NewBackgroundCheck
Overview
This page is a Work-in-Progress document that aims to establish a new procedure for background checks based on the ideas stated by PhillipDunkel.
Security procedures require that people acting in some critical positions have "passed" a background check. The current (pre-2020) process for doing this is called "Arbitrated Background Check" (ABC). This process is considered broken by Arbitrations/a20140124.1. Since there was no progress in fixing the existing process for over 5 years, we are now trying to find a completely new process.
Goal of the Background Check
The goal of the old ABC process, as described by the Arbitration case mentioned above, was "Initially proof a person's integrity in regards to control by or interrelations with security agencies or other organisations with goals opposing CAcert's principles." To put it (a bit polemically) in simple words, the old ABC should "prove that the candidate is a good person".
We now understand that this goal, although perfectly valid, is very ambitious, and can probably not be achieved by means available to CAcert.
So, the goal of the new procedure was stated to be more "to make the person aware of risks that result from acting in a critical position at CAcert, and of ways to mitigate some of these risks". Consequently this kind of background check cannot be "passed" or "failed" in the usual way. Ideally the applicants decide for themselves whether they want to accept the risks or not. But of course, if something very grave should surface during the interview, the interviewers should refuse to finish the report, or include a prominent (but very generic) warning.
As a heritage from the old ABC, a list of questions about relations to "problematic" organisations has been included. The intention is more or less to deter people who don't want to disclose such things. And at least the "commercial competitors" might indeed be a bit afraid that, if their "agent" does something bad, they'll have to show up before Arbitration, which might result in very bad publicity.
To stress it again, the background check is not intended to "tear off the mask from the faces of secret service agents", or even to convict people accustomed and willing to blatantly lie during the interview. We have only very few resources to verify statements given by the candidates. So we have to assume that the candidates are more or less well-meaning and, to a reasonable extent, honest in their answers.
If they are honest and disclose their potential conflicts of interest, these are documented in the report. Then the CAcert Inc. board has to decide if they are tolerable for the specific job it has in mind for the candidate.
Non-Goals
Currently the filtering of "bad people" must rely more on social protocol. As candidates must already have spent some time working for CAcert, their co-workers had a better chance to find out the darker spots in the candidate's character. And if they decide that they want to have someone doing a critical job they have to take this into account.
Also, it is not the goal of the Background Check to evaluate the candidate's "fitness for a specific job". This is all but impossible during the one hour of the typical interview. Once more, their co-workers have much more time and occasions to evaluate a candidate's skills.
Proposal for an interview script
I chose to write this in the form of a handout for the candidate. It may make sense to indeed point the candidates to this page so they know what they are up to. This leaves them the option to bail out early from their application for (or, more commonly, their acceptance of) a critical job.
Note that I've come some way off my initial "no decision" proposal while trying to integrate some of the ideas of the "old" background check...
Preparation for the Interview
- A meeting should be scheduled between an applicant and two interviewers
- One of the interviewers should send a link to this page to the applicant
- The applicant should take time to prepare for the official questions (Parts 1 to 3)
Part 0: Warmup
This part is more or less a little small talk, to get to know each other. It may be quite short if you and the interviewers already know each other very well, otherwise expect some curious questions about your relation to CAcert, and about the people and areas you have already worked for at CAcert, as well as about life, universe and everything.
You yourself are encouraged to ask about the process, intention and implementation of the background check.
Information disclosed during this warmup will normally not be part of the report as such, but may be picked up during Part 3 of the interview. If you agree, the interviewers may include some facts of your curriculum vitae and your relation to CAcert into the report. This may be especially useful if you are not (yet) widely known among the active community members, and may save you the work of writing an introduction yourself.
Part 1: Making sure you know what is expected from you
In this part we explain things to you which you probably already know. But after signing the report there is no more excuse "why didn't you tell me this before". So be sure that you ask about things which are not completely clear.
The interviewers will ask a few questions about each topic, trying to get a feeling if you understand the implication of each topic.
- What are the Principles of CAcert? Can you name some of them?
- While working for CAcert, or when relying on CAcert certificates, you have to accept the CAcert Community Agreement (CCA). Can you name some important points contained in the CCA?
- Do you know your obligations, which are stated in the CCA?
- Do you know what CAcert Arbitration is good for? Why is Arbitration important for the CAcert community?
- Do you know something about CAcert Inc? What is the relation between CAcert Inc and the CAcert community?
- Do you know the meaning of a "CAcert Assurer Reliable Statement", often abbreviated as CARS?
Part 2: Things CAcert wants to know from you
These are some formal questions that CAcert wants you to answer. The answers you give will be part of the report, and therefore archived by CAcert Inc. If it should be discovered that you knowingly gave false answers to those questions this may get you into trouble. Probably Arbitration will have to decide about the consequences.
Be assured that giving the "wrong" answer here does not automatically lead to your exclusion from a job. But probably there has to be some discussion about details, and it might be helpful to include such details in the written report.
- Have you worked for a national security agency or secret service, currently or in the past? Do you have other close relations to such services?
- Have you worked for, or do you have other close relations to law enforcement or similar authorities?
- Have you worked for, or do you have other close relations to private investigation companies?
- Have you worked for, or do you have other close relations to companies offering commercial CA services?
- Do you know of other conflicts with CAcert?
You are obliged to notify CAcert Inc if there is a change in your situation in the future which would significantly change the answers given to these questions, for as long as you still act in a role where a background check is a requirement, or if you apply for such a role in the future and use an earlier background check as a reference!
To put it in plain words: If you work on a critical job, CAcert must always know the current answers to these questions.
Part 3: The tricky part...
This part intends to find out problems (we like to call them "dark spots", or "difficult situations") in your present and future situation which may get you and/or CAcert into trouble if you are working in a critical job. For example, things that may be used as leverage for blackmailing you into doing things harmful to CAcert.
Since probably everyone has some of those dark spots, another intention of this part is to discuss ways to mitigate the impact of such problems.
There is no fixed script for this part. The interviewers will present some examples of difficult situations. Please do not be offended, these are examples, not insinuations! Take into account that you might encounter such a situation in the future. This discussion might help you to anticipate such a situation earlier, and as such may increase your chances to avoid it.
The obvious mitigation when encountering such a difficult situation in real life will be to resign from the critical job. But often there are other ways to reduce the impact, depending on the situation. Together, you and the interviewers should try to outline possible alternatives for some situations.
The report will have to include some statement about this part. Hopefully this will be some set phrase that no problems were identified. If it is not, the interviewers will discuss with you what should be part of the report.
The Report
As a result of the interview the interviewers will write a report about the results of the interview.
The inclusion of some CV-style information from Part 0 of the interview is completely optional. The report will include a rough overview of topics discussed in Part 1 and the answers given to the questions of Part 2.
It will include a statement about the discussion during Part 3. Dependent on your authorisation, a summary of topics may be included. Also, if you want to have it, some details may be included. The interviewers may give proposals in the summary, like discussing some potentially controversial issue in a meeting between you and the board of CAcert Inc.
This report will be sent to the board of CAcert Inc and be considered in the decision whether you will be appointed for a critical job or not. It will only be sent if you, as well as the interviewers, confirm that the report is correct and may be sent. Both sides always have the option to stop the process, in which case no report will be sent, and no information gained during the interview will be disclosed. Obviously this is in fact the withdrawal of your application for the critical job.
The report will be digitally signed by at least one of the interviewers, and sent to you only. You then have the final decision whether you want to forward the report to CAcert board or not. Of course, if you don't forward the report this will probably be interpreted as a withdrawal of your application for the critical job.
There are no other implications about your community membership or your involvement in other (non-critical) jobs at CAcert.
The report will be archived by CAcert while you are appointed to a critical job. Routinely the report will be deleted/destroyed five years after you have resigned the last critical job, unless you explicitly agree that it should be kept longer (because, for example, you plan to apply for another critical job after a sabbatical). On your request it will be deleted earlier, but not before one year has passed after your resignation.
And now?
Now the ball is in the board's court. They will decide what additional questions they want to ask you, what additional information has to be provided (for example more extensive contact information for the Key Persons List, depending on the job intended for you) and whether you have the necessary experience and competence for the job.
But this is a completely different story.
On Interviewers
The one essential requirement on interviewers is that both CAcert board and the candidate trust in them to complete the process in a fair, discreet and competent way. Neither side should be forced to accept any interviewer.
Of course, CAcert board may decide on some formal requirements on interviewers they'll accept. I'd advise against setting too strict requirements.
Potential interviewers who are members of CAcert board have some obvious Conflict of Interest. After all the whole process was built to avoid that candidates have to discuss their lives with CAcert board! Nevertheless, as long as the fact is disclosed and they are accepted by both sides, I'd not exclude board members from serving as interviewers.
It should be needless to say that the interviewers are strictly required not to disclose anything learned during an interview to any outsider. Even the content of the report is only discussed between the participants and finally sent to the candidate, who then decides whether to disclose it to anyone else or not. There may be exceptions if the candidate explicitly authorizes the disclosure. As an example, I can imagine a situation where a candidate claims that a topic was discussed during the interview, but was decided not to be included in the report. If the candidate authorizes it, an interviewer may confirm the fact.
Historic Section
This section is meant for people who want to understand the flow of discussion which led to the above result.
Goal of the Background Check (initial idea)
The goal of the old ABC process, as described by the Arbitration case mentioned above, was "Initially proof a person's integrity in regards to control by or interrelations with security agencies or other organisations with goals opposing CAcert's principles." To put it (a bit polemically) in simple words, the old ABC should "prove that the candidate is a good person".
We now understand that this goal, although perfectly valid, is very ambitious, and can probably not be achieved by means available to CAcert.
So, the goal of the new procedure was stated to be more "to make the person aware of risks that result from acting in a critical position at CAcert, and of ways to mitigate some of these risks". Consequently this kind of background check cannot be "passed" or "failed" in the usual way. Ideally the applicants decide for themselves whether they want to accept the risks or not.
To stress it once again, the background check is not intended to "tear off the mask from the faces of secret service agents", or even to convict people accustomed and willing to blatantly lie during the interview. We have only very few resources to verify statements given by the candidates. So we have to assume that the candidates are more or less well-meaning and, to a reasonable extent, honest in their answers.
Currently the filtering of "bad people" relies more on social protocol. As candidates must already have spent some time working for CAcert, their co-workers already had a better chance to find out the darker spots in the candidate's character. And if they decide that they want to have someone doing a critical job they have to take this into account.
It is not yet decided if the new procedure also should include a more standard test about some basic knowledge. But that surely will not be the main goal, the "technical fitness" for a specific job has to be evaluated by other processes!
Other views on the topic
Ian (one of the initiators of the "old" Arbitrated Background Check) gave an explanation on the motives of the old procedure.
In short (I hope that I got it correct) the idea was to include an Arbitrator in the team of interviewers so that false answers to the interview questions could be considered equivalent to "lies before the court". Therefore, if someone explicitly lied during the ABC and then did something evil they could be dragged before Arbitration and be "publicly burned" for all future.
This would not so much detect, but deter secret services and commercial competitors, who usually fear "public burning" above anything else.
Ideas on formal things
- The content of the interview naturally is to be considered strictly confidential! This may find some legal limits in extreme cases, that we hopefully will never encounter. And, if we decide to go that way, the interviewers might have to give a formal assessment of the candidates, which must not go into any details. If the candidates want to disclose details they have to do it themselves.
- The candidates should be allowed to reject an interviewer. Maybe the candidates can even propose their own interviewer, but of course CAcert (1) has to approve them.
- The candidates may always choose to withdraw their application for (or acceptance of) the job, with the result of immediately stopping the background check, without any assessment being made.
- It might be a good idea to present the candidates a list of reference situations and ask if they already have encountered a similar situation. They only have to answer with yes or no, without having to go into more details initially. Then the interviewers have to decide what they can advise the candidate with the level of details the candidate is willing to provide.
