I'm writing to get an answer (from anybody at the WMF) on the status of the WMF's policy access to private (i.e. IP, Browser, etc.) information. Each day thousands of people edit Wikipedia and deserve to know what measures, if any, are taken to avoid divulging to the wrong sort of people this sensitive information about them.
On 25 April last year, the board of trustees approved, in a non-public and scantily-documented meeting, a policy that accords Checkuser and Oversight and other statuses to "community" members appointed by a community process with essentially a mere two requirements: provide an email address, and assert that you are 18 or over. Name, address, NOT required. Is this truly an adequate way to protect the privacy interests of all those that edit Wikipedia? Well, I don't think so, but my purpose right now is to try to eliminate the ambiguity of what is actually occurring at this time.
One source of this ambiguity is the edit of the WMF's James Alexander (http://wikimediafoundation.org/w/index.php?title=Access_to_nonpublic_data_po...) on 6 June, in which he wrote: "This policy has been replaced by a new [[m:Access to non public information policy|Access to non public information policy]], which was approved by the Board of Trustees on 25 April 2014. However, this policy remains in force until the new processes mandated by the new policy are put into place. A future announcement will be made to those affected before the new policy goes in effect." It's now the future (and after nine months, quite so), so what is the policy?
The old policy mandated that those seeking the accesses fax or secure email a from of identification. Casual and rank-and-file Wikipedia editors were repetitively told that the checkusers and oversighters etc. were "identified to the WMF." This was incredibly misleading because the practice of Philippe Beaudette was to shred and otherwise destroy the identifications after marking the noticeboard. It is apparent to any plain-spoken individual, I think, that you can't tell people that those granted these accesses are "identified to the WMF" when you have shredded the documents and all that is left (except in Mr. Beaudette's memory) is a checkmark by a username on a noticeboard. It wasn't a semantic dodge predicated on the definition of "identified," rather it was in my opinion a smoke-screen. Mr. Beaudette felt loyalty to the privacy of the administrators, and evidently none to the common editors whose IPs and so forth he was exposing to them.
The immediately above is not necessarily a criticism of the old policy, which taken at face value strongly implies that the WMF keeps the identifications on file, on a secure computer, or in a physical safe. It's rather that Mr. Beaudette operated for years in open defiance of the policy. To his credit though, apparently he impelled the Board to rewrite the policy in a manner corresponding to his actions.
BUT MY QUESTION NOW is: "What is the status of the policy?" For example English Wikipedia just got three new checkusers: Bbb23, Callanecc, and Mike V. What information were they required to provide? Proper documents, or merely an email address and assertion that they are over 18?
Trillium Corsage
Have you considered that you might get a better response to your messages if you - and this is just an idea drawn of idle whimsy, here - not spend quite so much of them on an extended trip off the reservation in order to attack and critique someone under their real name in public while hiding any identification of who you are? While we're discussing privacy, here.
Seriously: you've spent a lot of this email indulging in the paranoid fantasy that Philippe controls the board (he doesn't. One way you can tell is that they don't wear sweaters literally everywhere :p).
If we're asking questions we've already seemingly made our minds up about, and prefacing them with lots of grumping, let me get in on this - exactly what response do you expect? How do you think your claim of a Philippe Occupied Government enhances the utility of your message and the value a reader takes from it?
On Sunday, 12 April 2015, Trillium Corsage trillium2014@yandex.com wrote:
I'm writing to get an answer (from anybody at the WMF) on the status of the WMF's policy access to private (i.e. IP, Browser, etc.) information. Each day thousands of people edit Wikipedia and deserve to know what measures, if any, are taken to avoid divulging to the wrong sort of people this sensitive information about them.
On 25 April last year, the board of trustees approved, in a non-public and scantily-documented meeting, a policy that accords Checkuser and Oversight and other statuses to "community" members appointed by a community process with essentially a mere two requirements: provide an email address, and assert that you are 18 or over. Name, address, NOT required. Is this truly an adequate way to protect the privacy interests of all those that edit Wikipedia? Well, I don't think so, but my purpose right now is to try to eliminate the ambiguity of what is actually occurring at this time.
One source of this ambiguity is the edit of the WMF's James Alexander ( http://wikimediafoundation.org/w/index.php?title=Access_to_nonpublic_data_po...) on 6 June, in which he wrote: "This policy has been replaced by a new [[m:Access to non public information policy|Access to non public information policy]], which was approved by the Board of Trustees on 25 April 2014. However, this policy remains in force until the new processes mandated by the new policy are put into place. A future announcement will be made to those affected before the new policy goes in effect." It's now the future (and after nine months, quite so), so what is the policy?
The old policy mandated that those seeking the accesses fax or secure email a from of identification. Casual and rank-and-file Wikipedia editors were repetitively told that the checkusers and oversighters etc. were "identified to the WMF." This was incredibly misleading because the practice of Philippe Beaudette was to shred and otherwise destroy the identifications after marking the noticeboard. It is apparent to any plain-spoken individual, I think, that you can't tell people that those granted these accesses are "identified to the WMF" when you have shredded the documents and all that is left (except in Mr. Beaudette's memory) is a checkmark by a username on a noticeboard. It wasn't a semantic dodge predicated on the definition of "identified," rather it was in my opinion a smoke-screen. Mr. Beaudette felt loyalty to the privacy of the administrators, and evidently none to the common editors whose IPs and so forth he was exposing to them.
The immediately above is not necessarily a criticism of the old policy, which taken at face value strongly implies that the WMF keeps the identifications on file, on a secure computer, or in a physical safe. It's rather that Mr. Beaudette operated for years in open defiance of the policy. To his credit though, apparently he impelled the Board to rewrite the policy in a manner corresponding to his actions.
BUT MY QUESTION NOW is: "What is the status of the policy?" For example English Wikipedia just got three new checkusers: Bbb23, Callanecc, and Mike V. What information were they required to provide? Proper documents, or merely an email address and assertion that they are over 18?
Trillium Corsage
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-request@lists.wikimedia.org javascript:; ?subject=unsubscribe>
Very strange response, Oliver. I guess I'll take it one step at a time.
1) Well into the email I certainly "critiqued" Philippe for shredding the identification documents, but it is a step too far to say I "attacked" him.
2) That he (and you) goes by his real name is a rightful aspect of his WMF (a public charity) employment. Yes, I strive to protect my online privacy and speak here from an obvious nickname or pseudonym. While I limit my statements to what I think is reasonable, I don't think I'm obligated to disclose my identity as he must. I also have never sought the ability to block others or to access their IP etc. information on Wikipedia, which would be a good argument that I identify.
3) Am I in the grip of a "paranoid fantasy" that Philippe Beaudette "controls the WMF's board of trustees?" No, I spoke only of the one matter. But okay, in that specific matter I gave him credit for forcing the board to change the access-to-private-information policy. While drawing pay, he flouted and defied the prior WMF policy. It's a matter of record that WMF Legal's Michelle Paulson was alarmed by this and brought it to the attention of the board, which then strongly impliedly endorsed Beaudette's actions by changing the policy. I dunno if he could similarly move the board on policy he's not intimately involved with implementing, I'd say not.
Okay, then.
Trillium Corsage
12.04.2015, 17:20, "Oliver Keyes" ironholds@gmail.com:
Have you considered that you might get a better response to your messages if you - and this is just an idea drawn of idle whimsy, here - not spend quite so much of them on an extended trip off the reservation in order to attack and critique someone under their real name in public while hiding any identification of who you are? While we're discussing privacy, here.
Seriously: you've spent a lot of this email indulging in the paranoid fantasy that Philippe controls the board (he doesn't. One way you can tell is that they don't wear sweaters literally everywhere :p).
If we're asking questions we've already seemingly made our minds up about, and prefacing them with lots of grumping, let me get in on this - exactly what response do you expect? How do you think your claim of a Philippe Occupied Government enhances the utility of your message and the value a reader takes from it?
On Sunday, 12 April 2015, Trillium Corsage trillium2014@yandex.com wrote:
I'm writing to get an answer (from anybody at the WMF) on the status of the WMF's policy access to private (i.e. IP, Browser, etc.) information. Each day thousands of people edit Wikipedia and deserve to know what measures, if any, are taken to avoid divulging to the wrong sort of people this sensitive information about them.
On 25 April last year, the board of trustees approved, in a non-public and scantily-documented meeting, a policy that accords Checkuser and Oversight and other statuses to "community" members appointed by a community process with essentially a mere two requirements: provide an email address, and assert that you are 18 or over. Name, address, NOT required. Is this truly an adequate way to protect the privacy interests of all those that edit Wikipedia? Well, I don't think so, but my purpose right now is to try to eliminate the ambiguity of what is actually occurring at this time.
One source of this ambiguity is the edit of the WMF's James Alexander ( http://wikimediafoundation.org/w/index.php?title=Access_to_nonpublic_data_po...) on 6 June, in which he wrote: "This policy has been replaced by a new [[m:Access to non public information policy|Access to non public information policy]], which was approved by the Board of Trustees on 25 April 2014. However, this policy remains in force until the new processes mandated by the new policy are put into place. A future announcement will be made to those affected before the new policy goes in effect." It's now the future (and after nine months, quite so), so what is the policy?
The old policy mandated that those seeking the accesses fax or secure email a from of identification. Casual and rank-and-file Wikipedia editors were repetitively told that the checkusers and oversighters etc. were "identified to the WMF." This was incredibly misleading because the practice of Philippe Beaudette was to shred and otherwise destroy the identifications after marking the noticeboard. It is apparent to any plain-spoken individual, I think, that you can't tell people that those granted these accesses are "identified to the WMF" when you have shredded the documents and all that is left (except in Mr. Beaudette's memory) is a checkmark by a username on a noticeboard. It wasn't a semantic dodge predicated on the definition of "identified," rather it was in my opinion a smoke-screen. Mr. Beaudette felt loyalty to the privacy of the administrators, and evidently none to the common editors whose IPs and so forth he was exposing to them.
The immediately above is not necessarily a criticism of the old policy, which taken at face value strongly implies that the WMF keeps the identifications on file, on a secure computer, or in a physical safe. It's rather that Mr. Beaudette operated for years in open defiance of the policy. To his credit though, apparently he impelled the Board to rewrite the policy in a manner corresponding to his actions.
BUT MY QUESTION NOW is: "What is the status of the policy?" For example English Wikipedia just got three new checkusers: Bbb23, Callanecc, and Mike V. What information were they required to provide? Proper documents, or merely an email address and assertion that they are over 18?
Trillium Corsage
_______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:wikimedia-l-request@lists.wikimedia.org javascript:; ?subject=unsubscribe>
-- Sent from my mobile computing device of Lovecraftian complexity and horror. _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Trilium,
My understanding is that the new policy is now active, meaning that identification documents are not required for checkusers and oversighters. I believe that identification documents are still required for WMF Board, FDC, Board Elections Committee, and Board Audit Committee appointments.
Can you explain what it is that worries you about this change in policy for checkusers and oversighters?
Thanks,
Pine
On Sun, Apr 12, 2015 at 10:37 AM, Pine W wiki.pine@gmail.com wrote:
Trilium,
My understanding is that the new policy is now active, meaning that identification documents are not required for checkusers and oversighters. I believe that identification documents are still required for WMF Board, FDC, Board Elections Committee, and Board Audit Committee appointments.
Can you explain what it is that worries you about this change in policy for checkusers and oversighters?
tldr: It isn't rolled out yet, however I'm hoping to do so during my free moments over the next month as we set up the election.
Actually, the policy is not yet active for anyone and identification is still required from checkusers and oversighters. Because of logistical (including that we needed to have a tool for the sign off and some adjustments to the confidentiality agreement itself to ensure it made more sense) and resource (both the lawyers involved and the CA staff have been slammed for the past year) issues the speed moving forward has been incredibly slow. The confidentiality agreement text has final approval from meta now (I haven't updated meta but I will early this week), at this point the only thing left is for translation of the agreement and for me to write up the announcements the teams who are affected and then notify them. That will start the 3 month time window and I hope to do so very soon. The upcoming board election is my number one priority, however this is my 2nd.
There is no doubt that we would have preferred to have finished this long ago at this point. However in the end the combination of figuring out exactly how to do the agreement and just finding time to do the necessary steps prevented us from going forward how we wanted too. We had to make quite a few compromises from how it was originally envisioned technically both throwing out the original idea of a unique tool to do it (in favor of using Phabricator legal pad) and not being able to do everything we originally expected in Phabricator. For better or worse the people responsible for the rollout on both the Legal and CA side are also some of the most over scheduled members of those teams during the past year and so the speed of advancement hasn't been what we'd like because other responsibilities had to take priority given that the existing policy was still in place.
James Alexander Community Advocacy Wikimedia Foundation (415) 839-6885 x6716 @jamesofur
On 13/04/15 00:12, Trillium Corsage wrote:
On 25 April last year, the board of trustees approved, in a non-public and scantily-documented meeting, a policy that accords Checkuser and Oversight and other statuses to "community" members appointed by a community process with essentially a mere two requirements: provide an email address, and assert that you are 18 or over. Name, address, NOT required. Is this truly an adequate way to protect the privacy interests of all those that edit Wikipedia? Well, I don't think so, but my purpose right now is to try to eliminate the ambiguity of what is actually occurring at this time.
