NewBackgroundCheck

Overview

This page is a work-in-progress document that aims to establish a new procedure for background checks based on the ideas stated by PhillipDunkel.

Security procedures require that people acting in some critical positions have "passed" a background check. The current (pre-2020) process for doing this is called "Arbitrated Background Check" (ABC). This process is considered broken by Arbitrations/a20140124.1. Since there has been no progress in fixing the existing process for over 5 years, we are now trying to find a completely new process.

Goal of the Background Check

The goal of the old ABC process, as described by the Arbitration case mentioned above, was "Initially proof a person's integrity in regards to control by or interrelations with security agencies or other organisations with goals opposing CAcert's principles." To put it (a bit polemically) in simple words, the old ABC should "prove that the candidate is a good person".

We now understand that this goal, although perfectly valid, is very ambitious, and can probably not be achieved by means available to CAcert.

So, the goal of the new procedure was stated to be more "to make the person aware of risks that result from acting in a critical position at CAcert, and of ways to mitigate some of these risks". Consequently this kind of background check cannot be "passed" or "failed" in the usual way. Ideally the applicants decide for themselves whether they want to accept the risks or not. But of course, if something very grave should surface during the interview, the interviewers should refuse to finish the report, or include a prominent (but very generic) warning.

As a heritage from the old ABC, a list of questions about relations to "problematic" organisations has been included. The intention is more or less to deter people who don't want to disclose such things. And at least the "commercial competitors" might indeed be a bit afraid that, if their "agent" does something bad, they'll have to show up before Arbitration, which might result in very bad publicity.

To stress it again, the background check is not intended to "tear off the mask from the faces of secret service agents", or even to convict people accustomed and willing to blatantly lie during the interview. We have only very few resources to verify statements given by the candidates. So we have to assume that the candidates are more or less well-intentioned and, to a reasonable extent, honest in their answers.

If they are honest and disclose their potential conflicts of interest, these are documented in the report. The CAcert Inc. board then has to decide whether they are tolerable for the specific job it has in mind for the candidate.

Non-Goals

Currently the filtering of "bad people" must rely more on social protocol. As candidates must already have spent some time working for CAcert, their co-workers had a better chance to find out the darker spots in the candidate's character. And if they decide that they want to have someone doing a critical job they have to take this into account.

Also, it is not the goal of the Background Check to evaluate the candidate's "fitness for a specific job". This is all but impossible during the one hour of the typical interview. Once more, their co-workers have much more time and occasions to evaluate a candidate's skills.

Proposal for an interview script

I chose to write this in the form of a handout for the candidate. It may make sense to indeed point the candidates to this page so they know what they are in for. This leaves them the option to bail out early from their application for (or, more commonly, their acceptance of) a critical job.

Note that I've come some way off my initial "no decision" proposal while trying to integrate some of the ideas of the "old" background check...

Part 0: Warmup

This part is more or less a little small talk, to get to know each other. It may be quite short if you and the interviewers already know each other very well; otherwise expect some curious questions about your relation to CAcert and about the people and areas you have already worked for at CAcert, as well as about life, the universe and everything.

You yourself are encouraged to ask about the process, intention and implementation of the background check.

Information disclosed during this warmup will normally not be part of the report as such, but may be picked up during Part 3 of the interview. If you agree, the interviewers may include some facts from your curriculum vitae and your relation to CAcert in the report. This may be especially useful if you are not (yet) widely known among the active community members, and may save you the work of writing an introduction yourself.

Part 1: Making sure you know what is expected from you

In this part we explain things to you which you probably already know. But after signing the report there is no more excuse of the kind "why didn't you tell me this before". So be sure to ask about things which are not completely clear.

The interviewers will ask a few questions about each topic, trying to get a feeling for whether you understand the implications of each topic.

