[Foundation-l] Wikipedia tracks user behaviour via third party companies #2

[Aryeh Gregor]

On Fri, Jun 5, 2009 at 5:58 PM, Tisza Gergő<gtisza at gmail.com> wrote:
> I do argue that it is not in violation of the privacy policy (whether the people
> here find it acceptable is another question).

It may be within the letter of the privacy policy.  I think that's
entirely arguable, since the policy is so vague.  However, it's very
clearly against the *intent* of the privacy policy as dictated by the
Board.  Domas Mitzuas and Michael Snow are both Board members and have
both made it clear that they think there's no question that the script
in question violated the privacy policy.

I believe the major problems with the script are

1) It sent data to a server not directly controlled by the Wikimedia
Foundation.  No personally identifiable information should be sent in
bulk to any non-Wikimedia server.  Operation of any server hosting
significant amounts of sensitive information must be directly and
immediately accountable to Wikimedia's normal chain of command.

2) This use of data was not specifically authorized by the Wikimedia
Foundation, via either the Board or appropriate officers.  Peter may
be a checkuser, but that gives him authorization only to use checkuser
functions, not to collect or harvest other types of data.  As has been
noted, the data collected includes much more than checkusers can
access in the course of using their checkuser rights.

Neither of these points is made clear in the written privacy policy,
however, if they are in fact intended.

Last I heard, Erik Zachte is working on improved statistics for all
Wikimedia projects.  These are running on Wikimedia servers and
specifically approved by Wikimedia.  It seems like the best course of
action would be for people to point out what they think is lacking in
his statistics, and perhaps offer to help improve them.