[Foundation-l] Re: Privacy concerns

Any File anysomefile at gmail.com
Sun Oct 23 10:35:50 UTC 2005


Chris Jenkinson wrote on Privacy concerns

> Hi all,
>
> We had a rather large discussion today on privacy and its application on
> Wikipedia (specifically anonymous editing and the checkuser tool which
> is the subject of much debate at the moment).
>
> I am curious to whether the Wikimedia Foundation's privacy policy is
> compatible with EU legislation on privacy (which is tightly regulated),
> and whether it is obliged to be, as the Foundation hosts servers in the
> European Union (which are presumably subject to EU law).

Are any servers located in the EU? Are only the Paris and Amsterdam
squids present in the EU, or something more?

A first answer (actually a problem in answering this question) is
that there does *NOT* exist an EU law on privacy; the EU has approved
a law about that, but it is not a law in the strict sense. Every state
of the EU has approved its own law about that, basing it on the rights
explained in the EU decisions (yes, I know it is a very difficult
thing, very difficult to understand).

I read the EU law years ago and I do not remember it well at the
moment. I remember the Italian legislation. It is very lacking and
full of a lot of bureaucratic obligations, but with a lot of
exceptions, exemptions, waivers and gaps in many important aspects
(even though these aspects were previously declared important).

The main important points of the Italian legislation are (it may not
be an exhaustive list, maybe I am forgetting something):
1) You should inform people when you are gathering personal information
(note that the law is about personal data only of people; there is no
protection for data of companies, business firms and so on), and tell
them who is managing the data, in what manner and why, and give them
the instructions for exercising their rights over their data.
2) You should give people the right (and give them instructions on
how to exercise it) to know what data you hold about them and to
require it to be deleted on request. (Note that these rights are not
respected even by public and state organizations, with the excuse of
being under a duty to keep data by some other laws.)
3) You should inform them whether the data will be kept within the
state or whether it is going to be transmitted abroad.

Point 2 could be a little bit problematic. Can we delete some data if
people request it?

But the law is difficult to interpret and it is hard to understand
what it means. What does personal information really mean? It certainly
includes the case when you ask people to give you personal data (e.g.
when you ask their name and address to mail them), and this applies
even if this is done on the web. But is just logging internet access a
gathering of personal information? Is the gathering of
nicknames/usernames among personal data? What if the user gives as
username his/her real name?

On the other hand, collecting e-mail addresses is personal data
collection (even if you do not know the real name, because you can
contact him/her with this data). One problem I have noticed is that on
the login/registration page the user is not informed that if an e-mail
address is given, by default every user can send e-mail to it via the
"e-mail user interface" (even if without knowing the address and even
if this feature can be disabled in the options).

It is my opinion (but it is just this) that IP numbers are not
personal information (since they are just numbers).

Take note that many different laws make it compulsory for ISPs to
log and keep for a very long time much more information. The real
part of the information that makes it possible to connect one IP to a
person (well, actually even this is open to objection) is the part of
the data held by the ISP (and how they can gather and keep it in
violation of people's rights is a big problem that politicians are
just ignoring... as usual).

But the important and very difficult part to understand is about the
limits of the law with regard to geographic position. Are people
outside the EU required to respect this law? If someone accesses some
personal data on a server in the EU (or Italy) from a different state,
is this a transfer of personal data? A typical example of data
transfer is if someone collects personal data in one state (say for
example Italy) and then sends it to a company abroad to have it
statistically analyzed or to use it as a mailing list of addresses. In
these examples the collector actively sends the whole of the data
abroad. But is accessing some data from abroad the same thing or not?
If data are kept on a server in the same state and someone accesses
this server from abroad, can this be qualified as a transfer abroad or
not?

But a crucial point is whether gathering data about access to a server
is or is not personal data (keep in mind that the law is only about
personal data; things such as knowing that the user who accessed the
web server today is the same as yesterday's, without knowing who the
user is (e.g. with a cookie), are *IN MY opinion* not completely
qualifying as personal data).

On the other hand, I strongly see the need for an editor of a page to
be *STRONGLY* informed that everything he/she sends to the wiki... will
become immediately visible to everyone accessing the page, and so
he/she should do it only if he/she accepts this (in particular, but
not limited to, personal data). I have found that some people (even
though I put many relevant notes about that) send stories to the
Italian Wikinews giving their personal data (such as real name, mobile
phone number and so on), acting as if they believe that the message
will be visible only to the "journalist" (like when you send a letter
to a newspaper).

>
> I would also like to propose that any person with access to server logs
> (which include IP addresses), including people with access to the
> checkuser tool, should sign a legal agreement of some sort with the
> Wikimedia Foundation concerning non-disclosure of this information.
>

The more important part is not about disclosure, but that they act on
personal data with respect for people's legal rights and use it just
for the purpose stated in the information given to people.

> I am unsure whether or not an IP address qualifies as "personal
> information" under EU law and I have contacted the UK Information
> Commissioner's Office asking them for their opinion.
>
> Thoughts on the legal agreement proposal, and answers to the question of
> legal obligations are much appreciated.
>

I am strongly in favor, if we want to expand ourselves in the EU, of
strongly searching for EU support. Besides economic support we can
also get consulting about these things from the EU.
(Usually the hardest part is to find out where to apply for a request
of support.)


Brion Vibber wrote on Privacy concerns

> Chris Jenkinson wrote:
> > We had a rather large discussion today on privacy and its application on
> > Wikipedia (specifically anonymous editing and the checkuser tool which
> > is the subject of much debate at the moment).
>
> That's two distinct issues:

Completely agree

> > I am curious to whether the Wikimedia Foundation's privacy policy is
> > compatible with EU legislation on privacy (which is tightly regulated),
> > and whether it is obliged to be, as the Foundation hosts servers in the
> > European Union (which are presumably subject to EU law).


>
> I've been asking this for years... Check South Korea's laws as well, as
> we have servers there too.

These European squid servers are a particular case. I do not know how
the legislation will consider them. The logs on the squid about the
squid are surely pertinent to the EU, but what about the data that
just transits through the squid to be delivered to the Florida server?
People believe that data are just sent to the Wikipedia server (well,
actually I do not know where people believe it is).

Of course here there is a serious lack in legislation on what and
who should be competent over the internet.

The squid case anyway is very similar to the cache server case and I
suppose that this case should already have been discussed somewhere.


Chris Jenkinson wrote on Privacy concerns
> Brion Vibber wrote:
> > * If you contribute to the wiki without creating an account, your edits
> > are publicly identified with your network location instead of a name.
>
> Is this information made known to an anonymous contributor before they
> actually make the edit?
>

Well I have noticed that it is not really clear

AnyFile


