Erik Moeller wrote:
So, what to do? My main suggestion is to organize a broad request for comments and input on possible paths forward. I think we’re doing the right thing by initially implementing these exemptions -- but I do think this decision needs to finally rest with the Board of the Wikimedia Foundation, based on community input, taking the tradeoffs into account.
Thanks for writing out these thoughts. A broad request for comments and input seems reasonable, though there seems to be quite a bit of work needed to get ready to begin such a discussion.
My own stance, which I will continue to argue for (and which is my view as an individual -- there are many divergent opinions on this even inside WMF), is clear: I think we should set a deadline for the current approach, and shift to HTTPS for all traffic, for all sites, for all users, by default, after that deadline passes. This will force us to take the consequences of that shift seriously, and to explore alternatives to designing our technical policies around the practices of regimes that undermine web security in order to better censor and monitor their citizens.
I think it would help the conversation to have more data. Everybody knows that there are over a billion people in China. However, how many people globally can't use HTTPS (for whatever reason)? What is that breakdown by country? How many users have opted out of HTTPS via user preference?
There's merit to the idea of ignoring user-hostile countries such as Iran and China and cutting them off: certainly it's a mess of their own making. But it seems to me that this idea is orthogonal to the idea that Wikimedia needs to make a political point, engage in political advocacy, or take a stand. Wikimedia is in the business of spreading free educational content. It seems to me that getting involved in politics leads down a perilous path that could ultimately destroy Wikimedia.
Of course, we've already decided to act by specifically exempting certain countries from the new HTTPS requirement. But there might be a strong contingent of users in the community that feels we should stop exempting countries (i.e., treat everybody the same), but also _not_ be involved in attempting to subvert whichever government monitoring we feel is most egregious. While we can pretend as though it's only China and Iran, many countries are spying on their own people at various levels.
And it becomes a question of cost versus benefit, much like everything else that Wikimedia decides to work on. There's a very public trail of any edits that you make. What information, exactly, are we trying to prevent governments from getting ahold of? I think a stronger, clearer case for what benefits Wikimedia will see would help justify (or help eliminate) some of the proposed costs.
Both the community and the Board need to think about these questions and their answers and ultimately address how to move forward.
MZMcBride