Florence Devouard <Anthere9(a)yahoo.com> wrote: The text about notification is present under ==Access to and publication of information==: "In the event of such a legally compulsory request, the Foundation will attempt to notify the affected user [...]." I think the other points are already fixed in the draft FT2 and I worked on (see the talk page). -- Yours cordially, Jesse Plamondon-Willard (Pathoschild)

2008/6/15 geni <geniice(a)gmail.com>om>: You can do it with a hash. Each hash could be mapped to from multiple IP addresses, so it's impossible to work out the IP address from the hash. Of course, you then have the risk of collisions, but that can be kept fairly small, and isn't the end of the world - we get collisions anyway when multiple people use one IP address. That said, I don't have a problem with publishing IP addresses of anon users - it's made clear to them that that will happen, and they have the option of registering if they have want to keep it hidden. The risk from having your IP address publicly known is really pretty minimal (mine is 82.152.59.121 (or 122 if you want my actual computer, rather the router, but the router is what's reported to the outside world) - do with it what you will!!).

On Sun, Jun 15, 2008 at 10:31 AM, David Gerard <dgerard(a)gmail.com> wrote: By this logic we should grant access to Special:Checkuser to everyone. No? Explain. :)

On Sun, Jun 15, 2008 at 6:55 PM, David Gerard <dgerard(a)gmail.com> wrote: I only asked why we give the equivalent checkuser on half our users to the general public. So far only Anthony has provided a reasonable explanation. To make you happy I'll go ahead and make an argument for fixing something: I don't see any logical cause for the inconsistency in how we treat registered and unregistered users. There is no particular reason is has to be this way, it seems to be historical accident as Anthony suggested. Instead we could publish the IPs of all edits, we could use opaque identifiers for anons, or we could completely dissallow anonymous editing. All of these would be consistent solutions. The current inconsistent situation generates a lot of problems: Careful COI pushers are rewarded for being smart enough to log in while at the same time normal users are harmed by accidentally getting logged out and having their IP surprisingly leaked. The edit histories of our articles are frequently sliced and diced to hide the IPs of established contributors and this sometimes makes the article history misleading. For example, see my edits on meta today (I swear I didn't do that intentionally to make a point, I have no clue how I ended up logged out) ... my IP edits couldn't be hidden without making the history misleading due to the timing of Cimon's edits. ... and the service of IP edit oversighting is generally only available to the Wiki(p|m)edia elite, if for no other reason than few others know it is available. Unregistered users account for roughly half of the contributors on at least one of the largest projects (EnWP). They make many valid and useful contributions (along with a bunch of junk...). We often mislead them about their privacy by calling their contributions "anonymous" when they are far less anonymous than the edits made by many registered users. Checkuser is by far one of the most highly regulated activities on all the projects. We keep a very tight fist over it. Yet, its equivalent is given freely over an enormous subset of the contributors. This smacks of favoritism. I think our behavior should probably be changed to remove the inconsistency. By removing the inconsistency we will prevent unpleasant surprises. I think the ability to *know* and *understand* the privacy posture you have when editing Wikipedia is more important than what the posture is, so I don't care which path to consistency is taken. I would presume that of the three I suggested most users would prefer replacing IPs with unique identifiers. The primary harm this path would cause is an increase in need for checkusers. If need-be the increased need for checkusers could be addressed by creating a lower class of checkusers who only have the ability to view the (previously public) information related to unregistered users. Such a solution would preserve an inconsistency but I believe it would be strictly more consistent than the current behavior.

On Mon, Jun 16, 2008 at 1:21 AM, John Vandenberg <jayvdb(a)gmail.com> wrote: It would be nearly trivial to feed the IP through a 32bit block cipher, convert that to base 36 (or just an integer), and use that as the user_text. I'm pretty confident that a reasonably clean solution wouldn't be hard. ::shrugs:: But does anyone anywhere want that behavior in mediawiki? Indeed. note my comment at the bottom of that ticket. :) People are also surprised when deletion fails to successfully hide information. Considering how trivial it is to run a script that saves every change as it is made.. all we can really hope to do is minimize the bleeding. It would be less revealing but it would greatly amplify the ability to hide because it would be far more anonymous. Depending on the implementation it could be used as a force multiplier with a single user on a single IP churning out dozens of guest ids by flushing their cookies. Obscuring the IP would convert the IPs into effective pseudonymous names, similar to real account names. The above would create something much closer to actual anonymous edits. I doubt most Wikimedia Wikis would support a proposal like that. (though, personally, I suspect life would go on if it were done).

