Draft Privacy Policy June 2008/Collaboration

The purpose of this document is to outline the privacy policies of the Wikimedia Foundation (see also explanatory material).

Private information edit

This policy primarily covers certain personally identifying information collected or stored by the Foundation in relation to the wikis and communities hosted on Wikimedia servers, that is not public upon creation and not intended by the Foundation to be made public, or which (if posted publicly) has been removed to a point where ordinary users and administrators are unable to view it. Examples include IP and other technical information derived from server logs, most OTRS and certain other emails, password and email address settings for a user account on a hosted wiki, and oversighted (but not ordinarily deleted) content. (definition needed - stab taken)

Consistent with the Data Retention Policy, the Wikimedia Foundation collects and retains the least amount of personally identifiable information needed to fulfill the operational needs and legal obligations of the Foundation and counter abuse.

Note that a large number of administrators have the ability to hide, restore and review hidden edits, using a tool known colloquially as "deletion". A public post does not become "private" merely through ordinary administrative deletion, and this policy does not apply to edits hidden by means of ordinary administrative deletion. (By contrast, this policy does apply to correctly oversighted edits.)

Collection of information edit

Private information may come to be stored on WMF servers or held by the Foundation and its staff and appointees in a variety of ways - as system logs created automatically upon use of the web server, by private account settings or voluntary communications, by public readable posts and activities, by unsolicited edits, and by information or conclusions by other users that result in edits or actions on a WMF wiki.


means of user interaction
A variety of means exist by which members of the public may interact with each other and with the various projects and the Foundation, on systems whose infrastructure is provided by the Foundation. These include (but are not limited to), browsing and editing Foundation hosted wikis, use of the wiki "email user" function, subscribing and posting to Foundation hosted email lists, and corresponding with volunteers via the Foundation's ticketing system ("OTRS").
Users may also interact by other means which do not involve storage or holding of personally identifying information by the Foundation, including (but not limited to) privately sent emails, posts on other websites and social networking sites, instant messenger and text chat (including chatting via Internet Relay Chat, or "IRC"; note that IRC channels are not the formal responsibility of the Foundation nor does the Foundation host these or regulate their usage or 'logging'), voice communication and telephone, or in-person dialog. In general, this policy only applies to private information stored or held by the Foundation. Many of these may reveal your IP address (and possibly other personal information) indiscriminately, when you interact. Users wishing to use private methods of communication should assess the information provided, their understanding of the risks, and their own need for privacy, before using these or other methods of communication.
public nature of wiki editing
Anyone with internet access and who is not restricted from doing so, may edit the publicly editable pages of these sites, and these edits form part of the history of the project. By doing this, you are in effect creating a published document, and a public record of every word you add, subtract, or change. This is a public act, and (to the extent any identifying information exists) you are identified publicly with that edit as its author. All contributions made to a Foundation wiki and all publicly available information about those contributions, are irrevocably licensed and may be freely copied, freely quoted, and freely reused and freely adapted by third parties with few restrictions.
Users should assume that all edits, and most information about the creation of those edits, will be indefinitely accessible and may be read by anyone. Generally only the most recent version of a page to have been "indexed" will be returned when using a search engine. Historical revisions of pages are tagged by the Wikimedia web servers as "not to be indexed or followed" by popular search engines or web spiders, and will soon cease to be shown in many search engines when the page is updated. However they will still be visible via the edit history, and possibly on some third party websites which re-use Wikimedia content or caches outside Wikimedia Foundation control, and searches may show results from those sites as well.

Information routinely collected or stored by the Foundation:

authorship and edit information
Each edit made and action taken on a project is available in a public history of edits, which also includes authorship information such as user name (or IP address if not logged in), timestamp, and what was changed. This information is also available in filtered forms, such as by user (see user contributions), page edited (see page history), date (see recent changes), or action type (see Special:Logs). You may contribute to public projects without logging in, and such edits will be credited in edit histories to your IP address at the time of editing, a series of four numbers that identifies your internet connection at that time. This information may be retained indefinitely, unless deliberately removed such as in response to a privacy violation or court order.
user accounts
The name you edit under when logged in is chosen by you, at the point of registration. If you choose to be (or become) identifiable, or use a username that you go by elsewhere, people looking you up on the internet may see your username and others' comments and discussion of your editing. Once created, user accounts will not be removed. It may be possible for a user name to be changed, depending on the policies of the wiki to which you contribute. The Wikimedia Foundation does not guarantee that a user name will be changed on request. A registered user who edits both logged-in and logged-out may have their logged-in edits identified with their IP edits by other editors.
user account passwords
Users' passwords are confidential and used to verify your ownership of an account. No person should disclose, or knowingly expose, user passwords.
You may optionally provide a working email address in your user preferences, which allows other users to send email to you through the wiki. This email address will never be made public by the Foundation other than as described below, with one exception - if you yourself send an email to another person using Wikimedia's email-user feature, the recipient will be told your email address in order that they may reply. If another logged-in user emails you with this facility, your email address will not be revealed to them unless you respond, or possibly if the email bounces. Participation in any Wikimedia hosted mailing lists is outside the email-user feature, and your email address (and for many lists, your comments) will be publicly available if you email a mailing list.
If you communicate with other users or the Foundation via email or other non-public systems, it will usually be assumed that any response may be sent to you the same way. Replies of this kind will be assumed to be private in delivery to you and upon receipt by you, and may include copies of the original, or past, messages. (Needed - to ensure good-faith email replies to OTRS or other emails, can't accidentally be breaches of privacy)
IP and other technical information
Every time you visit a web page or send an email, you automatically send technical information to the recipient's web server. This commonly includes request headers, the IP address which the request is sent from, and (for email and some page requests) routing information. Most servers routinely maintain access logs with a portion of this information for operational purposes (as described below), and when you request or read a page, or send an email to a Wikimedia server, no more information is collected than is typically collected by web sites in general. The Wikimedia Foundation may keep the raw logs, but these will not be published or used to track legitimate users.
When you edit (either logged in or not), the server confidentially stores this information for a limited period of time. This information is automatically deleted after a set period. When you edit without logging in, the IP address used is publicly and permanently credited as the author of the edit. Depending on your connection, this address may be traceable only to a large Internet service provider, or specifically to your school, place of business, or home. It may be possible for a third party to identify you from this IP address in conjunction with any other information available. Logging in allows you to better preserve your privacy in this situation.
The sites will set a temporary session cookie on your computer when you visit the site. If you do not intend to log in or edit, you may deny this cookie. It will be deleted when you close your browser session.
More cookies may be set when you log in to maintain your logged-in status. If you choose to save your user name and password on your terminal, that information will be saved for up to 30 days, and this information will be resent to the server every time you visit the same wiki. If you are using a public machine and do not wish to expose your user name to future users of the machine, you may clear these cookies after use.

Other information which may be stored or held:

other information
As part of site operations, various information may be stored or held, including but not limited to information needed to process emails between users, information needed to maintain accounts and email lists, information provided or being used to address problems or facilitate development, information temporarily held in web server caches or other temporary storage, system and data backups, self-identification provided to the Foundation for the purpose of being granted access to restricted software tools, edits by others that relate to you or to your editing, and self-disclosed and voluntary information provided by you.

Uses of information edit

Non-public information is kept and used by the Foundation and selected volunteers, for a variety of purposes, including:

  • To identify (where applicable), investigate, address and respond to breach of terms of use, misuse of the wikis, complaints, and third party communications: A number of mechanisms exist to prevent or remedy abusive activities in WMF projects, and to resolve queries, third party inquiries and complaints, disputes, and other matters. For example, when investigating abuse of a wiki or the blocking of a user, including the suspected use of malicious "sockpuppets" (editorial abuse), vandalism, harassment of other users, or disruption, private information may be used by authorized users, to help identify and investigate the likely source(s) of prima facie abusive behavior. They are also used on occasion, to examine (and try to resolve) more significant user disputes and other concerns, communications, and complaints.
  • To provide site statistics: The Foundation statistically samples raw log data from users' visits to produce site statistics. The raw log data is not made public.
  • To solve technical problems or improve server and site performance: Log data may be examined by developers and others delegated by the Foundation, for maintenance and development purposes.

Access to and publication of private information edit

The Wikimedia Foundation will not sell or share private information such as email addresses with any third parties, unless you agree to release this information, or it meets the criteria in this section.

non-public information
Certain users often have access to private information (in the sense of the above definition). These may include, but are not limited to, users who have access to OTRS, or to the Checkuser and Oversight functions, mailing list administrators for hosted mailing lists (check - seems accurate but does this have implications?), users with access to certain non-public wikis (typically used for administrative and operational collaboration) (likewise check), users elected by the editing communities to serve as stewards, Wikimedia Foundation employees, trustees, appointees, and contractors and agents employed by the Foundation, and developers and others with high levels of server access. Access to and publication of this information is governed by the Access to nonpublic data policy, as well as specific policies covering some of the functions in question. It is the policy of Wikimedia that personally identifiable data collected or stored may be released under the following situations. Distribution to other users authorized to access private information and no other persons, is not considered either "public" or "release". This should generally be done with a view to reducing the amount of private information disclosed:
  1. In response to a valid subpoena or other compulsory request from law enforcement. As a general principle, the access to, and retention of, personally identifiable data in all WMF projects should be minimal and should be used only internally to serve the well-being of the projects. Occasionally, however, the Foundation may receive a subpoena or other compulsory request from a law-enforcement agency or a court or equivalent government body that requests the disclosure of information about a registered user. On such occasions, the Foundation may be compelled by law to comply with the request. In the event of such a legally compulsory request, the Foundation will attempt (if legally permitted) to notify the affected user within three business days after the arrival of such subpoena by sending a notice by email to the email address (if any) that the affected user has listed in his or her user preferences. If no email address is set, then it is possible you may not be informed in the event that such a request is made.

    If you receive such notification, the Foundation cannot advise you regarding the law or an appropriate response to a subpoena. The Foundation does note, however, that you may have the legal right to resist or limit that information in court by filing a motion to quash the subpoena. Should you wish to oppose a subpoena or other compulsory requests, you should seek legal advice concerning applicable rights and procedures that may be available. If the Foundation receives a court-filed motion to quash or otherwise limit the subpoena as a result of action by you or your lawyer, the Foundation will not disclose the requested information until Wikimedia receives an order from the court to do so.

  2. With permission of the user who will be affected. (In the case of a user who is a minor, with permission of the user or a person confirmed to be their parent or legal guardian.) (An issue. Discuss?).
  3. To the chair of Wikimedia Foundation, the Foundation's legal counsel, or the chair's designee.
  4. Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues.
  5. Where there is good cause to believe a user or account has interacted in a disruptive or problematic way, or is associated with disruptive, problematic activity, data may be released (or the relationship between an IP editor or user account with another user account may be disclosed) in order to inform discussion, assist in the targeting or explanation of IP blocks, reduce further disruptive activity, or in exceptional cases, assist in the formulation of a complaint to relevant Internet Service Providers, businesses, organizations, schools, and the like, who handle complaints about the internet connection(s) in question.
  6. Where it is reasonably necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public.
Wikimedia policy does not permit public distribution of such information under any other circumstances.
removal of content
In some cases specific revisions can be hidden ("deleted") from public view, for example if there is a significant breach of this policy or by court order. Note that hiding is not guaranteed in any given case, and that especially, disclosures facilitated by your own edits, or examination and discussion of concerns in your editing, may not be removed, or only removed to a limited extent. Individual wikis may also have their own guidelines and decision-making process governing this.
Administrators and a number of other users have access to certain deleted content. Some deleted content may be made available for good cause, whilst extreme types of deleted content governed by oversight policy will usually not be released without a court order.

Disclaimer edit

The Wikimedia Foundation holds that maintaining and preserving the privacy of user data is an important value. This Privacy Policy, together with other policies, resolutions, and actions by the Foundation, represents a committed effort to safeguard the security of the limited user information that is collected and retained on our servers. Nevertheless, the Foundation cannot guarantee that your user information will necessarily remain private. We acknowledge that, in spite of our committed effort to protect private user information, determined individuals may still develop various data-mining and other methods to uncover such information and disclose it, or that enforcement despite our efforts may not on every occasion meet perfection. For this reason, the Foundation can and will make no guarantee against unauthorized access to any information you may provide (voluntarily or otherwise) in the course of participating in WMF projects or related communities.