[Foundation-l] New draft of privacy policy

Mon Jun 16 18:12:52 UTC 2008

On Mon, Jun 16, 2008 at 1:48 PM, Andrew Whitworth <wknight8111 at gmail.com> wrote:
> On Mon, Jun 16, 2008 at 1:27 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
>> Okay. So why do we give a checkuser equivalent (releasing the IPs of
>> unregistered users) to the entire world for something around half our
>> contributors?
>
> We don't "release" IPs, they are visible by default unless a person
> chooses to create an account.  A person's IP is visible unless a
> person chooses to make it private. Anonymous users don't have an
> expectation of their IPs being kept private unless they've taken steps
> to make it so. Registered users do have that expectation.

"Anonymous" people don't have the expectation of being .. anonymous. Funny that.
Meanwhile registered users routinely manage to edit logged-out with
negative consequences.... Even really technically competent users.

In both cases I think it is clear that we are frequently failing the
expectations of our contributors.

Being realistic, most new people editing Wikipedia have no clue what
an IP address is and are quite likely unaware of the consequences of
their actions until they are too late.  Even if they manage to realize
their IP will be public, and that it could allow someone to identify
them, many people can't imagine that someone would bother digging up
some random edit on a website and turn it into a press event.   No
amount of angry red explanatory text can really solve that.

Saying that we don't release them is, in my view, playing an unhelpful
semantic game.  The world would not know their IPs if we did not
configure out software to publish them.   Mediawiki is one of fairly
few web applications which publicly display user's IPs. It's certainly
not the norm on the internet.

The brilliance of modern industrial safety standards is that they
realize that people are often uninformed, inattentive, and sometimes
outright stupid and they strive to design systems which do not cause
serious harm when combined with typical users.   Making a nearly
irreversible public disclosure of a persons IP simply because they
clicked a button without reading a kilobyte of largely irrelevant text
can not be called a harm-minimizing technique.    I'm a bit puzzled
that a list that can produce hundreds of messages about stalking
doesn't stand up and recognize this sort of surprise avoidance as an
ethical necessity.

On Mon, Jun 16, 2008 at 1:56 PM, Gerard Meijssen
<gerard.meijssen at gmail.com> wrote:
> We have always indicated to people who were interested in this that true
> anonymity can not be found in anonymous editing. We have always indicated
> that anonymity will be better preserved by making use of a user handle.

And yet we continue to find that people are surprised and confused by
our practices and language.
Merely telling people is not enough in all cases.  If we are realistic
we will realize that many people do not read or do not understand.  We
can not save everyone from themselves but we should strive to achieve
the best outcome for the user in the majority of cases.

> As you are continuing your game of silly buggers, it is a choice to use a
> user or not. If people are not troubled by sub optimal anonymity, it is
> their choice. At the same time they provide us with the handles to help
> fight vandals. Changing this will not help us produce more or better content
> for our projects. It makes our servers less responsive so I do not think
> this should have much or any priority..

You say that people are making a conscious choice to be less anonymous
(by using our 'anonymous editing'),  but most Wikipedians would agree
that unregistered users are a larger source of trouble edits than
named users.  If your goal was to cause trouble and you were able to
make an informed choice, wouldn't you always choose to be more
anonymous rather than less?

I think it's a lot more likely that many people have no clue.

Ah... Forget it.  We won't come to an understanding.    ... At least I tried.