Forwarding to Wikitech-l for the benefit of Wikitech-l subscribers who do
not subscribe to Wikimedia-l.
Pine
(
https://meta.wikimedia.org/wiki/User:Pine )
---------- Forwarded message ----------
From: Gregory Varnum <gvarnum(a)wikimedia.org>
Date: Fri, Mar 16, 2018 at 6:57 PM
Subject: [Wikimedia-l] Notification about problem identified with a recent
CentralNotice banner
To: Wikimedia Mailing List <wikimedia-l(a)lists.wikimedia.org>
On 14 March and 15 March 2018, a CentralNotice banner appeared to some
logged-out users viewing English Wikipedia pages. The banner contained
JavaScript hosted by Facebook, which allowed Facebook to collect traffic
data from those who visited a page with a banner. The banner was prepared
by the Wikimedia Foundation. The Foundation turned the banner off as soon
as we learned how the script was running, and its potential scope. We have
also removed all references to the code in question from CentralNotice on
Meta-Wiki.
The code utilized in this banner was based on an unused prototype created
by an outside vendor. Because the prototype was never enabled, the vendor’s
prototype code was not subjected to our standard quality assurance process.
However, we made the mistake of reusing the code for a different purpose,
and implementing it based on recommendations in documentation from Twitter
and Facebook to improve the appearance of shared links. At the time, our
understanding was that the platforms would only receive traffic data if the
user clicked on the link. Although this was true for Twitter, the Facebook
code operated differently.
We discovered the problematic link configurations during our ongoing
monitoring of live banners. The recommended code enhanced not only the
appearance of links, it also enhanced Facebook's ability to collect
information on people visiting non-Facebook sites. As soon as we realized
these banners were sharing information without even having to click the
link, we disabled them and began an investigation. Staff in multiple
departments are collaboratively reviewing the incident as well as
procedural and technical improvements to prevent future incidents.
While this sort of tracking is commonplace today across most of the
internet, it is not consistent with our policies. We are disappointed that
this type of hidden data collection is routinely recommended by major
platforms, without clearer disclosure.
These practices are why we all must regularly take routine steps to
maintain a secure computer and account. As the Wikimedia Foundation
continues to explore ways we can do that within Wikimedia's platform, we
encourage you to consider tools which block unwanted third-party scripts
like the one provided by Facebook.
We apologize for sending this late on a Friday (San Francisco time).
However, we wanted to provide this information as quickly as possible.
_______________________________________________
Wikimedia-l mailing list, guidelines at:
https://meta.wikimedia.org/
wiki/Mailing_lists/Guidelines and
https://meta.wikimedia.org/
wiki/Wikimedia-l
New messages to: Wikimedia-l(a)lists.wikimedia.org
Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe>