Office actions/September 2021 statement/pwn
Regarding a series of serious office actions
djavadjavay a masantalj,
I’m Maggie Dennis, the Wikimedia Foundation’s Vice President of Community Resilience & Sustainability. I’m reaching out to you today to talk about a series of actions the Foundation has recently taken to protect communities across the globe.
I apologize in advance for the length and the ambiguity in certain areas. These are complicated issues, and I will try to summarize a lot of what may be unfamiliar information to some of you succinctly. I will answer questions to the best of my ability within safety parameters, and I will be hosting an office hour in a few weeks where I can discuss these issues in more depth. We’re currently getting that set up in regards to availability of support staff and will announce it on Wikimedia-L and Meta as soon as that information is prepared.
Many of you are already aware of recent changes that the Foundation has made to its NDA policy. These changes have been discussed on Meta, and I won’t reiterate all of our disclosures there, but I will briefly summarize that due to credible information of threat, the Foundation has modified its approach to accepting “non-disclosure agreements” from individuals. The security risk relates to information about infiltration of Wikimedia systems, including positions with access to personally identifiable information and elected bodies of influence. We could not pre-announce this action, even to our most trusted community partner groups (like the stewards), without fear of triggering the risk to which we’d been alerted. We restricted access to these tools immediately in the jurisdictions of concern, while working with impacted users to determine if the risk applied to them.
I want to pause to emphasize that we do not mean to accuse any specific individual whose access was restricted by that policy change of bad intent. Infiltration can occur through multiple mechanisms. What we have seen in our own movement includes not only people deliberately seeking to ingratiate themselves with their communities in order to obtain access and advance an agenda contrary to open knowledge goals, but also individuals who have become vulnerable to exploitation and harm by external groups because they are already trusted insiders. This policy primarily served to address the latter risk, to reduce the likelihood of recruitment or (worse) extortion. We believe that some of the individuals impacted by this policy change were also themselves in danger, not only the people whose personal information they could have been forced to access.
Today, the Foundation has rolled out a second phase of addressing infiltration concerns, which has resulted in sweeping actions in one of the two currently affected jurisdictions. We have banned seven users and desysopped a further 12 as a result of long and deep investigations into activities around some members of the unrecognized group Wikimedians of Mainland China. We have also reached out to a number of other editors with explanations around canvassing guidelines and doxing policies and requests to modify their behaviors.
When it comes to office actions, the Wikimedia Foundation typically defaults to little public communication, but this case is unprecedented in scope and nature. While there remain limits to what we can reveal in order to protect the safety and privacy of users in that country and in that unrecognized group, I want to acknowledge that this action is a radical one and that this decision was not easily made. We struggled with not wanting to discourage and destroy the efforts of good faith users in China who have worked so hard to fight for free and open knowledge, including some of those involved in this group. We do not want them to fear that their contributions are unwelcome. We also could not risk exposing them to danger by doing nothing to protect them after we became aware of credible threats to their safety.
While some time ago we limited the exposure of personal information to users in mainland China, we know that there has been the kind of infiltration we describe above in the project. And we know that some users have been physically harmed as a result. With this confirmed, we have no choice but to act swiftly and appropriately in response.
I take it as both a triumph and a challenge that in the years of my own involvement I have seen Wikimedia go from a suspect non-mainstream website to a highly trusted and widely relied upon source across the world. When I first started editing the projects in about 2007, I already believed Wikimedia had the capacity to be one of the greatest achievements of the world — collective knowledge, at your fingertips. What an amazing gesture of goodwill on the part of all of its many editors. It didn’t take me long after I started editing to realize how entrenched the battles could be over how to present information and how that can be exploited to achieve specific ends. I’m not trying to suggest that I was astonishingly prescient; I think there were many who realized that risk long before I stumbled naively on the scene. I do think that the risk is greater than ever now, when Wikimedia projects are widely trusted, and when the stakes are so high for organized efforts to control the information they share.
Community “capture” is a real and present threat. For years, the movement has been widely aware of challenges in the Croatian Wikipedia, with documentation going back nearly a decade. The Foundation recently set up a disinformation team, which is still finding its footing and assessing the problem, but which began by contracting an external researcher to review that project and the challenges and help us understand potential causes and solutions for such situations. We have also recently staffed a human rights team to deal with urgent threats to the human rights of communities across the group as a result of such organized efforts to control information. The situation we are dealing with today has shown me how much we need as a movement to grapple with the hard questions of how we remain open to editing by anyone, anywhere, while ensuring that individuals who take us up on that offer are not harmed by those who want to silence them.
With respect to the desysopping, we hope to connect with the international Chinese language community in the near future to talk about approaches to elections that avoid the risk of project capture and ensure that people are and feel safe contributing to the Chinese language Wikipedia. We need to make sure that the community can hold fair elections, without canvassing or fraud. We hope that helping to establish such a fair approach to elections will allow us to reinstate CheckUser rights in time.
I want to close this message by noting that I am personally deeply sorry to those of you for whom this will be a shock. This will undoubtedly include those who wonder if they should fear that their personal information has been exposed (we do not believe so; we believe we acted in time to prevent that) and also those who fear that further such bold action is in the works which may disrupt them and their work and their communities (at this point, with this action, we believe the identified risks have been contained in the short to medium term). I am also truly sorry to those communities who have been uneasy in the shadow of such threats for some time. The Foundation continues to build our capacity to support every community that wants or needs its support - and we are still learning how to do so well when we do. One of the key areas we seek improvement is in our ability to understand our human rights impact and in our ability to address those challenges. You have not had the service you’ve deserved. We can’t fix things immediately, but we are working to improve, actively, intentionally, and with focus.
To the 4,000 active Chinese language Wikimedians distributed across the world and serving readers in multiple continents, I would like to communicate my sorrow and regret. I want to assure you that we will do better. The work you do in sharing knowledge to Chinese readers everywhere has great meaning, and we are committed to supporting you in doing this work into the future, with the tools you need to succeed in a safe, secure, and productive environment.
Again, I will answer what questions I can, also relying on the support of others in Legal and perhaps beyond. We’re setting up a page on Meta to talk, and I will be hosting an office hour in coming weeks.
Updated Office Action on User 玄客
Upon recent information provided through our ca@ channel within Trust and Safety, we have reassessed one account locked as a result of this investigation. This account belongs to user 玄客. The information and supporting evidence received and authenticated by our investigators ascertains that user 玄客 is not, as originally identified, a sock of Walter Grassroot. As a result of this, user 玄客's account has been restored to full capacity.
We appreciate everyone who is using ca@ channel to send us additional information and evidence that substantiates or refutes the recently undertaken Office Action. This is an important part of the process, and the Foundation is reviewing each email and documents provided.
- Community Resilience and Sustainability
- Talk:Access to nonpublic personal data policy § Policy adjustment on behalf of Legal
- Wikimedians of Mainland China
- Croatian Wikipedia Disinformation Assessment-2021