Checklist for the Interview
By acting in a critical position for CAcert a candidate will become more publicly visible. Consider those scenarios:
- A journalist is doing research on CAcert, discovers "some dark spot" in the candidate's past and places those findings in some lurid headlines.
- Someone knowing the candidate from the past and bearing some old grudge becomes aware of the candidate's new position and seeks revenge, though completely unrelated to CAcert.
- A commercial competitor of CAcert tries to use some knowledge about the candidate's past to put CAcert out of business. Maybe by blackmailing the candidate into doing something harmful to CAcert or by simply starting a shitstorm against CAcert.
Some examples of possible "dark spots" include:
- being involved in some (possibly minor) crime
- being in a "financially difficult situation", for example:
  - having drawn on an unusually high amount of loans
  - being addicted to gambling, drugs or similar things
Things which can be mitigated easily by publication and openness:
- working for a "commercial competitor" of CAcert in the present or the past
- working for an intelligence service, or for a company active in this area
Obviously difficult issues which would require going into details:
- being accused in a criminal case involving fraud, or things summarized as "black hat hacking"
One easy way to mitigate some risks is to disclose them. If the candidate states in advance that they have worked for some evil government agency in the past, it is CAcert's job to decide whether this poses a problem or not.
1:1 or 2:1 ?
There is still some discussion whether there should be a single interviewer or two interviewers, but there's a general consensus that it should be not more than two.
The big advantage of a one-on-one interview is that this is probably the most comfortable variant for the candidates, as they have to share their secrets only with a single other person.
The big disadvantage is that it is very difficult for a single interviewer to make a just decision about the "trustworthiness" of a candidate, especially since the whole scenario only makes sense if the content of the interview has to remain absolutely confidential.
Two interviewers can at least discuss the content of the interview between themselves and come to a conclusion with a considerably reduced chance of being arbitrary.
Bits and Pieces
Security Manual currently details requirements for the background check, and is very specific to follow the old ABC.
- Current roles requiring a background check:
  - Support (but not Triage)
  - Software Assessment (but not coding or testing)
  - Critical (but not infrastructure)
  - Access Admin (datacenter access, provided by secure-u e.V)
- The interview should include some formal instructions that while working for CAcert the candidates are subject to the CAcert Community Agreement and therefore they have to accept and respond to CAcert Arbitration. In their report to board, the interviewers should explicitly point to the fact that this instruction has been given and Arbitration has been accepted by the candidates.
- The report given by the interviewers could also include a few very specific statements (and the answers of the candidates), like
  - "The candidate does have some connection to one or more of this list of organisations: CIA, NSA, MI5, MAD, BND, Verfassungsschutz, ..." (or just "National Security Agencies"?)
  - "The candidate does have some connection to any commercial CA"
- If the answer to one of those is yes, then CAcert board will probably ask for details to be disclosed, or otherwise refuse the application.
The report should be signed by the candidate, which would probably fulfil similar goals as the old ABC
Rejected Ideas
The following ideas have been discussed and have been rejected at the current state of the discussion. This decision of course is not cast in stone...
Request a criminal record from candidates
Con:
- May not be allowed under some (e.g. German) legislation
- It's very hard to judge the relevance of a foreign criminal record
- Usually there's a fee charged for issuing a criminal record
- If the candidates are well-meaning they'll tell relevant issues during the interview voluntarily. If they really want to keep it secret, it is quite easy to forge the document.
Pro:
- It's a simple procedure (at least on the interviewer's side): you can tick off one point in your checklist and don't have to think about it any more.
Asking for an agreement to contact "referrers", to verify recommendations
- People giving a recommendation often are very careful not to say things which can get them in a position to be sued. So negative or problematic facts are more often not disclosed.
- It is very hard to judge the trustworthiness of the referrers
... at least when it comes to referrers outside the CAcert community. Of course there should be good recommendations from inside the CAcert community, since the candidates should have contributed to CAcert for some time (rule of thumb: 1 year?) before being eligible to fill a critical position.
Footnotes
(1) Who will act on CAcert's behalf in such a case? Probably Board?