Erik Moeller wrote:
On 9/14/07, Tim Starling
<tstarling(a)wikimedia.org> wrote:
For a while now, we've been releasing squid
log data, stripped of
personally identifying information such as IP addresses, to groups at
two universities: Vrije Universiteit and the University of Minnesota. We
now have a request pending from a third group, at Universidad Rey Juan
Carlos in Spain. They are asking if they can have the full data stream
including IP addresses, and they are prepared to sign a confidentiality
agreement to get it.
"Wikimedia will not sell or share private information, such as email
addresses, with third parties, unless you agree to release this
information, or it is required by law to release the information."
http://wikimediafoundation.org/wiki/Privacy_policy
Under the current policy I would not support it, even if "private
information" is somewhat ambiguous: we must err on the side of
caution.
Yes. The first question is, would providing this data violate the
privacy policy, which protects "private information" - often but not
always assumed to mean personally-identifiable information. If we
consider the squid log data to include potentially
personally-identifiable/private information, then we can't release it
to a third party. Regardless of how much we trust them, or what they
are willing to sign.
If the release does NOT violate the privacy policy, then the question
becomes whether it violates existing community standards & practices.
I don't know the answer to that. But there has been lots of discussion
here, which may suggest there's not a clear consensus view.
IMO we want to help academics and we share lots of their values.. but
it is more important that we protect our own community of
users/contributors. So we want to err on that side.
I might support a research exemption clause in future versions of the
policy _if_ a compelling case can be made that such an exemption is
needed, and that no alternative research method would produce results
of approximately the same quality. So far no such case has been made.
Yes. Regardless, that would apply on a going-forward basis only; we
obviously could not change the terms of use
retroactively/non-consensually.
Whatever we do, it is crucial that we make it clear to our users
through our privacy policy what is going on. In that spirit, I would
also appreciate it if the privacy policy could be updated to describe
the existing agreements with universities, and the work that is being
done on the toolserver.