Hoi, This is becoming a nice game of silly buggers. I will bite anyway. One reason why we should not grant access to Special:Checkuser to everyone is because it would have all kinds of really nasty side effects. For one it would make the life of stalkers that much easier. Giving stalkers the use of this tool would effectively harm first the community and because of the implications it would then harm the project. Thanks, GerardM On Mon, Jun 16, 2008 at 12:23 AM, Gregory Maxwell <gmaxwell(a)gmail.com> wrote:

On Mon, Jun 16, 2008 at 1:27 PM, Gregory Maxwell <gmaxwell(a)gmail.com> wrote: We don't "release" IPs, they are visible by default unless a person chooses to create an account. A person's IP is visible unless a person chooses to make it private. Anonymous users don't have an expectation of their IPs being kept private unless they've taken steps to make it so. Registered users do have that expectation. --Andrew Whitworth

Switching from IPs to randomized or encrypted numerical identifiers strikes me as a major change at first, but thinking about it and reading Gregory's rationale I'm not so sure. We could easily implement it so that administrators automatically see IPs or can convert in one step, meaning issues of tracking and dealing with vandalism wouldn't apply. I'm sure I'm missing the other technical and procedural drawbacks - can someone explain them to me? It'd obviously disable Wikiscanner as a public tool, and it would more than likely hit the press at some level, but what other detrimental effects would this change have? Nathan

2008/6/17 Henning Schlottmann &lt;h.schlottmann(a)gmx.net&gt;et>: On en:wp, it warns as clearly as it can: "You are not currently logged in. Editing this way will cause your IP address to be recorded publicly in this page's edit history. If you create an account, you can conceal your IP address and be provided with many other benefits. Messages sent to your IP can be viewed on your talk page." I suppose we could wrap it in <font color="red"><big><blink> ... - d.

Hoi, We have always indicated to people who were interested in this that true anonymity can not be found in anonymous editing. We have always indicated that anonymity will be better preserved by making use of a user handle. As you are continuing your game of silly buggers, it is a choice to use a user or not. If people are not troubled by sub optimal anonymity, it is their choice. At the same time they provide us with the handles to help fight vandals. Changing this will not help us produce more or better content for our projects. It makes our servers less responsive so I do not think this should have much or any priority.. Thanks, GerardM On Mon, Jun 16, 2008 at 7:27 PM, Gregory Maxwell &lt;gmaxwell(a)gmail.com&gt; wrote:

Thanks for announcing this on the mailing list, Florence. Some interesting discussion at http://meta.wikimedia.org/wiki/Talk:Draft_Privacy_Policy_June_2008 -- in particular regarding a rewritten (and considerably shorter) draft. On Sun, Jun 15, 2008 at 2:06 PM, Matthew Brown &lt;morven(a)gmail.com&gt; wrote: Not specifically replying to this, but it was a tempting snippet to quote. Seems easiest to specify the retention period outside of the privacy policy -- it may be enough to just say it's discarded periodically. -Luna

On Sat, Jun 21, 2008 at 3:22 PM, Brion Vibber &lt;brion(a)wikimedia.org&gt; wrote: "the least of amount personally identifiable information consistent with maintenance of its services, with its privacy policy, or as required by state or federal legal provisions under United States of America law" is fairly specific. If you can keep less, but still fulfill your services, the privacy policy, and the law, then the data retention policy states that you should do so.

Anthony wrote: The key phrase is "consistent with maintenance of its services", which is very much open-ended. It does not say anything specific about what we can or can't keep, or how quickly we should discard data or how long we must keep it, but simply indicates that we should: * keep any data as required by law * keep any data as long as we need it for an actual purpose * not keep data we don't need for an actual purpose This is not to say that we will look up everyone's IP and store a giant table forever listing your address that we looked up on Google Maps with a picture of your house. :) The point is simply that the data retention policy (which states our preference to not retain unnecessary data, as a goal to *drive* our actual behavior, for the company) is not redundant to the privacy policy (which lists specific things we do keep, as a *description* of our actual behavior, for the end-user). -- brion

Quick response, since you're in a hurry and I don't have much time right now: 1) Still too long and rambling. It's clearly written with the intention of educating users about privacy on Wikimedia projects, rather than primarily as a binding policy on WMF, yet no user is ever going to read it. Users will load the page, see how long it is and close the page again. If you want to educate users, you need another way to do it. Make the privacy policy simply a policy, a list of things that WMF commits to doing. 2) Why abbreviate "Wikimedia projects" to "WMProjects"? It's not a commonly used abbreviation, isn't much shorter and just makes the text harder to read. Either keep the full name, or abbreviate to "the projects". Tango PS I'm trying to remember to sign my emails since it's been brought to my attention that a lot of people seem to think I'm someone completely different, which can't be a good thing (either for him or me, I haven't decided!! ;)).

Florence Devouard wrote: "The Wikimedia Foundation that maintaining and preserving the privacy of user data is an important value." That sentence has no verb... Yours; Jussi-Ville Heiskanen

Hoi, Please eat your own dog food ... TL;DR is what ? Thanks, GerardM On Sun, Jun 22, 2008 at 9:13 AM, Ryan &lt;wiki.ral315(a)gmail.com&gt; wrote: