[Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention

Risker risker.wp at gmail.com
Thu Oct 24 13:37:48 UTC 2013 

On 24 October 2013 08:10, Fæ <faewik at gmail.com> wrote:

> ...
> > Apparently, legals say that the current policy is too flexible for the
> board
> > to have really meant approving it, so of course the board will like to
> > change his mind and make it much stricter, while if one wanted to keep
> it as
> > flexible as it is now one would need the board to change his mind.
> Hmmmmmm.
> >
> > Nemo
>
> Without an explanation of why this was an issue or a priority legal
> matter, it seems perfectly reasonable to fill in the gaps with wild
> fantasy and speculation. I rather like the idea that someone in the
> WMF legal team read something about privacy on their top of the range
> internet tablet, while drinking freshly ground top of the range
> coffee, and as it was an otherwise dull day on the subpoena front,
> decided to give this policy a poke to see the ants scurry about. It
> certainly seems to have kept many volunteers busy this week.
>
>
Wow, Fae. Just....wow.

Now, how about we look at this from the perspective of the editor whose
non-public personal information is available to checkusers, or who has to
rely on an oversighter to address an accidental logged-out edit.  If I am
that editor, I really want the WMF, who has granted those individuals
access to this personal (and in some cases private) information, to know
exactly who has that access.  I want them to know who those people are, I
want them to know how to contact them directly, and I want them to make
sure that those individuals have personally undertaken to keep any
information confidential with very limited exceptions.

This is actually a Privacy 101 situation:  an organization that grants
access to non-public personal information needs to know exactly who it is
granting that access to, and the person who has access to that information
needs to agree to keep it confidential.

The majority of the discussion in the last period has been about the
mechanics of collecting and retaining the identifying information of those
who have access.  There are some good points being raised by several
people, and they do need to be addressed; however, the underlying principle
is absolutely sound.  I'm actually kind of shocked that there would be much
debate about the core principle, and I find it concerning that there is the
suggestion some individuals who have access to huge amounts of non-public
personal information about others should be exempted from having their own
identity known to the organization responsible for keeping this non-public
information secure.

Risker

More information about the Wikimedia-l mailing list