Draft Privacy Policy June 2008

All comments should be left on the talk page.

Privacy Policies for Wikimedia Foundation Projects edit

The purpose of this document is to outline the privacy policies of the Wikimedia Foundation (WMF) and the philosophy that underlies those policies.

I. Preamble. edit

To understand the Wikimedia Foundation's privacy policies, it helps to review the characteristics that WMF projects have in common. Specifically, WMF projects are massive multiuser collaborations whose purpose is to encourage the development of free-content educational and informational resources that may be created, used, and reused by the entire human community. At their heart, these projects are primarily organized and maintained by volunteer communities of users who share a core set of values; freedom, accessibility and quality, independence, commitment to openness and diversity, transparency, and community itself are among these values. Other values held by the community may be in tension with one another -- for example, while the projects to some degree favor accountability of creators and editors, our communities have also long held that anonymous and pseudonymous creators should be accommodated as well. How can anonymity and pseudonymity be balanced with accountability? The WMF privacy policies reflect an ongoing effort by the WMF Board, in collaboration with the communities of users, to strike the right balance.

II. Contributing To A Project -- Identity Issues. edit

One of the guiding principles of WMF projects is that everyone can contribute to a project through editing. Nobody has to log in or register in order to edit a project. All major projects of the Wikimedia Foundation are collaboratively developed by its users using the MediaWiki software. All contributions are licensed under the GNU Free Documentation License (Only a few project use different licenses, as Wikinews for example, which is licensed under Creative Commons Attribution 2.5), meaning that their content may be freely used, freely edited, freely copied and freely redistributed subject to the restrictions of that license. (See http://wikimediafoundation.org/wiki/Our_projects).

III. Editing Histories and Registered and Unregistered Users. edit

Another of the guiding principles is that the history of contributions by editors (whether self-identified, pseudonymous, or anonymous) is preserved indefinitely. This is a choice we have made in order to enable our communities to build reputation systems among editors and to enable editors to qualify over time for administrative positions and privileges. Editors with administrative privileges are a critical safeguard that enable communities to improve the quality of project entries and to counter vandalism and other problems.

Edit histories are part of the public records of WMF projects. If you contribute to the Wikimedia projects, you are creating a publicly accessible record of every word you add, subtract, or change. When you edit any page in the wiki, you are in effect, publishing a document. This is a public act, and (to the extent you supply any identifying information in the course of your edit) you are identified publicly with that edit as its author.

Both registered and unregistered users can edit entries in WMF projects. To promote open communication among users and to promote the accountability of the Wikimedia projects, you are encouraged but not required to register with your real name. Nevertheless, because we recognize that in many cases the use of your real name may hinder free and open discussion in certain contexts, you may register instead with a pseudonym.

Whether you register with your real name or with a pseudonym, you should note that registered users may gain more access to the Wikimedia projects. For example, only registered users can create a new page on the English language Wikipedia. (See: http://en.wikipedia.org/wiki/Wikipedia:User_access_levels.)

If you are registered, you may have a user page, on which you can add further information about yourself. A typical URL (for "uniform resource locator") of your user page will be the URL of the project, followed by your username (for example: http://en.wikipedia.org/wiki/User:Username). Your user page is also a wiki that is released under the same license of the project you contribute to, and its content may be freely used, edited, copied and redistributed subject to the restrictions of that license.

If you are registered, when you edit a page in the wiki, you may be logged in or not. If you are logged in, your contribution will be identified by your user name. If you are not registered, or if you are registered but choose not to log in for an edit, your contribution will be identified by your network IP address (a series of four numbers that identifies the Internet address from which you are contacting the wiki).

IV. Reputation Systems and Community Governance. edit

As we have said, Wikimedia projects are primarily run by users. Although contributions from both registered and unregistered users may be equally valuable, WMF project governance relies on a reputation system that is largely based upon the history of registered users who are at least willing to provide either an identifiable real name or a consistent pseudonym. Within this reputation system, part of the responsibility for maintaining users' reputational integrity necessarily lies with the users themselves. Consider passwords, for example. Strong user passwords are a primary guarantee of the integrity of a user's edit history. You are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly.

