Enable ability to have pseudonimity for EasyCLA.

[TheLarkInn]

Reference: webpack/webpack#17329

We have had multiple contributors (this referenced pull request just being the latest) have expressed concerns with the EasyCLA's requirement to provide a mailing address for their contributions.

Is there a potential path that we can take to provide a middle ground here of pseudonymity instead? We really value our contributors privacy concerns and want to try to find a solution if there is one. If not, then perhaps we can provide a documented/legal answer as to why providing the address is required so we can explain this to potential contributors.

[ovflowd]

I do lack legal knowledge on why addresses are needed, but I can imagine the why's.

I wonder tho if for one-timer contributions we could have a less-restrictive CLA that could allow one-time contributions. (Like a one-time sign-off), as I definitely believe that having the requirement of having an address to be provided is invasive... Even more for small contributions.

It's non-inclusive and excluding and definitely would make a few people think twice before contributing to certain projects 😓

[tobie]

The foundation's IP policy doesn't specify implementation requirements (rightfully, imho). I have found other CLA implementations to cause less friction (e.g. CLA Assistant) and believe we should switch.

[rginn]

I'll run this by legal.

[tobie]

@rginn offered to organize a session with legal where this topic (among others?) could be discussed.

[tobie]

I've found some recommendations on the minimum required information collection necessary for CLAs in the "Model CLA Policy and Rationale" guidelines, part of the Open Source Casebook published by Google's OSPO:

Minimizing the collection of signee personally identifiable information (PII) reduces maintenance costs and protects signees’ privacy, but a certain amount of information collection is indispensable. One should be able to trace title from a given submission to a known human being or entity. The two pieces of information that should always be collected from CLA signees are email address and name. For corporate CLAs, the name of the corporation and the signee’s corporate title should also be collected.

Email address verification serves three critical purposes: identity verification, company employee status verification, and means of contact.

Obtaining the name of the signee is indispensable for identity verification, but is also necessary for substantiating the agreement.

In the case of corporate CLAs, the collection of this information not only furnishes evidence of the agreement in the event of suit, it provides the criteria for establishing apparent authority. The email address establishes that the signee really is an employee of the company they represent and are acting in their capacity as an agent of the company. The title establishes whether the company has conferred authority upon the signee to execute the agreement.

[ovflowd]

@rginn offered to organize a session with legal where this topic (among others?) could be discussed.

I'd like to take part of the session. That sounds highly interesting :)