Hello, everyone.
I’m Maggie Dennis, the Wikimedia Foundation’s Vice President of Community Resilience & Sustainability.[1] I’m reaching out to you today to talk about a series of actions the Foundation has recently taken to protect communities across the globe.
I apologize in advance for the length and the ambiguity in certain areas. These are complicated issues, and I will try to summarize a lot of what may be unfamiliar information to some of you succinctly. I will answer questions to the best of my ability within safety parameters, and I will be hosting an office hour in a few weeks where I can discuss these issues in more depth. We’re currently getting that set up in regards to availability of support staff and will announce it on Wikimedia-L and Meta as soon as that information is prepared.
Many of you are already aware of recent changes that the Foundation has made to its NDA policy. These changes have been discussed on Meta, and I won’t reiterate all of our disclosures there,[2] but I will briefly summarize that due to credible information of threat, the Foundation has modified its approach to accepting “non-disclosure agreements” from individuals. The security risk relates to information about infiltration of Wikimedia systems, including positions with access to personally identifiable information and elected bodies of influence. We could not pre-announce this action, even to our most trusted community partner groups (like the stewards), without fear of triggering the risk to which we’d been alerted. We restricted access to these tools immediately in the jurisdictions of concern, while working with impacted users to determine if the risk applied to them.
I want to pause to emphasize that we do not mean to accuse any specific individual whose access was restricted by that policy change of bad intent. Infiltration can occur through multiple mechanisms. What we have seen in our own movement includes not only people deliberately seeking to ingratiate themselves with their communities in order to obtain access and advance an agenda contrary to open knowledge goals, but also individuals who have become vulnerable to exploitation and harm by external groups because they are already trusted insiders. This policy primarily served to address the latter risk, to reduce the likelihood of recruitment or (worse) extortion. We believe that some of the individuals impacted by this policy change were also themselves in danger, not only the people whose personal information they could have been forced to access.
Today, the Foundation has rolled out a second phase of addressing infiltration concerns, which has resulted in sweeping actions in one of the two currently affected jurisdictions. We have banned seven users and desysopped a further 12 as a result of long and deep investigations into activities around some members of the unrecognized group Wikimedians of Mainland China.[3] We have also reached out to a number of other editors with explanations around canvassing guidelines and doxing policies and requests to modify their behaviors.
When it comes to office actions, the Wikimedia Foundation typically defaults to little public communication, but this case is unprecedented in scope and nature. While there remain limits to what we can reveal in order to protect the safety and privacy of users in that country and in that unrecognized group, I want to acknowledge that this action is a radical one and that this decision was not easily made. We struggled with not wanting to discourage and destroy the efforts of good faith users in China who have worked so hard to fight for free and open knowledge, including some of those involved in this group. We do not want them to fear that their contributions are unwelcome. We also could not risk exposing them to danger by doing nothing to protect them after we became aware of credible threats to their safety.
While some time ago we limited the exposure of personal information to users in mainland China, we know that there has been the kind of infiltration we describe above in the project. And we know that some users have been physically harmed as a result. With this confirmed, we have no choice but to act swiftly and appropriately in response.
I take it as both a triumph and a challenge that in the years of my own involvement I have seen Wikimedia go from a suspect non-mainstream website to a highly trusted and widely relied upon source across the world. When I first started editing the projects in about 2007, I already believed Wikimedia had the capacity to be one of the greatest achievements of the world--collective knowledge, at your fingertips. What an amazing gesture of goodwill on the part of all of its many editors. It didn’t take me long after I started editing to realize how entrenched the battles could be over how to present information and how that can be exploited to achieve specific ends. I’m not trying to suggest that I was astonishingly prescient; I think there were many who realized that risk long before I stumbled naively on the scene. I do think that the risk is greater than ever now, when Wikimedia projects are widely trusted, and when the stakes are so high for organized efforts to control the information they share.
Community “capture” is a real and present threat. For years, the movement has been widely aware of challenges in the Croatian Wikipedia, with documentation going back nearly a decade. The Foundation recently set up a disinformation team, which is still finding its footing and assessing the problem, but which began by contracting an external researcher to review that project and the challenges and help us understand potential causes and solutions for such situations.[4] We have also recently staffed a human rights team to deal with urgent threats to the human rights of communities across the group as a result of such organized efforts to control information. The situation we are dealing with today has shown me how much we need as a movement to grapple with the hard questions of how we remain open to editing by anyone, anywhere, while ensuring that individuals who take us up on that offer are not harmed by those who want to silence them.
