Stewards' noticeboard
- This is not the place for stewards requests. To make a new request, see steward requests and requests and proposals.
- For illustration of steward policies and use, see the steward handbook.
- See also: Access to nonpublic personal data policy noticeboard.
- This page is automatically archived by SpBot. Threads older than 30 days will be moved to the archive.
 |
SpBot archives all sections tagged with {{Section resolved|1=~~~~}} after 2 days and sections whose most recent comment is older than 30 days.
|
Intrusive surveillance script at trwiki
[edit]I talked about this in the Wikimedia Community Discord, and I was directed here by a steward (@AntiCompositeNumber:). Apparently 2 years ago the Turkish Wikipedia added a script to its common.js that monitors the browsers of every Wikipedia reader, logged in or otherwise, and publicly reports changes to the HTML using the "inspect element" tool of the browser. Here's the script, and here's the frankly way too short discussion in trwiki about its implementation.
I found out about this after another user tried to talk about this in the Turkish Wikipedia's village pump, but it was reverted as a "troll" just a few hours later. I tried it to see if it was true after reading about its reverted discussion. I was threatened with a block for this experiment, so I did not continue. Thanks for your attention. Betseg (talk) 23:07, 10 April 2026 (UTC)
- To add a bit more context here, the script causes the user to make an edit on a report page if the user uses the console to edit their username specifically for the purposes of impersonating an administrator. Apparently there has been a problem with users using the console to change the username and then take screenshots for use off-wiki. Would appreciate someone a bit more technically minded confirming exactly how the script does that and if it is violating user privacy in doing so - at a glance I don't see anything myself. – Ajraddatz (talk) 23:49, 10 April 2026 (UTC)
- The primary problem I see is that this script is causing automated revisions to be published under the logged-in user account without an intentional action to publish. As a result, a revision is attributed to that user and licensed under CC BY-SA, undermining the expectation of informed consent. This does not appear to require emergency intervention, as the script does not appear to capture or publish any sensitive information (such as browser or OS data). This seems like an inappropriate use of common.js and is trivial for bad actors to bypass. I suggest this project look into using AbuseFilter or other server-side mechanisms to log suspicious edits instead. — xaosflux Talk 00:40, 11 April 2026 (UTC)
- I'm not sure that the abusefilter would work here, as there are no edits that could be flagged. I agree generally with the concern around forcing the user to publish an edit. However if WMF legal has already reviewed I'm not sure what else we would be able to do here, other than nudging the community to make changes or re-evaluate the need for the script. – Ajraddatz (talk) 03:21, 11 April 2026 (UTC)
- Ah ok, so these are people that aren't even attempting to publish a revision - that are then being tricked in to publishing a revision without being show and agreeing to the TOU and Copyright notice - that seems like an issue itself. Not sure if that specific concern was brought up to legal. — xaosflux Talk 13:51, 11 April 2026 (UTC)
- This is not a security problem. If interface admins want to do weird stuff they will. If the trwiki community is OK with what that script is doing I don't see a problem. I would personally avoid doing such things, but hey, some LTA are weird and dumb so maybe that works. I mean this should only work once. Nux (talk) 22:18, 12 April 2026 (UTC)
- I'm not sure that the abusefilter would work here, as there are no edits that could be flagged. I agree generally with the concern around forcing the user to publish an edit. However if WMF legal has already reviewed I'm not sure what else we would be able to do here, other than nudging the community to make changes or re-evaluate the need for the script. – Ajraddatz (talk) 03:21, 11 April 2026 (UTC)
- The primary problem I see is that this script is causing automated revisions to be published under the logged-in user account without an intentional action to publish. As a result, a revision is attributed to that user and licensed under CC BY-SA, undermining the expectation of informed consent. This does not appear to require emergency intervention, as the script does not appear to capture or publish any sensitive information (such as browser or OS data). This seems like an inappropriate use of common.js and is trivial for bad actors to bypass. I suggest this project look into using AbuseFilter or other server-side mechanisms to log suspicious edits instead. — xaosflux Talk 00:40, 11 April 2026 (UTC)
- Read WMF Legal's comment here: [1]. Nemoralis (talk) 02:43, 11 April 2026 (UTC)
- So is blocking users for editing their local HTML, and threatening to block users and calling them a troll for trying to start a discussion about this, ok? Betseg (talk) 05:26, 2 May 2026 (UTC)
- Thanks @Betseg for raising this concern here. The script is written in good faith, and I understand the underlying problem that it is intended to mitigate. However, I have major concerns, one of which is that the TrWiki community did not give an informed consent to this script. It was discussed only within the "technical" sub page of the local village pump, which many community members do not follow in detail. What the script is doing should have been explained in plain language in the more commonly followed section of the village pump. Community members who asked questions about this were ignored, and who (possibly) experimented with this were sanctioned. It is a piece software that runs in a user's browser in a way that is against their own interests, and uses the media-wiki interface to force an edit on the user which they did not intend to make; publicly revealing, at the very least, exactly what time they were online, against their will. @EMagallanes (WMF), @PBradley-WMF : Curious if the legal team needs to reassess this. Again, this is not a criticism about the author of the script, but a legitimate concern about its presence on Turkish Wikipedia, and it being served from Wikimedia servers. Best, TheJoyfulTentmaker (talk) 02:05, 29 May 2026 (UTC)
- I think legal currently has their hands full with the union busting stuff, can't really give attention to this small matter. Betseg (talk) 04:53, 29 May 2026 (UTC)
- Thanks @Betseg for raising this concern here. The script is written in good faith, and I understand the underlying problem that it is intended to mitigate. However, I have major concerns, one of which is that the TrWiki community did not give an informed consent to this script. It was discussed only within the "technical" sub page of the local village pump, which many community members do not follow in detail. What the script is doing should have been explained in plain language in the more commonly followed section of the village pump. Community members who asked questions about this were ignored, and who (possibly) experimented with this were sanctioned. It is a piece software that runs in a user's browser in a way that is against their own interests, and uses the media-wiki interface to force an edit on the user which they did not intend to make; publicly revealing, at the very least, exactly what time they were online, against their will. @EMagallanes (WMF), @PBradley-WMF : Curious if the legal team needs to reassess this. Again, this is not a criticism about the author of the script, but a legitimate concern about its presence on Turkish Wikipedia, and it being served from Wikimedia servers. Best, TheJoyfulTentmaker (talk) 02:05, 29 May 2026 (UTC)
I'm doubtful that this RFC has achieved success that the initiator has hoped for. Should've been closed earlier, IMO. George Ho (talk) 12:37, 28 May 2026 (UTC)
Requests for comment/Restrict non-confirmed users of all wikis from crosswiki-uploading files to Commons
[edit]Perhaps close this too....?: Requests for comment/Restrict non-confirmed users of all wikis from crosswiki-uploading files to Commons
Surpassed by a Wishlist page of the proposal, now "under review". George Ho (talk) 17:09, 28 May 2026 (UTC)
Mass manipulation of maps in articles about Russia, Ukraine, and Georgia by a user from the Russian Wikipedia.
[edit]A user is replacing maps across different wikis without consensus, showing occupied territories. I write to this user yesterday, but he continued today. Examples: Расія,Georgia 𝐖𝐢𝐤𝐢𝐁𝐚𝐲𝐞𝐫 👤💬 (WikiBayerCatHelper) 14:47, 31 May 2026 (UTC)
Account vanishing to avoid scrutiny
[edit]I requested this be undeleted but I realize with it being done as a vanish request this may be a steward issue.
This vanish request was done several hours after the named account was raised at WP:COIN for problematic paid editing. The account vanishing removed the userpage with disclosed list of articles edited by the paid account, the disclosure of paid editing, and breaks a chain of discussions linking problematic edits to the company in question. I believe this vanish request is being used abusively. ~2026-24188-14 (talk) 18:32, 14 June 2026 (UTC)
- For the record, account vanishing does not remove userpages – it moves them to the new username. In this case, the userpage was deleted by an administrator per user request before the vanishing went through, then restored (under the old name) after the vanishing went through: [2]. Perhaps it should be moved manually to clear up the situation. Matma Rex (talk) 18:51, 15 June 2026 (UTC)
- Thanks, I think I got a bit turned around by deletion request coupled with the vanish. I still do worry about this vanish breaking the relationship between paid edits and discussions of paid edits on those pages, since they've come up before. It's at WP:COIN now, I think I should let others weigh in before another noticeboard. ~2026-24188-14 (talk) 23:57, 15 June 2026 (UTC)
Not done per above, you may want to ask over at w:en:Wikipedia:Administrators' noticeboard, as this is a local page management issue. — xaosflux Talk 18:55, 15 June 2026 (UTC)
This section is resolved and can be archived. If you disagree, replace this template with your comment. — xaosflux Talk 18:55, 15 June 2026 (UTC) Request for Restoration of Bureaucrat Status
[edit]I recently noticed that my Bureaucrat access flag was removed by a bot. After investigating, I understand this was due to recent automated security measures regarding two-factor authentication (2FA).
I have now successfully enabled Two-Factor Authentication (2FA) on my account to meet the required security standards.
I kindly request the restoration of my Bureaucrat permissions, or further guidance if there are any additional steps I need to take. Thank you. --Manojk (talk) 10:59, 17 June 2026 (UTC)
Done per conclusion that these rights can be restored on request at stewards' discretion. EPIC (talk) 11:07, 17 June 2026 (UTC)
- Just a general note: this type of discretionary restoration is specific for class of use case - where a recent system-based revocation was the source. — xaosflux Talk 13:34, 17 June 2026 (UTC)
This section is resolved and can be archived. If you disagree, replace this template with your comment. — xaosflux Talk 13:35, 17 June 2026 (UTC)