Mr. Starling, thanks for your response. I have to preface this by saying my opinions are legitimate criticism and rightly motivated, but I nevertheless fear that they won't be allowed on the mailing list and that I will be kicked off it because of them.
I don't know what identifying people with checkuser permissions is meant to achieve, when they are not liable for a breach of the privacy policy. I can understand requiring identification for Board members, who have legal responsibilities. But what is the point of having a photocopy of a CheckUser's passport when there are no conceivable circumstances under which you would give that photocopy to police?
No, there are plenty conceivable circumstances under which the WMF would be compelled to identify a community administrator to the police, such as a lawsuit for cyberstalking. For example WMF Steward "Tbloemink" and global sysop "JurgenNL" engaged in the stalking of Moiramoira via IRC, harassing phonecalls, and a visit to her home in which they peeped in her windows (http://meta.wikimedia.org/wiki/Requests_for_comment/Privacy_violation_by_TBl...). They did use their advanced administrative rights to identify her. So a criminal or civil case could be brought in which a subpoena for the passport would be lawfully issued.
In the broader picture, requiring identification would improve the behavior of any bad administrator that has slipped through the cracks and uses the advanced tools to violate users' privacy. Why? Because anonymity reduces the risks involved with bad behavior. So they are no longer restrained by personal accountability in checkusering people. They can do as they like, use the information in any way they like, and, beyond desysoping I guess, can never be held to account.
Maybe the idea is that if a CheckUser publically doxes someone for some petty purpose, such as revenge, then the victim may subpoena identifying records from the Foundation as part of a suit against the CheckUser. Note that I have done my fair share of troll hunting, it occupied quite a bit of my time between when I first got shell access in early 2004 and when I introduced CheckUser in late 2005. I have publically discussed identifying information of logged-in users. I never heard any credible theory on how my actions at that time might have created legal liability. Surely, if there was such a legal remedy, trolls would constantly threaten to use it.
Your presumption here is that administrators across the board are honorable troll hunters fulfilling a community duty, but the reality is somewhat different. The demonization of an editor as "troll" and "sockpuppet" and so forth is often falsely used by the administrator as an excuse for acting on his or her personal antipathies. They become irritated at an editor and set out to attack him or her, there are no controls on or standards for their actions.
I think that the most important practical measure we can take to protect users' privacy against CheckUser is to regularly audit the CheckUser logs. We should also work to improve their auditability. The logs have hundreds of entries of the form:
Yeah, that's a great idea, but further make it *publicly* auditable. Redact the privacy (IP) information and let the public know whom the checkusers are checkusering. Another great step would be to force entry of a *reason* before the checkuser tool can be used. As I understand it from all I've read, the checkuser tool now has a "reason" field, but it can be left blank. Reconfigure the tool to force entry of a reason for its use. And this also would immensely improve the ability to audit the logs.
13.04.2015, 01:56, "Tim Starling" tstarling@wikimedia.org:
On 13/04/15 00:12, Trillium Corsage wrote:
<text clipped for brevity>