The proposal frames CheckUser access more clearly as a permission – used by different status – with defined rights.
It highlights the need to follow both local and WMF-wide policies.
Lead sections
Current text
CheckUser status
CheckUser is an interface for users with the checkuser permission. A user with the checkuser permission on a wiki can, in particular, check if a user is a sockpuppet of another user on that wiki (not on all wikis). By using it, users are able to:
Determine from which IP addresses an account has performed edits, logged actions, or password resets on the Wikimedia wiki;
Determine all edits, logged actions, login attempts, and password resets that were performed on the Wikimedia wiki from a specific IP address (including users who were logged in with an account);
Determine whether the account being checked has sent an email using the MediaWiki interface to any other user. The time of the event is logged; the destination email address and destination account is obscured.
This information is only stored for a short period (currently 90 days), so edits made prior to that will not be shown via the CheckUser tool. A log is kept of who has made queries using the tool. This log is available to those with the checkuser-log permission:
[...]
See Help:CheckUser for the user manual.
[...]
Mailing list
There is a closed mailing list (CheckUser-l) to which all stewards and CheckUsers should have access. Email the list moderators to gain access. Use this mailing list to ask for help, ideas and second opinions if you're not sure what the data means.
IRC channel
There is a private IRC channel (wikimedia-checkuser) to which all stewards and CheckUsers who use IRC should have access. This channel serves the same purpose as the mailing list, but in real-time. Contact any channel member to gain access; a channel manager will grant permanent access. Ask a steward if you need help gaining access.
Proposed text
CheckUser access refers to the ability to view non-public information, such as IP addresses and other technical details associated with user activity on Wikimedia projects. This access is tightly restricted and is available to CheckUsers, Stewards, and users in the staff global user group.
CheckUser access represents the permission to use the tools provided by the Extension:CheckUserto monitor and investigate potential abuses, in accordance with community-established policies (such as this CheckUser policy) and Wikimedia Foundation policies.
Rights
On Wikimedia wikis, users in checkuser group have the following rights by default. Some wikis may have additionnal rights.
'checkuser' — Check users' IP addresses and other information – Access to special pages (see below)
'checkuser-log' — View the checkuser log
'checkuser-temporary-account' — View IP addresses used by temporary accounts
'ipinfo-view-full' — Access a full view of the IP information attached to revisions or log entries
'ipinfo-view-log' — View a log of who has accessed IP information
They may also have access to closed and private features:
mailing list: there is a closed mailing list (CheckUser-l) to which all stewards and CheckUsers should have access. Email the list moderators to gain access. Use this mailing list to ask for help, ideas and second opinions if you're not sure what the data means.
wiki: there is a private wiki to which all stewards and CheckUsers should have access.
IRC channel: there is a private IRC channel (#wikimedia-checkuserconnect) to which all stewards and CheckUsers who use IRC should have access. This channel serves the same purpose as the mailing list, but in real-time. Contact any channel member to gain access; a channel manager will grant permanent access. Ask a steward if you need help gaining access.
monitor actions performed by other users with CheckUser access.
Note, however, that local communities may grant “full access” (investigation and monitoring) or limit it to just one of the two functions. For example, a community-run body with CheckUser access may be authorized to monitor only, or it may be granted full access.
There are different types of CheckUsers: individuals elected or appointed in their own capacity, and those who are members of a user group which has CheckUser access (such as an Arbitration Committee).
It allows local communities to distinguish the « different roles » between these types of CheckUsers.
It introduces a new concept which is part of the proposal called « community-run body ».
Current text
None
Proposed text
Note, however, that local communities may grant “full access” (investigation and monitoring) or limit it to just one of the two functions. For example, a community-run body with CheckUser access may be authorized to monitor only, or it may be granted full access.
Avoids vague phrasing such as “use of the tool” by specifying the actions involved (investigation)
The main reasons for conducting investigations remain unchanged
Current text
Use of the tool
The tool is to be used to fight vandalism, spamming, to check for sockpuppet abuse, and to limit disruption of the project. It must be used only to prevent damage to any of the Wikimedia projects.
The tool should not be used for political control, to apply pressure on editors, or as a threat against another editor in a content dispute. There must be a valid reason to use the CheckUser tools to investigate a user. Note that alternative accounts are not forbidden, so long as they are not used in violation of the policies (examples of violations include double-voting, increasing the apparent support for any given position, or to evade blocks or bans).
Notification to the account that is checked is permitted but is not mandatory. Similarly, notification of the check to the community is not mandatory, but may be done subject to the provisions of the privacy policy.
Some wikis allow an editor's IPs to be checked upon their request if, for example, there is a need to provide evidence of innocence against a sockpuppet allegation; note, however, that requesting a CheckUser in these circumstances is sometimes part of the attempt to disrupt.
Proposed text
Use
The use of investigation is approved to prevent harm to Wikimedia projects, including fighting vandalism, spamming, detecting sockpuppet abuse, and minimizing disruptions.
The tool must not be used for political control, pressuring editors, or threatening others in content disputes. A valid reason is required to conduct an investigation, as alternative accounts are allowed unless they violate policies (e.g., double-voting, manipulating support, or evading blocks/bans).
Notification to the checked account or to the community is optional but permitted, subject to the privacy policy.
In some wikis, editors may request IP checks to provide evidence against sockpuppet allegations, though such requests can sometimes be part of disruptive behavior.
Proposal E: « Requirements for local communities »
The old section « Appointing local CheckUsers » is splitted in two parts:
« Requirements for local communities », in which, the main two ideas (2 users with CheckUser access or none; advertise properly) remain unchanged.
In a new « Appointing local CheckUsers », which is reviewed later (below).
Two new ideas:
Local communities may set additional rules, but these must not conflict with global (e.g. this policy) or WMF policies.
Local communities are responsible for handling complaints — either directly or through appropriate bodies.
It introduces a new concept which is part of the proposal called « community-run body ».
Current text
Appointing local CheckUsers
[...]
On any wiki, there must be at least two users with CheckUser status, or none at all.
[...]
the community may approve local CheckUsers (stewards not counting as local CheckUsers)
[...]
The candidate must request the CheckUser statuswithin the local community and advertise this request properly (village pump, mailing list when available, special request page, etc.).
Proposed text
Requirements for local communities
Communities must comply with these requirements:
The candidate must request CheckUser accesswithin the local community and advertise this request appropriately (e.g., village pump, mailing list when available, special request page, etc.).
A wiki must have at least two local users[1] with CheckUser access to oversee and verify each other's actions; otherwise, no one should have access to the tools.[2]
While local communities may establish additional requirements to complement the global community-set standards[3], WMF-set requirements, or other Wikimedia Foundation policies, these additional requirements must not override or conflict with them.
The community must address complaints, especially those related to abuse or misuse, either directly or by referring them to the appropriate body:
Complaints involving private data may be handled both by a community-run body with CheckUser access and the Ombuds Commission;
Complaints related to other concerns, such as account inactivity, may be addressed by a community-run body with or without CheckUser access (e.g., Arbitration Committee, sysop-run body, Request for Comment) for resolution.
The main section « Privacy policy » remains unchanged.
The section « Information release » is reviewed:
The proposal is outlining what is and isn't permitted under these policies.
Ambiguous phrasing such as “it's best not to reveal personal information if possible” or “Generally, do not reveal IPs” has been reviewed and clarified.
On Wikimedia projects, privacy policy considerations are of tremendous importance. Unless someone is violating policy with their actions (e.g. massive bot vandalism or spam) and revealing information about them is necessary to stop the disruption, it is a violation of the privacy policy to reveal their IP, whereabouts, or other information sufficient to identify them, unless they have already revealed this information themselves on the project.
Information release
Even if the user is committing abuse, it's best not to reveal personal information if possible.
Generally, do not reveal IPs. Only give information such as same network/not same network or similar. If detailed information is provided, make sure the person you are giving it to is a trusted person and will not reveal it himself/herself.
If the user has said they're from somewhere and the IP confirms it, it's not releasing private information to confirm it if needed.
On Wikimedia projects, privacy policy considerations are of tremendous importance. Unless someone is violating policy with their actions (e.g. massive bot vandalism or spam) and revealing information about them is necessary to stop the disruption, it is a violation of the privacy policy to reveal their IP, whereabouts, or other information sufficient to identify them, unless they have already revealed this information themselves on the project.
Information release
Users with CheckUser access must not publicly disclose confidential information. However, they may:
Share any information with other users with CheckUser access;
Share public information (accessible otherwise than by using their tools, for example from Special:Log);
Communicate information that is too vague to be considered sensitive, such as:
↑If only one user with CheckUser access remains (e.g., due to resignation, retirement, or removal of the other), their CheckUser rights will be suspended until a second user with CheckUser access is appointed.
Local checkuser and oversight policies cannot be less strict than their global equivalents. However, local policies can be more strict if the community of that wiki wishes for them to be so. If a wiki has decided to operate with a stricter policy, then the Ombudsman Commission does not have the authority to recommend changes to this.
