<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Actually that makes me more concerned. If you’re going out of your way to log people’s passwords, even if they are non-WMF passwords for WMF users, that should be disclosed in big red font.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Also session handling should be separated from stack traces. There’s no reason for a stack trace to print session data.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>I’ve never ever had an unexpected exception resulting in session data being printed into a stack trace.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Peachy for example, dumps a record of its communications it does to a log file, but I made sure that private data is not spilled there.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Cyberpower678<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>English Wikipedia Account Creation Team<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Mailing List Moderator<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Global User Renamer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Labs-l [mailto:labs-l-bounces@lists.wikimedia.org] <b>On Behalf Of </b>Magog The Ogre<br><b>Sent:</b> Tuesday, March 08, 2016 7:49 AM<br><b>To:</b> Wikimedia Labs <labs-l@lists.wikimedia.org><br><b>Subject:</b> Re: [Labs-l] Labs privacy policy questions<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>And just to clarify, I go out of my way log the password, and I'm sure Magnus doesn't either. But any information that is stored in session can accidentally leak into logs by one means or another (stack traces that aren't handled carefully, PHP dumps, etc.)<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I hope this answers everyone's concerns.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Magog<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Mar 8, 2016 at 7:23 AM, Magog The Ogre <<a href="mailto:magog.the.ogre@gmail.com" target="_blank">magog.the.ogre@gmail.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><p class=MsoNormal>May I remind everyone about TUSC (<a href="http://tools.wmflabs.org/tusc/" target="_blank">http://tools.wmflabs.org/tusc/</a>)? This is a tool used for authentication built around a username-password. Tools by nature must have a copy of the password before passing it to TUSC. While users are encouraged not to use their Commons passwords, the tool cannot enforce it.<o:p></o:p></p><div><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The tool is deprecated in favor of OAuth. I have personally been trying to get off the ground with OAuth for a while now (see my email from this weekend). I am not sure but if there are any tools left other than my own which still use TUSC.<o:p></o:p></p></div><div><p class=MsoNormal><span style='color:#888888'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>Magog<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'><o:p> </o:p></span></p></div></div></div></div><div><div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Mar 8, 2016 at 7:13 AM, Maximilian Doerr <<a href="mailto:maximilian.doerr@gmail.com" target="_blank">maximilian.doerr@gmail.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal>I must also say that I am deeply uncomfortable with the username/password. No tool labs tool or project has any business collecting usernames and passwords unless it's a local tool login completely separate login from WMF wikis. If I am interpreting this incorrectly, I apologize.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>That also goes without saying the collecting Access tokens of OAuth users is completely unacceptable too.<br><br>Cyberpower678<o:p></o:p></p><div><p class=MsoNormal>English Wikipedia Account Creation Team<o:p></o:p></p></div><div><p class=MsoNormal>ACC Mailing List Moderator<o:p></o:p></p></div><div><p class=MsoNormal>Global User Renamer<o:p></o:p></p></div></div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On Mar 8, 2016, at 04:57, Merlijn van Deen (valhallasw) <<a href="mailto:valhallasw@arctus.nl" target="_blank">valhallasw@arctus.nl</a>> wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal>Hi Pine,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>On 8 March 2016 at 09:11, Pine W <<a href="mailto:wiki.pine@gmail.com" target="_blank">wiki.pine@gmail.com</a>> wrote:<o:p></o:p></p></div><div><div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><div><p class=MsoNormal><span style='color:black'>Does "username/password combination for accounts created in Labs services" refer to service-specific Labs passwords rather than Wikimedia login credentials?</span><o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal>Yes. It refers to e.g. the username/password combination you use on <a href="https://phab-01.wmflabs.org/" target="_blank">https://phab-01.wmflabs.org/</a> or <a href="http://en.wikipedia.beta.wmflabs.org" target="_blank">http://en.wikipedia.beta.wmflabs.org</a>. Wikimetrics uses OAuth, so it will not get to know your credentials.<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><div><p class=MsoNormal><span style='color:black'>I'm deeply uncomfortable with the idea that someone who logs into a Labs account could have their IP made public, and it also seems to me that any Labs tool owners who capture the IPs of tool users should be required to pass a similar level of scrutiny as is applied to Checkusers. Is this something that I should bring up with James Alexander and/or Michelle Paulson?</span><o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>> <span style='color:black'>someone who logs into a Labs account could have their IP made public</span><o:p></o:p></p></div><div><p class=MsoNormal><span style='color:black'>Wikitech itself falls within the WMF Privacy Policy, so creating a Labs account (and logging in to Wikitech) will not share your IP with any projects. </span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='color:black'>Using web tools hosted on Labs could, however, and </span>realistically there not much we can do about it. For example, in the case of Tool Labs, we do not pass the IP address of the user to the tool, but a malicious tool could load an external resource and track users using that external resource. This means we would need to require checkuser-level scrutiny for <i>every</i> labs user, which would just mean people will host their tools off labs. The requirement to show a warning when private information is logged (cf. <a href="https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#What_information_should_I_provide_to_users.3F" target="_blank">https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#What_information_should_I_provide_to_users.3F</a> ) is a compromise.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In practice, Labs projects should be considered the same as any external resource: they might store private information. We just require labs project to be clear about this in advance.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Merlijn<o:p></o:p></p></div></div></div></div></div></blockquote></div></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>_______________________________________________<br>Labs-l mailing list<br><a href="mailto:Labs-l@lists.wikimedia.org" target="_blank">Labs-l@lists.wikimedia.org</a><br><a href="https://lists.wikimedia.org/mailman/listinfo/labs-l" target="_blank">https://lists.wikimedia.org/mailman/listinfo/labs-l</a><o:p></o:p></p></div></blockquote></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Labs-l mailing list<br><a href="mailto:Labs-l@lists.wikimedia.org" target="_blank">Labs-l@lists.wikimedia.org</a><br><a href="https://lists.wikimedia.org/mailman/listinfo/labs-l" target="_blank">https://lists.wikimedia.org/mailman/listinfo/labs-l</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>