Talk:Privacy policy/Archives/2013

Perhaps the term "social security number" in the "A Little Background" section should be broadened to include non-US equivalents, as well as other material like driver license numbers or passport numbers? --Rschen7754 05:54, 4 September 2013 (UTC)

Yes, good point. In fact, a 'social security' number is rather strictly an American thing. Driver's license numbers and passport numbers are universal. --Daydreamer302000 (talk) 08:44, 4 September 2013 (UTC)

I'd suggest "numbers on government-issued identification" and at some point add "credit card numbers" somewhere, as it's something that we oversight once or twice a month on enwiki. Risker (talk) 14:18, 4 September 2013 (UTC)

Hi Rschen7754, Daydreamer30200, and Risker! These are excellent suggestions! We will definitely address this issue in the policy. Thank you for taking the time to give this feedback. Mpaulson (WMF) (talk) 18:14, 4 September 2013 (UTC)

Done This has been changed on the english definitions draft here Jalexander (talk) 18:45, 4 September 2013 (UTC)

The X on the banner does not seem to work. Nurg (talk) 06:19, 4 September 2013 (UTC)

Thank you Nurg! I think I fixed it, it looks like the old standard it was using no longer worked. Please let me know if you have any other issues that is OBVIOUSLY not what we want (though I did start to think about some 'well we didn't want to give you a cookie' joke ;) ). Jalexander (talk) 06:28, 4 September 2013 (UTC)

Thanks, that's good now. Nurg (talk) 09:03, 4 September 2013 (UTC)

Privacy is not the biggest concern for me when using Wikimedia pages, I'm more concerned about self proclaimed editors, I always thought you were free to edit and add to articles. However, something that has happened to me in the last month has made me change my mind about donating to Wikipedia and buy a printed encyclopedia instead, check this article discussion and all the changes that have been made in the last month. List of Virtual Console games for Wii (North America) If we can't edit, then lock the pages and let the editors to look at the comments in the talk pages, just stop saying is "free".

Benutzer Seewolf ist hauptverantwortlicher Bearbeiteter der nicht für die Öffentlichkeit einsehbaren privaten Bearbeitungs- UND IP-FILTER

und er war tätig bei Wikimedia Deutschland e.V. -

See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3

Öffentliche Filter: 50

Für die Öffentlichkeit oder Wikipedia Community nicht einsehbare Filter: 75

Filterbearbeiter: Hauptnutzer und Bearbeiter der Filter sind die Benutzer Lustiger seth (32 Filter) und Seewolf (55 Filter).

Benutzer Lustiger seth bearbeitet vor allem öffentlich einsehbare Filter bearbeitet (25 Filter)

Die öffentlich nicht kontrollierten Filter sind die Domäne des Benutzers Seewolf (44 Filter)

Personenbezogene Filter: 32

Nahezu alle privat. Oft werden bei personenbezogenen Filtern dabei in der Wikipedia einzelne Artikel, die Wikipedia Funktionsseiten und Benutzerseiten für ganze IP-Bereiche gesperrt.

Die Benennung “Personenbezogener Filter ist insofern missverständlich; das am häufigsten benutzte IP Erkennungsmuster deckt maximal 65534 potentielle Benutzer ab.

Der Kollateralschaden – Sperrungen Unbeteiligter – kann also beträchtlich sein.

- See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3/#sthash.tfGrmO5Y.dpuf

german User:Seewolf is mainly responsible Worked the non-accessible
to the public and private processing filters.
He worked he at Wikimedia Germany eV -
See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3

1. #Public filters: 50

For the public, or Wikipedia community non-visible filters: 75

Filter Editor:

primary users and the user agent of the filter are Funny seth (32 filters) and

german User:Seewolf (55 filters). Funny edit user seth mainly publicly available filter processes (25 filters)

The public is not controlled filters are the domain of the user german User:Seewolf (44 Filters)

2. Personal filter: 32 Almost all private.

Often in personal filters are employed in the individual Wikipedia articles that feature disabled Wikipedia pages and user pages for entire IP ranges.

The term "Person-specific filter is so far misleading, the most commonly used IP detection pattern covers more than 65,534 potential users.

The collateral damage - innocent bystander closures - can therefore be considerable.

Thanks

— The preceding unsigned comment was added by 77.24.61.140 (talk) 20:27, 4 September 2013 (UTC)

Pretty nonsense here. -jkb- 22:43, 4 September 2013 (UTC)

Sorry -jkb-, ::

are you self a germnan Admin and Editor of this List? ::

but the German IP and USER Filter and the German USER Seewolf are real ;(

Some IP -addresses are publicly visible see ""Liste der Schurken im Wikipedia-Universum""

[ http://de.wikipedia.org/wiki/Benutzer:Seewolf/Liste_der_Schurken_im_Wikipedia-Universum]

Some entries are malicious prosecutions of IP und WP User...

For example, the CAD Troll by Benutzer:Ralf Roletschek

This is not a pretty nonsense here, this is real of a german WP

Sorry , this list is not Wiki -Like ...

— The preceding unsigned comment was added by ‎ 77.24.151.44 (talk) 5 sep 2013 05:20 (UTC)

The AbuseFilter (German: Missbrauchsfilter) is meant, like the name says it already, to prevent abuse users. If users, especially long term abusers, are smart enough to evade the filter by seeing what regex the filter uses. That's why some filters are private there. Concerning the public availability of IP's: That could have been prevented if the user in question had put __NOINDEX__ at the top or the bottom of their page. The list in findable in searh engines, but how many anonymous users will end up searching that page? I think almost none or a few. Aswell I see no name of any user account at the "CAD Troll" section of that page, so saying that putting IP's on that page is a privacy violation is kinda nonse in my opinion. This is because IP adresses can be seen in the history of the article and sometimes change fast between owners. Note: I don't have any relation with the German Wikipedia and what I say is based on facts I know myself and could find on the German Wikipedia. --Wiki13 _talk 05:55, 5 September 2013 (UTC)

//edit conflict// The abuse filter on the German WP works precisely the saame way and no other one just like the abuse filters on other Wikipedias and respects all regulations on it. The linked List "Liste der Schurken im Wikipedia-Universum" (a list of blocked users, trolls and vandals using more sockpuppets) is manualy made and has no connection to the abuse filter. On the German WP some users think the IP ist one of the blocked vandals. -jkb- 09:19, 5 September 2013 (UTC)

The abusefilter are a violation of german law, because this filter produce "Personenbezogene Information" which is recorded and this is against the german law. IP numbers a not obvious, as long the author is using an account name. Seewpöf and others nevertheless take this information from the so called Missbrauchsfilter and publish this information, a criminal act in germany. :) Acidbony (talk) 09:16, 5 September 2013 (UTC)

Sorry, this ""AbuseFilter"" (German: Missbrauchsfilter) is used today

for entries are malicious prosecutions of IP und WP User...

For example: for hounding the entry CAD Troll named by Benutzer:Ralf Roletschek...

The name of this list "villains in the Wikipedia universe" ("Liste der Schurken im Wikipedia-Universum") is a direct accusation and public discrimination of a real IP-WP-Editors!

This public "abusefilter" at german WP is today a real current violation of german law, 
because this filter produce "Personenbezogene Information" which is recorded 
and this is against the german law...

german WP-User:Seewolf is mainly responsible worked his public and other private processing filters.

He worked self at Wikimedia Germany e.V. - and created self this ""AbuseFilter""

with Name: "villains in the Wikipedia universe" ("Liste der Schurken im Wikipedia-Universum")

Sorry, but this thing is going too far...

resolved This does not seem to be the best place for this discussion. If there are issues that can't be addressed on the wikis involved the Ombudsman deal with possible privacy policy breaches and the Meta RfC process is available. Will archive in 24-48 hours. Jalexander (talk) 20:08, 5 September 2013 (UTC)]]

this is not solved. And criminal acts of User:Seewolf could not be solved by an Ombudsman. Thomas198 (talk) 16:44, 6 September 2013 (UTC)

I don't like this new policy. It needs to be changed.

Please elaborate. Which part do you believe should be changed specifically, and why? PiRSquared17 (talk) 20:45, 4 September 2013 (UTC)

This Privacy Policy does not cover some situations where we may gather or process information. Some may be covered by separate privacy policies (like the Wikimedia Shop) or sites or services run by third parties (like third-party developer projects on Wikimedia Labs). Learn more about other situations that are not covered by this Privacy Policy.

Either the parenthetical "(like the Wikimedia Shop)" was closed too early, or there's something significantly wrong with the adjacent clause "or sites or services...", because the situations won't be covered by sites or services - I think you mean to say something like ", or they may be sites or services run by third parties (...), which may not be subject to our policies."

Hope that helps! --MarkTraceur (talk) 16:47, 4 September 2013 (UTC)

Yes I just came across that too when translating to Esperanto. Could somebody please fix the sentence to whatever was actually meant, because I don't really understand it? Thanks. darkweasel94 (talk) 10:24, 5 September 2013 (UTC)

Yep. How about:

"This Privacy Policy does not cover some situations where we may gather or process information. For example, some uses may be covered by separate privacy policies (like those of the Wikimedia Shop or sites or services run by third parties, such as third-party developer projects on Wikimedia Labs)."

Does that work? Or is it still too cryptic? Great catch and thanks! Geoffbrigham (talk) 13:42, 5 September 2013 (UTC)

That at least makes sense grammatically, so yeah, that works well enough for translation. darkweasel94 (talk) 13:56, 5 September 2013 (UTC)

• Done changed in text Jalexander (talk) 01:41, 6 September 2013 (UTC)

Euh... Ca veut dire quoi, feedback ? Si vous traduisez, s'il vous plaît, essayez de le faire correctement ! 78.251.246.17 20:52, 4 September 2013 (UTC)

Bonjour ! Le mot "feedback" veut dire "commentaires en réaction". Voir aussi : #Feedback, wikt:fr:feedback#Anglais. Cdlt, PiRSquared17 (talk) 20:56, 4 September 2013 (UTC)

Merci :-) 78.251.246.17 22:42, 4 September 2013 (UTC)

There is a typo in the first paragraph of the "Sharing" complete text. "We may share you information for a particular purpose" should read "We may share your information for a particular purpose", I beleive. You can delete this when noticed... Have a nice day. Letartean (talk) 12:33, 5 September 2013 (UTC)

Thanks! Fixed. --MZMcBride (talk) 14:35, 5 September 2013 (UTC)

Sorry for the fact I didn't do it myself, I tought the page was protected and english is not my first language, so I wanted to be sure to have someone who would review. Letartean (talk) 15:07, 5 September 2013 (UTC)

Thanks for catching that, Letartean! Very much appreciated. Mpaulson (WMF) (talk) 22:36, 5 September 2013 (UTC)

Content page invites one to comment but seemingly fails to tell one where to comment. Here? On this talk page? Somewhere else?

Presentation is rather "cutsie" reminds me of the annoying paper clip helper mess of Microsoft.--64.134.41.87 13:51, 4 September 2013 (UTC)

Yes, please comment here for the privacy policy. We are definitely listening to feedback on the use of Rory (the tiger image). Veteran Wikimedians most likely need nothing like that. On the other hand, we want to facilitate reading the policy for everyone (including readers and new editors), so we are experimenting with the idea during this consultation period. Your feedback is greatly appreciated. Geoffbrigham (talk) 14:04, 4 September 2013 (UTC)

I just wanted to say that I love Rory's drawings, anyway :) --Elitre (WMF) (talk) 15:09, 4 September 2013 (UTC) PS - can I get a quick link to the colored version in the banner? I don't think I can find it on Commons, but I searched very quickly.

@Elitre (WMF) and Elitre: wmf:File:Rory intro colored 02 banner transparent.png. See MediaWiki:Centralnotice-template-PrivacyPolicyDiscussion Rory1, Special:CentralNoticeBanners/edit/PrivacyPolicyDiscussion_Rory1 for more info on this banner. PiRSquared17 (talk) 19:03, 4 September 2013 (UTC)

Thanks PiRSquared17. Good thing I did not spend too much time looking for it on Commons then... --Elitre (talk) 13:53, 5 September 2013 (UTC)

I agree that there needs to be an improvement on this. It took me a while to figure out that i should comment in talk section, as it felt like they are asking for feedback but providing no way for us to give any. I also find the editing of talk pages a shifty way of commenting and would like a better system, but we have what we have.

It looks like you will get your wish for a new discussion system: Flow. PiRSquared17 (talk) 15:43, 7 September 2013 (UTC)

This is in the first sentence of the nutshell of the draft, and is mentioned in several other places. However, if one tries to edit without logging in on English Wikipedia, at the top of the screen appears this editnotice: "You are not logged in. Your IP address will be publicly visible if you make any edits. Please log in or create an account to have your edits associated with a user name, among other benefits. "

The last sentence really pushes people to register accounts, and is written to sound as though it is pretty much required. It's something of a mixed message. If the last sentence started with "If you log in or create an account, your edits will be asociated...." it would more accurately reflect this policy, and to stay on the same message. Risker (talk) 14:36, 4 September 2013 (UTC)

Hey Risker. I actually wrote that copy. :) I think the reword for the last sentence you suggested is good. Let's do it! Steven Walling (WMF) • talk 17:03, 4 September 2013 (UTC)

I agree needs to change- Anonymous

I've boldly made this change, with one minor alteration (changed "associated with" to "attributed to"). Steven Walling (WMF) • talk 22:01, 9 September 2013 (UTC)

I think some clarification on the data retention policy would be helpful : in the section of the draft on "How Long Do We Keep Your Data", there is a link ("(Check out our list of examples") to what can be "retained indefinitely". The link sends to a page with the following statement : "You can learn more about how long we keep different types of data in our data retention guidelines and procedures [LINK]", where the link is void. Also, today's post on the Foundation's blog says : "In the coming months, we will also be releasing Data Retention Guidelines ... which [will] address many of the most prominent concerns we heard during the initial consultation period [and] explain our data collection and retention practices under the new Privacy Policy in greater detail". Does this mean the data retention policy is to be clarified here and now or later ? Is the current data retention policy to be replaced by another document ? Is there a difference made between "guidelines" and "policy" ? Will a draft on these matters be submitted later to the community ? Thanks, — Racconish^Tk 18:51, 4 September 2013 (UTC)

The German Wiki has also the internal Data retention ;(((

• Aye, sorry about the [link]. My understanding is that the Data Retention Guidelines will be put out soon (most likely in the next couple weeks), but definitely out before this discussion is over. The last date I heard was in 2-3 weeks but I may be wrong on that. Will see if I can get a more specific answer on the guidelines vs policy question (I think I know but don't want to be wrong on that). Jalexander (talk) 07:51, 5 September 2013 (UTC)

Thanks. — Racconish^Tk 08:59, 5 September 2013 (UTC)

Hi Racconish! LCA is working closely with Tech to draft some basic Data Retention Guidelines in the coming weeks. We will be able to release them for community feedback in 1-2 months. I'm sorry that I can't give you an exact date yet as the release date heavily depends on how the internal conversations go (availability, consensus, etc.) The guidelines will differ from a traditional "policy" in a few ways. First, we envision the guidelines being updated as needed so we can address how we handle new types of data or new uses of data on an ongoing basis. A policy, such as the privacy policy, is meant to be finalized and static for hopefully the next 5 years or so (assuming no major change in practice occurs in that time). The guidelines are meant to provide practical, specific, everyday guidance for WMF staff on how we handle data. And while guidelines will be public (both to be transparent and to help the community understand some of our practices better), the application of the guidelines are more internal. Policies, on the other hand, tend to be broader and outward-facing and outline principles we wish to uphold and promote. I hope that answers your question. If you have more questions or would like further clarification, we are happy to provide it. Mpaulson (WMF) (talk) 21:53, 5 September 2013 (UTC)

You know, I'm all in favour of revisiting the Privacy policy. But we do have an existing privacy policy, and there isn't even a link to it on the page titled "Privacy policy". I am quite certain this is an oversight, and that a Meta administrator can fix this. (Yes, I know the links at the bottom of the page go to the current version on wmf wiki. But if I search for "Privacy policy" here on Meta, I'm being taken to the draft.) Risker (talk) 21:36, 4 September 2013 (UTC)

That's a very good point. I'm fixing. Philippe (WMF) (talk) 21:45, 4 September 2013 (UTC)

Done with this edit. Philippe (WMF) (talk) 21:49, 4 September 2013 (UTC)

Umm, not good enough. It should be a separate bolded line that says the same thing you just posted in the box, and should not be in the box itself. It took me four tries to find it without clicking your link here. Suggested wording: CLICK HERE to read the current Privacy policy (with the link at "click here"). Risker (talk) 21:54, 4 September 2013 (UTC)

"Click here" is language that's not recommended to be used anywhere, for usability reasons. Steven Walling (WMF) • talk 23:41, 4 September 2013 (UTC)

Steven, I don't really care what language is used as long as the link to the current policy is easily visible, large and really obvious. Call it whatever you want. Just don't bury it, as it is buried right now. Having looked at the link you've provided, I'll simply say that the type of links they're recommending are pretty much the kind of links that I avoid like the plague on a website I don't know, and I'd say that as knowledgeable about the web as some of their reference sources may be, they actually don't know much about usability, which is ensuring that the site acts in the way that users expect and intend. If this is the kind of stuff that the WMF is using as its usability standards, then it explains an awful lot about the usability problems that have been introduced over the last several years. Risker (talk) 01:14, 5 September 2013 (UTC)

• I've moved it out of the template and centered it up on top, how does that look? Jalexander (talk) 07:43, 5 September 2013 (UTC)

• Thanks, James, it is better. I might have left some white space between, but that would be my only quibble. Risker (talk) 03:27, 6 September 2013 (UTC)

From various sections: "Learn more about some options you have." "Learn more about email and notifications and how to change your preferences." "(Learn more about re-identification.)"
These statements are borderline nonsense if the links are removed, and seem rather unprofessional. "You may learn more about your options at our privacy policy FAQ." (and similar) seems better to me. (I also question whether the last one should be parenthesed.)

I like your suggestion. It definitely reads better the way you suggested. We will work on changing these accordingly. Thank you so much for taking the time to help improve our privacy policy draft. Mpaulson (WMF) (talk) 19:42, 6 September 2013 (UTC)

There's also an extraneous space at From GPS & Other Location Technologies, "You can learn more by checking out our list of examples of how we use these technologies ." --81.232.114.228 15:28, 6 September 2013 (UTC)

Nice catch. Thank you for letting us know! We will get that fixed right away. Mpaulson (WMF) (talk) 19:36, 6 September 2013 (UTC)

• Done both of these done.

