Talk:CheckUser policy/Proposition 2005

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
Archive This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

Hi. What should be added is rules about when it is possible to ask for ip check. Remember that this is borderline with privacy policy, so information should only be given if there is a valid reason. It probably means that no request may be done by one user only (but must be approved by others) and a motive always given. It may be that information is only partially offered to the user asking (eg, not giving an ip number, but saying "this fit with another user information, or not). Anthere 04:51, 6 September 2005 (UTC)

The Steward will answer you if these two users are from the same IP, same proxy, same network, same country, or are they completly unrelated.
And... I think that's all ;) Datrio 18:34, 10 September 2005 (UTC)

Notification: Notify user

There is no consense if a user has to be notified when CheckUser is run on him. In my opinion it is essential to automatically notify him in every case. Even if nine out of ten investigations would be false alarms you have to tell people that their privacy has been harmed. This will also prevent abuse of CheckUser. Of course some people will complain but if it's a community consense to use CheckUser then it should be able to convince them why they have been checked. No secret observations please -- Nichtich 08:06, 21 September 2005 (UTC)

Hmm... This is a good suggestion. Though it can't be made automatically, it should be done manually, by a steward. Although, a user should be notified even earlier, before the check - during the voting. Datrio 16:08, 21 September 2005 (UTC)
Voting? Huh?

I have removed the notification of the proposal. Anthere 17:33, 28 October 2005 (UTC)

Every user is (privately) notified by a steward or by the user doing the check when CheckUser is run on him.

though I would love that, I think it is unpractical and should not be in policy Anthere 08:26, 9 October 2005 (UTC)
Yes, it would be a major PITA. Its main effect would be to stifle the process with red tape. If a malicious user has created 100 socks, shall I place a notice on all their talk pages? I think not, I think I would go ahead with the check and say "so fire me" - David Gerard 09:12, 17 October 2005 (UTC)
removed from the proposal. Anthere 17:44, 28 October 2005 (UTC)

CheckUser cannot be discussed sufficiently, if notification is ignored as a major topic of this feature.
So this sensitive point badly needs specification on the part of Datrio and Anthere who appear as proposers. Please determine whether notification is a must or not in your proposal, and if yes, please state, how it should be assured. --:Bdk: 04:07, 2 November 2005 (UTC)

I clarified that notification was not mandatory, but could be done if thought best for community peace or for the check user peace of mind; Anthere
Thanks for your quick clarification and the other additions, Anthere. Now it's possible to discuss the proposal much better than before. --:Bdk: 07:31, 2 November 2005 (UTC)

Current users with access

.. is not complete, or? -- MichaelDiederich 09:25, 21 September 2005 (UTC)

I clarified the list. Anthere 17:33, 28 October 2005 (UTC)

That's a horrible proposal

Problem 1 - CheckUser must not be done be stewards. The only things Stewards should be able to do are administrating low-activity wikis, and various stuff for exceptional circumstances. CheckUser is a routine administration task, and on most wikis local bureaucrats or other trusted users should have such access, not outsiders stewards.

Problem 2 - people who look for sockpuppets (each wiki's admins) need full CheckUser output, not just "same network/not same network". My experience with Kwiecień's sockpuppets on pl.wp is very clear here - I often had to use nmap, whois etc., and without some IT experience one wouldn't be able to spot the pattern and clearly establish whether someone is or is not a sockpuppet. Stewards usually do not have such experience. Also, some knowledge of country's network is often very useful, for someone who doesn't know the Polish part of the Internet, and can't look for this information (because of not knowing Polish), it would be more difficult to look for sockpuppets. Therefore it's a lot more efficient to give CheckUser access to local bureaucrats.

I do not understand what you mean here. The output of the tool is not at all "same network/not same network".
besides, though it is probably true for some wikis, on most wikis, there is absolutely no garantee the bureaucrat will be in the "right" country. Wikis are based on language, not country. Finally, I have no reason whatsoever to think that bureaucrats have better IT knowledge than stewards. In short, I see many arguments for not giving this access automatically to bureaucrats (they were not voted to have access on that tool, and on small wikis, they are not even elected), and few arguments to give them this access preferentially over others. Anthere
Let's see. if an editor you have never heard of ask you to make a check in the arabic wikipedia... and suppose you do it. Which information will you provide him exactly ? In my last checks, the request was done by editors I have known for a long time and fully trust, so I gave them the ip information and reminded them to keep it for themselves. If the same request is done by someone I absolutely do not know, what do you suggest I do and which information do I give exactly ? Anthere 17:36, 28 October 2005 (UTC)
By the way, Grin proposal on hu, proposes exactly this 'same network or not, same person or not' etc... so ? Anthere

Problem 3 - users should not be notified about being checked. Their privacy was not compromised in any way. Every reasonable privacy policy must be understood to read that people involved in protecting the network may investigate every suspicious activity at will, and there's no reason to notify anyone. Only if the data was to be disclosed to more people, one needs to think about the privacy. Moreover, CheckUser logs usually contain very little private information. It's possible that someone has one account for general editing, and other for writing on sensitive subjects, but it seems to be an extremely unusual situation. Taw 16:22, 21 September 2005 (UTC)

I rather agree. This said, I have seen the checks being done without any vandalism, but rather for "political" reason (because the editor disagreed with a proposal. There was no valid reason to do that check. I definitly confirm you that many editors have various account to write on sensitive subjects. The fact it is unusual does not make it a valid reason for considering it is suspicious. Anyway, I removed the mention of "notification". Remains the issue of peer review. For now, nobody is doing any peer-review on YOUR activity (nor anyone on MY activity). Anthere

  • 1) there's a need for a process for low sock-infested wikis
  • 3) I agree. They may be notified if the check matches, but they going to be anyway, since there must be a reason to check on the first hand... --grin 20:04, 22 September 2005 (UTC)

Taw: full ack. -- MichaelDiederich 18:05, 27 September 2005 (UTC)

I pretty much agree. You need to pick trustworthy people, then trust them all the way. Anything less is just going to be completely half-arsed. And you're absolutely right on 3: if you have CheckUser, you're exercising a low-level sysadmin function for the good of the network. All proposed notification requirements I've seen will only result in stifling the function in red tape, even in the cases where that wasn't the intention; given onerous notification requirements, I'll just say "here, you can have it back, have fun with the socks guys!"
The local network knowledge one is an important point, but they'll gain that with experience. See the 'Hints and tips' I've added to Help:CheckUser.
Of course, the important thing is that socks are first suspected because of human factors, e.g. notably similar editing or writing styles; IP checks may just confirm or deny that. So the other local knowledge is patterns of troublemaking - David Gerard 23:12, 17 October 2005 (UTC)
problem is there is not always a "reason" to check them first hand. Some were check just because they voiced opinions opposing some major leader of opinion. Anthere

My policy on huwiki

As I mentioned I have transalated my published policy at this page, feel free to analyse, use or ignore it. :) Please leave comments on my enwiki or huwiki talk page (latter is faster).

Feel free to fix grammatical or style mistakes, I did it in a hurry. :) --grin 20:00, 22 September 2005 (UTC)

checkuser user authorisation

I would remove the rule that the person has to be a member of the arbitration committee - I would make it that they have to be selected by the arbitration committee. The technical knowledge required is neither great nor rare, but it's quite possible no-one on a given AC would have it - David Gerard 09:12, 17 October 2005 (UTC)

modified in the proposal. Anthere

Some suggestions based on the above, and other stuff

Who may gain access to Checkuser 
Each project or community should develop their own policy regarding selecting who should have this, with the following limitation: only two persons per site.
Users being checked do not need to be notified. This creates an onerous task for those involved in checking users. Although it would be a nice-to-do, it is a complication which is not necessary as, in most cases, the person checking is a trusted community member involved in a site security action and will not be making any of the information available publicly unless the account is found to be a sock puppet - in which case there will be other repercussions.
CheckUser abuse 
This will be difficult to be seen by members of a site. For this reason, it would be suggested that a regular review of sock puppet checks be done, perhaps annually, by someone outside the site.

My personal opinion is we're suggesting a policy which requires trust. Until that trust is shown to be misplaced there is no need to hobble the people we're asking to help us. (On the third hand, it's possible this is one of those positions which no one should volunteer for; nominations only...) - Amgine 21:53, 27 October 2005 (UTC)

If you ask me in December about a check I ran in February, I'm vanishingly unlikely to remember the precise circumstances. Nor do I keep a personal log of every check and the reason - David Gerard 19:27, 28 October 2005 (UTC)
<grin> No, I meant something more simple, like checking the log for clear and unambiguous evidence of abuse. If someone is checking every new account on a site, that's probably abuse. - Amgine / talk 21:24, 2 November 2005 (UTC)

Removal of access

i need some minor clarification on 2 points:

  • Any checkUser inactive for more than a year will see his access be removed. Does it mean inactive as a checkUser or as a plain User?
  • To whom the possible abuses of checkUsers will be addressed? Who's judging it's an abusive behavior? The stewards, the local communities?

Besides i think there should be a way to replace checkUsers that have left (not that checking is done quite often, but that means the other checkUser is left on his own with no control) and to kick them out of position but that's mostly to local wikipedias to decide this. Otherwise it's a sound proposal. (:Julien:) 20:19, 29 October 2005 (UTC)

points have been clarified in the proposal. Thanks Anthere 20:49, 4 November 2005 (UTC)

Nice proposal

I like this proposed policy. Plain, simple, and logical. Ryo 10:11, 2 November 2005 (UTC)

I'm happy to have a clear and logical policy. Generally it seems fine but I found a phrase we could improve: "give a damage to the encyclopedia." -- I prefer to refer to the aimed project(s) also, like "to the encyclopedia as well other our projects", because it will be applied to all Wikimedia projects. --Aphaia++ 16:34, 2 November 2005 (UTC)
Ditto - this turned out nice. --Duk 18:21, 2 November 2005 (UTC)

thanks a lot for saying this :-) Aphaia, you have a very important point here :-) I changed the sentence of course. Anthere


  • i support this elegant policy. oscar 22:28, 2 November 2005 (UTC)
  • support -Romihaitza 15:41, 7 November 2005 (UTC)

The Log

The log of who used the tool on whom should be available publicly, not only to the in-group (the access to the deletions log isn't restricred to those who can delete, the access to the user-rights log isn't restricted to stewards, etc.) The transparency will ensure the tool is used responsibly (and not, for example, simply to satisfy a sysop's curiosity) and will stifle possbile accusactions of such use. By definition, there's no responsibility if one's sure they're never gonna be asked to account for their actions. tsca 22:31, 2 November 2005 (UTC)

I agree, but we can not publish the log as is, as it precisely gives some information which should not be public; I discussed the possibility to have a "restricted" log, and in particular a log "per project", but it seems there is a low motivation level to do it. So, at this point, we are stuck... ant

Full ACK tsca, at least a rudimentary log has to be publicly available. Of course, it is reasonable that a complete log with its sensible data can't be in the public. But I think the following can be made visible without further problems: which wiki - date/time - check user/sysop name - number of compared accounts/IPs - result (so it's still "anonymous" regarding the checked accounts). There could also be a possibility (not an obligation) to make a "public comment" (like "just a test run" or "suspicion of heavy offense against XY" etc). In addition, the existence of a public log can protect the users with CheckUser rights against unfair, but popular allegation of constant misuse. And, what is also realistic and a well-known experience of numerous other projects, a log prevents a user from his own curiosity, as tsca pointed out above. Regards --:Bdk: 19:25, 3 November 2005 (UTC)

German data privacy laws

The German data privacy law prohibits the storage of personal data (if the data is needn't or the user didn't agreed) . IP-adresses can be personal data. --Habakuk 17:48, 4 November 2005 (UTC)

yup. But with the privacy policy mentionned under all edit windows... the user actually agree with the site policy each time he clicks on the save button. So, this should not be a problem....once the privacy policy is in effect linked....Anthere

Could someone explain to these people that the disclaimer must say "by editing blablabla I AGREE that this and this..."

JBS proposal is :

Unless you are logged in, by editing Wikipedia you agree that your edit will be signed with your IP address. If you are logged in, by editing Wikipedia you agree that your edit will be signed with your user name. In both cases, you agree that these personal data will be used internally and publicly available. Please see our privacy policy.

Anthere 21:18, 4 November 2005 (UTC)

And let me add this link to my article on European Laws regarding Privacy : [[1]]