Community Wishlist Survey 2022/Anti-harassment/Access log of oversighted contents

Access log of oversighted contents

  • Problem: Oversighted revisions often contain non-public personal information, which can be accessed to arbitrarily by oversighters. There is a risk of oversighters being bribed to search for oversighted information, in order to dox someone.
  • Proposed solution: Each access to oversighted contents should generate a private log entry, and thus abnormal information collections could be detected. It's not applied to recent oversighted contents for review convenience.
  • Who would benefit: People who have personal information oversighted.
  • More comments:
  • Phabricator tickets:
  • Proposer: Lt2818 (talk) 15:23, 14 January 2022 (UTC)Reply[reply]


  • I agree. However, I think that checkuser log, and oversight log should be publicly logged in order for normal users to find abnormal actions of the checkuser or the oversighters. Thingofme (talk) 15:33, 15 January 2022 (UTC)Reply[reply]
    That request is not feasible under the privacy policy today. Izno (talk) 00:23, 17 January 2022 (UTC)Reply[reply]
  • IP access is soon going to be logged, so this seems like a reasonable request. Pretty sure it's not what I would want the team to spend time on though. --Izno (talk) 00:22, 17 January 2022 (UTC)Reply[reply]
    And maybe, logging any deleted view access? I still do not think arbitrary people would be able to see the logs per the privacy policies... that said, not sure of the size of this request. Izno (talk) 00:24, 17 January 2022 (UTC)Reply[reply]
    @Izno I don't think logging any deleted views would be useful, since they don't generally contain any sensitive data (unlike oversighted material and IP addresses after they are masked). ~~~~
    User:1234qwer1234qwer4 (talk)
    20:14, 7 February 2022 (UTC)Reply[reply]
  • A public OS log would not be permitted - and at times would be actively counterproductive. In regards to Thingofme's comment, a public CU log would be catastrophically counterproductive - think how orangemoody would have done if the editors in question could have known the noose was tightening. Nosebagbear (talk) 13:15, 18 January 2022 (UTC)Reply[reply]
The CUs on enwiki have explained quite well why the CU log is private: they check some accounts and decide that there was a violation. They then check all the accounts' IP addresses to look for additional socks, and any account they find on the said IPs for confirmation that it is in fact a sock (and frequently decide some aren't). If the check log were public, that would be a huge amount of private data revealed to the public. 18:52, 22 January 2022 (UTC)Reply[reply]
Could you give an example of such private data? ··gracefool 22:13, 4 February 2022 (UTC)Reply[reply]
yeah, sure... /s ~~~~
User:1234qwer1234qwer4 (talk)
20:11, 7 February 2022 (UTC)Reply[reply]
  • In case of legal need, I am pretty sure HTTP access logs already allow WMF or legal authority to check all log accesses. -- Pols12 (talk) 13:44, 29 January 2022 (UTC)Reply[reply]
    I'm not sure how long the HTTP access logs are kept. This proposal will let other volunteers (oversighters & stewards) be aware of permission abuse, before a WMF investigation. Lt2818 (talk) 16:05, 29 January 2022 (UTC)Reply[reply]
  • To respond to those saying we should "trust functionaries" - that attitude is simply naive. "Who watches the watchmen?" It's a basic principle of human nature that oversight needs oversight. Everyone needs accountability, no-one is perfectly trustworthy, and even if they were, it doesn't hurt to prove it. ··gracefool 22:13, 4 February 2022 (UTC)Reply[reply]
    We should trust them, because they have got to where they are by showing that they are suitable for the role by many years of work and have earned the trust granted to them over years, and often more than a decade of service. They will have been through community approval (such as Request for Adminship), likely several times over. Their real identities are all known by the WMF as well. Mako001 (talk) 03:16, 5 February 2022 (UTC)Reply[reply]
    I don't think access logs imply distrust of functionaries, but just in case. Do you think CU logs are unnecessary too? Lt2818 (talk) 05:10, 5 February 2022 (UTC)Reply[reply]
    This, essentially. It's not like there haven't been cases of CU abuse/misuse either, and viewing oversighted material certainly has potential for abuse. ~~~~
    User:1234qwer1234qwer4 (talk)
    20:22, 7 February 2022 (UTC)Reply[reply]


