Wikimedia Foundation Transparency Report/Frequently Asked Questions

Wikimedia Foundation Transparency Reports
Wikimedia Foundation Transparency Reports

All transparency reports

Privacy-related WMF Policies


What sort of user information gets requested?

All sorts of identifying information, public and nonpublic, gets requested. Requests tend to be broad in nature, in order to capture as much information as possible. However, most information on the projects is public: for instance, talk pages or information relating to a page’s edit history. We store very little nonpublic information. Some of it is collected automatically (such as the IP address of the user's device or their proxy server and user agent information), while other types of nonpublic information are optionally provided by the user (such as an email address). Regardless, nonpublic information that includes personal information of any particular user is only kept for a short amount of time. You can learn more about the types of information we collect and how long we retain that information in our Privacy Policy and Data Retention Guidelines

In some transparency reports, you may have seen a distinction made between “content” and “non-content” information. This distinction comes from the Electronic Communications Privacy Act, or ECPA (18 U.S.C. § 2703 et seq.). “Content information” refers to the contents of user communications. “Non-content” information refers to data about those communications. One common (if imperfect) analogy for explaining this is the difference between letters and envelopes. The information visible on the outside of an envelope, such as routing information, is considered non-content information. On the Wikimedia projects, this might include user agent information, IP addresses, or email addresses. The letter inside the envelope, however, is considered content information. On the Wikimedia projects, one example would be information on a Wikipedia page, which is already public. Because of the public nature of the projects, we very rarely receive requests for content information.

Does WMF have different standards for granting requests depending upon who makes the request? How are these requests processed?

No. Regardless of who is requesting user data—be it an individual, a government, or a law enforcement officer—the Wikimedia Foundation only discloses nonpublic user information in accordance with our Terms of Use, Privacy Policy, and applicable US law, including the Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510-2522, 18 U.S.C. §§ 2701-2711, and 18 U.S.C. §§ 3121-3127). We typically do not produce information as a result of a request unless we have received proper legal process. Submitted requests must be reasonable, specific and relevant. Requests must include contact information for the requester, and a specific deadline. Finally, requests must be legally valid and enforceable under United States law, in the form of a court order, subpoena, warrant, or request served under the mutual legal assistance treaty or letters rogatory process.

Additionally, we may disclose information in response to emergency requests in accordance with the ECPA (18 U.S.C. 2702(b)(8)) when there is a credible and imminent threat of death or serious bodily harm. These requests must meet specific criteria, including detailing the nature of the emergency, why it is believed to be imminent, and the specific information requested and how it is necessary to prevent the threat from being carried out.

For more information on the procedures for requesting user information and making an emergency request, see our Requests for User Information Procedures & Guidelines.

What happens when you receive a request from abroad?

Per our Requests for User Information Procedures & Guidelines, we require that requests originating from outside of the United States to follow the mutual legal assistance treaty (MLAT) process or letters rogatory process so that a U.S. court will issue the required U.S. legal process to the Wikimedia Foundation.

Help! My personal information is being sought because of something I did on the Wikimedia projects. What should I do?

If you are the subject of a subpoena, it is highly recommended that you consult your own lawyer immediately. There are a number of organizations that will fight on a user's behalf, like the American Civil Liberties Union (ACLU) or the Electronic Frontier Foundation (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. In rare cases, assistance may also be available under our Legal Fees Assistance Program or Defense of Contributors Program.

Additionally, in certain situations, WMF may challenge a subpoena on a user’s behalf if it is unnecessarily broad or burdensome, or if we believe the subpoena threatens the free speech of users on our projects. For more information about subpoenas, see our Subpoena FAQ.

What do you mean by 'information produced'?

When we say 'information produced', we mean that as a result of a legal process (such as a subpoena) that was legally valid, some or all of the nonpublic user information requested by that legal process was produced by WMF to the requesting party. ‘Information produced’ also applies to rare situations where we voluntarily disclose personal information to law enforcement, usually in order to prevent imminent bodily harm or death.

What’s the difference between 'information produced (partial)' and 'information produced (all)'?

