Hello,
I want to know if there is a privacy concern on the Dutch Wikipedia.
The short story:
When you got blocked on the Dutch Wikipedia for socking you can remove the block by sending a copy of your passport to a user thats trusted by the community. After he checks your passport or all the passports involved if you have a shared connection the block will be removed.
The user where you have to send it to isn't indentified by the foundation and you have to send it by snailmail not to OTRS.
The foundations privacy policies does that allow this to happen?
Hoi, If you do not trust the person involved, you are crazy to send him a copy of your passport. This is a common sense. This policy as it obviously works.. what is really your issue ?
Do we really need a theoretical approach that only can bring us less functionality ? I do not think so. Thanks, GerardM
On 9 July 2011 09:52, Huib Laurens sterkebak@gmail.com wrote:
Hello,
I want to know if there is a privacy concern on the Dutch Wikipedia.
The short story:
When you got blocked on the Dutch Wikipedia for socking you can remove the block by sending a copy of your passport to a user thats trusted by the community. After he checks your passport or all the passports involved if you have a shared connection the block will be removed.
The user where you have to send it to isn't indentified by the foundation and you have to send it by snailmail not to OTRS.
The foundations privacy policies does that allow this to happen?
-- Kind regards, Abigor _______________________________________________ foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
The rather big deal for me is that when i edit a Wikimedia project there is a privacy policy, and next to that there is a policy that only people who identified themselfs to the foundation can handle non-public date. I guess that there this is the case also.
So wouldn't it be more secure and inside the Wikimedia policies when it would be send to OTRS and that trusted identified users can handle those?
I do see a big concern, cuz I send my passport somewhere for Wikipedia... If something happens it would make Wikimedia responsible, because I send it to them (to a Dutch adress) So do we want a policy that works but could endanger the Foundation because they are still responsible.
2011/7/9 Gerard Meijssen gerard.meijssen@gmail.com
Hoi, If you do not trust the person involved, you are crazy to send him a copy of your passport. This is a common sense. This policy as it obviously works.. what is really your issue ?
Do we really need a theoretical approach that only can bring us less functionality ? I do not think so. Thanks, GerardM
On 9 July 2011 09:52, Huib Laurens sterkebak@gmail.com wrote:
Hello,
I want to know if there is a privacy concern on the Dutch Wikipedia.
The short story:
When you got blocked on the Dutch Wikipedia for socking you can remove
the
block by sending a copy of your passport to a user thats trusted by the community. After he checks your passport or all the passports involved if you have a shared connection the block will be removed.
The user where you have to send it to isn't indentified by the foundation and you have to send it by snailmail not to OTRS.
The foundations privacy policies does that allow this to happen?
-- Kind regards, Abigor _______________________________________________ foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
Huib,
The WMF is not responsible for private mails you send to anyone. The only people who "officialy" can receive a copy of any ID you may have are Philippe http://meta.wikimedia.org/wiki/User:Philippe_%28WMF%29, Christinehttp://meta.wikimedia.org/wiki/User:Christine_%28WMF%29or Megan http://meta.wikimedia.org/wiki/User:Mhernandez. If you send a copy of your ID to anyone else is not WMF problem. _____ *Béria Lima* http://wikimedia.pt/(351) 925 171 484
*Imagine um mundo onde é dada a qualquer pessoa a possibilidade de ter livre acesso ao somatório de todo o conhecimento humano. É isso o que estamos a fazer http://wikimediafoundation.org/wiki/Nossos_projetos.*
2011/7/9 Huib Laurens sterkebak@gmail.com
The rather big deal for me is that when i edit a Wikimedia project there is a privacy policy, and next to that there is a policy that only people who identified themselfs to the foundation can handle non-public date. I guess that there this is the case also.
So wouldn't it be more secure and inside the Wikimedia policies when it would be send to OTRS and that trusted identified users can handle those?
I do see a big concern, cuz I send my passport somewhere for Wikipedia... If something happens it would make Wikimedia responsible, because I send it to them (to a Dutch adress) So do we want a policy that works but could endanger the Foundation because they are still responsible.
2011/7/9 Gerard Meijssen gerard.meijssen@gmail.com
Hoi, If you do not trust the person involved, you are crazy to send him a copy of your passport. This is a common sense. This policy as it obviously
works..
what is really your issue ?
Do we really need a theoretical approach that only can bring us less functionality ? I do not think so. Thanks, GerardM
On 9 July 2011 09:52, Huib Laurens sterkebak@gmail.com wrote:
Hello,
I want to know if there is a privacy concern on the Dutch Wikipedia.
The short story:
When you got blocked on the Dutch Wikipedia for socking you can remove
the
block by sending a copy of your passport to a user thats trusted by the community. After he checks your passport or all the passports involved
if
you have a shared connection the block will be removed.
The user where you have to send it to isn't indentified by the
foundation
and you have to send it by snailmail not to OTRS.
The foundations privacy policies does that allow this to happen?
