[Labs-l] Labs privacy policy questions

Pine W wiki.pine at gmail.com
Tue Mar 8 08:11:51 UTC 2016 

Hi Andrew,

Does "username/password combination for accounts created in Labs services"
refer to service-specific Labs passwords rather than Wikimedia login
credentials?

I'm deeply uncomfortable with the idea that someone who logs into a Labs
account could have their IP made public, and it also seems to me that any
Labs tool owners who capture the IPs of tool users should be required to
pass a similar level of scrutiny as is applied to Checkusers. Is this
something that I should bring up with James Alexander and/or Michelle
Paulson?

Pine


On Mon, Mar 7, 2016 at 9:25 PM, Andrew Bogott <abogott at wikimedia.org> wrote:

> Pine --
>
> I was not involved in crafting the language of this policy, but I can at
> least start to answer your questions.
>
> On 3/7/16 9:54 PM, Pine W wrote:
>
> The Wikimetrics login screen [1] presents me with this information:
>
> "By using this project, you agree that any private information you give to
> this project may be made publicly available and not be treated as
> confidential.
>
> "By using this project, you agree that the volunteer administrators of
> this project will have access to any data you submit. This can include your
> IP address, your username/password combination for accounts created in Labs
> services, and any other information that you send. The volunteer
> administrators of this project are bound by the Wikimedia Labs Terms of
> Use, and are not allowed to share this information or use it in any
> non-approved way.
>
> "Since access to this information is fundamental to the operation of
> Wikimedia Labs, these terms regarding use of your data expressly override
> the Wikimedia Foundation's Privacy Policy as it relates to the use and
> access of your personal information."
> I have two questions to start.
>
> 1. Why would my IP, password, or other "private information" that I give
> to Labs ever "be made publicly available and not treated as confidential"?
>
> Clearly that's a question for the project admins -- I don't know what
> they're planning to do with your data.  The main take-away is that you are
> giving your information to them, /not/ to NDA-bound WMF staff.  In my
> (non-legal) option, that means we're already outside the realm of
> 'confidential'.  Furthermore, project membership is only informally
> managed, and most likely any member of the wikimetrics project can also
> access identifying information.
>
> I can think of lots of good reasons why a user's IP address might be
> interesting as research data and might legitimately find it's way into
> public view, /if a user willingly discloses it/.  That's exactly why we
> have disclosures like this:  so that real, confidential Wikimedia projects
> don't quietly dump their traffic into a Labs back-end without seriously
> considering the possible breaches of privacy that might result.
>
>
>
> 2. Why would Labs volunteer administrators ever have access to my
> password? To the best of my knowledge, even WMF staff never have access to
> plaintext passwords of anyone but themselves unless someone chooses to
> disclose their password on a one-time basis.
>
> I believe you're referring to this text:
>
> "This can include your IP address, your username/password combination for
> accounts created in Labs services, and any other information that you send."
>
> Again, the point is that you are logging into software that is created and
> maintained by volunteers -- therefore by definition your information is
> passing through their hands.  Clearly a well-made project will not present
> plaintext passwords to actual human eyes, but you are typing your password
> into a text field maintained by actual human volunteers, which in terms of
> security amounts to the same thing:  you are trusting those volunteers with
> your password.
>
> I hope that helps!  I don't think there's a lot of wiggle-room here... if
> you are uncomfortable with the terms of use for a given labs project, best
> not to use it.
>
> -Andrew
>
>
> Thanks,
>
> Pine
>
>
> [1]
> https://metrics.wmflabs.org/login?next=%2Freports%2Fprogram-global-metrics
>
>
> _______________________________________________
> Labs-l mailing listLabs-l at lists.wikimedia.orghttps://lists.wikimedia.org/mailman/listinfo/labs-l
>
>
>
> _______________________________________________
> Labs-l mailing list
> Labs-l at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/labs-l
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/labs-l/attachments/20160308/0edc54a1/attachment-0001.html>

More information about the Labs-l mailing list