Talk:Privacy policy/Archive 2

Once created, user accounts can not be removed.

Yes they can, you probably meant to say "won't". —Ævar Arnfjörð Bjarmason 00:53, 11 Apr 2005 (UTC)

Indeed, though there are several places where it is said quite explicitly that there is no chance of this happening, so we might want to make it a little stronger than "won't". Perhaps "user accounts will never be removed"?

James F. (talk) 00:55, 11 Apr 2005 (UTC)

I have a concern about committing to that clause in the very long term. I put it at Talk:Right to vanish but maybe should have posted it here. Any thoughts? Rossami 23:03, 12 Apr 2005 (UTC)

However, remember to disconnect yourself after using a pseudonym to avoid allowing others to use your identity.

This sentence seems a bit confusing to me. (Disconnect yourself? From where? Do you mean "log out"?) And, is it a good idea to add such general advice to a page stating policy, anyway? --Mormegil 18:47, 16 Apr 2005 (UTC)

I rephrased it the way I understood it.--Patrick 15:45, 6 December 2005 (UTC)[reply]

If you contribute to the Wikimedia projects, you are publishing every word you post publicly. If you write something, assume that it will be retained forever. This includes articles, user pages and talk pages. Some limited exceptions are described below.

Does this include images and audio? or am I being too pedantic.

You're not being too pedantic. Yes, it includes images and audio. Unless the media in question is deleted (because of suspected copyright infringement) the image or audio is here forever. See, for example, this image I placed on Wikipedia of New York City w:Image:Area_code_347.png area codes 347, 718 and 917, which is the corrected version I re-uploaded when someone informed me that the distant New Jersey area codes were reversed. The original (incorrect) map I did is still available here on Wikipedia. Paul Robinson (Rfc1394)

¿Shouldn't be said to the President of WMF instead of To Jimbo Wales? --Ascánder 17:14, 30 Apr 2005 (UTC)

Wouldn't it make more sense for it to refer to the Board than either of those? Angela

Agreed. And that was my question: why the other four at the Board isn't eligible to access this sort of infromation? --Aphaia++ 12:16, 5 November 2005 (UTC)[reply]

I need help! I contributed to something MONTHS ago without logging in. Yes, I know it was a stupid mistake. When I googled my name and city together, up comes my name as a contributor to this article that quite frankly could get me in trouble professionally. I need to know if there is a way to delete myself from this article when I WASN't logged in. If anyone can help, please email me cbflagginc@yahoo.com - Thank you!

I get a 404 when I click on the site statistics pages link in the Private logging section. Js-js2 01:55, 10 May 2005 (UTC)[reply]

I need help! I contributed to something MONTHS ago without logging in. Yes, I know it was a stupid mistake. When I googled my name and city together, up comes my name as a contributor to this article that quite frankly could get me in trouble professionally. I need to know if there is a way to delete myself from this article when I WASN't logged in. If anyone can help, please email me cbflagginc@yahoo.com - Thank you!

I am not sure I understand the meaning of this:

Data on users, such as the times at which they edited and the number of edits they have made are publicly available via "user contributions" lists, and occasionally in aggregated forms published by other users.

Some user make 'aggregators' available for various purposes - such as Interiot's edit counter, which collates information from your 'user contributions' to give details of how many edits you've made, what months they were in and so on. Cynical 11:35, 21 May 2006 (UTC)[reply]

As far as I know Mediawiki does not store users' password, it merely stores password hashes, from which actual passwords can not be recovered. Privacy policy should state this so user can be concerned about more important matters. --195.113.65.10 14:55, 29 Jun 2005 (UTC) It should mention current password store technologies in use by wikipedia, noting that they may change.

I think we should have a good community discussion to review our privacy policy with an eye towards revising it in order to allow some limited additional access to our access logs for credible academic researchers who are willing to sign a strong non disclosure agreement.

This sort of data is of intense interest to researchers -- I am getting more and more requests for it -- and I think that the results of the research would be incredibly helpful to our global mission. We make a lot of decisions based on our own theories of how the community really works, but I wonder what facts about ourselves we don't realize because they are lost in the data.

--Jimbo (on Foundation-l, 9 August 2005)

According to the "account creation / log-in" form, Wikipedia will never release our email addresses to anyone. However, according to "Sharing information with third parties", Wikipedia will accede to a subpeona, warrant, or other legally required request.

Since all email addresses from before the privacy policy existed were gathered on the promise that they would "never" be released, wouldn't it be unethical (or perhaps a breach of contract, etc.) to release them simply because of a legal requirement? This privacy policy seems to retroactively redefine the terms under which Wikimedia is allowed to release my email address, which I am *very* uncomfortable with.

It comes down to common sense: Wikimedia does not have an army to stop the authorities from seizing a server and getting the email address themselves. Would you say that it's unethical to release an email address when all that refusing will achieve is legal escalation and having the server confiscated? -- Jeronim 21:55, 24 August 2005 (UTC)[reply]

Definately let authorities come and seize it .... at least wikimedia Foundation wouldn't have co-operated like google has done in China, and because of that someone who spoke their mind freely is in jail now for 10 years!

In a western country google would have refused and made a courtcase out of it. But 1 billion chinese consumers are to big of a lure. Google publically admitted they have provided the data. For me it is also a personal thing. Would you feel it is right if I would be arrested because I protested the dictatorship in Thailand on a talkpage? And Thailand is developing in a dictatorship unfotunately which is what is worrying me. And I am disappointed in google and yahoo and other big sites who co-operate much more with governments like the Chinese one than they have to. Just follow the news on this subject. Basically China has succeeded in censoring the internet for its citizens. Even wikipedia does selfcensorship to appease Beijing. And other Asian countries and governments are following the developments and want to implement it in their own countries. Like Thaksin here in Thailand, so I say resist. Waerth 17:06, 13 September 2005 (UTC)[reply]

I find it confusing that translations and other suggestions happen at the same time. Translations make comment from everybody easier, but surely we want to translate the finalised version? When will we know the official version? --Alias 08:20, 5 October 2005 (UTC)[reply]

This line in the Wikipedia privacy policy ..."# To Jimbo Wales, his legal counsel, or his designee, when necessary for investigation of abuse complaints." ... seems like a potentially large error to me? I think it should reference the Wikimedia Board or designee, not Jimbo. Jimbo Wales, Wikimedia Trustee, Chief of the Board, or similar title might be ok. It is my understanding that the laws in the U.S. which provide protection between corporate responsibility and personal responsiblity depend upon the Corporation or NGO being managed in accordance with Laws and the charter. Courts have found that individuals and officers managing or abusing organizations for their own purposes or as their own property can be held liable personally (personal assets are at risk) for mistakes that made in managing the organization. If Wikimedia has access to legal talent pro bono or has funds to pay for legal expertise then I think it would be a wise investment to consult a lawyer regarding this issue. user:lazyquasar

It seems unusual to explicitly name an individual in a document of this sort. More usual would be to name a role for which he was the current incumbent or owner

--BozMo 20:21, 1 November 2005 (UTC)[reply]

agreed Anthere 10:48, 4 January 2006 (UTC)[reply]

I think both the Wikipedia and the hopefully impending Wikiversity could benefit by meeting all requirements for self certification according to USA/EU "Safe Harbor" agreement regarding the handling of private information. Both projects are global in nature so the sooner we are in full compliance the less risk we are exposed to and the less likely we are to encounter impacts or cause others harm from unfortunate errors or misunderstanding.

• http://www.export.gov/safeharbor/
• http://www.export.gov/safeharbor/sh_overview.html
• http://www.export.gov/safeharbor/FAQ1sensitivedataFINAL.htm

w:user:lazyquasar

I read the german translation a few minutes ago. Statements like If you only read the Wikimedia project websites, no more information is collected than is typically collected in server logs by web sites in general. ist too general. The User should know which information about him are collected. That means: his user name, his IP-Number, time, and maybe more? Not everyone is an internet-specialist.

The Policy on release of data derived from page logs (esp. rules for giving away the IP-Username-log) is very general too. There isn't any guarantee that these files will not be publishished to all users (for example in case of "vandalism") Some people maybe have a profile with their clear name and one with an nickname. I dont think that most of them want to publish this connection, but the rules are not hard enough to guarantee this. That should be made clear for every user. Hadhuey 23:27, 29 November 2005 (UTC)[reply]

saying:"no more information is collected than is typically collected in server logs by web sites in general" does not disclose the extent and scope of information recorded by a sites users which is required by law. You cannot hide behind 'common practice' to mask ones activities. This privacy policy needs to be changed to be explicit and complete as to what the foundation records about its users. It seems the foundation stores absolutely everything it can about its users and its promise 'not to track' its users with session cookies is un-convincing. If it wanted to be clear it could say that detailed access logs will not be collated except for contain situations, or detail out exactaly what these logs contain or how long they are stored. By not saying how long information is stored they are also breaking at least common practice and allowing themselves everything without disclosing it. This privacy policy is extremely poor. Google extended their privacy policy to make clearer how they collect information in response to new laws in California and elsewhere.^[1] The Wikimedia Foundation is required to be explicit about what degree they are storing and using personal information, this policy does not do that.75.165.17.166 02:20, 5 January 2009 (UTC)[reply]

Hi. I wonder if someone (a Board member, perhaps?) can clarify one thing. The sixth item on "Policy on release of data derived from page logs" - is this talking about en:Necessity, a legal term? Or is it just a layman's term?

Tomos 02:44, 21 December 2005 (UTC)[reply]

Translation into catalan on catalan wikipedia

Pérez 05:34, 27 December 2005 (UTC)[reply]

Kate[edit]

Kate ( http://tools.wikimedia.de/~kate/cgi-bin/count_edits?user= ) might be considered a breach of policy §7 Privacy_policy#User_data which states : Data on users, such as the times at which they edited and the number of edits they have made are publicly available via "user contributions" lists, and occasionally in aggregated forms published by other users. Kate is not an other user but a tool displayed on a website owned by the Wikimedia Foundation. Kate is not an "occasional" publication, but a systematic tool available 24 hours a day, and providing informations on all users, not a smaller set of users selected on a particular occasion. The "disclaimer" section on Kate's main page seems to be the result of an inaccurate reading of the above mentioned §7. Kate is a controversial tool : see en:Wikipedia:Editcountitis for further reading.--Theo F 10:36, 4 January 2006 (UTC)[reply]

Can't see a problem here. Kate's & Interiot's tools don't publish anything that isn't in MediaWiki's user contribs. If there were external aggregation tools doing the same thing by connecting to Wikipedia & parsing it's HTML output - that wouldn't be a violation. So, why it's a violation when it's done by querying databse directly? And don't forget, these tools are extremely useful for teacking sockpuppets and evaluating user's contributions during RfA's. MaxSem 18:34, 4 March 2006 (UTC)[reply]

Special:unwatchedpages[edit]

According to Wikizine #6, Special:unwatchedpages gives a listing of the first 5000 pages that are not on someones watchlist. It is a static list updated regularly (hopefully). This is only for "users with protect permission". Sysops have access. Seems to be live on all wikis.source. That means that this tool is spying, on a regular basis, users' watchlists and transmitting data from the users' watchlists to the sysops. That means that the Wikimedia Foundation allows itself to spy on data supposed to be protected by a password. In order to build a trusting relationship with the Wikipedia users, the Foundation should clearly renounce such intrusive behaviour. A motto « Wikipedia is not GMail » is mostly welcome. See en:Gmail#Privacy for further reading.--Theo F 10:36, 4 January 2006 (UTC)[reply]

This is true: Wikipedia is in breach of privacy policy --anon 11:14, 5 January 2006 (UTC)

That's a bit inaccurate, at least in my opinion. In order for that page to be a breach of policy, it has to provide information that can track down a particular user; this tool provides an aggregate report, and does not contain any information that could be used to identify a particular user, so there is no breach of policy there. Titoxd 20:44, 3 March 2006 (UTC)[reply]

If all users but one share together which pages they watch, and use the aggregated data, they can make a substraction and find out which pages are watched by the remaining user. When a page never watched before suddenly becomes watched, you could have a look at the list of newly created accounts and make the hypothesis that the newly watched page is being watched by the user who just created a new account.

More generally, when a landlord rents a flat, he should not keep a key and enter the flat without the tenant's consent. By the same token, when you give somone an account with a password, you should not enter this password-kept area without the password holder's consent.

IMHO, this feature should be available on an "opt in" basis only. Theo F 10:32, 4 March 2006 (UTC)[reply]

That reasoning contains one major flaw: to be able to figure out the pages that a user watches, you first need to know the pages that every other user watches, which is not revealed anywhere. Besides, this is a server-side feature, data of who watches what page is never transmitted to a sysop, nor a sysop can in any practical scenario derive the information. Titoxd 22:19, 4 March 2006 (UTC)[reply]

If all the other users organize a tea party, and during this tea party decide to share their watchlists, they can perform the substraction and extract what the remaining watchlists contain. I think the trend of accessing data which are by nature private, without the account holder's knowledge, without the account holder's consent, is not a good trend. The owner of the account should be told how his data are going to be processed, and for which purpose, so that he can quit, or simply renounce to open an account, if he disagrees with the purposes of the data processing. If the landlord wants to keep a key and enter the flat every time he wants, that should be written on the rental agreement. Theo F 09:04, 7 March 2006 (UTC)[reply]

The thousands of them?! You must be kidding. This could be realistic only in small wikis where only tens of users actively participate and watch the pages. ACrush ^?!/_© 16:51, 18 April 2006 (UTC)[reply]

Interiot count edits [1][edit]

This new tool raises the same questions as Kate (see above) Theo F 11:54, 3 March 2006 (UTC)[reply]

Does Wikipedia keep a log of ALL IP addresses ever used by a user for admins/sysops, developers or other officials?

I would hope only the most recent one gets "logged"/"tracked", otherwise this could potentially reveal a lot of personal information to the right kind of person.. (and let's not pretend that a sociopath can't become an admin, psychotics can pretend to be quite nice sometimes.) --72.36.221.10 11:14, 5 January 2006 (UTC)[reply]

These data are only stored for one week, so edits made prior to that will not be shown via CheckUser says CheckUser Policy. I don't know if that means that prior edits could be available through other means. --Theo F 14:28, 5 January 2006 (UTC)[reply]

Here is the Danish translation, could it be added to the list of languages?

http://da.wikipedia.org/wiki/Wikipedia:Privacy_policy

It should be named Beskyttelse af personlige oplysninger.

OK, done. McDutchie 03:26, 28 February 2006 (UTC)[reply]

• http://en.wikipedia.org/wiki/User:Aleksei
• http://en.wikipedia.org/wiki/User:Drahcir
• http://en.wikipedia.org/wiki/User:Princess_Homestar
• http://en.wikipedia.org/wiki/Wikipedia:New_user_log

My name is Daniel. I'm 10. I like reading and especially like Harry Potter books...

I am not a lawyer, but I think we may need to include COPPA checks and disclaimers. Wikimedia Foundation has "actual knowledge" that children under 13 are providing personal information (e.g., email addresses) when using the site or registering an user account. I am not sure how the non--profit status of WMF plays into this, but NASA and LiveJournal are doing the same.

Thanks, GChriss 19:15, 19 February 2006 (UTC)[reply]

This looks like a good suggestion. Not only the United States have laws about privacy. Most European Union countries, and Switzerland do. Wikipedia should provide ways to make Wikipedians comfortable with the privacy standards used in their home country. Theo F 12:18, 3 March 2006 (UTC)[reply]

There is a link in there (second paragraph) which links to http://meta.wikimedia.org/stats even though that is an invalid link. It's quite confusing when it happens on an 'official' page like it has. I'd fix it if I knew where it was supposed to link to...

Does anyone else think it would make sense to block search engine and archive bots from harvesting Talk: pages? This would prevent anonymous contributors from being "unmasked" by employers etc from IP address using a simple Google or Internet Archive search, but wouldn't stop abusive users being tracked by the Admins here (and since Wikipedia keeps its own archives anyway, nothing would be lost). I think you could block the talk pages easily enough with the line: Disallow: /Talk: ... in the "robots.txt" file.

The existing "robots.txt" seems to cover "edit" and "history" pages anyway: "# Friendly, low-speed bots are welcome viewing article pages, but not

1. dynamically-generated pages please."

... but if these get harvested too then I'd argue for them being blocked in the same way.

I know that hiding your IP address is one of the "perks" of registering, but I for one didn't even know what an IP address was twelve months ago - it doesn't seem fair to penalise the less technologically minded contributors. An increasing number of sites are considering IP addresses pseudo-personal information. I can't think of a single other site that publishes users' IP addresses the way Wikipedia does, and this seems crazy considering the site's excellent privacy policies on usage logs.

On a related note, can formerly-anonymous users "reclaim" anonymous posts when they've registered (so their IP address gets replaced by their username)?

Here [2]. "can not" should be "cannot"

The Privacy policy at Wikimedia:Privacy policy is now out of date, since it precedes the large scale use of "CheckUser" and claims only "developers" have access to the IPs of logged in users.

I am suggesting a revised version at User:Angela/Privacy policy (see [3] for a diff from the current version).

The main changes are to these two paragraphs:

"IP addresses of users, derived either from those logs or from records in the database are frequently used to correlate usernames and network addresses of edits in investigating abuse of the wiki, including the suspected use of malicious "sockpuppets" (duplicate accounts), vandalism, harassment of other users, or disruption of the wiki."

"It is the policy of Wikimedia that personally identifiable data collected in the server logs, or through records in the database via the CheckUser feature, may be released by the system administrators or users with CheckUser access, in the following situations:"

I intend to propose that the Board accept the new draft as official policy, but would appreciate feedback or further improvements before then. Please add comments below.

Thanks. Angela 13:18, 14 April 2006 (UTC)[reply]

I am happy with the changes. Others' thoughts?

James F. (talk) 13:35, 14 April 2006 (UTC)[reply]

Good idea Angela. Could we check with Brad what he thinks of the overall policy ? Anthere

As a frequent user of CheckUser, I think these changes are reasonable and properly reflect the way the tool is used today. Please note that on enwiki we tend to interpret "behaving in a disruptive way" to mean a significant and sustained violation of local wiki policy in such a manner as to make relevant the fact that two or more accounts are being used by the same individual ("sockpuppetry"). The information to be revealed is limited to an estimate of the likelihood that such a situation exists, based on the totality of the evidence, and a credible case for the allegation of sockpuppetry must exist before a check is performed. (In other words, no fishing expeditions.) Furthermore, on enwiki, we (those of us with CheckUser privileges) have agreed not to release anything other than conclusory statements about an investigation. Inadvertently discovered sockpuppets or other "interesting" facts about editors are not to be revealed except when relevant to the conclusion that an editor is being abusive or disruptive.

The other use made of CheckUser is to assist in the process of identifying and blocking open proxies. There is a particular editing quirk that we've learned is associated with certain types of open proxies; when we find that quirk it is normal to run a CheckUser to determine the origin of the quirky edit and block the originating IP (or IP range, in certain cases). I generally do not announce the identities of the accounts using such proxies unless there is evidence of disruption in addition to the quirky editing behavior. It is my opinion that this usage of CheckUser is consistent with the proposed policy; if it is not, I would strongly urge that the policy be amended to permit this sort of security management activity as it has done a great deal to cut back on open proxy abuse on enwiki. Kelly Martin 04:04, 15 April 2006 (UTC)[reply]

I think that de User Elian has used CheckUser in an abusive way by checking assumed sockpuppetry of Dr. Volkmar Weiss who has not shown "behaving in a disruptive way". German wikipedia has no clear rules for sockpuppetry but the criteria for CheckUser (mainly deception in votings) were not fullfilled. CheckUser should be used more cautiously --84.60.197.141 03:08, 28 May 2006 (UTC)[reply]

Quote "Only developers can permanently delete information from Wikimedia projects and there is no guarantee this will happen except in response to legal action."

Wow. Rather severe. I understand no one is obligated to delete anything from an edit history except under legal action, but I hope you don't have to resort to legal action in most of these cases. I know some cases which should be open and shut and the contributors' request should be fulfilled. Cases where a contributor in her/his early days disclosed some personal information on a Wikipedia article talk page but later regretted it; removed it; but the information remains in the history. The information is not needed for any legal or Wikipedia purposes---if I were to request the deletion of such information from such an article talk page's history, I'm hoping it can be done without "legal action". Any thoughts? And how can one contact such a developer to make a request (of course, while logged in or via email)? 69.106.107.44 04:51, 8 May 2006 (UTC)[reply]

This is outdated. Some users have oversight, which means they can delete revisions for such reasons as posting personal details and the like. 59.167.125.117 06:35, 18 June 2006 (UTC).[reply]

Oversight is not deletion; it's hiding. Truly permanent deletion still requires a developer's assistance. Kelly Martin 06:42, 18 June 2006 (UTC)[reply]

On passwords, the policy says, "Many aspects of the Wikimedia projects' community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly."

How can passwords possibly be secure, and total proof of a user's identity, when the passwords are sent unencrypted over the internet, allowing for any Eve who gets between a user and the login server to impersonate said user. And why should I choose a secure password, when using a secure password on Wikipedia might compromise the security of that same password being used on a secure, encrypted login? If password integrity is so important, why not use SSL?

- Armedblowfish 11:02, 15 June 2006 (UTC)[reply]

• you should use secure wikipedia and wikipedia logins should always be done securely, this is a major failing of wikipedia and wikimedia

see en:Wikipedia talk:Delete unused username after 90 days, passing this would require an amendment to the policyy. 70.26.113.6 01:08, 27 June 2006 (UTC)[reply]

"Whether specific user information is deleted is dependant on the deletion policies of the project that contains the information." 'Dependant' should be 'dependent' — The preceding unsigned comment was added by 167.202.196.71 (talk)

http://en.wikipedia.org/wiki/Brazil

http://en.wikipedia.org/wiki/Istanbul

i would like to lock the info specified below because as an istanbulian everyday i have to re-correct it

{{Infobox Settlement |official_name=İstanbul |settlement_type= |established_title= Founded |established_date=667 BC as Byzantium |established_title1=Roman/Byzantine period |established_date1=AD 330 as Constantinople |established_title2=Byzantium period |established_date2=until 1453 named as Constantinople and various other names in local languages |established_title2=Ottoman period |established_date2=starting from 1453 named as Istanbul by Ottoman Empire |established_title3=Turkish Republic period |established_date3=Istanbul since Ottoman Empire

About mailing lists:

Some email addresses ... may forward mail to a team of volunteers ... to use a ticket system such as OTRS ....

Mail to board AT wikimedia DOT org or to board members' private addresses may also be forwarded to the OTRS team.

The last line should be "to the voluneteer team". --Mongol 21:01, 10 July 2006 (UTC)[reply]

Can I use this as a basis for the Privacy Policy at my site? — The preceding unsigned comment was added by 140.209.124.24 (talk)

I've just noticed that there are very critical discrepancies between the English original and the Japanese translated version at the Foundation website. We need to update the Japanese Privacy Policy translation. I will post the same message at Talk:Privacy policy/Ja. Thank you. --Californiacondor 13:06, 14 November 2006 (UTC)[reply]

After looking around for 5 or 10 minutes I could not find anything about the privacy or lack thereof of searches. Is everything typed into the search box safe from the government (or other nairdowells)? Or is it all saved and distributed freely? Or something inbetween? Knowing something about what happens when you type into the search box is important (if privacy is important at all). — The preceding unsigned comment was added by 71.238.68.25 (talk)

It seems as if compaints about the privacy policy are intended to be handled by the m:Ombudsman commission (see w:Signpost, w:Wikipedia:Privacy policy). As far as I can tell, few people know about this. I think it might be helpful for the people who need it if the commission was mentioned on foundation:Privacy policy, similar to what is written, unoffically, at Wikipedia. Kenb215 03:07, 14 June 2007 (UTC)[reply]

Hello, could someone direct me to some content regarding whether individuals have the right to request the removal of details such as full name, age, occupation, location etc from articles, or the correct procedure for doing so? 58.173.165.12 08:07, 18 June 2007 (UTC)[reply]

• Some editors have decided to adopt pseudonyms as a username, and due to privacy, there is no scrutiny available, and no accountability.
• I believe in openness. My Wikipedia Username reflects by personal name,[4] and I have had a link on my Wiki User page,[5] to my personal home page.[6] (which is easily found on Google).
• Since they are publicly available, some editors have subjected my personal details to a level of scrutiny that is not available to them, and I believe that some are taking advantage, to argue that my education, affiliations and interest demonstrate an "agenda", or even a conflict of interest in certain articles.
• It seems unfair that an editor who is open about their identity, may be subject to a level of scrutiny that editors with pseudonyms are not.
• Does publicizing one's identify, and linking to a personal home page, mean that an "open" editor forgoes the right to "privacy" that is enjoyed by an anonymous editor? --Iantresman 08:10, 15 July 2007 (UTC)[reply]

In a couple of weeks I will be performing with a notable band. If my name goes into their WP article, do I have the right to edit it so that my stage name only is in the article, as I'd prefer to keep my real name offline? Also: if I do get in the article, would I be still allowed to edit any of the article, even bits I'm not mentioned in (eg discography), because of COI rules? Totnesmartin 11:23, 5 August 2007 (UTC)[reply]

(tap tap) Hello? Fat lot of good this place is...

I highly suggest at some point in the future changing policy to allow for one very specific hole to deleting user names: emergencies as deemed by the systems administrators. This concern stems from recent research in defeating CAPTCHAs. Properly motivated (i.e., with enough skill in math & programming experience to put to practice), an attacker could fairly reliably defeat the CAPTCHAs that are employed on most Wikimedia projects, therein bypassing the check against automated account registration. Therefore, I believe that should anyone try to use this as a form of attack, there should be in place the ability for the actual Wikimedia systems administrators to repair the damage by deleting the maliciously-added accounts outright. Otherwise, the attacker would have a viable long-term attack plan-- simply keep running the attack.

To clarify, I would like everything to remain the same, except that only systems administrators (i.e., the same people who are needed to permanently delete material even after Oversight) are able to delete user names manually. I feel that this is a safe amendment, because absolute worst-case scenario, there are still physical backups of any data deleted. However, if I'm overlooking something here, please definitely let me know, as I obviously want this change to be as conservative as possible while still maintaining the safety of the network. --slakr 00:28, 12 September 2007 (UTC)[reply]

Systems administrators can already mass-remove this data through direct SQL queries. Nakon 03:20, 27 January 2008 (UTC)[reply]

A fi-wiki administrator has attempted to inject Google Analytics code into our MediaWiki:Copyright page, which would effectively allow Google Analytics to record information of all of our visitors. Since Google Analytics shows host names of individual visitors (usually just an ISP hostname, but some people may have fullname.net style addresses) and the plan is to let pretty much anyone to access this information, it's pretty evident that this is a violation of the Wikimedia Privacy Policy.

Moreover, since the code would be on MediaWiki:Copyright, it will capture every single visitor from the first pageview onwards, and there's no fair way to let users choose if they want their information recorded.

Any thoughts? MikkoM 12:29, 10 December 2007 (UTC)[reply]

We reached a compromise allowing Analytics access only to people with CheckUser privileges. So the issue is resolved. MikkoM 13:09, 10 December 2007 (UTC)[reply]

This issue is now resolved by removing Google Analytics. --Many 06:50, 11 December 2007 (UTC)[reply]

In relation to a recent lawsuit and Wikipedia's release of registered users info, there is an ongoing discussion regarding the WMF privacy policy, specifically the rules for releasing the identifying user info to third parties, at [7]. Those who are interested in this aspect of the privacy policy are encouraged to participate in the discussion. Regards, Nsk92 23:59, 13 January 2008 (UTC)[reply]

"dependant" is misspelled

I would like to make two suggestions for changes in privacy policy regarding releasing registered user identifying data (IP addresses, e-mails, etc) to third parties in response to court subpoenas. These suggestions are motivated by a recent incident where the IP data of sixteen registered Wikipedia users (including mine) were released in response to a subpoena in a lawsuit. There was an extensive discussion of the incident and the related issues at Wikipedia's Village Pump in January 2008, see [8].

My basic suggestions are:

(1) To add a clause to the privacy policy stating that WMF will notify the affected registered users when their identifying info is being requested by a third party subpoena and when and if such a release actually occurs.

(2) To add a sentence or two to the privacy policy explaining the basic principles used in responding to third party subpoenas (e.g. presumptive compliance with all valid subpoenas vs, say, case-by-case considerations of when to comply or contest a particular subpoena based on First amendment or other considerations).

My main suggestion is (1) so I'll concentrate on it.

Reasons for instituting a notification requirement[edit]

The current privacy policy does not require any kind of notification of registered users whose info is being sought by third parties, and, apparently, no such notification occurred in the incident mentioned above (again, see the discussion at [9]). The Supreme Court has traditionally recognized and stressed the right to and the importance of anonymous free speech, including anonymous free speech on the Internet. Of course, this right is not absolute, but it does exist and needs to be protected. This is a long-standing position of the Electronic Frontier Foundation, the ACLU, the Public Citizen and other free speech advocacy groups whose goals are in large part aligned with those of WMF. See, for example: [10], [11], [12], [13], [14], [15], and so on. The courts have maintained that anonymous internet posters have a right to contest the release of their identifying data to third parties, but, of course, to exercise this right, they need to be notified at the time such release is requested. Here is a quote from the June 2002 ACLU press release: ""You can't fight to protect your privacy and anonymity when you don't even know that it's being attacked,"" said Paul Levy of the Public Citizen Litigation Group.[16]. As far back as 2001-2002, EEF, ACLU, the Public Citizen, and others, advocated requiring ISPs to include the notification requirement in their privacy policies. Again, from the June 2002 ACLU press release: "A coalition of civil liberties and privacy groups today called on Internet Service Providers (ISPs) and other online companies to adopt policies protecting their users' right to anonymous speech on the Internet. That right has come under attack in recent years through a growing number of ""cyberSLAPP"" lawsuits, in which companies file suit just to discover the identity of their online critics - often in order to silence or intimidate them. In a cyberSLAPP suit, the target of anonymous online criticism typically files a lawsuit against a "John Doe" defendant and then issues an identity-seeking subpoena to an ISP. There is currently no legal requirement that ISPs notify their customers before complying with such subpoenas - even though many of the lawsuits are frivolous and have no chance of prevailing in court."[17] Note the phrase "and other online companies" in the above quote.

Apart from these general considerations, protecting the right to anonymous free speech on the internet is central to the core mission of the Wikimedia Foundation. The great majority of its users use pseudonyms rather than real names, as their user IDs. While these users need to behave responsibly when editing, WMF does have the responsibility to protect the privacy of these users against frivolous attacks via CyberSLAPP lawsuits. Fairness requires that registered users of WMF projects be notified in some way when their identifying info is being sought. To do otherwise has the potential for creating the atmosphere of fear and intimidation, that could have a substantial chilling effect and compromise the quality of the editorial process and the actual outcome of the WMF projects. CyberSLAPP lawsuits are being increasingly used as a tool of intimidation by big companies and by govermental entities (again, see [18]).

In the Village Pump discussion [19] one of the arguments made was that it is not so bad for WMF to release IP addresses of its users in response to a subpoena since then the buck is passed to the Internet Service Providers, who have greater financial resources and greater legal protections than does WMF in contesting subpoenas of this sort. I strongly disagree with this argument. First, I think that the primary responsibility in protecting free speech rights rests with the host of the content in question (in this case WMF) rather than with the ISPs. Second, many registered users do not use commercial ISPs but rather edit from computers belonging to some businesses, governmental organizations, military, educational institutions, etc. These entities may not be interested, and may not have the necessary resources, in contesting a CyberSLAPP lawsuit subpoena. Also, many IP addresses themselves provide too much identifying information.

Specific form of notification[edit]

Based on the Village Pump discussion, I propose an "open notification" model: when a release of user data is requested by a third party subpoena, WMF would place a short notification at the affected user's talk page stating that the user's info is requested by X via a subpoena in a lawsuit Y filed at court Z. (plus maybe a link to the privacy policy and a sentence about how to contact WMF). If a user has an e-mail account associated with their profile, a more detailed notification may be sent there, in addition to the open notification at the talk page. The same if the user info is actually released: an open notification at the talk page and an e-mail, if possible. Most users monitor their own talk pages regularly and should be able to see the notification message quickly and to remove it quickly if they want to. If a few other users see it, I don't see much harm in that either. This way the affected users will, with high degree of certainty, find out when their info is being sought, and will be able to decide if they want to hire a lawyer and contest the subpoena right away, or just start preparing for the future.

The other possibility is a closed notification model where WMF would leave a message at the talk page of the user asking the user to contact WMF "about a legal matter", and then establish some kind of authentication protocol. I think that the open notification model is cheaper, simpler and more effective.

One of the posters in the Village Pump discussion noted that if a notification occurs, the fact that it occurred may also by subject to the discovery motion by a third party. Again, I don't see much harm if the third party in question does find out about the fact that an open notification occurred. If there is some legal downside in this, I'd like for the knowledgeble people with legal training to comment here.

In a sense, an open notification model is fairly consistent with the current internal practices and principles of Wikipedia. Thus, all warning messages from Wikipedia administrators and other users, messages about blocks, messages from the Arbitration Committee, etc, are left at the affected user's talk page, where everyone, who happens to stop by, can see them. Most of the other information about the activities of a particular user, such as that user's contributions and a block log, are openly available as well. Regards, Nsk92 13:05, 10 March 2008 (UTC)[reply]

Rearding suggestion (2)[edit]

I realize that it is impractical and in fact counterproductive to give a detailed list of circumstances when the user info would be released. However, I think that the current wording of the privacy policy "may be released..." is insufficient. I think that WMF users deserve to know a little more about the general principles used in responding to third-party subpoenas.

One possibility for a policy is that presumptively, all valid subpoenas will generally be complied with to the extent possible, with exceptions in extreme cases. This is certainly a cost-effective and efficient way of dealing with the issue (although I personally hope that a more discriminating approach is taken). It is possible that that is what the current de facto WMF practice is. If yes, then WMF users certainly deserve to know about it.

Another possibility is to say something to the effect that third party subpoenas are evaluated on a case-by-case basis and may be contested for public policy reasons if WMF feels that the underlying lawsuit is a SLAPP lawsuit. (or something like that).

Regards, Nsk92 18:32, 5 March 2008 (UTC)[reply]

While it may be accepted by the board to allow individuals to be notified when a subpoena is received, there are situations where not only would informing the individual be irresponsible, but illegal. If we're going to request that the board modify a policy this fundamental, we should take that into account. ~Kylu (u|t) 16:16, 6 March 2008 (UTC)[reply]

Yes, sure, I have absolutely no objections to adding some explicit provisors of the type "unless forbidden by law or a court order" or something like that. In fact, I would not mind even having a general exception provision of some sort stating that WMF may waive the notification requirement in exceptional circumstances. Regards, Nsk92 16:30, 6 March 2008 (UTC)[reply]

Another possible wrinkle[edit]

I suggest that a multistage method of contacting users be attempted. A special committee of users or admins akin to OTRS could be pressed into service to assist in this regard if it is deemed necessary. 1. users should be contacted by email if at all possible 2. If a user has elected to remove the ability for email contact from their account, or never activated it, some effort be made to obtain their email address from their associates and "friends" on WP. I have noticed that often if someone on WP needs to contact someone else who has disabled their email, they just contact the editor's friends on WP, and often someone has the email address, even if it is not generally available on the talk page. 3. If 1 and 2 fail, then put a bland notice on the user's talk page to contact the foundation through login at some special page.

Obviously some simple method of authentication should be adopted so the user sought would have some assurance that it really was the Foundation that wanted to contact him or her, and that the Foundation was reasonably sure that this was the user. The knowledge of the user's password might be deemed enough, or the user's password plus the answer to some "secret question" posed when the account is set up. Of course these measures can be defeated, but they are better than nothing. It is possible that in some cases the user could be contacted through their internet provider, but I would suggest that this be only considered in extreme circumstances and avoided if at all possible for a variety of reasons, including privacy considerations and causing more disruption, even to the point of discouraging users from contributing to WP at all. The importance of having an email account might be stressed when the WP account is established, and an option might be presented where a user could decide if the email account is available through the WP talk page, through the WP talk page and to the foundation, to the foundation only, or not available at all.

Also, putting a notice on the user's talk page might cause their WP friends to email them anyway.

Some of these measures require recoding a bit of software, so are mildly expensive. However there is no need to adopt the full solution immediately, but to set the full solution as a goal to implement eventually, as the software is modified. Less expensive stopgap methods can be adopted before a more extensive solution is available.--Filll 13:31, 8 March 2008 (UTC)[reply]

Now that I think about it, I very much like your idea of a "secret question" that is a part of the user profile and is not publicly visible. Indeed, it can be used for a simple one-step authentication procedure when a user contacts WMF. This could make it unnecessary to provide any details about the lawsuit involved at the affected user's talk page, just a general brief message to contact WMF. Regards, Nsk92 19:34, 8 March 2008 (UTC)[reply]

Thanks a lot for participating. Let me first make another pitch in favor of the open notification model. The main drawback there is that if a notification message is posted at a user's talk page, somebody else may see it. As I said, I don't see much of a problem with this, provided that these things are specified in the privacy policy up front and people know about them. Yes, some users may not want other WP users to know that they are being targeted in a lawsuit. But making this knowledge public only compromises, to a point, the privacy of the "cyber identity" of the user involved. The privacy consideration of the real life identity are certainly more important, and I think that most people would agree to such a trade-off if the policy is known up front. The only possible exception I can see is if a WP user uses their real name as there user-id or if the real name is mentioned by the user in their user page. It is hard to imagine, however, that if the real name of the user is known, that someone would try to subpoena WMF for that user's info.