Another part of maintaining user reputational integrity is the volunteer system of governance over the WMF projects. As we have noted, WMF projects are primarily run by volunteer contributors. Some dedicated users are chosen by the community to be given privileged access and greater authority to govern these projects. As a Wikipedia user, for example, your level of access to Wikipedia is determined by your presence in various 'user groups', which can be found on http://en.wikipedia.org/wiki/Wikipedia:User_access_levels. Because some users have access to nonpublic data, the Foundation has a general “Access to Nonpublic Data Policy” that requires these users to identify themselves to the Foundation with satisfactory information. The identifying information these users disclose to the Foundation is treated as confidential and nonpublic information. (See the Access to Nonpublic Data Policy at http://wikimediafoundation.org/wiki/Access_to_nonpublic_data_policy.) Aside from this general policy, to combat vandalism the CheckUser policy (http://meta.wikimedia.org/wiki/CheckUser) gives certain users access to the IP addresses of logged-in users. The release of these personally identifiable information to third parties can only be done in accordance with this Policy (see below).

V. How Long Will Published Information Be Stored? edit

It's best to assume that any edits or other contributions you make to a WMF project will be retained forever. This includes articles, User pages and Talk pages. Removing text from a WMF project does not permanently delete it. Normally, in WMF project articles, anyone can look at a previous version and see what was there. Even if an article is "deleted", a user who is entrusted with "administrator" access may still see what was removed from public view. Information can be permanently deleted by those individuals with access to WMF servers, but aside from the rare circumstance when the Foundation is required to delete editing-history material in response to a court order or equivalent legal process, there is no guarantee any permanent deletion will happen.

Nor is editing-history information the only material that is retained over time. User contributions are also aggregated and publicly available. User contributions are aggregated according to their registration and login status. Data on user contributions, such as the times at which users edited and the number of edits they have made, are publicly available via "user contributions" lists, and in aggregated forms published by other users. (See http://meta.wikimedia.org/wiki/User_contributions.)

VI. Removal of User Accounts. edit

Once created, user accounts will not be removed. It may be possible for a username to be changed, depending on the policies of the project to which you contribute. The Wikimedia Foundation does not guarantee that a username will be changed on request.

VII. Being Active in WMF Projects – General Privacy Expectations. edit

Users may interact with Wikimedia projects in a variety of ways, with a range of degrees of engagement. This section outlines generally what kinds of ways you may interact with WMF projects and the associated communities, and what general privacy expectations you may associate with these interactions. (These privacy expectations are explored in more detail in Sec. IX below.) In general, you may be doing the following things on Wikimedia projects:
A. Browsing: You may simply browse the wiki pages on Wikimedia projects just the way you browse all other online resources.
B. Editing: You may take a step further to contribute to the wiki pages. You may do so with a registered username or may remain unregistered. If you are registered and logged in, your username will be shown as the author of the edit in the history of the page. If you are registered but are not logged in when making edits, or if you are unregistered, your edits will be identified by your network IP address. Note that your IP address can be used to identify your internet service provider (ISP) and, with the cooperation of your ISP, can be used to identify your computer.
C. Participating in discussions: You may also interact with other users by participating in various channels of discussion.
1. Wiki Discussion pages: On each wiki page there is a Discussion page on which you can post concerns and ideas of the subject and open them for discussion before developing an actual edit to include in the main page.
2. Private email: If you are a registered user, you may provide your email address in your Preferences and enable other logged-in users to send you email through the wiki.
3. Mailing lists: You may subscribe to any of the project mailing lists (http://meta.wikimedia.org/wiki/Mailing_lists/overview).
4. Information email addresses: Wikimedia projects are mostly run by users. A smaller group of users who monitor one project may utilize an Open-Source Ticket Request System (OTRS) to communicate with other contributors. Addresses that direct to the ticket system include:

   * info-de AT wikipedia DOT org
   * info-es AT wikipedia DOT org
   * info-fr AT wikipedia DOT org
   * info-it AT wikipedia DOT org
   * info-nl AT wikipedia DOT org
   * info-pl AT wikipedia DOT org
   * info AT wikimedia DOT tw
   * wikinews AT Wikimedia DOT org
   * info-en-c AT wikimedia DOT org
   * info-en AT wikiquote DOT org 

5. Internet Relay Chat (IRC): You may participate in the various IRC channels (http://meta.wikimedia.org/wiki/IRC_channels) to discuss issues with other users on the channel. While IRC channels are not officially part of Wikimedia proper, users on the Channel should still respect user-generated IRC related guidelines (e.g. IRC guidelines: http://meta.wikimedia.org/wiki/IRC_guidelines) to enhance the quality of the communication.

At its April 2008 meeting, the Wikimedia Foundation Board of Trustees adopted the following resolution regarding data retention policy (http://wikimediafoundation.org/wiki/Resolution:Data_Retention_Policy):

"Resolved, the Wikimedia Foundation Board of Trustees, consistent with its long-standing commitment to minimizing the data retention of users and editors, adopts the policy of retaining the least of amount personally identifiable information consistent with maintenance of its services, with its privacy policy, or as required by state or federal legal provisions under United States of America law."

This resolution supersedes any prior inconsistent data-retention or data-release policy of the Wikimedia Foundation, and all policy on the retention and release of data must be interpreted in a manner consistent with this resolution.

VIII. Why is User Information Ever Collected? edit

This section explains the purposes of the collecting of (limited) personally identifiable data. Consistent with its long-standing commitment to minimize the data retention of users, the Foundation collects and retains the least amount of personally identifiable information of each individual user, only to the extent that it fulfills the operational needs and legal obligations of the Foundation. In general, the Foundation limits the collection of personally identifiable data to fulfill the purposes that serve the well-being of WMF projects, including but not limited to the following:

A. To enhance the accountability of WMF projects. The Wikimedia Foundation recognizes that any system that is open enough to allow the greatest possible participation of the general public will also be vulnerable to certain kinds of abuse and counterproductive behavior. The Foundation and the Wikimedia communities have established a number of mechanisms to prevent or remedy abusive activities in WMF projects. For example, when investigating abuse of a wiki, including the suspected use of malicious “sockpuppets” (duplicate accounts), vandalism, harassment of other users, or disruption of the wiki, the IP addresses of users, derived either from those logs or from records in the database may be used to identify the source(s) of the abusive behavior. This information may be shared by users with administrative authority who are charged by their communities with protecting the projects.

B. To provide site statistics. The Foundation statistically samples raw log data from users' visits. These logs are used to produce the site statistics pages; the raw log data is not made public.

C. To solve technical problems: Log data may be examined by developers in the course of solving technical problems and in tracking down badly-behaved web spiders that overwhelm the site.

IX. Details of Retention of Private Information – General Information. edit

As we have noted in Sec. VII above, different activities may be associated with different privacy expectations. Sec. VIII above outlines the policy reasons that may justify collection of user data. The following sections are designed to go into greater detail about the specifics of the user data that may be collected. In general, we begin by asking "What kind of personally identifiable data will or will not be collected, and for how long will such data be retained?" The answer varies according to what kind of activity is being discussed. In this section we would like you to first note the two kinds of information that may be collected in any of your activities on Wikimedia projects.

A. Cookies:

The wiki will set a temporary session cookie (PHPSESSID) whenever you visit the site. If you do not intend to ever log in, you may deny this cookie, but you cannot log in without it. It will be deleted when you close your browser session.

More cookies may be set when you log in, to avoid typing in your user name (or optionally password) on your next visit. If you choose to save your username and password on your terminal, that information will be saved for up to 30 days, and these information will be resent to the server every time you visit the same webpage. If you are using a public machine and do not wish to expose your username to future users of the machine, you may clear these cookies after use. (If so, clear the browser cache as well.)

B. IP addresses and other personally identifiable data:

Every time you visit a web page, you send a lot of information to the web server. Most web servers routinely maintain access logs with a portion of this information, which can be used to get an overall picture of what pages are popular, what other sites link to this one, and what web browsers people are using. It is not the intention of the Wikimedia projects to use this information to keep track of legitimate users.

Here's a sample of a user's raw log data for one page view:

64.164.82.142 - - [21/Oct/2003:02:03:19 +0000]
"GET /wiki/draft_privacy_policy HTTP/1.1" 200 18084
"http://en.wikipedia.org/wiki/Wikimedia_projects:Village_pump"

"Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/85.7 (KHTML, like Gecko) Safari/85.5"

These logs are not produced for every single visit, but are only sampled statistically. The raw log data is kept indefinitely, but is not made public.

X. Details of Retention of Private Information – Browsing and Editing in WMF Projects. edit

Wikimedia projects collected only limited personally identifiable data for a limited period of time. To be more specific, the kinds and ranges of your personally identifiable data may vary according to the different activities you participate in Wikimedia projects. With regard to browsing and editing WMF projects, for example, there are a number of factors that should inform your privacy expectations:

A. Browsing.
If you only read the Wikimedia project websites, no more information is collected than is typically collected in server logs by web sites in general. Aside from the above raw log data that are collected for general purposes, simply visiting the web site does not expose your identity publicly. The above sampled raw log data may happen to record the IP address of any user, but it is not reproduced publicly.

B. Editing.
When editing a page on Wikipedia projects, your edits will be identified with your username or your network IP address, and your editing history will be aggregated in a contribution list. You should consider that such information will be available permanently on Wikimedia projects. The kind of information that is available will normally depend on whether you are a logged-in registered user or an "anonymous" user (that is, either a registered user who hasn't logged in, or an unregistered user).
1. Logged in registered users:
When you log in with a pseudonym, your IP address will not be available to the public except in cases of abuse, including vandalism of a wiki page by you or by another user with the same IP address. In all cases, your IP address will be stored on the wiki servers for a period of time and during that time can be seen by Wikimedia's server administrators and by users who have been granted "CheckUser" access.
Your IP address, and its connection to any usernames that share it may be released under certain circumstances (see below). If you use a company mail server from home or telecommute and use a DSL or cable Internet connection, it is likely to be very easy for your employer to identify your IP address and find all of your IP-based Wikimedia project contributions. Using a user name is a better way of preserving your privacy in this situation. However, remember to log out or disconnect yourself after each session using a pseudonym on a shared computer, to avoid allowing others to use your identity.
2. Unlogged-in registered users and unregistered users (a.k.a. "anonymous" users):
If you have not logged in, you may be identified by your network IP address. Depending on your connection, the IP address may be traceable only to a large Internet service provider, or specifically to your school, place of business, or home. It may be possible that the origin of this IP address could be used in conjunction with any information you express implicitly or explicitly by editing articles in a way that allows you -- even as an "anonymous" user -- to be identified by a third party. It may be either difficult or easy for a motivated individual to connect your network IP address with your real-life identity.

XI. Details of Retention of Private Information -- Discussions on Talk Pages and Outside WMF Projects. edit

For many individuals, browsing WMF projects and editing their content is their primary experience with these projects. But WMF projects have also given rise to many discussion forums, including User pages, Talk pages, email (including mailing lists), and live interactive discussions (such as Internet Relay Chat, also known as IRC). Depending on which type of forum you use, your personally identifiable information may become known to other users in various ways, and the length of time such information may remain available to other users may vary.

