<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><span class=""><blockquote type="cite">On review, these properties have been deemed sensitive
by our security folks:<br>
<br>
<span class="m_8361524918275897056gmail-m_-5098447359950011784gmail-transaction-comment">user_properties:
language, skin, timecorrection, varient</span></blockquote>
<br></span>
Perhaps "our security folk" should make up their mind?<br>
<br>
That list was specifically approved by legal as okay. See
<a class="m_8361524918275897056moz-txt-link-freetext" href="https://phabricator.wikimedia.org/T66115" target="_blank">https://phabricator.wikimedia.<wbr>org/T66115</a> and the (long, involved)
prior discussion leading to it at bz 58196 (did we keep an archive
of those)?</div></blockquote><div><br></div><div>Just like code can be rewritten to be better or solve bugs, so should security policy be updated if new vulnerabilities are found. I applaud our security team for re-visiting decisions. Security is neither easy nor static.</div></div></div></div>