Dan,
I missed this reply in November to which you referred:
Do the advantages of keeping unanonymized IP reader logs for potential debugging needs outweigh the privacy disadvantages?
Judging from prior postings to this list the community members' interest in correctness of pageview data, pageview tools and pageview API far outweighs the concerns with a 60 day retention of raw IPs.
Is that the official position of the Foundation? It has been explicitly contradicted by the Executive Director, and is not considered an acceptable practice by the EFF:
https://www.eff.org/pages/eff-ad-wired
or the American Library Association:
http://www.ala.org/advocacy/intfreedom/librarybill/interpretations/privacy
http://www.ala.org/advocacy/library-privacy-guidelines-data-exchange-between...
http://www.ala.org/advocacy/privacyconfidentiality
or this law review article:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006
or news media expose articles such as:
https://www.washingtonpost.com/news/the-switch/wp/2016/10/11/facebook-twitte...
- Can Ops use access logs in which the article names have never been
stored on permanent, non-RAM media?
- Can the users who require logs of article names use those in which
the IP address, proxy information, and geolocation have never been stored on permanent media?
The implicit assumption here is that reasonable means are not being taken to safeguard user data by Technical Operations
Such measures do not address the subpoena-related concerns of the EFF, the ALA, the law review article, or the news media expose. Furthermore, it has been shown that the reader data leaves the custody of Technical Operations on page 20 here:
http://infolab.stanford.edu/~west1/pubs/West_Dissertation-2016.pdf
That says, "We have access to Wikimedia’s full server logs, containing all HTTP requests to Wikimedia projects." Page 19 indicates that this information includes the "IP address, proxy information, and user agent." See also:
https://youtu.be/jQ0NPhT-fsE&t=25m40s
You have also made other technical assumptions, such as that one can only use volatile storage to safely store data.
On the contrary, the assumption is that it's safer to not store PII on nonvolatile storage if it can be associated with the names of articles being read.
If a GET web request comes in from a reader, and the article name is stored in one disk file with the time accurate to the hour, and the IP and proxy information with an exact timestamp is stored in another file, would that meet all of the Foundation's and research community's needs?
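
The two-file split asked about in the last paragraph, as an added example (not part of the original message and not Wikimedia's logging code). The four-field log line, the `/wiki/` path prefix and all function names are assumptions; titles are held in memory per hour and sorted before being emitted so that row order in the article file does not mirror arrival order in the network file.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample requests (not real traffic):
# exact time, client IP, proxy (X-Forwarded-For or "-"), URL path.
SAMPLE = [
    "2016-12-01T10:02:11Z 198.51.100.7 - /wiki/Alpha",
    "2016-12-01T10:17:45Z 203.0.113.9 192.0.2.44 /wiki/Beta",
    "2016-12-01T10:58:03Z 198.51.100.7 - /wiki/Alpha",
    "2016-12-01T11:04:30Z 192.0.2.80 - /wiki/Gamma",
]

def parse_request(line):
    """Parse one line of the assumed format into (time, ip, proxy, title)."""
    ts, ip, proxy, path = line.split()
    if not path.startswith("/wiki/"):
        raise ValueError("not an article request: " + path)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, proxy, path[len("/wiki/"):]

def split_logs(lines):
    """Return (article_rows, network_rows); the hour is the only shared field."""
    titles_by_hour = defaultdict(list)   # kept in RAM until the hour is complete
    network_rows = []
    for line in lines:
        when, ip, proxy, title = parse_request(line)
        titles_by_hour[when.strftime("%Y-%m-%dT%H")].append(title)
        network_rows.append((when.isoformat(), ip, proxy))  # exact time, no title
    # Sorting inside each hour removes the arrival order from the article file.
    article_rows = [(hour, title)
                    for hour in sorted(titles_by_hour)
                    for title in sorted(titles_by_hour[hour])]
    return article_rows, network_rows

def bucket_sizes(article_rows):
    """Requests per hour: how many candidates a re-join by hour must choose among."""
    sizes = defaultdict(int)
    for hour, _title in article_rows:
        sizes[hour] += 1
    return dict(sizes)

if __name__ == "__main__":
    articles, network = split_logs(SAMPLE)
    print(articles, network, bucket_sizes(articles), sep="\n")
```

An hour whose bucket size is 1 still pairs its single title with its single network row, so the count per hour is the figure to watch on low-traffic periods.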