A. Wiki Discussion Pages (Including Talk and User Pages).

Because wikis are themselves designed to promote collaboration, any generally editable wiki page can theoretically be the location of a discussion, but in general discussions on WMF projects occur primarily in the User pages (associated with particular users), in the Talk pages (associated with particular articles) or in pages specially designated to function as forums (e.g., the Village Pump). The primary thing to remember is that discussion pages are essentially wiki pages as well, which means that all the privacy expectations we noted earlier for editing will also apply here. Your participation in a discussion page will be shown and recorded in just the same way that edits relating to a wiki article page are shown or recorded. The details of your personally identifiable information may be recorded from participation in wiki pages are discussed in Section IX above.

B. Private email.

You are not required to list any functioning email address when you register as a WMF project user. If, however, you provide your email address in your User preferences, you can enable other logged-in users to send email to you through the wiki. When you receive an email from other logged-in users, your email address will not be revealed to them unless you respond, or possibly if the email bounces. The email address you put into your User preferences may be used by the Wikimedia Foundation to communicate with you on the (rare) occasions when the Foundation emails users on a wider scale.

If you do not provide an email address, you will not be able to reset your password if you forget it. In such a situation, however, you may be able to contact one of the Wikimedia server administrators to enter a new mail address in your preferences. You can remove your email address from your preferences at any time to prevent it being used.

When corresponding with other users via private emails, your messages and email address may be saved by your correspondents and any email service they use and may remain available to them until such information is deleted.

C. Mailing lists.

If you subscribe to one of the project mailing lists, the email address you use to subscribe to that list will be exposed to any other subscriber. The list archives of most of Wikimedia's mailing lists are public, so your email address may be searchable on the Web, and your address also may find itself quoted in messages. The list archives are also archived by Gmane and other services. You should consider that any email addresses you use, as well as any messages you send to a mailing list, may be archived and may remain available to the public permanently.

D.Information email addresses.

Some email addresses (see below) may forward mail to a team of volunteers trusted by the Foundation to use a ticket system, such as OTRS, to view them and answer them. Mail sent to the system is not generally publicly visible, but is visible to a select group of Wikimedia volunteers. By sending a mail to one of these addresses, your address may become "public" within this group. The ticket system team may discuss the contents of your mail with other contributors in order to best answer your query.

Mail to private addresses of members of Board of Trustees and the staff of the Foundation may also be forwarded to the OTRS team.

Your messages and email address may be saved by members of the respective OTRS team and any email service they use and may remain available to them before they are deleted.

E. IRC (Internet Relay Chat).

IRC channels are not officially part of Wikimedia proper and are not operated on the Wikimedia server. Although over time Wikimedia users have developed some guidelines regarding what is considered as good behavior on IRC, these are only for reference and cannot be considered as official WMF policies for each channel. By participating in an IRC channel, your IP address may be exposed to other participants. Your privacy on each channel can only be protected according to the policies of the respective channel, which may differ from one channel to another. Different channels have different policies on whether logs may be published.

XI. WMF Policy on Data Retention and Release of Private Data. edit

A. Policy on Release of Data.

Wikimedia will not sell or share private information, such as email addresses, with third parties, unless you agree to release this information, or it is required by law to release the information.

It is the policy of Wikimedia that personally identifiable data collected in the server logs, or through records in the database via the CheckUser feature, may be released by the system administrators or users with CheckUser access, in any of the following situations:
1. In response to a valid subpoena or other compulsory request from law enforcement,
2. With permission of the affected user,
3. To the chair of Wikimedia Foundation, the Foundation's legal counsel, or the chair's designee, when necessary for investigation of abuse complaints,
4. Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues,
5. Where the user has been vandalizing articles or persistently behaving in a disruptive way, data may be released to a service provider, carrier, or other third-party entity to assist in the targeting of IP blocks, or to assist in the formulation of a complaint to relevant Internet Service Providers,
6. Where it is reasonably necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public.

Wikimedia policy does not permit public distribution of such information under any circumstances, except as described above.

