Harassment consultation 2015/Ideas/Review of privacy policy enforcement

From Meta, a Wikimedia project coordination wiki

Project idea

Idea by: Neotarf

What is the problem you're trying to solve?

While the Foundation has a fairly comprehensive Privacy policy, there is no reliable means of enforcing it.

1) The privacy policy is currently a 6548-word block of text. The criteria for what users can expect to be treated as private information are in a table marked "definitions". The Foundation has identified 17 different "definitions" of "personal information" "that could be used to personally identify you". There is no way to link to a specific definition for the purposes of communicating with oversighters.

2) Currently, oversighters speak various languages, and may speak English or understand English slang with varying degrees of fluency. It may be difficult to communicate with such a person exactly what you are asking them to oversight and why, especially when it is not possible to link to the exact part of the policy you are asking them to enforce.

3) The policy states unequivocally "For the protection of the Wikimedia Foundation and other users, if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites." Unfortunately, the paragraph structure of the document does not allow linking to this specific statement, only to the 6000-some page document as a whole. There is no way to enforce this policy.

4) According to the policy, "the relevant community... are not permitted to create new exceptions or otherwise reduce the protections offered by this Policy"; however, deletion of private data may be refused by oversighters unless it is specifically listed in the enwiki policy as well. Again, it is not possible to link directly to this statement in the policy or even provide a paragraph number for reference.

5) Oversighters may set other personal criteria for oversights: the person requesting deletion may be expected to "prove" they would be put in "danger" without the oversight, but no criteria are offered for what would constitute acceptable "proof".

6) Oversighters may refuse to oversight privacy violations for members of groups they do not like, while oversighting material not specified in policy for groups they do like, such as removing information about user names on external websites.

7) Oversighters may refuse to oversight privacy violations because they say they have seen other similar privacy violations that have not been oversighted elsewhere.

8) Oversighters may refuse to oversight privacy violations by other oversighters.

9) There is no supervision of oversighters, or any chain of command for reporting problems with oversighting.

10) The failure of the privacy system can disproportionately affect users who are female, LGBT, or who live in the Global South, as these individuals may be more likely to experience gender-based backlash, or find it more difficult to freely express themselves, to edit on particular topics, or topics that might later be considered risky in a particular geographical location, and may cause them to restrict their level of public engagement, worry about how their employers or schools might respond if they are targeted, or it may even interfere with their tangible life opportunities by limiting their ability to accept work contracts in areas where they were accustomed to safely work before.

What is your solution?

A privacy policy is useless unless it results in removal of personal information.

Privacy violations should be removed as quickly and quietly as possible. Users who have been doxed should not have to make repeated requests, or have to argue with oversighters, or have to send repeated emails from insecure locations.

There needs to be a central location where one request can be made and the information removed, the first time. This needs to be a staff member who is accountable to the Foundation, or the oversighters need to be supervised by a staff member who has enough authority to deal with any problems, and if necessary, to remove the information themselves. The name of the responsible staff person needs to be made available to users.

Oversighters who have knowledge about the location of unsuppressed personal information should be required to either remove it themselves or report its location so it can be removed by someone who is willing to follow the policy.

The privacy policy page needs to be restructured with proper TOC or at least numbered paragraphs for referencing.


Discuss this idea at: Talk:Harassment consultation 2015/Ideas/Review of privacy policy enforcement