Part 2: Things CAcert wants to know from you

These are some formal questions that CAcert wants you to answer. The answers you give will be part of the report, and therefore archived by CAcert Inc. If it should be discovered that you knowingly gave false answers to those questions, this may get you into trouble. Probably Arbitration will have to decide about the consequences.

Be assured that giving the "wrong" answer here does not automatically lead to your exclusion from a job. But probably there has to be some discussion about details, and it might be helpful to include such details in the written report.

You are obliged to notify CAcert Inc if there is a change in your situation in the future which would significantly change the answers given to these questions!

Part 3: The tricky part...

This part intends to find out problems (we like to call them "dark spots", or "difficult situations") in your present and future situation which may get you and/or CAcert into trouble if you are working in a critical job. For example, things that may be used as leverage for blackmailing you into doing things harmful to CAcert.

Since probably everyone has some of those dark spots, another intention of this part is to discuss ways to mitigate the impact of such problems.

There is no fixed script for this part. The interviewers will present some examples of difficult situations. Please do not be offended, these are examples, not insinuations! Take into account that you might encounter such a situation in the future. This discussion might help you to anticipate such a situation earlier, and as such may increase your chances of avoiding it.

The obvious mitigation when encountering such a difficult situation in real life will be to resign from the critical job. But often there are other ways to reduce the impact, depending on the situation. Together, you and the interviewers should try to outline possible alternatives for some situations.

The report will have to include some statement about this part. Hopefully this will be some set phrase that no problems were identified. If it is not, the interviewers will discuss with you what should be part of the report.

The Report

As a result of the interview the interviewers will write a report about the results of the interview.

The inclusion of some CV-style information from Part 0 of the interview is completely optional. The report will include a rough overview of topics discussed in Part 1 and the answers given to the questions of Part 2.

It will include a statement about the discussion during Part 3. Dependent on your authorisation, a summary of topics may be included. Also, if you want to have it, some details may be included. The interviewers may give proposals in the summary, like discussing some potentially controversial issue in a meeting between you and the board of CAcert Inc.

This report will be sent to the board of CAcert Inc and be considered in the decision whether you will be appointed to a critical job or not. It will only be sent if you, as well as the interviewers, confirm that the report is correct and may be sent. Both sides always have the option to stop the process, in which case no report will be sent, and no information gained during the interview will be disclosed. Obviously this is in fact the withdrawal of your application for the critical job.

The report will be digitally signed by at least one of the interviewers, and sent to you only. You then have the final decision whether you want to forward the report to CAcert board or not. Of course, if you don't forward the report this will probably be interpreted as a withdrawal of your application for the critical job.

There are no other implications for your community membership or your involvement in other (non-critical) jobs at CAcert.

The report will be archived by CAcert while you are appointed to a critical job. Routinely the report will be deleted/destroyed five years after you have resigned from the last critical job, unless you explicitly agree that it should be kept longer (because, for example, you plan to apply for another critical job after a sabbatical). On your request it will be deleted earlier, but not before one year has passed after your resignation.

And now?

Now the ball is in the board's court. They will decide what additional questions they want to ask you, what additional information has to be provided (for example more extensive contact information for the Key Persons List, depending on the job intended for you) and whether you have the necessary experience and competence for the job.

But this is a completely different story. :-)

On Interviewers

The one essential requirement on interviewers is that both the CAcert board and the candidate trust them to complete the process in a fair, discreet and competent way. Neither side should be forced to accept any interviewer.

Of course, CAcert board may decide on some formal requirements on interviewers they'll accept. I'd advise against setting too strict requirements.

Potential interviewers who are members of CAcert board have some obvious Conflict of Interest. After all the whole process was built to avoid that candidates have to discuss their lives with CAcert board! Nevertheless, as long as the fact is disclosed and they are accepted by both sides, I'd not exclude board members from serving as interviewers.