  •   Support --NGC 54 (talkcontribs) 22:55, 28 January 2022 (UTC)Reply[reply]
  •   Oppose OOS for Community Wishlist, why not just report via ca for abusing of Oversight rights? --Liuxinyu970226 (talk) 07:50, 29 January 2022 (UTC)Reply[reply]
  •   Support After my edit suggestion, I think I do not understand about the proposal. It would mean to limit the abuse, with the abuse reported to ca Thingofme (talk) 14:09, 29 January 2022 (UTC)Reply[reply]
  •   Support As a rule, where abuse is possible some method of review/oversight should be available. François Robere (talk) 11:56, 30 January 2022 (UTC)Reply[reply]
  •   Oppose Per Liuxinyu. If we can't trust functionaries then no one else. NguoiDungKhongDinhDanh 12:01, 30 January 2022 (UTC)Reply[reply]
  •   Oppose Per Liuxinyu --g (talk) 14:51, 30 January 2022 (UTC)Reply[reply]
  •   Oppose Do we trust people chosen by ourselves or not? --L736Etell me 15:07, 30 January 2022 (UTC)Reply[reply]
  •   Oppose Liuxinyu said well. --LittleWhites (talk) 15:12, 30 January 2022 (UTC)Reply[reply]
  •   Oppose Hors sujet Bub's (talk) 20:35, 30 January 2022 (UTC)Reply[reply]
  •   Support Theamigakiller (talk) 09:00, 31 January 2022 (UTC)Reply[reply]
  •   Support JuanGLP (talk) 15:02, 31 January 2022 (UTC)Reply[reply]
  •   Support XavierItzm (talk) 20:07, 1 February 2022 (UTC)Reply[reply]
  •   Support I think it can be usefull.--Andriy.v (talk) 23:53, 1 February 2022 (UTC)Reply[reply]
  •   Support KingAntenor (talk) 05:59, 2 February 2022 (UTC)Reply[reply]
  •   Support ··gracefool 21:45, 4 February 2022 (UTC)Reply[reply]
  •   Support ·addshore· talk to me! 22:37, 4 February 2022 (UTC)Reply[reply]
  •   Support Mere good sense. - Darwin Ahoy! 01:56, 5 February 2022 (UTC)Reply[reply]
  •   Oppose This and any derivative of it, would, first, risk undermining the privacy policy (and could actually expose the WMF to legal issues). Second, functionaries have got to where they are by years of valuable contributions, and have earned the community trust over many years. They will have been in the hotseat to obtain community approval several times, and are by far the most universally trusted users. This is at best, unnecessary, and at worst, harmful. Mako001 (talk) 03:26, 5 February 2022 (UTC)Reply[reply]
  •   Support Ayumu Ozaki (talk) 23:45, 5 February 2022 (UTC)Reply[reply]
  •   Support --Ciao • Bestoernesto 02:31, 6 February 2022 (UTC)Reply[reply]
  •   Oppose for the privacy reasons raised above, but also because we don't need our CUs hesitating over every action in case they get dragged to some noticeboard by a disgruntled troll. SpinningSpark 12:48, 6 February 2022 (UTC)Reply[reply]
  •   Support Trust is good, control is better Bas dehaan (talk) 23:08, 6 February 2022 (UTC)Reply[reply]
  •   Support I'm surprised this doesn't exist yet. A private list that logs views of oversighted data makes sense for the same reason that a private list of CU views. There have been cases of checkusers loosing the tools because of misuse, so the argument that no-one needs to watch the watchmen doesn't apply even in practice. Uanfala (talk) 15:47, 7 February 2022 (UTC)Reply[reply]
  •   Support I was quite surprised recently when I found out that this didn't exist yet, and Uanfala pretty much sums up what I was going to say. Also, "no need to watch the watchmen" is objectively not consistent with procedures of projects having an arbcom or comparable institution. ~~~~
    User:1234qwer1234qwer4 (talk)
    20:30, 7 February 2022 (UTC)Reply[reply]
  •   SupportTheDJ (talkcontribs) 22:02, 7 February 2022 (UTC)Reply[reply]
  •   Support a private log of views of OS data. We have had cases of private information misuse by editors in very high positions in the past. A tool for accountability is not the same thing as distrust. — Bilorv (talk) 12:29, 9 February 2022 (UTC)Reply[reply]
  •   Support Prawdziwy Mikołajek (talk) 17:39, 9 February 2022 (UTC)Reply[reply]
  •   Support Sunpriat (talk) 22:55, 10 February 2022 (UTC)Reply[reply]
  • I can't tell whether this is suggesting that the log (including info on if a lookup happened at all, not just the contents) would be only visible to the relevant functionaries. If so, then   Support and I'm also surprised this doesn't already exist. --Yair rand (talk) 23:39, 10 February 2022 (UTC)Reply[reply]
  •   Oppose We trust our institutions for a reason ;). Nadzik (talk) 13:54, 11 February 2022 (UTC)Reply[reply]