Now, regarding your specific suggestions. I very much like your idea of a technological solution (more on this below). I am not sure that trying to go through friends etc is a very practical approach. There are too many variables and subjective judgment calls involved here: who and how decides who is a friend of a particular user, etc, and what and how much to tell them. Also, as a practical matter, this approach would be more labor intensive and costly. I have no idea how many subpoenas for user info WMF receives monthly on average and how much resources they have in responding to them and handling various legal matters. That is why I would prefer a simple and cost-efficient approach.

Regarding the specific suggestion for having an e-mail address, associated with the user account, with several degrees of availability, I like this idea. I do not know how feasible it is technologically and cost-wise, but I hope that WMF will look into it.

In fact, another technological solution could potentially solve most of these problems, namely an equivalent of a "private message". Most discussion boards now have a private message feature when one user may send another user a private message not visible to others, and that the recipient can view from their user profile page. I don't know if it is possible to implement such a feature for WMF projects, such as WP, or if WMF would want to host such private traffic between its users. A more limited possibility is to only enable the private message feature for communications between the user and WMF.

Ultimately, any of the changes discussed here would be an improvement over the status quo. Even if WMF decides, for the time being, to only provide notification by e-mail and only to those users who have e-mail addresses associated with their profiles, that would be much better than the current situation. Regards, Nsk92 15:01, 8 March 2008 (UTC)[reply]

I don't plan to spend time here debating the best method of notifying users if their IP information is about to be released. But I strongly agree with Nsk92 that the WMF should make their best effort to notify people with accounts when their IP info is released, and also believe they should notify people with accounts if someone is asking for IP info (even if the WMF plans to fight its release), and finally agree that whatever current policy is (an earlier incident seems to indicate they will, or at least may, release IP addresses without fighting the subpoena), the privacy policy should be made clearer that getting an account does not necessarily protect your IP address as much as the current wording implies. --Barneca 21:18, 9 March 2008 (UTC)[reply]

The absolute minimum that the foundation should do is to email users who have email turned on to let them know a subpoena has been filed by someone requesting their IP or any other information associated with their account. Naturally when the demand for info is from the U.S. government and the disclosure of the demand is illegal, that is a different matter. But for ordinary subpoenas there should be prompt notification, which apparently was not done in the recent case as discussed at Village Pump. 24.12.175.26 21:51, 9 March 2008 (UTC)[reply]

When signing up, for example with wikipedia a user is only told "Before choosing a username please understand that all contributions are permanently recorded, searchable by username (see Help:User contributions), and publicly visible in the history of any page you edit." Thats it. No mention of the privacy policy. No mention of the IP address the way way Wikia will track/connect a username to an IP address and let certain users (check user etc.) view it. The user at no time is even informed of the existance or asked to accept the privacy policy.

The privacy policy is extremely important because a registered user, through no fault of their own, could have their IP address publicly exposed: "When using a pseudonym, your IP address will not be available to the public except in cases of abuse, including vandalism of a wiki page by you or by another user with the same IP address.".

Having a link to privacy policy at the bottom is really not good enough, its not even clear when you are on wikipedia that you are in any way agreeing to a wikimedia privacy policy. The account creation screens should contain a clear warning: "Wikimedia may collect and use your information as per the Privacy Policy. Please read it for more information." --155.144.251.120 03:13, 20 March 2008 (UTC)[reply]

I agree. I think the privacy warnings of the type discussed in the above post should be given more prominently and more explicitly when new users sign up. Similarly, I also agree that a link to the privacy policy needs to be much more prominently displayed on the sign-up screen. Regards, Nsk92 12:51, 21 March 2008 (UTC)[reply]

RE: "It is requested that this notice be translated and moved to the Wikimedia Foundation site, from which it is linked from the footer (MediaWiki:Copyright) of every page." Same text is at wikimedia:Privacy_policy. It looks like that should read MediaWiki:Privacypage --mikeu 19:05, 27 March 2008 (UTC)[reply]

If I understand correctly, the Wikimedia policies like the privacy policy are GFDL-licensed, so I believe that Wikimedia will not feel angry if I copy them taking care to delete references to Wikimedia and its project and replace them with mine. Correct me if I am wrong. NerdyNSK 23:46, 17 October 2008 (UTC)[reply]

Are login cookies attached to ip address, used to track click streaming etc, most sites do this and there fore i do not cnotribute nor accept cookies from them. I feel my clicks should never be an endorsement for any page or practice just beacause i was momentarily interested.

Rumor at Wikiscanner article talk page is there is a new one on the way to replace this outdated one. So two questions I'd like answers to and should be inpolicy here and at WP:harassment are:

• If one suspects people are editing from work to take out negative info about a person or other topic, is it acceptable to warn people on the talk page in general about existence of wikiscanning and that it has been used in past to reveal WP:COI partisans removing negative info on their employers. Frankly, I mentioned it generally once recently after noticed all the 2007 corporate edits on a certain law and suddenly most of the repeated Anon IP deletions of WP:RS material about the topic stopped. So guidance on whether to mention wikiscanning in general as a preventative measure when this kind of whitewashing obviously is happening would be helpful.
• I assume one cannot say editor XXX's edit against such and such info came from YYY Company/Activist group's IP that doesn't want that info in there. But since this material has ended up in the media, it's hard to keep it off talk pages. Clarifying the policies before new wikiscanner gets going would help. Thanks Carolmooredc 17:07, 10 November 2008 (UTC) Carolmooredc[reply]

This is a wikiarticle of a caliber like I have never seen in wikipedia... It is a model article for wikipedia but unfortunately it is not even in wikipedia. This must change. http://www.psychwiki.com/wiki/The_Schachter-Singer_Theory_of_Emotion--Nonymous-raz 07:29, 20 December 2008 (UTC)[reply]