I was not involved in the development of this policy, either the original one or the current iteration. So what follows are my independent, unofficial thoughts on the issue.
I don't know what identifying people with checkuser permissions is meant to achieve, when they are not liable for a breach of the privacy policy. I can understand requiring identification for Board members, who have legal responsibilities. But what is the point of having a photocopy of a CheckUser's passport when there are no conceivable circumstances under which you would give that photocopy to police?
Maybe the idea is that if a CheckUser publically doxes someone for some petty purpose, such as revenge, then the victim may subpoena identifying records from the Foundation as part of a suit against the CheckUser. Note that I have done my fair share of troll hunting, it occupied quite a bit of my time between when I first got shell access in early 2004 and when I introduced CheckUser in late 2005. I have publically discussed identifying information of logged-in users. I never heard any credible theory on how my actions at that time might have created legal liability. Surely, if there was such a legal remedy, trolls would constantly threaten to use it.
I think that the most important practical measure we can take to protect users' privacy against CheckUser is to regularly audit the CheckUser logs. We should also work to improve their auditability. The logs have hundreds of entries of the form:
* AdminUser got IP addresses for Spambot10255787 (Investigating spam) * AdminUser got users for 11.22.33.44/16 (Investigating spam)
What auditor is ever going to do another CheckUser request to make sure that 11.22.33.44 really was an IP address used by Spambot10255787? How can we tell if AdminUser was interested in 11.22.33.44 for some other reason? Linked log entries should probably be explicitly annotated by the software.
-- Tim Starling
Mr. Starling, thanks for your response. I have to preface this by saying my opinions are legitimate criticism and rightly motivated, but I nevertheless fear that they won't be allowed on the mailing list and that I will be kicked off it because of them.
I don't know what identifying people with checkuser permissions is meant to achieve, when they are not liable for a breach of the privacy policy. I can understand requiring identification for Board members, who have legal responsibilities. But what is the point of having a photocopy of a CheckUser's passport when there are no conceivable circumstances under which you would give that photocopy to police?
No, there are plenty conceivable circumstances under which the WMF would be compelled to identify a community administrator to the police, such as a lawsuit for cyberstalking. For example WMF Steward "Tbloemink" and global sysop "JurgenNL" engaged in the stalking of Moiramoira via IRC, harassing phonecalls, and a visit to her home in which they peeped in her windows (http://meta.wikimedia.org/wiki/Requests_for_comment/Privacy_violation_by_TBl...). They did use their advanced administrative rights to identify her. So a criminal or civil case could be brought in which a subpoena for the passport would be lawfully issued.
In the broader picture, requiring identification would improve the behavior of any bad administrator that has slipped through the cracks and uses the advanced tools to violate users' privacy. Why? Because anonymity reduces the risks involved with bad behavior. So they are no longer restrained by personal accountability in checkusering people. They can do as they like, use the information in any way they like, and, beyond desysoping I guess, can never be held to account.
Maybe the idea is that if a CheckUser publically doxes someone for some petty purpose, such as revenge, then the victim may subpoena identifying records from the Foundation as part of a suit against the CheckUser. Note that I have done my fair share of troll hunting, it occupied quite a bit of my time between when I first got shell access in early 2004 and when I introduced CheckUser in late 2005. I have publically discussed identifying information of logged-in users. I never heard any credible theory on how my actions at that time might have created legal liability. Surely, if there was such a legal remedy, trolls would constantly threaten to use it.
Your presumption here is that administrators across the board are honorable troll hunters fulfilling a community duty, but the reality is somewhat different. The demonization of an editor as "troll" and "sockpuppet" and so forth is often falsely used by the administrator as an excuse for acting on his or her personal antipathies. They become irritated at an editor and set out to attack him or her, there are no controls on or standards for their actions.
I think that the most important practical measure we can take to protect users' privacy against CheckUser is to regularly audit the CheckUser logs. We should also work to improve their auditability. The logs have hundreds of entries of the form:
Yeah, that's a great idea, but further make it *publicly* auditable. Redact the privacy (IP) information and let the public know whom the checkusers are checkusering. Another great step would be to force entry of a *reason* before the checkuser tool can be used. As I understand it from all I've read, the checkuser tool now has a "reason" field, but it can be left blank. Reconfigure the tool to force entry of a reason for its use. And this also would immensely improve the ability to audit the logs.
13.04.2015, 01:56, "Tim Starling" tstarling@wikimedia.org:
On 13/04/15 00:12, Trillium Corsage wrote:
<text clipped for brevity>
wikimedia-l@lists.wikimedia.org