[Governance] Formal Complaint Against Josh Sokol

Josh Sokol josh.sokol at owasp.org
Thu May 15 22:36:50 UTC 2014


>> Please find the relevant quote from two e-mails sent to Josh Sokol in
>> April 2014 related to confidentiality:

I would request that Christian elaborate on what is either proprietary or
sensitive regarding the statement I made on the Board list a month ago.
Confidentiality agreements (of which I have none with Christian) are
typically only binding until such time as the information has been publicly
disclosed.  At the time of my notification of the Board and Martin (my
fiduciary responsibility to the OWASP Foundation), all details disclosed
were a matter of public record by virtue of it being a formal legal
proceeding in Australian courts.  At no point did I share information that
was either proprietary or sensitive as I do not have access to any
information that is proprietary or sensitive on this matter.

>>The service of a subpoena is not harassment.
>>
>>Prior to issuing the subpoena, I had made a reasonable request to
>>Sarah, Tobias and Josh of what I was seeking and Josh immediately
>>became evasive, obstructive and elected himself to deal with the
>>Australian courts.  Both Tobias and Sarah were much more reasonable.

There was no service of a subpoena.  The original request was for me to
give Christian confidential information relating to a phone call that I had
conducted as part of a Board investigation.  There was no evasion or
obstruction either, I simply let Christian know that OWASP would maintain
confidentiality on this matter unless instructed by a court to do
otherwise.  And my "election to deal with the Australian courts" was due to
my having the information that Christian was seeking.  So, yes, I told him
that I was more than happy to speak with the Australian authorities on the
matter.  Christian first insisted that I give him the recording, then
threatened OWASP with legal recourse if we did not give him the recording,
then became insistent on an Australian address to deliver a subpoena to (of
which we have none), then threatened to deliver it to Norman as the chapter
leader.  While the service of a subpoena is not harassment, the threats and
bullying certainly were, and being contacted twice after telling him I
considered it harassment and asking for it to stop showed a continued
disregard for my feelings.

>> I put it to OWASP that their intent is not to produce the information
>> requested or assist in confirming specific facts in the matter so that
>> other parties within Australia could be subpoenaed for information
>> that I am seeking instead of OWASP and have demonstrated a total
>> disregard of their stated ethics of openness and transparency.

What Christian is actually asking for is a breach of the confidentiality of
something that is actually confidential while accusing me of breaching
confidentiality for something that is not.  I've made it clear to Christian
from the beginning that I have the data that he is looking for and am happy
to comply with a court order to provide it.  Christian, to date, has
provided no such court order.  Christian is incorrect in that the OWASP
ethics do not state openness and transparency, but they do state
confidentiality, which I have maintained despite Christian's repeated
threats, bullying, and now formal complaint.

The path is clear and simple and Christian has already referenced it in his
other e-mail.  The Hague Convention provides for the proper procedure for
subpoena of a foreign party.  I would be more than happy to comply with the
law.  I am not, however, compelled to comply via intimidation.  I have
apologized for what I believe may have been misunderstandings of the
situation, and certainly not intentional, but I fail to see any breach of
the OWASP Code of Ethics that Christian has stated nor implied.

~josh


On Thu, May 15, 2014 at 4:44 PM, Christian Heinrich <christian.heinrich at cmlh.id.au> wrote:

> Martin,
>
> On Fri, May 16, 2014 at 1:59 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Norman says differently in the e-mail Christian referenced earlier.  "I've
> > recently returned to my day job from a period of leave, and upon checking my
> > email, I was most pleasantly surprised to find an email regarding our good
> > friend cmlh. Apparently, he has some kind of subpoena against OWASP?"  If
> > Christian says he never contacted Norman, then perhaps I misunderstood "find
> > an email regarding our good friend cmlh" to mean that Christian contacted
> > him instead of him meaning that he read another e-mail related to the
> > matter.  If I misinterpreted, then I'm sorry.  I thought that you had
> > carried out the action that you had threatened us with mid-April.  If that
> > is the case, then I'm not sure where the information Norman references would
> > have come from, but it didn't come from me.  I'd maintain that I did not
> > disclose anything in my response that hadn't already been disclosed publicly
> > at the time and I would still request that Christian provide a specific
> > example of the breach of confidentiality with which I am accused.
>
> Please find the relevant quote from two e-mails sent to Josh Sokol in
> April 2014 related to confidentiality:
>
> On Tue, Apr 15, 2014 at 1:05 PM, Christian Heinrich
> <christian.heinrich at cmlh.id.au> wrote:
> > Please do not approach Chris Gatford, Drazen Drazic, etc or discuss this
> > matter on public mailing lists
>
> On Wed, Apr 16, 2014 at 9:26 AM, Christian Heinrich
> <christian.heinrich at cmlh.id.au> wrote:
> > Also, please heed my warning about discussing this on a public mailing
> > list i.e. http://lists.owasp.org/pipermail/owasp-board/2014-April/013580.html
>
> On Fri, May 16, 2014 at 1:59 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > While I can appreciate Christian's perspective on what my correct course of
> > action should have been, my fiduciary duty is to protect the OWASP
> > Foundation, and Christian's continued harassment of OWASP members is of the
> > utmost concern.  I'd much rather our members know that they have rights and
> > that the Board stands behind them, rather than allowing Christian to bully
> > them into submission.
>
> The service of a subpoena is not harassment.
>
> Prior to issuing the subpoena, I had made a reasonable request to
> Sarah, Tobias and Josh of what I was seeking and Josh immediately
> became evasive, obstructive and elected himself to deal with the
> Australian courts.  Both Tobias and Sarah were much more reasonable.
>
> On Fri, May 16, 2014 at 1:59 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Christian is correct that my autoresponder does not attempt to discern
> > contents.  It was put in place (for me) after telling Christian NINE (9)
> > times that I would not provide him with the information he was seeking to
> > maintain confidentiality unless a subpoena was issued to obtain it.  At
> > least two of these were after I had explicitly told Christian that his
> > contacting myself and other OWASP members was perceived as harassment and
> > after asking him to refrain from contacting me directly on this matter.  It
> > was done at the suggestion of OWASP legal counsel, with the support of the
> > Board, and instead of the OWASP Foundation filing a formal harassment
> > complaint against Christian.
>
> While this is addressed above the information I am seeking is not
> confidential as OWASP is an open and transparent organisation and
> furthermore I sought to subpoena the other parties rather than OWASP
> if Josh was able to confirm if the other parties had been informed of
> where to find the information sought.
>
> On Fri, May 16, 2014 at 1:59 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> > Again, while I can appreciate Christian's perspective on what my correct
> > course of action should have been, my fiduciary duty is to protect the OWASP
> > Foundation.  His persistent harassment of myself and other OWASP members (at
> > least two or three others that I am aware of) is what prompted my response.
> > If anyone is injuring Christian's professional reputation, it is him through
> > his words and actions against OWASP and its members.  My providing passive
> > instructions on the proper response should they be contacted by him on this
> > manner, supported by OWASP legal counsel and the Board, was by no means an
> > attempt to injure Christian either personally or professionally.  If it was
> > perceived as otherwise, then I sincerely apologize.
>
> I have sought to have Sarah and Tobias instruct the legal counsel to
> prepare the subpoena for service in New York as the subpoena must be
> registered within their jurisdiction for it to be enforceable.
>
> I put it to OWASP that their intent is not to produce the information
> requested or assist in confirming specific facts in the matter so that
> other parties within Australia could be subpoenaed for information
> that I am seeking instead of OWASP and have demonstrated a total
> disregard of their stated ethics of openness and transparency.
>
> I demand that Josh Sokol be reprimanded for his continued breaches of
> OWASP Code of Ethics.
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact