Talk:Privacy policy/Archives/2008

I highly suggest at some point in the future changing policy to allow for one very specific hole to deleting user names: emergencies as deemed by the systems administrators. This concern stems from recent research in defeating CAPTCHAs. Properly motivated (i.e., with enough skill in math & programming experience to put to practice), an attacker could fairly reliably defeat the CAPTCHAs that are employed on most Wikimedia projects, therein bypassing the check against automated account registration. Therefore, I believe that should anyone try to use this as a form of attack, there should be in place the ability for the actual Wikimedia systems administrators to repair the damage by deleting the maliciously-added accounts outright. Otherwise, the attacker would have a viable long-term attack plan-- simply keep running the attack.

To clarify, I would like everything to remain the same, except that only systems administrators (i.e., the same people who are needed to permanently delete material even after Oversight) are able to delete user names manually. I feel that this is a safe amendment, because absolute worst-case scenario, there are still physical backups of any data deleted. However, if I'm overlooking something here, please definitely let me know, as I obviously want this change to be as conservative as possible while still maintaining the safety of the network. --slakr 00:28, 12 September 2007 (UTC)

Systems administrators can already mass-remove this data through direct SQL queries. Nakon 03:20, 27 January 2008 (UTC)

A fi-wiki administrator has attempted to inject Google Analytics code into our MediaWiki:Copyright page, which would effectively allow Google Analytics to record information of all of our visitors. Since Google Analytics shows host names of individual visitors (usually just an ISP hostname, but some people may have fullname.net style addresses) and the plan is to let pretty much anyone to access this information, it's pretty evident that this is a violation of the Wikimedia Privacy Policy.

Moreover, since the code would be on MediaWiki:Copyright, it will capture every single visitor from the first pageview onwards, and there's no fair way to let users choose if they want their information recorded.

Any thoughts? MikkoM 12:29, 10 December 2007 (UTC)

We reached a compromise allowing Analytics access only to people with CheckUser privileges. So the issue is resolved. MikkoM 13:09, 10 December 2007 (UTC)

This issue is now resolved by removing Google Analytics. --Many 06:50, 11 December 2007 (UTC)

In relation to a recent lawsuit and Wikipedia's release of registered users info, there is an ongoing discussion regarding the WMF privacy policy, specifically the rules for releasing the identifying user info to third parties, at [1]. Those who are interested in this aspect of the privacy policy are encouraged to participate in the discussion. Regards, Nsk92 23:59, 13 January 2008 (UTC)

"dependant" is misspelled

I would like to make two suggestions for changes in privacy policy regarding releasing registered user identifying data (IP addresses, e-mails, etc) to third parties in response to court subpoenas. These suggestions are motivated by a recent incident where the IP data of sixteen registered Wikipedia users (including mine) were released in response to a subpoena in a lawsuit. There was an extensive discussion of the incident and the related issues at Wikipedia's Village Pump in January 2008, see [2].

My basic suggestions are:

(1) To add a clause to the privacy policy stating that WMF will notify the affected registered users when their identifying info is being requested by a third party subpoena and when and if such a release actually occurs.

(2) To add a sentence or two to the privacy policy explaining the basic principles used in responding to third party subpoenas (e.g. presumptive compliance with all valid subpoenas vs, say, case-by-case considerations of when to comply or contest a particular subpoena based on First amendment or other considerations).

My main suggestion is (1) so I'll concentrate on it.

Reasons for instituting a notification requirement

The current privacy policy does not require any kind of notification of registered users whose info is being sought by third parties, and, apparently, no such notification occurred in the incident mentioned above (again, see the discussion at [3]). The Supreme Court has traditionally recognized and stressed the right to and the importance of anonymous free speech, including anonymous free speech on the Internet. Of course, this right is not absolute, but it does exist and needs to be protected. This is a long-standing position of the Electronic Frontier Foundation, the ACLU, the Public Citizen and other free speech advocacy groups whose goals are in large part aligned with those of WMF. See, for example: [4], [5], [6], [7], [8], [9], and so on. The courts have maintained that anonymous internet posters have a right to contest the release of their identifying data to third parties, but, of course, to exercise this right, they need to be notified at the time such release is requested. Here is a quote from the June 2002 ACLU press release: ""You can't fight to protect your privacy and anonymity when you don't even know that it's being attacked,"" said Paul Levy of the Public Citizen Litigation Group.[10]. As far back as 2001-2002, EEF, ACLU, the Public Citizen, and others, advocated requiring ISPs to include the notification requirement in their privacy policies. Again, from the June 2002 ACLU press release: "A coalition of civil liberties and privacy groups today called on Internet Service Providers (ISPs) and other online companies to adopt policies protecting their users' right to anonymous speech on the Internet. That right has come under attack in recent years through a growing number of ""cyberSLAPP"" lawsuits, in which companies file suit just to discover the identity of their online critics - often in order to silence or intimidate them. In a cyberSLAPP suit, the target of anonymous online criticism typically files a lawsuit against a "John Doe" defendant and then issues an identity-seeking subpoena to an ISP. There is currently no legal requirement that ISPs notify their customers before complying with such subpoenas - even though many of the lawsuits are frivolous and have no chance of prevailing in court."[11] Note the phrase "and other online companies" in the above quote.

Apart from these general considerations, protecting the right to anonymous free speech on the internet is central to the core mission of the Wikimedia Foundation. The great majority of its users use pseudonyms rather than real names, as their user IDs. While these users need to behave responsibly when editing, WMF does have the responsibility to protect the privacy of these users against frivolous attacks via CyberSLAPP lawsuits. Fairness requires that registered users of WMF projects be notified in some way when their identifying info is being sought. To do otherwise has the potential for creating the atmosphere of fear and intimidation, that could have a substantial chilling effect and compromise the quality of the editorial process and the actual outcome of the WMF projects. CyberSLAPP lawsuits are being increasingly used as a tool of intimidation by big companies and by govermental entities (again, see [12]).

In the Village Pump discussion [13] one of the arguments made was that it is not so bad for WMF to release IP addresses of its users in response to a subpoena since then the buck is passed to the Internet Service Providers, who have greater financial resources and greater legal protections than does WMF in contesting subpoenas of this sort. I strongly disagree with this argument. First, I think that the primary responsibility in protecting free speech rights rests with the host of the content in question (in this case WMF) rather than with the ISPs. Second, many registered users do not use commercial ISPs but rather edit from computers belonging to some businesses, governmental organizations, military, educational institutions, etc. These entities may not be interested, and may not have the necessary resources, in contesting a CyberSLAPP lawsuit subpoena. Also, many IP addresses themselves provide too much identifying information.

Specific form of notification

Based on the Village Pump discussion, I propose an "open notification" model: when a release of user data is requested by a third party subpoena, WMF would place a short notification at the affected user's talk page stating that the user's info is requested by X via a subpoena in a lawsuit Y filed at court Z. (plus maybe a link to the privacy policy and a sentence about how to contact WMF). If a user has an e-mail account associated with their profile, a more detailed notification may be sent there, in addition to the open notification at the talk page. The same if the user info is actually released: an open notification at the talk page and an e-mail, if possible. Most users monitor their own talk pages regularly and should be able to see the notification message quickly and to remove it quickly if they want to. If a few other users see it, I don't see much harm in that either. This way the affected users will, with high degree of certainty, find out when their info is being sought, and will be able to decide if they want to hire a lawyer and contest the subpoena right away, or just start preparing for the future.

The other possibility is a closed notification model where WMF would leave a message at the talk page of the user asking the user to contact WMF "about a legal matter", and then establish some kind of authentication protocol. I think that the open notification model is cheaper, simpler and more effective.

One of the posters in the Village Pump discussion noted that if a notification occurs, the fact that it occurred may also by subject to the discovery motion by a third party. Again, I don't see much harm if the third party in question does find out about the fact that an open notification occurred. If there is some legal downside in this, I'd like for the knowledgeble people with legal training to comment here.

In a sense, an open notification model is fairly consistent with the current internal practices and principles of Wikipedia. Thus, all warning messages from Wikipedia administrators and other users, messages about blocks, messages from the Arbitration Committee, etc, are left at the affected user's talk page, where everyone, who happens to stop by, can see them. Most of the other information about the activities of a particular user, such as that user's contributions and a block log, are openly available as well. Regards, Nsk92 13:05, 10 March 2008 (UTC)

Rearding suggestion (2)

I realize that it is impractical and in fact counterproductive to give a detailed list of circumstances when the user info would be released. However, I think that the current wording of the privacy policy "may be released..." is insufficient. I think that WMF users deserve to know a little more about the general principles used in responding to third-party subpoenas.

One possibility for a policy is that presumptively, all valid subpoenas will generally be complied with to the extent possible, with exceptions in extreme cases. This is certainly a cost-effective and efficient way of dealing with the issue (although I personally hope that a more discriminating approach is taken). It is possible that that is what the current de facto WMF practice is. If yes, then WMF users certainly deserve to know about it.

Another possibility is to say something to the effect that third party subpoenas are evaluated on a case-by-case basis and may be contested for public policy reasons if WMF feels that the underlying lawsuit is a SLAPP lawsuit. (or something like that).

Regards, Nsk92 18:32, 5 March 2008 (UTC)

While it may be accepted by the board to allow individuals to be notified when a subpoena is received, there are situations where not only would informing the individual be irresponsible, but illegal. If we're going to request that the board modify a policy this fundamental, we should take that into account. ~Kylu (u|t) 16:16, 6 March 2008 (UTC)

Yes, sure, I have absolutely no objections to adding some explicit provisors of the type "unless forbidden by law or a court order" or something like that. In fact, I would not mind even having a general exception provision of some sort stating that WMF may waive the notification requirement in exceptional circumstances. Regards, Nsk92 16:30, 6 March 2008 (UTC)

Another possible wrinkle

I suggest that a multistage method of contacting users be attempted. A special committee of users or admins akin to OTRS could be pressed into service to assist in this regard if it is deemed necessary. 1. users should be contacted by email if at all possible 2. If a user has elected to remove the ability for email contact from their account, or never activated it, some effort be made to obtain their email address from their associates and "friends" on WP. I have noticed that often if someone on WP needs to contact someone else who has disabled their email, they just contact the editor's friends on WP, and often someone has the email address, even if it is not generally available on the talk page. 3. If 1 and 2 fail, then put a bland notice on the user's talk page to contact the foundation through login at some special page.

Obviously some simple method of authentication should be adopted so the user sought would have some assurance that it really was the Foundation that wanted to contact him or her, and that the Foundation was reasonably sure that this was the user. The knowledge of the user's password might be deemed enough, or the user's password plus the answer to some "secret question" posed when the account is set up. Of course these measures can be defeated, but they are better than nothing. It is possible that in some cases the user could be contacted through their internet provider, but I would suggest that this be only considered in extreme circumstances and avoided if at all possible for a variety of reasons, including privacy considerations and causing more disruption, even to the point of discouraging users from contributing to WP at all. The importance of having an email account might be stressed when the WP account is established, and an option might be presented where a user could decide if the email account is available through the WP talk page, through the WP talk page and to the foundation, to the foundation only, or not available at all.

Also, putting a notice on the user's talk page might cause their WP friends to email them anyway.

Some of these measures require recoding a bit of software, so are mildly expensive. However there is no need to adopt the full solution immediately, but to set the full solution as a goal to implement eventually, as the software is modified. Less expensive stopgap methods can be adopted before a more extensive solution is available.--Filll 13:31, 8 March 2008 (UTC)

Now that I think about it, I very much like your idea of a "secret question" that is a part of the user profile and is not publicly visible. Indeed, it can be used for a simple one-step authentication procedure when a user contacts WMF. This could make it unnecessary to provide any details about the lawsuit involved at the affected user's talk page, just a general brief message to contact WMF. Regards, Nsk92 19:34, 8 March 2008 (UTC)

Thanks a lot for participating. Let me first make another pitch in favor of the open notification model. The main drawback there is that if a notification message is posted at a user's talk page, somebody else may see it. As I said, I don't see much of a problem with this, provided that these things are specified in the privacy policy up front and people know about them. Yes, some users may not want other WP users to know that they are being targeted in a lawsuit. But making this knowledge public only compromises, to a point, the privacy of the "cyber identity" of the user involved. The privacy consideration of the real life identity are certainly more important, and I think that most people would agree to such a trade-off if the policy is known up front. The only possible exception I can see is if a WP user uses their real name as there user-id or if the real name is mentioned by the user in their user page. It is hard to imagine, however, that if the real name of the user is known, that someone would try to subpoena WMF for that user's info.

Now, regarding your specific suggestions. I very much like your idea of a technological solution (more on this below). I am not sure that trying to go through friends etc is a very practical approach. There are too many variables and subjective judgment calls involved here: who and how decides who is a friend of a particular user, etc, and what and how much to tell them. Also, as a practical matter, this approach would be more labor intensive and costly. I have no idea how many subpoenas for user info WMF receives monthly on average and how much resources they have in responding to them and handling various legal matters. That is why I would prefer a simple and cost-efficient approach.

Regarding the specific suggestion for having an e-mail address, associated with the user account, with several degrees of availability, I like this idea. I do not know how feasible it is technologically and cost-wise, but I hope that WMF will look into it.

In fact, another technological solution could potentially solve most of these problems, namely an equivalent of a "private message". Most discussion boards now have a private message feature when one user may send another user a private message not visible to others, and that the recipient can view from their user profile page. I don't know if it is possible to implement such a feature for WMF projects, such as WP, or if WMF would want to host such private traffic between its users. A more limited possibility is to only enable the private message feature for communications between the user and WMF.

Ultimately, any of the changes discussed here would be an improvement over the status quo. Even if WMF decides, for the time being, to only provide notification by e-mail and only to those users who have e-mail addresses associated with their profiles, that would be much better than the current situation. Regards, Nsk92 15:01, 8 March 2008 (UTC)

I don't plan to spend time here debating the best method of notifying users if their IP information is about to be released. But I strongly agree with Nsk92 that the WMF should make their best effort to notify people with accounts when their IP info is released, and also believe they should notify people with accounts if someone is asking for IP info (even if the WMF plans to fight its release), and finally agree that whatever current policy is (an earlier incident seems to indicate they will, or at least may, release IP addresses without fighting the subpoena), the privacy policy should be made clearer that getting an account does not necessarily protect your IP address as much as the current wording implies. --Barneca 21:18, 9 March 2008 (UTC)

The absolute minimum that the foundation should do is to email users who have email turned on to let them know a subpoena has been filed by someone requesting their IP or any other information associated with their account. Naturally when the demand for info is from the U.S. government and the disclosure of the demand is illegal, that is a different matter. But for ordinary subpoenas there should be prompt notification, which apparently was not done in the recent case as discussed at Village Pump. 24.12.175.26 21:51, 9 March 2008 (UTC)

When signing up, for example with wikipedia a user is only told "Before choosing a username please understand that all contributions are permanently recorded, searchable by username (see Help:User contributions), and publicly visible in the history of any page you edit." Thats it. No mention of the privacy policy. No mention of the IP address the way way Wikia will track/connect a username to an IP address and let certain users (check user etc.) view it. The user at no time is even informed of the existance or asked to accept the privacy policy.

The privacy policy is extremely important because a registered user, through no fault of their own, could have their IP address publicly exposed: "When using a pseudonym, your IP address will not be available to the public except in cases of abuse, including vandalism of a wiki page by you or by another user with the same IP address.".

Having a link to privacy policy at the bottom is really not good enough, its not even clear when you are on wikipedia that you are in any way agreeing to a wikimedia privacy policy. The account creation screens should contain a clear warning: "Wikimedia may collect and use your information as per the Privacy Policy. Please read it for more information." --155.144.251.120 03:13, 20 March 2008 (UTC)

I agree. I think the privacy warnings of the type discussed in the above post should be given more prominently and more explicitly when new users sign up. Similarly, I also agree that a link to the privacy policy needs to be much more prominently displayed on the sign-up screen. Regards, Nsk92 12:51, 21 March 2008 (UTC)

RE: "It is requested that this notice be translated and moved to the Wikimedia Foundation site, from which it is linked from the footer (MediaWiki:Copyright) of every page." Same text is at wikimedia:Privacy_policy. It looks like that should read MediaWiki:Privacypage --mikeu 19:05, 27 March 2008 (UTC)

If I understand correctly, the Wikimedia policies like the privacy policy are GFDL-licensed, so I believe that Wikimedia will not feel angry if I copy them taking care to delete references to Wikimedia and its project and replace them with mine. Correct me if I am wrong. NerdyNSK 23:46, 17 October 2008 (UTC)

Are login cookies attached to ip address, used to track click streaming etc, most sites do this and there fore i do not cnotribute nor accept cookies from them. I feel my clicks should never be an endorsement for any page or practice just beacause i was momentarily interested.

Rumor at Wikiscanner article talk page is there is a new one on the way to replace this outdated one. So two questions I'd like answers to and should be inpolicy here and at WP:harassment are:

• If one suspects people are editing from work to take out negative info about a person or other topic, is it acceptable to warn people on the talk page in general about existence of wikiscanning and that it has been used in past to reveal WP:COI partisans removing negative info on their employers. Frankly, I mentioned it generally once recently after noticed all the 2007 corporate edits on a certain law and suddenly most of the repeated Anon IP deletions of WP:RS material about the topic stopped. So guidance on whether to mention wikiscanning in general as a preventative measure when this kind of whitewashing obviously is happening would be helpful.
• I assume one cannot say editor XXX's edit against such and such info came from YYY Company/Activist group's IP that doesn't want that info in there. But since this material has ended up in the media, it's hard to keep it off talk pages. Clarifying the policies before new wikiscanner gets going would help. Thanks Carolmooredc 17:07, 10 November 2008 (UTC) Carolmooredc

This is a wikiarticle of a caliber like I have never seen in wikipedia... It is a model article for wikipedia but unfortunately it is not even in wikipedia. This must change. http://www.psychwiki.com/wiki/The_Schachter-Singer_Theory_of_Emotion--Nonymous-raz 07:29, 20 December 2008 (UTC)