[Wikimedia-l] Wikimedia and the politics of encryption

Mon Sep 2 16:08:12 UTC 2013

Erik Moeller wrote:
>So, what to do? My main suggestion is to organize a broad request for
>comments and input on possible paths forward. I think we’re doing the
>right thing by initially implementing these exemptions -- but I do
>think this decision needs to finally rest with the Board of the
>Wikimedia Foundation, based on community input, taking the tradeoffs
>into account.

Thanks for writing out these thoughts. A broad request for comments and
input seems reasonable, though there seems to be quite a bit of work
needed to get ready to begin such a discussion.

>My own stance, which I will continue to argue for (and which is my
>view as an individual -- there are many divergent opinions on this
>even inside WMF), is clear: I think we should set a deadline for the
>current approach, and shift to HTTPS for all traffic, for all sites,
>for all users, by default, after that deadline passes. This will force
>us to take the consequences of that shift seriously, and to explore
>alternatives to designing our technical policies around the practices
>of regimes that undermine web security in order to better censor and
>monitor their citizens.

I think it would help the conversation to have more data. Everybody knows
that there are over a billion people in China. However, how many people
globally can't use HTTPS (for whatever reason)? What is that breakdown by
country? How many users have opted out of HTTPS via user preference?

There's merit to the idea of ignoring user-hostile countries such as Iran
and China and cutting them off: certainly it's a mess of their own making.
But it seems to me that this idea is orthogonal to the idea that Wikimedia
needs to make a political point, engage in political advocacy, or take a
stand. Wikimedia is in the business of spreading free educational content.
It seems to me that getting involved in politics leads down a perilous
path that could ultimately destroy Wikimedia.

Of course, we've already decided to act by specifically exempting certain
countries from the new HTTPS requirement. But there might be a strong
contingent of users in the community that feels we should stop exempting
countries (i.e., treat everybody the same), but also _not_ be involved in
attempting to subvert whichever government monitoring we feel is most
egregious. While we can pretend as though it's only China and Iran, many
countries are spying on their own people at various levels.

And it becomes a question of cost versus benefit, much like everything
else that Wikimedia decides to work on. There's a very public trail of any
edits that you make. What information, exactly, are we trying to prevent
governments from getting ahold of? I think a stronger, clearer case for
what benefits Wikimedia will see would help justify (or help eliminate)
some of the proposed costs.

Both the community and the Board need to think about these questions and
their answers and ultimately address how to move forward.

MZMcBride