-- Kind regards, Abigor _______________________________________________ foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
-- Kind regards,
Huib Laurens WickedWay.nl
Webhosting the wicked way. _______________________________________________ foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
On 9 July 2011 11:02, Béria Lima berialima@gmail.com wrote:
The WMF is not responsible for private mails you send to anyone. The only people who "officialy" can receive a copy of any ID you may have are Philippe http://meta.wikimedia.org/wiki/User:Philippe_%28WMF%29, Christinehttp://meta.wikimedia.org/wiki/User:Christine_%28WMF%29or Megan http://meta.wikimedia.org/wiki/User:Mhernandez. If you send a copy of your ID to anyone else is not WMF problem.
I do think it is absolutely a problem when people on a WMF-hosted wiki are using an unofficial mechanism to demand copies of people's passports.
Note that WMF does not allow local communities to do other things that would violate the privacy policy, such as run Google Analytics, even if the local community is all for it.
When passports are requested of people on the wiki, does the requester stress that this is not WMF-official, not covered by the privacy policy and there is no official oversight whatsoever of the mechanism?
It looks to me like Huib has alerted us to a potentially disastrous privacy time bomb.
- d.
If there is any advice on the Dutch Wikipedia that users have to send in a copy of their passport to anyone, including OTRS, then it should be removed. In most cases of interest, OTRS agents can confirm identity by checking that a source email matches an official registered domain or that it is the address given on an official website. Passport images are of particular concern due to the prevalent misuse of such images for fraud and I would have serious concerns if such images were retained on OTRS as the system has no special or demonstrably robust security measures.
Cheers, Fae -- http://enwp.org/user_talk:fae Guide to email tags: http://j.mp/faetags
On 9 July 2011 09:52, Huib Laurens sterkebak@gmail.com wrote:
Hello,
I want to know if there is a privacy concern on the Dutch Wikipedia.
The short story:
When you got blocked on the Dutch Wikipedia for socking you can remove the block by sending a copy of your passport to a user thats trusted by the community. After he checks your passport or all the passports involved if you have a shared connection the block will be removed.
The user where you have to send it to isn't indentified by the foundation and you have to send it by snailmail not to OTRS.
The foundations privacy policies does that allow this to happen?
-- Kind regards, Abigor
David Gerard, 09/07/2011 12:46:
On 9 July 2011 11:02, Béria Limaberialima@gmail.com wrote:
The WMF is not responsible for private mails you send to anyone. The only people who "officialy" can receive a copy of any ID you may have are Philippehttp://meta.wikimedia.org/wiki/User:Philippe_%28WMF%29, Christinehttp://meta.wikimedia.org/wiki/User:Christine_%28WMF%29or Meganhttp://meta.wikimedia.org/wiki/User:Mhernandez. If you send a copy of your ID to anyone else is not WMF problem.
I do think it is absolutely a problem when people on a WMF-hosted wiki are using an unofficial mechanism to demand copies of people's passports.
While Beria is technically right (probably), I agree with David.
Gerard Meijssen, 09/07/2011 10:06:
If you do not trust the person involved, you are crazy to send him a
copy of
your passport. This is a common sense. This policy as it obviously
works..
what is really your issue ?
Do we really need a theoretical approach that only can bring us less functionality ? I do not think so.
Gerard is right as well. This system makes sense and could work as an extension of those occasions when a trusted user says "oh, but I met both User:Whatever and User:AllegedSockpuppet in person at that wikimeetup, I grant you they really exist!", but probably there shouldn't be any "official" page, policy or guideline suggesting people to send private data like Huib described.
Nemo
Just to give this a bit of context, without taking any position:
On the Dutch Wikipedia, you can get blocked for sockpuppet abuse. This block has an infinite length because the opinion of the community has been that sockpuppet abuse is unacceptable. This has happened to Huib - it was concluded he abused sockpuppetse and he got blocked for infinite duration. This /besides/ a finite block by the arbitration committee for other issues.
Quite a while ago, there were some cases where people did get blocked, but they wanted to change for the better. Individuals provided these people the option to send them a physical letter with identification. The idea behind this was mainly (as I understood) that it would give a significant threshold to the person requesting to get unblocked, but it would also ensure it would only happen once. Of course this physical letter with a promise to never do it again would not be legally enforced in the end. If you get caught once again after that, there will be no extra options any more to get unblocked.
So let it at least be clear that there is no obligation whatsoever to send your identity to someone. It is the main route to get unblocked after an infinite block for sockpuppet abuse. From what I can tell, it is quite clear that the letter and identification goes to an individual. The individual usually taking care of this (but it could be any trusted user) is a former board member of Wikimedia Nederland, but currently holds no position. He is active on OTRS too, but it was explicitely chosen to make this a snail mail process.
Just to state it once again: I do not intend to take *any* position on this, but rather to explain the facts as I understand them.
With kind regards, Lodewijk
2011/7/9 Federico Leva (Nemo) nemowiki@gmail.com
David Gerard, 09/07/2011 12:46:
On 9 July 2011 11:02, Béria Limaberialima@gmail.com wrote:
The WMF is not responsible for private mails you send to anyone. The
only
people who "officialy" can receive a copy of any ID you may have are Philippehttp://meta.wikimedia.org/wiki/User:Philippe_%28WMF%29, Christinehttp://meta.wikimedia.org/wiki/User:Christine_%28WMF%29or Meganhttp://meta.wikimedia.org/wiki/User:Mhernandez. If you send a
copy
of your ID to anyone else is not WMF problem.
I do think it is absolutely a problem when people on a WMF-hosted wiki are using an unofficial mechanism to demand copies of people's passports.
While Beria is technically right (probably), I agree with David.
Gerard Meijssen, 09/07/2011 10:06:
If you do not trust the person involved, you are crazy to send him a
copy of
your passport. This is a common sense. This policy as it obviously
works..
what is really your issue ?
Do we really need a theoretical approach that only can bring us less functionality ? I do not think so.
Gerard is right as well. This system makes sense and could work as an extension of those occasions when a trusted user says "oh, but I met both User:Whatever and User:AllegedSockpuppet in person at that wikimeetup, I grant you they really exist!", but probably there shouldn't be any "official" page, policy or guideline suggesting people to send private data like Huib described.
Nemo
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
Gerard Meijssen, 09/07/2011 10:06:
If you do not trust the person involved, you are crazy to send him a
copy of
your passport. This is a common sense. This policy as it obviously
works..
what is really your issue ?
Do we really need a theoretical approach that only can bring us less functionality ? I do not think so.
Like what David pointed out, it may be more of a problem when it is not clearly stated that the person receiving the letter is not a WMF staff or officially authorised personnel. People *may *think that they are dealing with official personnel but when they find out that they aren't, it may cause dispute. But anyway there isn't much information in this thread to tell.
Best, [[User:Bencmq]] / Benjamin Chen
Hello,
Is mentioned in a offiical policy on the Dutch Wikipedia here: http://nl.wikipedia.org/wiki/Wikipedia:Sokpopmisbruik
2011/7/10, Benjamin Chen cnchenminqi@gmail.com:
Gerard Meijssen, 09/07/2011 10:06:
If you do not trust the person involved, you are crazy to send him a
copy of
your passport. This is a common sense. This policy as it obviously
works..
what is really your issue ?
Do we really need a theoretical approach that only can bring us less functionality ? I do not think so.
Like what David pointed out, it may be more of a problem when it is not clearly stated that the person receiving the letter is not a WMF staff or officially authorised personnel. People *may *think that they are dealing with official personnel but when they find out that they aren't, it may cause dispute. But anyway there isn't much information in this thread to tell.
Best, [[User:Bencmq]] / Benjamin Chen _______________________________________________ foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
On 10 July 2011 10:55, Huib Laurens sterkebak@gmail.com wrote:
Is mentioned in a offiical policy on the Dutch Wikipedia here: http://nl.wikipedia.org/wiki/Wikipedia:Sokpopmisbruik
The relevant paragraph appears to be http://nl.wikipedia.org/wiki/Wikipedia:Sokpop#Ontsnappingsclausule
The Google translation is "In order to be unblocked, the person behind the corresponding IP address is a letter (paper) to a community trust staff."
Does it actually mean "staff" in Dutch? Does it imply *in any way* that the person to contact is officially sanctioned to deal with private information?
http://nl.wikipedia.org/wiki/Wikipedia:Blokkeringsmeldingen#Ontsnappingsclau...
The Google translation for this one appears to quite definitely be trying to imply official status. Does it carry such implications in the original Dutch?
It doesn't matter if Huib was blocked for good reason. This still looks very like a privacy disaster in the making, and the Foundation, and particularly the staff relating to privacy concerns, need to look into it very closely.
- d.
Medewerker can mean staff - but literally it just means "cooperator", and it is generally used for anyone editing the encyclopedia on a regular basis. (ie. active community members). It is however open for misinterpretation.
Just to be clear: the alternative situation was, and would probably be, that people who currently can choose to use this clause, would simply be blocked forever without a way of getting unblocked.
Still not taking any stand or opinion,
Lodewijk
2011/7/10 David Gerard dgerard@gmail.com
On 10 July 2011 10:55, Huib Laurens sterkebak@gmail.com wrote:
Is mentioned in a offiical policy on the Dutch Wikipedia here: http://nl.wikipedia.org/wiki/Wikipedia:Sokpopmisbruik
The relevant paragraph appears to be http://nl.wikipedia.org/wiki/Wikipedia:Sokpop#Ontsnappingsclausule
The Google translation is "In order to be unblocked, the person behind the corresponding IP address is a letter (paper) to a community trust staff."
Does it actually mean "staff" in Dutch? Does it imply *in any way* that the person to contact is officially sanctioned to deal with private information?
http://nl.wikipedia.org/wiki/Wikipedia:Blokkeringsmeldingen#Ontsnappingsclau...
The Google translation for this one appears to quite definitely be trying to imply official status. Does it carry such implications in the original Dutch?
It doesn't matter if Huib was blocked for good reason. This still looks very like a privacy disaster in the making, and the Foundation, and particularly the staff relating to privacy concerns, need to look into it very closely.
