Talk:Privacy policy/Archives/2011

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
Warning! Please do not post any new comments on this page. This is a discussion archive first created in 2011, although the comments contained were likely posted before and after this date. See current discussion or the archives index.

disclosure of user realnames - no policy?

I've always thought that the disclosure of the realname of a person behind a user account by another user on talkpages or in edit-commentaries, as it happens sometimes in edit-conflicts between users, is a no-no in all Wikimedia projects. However, when looking for written policy, I couldn't find anything about that. Any hint? --Túrelio 08:26, 14 September 2009 (UTC)

I don't think that a global "anonymity policy" exists for that. The current privacy policy certainly doesn't cover it. However, such edits are allowed to be deleted by Oversight policy (#1) from which I would deduce that they are not allowed in any project. --Tinz 01:26, 16 December 2009 (UTC)
Thanks. Better late than never ;-). --Túrelio 19:22, 1 January 2010 (UTC)

What if that information is available in the history of the user's page? Isn't all the material on the user's page history covered by the same content rules that apply to all Wikimedia material?


Virgilio A. P. Machado

Vapmachado 03:37, 10 July 2010 (UTC)

I'm not sure if I understand your question correctly. It should not matter whether personal information of a user is disclosed in an article or on a user page. You can ask any Oversight (or Steward, if your project has no oversights) to remove that information. Or do you mean cases in which the user himself has made his own information public at some earlier point? I don't think that a global policy exists for this, but in the projects I know, the wish to become anonymous is respected. The old versions are deleted and other users are asked to respect his wish to "become" anonymous. --Tinz 17:47, 22 July 2010 (UTC)

Thank you so much for addressing my question. I'll take you and all other readers, particularly my very good friend and member of our mutual admiration society Sir Lestaty de Lioncourt, through a step by step example, to make it easier on everybody, and present a clear case, hopefully without violating anybody's privacy. You are welcome to post your answers right after each question.

Consider Alexanderps.

I would like to know if it is disclosure of private data of another user account without that user permission, to post on one of your own subpages the following:

1) The name Alexanderps uses in his signature, like on this example [1] ?

(You are welcome to post your answers right after each question on the space below.)

2) Space for next question


Virgilio A. P. Machado

Vapmachado 18:27, 22 July 2010 (UTC)

Sorry, I don't really like this interview style, it makes me feel like a student about to get outwitted by Socrates :-)
As a former ombudsman, I visit this page from time to time to help in case of problems with the understanding of the privacy policy.
If you think that the privacy policy was broken then you should contact the current Ombudsman commission.
However, your problem doesn't really seem to be related to any violations of the privacy policy (which deals mostly with private information that checkusers have). It sounds more like a problem that you have with other users of pt Wikipedia or maybe with the anonymity policies of ptwiki (which I don't know). In any case, this talk page is the wrong place to resolve these problems. A better way would be to seek conflict resolution on pt-wiki itself. Alternatively, you could probably start a RFC here. Regards, --Tinz 13:57, 26 July 2010 (UTC)

Thank you so much for your suggestion, according to which this request for comment has been started and announced. As a former ombudsman you must surely know something that might help answer my question. It would be an honor if you were the first to post your comment there. Thanks for your compliment, but it is highly exaggerated. There's no comparison between Socrates and me. I believe that the Socrates you're referring to is dead :-)


Virgilio A. P. Machado

Vapmachado 23:11, 26 July 2010 (UTC)

Two layers of privacy

Draft amendments to the rules
The case of privacy policy has at least two 'layers' both focusing upon certain civil rights of an individual seeking to defend his anonymity.

Encouraging everybody to post, edit and discuss articles, Wikimedia (as well as thousands of other interactive facilities in the Internet) offers an option to show his authorship:

  1. as some IP which automatically appears as a 'singature' above/under/besides his message;
  2. as some pseudonym which one may choose for that purpose

Since an IP is automatically generated upon some technical data which to a certain extent may show the way to the originating computer and through this to a specific individual — the formula for the first 'layer' is ”IP vs nick”.

Since the very first days of the Internet folks preferred to identify theirselves by pseudonyms (nicks). With the further development of Internet (especially since the namespace boundaries have been overcome) people found it possible to use their actual civilian names as 'nicks'. Although it's obvious that it was their personal will to disclose their anonymity in this way (below I'll make some reservations upon that), another disputable layer of privacy appeared in the Internet communities, that is ”real” vs fictitious nick.

In addition to the explicit writing of personal data I shall mention some indirect means, as URLs and other kind of external links to the sources where their personal data is written. The netiquette explicitly treats as a gross breach when a third person discloses somebody's private information in that way. Having occured within some community (e.g. Wikipedia registered users) and its common editable workspace — it is suppressed by its in-law. However this case is too flat to deserve a thourough investigation here. I suppose that to be sufficiently covered in the existing rules of behaviour in Wikimedia.

The yawning gap in our rulings here is in unsufficient clarity and unambiguity concerning the case when somebody claims that equating his «”real” name nick» to an apparently fictitious nick is a violation of his privacy. The most recent example:

  • Arbiter 'A' creates a sockpuppet 'S' for his personal investigation purposes
  • Checkuser 'C' founds that a sockpuppet 'S' = 'A'.
  • Arbiter 'A' insists, that 'C' has infringed his privacy by revealing that 'S' = 'A', since he claims 'A' to be an abbreviation of his real name.

Let us leave aside all derivative issues that may arise in connection with the specific circumstances of this case. I shall rather insist that both this one and the series of similar disputes shall have their doubtful grounds until Wikimedia shall clearly define that

  1. Observing privacy is primarily a matter of a user. He is personally responsible for the chosen degree of similarity between his nick and his real name and other personal data.
  2. Since Wikimedia has no legal means to certify that '[User:John Johnson]' is exactly that Mr. John Johnson (age, address, driver licence…) who opened an abovenamed user account, it shall not support any claims of [User:John Johnson] of infringment against his privacy as Mr. John Johnson, in particular because
    a) it was his original will to appear in the community with a certain extent of disclosure of its personality;
    b) the opposite treatment shall discriminate the owners of a really fictitious nicks against the owners of «”real” name» nicks putting the latter in the privileged position.
  3. Identification of personalities by Wikimedia is limited within the scope of issues related to the further public interaction with users outside the virtual workspace (jobs, conferences etc.) However this data as well as technical and other evidences of identity between [User:John Johnson] and Mr. John Johnson which might have been forwarded to Wikimedia shall be ignored in all judicial and extrajudicial sues which derive from a prerequisite of identity between an individual and his nick.

Note. Clause 2-a is necessary for the case when checkusers and stewards are required to establish compliance between nicks and IP's — for example, in investigation of abuses with open proxies.

Example (has a real basis, however not investigated yet). User 'X' (assume he is unknown) enters Wikipedia aiming to set an article for deletion (AfD). Since the article is outside his 'national' workspace, he

  • sets his browser to work via a foreign open proxy server, so his AfD request is 'signed' with an IP of this proxy.
  • having suddenly found an error in his edit, he urgently switches to another browser seeking for solution. For some reason (rush, carelessness) he corrects his error from another window which is not set to an open proxy. This edit is signed with an IP originally assigned by his ISP
  • last, the AfD discussion page is 'signed' again with a faked IP (of an open proxy).

Now suppose that a checkuser establishes an identity: 'X'='Quasi Real Name'. But the underlying evidences of this output are IPs, so in the absence of ruling that the 'reality' of a nickname is a problem of an account owner, 'Quasi Real Name' shall have the grounds to counter-claim against the violation of his 'privacy'. Such lawlessness shall undermine all our further attempts to halt cross-wiki-vandalism!

* * *

I realize that a lack of knowledge of local regulations may weaken certain statements of my proposals. However the underlying problems in my examples are actual and they are awaiting their solution. Anyway I hope that the discussion of this subject shall contribute to the strengthening of the rules for all the projects of Wikimedia. Thank you in advance for the studying of this project. Cherurbino 06:48, 31 January 2011 (UTC)


Is the policy sufficiently comprehensive. These seem like important questions as 200x dates start to feel like the relatively distant past. Technology continues to advance and how can we create a global environment in which a meaningful conversation is possible. 23:34, 12 January 2011 (UTC)

Document structure and formatting

It seems to me that there is something wrong with the document structure and headings. "Reading projects", "Editing projects", "Discussions" are level 5 headings under one paragraph "User contributions". I guess they should be promoted to the same level as "General expectations" (level 3), since this makes little sense otherwise. I am not sure what was the original format presented to the board, however.  « Saper // @talk »  12:52, 17 January 2011 (UTC)

Bold text== PHPSESSID ==

PHPSESSID is not anormal cookie, but asession, i will ask to agnolege the user about this,. The preceding unsigned comment was added by (talk • contribs) 15:33, 18 February 2011‎ (UTC)

Editing: spelling notes

General scope

There's written there: «Consistent with its Data Retention Policy, the Foundation collects and retains the least amount of personally identifiable information needed to fulfill the Projects' operational needs.»

Fulfill” is underlined red by my spell-checker.

LONGMAN Dictionary of English:

ful-fil /.../ v -ll- (also fulfill AmE) ...“ (and so on).
What standard of spelling are we to keep to?

Lincoln Josh 13:14, 4 March 2011 (UTC)

Request to include the ACC Tool user privileges (access to IP and email addresses) in the privacy policy

A majority of ACC Tool users[2] are not checkusers and have not been formally identified by the Foundation. They have critical access and knowledge about the ip addresses and email addresses of users requesting new accounts at the English Wikipedia. Can we, therefore, include references to the ACC Tool in the privacy policy? (Note: We also have the Wikipedia:ACC tool users' pledge that attempts to voluntarily encourage ACC Tool users to adhere to our privacy policy).♪ ♫ Wifione ♫ ♪ 12:37, 23 March 2011 (UTC)

hm, I'm not sure if I understand this ACC tool completely: These users see only the data of users who tried to create an account on the english Wikipedia, had problems (e.g. failed to decipher the captcha), and then applied for an account manually. They don't see the data of users who register the usual way, right? It surprises me that a team of ~100 users is needed for this task, maybe our captcha needs to be improved?
But it seems to me that their role is somewhat comparable to the role of the OTRS volunteer response team, so did you think of mentioning ACC in the section on OTRS of the privacy policy? --Tinz 17:48, 24 March 2011 (UTC)
Hi Tinz. You are right. The ACC tool allows users to apply for an account when they're not able to decipher the captcha or when their name is perchance too similar to an existing name. The role of ACC tool users is somewhat similar to the OTRS volunteer response team, the difference being that the OTRS team is identified by the Foundation, while the ACC tool volunteers remain anonymous by choice. And yes, I wished to mention them in the OTRS section of the privacy policy. My intent is that any person reading our privacy policy gets informed that even on the ACC tool, the interface account handlers have access to ip addresses, email addresses of new account requesting users. Thanks.♪ ♫ Wifione ♫ ♪ 18:11, 24 March 2011 (UTC)

Батбаатарын батням

Боржигин овогт Батбаатбрын Батням нь 1991,04,21 нд Монгол The preceding unsigned comment was added by Aganaa (talk • contribs) 06:27, 8 June 2011‎ (UTC)

Browsing triggers publically logged account creation - violation of privacy policy

Please see the discussion at Basically, when I visit a Mediawiki site for the first time, even if only to read a page, the server detects that I have a globally unified account, and creates my account on that site, and this account creation is publicly logged. This would seem to be a straight-forward violation of the privacy policy as currently worded:

"When a visitor requests or reads a page... no more information is collected than is typically collected by web sites. The Wikimedia Foundation may keep raw logs of such transactions, but these will not be published or used to track legitimate users." (my emphasis)

Hesperian 01:05, 24 June 2011 (UTC)

  • When you first log in to Wikipedia make sure you uncheck the "Log me in globally" check box. That way you'll be logged only into the Wikipedia you log in to. If you leave the box checked you will create a new local account each time you visit a new wiki for the first time. Although each person gets a global account they also get local accounts at each wiki they join. Since you would have had "log me in globally" checked you created accounts every where you visited. The global account and local accounts are separate entities. Hope this helps. fr33kman 02:54, 24 June 2011 (UTC)
So does the information around global login explicitly explain that that this will happen? That is to say, that when you tick this box, that an account will be created on your first visit to a site and that account names are visible to all users; typically that you will be welcomed to the site. billinghurst sDrewth 02:59, 24 June 2011 (UTC)
I don't think it does. I'm not a mediawiki technical type. I suppose it's a interesting question, but wouldn't it be mostly moot since if a person has a user account they are a person likely to make an edit and hence divulge their username in any event. Still, I guess it is something for those that maintain it to answer. fr33kman 03:07, 24 June 2011 (UTC)
In fact, in the name of transparency, there is an IRC channel where these "unifications" scroll by live whilst they are being made. fr33kman 03:10, 24 June 2011 (UTC)
From the technical aspect, the centralauth extension automatically creates your account when you view a Wikimedia site for the first time. I would also not classify the extension's automatic actions as in violation of the privacy policy (from a practical standpoint, anyways), as the website is not collecting data from the viewer's computer, but from Wikimedia's servers, and the information that is collected is well within the "no more information is collected than is typically collected by web sites" clause. I won't get too much into that, though, as I am not a lawyer. The event is publicly logged, though it does not appear in the recent changes, and as fr33kman alluded to, the log is public for transparency. Ajraddatz (Talk) 03:49, 24 June 2011 (UTC)
I've emailed the general consul with a link to this thread.  ono  05:32, 24 June 2011 (UTC)
RESOLVED DUPLICATE / This bug has been marked as a duplicate of bug 19161. Cbrown1023 talk 15:47, 24 June 2011 (UTC)

I'm not really happy with the response I've received here. Fr33kman assumes that I don't understand global login, and if I did I wouldn't have a problem. Fr33kman, I've been around Wikimedia projects for nearly seven years, longer indeed than the GlobalAuth extension, I know perfectly well what it does, and I don't need you to teach my grandmother to suck eggs.

Cbrown1023 makes the legitimate and interesting point that this could be used to in an exploit that extracts further information that ought to be private. But I'm not talking about this as a vulnerability that might release further information. I'm talking about the information that has already been released. The privacy policy clearly states that When a visitor requests or reads a page... the Wikimedia Foundation may keep raw logs of such transactions, but these will not be published.... Here we have a real-world non-hypothetical situation where a visitor has read a page, the fact that they did so has triggered an entry in a public log, so that they cannot deny that they have read a page on that site, and they are uncomfortable with this. Is that not a straight-forward violation of the privacy policy, already, non-withstanding any further information that might be released via an exploit?

Hesperian 02:34, 26 June 2011 (UTC)

I'm sorry for being nice and trying to help, since that offends you. fr33kman 04:18, 26 June 2011 (UTC)
It didn't offend me that you were "being nice and trying to help". That's twice now you've been too eager to reply, to bother to try to understand what I actually said. Hesperian 13:22, 26 June 2011 (UTC)
I understand, and understood, what you were/are trying to say but since I don't know who you are I thought I'd tell you how to stop the auto creation log in case you were unaware. I can't really speak to the privacy policy since the board decided that, not the community. Perhaps asking User:Philippe (WMF) about it may help? fr33kman 18:42, 26 June 2011 (UTC)
You're sending me elsewhere?? I'm pretty sure Talk:Privacy policy is the right forum for someone to raise concerns about a possible privacy policy violation. It might possibly be the wrong forum for someone who "can't really speak to the privacy policy" to nonetheless expound on unrelated matters. Hesperian 04:29, 27 June 2011 (UTC)
While it doesn't bother me that my reading of various wikis has been logged, I can see how it could be a big problem to some people, and it looks to me like it still happens. WereSpielChequers 23:11, 29 September 2011 (UTC)


The bit about IRC probably needs updating to reflect the fact that there are now official WMF office hours on IRC. WereSpielChequers 12:53, 27 November 2011 (UTC)

Watchlists and preferences

There's quite a bit of "private" information that some users accumulate here, especially in things like their watchlists. Some of this information is then collected and used in an aggregated way, for example unwatched pages are available to trusted editors but we try not to release them to vandals. I think the Privacy policy should cover this - at present I think it insufficiently covers reality. WereSpielChequers 13:06, 27 November 2011 (UTC)


One area which has grown has been meetups, and these especially the residential ones do tend to require disclosure of real names. I would suggest that the Privacy policy should cover this WereSpielChequers 13:06, 27 November 2011 (UTC)

Identification to the office

Certain tools such as Oversight and checkuser are only available to editors who have identified to the Office. I would suggest that this policy should cover that process and in the process disclose whether the identity information is held and if so how long for. WereSpielChequers 13:14, 27 November 2011 (UTC)