[Foundation-l] Wikipedia tracks user behaviour via third party companies #2

Tisza Gergő gtisza at gmail.com
Fri Jun 5 21:44:01 UTC 2009

Mark (Markie) <newsmarkie at ...> writes:

> I still fail to see how, at this point (not before when there was no policy)
> this can be considered to be acceptable.  IP information etc is still being
> passed to an external server, regardless of who it is being operated by.  As
> we can see at http://meta.wikimedia.org/wiki/Privacy and copied below I
> don't see where this is acceptable.
> Release: Policy on Release of Data
> It is the policy of Wikimedia that personally identifiable data collected in
> the server logs, or through records in the database via the CheckUser
> feature, or through other non-publicly-available methods, may be released by
> Wikimedia volunteers or staff, in any of the following situations:
>    1. In response to a valid subpoena or other compulsory request from law
>    enforcement,
>    2. With permission of the affected user,
>    3. When necessary for investigation of abuse complaints,
>    4. Where the information pertains to page views generated by a spider or
>    bot and its dissemination is necessary to illustrate or resolve technical
>    issues,
>    5. Where the user has been vandalizing articles or persistently behaving
>    in a disruptive way, data may be released to a service provider, carrier, or
>    other third-party entity to assist in the targeting of IP blocks, or to
>    assist in the formulation of a complaint to relevant Internet Service
>    Providers,
>    6. Where it is reasonably necessary to protect the rights, property or
>    safety of the Wikimedia Foundation, its users or the public.
> Except as described above, Wikimedia policy does not permit distribution of
> personally identifiable information under any circumstances.

It also says, a few sentences earlier, that "Sharing information with other
privileged users is not considered distribution." And Peter has identified
himself to the foundation according to the access to nonpublic data policy, so
he is a privileged user. I still don't see any violation there - the point of
the privacy policy is to regulate release of personally identifiable information
from those who have access to those who have not, and in this case no such
release happened.

> Also there *may* be issues with the security
> of that server that means it could be compromised and could probably be
> accessed by the web hosting company if they so wished.

Peter is CTO of a Hungarian ISP; he is the one hosting the server, and he
certainly has the required expertise. Anyway, the privacy policy explicitly
disclaims any responsibility for unauthorized access; while the security of the
server is certainly a valid issue, it is not an issue with the privacy policy.