In the user-friendly summary, it says, "Register for an account without providing your real name or email address." There's an ambiguity problem with the scope of the word "real" here. This sentence could be interpreted as saying you can register an account without providing a real e-mail address. Well, supposing I don't need to provide a real e-mail address, it still allows that I give a fake or false one. I doubt this is intended. The sentence would be better written as, "Register for an account without providing an e-mail address or real name." This doesn't say that fake or false e-mail address are excluded (that would have to be the job of other wording elsewhere) but it does not give permission to such things, like the current wording does. Jason Quinn (talk) 05:21, 8 September 2013 (UTC)

Jason, good catch! Thank you. I like your rewrite. We will make that change. Geoffbrigham (talk) 06:15, 8 September 2013 (UTC)

Privacy policy/de (Where is this discussed?) Ich habe Probleme mit dem Text im Kasten Dies ist eine benutzerfreundliche Zusammenfassung der Datenschutzrichtlinie:

1. ) "Da wir der Ansicht sind, dass du nicht verpflichtet sein solltest,... alle Wikimedia-Seiten ohne Einrichtung eines Kontos lesen, bearbeiten oder nutzen." und (vor allem) "Inhalte, die du einer Wikimedia-Seite hinzufügst oder Änderungen, die du an einer Wikimedia-Seite vornimmst, sind öffentlich und dauerhaft verfügbar." —— Ist das jetzt eine Änderung gegenüber altem Recht (nie wieder Benutzer- und Seitensperrungen?) Ich glaube kaum. Bitte verdeutlichen, was gemeint ist.
2. ) "Da wir verstehen wollen, wie Wikimedia-Seiten genutzt werden, ... erfassen wir einige Informationen, wenn du öffentliche Beiträge machst." —— Was ist ein öffentlicher Beitrag? Gemeint ist wohl jedeweder Beitrag bei Wikimedia ausgenommen E-Mails per Spezial:E-Mail_senden/USER. Bitte verdeutlichen, was gemeint ist.
3. ) "In dieser Datenschutzrichtlinie ... deine Daten niemals zu verkaufen oder sie für Marketingzwecke an Dritte weiterzugeben" —— Was ist mit der Weitergabe ohne Verkaufsabsicht und ohne Marketingzwecke? (ich meine hier nicht Wikimedia-Seitenverbesserung, Einhaltung von Gesetzen oder Nutzerschutz)
4. ) "Inhalte, die du einer Wikimedia-Seite hinzufügst oder Änderungen, die du an einer Wikimedia-Seite vornimmst, sind öffentlich und dauerhaft verfügbar." —— Wäre neu, ist mir aber unklar. Es sind heute nicht alle Beiträge dauerhaft verfügbar, es gibt Versionslöschungen, Artikellöschungen usw., es müßte kurz auf Ausnahmen hingewiesen werden (z.B. "mit Ausnahmen"). Der Zusatz "oder Änderungen, die du an einer Wikimedia-Seite vornimmst" ist redundant.

--Mattes (talk) 08:29, 4 September 2013 (UTC), erg. --Mattes (talk) 22:28, 4 September 2013 (UTC)

The whole translation seems to be a bit rough. There are many sentences which could be phrased less complicated. Where would be the best place to suggest such alternatives? --trm 10:10, 4 September 2013 (UTC)

Jo, ich sehe Gnom u.a. haben da auch schon Hand angelegt. Vermutlich am besten das im Wochenverlauf durchzugehen sobald die erste Welle der globalen Fassung sich etwas gesetzt hat. Gruß, --Jan (WMF) (talk) 13:37, 5 September 2013 (UTC)

Hi, trm. :) If you press the "translate" tab on the German translation page, it will pull up the translation interface, where you will see the English and German side by side. Clicking on the paragraph in German that you want to edit will open an edit box for that paragraph. On one side, you will have the option to add suggestions. Alternatively, you can go ahead and just edit the paragraph if you're pretty confident in your alternative. Your help improving the translation would be welcome. More information on how to use the translation extension is here: mw:Help:Extension:Translate/Translation example. :)

However, it's fine to discuss proposed changes here, since the German translation talk page redirects here. --Maggie Dennis (WMF) (talk) 10:36, 4 September 2013 (UTC)

La version allemande est un peu compliquée. La version française n'est pas mal, mais pareil, c'est un peu compliqué, beaucoup de phrases ne sonnent pas naturel. Cela est dû au fait que bien traduire est un métier difficile, et que donc, quand on traduit de l'anglais vers le français des phrases pensées en anglais, ça sonne très bizarre, à moins peut-être d'être un traducteur vraiment excellent. C'est aussi la raison pour laquelle je suis contre les traductions d'articles : on obtient des phrases pas naturelles du tout, difficiles à lire. Pour cette Charte de confidentialité, c'est pareil, on devrait s'éloigner carrément du texte et écrire des versions totalement indépedantes. Pas la même manière de penser entre langues différentes, pas la même manière d'écrire, ça donne des traductions alambiquées, pas simples du tout à lire 78.251.243.204 22:02, 5 September 2013 (UTC)

Je vous remercie. Les versions allemande et française sont des traductions juridiques professionnels. Mon expérience est que nous avons besoin d'habitude de membres de la communauté de prendre les versions professionnelles à travers une révision ou deux. Pour cette raison, nous avons invité la communauté pour améliorer les traductions dans la mesure où cela est possible. Geoffbrigham (talk) 08:11, 6 September 2013 (UTC)

J'ai il y a quelques jours commencé à essayer d'apporter quelques améliorations à la traduction en français mais ce n'est pas facile car : je ne suis pas un excellent traducteur ; les textes sont trèèèès longs, on se fatigue vite ; je n'ai pas trouvé où se traduisaient certains morceaux du texte, par exemple Informations importantes 78.251.253.2 10:58, 6 September 2013 (UTC)

blog.wikimedia.org runs the WordPress software, but I'm pretty sure it actually isn't hosted by WordPress. I just spoke with Brion in #wikimedia-tech who said that he's pretty sure the blog is hosted on one of the WMF's servers. Legoktm (talk) 19:19, 4 September 2013 (UTC)

So I checked with the ops folks in private chat; apparently there's some talk about switching the blog to WordPress's hosted servers, but it hasn't been done yet. (Main reason to move it is that it's a pain for the ops people to keep one extra web service up, running, up to date, and tuned for occasional high-traffic spikes, while WordPress.com does that for a living.) But yeah, the text should be .... current with actual practice I suppose! --brion (talk) 19:23, 4 September 2013 (UTC)

The blog is planned to move to third-party hosting pretty soon, probably this month, as part a general redesign of the blog. I understand the new privacy policy won't go live before 2014. Regards, Tbayer (WMF) (talk) 19:51, 4 September 2013 (UTC)

Yeah, as Tilman says this is planned well in advance of this becoming practice and so was written in as a known example. Jalexander (talk) 07:48, 5 September 2013 (UTC)

The blog is being moved to third-party hosting? Does WordPress.com follow our privacy policy? --MZMcBride (talk) 12:12, 5 September 2013 (UTC)

I know that legal is currently in discussion with their General Counsel/Legal staff about changes to their privacy policy for us. I know that while we were currently expect to use wordpress.com if that falls through they have been looking at other hosting options to make sure we're comfortable. Jalexander (talk) 22:31, 5 September 2013 (UTC)

"This information includes [...] the website that referred you to the Wikimedia Sites and the website you exited the Wikimedia Sites from"

"the website you exited the Wikimedia Sites from" is hard to understand. Does it mean that when you click an external link the identity of the referring page is sent to the external website? 86.169.185.183 20:53, 4 September 2013 (UTC)

It seems trivial but does sound clumsy. It can be rephrased. Theo10011 (talk) 21:21, 4 September 2013 (UTC)

How about "the website from which you exited the Wikimedia Sites"... Chase me ladies, I'm the Cavalry (talk) 13:12, 5 September 2013 (UTC)

That may help in a cosmetic way, but it doesn't fix the main problem which is that the statement fundamentally does not make sense. I think the text has got muddled or garbled or the intent got misunderstood somewhere along the way. It may have been intended to say what I described above, but it definitely does not succeed in that. 86.167.19.217 17:41, 5 September 2013 (UTC)

That's definitely clear wording, Chase me. But unfortunately, it doesn't convey what I'm trying to say (which indicates that we need to keep trying with the phrasing). What I'm trying to describe is the next website that you go to when you exit a Wikimedia Site. For example, if I am reading a WP article and then click through to an external source link, the data automatically received by us includes what the external source website was. Any ideas as to how to better phrase that? Mpaulson (WMF) (talk) 00:54, 6 September 2013 (UTC)

I don't think that's actually the case, though. When you click an external link, WP doesn't automatically get any notification of that (there are ways to gather this information, but they're not automatic and I don't think WMF uses them). On the other hand, if someone is reading WP and follows an external link, then that external site will often be automatically informed that the visitor reached their site by following a link from the WP page. (For clarity: if the user is reading WP via https and clicks an http external link, the browser is supposed to not send that "referrer" information. But clicking an https external link or reading WP via http is fair game) In the same vein, it's also likely that the information automatically received would include not only that you loaded both "A" and "B", but that you reached "B" by following a link from "A"; I don't know that that's worth mentioning.

On the other hand, I note the section about information received automatically doesn't mention IP addresses (although they are mentioned elsewhere). Anomie (talk) 14:09, 6 September 2013 (UTC)

Hi Anomie! I followed up with members of our tech team on this issue and you are correct, the page you exit to from a Wikimedia Site is not received automatically by us, but can be collected with relative ease if elected to do so (which most websites do.) While this information may be helpful (for example, learning how users use and interact with the References section of a Wikipedia article), we do not currently collect this information. Our tech department indicates that there may be a possibility that we may collect this information in the future, if the need arises, but there are no plans to at the moment. Based on that, I'm going to remove that language from the automatically received section and see if there is a more appropriate place to put it. Thank you for catching that! Mpaulson (WMF) (talk) 16:28, 8 September 2013 (UTC)

If you do, note that the previous wording "the website you exited the Wikimedia Sites from" does not have the correct meaning. At minimum "from" should be "to", but possibly it needs further clarification if mentioned at all. For example, the concept of "exited" is doubtful when people like me almost always have the new page open in a new tab in such circumstances. I'm not "exiting" Wikipedia, but could you still potentially detect that click? 86.160.215.210 20:58, 9 September 2013 (UTC)

The policy states that "This Privacy Policy does not apply to all of the Wikimedia Sites, such as Wikimedia Sites that have their own privacy policy (like the Wikimedia Shop) or third-party actions and sites (like third-party developer projects on Wikimedia Labs)." What happens when we include code from Labs or Toolserver into standard pages (for example GeoHack; there is no indication that it might be under a different policy) -- how do we ensure compliance to the policy for those included snippets? Or how do we clearly mark on our projects that a tool is external? Mwalker (WMF) (talk) 20:58, 4 September 2013 (UTC)

Hi, Matt; thanks for taking the time to read the policy at this level of careful detail - much appreciated.

Our intent is that if something from a third party is actually included into a standard page on one of the covered sites (like GeoHack on Wikipedia pages) then it must comply with the privacy policy. This language is intended to cover cases where the Labs tool is standalone, or accessed by people making affirmative choices to go to Labs (like clicking on a link). If that's not clear, we could perhaps work to clarify this; suggestions welcome.

It might be useful to note that, to make this easy, legal has worked with the Labs team so that Labs projects embedded in covered sites should be compliant by default. This involved two steps: first, technologically, we filtered the information passed to a Labs tool (i.e., IP addresses and user agent information) so that it would be technically difficult for Labs tools to get at information that might violate the policy. Second, legally, the Labs terms of use should be more restrictive about data collection than this main policy, so that Labs projects shouldn’t be sneaking around the Labs technical restrictions in order to grab PII, and so that we can immediately kill any projects that do that.

For the case where people are clicking a link that will take them off-site to Labs, we could conceivably add a requirement that there be some sort of notification (like an icon next to the link, or an interstitial), but we’re not currently planning that. - LVilla (WMF) (talk) 00:37, 6 September 2013 (UTC)

Translation pages especially in Turkish need protection. Nazif İlbek 05:26, 5 September 2013 (UTC)

Why? Speaking of which, do the banners automatically link the correct language? --Nemo 05:44, 5 September 2013 (UTC)

Hi Nazif ILBEK! Would you might clarifying your reasons for thinking that the Turkish translations need protection? Mpaulson (WMF) (talk) 02:12, 6 September 2013 (UTC)

Nemo: They do as soon as I'm able to, it's a bit of a manual process atm, getting them to check for a translation has been a constant struggle and I've tried a couple different options. I may try another at some point for this but it's generally still a bit manual. I'm going to update them now for example and so in 15-20 minutes any page that is translated will be linked from the banner. Jalexander (talk) 05:36, 6 September 2013 (UTC)

I think this draft is a great example of how it should be done: Extensive discussions lead to a draft that is written in language that people whithout a law degree can understand, followed by a feedback period. Well done, Legal Team. Thank you for that!--Pavel Richter (WMDE) (talk) 09:08, 5 September 2013 (UTC)

Thank you Pavel! Our aim is to draft policies that adhere to the community's values and which are, at the same time, accessible to the community at large. We greatly appreciate your support! Mpaulson (WMF) (talk) 23:15, 5 September 2013 (UTC)

What is this about? Never ask?

And there have been recent talks about being more aggressive in collecting an e-mail address during account registration. I'm not sure whose principle this is. --MZMcBride (talk) 12:23, 5 September 2013 (UTC)

I don't see any reason why an email address shouldn't be asked for. Although it is easy to make one(gmail etc) it will provide some degree of contact if contact was required to verify something? — The preceding unsigned comment was added by anon (talk)

Peut-être parce que certaines personnes n'ont tout simplement pas d'adresse e-mail, et pas envie d'en avoir ? Est-ce si extraordinaire ? Et peut-être que certaines personnes ont une adresse e-mail mais refusent de la communiquer à quelque site que ce soit, parce qu'on ne sait pas ce qui peut en être fait ? Si vous communiquez votre adresse e-mail à tout le monde, ne vous étonnez pas que vos boîtes aux lettres électronique croulent sous la pub ! 78.251.243.204 18:46, 5 September 2013 (UTC)

@MZMcBride: There's no current plan to be more aggressive about requesting email addresses. I proposed it as a topic of discussion when we were A/B testing new signup forms, but it's not really a priority. Plenty of people who want to are already opting in to email notifications without use being more aggressive, so just keeping it as a very much optional thing is fine. Steven Walling (WMF) • talk 22:45, 5 September 2013 (UTC)

S: The page currently reads:

This first draft was motivated by four principles: [...] Never ask for contact information.

We ask for contact information with every account creation, I think, don't we? We ask for an e-mail address and then attempt to verify it. I'm not sure it's a principle to say we never ask for contact information. --MZMcBride (talk) 01:39, 6 September 2013 (UTC)

We have a spot for one but clearly mark it optional, perhaps 'never require' ? Jalexander (talk) 05:33, 6 September 2013 (UTC)

I think "never require" is probably more accurate. Steven Walling (WMF) • talk 16:39, 6 September 2013 (UTC)

• Done This has been changed in the template. Jalexander (talk) 23:10, 6 September 2013 (UTC)

In a regular context, it is considered to use "/" to mean "or" between two possibilities given.

Not quite sure if I understand your comment. Are you suggesting that we use "/" in lieu of "or." Thanks! Geoffbrigham (talk) 08:18, 6 September 2013 (UTC)

There are obviously a lot of things to talk about and if you aren't interested in this piece of it please feel free to start a new section with your discussion point/question/concern/etc. As you can probably see both here and on some of the other policies and draft pages we rolled out we're trying the idea of having illustrations and light humor in the text. These are not in anyway 'set' and may not appear in the final version if they're not appreciated. Legal documents tend to be lengthy, weighty and difficult to read (and rarely read at that) especially when you consider how many sites the average user visits. We want to make these documents as accessible as possible to as many people as possible. We hope to keep everyone's attention with the illustrations and a bit of levity. This is especially the case in the privacy policy but we've seeded them in a couple other locations as well. Do you like them? Hate them? Any specific ones work well or not work well? Should we think about another scene for a specific area? Jalexander (talk) 01:50, 4 September 2013 (UTC)

I think the illustrations are a waste of screen space and the web page would be physically easier to read without them - eg I wouldn't need to scroll horizontally when reading in a narrow window.

The levity and humour in the text is unnecessary and possibly counter-productive. It's hard to take a policy seriously when it compares itself to "eating your greens". "Plain English" (instead of "legalese") is a very good thing, but making it too informal or "chatty":

• may create a perception that you don't really care at all - because you're joking about it.
• may create ambiguity or uncertainty because the less formal the language, the less precise it risks becoming.

The policy needs to be easy to read and factual; it does not need to be entertaining. Mitch Ames (talk) 06:55, 4 September 2013 (UTC)

Yes, something like http://creativecommons.org/licenses/by-sa/2.0/ is perfect, but "funny" images are IMHO a poor idea.

Sorry but this "Hi, I'm Rory! I'm here to help explain this privacy policy. Welcome!" is terrible. It is straight from stupid commercial and/or something for a small children. Bulwersator (talk) 07:03, 4 September 2013 (UTC)

Agrre with all of the above. Wikipedia (& Wikimedia) is not a children's book. -Nabla (talk) 09:06, 4 September 2013 (UTC)

Gotta agree with Bulwesator & Nabla. Now if Rory were something with roots in the community (like Wikipe-Tan), I wouldn't be bothered hy this illustration half as much, however Rory is just some plush toy at the Foundation offices, giving the impression this is an initiative from the Foundation & foistering an us-vs.-them feeling to this proposed policy. (Yes, that is an issue that has been hammered ad nauseum, but presently there is a fair amount of distrust from the community about anything the Foundation does. Unforutnately clumsy stuff like this only aggrivates this distrust.) -- Llywrch (talk) 15:43, 4 September 2013 (UTC)

I agree, this Rory feels like a reincarnation of Clippy - "one of the worst software design blunders in the annals of computing". I think we can do much better here... I understand the desire to make this policy more friendly, but it must first and foremost be clear and believable. I personally feel that any cute character used on this document will only serve to undermine its legitimacy in the eyes of serious users. -- JonathanCross (talk)

I personally enjoyed the illustrations and the style of speech as well. In my eyes this is a good way to encourage readers to study the whole document and not stop reading after the first paragraph. Besides that, horizontal scrolling should be prevented through better html. --trm 10:07, 4 September 2013 (UTC)

I also like the illustration too. Given that some of our contributors and readers are kids, we want them to know how it affects them. Plus, nobody (adults and kids alike) likes to read a text block of quasi-legal stuff. The illustration helps retain some of their attention while they read through the page. OhanaUnited^{Talk page} 18:36, 4 September 2013 (UTC)

To my definition of a kid is someone who is under the age of teenager. I'm fairly sure that very very few contributors on this site fit my definition of a kid. I'm sure no kid would ever read the policy, consider that most them wouldn't able to understand that much. Even for readers, kids would only made up a very small portion of the total wikipedia readers (I barely can come up with any reasons why any kid would come to read Wikipedia's articles rather than watching TV or doing something fun). I expect this site to be a grown-up one not a website for kids.184.97.201.174 02:06, 5 September 2013 (UTC)

Look at the 2 things separately - Illustrations are fine, talking down like we're in kindergarten and we're being read a bedtime story, is probably not. I seriously doubt a lot of kids will be reading this quasi-legal, rather lengthy policy with things about metadata, subpoenas and access to nonpublic information policy etc.. With that said, It's actually a good idea to inject some levity in the mix with illustrations (I loved the kittens that used to be in other project and small cutesy things added here and there - but a mascot talking down might not be right for this audience). A little consideration for the audience would go a long way - I would suggest 'In a nutshell' blurbs accompanying the illustration would be more helpful - something like tl;dr version in 2-3 bullet-points. Hope that helps. Theo10011 (talk) 21:09, 4 September 2013 (UTC)

It says at the beginning that Rory is "here to help explain this privacy policy", but that never really happens. Some fuzzy drawings of something that looks like a cross between ET and a fluffy toy doing indistinct actions is not much of a help to me, at least. 86.169.185.183 01:26, 5 September 2013 (UTC)

I think we could explain more but for now I've removed that piece and he just says "Hi, I'm Rory". You're right, that for now he isn't really explaining anything. Jalexander (talk) 02:44, 5 September 2013 (UTC)

Hi everyone - I really appreciate the feedback on the use of images (namely, Rory, the tiger) in the privacy policy. He does represent something novel in our thinking about how to communicate a policy to a wide audience of readers and users. We like the concept, but, recognizing this is a bit of an experiment, we are definitely listening closely to your views - both pro and con.

Just to share a perspective for your consideration:

Our chief concern is to find a way to encourage everyone to read the privacy policy, given its importance to our readers and contributors. We are told that privacy policies are hard to read, that people read them infrequently, and that, when they do read them, people misunderstand them often. We are looking for ways not to fall into that norm. For example, we have included a user-friendly summary at the beginning of the policy - which was a great idea suggested by the community when we were consulting on the terms of use. We believe that, in addition to avoiding legalese, our use of visuals might also improve interest and readability in longer documents like our privacy policy.

Most Wikimedians hardly need a visual to read through a complicated document, but, of course, this policy is for everyone, including readers who may not be as familiar with our sites and projects. In the ideal world, we want to attract as many people as possible to read the privacy policy since it does govern their use of our projects and the expectations of the community and WMF.^[1]

Now our present use of the visuals is only illustrative. We are looking at ways to leverage the pictures to better explain aspects of the policy. The text box under the Rory image in the “Welcome” section is meant to help inspire ideas on how to use such images to facilitate readability and understanding. Based on some comments here, we are going to change the present text to avoid confusion, but we would be interested in your ideas on how to best use images (if you think that would be a good idea). For example, we could use other text boxes in the margins to help link to relevant FAQs on the topic or to highlight critical parts of the policy, if you thought that was useful.

Anyhow, we are really interested in your views on this idea and how we could leverage it. Also, if you have other ideas on how to improve readability through visuals, that would be helpful as well.

Thanks again for your time, comments, and insights. I greatly appreciate it. Geoffbrigham (talk) 03:31, 5 September 2013 (UTC)

Found on second paragraph in Privacy policy#Account Information & Registration. Is there any reason to have a link to a user page on policy page? – Kwj2772 (msg) 07:14, 4 September 2013 (UTC)

Just as a note the specific account is a created 'example' (you can see a little comment/note in the edit window ). Jalexander (talk) 07:30, 4 September 2013 (UTC)

I think the joke still works if you put a disclaimer right on the user page. Steven Walling (WMF) • talk 17:05, 4 September 2013 (UTC)

Hi Steven and Kwj2772! We are contemplating possible changes based on this input, but want to wait to see what other comments we receive on this joke prior to making any changes. Mpaulson (WMF) (talk) 19:06, 4 September 2013 (UTC)

I don't think this joke translates well. PiRSquared17 (talk) 19:10, 4 September 2013 (UTC)

I removed this sentence. It's a bad joke and isn't appropriate for this document. --MZMcBride (talk) 12:28, 5 September 2013 (UTC)

Of course this would have been much more funny if it had linked to Jimmy Wales saying how he hated the fact that he'd be called Jimbo for the rest of his life, even when he's 80. Don't know if he ever said/thought that, but it would definitely have been funnier.--117.225.126.52 16:51, 15 September 2013 (UTC)

Heh, it would have but yeah don't know if true :) Jalexander (talk) 02:12, 17 September 2013 (UTC)

• I expected Rory to actually say more stuff as the page went on. As it is, he is pretty useless.

Thanks, This, that and the other. I appreciate your taking the time to read and post. I hear you re Rory. I did a posting on this, which you can find here. I agree that, if we do decide to use visuals, we will need to find ways of doing so in a helpful way. Geoffbrigham (talk) 13:02, 5 September 2013 (UTC)

• Under "More On What This Privacy Policy Doesn't Cover", the use of the phrase "are supposed to" implies that some stewards or checkusers might be able to get away without agreeing to follow the other policies. I suggest that you use "must" here instead.

Thanks. I have been going back and forth on this since community members don't work for the Wikimedia Foundation. How about we say "are required to"? This would refer to the requirements of the new draft of the Access to nonpublic information policy. Would that work? Geoffbrigham (talk) 13:06, 5 September 2013 (UTC)

Thanks This, that and the other! We have changed the policy to "are required to" as Geoff suggested. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)

• Under "Your Public Contributions", we have "Your contribution (even if you just removed something) will show when it was made and your username (if you are signed in) or your IP address (if you are not signed in)." While I think I get what this means, it still comes across as a bit ambiguous. Please recast this sentence so it is better structured and pronouns are used in a clearer way.

I see what you mean. If you have time, could you give us some proposed language. If not, don't worry. We will think about it a bit ourselves. Geoffbrigham (talk) 13:14, 5 September 2013 (UTC)

We have redrafted so that it reads: "The page history will show when your contribution or deletion was made, as well as your user name (if you are signed in) or your IP address (if you are not signed in)." I hope this helps with the clarity issue. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)

• Humor is fine, but a lot of this humor is quite bad humor :( Some examples:
  • "... the picture of you in that terrible outfit your mom forced you to wear when you were eight." It's just not funny.
  • Get rid of "ericsgrl4evah". The link is funny, but inappropriate and confusing. Or at the very least, go and full-protect her user and user talk pages on enwiki.
  • Under "Information We Collect", "While removing or disabling our locally stored data does not cause lasers to shoot out of your device" is silly, and could conceivably be taken literally.

We have actually gotten different types of feedback on this, sometimes quite positive. I tend to think humor is fine if it encourages the reader to read the document and actually enjoy that experience. We have seen other policies do this successfully. Indeed, I don't believe legal documents should be stuffy or overly formal. It does not affect the legal effect of the document. That said, we are definitely listening to this type of feedback. After we hear from others, we may want to revisit how we are approaching it. (P.S. Will get to your other comments shortly.) Geoffbrigham (talk) 13:19, 5 September 2013 (UTC)

• "the website you exited the Wikimedia Sites from". What is this? Surely you exit the Wikimedia Sites from the Wikimedia Sites themselves?

This was phrased improperly. Thank you for catching that. It has been changed to "the website you exited to when you left the Wikimedia Sites". Hope that is a little clearer now. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)

• JavaScript, please.

I believe MZMcBride already changed this. Thanks for pointing that out! Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)

• Under "How Long Do We Keep Your Data?" the bit "such as your IP address if you edit while not logged in and any public contributions to the Wikimedia Sites." needs to be recast. Suggesting "such as your IP address (if you edit while not logged in) and any public contributions you make to the Wikimedia Sites."

Thanks! I have revised according to your suggestion. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)

• Link WikimediaAnnounce-L every time.

Thanks! This is been revised according to your suggestion. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)

Nice work, though. This, that and the other (talk) 07:43, 4 September 2013 (UTC)

I too concur on the point that Rory is an absolutely stupid and redundant idea. It should be removed. Privacy policies aren't comedic, they're serious business. Having some chump character introduce itself then serve absolutely no purpose just gives me the vibe that someone doodled something, thought it was gods gift to art, then pushed an agenda to have it incorporated. It's redundant, superfluous, and should be removed to minimize distraction of future readers. BaSH PR0MPT (talk) 02:57, 5 September 2013 (UTC)

I think this is a valid view, BaSH PROMPT, but I think the use of visuals could be helpful. I did post something on that above. I am also seeing some interesting alternative ideas. Thanks. Geoffbrigham (talk) 13:23, 5 September 2013 (UTC)

Hi This, that and the other. You should be able to edit the page yourself. :-) I removed the "Ericsgrl4evah" sentence and corrected the spelling of JavaScript just now. --MZMcBride (talk) 12:46, 5 September 2013 (UTC)

I've responded in-line above. We really appreciate your comments, This, that and the other. They have already made the draft better. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)

• In the summary change this: "This Privacy Policy does not apply to all of the Wikimedia Sites, such as ..." to this: "This Privacy Policy does not apply to some of the Wikimedia Sites, such as .... " To say it does not apply to all sites is ambiguous and could be taken to mean that it does not apply to any sites.

What is changing in the new Policy relative to the current one? Can anyone knowledgeable, probably those proposing it, make a diff please? - 09:08, 4 September 2013 (UTC)

+1

I have no big problem with this policy but knowing what's diferent helps to decide if it is 1 step forward or not. --Madlozoz (talk) 14:23, 4 September 2013 (UTC)

Also agree that it would be useful to know the actual changes in the policy - it could be done as a chart in a subpage since I can't see how one could give a "diff". Risker (talk) 14:28, 4 September 2013 (UTC)

Obviously a plain simple diif was not possible, if it was, there would be no point in asking for a changes list, we would do the diff, right? :-) - Nabla (talk) 20:24, 7 September 2013 (UTC)

See also #So, what is the purpose of all this?. --Nemo 05:44, 5 September 2013 (UTC)

Footer is linking to clearly superior http://wikimediafoundation.org/wiki/Privacy_policy 89.74.119.184 15:30, 5 September 2013 (UTC)

Second the motion PauAmma (talk) 15:50, 5 September 2013 (UTC)

Agreed, it's a nice looking document and quite readable, but I don't understand what and how it has changed. Ocaasi (talk) 16:39, 5 September 2013 (UTC)

+1 78.251.243.204 22:17, 5 September 2013 (UTC)

Thanks for asking about this. As Risker noted, it would be impossible to show the changes in a diff given that this is a completely new policy. Instead, I would like to outline some important changes here.

As a general matter, because the current privacy policy was written in 2008, it did not anticipate many technologies that we are using today. Where the current policy is silent, the new draft spells out to users how their data is collected and used. Here are some specific examples:

1. Cookies: The current policy mentions the use of temporary session cookies and broadly states some differences in the use of cookies between mere reading and logged-in reading or editing. The FAQ in the new draft lists specific cookies that we use and specifies what they are used for and when they expire. The draft policy further clarifies that we will never use third-party cookies without permission from users. It also outlines other technologies that we may consider using to collect data like tracking pixels or local storage.
2. Location data: Whereas the current policy does not address collection and use of location data, the draft policy spells out how you may be communicating the location of your device through GPS and similar technologies, meta data from uploaded images, and IP addresses. It also explains how we may use that data.
3. Information we receive automatically: The current policy does not clearly explain that we can receive certain data automatically. The new draft explains that when you make requests to our servers you submit certain information automatically. It also specifies how we use this information to administer the sites, provide greater security, fight vandalism, optimize mobile applications, and otherwise make it easier for you to use the sites.
4. Limited data sharing: The current policy narrowly states that user passwords and cookies shouldn’t be disclosed except as required by law, but doesn’t specify how other data may be shared. The new draft expressly lists how all data may be shared, not just passwords and cookies. This includes discussing how we share some data with volunteer developers, whose work is essential for our open source projects. It also includes providing non-personal data to researchers who can share their findings with our community so that we can understand the projects and make them better.
5. Never selling user data: The current policy doesn’t mention this. While long-term editors and community members understand that selling data is against our ethos, newcomers have no way of knowing how our projects are different from most other websites unless we expressly tell them. The new draft spells out that we would never sell or rent their data or use it to sell them anything.
6. Notifications: We introduced notifications after the current policy was drafted. So, unsurprisingly, it doesn’t mention them. The new draft explains how notifications are used, that they can sometimes collect data through tracking pixels, and how you can opt out.
7. Scope of the policy: The current policy states its scope in general terms, and we want to be clearer about when the policy applies. The new draft includes a section explaining what the policy does and doesn’t cover in more detail.
8. Surveys and feedback: The current policy doesn’t specifically address surveys and feedback forms. The new draft explains when we may use surveys and how we will notify you what information we collect.
9. Procedures for updating the policy: The new draft includes specific instructions on how we will notify you if the policy needs to be changed. This is consistent with our current practice, but we want to make our commitment clear: we will provide advance notice for substantial changes to the privacy policy, allow community comment, and provide those changes in multiple languages.

The purpose of a privacy policy is to inform users about what information is collected, how it is used, and whom it is shared with. The current policy did this well back when it was written, but it is simply outdated. We hope that with your help the new policy will address all the relevant information about use of personal data on the projects. YWelinder (WMF) (talk) 01:07, 6 September 2013 (UTC)

Thank you. - Nabla (talk) 20:24, 7 September 2013 (UTC)

PS: If someone could remove my previous, un-logged, post, I would appreciate. Thanks in advance. And if I wasn't forced to log in to meta while already logged at enwiki, it would also be useful (it should be obviously so, no?) - Nabla (talk) 20:24, 7 September 2013 (UTC)

A couple community members got to it way before I saw the request :) You're set. Jalexander (talk) 03:28, 10 September 2013 (UTC)

There is no such thing as privacy on Wikipedia or its sister projects. If you post anything, you can be banned. Chutznik (talk) 21:07, 8 September 2013 (UTC)

Hi Chutznik. I'm not sure if I understand your comment. Can you elaborate, please? Thanks. Geoffbrigham (talk) 12:02, 9 September 2013 (UTC)

I will add to the above that users what post from multiple IP accounts have been victimized in past for having "sock-puppet" accounts, when in reality, they preferred simply to post anonymously from various locations -i.e. post from home and post from their work-places. Over-zealous admin (or even other posters) were meticulous about tracking them down and attempting to "expose" them, publicly shame them, etc., especially when they found they sometimes logged in from those same I.P.s (for example, to upload images or start new articles, something you can't do from an anonymous I.P. only account). So I would agree with the sentiment, though perhaps not the wording, that some of the privacy policy is merely high-minded sounding while many of its proponents are failing to live up to its ideals in practice.198.161.2.241 18:32, 9 September 2013 (UTC)

What is being discussed here is policy, while you're criticizing the implementation/practice. I'm not even saying I disagree (nor agree), I just think it is not necessarily relevant to the policy proposal. Pundit (talk) 16:19, 11 September 2013 (UTC)

Chutznik has since been blocked. Tiptoety ^talk 16:21, 11 September 2013 (UTC)

You can't visit wikipedia while using Tor. Do something about it. Let's discuss: GO ! --82.113.122.164 21:54, 11 September 2013 (UTC)

Can't visit?! For what it's worth, NOP was just updated. Check it. --Nemo 21:56, 11 September 2013 (UTC)

You are right, sry I'm a miserable guy. Greets--82.113.122.164 22:01, 11 September 2013 (UTC)

To understand and experiment needs some elaboration. I am annoyed by the fact that many websites do not really explain how third parties can take a "limited" amount of user data for "analysis." Where are requests to use aggregated data posted (to determine who is using this data), what is the application process, what is the format in which the data is transferred to the requesting organization, what is the maximum amount of data that the organization can receive, and how is the data limited (list types of user data that the requesting party can only choose)? Longbyte1 (talk) 23:24, 5 September 2013 (UTC)

On this subject, I'd like to learn what does this mean for researchers of Wikipedia in practice. Will we get new data? Will we loose access to some? How can the data be obtained, in practice? --Piotrus (talk) 05:15, 6 September 2013 (UTC)

Excellent questions, in fact the Research Committee started to flesh out a process and a set of requirements for data requests for research purposes (cc Daniel Mietchen). That proposal was never fully executed, because of the lack of community and WMF policies that the RCom could use to enforce it. With a new privacy policy making it explicit under which conditions data can be shared, I would really like us to work on a policy mandating for researchers who get access to private data under an NDA that (1) they publicly document their requests, (2) share aggregate data within a predefined timeline and (3) make the research output of any work based on this data publicly available in an open access format. I don't think the privacy policy is the appropriate place to specify the process and the terms of this mandate, but I agree these should be captured in an official policy. --DarTar (talk) 19:48, 6 September 2013 (UTC)

I completely agree with DarTar on this. -- Daniel Mietchen (talk) 21:59, 8 September 2013 (UTC)

Just wanted to speak up for the possible majority of Wikipedia users and say "Meh, not a big deal, I don't care, I support whatever changes you guys think are best." 198.96.35.90 07:29, 6 September 2013 (UTC)

:) Thanks! Geoffbrigham (talk) 08:17, 6 September 2013 (UTC)

Agree Wholeheartedly. Thats why the silent Majority usually stays silent! Vague 12345 (talk) 12:14, 6 September 2013 (UTC)

But: who is "you"? The Wikimedia Foundation Board of Trustees? The staff in general? The ED specifically? Legal? The WMF as a whole? --Nemo 15:11, 6 September 2013 (UTC)

Good point. And also why you two can't represent it, as you've just been non-silent. ;) --Nemo 15:13, 6 September 2013 (UTC)

I have contributed something today for the simple purpose of saying that this poster is right. And he is right because every policy on every site has such majority. thats because vocal minority is always minority. Any case when majority became vocal, we named them revolutions. So while it is nice that they listen to suggestions, its worth remembering that this is after all a vocal minority.

Affirmer : « La majorité silencieuse est de mon avis », voilà bien un argument de dictateur ! 85.170.120.230 10:22, 8 September 2013 (UTC)

I won't argue the vocal minority or the silent majority as they are what they are, but you can't let the absence of the silent majority prevent a change that may be required from occurring. Wikipedia is trying to get the input from all of its users (from what I've been able to determine) by hanging the banner on the top saying "Let your voice be heard! Give your input on the draft of our new privacy policy." From editing on the English Wikipedia, I can see by that banner that all visitors to Wikipedia have the opportunity to participate in the discussion whether they choose to or not. Koi Sekirei (talk) 17:56, 8 September 2013 (UTC)

D'accord avec vous. Je dis juste que la majorité silencieuse... reste silencieuse. Ne lui faisons donc pas dire ce qu'elle n'a justement pas dit. Lui faire dire qu'elle soutient (ou rejette) le changement, ce serait de l'imposture 85.170.120.230 01:35, 9 September 2013 (UTC)

To: 85.170.120.230 - Ah...I will admit that I hadn't translated what you said before now. Sorry about that. I was merely commenting on the sixth and unsigned comment right before yours...unless that was yours just in English. Koi Sekirei (talk) 04:17, 9 September 2013 (UTC)

I'd like to see a change of policy regarding anonymising VPNs. Currently these are blocked as 'open proxies', which they aren't. Though I also think open proxies should be allowed as well. I know that there have been instances of abuse by anonymous users but I think that blocking all anonymising services is a bridge too far. Perhaps a solution would be to allow users to edit via anonymising services if they register an account? Either way to just say anonymous users do too much damage is a cop out. The price of freedom is eternal vigilance. If the admins can't cope, get more admins.58.6.101.181 23:32, 6 September 2013 (UTC)

In the end the foundation (and this privacy policy) does not stop VPNs (or open proxies) from being used. For reading nothing is blocked but for editing the issue is up to the community, both the local communities and the global stewards for global issues. All projects that I know of have a way for you to ask for and receive an 'exemption' flag that will let you edit from blocked IPs, each of them have different rules that the community has set. Jalexander (talk) 08:41, 7 September 2013 (UTC)

Wikipedia certainly does stop users editing when they access via anonymising VPNs. I use a VPN and I can't edit when I am using it as it gives me a message saying I am editing from an open proxy, which it certainly isn't. I'd like to see more information on the method you mention of getting permission to edit from blocked IPs as I have never heard of it. I have tried repeatedly to be able to edit via my VPN but have always been assured that it is forbidden. But I do think that even if specific projects have a way to give someone permission of the kind you mentioned that is a serious limitation. Users might not only wish to edit pages of a particular project or indeed to seek permission for such approval if they are in a situation where their anonymity is important. If wikipedia really wants for everyone to be able to edit it then we shouldn't be limiting users based solely on the fact that they wish to be anonymous. It seems that the main reason given is that it is too much work for admins to deal with. The solution to that should be to get more admins not remove the ability to be anonymous because some people have behaved badly. 203.57.208.89

Yeah, Wikipedia (individual projects or the global community here on Meta) block access to some anonymizing services but in the end that's up to them and it isn't something that we're able to really change much. We have to give the specific projects the ability to control vandalism, sadly there are many people who use anonymising services to vandalize or abuse the sites in other ways. The warning you get about 'open proxies' is the message for why the block was placed but it was placed there by the community, usually because people from that IP/VPN were causing disruption or problems and 'acting' like an open proxy even if they aren't in actuality one. You can find the English Wikipedia policy on IP Block Exemption as well as the Global request page (global requests are for globally blocked IPs, i does not exempt you from local blocks). Obviously there are projects (such as zhWiki) which are more free in allowing the exemption then others (such as enWiki). In the end this is not something the foundation is going to impose on the individual projects, they NEED to have the ability to block these if they determine it's necessary to protect the project. Jalexander (talk) 03:46, 10 September 2013 (UTC)

"Never require for contact information, and collect little data otherwise;" I suspect would read better without "for", but again we have some examples where we do require contact information. Functionaries for example have to identify to the office. I think that the Principle which we follow is for minimal requirement, or that "for the vast majority of Wikimedians we don't require contact details". WereSpielChequers (talk) 17:59, 7 September 2013 (UTC)

Maybe something like this, roughly speaking:

"Never require contact information to use the Wikimedia Sites, and collect little data otherwise."

