[Foundation-l] check user...

Robert Horning robert_horning at netzero.net
Sun Apr 1 19:31:41 UTC 2007

Sebastian Moleski wrote:
> On 3/31/07, Robert Horning <robert_horning at netzero.net> wrote:
>> I disagree that the damage that somebody using checkuser privileges is
>> necessarily irreversible and necessarily causes too many legal problems
>> "for themselves and the foundation."  There is obviously an extreme case
>> or two where this may be the case, but on the whole I can't really seen
>> where revealing the IP address of a user is necessarily going to be a
>> major problem.  At best, the worst damage that can happen is to document
>> what computer an edit actually took place on.  Only with 3rd party
>> records would it even be remotely possible to tie this with a specific
>> individual.
> The laws regarding such things vary wildly between regions. In comparison to
> American privacy laws, for instance, the laws in manz European countries are
> much more strict. Disclosing personal information without the consent of the
> person the information belongs to can be prosecuted in criminal and civil
> court in some instances. Note that many of these laws aren't primarily meant
> to restrict the government from accessing the information but other private
> entities. The legal implications of checkuser shouldn't be underestimated.
> In addition, any user, including anonymous users, can trace the IP
I would like to point out that if you connect to the internet from any 
connection, you are "broadcasting" who you are and where you are at.  I 
know this is something that some individuals look at differently, but 
trying to maintain anonymity on the internet is a complex task at the 
best and futile at its worst.  I know some of this has to do with what a 
server operator claims to do with their usage logs, but you really 
shouldn't expect to have your privacy maintained, so far as the address 
to the computer is concerned, if you are using any internet connection.  
I have seen some server operators actually publish all access logs to 
their website in a very public manner.

An IP address is not a personally identifying piece of information by 
itself, as compared to a nationally issued ID number or your full legal 
name.  As I mentioned here above, you must used additional information 
such as signed logs or billing records of the ISP in order to tie a 
particular IP address to a specific individual.
>> ...
>> If a 10-year-old has been given bureaucrat privileges on a Wikimedia
>> project, I would be very surprised.
> There is at least one fifteen old user who is a bureaucrat on a Wikimedia
> project.
That is a major accomplishment, and congratulations to that individual.  
And to get there, they must have demonstrated a huge degree of maturity 
as well.  This is also something self-correcting as this particular 
bureaucrat will be 18 in three years, making any argument about this 
particular individual moot in time.
> It may also present some
>> interesting legal problems for the WMF in terms of liability for that
>> user's actions, but I also believe that any such user who has achieved
>> that level of trust in a particular project is going to have a level of
>> maturity to keep from abusing the checkuser tool as well.
> Actual abuse isn't necessary to be subject to a lawsuit. People who
> volunteer to perform checkuser functions must be fully aware of the
> responsibilities their actions incur and the possible consequences of those
> actions. It may be customary to assume good faith in Wikimedia projects.
> Unfortunately, the real world doesn't always work that way.
> Regards,
> Sebastian

I've heard a whole bunch of bluster here about how this abuse "may be 
subject to a lawsuit".  Is there any clear legal examples of this 
happening with other ISPs in situations similar to a disclosure by a 
volunteer operator/moderator of an IP address?  How is this different 
from admins who have to delete (or undelete) copyrighted material, or 
set themselves up for potential liability issues and other legal matters 
by performing user blocks?  Or even ordinary users setting themselves up 
with libel issues based on what they write on Wikimedia projects?

I believe that the hyperparanoia over the permission of check user 
access is actually a short coming to improving Wikimedia projects, and 
removing a very valuable tool to help fight vandalism and other 
mischief.  Particularly for smaller Wikimedia projects the current rules 
place huge obstacles to being able to help fight those who mean harm.  
These discussions to even further limit the scope of those eligible 
(even if mainly symbolic) smacks of the elitism that I perceived even 
when the check user policy was issued in the first place.

Certainly in the case of somebody trying to demonstrate eligibility for 
becoming a member of the board of trustees, an age requirement is 
absolutely necessary.  What is missing here in these discussions is what 
the actual legal requirements would be according to the laws of a 
specific country for some volunteer coordinator who has access to 
information tied between a user name and an IP address, and what both 
the liability to the foundation would be if they accidentally or 
intentionally disclosed this information.  Furthermore, if the person 
who did this disclosure was a minor, would that substantially increase 
the liability of the WMF?  Sure anything can trigger a lawsuit, but has 
any similar lawsuit been filed in this kind of situation, ever?  And 
been successful and not thrown out as laughable by the judge?

-- Robert Horning

More information about the foundation-l mailing list