- d.
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
Just to be clear: the alternative situation was, and would probably be, that people who currently can choose to use this clause, would simply be blocked forever without a way of getting unblocked.
That's the approach most projects take... and anyway copies of identity documents don't prove very much at all.
Tom
On 10 July 2011 11:50, Thomas Morton morton.thomas@googlemail.com wrote:
Just to be clear: the alternative situation was, and would probably be, that people who currently can choose to use this clause, would simply be blocked forever without a way of getting unblocked.
That's the approach most projects take... and anyway copies of identity documents don't prove very much at all.
Particularly not photographs or scans. These are comically trivial to create these days.
- d.
Do they have notaries in the Netherlands? Why not simply ask them to mail a notarized statement that "I am Foo at such an address and request an ublock so I may edit as Bar"? I still am not sure if this is something I would completely endorse, but at least it would be meaningful and not so easily forged.
BirgitteSB
On Jul 10, 2011, at 5:46 AM, Lodewijk lodewijk@effeietsanders.org wrote:
Medewerker can mean staff - but literally it just means "cooperator", and it is generally used for anyone editing the encyclopedia on a regular basis. (ie. active community members). It is however open for misinterpretation.
Just to be clear: the alternative situation was, and would probably be, that people who currently can choose to use this clause, would simply be blocked forever without a way of getting unblocked.
Still not taking any stand or opinion,
Lodewijk
2011/7/10 David Gerard dgerard@gmail.com
On 10 July 2011 10:55, Huib Laurens sterkebak@gmail.com wrote:
Is mentioned in a offiical policy on the Dutch Wikipedia here: http://nl.wikipedia.org/wiki/Wikipedia:Sokpopmisbruik
The relevant paragraph appears to be http://nl.wikipedia.org/wiki/Wikipedia:Sokpop#Ontsnappingsclausule
The Google translation is "In order to be unblocked, the person behind the corresponding IP address is a letter (paper) to a community trust staff."
Does it actually mean "staff" in Dutch? Does it imply *in any way* that the person to contact is officially sanctioned to deal with private information?
http://nl.wikipedia.org/wiki/Wikipedia:Blokkeringsmeldingen#Ontsnappingsclau...
The Google translation for this one appears to quite definitely be trying to imply official status. Does it carry such implications in the original Dutch?
It doesn't matter if Huib was blocked for good reason. This still looks very like a privacy disaster in the making, and the Foundation, and particularly the staff relating to privacy concerns, need to look into it very closely.
- d.
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
On 10 July 2011 18:08, Birgitte_sb@yahoo.com wrote:
Do they have notaries in the Netherlands? Why not simply ask them to mail a notarized statement that "I am Foo at such an address and request an ublock so I may edit as Bar"? I still am not sure if this is something I would completely endorse, but at least it would be meaningful and not so easily forged.
Notaries usually charge for that kind of thing. It's not usually much, but it's substantially more than the cost of a stamp, which is all the current policy costs.
The next question becomes....and what does this "trusted person" do with the information? If it is destroyed promptly, then there's really not much point; if it is retained, I'd like to see how this meets local and EU privacy policies.
I agree pretty much entirely with David Gerard on this one; I'm not seeing an upside to this practice, and a huge number of downsides. Strongly encourage the project to revisit this.
Risker/Anne
On 10 July 2011 13:08, Birgitte_sb@yahoo.com wrote:
Do they have notaries in the Netherlands? Why not simply ask them to mail a notarized statement that "I am Foo at such an address and request an ublock so I may edit as Bar"? I still am not sure if this is something I would completely endorse, but at least it would be meaningful and not so easily forged.
BirgitteSB
On Jul 10, 2011, at 5:46 AM, Lodewijk lodewijk@effeietsanders.org wrote:
Medewerker can mean staff - but literally it just means "cooperator", and
it
is generally used for anyone editing the encyclopedia on a regular basis. (ie. active community members). It is however open for misinterpretation.
Just to be clear: the alternative situation was, and would probably be,
that
people who currently can choose to use this clause, would simply be
blocked
forever without a way of getting unblocked.
Still not taking any stand or opinion,
Lodewijk
2011/7/10 David Gerard dgerard@gmail.com
On 10 July 2011 10:55, Huib Laurens sterkebak@gmail.com wrote:
Is mentioned in a offiical policy on the Dutch Wikipedia here: http://nl.wikipedia.org/wiki/Wikipedia:Sokpopmisbruik
The relevant paragraph appears to be http://nl.wikipedia.org/wiki/Wikipedia:Sokpop#Ontsnappingsclausule
The Google translation is "In order to be unblocked, the person behind the corresponding IP address is a letter (paper) to a community trust staff."
Does it actually mean "staff" in Dutch? Does it imply *in any way* that the person to contact is officially sanctioned to deal with private information?
http://nl.wikipedia.org/wiki/Wikipedia:Blokkeringsmeldingen#Ontsnappingsclau...
The Google translation for this one appears to quite definitely be trying to imply official status. Does it carry such implications in the original Dutch?
