Talk:Privacy policy/Archives/2013 (2)

There's a small paragraph after the table of translations that seems odd to me:

We also recognize that some of you know the ins and outs of tracking pixels while others associate the term “cookie” exclusively with the chocolate variety. Whether you are brand new to privacy terminology or you are an expert who just wants a refresher, you might find our Glossary of Key Terms helpful.

The problem here is the switch to using such technical language seems abrupt since tracking pixels and cookies are introduced after this paragraph in the next section (in "Use of info" / "Information We Collect"). (It seems as if the text text may have been re-ordered at some point.) I think just mentioning that they are "technical terms" helps alleviate this problem. I also think "some" over-estimates how many people know that stuff, so "only a few" would make less people feel inadequate. My attempt at improving this paragraph reads like this:

We recognize that only a few of you are familiar with technical terms like “tracking pixels” and “cookies” (hint: these can't be dunked in milk) used in the privacy policy. Whether you are brand new to privacy terminology or you are an expert who just wants a refresher, you might find our Glossary of Key Terms helpful.

Jason Quinn (talk) 21:14, 9 September 2013 (UTC)

Hi Jason Quinn! Thank you for your suggestion! I'm going to tweak the language to:

We recognize that only a few of you are familiar with technical terms like “tracking pixels” and “cookies” (hint: we're not referring to the chocolate variety) used in the Privacy Policy. Whether you are brand new to privacy terminology or you are an expert who just wants a refresher, you might find our Glossary of Key Terms helpful.

I like your "these can't be dunked in milk" joke, but unfortunately, I'm told that the concept of dunking cookies in milk doesn't translate very well. Hopefully, my modification of your suggestion is ok. =) Thanks again! Mpaulson (WMF) (talk) 19:36, 20 September 2013 (UTC)

(Source for China: [1]; only 30 % in USA too it seems.[2]. --Nemo 20:13, 20 September 2013 (UTC))

The privacy policy is OK in theory. In practice I find that:

1. Some editors use their cloak of anonymity to behave in a way in way that would not happen in real life. They are uncivil and unreasonable, and any conflicts of interest are hidden from scrutiny.
2. Other editors like myself use usernames based on their real name, and their real life identities can readily be ascertained. That should not be a reason to do so. My own background and affiliates have been regularly used against me. ie. I have no privacy.

There is an apparent double standard here. Editors that are more open should not be disadvantaged. --Iantresman (talk) 17:12, 10 September 2013 (UTC)

Thank you for sharing your thoughts, Iantresman! You are correct in that different people have different comfort levels about what they choose to share with the public about themselves (both in their username and elsewhere). But can you elaborate a little more about what you mean that there is a double standard? And how editors who are more open are disadvantaged? Mpaulson (WMF) (talk) 23:35, 10 September 2013 (UTC)

• Editors may have conflicts of interest (COI). An editor who is a Republican, went to Harvard, and personally knows the editor of the New York Times, may have a COI editing articles on the those subjects. But anonymity means these details remain private and unchallenged. Editors such as myself have a username that is a trivial representation of my real life name. But this is not an invitation to access my background, and my affiliations, whic can and have been used against me. This is the double standard. Anonymous editors ensure their privacy is guarded, editors with links to their real-life identity, lose their privacy. This is not right, as it disadvantages those who are more open.
• Anonymous editors may also make unfounded claims. I had one claiming to be a professor, and also allowed another editor to perpetuate the claim, even though it was false. In this respect, anonymity means there is no accountability. Then I had an anonymous editor claim that I was a leyman, despite me having two university degrees that I choose not to publicise. The privacy of more open editors, is also open to abuse. --Iantresman (talk) 11:54, 11 September 2013 (UTC)

Hi Iantresman. I understand your points. Yes, there are disadvantages in disclosing your real name as people can find out more about your background as a result. This is unfortunately a trade-off that people who choose to disclose their real names must face. And yes, there are also disadvantages to permitting anonymous editing as there are fewer ways to verify the claims made by anonymous users without being able to look into their backgrounds. I'm a little confused as to what the relation of your comments are to the privacy policy draft though...could you clarify? Mpaulson (WMF) (talk) 18:19, 20 September 2013 (UTC)

Hello. I received the following question via wmf:Answers. I am posting it here for response and will point out to the correspondent where it is. --Maggie Dennis (WMF) (talk) 01:26, 11 September 2013 (UTC)

As you can imagine, with all the knowledge now available to everyone about the vast extent of USA and other countries’ spying networks, we all know that Wikimedia can be forced rather easily to give up every bit of personal, location, metadata, and other data you have. People who use Wikipedia are often people with a broad range of interests or people researching data for writing a paper for school or a work of literature, etc. They may visit sites in which they have no personal interest other than fulfilling a specific need at a specific time. However, there are probably a good many “trigger” words or phrases used by NSA and others that they would deem indicative of potential criminal or terrorist activity. They may ask for data on anyone who has visited any of the pages using those words or phrases within the last ten to twenty years! That makes everyone who uses Wikimedia a potential target. Perhaps, in the interest of securing the privacy of innocent parties, Wikimedia should NOT collect any information on which pages are visited. I realize this would put a big chunk information you should be able to use for the betterment of the sites out of reach, but with spying run amok, this may be a necessary sacrifice. Billions of your users are now getting very paranoid!

• Additional comments above Here (diff) and in general in Strip Wikimedia Data Collection to the Barest Minimum - Introduction and related sections under that on amount of user tracking, Jalexander (talk) 03:56, 11 September 2013 (UTC)
• We also have an email from a user who would like us to rethink any ideas to 'tailor' the experience automatically because their needs change day to day and they feel that tailoring it more will hurt the usefulness of the site in this way. They have been invited to join in here or elsewhere on the page if desired. Jalexander (talk) 03:56, 11 September 2013 (UTC)

Hi wmf:Answers,

I personally and the WMF as an organization worry about the recent revelations that Edward Snowden has made. Our legal counsel has written a detailed blog post about our position regarding PRISM. We have enabled SSL for all our readers on most Wikimedia projects. So we are committed to protect the privacy of all our users!

I think it's important to realize that we are not storing data for long periods of time, and certainly not for 20 years. We are currently working on a separate Data Retention Guidelines that explains how long we store it. We cannot store no webrequest data -- we need it for performance monitoring, capacity planning, providing key performance indicators for all our projects. What we can do is to store the data no longer then we absolutely have to and that's what we are doing.

Best,

Drdee (talk) 21:28, 1 October 2013 (UTC) (in my role as Product Manager Analytics @ WMF)

The old privacy policy contains 16.790 characters in its main text versus the 33.582 characters of this draft as of now. So a doubling. - Is this a good development? Where's the summary, where's listing of principles? - Isn't that what we should be discussing, and not some long winded explanation and elaboration (even with cute animals)? --Anjoe (talk) 08:36, 12 September 2013 (UTC)

Hi Anjoe. IMHO, I don't think word count is the only relevant variable. The draft policy, in my opinion, does a better job explaining our collection, use, and storage of data; incorporates many more topics than the original policy (see above summary at the beginning of the discussion); adopts many global principles of data management; and uses introductory texts and summaries to make the policy more comprehensible. Now, no doubt, we can improve on this draft, including phrasing and looking for opportunities for succinct writing. But that is the opportunity for this 4-month consultation. With respect to your questions: There is a user-friendly summary at the very beginning that you should feel free to comment on, as others have already done. The most important principles are set out in this summary and the Welcome paragraph at the beginning. Obviously we are always interested in others' thoughts whether anything else should be included in that summary and welcome paragraph. Thanks. Geoffbrigham (talk) 13:00, 12 September 2013 (UTC)

I notice that in a couple of places the policy states that WMF will "seek to" do something: We seek to put requirements, such as confidentiality agreements, in place and we seek to put requirements, such as reasonable technical and contractual protections, in place to protect privacy. (The same language is used above by User:Mpaulson (WMF).) This is presumably intentional, and to the extent that it is intentional, unacceptably feeble. WMF policy must surely be to succeed in putting these measures in place to protect privacy, not merely to seek to do so. If WMF is unable to put measures in place to adequately protect private information in the hands of third parties, it should not be giving the information to those parties at all. Spectral sequence (talk) 21:24, 12 September 2013 (UTC)

Ditto. This is the only thing I noticed worth inquiring about. ImperfectlyInformed (talk) 22:20, 12 September 2013 (UTC)

Oh, dear. It seems we all want a perfect world. Unfortunately, it isn't. I suppose you would like to see guarantees that martial law won't be introduced later today and everything will be seized by the government, or that sometimes technical hitches and miscalculations WILL happen. In the immortal words of Homer Jay Simpson, "Stuff happens." There are no legal guarantees regarding unforeseen events, inadvertent errors or absolute security, therefore the language of this legal document (that's what it is: a serious, legal document) cannot reflect impossible or, at least, implausible absolutes. Would you be satisfied with them saying, "We promise that we'll try really, really, really hard to do our best but can't ensure that stuff won't happen."? Apologies for being a tad short about this, but what you're asking for is nothing short of ludicrous. Questions surrounding the wording of the policy ought to be realistic. --Iryna Harpy (talk) 01:18, 13 September 2013 (UTC)

I would like a perfect world but am not expecting the WMF to deliver it. I am suggesting that that the policy be to require effective measures to be in place and not give out private information unless those measures are in place. I don't think that's ludicrous at all. It would be ludicrous to expect those measures to be 100% effective, I did not say that and do not expect that. I said, and say, that they should be adequate, and they should be in place. To merely "seek" to put measures in place, is to allow the option of giving away information without adequate measures, and that is unacceptable. Spectral sequence (talk) 06:21, 13 September 2013 (UTC)

In which case, Spectral sequence, your concern IS a reasonable one, and I apologise for the snarky response. HOWEVER, surely you must understand that you're still asking for something the legal department is not going to commit to whether or not your expectations are met. Being the legal department, their interests lie with protecting the WMF from being sued, meaning that despite presenting this fluffy prototype supposedly with the explicit intent of making policy as clear and concise as possible, they will continue to use evasive and ambiguous terminology.

That is actually why quite a number of people are railing against the fluffy presentation. So far, it has not delivered on being concise. I think most people would prefer a dry but succinct document over a document which is overly verbose & cutesy where unnecessary, and is failing to address salient issues. It's easier to hide behind a lot of "seek to" clauses when your blinding people with a lack of science. What you've detected is going to resonate far more without Rory and "cool stuff". It's also why I'd suggest that ImperfectlyInformed should revisit his/her appraisal as, "Ditto. This is the only thing I noticed worth inquiring about." There's a lot more to notice about what the this draft method of delivery is concealing. --Iryna Harpy (talk) 10:45, 13 September 2013 (UTC)

Thanks for that, glad to hear we were in agreement after all. You may be right about whether WMF will commit themselves to implementing these measures, but it will be interesting to hear their response. Spectral sequence (talk) 16:51, 13 September 2013 (UTC)

Agreed. Before seeing this thread, I asked,

Any objections to the edit s/seek to put requirements/put requirements/g ?

I see no reason to be so wishy-washy. If there are to be exceptions, I feel the policy must state that any such exceptions will be specified, say, in the noted FAQ section. We already have the non-wishy-washy, "We will never use third-party cookies," so I see this seek to crud as unjustifiable. Legal: Are there any exceptions that will need to be noted? --Elvey (talk) 22:20, 13 September 2013 (UTC)

Well, Legal, the consensus regarding your understanding of simple English and the end users' understanding of simple English seem distinctly different. Thus far, cuddly-speak and cute mascots have been sprinkled liberally throughout the draft document obfuscating a clear understanding of a policy which is still harbouring those nasty legalese terms. If I were seeking to translate legalese into a simple English version, I'd write, “Hi! We might put confidentiality agreements in place but, hey, we probably won't!” and, “We might put reasonable technical and contractual protections in place, but you won't find out until you've already uploaded your stuff here.” You see? I'm good with instilling a little tasteful humour. I beg your pardon? Oh, you don't find that humorous? How extraordinary that our tastes don't coincide. Here's hoping you manage to create something genuinely set out in lay terms and transparent with your next attempts. --Iryna Harpy (talk) 06:31, 14 September 2013 (UTC)

┌─────────────────────────────────┘
In my day-job I actually work as a government regulator so I'm used to seeing wishy-washy legal language; however, I'm also used to telling companies that in some cases they don't get to have wishy-washy language, and they usually get the picture. Not really in the same position here. :) I don't know that much about privacy (altho GLB privacy, FCRA, and data brokers are professional as well as personal interests) and especially not about the whole domestic spying mess. However, some of these clauses do not refer to cases where "stuff happens". Either you have confidentiality agreements with your vendors or you don't. If you can't get these agreements, then don't suggest that they exist. If you can get them from some of your vendors but not others, maybe disclose that. I would split this out from technical protections, which is indeed broader and much more complex. To be honest, given the already public nature of my Wikipedia contributions, privacy is pretty low on the list of my concerns, which is why this is the main thing I'm commenting on. ImperfectlyInformed (talk) 09:57, 15 September 2013 (UTC)

Now that you've explained the, "ditto", I can empathise... well, other than in as much as being familiar with Australian privacy laws and having been involved in interpreting it/changes to it for the tertiary education sector a couple of times in a professional capacity: that is, working directly with a specific university's Legal department appended to HR. Naturally, as the explicit aim was to comprehend how it impacted on staff and students, the end policy documents were best attempts to be as concise as was humanly possible about what aspects of the privacy policy were enforceable by law and which aspects were tenuous (basically, a forewarning of 'iffy' areas).

At the end of the day, the only approach I'd consider to be honest and informative would be to delineate what can be assured and stipulate what can't be assured. As potentially 'boring' as such an approach might be, it would exclude anything outside of that which is absolutely relevant, "Just the facts, ma'am." Aiming at the lowest common denominator (kid friendly?) inevitably backfires. Most kids wouldn't even see this as condescension but as a bunch of old farts trying to be cool, unable to even grasp youth culture terminology without making asses of themselves. The 'background info' would go to the bottom of the pile and be replaced with, "If you are under the age of 18/21 (whatever is deemed to be the standard adult legal age in the USA) or do not fully understand any aspect of this policy, please ask a responsible adult for advice on areas that you aren't clear about before you set up an account or post anything here." The demographic known as 'minors' springs to mind. --Iryna Harpy (talk) 04:53, 16 September 2013 (UTC)

ImperfectlyInformed, Spectral sequence, Elvey, Iryna Harpy and others in this discussion: thank you! I think you are right that we need to tighten the language. We will discuss internally this week and probably come back with other proposed language. I greatly appreciate your observations and wisdom here. Geoffbrigham (talk) 10:36, 15 September 2013 (UTC)

Apologies for butting in between your thank you and the response by ImperfectlyInformed, Geoffbrigham. At least I feel that Legal are actually paying attention to input. I'm afraid that the brashness of my comments have been informed by the ongoing fiasco with VE on Wikipedia which has left a bad taste in my mouth regarding all things WMF. --Iryna Harpy (talk) 04:53, 16 September 2013 (UTC)

We have modified the language on the policy to read "We put requirements, such as confidentiality agreements" and "we put requirements, such as reasonable technical and contractual protections" in order to remove the wishy-washiness you have mentioned. Please let us know if you have further concerns on this. Thank you for the feedback! --JVargas (WMF) (talk) 23:53, 6 November 2013 (UTC)

Were the drafters of this policy given or did they look at any other policies as models of policies that do it right? Which ones? I don't recall the site names offhand, but do recall a few sites that had great policies. What privacy policies do folks think are exemplary? Perhaps some good ones to look at: EFF?, FSF?, Yelp just updated theirs; it's relatively good, ...? What makes for an exemplary policy, IMO? It's short. It's specific. In terms of language, if not meaning, it's the opposite of the typical privacy policy.--Elvey (talk) 22:32, 13 September 2013 (UTC)

Hah, I had a similar idea and just came here to announce a new page: Privacy policy/Examples. It's a start. :-) --MZMcBride (talk) 14:43, 14 September 2013 (UTC)

We did examine extensively other privacy policies in this drafting process from a wide variety of organizations, and it makes sense to continue doing so. (For example, I really like the use of icons and margin notes in the LinkedIn policy and maybe that makes sense for us - we already have the icons, but the margin notes also add clarity.) Privacy policies are usually tailored to the organization, so examples are useful, but cutting-and-pasting text or ideas should be done with caution. I would suggest that writing a privacy policy in our movement is a bit more challenging than for other traditional organizations. For example, we are not a for-profit corporation that embraces commercial values in the collection, processing, and use of customer data while tightly controlling all its processes. We fortunately have a unique collaborative community that supports the projects interactively, in multiple ways that are unprecedented elsewhere, requiring a somewhat different approach in our privacy policy and its descriptions. We need to explain our somewhat complex practices in ways that others will understand. We also are the fifth most popular website in the world, with the challenges of any major internet site, so smaller organizations may provide some best practices in their privacy polices, but may not have the complete answer for us. Thanks for raising and discussing. Geoffbrigham (talk) 16:33, 14 September 2013 (UTC)

http://en.wikipedia.org/wiki/Policy: "A policy is a principle or protocol to guide decisions and achieve rational outcomes. A policy is a statement of intent.." http://en.wikipedia.org/wiki/Wikipedia:Policies_and_guidelines: "Policies explain and describe standards that all users should normally follow.."

So the privacy policy is not a hard ruling but a guideline to reach a hypothetical outcome and reality may be completely different? What's the use? --Aviertje (talk) 15:34, 14 September 2013 (UTC)

Hi Aviertjel - I believe a privacy policy is a bit different. Privacy policies are required by law, such as in California where the Wikimedia Foundation is based, because users provide data and should know how their data is used. Privacy is also an important value to our community, so a policy should outline transparently how we collect, use, and store data. Privacy policies generally are not discretionary; organizations should be complying with their privacy policy. Indeed, the term "privacy policy" is a bit misleading. The policy is more than a piece of paper; it also describes the internal processes used to collect, store and use information. Take care. Geoffbrigham (talk) 16:11, 14 September 2013 (UTC)

Thanks. I found a link Online Privacy Protection Act of 2003 - California Business and Professions Code sections 22575-22579 on http://oag.ca.gov/privacy/privacy-laws. Does this law apply? It speaks of "a commercial Web site or online service" --Aviertje (talk) 18:48, 14 September 2013 (UTC)

Hi Avierje. In my view, our site is not a commercial site and therefore is not technically subject to the law, for among other reasons. So, in short, your point is quite well taken here. The principle driving this law speaks directly to our values as a movement, and, accordingly, it does establish a good practice, even if not mandatory. The purpose of a privacy policy is to tell users how their data is collected and used, and an up-to-date privacy policy is particularly important for an organization like ours, which strives to be transparent and accountable in its work. Thanks for your insightful comment and help in clarifying the issue. Geoffbrigham (talk) 19:57, 16 September 2013 (UTC)

Weitergabe von Daten aus gesetzlichen Gründen. Nicht alle Datensammelwut dient dem Schutz vor Anschlägen, Mitunter dient sie auch dem Schutz von Straftätern in Staatsdiensten.

Hm, information collected in the donation-process are partially covered by the vague point "Information We Collect". But since the point "service improvement" can be used to justify the collection of almost every possible type of data, the entire policy loses its protective nature. And once those information have been collected, WP can be forced to hand them over on a legal basis, or give them to a third party for scientific research or whatever. Alexpl (talk) 09:03, 15 September 2013 (UTC)

My apologies for my lack of German language skills, but I'm a little confused about what the original question or comment is in relation to the section title of "Donations". Could you clarify? If your question regards donations, donations are actually covered by the Donor Privacy Policy rather than the main Privacy Policy. Hope that helps. Mpaulson (WMF) (talk) 00:59, 20 September 2013 (UTC)

Under the heading Use, the policy talks about what would be my data, or my experience and then continues to how we ("we", WF Inc) would understand the aforementioned better. For the latter undertaking, the text fails to give legal or technical or economical reasons in most of this section (and others). The text does appeal, though, to readers' susceptibility to advertising by using phrases like

• "more relevant", "faster", "more effective", "greater security", "optimize applications", "customize content", and so on.

These trade event buzzwords do not seem adequate for a privacy policy.

Given this impression, a simple change involving the users can make the policy more acceptable to them, I think: in place of what could be termed “deflective rhetorics” (seemingly copying other companies'), require every individual user to opt for being measured. This way, a user will clearly give permission to WF Inc to measure this user's behavior.

Emphasize opt in, that is, not opt out! — GeorgBauhaus (talk) 11:52, 15 September 2013 (UTC)

Georg, I am a researcher at WMF and part of my job is to help people who design new features make informed decisions about their impact on readers and editors like you. We strive to make the type of data we collect transparently available and auditable and to publicly report the results of our analysis in the form of dashboards, research reports and aggregate or anonymized open datasets. We measure the aggregate behavior of groups or cohorts of users, we do not collect data to target or profile individuals for the purpose of selling or advertising, and to be blunt: this is not deflective rhetorics, but it's what the organization needs to operate Wikimedia's sites. An opt-in model where we would ask individual users permission to collect data undermines our ability to tell whether a new user interface is working or causing problems, whether the site is reachable or it takes hours to load a single page, whether spambots are targeting our sites and so on. I do agree with you that we should do a better job at explaining how – as a user – you can browse anonymously and protect your privacy when visiting or contributing to our sites. I disagree that it's the job of a privacy policy to explain the "technical or economical reasons" that drive our research or our need to collect data (these can be found in the Foundation's annual plan or in individual project or program pages), but to disclose what data we collect, how long we keep it and define your rights as a user when it comes to this data. DarTar (talk) 23:19, 19 September 2013 (UTC)

Logging IPs of logged in users is a tool of surveillance. It is unnecessary. This only opens the door to governments who will ask you to hand over these IPs in order to get more information about their target. Stop it now, before it is too late. Who cares about the 10000 sock puppets if you can protect the human right on anonymity for the rest(>1000000) users? That only "a few admins will have access to the IPs" does not help. Who controls the controler? Who controls what happens in secret with the data ? You might add it s not secret that we collect the data: "We stated it in the policy that the data would be collected". But it s secret (not viewable) who accesses the stored data and when it was accessed. Storing the IP of logged in users is against https://en.wikipedia.org/wiki/Wikipedia:Wikipedia_is_anonymous . You can derive too many things by the knowledge of the IP to say that the user stays anonymous. SO DO NOT STORE IT. IT IS NOT NECESSARY. --92.193.47.88 20:16, 16 September 2013 (UTC)

Well - wikis would face even worse vandalism if they didn't keep the IP: in that case a vandal could e.g. easily make a bot that creates new accounts, and make one vandal edit per account. However, it would be good if the privacy policy stated for how long the IP is kept at a maximum, since it's probably not necessary to keep the info indefinitely. //Shell 20:34, 16 September 2013 (UTC)

Hi Shell! We actually plan on going into more detail about how long we keep IP addresses in the forthcoming Data Retention Guidelines. Sorry that we don't have those out for you yet, but we're working to get a draft out as soon as we can! Mpaulson (WMF) (talk) 21:13, 19 September 2013 (UTC)

Hi Anonymous! Thank you for voicing your opinion. I certainly understand that logging of IPs is a sensitive topic, especially given the recent events regarding the actions of the NSA. The Foundation has made its position clear with regard to PRISM and any other secret governmental surveillance program. Additionally, we plan on releasing Requests for User Information Procedures & Guidelines in the coming weeks to be transparent about the heightened legal standards any third party has to meet before the Foundation will release any user data. And with regard to the admins who have access to nonpublic data, such as the IP addresses of logged-in users, the new Access to Nonpublic Information Policy draft is also up for review by the community and goes into more detail about the duties of these admins and the situations under which they are permitted to access nonpublic information.

As to your question as to why we collect IP addresses from logged-in users -- we use IP addresses for research and analytics; to better personalize content, notices, and settings for you; to fight spam, identity theft, malware, and other kinds of abuse; and to provide better mobile and other applications. As as Shell noted, IP addresses are vital in vandalism investigations. Mpaulson (WMF) (talk) 21:13, 19 September 2013 (UTC)

I'm an admin on the English language Wikipedia. We don't have access to the IPs of logged in users and I don't believe that admins have on other wikis. As far as I'm aware only checkusers, developers, Arbs and maybe oversighters have access to this data. Absolutely they need access to that data, otherwise we have no way to deal with sockpuppetry and various other problems, but they only need it and it is only kept, for short periods of time - I think a few months. It would be a good idea to extend that for certain bad faith accounts so that we could spot them when they return after a few months, I suspect that informal practice is to keep such information anyway, but it would be good to formalise that and maybe put some limits and controls on it. WereSpielChequers (talk) 12:34, 23 September 2013 (UTC)

Hi WereSpielChequers. You are correct in that not all admins have access to IP addresses. The Access to Nonpublic Information Policy is only meant to cover admins that have specific rights that give them access to sensitive data. Thanks for pointing that out! And yes, we hope to formalize retention practices in the forthcoming Data Retention Guidelines, so that there will be better known, consistent procedures and practices as to how long we keep data. Thank you for your input with regards to bad faith accounts. Mpaulson (WMF) (talk) 22:39, 26 September 2013 (UTC)

Well it is interesting to see so many sharing concerns about IP addresses. I have an idea for your consideration - Hashed IP addresses. As I am sure you (as organization with a large website) are aware, hashing is often performed on users passwords. An interesting tutorial about this can be found on *****://crackstation.net/hashing-security.htm#normalhashing . Passwords are often hashed with salt for security reasons, however if wikipédia instead of logging IP addresses were to hash the addresses of users without accounts without salt, the hash produced (the same for each IP address) would still be useful to prevent article vandalism in a more privacy preserving fashion. If these HIPs as opposed to IP addresses were logged whistle-blowers or people with privileged or rare knowledge would have a higher, although far from perfect, degree of security contributing to wikipédia. I would very much like to see wikipédia leading the way to a more privacy friendly Internet.

"IP adress.. which could be used to infer your geographical location". This is similar to discrimination. I'm fed up of websites using my IP address to categorise me. I happen not to be a native of the IP address given to me by my provider so I recieve all the wrong assumptions based on my IP adresss. The point is the assumption (geo location) should not be made in the first place. It's like tailoring your services to the user based on the color of his skin, language, location...

Hi, we do not use IP addresses to make assumptions on user demographics (if we do, we really shouldn't :), but there are various important reasons for counting requests as a function of their country or region of location, for example to determine whether our data centers can adequately serve traffic originating from a given region, if we're blocking users from giving regions failing to reach our websites via HTTPS or if we have a large amount of visits from locations with mobile devices that we don't currently support. We also use geolocation for functionality like Nearby that we offer on mobile web. DarTar (talk) 00:16, 20 September 2013 (UTC)

I'm in the UK, I receive info about lots of events and also tell other UK editors about lots of events via watchlist notices. I don't want to see the full list of worldwide events, and I doubt that someone in either Georgia would like their watchlist cluttered with events about London. So this is similar to discrimination, but in an OK sense. Like driving at 50mph in a 55 mph limit is similar to driving at 60mph, but is within the bounds of acceptability. WereSpielChequers (talk) 12:42, 23 September 2013 (UTC)

Last time I wrote a program which gathered all the IP addresses of the "recent changes" page and fed them to nmap with one click, that was fun, but not cool. So what about that? Greets--82.113.121.77 21:56, 5 September 2013 (UTC)

Vous avez peut-être raison. Est-ce que l'affichage des IPs est vraiment utile ? Ne pourrait-on pas le remplacer par un autre système plus respectueux de nos données personnelles ? On peut de plus se poser la question de la légalité d'un tel affichage public 78.251.243.204 22:11, 5 September 2013 (UTC)

Attempt to translate 78.251.243.204 message : « You may be right. Is IP adresses' display really useful? Couldn't we replace it by an other system more respectful of our personal data? Moreover, we can ask the issue of the public display's legality. » Jules78120 (talk) 22:49, 5 September 2013 (UTC)

Was soll der Mist? Du kannst nicht erwarten das jeder französisch spricht. Schreib am besten auf englisch, dann ist wenigstens die change höher das jemand was zurück schreibt. Gruss--82.113.121.77 22:21, 5 September 2013 (UTC)

Na ja, ich schreibe einfach in meiner besten Sprache, Sie können aber auch nicht erwarten, dass jeder Englisch spricht (in der Schule habe ich Deutsch gelernt, kein Englisch, tut mir leid!)! Jeder kann vielleicht dennoch, so wie ich, ein Übersetzungsprogramm benutzen, es ist doch nicht so schwer zu finden, oder? Solch ein Programm können Sie einfach auf Internet kostenlos finden... Wir sind ja im ein-und-zwanzigsten Jahrhundert! Und ich lese lieber Ihr gutes Deutsch als Ihr schlechtes Englisch :-) Am besten schreibt jeder in seiner eigenen Sprache, und dann ist Ihr Liebingsübersetzungsprogramm auch Ihr Lieblingsfreund 78.251.243.204 01:03, 6 September 2013 (UTC)

I'm opposed to the idea of hiding editors' IP addresses, as they're necessary to identify and expose shills, astroturfers, propagandists and vandals in general. A typical example is the recent case of a member of the US Senate being caught red-handed vandalising the Edward Snowden page, changing the description of Snowden from "dissident" to "traitor". Slatedorg (talk) 16:29, 9 September 2013 (UTC)

It's interesting that you would use Snowden's name in an argument advocating more data collection. Do you genuinely believe that these rare instances of catching a fool who didn't think to create an account outweigh the loss to privacy from mass-scale data collection? CP\M (talk) 17:42, 9 September 2013 (UTC)

It can hardly be described as "more data collection" if that is in fact the current amount of data that's already collected. I'm merely proposing no change to the existing policy in that regard. And yes, I do think the advantages greatly outweigh the disadvantages, given the number of times such high-profile acts of vandalism have been exposed - something that's very much in the public interest. Moreover, Wikipedia is a public space, not private communications, so I don't see this as any particular threat to anyone ... except the vandals, of course. Slatedorg (talk) 07:37, 11 September 2013 (UTC)

Hi All. Thank you for participating in this consultation period. We appreciate questions and comments in all languages. =) I just wanted to let you know that I have passed your questions along to members of our Tech team, who may be able to better address your questions. Mpaulson (WMF) (talk) 22:41, 5 September 2013 (UTC)

The attribution of edits by logged-out users to IP addresses, and all the mechanics that go along with that (mechanisms for blocking users, tracking edits etc.) are pretty fundamental to how MediaWiki and most wiki software that allows logged-out user editing works, and how the community responds to edits by those users. So I consider this issue out of scope for a privacy policy discussion; rather, it is a larger technical conversation that should be influenced and guided by community input. A policy change does not magically create a workable alternative.

That said, I do agree that this is an area where we can do better -- the incontinent fashion in which wikis treat IP addresses is inconsistent with user expectations. The community recognizes this and has generally created pretty prominent warnings about this software behavior. Further technical improvements in this area range from easy to difficult, and significant payoff could be achieved with some of the easier improvements, so our intent in the near term is to focus on those.

For instance, right now it is possible to look for IP addresses of logged-in (!) users by trying to find edits that the user made while being accidentally logged-out. The software could reduce the incidence rate of accidental disclosures by doing a better job at helping users see that they are logged out, and making it possible to log in without leaving the edit page (tricky to do securely unless/until we switch over to HTTPS for all editing, though). Similarly, prompts to create accounts could be tested and optimized for effectiveness.--Eloquence (talk) 06:53, 12 September 2013 (UTC)

More importantly, any editor that first tries Wikipedia out as an anonymous editor and then creates an account - a path encouraged by Wikipedia policies - has, in all likelihood, permanently published his IP address for everyone to see. Come across a bad article you can easily improve, do it, register, keep improving it... gotcha. I tried this myself once and successfully so.

We shouldn't have such easy access to private information. And whether an editor takes a Checkuser request to dig out his IP or merely an attentive user shouldn't depend on the dice roll of which article they started their editing with. This isn't accident or carelessness, we actually hope to recruit editors through allowing them start "anonymously" - and this is what they get slapped with if they do. Warnings just aren't sufficient because most internet users care nothing for their privacy until it bites them.

While, understandably, IP addresses still have to be logged, I've made a minimalistic suggestion on how to reduce this leak here. In short, run the IP through an encryption function before doing anything else with it. Logging, block checks, signatures, anything that is done, keep doing it, only the value is different. It should allow legacy routines to run with minimal if any changes (as long as old block lists are updated), while decryption to actual IPs can be restricted to sysop+ users.

It's not an overnight change, but, other than the burden of converting legacy tables, it should still lie somewhere on the easy side of the spectrum. CP\M (talk) 08:05, 12 September 2013 (UTC)

Closing off as stale discussion for now. I think this is a discussion that is going to have to happen outside of the privacy policy discussion with tech, legal and the community if we want to go forward with it. Jalexander--WMF 22:31, 6 November 2013 (UTC)

Reopening because of discussion at Still lacking IP privacy protection which was waiting for response from Erik which he did here. Will point that section up here. Jalexander--WMF 22:56, 6 November 2013 (UTC)

Hi everyone. We appreciate greatly the helpful feedback that we have heard to date on using images, like the above ones of Rory, with the proposed privacy policy. Our intent, given the importance of the document, is to find a way to ensure that everyone reads it, while being consistent with our values and culture as a community. We were using the above images to introduce the main parts of the privacy policy in a less legalistic way than most privacy policies. Those topics were: “Introduction,” “Use of info,” “Sharing,” “Protection,” and “Important Info.” Each image of Rory corresponded to each of these themes in the draft privacy policy.

We’ve had a bunch of comments both supporting and expressing concerns about the use of images or Rory in particular. Some of the past discussion may be found here. (Since the community consultation period started, we also received about 18 private emails, many of which were playful, in apparent support of Rory.)

That said, in light of your comments and concerns, I think it is important that we at WMF give a little more thought about the idea of Rory. We accordingly are going to retire Rory from the privacy policy for now, and go back to the drawing board. One line of feedback was that the purpose of Rory was unclear. So we may brainstorm on that issue as a team, and, if we think we have a good idea of how to make that purpose more clear and effective, we will share it here. One theme I like in the discussion is including summary bullets in the left margin, so we are going to reflect about that as well.

Again thanks for taking the time for reading this draft and giving us thoughtful comments both for and against provisions in this draft. Take care. Geoffbrigham (talk) 21:49, 17 September 2013 (UTC)

In principle, I personally liked the presence of some pictures. It helps navigate a document - a good example is how forums that allow user avatars can remain usable at much higher post per page counts than no-avatars forums.

What I personally didn't like, and I think what most users didn't like, is that the images just didn't seem to belong with the rest of the document. They didn't contribute to it, they had minimal relevance, and the overall tone was just too removed from something that addresses security concerns. Making a nod to the section at hand just isn't enough to make it relevant.

I think the perfect solution would be to fit the policy with pictures that properly contribute to it. Incorporating cchematics and diagrams would be best for this purpose. Something illustrating the cycle of data collection-storage-use-removal, or the chain of potential issues and their mitigation. Or anything else, just any aspects of the policy that you can come up with a way to summarize or elaborate on in visual form.

Whether there is a mascot or not is probably not as important as whether the pictures are relevant and useful to the matter. CP\M (talk) 09:17, 20 September 2013 (UTC)

Hi CP\M - I definitely hear you on this. What do you think of using bullet points summarizing major themes in the margin, like the LinkedIn terms of use? Geoffbrigham (talk) 12:11, 20 September 2013 (UTC)

Geoffbrigham, I think that would be a good idea because not everyone will have the time (or would want) to read extensive text about their legal rights and responsibilities. At least with summaries in plain language, people can read briefly about what section is about and if necessary, read in further detail to learn more. I noticed a lot of other major websites do that, perhaps, because it shows better transparency. For example, Google (easy to read language), Facebook (in sections with descriptions), & Twitter and Twitter, again (short tips to summarize important areas). 184.146.118.35 00:48, 23 September 2013 (UTC)

Thanks. Your thoughts have been really helpful here. I believe we will likely experiment with margin summaries. We are a little busy on other things in the legal department right now, but we hope to propose some language in the coming month or so - well before the end of the consultation process. Geoffbrigham (talk) 16:56, 28 September 2013 (UTC)

Current version of /zh has problems (If code not converted at the top, some simplified Chinese characters display). I am unable to remedy it, because for some reason I'm prevented from doing so. Penwhale (talk) 23:46, 17 September 2013 (UTC)

Can you give specific changes needed? PiRSquared17 (talk) 23:48, 17 September 2013 (UTC)

Yes, Penwhale, we'd love to help, but as PiRSquared17 mentioned, we need some more detail about what exactly is happening and what should be changed. Mpaulson (WMF) (talk) 00:53, 20 September 2013 (UTC)

In the current privacy policy sentence-style capitalization is used in titles (headers). Exactly what style of capitalization is used now? And what is the reason for changing? Is the new capitalization style presumed to be more clear?

There seems to be a few capitalization errors in the titles. I suggest to fix them. --Aviertje (talk) 23:38, 18 September 2013 (UTC)

Hi Aviertje! We are following AP guidelines for title capitalization in the new policy. This was simply a stylistic choice intended to make the draft read more easily. We apologize for the inconsistency in application and we are now fixing it. Thank you very much for bringing this to our attention! DRenaud (WMF) (talk) 21:42, 19 September 2013 (UTC)

The team behind the proposed draft of the new privacy policy have provided us with a nice summary of what the changes are supposed to be, and have been very patient at answering the many questions coming from community members involved in the discussion above. However, I haven't been able to find any information as to why we need a new privacy policy. The summary only says that we need a new policy because the previous one did not anticipate many technologies that we are using today; this is a very vague statement, and one that I'm not really comfortable with. (Really? Didn't we know in 2008 that GPS existed?) I would like to see a more thorough explanation from the Legal team as to why we need a new privacy policy; I'm quite sure I'm not the only one asking this question to myself. odder (talk) 20:29, 30 September 2013 (UTC)

One big reason is that the current policy is way too vague and high-level. It doesn't actually include many specifics about what is permitted or not, beyond not retaining cookies beyond 30 days. For example, the current policy says, "When a visitor requests or reads a page, or sends email to a Wikimedia server, no more information is collected than is typically collected by web sites." Whoa. That is so open-ended you could drive a bus through it. Today many web sites typically collect all kinds of horrific data used to invade people's privacy, usually for the purposes of serving you advertising. We need a policy, like the current draft, that actually outlines why we might collect data about users, how we use that data, how long we keep it, and lots of other details that are necessary for us to keep Wikimedia readers and editors informed about their privacy. Steven Walling (WMF) • talk 17:56, 1 October 2013 (UTC)

As long as we leak top level userdata to the public, we are second to none of those websites. (October 2013 private data security issue) The best privacy policy wont do, if we dont have the technical ability to protect the information which should be private - may that be as a result of incompetence - or worth. Alexpl (talk) 13:51, 8 October 2013 (UTC)

Several times it is mentioned that information is used to make the Wikimedia Sites better. Why not ask the user if he wants to contribute in making the Wikimedia Sites better? --Aviertje (talk) 22:38, 30 September 2013 (UTC)

Does the WMF need consent to improve their sites? PiRSquared17 (talk) 15:41, 3 October 2013 (UTC)

This section is a lot too vague and opens the door for all kinds of intrusive techniques well known from commercial search engines and social networks. Consider item 3:

• Understand how you use the Wikimedia Sites, so that we know what works and what is useful. For example, we might use tracking pixels in our notifications to make sure that you don’t miss important information from us just because our notification accidentally end up in your spam folder; or we might use cookies to learn about the list of articles you are following on your watchlist so that we can recommend similar articles that you may be interested in.

If tracking pixels are used to track whether notifications have been viewed, this should be stated explicitely instead of suggesting Wikemedia is going to hijack the users' spam folders. The statement about learning "about the list of articles you are following" sounds like personal profiling.

In my opinion, usage information should only be stored if this is strictly necessary for a very specific purpose; and, in addition, all information stored should be transparently visible to the users at all times. Using locally stored data that "can be anything" to "make your experience with the Wikimedia Sites safer and better", or to "generally improve our services" is just the opposite. --109.45.180.100 04:36, 6 September 2013 (UTC)

Thank you for your comments. I have passed them along to some pertinent members of our tech team who work these tools and may better able to address your concerns. They should be responding shortly. Mpaulson (WMF) (talk) 20:56, 6 September 2013 (UTC)

Hi Anonymous!

Thank you for your thoughtful question. I believe you are asking why is the new Privacy Policy vague regarding the information that will be collected and the technologies used and does this vagueness open us up for abusive practices.

The reason for not giving an exhaustive list of technologies or types of information that we want to constrain ourselves by our principles rather than constraining ourselves a-priori either by the technology that we use or the information that we might need. Three out of the four the principles that guide us, as mentioned in the new Privacy Policy, relate directly to what type of data we collect and how long we store it.

Technology changes so fast and, even though we have an Analytics team, we cannot predict the future in terms of what technologies will be available 2, 3 or 5 years from now, nor do we know what features we will be rolling out by then. But on a high level, we do know that we need to be able to:

1. measure the impact of our new features, to help guide us in prioritizing what we should continue developing and what should be shelved (e.g., testing whether more users complete an edit using Visual Editor or wikitext)
2. refine existing features based on whether or not our users are successfully able to take full advantage of their functionality
3. minimize errors and bugs that may not get surfaced by users directly reporting them to us
4. ensure that our features are helping more new users become frequent, productive contributors to our projects

What you might not be aware of, is that we are already very transparent about the information we collect when assessing the efficacy of a new feature. We use EventLogging to instrument our features. For example, the mobile team created a schema to determine the number of upload attempts using the mobile Commons app, in order to measure whether new educational UI features were helping more people make their first upload. The schema will tell you exactly what information is collected and for what purpose and if you have a question you can interact with the developers through the talk page.

Regarding the abusive practices, I am not entirely sure which ones you had specific in mind, there are many :) A huge safeguard that we offer is that we do not allow third-parties to track our users nor do we sell your data, ever, period. Whatever we collect about you cannot be correlated to other sources, and we will keep your data for a limited time.

I like your idea regarding making it transparent what information we have stored about an individual user, it’s definitely something we, WMF & the community, should think about.

I hope this addresses your concerns.

Best regards,

(in my role as Product Manager Analytics @ WMF)

Drdee (talk) 22:10, 6 September 2013 (UTC)

Thank you, Drdee, for the detailed reply and the explanations. Best regards, --109.45.141.106 17:02, 9 September 2013 (UTC)

{{resolved|Looks resolved for now and stale, archiving in 24-48 hours unless reopened. Jalexander (talk) 00:06, 19 September 2013 (UTC)}}

Dearchived; I don't see an answer on being more specific about tracking pixels. --Nemo 20:24, 24 September 2013 (UTC)

I'll poke them to see if we can get a better answer on that piece. Jalexander (talk) 23:28, 24 September 2013 (UTC)

If I understand Drdee correctly, the reason for not giving an exhaustive list of types of information is that the WMF doesn't want to constrain itself in using the information it might need. I can understand that the WMF wants that. But what about what the user wants? I don't think you can do whatever you want with personal information. California Constitution gives each citizen the right to obtain privacy. So everyone should be able to decide for themselves if they want their personal information to be used. Privacy is not obtainable if people are not told what personal information is used and for what purpose. I think transparency is a necessity by law. I think the Online Privacy Protection Act of 2003 - California Business and Professions Code sections 22575-22579 is an implementation of this. And a privacy policy is not enough to inform people. For example, mentioning in the privacy policy how the email address is used is not enough. It should also be mentioned when the email address is retrieved from the user. When a user enters an email address in his user profile, he is not properly informed about the use of this email adress. A privacy policy is a bad way to inform people, because it is after the fact and privacy policies are not flexible. Privacy policies are particularly useful to inform people about the use of personal information when this cannot be told while the information is retrieved from the user. --Aviertje (talk) 23:34, 24 September 2013 (UTC)

Hi Nemo, thanks for raising the issue of tracking pixels. Speaking on behalf of the editor engagement team responsible for the Notifications project (code-named Echo), I am happy to confirm that we are not tracking any invisible pixels in HTML emails sent by our notification tools (unlike other top sites that do this routinely). We considered that option in early stages of this project and ruled it out, due to privacy concerns expressed by community members. We have no intention to use this method in future releases, unless the community asks us for it (please note that we now have very limited data on HTML email usage as a result of this policy). I hope this addresses any concerns you might have about this particular issue, as it relates to notifications. I defer to our legal team to address any other issues not covered by this statement. Regards as ever, Fabrice Florin (WMF) (talk) 00:55, 25 September 2013 (UTC)

Thanks Fabrice, very good news. Legals, can you then please adjust the wording of the policy to exclude such invasive practices that techies have already ruled out? In addition to tracking pixels, also #Collection of "unique device identification numbers"; and probably any other information which is able or potentially able to identify/fingerprint a user uniquely. --Nemo 15:00, 27 September 2013 (UTC)

Just wanted to point out in this thread that the language was updated accordingly. Thank you to everyone who helped improve this section. Mpaulson (WMF) (talk) 18:36, 22 November 2013 (UTC)

The following view/questions/comments are based on revision 5788377 of the draft. I've used tags to differentiate my comments according to importance:

• FIXME : Very important. Should really be fixed/changed.
• SUGGESTION : May be technical/legal/humourous.
• QUESTION : Stuff that needs clarification (either here or in the draft)

Feel free to reply between this report (just maintain indentation for the replies, wrong indentation gives me headache in reading).--Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

Siddhartha - thank you for your comments. I look forward to reviewing with the legal team over the next couple of days and getting back to you. Have a good weekend. Geoffbrigham (talk) 08:58, 7 September 2013 (UTC)

Hello @Siddhartha Ghai:, thank you for providing such detailed comments. I have responded to some your points below, and reformatted the comments using subheadings so that they can be addressed specifically. Best, Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)

Summary

Text: If you add content or make a change to a Wikimedia Site without logging in, that content or change will be publicly and permanently attributed to your IP address rather than a username.

SUGGESTION:

Many users may not have a permanent IP address and hence may find this slightly confusing. How about this:

If you add content or make a change to a Wikimedia Site without logging in, that content or change will be publicly and permanently attributed to the IP address you were using at the time, rather than a username.

or simply:

If you add content or make a change to a Wikimedia Site without logging in, that content or change will be publicly and permanently attributed to the IP address you were using at the time. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

Yes, you are correct that unregistered users are attributed via their IP address used at the time, and the attribution will remain the same if a user’s IP address changes. I updated the policy based on your suggestion. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)

Welcome!

Text:

We do not sell or rent your information, nor do we use it to sell you anything.

QUESTION:

This sounds great, but can't this be construed to mean that "your information" (your username) won't be used on any CD/DVD versions of wikipedia. I don't know if the versions are brought out by the WMF itself, or if its through volunteers/chapters/other organisations, but if it's the WMF, the BY of CC-BY-SA would require use of the username (which would take place even if the user states on his/her userpage that he/she releases all contributions under PD.)

Perhaps clarify on this? --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

This is a good question. The Wikimedia Foundation is a nonprofit organization, so it does not sell or rent user nonpublic personal information. Usually, if we were to make CD/DVD versions of Wikipedia available, it will be noncommercial and free of charge. You are correct that other organizations may use public Wikipedia data commercially, but under this policy, we will not sell access to our nonpublic data. I updated the policy based on your suggestion. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)

Account Information and Registration

Text:

However, if you contribute without signing in, your contribution will be publicly attributed to the IP address associated with your device.

SUGGESTION:

However, if you contribute without signing in, your contribution will be publicly attributed to the IP address which was associated with your device at the time the contribution was made.

or

However, if you contribute without signing in, your contribution will be publicly attributed to the IP address which was associated with your device at the time of making the contribution. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

This is updated as well. Stephen LaPorte (WMF) (talk) 22:59, 11 September 2013 (UTC)

Information We Receive Automatically

Text:

This information includes the type of device you are using (possibly including unique device identification numbers), the type and version of your browser,

SUGGESTION:

Shouldn't this be clarified that information about versions of all browsers on the device are sent? I saw a http GET request sent to a wikipedia and its query urls seemed to contain names and version numbers of all the browsers on my computer.

QUESTION: Also, don't the requests specify the timezone? I'm wondering how the time-related magic words function on a per-user basis if they don't know which timezone the user is in. (Or do they treat all IPs as being UTC?) --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

Wikipedia has a list of HTTP header fields, which is standard data that may be delivered whenever you visit any site on the Internet. This may depend on your browser’s privacy settings, so your browser’s documentation may explain more about what is sent automatically. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)

Text:

Similarly, tracking pixels and JavaScript can be used to help us understand whether a page has been visited, and may be associated with personal information like your IP address.

QUESTION:

What other personal information like IP address may be associated with visited pages? Are usernames associated with visited pages? If yes, how is this information utilized? Is this used only aggregately for a large number of users, or is it possible that individual cases may be analyzed for specific purposes of improving the site?

Text:

by using cookies, we can learn about the topics searched so that we can optimize the search results we deliver to you.

QUESTION:

Is this applicable for computers (laptop/desktop/ultrabook) or only for mobile devices (smartphones/feature phones/tablets/phablets). Basically what I want to know is whether search results for a logged in user are optimized on the basis of his/her past searches (I think google does something similar). If they are, how is the data for past searches stored, and how is it used?

Text:

we might use cookies to learn about the list of articles you are following on your watchlist so that we can recommend similar articles that you may be interested in.

FIXME

This seems to suggest (to me atleast) that there is going to be some backend program/software analysing people's watchlist and wikipedia category structure or something to find and recomment related articles. Though I haven't actually seen this feature on wp yet, it sorta gives me the creeps. Any internal program accessing user watchlists means that access to watchlists is more open than I anticipated. It also means that anyone who can find a loophole in the program which does the suggesting, can theoretically view users' watchlist. If what I'm saying about there being a software (current or future) is correct, I'd like to know the level of security surrounding it (what level of encryption is being used, etc). I know it may be difficult to explain the security measures in detail without the security risk of making technical details public (and hence availaible to potential hackers), but any information will be appreciated.

Text:

Understand how you use the Wikimedia Sites across different devices, so that we can make our varied Wikimedia Sites more efficient and effective for you.

QUESTION:

Again, is this data used in aggregated form or is it possible that it may be used per user for feature improvement? --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

The term “personal information” is defined in the introduction of the policy, and the section on "Information we collect" explains how this information is used. Diederik, from the Analytics team, provided more detail how use this information. As he explains, the technical details may change from time to time (as technology always does), but the policy includes specific principles and restrictions about how the data may be used. We make a general commitment to keep data as short as necessary (see “How long do we keep your data?”). Additionally, the ’’data retention policy’’ -- which will be shared with the community for comment -- includes more detail about the length that data will be retained. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)

@Slaporte (WMF):: I've looked at Diederik's response, and understand that the WMF doesn't wish to limit itself by technology, but rather by principles.

I can see that providing an exhaustive list in this document wouldn't be possible. I'd recommend that technology-specific stuff be added to a sub-page (like the FAQ, glossary etc.) But I would like the WMF to give a list of the technology usage in the current scenario. This list may be updated from time-to-time as new features are added to the sites.

The questions I asked above are specifically for handling of data in the current technological scenario. And none of those has been answered as far as I can see. So awaiting a response :) --Siddhartha Ghai (talk) 16:39, 15 September 2013 (UTC)

I hope this has been helpful so far -- User:Drdee is more familiar with these specific points, so I will share your questions with him. Stephen LaPorte (WMF) (talk) 01:01, 20 September 2013 (UTC)

Hi Siddhartha Ghai,

Let me try to answer your three questions:

1) do we store usernames associated with page visits?

2) are we customizing/optimizing search results based on past searches?

3) how do we analyze watchlists?

I believe your questions refer to current practise (September 2013) so these answers might change over time.

1) At this moment, we are not associating usernames with page visits.

2) Right now we are not customizing / optimizing search resutls based on past searches.

3) Currently we are not analyzing watchlists and this example is probably not the best in this policy as we already could do such an analysis because there is a 'watchlist' table in Mediawiki.

Hope this answers your questions.

(in my role as Product Manager Analytics @ WMF) Drdee (talk) 20:39, 20 September 2013 (UTC)

Emails

Text:

so we can pursue the evil wizard who is impersonating us.

SUGGESTION: Sounds too much Harry Potter/Dungeons and Dragons. More Star Wars please :D

so we can pursue the Sith lord who is impersonating us. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

Now that you mention it, Darth Vader's catch phrase does sound familiar ... Stephen LaPorte (WMF) (talk) 01:28, 20 September 2013 (UTC)

IP Addresses

Text:

Finally, when you visit any of Wikimedia Sites, we automatically receive the IP address of your device (or your proxy server) you are using to access the Internet,

SUGGESTION:

Grammatically incorrect maybe? Possibly this:

Finally, when you visit any of Wikimedia Sites, we automatically receive the IP address of your device (or the proxy server) you are using to access the Internet,

Text:

If you are visiting Wikimedia Sites with your mobile device, we may use your IP address to provide anonymized or aggregated information to service providers regarding the volume of usage in certain areas.

FIXME Who are these "service providers"? The cellphone company whose network the user is using? Also, if the info is either anonymized or aggregated, in case anonymized info is given, how does that really help in determining volume? (This needs fixing.) --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

Hello @Siddhartha Ghai:, yes this refers to cellphone service providers, which is related to Wikipedia Zero programs. Service providers are interested in evaluating how much these programs are used, and so anonymized data can be totaled to show the volume of traffic to Wikipedia Zero. Best, Stephen LaPorte (WMF) (talk) 01:01, 20 September 2013 (UTC)

If the Organization is Transferred (Really Unlikely!) and Changes to This Privacy Policy

FIXME:

In case this apocalypse does happen, I would like that the WMF offer atleast a month's notice, and not only on the mailing list, but highly visibly, possibly using CentralNotice (the thingy used to announce this discussion), and notifications on village pumps (may be coordinated through meta). Also, since any transfer of information would mean the possibility of the data coming under a new privacy policy, I would like that the WMF offer the option of users not accepting the new policy and requesting deletion of their data (this may not be possible for IPs, but should definitely be there for logged in users). And I would like this to be specified in this version and all future versions of the privacy policy. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

Based on your suggestion, I added a 30 day notice period. We would provide notice via CentralNotice (or another prominent place on the site), as well as via the announcement mailing list. I should emphasize that this is an extremely unlikely possibility: as a nonprofit organization, there are legal limitations on how we could transfer the organization. For example, based on our bylaws, our assets are irrevocably dedicated to a charitable purpose. Stephen LaPorte (WMF) (talk) 01:01, 20 September 2013 (UTC)

To Protect You, Ourselves, and Others

Text:

We may need to share your personal information if we reasonably believe it is necessary to enforce or investigate potential violations of our Terms of Use, this Privacy Policy, or any Foundation or user community-based policies.

FIXME:

If I remember correctly, there was some talk some time ago of a majority of users on a wikipedia belonging to a particular nation, with Muslim majority, thinking about implementing policies on wikipedia based on the Shar'ia. Although I really doubt I'll ever have anything to do with the wiki, it is not impossible that certain policies/guidelines on certain wikipedias are culture-specific, and someone from another wikipedia may accidentally end up offending the users and breaking those guidelines. In such cases, I won't like the WMF releasing such a users' information to the wikipedia users, only to have a fatwa issued against the said user. Possible complications in this would include users doing something which is illegal in their country, and other users (either good faith or on a vendetta spree) asking for user information from the WMF in order to file legal complaints against the user. Potential examples: The map of India used on WMF sites, for NPOV purposes, shows Pakistan-occupied Kashmir as part of Pakistan, and Askai Chin as part of China. Both these portions are claimed by India as part of the state of Jammu and Kashmir. So anyone using an infobox on an India article and adding coordinates to the infobox is basically adding a map to the article. And the distribution of that map is illegal in India. So such a user can theoretically be prosecuted for aiding/abetting a criminal offence. I wouldn't like the WMF to release users' data to other users on the basis of such a complaint. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

We are working to adopt best practices in responding to legal orders. Consistent with our current practices, this policy explains that we are committed to fighting orders that are legally invalid or an abuse of the legal system. We also provide notice to users in advance when possible, to allow a user the opportunity to oppose an improper order and obtain legal counsel. We hope to publish soon a draft document for law enforcement, which will include more detail about our strict procedures for responding to orders. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)

FIXME:

Possibly add what the WMF intends to do in case the security is breached. And possibly also add that once fixed, affected users will be notified of all security breaches. This may be done via email, or publicly, through the blog, CentralNotice/Meta, or something alike. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)

Hello @Siddhartha Ghai: This is a good point, which we considered when preparing the draft. We plan to provide reasonable notification when we know of a breach, and we may be required to provide certain types of notifications under security breach notification laws, regardless of how it is mentioned in the policy. However, if we include it in the policy it may be difficult explain these requirements in an informative and concise manner. For example, would you find this helpful: "We will provide notifications if your data is affected by a security breach, by email if you have provided it or another reasonable manner, as required by applicable law"? Are there other data protection measures that you would like more information about? Stephen LaPorte (WMF) (talk) 23:37, 26 September 2013 (UTC)

@Slaporte (WMF): Ok, so here's a bunch of questions:

1. Which state's security breach notification laws would apply, the state where the servers are located, the state where WMF is incorporated (Florida), or the state where it's headquartered(California)? In the last case the relevant law is probably sb 1386 (correct me if I'm wrong)
2. Does the physical server location vary by project?
3. What about backup servers? Are they in the same state or a different state?

As far as explaining the requirements goes, the policy could simply state something along the lines of: "In case your nonpublic data is affected by a security breach, we will provide notifications in accordance with foobar law of the state of baz." with foobar law being linked to the original text of the law and baz being the statename whose law applies. I'd like an explicit naming of the concerned law, so that if a change in the physical location of the servers entails a change in the applicable law, wmf has to notify users (since it has to change the wording of the privacy policy). Also, are there any federal and/or international laws applicable here? If they are, probably mention them too?--Siddhartha Ghai (talk) 02:33, 27 September 2013 (UTC)

Considering the October 2013 private data security issue, this should really be clarified in here.--Siddhartha Ghai (talk) 12:38, 3 October 2013 (UTC)

Hello @Siddhartha Ghai: Unfortunately, the variety of data breach disclosure laws are not easy to analyze in the abstract. The applicable law may depend on the location of the affected users, and the type of affected data. It's more difficult than citing the rules in jurisdictions that are connected to our servers -- the applicable law will depend on the particular facts and circumstances of a breach. Stephen LaPorte (WMF) (talk) 23:33, 6 November 2013 (UTC)

I don't think this Privacy Policy adequately provides information on how the Wikimedia Foundation collects information from children under the age of 13 (as required by the Children's Online Privacy Protection Act. How does the Foundation receive consent from someone who is not the age of majority (i.e. requiring parental permission before using the Sites)? Will the Foundation permit the usage of the Sites by those under 13 (i.e. some websitse on the Internet don't allow children under 13 using their site because of this law)? What will the Foundation do to ensure the safety of children on Wikimedia Sites (i.e. the disclosure of personal information of a minor or communication taking place on the Site between a child and an adult)? 184.146.126.95 22:20, 6 September 2013 (UTC)

Thanks 184, just to let you know that the legal team is working on a response to this that should be ready tomorrow (they're doing a writing sprint to answer a bunch of questions). Jalexander (talk) 01:25, 11 September 2013 (UTC)

Sorry folks. We have been sidetracked on something else and will have a posting shortly. Geoffbrigham (talk) 10:08, 17 September 2013 (UTC)

Hi Anonymous! Thank you for your questions. The Children’s Online Privacy Protection Act (“COPPA”) applies to websites and online services operated for commercial purposes. Those sites often solicit detailed personal information proactively from children for the purpose of marketing products and services for a profit. As a general matter, COPPA does not apply to nonprofit organizations like the Wikimedia Foundation. The Wikimedia projects do not proactively market commercial products and services to children - they are sites dedicated to making educational information freely available to everyone.

As with all users, including minors (older and younger than 13 years), we do not ask for any basic personal information, like age, name, address, or telephone number. We do not market third-party commercial products or services directly to our users, including minors, or sell their data to others for advertising. Our terms of use explicitly prohibit anybody from soliciting personal information for an improper purpose from users or minors.

While the Wikimedia sites ask for minimal information from users and our terms provide certain protections, we also encourage parents and guardians to work with their children to ensure that children use the sites in an appropriate manner. One way to do this is for parents to collaborate with their children in editing articles so that they can understand the process that their children engage in when they contribute to an article.

Hope this helps address your concerns and if it doesn't, please let us know and we'll do our best to clarify. Mpaulson (WMF) (talk) 17:25, 20 September 2013 (UTC)

So you don't differentiate between minors and adults. You process the same personal information as for adults, they are also assumed to enter binding agreements and messages about their contract will be sent to them by e-mail or by screen. Correct? --Aviertje (talk) 19:50, 20 September 2013 (UTC)

Hello Mpaulson, thank you for your response to my question. I have a follow-up response:

When you say "...we also encourage parents and guardians to work with their children to ensure that children use the sites in an appropriate manner", is this said in an official policy somewhere that is easily accessible for concerned parents and/or children to locate on the sites? If so, can you provide a link? I cannot find any context in the Privacy Policy, Terms of Use or similar policies on the Sites.

In addition, what processes on the Sites are available for minors to seek help when they feel uncomfortable or are experiencing harassment without posting on a public location?

Although the Wikimedia Foundation is not a commercial entity, I think that as an organization that provides a knowledge base to persons of all ages, including minors, that the Foundation provides important information to parents and/or children in plain text, readable language about their privacy and other issues mentioned. Yours, 184.146.122.95 23:00, 21 September 2013 (UTC)

While WMF might not be technically bound by the provisions that COPPA impose on a commercial site, it would be reasonable to explicitly consider what those provisions are and which of them, if any, WMF decides to adopt for itself. It would also be interesting to hear which WMF will not adopt, and why. Spectral sequence (talk) 08:35, 22 September 2013 (UTC)

Hi Spectral sequence - More on COPPA can be found here. We do not collect personal information from children for the purpose of marketing to them for a profit, so many of the protections in COPPA to prevent such aggressive non-parental consensual marketing are not directly relevant in the context of a nonprofit educational site like ours (which also collects the most minimal of data). So, with all due respect, I'm not sure how useful the above exercise would be. It is sort of comparing apples and oranges, in my opinion. Thanks. Geoffbrigham (talk) 21:45, 15 November 2013 (UTC)

If you are a visitor: Basically here you can put the Information We Collect section. And you have to warn about if the user shares an IP direction, a box telling him that has a new message could appear (see anonymous contributor)

"We do not sell or rent your information, nor do we use it to sell you anything." Is not fully in accord with current practice. The most expensive things I've bought through this site have been registrations at Wikimania, but we should be careful to talk to merchandising as well. One of these years I'm hoping to be able to buy some Wikimedia calenders or flip flops that leave a trail of "citation needed" down the beach. It would be a shame if this privacy policy were to be seen as precluding this. WereSpielChequers (talk) 16:18, 7 September 2013 (UTC)

WereSpielChequers - I'm really happy to be hearing your voice here; your ideas are always so constructive. With respect to your present comment, I think I need a little more clarity here from you. Now, a separate privacy policy applies to our Wikimedia Store (as made clear in the draft policy), so merchandizing from the store is not at issue. We say this in the Introduction of the proposed draft: "This Privacy Policy does not cover some situations where we may gather or process information. For example, some uses may be covered by separate privacy policies (like those of the Wikimedia Shop or sites or services run by third parties, such as third-party developer projects on Wikimedia Labs)." We would happily sell you the calendars and flip-flops under the Store's privacy policy, but we would not use your registration information on Wikipedia to market it to you.  :) I don't know of any examples where we take user information obtained through registration on the projects to actively sell Wikimedia registrations or other products or services, but I may not have full knowledge here. If you or others have known examples, I would be interested in them. Geoffbrigham (talk) 16:50, 7 September 2013 (UTC)

The WMF run a CentralNotice campaign on en.wiki to promote the shop, IIRC targeted to registered users (possibly with some editing activity requirements), as well as some talk page promotion if I'm not mistaken. With some stretching, that could possibly be considered "targeted advertising" (even if at loss...). It's quite far fetched though! --Nemo 17:01, 7 September 2013 (UTC)

Hi Geoff and Nemo and thanks for the welcome, I don't think anyone would object at the "wikimedia" things that we try and sell on Wikimedia sites, so to some extent I am being pedantic. But I'm pretty sure that what we are considering would be technically breached by some current practices. Having a separate policy for the shop does reduce the practical issues - they need to process financial transactions. But I would suggest we drop the words "nor do we use it to sell you anything". WereSpielChequers (talk) 17:48, 7 September 2013 (UTC)

Well, I think that here is necessary more clarity about what kind of information collects WMF for what kind of user, what WMF do with it, and if WMF could communicate to you in different way according to your user status. You should create a section for each kind of user as the follow:

{

The intro states:

It is essential to understand that, by using any of the Wikimedia Sites, you consent to the collection, transfer, processing, storage, disclosure, and use of your information as described in this Privacy Policy. That means that reading this Policy carefully is important. As important as eating your greens.

We (communities on individual projects) try to make it easy to contribute. Few people will read the policy carefully. Rather than stating it is important to read the policy, the policy should be made such that there is no need to read it, to the largest extent possible.

There are issues on the Internet, which people should be aware of. As far as they concern all sites or all sites in USA, people should be made aware of them at home, in school, in newspapers and in Wikipedia articles. Repeating the information in the policy may be legally sound and good for completeness, but it should be old news for any concerned reader.

Where issues on Wikimedia sites differ from those on Internet in general, the special circumstances here should be pointed out as clearly and briefly as possible in the introduction, before any legalese.

• The Wikimedia sites operate under the laws of USA, which allow [NSA & al] to [get more info than the contributor may expect]
• Contributions to the wikis, including questions on discussion pages, are logged for eternity, with user name or IP address
• Visiting a page on a formerly unvisited WMF project may cause the account to be automatically registered there, thus leaving a trace in the logs without your making any contribution.
• ....

The "surprising" points should be few and short enough that anybody can read them in seconds. The details should of course be sorted out later in the policy for those interested.

--LPfi (talk) 08:51, 9 September 2013 (UTC)

Hi LPfi! Thank you for taking the time to comment. We agree that people should be able to get the basics of a major policy in seconds. We recognize that some users like greater detail and will read the entirety of legal policies, while others just want a basic summary. That's why we created the "user-friendly summary" that precedes this privacy policy draft (as well as one that precedes our Terms of Use). However, we are are looking for ways to make the user-friendly summary more helpful to those who read it during this community consultation period. Are there particular things that you think are missing from the summary that should be in there? Are there items that could be better phrased or elaborated on to be clearer? I'm very interested in hearing your thoughts on this.

With regards to the three suggested bullet points you have already: (1) we could add something about the Wikimedia Sites being operated under the laws of the US if you think that is an important point to call out; (2) I think the indefinite nature of edits are already addressed in the "Be Aware" section of the user-friendly summary ("Any content you add or any change that you make to a Wikimedia Site will be publicly and permanently available."); and (3) I'm not sure what you are referring to with your third suggestion...visiting a formerly unvisited WMF project doesn't cause an account to be automatically registered there as far as I know.

Thanks again for your suggestions! Mpaulson (WMF) (talk) 18:33, 10 September 2013 (UTC)

It does. Actually, you don't even have to visit them, but that is/was just a bug. --Nemo 19:01, 10 September 2013 (UTC)

I would say that, if the current long-winded language of the main policy is kept as is (it probably could use trimming), then it's best if at least the Summary dispenses with justifications and digressions, but instead covers everything of matter in the form of bullet points.

The first paragraph of the summary is a fairly good example. I'd skip the "Because..." part for brevity, perhaps, but it states what it needs to.

The second, on the other hand - Because we want to understand how Wikimedia Sites are used so we can make them better for you, we collect some information when you... - is not.

"Some" in it just acts as a teaser, "read below to find out what". Rather than explaining the why, I believe the space would be better spent briefly listing what exactly is collected in each case.

This is just one example. Since changing the summary has no effect on the policy's legal implications, I hope the community will work out the rest. But a good goal would be to provide a concise yet reasonably complete listing of what is collected and when. Work out any whys below. CP\M (talk) 19:15, 10 September 2013 (UTC)

I don't think we can briefly and accurately summarize what exactly is being collected; that is why the section below is so verbose. That said, if you'd like to try your hand at it, we're all ears for specific, concrete suggestions (perhaps in a separate section)? -LVilla (WMF) (talk) 00:01, 7 November 2013 (UTC)

I think point #1, about being in the US, is adequately addressed by "Where is the Foundation and What Does That Mean for Me?" under "Important Info". I don't think adding speculation about how that compares with people's expectations (often incorrect) about their own jurisdictions is sensible. -LVilla (WMF) (talk) 00:01, 7 November 2013 (UTC)

• the draft itself is full of unnecessary drivel, obviously designed to stop anybody reading the "juicy bits" -- that is the unnecessary use of tracking images etc. The guideline is also too US-centric (the style is like one of those Microsoft manuals for Americans imbeciles), where much stricter laws apply. There are other WP sections, with offices [3] who will be subject to such laws. Certain European states require a cookie opt-out option etc. At least for WPs in pertinent languages such laws ought to be complied with.

BTW: what will happen to the collected data

1. 'when the NSA, or any other agency of any other government, is tapping it (which it probably done already)? Say a filter checking for "user:TinyTaliban" (living in say a Parisian banlieu) looked up en:Ricin Plot. will the plane he is using on his next holiday to fly to Venezuela be intercepted?
2. Jimbo & Co. decide to go commercial? -- and sell the data. This is not such a far off suggestion, see what happened at couchsurfing.com, now called a "benefit corporation" Background ...

(Using my right to make a comment without log in -- you'll find me anyway ...)

To the first question: we're moving to https to help reduce the ability of third parties (governments, others) to tap communications between us and our users. That said, where http is not implemented yet, or where governments develop the ability to crack https, there is little we can do to control what they do with the information that is transmitted to us. (It might also be worth noting that the most important information a government can conceivably want - who reads and edits which articles - simply must be transmitted over the network; if your concern is government tapping of the network between us and you, there is no way, other than https, for us to prevent the transmission of that data and still maintain the functionality of the site.)

To the second question: as you know, the organization is controlled by the board, half of who are selected by the community. That's the most important protection users have about control of the organization. More specifically, the policy discusses that issue in the section "If the Organization is Transferred (Really Unlikely!)". If you have specific ways you'd like us to clarify that section, I'd welcome serious suggestions. -LVilla (WMF) (talk) 00:20, 7 November 2013 (UTC)

• Just to add to this discussion that we've received a similar email asking for the ability to time limit storage of data linked to a user account, specific geographic servers for user data and procedures to deny access to information even if required to by law. The emailer has been invited to participate in this discussion as well. Jalexander (talk) 03:36, 11 September 2013 (UTC)

About time limiting storage: we can't feasibly allow individual users to set per-user preferences for how long their data is kept. We will be posting more detailed information about the defaults in a new data retention policy, as mentioned in the FAQ.

Servers limited to a specific geography do not help the problem. Instead, they multiply the number of governments that can access the data. So we do not think this is feasible or wise.

With regards to "denying access to information even if required by law": if we have data, and we are required by law to disclose it, we must comply. However, we will generally limit this in three ways: limiting the amount of data we collect; limiting the amount of time we retain it; and (where feasible) challenging claims that we are actually required to do something by law (as the policy says, "we will try our best to fight it"). This is not ideal, but so far it has been an effective strategy for reducing government requests for data - because we follow these steps, we get many fewer requests than other large websites.

I realize that these are somewhat unsatisfactory, since there are no magic bullets for these difficult questions. However, I hope they address the questions. Also, since the user submitted these by email, I'm closing, but if the user sees this, please feel free to reopen.-LVilla (WMF) (talk) 00:47, 7 November 2013 (UTC)

Overall, the policy is a good one. However, it is unclear in at least one area.

The User-friendly summary of the policy says "This Privacy Policy does not apply to all of the Wikimedia Sites ..." yet the What This Privacy Policy Does & Doesn't Cover section of the policy itself says "This Privacy Policy applies to our collection and handling of information about you that we receive as a result of your use of any [commenter's formatting] of the Wikimedia Sites." These are, of course, direct contradictions, and leaves the reader confused as to what the policy does and does not cover.

It's important that the policy be very clear in what it does and does not cover. If there are some sites to which the policy does not apply, then the policy should clearly say that. Truthanado (talk) 00:32, 10 September 2013 (UTC)

You are right, see also #"Wikimedia Sites". Sadly, this is not a minor problem but something that defeats the purpose of the policy completely. In general, the proposal has to IMHO be re-thought from scratch.

Instead of making overly broad statements and then add a bunch of clarifications and exceptions, it should focus on the important things and say them clearly. We know what a failure the unified privacy policy by Google was; they needed to transfer the personal data from one service to another, but we don't have this need so we can and should be cautious and not add loopholes for half a billion users just for the sake of a few dozens using some obscure corner of the platform. --Nemo 05:41, 10 September 2013 (UTC)

Hi Truthanado - I see your point. We are going to change some language and see if that works for you. Those changes should be up within a couple of hours. Thanks. Geoffbrigham (talk) 00:46, 7 November 2013 (UTC)

The policy provides for the privacy of email addresses but does not mention the handling of emails sent through WMF systems. This should be addressed and of course the policy should be that the content of such emails is kept completely private. Spectral sequence (talk) 16:55, 13 September 2013 (UTC)

Hi SS.

Excellent point. I see an "Emails" section in the current draft, but it doesn't seem to address user-to-user e-mailing.

If you have a confirmed e-mail address, you can contact other confirmed e-mail address holders on the same wiki via Special:EmailUser. It seems reasonable to note this somewhere, if it isn't already included. --MZMcBride (talk) 14:46, 14 September 2013 (UTC)

Hi Spectral Sequence and MZMcBride! Thank you for your comments. As I understand it, the "Email User" feature does not actually result in WMF storing the content of emails sent through that feature. Emails are sent to the email address designated by user you have chosen to email, meaning that the contents of the email may be stored by whichever email provider that user has chosen. Because WMF does not have access to or control over the content of your email (the user you sent the email to and their email provider do), it is not covered by the privacy policy draft. In fact, it is specifically excluded under the "Examples of What This Privacy Policy Doesn't Cover" section under "direct communications between users".

However, (while there are no current plans to do so) if, in the future, WMF does provide a private, user-to-user messaging system that would result in WMF storing the content of those messages, we would generally require a legally valid warrant prior to releasing that information. This commitment is to be specified in our forthcoming Requests for User Information Procedure & Guidelines, which will make clear the heightened standards any third party requesting nonpublic user information must meet before WMF will release information.

I hope this addresses your concerns, but if not, please let me know and I will try to help the best I can. Mpaulson (WMF) (talk) 16:04, 20 September 2013 (UTC)

There is no way that emailing other users within the Wikimedia Sites is direct communication between users. WMF is providing the service, handling the emails and hiding the email address of the recipient for the sender. It's not relevant for how long WMF is storing emails. WMF has complete control over the emails. What is sent, how it is sent, how well it is protected and for how long the emails are stored.

The use of email addresses for this purpose should also be mentioned in the privacy policy. --Aviertje (talk) 21:22, 20 September 2013 (UTC)

Hi Aviertje. I think the language of the policy could be more precise in terms with regard to calling these interactions "direct communications between users". What we are trying to describe as not covered by the Privacy Policy draft would probably be more accurately described as "communications received by other users" in that we do not have control over the sharing of the content of your communications that are sent to other people. To the extent that we act as an intermediary in the way you describe, that information is considered nonpublic information. I will see what I can do to make that clearer in the policy. Mpaulson (WMF) (talk) 23:57, 26 September 2013 (UTC)

The policy makes provision for changes and states that continued use would constitute acceptance of the new policy. It is not clear what would happen to information gathered under the current policy once a new policy came into effect. Does WMF commit to handling information collected at some time under the policy in force at the time indefinitely, or does it expect to allow itself to vary the policy at some future date but apply that change retrospectively? Spectral sequence (talk) 08:50, 22 September 2013 (UTC)

Hi Spectral sequence. Basically, content collected by the Foundation is governed by the policy it was collected under. So the information collected while this policy is in force will be governed by this policy and the information collected under a future policy will be governed by the provisions of that policy. However, it's worth noting that a privacy policy describes the minimum protections provided. If a future policy is able to provide for greater protections than the previous policy (for example, if we get the technological ability to provide greater protections), we may apply those greater protections to information collected under previous policies. But we will not provide fewer protections to information collected under a previous policy. Does that make sense? Mpaulson (WMF) (talk) 21:35, 26 September 2013 (UTC)

Thanks, that is what I was hoping to hear. Spectral sequence (talk) 17:19, 27 September 2013 (UTC)

Correct, Spectral sequence. It is a good question. This needs not be written in the policy; it is a matter of legal principle. Cheers. Geoffbrigham (talk) 20:29, 15 November 2013 (UTC)

+1. But, where is it written? Is it consequence of some law or of some passage in the policy? --Nemo 17:28, 27 September 2013 (UTC)

The sentence We may also disclose your personal information if we reasonably believe it necessary to detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns seems unduly broad. "Technical concerns" could, and indeed does, mean any thought WMF might form about anything and everything connected with the site, and if read literally more-or-less negates everything else in the policy, especially since "disclose" is quite unlimited in scope. This clause should be made much more restrictive. Spectral sequence (talk) 18:49, 4 October 2013 (UTC)

Hi Spectral sequence! I understand your concerns with the term "technical concerns" and am open to more restrictive language, but want to be sensitive to the fact that overly specific language may restrict our ability to address technical issues that do not fall into a specific enumerated category, but very well may be actively harmful to the sites. Do you have any suggestions as to how we could do that? I'm very interested in hearing your thoughts. Mpaulson (WMF) (talk) 19:31, 1 November 2013 (UTC)

Really! Truly! I know you don't mean to sound like you are talking down to us, but gosh, I feel like everyone at the Foundation just wants to give us happy smiles & hugs & wishes us all unicorn farts. Not only does it sounds creepy, yo ulose all credibility.

First, I want to know if this warm-&-fuzzy language accurately reflects what the policy is. And some passages don't give me a warm & fuzzy feeling that it does.

Second, it is possible to explain things in plain English without sounding like a demented variant of a Cub Scout Den Leader. Take, for example the section "Account Information & registration". (Was the person who wrote that high on antidepressants?) Everything in that section could be explained quite simply & maturely as follows:

You are not required to create an account to read or contribute to a Wikimedia Site. However, if you contribute without signing in, your contribution will be publicly attributed to the IP address associated with your device. If you want to create a standard account, we do not require you to submit any personal information to do so. All that is required is a username and a password. We do not ask for a legal name or date of birth, nor an email address, and definitely not for credit card information; we consider that information unnecessary to contribute to Wikipedia. There are rules and considerations regarding a username, so please think carefully before you use your real name as your username. Your password is only used to verify that the account is yours.

Notice how more mature this paragraph reads? Yet most of the language is what currently appears on the front page; all I did was take out the fluff. And there is a lot more fluff in this policy statement that needs to come out before the final draft. -- Llywrch (talk) 18:34, 4 September 2013 (UTC)

Really agree with this approach. Wikipedia has a varied usership. We need to communicate clearly for the benefit of everyone. Without the unnecessary fluff. Although some readers may like it, others will find it a distraction. It is unsuited to the serious character of the subject matter. To some people it could appear alienating. MistyMorn (talk) 15:02, 19 September 2013 (UTC)

OK, given the feedback, we will be taking out the jokes (and have already retired Rory). Thanks. Geoffbrigham (talk) 22:23, 15 November 2013 (UTC)

A bit painful

With due respect, some of the phrasing is pretty cringe-worthy.

"Some features we offer are way cooler to use if we know what area you are in."

"If you choose to help us make the Wikimedia Sites better by participating in an optional survey or providing feedback, we think you are awesome."

"We also recognize that some of you know the ins and outs of tracking pixels while others associate the term “cookie” exclusively with the chocolate variety."

Such attempts to be chatty have no place in such a document, in my opinion. 86.169.185.183 21:02, 4 September 2013 (UTC)

Mostly, I'd be interested in tasting a cookie which is a chocolate variety (in Italian, saying that "cioccolato" is "biscotto" is a lexical and etymological absurd). Do such things really exist in USA? We may need a food culture table conversion for such weirdnesses in the text. --Nemo 21:47, 4 September 2013 (UTC)

You will be assimilated. Resistance is futile... We are Wikiborg.Oaktree b (talk) 22:23, 4 September 2013 (UTC)

• Please remove (Introduction): "As important as eating your greens."^{{cringe}}

tl;dr version: While appreciating the aims of this work, and especially the need for a plain-English guide (as prefigured in the summary box), I wish I could be more positive about the style in which the main body of the page is currently couched. Sorry to have to say this, but I find the "cuddly" tone both unfunny and patronizing—a disincentive to reading, and therefore ultimately to my understanding of the content. Unlike with orechiette ai broccoli [4], I find the many privacy policies we're all dutifully expected to ingest across the internet a nerve-jangling annoyance. As others have observed, a "cuddly" style of writing does not sweeten the pill here, or help readers scan the page efficiently to assimilate pertinent information. In brief, I feel the document could usefully be redrafted without the cuddly bits. MistyMorn (talk) 19:07, 17 September 2013 (UTC)

OK - light of the above feedback, we will be removing the jokes. Thanks. Geoffbrigham (talk) 22:25, 15 November 2013 (UTC)

Informal tone

I'm wondering why the WMF has decided to use a very informal tone in this new draft. Is it intended to make the policy appeal to a younger audience? I have nothing against the occasional use of "cool", "awesome", or similar words, but I don't understand why they should be in what is essentially a legal document. @Jalexander: any comment? PiRSquared17 (talk) 21:59, 4 September 2013 (UTC)

I also think it's okay to have a bit of fun and have some in-jokes in internal Wikimedia pages, but it might hurt the WMF's reputation if added to such an important, highly visible document. However, I trust the authors of the document. PiRSquared17 (talk) 22:01, 4 September 2013 (UTC)

Also informal text can have official character. ;) The intention was obviously to make the text comprehensible also for non-Legalese native speakers. ^^ --თოგო ^(D) 22:36, 4 September 2013 (UTC)

I'm happy that it is more comprehensible and written in Simple/Plain English, but that does not mean we should have text like "[...]we think you are awesome". I'm not explicitly against this kind of informal tone, but I'm afraid that readers may get a bad impression of Wikimedia. It might make WP seem like a website run by "cool kids". ;) PiRSquared17 (talk) 22:41, 4 September 2013 (UTC)

I obviously appreciate your feedback on this and will make sure the lawyers know too (we're keeping track of what people say on both a spreadsheet and I sit very close to Michelle who is the main one in charge of coordinating it) and I think it's something to hear about from others as well to gauge how it comes across. From a personal opinion side though I disagree, I think simple/plain english is one thing (and for legal document incredibly tough) it can't be the only piece. The formal 'voice' and tone are one of the big things that turns people away from reading long documents like this and absorbing the information given. I think the informal tone keeps it flowing and makes it much easier to completely read. In the end I would prefer for people to think we're a bit of a 'silly bunch of people' (which, let's be fair, they already think since we write an online encyclopedia for fun) then for them not to read what is quite a lot of text but is very important in this internet day and age when they give up large amounts of information without even knowing it. Jalexander (talk) 23:46, 4 September 2013 (UTC)

I disagree with this, as I mentioned above. The insertion of inappropriate words such as "cool" and "awesome" does not make the document more readable, it just makes it look self-conscious and a bit ridiculous. 86.169.185.183 00:16, 5 September 2013 (UTC)

Sigh. Did you bother to read my revision of one paragraph of this document? It is informal but dignified. No one will respect a document that is written by a bunch of airhead PR flacks who sound as if they are giggling as they writing--which is the voice this document currently has. And I hope & assume no one working at the Foundation wants to be thought of as an airhead PR flack.--Llywrch (talk) 02:57, 5 September 2013 (UTC)

Honestly, at the time not yet, but I did later and have it on a list for people to look at. I was answering here because @PiRSquared17: specifically pinged me and I wanted to respond to him directly. I actually think I misread initially though and came across as harsher then I felt (too many things at once I guess). I want to find the right balance, and am not completely sure where it is yet. I didn't write the policy and I have my own thoughts but I'm not yet sure exactly what is best. I just wanted to characterize the thought process and some of my own thoughts (about trying to find ways to keep them reading and help them understand). Jalexander (talk) 08:14, 5 September 2013 (UTC)

I thought the exact same thing as PirSquared17 and I disagree with "The formal 'voice' and tone are one of the big things that turns people away from reading long documents like this and absorbing the information given. I think the informal tone keeps it flowing and makes it much easier to completely read." In fact the informal tone distracts from the information given and let the reader thinks that the information is not important since it's presented in a "funny" way, we "unconsciously" think that it must be a joke or something alike. I don't mean the text should be full of legalese stuff and I agree that it should be written in plain/simple English, but the "informal tone" does the same as the "legalese and complicated tone" for non-Native English speakers, it makes the text harder to understand (and let be honest such text won't be translated in all languages so, yes, a lot of non-Native English speakers will have to read it in English). Amqui (talk) 02:48, 5 September 2013 (UTC)

The informal tone doesn't bother me much. The document is still pure egregious legalese (i.e. designed to give headaches), see all the instances of "A, BUT! X, Y, W, Z, ..." so that in the end you read three times as much and don't remember what you are agreeing to, being more exceptions than rules, and the WMF is fully protected from users.

You make a good point, however, that the draft text is three times as long as the current wmf:Privacy policy (49 KB vs. 16 KB counting only the text included in the page directly) and it's full of long digressions. Perhaps, per TTO in #Some notes, the digressions and other accessory text may be moved to speech bubbles coming out of Rory, so that both translators and readers can more easily prioritise how they consume the document. --Nemo 06:03, 5 September 2013 (UTC)

I've changed my mind about this. Maybe it is better for people to think we're silly than to avoid reading the policy, as James said. If it actually gets people to read through it, and it doesn't detract attention from the actual content, then it's fine. PiRSquared17 (talk) 01:15, 6 September 2013 (UTC)

Most people will still not read it just because of the length, no matter if you put smiling tigers beside each section or not. So why bother the actual people who will read it with fluff that they don't care about, because, let be honest, the vast majority of the people who will take the time to read the Privacy policy are not the casual readers. Amqui (talk) 03:51, 6 September 2013 (UTC)

Agreed. Let the document's organization, flow and use of examples carry the day. Informality works for fiction, but this document is characterless nonfiction by design. Overall, I'm impressed with the draft. The informal asides are well-intentioned clutter. Even proficient English speakers may pause when reading "coolness." Did they miss something? Was there a redesign? What's being communicated? That said, these are issues that can be hammered out in later drafts after the substantive issues have been deliberated.--Knowlengr (talk) 03:12, 8 September 2013 (UTC)

Good point about the translator, informal tone like that is also harder to translate easily and directly than direct and plain formal English, and since we rely on volunteer translators, that's a point to keep in mind. Amqui (talk) 03:43, 6 September 2013 (UTC)

I do not understand what the informal child friendly tone of the policy is seeking. When I read the proposed policy I'm reading a tutorial of treatment of data, not really a policy. A privacy policy is a document that establishes clauses of what the web site will do or will not do with the data that can identify the user. Privacy terms are released not with the purpose to teach to the visitor what is the purpose of the Wikimedia Foundation, or what is a cookie or why the web site collects data (although, sometimes is necessary explain it), these terms are a declaration of the host about what it will do or not with your data, I mean, because the host decides treat the data as he want. If WMF establishes that will be public the IP and location of the visitor then, the IP and location will be public (for example). Each web site could treat the data in different ways, and it is the reason because each web site have to give to you it's own privacy policy. I see that is a tendency in websites to make the privacy policy more "friendly", but actually, a list of bullets about what the site will do or will not do is the easiest and simplest form to do that. For example "WMF will recollect cookies with the purpose…", "WMF will not give your data to third parties…" and so on. Moreover, privacy policy is the kind of document in that I do not want to expend much time to read, in that sense, proposed policy is a whole treaty. And, in addition, is not the kind of document that needs a mascot (seriously, what the policy writers were thinking when decided that to include Rory in the policy was a good idea?). In other hand, the policy terms should not treat you as if you were ignorant of everything. For example that line "Because everyone (not just lawyers) should be able to easily understand how and why their information is collected and used, we use common language instead of more formal terms" can be changed to this "Some terms that will be used in this policy must be understood with the following meanings". Finally, I expect a simple, short and formal text about privacy policy, if you want to keep the current text as a tutorial named WMF privacy policy for dummies, I agree with that, but I think an informal redaction should be an auxiliary, not the main document. --SirWalter (talk) 05:53, 6 September 2013 (UTC)

The issues at hand here, even though I may sound harsh, are as such:

• There appears to be a substantive and justifiable dislike for this cuddly, overly verbose presentation of the 'Privacy policy'. To be honest, I've never read the privacy policy prior this as I haven't had cause to concern myself with it, only having drawn on various supplementary material available here for Wikipedia & having cleaned up some conflicting and confusing information surrounding relevant media. I was completely taken aback by what I saw when I finally found a moment to respond to the call for comment on the 'new' policy entry. In as much as it may seem desirable to be welcoming & reconstructing the 'legalese', it is a legal document and should aim to be as succinct as possible.
• That which may be deemed to be a sweet & welcoming page by the administrators/editors here in actuality presents as being the antithesis. It is duplicitous to make serious policy appear so innocuous and cutesy that it may as well say, "What the heck, you don't need to read this because it's obviously all about goodness and niceness." Condescension is not valuable as the Privacy policy is serious matter. Even if there are young contributors here, the deployment of 'plain speak' requires serious deconstruction & explanation in concrete terms. If this presentation is considered to be a clever method of avoiding scaring younger users/contributors away, it is abundantly clear that those who chose the methodology have no grounding in behavioural psychology and are making uninformed assumptions in feeding people swathes of reconstituted pap.
• Note, also, that at some point, younger users/contributors are going to have to familiarise themselves with 'legalese'. For their sake, it is preferable that they become acquainted with it before they turn 30. By all means, present the salient points of the policy informally as collapsible 'plain speak' auxiliary information, but most of us probably don't want to wade through 'cute'. At a glance is undoubtedly far more useful and desirable. --Iryna Harpy (talk) 05:59, 8 September 2013 (UTC)

OK, in light of the feedback, we will revisit some of the language mentioned here. Thanks. Geoffbrigham (talk) 22:27, 15 November 2013 (UTC)

Oatmeal vs. Dora the explorer

I saw feedback to the whole illustration and mascot theme is solicited above. I wanted to point out the subtle difference being lost here. Illustrations don't necessarily have to be dumbed down, or be intended for an immature audience. The whole mascot theme, terminology and tone being employed doesn't fit well together. I'm not commenting on the quality of the artwork or the character work for the record, both of which seem fine and probably took a lot of time and effort. It's really hard to cater to an adult audience through this medium but it's not new either - twitter fail whale, firefox fox, google's android etc. all have used their mascots and used them well - I think this could be done better (if this route is going to be taken). But to do that - start by aiming for oatmeal, not Dora or Disney. Regards. Theo10011 (talk) 22:33, 4 September 2013 (UTC)

Unfortunately, Wikimedia wikis don't have a mascot. --MZMcBride (talk) 14:48, 14 September 2013 (UTC)

Thanks for the feedback. We have retired Rory, as explained below. Cheers. Geoffbrigham (talk) 12:38, 18 September 2013 (UTC)

Why a tiger?

Why does the banner for the new privacy policy include a drawing of a tiger? We're not children. --Cryptic C62 (talk) 02:52, 5 September 2013 (UTC)

I don't work for the WMF, so I can't explain why they chose to use the tiger, but here's some sort of explanation: The WMF has a stuffed animal tiger in their offices called wmf:Rory. The usage of Rory illustrations has been discussed above, in other sections. PiRSquared17 (talk) 02:55, 5 September 2013 (UTC)

As someone who believes that tigers are the work of Satan, I'd add that we're not Satanists. –76.108.183.43 03:30, 10 September 2013 (UTC)

Was this sarcastic? --MZMcBride (talk) 14:50, 14 September 2013 (UTC)

Please see below discussion where we have retired Rory. For the record, it was not because I found Rory satanic.  :) Geoffbrigham (talk) 12:37, 18 September 2013 (UTC)

Offputting for adult readers

The policy reads as if aimed at schoolchildren, with the cuddly tiger, "way cooler", "eat your greens", "evil wizard", "You're still awesome" (or "... brilliant" in GB english version). It is possible to write clear English in a neutral, adult, way: see The Plain English Campaign and its guides if you need help. The Privacy Policy is an important document and should be written in a clear and serious tone, not as if it's written by teenagers for children. We are trying to recruit new subject-expert editors, with the introduction of Visual Editor: if a high-power professor reads this proposed text, offered as the Privacy Policy, they are unlikely to take Wikipedia seriously enough to want to contribute their time and expertise. PamD (talk) 07:55, 5 September 2013 (UTC)

Thanks for the link, I'm adding it to Writing clearly. --Nemo 11:42, 5 September 2013 (UTC)

Thanks for all the above comments. To be honest, from my personal viewpoint, I'm actually OK with this, and I'm known as a pretty stuffy and formal lawyer.  :) Our challenge is to explain a complicated topic to everyone, including casual readers of our projects. As I note above, we are repeatedly told that few ever read privacy policies, those who start often don't finish, and when they do, they often misunderstand them. For that reason, we have tried a few ideas, like the user-friendly summary at the beginning of the policy, plainer English (with no doubt a few exceptions), more transparent and hopefully easier-to-understand explanations in the text, and, yes, humor. In my humble opinion, I like it. To my ear, it is not condescending but is respectful, underscoring that we expect the reader to read the policy and we are making efforts to help them enjoy it. For me, humor helps get through dry material. My take on the proposed rewrite above it that it is fine, but I honestly like the version in the draft privacy policy better: it helps explain better in plain terms where we are going, and it may actually help people remember themes in the document. We did have non lawyers read through various drafts. Their ongoing feedback pointed us in this direction. I definitely respect the opinion of those who disagree with me, and, of course, during the 4-month consultation period, we will be listening closely on this issue. In any case, I really appreciate all of you reading and responding ... quite helpful in thinking through this topic. Many thanks. Geoffbrigham (talk) 14:14, 5 September 2013 (UTC)

"We are repeatedly told that few ever read privacy policies, those who start often don't finish, and when they do, they often misunderstand them. For that reason, we have tried a few ideas, like the user-friendly summary at the beginning of the policy, plainer English (with no doubt a few exceptions), more transparent and hopefully easier-to-understand explanations in the text, and, yes, humor.": +1 Ocaasi (talk) 18:19, 5 September 2013 (UTC)

That's not humor, that's an embarrassment. You should target the common average of users(german: Schnittmenge), and not only a specific group. But I'm used to such nonesense in wikipedia. Most of the editors suffer from brain damage or mental retardation I think, so no suprise. Whatever, good luck. Greets--82.113.121.77 22:14, 5 September 2013 (UTC)

Don't you guys just love it when someone pops in, offers no help, is a jerk, and then promptly leaves? Unfortunately, he forgot to create an account which means his IP address is open for everyone to see! ; ) As for this new policy, I actually like the cuddly tiger (though some of the words are a tad cringe-worthy) and seriously wonder why some people worry about wikipedia "not being taken seriously" when it is already leagues above everything else on the web. BallroomBlitzkriegBebop (talk) 17:38, 6 September 2013 (UTC)

The policy in itself my read as if it is aimed at schoolchildren at first glance but it seems as though it is a combination of something everyone can deal with. The "adult readers" who visit Wikipedia and contribute should know that Wikipedia may be edited by anyone and thus, teenagers and even children may contribute. Wikipedia already has made a name for itself being the project that it is. I do not know anyone who doesn't take Wikipedia as a site seriously. I know of a few examples where when writing essays for a project, a teacher may have desired better references or more references than just Wikipedia but that was on the basis that Wikipedia may be edited by anyone. Everyone has to compromise and as Geoffbrigham brought out, it is because the challenge is to explain a complicated topic to everyone. Even the suggestion of "you should target the common average of users" brought out by 82.113.121.77 is in itself, targeting a specific group. From what I've seen of the Privacy Policy (which is very little), I like how it is presented. Koi Sekirei (talk) 17:38, 8 September 2013 (UTC)

I have read the policy, in part indeed to test its readability, and I have to say that some of the language used led me to misunderstand it. Being fairly experienced with most things internet and a bit with legalese, I later realized that I still missed many of the points later brought on by editors on this talk page. If anything, the reason for these misunderstandings was the overly narrative, embellished and long-winded style of writing. It glosses over important points, handwaves issues away, and buries the points it does address between explanations of completely non-privacy-related wiki elements and entire paragraphs of filler delivering no information at all.

This document spends a lot more words and does a much better job of convincing a casual reader that it's an awesome policy than of telling him what the policy actually is. I understand that you've tested it for ease of reading and positive reaction. But did these tests include "reading comprehension" question checks - whether most readers actually got an understanding of various aspects of the policy in the end? CP\M (talk) 08:33, 10 September 2013 (UTC)

An excellent point, CP\M. If this were being treated as a serious pedagogical issue (which it purports to be), the most important part of the process of adopting it would be to test whether it meets its objective, being that of genuine comprehension. Has there been a component for testing comprehension of the policy built into the feedback? --Iryna Harpy (talk) 22:14, 10 September 2013 (UTC)

I agree with all exposed by Iryna Harpy at this point. Basically, if the objective of the new draft is not purely legalistic, not only the legal counsel team of the WMF had to write the draft. Some experts or professionals in translate legal documents in simple terms and, considering the worldwide scope of Wikimedia projects, professionals in languages had to participate in the writing of the draft, (see the exposed by Sir48 below). At this point, counselors sustain that the tone and language of the proposed policy is amazing because they proposed it, they not give reasons neither arguments that sustain how the draft becomes in a master piece. Moreover, nobody proposed the change to informal tone, by contrast, is a legal counselor whom states that they want "to avoid legalese as much as possible" (at all, could add). That looks like a whim from the legal council, not a request from the community. Impose the not well known mascot for the legal office may be a proof of this.--SirWalter (talk) 01:37, 11 September 2013 (UTC)

┌─────────────────────────────────┘
I believe that SirWalter has driven home some excellent points regarding how this has evolved (or devolved) into this proposal. The proposal, as I understand it, was that the 2008 privacy policy was in need of updating to reflect changes in technology and that, somehow, it was identified as being desirable to present the legalese using more 'user friendly' terminology.

The structure of the current policy document doesn't seem to have come into the equation until (I can only assume) the legal department, in collaboration with other unknown parties(?), identified some sort of problems with what appears to be a perfectly serviceable model for presentation which they deemed could be redressed by inserting cuddly mascots and a desperate lack of concise information. Updating the contents of the policy and aiming to make it more accessible by the use of simplified/lay English is something I can understand. What I fail to be able to comprehend is how, when, where, who, what and why was simplified English and 'user-friendly' transmogrified into cuddly mascots?

It's difficult not to come to the conclusion that the legal office are completely stumped and have intentionally thrown a cutesy mess at the community for comment in order to conceal a lack of imagination or desire to put some serious work into a genuinely well thought out proposal & are simply waiting for the blanks to be filled in by the community who are promptly picking up on areas that need to be expanded, elaborated on, qualified and clarified.

I'd suggest that there are enough queries about the proposed new 'structure' to merit a reasonable explanation as to why we should accept that mascots are 'user-friendly' and how this will assist in the reading of the document. For all the noises about how certain individuals have felt it to be less intimidating and having encouraged them to read the policy (which of the condensed one-liners in particular were found to be 'friendlier'?), how familiar were they with the complex issues deciphered(?) by the end of their cheerful read. I'm sceptical about being being herded into taking a leap of faith because a few people have claimed the matter to be so, therefore propose that some empirical data be presented to back up claims that it is a genuinely effective strategy, i.e. a little background into, "We did have non lawyers read through various drafts. Their ongoing feedback pointed us in this direction." Who were the 'non lawyers' and what were the qualifications of those interpreting this 'ongoing feedback'?. --Iryna Harpy (talk) 05:39, 11 September 2013 (UTC)

Sry I've(of course) meant: The average human, and not the average wikipedia user(who are nerds and geeks anyway). Of course you have to target some groups of people, and that should be the group of attributes of groups which all groups have in common(or something, you know what I mean). Does the language have to be childish to explain it better? Hell no ! Will the probality increase that some serious person are scared off of it? Maybe. Will it attract more younger people? If you look how many "children"(not the adult ones who behave like ones here) wikipedia use then I think, no. Greets--82.113.122.164 21:40, 11 September 2013 (UTC)

Some thoughts for consideration from legal

Thanks to everyone for their comments (under this section and others). I really appreciate people taking the time to read the document and giving us your frank feedback.

Just above I shared some thoughts on this topic for consideration. To state it a little differently here, in the legal department, we have reflected quite a bit about tone as we took this draft through multiple versions, testing them out informally. What we heard was that non-lawyers (who were adults and well educated) preferred this less legalistic tone, including some limited insertions of humor. IMHO, this approach shows an effort to help the reader understand the document and demonstrates our expectation (and respect) that the reader will read it. As I say elsewhere, most Wikimedians are fine with formal language expressing complicated concepts. Indeed, I love the fact that our community is made up of wiki-lawyers who have a strong interest in legal issues and the formalities that naturally follow that interest. That said, many of our users to whom this policy applies are readers from different backgrounds. I feel we need to use tools to encourage all types of people to read the policy throughout and to the end – like the user-friendly summary; like plainer, less formal English; like icons and maybe other visuals; and like humor.

And, to be honest, it also works for me. I enjoy reading the draft privacy policy more because of the tone and humor. I also like what it says: we think it is unreasonable to put dense legal documents before readers without helping them understand the document and enjoy the experience. As I noted above, I think the above rewrite of one paragraph by Llywrch is fine, but, in my personal opinion, I frankly like the version in the draft privacy policy more: the first line of text helps the reader understand where the discussion is going in a simple non-legalistic way. I do appreciate Llywrch’s efforts in illustrating his point, however.

We talk about the use of illustrations elsewhere, but one idea I like out of this conversation is the concept of using bullet points, maybe in the margins to summarize certain critical themes. The community will decide on the mascot idea, but simplified bullet points - such as proposed by Theo above - may be another way of addressing this. I know that is not exactly what you are proposing SirWalter, but the idea is related. I think both of you have good arguments there.

Now I say all this with the understanding that we are in a 4-month consultation period, and we are listening to your views on this. So far, there are some who have commented positively on the language and approach, but I definitely respect the contrary point of view. I’m seeing some points more clearly based on our exchange. For example, it resonates with me when people say some humor doesn't translate well into other languages. And there are no doubt some sentences that we will want to rewrite based on community feedback. Overall, I’m fine with the tone; I even like it, and, personally, I would like to keep it. But, if some specific language really strikes the community as wrong, we will change it, obviously.

Thanks again for taking the time to read this draft and to share your comments. We know people are busy and have other priorities, so we really appreciate it. Geoffbrigham (talk) 07:45, 6 September 2013 (UTC)

I have three comments about this:

• Guys, fun is ok, but the Wikimedia projects are not the place to it. Wikimedia is a serious web site, not serious in the sense of a drill instructor, but in the meaning of trusty and accurate information. I think everybody, regardless of age, nationality or educational level can understand that the legal issues are serious issues. If you want to get fun, go to the Encyclopedia Dramatica, paradoxically, their privacy policy is better than the draft that you are proposing.
• Wikimedia projects are not the sort of websites that intensively recollect personal information or get profit with it. Most of the data recollected is result of the way in that internet servers work. I do not understand why a simple upgrade in the policy becomes in a complete senseless renovation.
• Privacy policy is a legal text with legal consequences. With your "cool" way to redact it, you are introducing ambiguity in the terms. And the ambiguity in a written contract will be construed against the drafter. If you want to fight in a trial in that somebody felt offended because thinks that he/she looks great in his eight year old picture or, because somebody interprets the "evil wizard" in an inconvenient sense, you are in the right way. By the way, I find, more than 40 paragraphs since the beginning of the policy text, the statement that "if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"; of course, is well known that you have to put the Important Info at the end of a legal text.

At the end, you are more involved in the project, and you will carry with the consequences of all this. --SirWalter (talk) 19:02, 6 September 2013 (UTC)

I take your point quick seriously, SirWalker. I thought about this lots before the rollout. I came to the Wikimedia Foundation from a for-profit major internet company. I think many saw me as quite formalistic as a lawyer.  :) So I get what you are saying. Yet, after seeing similar examples elsewhere, I have come around to the position that a less legalistic style and humor can be helpful in facilitating understanding, especially when you are addressing a diverse community. I don't think it would be appropriate for me to comment on the quality of others’ privacy policies, but I will say that our site has unusual and complicated issues in a collaborative community that need to be addressed in an understandable way in our privacy policy - a need that is not really satisfied with a policy made up of short bullet points. (That said, I do like the idea of using bullet points in the margins to summarize major themes, if the community wants that format.) Also I firmly believe in honest transparency with our community. This means we need to explain in plain English how we collect and employ user information, and I think this draft does a better job in that respect, though it takes words to do that. I think you are right to be concerned about ambiguity in any contract, but I would respectfully disagree that this causes any real legal risk; to be frank, if I thought it did, I would strike it. I hear your point about changing the placement of the highlighted sentence ("if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"); I have no objection moving it towards the front of the document (like the Introduction) or putting the concept in as a bullet point in the user-friendly summary if the community supports that view. Other detailed reasons for the rewrite are set out above under the opening template on this talk page, explaining the need for this new draft. I say we watch the community feedback. I’m seeing support for our approach, but I am also hearing the words of caution. During the course of the consultation, we may well make modifications that address some of your concerns. I know that we may disagree on some points, but I want to reemphasize how much I appreciate your reading the document and raising these points. It does help everyone as we work towards the right final draft for the community. Geoffbrigham (talk) 07:50, 7 September 2013 (UTC)

There is a difference between plain English and childishness. At this moment, the draft reads as if it's trying to appeal to the reader, explain itself to him, and at times almost butter him up, rather than to inform him. I agree with others in thinking it should neither trivialize serious privacy matters nor put its own appeal ahead of its informative value.

For instance, this entire paragraph - Wikimedia Sites are collaborative, with users writing most of the policies and selecting from amongst themselves people to hold certain administrative rights. These rights may include access to limited amounts of otherwise nonpublic information about recent contributions and activity by other users. They use this access to help protect against vandalism and abuse, fight harassment of other users, and generally try to minimize disruptive behavior on the Wikimedia Sites. - has almost nothing to do with privacy and engages instead in broad overview and advertisement of Wikimedia's self-management policies.

I don't believe that such long-winded digressions are consistent with the first stated principle: Be clear and concise in language. CP\M (talk) 13:03, 9 September 2013 (UTC)

• The issue is the difference between the expression of the policy and the presentation of the policy. The policy is what drives, guides or constrains the behaviour of the WMF and as such will have formal expression in a working business document written in a formal style suitable for use in decision-making. In a real sense that document is the policy. The presentation of the policy is how the policy as enshrined in the formal expression is communicated to audiences who need to understand it: those audiences might be, for example, junior WMF staff, new contributors to WMF projects, experienced contributors, technically-expert readers of WMF material, or editors with enhanced rights. Those presentations might, and probably do, need to be different for the different audiences. What we have here is a one-size-fits-all version which is attempting to be all of those things at once.

I believe that the formal policy should be exposed for discussion by and the use of all the stakeholder groups. We can take it. There is no need to patronise us with cute furry animals and little pats on the head. The more cutesy version can be published as well and it may indeed be helpful for some readers, or not. I really find it hard to believe that round the WMF boardroom table, when trying to decide on whether a proposed strategic direction is consistent with the privacy policy, the assembled trustees, director or senior executives will be helped by wading through wording that tells them that their users are "great", or that their use of the site is "cool", or that the policy is "as important as eating their greens", or that a picture of Tony the Tiger will help them take the right decision. If they don't need that stuff, we don;t need it either. Spectral sequence (talk) 16:16, 14 September 2013 (UTC)

Thanks for the feedback. As an update, we are retiring the image of Rory from the privacy policy, per this discussion. Cheers. Geoffbrigham (talk) 11:35, 18 September 2013 (UTC)

So is removing the image sufficient to resolve the difference between the formal policy -- which we now understand is intended to be legally binding on both WMF and users -- and its explanation? I think that it does not.

I remain genuinely concerned about what I (and, I believe, others) perceive as a patronizing ("condescending") tone in some of the content ("fluff"). It's not just a question of formality. To me, the sentence about "eating your greens" is emblematic of this issue about how Wikipedia presents both itself and its privacy policy. I may have missed something, but I have yet to see a response to this live concern. MistyMorn (talk) 20:25, 26 September 2013 (UTC)

In my opinion, the tone of the document is fine. I think the biggest pushback from the community is Rory (who we are retiring with tears in his eyes) and the jokes. If people don't like specific jokes, we can take those out. However, I'm seeing a mixed response in the feedback to be honest. Geoffbrigham (talk) 22:28, 1 November 2013 (UTC)

One obvious explanation for a "mixed feedback" to the jokes is that the sort of readers they were conceived for are more likely to appreciate them, whereas others probably won't. I believe Wikipedia should 'belong' to everyone, and that use of the most universally acceptable style possible should be a key consideration when drafting an explanatory document that is intended to be as open as possible to the entire usership. Simple plain English should be the stylistic touchstone here imo. Regards, —MistyMorn (talk) 15:05, 10 November 2013 (UTC)

OK, we will take out all the jokes. It will take us a few days to do that. Thanks. Geoffbrigham (talk) 21:27, 15 November 2013 (UTC)

Thanks for your patience, —MistyMorn (talk) 10:40, 17 November 2013 (UTC)

┌─────────────────────────────────┘
The "joke" about eating your greens is still there and has now been approved for translation. —MistyMorn (talk) 14:00, 25 November 2013 (UTC)

The policy does not clearly express its own legal status. Is it intended be, or form part of, some legally binding agreement between users of WMF sites and the WMF? Are other parties supposed to be bound by it in any way? Do it create any enforceable obligations on the WMF? In particular, what is the intended legal status of the sentence "For the protection of the Wikimedia Foundation and other users, if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"? Clearly I can use those sites whether or not I agree with the policy. What does it mean to say that I may not? What does "agree" mean? Is it implying that by using the site I am agreeing with the policy in a legal sense? Spectral sequence (talk) 16:24, 14 September 2013 (UTC)

Hello Spectral Sequence! The privacy policy is a legal document, binding on both the Foundation and the users of the projects. This means that the Foundation is bound to only collect and use user information as provided for in the privacy policy. Similarly, while you are correct that you can use the sites whether or not you agree with the policy, by using the sites you are accepting the terms of the policy and will be bound by those terms. Thank you for eliciting this clarification! DRenaud (WMF) (talk) 21:36, 19 September 2013 (UTC)

If it is intended that this policy placed the user under some kind of legal obligation, that needs to be made clear in the policy and it also needs to be made clear in the Terms of Use. It would be a good idea to summarise the obligations the user is entering into under this policy. I also believe that insofar as the privacy policy is intended to be legally binding on users, it becomes even less appropriate for the formal policy to contain informal language such as "we think you are awesome". (Am I contractually obliged to be awesome, or are you just obliged to think me so?). Spectral sequence (talk) 13:23, 21 September 2013 (UTC)

The policy should also probably clarify whether this page itself is the complete legal contract, or do its subpages like the FAQ and glossary also form part of the contract.--Siddhartha Ghai (talk) 17:15, 25 September 2013 (UTC)

Wow, this is a good catch. Our original drafts included that language but somehow it did not make its way to this on-wiki version. So we will include language that makes clear that the following documents are not technically part of the legal privacy policy: (1) the FAQ; (2) the Glossary of key terms; and (3) the Subpoena FAQ. The language should read something like this: "This FAQ [Glossary] is not part of the privacy policy. It is not even a legal document. We do hope however that you will find it helpful." To facilitate navigation, we will also include a insert box on each of these documents and the privacy policy with cross links to each one. We may not get to making these changes immediately because our staff is working on another project, but we are putting it on our list of things to do within the next couple of weeks. Many thanks! Geoffbrigham (talk) 21:01, 15 November 2013 (UTC)

In my opinion the introduction should only contain redundant information. People expect the introduction to contain only redundant information and often skip it.

I think the introduction should be followed by a chapter about the scope of the privacy policy. This should include information about the identity of the Foundation and whether the Foundation has to comply with the provisions in the privacy policy. --Aviertje (talk) 15:34, 19 September 2013 (UTC)

Hi Aviertje! Thank you for your suggestion. The purpose of the introduction is to give the privacy policy draft some context. It outlines some of our guiding principles and lays out the scope of the policy draft. I think it plays an important role in the draft for those reasons. Providing redundant information in the introduction only serves to make the policy draft longer without reason. Every section of the policy draft has been included for a reason and should be read in full. I understand that some people may skip the introduction (or any other section that does not interest them), and part of the reason why we have subsections (like "What This Privacy Policy Does & Doesn't Cover") is to make it less likely that people will accidentally skip a section that is important to them.

As to your second comment about having a chapter about the scope of the privacy policy, I'm not sure I understand. The scope of the privacy policy draft is actually covered as a subsection of the introduction (following the "Welcome" and "A Little Background" subsections), and is entitled "What This Privacy Policy Does & Doesn't Cover". Could you clarify?

As to your comment about explaining the identity of the Foundation, can you explain what you mean exactly? In the "A Little Background" section, we state by ""the Wikimedia Foundation" / "the Foundation" / "we" / "us" / "our"", we mean "The Wikimedia Foundation, Inc., the non-profit organization that operates the Wikimedia Sites." What additional information do you think we should include to make the identity of the Foundation a little clearer?

And finally, regarding your question about whether the Foundation has to comply with the provisions of the privacy policy. The answer is yes, a privacy policy is a legal document that outlines the Foundation's practices with regard to the collection and use of user information and the Foundation is supposed to follow it. Any alleged violations of the privacy policy should be brought to the attention of the Foundation's legal team or the Ombudsman Commission so that it can be investigated and addressed as appropriate to the particular situation.

Thank you again for taking the time to bring these issues up. I look forward to hearing clarification of some of your points and hope we can make the draft better as a result. Mpaulson (WMF) (talk) 17:51, 19 September 2013 (UTC)

I meant not to make the privacy policy longer, but to move important information like "What This Privacy Policy Does & Doesn't Cover" out of the introduction into a separate chapter.

Concerning my comment about the identity of the Foundation, I was thinking of the information in the section "Where is the Foundation and What Does that Mean for Me?" I suggest to move this information to the beginning. First things first. A privacy policy should state who is responsible for processing personal data, what data is processed and for what purpose. It seems logical to me to use this order.

There doesn't seem to be a law saying the Foundation has to comply with the provisions in the privacy policy, see section "What's the use of this policy?" on this talk page. And there doesn't seem to be a statement in the terms of use or privacy policy explicitly stating the Foundation has to comply. Since this is a legal document, what's not stated, doesn't count. Anyway, I think it would be good to include explicit statements saying the Foundation has to comply with certain things. The terms of use and privacy policy seem to be very one-sided agreements. It's all about protecting the interest of the Foundation. The users are forced to consent with everything. The Foundation doesn't commit to anything. Not explicitly stated anyway. --Aviertje (talk) 15:24, 20 September 2013 (UTC)

Aviertje, can you point to language in other privacy policies that would be along the lines of what you are recommending re binding nature of the privacy policy? As a side note, I would question that this is a one-sided agreement, especially given the commitment to collect relatively minimal information compared to other major website. We understand your other points and will monitor this discussion to see how others feel as well. Thanks. Geoffbrigham (talk) 09:23, 25 September 2013 (UTC)

I don't know examples by heart from other privacy policies and I don't have the time to research this. Sorry.

Let me ask you a question. Can you point me to language in the proposed privacy policy where user rights are protected? Compare that with the times the rights of the Foundation are protected.

Can you also point me to language in the proposed privacy policy where the Foundation explicitly commits to collect relatively minimal information? --Aviertje (talk) 14:09, 25 September 2013 (UTC)

Standard for most privacy policies, there are various places where protection of user rights is mentioned (e.g., "We do not sell or rent your nonpublic information, nor do we use it to sell you any third-party products or services."). There are also provisions regarding protection of the rights of the Foundation (e.g., "We may need to share your personal information if we reasonably believe it is necessary to enforce or investigate potential violations of our Terms of Use, this Privacy Policy, or any Foundation or user community-based policies.").

With regard to our data collection practices, as we have pointed out, for example, “you do not have to provide things like your real name, address, or date of birth to sign up for a standard account or contribute content to the Wikimedia Sites.”

Courts often apply contract law to online policies. We will be including some language to make this clearer. Geoffbrigham (talk) 23:26, 30 September 2013 (UTC)

After reviewing the proposed privacy policy again, I give in. I was wrong.

I think I was put off by things like "This Privacy Policy explains how the Wikimedia Foundation ... collects, uses, and shares information we receive from you .... It is essential to understand that ... you consent to the collection, transfer, processing, storage, disclosure, and use of your information as described in this Privacy Policy." While the Foundation merely gives an explanation, I have to consent. There is a lot of attention to informing the user he is giving consent. Is it the intention to get consent from the user, or is it the intention to make the user aware of how his information is used? --Aviertje (talk) 08:56, 1 October 2013 (UTC)

Hi Aviertje. I am not sure I understand your question exactly, so please let me know if I'm not answering it. Our main goal is to inform the users - including readers - about how their information is used, though their use of the site constitutes consent legally. Geoffbrigham (talk) 20:29, 22 November 2013 (UTC)

Recently when I visited Wikipedia I was presented a banner saying something like "Wiki Loves Monuments: Photograph a monument for Wikipedia and win!" This kind of advertisement is a clear invasion of privacy. There doesn't seem to be an option in the preferences to turn this off and the privacy policy does not mention banners, does it? --Aviertje (talk) 16:15, 19 September 2013 (UTC)

Hi Aviertje! Thank you for your question. You are correct that sometimes the Wikimedia Sites display banners to users. The purpose of these banners are to alert you about certain things that involve the Wikimedia movement -- sometimes they will encourage you to donate to the Wikimedia Foundation (after all, the Wikimedia Sites are supported almost entirely from donations from the community), sometimes the banners let you know about interesting Wikimedia-related events that are going on (like the Wiki Loves Monuments competition, which encourages people to contribute to Wikimedia Commons), and sometimes they alert you to discussions about important topics that might impact you as a user (like the privacy policy draft discussion). They are never used for subjects that are not related to or could impact the Wikimedia projects or the Wikimedia movement.

Could you clarify why you believe the banners are an invasion of privacy? Displaying banners does not, itself, result in the collection of any personal information. Clicking on a banner may result in the collection of some personal information, such as IP address, through the use of JavaScript (a method of information collection we use not just for banners and which is described in the "Information We Collect" section of the draft). You are correct in that the privacy policy draft does not directly address the banners. Do you think adding specific language under the "Information We Collect" section would be helpful in this regard?

As to your question about turning off banners, we try to not overwhelm you with banners (we actually use cookies to try to limit the number of times that you see a banner), but there is not an option to turn them off completely. This is because there may be times where we need to alert users about important information. For example, when a major legal policy is changed and is going to go into effect, we use banners to provide users notice of the impending changes. This method of notice is particularly important because we do not have another equally effective way of reaching all of our users as we do not require contact information to use Wikimedia Sites or even when you register an account.

Hope that helps address some of your concerns. Mpaulson (WMF) (talk) 00:49, 20 September 2013 (UTC)

You ask why banners with advertisements are an invasion of privacy? Because I have "the right to be let alone" [5]. When I request a page with information from WMF's server, an advertisement is sent directly to me personally. I don't appreciate spam. Not by e-mail, not by phone and not by answering http requests. --Aviertje (talk) 13:49, 20 September 2013 (UTC)

A banner is part of the wiki page itself, it is shown to everyone who looks up a page without looking to who is looking. All major sites use or have used banners in certain cases that are considered important, as there is no other way to communicate to all users together. The Wikimedia Foundation does not advertise for commercial benefit (spam). There is a difference between spam and a notice. The Wikimedia Foundation only uses banners for notices as the worldwide community is in general against advertisements. What is a notice? A notice is a message to everyone about the conditions of the website and changes in those or about activities that are organized on the website. Examples are the implementation of a privacy policy (change in condition), asking for a donation for maintenance/etc of the website (condition) and the organisation of the largest photo competition in the world (activity). So don't mix up spam with notices, we do not call a cat a dog either. If you visit whatever website, you can only retrieve the complete web page from the server, which includes all texts, images, links and notices. That has nothing with privacy but the wish someone has to visit a page we created with all the information we have put on it, not just for that person, but for everyone. Romaine (talk) 02:13, 21 September 2013 (UTC)

An advertisement doesn't have to be for commercial benefit for it to be considered spam.

The Foundation provides the service Wikipedia. The function of this service is to be a free encyclopedia that anyone can edit. It's function is not to send notices for the Foundation to everyone. The Foundation has its official website and blog for that. I can accept to be bothered by a banner on Wikipedia when the Foundation wants to announce new terms of use or a new provicacy policy. For anything else, I don't see why I should be bothered. Leave me alone while enjoying the free service. At the least, make receiving other notices optional. --Aviertje (talk) 22:42, 22 September 2013 (UTC)

Err, any user can hide the banners fairly easily. If you're unregistered, you can use client-side CSS or JavaScript in your Web browser. If you're a registered user, you can use server-side JavaScript and CSS pages to do this. For example: w:en:User:MZMcBride/hidebanner.js. There's also a close mechanism (usually via an "X" icon) associated with every(?) banner that's deployed. The banners are certainly optional if you put in a modicum of work. :-)

I'll try not to take the bait regarding "leave me alone while enjoying the free service." That's just silliness. --MZMcBride (talk) 01:07, 23 September 2013 (UTC)

Although the Foundation has a blog and an official website, only involved members of the community would know about these. The privacy policy discussion is important for all users, and casual readers may even be interested in Wiki Loves Monuments. Compare Wikimedia's donation banners to websites with real ads, and you'll see they're in a very different league. More like a (possibly target by language/country) notice or announcement. Not spam. You may opt out [if you have cookies enabled] of CentralNotice banners by clicking the "X" (sometimes "hide"?) button, or by using user CSS (in Special:MyPage/common.css on any wikis you read) to hide all CN and even local (SiteNotice) banners.

#siteNotice, #fundraiser, #centralNotice, .fundraiser-box { display:none !important; }

PiRSquared17 (talk) 01:15, 23 September 2013 (UTC)

Clicking the "X" only disables the current displayed banner. It does not opt out for receiving such banners.

Disabling the feature yourself is a violation of the terms of use, see Terms_of_use 17. Other_Terms: "You agree that we may provide you with notices, including those regarding changes to the Terms of Use, by email, regular mail, or postings on Project websites."

Unlike regular ads, the notices are not clearly distinguishable as Advertisements. For one thing they are not marked as being ads. This makes it unclear that they are meant for everybody to read if they are interested. In fact, they are not messages displayed to everyone, optionally to read.

The terms of use says "You agree that we may provide you.." It does not say "You agree that we may provide everybody.." The notices are addressed to each person individually. Advertisements sent this way are a form a direct marketing. I don't know the ins and outs of the law of California. But I understand the California Constitution gives each citizen an inalienable right to pursue and obtain privacy. That may very well mean that you can always object to direct marketing. --Aviertje (talk) 13:16, 23 September 2013 (UTC)

I don't see how displaying a banner is a violation of privacy. Think of it as part of the web page. Compare that to sites (e.g. Wikia) with real ads. If hiding banners is against the ToU, then MZM and I have been violating it... @Mpaulson (WMF): comment? PiRSquared17 (talk) 13:40, 23 September 2013 (UTC)

PiRSquared17, why did you remove the banner? --Aviertje (talk) 11:44, 24 September 2013 (UTC)

Hi Aviertje, PiRSquared17, and MZMcBride. Aviertje, I'm not sure exactly how you have derived the right not to see banners from a general right to privacy provided in the California Constitution. Can you point us to some statutory or case law supporting your theory? I am unaware of any such interpretation under California law, but would be happy to examine any materials you have. PiRSquared and MZ, I do not believe you have violated the Terms of Use by hiding some banners. The Terms of Use language cited in this discussion simply means that you have agreed to permit us to provide you notice by email, regular mail, or postings to the sites. It does not mean that you hiding the banner or throwing away mail that we send you results in a violation of the Terms of Use. Mpaulson (WMF) (talk) 22:11, 26 September 2013 (UTC)

My protest is not against banners in general, but against the banners in the mentioned case. A banner is just the means, it's about the contents of the banner. Like spam isn't the same as email.

I said: "I don't know the ins and outs of the law of California. .... That may very well mean.." It should be obvious that I was raising questions rather than giving answers. I have done a quick scan on California law now. Surely you can't derive much from California Constitution. But I do see the same basic principles concerning privacy being applied. For example, direct marketing is definitely related to privacy. What's the Foundation's policy about own direct marketing (not by third parties)? And can people object to it?

What legal implications does hiding the banner or throwing away mail have? Does the Foundation still consider new terms of use and new privacy policy binding when notices about these new terms are being hidden and thrown away? --Aviertje (talk) 21:30, 30 September 2013 (UTC)

Hi Aviertje, I really don't see any legal issues here. Banners are notices to which users agree to in the terms of use. Michelle has answered above with respect the hiding of the banner. Take care, Geoffbrigham (talk) 20:51, 22 November 2013 (UTC)

The section To Protect You, Ourselves, and Others states "We may need to share your personal information if we reasonably believe it is necessary to enforce or investigate potential violations of our Terms of Use, this Privacy Policy, or any Foundation or user community-based policies. [...] Wikimedia Sites are collaborative, with users writing most of the policies and selecting from amongst themselves people to hold certain administrative rights." What happens when a community policy conflicts with or contradicts the provisions of this policy? Which takes precedence? The answer needs to be made explicit. Spectral sequence (talk) 18:49, 22 September 2013 (UTC)

Hi Spectral sequence! That's a great question. The Terms of Use does not, to the best of knowledge, contain anything that contradicts the Privacy Policy draft (it only reiterates some things in the current Privacy Policy and the Privacy Policy draft), as they are meant to cover different subject matter. As for community-based policies, they should be in adherence to the Privacy Policy. Although, it should be noted that the Privacy Policy is meant to describe the minimum protections provided and does not prevent other Foundation or community policies or practices from being more protective of privacy. Are there any particular policies that come to mind that you are concerned about? Would adding language like this be helpful: "In the event that a community-based policy relating to a Wikimedia Site covered by this Privacy Policy conflicts with this Privacy Policy, this Privacy Policy takes precedence to the extent the community-based policy conflicts with this Privacy Policy." Mpaulson (WMF) (talk) 18:54, 26 September 2013 (UTC)

I would prefer a "ratchet" clause that stated that the WMF privacy policy provided a minimum level of protection and that community policies were invalid to the extent that they provided a lower level, but valid to the extent that they provided a higher level of protection. Spectral sequence (talk) 17:18, 27 September 2013 (UTC)

@Spectral Sequence: Good idea. How about, at the end of "What This Privacy Policy Does & Doesn't Cover": "Where community policies govern information, such as the CheckUser policy, the relevant community may add to the rules and obligations set out in this policy. However, they cannot create new exceptions or otherwise reduce the protections offered by this policy." Sound good?

@WereSpielChequers: you raised a similar question before, that I addressed in a comment but didn't adjust the policy to reflect. Does this help? Thanks to both of you for prodding us. -LVilla (WMF) (talk) 21:34, 15 November 2013 (UTC)

@Spectral Sequence: @WereSpielChequers: I've now added this language to the policy; thanks for the suggestions! Closing this section, but if someone wants to reopen to discuss this addition, please feel free. -LVilla (WMF) (talk) 18:58, 9 December 2013 (UTC)

Expanding the section on Examples of What This Privacy Policy Doesn't Cover reveals some things that don't quite seem to make sense. We read Some sites the Wikimedia Foundation operates have separate privacy policies or provisions that differ from this Privacy Policy which makes perfect sense, but is then followed by the phrase these particular situations have separate privacy policies that do not incorporate this Privacy Policy: where "situation" is not at all the same thing as "site". The list then includes some sites (like the shop) and then Administrative groups, such as CheckUsers or Stewards. Should that bullet come after the comment This Privacy Policy only covers the way we collect and handle information, where in passing "we" should be replaced by "the WMF"?

I think it would be much clearer to say something like: This privacy policy applies only to the way WMF collects and handles data and only on certain of WMF sites. Some WMF sites have their own policies; other parties than WMF have access to data on WMF servers and different policies apply to them. Specifically: ....

Spectral sequence (talk) 20:59, 16 October 2013 (UTC)

Hi Spectral sequence. I agree that we should move down the bullet point as you suggested. I also agree that we change "we" to "WMF" as you have suggested. I have given those instructions.

You also are correct that we need more clarity here. I generally like your wording, but I might suggest redrafting a bit. How about something like the following:

This Privacy Policy does not cover all sites where WMF or others may gather or process data. For example, this Privacy Policy may not apply to sites that have their own independent WMF privacy policies or to sites that are run by third parties other than WMF. This Privacy Policy may not apply to certain community administrative groups in specified circumstances. You can find examples where this Privacy Policy does not apply below: .... .

Does this work?

Thanks, Geoffbrigham (talk) 21:21, 1 November 2013 (UTC)

Please note that we have restructured the What This Privacy Policy Does & Doesn't Cover section for clarity. Please let us know what you think! Mpaulson (WMF) (talk) 20:34, 22 November 2013 (UTC)

Interesting read: http://blog.archive.org/2013/10/25/reader-privacy-at-the-internet-archive/ Among other things:

The web servers on Archive.org and OpenLibrary.org were modified to take the IP addresses, and encrypt them with a key that changes each day making it very difficult to reconstruct any users behavior.

It seems the ever-growing collection of data about users behaviour is not an irresistible trend in all corners of the web. --Nemo 17:30, 25 October 2013 (UTC)

Very interesting reading, Nemo. Thank you for sharing. Mpaulson (WMF) (talk) 19:34, 1 November 2013 (UTC)

Is the staff planning to release some updated draft at some point of the feedback period and if yes roughly when? Or is it planned to follow a waterfall model, incorporating all changes at once shortly before sending it to the board? --Nemo 17:30, 25 October 2013 (UTC)

We are making edits as we go throughout the 4.5 month consultation period. We're a bit behind on incorporating some of the changes and waiting for more community feedback before implementing other changes, but you should be able to see what we have done so far in the history. And a lot more should be done over the next week. Mpaulson (WMF) (talk) 18:58, 1 November 2013 (UTC)

I'm not seeing any substantial edit and root questions about the proposal (and I don't mean mine, but others') are routinely closed above without any visible change to the proposal. If you have some sort of queue of things you plan to change/address, it would be useful to keep such todos somewhere here (or to keep the corresponding sections open).

Considering that the feedback period is coming to an end soon, you may also want to make first things clear first, rather than when it's too late. We still don't know what purpose(s) this proposal serves, for instance, so it's almost impossible to comment on details of it. The underlying reasons and premises for the proposal, unknown to the public and apparently non-negotiable (if nothing else because it's impossible to discuss them), seem to make the discussion impossible apart from commas and make-up.

When we discovered something, for instance in #Collection of "unique device identification numbers", edits to the page went in the opposite direction (Brion says mobile doesn't need them, an edit added that mobile is an example of a need for it [6]). --Nemo 10:02, 8 November 2013 (UTC)

Hello @Nemo bis: First, I responded to your substantive question on "unique device identification numbers" above. (We can continue that conversation if any further clarification is necessary, but I suggest moving it to the section up above for organization's sake.) Second, we are making edits to the policy in an ongoing basis. Most of the edits are being coordinated by James, and we are also trying to credit users who suggest changes via the edit summary. In total so far, I think the policy has improved with the help of everyone's productive comments, and we will continue to update it based on feedback. Stephen LaPorte (WMF) (talk) 21:12, 22 November 2013 (UTC)

Hi! Is the privacy policy FAQ part of the policy, or a non-binding supplement? Emufarmers (talk) 19:00, 8 November 2013 (UTC)

The FAQ is not part of the legal privacy policy. That allows us to make changes rapidly in the FAQ to explain issues that may come up in the practical application of the policy. Thanks for the question. Geoffbrigham (talk) 20:21, 15 November 2013 (UTC)

Thanks for your response! Does this mean that things like cookie expirations could now be adjusted freely? I ask because my impression was that session lengths were adjusted from 180 to 30 days to comply with the language in the current privacy policy (please correct me if I'm wrong about that), and it would be nice if they could be increased again once the new policy is approved. Emufarmers (talk) 05:34, 17 November 2013 (UTC)

Hi Emufarmers, you're right that it was adjusted to comply with the current policy. Because this table is in the FAQ, it can be changed to reflect the appropriate expiration times and the fact that technology changes fast. YWelinder (WMF) (talk) 19:09, 22 November 2013 (UTC)

I'm a little confused as to what point the new draft policy is up to. I was under the impression that it was being closed off for revision and a fresh call for comment would alert us to the fact that a revised proposal was up. --Iryna Harpy (talk) 00:22, 11 November 2013 (UTC)

Yes it is. We are revising the draft policy online as we receive feedback. We expect to close the discussion about mid-January. Take care, Geoff Geoffbrigham (talk) 20:20, 15 November 2013 (UTC)

Apologies for the belated response, Geoff. I re-tweaked my various wiki email filters a few weeks ago and, somehow, notifications re. this subject ended up in my 30 day spam folder. Good thing I checked it before it was automatically deleted! I've had a cursory read and it's certainly evolving into a solid, informative document. If I make any more whining noises, they're not going to amount to much aside from nitpicking over details. Commendations on the serious work that's gone into it! --Iryna Harpy (talk) 21:30, 1 December 2013 (UTC)

Many thanks. Your help and that of other constructive community members have made this a much better document. We really appreciate the time that you have put into this. Geoffbrigham (talk) 18:44, 9 December 2013 (UTC)

There is a lot of discussion recently concerning paid editors, especially about the en:WP:COI guideline saying that businesses may discuss issues concerning the business on an article's talk page. So someone claiming to be from XYZ corp. can make a fairly public statement, apparently on behalf of the corporation. It strikes me that it would be very embarrassing for all concerned if that person did NOT represent the business. I think this is called "spoofing." Is there a way to require that a person claiming to represent a business divulge (at least semi-publicly) enough information to be sure that he or she represents the business, and that the representatives "confirmed" status be made public? Would that in any way be contrary to this policy?

Something similar might come up with regard to businesses providing copyright releases on information they've written to be placed on Wikipedia or given to 3rd parties to place on Wikipedia. Is there any way consistent with this policy to keep track of which business has provided copyright releases for which articles? Smallbones (talk) 23:16, 21 November 2013 (UTC)

Hi Smallbones. You always ask great questions. With respect to the first question, our terms of use does put some limits in place. For example, a purported representative of a business cannot "[w]ith the intent to deceive, post[] content that is false or inaccurate; [a]ttempt[] to impersonate another user or individual, misrepresent[] [its] affiliation with any individual or entity, or us[e] the username of another user with the intent to deceive; [or] [e]ngag[e] in fraud." There is nothing that would prevent the community from putting in a process that would allow for public verification for parties who consent to such a process.

If I am not mistaken, OTRS keeps tracks of the releases and includes a template when permission is given. Here is an example.

Thanks. Geoffbrigham (talk) 18:56, 22 November 2013 (UTC)

Thank you. Smallbones (talk) 15:34, 23 November 2013 (UTC)

Paragraph 1 of Information We Collect:

"We actively collect some types of information with a variety of commonly used technologies. These may include tracking pixels, JavaScript, and a variety of “locally stored data” technologies, such as cookies and local storage. We realize that a couple of these terms do not have the best reputation in town and can be used for less-than-noble purposes. So we want to be as clear as we can about why we use these methods and the type of information we use them to collect."

I strongly object to this policy as proposed. Clear about what is collected? Not yet! No mention of screen / window resolution, plugin versions, fonts available, or lots more. Let's not set a bad example and be deceitful about what we collect and justify it (to ourselves) as necessary for security reasons.

Is it appropriate for users to edit the draft directly at this time? Is the last sentence even a sentence? The draft sure seems to be an early draft, and it's not edit-protected. I could swap in something like this:

(Newer suggestion below.)"We actively collect some types of information with a variety of commonly used technologies. These generally include WP:tracking pixels, JavaScript, cookies, and a variety of other “locally stored data” technologies, such WP:local storage, and may include collected information regarding screen / window resolution, plugin versions, fonts available and more. We realize that a couple of these technologies have poor reputations and can be used for less-than-noble purposes. Therefore, we want to be as clear as we can about why we use these methods and the type of information we collect using them."

--Elvey (talk) 22:38, 8 September 2013 (UTC)

Hi Elvey, thanks for your comments. We are going to check with Tech on this and get back to you. Geoffbrigham (talk) 03:22, 9 September 2013 (UTC)

Dear Elvey,

Thank you for raising this issue. I believe you are asking why we have not included a comprehensive list of the information we are collecting or may collect in the future and you mention a couple of examples including: screen / window resolution, plugin versions and fonts available.

My first response would be that we are already transparent about the information we collect when assessing the efficacy of a new feature. I believe that a better place to disclose that information is not within the Privacy Policy, because it’s a policy which stipulates our principles and guidelines. Those principles and guidelines are embodied when we actually run experiments and collect data. For example, currently we use EventLogging to instrument our features. The mobile team created a schema to determine the number of upload attempts using the mobile Commons app, in order to measure whether new educational UI features were helping more people make their first upload. The schema will tell you exactly what information is collected and for what purpose and if you have a question you can interact with the developers through the talk page.

My second response is that it seems that you are alluding to the practice of browser sniffing to uniquely identify a reader by collecting as much information about the browser as possible including plugins and fonts. The EFF has a website called panopticlick that shows you how unique your browser is based on this technique.

This technique can be used to keep tracking people even when they clear their cookies after each session. Suffice to say, we will never employ this technique because it would violate our principle of collecting as little data as possible.

You are right that you could edit the new Privacy Policy but it would complicate the discussion significantly as we would not refer to the same draft anymore. The Legal Team will make changes in response to feedback from the community after the discussion regarding such change has been fleshed out and they are also trying to track changes internally, both things that would not work very well if everyone was editing the draft.

I hope this addresses your concerns but please feel free to add a follow-up question.

Best regards,

(in my role as Product Manager Analytics @ WMF)

Drdee (talk) 21:21, 11 September 2013 (UTC)

NOTE: what follows is a back and forth with Elvey and Drdee; indentation indicates who said what.

Thanks so much, for a thorough response!

I'm pleased to see that we 'are already transparent about the information we collect when assessing the efficacy of a new feature,' as your example shows. On the other hand, indeed, I strongly object to this policy as proposed, because I don't see that we 'are already transparent about the information we collect,' in general, yet. The place to disclose the latter is within the Privacy Policy, IMO.

I believe we are transparent about the information we collect: we clearly identify different types of information that we collect and for what purpose.

Re. your second response: Indeed, that is what concerns me. We disagree; I do not see browser sniffing as necessarily incompatible with the principle of collecting as little data as is consistent with maintenance, understanding, and improvement of the Wikimedia Sites; I can think of cases where it would aid security. However, I would be happy to see language in the policy that made it clear(er) that browser sniffing is incompatible with policy. What language do you suggest we add to do so, if you are amenable? How 'bout we swap in something like this?:

"We actively collect some types of information with a variety of commonly used technologies. These generally include EN:tracking pixels, JavaScript, cookies, and a variety of other “locally stored data” technologies, such W:local storage, and may include collected information regarding screen / window resolution. We realize that a couple of these technologies have poor reputations and can be used for less-than-noble purposes. Therefore, we want to be as clear as we can about why we use these methods and the type of information we collect using them. Extensive browser sniffing is incompatible with this policy; we will not collect plugin versions, fonts available, HTTP_ACCEPT headers, or color depth information."

I cannot imagine how browser sniffing would ever be compatible with this Privacy Policy (see also my follow-up comment).

Umm, you don't have to imagine. I've already said I can think of cases where browser sniffing would aid security. So unless I'm imagining those cases (and I'm confident that they're not imaginary), does that not mean that the policy allows browser sniffing because it allows collection to aid security, which is part of maintenance. If not, why not?

Any objections to s/seek to put requirements/put requirements/g ? I see no reason to be so wishy-washy. If there are to be exceptions, I feel the policy must state that any such exceptions will be specified, say, in the noted FAQ section. [Update: I see this is discussed already at #Seek_or_find.3F We already have the non-wishy-washy, "We will never use third-party cookies," so I see this seek to crud as unjustifiable.]

We are looking into this to see if it's feasible but it will require a bit of thought and we also look if we should do it in combination with the Data Retention Policy. Stay tuned.

As there were no objections, I did the substitution some days ago. If someone does s/put requirements/has not but plans to to put requirements/g, at least we'll have clarity - it'll be clear that we don't have the requirements in place, and if not, it'll be clear that we do, when this becomes policy.

A desire to 'refer to the same draft' is reasonable, but already out the window; the draft is rapidly evolving due to many recent edits by both the legal team and others. (In future, when a draft is proposed, clarity around this could be created with a statement, perhaps enforced with technical measures, or perhaps just noted with a permalink to the version as proposed.)

In-line reply encouraged. --Elvey (talk) 21:47, 13 September 2013 (UTC)

In-line replies: Drdee (talk) 20:40, 18 September 2013 (UTC)

In-line replies: --Elvey (talk) 17:46, 30 October 2013 (UTC)

┌───────────────────┘
Hello @Elvey: Are there questions here that I can help resolve? Best, Stephen LaPorte (WMF) (talk) 19:36, 11 December 2013 (UTC)

Two suggestions for the privacy policy:

1. Lose the cutesy language and cartoons being used to make Wikimedia's disturbingly extensive user tracking seem less threatening
2. Eliminate Wikimedia's disturbingly extensive user tracking.

It is fundamentally misleading to tell users that Wikimedia does not require any personal information to create an account, and then to actually collect vastly more behavioral information on each user than could ever be requested in a sign-up form, under the guise of "understanding our users better" — exactly the creepy line of every Orwellian data-vacuuming Web site today.

And ironically what is all this "understanding" producing? A site with fairly gruesome usability that's barely changed years and years later. Yet Wikimedia wants to keep track of every piece of content read by every "anonymous" user — associated with information like IP address and detailed browser info, which today in malevolent hands can often easily be associated with real name, address, Kindergarten academic record, likelihood to support an opposition candidate, and favorite desert topping.

It's just not Wikimedia's concern that someone is interested in both Pokemon and particle physics. That doesn't improve either article. That doesn't improve the interface. That doesn't improve the Byzantine and Kafkaesque bureaucracy of trying to find somewhere to report a gang of editors controlling and distorting an article.

To find the phrase "tracking pixels" here is jaw dropping. This is inherently a hacking-like technique to install a spyware file on a user's computer, to evade their express effort not to be tracked by clearing cookies. Web developers bringing these "normal" techniques used by "every other Web site" to Wikimedia, apparently don't understand, that "every other Web site" today is evil — and Wikimedia sites are supposed to be a radically different exception to this.

For readability this comment continues in "Strip Wikimedia Data Collection to the Barest Minimum - Privacy Specifics"

— Privacycomment (talk)Privacycomment

Hi Privacycomment,

Sorry for the slow response -- I understand your concerns as follows:

1) Why are you misleading users when saying they do not need to provide personal information to create an account but meanwhile you collect a lot of behavioral data?

2) Can you demonstrate the benefits of understanding our users better?

3) Why is Wikimedia interested in creating an interest graph?

4) Why are we using tracking pixels?

Question 1: Interacting with our servers will provide us with some data: url visited, timestamp, used browser, etc. It seems that you define this as behavioral data but in fact it is not -- it is non-analyzed webrequest data that we have to store, for a minimum amount of time, to be able to monitor server performance and provide key performance indicators about usage of all the Wikimedia projects (those are two very important use cases). Without that data we would be flying in the dark -- how could we even do capacity planning?

In theory, we could analyze data and infer behavior from that, such as you mention in your paragraph about reader behavior, but atm we are not doing such things.

It's also very important to note that we do not buy 3rd party databases to add demographic data to our data and obviously we would never disclose webrequest data containing Personal Identifiable Information in raw form nor sell it. So I do not agree that we are misleading the users, in fact we are really trying to be as transparent and clear as possible.

Question 2: Our efforts to understand our users in the context of how they use new features have only begun quite recently. The Product team was formed in February 2012 and the E2 / E3 teams (now renamed to Core Features and Growth) started in March 2012. I do not agree that there has been no progress: for example, the E3 team worked on simplifying the account creation process and those improvements were the result of data-inspired decision-making. Other new features that we have rolled out / are rolling out like mw:VisualEditor, mw:Echo and mw:Flow are all supported by data-informed decision-making. I am sure we will see the fruits of this approach soon.

Question 3: AFAICT, there are currently no plans to make an interest graph of the readers but your example is actually a great use case! It could help uncover articles that are being targeted by vandals and in that way it could alleviate the work pressure on patrollers, oversighters and admins.

Question 4: Regarding tracking pixels -- I think we need to unravel this concept a bit more clearly. There are three use cases of tracking pixels:

1) as a very light way to push data from the browser to the server

2) a specific technique of bypassing browser origin restrictions

3) a method to infer whether an email message was opened / read

I suspect that you have big concerns regarding 3) and Fabrice Florin's answer regarding the use of tracking pixels was in this context. On the other hand, mw:EventLogging uses constructing of image requests to push data to server which is 1). I am not aware of an exampe of 2) in our context but given that we have many domain names I would not be entirely surprised that we would use 2) as well.

I hope this addresses your concerns,

Drdee (talk) 21:36, 1 October 2013 (UTC) (in my role as Product Manager Analytics @ WMF)

Regarding tracking pixels, perhaps part of the problem is in terminology. The term "tracking pixels" heavily implies use case #3. I'm not sure there is a widely-recognized term for use cases #1 and #2; any such term would probably be quickly adopted as a euphemism by those using use case #3, leading to the euphemism treadmill. Regarding use case #2, things these days are more likely to use techniques such as CORS as these are less restrictive. Regarding use case #3, I note that many email clients will specifically block externally-loaded images to prevent this.

I suppose CentralAuth's use of such pixel-images might be considered an instance of use case #2: it loads a 1x1 transparent pixel from all the other domains to attempt to set the login cookies for those domains, because the current domain can't set cookies on all those other domains. This could be done (possibly better) in other ways, but it has the advantage of working even when the client has JavaScript disabled. BJorsch (WMF) (talk) 14:31, 2 October 2013 (UTC)

We have edited the tracking pixel language to reflect feedback received in this discussion thread and others like it. Please let us know if you have any further questions or concerns regarding the applicable tracking pixel language. Thanks! Mpaulson (WMF) (talk) 19:22, 22 November 2013 (UTC)

This is what Wikimedia should know about its users —

For anonymous readers, the sole data collected should be IP address, URL visited, and basic user-agent data (as specifics can be quasi-identifying): platform, browser name, major version, screen size. And this data should be immediately split into three separate log files, each separately randomized in half-hour time blocks, with the default Web server log disabled or immediately obliterated. So that, that secret governmental order to hand over every Wikipedia article read by a particular IP address simply can't be complied with. And so that that great new Wikimedia employee, who no one would suspect is working for a supragovernmental/governmental/corporate/mafia espionage operation, can't get at it either.

For anonymous editors the sole data collected should be that of anonymous readers, plus:

• the data of the actual edit of course

• the IP address of the edit, stored for one week (without data backups) and then obliterated, and viewable only by administrators investigating potential spam, vandalism, or other violations of Wikimedia rules during that week.

Public-facing edit records, and administrator-facing edit records after one week, should associate only the phrase "Anonymous Edit" or "One-Time Edit by [ad hoc nickname]". Wikimedia should use automated systems to detect any administrator accessing the IP address data associated with edits which are not likely to be spam, vandalism, or other violations of Wikimedia rules.

For logged-in users the sole data collected should be that of anonymous editors, plus:

• their username at sign-up and log-in
• their email address at sign-up if given
• a public-facing list of their edits (of all types) on their user page
• the contents of a Wikimedia browser cookie, set when they log in to a Wikimedia site, and deleted if/when they log out, which contains solely their username and encrypted password
• an administration-facing log of Wikimedia messaging and banners which they have already received
• an optional administration-facing flag in their account, indicating that they have donated to Wikimedia in month/year, without further identifying data, so as to suppress fundraising banners (if they have elected to overtly identify themselves with a Wikimedia username when making a donation).

Email addresses should be accessible for use for bulk mailings only by Wikimedia employees, and the email list file should be encrypted to prevent theft by corrupt or disgruntled Wikimedia employees.

For basic-level administrators the sole data collected should be that of logged-in users, plus their (pseudonymously-signed) administrator contract.

And no Wikimedia server or office should be located in any country — whether admitting to be a dictatorship or still pretending to be a democracy — which overtly, or by secret order, requires Wikimedia to collect or retain any data other than that specified here for these non-commerce functions.

Thank you for your consideration of these points,

— Privacycomment (talk)Privacycomment

No, I'm not going to harp on about using Rory as it appears that you're determined to use him whether he is redundant gimmick or not.

Other than feeling that one instance of his use is sufficient, if he is to be used as currently stands, serious consideration needs to be given to rules of thumb pertaining to desktop publishing and website development. Culturally, the English language is read from left to right, meaning that English readers are acclimatised to the left hand side of the page being the central focal point when dealing with anything text orientated. Not only is there no word-wrap around the Rory images in order to allow for a longer continuum of text (remembering that we read ahead by a minimum of several words at a time), the entire left side of the document disturbs the reader's expectations by sandwiching the text (and tables!) to the right. Bear in mind that these rules of thumb were developed through experience and behavioural studies over many years, right down to serif being preferred for paper documents, while sans serif reads more comfortably online. It's foolhardy to disregard certain standards which have been proven in order to 'experiment' with other techniques.

I've spent over three decades involved with pedagogical issues surrounding visual teaching methods/delivery, from secondary education to Post Graduate research presentation (I'm speaking of delivery at tertiary MA and PhD level by 100% research), so I'm not just blowing smoke.

If Rory is to be used, the 'culturally logical' layout for any Latin script language is to about-face the set-out of current draft and have him on the right-hand side. I'd also suggest that he could be made a little smaller and that word-wrap be used. --Iryna Harpy (talk) 04:21, 10 September 2013 (UTC)

Hi Iryna Harpy! Thank you for bringing this point up. I know that some of the decision involved in placing Rory on the left-hand side of the page and not wrapping the text around him had to do with making the format easily adaptable to different scripts and different screen/window sizes. I'll have one of the people who helped with the layout address those issues in more detail on this thread.

On a related note, based on community feedback, we are going to experiment with how to make Rory more useful in explaining the major concepts of the privacy policy over the next week. Some of the ideas we are going to try are either providing Rory with a narrative or with bullet points about the big concepts. If you have other ideas, we'd love to hear them. We're going to try to get some prototypes out to the community to see if they think that adds value. I'm hoping once we have a better idea of what text would accompany Rory (if any and assuming Rory stays in the policy), we can experiment with the layout to see if there are ways to make it more readable as you suggested. Mpaulson (WMF) (talk) 23:47, 10 September 2013 (UTC)

Right. I'm seeing both support for and opposition to Rory, but I want to make clear we have not "determined to use him." As explained above, we are playing with the idea, which is why your feedback for or against is important. If, after taking into account community feedback, it doesn't make sense after some experimentation, we won't use him; if it does, we might. That said, IMHO, visuals are important, as I suggested above. So alternative ideas are also welcome. Many thanks. Geoffbrigham (talk) 07:44, 11 September 2013 (UTC)

Thank you both (Mpaulson (WMF) & Geoffbrigham) for your responses. I suspect I speak for quite a few people responding to the draft policy when I say that my main concern was that Rory had already been locked into the presentation and was going to be worked in regardless of whether his 'presence' was superfluous or not. As I'm now feeling a little more assured that he's not a given, I'll abstain from further critiques regarding that aspect of the updated policy until the proposed prototypes are up and will judge as objectively as is possible at that point. I'm certainly not going to approach the subject with prejudice and will reserve judgement bearing context in mind. Cheers! --Iryna Harpy (talk) 02:01, 12 September 2013 (UTC)

I agree one hundred percent with Iryna Harp's concerns about text layout. As I understand the purpose is: "We want to make these documents as accessible as possible to as many people as possible." Congratulations, you have managed to do the opposite.

The big text boxes at the top, which are not part of the Privacy Policy, are not helping either. It's even hard to find out where the actual proposed privacy policy begins.

I believe you have successfully managed to prevent the majority of people of reading the proposed privacy policy.

Suggestions:

1. If you do something special with the layout like text placement, illustrations and use of big icons, make sure it increases accessibility and not the opposite.
2. Make the page look like a regular Wikipedia article page where people can start reading the proposed privacy policy immediately.
3. Rename the page so it's clear from the name that this is a proposal and not the current privacy policy. For example "Proposed privacy policy" or "Privacy policy (draft)" or "Privacy policy (proposal)".
4. Remove the side notes that are not part of the proposal. Instead, add a side bar at the right linking to side notes.

Cheers! --Aviertje (talk) 09:06, 16 September 2013 (UTC)

(Reply to second suggestion. Moved by Aviertje (talk) 18:50, 17 September 2013 (UTC))

I think we should provide a link at top to the main policy, as we did with the Terms of Use. See http://wikimediafoundation.org/wiki/Terms_of_Use Geoffbrigham (talk) 10:32, 17 September 2013 (UTC)

Geoffbrigham, I moved your in text replies down. I hope you approve. I also added numbering to my suggestions.

Providing a link at the top to the main policy would certainly help. But I don't understand putting in an obstacle and providing a link to move past it. There shouldn't be any obstacle accessing the terms of use or privacy policy. When people want to consult the terms of use or privacy policy, they want to read the real deal and not any unofficial comments. Any accompanying comments should not form an obstacle. --Aviertje (talk) 18:50, 17 September 2013 (UTC)

I understand your point, Aviertje, but, in the context of the terms of use, the user-friendly summary was in fact proposed by the community (not WMF), and we have received a number of positive comments about it since. In this discussion, people are saying that they want nutshell summaries of our privacy principles, and, as I see it, the user-friendly summary will satisfy that need. So, if you don't mind, I would like to monitor this issue and see if others feel strongly. In the meantime, I will have this link put above the user-friendly summary:

This is a summary of the [draft] Privacy Policy. To read the full terms, scroll down or click here.

Thanks. Geoffbrigham (talk) 11:54, 18 September 2013 (UTC)

The unofficial summary and the official privacy policy (or terms of use) serve completely different purposes and should not be mixed. I looked up the proposal for an informal summary and looked at the following edits to this proposal. It was suggested to create a separate informal summary containing a link to the official terms of use and managed by the community. Placing this unofficial summary above the official terms of use seems to be your own initiative. The fact that people value the unofficial summary does not mean it should be located here. It might be a good idea though to include such summary (officially) in the introduction of the privacy policy/terms of use. --Aviertje (talk) 22:03, 18 September 2013 (UTC)

Let's see if we hear additional objections. I know the user-friendly summary was posted at the top of the terms of use for some time during the consultation, and I don't recall any objection. Now that the issue has been raised, I will monitor and see if there is any other opposition to its placement vis-a-vis the privacy policy. Tx. Geoffbrigham (talk) 22:53, 18 September 2013 (UTC)

(Reply to fourth suggestion. Moved by Aviertje (talk) 18:50, 17 September 2013 (UTC))

I'm sorry. Could you explain this a bit more. Thanks. Geoffbrigham (talk) 10:32, 17 September 2013 (UTC)

With 'side bar' I meant a sidebar, a box at the right like on the page with the current privacy policy.

With side notes I meant all comments that are not part of the proposed privacy policy. Like the "This draft Privacy Policy needs your feedback..", "Want to help translate?..", "This is a user-friendly summary of the privacy policy..". Even the "This is a draft of a proposed privacy policy.." can be removed if the title is changed like I suggested in suggestion 3 above. --Aviertje (talk) 18:50, 17 September 2013 (UTC)

Thanks. I am monitoring to see if others feel the same way. Geoffbrigham (talk) 21:53, 15 November 2013 (UTC)

Lots of small details.

• Your Public Contributions: "Please do not contribute any information that you are uncomfortable making permanently public, like the picture of you in that terrible outfit your mom forced you to wear when you were eight." Such a picture is unlikely to be kept anyway, so it's not a good example. I'd either remove the example or change it into something like: ...permanently public. For instance, if you reveal your real name somewhere, it will be permanently linked to your other contributions. (A better example/phrasing would be appreciated)
  • Thanks for that practical suggestion -- I changed the example in the draft policy. Stephen LaPorte (WMF) (talk) 01:08, 7 November 2013 (UTC)

    Good. //Shell 06:19, 11 November 2013 (UTC)

• Account Information & Registration:
  • There's a link Privacy policy FAQ#standardaccount, but that section/ID doesn't exist on the page.
    • Looks like an issue with the {{anchor}} on the FAQ. It should be fixed now. Stephen LaPorte (WMF) (talk) 01:08, 7 November 2013 (UTC)

      Works now. //Shell 06:19, 11 November 2013 (UTC)

  • "Your username will be publicly visible, so please think carefully before you use your real name as your username." Slightly ambiguous (to me): Could be interpreted as the username should be your real name, so think carefully whether you want to sign up. The preceding sentence and the following paragraph make it clearer, but I'd still rephrase it (not sure how though - also not a big deal).
    • Would it be clearer to say:

Your username will be publicly visible, so please be careful if you choose to use your real name as your username

I find the current privacy policy much more clear than the new one. It's much easier to retrieve information from it. One of the reasons I think is because there are redundant headings in the proposed new privacy policy. If you remove the headers "Welkom!", "Use of info", "Sharing", "Protection" and "Important info", the document suddenly makes much more sense.

It looks like meaningless headers were added, only to provide for short descriptions for the big icons. I suppose this is done to make the document look more attractive to a younger audience and to lure people into clicking the icons at the top. Also the numbering of chapters seems to be removed to support the structure created by the big icons. It may look more cool and attractive and you perhaps get more clicks, but I'm sure the actual information comes across much harder. --Aviertje (talk) 15:15, 19 September 2013 (UTC)

Hi Aviertje. Thank you for your suggestion. The purpose of the icons was to make it easy for people to skip to sections that they are looking for or are the most interested in. I see what you're saying about some being redundant, such as when the "Sharing" icon and heading is immediately followed by the subsection heading "When May We Share Your Information?". However, other times, the icon and accompanying heading help group together related subsections. For example, the "Important Info" icon and heading groups together "Where is the Foundation and What Does that Mean for Me?", "Changes to This Privacy Policy", "Contact Us", and "Thank You!". The Introduction icon and heading do something similar.

The hope was not to make the document look attractive (although that's not the worst thing to do if you are trying to encourage people to read something), but to make it more navigable. What do others think? Do the icons and section headings help? Mpaulson (WMF) (talk) 18:12, 19 September 2013 (UTC)

It's funny that you mention "Important info" as an example. "Important info" says absolutely nothing. Each chapter could be named that. Naming it "I don't know what to name this" would even be more informative.

BTW. "Welcome!" is a bad title, because the section is not about welcoming the reader. It can be a greeting if you make it normal text instead of a header. "A Little Background" is also a bad title. The inconsistent use of the informal word "info" looks strange. --Aviertje (talk) 16:34, 20 September 2013 (UTC)

Hi Aviertje. If you have suggestions as to what the titles should be renamed as, I'd like to hear them and hear what other community members think, both about the current titles and your proposed titles. Mpaulson (WMF) (talk) 22:31, 26 September 2013 (UTC)

Like I said at the beginning lose the meaningless headers "Welkom!", "Use of info", "Sharing", "Protection" and "Important info". As to "A Little Background", what do you think of "Language used in this policy"? --Aviertje (talk) 22:15, 30 September 2013 (UTC)

I would like to hear if others feel the same way. Thanks. Geoffbrigham (talk) 20:31, 15 November 2013 (UTC)

Cookies help us deliver our services. By using our services, you agree to our use of cookies. [button]OK[/button] [link]Learn more[/link]

It is in the best interest of users and the Foundation to include a similar message indicating to that effect the use of cookies and an explicit click of the "OK" button indicating the user's acceptance to the Privacy Policy. This is particularly helpful rather than stating that the user automatically agrees to the Policy when said user visits the Sites. 184.147.55.86 21:33, 2 October 2013 (UTC)

Great idea. A volunteer started to document cookies used by WMF sites at cookie jar, but it is not even close to being complete. By the way, I believe that google.co.uk asks the user about cookies because of the EU's E-Privacy Directive. The Wikimedia Foundation might legally need to do so because they use cookies that are not "strictly necessary", but I'm sure they would have done so by now if legally required. Let's leave that to Legal. Even if it's not legally required, it may be better to inform users, however, as you say. PiRSquared17 (talk) 21:55, 2 October 2013 (UTC)

A lot of European websites inform about cookies because of that directive. As Wikimedia Foundation projects are hosted in the United States, I would assume that the Wikimedia Foundation doesn't have to do this, but nothing prevents the Foundation from informing about cookies either. --Stefan2 (talk) 10:26, 3 October 2013 (UTC)

We have seen this in several places here recently: the rationale, explicit, implict or presumed, that if WMF is not legally required to do something then it need not. While that may be correct legally, it suggests a somewhat limited commitment to users' privacy. There is no technical reason not to follow the European practice voluntarily, and I for one would suggest that WMF sites should do so as a matter of good practice. Could we hear an explicit reason why WMF has decided not to do so in these cases: a reason, that is, going beyond "we don't have to". Spectral sequence (talk) 18:42, 4 October 2013 (UTC)

I agree that this is a good idea. Could someone make a mockup of this? PiRSquared17 (talk) 02:42, 5 October 2013 (UTC)

Hi All. Thank you for bringing this issue up. This possibility was actually discussed internally when we were formulating this draft of the privacy policy. We decided not to explore this option further mostly because we were concerned that such pop-ups would take away from the user experience -- people generally do not like pop-ups as part of their interactions with a site. We don't think that having such a pop-up would be wrong or inappropriate per se, but it's a trade-off. If there was a significant call from the community to implement such pop-ups, we would happily discuss this possibility with the tech team again. Mpaulson (WMF) (talk) 20:36, 1 November 2013 (UTC)

• Support for pop-ups, as nominator. 184.146.127.142 22:47, 4 November 2013 (UTC)

The draft EU Data Protection Regulation will probably come into force in 2016. It is proposed that it will apply to all non-EU companies processing the data of EU citizens. While of course we appreciate that the WMF is legally situated in the USA, its interactions with users situated in the EU will be affected by the Regulation. How does the proposed Privacy Policy sit with respect to the EU proposals? Spectral sequence (talk) 17:28, 6 October 2013 (UTC)

Hi Spectral sequence! We are aware of the upcoming draft and are tracking the regulation accordingly. The privacy policy draft was written with EU principles in mind and reviewed by EU counsel, but does not incorporate every EU regulation or proposal. Frankly, there is a lot that can happen to the content of proposed EU Data Protection Regulation between now and actually implementation of the regulation and we don't think it's wise to speculate quite yet as to how this will impact the privacy policy draft. We will, of course, keep tracking it and once the language of the regulation has been finalized and an adoption timeline is being established, we reevaluate the privacy policy to see if any changes are needed. Mpaulson (WMF) (talk) 19:22, 1 November 2013 (UTC)

I've rewritten the discussion of what the policy doesn't cover,[7] after an earlier discussion with Nemo about the clarity and organization of it. The substance is largely the same (or is intended to be), but hopefully it is easier to find relevant sections now. Please review and leave any comments here. Thanks! -LVilla (WMF) (talk) 19:52, 21 November 2013 (UTC)

"We believe that you shouldn't have to provide personal information to participate in the free knowledge movement."/"If you want to create a standard account, we do not require you to submit any personal information to do so" -- According to your definition of "personal information," this term refers, among other things, to "address, phone number, email address, password, identification number on government-issued ID, IP address, credit card number". Bur clearly you provide your IP address when creating an account. — Pajz (talk) 06:31, 1 December 2013 (UTC)

Interesting point, Pajz; I think we intended to say that we don't force you to provide that information; whereas IP address must be provided by the nature of the architecture of the internet. So, yes, this is possibly contradictory, but I think only in a minor way. We're considering tweaking that definition for other reasons, so we'll try to take that into account when we revise it. -LVilla (WMF) (talk) 20:22, 3 December 2013 (UTC)

In discussing this comment after I posted it, I realized that I had misunderstood how we handle IPs when new user accounts are created. So I'd propose changing the "standard account" sentence to read: "If you want to create a standard account, we require only a username and a password. Your username will be publicly visible, so please be careful about using your real name as your username. Your password is only used to verify that the account is yours. Your IP address is also automatically submitted to us, and we record it temporarily to help fight spam. No other personal information is required: no name, no email address, no date of birth, no credit card information." -LVilla (WMF) (talk) 21:36, 3 December 2013 (UTC)

It's used for more than just fighting spam though. "prevent abuse" is probably more accurate, though a little more vague. Legoktm (talk) 20:23, 4 December 2013 (UTC)

Yes, that makes sense; will make that change. Anyone else have other comments/suggestions? -LVilla (WMF) (talk) 19:03, 9 December 2013 (UTC)

And I've made the change. Thanks for the comments, both of you. I'm closing this; if anyone else has comments on the new language, please open a new discussion section. -LVilla (WMF) (talk) 23:18, 18 December 2013 (UTC)

Err, that's not what I suggested. I said not to say "fight spam". Legoktm (talk) 16:24, 19 December 2013 (UTC)

Gah, copy-paste fail. Fixed. -LVilla (WMF) (talk) 19:38, 19 December 2013 (UTC)