside confidentiality and
take the information outside the company (in my opinion).
My point here is that the issues are very complicated, and are not
as simple as saying "you're not allowed to reveal the contents of
notesfiles." I don't want to start a philosophical discussion on
the ethics of whistle blowing; I think that would be too heated
for this conference.
In any event, the example above is purely hypothetical; to keep
temperatures at a low broil, let's keep things hypothetical.
Gary
|
| 116.4 | I keep it In... | CYGNUS::COOK | | Mon May 05 1986 20:11 | 19 |
|
I will keep this reply short and sweet...
In my opinion all contents of notes files are Company Confidential,
with exceptions to non-work related topics. Even in these notes
if I do extract a note, I keep it to myself and do not distribute
it outside no matter what the content.
re.3 >whistle blowing still has it's place
Yes, for the right reasons. It is definitely still alive more
than ever.
I also believe if there is a problem as in the one that has been
talked about, I would keep it inside the company.
enough rambling for now...
PrC
|
| 116.5 | Dissent | RANI::LEICHTERJ | Jerry Leichter | Tue May 06 1986 00:24 | 56 |
| If you check the rules on this, you'll find that confidential stuff, when
written, is supposed to be marked as such. This is part of a general legal
tradition of "putting people on notice": To maintain a copyright on material,
you have to mark all publicly-distributed copies of it with notice of that
fact. Land has to be fenced off, or posted "no trespassing". For something
easily available to the public, the default is generally that the public is
free to use it (where use is more-or-less non-exclusive - obviously, parking
my car on a public street, even with the keys in it, doesn't transfer it to
anyone walking by, by default).
Files are a new kind of object, but in fact the rules we've tended to apply
to them are generally consistent with those we've applied to paper. For
example, widely-distributed internal documents that are for internal use only
are usually so marked; certainly, all the commonly-used spec boilerplate
includes such markings. Files not intended for public distribution need
not be so marked; the direct analogy is to internal notes and other so-called
"work product", which is protected when it's on paper in common practice.
MAIL is somewhat problematical since even for paper mail the rules are not
universally agreed upon. Usually, letters are considered to be owned by
their author, and the recipient is supposed to ask permission before using
them directly. (Note that magazines, newspapers, and contest blanks always
specify that letters/entries are owned by the recipient, NOT the author.)
However, this rule is commonly bent in many situations. For electronic
mail, stuff sent to a distribution list shades over into true publication,
but not that, absent an explicit notice of claim to copyright, or something
analogous, anything broadly distributed will generally be taken to have
fallen into the public domain.
So, what about notesfiles? There is not really much precedent - "common
practice" - to fall back on. Some notesfiles are restricted, and participants
are put on explicit notie that the material is protected; SECURITY is an
example. Others are not restricted, but an explicit notice appears in Note 1;
I think VMSPHASE0 is an example. Most notesfiles contain nothing either way.
It's important to note that the existance of ANY files WITH explicit notifica-
tion would be taken as evidence that "common practice" does NOT imply such
notification by default!
Consider: How are notesfiles different from Usenet postings? Yet, does anyone
want to claim that posting Usenet articles to a notesfile is some sort of
violation of privacy?
I find the claim of confidentiality of material posted, with no notice, in a
location visible to many tens of thousands of people, difficult to maintain.
Notesfiles containing sensitive material should be appropriately "marked"
in Note 1. In fact, it would probably be a good thing if Notes V2 added
the ability to mark the notesfile itself. A marking so added to a notesfile
would be visible when any note from the file was displayed, and would be
propagated whenever material was extracted - by EXTRACT or FORWARD, for
example - from a notesfile. This would likely be overkill for "Internal
Use Only" notesfiles - though an "Internal Use Only" notification that appeared
(once) every time the file was opened would be a good idea; but stricter
classification should use it. (Yes, I know there are only 3 official levels
of classification, at the moment; but in practice there is a lot of variation
within "Digital Internal Use Only".
-- Jerry
|
| 116.6 | I don't want to have to write it again... | 2LITTL::BERNSTEIN | ITS over to you. | Tue May 06 1986 01:44 | 6 |
| I wrote what I thought was a nice response (basicaly agreeing
with .5) to this topic in DEBATE before it disappeared. If it's
still around somewhere, or if someone has a copy of my whole response,
I hereby give express permission to post it here.
Ed
|
| 116.7 | Three types of confidential information | HUMAN::SZETO | | Tue May 06 1986 09:24 | 32 |
| The following is excerpted from U.S. Personnel Policies and Procedures,
Section 8.03:
POLICY
------
2. The best way to protect proprietary information is by classifying and
labeling it so Digital employees will know its relative importance and
guard it properly. The group in Digital that creates or maintains a
particular set of proprietary information should classify it as one
of these three types:
A. _Restricted Distribution_: Information so confidential and important
it should _only_ be distributed to people _inside_ Digital who _need_
to know it. Proprietary information our customers or vendors give
us _must_ be put in this class. Information in this class cannot
be disclosed _to anyone else_ without talking to the group that created,
received or maintains it.
B. _For Internal Use Only_: Information which can be distributed to
Digital _employees_ but should _not_ be given to customers, competitors,
vendors or consultants.
C. _Personnel Confidential_: This is _personal_ information about a
Digital employee, such as his or her salary, performance evaluation,
medical problems and so on. It should not be distributed _outside_
Digital at all, without authorization and internally it should be
treated with _at least_ the same sensitivity as you want for your
own _most personal_ records. For further information on this subject
see Section 6.18, Employee Privacy in the Personnel Policies and
Procedures Manual.
|
| 116.8 | How to order the PP&P manual | HUMAN::SZETO | | Tue May 06 1986 09:28 | 3 |
| See topic 39 for information on how to order the U.S. Personnel
Policies and Procedures Manual.
|
| 116.9 | It is "For Internal Use Only" | HUMAN::SZETO | | Tue May 06 1986 09:30 | 3 |
| "For Internal Use Only" means for internal use in Digital. The
official phrase does not have the word "Digital" in it.
|
| 116.10 | more official info on the classification | JEDI::DTL | | Tue May 06 1986 09:55 | 81 |
| ************************
FOR INTERNAL USE ONLY
************************
[note: this is a work-related topic extracted form the Digital Corporate
Security Policies and Standards Manual (rev Feb86)]
<<< HUMAN::ARKD$:[NOTES$LIBRARY]SECURITY_POLICY.NOTE;2 >>>
-< Worldwide Software Security Policies >-
================================================================================
Note 21.0 Labeling for classified information [Corporate] No replies
PRSIS3::DTL "Software Security" 60 lines 3-FEB-1986 10:14
--------------------------------------------------------------------------------
There are three degrees of classification, according to Corporate
Security Standard #10.3 (1-jul-1982)
>>> "All Digital proprietary information is confidential. For the purposes
>>> of labeling, the term "Company Confidential" should not be used.
>>> The classifications and labels of "Restricted Distribution", "For
>>> Internal Use Only" and "Personnel Confidential" are more descriptive
>>> of the information contained within the medium"
[I took from these lines that, when no labeling is done, the lowest level
ia applicable, ie Internal Use Only]
o Standard 10.3.1 LABELING OF RESTRICTED DISTRIBUTION INFORMATION
[parts]
"../.. Restricted Distribution Notice mandatory ../.."
"../.. each page of the document must be marked "Restricted
Distribution" ../.."
o RESTRICTED DISTRIBUTION NOTICE
RESTRICTED DISTRIBUTION
This information shall not be disclosed to
non-Digital personnel or generally distributed
within Digital. Distribution is restricted
to persons authorized and designated by the
responsible engineer/manager. This document
shall not be left unattended, and, when not
in use, shall be stored in a locked storage
container.
These restrictions are to be enforced until
_______________ (date)
_________________________________________________
(responsible engineer/manager) date
o standard 10.3.2 LABELING OF "FOR INTERNAL USE ONLY" MATERIALS
(rev 1 Jan 1983)
>>> "Printed materials classified as "For Internal Use Only" shall be
>>> marked "For Internal Use Only" on the cover of the document and on
>>> each applicable page thereafter.
[shall all notes and replies be marked so?]
Computer media classified as "For Internal Use Only" shall be labeled
"For Internal Use Only"."
o standard 10.3.3 LABELING OF PERSONAL CONFIDENTIAL MATERIALS
(rev 1 Jan 1983)
"All materials that contain confidential personnel information should
be labeled "Personnel Confidential" on each document"
Computer media containing information that is Personnel Confidential
shall bear a label with the words "Personnel Confidential"."
Didier
|
| 116.11 | Some aspects of the security policy | LATOUR::AMARTIN | Alan H. Martin | Tue May 06 1986 18:54 | 46 |
| .10>[I took from these lines that, when no labeling is done, the lowest level
.10>ia applicable, ie Internal Use Only]
I didn't see that stated or implied anywhere. What I got from it was that
there are three flavors of confidential material, and "Company
Confidential" is not one of them. That is, labelling something "Company
Confidential" is against policy - a totally unacceptable practice.
If something is company confidential, then use one of the three labels.
.10>[shall all notes and replies be marked so?]
My reading of the policy is that if a note had internal-use-only
information in it, then the person who wrote it is violating the policy
if they didn't label the note file that way. And if someone wanted
to complain that internal-use-only information was leaked to the outside
world from that note, they would:
1. Be exposing the authors of the confidential information to reprimand
for not properly labelling the material they wrote.
-and/or-
2. Have harder time convincing people that the information was indeed
confidential, since it was not labelled as such. It doesn't automatically
release such information for public review, but it places the burden
on the complainant to prove it was supposed to be kept secret. If people
properly labelled data in the first place, they might potentially be
able to prevent or retard disclosure of their weekly grocery list merely
by labelling and handling it properly according to the policy.
Now, what if I were to examine notes 1.* as well as the notes on a particular
topic of a conference, and they didn't say "For Internal Use Only"?
The quoted portions of the security policy make me feel somewhat skeptical that
someone could successfully argue that if material unrelated to Digital's
business were extracted from such a conference and revealed to the public,
that this would be a violation of the security policy.
Frankly, I would not want the policy to be written such that I could be
disciplined for revealing someone's bean soup recipe posted in an
unrestricted access conference, even if it had been indiscriminitely
plastered with "For Internal Use Only" markings. (This assumes Digital
does not enter the soup business). I can imagine the issue being investigated,
but I would not want to be fearful of the eventual outcome relating
to that policy. (Whether this action, OR the action of posting recipes
for bean soup where anyone can read violate some other policies, won't
comment on).
/AHM
|
| 116.12 | Policy must be stated | LATOUR::MURPHY | Dan Murphy | Wed May 07 1986 00:40 | 19 |
| Reply 116.5 has a lot of merit, and I agree that the policy,
whatever it may be, should be clearly stated with each notes
file. (I would hope we don't have to go to the extreme of
labelling each note to meet some perverse legal criteria.)
An unfortunate fact is that many people have assumed that
"for internal use only" would automatically apply to notes,
and have written accordingly. I am one such person. Call
it a learning experience. Everyone using a notes file should
be made aware of the policy surrounding it.
There is a spectrum of possible uses for notes. At one end is
something like the "letters to the editor" section of the
newspaper -- you are writing for publication to the world. At the
other is something like mail among a set of friends/coworkers --
you use notes rather than a distribution list for each message
because it's more efficient and orderly. By use of policy,
membership lists, etc. notes can and should support many of
these uses.
|