It doesn't matter if Huib was blocked for good reason. This still looks very like a privacy disaster in the making, and the Foundation, and particularly the staff relating to privacy concerns, need to look into it very closely.
- d.
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
On Sun, Jul 10, 2011 at 19:18, Risker risker.wp@gmail.com wrote:
The next question becomes....and what does this "trusted person" do with the information? If it is destroyed promptly, then there's really not much point; if it is retained, I'd like to see how this meets local and EU privacy policies.
Well I don't know about your EU but in ours we have a method called "collecting private data by agreement for a given purpose" and it is completely legal. If I say to you that you have to provide this and that private data if you want me to do this and that and I will collect your private data for that very purpose, and you agree, then I am legally allowed to collect and handle it. You have the right to disagree and leave the agreement and not to use the given service.
My 2 'cents. Peter
On 10 July 2011 21:28, Peter Gervai grinapo@gmail.com wrote:
Well I don't know about your EU but in ours we have a method called "collecting private data by agreement for a given purpose" and it is completely legal. If I say to you that you have to provide this and that private data if you want me to do this and that and I will collect your private data for that very purpose, and you agree, then I am legally allowed to collect and handle it. You have the right to disagree and leave the agreement and not to use the given service.
We're not saying it's illegal. We're saying it's grossly unfit for Wikimedia and laughs at the privacy policy.
However, you say that pointing out that something ridiculously bad is ridiculously bad is "impolite". So I guess that makes it all okay then.
- d.
On Sun, Jul 10, 2011 at 22:53, David Gerard dgerard@gmail.com wrote:
On 10 July 2011 21:28, Peter Gervai grinapo@gmail.com wrote:
We're not saying it's illegal.
He just said that. I did not reply to your statements. :-)
We're saying it's grossly unfit for Wikimedia and laughs at the privacy policy.
Possibly, and you seem quite cautious forming opinion in strong words. Others, however, seemed to start by calling the firing squad.
The current privacy policy is a good one, which doesn't mean that the dutch method originated in Satan's will. Identity verification and desockpuppetisation :-) seems to be a logical pairing to me, even if I find it a bit extreme, too. Seem to work though. And if the details of the handling of private data is well outlined and confined it could be a good thing to have.
However, you say that pointing out that something ridiculously bad is ridiculously bad is "impolite". So I guess that makes it all okay then.
Not really what I said. I intended to say that calling something "ridiculously bad" without examining all the backgrounds and the way it's used and its effectiveness and its real life problems (if there ever has any) is impolite. It's like calling someone "stupid" without trying to understand his reasoning.
I do not find it "ridiculously bad", for example, but that is strictly my opinion.
g
Seem to work though.
Does it? Where is the evidence for this? I'm not being hasty in forming a firm judgement here - other than to say it doesn't, on the face of it, seem like a good idea for a project to be doing this.
And if the details of the handling of private data is well outlined and
confined it could be a good thing to have.
Indeed, if. But again, no word or evidence of such things so far.
I do think this is a serious problem that needs investigating:
- The argument that this is essentially an optional function is not really appealing, and is easily said by those who are not blocked. Saying "if you want to edit send a stranger your identity" does not sit comfortably with me. (this is just my personal view, but I include it for completeness)
- Saying this is disconnected from Wikipedia/the Foundation is a red herring - it is organised via the website, so for any user utilising this service it looks to some extent "official". The Foundation have a reasonable duty of care to its users and at this point they are not able to properly audit or oversight the handling of personal details.
- The whole idea is a "false flag" anyway because identity is beyond trivial to fake. So, it is not about identity, but about some slightly high barrier of action for an individual to take - the idea being it filters out the more casual bad guys. In which case; a more suitable alternative to identity could be used. Perhaps a hand written letter asking for an unblock? That seems much better system.
- EU data protection laws *explicitly* apply to the handling of personal data by private individuals. And as an enabling medium Dutch Wikipedia could easily also be considered a controller within the scope of the law (they are intentionally very broad). This means if the data does end up being misused then it will be a major blow; hence it seems sensible to require some investigation of this process. -- As an addendum to that the process described on the Dutch Wikipedia at the very least need to comply with EU directives. For example the person processing the data must reveal his name and address (I realise that is likely to happen, but I see no clarity on the matter and no oversight to ensure this occurs) and the details of *precisely* what will be done with the data need to be published (and kept to) -- We need to establish (prefferably with a lawyer) to what extent this process is considered necessary or relevant; because if it is one or neither then it is non-compliant.
There is also an extended risk here; something simple like an admin unblocks the account of "Bram van Rijn" and, when unblocking him, says "There you go Bram, enjoy editing!". Something simple and innocent is now non-compliant.
For that reason people handling identity in a capacity relating to Wikipedia, even semi-officially, need to be well vetted.
I have argued this before several times in relation to other such things on English Wikipedia, and I realise my view may be stronger than the majorities. But in this case it appears not even a cursory check is being undertaken.
Tom
I would personally recomend you people to send your questions to RonaldBhttp://nl.wikipedia.org/wiki/Gebruiker:RonaldB(the *one and only* person who receive those datas)
I'm not dutch, but that system is in place since Jully 2007http://nl.wikipedia.org/w/index.php?title=Wikipedia:Sokpop&diff=next&oldid=8590452, and Huib is the first one to complain about it - a 4 years working system with only 1 complain seems to be just fine to me. _____ *Béria Lima* http://wikimedia.pt/(351) 925 171 484
*Imagine um mundo onde é dada a qualquer pessoa a possibilidade de ter livre acesso ao somatório de todo o conhecimento humano. É isso o que estamos a fazer http://wikimediafoundation.org/wiki/Nossos_projetos.*
2011/7/10 Thomas Morton morton.thomas@googlemail.com
Seem to work though.
Does it? Where is the evidence for this? I'm not being hasty in forming a firm judgement here - other than to say it doesn't, on the face of it, seem like a good idea for a project to be doing this.
And if the details of the handling of private data is well outlined and
confined it could be a good thing to have.
Indeed, if. But again, no word or evidence of such things so far.
I do think this is a serious problem that needs investigating:
- The argument that this is essentially an optional function is not really
appealing, and is easily said by those who are not blocked. Saying "if you want to edit send a stranger your identity" does not sit comfortably with me. (this is just my personal view, but I include it for completeness)
- Saying this is disconnected from Wikipedia/the Foundation is a red
herring
- it is organised via the website, so for any user utilising this service
it looks to some extent "official". The Foundation have a reasonable duty of care to its users and at this point they are not able to properly audit or oversight the handling of personal details.
- The whole idea is a "false flag" anyway because identity is beyond
trivial to fake. So, it is not about identity, but about some slightly high barrier of action for an individual to take - the idea being it filters out the more casual bad guys. In which case; a more suitable alternative to identity could be used. Perhaps a hand written letter asking for an unblock? That seems much better system.
- EU data protection laws *explicitly* apply to the handling of personal
data by private individuals. And as an enabling medium Dutch Wikipedia could easily also be considered a controller within the scope of the law (they are intentionally very broad). This means if the data does end up being misused then it will be a major blow; hence it seems sensible to require some investigation of this process. -- As an addendum to that the process described on the Dutch Wikipedia at the very least need to comply with EU directives. For example the person processing the data must reveal his name and address (I realise that is likely to happen, but I see no clarity on the matter and no oversight to ensure this occurs) and the details of *precisely* what will be done with the data need to be published (and kept to) -- We need to establish (prefferably with a lawyer) to what extent this process is considered necessary or relevant; because if it is one or neither then it is non-compliant.
There is also an extended risk here; something simple like an admin unblocks the account of "Bram van Rijn" and, when unblocking him, says "There you go Bram, enjoy editing!". Something simple and innocent is now non-compliant.
For that reason people handling identity in a capacity relating to Wikipedia, even semi-officially, need to be well vetted.
I have argued this before several times in relation to other such things on English Wikipedia, and I realise my view may be stronger than the majorities. But in this case it appears not even a cursory check is being undertaken.
Tom _______________________________________________ foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
On 10 July 2011 16:28, Peter Gervai grinapo@gmail.com wrote:
On Sun, Jul 10, 2011 at 19:18, Risker risker.wp@gmail.com wrote:
The next question becomes....and what does this "trusted person" do with
the
information? If it is destroyed promptly, then there's really not much point; if it is retained, I'd like to see how this meets local and EU privacy policies.
Well I don't know about your EU but in ours we have a method called "collecting private data by agreement for a given purpose" and it is completely legal. If I say to you that you have to provide this and that private data if you want me to do this and that and I will collect your private data for that very purpose, and you agree, then I am legally allowed to collect and handle it. You have the right to disagree and leave the agreement and not to use the given service.
I'm thinking more of whether or not it is retained, and precisely how it is retained. Is it kept in a locked box somewhere? Sitting on someone's desk? Accessible to other individuals?
Of course, there's no guarantee that the personal information submitted actually belongs to the person whose account is blocked, either.
It seems an awfully complex process fraught with multiple opportunities for problems. Frankly, I cannot understand why the presentation of personal identification documents changes anything with respect to the manner in which this user will interact with the community.
Risker/Anne
On Sun, Jul 10, 2011 at 23:10, Risker risker.wp@gmail.com wrote:
I'm thinking more of whether or not it is retained, and precisely how it is retained. Is it kept in a locked box somewhere? Sitting on someone's desk? Accessible to other individuals?
Which is clearly the good way to ask the questions. It's how the process works, why this way, how is it effective? How the data handled, secured, used and destroyed? And what are the experiences, how effective it was, what problems it caused (apart from trolls coming to and fro complaining)?
I do not know, I ain't no dutch, and haven't been banned so far. ;-) I'm an outsider.
g
Are you calling me a troll now?
2011/7/10 Peter Gervai grinapo@gmail.com
On Sun, Jul 10, 2011 at 23:10, Risker risker.wp@gmail.com wrote:
I'm thinking more of whether or not it is retained, and precisely how it
is
retained. Is it kept in a locked box somewhere? Sitting on someone's
desk?
Accessible to other individuals?
Which is clearly the good way to ask the questions. It's how the process works, why this way, how is it effective? How the data handled, secured, used and destroyed? And what are the experiences, how effective it was, what problems it caused (apart from trolls coming to and fro complaining)?
I do not know, I ain't no dutch, and haven't been banned so far. ;-) I'm an outsider.
g
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
This a serious and urgent problem; and the foundation need to look into it quickly.
In no circumstances should Wikipedia users be receiving copies of other people's identity documents - it is a privacy nightmare!
Tom
On 10 July 2011 11:03, David Gerard dgerard@gmail.com wrote:
On 10 July 2011 10:55, Huib Laurens sterkebak@gmail.com wrote:
Is mentioned in a offiical policy on the Dutch Wikipedia here: http://nl.wikipedia.org/wiki/Wikipedia:Sokpopmisbruik
The relevant paragraph appears to be http://nl.wikipedia.org/wiki/Wikipedia:Sokpop#Ontsnappingsclausule
The Google translation is "In order to be unblocked, the person behind the corresponding IP address is a letter (paper) to a community trust staff."
Does it actually mean "staff" in Dutch? Does it imply *in any way* that the person to contact is officially sanctioned to deal with private information?
http://nl.wikipedia.org/wiki/Wikipedia:Blokkeringsmeldingen#Ontsnappingsclau...
The Google translation for this one appears to quite definitely be trying to imply official status. Does it carry such implications in the original Dutch?
It doesn't matter if Huib was blocked for good reason. This still looks very like a privacy disaster in the making, and the Foundation, and particularly the staff relating to privacy concerns, need to look into it very closely.
- d.
foundation-l mailing list foundation-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
On Sun, Jul 10, 2011 at 12:46, Thomas Morton morton.thomas@googlemail.com wrote:
This a serious and urgent problem; and the foundation need to look into it quickly.
In no circumstances should Wikipedia users be receiving copies of other people's identity documents - it is a privacy nightmare!
It is always pretty easy to form a strong opinion as an outsider about an external community and without examining the background.
I belive that established, viable and useful methods have to be examined very thoughtfully and thoroughly before anyone form an opinion, ESPECIALLY when this someone is not involved in the said project. It is not just wise but a polite way to go.
Peter
On Sun, Jul 10, 2011 at 12:03 PM, David Gerard dgerard@gmail.com wrote:
The relevant paragraph appears to be http://nl.wikipedia.org/wiki/Wikipedia:Sokpop#Ontsnappingsclausule
The Google translation is "In order to be unblocked, the person behind the corresponding IP address is a letter (paper) to a community trust staff."
Does it actually mean "staff" in Dutch? Does it imply *in any way* that the person to contact is officially sanctioned to deal with private information?
The Dutch word is "medewerker" which most closely translates to "coworker", it does not have official connotations.
http://nl.wikipedia.org/wiki/Wikipedia:Blokkeringsmeldingen#Ontsnappingsclau...
The Google translation for this one appears to quite definitely be trying to imply official status. Does it carry such implications in the original Dutch?
I don't think so, but to be sure I would want to know from which wording you are drawing these implications.
It doesn't matter if Huib was blocked for good reason. This still looks very like a privacy disaster in the making, and the Foundation, and particularly the staff relating to privacy concerns, need to look into it very closely.
I do think it's a bad policy - apart from the privacy concerns I see no good reason for it either. It's not like it's easier to check whether someone is using a sock puppet when we know who they are (that's a part of the policy that I DO agree with: that when someone who has abused sock puppets is allowed re-entry in the project, they may not use sock puppets any more even non-abusively).
On 10 July 2011 11:48, Andre Engels andreengels@gmail.com wrote:
On Sun, Jul 10, 2011 at 12:03 PM, David Gerard dgerard@gmail.com wrote:
http://nl.wikipedia.org/wiki/Wikipedia:Blokkeringsmeldingen#Ontsnappingsclau... The Google translation for this one appears to quite definitely be trying to imply official status. Does it carry such implications in the original Dutch?
I don't think so, but to be sure I would want to know from which wording you are drawing these implications.
I was reluctant to given the translation doesn't look very high-quality, and nuance and implications are the issue, which is why I was asking Dutch speakers what it actually meant.
The machine translation is:
"In order to be unblocked, it (and) the person (s) behind the IP address are sent a letter (paper) to a community by the trusted employee . This can be done via the mail function on the left under "Tools" from his talk page will be mailed and provide a mailing address. In that letter they have their identity make this under construction with a (copy of) a valid identity card, promising to henceforth in one account will work out which user that will be (or another choice) and a working email address specify . Assign to block that user on that provision, blocking the function of the email account originally created not count. This clause does not apply to logged vandals who continue with their activities through sokpopperij."
