[Foundation-l] Internal wiki(s) and confidential committee communications

Gerard Meijssen gerard.meijssen at gmail.com
Sun Feb 5 16:56:20 UTC 2006 

Brion Vibber wrote:
> Erik Moeller wrote:
>   
>> Hiding page content is not too hard; it gets
>> a bit more complicated if we want to make sure that people cannot even
>> see page _titles_ outside their given namespace access, as these are
>> currently shown all over the place. Perhaps a gradual implementation
>> would be sufficient.
>>     
>
> I have strong reservations on this due to the large number of ways open to
> access page content in MediaWiki. I have consistently recommended against third
> parties attempting to hack MediaWiki for this; anyone who actually requires this
> sort of multiple-group confidentiality levels in a single wiki could lose their
> job when it fails (and it probably would fail).
>   
This is a great argument why it should not be third parties to attempt 
to hack MediaWiki for this. It is not an argument why it should not be 
done. Given that you have expressed your reservations on multiple 
occasions, there is a clear demand for this functionality, there is also 
the present expressed requirement.. The fact that this is NOT the first 
time that it is discussed for use within the Wikimedia Foundation gives 
weight to the argument that it should be developed. It is not only but 
also useful for the Wikimedia Foundation, it does provide functionality 
that cannot be done well by third parties. It is known that this 
functionality has been hacked multiple times. You make a great case for 
the development of this functionality.
> In addition to page titles there are summaries, extracts, fragments, search
> results, templates, old versions, watchlist entries, raw loads, diffs, logs, RSS
> feeds, export, and god knows what else.
>
> I can pretty much assume that lots of time would be spent cleaning up after
> mistakes, where confidential material was placed into the wrong page / edit
> summary / log entry / whatever that's hard to remove.
>
> So while we could try, I recommend strongly against it if legal confidentiality
> is actually a requirement (as I cannot guarantee we can provide it with software
> diametrically opposed to it) and I recommend against it if it's not a
> requirement (why bother?)
>
>   
When there is no legal confidentiality required, it makes for an ideal 
environment for creating this functionality. It is ideal because as the 
people involved are trusted, it means that a failure of the security 
implemented does not create a genuine security situation.

When there is legal confidentiality required, it means that a 
confidential wiki with low security requirements is selected and will be 
used to test the security features. As confidence in these security 
features grows, content can be merged into this wiki in order from low,  
medium to high confidentiality requirements. The trust of the people who 
are /not /given permission to view content is still implicit, the 
difference in approach is because of the legal requirements.

Creating an environment with increased needs for confidentiality is 
however a dangerous thing. There is cost associated both with being open 
and with being closed. I have the impression that we only hear arguments 
for having closed / confidential information. The discussion of these 
arguments also seem to be rather closed / confidential. People who are 
not "in the know" are likely to see increased secrecy as being not 
benign. The consequence/ is/ that the group that is in the know becomes 
more isolated. This leads to less migration into and out of the group 
that is privy to information and therefore to a more centralised 
organisation that in time becomes increasingly likely to look for new 
people outside of the Wikimedia communities.

At this moment the activity in the Wikimedia Foundation is 
overwhelmingly Western; American or European. It is extremely important 
that the organisation of the Wikimedia Foundation remains open; this 
will allow for the hoped for infusion of people and ideas that are not 
Western.
> If we're going to try hiding things,
> * What are we hiding, from whom?
> * How much do we trust them?
> * Do we trust them enough not to peek?
> * If we don't trust them, why are they there?
> * If we do trust them, why are we hiding information?
>
> If the only requirement is to protect against casual reading of pages by
> highly-trusted individuals in another workgroup, maybe it's good enough. But do
> we need it then?
There are two ways of looking at MediaWiki, either it is seen in a 
Wikimedia centred way or, it is seen as software that is used by many 
organisations with Wikimedia as the principal user. The second approach 
acknowledges that organisations like Wikicities, or like schools, etc 
use MediaWiki.

There are arguments outside of Wikimedia that plead for the 
implementation of this functionality. Please take these into account.

Thanks,
   GerardM

More information about the foundation-l mailing list