With respect to the desysopping, we hope to connect with the international Chinese language community in the near future to talk about approaches to elections that avoid the risk of project capture and ensure that people are and feel safe contributing to the Chinese language Wikipedia. We need to make sure that the community can hold fair elections, without canvassing or fraud. We hope that helping to establish such a fair approach to elections will allow us to reinstate CheckUser rights in time.
I want to close this email by noting that I am personally deeply sorry to those of you for whom this will be a shock. This will undoubtedly include those who wonder if they should fear that their personal information has been exposed (we do not believe so; we believe we acted in time to prevent that) and also those who fear that further such bold action is in the works which may disrupt them and their work and their communities (at this point, with this action, we believe the identified risks have been contained in the short to medium term). I am also truly sorry to those communities who have been uneasy in the shadow of such threats for some time. The Foundation continues to build our capacity to support every community that wants or needs its support - and we are still learning how to do so well when we do. One of the key areas we seek improvement is in our ability to understand our human rights impact and in our ability to address those challenges. You have not had the service you’ve deserved. We can’t fix things immediately, but we are working to improve, actively, intentionally, and with focus.
To the 4,000 active Chinese language Wikimedians distributed across the world and serving readers in multiple continents,[5][6] I would like to communicate my sorrow and regret. I want to assure you that we will do better. The work you do in sharing knowledge to Chinese readers everywhere has great meaning, and we are committed to supporting you in doing this work into the future, with the tools you need to succeed in a safe, secure, and productive environment.
Again, I will answer what questions I can, also relying on the support of others in Legal and perhaps beyond. We’re setting up a page on Meta to talk, and I will be hosting an office hour in coming weeks.
Best regards,
Maggie
[1]
https://meta.wikimedia.org/wiki/Community_Resilience_and_Sustainability
[2]
https://meta.wikimedia.org/wiki/Talk:Access_to_nonpublic_personal_data_policy#Policy_adjustment_on_behalf_of_Legal
[3]
https://meta.wikimedia.org/wiki/Wikimedians_of_Mainland_China
[4]
https://meta.wikimedia.org/wiki/Croatian_Wikipedia_Disinformation_Assessment-2021
[5]
https://stats.wikimedia.org/#/zh.wikipedia.org
[6]
https://stats.wikimedia.org/#/zh.wikipedia.org/reading/page-views-by-country/normal|map|last-month|(access)~desktop*mobile-app*mobile-web|monthly
***
大家好
我是 Maggie Dennis, 维基媒体基金会社团及延续性的领导。[1] 今天我想和大家分享维基媒体基金会在全球保护社团采取的一系列办事行动。
我在这里先向大家说声对不起。这封信会比较长,有些方面也会比较歧义。这些事的确比较复杂,但我会尽量简化但明确的把这些资料和大家分享。我会在安全范围内尽我所能的回答问题,我也会在未来的几个星期主办 office hour 在和大家更详细的研讨。我们正在设置有关于人力资源上的问题并会在 Wikimedia-L 和 Meta 发布讯息。
相信大家已经知道基金会在几周前对 NDA 政策的改变。这些改变已经在 Meta 讨论过了,我也不必在这里重申,[2]但让我在这里简要地说明。基金会收到了有关各人威胁的可信消息并调整了接受各人“non-disclosure agreements”的姿态。这个安全风险是有关于浸入及索取基金会的系统,也包括取数个人识别资料和选举管理机构的影响。我们不能预先宣布这新的策略即使是我们最信任的团体 (stewards), 为了不触发这些风险。我们在受影响的区域限制了使用权并且和受影响的使用者讨论风险对它们的影响。
我想在这里强调不是某个受影响的人藏了恶意而是浸入发生可以有很多种。我们知道在维基百科里有不良角色和社团迎合为了就是取数和推进反开放知识的目标这也包括某人受了不良角色的影响而屈服因为他们已经是认可的知情人。这策略改变的目的是为了减少后者的风险,招募或更严重的敲诈勒索。我们相信有些受影响的用户自己有以上的风险而不限制与有可能被逼盗用有个人资料使用者。
今天,维基媒体基金会在两个受影响的区域之一,推出了第二阶段寻址浸入风险的扫荡行动。经过了深入调查非附属团体 Wikimedians of Mainland China 的活动, 我们禁止了七个用户和删除了十二个管理员权限。[3] 我们还联系了一些其他编辑,解释了有关拉票指南和人肉政策的解释,,并要求它们调整这些行为。
有关于办事行动维基媒体基金会通常不会向外公开但这个案件的范围和性质是前所未有的。在安全和隐私的范围内我们不能透露在非附属团体的这些用户,但我想承认这行动是激进的,而且做出这一决定并不容易。 我们努力地不想阻止和破坏中文真诚用户的努力,他们为自由和开放的知识而努力奋斗,包括参与该群体的一些人。我们也不想让真诚的用户觉得不实欢迎,当我们收到了对它们安全可信的威胁,我们也不能冒险采取任何措施保护他们,从而使他们面临危险。
一些时间前, 我们限制了在中国用户的个人资料暴露,也知道在中文维基百科有相似的浸入。我们也确认了有些用户为某些因故而受了身体伤害。我们别无选者必须快速做回应。
当我回顾我在维基媒体的这些年,从一个非主流的网站转变成一个全求都信任的线上百科全书,我把这个案件当作是一个挑战和胜利。 在2007年当我钢开始改编的时候我已经相信维基媒体会是全球最大成就之一, 那就是集体知识,在手指上。 不用多久时间,我就发现了许多编辑人员善意的姿态和那些用来呈现资料角度的战争。我不是在暗示我有预见性的警告,我觉得很多用户在我参与前就知道这事会发生。我不认为这个风险在这个时候比较高,当维基媒体的项目收到这么庞大的信任,还有组织的努力来控制我们分享的知识。
团体“占领” 是一个真是的风险。多年已来,基金会意识到的克罗地亚维基百科面临的挑战。我们也有进十年的文档。基金会在最近设立了虚假信息团队,但是我们还在评估克罗地亚维基百科的问题。这些问题是基金会较早前聘请的承包商来帮我们理解原因和解决办法。[4] 为了应付团体组织的资料控制,我们也设立了一组人权团队来应对紧急人权危机。我们惊天所免领的问题也让我看到了我们所需要的来应付这些困难问题,像是如何继续开放编辑给每个人,在每个地方但能够确保我们的用户在编辑中受到被封的威胁下感到安全。
在管理员权限,我们希望能够与国际华语群体链接来参与及讨论选举的方向为了避免团体占领也绕着不知让中文维基百科的用户感到安全也绝对是安全。 我们也必须确认中文项目的用户可以举办公平的选举,没有拉票或欺诈。 我们希望建设这些公平的法则来维持选举能够让我们在未来恢复 CheckUser 权利.
我想在结束这封电子邮件时指出,我个人对你们中的那些感到震惊的人深表歉意。这无疑将包括那些想知道他们是否应该担心他们的个人信息被暴露的人(我们不这么认为;我们相信我们及时采取了行动以防止这种情况发生)以及那些担心进一步采取这种大胆行动的人可能会扰乱他们及其工作和社区(此时,通过这一行动,我们相信已识别的风险已在中短期内得到控制)。我也对那些在这种威胁的阴影下一段时间感到不安的社区深表歉意。基金会继续建设我们的能力,以支持每个想要或需要其支持的社区我们仍在学习如何在我们这样做的时候做得很好。我们寻求改进的关键领域之一是了解我们的人权影响的能力以及我们应对这些挑战的能力。你没有得到你应得的服务。我们无法立即解决问题,但我们正在积极、有意识地、专注地努力改进。
向分布在世界各地、服务于多个大洲的读者的4000名活跃中文维基人,[5][6]我想传达我的悲伤和遗憾。我想向你保证,我们会做得更好。您为世界各地的中文读者分享知识所做的工作意义重大,我们致力于支持您在未来开展这项工作,并提供您在安全、可靠和高效的环境中取得成功所需的工具。
同样,我将回答我能回答的问题,也依赖于法律领域甚至其他领域的其他人的支持。我们正在 Meta 上建立一个页面来讨论,我将在未来几周内主办 office hour 在和大家更详细的研讨。
此致,
Maggie
[1]
https://meta.wikimedia.org/wiki/Community_Resilience_and_Sustainability
[2]
https://meta.wikimedia.org/wiki/Talk:Access_to_nonpublic_personal_data_policy#Policy_adjustment_on_behalf_of_Legal
[3]
https://meta.wikimedia.org/wiki/Wikimedians_of_Mainland_China
[4]
https://meta.wikimedia.org/wiki/Croatian_Wikipedia_Disinformation_Assessment-2021
[5]
https://stats.wikimedia.org/#/zh.wikipedia.org
[6]
https://stats.wikimedia.org/#/zh.wikipedia.org/reading/page-views-by-country/normal|map|last-month|(access)~desktop*mobile-app*mobile-web|monthly