Evidently "employee" is incorrect here. The original Dutch reads:
"Om gedeblokkeerd te worden, moet(en) degene(n) die achter het betreffende IP adres zitten een brief sturen (papier) naar een door de gemeenschap vertrouwde medewerker. Deze kan via de emailfunctie links in het kader "hulpmiddelen" van zijn overlegpagina gemaild worden en zal dan een postadres verstrekken. In die brief moeten zij hun identiteit kenbaar maken, dit onderbouwen met een (kopie van een) geldig identiteitsbewijs, beloven om voortaan onder één account te zullen werken, aangeven met welke gebruikersnaam dat zal zijn (of een nieuwe kiezen) en een werkend emailadres opgeven. Wijs bij het blokkeren de betreffende gebruiker op deze clausule en blokkeer de emailfunctie van de oorspronkelijk aangemaakte account niet mee. Deze clausule geldt uiteraard niet voor ingelogde vandalen die doorgaan via sokpopperij met hun activiteiten."
Could someone please supply a translation into English which is nuance-accurate, if that's possible?
- d.
On 10 July 2011 13:20, David Gerard dgerard@gmail.com wrote:
I was reluctant to given the translation doesn't look very
high-quality, and nuance and implications are the issue, which is why I was asking Dutch speakers what it actually meant.
The original Dutch reads:
"Om gedeblokkeerd te worden, moet(en) degene(n) die achter het betreffende IP adres zitten een brief sturen (papier) naar een door de gemeenschap vertrouwde medewerker. Deze kan via de emailfunctie links in het kader "hulpmiddelen" van zijn overlegpagina gemaild worden en zal dan een postadres verstrekken. In die brief moeten zij hun identiteit kenbaar maken, dit onderbouwen met een (kopie van een) geldig identiteitsbewijs, beloven om voortaan onder één account te zullen werken, aangeven met welke gebruikersnaam dat zal zijn (of een nieuwe kiezen) en een werkend emailadres opgeven. Wijs bij het blokkeren de betreffende gebruiker op deze clausule en blokkeer de emailfunctie van de oorspronkelijk aangemaakte account niet mee. Deze clausule geldt uiteraard niet voor ingelogde vandalen die doorgaan via sokpopperij met hun activiteiten."
Roughly:
In order to be unblocked, the person(s) behind the IP address need to send a (paper) letter to a collaborator *(i.e. someone who works on/for Wikipedia, open for interpretation) *trusted by the community. That person can be reached via the email function in the "toolbox" box on the left; he/she will then give* (the blocked person) *a postal mail address.
In the letter they *(i.e. the people behind the IP address) *will have to reveal their identity, offer proof of their identity with a (copy of a) valid identity document, promise to henceforth work using just one account, indicate which account they choose (or choose a new account), and give a working email address.
Point out this clause to the *(blocked) *user and do not block the original account's email function. This clause is obviously not applicable for logged in vandals who continue their activity via sock puppetry.
Michel
I'm struggling to see the point of this policy. At first, I assumed it was a way of proving an account isn't a sockpuppet (each sends a copy of their passport, thus proving there are two real people involved - not particularly conclusive proof, given how easy it is to get hold of a scan of someone else's passport, though).
Now, it seems it's just supposed to be an arbitrary hoop to jump through to weed out people that are just in it for a laugh and don't care enough to go to the trouble of sending a letter. I really don't think it is appropriate to request such sensitive personal information for such a reason.
If this policy is going to continue, then the Dutch community need to work with the WMF to ensure it is done in keeping with the privacy policy. I don't think the current wording of the policy makes it clear that it is outside the privacy policy and I also don't think an individual project should be allowed to unilaterally decide that the privacy policy doesn't apply, even if the affected people consent to it (especially if they are required to consent to it in order to edit the project).
Well I guess that people get blocked by good reasons and along with policies, and they would stay blocked. No need to send anything to anyone, they stay blocked, everything's normal.
If someone want to have an extreme exception and want to show a good reason to be extremely exeptionaly handled s/he can choose this extremely exceptional way to have this _infinite_ block nevertheless removed. The whole process is exceptional and happens by the choice of the given person, I do not see any urge or need to use it. I'm sure that if the block was not justified it can be removed by normal process, right?
g
Robin McCain, 10/07/2011 07:43:
If I might interject, it seems that the sole purpose of the snail mail described is to link a physical person to a login name in such a way that there is some accountability for one's actions that is acceptable to the organization. Is it really necessary to copy an identity document? Could a document with a notary seal accomplish much the same purpose without the need for a copy (and thus avoid possible legal issues arising from making such a copy)?
We had similar identity concerns when CAcerthttp://www.cacert.org/ became intercontinental - originally one had to go through a somewhat complicated process with two notarys, etc. to gain certain trust levels, but as the project grew and the founders began to travel all over the world it became possible to meet in person with an "Assurer" and present one's identity documents (which were NOT copied) and thus gain points towards becoming a trusted person to the certification authority (ie. able to generate server keys chained to the CAcert organization's root keys, etc.).
In our case it would be enough to take part in a wikimeetup (let's do more of them!). :-D Or to join a chapter (why haven't you yet?!). (Just kidding.)
Nemo
wikimedia-l@lists.wikimedia.org