It should be needless to say that the interviewers are strictly required not to disclose anything learned during an interview to any outsider. Even the content of the report is only discussed between the participants and finally sent to the candidate, who then decides whether to disclose it to anyone else or not. There may be exceptions if the candidate explicitly authorizes the disclosure. As an example, I can imagine a situation where a candidate claims that a topic was discussed during the interview, but it was decided not to include it in the report. If the candidate authorizes it, an interviewer may confirm the fact.

Historic Section

This section is meant for people who want to understand the flow of discussion which led to the above result.

Goal of the Background Check (initial idea)

The goal of the old ABC process, as described by the Arbitration case mentioned above, was "Initially proof a person's integrity in regards to control by or interrelations with security agencies or other organisations with goals opposing CAcert's principles." To put it (a bit polemically) in simple words, the old ABC should "prove that the candidate is a good person".

We now understand that this goal, although perfectly valid, is very ambitious, and can probably not be achieved by means available to CAcert.

So, the goal of the new procedure was stated to be more "to make the person aware of risks that result from acting in a critical position at CAcert, and of ways to mitigate some of these risks". Consequently this kind of background check cannot be "passed" or "failed" in the usual way. Ideally the applicants decide for themselves whether they want to accept the risks or not.

To stress it once again, the background check is not intended to "tear off the mask from the faces of secret service agents", or even to convict people accustomed and willing to blatantly lie during the interview. We have only very few resources to verify statements given by the candidates. So we have to assume that the candidates are more or less well-intentioned and, to a reasonable extent, honest in their answers.

Currently the filtering of "bad people" relies more on social protocol. As candidates must already have spent some time working for CAcert, their co-workers already had a better chance to find out the darker spots in the candidate's character. And if they decide that they want to have someone doing a critical job they have to take this into account.

It is not yet decided whether the new procedure should also include a more standard test of some basic knowledge. But that surely will not be the main goal; the "technical fitness" for a specific job has to be evaluated by other processes!

Other views on the topic

Ian (one of the initiators of the "old" Arbitrated Background Check) gave an explanation on the motives of the old procedure.

In short (I hope that I got it correct) the idea was to include an Arbitrator in the team of interviewers so that false answers to the interview questions could be considered equivalent to "lies before the court". Therefore, if someone explicitly lied during the ABC and then did something evil they could be dragged before Arbitration and be "publicly burned" for all time.

This would not so much detect, but deter secret services and commercial competitors, who usually fear "public burning" above anything else.

Ideas on formal things

Checklist for the Interview

By acting in a critical position for CAcert a candidate will become more publicly visible. Consider those scenarios:

Some examples of possible "dark spots" include:

Things which can be mitigated easily by publication and openness:

Obviously difficult issues which would require going into details:

One easy way to mitigate some risks is to disclose them. If the candidate states in advance that they have worked for some evil government agency in the past, it is CAcert's job to decide whether this poses a problem or not.

1:1 or 2:1 ?

There is still some discussion whether there should be a single interviewer or two interviewers, but there's a general consensus that it should be not more than two.

The big advantage of a one-on-one interview is that this is probably the most comfortable variant for the candidates, as they have to share their secrets only with a single other person.

The big disadvantage is that it is very difficult for a single interviewer to make a just decision about the "trustworthiness" of a candidate, especially since the whole scenario only makes sense if the content of the interview has to remain absolutely confidential.

Two interviewers can at least discuss the content of the interview between themselves and come to a conclusion with a considerably reduced chance of being arbitrary.

Bits and Pieces

Rejected Ideas

The following ideas have been discussed and have been rejected at the current state of the discussion. This decision of course is not cast in stone...

Request a criminal record from candidates

Con:

Pro:

Asking for an agreement to contact "referrers", to verify recommendations

... at least when it comes to referrers outside the CAcert community. Of course there should be good recommendations from inside the CAcert community, since the candidates should have contributed to CAcert for some time (rule of thumb: 1 year?) before being eligible to fill a critical position.

Footnotes

  1. Who will act on CAcert's behalf in such a case? Probably Board?