Thoughts? - Geoffbrigham (talk) 06:46, 8 September 2013 (UTC)

What does "use" mean? --Nemo 08:51, 8 September 2013 (UTC)

Actually, I think this is just a typo. The "for" was never supposed to be there. It's been corrected. Thanks for catching that! Mpaulson (WMF) (talk) 17:41, 8 September 2013 (UTC)

"for" probably was a typo and taking it out fixes one problem, but there are some circumstances where we do require contact information. Geoff's wording "Never require contact information to use the Wikimedia Sites, and collect little data otherwise." might work, but it could leave people wondering at the ambiguity. Howabout: "We only require contact information from users who request certain high level access rights to these sites. Or sometimes to send you things like Tshirts." Though the last clause might need tweaking, other parts of the document already read like confirmation of the old joke about the WMF talking to the community like a bunch of twenty somethings trying to relate to a bunch of adolescents, and inadvertently offending the silver surfers who increasing predominate in it. WereSpielChequers (talk) 23:14, 9 September 2013 (UTC)

I think your first sentence suggestion would work. I'll get that changed. Thanks, WereSpielChequers! Mpaulson (WMF) (talk) 16:36, 10 September 2013 (UTC)

by users

"The Wikimedia Sites are collaborative labors of love that were created, and by constantly maintained and updated, a global community of volunteer users." might read better as "The Wikimedia Sites are collaborative labors of love that were created, and constantly maintained and updated, by a global community of volunteers."

By was simply in the wrong place, users was redundant but also offensive to some. In my book our users are the people who use our site to look things up in a dictionary, image library or encyclopaedia. Our volunteers who contribute to the site are rather more than just users. WereSpielChequers (talk) 18:12, 7 September 2013 (UTC)

Nice catch. I think this was garbled when we wikified the draft for posting. Thanks. I like the rewrite (much better). I might say "volunteer editors and contributors" at the end since we use that phrase elsewhere (see, e.g., user-friendly summary). So it would read:

The Wikimedia Sites are collaborative labors of love that were created, and constantly maintained and updated, by a global community of volunteer editors and contributors.

Does that work? Geoffbrigham (talk) 06:51, 8 September 2013 (UTC)

Yes that works for me. WereSpielChequers (talk) 22:54, 9 September 2013 (UTC)

"Labours of love" and similar expressions like "Wikilove" much liked in the US does not work for me in any Danish (and I suppose any Nordic) translation, where love means the real thing. What about using "collaborative effort" or some similar expression instead? Sir48 (talk) 23:07, 9 September 2013 (UTC)

I'm not sure that needs changing on the English side, I don't think something like collaborative effort gets the idea across well there :-/. That said If we need to tweak it in other languages I think that's perfectly understandable. If you think that's the best phrasing to use I'd go with it for the translation, the idea of the labour of love is more of a task done for pleasure, not reward. Jalexander (talk) 18:54, 10 September 2013 (UTC)

Nevermind. You hid it in that FAQ, which does not seem to be an actual part of this page, for some reason, even though it is a change in policy. I'd rather be able to stay logged in forever, but 180 days is better than 30.

Honestly, I don't get why I would ever care to be logged out. Worst case scenario--someone gets access to my computer at my house and does something that gets me temporarily banned. I get another userid at a friends house and log in using it from now on.

Just as long as you don't pull a Google and make it where I can't fix this by just editing my login cookie, I guess I'm okay with that. Though explicitly letting me set how long I'll stay logged in would be a nice addition. Trlkly (talk) 02:47, 8 September 2013 (UTC)

Hi Trlkly! It was not our intent to hide information about login cookie duration. Quite the opposite, in fact! We're trying to provide more specific information about the cookies we use and their duration. However, we placed that information in the FAQ because (1) we want didn't want to make the main body of the privacy policy unnecessarily long; and (2) we want to be able to continue to add to/modify the cookie table in the FAQ to keep the table up-to-date and provide better transparency about our use of cookies and other locally-stored data. Mpaulson (WMF) (talk) 17:00, 8 September 2013 (UTC)

What happens when some contributor dies? There sometimes in memoradium pages, by important wikipedia contributors, but who is then responsible for the information?212.61.237.163 09:36, 8 September 2013 (UTC)

Hi 212.61 ... As set out in the privacy policy, data may be retained as long as necessary, and, if no longer necessary, it should be deleted (whether or not a person is living) per our data retention policy (which we will be sharing in draft form with the community for comments). Also the estate of a deceased individual often appoints a representative to exercise the rights of the deceased person, if necessary. Geoffbrigham (talk) 12:09, 9 September 2013 (UTC)

To be practical, we usually won't know when a contributor dies. I suspect in a century or so we will start assuming that the early editors are dead, but if someone retires after a year or a decade of editing then how would we learn of their death perhaps half a century later? WereSpielChequers (talk) 23:37, 10 September 2013 (UTC)

Who is the actual "sender of the message" behind this proposal? To me it does not seem to be a proposal at all but a prepared policy that the community must accept. Where is the discussion that lead up to this? Who is the real sender? — Jeblad 11:35, 8 September 2013 (UTC)

Il est vrai qu'on peut se demander si cette discussion est juste une opération de communication destinée à faire croire que la Charte est le résultat des réflexions de la communauté, ou si nos avis seront réellement pris en compte :-) 85.170.120.230 12:14, 8 September 2013 (UTC)

Hi Jeblad and 85.170... In June the Wikimedia Foundation - which hosts Wikipedia and its sister sites - requested feedback from the community on a proposed update of the present privacy policy; the community gave us a number of ideas; and those comments played an important role as we drafted this proposal, which we just offered as a draft for further community comment. The consultation period for this draft with the community is at least 4 months, and we are making significant efforts to get the word out to get further global community input, including providing translations, using site banners, blog posts, announcements, etc. We anticipate that the input from the community will be similar to our Terms of Use, where there were significant changes based on community feedback and negotiation. For background on how the community consultation worked for the Terms of Use, take a look at this blog. Once the privacy policy draft is modified based on the community feedback and discussions, that draft will be presented to the Wikimedia Foundation Board of Trustees, which includes at least 50% Wikimedians and community members as directors, for further consideration. So this is far from a fait accompli. Indeed, I'm unaware of any major website that undertakes this degree of consultation, negotiation, and change based on community feedback for policies as significant as the terms of use and privacy policy. I personally believe it is essential to do so: not only is community collaboration consistent with our values, but also it makes the policy better. That was definitely the case with the Terms of Use. Take care, and thanks for your question. Geoffbrigham (talk) 17:48, 8 September 2013 (UTC)

Super ! Si c'est comme vous le dites, je m'en réjouis :-) 85.170.120.230 01:40, 9 September 2013 (UTC)

I really don't know if I like this, the projects are community driven but this is driven by Foundation. The Foundation shall only be a necessary administrative level to do those things the community can't, but more and more it put itself in a leading role. I'm not sure if this is wise. — Jeblad 17:10, 9 September 2013 (UTC)

We may just need to agree to disagree, Jeblad. As the hosting company of the projects, WMF has a responsibility as a steward to the community to take the initiative, for example, when the policy needs updating for legal reasons. The alternatives include WMF doing it without community consultation or WMF doing it with significant community consultation with global outreach. We have been able to aim for the latter in the last policy rollouts, and I believe we are doing that here. I agree that any policy rollout must be a true partnership, not a fait accompli. I also agree that, in most cases, WMF should be hands off on community policies when there are no overarching critical need, like ensuring legal corrections or updating. Geoffbrigham (talk) 03:45, 11 September 2013 (UTC)

a current available WP-violation of a german law in Range "Privacy policy" is here not off-topic...

This list is not an official managed or checked list for german admins.

Each WP user, for example Benutzer:Ralf Roletschek can make the CAD-Troll Edit self

You can closures IP-ranges for WP-Edit without Admin approval.

Some entries are more than half a year old and still effective...

The [User:-jkb-

Hi Thomas,

I wanted to let you know that I archived your discussion on Talk:Privacy policy regarding deWiki edit filters. As I stated there the correct place for that discussion is either privately with the Ombudsman or the Meta RfC process. If you have already reached out and talked to the ombudsman you can email myself and/or Philippe but I must let you know that we put heavy influence on the Ombudsman and there decisions. Jalexander (talk) 12:06, 7 September 2013 (UTC)

As I stated before, this is not a question to an ombudsman, but is a legal question. German administrators violate heavily german law. This could not be solved by an ombudsman. For this reason, and the necessarity of public in this case, I redid your archivation. Kind Regards, Thomas198 (talk) 13:00, 11 September 2013 (UTC)

Benutzer Seewolf ist hauptverantwortlicher Bearbeiteter der nicht für die Öffentlichkeit einsehbaren privaten Bearbeitungs- UND IP-FILTER

und er war tätig bei Wikimedia Deutschland e.V. -

See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3

Öffentliche Filter: 50

Für die Öffentlichkeit oder Wikipedia Community nicht einsehbare Filter: 75

Filterbearbeiter: Hauptnutzer und Bearbeiter der Filter sind die Benutzer Lustiger seth (32 Filter) und Seewolf (55 Filter).

Benutzer Lustiger seth bearbeitet vor allem öffentlich einsehbare Filter bearbeitet (25 Filter)

Die öffentlich nicht kontrollierten Filter sind die Domäne des Benutzers Seewolf (44 Filter)

Personenbezogene Filter: 32

Nahezu alle privat. Oft werden bei personenbezogenen Filtern dabei in der Wikipedia einzelne Artikel, die Wikipedia Funktionsseiten und Benutzerseiten für ganze IP-Bereiche gesperrt.

Die Benennung “Personenbezogener Filter ist insofern missverständlich; das am häufigsten benutzte IP Erkennungsmuster deckt maximal 65534 potentielle Benutzer ab.

Der Kollateralschaden – Sperrungen Unbeteiligter – kann also beträchtlich sein.

- See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3/#sthash.tfGrmO5Y.dpuf

german User:Seewolf is mainly responsible Worked the non-accessible
to the public and private processing filters.
He worked he at Wikimedia Germany eV -
See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3

1. #Public filters: 50

For the public, or Wikipedia community non-visible filters: 75

Filter Editor:

primary users and the user agent of the filter are Funny seth (32 filters) and

german User:Seewolf (55 filters). Funny edit user seth mainly publicly available filter processes (25 filters)

The public is not controlled filters are the domain of the user german User:Seewolf (44 Filters)

2. Personal filter: 32 Almost all private.

Often in personal filters are employed in the individual Wikipedia articles that feature disabled Wikipedia pages and user pages for entire IP ranges.

The term "Person-specific filter is so far misleading, the most commonly used IP detection pattern covers more than 65,534 potential users.

The collateral damage - innocent bystander closures - can therefore be considerable.

Thanks

— The preceding unsigned comment was added by 77.24.61.140 (talk) 20:27, 4 September 2013 (UTC)

Pretty nonsense here. -jkb- 22:43, 4 September 2013 (UTC)

Sorry -jkb-, ::

are you self a germnan Admin and Editor of this List? ::

but the German IP and USER Filter and the German USER Seewolf are real ;(

Some IP -addresses are publicly visible see ""Liste der Schurken im Wikipedia-Universum""

[ http://de.wikipedia.org/wiki/Benutzer:Seewolf/Liste_der_Schurken_im_Wikipedia-Universum]

Some entries are malicious prosecutions of IP und WP User...

For example, the CAD Troll by Benutzer:Ralf Roletschek

This is not a pretty nonsense here, this is real of a german WP

Sorry , this list is not Wiki -Like ...

— The preceding unsigned comment was added by ‎ 77.24.151.44 (talk) 5 sep 2013 05:20 (UTC)

The AbuseFilter (German: Missbrauchsfilter) is meant, like the name says it already, to prevent abuse users. If users, especially long term abusers, are smart enough to evade the filter by seeing what regex the filter uses. That's why some filters are private there. Concerning the public availability of IP's: That could have been prevented if the user in question had put __NOINDEX__ at the top or the bottom of their page. The list in findable in searh engines, but how many anonymous users will end up searching that page? I think almost none or a few. Aswell I see no name of any user account at the "CAD Troll" section of that page, so saying that putting IP's on that page is a privacy violation is kinda nonse in my opinion. This is because IP adresses can be seen in the history of the article and sometimes change fast between owners. Note: I don't have any relation with the German Wikipedia and what I say is based on facts I know myself and could find on the German Wikipedia. --Wiki13 _talk 05:55, 5 September 2013 (UTC)

//edit conflict// The abuse filter on the German WP works precisely the saame way and no other one just like the abuse filters on other Wikipedias and respects all regulations on it. The linked List "Liste der Schurken im Wikipedia-Universum" (a list of blocked users, trolls and vandals using more sockpuppets) is manualy made and has no connection to the abuse filter. On the German WP some users think the IP ist one of the blocked vandals. -jkb- 09:19, 5 September 2013 (UTC)

The abusefilter are a violation of german law, because this filter produce "Personenbezogene Information" which is recorded and this is against the german law. IP numbers a not obvious, as long the author is using an account name. Seewpöf and others nevertheless take this information from the so called Missbrauchsfilter and publish this information, a criminal act in germany. :) Acidbony (talk) 09:16, 5 September 2013 (UTC)

Sorry, this ""AbuseFilter"" (German: Missbrauchsfilter) is used today

for entries are malicious prosecutions of IP und WP User...

For example: for hounding the entry CAD Troll named by Benutzer:Ralf Roletschek...

The name of this list "villains in the Wikipedia universe" ("Liste der Schurken im Wikipedia-Universum") is a direct accusation and public discrimination of a real IP-WP-Editors!

This public "abusefilter" at german WP is today a real current violation of german law, 
because this filter produce "Personenbezogene Information" which is recorded 
and this is against the german law...

german WP-User:Seewolf is mainly responsible worked his public and other private processing filters.

He worked self at Wikimedia Germany e.V. - and created self this ""AbuseFilter""

with Name: "villains in the Wikipedia universe" ("Liste der Schurken im Wikipedia-Universum")

Sorry, but this thing is going too far...

resolved

It would be nice if the account can be removed. Thank You! --78.49.38.54 13:03, 4 September 2013 (UTC)

Sadly deleting an account is essentially impossible, if we delete an account then every edit made by that account isn't attributed to anyone and we can't allow that. Many wikis have a policy similar to English Wikipedia's Right to Vanish where you can be renamed to some obscure numbered name and your user page deleted but that's essentially the closest that we can get :(. Jalexander (talk) 20:11, 4 September 2013 (UTC)

A option to do that which ive seen done on other sites is to attribute all the things a person has written to account named "Deleted", which would solve this problem and allow the deletion of account from database. Of course there is the potential risk of people registering, vandalizing and deleting themselves not to trace them back. A possible solution could be that deletion ony gets confirmed after, say 24 hours, during which the vandalism gets noticed usually.

P.S. not sure if i did this formatting thing right

Call me brainwashed by my years in accounting audit and reading computer security logs, but I agree that the identity should be retained in some fashion, and not removed from the database. However, I think there is sufficient cause to allow identified persons to "retire" their identity. Yes, that begs a question or two. "Retiring" is not the same as deleting an identity. Their reasons could have to do with stalking or police state issues, or psychological concerns, but it would be the statesmanlike thing to do to permit it. I think there are better ideas than my initial suggestion here (i.e., research needed), but perhaps we can consider identifying such a person as "Retired." Timestamp and other data needed to maintain talk page threads to maintain Wikipedia standards for transparency would not be removed. Perhaps the identity information could be taken offline -- if there is such a notion in Wikipedia's architecture. It is true that third party archive engines could restore identities once deleted. Still, while the benefit is limited, it would be useful for most contributors. It should not be easy to retire oneself, as this could place a burden on the community. Ping me if you would like me to look at some suggestions in the literature. --Knowlengr (talk) 02:00, 8 September 2013 (UTC)

Hi All,

Thank you for your suggestions. As Jalexander mentioned above, there are significant difficulties in deleting an account altogether. However, providing a way to mark an account “retired” is an interesting suggestion and one worth further exploration.

From a privacy policy perspective, it is first worth noting that a privacy policy only outlines the baseline privacy protections that the Wikimedia Foundation will provide -- nothing prohibits the Wikimedia Foundation (or the community) from providing greater privacy protections now than those stated in the privacy policy or from providing more comprehensive protections in the future as new protections become available. For example, if we find a way to create more secure connections for users or ways to universally retire accounts, the privacy policy draft as it currently stands would permit those protections to be given.

From an implementation perspective, “retiring” an account is already somewhat available on select wikis. For example, the English Wikipedia has a Courtesy vanishing/Right to Vanish policy and a couple of other large wikis have similar policies. However, you can currently only rename an account one by one on each wiki where you (or your unified account) exist. Because of this, a global policy that would permit you to “retire” you account would be incredibly difficult to write and enforce.

In the future (hopefully soon), as we work towards finalizing our unified account system, we will be able to have a much easier global rename or “retirement” process and the community may be able to decide on a global vanishing or “retirement” process. Mpaulson (WMF) (talk) 00:18, 12 September 2013 (UTC)

Pro-tip: cross-wiki guidelines are more easily found by searching on Meta than on individual wikis. Right to vanish has been a global pseudo-guideline for years. --Nemo 06:51, 12 September 2013 (UTC)

This is true, but (for the reasons above) very difficult to do globally (I'd also say it's very 'pseudo guideline' and up to the local community, though something like it perhaps should become a more concrete rule with global rename. Jalexander (talk) 02:28, 17 September 2013 (UTC)

Consider this concept from the European privacy standards

". . . Subjects on whom data is held are given certain rights: 'the right of access to that data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances . . . ' "

I would like to see some mechanism provided to request that PII data to be corrected, and some right of recourse for misuse. Misuse could be due to hacking or simply abuse (intentional or otherwise) of data by third parties. Recourse, or stated in a more positive light, feedback, is one of the overlooked facets for maintaining data quality. I presume that PII is a minor part of data protection concerns for WMF, but breakdowns in the integrity of attribution could reflect broader data corruption. In addition, it is not hard to imagine that public or private sources might try to infer something about one's character from what content they are curating on Wikipedia. If this is (or is thought to be) a case of mistaken identity, WMF should provide a recourse. There are lightweight and heavyweight solutions to this, and for a nonprofit, lightweight may be good enough. Not because there is any obligation to follow the European model, but simply for reasons of data quality. As for "right to withhold permission," I would argue against fully deleting the identity, but there may be steps that can be taken to mitigate compromised identities. Data quality ombudsman? Hopefully this would be a relatively minor occurrence and easily separated from the casual editor's relatively more common misunderstanding of how Wikipedia works.--Knowlengr (talk) 03:48, 8 September 2013 (UTC)

Hi Knowlengr! Thank you for your suggestions. These European standards were actually concepts we considered in great detail and for a long time while putting together this draft. Unfortunately, it seems that at the point we do not have the capacity to provide users methods to request these things (although I hope we will be able to offer some in the future). That said, in the (hopefully) rare situation where someone believes that a particular attribution's integrity has been compromised, we would like to have that investigated and addressed. I will look into where someone can report such problems and get back to you. Mpaulson (WMF) (talk) 00:42, 12 September 2013 (UTC)

I'm told you can report it on Technical Village Pump and WMF's ops team will be notified accordingly. Hope that helps! Mpaulson (WMF) (talk) 00:49, 12 September 2013 (UTC)

I found this response "we do not have the capacity to provide users methods to request these things" interesting. Of course it's not actually impossible to bring systems up to European standards, and quite a large number of organisations have found it quite feasible. The comment should perhaps read "we don't have to, and we don't want to, so we're not going to". Again "we would like to" falls a long way short of "we will" and presumably the difference is intentional? Spectral sequence (talk) 11:41, 14 September 2013 (UTC)

Would it be relevant to add something along the lines of "From time to time, we may release non-personally-identifying information in the aggregate, e.g., by publishing analytical data..."

Do you think that's covered by the Experimentation section? "Similarly, we may share non-personal or aggregated information with researchers, scholars, academics, and other interested third parties who wish to study the Wikimedia Sites." or is there somewhere else you think it needs to be spelled out more? Jalexander (talk) 02:42, 5 September 2013 (UTC)

It is covered in the Experimentation section, but in the era of Big Data, one wonders whether enough attention is being paid to the provenance of Wiki data. Just a thought in this context; I suggest addressing data quality directly elsewhere.--Knowlengr (talk) 03:18, 8 September 2013 (UTC)

Hi Knowlengr, where do you think would be an appropriate place to address this? Would adding it to the user-friendly summary help? Maybe something like "As part of our commitment to education and research around the world, we occasionally release public information and aggregated or non-personal information to the general public through data dumps and data sets." Mpaulson (WMF) (talk) 23:18, 9 September 2013 (UTC)

Hi- That would fine so far as the policy's public face is concerned. I also think that WMF should add requirements upon data recipients -- consumers of such information -- to maintain provenance information from Wikipedia so that it is not unintentionally / intentionally merged with third party content, yet remain tagged as WMF or as WMF-derived with unclear provenance. This is a technical issue for Big Data provenance, and I'm not doing a good job here of explaining it.--Knowlengr (talk) 12:54, 11 September 2013 (UTC)

Hi Knowlengr. Ok, we will add that language to the summary. As far as the provenance information, this is an interesting idea and one I will pass on to the people within the Foundation who most often deal with disclosure of research data and the terms they are disclosed under. It might be something they consider putting into the terms of particular disclosures, but not really something we would address directly in the privacy policy. Thanks again for the ideas and suggestions! Mpaulson (WMF) (talk) 19:59, 20 September 2013 (UTC)

Je ne me suis jamais créé de compte. On ne m'a jamais obligé à le faire. Mais je dois dire que la pression pour le faire est assez importante (je le déplore). Méfiance exacerbée envers les contributeurs sous IP. Protections non justifiées de trop nombreux articles. Questions fréquentes (pas forcément méchantes, mais parfois si) demandant pourquoi on ne se crée pas de compte. Certains contributeurs refusent de discuter avec des IP. Etc.
Je suis très favorable à la possibilité de contribuer sous IP. Je trouve même que cela pourrait avec profit être rendu obligatoire dans la plupart des cas. D'après ce que j'ai lu des Règles de confidentialité, Wikimédia semble avoir compris l'importance de cette possibilité de contribuer sous IP. Mais il faudrait que cette compréhension ne soit pas restreinte à ces Règles, mais se répande dans la communauté. Dire et répéter que les simples IP sont bienvenus, pas forcément sanctionner (pas besoin de diviser la communauté) mais contredire ceux qui critiquent les Wikipédiens contribuant sous IP qui ne désirent pas s'inscrire, combattre les discriminations dont nous sommes fréquemment victimes (semi-protections de page parfois abusives, absence d'outils de suivi pour les IP, interdiction de participer à certaines discussions (pour les votes, je comprends, mais pour les discussions je ne comprends pas), etc.). Parce que d'un côté on a de beaux discours, mais dans les faits ça ne suit pas toujours :-) 78.251.248.20 01:42, 5 September 2013 (UTC)

I agree this point. --194.79.157.242 07:25, 5 September 2013 (UTC)

Pardonnez-moi, est-ce qu'il est votre proposition que il être rendu obligatoire qu'on peut contribuer seulement sous IP et pas du tout sous compte? Si c'est le cas, pouvez-vous expliquer pour quoi il est meilleur? DRenaud (WMF) (talk) 02:18, 6 September 2013 (UTC)

C'est mon avis, mais je n'en fais pas la proposition, car je ne crois pas qu'elle aurait beaucoup d'appui dans la communauté, et je ne veux pas ennuyer les Wikipédiens avec une idée qui n'est que personnelle :-)

Mais il est vrai que la contribution sous IP a beaucoup d'avantages. Je ne me suis jamais créé de compte sous Wikipédia car je n'en crée nulle part, où que ce soit : Facebook, Twitter, MSN. Pour Wikipédia, j'aurais certes un peu plus confiance, mais bon (n'oublions pas que, les serveurs étant situés aux EU, les lois françaises ou européennes ne s'appliquent pas complètement, et inversement, certaines lois américaines que je n'apprécie pas forcément s'appliquent). De plus, au fil des années, je me suis rendu compte que la contribution sous IP comportait beaucoup d'inconvénients (difficulté du suivi des pages, par exemple) mais aussi des avantages. Je trouve que la contribution sous IP est, par certains côtés, plus proche de l'esprit initial de Wikipédia : chez les IPs, pas de course au plus grand nombre de contributions, pas de clans ni de guéguerres de clans (d'où, certainement, moins de stress), parfois plus de respect entre contributeurs, pas de confiance ni de défiance a priori (parce que, il y a trois ans, nous étions d'accord ou opposés sur une question), etc. Bref, je crois que la contribution sous IP est souvent plus relax, plus sereine. Je la recommande à tous. Pour certaines tâches (travail d'administrateur, par exemple), il n'est peut-être pas possible de rester sous IP. Mais tous, et en premier lieu les administrateurs, devraient reprendre l'habitude de contribuer de temps en temps sous IP, pour vivre les situations du point de vue d'un IP. Parce que, quand la contribution en tant qu'utilisateur enregistré n'est pas nécessaire (travail d'administrateur, par exemple), quel est l'intérêt de se connecter à son compte ? 78.251.253.2 12:17, 6 September 2013 (UTC)

Thank you for taking the time to share your viewpoint. This issue is certainly one that warrants more discussion by the community at large. Mpaulson (WMF) (talk) 02:43, 6 September 2013 (UTC)

Bonjour. Je pense qu'il faut une politique de confidentialité mais qu'il ne faut pas que n'importe qui puisse changer les pages de wikipédia. Comme le dit le titre plus bas, je pense que les comptes anonymes peuvent être un fléau de wikipédia, bien qu'une fois inscrits dans la durée, la construction, les redactions postives soient de mises pour la plupart.--Zavatter (talk) 14:31, 8 September 2013 (UTC)

Edit privileges without logging in

I have to say I am not in favor of this. Wikimedia needs to be able to be a reputable site for information. If anyone can change anything at any time, it can loose that credibility.

Comment on above statement - I don't know who wrote the above, but I tend to agree with it. I read the whole privacy policy and think it was thoroughly thought out and like it. However, once in the past I wrote on one forum that I had reservations about allowing edits when the writer was not logged on. My argument was poorly received but I will say it again. Several times I have run into persons who wanted to make inappropriate edits or deletions of valid material. Many of these were done without the person having logging on, which can make it immensely difficult to track down the responsible individual (they can use any public or office computer to remain anonymous). I must note that most persons who edit outside of accounts make productive edits, while persons who work from registered accounts can make disruptive or vandalizing edits. In the latter case, however, there is always the possibility of using sanctions against the registered user.Wpollard (talk) 12:19, 5 September 2013 (UTC)

What you are asking for is something that just entirely goes outside of the wiki philosophy. The goal of the foundation isn't to be a reputable site for information. That's what peer-reviewed, formally published content in the academia is for. -129.107.225.212 17:12, 5 September 2013 (UTC)

Il y a aussi des possibilités de sanction pour les IPs : il suffit de la bloquer ! Et je ferais remarquer que les plus gros problèmes relationnels entre Wikipédiens ne sont pas le fait d'IPs mais d'utilisateurs inscrits. Certains utilisateurs inscrits croient avoir une réputation à défendre, font preuve d'arrogance, d'impolitesse, d'indélicatesse, d'acharnement contre d'autres utilisateurs, etc. C'est beaucoup moins voire pas du tout le cas avec les IPs, qui eux n'ont pas de stupide réputation à défendre 78.251.243.204 18:41, 5 September 2013 (UTC)

In the end I don't think this is a very good place to have this particular discussion. While it's in the privacy policy ( because the policy needs to be descriptive of what is actually happening) but this is an incredibly long standing and core piece of the projects. If it wants to change it's going to need to be a very large (and likely controversial) discussion of its own. Jalexander (talk) 01:12, 6 September 2013 (UTC)

• Summarizing a comment we received via email: The individual was concerned about the use of IPs to track authors because they don't reliably track user identities anyway and that one person's profile (edits) may be inappropriately construed to be another persons because of ISPs changing their IPs. He believes that it would be best to force everyone to login to edit to work around this issue. ( in responding to him and saying that I made this post I did let him know that this isn't a 'new' change which is what he thought but a continuation of an old policy). Jalexander (talk) 01:53, 11 September 2013 (UTC)
• We also have 2 other emails which were less specific but also focusing on the removal of the ability to have logged out edits to assist with vandalism. Jalexander (talk) 03:26, 11 September 2013 (UTC)

Anonymous editors are the bane of the Wikipedia

And quite a lot of subject-experts think so. This isn't news to anybody though. Evertype (talk) 17:57, 6 September 2013 (UTC)

Hi. Which part of the privacy policy do you want to be changed? Do you want anonymous editing to be disabled? (See the perennial proposals page on enwiki.) Also, what subject-experts are you referring to? Can you cite some experiment, or journal, or something else saying so? Thank you! PiRSquared17 (talk) 19:24, 6 September 2013 (UTC)

Considering how you used an account to type that up, the statement is quite ironic

Closing for now as it seems this discussion has played out without much of a place to go on this page. Archiving in 24-48 hours unless reopened. Jalexander (talk) 03:24, 10 September 2013 (UTC)

Reopening this myself for now because of some comments via email, posted above under 'Edit privileges without logging in' Jalexander (talk) 03:26, 11 September 2013 (UTC)

There's currently a mix of straight versus curly apostrophes in the policy. For example, there are four instances of don't and three instances of don’t. In total there are a bit over a dozen total instances of each style. The final document should have consistent usage. I would recommend (strongly) straight apostrophes over the curly ones. (See en:MOS:QUOTEMARKS for reasons.) It really aids text-based searching; for example, I was grammar checking the policy for "your" vs "you're" mistakes and found no instances of you're because the lone instance is typed you’re. Had I not considered also searching for you’re I would have missed it. The policy also uses curly double quotes, which I'd also convert to straight quotes. As a side-treat, this will trim the document length by one byte for each change. In general, I've noticed the WMF tends to use curly quotes a lot in its announcements. I have no idea why. Jason Quinn (talk) 04:23, 9 September 2013 (UTC)

Hi Jason. You have a great editor's eye. I will ask James to convert everything to straight quotes (unless I hear any significant objection from anyone). Many thanks. Geoffbrigham (talk) 11:56, 9 September 2013 (UTC)

The only objection I could think of is that curly quotes are prettier and more typographically “correct.” In fact, it has always bugged me that Wikimedia pages have straight quotes. Can’t the software automatically curlify the quotes, like what happens with many Markdown-based blogging engines? I think whether a search finds a curly when you search for a straight is up to the browser or rendering engine, isn’t it? For example, Safari 6 for Mac finds the curly quotes in this post when I type a straight quote into the search box.--ZevEisenberg (talk) 19:22, 12 September 2013 (UTC)

I would generally agree but sadly it's also clear that most of the browsers don't find it :( and so we have to work within that restriction some. Jalexander (talk) 00:20, 19 September 2013 (UTC)

hi, a silly (and really niche) question: certain Wikimedia and project functionaries, such as stewards, checkusers, ombudspeople, oversighters have to disclose their identity as well as provide scanned IDs. it is my understanding that this falls under the privacy policy of the WMF as well, but I can't pin it down to any specific paragraph. Scanned IDs are not mentioned on the list of types of data that the WMF may collect at all. Pundit (talk) 07:32, 8 September 2013 (UTC)

Hi Pundit, I think we've generally just kept specific pieces about it completely within the Access to nonpublic data policy (being the old one, with a new draft under discussion under it's new name Access to nonpublic information policy along with a separate confidentiality agreement) but I'll see if they think we need something specific in this policy as well. What are your thoughts? Jalexander (talk) 08:21, 8 September 2013 (UTC)

Thanks. I don't have any specific thoughts, I just think it is good to keep those niche cases in mind, and as I have not found this case specifically addressed, I thought that maybe it should be. Deferring to access to nonpublic information policy is one option, too, definitely - maybe even less confusing for casual users. Pundit (talk) 09:50, 8 September 2013 (UTC)

One more thought: it is unclear who within the WMF is authorized to have access to this most sensitive information (scanned IDs), how is it kept and protected, and what happens to it when a given user resigns/gets demoted from a function (I would imagine that the WMF should be given a right to keep the scanned IDs for a certain time for accountability reasons, but not longer). Pundit (talk) 09:54, 8 September 2013 (UTC)

These are excellent questions. We currently do not keep IDs of those who have access to nonpublic information, though our draft privacy policy would require that. We have an internal WMF policy on how to maintain these records when we do keep them, and I set it out below for your review. I'm open to any suggestions about how to improve this policy. Thanks again. Geoffbrigham (talk) 12:25, 9 September 2013 (UTC)

Many thanks, this is exactly what I had in mind and it is great to see that it is already in place :) Of course some explicit limitations to data retention would be nice to have (I don't know to what extent you'd be willing to put a fixed amount of time that the data is kept, with exceptions authorized by someone specific at senior level). Pundit (talk) 16:15, 11 September 2013 (UTC)

Wikimedia Foundation - Internal Policy

Purpose

The Wikimedia Foundation (“WMF”) may sometimes need to collect copies of identification documents (“IDs”) from community members pursuant to established policies of WMF or the community. Examples where community members may need to identify themselves include the following:

• Candidates for the WMF Board of Trustees
• Candidates for the Funds Dissemination Committee
• Recipients of WMF grants
• Representatives and agents of user groups and thematic organizations
• Community members with access to nonpublic user data information [GRB Note: we are currently not keeping such IDs on file.]

This internal policy summarizes the approach to be taken by WMF employees and contractors when handling and storing such community member IDs. The required ID depends on the criteria of the particular policy or practice, but may include copies of passports, driver’s licenses, and other government-issued documents showing real name and age.

Collection, Storage, and Access

Copies of IDs provided to WMF by community members will be kept confidential, consistent with any applicable requirements of the WMF privacy policy. Physical copies of IDs will be kept in locked cabinets designated for this purpose. Electronic copies of IDs will be protected by passwords or other electronic protections in files designated for this purpose.

Access to IDs will be limited to a “need to know” protocol determined by the program administrator. Usually that means only the principal administrators of a program will have access to those IDs. WMF will not share the IDs with outside third parties, unless required by law, covered by a non-disclosure agreement approved by Legal, or necessary to protect the rights, property, or safety of WMF and its employees and contractors.

Destruction

IDs will be kept as long as necessary to satisfy the need of the applicable policy and practice requiring the IDs. Such IDs will be destroyed as soon as the need for the ID has expired. Depending on the program, some IDs may need to be retained for a period of time for legal and financial purposes beyond the immediate purpose of the policy and practice. For example, IDs may need to be retained after the life of a grant to prove expenditure responsibility to government officials in the case of an audit. Check with Legal and Finance for any legal or finance record retention requirements.

V.1.1 (2013-03-14)

Maybe hide it as default or move to the bottom? There is nothing here that would be surprising or interesting for normal person and on encountering it half people will stop reading this document Bulwersator (talk) 07:10, 4 September 2013 (UTC)

Hi Bulwersator! Thank you for your suggestion! Hiding this section as a default is certainly an option if it seems that the majority of people already know this information, but moving it to the bottom probably wouldn't make organizational sense. What do other people think? Did the "A Little Background" section provide you with information you didn't already know? Should it remain as is or be changed to default hidden? Mpaulson (WMF) (talk) 18:42, 4 September 2013 (UTC)

Agree with Bulwersator. As it is "Privacy policy", it should deal directly with the standing privacy policy. Additional information is additional information. Nuts and bolts, please. --Iryna Harpy (talk) 03:57, 8 September 2013 (UTC)

Hi Iryna Harpy! Thank you for your input. I will continue to monitor this thread to see if there is a lot of support to change this section's default to hidden. Mpaulson (WMF) (talk) 20:37, 9 September 2013 (UTC)

Why this terminology? I'd appreciate consistency. Terms of use talks of Projects and Wikimedia Projects. --Nemo 21:08, 4 September 2013 (UTC)

+1. Theo10011 (talk) 21:22, 4 September 2013 (UTC)

Isn't is the case that WMF runs sites that are subject to the privacy policy but aren't projects? If so (the blog springs to mind), the current broader language seems me the better fit, best regards --Jan (WMF) (talk) 08:28, 5 September 2013 (UTC)

Actually that might be a distinction worth noting. Does this policy cover things like the blog or labs? I seem to recall the blog using third party software, instead of mediawiki, and labs having similar issues with deployed analytic, and users having access to other user's info. I assumed those 2 things meant this privacy policy probably won't cover those and only the projects. Anyway, it just sounds clunky, a better terminology must exist for this. Theo10011 (talk) 10:15, 5 September 2013 (UTC)

I appreciate this discussion. The definition of "Wikimedia Sites" is probably a bit broader than the projects. Specifically in the Introduction of the policy we have a list of definitions. "Wikimedia Sites" is defined as:

Wikimedia Sites and services (regardless of language), including our main projects, such as Wikipedia and Wikimedia Commons, as well as mobile applications, APIs, emails, and notifications; excluding, however, sites and services listed in the “What This Privacy Policy Doesn’t Cover” section below.

My thinking is that a casual reader of Wikipedia - to whom this privacy policy applies - may not understand what a "project" is naturally, but will understand what a "site" is. I can see good arguments either way, however, on correct wording. Geoffbrigham (talk) 14:37, 5 September 2013 (UTC)

I don't care much about the name you choose but I don't like inconsistency with the terms of use, so whatever choice you make please be consistent.

On the definition proposed and the casual reader, using common words doesn't necessarily make something more understandable, especially if you use them in uncommon ways. Applications are not sites. The WebAPI lives on the projects' domains. "Emails and notifications" is too broad and might mean anything; the important ones are those generated by MediaWiki i.e. included in the "Wikimedia projects" category. Finally, which of the hundreds of non-project domains (and this is only the wikimedia.org subdomains) fall under the definition of "Wikimedia Site" per the privacy policy? It's probably easier to use a specific, narrow term and definition to then add instances to it on a case by case basis, rather than use super-broad language and then be forced to endless lists of exceptions. --Nemo 10:44, 7 September 2013 (UTC)

This is intended to be broader than "Projects" in the ToU. We want the default to be that everything is covered, because that is a common legal standard for privacy policies, and because we want the things that are not covered to be deliberate and thoughtful choices, rather than "someone forgot to add this to the list".

That said, "Wikimedia Sites" should not be used in its own definition - we'll switch to "Wikimedia websites" within the definition. - LVilla (WMF) (talk) 23:35, 11 September 2013 (UTC)

Yes, I got that you want to be broader. You still failed to answer my question about which websites fall under the definition. Opting in to the privacy policy is not hard for a new domain, a link or a one line "the general privacy policy applies to this X" is enough. What's more risky is forgetting to add one of the hundreds of domains to the list of exceptions. Or, even worse, adding KB and KB of text to list exceptions as you currently do (with a questionable comprehensiveness anyway). --Nemo 06:56, 12 September 2013 (UTC)

I said that everything is covered. If you mean to ask what sites fall outside of the policy, that's a case-by-case thing, depending on the purpose of the specific site.

With regards to the risk of forgetting to add things to the list of exceptions, it is important to be clear: there is no risk if we forget to add something to the list of exceptions. If the site is supposed to be exception, it will have its own privacy policy, which will clearly state that it is covered by the alternate policy. In contrast, if we make the list an "opt-in" list, sites that forget to be opted in will not specifically be covered by any policy - which will be confusing and potentially problematic. -LVilla (WMF) (talk) 21:51, 17 September 2013 (UTC)

Ok. So, e.g. status.wikimedia.org is supposed to be covered by this proposed policy. Can you explain what this means, if and how it is or can be put in compliance? Also, if having a separate privacy policy is enough to opt-out, can you please remove the walls of text relating to exclusions e.g. for Wikimedia Labs? It would be a first step in reducing the explosion in size of the text. --Nemo 22:10, 17 September 2013 (UTC)

This puts the onus on the team that setup status.wikimedia.org to figure out compliance. It might be opting out (by writing a new privacy policy), it might be negotiating with the provider to comply with our terms, it might be shutting down the service. Obviously LCA will work with those teams to make all this happen, of course. And yes, there are a number of WMF-hosted sites that might be affected. This will result in some work, but it is better to begin making those consistent than simply leaving them not covered.

We'll think about how to better contextualize (and maybe shorten if we can) the list of exceptions, since obviously it is creating some confusion. -LVilla (WMF) (talk) 00:32, 18 September 2013 (UTC)

With regard to the inconsistency between use of the term "projects" in the TOU and the term "sites" in the privacy policy draft, we will change the TOU the next time we update it such that it also uses the broader term of "sites". Mpaulson (WMF) (talk) 22:11, 1 November 2013 (UTC)

I've looked at this some more, and I don't see a good way to reorganize or shorten the exception list. If someone wants propose specific edits, though, feel free, and we'll take a look. Otherwise, I think this topic can be closed.-LVilla (WMF) (talk) 22:30, 6 November 2013 (UTC)

Yes, I have a specific edit proposal: remove text from "For the sake of clarity" to "in which they use the CheckUser Tool"; remove from "The methods of collection and practices of third parties" to "so we can investigate further". --Nemo 22:47, 6 November 2013 (UTC)

That's not a simplification/reorganization, that's a removal of about 80% of it, including important notice to people about the variety of third parties who have access (like checkusers, labs users, etc.). Serious proposals (such as one that made the same edits, but proposed how else users would be notified about this) still welcome. -LVilla (WMF) (talk) 01:02, 7 November 2013 (UTC)

My proposal is serious. The "important notice" you mention would not be missing as you state, because it's already included in the section "To Protect You, Ourselves, and Others"; which also shows how it's false (or contradictory) that they are not covered by the policy. --Nemo 09:47, 8 November 2013 (UTC)

Instead of providing glossaries, can't you just use a single term? --Nemo 21:10, 4 September 2013 (UTC)

Hi Nemo! There are different reasons for using these various terms to describe the Wikimedia Foundation. We say "the Wikimedia Foundation" because it's our official name and depending on the sentence, formality or use of the full name is appropriate. However, we recognize that it's a rather long name and something that we frequently have to reference. Saying "the Wikimedia Foundation" every time we refer to the Wikimedia Foundation would have made the policy even longer...something we wanted to avoid, so we sometimes used "WMF" or simply "the Foundation" instead. As for "we", "us", and "our", we believed that informal terms would help improve readability and flow. For the avoidance of doubt, we added it to the Glossary to make it clear that these terms all refer to the Wikimedia Foundation. Hope that helps explain why we drafted as we did. Mpaulson (WMF) (talk) 00:08, 6 September 2013 (UTC)

Hello. Thanks for caring about the length of the document! A nice aim would be to reduce it by about 66 %, to stay more or less at the same level as the current one.

As for the specific case, avoiding the use of "WMF" and "the Foundation" would increase the byte count of the document by 0.10 %, if my math is correct. On "we", "us" and "our", either the definition is wrong or there is something wrong in what you said at #Exclusion of on-wiki actions from privacy policy, because in your interpretation "we" seems to include something more than the incorporated entity called the Wikimedia Foundation, Inc. (If that's the case, you may want to distinguish between the normal English "we" and the "WE" referring to the definition in question. That's one of the rare occasions where capitals serve some useful purpose, unlike the Title Case invading the text. If used in stead of “the Wikimedia Foundation” / “the Foundation” / “WMF”, it would also reduce byte length by 0.73 %!) --Nemo 19:10, 6 September 2013 (UTC)

I'm a little unclear about what you mean when you say that "we" seems to include more than WMF at #Exclusion of on-wiki actions from privacy policy. Could you specify? I think I only used "we" in "so we can investigate further" and in that instance, I did mean WMF only. Emailing privacy@ would trigger an investigation of the reported situation by WMF, not community members. But alerting WMF is only one way to handle a third-party data collection tool that violates the terms of the privacy policy. Community members can also remove the tool in question themselves if they believe the tool violates the privacy policy.

That said, I'd like to have "we" always mean WMF, without having to capitalize it as "We" as that tends to impact readability negatively, so if there is a place where I have used "we" incorrectly, I'd like to change it. Hopefully, the edited language I proposed in that discussion cleared that discrepancy up. But if it doesn't, let me know. Mpaulson (WMF) (talk) 01:15, 12 September 2013 (UTC)

Sorry for being unclear. I'll try to explain myself better but it would be easier if you first replied to my proposal in the section below, otherwise I have to multiply explanations/hypotheses. --Nemo 15:03, 27 September 2013 (UTC)

Ok, in that case, I will have James close this subsection out and continue this discussion below as you suggested. Mpaulson (WMF) (talk) 00:34, 28 September 2013 (UTC)

What is this thing or things the text talks about? Never heard of profiles on our wikis. --Nemo 21:19, 4 September 2013 (UTC)

Hi Nemo! This refers to information on your user page. We used the terms like "user profile" to be more accessible to casual users who may not be as familiar with the term "user page". However, I do believe that this phrase should be consistent within this document. Thank you for pointing out that it's called "account profile" in one place. We will get that changed. Mpaulson (WMF) (talk) 23:25, 5 September 2013 (UTC)

Actually, +1 on all 3. Consistency is very important in vetted documents like these that will be around for a long while. Theo10011 (talk) 21:25, 4 September 2013 (UTC)

Closing this up since no more responses in the past week or so. Will archive in 24-48 hours unless reopened with additional questions/responses. Jalexander (talk) 00:29, 26 September 2013 (UTC) .

This isn't anywhere near being closed, we're waiting for the answers/redrafts per above. --Nemo 14:16, 27 September 2013 (UTC)

My reading of this is that everything has been answered (I know that you don't agree with it all but that a decision had been made)... the only change I see that was to be done was the change to a consistent 'user profile' which I think has been done. Are there any unanswered proposals for changes that I'm missing? Jalexander--WMF 19:07, 30 September 2013 (UTC)

Yes. --Nemo 22:48, 6 November 2013 (UTC)

If that is so I would appreciate if you point them out to me so that I can try and point the legal team towards them. I may well be missing something but I am, currently, not seeing them. Jalexander--WMF 00:35, 7 November 2013 (UTC)

It's just been rejected above. Of course only unsubstantial edits not changing anything of the proposal are accepted. I see our only hope is to reject it entirely. Glad to know. --Nemo 09:47, 8 November 2013 (UTC)

Closing off bottom two sections as stale. Top still open given recent response. Jalexander--WMF 22:18, 6 November 2013 (UTC) Reopening for now give above. Jalexander--WMF 00:35, 7 November 2013 (UTC) I'm able to reopen the correct sections myself. --Nemo 09:47, 8 November 2013 (UTC)

Makes no sense, please kill. --Nemo 21:21, 4 September 2013 (UTC)

What about that makes no sense? It seems straightforward to me. Registration data, and demographic data about yourself. Philippe (WMF) (talk) 21:26, 4 September 2013 (UTC)

So you're saying that the users can delete registration data? Please tell me how. Is it a new feature that will be developed? --Nemo 21:32, 4 September 2013 (UTC)

I'm actually curious what demographic data is and where it is extracted from. There is no demographic data as far as I know besides gender info in the preference options, and even that isn't disclosed half the times. Also, did we add an option to disclose age at some point or is there more analytic data being extracted from elsewhere besides the preference option? Maybe I missed something. Theo10011 (talk) 21:34, 4 September 2013 (UTC)

Gender preference is not demographic data, it's grammatical information. --Nemo 21:44, 4 September 2013 (UTC)

I thought so too. But "we may ask you for more demographic information about yourself, such as gender or age." - seems to imply not. What exactly is the demographic data here then? Theo10011 (talk) 21:46, 4 September 2013 (UTC)

Gender preference certainly is grammatical information as well but there is no getting away from the fact that it is also demographic data (and that people don't always like it being known for varied reasons). Jalexander (talk) 21:56, 4 September 2013 (UTC)

James, is that all the demographic data is that is being referred to? I actually would like a clearer explanation if that kind of info is only pulled from the preference options or somewhere else and what other kind of info is there? Thanks. Theo10011 (talk) 22:00, 4 September 2013 (UTC)

Thanks Theo, I'll find someone who can give a more through answer. Jalexander (talk) 07:02, 5 September 2013 (UTC)

Currently, we collect information about gender for grammatical purposes, but it is still demographic information, even if we don’t use it that way. Language is another example of something that we collect right now for technical purposes, but is sometimes considered demographic information.

Gender and language aside, we don’t generally collect demographic information (though see Jeremyb's comment below for an example of specific, non-general demographic information collection). But we’re trying to build a policy that can grow with us in the future and allows us to better understand who contributes to our community and our mission. That’s why we put this in - not to cover something we do now, but to cover things we might do in the future. - LVilla (WMF) 02:18, 7 September 2013 (UTC)

Yes. This is not something we might ever want to do. Registration must require only necessary data, not demographic information. --Nemo 08:55, 8 September 2013 (UTC)

Research:Gender micro-survey seems relevant, and is definitely demographic and not related to grammar. --Jeremyb (talk) 20:58, 6 September 2013 (UTC)

That's not about registration. --Nemo 00:30, 7 September 2013 (UTC)

The policy doesn't say anything about demographic information being tied to or required for registration, other than the section heading. Can you point me to what language you find confusing/problematic? -LVilla (WMF) (talk) 21:56, 17 September 2013 (UTC)

Yeah, the header and the two preceding paragraphs... If the demographic information you are talking about is not related to accounts and registration (which would be good, because there is no reason to associate demographic information as such to accounts, nor to ask it on registration), then you definitely need to move it elsewhere or to clarify it's unrelated to what said a sentence before. --Nemo 22:06, 17 September 2013 (UTC)

Accounts and registration are related, but separate, concepts. You can have information tied to an account without requiring it at registration, like we do with the current gender field. -LVilla (WMF) (talk) 00:36, 18 September 2013 (UTC)

Sure. And what I'm saying is that we don't need to associate to accounts information of demographics nature in itself in general, so in particular we don't need to request it on registration. The gender option is not mainly of demographic nature, though one can infer information of demographic nature from it (just like I can infer the country of residence from the timezone options... but they are not demographics information). So this section is unnecessary and counterproductive. Remove it or replace it with something saying we never ask for demographics information per se, but at most options required by specific software features which might happen to have demographics correlations. --Nemo 07:08, 19 September 2013 (UTC)

The policy quite specifically says:

"If you want to create a standard account, we do not require you to submit any personal information to do so. Really. No name, no email address, no date of birth, no credit card information, nothing. Just a username that you make up and a password."

Nothing in the section we are discussing contradicts that, or implies a contradiction. So, as the policy already says, we will not require demographic information on registration. There is no need to repeat that in this section.

We may, of course, still request demographic information, in a variety of manners and for a variety of reasons. If we collect it to help software function, it is still demographic information. The purpose it is collected for does not change that. We may also collect it for other purposes. That is why this section is necessary and informative.

I understand you disagree, but at this point I see no reason to change the section. -LVilla (WMF) (talk) 01:02, 26 September 2013 (UTC)

You're right. So it's enough to remove it entirely. The only added value which would then be missing is "We will tell you if such information is intended to be public or private", a sentence which can easily follow "we do not require you to submit any personal information" with some minor adjustment, anticipating the following 5 wrap-up sentences of that first paragraph. --Nemo 14:36, 27 September 2013 (UTC)

We want to make it explicit that we can optionally request demographic information. If you have a better proposal for how to do that, great, but you have not made it yet. We will not simply remove it unless it is replaced elsewhere. -LVilla (WMF) (talk) 16:24, 30 September 2013 (UTC)

The "user-friendly summary" is not readable on my mobile because it is in a fixed width box; I can read the rest of the draft policy OK. PamD (talk) 06:53, 5 September 2013 (UTC)

Thanks Pam, we noticed the same thing yesterday (and while you can read the rest it isn't great on many phones as well) we're talking to some of our mobile team on some good ways to make it work better. Jalexander (talk) 07:42, 5 September 2013 (UTC)

I find the argument that changes are needed with regards to the privacy policy unconvincing. The specific modifications that were suggested would deprive Wikipedia from what it is most renowned for: a free Internet. Let me make my case.

1. The Wikimedia Foundation argues that changes are needed to "update" the privacy policy of 2008. The Wikimedia Foundation is in my eyes the wrong actor to call for these changes to the privacy policy. Such an initiative can only be taken – if it is to be legitimate – by the users of Wikipedia. If those users are not interested in a discussion, or any change to the privacy policy, i.e. if they don't care about it or if only an insignificant number of them cares about it, any change incited by the Wikimedia Foundation is illegitimate for it breaches with the idea that Wikipedia is a user-generated, bottom-up, collaborative project. If changes to the privacy policy would occur, Wikipedia would lose its status as a bottom-up, user-driven project and become one of those same old leadership-projects where some rule over others.

2. Not only is the wrong actor suggesting these changes (cf 1.). What has been suggested makes little sense. The meaning of the modifications proposed by the Wikimedia Foundation lie in their increase of data-gathering capacity. Recent (NSA; GCHQ) as well as long-term developments (decrease of social and economic human rights since 2001) suggest that the more data is gathered, the more it is used by those in power to control, surveil and repress common people. This has become clear recently as the documents leaked by Ed Snowden are evidence that Orwellian mass-surveillance and control are excessively used against what are considered to be both foreign as well as domestic enemies. This is becoming increasingly clear if we look at developments that are more long-term. Since 2001, the U.S. lead the discourse on "The War on Terror" which has led to what political philosopher Giorgio Agamben calls "The State of Exception". What does he mean? He means that sovereign power is increasingly used in blatant contradiction to ethics, i.e. written and unwritten law. In the field of international conflict, we see that happening in Guantanamo. In the field of personal liberties, we witness a state of exception as well as governments justify the invasion of the private sphere, the exploitation of all sorts of data with "national security interests". It becomes evident that the major westerns states themselves pose a threat to the security of most people. The Wikimedia Foundation's proposal to change privacy policy in a way that requires its users to give more data has to be seen in this context: it aids those who want to surveil and control populations by creating data that is not necessary to collect. If Wikipedia is to remain a symbol of a free internet, where people are not tracked down, surveiled, controled or mapped constantly, the privacy policy cannot be accepted.

If Wikipedia is to continue to be a symbol for a free internet, for one that makes knowledge accessible and negotiable across the world, if Wikipedia is to embody the single most impressive collective effort of humanity to understand the world, it cannot chose a path that leads us towards an old principle of leadership that has caused too much trouble already, and it cannot lead us astray from humanity's everlasting task of emancipation:

that we become more fully human, more fully free, and less controlled, less surveilled and less mapped. — The preceding unsigned comment was added by 78.53.120.152 (talk) 11:25, 7 September 2013 (UTC)

Why "should" we apply a heavily Schmittian basic design? Derrida, for example, developed a quite coherent alternative route, in The Beast and the Sovereign, in tackling the same issue and is heavily at odds with Agamben (granted: Derrida directly addresses Homo Sacer and not the later stages of camp logic developments spelled out by the Italian). Regards, --Jan eissfeldt (talk) 16:02, 7 September 2013 (UTC)

"We." (sic), 78.53.120.152? Hmm, Jan eissfeldt, I suspect that the moral of this diatribe is that one should never put all one's signifiers in one basket lest they turn one's cortex into an omelette. --Iryna Harpy (talk) 00:30, 13 September 2013 (UTC)

Perhaps, but I think you are right this section should be put to rest for the time being based on the insufficient state of the argument the IP outlined. Best, --Jan eissfeldt (talk) 11:28, 6 October 2013 (UTC)

I've only just now read Homo sacer, but I seriously doubt it's "heavily Schmittian"; it sounds like Schmitt but mainly is a bridge between Arendt and Foucault, I suspect one could say? Anyway, the point of the IP is obviously that the nuda vita/zoḗ needs not further exposure, simplistically said; we may be bored by the argument but at least it was brought up in a more original way than usual ;-) --Nemo 21:04, 6 October 2013 (UTC)

I believe that it has to be clear in the user-friendly summary that "Wikimedia will give any user-related data if it receives a sub-poena from the authorities" (or a slightly longer text giving a more accurate description). --FocalPoint (talk) 15:28, 7 September 2013 (UTC)

I see what you mean. How about something like this as a rough idea:

We may disclose information for different purposes, such as compliance with valid legal demands; protection of you, WMF, or others; or inclusion of service providers who help run or improve Wikimedia Sites.

I may want to wordsmith and reduce a bit more, but this is the basic idea. Interested in your thoughts. Thanks. Geoffbrigham (talk) 16:24, 7 September 2013 (UTC)

Actually, if the aim is to simplify the explanation, I'd suggest that it would be desirable to elaborate a little more as your rewrite is still tending towards being overly abstract. At least qualify "valid legal demands" with a couple of instances, i.e. subpoena from the authorities (what constitutes an 'authority'? US local laws? US federal laws? Laws you need to be aware of in your own country if you live outside of the US?). It still smacks of legalese vagueness which, I gather, is what you're trying to avoid. Cheers! --Iryna Harpy (talk) 01:38, 10 September 2013 (UTC)

I fully understand that the text has to have legal terms in order to embrace all circumstances, but I agree with Iryna Harpy: Give a couple of examples: We may disclose information for different purposes, such as compliance with valid legal demands (i.e. subpoena from US authorities); protection of you, WMF, or others; or inclusion of service providers who help run or improve Wikimedia Sites.

Thanks for the proposal. One thought ... We don't comply with all subpoenas from U.S. authorities. Indeed, we will push back aggressively if we find the subpoena too broad, not legally compliant with U.S. warrant laws, or issued from the wrong authority within the U.S. How about something like this: "such as compliance with valid legal demands (such as enforceable civil or criminal U.S. subpoenas) . . . . "? My only possible reservation about providing examples is that it makes the bullet point a bit too long for the user-friendly summary. Geoffbrigham (talk) 10:19, 17 September 2013 (UTC)

I do note that the user friendly summary does link directly to the provision on subpoenas, so maybe not so much detail is necessary in that summary ("Only sharing your information in limited circumstances, such as . . . to comply with the law . . . ."). Geoffbrigham (talk) 21:34, 30 September 2013 (UTC)

The section:

Information you provide us or information we collect from you that could be used to personally identify you. 
To be clear, while we do not necessarily collect all of the following types of information, we consider the 
following to be personal information if it can be used to identify you:

   your real name, date of birth, gender, sexual orientation, racial or ethnic origins, medical conditions or disabilities;
   address, phone number, email address, password, identification number on government-issued ID, IP address, credit card number;
   political affiliation, religion; and

Conflates two very different issues, data that could be used to identify people, and data that most people would consider should be kept private - "sensitive" data in European parlance. I suggest that this needs rethinking and separating out. We also need to differentiate between information disclosed, disclosed and redacted, imputed or alleged. The community has longstanding policies that impinge on this, and people have been banned for breaches of it. I would suggest that you need a section on information that could be used to identify, and that section needs to also include info on school or place of work. We also need to link to our child protection policies here, we allow adults to supply contact information but for obvious reasons oversight it when supplied by children. For example a University Professor is very welcome to link their userpage to the academic bio and vice versa, but we would not allow a minor to do that.

The section on "sensitive" data needs to say something along the lines of:

We understand that certain types of data can be more "personal" than others. We will only connect these types of data and store that 
with a link to identifiable people when we have a clear and pressing need, such as to supply appropriate food at an event. Where 
practical we will anonymise this data.

WereSpielChequers (talk) 17:39, 7 September 2013 (UTC)

Hi WereSpielChequers! Thank you for this thoughtful suggestion. We are familiar with the distinction between regular PII and "sensitive" information in EU parlance, but drafted the way we did mostly because we consider both categories of information to be "personal information" if it can be used to identify you and therefore subject to greater protections under this privacy policy draft. However, your suggestion is an interesting one. We will mull over how separating these categories of information could impact the draft in the next couple of days and get back to you, probably on Wednesday. Mpaulson (WMF) (talk) 00:40, 10 September 2013 (UTC)

Hi, Mpaulson, Wednesday which week? WereSpielChequers (talk) 12:47, 23 September 2013 (UTC)

Hi WereSpielChequers. Please accept my sincere apologies. I didn't realize that this didn't get answered in accordance with the timeline that I had set forth. We've worked out a possible solution to address this issue in the policy draft that LVilla has come up with and will explain shortly. Again, sorry for the delay! Mpaulson (WMF) (talk) 18:07, 24 September 2013 (UTC)

Sorry about that, WereSpielChequers! Like Michelle said, I think your question is thoughtful and useful; it took us a bit to think through it. Two parts to this answer:

First, after some thought, I don't think it is necessary to actually split out sensitive and personal information into different definitions. I think we can achieve the same effect more efficiently and clearly by making the following changes (emphasized) to the definition of "personal information":

Personal information: Information you provide us or information

we collect from you that could be used to personally identify

you, or that may be sensitive when it is tied to personally

identifying information. To be clear, while we do not

necessarily collect all of the following types of information,

we consider the following to be personal information if it can

be used to identify you or is otherwise tied to your personal

identity:

...

Information like political affiliation or racial information

(sometimes called "sensitive information") is not personal

information when it has been anonymized or aggregated so

that it cannot be tied back to you.

I think once these changes are made no changes are necessary to the rest of the policy, since (without using the term) it already requires aggregating or anonymizing sensitive data in "To Understand and Experiment" and "How Long Do We Keep Your Data". Please let us know what you think.

On the other issues (about conflicting with other policies): we do not intend for this to prevent other policies (created by either the community or the Foundation) that are more protective than what is laid out here. This only lays out the minimum level of protection. For example, if communities wish to be more aggressive in oversighting certain types of sensitive material, this policy should not prohibit that. If there are specific community policies that you think actually would conflict with this policy, then please bring them to our attention and we will try to understand the conflict and make any necessary changes.

Thanks again for this useful comment! -LVilla (WMF) (talk) 22:43, 24 September 2013 (UTC)

Thanks LVilla, I think that works, the scenario that I'm assuming will be most common will include things like people disclosing health and or religious info. We have had a few incidents of people disclosing health info and subsequently identifying themselves publicly. We've even had incidents where the community has required that people disclose a former account when doing so linked sensitive data to identifying data. Do you think this covers that? My preference would be that we adopt a rule that where people have multiple accounts and linking them would result in linking identifying data with sensitive data we specify that arbcom or similar bodies can require that individuals retire one or more accounts, and even that individuals can be forced to choose between not standing for positions of trust within the community and disclosing recent accounts that would link personal and sensitive data, but not that editors be required to disclose accounts that they've long discontinued. WereSpielChequers (talk) 20:01, 8 October 2013 (UTC)

This definitely doesn't prohibit adopting such a policy at the community level. -LVilla (WMF) (talk) 22:43, 6 November 2013 (UTC)

There is one area where identity and personal data is essential. It is imposible to give anonymous license permission if the identity cannot be verified. For example if an artist gives permission for his work to published/used in the commons, or his descendants. It is not posible to upload files in the commons without registering. Some explicit clarification would be usefull.212.61.237.163 09:32, 8 September 2013 (UTC)

Hi Anonymous! That's a great point. We will add clarifying language to the registration section accordingly. Thank you so much! Mpaulson (WMF) (talk) 00:51, 10 September 2013 (UTC)

I hoped that eventually Wikimedia would think of some way to keep user IP addresses private. Yes, they can register an account - but there's a high chance that one would accidentally make an edit while logged out. And it's very easy for that edit to reveal the editor's username.

Publicly displaying user IP addresses isn't necessary. There are other ways to accomplish what this mechanic does: for instance, the IP addresses of editing users could be replaced by a random ID assigned to each address. Same end result, but then actual IPs remain visible to admins only, for the rest it's just an ID. There is nothing at all a regular user would need to know another's IP for.

I don't know if it's difficult to do, but for any update to privacy policy, I would consider that change essential. Not much has been improved in terms of actual privacy, so it's just more detail on the same thing. I guess there's no harm, but neither is there a gain.

CP\M (talk) 21:26, 8 September 2013 (UTC)

It appears to be doable from a technical perspective - the question is how desirable. I personally agree that a discussion of removing IP addresses from display from at least some folks. While it is not a worry for me personally, I have argued about privacy, outings, drones, the NSA, and other topics enough to at least respect that it is a serious concern for a growing population of people - rightly or wrongly is not necessarily applicable here. If this is about assuring people and alleviating fears - a philosophical debate about online privacy in this specific regard may be moot. I think there would obviously need to be some users with certain rights that could see that information for blocking, usercheck, etc. reasons. However, there is already an assumption that those people are trusted with some sensitive data. There are some obvious problems regarding how to handle vandalism detection - functions not just limited to certain groups. Perhaps consider with just removing it from display to readers and anon contributors? Regular users would continue to see them. I recognize that has flaws from a privacy view as well, but is a start and probably an easier "sell" to folks doing vandalism work. --Varnent (talk)^(COI) 22:01, 8 September 2013 (UTC)

I don't really see what viewing someone's IP address accomplishes, for a regular editor. So I know the vandal used 225.122.52.16. What now? I'm certainly not going to seek out his ISP and pursue legal action, not that I even have any grounds for it. We just don't have any use for the actual IP.

The only value it offers is spotting another edit by 225.122.52.16. But this exact utility is completely reproducible by any other form of unique ID. Just salt and hash the address to produce a unique ID for any editing IP.

For instance, 225.122.52.16 would transform to XC12-KT75. It's easier to remember, covers the whole range, and it would hide user IP from anyone below sysop. CP\M (talk) 00:28, 9 September 2013 (UTC)

Tout à fait d'accord avec CP\M. Et même les administrateurs n'ont pas besoin de connaître l'adresse IP. Ils peuvent bloquer XC12-KT75, et c'est le programme derrière qui se débrouille pour que 225.122.52.16 soit bloqué. Ca ne me parait pas très difficile à mettre en oeuvre, techniquement 85.170.120.230 02:15, 9 September 2013 (UTC)

By posting from an IP, you partially make my point. Wikimedia has massive protections for registered editors' private data and IP addresses specifically. As easily seen from CheckUser policy, only a handful of people can see them, and only for 3 months. This is quite enough. But all this protection is in vain if the user ever makes a single edit without logging in that can be traced to his username. Many users do.

I actually had to destroy my whole userpage once - mark it for deletion - because I accidentally made an IP edit to it. That's all it takes. And I'm very careful in these matters, which is the only reason I ever noticed. Most people wouldn't, and someone who puts the effort into getting their IP is quite likely to succeed. Over the thousands of edits and years of activity as a Wikipedia editor, it's not unusual to slip once, and just once is enough.

When I was a mediator, it led me into some very heated disputes, where my position became that of a heatsink. No, I never feared for anything in regard to it, but there are some people online who can get uncomfortable. The pressure of having your account potentially easily connectable to IP and thus real name and address is a factor.

WMF tries to keep that from happening - but the public display of editing IP addresses is one very fragile weak link in this otherwise secure system. Sysops have reasons to see editor addresses - to distinguish proxies, public access points, dynamic IPs, manage IP range bans. For the rest of us it only serves as a unique ID, which purpose can be - and elsewhere usually is - served by a more secure randomized identifier or hash code.

Sorry if I'm repeating anything. But I feel that, if we're bringing up the privacy policy, this should be addressed. CP\M (talk) 10:24, 9 September 2013 (UTC)

I totally agree that this needs a rethink, and I've felt this way since forever. But it's not completely trivial to fix. Life would be a lot simpler if every IP address were unique as the progenitors of IPv6 fondly hoped. With a shared address, even if opaque behind a nonce, anyone sharing that nonce can spill the beans about physical location. Even behind a DSL line with a fixed IP, there can multiple users oblivious to each other (or not). Are these user agents sharing the same IP actually different people, or a sock-puppet pretending to have more children than Old Mother Hubbard? Actual IP addresses are somewhat resistant to this kind of game. Replacing the IP addresses with nonces might do harm by creating a false perception that these are necessarily less revealing (they aren't in many cases). The problem in my mind is that we let anonymous users escape from session management (logging in/out). Session management is normally tied to a fixed account, but doesn't need to be. Users could formally log in as an anonymous user to their current IP address and potentially have user preferences for the duration of that session (until they formally log out, or are logged out automatically on elapsed time). IP address pseudo-accounts (IPAPA) would not have persistent user preferences across sessions. A cookie might implement this, but that's a different story. Perhaps it should be a formal requirement on all editors to at least log at least transiently into their anonymous IPAPA. To prevent people with real accounts from logging into such an account by mistake, the IPAPA might require typing in the last decimal octet of the IP as a makeshift password. There might be a communication problem convincing faint-livered anonymous editors that they remain anonymous despite logging in under an IPIPA. Some faint-livered editors might blanch and give up. So it goes. I don't think it's possible to be strong on privacy without having to confront communication issues straight up. If it is also the case that for the most extreme anonymous editor Wikipedia is not even willing to store a cookie on the user agent (potentially identifying that the user agent was used to make an edit on Wikipedia) then you could simply require the user type the IP octet password for every edit. The "private window" feature of most user agents will burn such a cookie anyway (or so I wish to believe). In the rare case where a concerned user isn't willing or able to cover their tracks with a private window (or by manually erasing history and cookies) and they also don't want a cookie (which is technically insane if they allow their user agent's URL history to persist) IMO it's really not too much to ask them to type a last octet confirmation code with each edit. It's really not acceptable to expose long term editors with a proper account to the constant hazard of slipping up just once, if they have worked diligently to protect their identity. What such a person will never do is type the last three digits of their IP address as a confirmation code when making an edit. I think it's crazy that any identifier associated with a user is permanently displayed with no vetting process that isn't tied to what actually gets displayed (as passwords tie to user identity, or a last octet confirmation code would tie to the IP address). It can't be streamlined in any case to just slapping the enter key one more time. The hurdle needs to be consciously unique, so that in no case is it ever unconsciously or unwittingly crossed. In conclusion, I oppose the false obscurity of noncing the IP address displayed. Far more strongly, I think it's insane and unconscionable to permanently blow the cover of a conscientious editor by constant exposure to a trivial mishap in the first inattentive moment. That's my input FWIW. I doubt I'll return to engage in further debate. MaxEnt (talk) 12:08, 9 September 2013 (UTC)

While the proposed IPAPA does seem an interesting and useful mechanic, I would consider it part of a more serious debate and longer-term planning, since it's a more significant change. As for a confirmation code, it's on the other hand much more realistic than my suggestion. It doesn't, however, completely address the issue. For instance, if an editor begins as an anonymous contributor and then registers an account, it can be very trivial to connect their IP contributions to their account. They start a discussion as an IP, later reply from their account? You got them. Free checkuser for everyone, just takes a little data mining.

While it's possible for a nonce or hash code to be traced to an IP regardless, I would consider it a very small concern. It's a factor for shared addresses, which for that very reason are decoupled from their physical user. And then, of course, there is the possibility of rogue admins. But, by an large, just this small layer of encryption before revealing IP addresses to the whole world would still significantly cut down on the overall negative impact on privacy that Wikimedia's IP collection has. CP\M (talk) 17:58, 9 September 2013 (UTC)

Hmm. Do you really trust that no database dumps were made in the period between you making IP edits, and the deletions of your userpage (the later time which could of course be obtained from the deletion logs)? And do you trust that there are no Wikipedia admins among the 14 hundred on enwiki alone who would view the deleted page?

For that modicum of false privacy, it's worth breaking the CIDR range searches that let any bloke in the street easily detect vandalism from IP users run amok? I don't think so. To protect against the particular problem you appear to have encountered, there is a very, very, very simple solution. Just use a different skin on your account from the default one (OK, doesn't always work if you're steamed while editing). And if the Wikimedia foundation was actually interested in protecting user privacy? Well, they'd just ban editing from IP addresses- particularly from IPv6 addresses that expose all sorts of uniquely identifying information to the world. John Nevard (talk) 14:56, 14 September 2013 (UTC)

I'm OK with 1.5 thousand sysops being able to find out my IP address. I'm not OK with 1.5 billion internet users having the same access.

Yes, I believe that this magnitude of user privacy improvement is well worth restricting some of the more advanced anti-vandalism tools - far from anything a casual editor ever uses - to a narrower subset than "everyone in the world".

Your comment does raise another good point: the information gathered through range searches can be displayed without disclosing the exact IP. That can be used to further improve privacy by avoiding IP display even to admins or it can be used to keep the few IP-related anti-vandalism tools currently employed available to their current users. Flagging attention-requiring IDs, subnet match checks on two specific IDs, whatever is needed, all can be handled while limiting public data exposure.

It is the norm in the internet for user IPs to be only visible to website administrators and staff. Even when you post anonymously, IPs don't get published. Mediawiki's current situation is a jarring exception. Especially with the upcoming shift to IPv6 - which, like you state correctly, represents a grave privacy concern - it will, sooner or later, have to change.

Completely disabling editing from IPs has been proposed and rejected, because we want to welcome more editors into our community. But paying them back with making their IP and potentially identity public for eternity for accepting this welcome is worse. This is a double standard, first we tell them registration is optional, feel free to edit, then they discover the staggering price.

IP encryption is a compromise that's straightforward, compatible with legacy routines and practices, and can significantly improve on this weak link without compromising usability. CP\M (talk) 20:40, 14 September 2013 (UTC)

Yeah, we've all heard 'welcome users into the community' as a reason for anonymous and presumed-not-guilty editing from IP addresses before, and it's still nonsense, just like the idea of welcoming users into the community by giving them a confusing sub-Netscape Composer editor that screws up formatting even if you make the effort to use it right. While it is the norm for user IPs to only be visible to website admins where anonymous contributions are allowed, it is also the norm for such effectively anonymous contributions to be rubbish.

Even apart from the fact that it breaks useful anti-vandalism methods that are available to anyone who wants to contribute to the quest to stem the tide of anonymous vandalism and advocacy on Wikipedia, this is just a terrible idea. There is absolutely no forward anonymity.. there only has to be one disclosure, which would inevitably happen if such an idea was adopted, and a rainbow table for every single cloaked IP could be generated in a minute or two. In the time between the adoption of such a policy and the disclosure, non-registered users would have been editing under the utterly false perception that they were not revealing their identity to anyone, forever. John Nevard (talk) 22:44, 14 September 2013 (UTC)

Rainbow tables have been relevant a very long time ago and to standard hashing only. They have never been relevant to encrypted storage, they have never been relevant to salted inputs, and even in the few applications where they used to be relevant, OpenCL processing is outright faster than reading a rainbow table from a drive.

As for the the methods, their labeling as "useful" is highly contestable. 99% of the time they're perfectly useless and the other 1% they're only useful for the small handful of editors that actually knows what to do with this information, how, what to make of it, and has the dedication to put the effort in. Most of them are either already admins or could easily become, at least, members of a group that would have that specific access.

Your agenda is pretty clearly to disallow unregistered editing altogether. And it's been said a lot of times that this isn't on the table. Compromises may be available, on the other hand. CP\M (talk) 06:18, 15 September 2013 (UTC)

So basically, you admit that a) generating rainbow tables for every possible IP address+salt combination, once the hash was known, or b) searching through every possible IP address+salt combination once the hash was known is trivial. Actually, my only agenda is improving Wikipedia. Clearly, you seem to think that something else is more important than that. 125.237.153.167 17:52, 15 September 2013 (UTC)

Hi All! Thank you for this valuable input. I just wanted to let you know that I will be passing these thoughts and concerns on to relevant members of our tech department and they will respond to this thread directly within a few days. Thank you for patience and for participating in this process. Mpaulson (WMF) (talk) 17:16, 10 September 2013 (UTC)

Considering there's a finite number of IP addresses I'm not sure how we could more than superficially hide IP addresses from the UI. Anyone with a computer and willingness to do so would be able to create a list mapping IP addresses to our new obfuscated forms. ^demon (talk) 05:15, 12 September 2013 (UTC)

In the simplest implementation, a textbook cryptographic function where (Data+Salt)*Key->EncryptedData. To make a map, one would have to either crack the encryption, obtain the (private) Key, or actually edit Wikipedia from every IP address minus one; there's no other way to learn what a given address would resolve to. Either is more difficult than other ways of getting access (rogue admin).

This is far from perfect, but it's secure from the described attack. I can think of more secure schemes as well, where the displayed IDs would differ per article, but a match between them could be checked without resolving the actual IP. User-level check even, just enough to prevent data mining. Implementation shouldn't be a problem, there are well-developed cryptographic methods for just about anything one might want. CP\M (talk) 06:51, 12 September 2013 (UTC)

Yeah you're right, it's doable (it was late and I hadn't completely thought through my comments). Indeed if we salted the IP first that would probably be sufficient. My initial fear was something far more straightforward--without a salt or key then it'd be completely possible to generate such a list (since the code to do so would be part of MediaWiki and therefore public). ^demon (talk) 15:24, 12 September 2013 (UTC)

You may not view? What are you thinking - how can you enforce this prohibition? The legal reasoning, "For the protection of the Wikimedia Foundation and other users," would apply to editing, where you can ban and so forth. But this is a minority of users. - 173.28.94.175 00:57, 9 September 2013 (UTC)

Hi 173.28 ... This is a fairly typical provision in online terms of use and privacy policies. In the unlikely case of conflict or litigation, it allows a defense that one was not free to use our site when that person was not in agreement with the privacy policy. Thanks. Geoffbrigham (talk) 03:45, 9 September 2013 (UTC)

Anyone who sues was not allowed to use. Has it held up in court? - 173.28.94.175 13:45, 9 September 2013 (UTC)

I'm not sure if I understand your question 173.28 ... Could you possibly rephrase it? Thanks. Geoffbrigham (talk) 16:02, 9 September 2013 (UTC)

Or give citations to cases where it did not hold up. --Jeremyb (talk) 16:21, 9 September 2013 (UTC)

It reeks. How about putting it more softly, as in, for instance http://hosted2.ap.org/APDEFAULT/terms - 173.28.94.175 22:57, 9 September 2013 (UTC)

For the record, this seems to be the relevant parts of the AP policy:

1. Use of this Web site is conditioned on the acceptance, without modification, of all terms and conditions of this agreement. By using this Web site you represent that you have read and understand the terms and conditions and that you agree to be bound by these terms and conditions as set forth below.
3. If you do not agree with the terms and conditions of this Web site and do not wish to be bound by them, please do not use this Web site or download any materials from this Web site.

--Jeremyb (talk) 19:45, 11 September 2013 (UTC)

OK. I think I will monitor to see if there is other community concern about the issue. I believe we basically already say what is in the AP policy (please see the second paragraph of the privacy policy and the phrase being challenged in this discussion). We can always rephrase but I sort of like how the draft privacy policy does it. That said, I think we can place the above sentence ("If you do not agree with this ...") near the beginning of the policy (and maybe even in the user-friendly summary). Thanks. Geoffbrigham (talk) 13:16, 12 September 2013 (UTC)

As an update, I have requested that we include the above sentence ("if you do not agree with this ...") in the user summary to respond to the above concerns. Thanks. Geoffbrigham (talk) 00:49, 7 November 2013 (UTC)

We have added the sentence "For the protection of the Wikimedia Foundation and other users, if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites." in the user friendly summary of the Privacy Policy. We expect this has addressed your concern. Thanks for the feedback! --JVargas (WMF) (talk) 00:54, 7 November 2013 (UTC)

One of the central uses of a privacy policy is to inform.

As such, mounting buckets of lawyer speak on a wall of text is precisely the opposite.

Whatever privacy policy you have you need to have a starting review segment of simple speak - the way you would describe the situation to your friends on a picnic without any pressure or need for unnecessary elaborate language.

Law-wise this useless, social-wise - priceless - as people don't have to suffer through every text the lawyer wrote to cover the possible loopholes and situations that may arise legally.

What you do and don't do can be covered in a group of brief, clear and easy to understand sentences - layman's terms if you will. It looks very much like the "This is a user-friendly summary of the privacy policy" intro you made to welcome people for input on this topic. The rest with all the details is also there, but it is not the only thing available for consumption.

Many companies ignore doing this and alienate users when it is discovered that somewhere in the abyss of text they've thrown a dubious or direct disregard of user interests not to mention basic ethics.

Whatever it is you are doing, if you make a simple statement about what it is, it is going to go much better than having to learn gossip about it from a third party that had the nerve to sit through and decode the swamp of text.

In case of this site, your operations have more hazards for the company than the users, make sure you are covered, we want the site to thrive.

Also address popular concerns here is an example of a simple intro: (may not be applicable but is just an example)

" PLEASE READ THIS! We have made an effort to design it to be concise and helpful and not the usual barrage of dubious language you can find allover the web.

In case you haven't used wikimedia - we are ...

We only retain ip addresses to manage unethical conduct such vandalism that disrupts the purpose of the site. It is done because there is no other way to maintain a civil interaction while everyone can come in and participate.

We don't know who you are and we don't ask, all we know is that you are not the same person that is editing the other article. Using this statistic how many different users we have, we plan the technical development of our site to be able to accommodate demand of traffic for our users and contributors. (make sure you clarify what exactly is entailed in this - Use information only to understand how we can make the sites better for you based on your use and needs - what information EXACTLY and how long, if you don't know how long - just say there is no schedule so people know it may be indefinite.)

We absolutely discourage you from providing any personal information in your profile and the rest of our site - as your information is not free from abuse by third parties that can obtain it by any manner without consulting us in any way. You take responsibility for any personal information you do disclose and what happens to it. We do not have the capability to monitor all information at all times.

We can not identify who you are, but the nature of how the technology necessary for this to work has ways available to identify you, which are through legal channels and unlawful conduct. We can not invent new technology that can completely shield your activities - and we don't need to, as the site isn't for secret developments. We take it - you understand that using the internet leaves your information vulnerable regardless if we existed or not.

Other than that we make sure the rights of others as well as ours are kept and respected on our site, as not everyone is willing to allow use of their proprietary information that complies the knowledge bases we have open for everyone.

Below you can find the full privacy policy with every aspect and detail of it.

Thank you for being part of this great project.

Wiki staff."

...

And yeah - Roy is a bad idea. The people who would care for Roy at this location usually wont bother to read your policy. You are either taking this topic seriously or fooling around it with. You can't have a serious topic with toy gimmicks and mascots. And having a informal topic sort of ruins the purpose of updating an official matter. It's why business people don't wear flip flops and cartoon stamped sweaters to firm meetings. And believe me I wish we could do it without getting hammered, but alas we do.

It might fit to the intro capacity I've covered. But it will still generate variable impressions, and I doubt that most will be good.

Hi - on the image and Rory issue, we have retired him for now. Please see this discussion. Thanks. Geoffbrigham (talk) 13:02, 18 September 2013 (UTC)

Also, btw, thanks for your other feedback on this with respect to the style of the writing. I agree that simplicity and accessibility is important in language. As I posted above and elsewhere, I believe we are doing this reasonably well with this draft. The user-friendly summary does highlight key concepts, and we are considering other suggestions in this area. Overall the policy language is explicative in laymen's terms as much as possible to facilitate understanding at a non-technical level when feasible. If I'm not addressing or getting your point, feel free to let me know. Many thanks. Geoffbrigham (talk) 18:55, 20 September 2013 (UTC)

Starting a new section based on an email we received, summarized here and the emailer pointed to the discussion:

• The emailer is happy about the desire to protect information from unauthorized disclosure and use but is concerned about government monitoring [Specifically in the UK but obviously this is a broader question as well]. They would like us to watch for the browser set 'Do Not Track' header and to collect only minimal data for any user with that setting. Jalexander (talk) 17:56, 11 September 2013 (UTC)

The email Jalexander references was fairly specific and well-written, so I will quote it here to give more context: "I think that some users, in some situations, have specific needs or desires not to be tracked. I think this means that wikimedia should support the 'Do Not Track' header and only collect minimal data for users with this. I could not find any information about a policy either way."

I think it will also be helpful, before answering, to clear up a common misconception about Do Not Track.

To quote from donottrack.us, the page about Do Not Track maintained by Stanford researchers (emphasis added): "Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit..."

The World Wide Web Consortium's Do Not Track standard, which is the formal definition of what Do Not Track means, similarly says (emphasis added):

If a first party receives a DNT:1 signal the first party may engage in its normal collection and use of information. This includes the ability to customize the content, services, and advertising in the context of the first party experience.

The first party must not pass information about this network interaction to third parties who could not collect the data themselves under this standard.

(It is important to note that the specification is unfortunately very far from finished; for example, there is still substantial discussion over what the definition of "track" is. So things may change before the definition is finalized.)

In other words, the official definition of the Do Not Track header specifically allows the websites you visit to record and track information. What it primarily prohibits is giving specific kinds of information to third parties. Unfortunately, many people are confused about this, and think that the DNT header prohibits any sort of tracking, not just third parties. I hope this comment clarifies that point.

Because the privacy policy already has fairly stringent protections for all user information (not just those who turn on Do Not Track), particularly about how/when we give information to third parties, and because DNT does not limit what we ourselves do with the data, we had not included a mention of DNT in the policy. However, we're open to that discussion - for example, if it would be useful, we could summarize this information about DNT a FAQ. And we will of course continue evaluating the standard as it progresses. Hope that helps answer the question.- LVilla (WMF) (talk) 19:26, 11 September 2013 (UTC)

It may be worth clarifying that we aim at being stricter than the opt-in DNT behaviour. --Nemo 21:56, 11 September 2013 (UTC)

Yes, that would probably make sense for a FAQ about DNT. I have started drafting something like that, but it'll probably be a few days.-LVilla (WMF) (talk) 19:40, 16 September 2013 (UTC)

We could even take the idea, that some users have a greater need to not be tracked, and allow for an opt out of some of the behavioural tracking, weather explicitly offering a choice somewhere or taking DNT as an indication of this desire and acting further than required by it. Its also worth noting and informing users of the limitations of DNT. --ZMD123 (talk) 23:13, 11 September 2013 (UTC)

Can you explain in more detail what the "greater needs" might be that you're thinking of? Implementing first-party DNT would be a lot of engineering effort, and I suspect that in most cases if we understood the specific concerns we might be able to find better/more specific solutions. -LVilla (WMF) (talk) 19:40, 16 September 2013 (UTC)

In #Our Response to Do Not Track (DNT) signals, you say: "this Policy is generally as or more protective than a formal implementation of the Do Not Track specification". There seems to be a missing as in that sentence; it could be parsed as this policy is generally as protective [than] a formal implementation of the specification", which makes no sense. AGK [•] 22:21, 14 October 2013 (UTC)

I see your point. Will make the language "as protective as, or more protective than, a ..." -LVilla (WMF) (talk) 22:51, 6 November 2013 (UTC)

The new way to present the policy must have had a little background about the purposes pursued. The legal staff threw the draft without explanations about why the changes in the pattern and language improved the policy. According to the stated at this discussion, I find two objectives. I have some comments on these.

(1).- "Ensure that everyone reads it".

• That is an impossible task. Rarely you can ensuring that people do something, even less in a web site. Intent to ensure that everyone reads the policy sounds as paternalistic as a parent trying to ensure that his/her child eat his vegetables… sounds familiar, does not it? But,

• You can encourage to read a document. In the scope of Wikimedia projects, I find a continuos messages about how is important read some policies as The Five Pillars or about that you can not upload copyrighted material. These messages appear in correct context, when you are trying to edit an article, or upload an archive. That is not about cuddly mascots or funny sentences, is about to show you how to do some task, and you can be interested in that information because is concerned with what are you doing.The Privacy policy is the kind of thing that needs to be shown when you are editing an article as anonymous contributor. You are warned about You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to a user name, among other benefits., you can aggregate to this sentence something as this: "Read our privacy policy to know how your data will be treated". You could emphasize the privacy policy when people are registering at the projects, or are giving to WMF their e-mail or other personal data. You could harass the visitors with a continuos banners about to read the privacy policy, but, that would be silly.

• I think images are not helpful to encourage, even less to ensure, that people read something. Icons and colors in a document can be helpful to make the reading visually attractive, and, as CP/M discusses above, most of the images in a writing are in it with the purpose to illustrate, simplify, reinforce or visually explain something. A cuddly tiger brandishing a sword does not help to understand the WMF efforts to protect my data, unless, literally, a tiger with a sword and shield (and blue Cookie Monster™ slippers) is safeguarding the Wikimedia servers, everything is possible! I found some cartoons ([1],[2]]) that try to explain some issues about licenses. They were created not in the aim to substitute the official policies but to synthesize and show some points about licenses.

(2).-Make possible that "readers who may not be as familiar with our sites and projects" and "everyone should be able to easily understand" the policy.

• First, explain the objectives of the WFM projects is not in the scope of the privacy policy. Other documents take care about it. As this or this . By the way, do not mix the privacy policy with the Terms of Use, most of added verbosity to the current draft is a result of include information that is treated in other documents.

• Translate legalese in a plane English is a laudable purpose. Nobody expects to find a document as Subject to the terms and restrictions set forth in this Agreement, Acme Inc. ("The Company"), hereby grants you a limited, non-exclusive, non-transferable, limited license to utilize the one copy of the product…. But simple English is that, simple, not friendly, not playful, not hilarious but simple.

• Most important. Legal staff is avoiding a very important fact. All Wikipedia articles are redacted in a formal and even scholar tone and Wikipedia is the 5th visited web site in entirely world. If your target audience are, mainly, visitors and users of Wikipedia, you do not have to put the policy in a lower level than the Wikipedia articles. People is intelligent, do not forget that.--SirWalter (talk) 06:28, 21 September 2013 (UTC)

Hi, SirWalter - thanks for taking the time to express your concerns. This is, as you point out, a difficult set of goals, but we've already discussed them at length earlier in this discussion, and have acted on some of them (such as the removal of the tigers). If you have specific concerns about specific passages, we're happy to discuss those separately. For example, we've changed specific jokes that have raised concerns with translators. But at this time we're comfortable with the overall tone and style of the policy and don't plan to change it. Thanks. -LVilla (WMF) (talk) 18:53, 30 September 2013 (UTC)

Well, that is frank. I have to say that I don't agree that the informal, jokey style is appropriate for a policy that is intended to be legally binding and to form part of the basis of a formal legal relationship between WMF and the users of its sites. I really think you need to revisit that decision. As I said below, what is the legal force of a sentence such as "We think you are awesome"? Spectral sequence (talk) 21:51, 30 September 2013 (UTC)

The word "may" is ambiguous and used often in the proposed privacy policy. What does it mean each time it is used? I suggest not using this word.

I suggest to remove "may" (twice) from "This Privacy Policy does not cover some situations where we may gather or process information. For example, some uses may be covered by separate privacy policies.." It is redundant here. --Aviertje (talk) 09:14, 25 September 2013 (UTC)

"May" is pretty unambiguous to me. It's used in cases where the policy permits us to do something, but either does not require it or we do not need to so something for every user in all cases. Changing language like this to "will" or "does" may not be appropriate in all cases. ;) Steven Walling (WMF) • talk 03:54, 26 September 2013 (UTC)

Hi Steven. Your definition is not in the dictionary. It is a combination of two possible meanings of the word. Also considering your definition would make the word even more ambiguous. --Aviertje (talk) 16:16, 26 September 2013 (UTC)

Do we need to explicitly define these words, like RFC 2119? PiRSquared17 (talk) 16:18, 26 September 2013 (UTC)

The policy is intended to be legally binding so ambiguity must be resolved. Spectral sequence (talk) 18:25, 26 September 2013 (UTC)

I agree that the specific sentences you cite are somewhat redundant, but I don't think "may" is the real source of the problem - the whole thing is a little awkward :) I'll redraft that - thanks for taking the time to point it out. As for "may" more generally:

There are many places in the policy where users or the Foundation must have the discretion or option to do something. This occurs in all legal documents - the parties can't foresee the future, so they use language that gives each other the option or choice to do certain things, sometimes only under certain conditions. We generally use "may" these situations, for a few reasons. First, the meaning is fairly well-defined: the Manual of Style for Contract Drafting, a standard legal resource, says may "means 'has discretion to', 'is permitted to', or 'is authorized to'". May is also part of Simple English, and one of the most common words in English (top 100 in many of the Wiktionary frequency lists), so it should be widely understood even by non-native speakers. Finally, it is also commonly used by lawyers to express discretion (and is what is recommended by the Manual of Style for this purpose).

In other words: may is used where the Foundation (and users!) have options. We can't simply eliminate the word altogether, because it is completely appropriate that there be options and flexibility within the document. However, if there are specific options in the policy that you think the Foundation or users should not have, please open a new section to discuss the specific option that you are concerned about. Thanks, and hope that explains our thinking on this issue. -LVilla (WMF) (talk) 21:23, 26 September 2013 (UTC)

Of course you can eliminate the word and use something else. You named some alternatives yourself. Thanks for the lesson in lawyer talk. At least, now I know what is meant.--Aviertje (talk) 19:57, 30 September 2013 (UTC)

By default, users to the Sites are sent to a http:// protocol (for example: http://en.wikipedia.org/wiki/Main_Page. Many users do not know that the Sites can be accessed using a secure server, as in a https:// protocol (for example: https://en.wikipedia.org/wiki/Main_Page). Firstly, I believe users should have the right to have their data encrypted using a secure protocol. Secondly, I believe users should have the right to know that they are able to access the Sites using encryption over a secure server. More specifically, I want the Policy to outline the capability of the Sites to handle users over a secure protocol. If possible, I would also like to see users automatically redirected over to a secure server rather than by default, sent to a http:// location. 184.147.55.86 21:28, 2 October 2013 (UTC)

The Wikimedia Foundation Operations team considered redirecting all traffic over HTTP to HTTPS, but there were some issues (e.g., China and Iran do not allow HTTPS access). For more information, please see HTTPS and this WMF blog post. PiRSquared17 (talk) 21:47, 2 October 2013 (UTC)

I don't think this belongs in the policy (especially since, as PiRSquared super-helpfully pointed out, this is mostly going to be moot in the longer term). But maybe a FAQ entry makes sense? Something like:

"Q: Can I connect to the Sites with https? A: Yes! Logins are always https, and you always have the option of using https when visiting pages, either by editing the URL or by using a tool like HTTPS Everywhere. We're also working to enable https much more widely. To learn more about that, see our HTTPS status page."

Interested to hear what people think about this. -LVilla (WMF) (talk) 22:26, 1 November 2013 (UTC)

• Support as nominator. 184.146.127.142 22:45, 4 November 2013 (UTC)

Great. Language will be added to the FAQ shortly. Let us know if you have further suggestions!-LVilla (WMF) (talk) 23:03, 6 November 2013 (UTC)