Sebastian Moleski wrote:
On 3/31/07, Robert Horning
I disagree that the damage that somebody using
checkuser privileges is
necessarily irreversible and necessarily causes too many legal problems
"for themselves and the foundation." There is obviously an extreme case
or two where this may be the case, but on the whole I can't really seen
where revealing the IP address of a user is necessarily going to be a
major problem. At best, the worst damage that can happen is to document
what computer an edit actually took place on. Only with 3rd party
records would it even be remotely possible to tie this with a specific
The laws regarding such things vary wildly between regions. In comparison to
American privacy laws, for instance, the laws in manz European countries are
much more strict. Disclosing personal information without the consent of the
person the information belongs to can be prosecuted in criminal and civil
court in some instances. Note that many of these laws aren't primarily meant
to restrict the government from accessing the information but other private
entities. The legal implications of checkuser shouldn't be underestimated.
In addition, any user, including anonymous users, can trace the IP
I would like to point out that if you connect to the internet from any
connection, you are "broadcasting" who you are and where you are at. I
know this is something that some individuals look at differently, but
trying to maintain anonymity on the internet is a complex task at the
best and futile at its worst. I know some of this has to do with what a
server operator claims to do with their usage logs, but you really
shouldn't expect to have your privacy maintained, so far as the address
to the computer is concerned, if you are using any internet connection.
I have seen some server operators actually publish all access logs to
their website in a very public manner.
An IP address is not a personally identifying piece of information by
itself, as compared to a nationally issued ID number or your full legal
name. As I mentioned here above, you must used additional information
such as signed logs or billing records of the ISP in order to tie a
particular IP address to a specific individual.
If a 10-year-old has been given bureaucrat privileges on a Wikimedia
project, I would be very surprised.
There is at least one fifteen old user who is a bureaucrat on a Wikimedia
That is a major accomplishment, and congratulations to that individual.
And to get there, they must have demonstrated a huge degree of maturity
as well. This is also something self-correcting as this particular
bureaucrat will be 18 in three years, making any argument about this
particular individual moot in time.
It may also present some
interesting legal problems for the WMF in terms
of liability for that
user's actions, but I also believe that any such user who has achieved
that level of trust in a particular project is going to have a level of
maturity to keep from abusing the checkuser tool as well.
Actual abuse isn't necessary to be subject to a lawsuit. People who
volunteer to perform checkuser functions must be fully aware of the
responsibilities their actions incur and the possible consequences of those
actions. It may be customary to assume good faith in Wikimedia projects.
Unfortunately, the real world doesn't always work that way.
I've heard a whole bunch of bluster here about how this abuse "may be
subject to a lawsuit". Is there any clear legal examples of this
happening with other ISPs in situations similar to a disclosure by a
volunteer operator/moderator of an IP address? How is this different
from admins who have to delete (or undelete) copyrighted material, or
set themselves up for potential liability issues and other legal matters
by performing user blocks? Or even ordinary users setting themselves up
with libel issues based on what they write on Wikimedia projects?
I believe that the hyperparanoia over the permission of check user
access is actually a short coming to improving Wikimedia projects, and
removing a very valuable tool to help fight vandalism and other
mischief. Particularly for smaller Wikimedia projects the current rules
place huge obstacles to being able to help fight those who mean harm.
These discussions to even further limit the scope of those eligible
(even if mainly symbolic) smacks of the elitism that I perceived even
when the check user policy was issued in the first place.
Certainly in the case of somebody trying to demonstrate eligibility for
becoming a member of the board of trustees, an age requirement is
absolutely necessary. What is missing here in these discussions is what
the actual legal requirements would be according to the laws of a
specific country for some volunteer coordinator who has access to
information tied between a user name and an IP address, and what both
the liability to the foundation would be if they accidentally or
intentionally disclosed this information. Furthermore, if the person
who did this disclosure was a minor, would that substantially increase
the liability of the WMF? Sure anything can trigger a lawsuit, but has
any similar lawsuit been filed in this kind of situation, ever? And
been successful and not thrown out as laughable by the judge?
-- Robert Horning