I've been digging around in our cookie jar, as part of my work with Fundraising, and I have a few questions about the cookies we set on anonymous users.
First, I am deeply impressed with the care we have taken to respond to the community's privacy concerns, and after first-hand experience negotiating with our lawyers to implement an additional cookie, I think that WMF deserves its place as a model to the rest of the internet. I would like to help clean up or at least explain the few oversights I identify below, so that we can be fully confident that we are doing everything we can to prevent abuse of our visitors' privacy.
1) Anonymous users are given a 1-year cookie which uniquely identifies them. After logging out and clearing all cookies from my browser, I visited en.wikipedia.org and received this cookie. Why would an anonymous user be given an identifying token?
mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org
2) Anonymous users are enrolled in clicktracking. I was surprised because the extension page at http://www.mediawiki.org/wiki/Extension:ClickTracking specifies that it affects "users", and I think it should very explicitly state that it affects "logged-in users and anonymous visitors" if that is really the intention.
clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org
3) Registered user's cookies are not cleared at logout. This seems like a pretty basic fix.
enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly
Ideally, an anonymous user, whether or not they have ever been logged in as a registered user, will not transmit any personally identifying information in their requests. All three of these cookies violate that principle. I have not found any public debate on the issue; hopefully others are interested in this topic.
Regards, Adam Wight
1) This I have no idea about, but it's definitely not in the core, because my test wiki doesn't set this cookie. It has to be an extension.
2) "users" does not imply "logged-in users". The extension page says it tracks users' clicks, which is accurate as that is exactly what it does. If it meant to say only logged in users, it would have said that. However, it may be wise for a functionality to be introduced in that extension that does actually restrict clicktracking to only logged in users if configured that way. On the other hand, this isn't a privacy issue since it does not associate the user's tracking with their identity in any way (even when logged in, the clicktracking session is separate from their actual session).
3) That is done on purpose. It's a convenience feature. Notice how when you logout and then go back to the login page that your username is already filled in for you. AFAIK, it isn't used in any way by MediaWiki to identify the user.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2015, Major in Computer Science, www.whizkidztech.com | tylerromeo@gmail.com
On Tue, Dec 18, 2012 at 1:57 PM, Adam Wight awight@wikimedia.org wrote:
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On 12/18/2012 03:28 PM, Tyler Romeo wrote:
> - This I have no idea about, but it's definitely not in the core, because my test wiki doesn't set this cookie. It has to be an extension.
Merely calling the mediaWiki.user.id() JavaScript function, which was introduced into core MediaWiki in https://www.mediawiki.org/wiki/Special:Code/MediaWiki/78539 , sets the one-year cookie. Nothing in core MW (except for the corresponding QUnit test) actually uses the function.
However, the following code in extensions/E3Experiments/experiments/openTask.js does call that function. I can confirm this code is executed merely by loading Wikipedia's Main Page.
    // FIXME for anons, calling mw.user.id() simply ensures the
    // "mediaWiki.user.id" cookie is set, if it isn't already.
    if ( !$.cookie( 'mediaWiki.user.id' ) ) {
        if ( mw.user.id() === mw.user.getName() ) {
            $.cookie( 'mediaWiki.user.id', generateId(), { expires: 365, path: '/' } );
        }
    }
> - That is done on purpose. It's a convenience feature. Notice how when you logout and then go back to the login page that your username is already filled in for you. AFAIK, it isn't used in any way by MediaWiki to identify the user.
Even if you do not check "Remember my login on this browser", the username is saved for 180 days (which, by the way, is four times the duration set out in the WMF privacy policy). As far as I can tell, this "feature" has existed at least since the phase3 reorg in 2003, if not before then.
Dario attempted to respond but mailman is bouncing his message. Posting on his behalf.
From: Dario Taraborelli dtaraborelli@wikimedia.org
Subject: Re: [Wikitech-l] Anonymous user id on wikipedia?
Date: December 18, 2012 2:09:56 PM PST
To: Wikimedia developers wikitech-l@lists.wikimedia.org
To further clarify the use of this randomly assigned token, we use mediawiki.user.id to count client events that occur as part of a given funnel. For example: we count impressions, button clicks or submit events to measure whether an experimental version of a feature has a higher conversion rate than the default version. We rely on tokens to be able to deduplicate event counts and make sure that when users reload a form multiple times this doesn't affect conversion measurements. These measurements are being used to optimize feature design and to assess the impact of small experiments run by the Foundation's editor engagement teams.
As Kevin notes, the cookie is set by the mw.user.id() function – which you can call and test in your browser's JS console – and it persists across browser sessions. The function is currently called by a number of extensions that need to set a token and assign users to a bucket or test condition as part of testing.
Dario
-- Ori Livneh
On Tuesday, December 18, 2012 at 1:41 PM, Kevin Israel wrote:
-- Wikipedia user PleaseStand http://en.wikipedia.org/wiki/User:PleaseStand
On Tue, Dec 18, 2012 at 5:41 PM, Kevin Israel pleasestand@live.com wrote:
> Even if you do not check "Remember my login on this browser", the username is saved for 180 days (which, by the way, is four times the duration set out in the WMF privacy policy). As far as I can tell, this "feature" has existed at least since the phase3 reorg in 2003, if not before then.
Not really. The cookie expiration was bumped to 180 days back in August of 2011. Before that we had a shorter expiry. See https://www.mediawiki.org/wiki/Special:Code/MediaWiki/94430 . Given that the user has to agree to the remember me function, I do not feel this is a privacy concern.
> Ideally, an anonymous user, whether or not they have ever been logged in as a registered user, will not transmit any personally identifying information in their requests.
I'm not sure, but I thought I heard somewhere that we give logged out users cookies to ensure that some local caching is invalidated.
-bawolff
> I'm not sure, but I thought I heard somewhere that we give logged out users cookies to ensure that some local caching is invalidated.
This is true. I believe it has to do with Squid and how it uses cookies to determine whether to serve a cached page or not.
I'm a little uneasy about this tracking, but I can understand the reasoning behind it.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2015, Major in Computer Science, www.whizkidztech.com | tylerromeo@gmail.com
On Tue, Dec 18, 2012 at 6:50 PM, bawolff bawolff+wn@gmail.com wrote:
On 12/18/2012 06:50 PM, bawolff wrote:
> On Tue, Dec 18, 2012 at 5:41 PM, Kevin Israel pleasestand@live.com wrote:
>> Even if you do not check "Remember my login on this browser", the username is saved for 180 days (which, by the way, is four times the duration set out in the WMF privacy policy). As far as I can tell, this "feature" has existed at least since the phase3 reorg in 2003, if not before then.
> Not really. The cookie expiration was bumped to 180 days back in August of 2011. Before that we had a shorter expiry. See https://www.mediawiki.org/wiki/Special:Code/MediaWiki/94430 . Given that the user has to agree to the remember me function, I do not feel this is a privacy concern.
No, I tested and Kevin is correct. The "remember me" controls whether the user_token cookie is set: https://www.mediawiki.org/wiki/Manual:User_table#user_token . In practice, this means you will be logged in for 180 days.
But even if you don't check it, your username and user id (but not password or "being logged in") will be cached in a cookie for 180 days.
I believe the relevant code starts at https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes... .
I have reported the 30 v. 180 discrepancy to legal@wikimedia.org
Matt Flaschen
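An added example, not part of any message in this thread and not MediaWiki code: a small Node.js audit of the three Set-Cookie strings quoted in the first message, reporting each cookie's lifetime and whether it carries an identifier that outlives the session. The token and name heuristics, the observation time and the 30-day limit are assumptions of the example.

```javascript
// Added example (not MediaWiki code): audit Set-Cookie strings for identifiers
// that outlive a session. OBSERVED holds the three cookies quoted in the thread.
const OBSERVED = [
  'mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org',
  'clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org',
  'enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly',
];

// Split one Set-Cookie string into name, value and lower-cased attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs.filter(Boolean)) {
    const i = a.indexOf('=');
    if (i === -1) cookie.attrs[a.toLowerCase()] = true;
    else cookie.attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days relative to `now`; null means a session cookie.
// Max-Age takes precedence over Expires (RFC 6265).
function lifetimeDays(cookie, now) {
  if (cookie.attrs['max-age'] !== undefined) return Number(cookie.attrs['max-age']) / 86400;
  if (cookie.attrs.expires === undefined) return null;
  return (Date.parse(cookie.attrs.expires) - now.getTime()) / 86400000;
}

// Heuristics (assumptions of this example): a long alphanumeric value is a
// per-browser token; a name ending in UserName/UserID carries account identity.
function auditCookie(line, now, maxDays) {
  const c = parseSetCookie(line);
  const days = lifetimeDays(c, now);
  const token = /^[A-Za-z0-9]{16,}$/.test(c.value);
  const identity = /User(Name|ID)$/.test(c.name);
  const findings = [];
  if (token) findings.push('unique-token');
  if (identity) findings.push('account-identity');
  if (days !== null && (token || identity)) findings.push('persistent-identifier');
  if (days !== null && days > maxDays) findings.push('exceeds-policy');
  return { name: c.name, days: days === null ? null : Math.round(days), findings };
}

function auditAll(lines, now, maxDays) {
  return lines.map((l) => auditCookie(l, now, maxDays));
}

// Observation time is assumed from the first cookie's one-year expiry; 30 days
// is the figure the thread contrasts with 180 and is only a parameter here.
const report = auditAll(OBSERVED, new Date('2012-12-18T18:25:38Z'), 30);
for (const r of report) console.log(r.name, r.days, r.findings.join(','));
```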
Maybe I'm missing something, but where is the 180 days number coming from? When User::setCookies() sets the cookies, it gives it no expiry, so in reality the cookie persists until the browser removes it.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2015, Major in Computer Science, www.whizkidztech.com | tylerromeo@gmail.com
On Tue, Dec 18, 2012 at 11:07 PM, Matthew Flaschen mflaschen@wikimedia.org wrote:
On 12/19/2012 12:47 AM, Tyler Romeo wrote:
> Maybe I'm missing something, but where is the 180 days number coming from? When User::setCookies() sets the cookies, it gives it no expiry, so in reality the cookie persists until the browser removes it.
From User::setCookies():
    foreach ( $cookies as $name => $value ) {
        if ( $value === false ) {
            $this->clearCookie( $name );
        } else {
            $this->setCookie( $name, $value, 0, $secure );
        }
    }
From the doc comment for User::setCookie():
@param $exp Int Expiration time, as a UNIX time value; if 0 or not specified, use the default $wgCookieExpiration
From WebResponse::setcookie():
if ( $expire == 0 ) { $expire = time() + $wgCookieExpiration; }
From DefaultSettings.php:
$wgCookieExpiration = 180*86400;
On 12/19/2012 12:47 AM, Tyler Romeo wrote:
> Maybe I'm missing something, but where is the 180 days number coming from? When User::setCookies() sets the cookies, it gives it no expiry, so in reality the cookie persists until the browser removes it.
Here (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes...) User::setCookies calls User::setCookie (singular) with expiration 0 for UserID and UserName. I don't know where you see no expiration.
However, User::setCookie (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes...) itself says "if 0 or not specified, use the default $wgCookieExpiration"
It actually calls WebResponse::setcookie (https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes...). Both User::setCookie and WebResponse::setcookie default the $exp if it is not passed in, though it is in this case. setcookie does that expiration logic.
0 corresponds to expire = time() + $wgCookieExpiration.
I don't see any way there can be an infinite cookie.
Matt Flaschen
Ah, I see. Thanks for the explanation. It's a bit misleading, because in PHP's actual setcookie function, using 0 as the expiry makes it expire at the end of the session.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2015, Major in Computer Science, www.whizkidztech.com | tylerromeo@gmail.com
On Wed, Dec 19, 2012 at 1:07 AM, Matthew Flaschen mflaschen@wikimedia.org wrote: