On 13/04/15 00:12, Trillium Corsage wrote:
> On 25 April last year, the board of trustees approved, in a non-public and scantily documented meeting, a policy that accords Checkuser and Oversight and other statuses to "community" members appointed by a community process with essentially a mere two requirements: provide an email address, and assert that you are 18 or over. Name, address, NOT required. Is this truly an adequate way to protect the privacy interests of all those that edit Wikipedia? Well, I don't think so, but my purpose right now is to try to eliminate the ambiguity of what is actually occurring at this time.
I was not involved in the development of this policy, either the original one or the current iteration. So what follows are my independent, unofficial thoughts on the issue.
I don't know what identifying people with checkuser permissions is meant to achieve, when they are not liable for a breach of the privacy policy. I can understand requiring identification for Board members, who have legal responsibilities. But what is the point of having a photocopy of a CheckUser's passport when there are no conceivable circumstances under which you would give that photocopy to police?
Maybe the idea is that if a CheckUser publicly doxes someone for some petty purpose, such as revenge, then the victim may subpoena identifying records from the Foundation as part of a suit against the CheckUser. Note that I have done my fair share of troll hunting; it occupied quite a bit of my time between when I first got shell access in early 2004 and when I introduced CheckUser in late 2005. I have publicly discussed identifying information of logged-in users. I never heard any credible theory on how my actions at that time might have created legal liability. Surely, if there was such a legal remedy, trolls would constantly threaten to use it.
I think that the most important practical measure we can take to protect users' privacy against CheckUser is to regularly audit the CheckUser logs. We should also work to improve their auditability. The logs have hundreds of entries of the form:
* AdminUser got IP addresses for Spambot10255787 (Investigating spam)
* AdminUser got users for 11.22.33.44/16 (Investigating spam)
What auditor is ever going to do another CheckUser request to make sure that 11.22.33.44 really was an IP address used by Spambot10255787? How can we tell if AdminUser was interested in 11.22.33.44 for some other reason? Linked log entries should probably be explicitly annotated by the software.
-- Tim Starling