Beginning with the July 2016 Transparency Report, we decided to provide additional information about the ways in which the Foundation responds to requests for user information. “Information produced (all)” refers to situations where we provided all of the nonpublic user information requested in the requester’s initial message to us. “Information produced (partial)” refers to situations in which we provided some nonpublic user information, but less than what was requested in the requester’s initial message. For example, this may happen when some of the information requested is information that we do not collect or store, when the requester asked for information that has already been deleted from our systems under our Data Retention Guidelines, or if the requester served us with valid legal process regarding some, but not all, of the information they wanted.

What do you mean by 'informal non-government requests'?

When we say 'informal non-government requests', we mean a request for user information from a non-governmental entity that does not involve a formal legal process. For example, this would include a situation where a corporation sends us a letter or an email requesting nonpublic information about one of our users.

What do you mean by 'informal government requests'?

When we say 'informal government requests', we mean a request for user information from a governmental entity that does not involve a formal legal process. For example, this would include a situation where a government sends us a letter or an email requesting nonpublic information about one of our users.

What do you mean by 'civil subpoena'?

When we say 'civil subpoena', we mean a legal process received by the Wikimedia Foundation from a third-party individual or organization requesting nonpublic user information, that usually relates to a legal dispute between two or more individuals or organizations. Civil subpoenas generally do not require review by a judge or a magistrate.

What do you mean by 'criminal subpoena'?

When we say 'criminal subpoena', we mean a legal process received by the Wikimedia Foundation requesting nonpublic user information that is typically issued by a government attorney or grand jury, in connection with an official criminal investigation.

What do you mean by 'administrative subpoena'?

When we say ‘administrative subpoena’, we mean a legal process received by the Wikimedia Foundation requesting nonpublic user information that has been issued directly by a government agency, without judicial oversight.

What do you mean by 'search warrant'?

When we say a 'search warrant', we mean a warrant issued under the procedures of the Federal Rules of Criminal Procedure or equivalent state warrant procedures, based upon a showing of probable cause that specific information held by the Wikimedia Foundation may be related to a crime. Search warrants are generally reviewed by a judge or a magistrate.

What do you mean by 'court order'?

When we say 'court order', we mean an order issued by a U.S. court of competent jurisdiction directed at the Wikimedia Foundation. Court orders for user data may be issued under various U.S. federal and state laws, such as section 2703(d) of the Electronic Communications Privacy Act ('ECPA'), a federal privacy law.

For the avoidance of doubt, we believe a warrant is required by the 4th Amendment to the United States Constitution, which prohibits unreasonable search and seizure and overrides conflicting provisions in the ECPA. We believe that the ECPA needs to be updated so that equivalent protections are granted to electronic communications and documents that have already been granted to the physical documents one keeps at home or in their office. To that end, we are a member of the Digital Due Process Coalition to help in that effort.

What do you mean by 'national security request'?

'National security requests' include national security letters and orders issued under the Foreign Intelligence Surveillance Act.

What is a 'wiretap' or a 'pen register', and why doesn’t the Wikimedia Foundation list them in its Transparency Report?

A wiretap order (see The Wiretap Act, 18 U.S.C. § 2511 et seq.) is an order that requires the real-time interception of the content of telephone or internet communications. A pen register order (see The Pen Register Statute, 18 U.S.C. § 3121 et seq.) requires the real-time interception of non-content information associated with telephone or internet communications (such as routing information). We have never received a wiretap or pen register order. Should we receive such an order, we will disclose it in this report if allowed to do so by law.

What do you mean by user accounts potentially affected?

This number represents the number of unique user accounts implicated by requests for user data and whose data would have been disclosed if we had granted every request we received. This number may not reflect the number of unique individuals implicated by requests for user data; if an individual has multiple accounts across all Wikimedia projects, and we receive requests for more than one of these accounts, we record each user account separately. As a result, this number might overestimate the number of individuals implicated by user data requests.

What do you mean by user accounts actually affected?