B. Policy on Access to Personally Identifiable Data.

In general, the personally identifiable information of any ordinary user of a WMF Project is only available to another ordinary user of a WMF project if the first user has deliberately made that information available. Privileged users, such as administrators, may have more potential access to other users' personally identifiable data as a function of the administrative or oversight roles they play within the WMF projects and associated volunteer communities. These users normally gain their privileged access as a result of selection by the volunteer communities; more rarely, they may be given access as a function of a staff position or other special role within the Foundation. These users may have access to personally identifiable data that is not available to the public, which includes 1) user's IP address and 2) other personally identifiable information of a person that was made public by a third person and is expunged from any form of usual access. For example, users with 'Steward', 'CheckUser,' or 'Oversight' access may have access to one or more kinds of personally identifiable information. All users who have privileged access to nonpublic data must use such information with care and only for the wellbeing of the Wikimedia projects. Privileged users must comply with the Foundation policy on Access to Nonpublic Data. Privileged users who have access to personally identifiable information must comply with the provisions of this Privacy Policy.

C. Types of Privileged Users.

Among the categories of privileges users are:

1. Community-elected administrators. Wikimedia projects are mostly run by users, and more devoted users may be elected from and by the international community of the Wikimedia projects to manage user rights and fill requests on and from all Wikimedia wikis.
2. WMF-authorized administrators. The Foundation operates the platforms and infrastructure of the WMF projects. For the wellbeing of these projects, the Foundation may designate individuals with certain roles and responsibilities that involve access to personally identifiable information. For example, several of the Wikimedia developers with root access to the Wikimedia servers are granted permissions without using the normal approval channels, as the rights they entail are merely safer or more efficient alternatives to modifying the database directly. Some developers, for example, may have 'steward' rights although they were not elected.
3. Other authorized administrators. Some administrators may have the authority to grant other contributors the right of access to certain nonpublic information to perform certain administrative responsibilities. For example, 'Stewards' may grant CheckUser status to other volunteers to help combat vandalism.

D. Third-Party Access and Notifying Registered Users When Receiving Legal Process.

As a general principle, the access to, and retention of, personally identifiable data in all WMF projects should be minimal and should be used only internally to serve the well-being of the projects. Occasionally, however, the Foundation may receive a subpoena or other compulsory request from a law-enforcement agency or a court or equivalent government body that requests the disclosure of information about a registered user. On such occasions, the Foundation may be compelled by law to comply with the request. In the event of such a legally compulsory request, the Foundation will attempt to notify the affected user within three business days after the arrival of such subpoena by sending a notice by email to the email address (if any) that the affected user has listed in his or her user preferences.

If you receive such notification, the Foundation cannot advise you regarding the law or an appropriate response to a subpoena. The Foundation does note, however, that you may have the legal right to resist or limit that information in court by filing a motion to quash the subpoena. Should you wish to oppose a subpoena or other compulsory requests, you should seek legal advice concerning applicable rights and procedures that may be available. If the Foundation receives a court-filed motion to quash or otherwise limit the subpoena as a result of action by you or your lawyer, the Foundation will not disclose the requested information until Wikimedia receives an order from the court to do so.

Registered users are not required to provide an email address. However, when an affected registered user does not provide an email address, the Foundation will not be able to notify the affected user in private email messages when it receives request from law enforcement to disclose personally identifiable information about the user.

XII. Disclaimer. edit

The Wikimedia Foundation holds that maintaining and preserving the privacy of user data is an important value. This Privacy Policy, together with other policies, resolutions, and actions by the Foundation, represents a committed effort to safeguard the security of the limited user information that is collected and retained on our servers. Nevertheless, the Foundation cannot guarantee that your user information will necessarily remain private. We acknowledge that, in spite of our committed effort to protect private user information, determined individuals may still develop various data-mining and other methods to uncover such information and disclose it. For this reason, the Foundation can make no guarantee against unauthorized access to any information you may provide in the course of participating in WMF projects or related communities.