Differences between revisions 1 and 2
Revision 1 as of 2004-03-09 18:57:24
Size: 315
Editor: 216-161-94-72
Comment:
Revision 2 as of 2004-03-09 19:00:57
Size: 5639
Editor: 216-161-94-72
Comment:

TomOffermann wants to focus on legal issues related to Ops Team operated nodes first, as they open PTP to the most liability.





TomOffermann provided this proposal to the proposed members of the PolicyCommittee (TomHiggins, DrewWoods, JerrittCollard and MichaelWeinberg):

My main interest in helping to create policy is so that the PTP
organization can protect itself from liability that results from
illegal, harmful, or malicious use of its network, or from our
installation and management of PTP nodes.

I also feel that a policy committee would be useful to consider
questions about how node owners and node users could protect themselves
as well. But, that should be a secondary focus of the Committee, I
think.

The key questions I would like to discuss:

  1) Does PTP need additional policies to protect itself?

  2) If so, is a Policy Committee the best way to consider these
     questions?

  3) What activities or scenarios put PTP at risk?

  4) What policies (if any) can PTP put in place to mitigate those
     risks?

Below are my thoughts on these questions. If you won't be able to
make tomorrow's meeting, please send feedback via email.

Thanks,
Tom


PURPOSE OF POLICY COMMITTEE

As I see it, the purpose of the Policy Committee is not to decide PTP
policy. Instead, our purpose should be to consider policies and make
recommendations. All policy decisions should be made by the Board and
by PTP Members.

FOCUS OF POLICY COMMITTEE

Because of the active involvement of the Ops Team on what I call "Ops
Nodes", I feel that there is a much greater chance for PTP to be held
liable for some kind of "bad activity" on Ops nodes, and so the policy
committee should focus first on questions surrounding these nodes.

DEFINITIONS

"Ops Nodes": Nodes that have been installed, and are actively managed by
the Ops Team. In the absence of any formal definition, I consider these
nodes to include any PTP node with my public SSH key on it.

Private Nodes: Nodes that are official PTP nodes, but that are installed
and managed by individual owners.

OPS NODE ISSUES

Installation of Ops Nodes

  * Licensing

    What are non-contractors allowed to do? What kind of work requires
    a contractor's license? Run cable? Mount equipment on walls? Mount
    antennas on rooftops?

    What are the relevant building/construction codes that PTP should be
    aware of?

  * Insurance
  
    Do PTP members need insurance for any installation activity?
    (Climbing on rooftops, etc.)

  * Injury

    What happens if a PTP member is injured during an install? How can
    we ensure that PTP is not liable? How can we ensure that the node
    owner is not liable?

Operation of Ops Nodes

  For the following "bad" activities:

    1) Spam

    2) Pornography (especially Child Pornography)

    3) Security breach of Node Owner network/computer.

       What if the firewall between the PTP access point and the
       Node Owner network is breached?

       Should PTP have a standard firewall policy when we are installing
       a node on a network that is also used for business?

    4) Violating the ISP's AUP

       Should PTP insist that a node owner uses an ISP with an
       acceptable AUP? Should that be the node owner's decision? If
       so, how can PTP protect itself?

    5) Network is unreliable (Drew's "Bungled Stock Trade" example)

       See http://www.personaltelco.net/index.cgi/LegalIssues

    6) Network is insecure (Drew's "VoIP Eavesdropping" example)

  * What are the possible consequences for the PTP organization?

  * What are the possible consequences for the node owner?

  * What can PTP do to protect itself?

    Possibilities include: Captive Portal, signed Node Owner Agreements
    between all node owners and PTP. Others?

  * What can the node owner do to protect itself?

    PTP should help node owners protect themselves.

Management of Ops Nodes

  * Monitoring of users

    Under the Patriot Act, could PTP be forced to install monitoring
    software on the Ops Nodes (without telling the users)? Can PTP
    organize itself, or structure its network, to prevent that? Is
    that even an important goal?

  * Logging

    What kind of data should we log? Could PTP be compelled to turn
    over log files by court order? If so, does that change what we log?
    
PRIVATE NODE ISSUES

  * What advice can PTP give private node owners about protecting
    themselves, in terms of network security, legal protection, etc.?

    Should PTP even give advice like this? What happens if PTP gives
    bad advice?

  * Is the PTP organization responsible/liable for any activity on
    private nodes?

TECHNOLOGY

  * How can PTP accommodate new technologies, while still protecting
    itself? For example, how can we enable VoIP phones to work on the
    PTP network, while still keeping any necessary protection in place
    for the PTP organization?

    Technology questions should NOT be decided by the Policy Committee,
    of course. But, we should recognize that all technology questions
    should also be considered in terms of their impact on PTP policies.

Initial discussion on Policy Committee:

TomFitzgerald likes the idea, but is concerned about another committee bogging down folks' time.

DrewWoods, TomHiggins and JerrittCollard argue that the committee can free people's time by handling policy issues that are currently being hashed out in general forums.


PolicyCommittee (last edited 2007-11-23 18:01:13 by localhost)