Hi!
For my part, I don't think the WMF *should* have any power over privacy policy. The end users should have that power. If they want to browse anonymously, there are plenty of tools out there to do that. If they just want to stop giving referer information, there are plenty of tools for that too.
Yay, let's just give away all logs to the public, everyone will be happy, and the ones concerned about privacy will be able to use Tor. Or some anonymous proxy . Why should WMF have power over that? Because the potential target for the privacy violation attacks is the one who doesn't know about the possibility.
Anyway, this is wrong place to discuss privacy policy. I just mention that there're technical issues where we'd fail to comply with it.
Reducing costs and improving user experience are fairly synonymous. If you can cut costs, then you can either spend the extra money improving user experience or you can have fewer or less obnoxious fundraising drives.
Of course, instead of buying a luxury car, you can buy two cheaper ones and drive both at the same time ;-) Now there're bits of experience, which are not completely synonymous with reduced costs. That means being more up than down, getting higher quality images, faster response times, etc. Every decision like that has a cost. I guess we should hire some consultants to do cost/benefit analysis for us, then we could give that to board to decide on. ;-)