[Labs-l] Labs privacy policy questions

John phoenixoverride at gmail.com
Wed Mar 9 13:26:42 UTC 2016 

Keep in mind there are two parts to labs. tools.wmflabs has a proxy in
front that filters out ip addresses, but non-tool projects may need user IP
info for one thing or another (UTRS for example)


On Wednesday, March 9, 2016, Tim Landscheidt <tim at tim-landscheidt.de> wrote:

> (anonymous) wrote:
>
> > I think the situation with passwords has been clarified. Thanks for that.
>
> > However, there is still the matter of Labs users potentially logging and
> > publishing the IPs of users who access the tool. My impression that this
> > forbidden by policy but not by technical means. Can the wording of "By
> > using this project, you agree that any private information you give to
> this
> > project may be made publicly available and not be treated as
> confidential."
> > be made more narrow to reflect that, in fact, it's not true that "any
> > private information you give to this project may be made publicly
> available
> > and not treated as confidential" unless a tool owner is breaking policy?
>
> > Also, I'm wondering what to do about the vulnerability of user IPs being
> > recorded and tracked. It sounds like there are three options:
> > 1. Use technical means to prevent Labs tools from loading external
> > resources that could potentially track IPs
> > 2. Prohibit this practice by policy, and run some kind of background
> check
> > on tool admins similar to what's done for CUs
> > 3. Keep the status quo of warning users of potential disclosure but not
> do
> > much to protect users against improper disclosure.
>
> > Finally, it seems to me that the penalty for publishing private
> information
> > in violation of Labs policy should involve far more than simply revoking
> > Labs permissions. I think that this would merit the same kind of legal
> > action that would likely be brought to bear if a checkuser or WMF
> employee
> > did the same thing. There can be real-world consequences for users whose
> > private information is made public, and therefore I think that it's
> > appropriate that real-world legal action be explicitly included in the
> > scope of possible consequences for misconduct of this kind, and I think
> > that this should be noted in the Labs Terms of Use.
>
> > Thoughts?
>
> > I'm also looping in Michelle and James.
>
> I live in a country where you need a court order to resolve
> an IP and a timestamp to a name and an address, so I would
> strongly recommend emigrating from countries where this is
> different or using a privacy service in a safe country.
>
> But even if I was concerned about my IP address, I would
> certainly not access Wikipedia with it where this precious
> datum can be accessed by an indeterminate and fluctuating
> number of employees and international contractors of a
> Florida organization with offices in San Francisco and a
> legal address in Los Angeles, but also by any administrator
> on the wiki with the power to add some JavaScript or tracker
> images.  Much less would I access any site where the de-
> clared purpose is that random users can host their brilliant
> tools with no review necessary so that functionality can be
> provided immediately and not with the years of delay typical
> of WMF software development.
>
> So if someone is blackmailed about their IP address, I would
> strongly recommend (even stronger than emigration) to report
> the blackmailer and the one emphasizing the danger!!!eleven!
> to the police so that law enforcement can deal with the
> criminal and investigate any links between the two.
>
> If someone is not blackmailed, they should have plenty of
> time to come up with a structure for tools not reviewed in
> any way where breaches of privacy are technically impossi-
> ble.  It rolls off the tongue like that, so it can't be that
> hard to implement.
>
> Tim
>
>
> _______________________________________________
> Labs-l mailing list
> Labs-l at lists.wikimedia.org <javascript:;>
> https://lists.wikimedia.org/mailman/listinfo/labs-l
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.wikimedia.org/pipermail/labs-l/attachments/20160309/36815f09/attachment.html>

More information about the Labs-l mailing list