[Foundation-l] Privacy concerns

Thomas Morton morton.thomas at googlemail.com
Sun Jul 10 22:20:44 UTC 2011 

> Seem to work though.

Does it? Where is the evidence for this? I'm not being hasty in forming a
firm judgement here - other than to say it doesn't, on the face of it, seem
like a good idea for a project to be doing this.

> And if the details of the handling of private data is well outlined and
confined it could be a good thing to have.

Indeed, if. But again, no word or evidence of such things so far.

I do think this is a serious problem that needs investigating:

- The argument that this is essentially an optional function is not really
appealing, and is easily said by those who are not blocked. Saying "if you
want to edit send a stranger your identity" does not sit comfortably with
me. (this is just my personal view, but I include it for completeness)

- Saying this is disconnected from Wikipedia/the Foundation is a red herring
- it is organised via the website, so for any user utilising this service it
looks to some extent "official". The Foundation have a reasonable duty of
care to its users and at this point they are not able to properly audit or
oversight the handling of personal details.

- The whole idea is a "false flag" anyway because identity is beyond trivial
to fake. So, it is not about identity, but about some slightly high barrier
of action for an individual to take - the idea being it filters out the more
casual bad guys. In which case; a more suitable alternative to identity
could be used. Perhaps a hand written letter asking for an unblock? That
seems  much better system.

- EU data protection laws *explicitly* apply to the handling of personal
data by private individuals. And as an enabling medium Dutch Wikipedia could
easily also be considered a controller within the scope of the law (they are
intentionally very broad). This means if the data does end up being misused
then it will be a major blow; hence it seems sensible to require some
investigation of this process.
-- As an addendum to that the process described on the Dutch Wikipedia at
the very least need to comply with EU directives. For example the person
processing the data must reveal his name and address (I realise that is
likely to happen, but I see no clarity on the matter and no oversight to
ensure this occurs) and the details of *precisely* what will be done with
the data need to be published (and kept to)
-- We need to establish (prefferably with a lawyer) to what extent this
process is considered necessary or relevant; because if it is one or neither
then it is non-compliant.

There is also an extended risk here; something simple like an admin unblocks
the account of "Bram van Rijn" and, when unblocking him, says "There you go
Bram, enjoy editing!". Something simple and innocent is now non-compliant.

For that reason people handling  identity in a capacity relating to
Wikipedia, even semi-officially, need to be well vetted.

I have argued this before several times in relation to other such things on
English Wikipedia, and I realise my view may be stronger than the
majorities. But in this case it appears not even a cursory check is being
undertaken.

Tom

More information about the foundation-l mailing list