Talk:Privacy policy/Archives/2004

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
Warning! Please do not post any new comments on this page. This is a discussion archive first created in 2004, although the comments contained were likely posted before and after this date. See current discussion or the archives index.

Personal pages

The purpose of the project is to produce an encyclopedia. To facilitate this, user and user talk pages are provided, in a different namespace from the encyclopedia. Since those pages are not part of the encyclopedia, the Wikipedia will use whatever technical means are reasonably convenient to inhibit to whatever degree reasonably convenient the wide disclosure and searchability of those pages. Except to the extent that they contain text clearly intended for a Wikipedia article, these personal pages are not released under the GFDL but are instead released solely for internal use within the project.

I've added a further section based on discussion here and over at Wikinfo, where one Wikinfo technical person indicated that it was not happy to have users prevent the display of their user pages there, even though that has been requested and so far has been accepted by them. Since it doesn't seem to inhibit our ability to build an encyclopedia I've eliminated the GFDL release of user and user (but not article!) talk pages to non-GFDL for use here only, making GFDL only items intended for the encyclopedia. This will let us better assist our countributors if there's a desire to remove their personal information from mirrors, which currently could claim a GFDL right to distribute information we're removed. I'm not envisioning any immediate or rapid technical change - I'm aware that databases are combined and a variety of other technical issues mean that it is currently convenient to distribute everything as a package, and that multiple licensing is currently most conveniently done via user pages. I'm also aware that we use Google as a fallback search engine, and that limiting it would be problematic and do not propose any immediate change to search engine crawling while we need this capability. This is mainly to eliminate the "you can't stop us" argument which seems to make some of our contributors unhappy. With regrets to other sites, I want happy Wikipedia contributors, not those who don't feel free to discuss freely because of fear that their discussion will be mirrored and searchable forever, everywhere. Jamesday 12:42, 16 Feb 2004 (UTC)

I've moved the above text to the talk page since it's most certainly not the present policy (though whether it should be is open for discussion). --Brion VIBBER 15:36, 16 Feb 2004 (UTC)
Thanks - I'd forgotten that header saying current. Jamesday 14:14, 25 Feb 2004 (UTC)
I would support not having User and User talk: pages not be under the GFDL, but I don't know what the ramifications would be. Would everyone have to write new pages (the old ones are already under the GFDL)? How would this affect being able to hold temporary articles on user pages while they're being worked on? What about copying and pasting comments between other namespaces with regard to comments? There are many issues that would need to be resolved first. Dori | Talk 15:53, 16 Feb 2004 (UTC)
I guess that's a good point. For a different reason, there is a discussion at Japanese wikipedia regarding introducing a second license (called something like in-site public domain license). It permits copying, modification and translation of any posted contents within wikipedia (of any language) and other projects. That kind of solution may work to an extent, maybe?
In addition, such a re-licensing would take agreements from the copyrightowners, I suppose. Still, the past versions are released GFDL already, and it cannot be revoked, I suppose.
If the purpose is to prevent others from copying those pages based on GFDL terms, maybe it is easier to remove these pages from the database dump. Tomos 23:35, 16 Feb 2004 (UTC)
One issue which caused me to make this change is wikinfo, which takes them from the site when the page is requested, rather than from a database dump. Web crawlers (except Google, which we use as a backup search engine) also really need to be blocked, just so things like the internet archive don't save them forever. I like the sound of that Japanese move. Please let me (or all here) know what happens with that idea - I like it very much. Jamesday 14:14, 25 Feb 2004 (UTC)
Within the Wikipedia and except for text intended for articles seems to cover the moving things around needs, since it allows those things between namespaces. If you don't think it does, please suggest clarifications. I don't think that the old pages are under the GFDL - the edit page the last time I looked specified that items for the Wikipedia are under the Wikipedia license and the Wikipedia is clearly defined as the free encyclopedia, which personal pages aren't part of. However, it's arguable enough (and was argued at wikinfo) that clearly saying they aren't is worth doing, which is why I added this paragraph to make it completely clear that they aren't under the GFDL, so we can speak more freely.
One advantage for this split is that it makes it much easier to argue that source material we may discuss is not intended for republication. I'd like some way to do that for article talk as well, but I'm not sure that I want to go so far as suggesting that article talk pages should also be clearly not under the GFDL, hence not for publication. I don't actually think that article talk needs to be GFDL either but it's got a much better case than user or user talk pages. Views on whether article talk pages really do need to be GFDL or whether saying that text for the wikipedia can be placed in them on the way to going into an article is sufficient are welcome.
Barring objections and in a week or two (on the usual slow is good schedule:)) I'll put this back into the proposal and indicate that the proposal isn't intended to be the current practice only but is intended to be future practice (and I'll also include a note requesting that possible changes be clearly indicated, so they can be discussed). Jamesday 14:14, 25 Feb 2004 (UTC)
I'm not sure what I think about this. The logic of this idea seems reasonable, but I am uneasy with the idea of user and user_talk pages being different in terms of licensing. I have some vague sense that there would be some unintended consequences about this -- can I stop someone from releasing what they write on my talk page? Can they alter my comments on their page because they own it more that other pages? Etcetera, etcetera, etcetera... -- BCorr|Брайен 01:28, 6 Apr 2004 (UTC)

Filtering out web bugs and viruses in forwarded email

Should we try to prevent people sending web bugs in email that we forward? E.g. by requiring only plain text, or safe html or something, like some mailing lists do? Or is HTML email important for some correspondents? I'd prefer to only get plain-text mail without potentially dangerous or virus-infested attachments or web bug. But of course there is some development effort. The GPL'd Mailman software can do this. Nealmcb 18:11, 14 May 2004 (UTC)

Are you referring to the mailing lists (which run on GNU mailman), or to the 'Email this user' form in the wiki? In the case of the former, it should be set to strip HTML mail as it is. If you see a list misconfigured, please say which. For the latter, it should only be possible to send plaintext. If you can show otherwise, this is a bug which should be fixed immediately. Please let us know. --Brion VIBBER 22:02, 14 May 2004 (UTC)

Should we add a "Send a Private Message to this user" link in the interest of greater privacy?

The idea came up on IRC last night that it might be a good thing to ask a developer people to set up a way for people to send private messages to each other directly through the wiki software as an alternative to communication through talk pages. The idea is that it is a way to increase communication, reduce the level of public conflict, keep conversations from polarizing quickly, and allowing more frank discussions, etc. One concern raised about this is that there is a certain "check" involved in discussions being searchable and archived, i.e. people should feel more accountable for what they say.

Opinions? Thoughts? Alternatives? -- BCorr|Брайен 14:25, 29 May 2004 (UTC)

Is this going to offer any advantage over email? I also wonder if it might encourage people to use our wikis as chat rooms if there is no check on whether what people are writing is wikimedia-relevant. Angela 21:10, 31 May 2004 (UTC)
I don't see the point. Everything on the wiki itself should be open, you want to keep it private, take it outside (i.e. e-mail). Dori | Talk 04:07, 1 Jun 2004 (UTC)
For an opposing viewpoint, see MeatBall:GetARoom. Wikis need not be entirely open, and private conversation has benefits to the community. UninvitedCompany 21:32, 15 Jun 2004 (UTC)
I generally dislike things going to email. I much prefer private messages on the site concerned when that feature is available, in part because it keeps all things related to the site netly in one place and in part because I try to keep mail only for personal and high priority (my priority) things. If someone started to routinely use the email link instead of my talk page and declined to stop on request, I might well add them to my spam filter to prevent it from continuing. Jamesday 08:28, 14 Jul 2004 (UTC)

Multiple accounts and Password protection

The discussion arose from a concern about a recent leak of shared passwords that is documented at Wikipedia:User talk:Tim Starling/Password matches and at Wikipedia:Votes for deletion/User:Tim Starling/Password matches. In that case, a well-intentioned admin created a list of probable sock puppets by searching for matching passwords. My concern (and that of more than a few other users) is that an innocent person who happened to choose the same (probably weak) password will get swept up in the accusation and that, further, by releasing the list their password will be exposed to the real vandal who will now be able to highjack the account.

Some consider this a remote possiblity, but I worry that it is a real threat. It might go something like this:

  • User A is a vandal. User A creates sock puppet identities B through G, all using the same password so he can keep them straight.
  • User H happens to choose the same password.
  • Admin Z matches passwords and publishes a list of A-H as probable sock puppets.
  • User A, being a vandal and probably knowing that he is being targeted, looks for and finds Admin Z's page. User A recognizes H as a new ID - not a sock puppet he created.
  • User A knows that H's password must be the same as his. A can now sign in as H, commit vandalism that will be attributed to H and even change H's password thereby reserving a new account with a respected edit history to his own illicit use.
  • User H can no longer even sign in to his own account to complain about the theft of his identity.

I support the hunt for vandal. I agree with the exposure of sock puppets for what they are. I can even support the use of password matching as one tactic to support the accusation of sock puppetry. However, I think that publication of the list with the statement that it was based on password matching creates an unacceptable risk that a valid user's password will be exposed. Passwords deserve extraordinary protection.

I added the section on Multiple Accounts (sock puppets) as a lead in to the section on password disclosures. If there is a better place for either of these clauses, please move them. Rossami 16:51, 13 Jul 2004 (UTC)

I wholeheartedly agree with Rossami's concerns on this issue. Because of the potential security risk to innocent users, this blatant disregard for privacy is the sort of thing that will very quickly lose me (and many others, I would imagine) as contributers to the Wiki projects if it is not addressed in a timely fashion.

Though it has been stated that the "ends justify the means" in this instance, I do not believe that vandalism warrants this breach of privacy. Vandalism can already be quickly detected and easily fixed by any Wiki contributer so long as people remain diligent in patrolling the recent changes lists.

Sockpuppetry is, of course, also a concern in matters unrelated to vandalism, such as voting. In such cases, password matching is a powerful and useful tool available to the admins, but I feel it is unnecessary for the results of such matching to be made public. It is just as effective for admins to patrol the more crucial polls amongst the Wiki pages (polls concerning policy changes and requests for adminship particularly) and run password matching and/or check IP logs should they suspect that a user and his/her sockpuppets is slanting the poll.

In summary, revealing password matches is unnecessary for the management of vandals, for vandalism (whether by sockpuppets, single users, or anonymous users) can already be readily monitored by the recent changes pages. In addition, serial vandals can be monitored and their actions corrected by the vandalism in progress page. In cases of other sockpuppetry issues, I welcome admins to use password matching in conjunction with IP logs, observation of editing style, and other evidence to build up a case against sockpuppet accounts. However, such information need not and should not become public until such a time as admins have satisfactorially established that the accounts in question are vandalous or otherwise harmful sockpuppet accounts and have been banned by necessity.

Anyone wishing to discuss the points I have made here are welcome to do so either here or on my talk page. Spectatrix 21:59, 13 Jul 2004 (UTC)

Tim didn't list all of the examples. He hand selected those where a number of accounts with the same password appeared to have been problematic. 7044 passwords on en have more than one account using them (one is one of mine) and one password has 823 users on en. Admins cannot check password matches or IP addresses - only developers can do it. Identifying sock puppets and trolls quickly has been a major and growing concern because, unlike vandals, they can waste significant amounts of the time of productive contributors. It's likely that the community will accept more measures like this one to assist with the task. Jamesday 09:43, 14 Jul 2004 (UTC)

Vhile Jamesday has good points, I think that publically listing any password information is likely to cause more harm than good. Perhaps only admins should have any access to it, but then that creates a power differential and attendant issues. I still don't believe in trolls — what does "troll" even mean in a Wikipedia context anyway? Jeeves 01:43, 17 Jul 2004 (UTC)

Wikimedia and child protection

A few days ago I posted a query on the Village Pump of Wikipedia asking about the ages of Wikipedians, sparked off by reading about an 82 year old on a talk page. In the response there was discussion about a 7-year old who regularly takes part. Various Wikipedians had been on touch with him on his talk page putting him right where he went wrong - as we all do of course! Somebody asked about his parents involvement. There are evidently a number of young teenagers as well. This discussion has now been removed, by the way, as part of Angela's latest weeding.

In view of the events of the past few years with on-line chat rooms being abused by paedophiles, I pose the question about how Wikimedia and the Foundation stands on this. Does the way we have set things up, allowing people to list their ages on Wikipedia, and allowing a direct Email link between editors make us vulnerable. The Talk page link seems fine, since it can be read by anyone but the direct email link is private, and potentially open to abuse, and I am uneasy that we are not following best-practice here I would hate us to be hammered for being sloppy - the press could well have a field day.

If we get more school-age participants, and I hope we do, not only for research but also for helping, this is likely to be a growing problem - there was a link put up recently on the home page addressed to educationalists on how to make use of Wikipedia. Since Wikipedia will interest intellectually-inclined youngsters who we need to be fostering, I urge we address this with some urgency and see how we might be more secure. Any thought? Apwoolrich 18:52, 4 Sep 2004 (UTC)

Do you have any recommendations? --Brion VIBBER 21:50, 5 Sep 2004 (UTC)]]
Look at safe-surfing practice and see where we might be out of line; think about if we really need a page where Wikipedian ages can be posted; add something to the 'Welcome/beginners' pages aimed at youngsters and point out safe surfing practice. It might be superficially attractive to have a kind of well-monitored 'Junior Wikipedia', to where their activity might be restricted but feel this will be counter productive. So far as as I am aware we have not had complaint from the 'moral majority' out there about suitability for youngsters of the some of the content of Wikipedia on eg pornography, but perhaps that will come.
My children are both adult and have families of their own, so I have never been faced with supervising web use by a youngster. I am aware of the danger of the possibility of hysteria in this: in the UK organisations like schools and churches have instituted child protection rules which have the effect of making the administration of organisations difficult - eg a parent not being allowed to dole out cups of orange squash at a school fete until they have been Police vetted; a proposal that all Anglican church bell ringers must be police vetted before they can ring. Apwoolrich 07:27, 6 Sep 2004 (UTC)
a parent not being allowed to dole out cups of orange squash at a school fete until they have been Police vetted sounds a little extreme! But anyway, posting your age (I assume you are referring to Wikimedians by age) is voluntary, and most people wouldn't find that page anyway. Of course, that doesn't stop someone from revealing their age so nothing much can be done. Same with email, it is optional, but children could still fill it in (and nowadays they probably all have email addresses). Prehaps it would be neccessary to remove the email feature. As for other suggestions, prehaps it could be possible to include parental controls which could be activated for a particular account: these would allow for the blocking of the email address, control over any content-blocking features (as proposed elsewhere to allow users to block potentially offensive images, text, or articles), etc. A youngster's beginners page sounds like a good idea also. Are there any professional or government guidelines or resources available regarding online child protection? TPK 07:30, 8 Sep 2004 (UTC)


I'd like this draft to be finalised for translation fairly soon and have at least the English version ready to go live by the end of the year. Some thoughts on what needs to happen before then:

  • Needs to be linked from every page
  • Needs to be translated (translations could be "unofficial" in the same way as the GFDL)
  • Should be protected? (have one official protected one on the Foundation site and others unprotected maybe?)
  • "Right to Vanish" section - do we actually give this as a right? Since developers choose whether or not to respond to username changes, perhaps it needs to be clear that there is no guarantee this will be done. It's a nice option, but not something we should be offering on any official level. (Now moved to another page)
  • E-mail: Is this really never going to be used for anything other than user-to-user communication? There has been talk of sending out emails to all users. Can we state this will never happen? (Now clarified)
  • User contributions. Every one of these and the time it was made is stored. Should this be mentioned? Are the graphs of edit counts over time a problem/ever likely to be a problem? (Now added a "User data" section)
  • I'm very unsure about "The Wikipedia will delete personal information about contributors (most likely on on user and user talk pages) at their request". I don't think this is official, and whether it happens is largely up to the admins of the wiki concerned. If we can't guarantee this will happen, it shouldn't be mentioned here. If it does stay in, it needs to mention that we have no control over the mirrors which might still contain that information. (Removed this section now)
  • The "Multiple accounts" section seems misplaced. Does this need to be part of the privacy policy? It seems a separate issue to me. (Removed this section now)
  • The following points still need to be added or clarified:
    • Needs clarification on how often logs are deleted
    • Search is not currently mentioned. Will the terms people search for ever be shared? Will that only be available as aggregated data?
  • Two very clear policies are Wikitravel and Google. It might be worth comparing these to Wikimedia's policy and seeing if it can be made clearer.

Angela 08:02, 7 Nov 2004 (UTC)/ 02:51, 13 Nov 2004 (UTC)

Well, I am for having unofficial translations. Every local project links the document in their own language if possible, and the translated document says it is unofficial and provides a link to the original (English?) policy.
As for right to vanish, I am suspicious if it is good to have it as a right. Developers are volunteers so how can we say there is a right to demand them? If vanishing is a right, it would bring something mundatory into developers' task. Can we assure the users who want to use right to vanish, their vanishment would be done by those voluntary developers? (Although I don't doubt they are willingly to help us)
"The Wikipedia will delete personal information about contributors (most likely on on user and user talk pages) at their request". It sounds a gurantee, in my openion we could only say "most of Wikimedia projects will delete personal information about contributors following to their own criteria". I'm afraid a case a requesting person and a project have different opinion what personal information is, and a case such request taks a time to be done. In my view we could only say the most projects would consider such request respectively. Sorry for my random thought.--Aphaia 06:23, 13 Nov 2004 (UTC)

If this is going to be that much of an official policy document, it should refer to following points:

  • The policy is possibly changed without prior notice by the discretion of the board. (Or something else that addresses how policy could be changed).
  • Wikimedians and other site visitors are considered to have agreed with the policy after the change. (Or something else regarding the retroactive nature of the policy).
  • If your personal information obtained through the WMF's servers is treated by others in violation of this policy, you can appeal the treatment to the board by sending email to ... (Or something else regarding the enforcement issue).
  • WMF have no plan to start selling or sharing your information with the third party. Commercialism is not something unanimously supported by the WMF projects' members. If this happens, that is only after a community-wide discussion.
  • If and to what extent the privacy information is "protected." If there is any possibility that information could be "stolen."

Also, I think consulting especially with some developers is a good idea since they are in the position to get some information from the server log.

If this is not a "contract-like promise of what we do" but more of an "explanation of what are the existing practices," then maybe we do not need some of the above stuff. Tomos 20:40, 13 Nov 2004 (UTC)

Release of data by developers

The policy used to say that data will be released:

To all curious/interested parties, sometimes except the user concerned, when it is believed that an IP address may be associated with a banned or otherwise abusive contributor, as part of the process of trying to determine whether this is in fact the case. because this has been done in the past - not sure if it will be in the future...

I don't think we should release the IP address of a user on suspicion that it may be associated with a banned or otherwise abusive contributor. We should release the IP addresses associated with the vandalism or trolling itself. We should also be able to release any private data associated with a username which has been persistently used for vandalism or trolling.

Someone said:

The last motive for ip display certainly need more description. There is a recurrent issue that this is illegal and not acceptable. I would support that we have a clearer policy on this.

I'd like to know exactly what law it is breaking, if any. I'm not being sarcastic. As far as I'm concerned, if someone vandalises Wikipedia, I'll deal with them to the best of my ability, within the limits of applicable law. I'd also argue against any voluntary policy which prevents me from doing so. I'll respect the privacy of users who contribute in good faith, but I'm not going to spare any strategy when dealing with people who attempt to damage the site. So far the difference between good and bad users has been left to my discretion, and the discretion of any other developer who wishes to get involved in this stuff. I don't think a privacy policy should be the place to change that, it should be an internal matter. -- Tim Starling 01:53, 17 Nov 2004 (UTC)