This number represents the number of unique user accounts whose nonpublic information was disclosed as a result of WMF receiving a valid request for user data. This number may not reflect the number of unique individuals whose data was disclosed as a result of a valid request for user data; if an individual has multiple accounts across all Wikimedia projects, and we receive requests for more than one of these accounts, we record each user account separately. As a result, this number might overestimate the number of individuals implicated by user data requests.

We are committed to notifying users if we plan on disclosing nonpublic personal information. We added the “user accounts notified” category in the July 2016 Transparency Report to refer to the number of users whom we notified about such a planned disclosure. However, we cannot notify a user account if we are legally restrained from doing so (e.g., by a gag order), if a credible threat to life or limb is present, or if the user has not provided us with an e-mail address or valid contact information. Since one person may have more than one user account, and provide no, or different contact information for those accounts, the number of user accounts notified may not reflect the number of people notified.

What do you mean by 'Emergency disclosure'?

An “Emergency Disclosure” refers to a case in which we become aware of statements on the projects that threaten harm to the user who made the statements and/or other individuals, and—on our initiative—choose to disclose nonpublic user information to a law enforcement agency. Such disclosures are rare; they are only made in accordance with the exceptions outlined in our Privacy Policy, such as to protect you, ourselves, and others from imminent and serious bodily harm or death.

An “Emergency Disclosure” may also refer to circumstances in which law enforcement has contacted us because of an imminent threat to life or limb, and we have decided to release information according to the process described in our Requests for User Information Procedures & Guidelines and the Electronic Communications Privacy Act (see 18 U.S.C. § 2702). When we feel that a law enforcement request does not rise to this level, we classify it as an “informal government request” instead.

Until the July 2016 Transparency Report, we referred to Emergency Disclosures as “Voluntary Disclosures.”

What do you mean by 'Right To Be Forgotten'?

The Right To Be Forgotten (RTBF) is a legal principle established in 2014 when a decision by the Court of Justice of the European Union, Google Spain v. AEPD and Mario Costeja González, granted EU individuals the ability to request that search engines “de-index” content about them. While Wikimedia projects are not search engines, we occasionally receive requests to remove content based on the RTBF. We began documenting such requests in July, 2014. For more information about our concerns regarding the Right to be Forgotten, see our August 2014 blog post

How are requests for user data calculated differently by WMF as compared to other organizations?

In this transparency report, WMF has included all types of requests for user information it receives, including governmental and non-governmental requests as well as informal and formal requests. Some other organizations, including several of those appearing in the 'Compared to other companies' graph in our report, only disclose requests originating from governments. Please visit the transparency reports of Facebook, Google, Twitter, and LinkedIn for more detail about the types of requests they receive.

Our core values of freedom of speech and access to information can be threatened by laws that compromise user privacy. For this reason, the Wikimedia Foundation has joined the fight to improve privacy laws around the world.

In 2013, we joined the Digital Due Process Coalition (DDPC), an organization focused on reforming the United States Electronic Communications Privacy Act (ECPA). The ECPA specifies standards for law enforcement access to electronic communications and associated data, thereby providing a degree of privacy to users of digital communication services. However, the ECPA was enacted in 1986, meaning that it does not adequately protect users anymore and only serves to provide inconsistent standards for law enforcement when dealing with 'new' technologies. The DDPC's mission is to simplify, clarify, and unify the ECPA standards—providing clearer privacy protections for users taking into account changes in technology and usage patterns, while preserving the legal tools necessary for government agencies to enforce the laws and protect the public.

In 2014, we signed onto the Necessary and Proportionate Principles, which strongly support the application of human rights to mass surveillance and set forth basic principles governments should adhere to when employing modern surveillance technologies. In March 2015, we took an even stronger stand. The Wikimedia Foundation joined eight other co-plaintiffs in filing a lawsuit against the U.S. National Security Agency over its “Upstream” mass surveillance program, which captures communications passing through the Internet “backbone.” We strongly oppose mass surveillance by any government or entity, and hope that this lawsuit becomes an important step in changing current practices.

How do users resolve content disputes and decide what should appear on the Wikimedia projects?

All content on the Wikimedia projects are written, uploaded, edited, and curated by people just like you from around the world. For the most part, users—not the Wikimedia Foundation—develop and enforce the policies and procedures that govern the content on the projects. This means that users decide what should and shouldn't be included on the projects, within the bounds of U.S. law.

Similarly, each project's community has created policies and procedures to handle disputes about whether certain content belongs on a particular project or meets that project's standards.

When a third party who, say, has a Wikipedia article written about them and doesn't like some unflattering content included in that article, the proper way to address their concerns is to take it up with the community itself, as opposed to the Wikimedia Foundation.

Help! I'm being sued because of something I did on the Wikimedia projects. What should I do?

Lawsuits against Wikimedia users are exceedingly uncommon—most disputes about content are resolved by working with the user community through community-driven processes. In fact, individuals and organizations that sue over content they wish to remove from the public's eye often end up causing that content to receive greater public attention as a result of the lawsuit, a phenomenon known as the Streisand Effect.

In the unlikely event that you are the subject of a lawsuit, it is highly recommended that you consult your own lawyer. There are a number of organizations that fight on a user's behalf, like the California Anti-SLAPP Project or the Electronic Frontier Foundation (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. Additionally, in rare cases, assistance may also be available under our Legal Fees Assistance Program or Defense of Contributors Program.

Does WMF ever remove content?

Absent the receipt of a legally valid DMCA notice, the Wikimedia Foundation will generally only remove content in exceptional circumstances. For example, we once removed a blogger’s unredacted travel visa after somebody else posted the image with his private information exposed.

What makes a DMCA takedown notice 'valid' or 'proper'?

The DMCA has several formal requirements for notices. However, our evaluation isn’t over when we receive a notice that meets all of these requirements. We will also analyze the copyright eligibility of the work being infringed, whether the allegedly infringing material actually infringes, and whether the allegedly infringing material is a fair use of the requester’s work. For more information, see our DMCA Policy.

How are you transparent about particular DMCA removals besides in this transparency report?

We record every DMCA takedown request that results in removal of content on our website. In addition, every DMCA removal is submitted to the Lumen database (Lumen), a web archive managed by the Electronic Frontier Foundation and several law school clinics. By collecting takedown notices from a variety of sources, Lumen provides a large set of data for analysis and allows recipients and senders of takedown notices to learn more about how the DMCA operates in the current online environment.

What is a DMCA counter-notice, and did you receive any?

When material is removed due to a DMCA takedown notice, the uploader of that content or a third party may believe that it did not violate copyright laws. If so, they may send us a DMCA counter-notice, stating their belief that the content did not infringe any copyrights. If the counter-notice complies with the statute, we will restore the content within 10-14 business days unless a lawsuit is filed by the copyright holder. Prior to the July 2016 Transparency Report, we had not received any DMCA counter-notices. Between January and June 2016, we received two.

Why is the information from July 2012 - June 2013 not available in six-month increments like the information from July 2013 forward?

During the July 2012 - June 2013 period, we recorded totals only for the entire period, rather than breaking the totals into six-month terms. In order to provide a better comparison with other reporting organizations, we changed the date ranges for our charts to line up with those used by those organizations starting in July 2013.

How do you count requests?

Each request received counts as one request in the transparency report, irrespective of the number of webpages, content, or users that request deals with. For example, a request for user information that asks for the information of three users counts as one request for user data, and a DMCA takedown request that requests the removal of 5 images is counted as one DMCA request. Duplicate requests regarding the same matter from the same requesting party are also counted as one request. For example, if a requesting party sends us multiple demand letters to take a particular Wikipedia article down, it counts as one request.

What do you mean when you say a Project was 'targeted' by a takedown, alteration, or DMCA request?

It means that a particular Project would have been altered if we had granted a particular request or that a particular Project was actually altered due to a particular request. For example, if the transparency report indicates that French Wiktionary was targeted by one content alteration request, it means that we received a content alteration request that demanded that we change content on French Wiktionary.

Do you have data for Projects potentially and actually affected from July 2012 to June 2013?

No, we started tracking requests in more detail beginning in July 2013, so this level of detail is not available for July 2012 to June 2013.