Mr. Starling, thanks for your response. I have to preface this by saying my opinions are
legitimate criticism and rightly motivated, but I nevertheless fear that they won't be
allowed on the mailing list and that I will be kicked off it because of them.
I don't know what identifying people with
checkuser permissions is
meant to achieve, when they are not liable for a breach of the privacy
policy. I can understand requiring identification for Board members,
who have legal responsibilities. But what is the point of having a
photocopy of a CheckUser's passport when there are no conceivable
circumstances under which you would give that photocopy to police?
No, there are plenty conceivable circumstances under which the WMF would be compelled to
identify a community administrator to the police, such as a lawsuit for cyberstalking. For
example WMF Steward "Tbloemink" and global sysop "JurgenNL" engaged in
the stalking of Moiramoira via IRC, harassing phonecalls, and a visit to her home in which
they peeped in her windows
(
http://meta.wikimedia.org/wiki/Requests_for_comment/Privacy_violation_by_TB…).
They did use their advanced administrative rights to identify her. So a criminal or civil
case could be brought in which a subpoena for the passport would be lawfully issued.
In the broader picture, requiring identification would improve the behavior of any bad
administrator that has slipped through the cracks and uses the advanced tools to violate
users' privacy. Why? Because anonymity reduces the risks involved with bad behavior.
So they are no longer restrained by personal accountability in checkusering people. They
can do as they like, use the information in any way they like, and, beyond desysoping I
guess, can never be held to account.
Maybe the idea is that if a CheckUser publically doxes
someone for
some petty purpose, such as revenge, then the victim may subpoena
identifying records from the Foundation as part of a suit against the
CheckUser. Note that I have done my fair share of troll hunting, it
occupied quite a bit of my time between when I first got shell access
in early 2004 and when I introduced CheckUser in late 2005. I have
publically discussed identifying information of logged-in users. I
never heard any credible theory on how my actions at that time might
have created legal liability. Surely, if there was such a legal
remedy, trolls would constantly threaten to use it.
Your presumption here is that administrators across the board are honorable troll hunters
fulfilling a community duty, but the reality is somewhat different. The demonization of an
editor as "troll" and "sockpuppet" and so forth is often falsely used
by the administrator as an excuse for acting on his or her personal antipathies. They
become irritated at an editor and set out to attack him or her, there are no controls on
or standards for their actions.
I think that the most important practical measure we
can take to
protect users' privacy against CheckUser is to regularly audit the
CheckUser logs. We should also work to improve their auditability. The
logs have hundreds of entries of the form:
Yeah, that's a great idea, but further make it *publicly* auditable. Redact the
privacy (IP) information and let the public know whom the checkusers are checkusering.
Another great step would be to force entry of a *reason* before the checkuser tool can be
used. As I understand it from all I've read, the checkuser tool now has a
"reason" field, but it can be left blank. Reconfigure the tool to force entry of
a reason for its use. And this also would immensely improve the ability to audit the
logs.
13.04.2015, 01:56, "Tim Starling" <tstarling(a)wikimedia.org>rg>:
On 13/04/15 00:12, Trillium Corsage wrote:
<text clipped for brevity>