New draft of privacy policy

New draft of privacy policy

Florence Devouard-3
Hello participants !

"term used on purpose"...

Mike has drafted a new version of the privacy policy. Given that this
policy is one of the nearest things to defining the terms of agreement between
WMF and editors, I invite you to not only read it carefully, but please
also inform your community members on the relevant village pump.

Your input is welcome. Please note that voting on this policy is planned
next week-end during the 21st of June board meeting. So, input is
welcome NOW.

Thank you

Anthere

THE PAGE: http://meta.wikimedia.org/wiki/Draft_Privacy_Policy_June_2008


_______________________________________________
foundation-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l

Re: New draft of privacy policy

Jesse (Pathoschild)
On Sat, Jun 14, 2008 at 4:55 AM, Florence Devouard <[hidden email]> wrote:
> Your input is welcome. Please note that voting on this policy is planned
> next week-end during the 21st of June board meeting. So, input is
> welcome NOW.

While the draft is very good as a supporting explanatory essay, I
don't think it's written as a policy; it's unnecessarily verbose,
reads like an essay or opinion piece, makes incorrect assumptions
(like "everyone can contribute", "history [...] is preserved
indefinitely", or "you are encouraged but not required to register
with your real name" (some wikis specifically discourage that due to
stalking, etc)), significantly addresses non-privacy subjects (like
community values, copyright, or user access hierarchy), and uses
redundant section numbering (sections are numbered automatically in
the table of contents). I think the explanatory material should be
moved to a separate essay, so that the policy only contains policy.

I've drafted a rewritten policy that addresses these and other
concerns (such as undue references to en-Wikipedia) at
<http://meta.wikimedia.org/wiki/Talk:Draft_Privacy_Policy_June_2008#Rewrite>.
I'd also appreciate input on that rewritten draft.

--
Yours cordially,
Jesse Plamondon-Willard (Pathoschild)


Re: New draft of privacy policy

Ray Saintonge
In reply to this post by Florence Devouard-3
Florence Devouard wrote:

> Hello participants !
>
> "term used on purpose"...
>
> Mike has drafted a new version of the privacy policy. Given that this
> policy is one of the nearest things to defining the terms of agreement between
> WMF and editors, I invite you to not only read it carefully, but please
> also inform your community members on the relevant village pump.
>
> Your input is welcome. Please note that voting on this policy is planned
> next week-end during the 21st of June board meeting. So, input is
> welcome NOW.
>
> Thank you
>
> Anthere
>
> THE PAGE: http://meta.wikimedia.org/wiki/Draft_Privacy_Policy_June_2008
>
>
>  
This proposal looks more like an essay full of excess verbiage.  There
is much in there that has absolutely nothing to do with privacy; it may
be valid policy, but it belongs in a different document.

The detailed explanatory portions of the document should not be treated
as policy.  They can be useful, but where they conflict with the actual
policy the policy itself should prevail.

In my view any policy document should be succinct and to the point.

Ec


Re: New draft of privacy policy

Florence Devouard-3
In reply to this post by Jesse (Pathoschild)
Jesse Plamondon-Willard wrote:

> On Sat, Jun 14, 2008 at 4:55 AM, Florence Devouard <[hidden email]> wrote:
>> Your input is welcome. Please note that voting on this policy is planned
>> next week-end during the 21st of June board meeting. So, input is
>> welcome NOW.
>
> While the draft is very good as a supporting explanatory essay, I
> don't think it's written as a policy; it's unnecessarily verbose,
> reads like an essay or opinion piece, makes incorrect assumptions
> (like "everyone can contribute", "history [...] is preserved
> indefinitely", or "you are encouraged but not required to register
> with your real name" (some wikis specifically discourage that due to
> stalking, etc)), significantly addresses non-privacy subjects (like
> community values, copyright, or user access hierarchy), and uses
> redundant section numbering (sections are numbered automatically in
> the table of contents). I think the explanatory material should be
> moved to a separate essay, so that the policy only contains policy.
>
> I've drafted a rewritten policy that addresses these and other
> concerns (such as undue references to en-Wikipedia) at
> <http://meta.wikimedia.org/wiki/Talk:Draft_Privacy_Policy_June_2008#Rewrite>.
> I'd also appreciate input on that rewritten draft.
>

Hello Pathoschild,

I've dropped input on the rewritten draft.
My main concern with it is that it is rewritten in such a way that
* it only addresses privacy issues on the projects themselves (rather
than on all activities related to the projects, e.g. mailing lists, OTRS).
* it totally neglects issues related to special access users (in
particular checkusers etc...)
* it also removes some new decisions recently made by the board (eg,
notification of a user when private data has been released upon legal
request)

I agree that the original document is a bit verbose and could be
simplified in some parts.
I also agree that part of it is "descriptive" rather than "policy".
However, "simplification" should keep all the meat.

I wonder if it would not be possible to separate this document into two
documents.
* One describing the philosophy and the data kept.
* The other being more policy oriented.

OR
Separating more clearly, within the document, points related to "projects"
from points related to other activities (mailing lists, IRC, OTRS etc.)

Ant



Re: New draft of privacy policy

Anthony-73
In reply to this post by Florence Devouard-3
Someone should answer Gregory's question first: "Why do we grant the
equivalent of checkuser rights over a majority of our contributors to
every person on the planet?"

"Historical accident" was the only thing I could come up with.


Re: New draft of privacy policy

geni
2008/6/15 Anthony <[hidden email]>:
> Someone should answer Gregory's question first: "Why do we grant the
> equivalent of checkuser rights over a majority of our contributors to
> every person on the planet?"
>
> "Historical accident" was the only thing I could come up with.

It's hard not to. If we were to, say, assign a random number to every IP,
then by now someone would have published a partial list of number-to-IP
relationships. If the number assignments keep changing, well, we know the
problems that we had with AOL back in the day.



--
geni


Re: New draft of privacy policy

Thomas Dalton
2008/6/15 geni <[hidden email]>:

> 2008/6/15 Anthony <[hidden email]>:
>> Someone should answer Gregory's question first: "Why do we grant the
>> equivalent of checkuser rights over a majority of our contributors to
>> every person on the planet?"
>>
>> "Historical accident" was the only thing I could come up with.
>
> It's hard not to. If we were to, say, assign a random number to every IP,
> then by now someone would have published a partial list of number-to-IP
> relationships. If the number assignments keep changing, well, we know the
> problems that we had with AOL back in the day.

You can do it with a hash. Each hash could be mapped to from multiple
IP addresses, so it's impossible to work out the IP address from the
hash. Of course, you then have the risk of collisions, but that can be
kept fairly small, and isn't the end of the world - we get collisions
anyway when multiple people use one IP address.

That said, I don't have a problem with publishing IP addresses of anon
users - it's made clear to them that that will happen, and they have
the option of registering if they want to keep it hidden. The
risk from having your IP address publicly known is really pretty
minimal (mine is 82.152.59.121 (or 122 if you want my actual computer,
rather than the router, but the router is what's reported to the outside
world) - do with it what you will!!).

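As an added illustration of the keyed-hash approach Thomas describes above (editor-supplied example code, not anything from this thread or from MediaWiki): an HMAC under a server-side key maps an address to a fixed-width identifier, and a birthday estimate shows how the truncation width sets the collision rate he mentions. The key, the sample addresses and all function names are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import math

# Constructed example key. A deployment would generate a random key and keep
# it server-side: the key is what keeps the identifier-to-IP table private.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def opaque_id(ip: str, key: bytes = SECRET_KEY, bits: int = 32) -> str:
    """Map an IP address to a fixed-width hex identifier via a keyed hash.

    A keyed hash (HMAC) is used instead of a plain hash because the IPv4
    space holds only 2**32 addresses: a plain hash could be tabulated for
    every one of them, reproducing exactly the number-to-IP list geni
    worries about. Without the key, that table cannot be built.
    """
    if bits % 4 or not 8 <= bits <= 256:
        raise ValueError("bits must be a multiple of 4 between 8 and 256")
    packed = ipaddress.ip_address(ip).packed            # 4 bytes v4, 16 bytes v6
    digest = hmac.new(key, packed, hashlib.sha256).digest()
    value = int.from_bytes(digest, "big") >> (256 - bits)  # keep the top `bits`
    return format(value, "0{}x".format(bits // 4))


def expected_collision_pairs(n_addresses: int, bits: int) -> float:
    """Birthday estimate of how many pairs of distinct addresses end up
    sharing an identifier when n_addresses are mapped into 2**bits values."""
    return n_addresses * (n_addresses - 1) / 2 / 2 ** bits


def collision_probability(n_addresses: int, bits: int) -> float:
    """Probability that at least one pair collides: 1 - exp(-n(n-1)/2**(bits+1))."""
    return 1.0 - math.exp(-n_addresses * (n_addresses - 1) / 2 ** (bits + 1))


def collision_report(n_addresses: int) -> dict:
    """Identifier width versus expected colliding pairs, for choosing a truncation."""
    return {bits: round(expected_collision_pairs(n_addresses, bits), 3)
            for bits in (32, 48, 64)}


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges).
    for addr in ("203.0.113.5", "203.0.113.6", "2001:db8::1"):
        print(addr, "->", opaque_id(addr))
    print(collision_report(1_000_000))
```

Truncating the HMAC output to 32 bits keeps identifiers as short as an IPv4 address but, for a million distinct addresses, yields roughly 116 colliding pairs; at 64 bits the expected number of collisions is effectively zero, which is the trade-off behind Thomas's "can be kept fairly small".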

Re: New draft of privacy policy

David Gerard-2
2008/6/15 Thomas Dalton <[hidden email]>:
> 2008/6/15 geni <[hidden email]>:
>> 2008/6/15 Anthony <[hidden email]>:

>>> Someone should answer Gregory's question first: "Why do we grant the
>>> equivalent of checkuser rights over a majority of our contributors to
>>> every person on the planet?"
>>> "Historical accident" was the only thing I could come up with.

>> It's hard not to. If we were to, say, assign a random number to every IP,
>> then by now someone would have published a partial list of number-to-IP
>> relationships. If the number assignments keep changing, well, we know the
>> problems that we had with AOL back in the day.

> You can do it with a hash. Each hash could be mapped to from multiple
> IP addresses, so it's impossible to work out the IP address from the
> hash. Of course, you then have the risk of collisions, but that can be
> kept fairly small, and isn't the end of the world - we get collisions
> anyway when multiple people use one IP address.
> That said, I don't have a problem with publishing IP addresses of anon
> users - it's made clear to them that that will happen, and they have
> the option of registering if they want to keep it hidden. The
> risk from having your IP address publicly known is really pretty
> minimal (mine is 82.152.59.121 (or 122 if you want my actual computer,
> rather than the router, but the router is what's reported to the outside
> world) - do with it what you will!!).


It's also entirely unclear how this proposal would actually cause a
better encyclopedia, dictionary, media archive, quote database etc. to
be written. You know, the stuff we're supposed to be here for. Project
first, then community.


- d.


Re: New draft of privacy policy

Anthony-73
In reply to this post by Florence Devouard-3
Something else I think is worth pointing out: "the raw log data is not
made public, and is normally discarded after about two weeks." has
changed to "The raw log data is kept indefinitely, but is not made
public."

I get the impression that this isn't a change in policy, so much as a
change in wording.  But then, it does seem to contradict the Data
Retention Policy
(http://wikimediafoundation.org/wiki/Resolution:Data_Retention_Policy).


Re: New draft of privacy policy

Matthew Brown-5
On Sun, Jun 15, 2008 at 7:54 AM, Anthony <[hidden email]> wrote:
> Something else I think is worth pointing out: "the raw log data is not
> made public, and is normally discarded after about two weeks." has
> changed to "The raw log data is kept indefinitely, but is not made
> public."
>
> I get the impression that this isn't a change in policy, so much as a
> change in wording.  But then, it does seem to contradict the Data
> Retention Policy
> (http://wikimediafoundation.org/wiki/Resolution:Data_Retention_Policy).

Not necessarily a contradiction, given the ambiguity of wording of
both statements.  'Indefinitely' just means "for an undefined period
of time", after all.  It just means that the privacy policy no longer
states any retention period.

-Matt


Re: New draft of privacy policy

Luna-4
Thanks for announcing this on the mailing list, Florence.

Some interesting discussion at
http://meta.wikimedia.org/wiki/Talk:Draft_Privacy_Policy_June_2008 -- in
particular regarding a rewritten (and considerably shorter) draft.

On Sun, Jun 15, 2008 at 2:06 PM, Matthew Brown <[hidden email]> wrote:

> 'Indefinitely' just means "for an undefined period
> of time", after all.  It just means that the privacy policy no longer
> states any retention period.


Not specifically replying to this, but it was a tempting snippet to quote.
Seems easiest to specify the retention period outside of the privacy policy
-- it may be enough to just say it's discarded periodically.

-Luna

Re: New draft of privacy policy

Gregory Maxwell
In reply to this post by David Gerard-2
On Sun, Jun 15, 2008 at 10:31 AM, David Gerard <[hidden email]> wrote:
> It's also entirely unclear how this proposal would actually cause a
> better encyclopedia, dictionary, media archive, quote database etc. to
> be written. You know, the stuff we're supposed to be here for. Project
> first, then community.

By this logic we should grant access to Special:Checkuser to everyone.
No?  Explain.

:)


Re: New draft of privacy policy

Gregory Maxwell
In reply to this post by geni
On Sun, Jun 15, 2008 at 10:15 AM, geni <[hidden email]> wrote:

> 2008/6/15 Anthony <[hidden email]>:
>> Someone should answer Gregory's question first: "Why do we grant the
>> equivalent of checkuser rights over a majority of our contributors to
>> every person on the planet?"
>>
>> "Historical accident" was the only thing I could come up with.
>
> It's hard not to. If we were to, say, assign a random number to every IP,
> then by now someone would have published a partial list of number-to-IP
> relationships.

How?   I can't see how they could do this except by even more limited
means than they can use to currently publish User name->IP
connections.

The only means I can see someone connecting an opaque ID with an IP is:

1. Actually editing from that IP and recording the result.
2. Tricking a user on that IP into following an external link.
3. Checkuser
4. Compromise of the foundation servers.

...

All of those are a much higher hurdle than the casual leaks users
perform on their own all the time.  For example, today, just minutes
after complaining about it I was somehow logged out on meta and
managed to accidentally disclose my IP.   It's a constant problem.

We could also do block encryption of partial addresses: encrypt
the first 24 bits, then the whole 32 bits. This would leak a lot more
information, but it would preserve the ability for everyone to quickly
tell if two unregistered users are on the same /24.

> If the number assignments keep changing, well, we know the
> problems that we had with AOL back in the day.

I don't see a huge need to make the numbers change, but we could
address this if we wanted to.

We could provide a two-part identifier for unregistered users:

Enc(Secret[n-1], IP), Enc(Secret[n], IP) and increment n every 3
months, so if a particular IP goes 6 months between edits the
connection will be broken. Given the rate of IP reassignment on the
internet, doing this would be reasonable, but I don't see why it would
be necessary.

For example, on day one an unregistered user would look like

User:.AY3BXQM,B4WVJAM

Three months later:

User:.B4WVJAM,W93GI2A

Three months later:

User:.W93GI2A,CT7WLMA

If the user didn't make the middle edit the unregistered identities
would become disconnected except for checkusers. ::shrugs:: As I said,
I don't see the need of anything that complex.


Re: New draft of privacy policy

David Gerard-2
In reply to this post by Gregory Maxwell
2008/6/15 Gregory Maxwell <[hidden email]>:
> On Sun, Jun 15, 2008 at 10:31 AM, David Gerard <[hidden email]> wrote:

>> It's also entirely unclear how this proposal would actually cause a
>> better encyclopedia, dictionary, media archive, quote database etc. to
>> be written. You know, the stuff we're supposed to be here for. Project
>> first, then community.

> By this logic we should grant access to Special:Checkuser to everyone.
> No?  Explain.


You originally claimed something was in need of fixing; support it.


- d.


Re: New draft of privacy policy

Gregory Maxwell
On Sun, Jun 15, 2008 at 6:55 PM, David Gerard <[hidden email]> wrote:

> 2008/6/15 Gregory Maxwell <[hidden email]>:
>> On Sun, Jun 15, 2008 at 10:31 AM, David Gerard <[hidden email]> wrote:
>>> It's also entirely unclear how this proposal would actually cause a
>>> better encyclopedia, dictionary, media archive, quote database etc. to
>>> be written. You know, the stuff we're supposed to be here for. Project
>>> first, then community.
>
>> By this logic we should grant access to Special:Checkuser to everyone.
>> No?  Explain.
>
> You originally claimed something was in need of fixing; support it.

I only asked why we give the equivalent checkuser on half our users to
the general public.   So far only Anthony has provided a reasonable
explanation. To make you happy I'll go ahead and make an argument for
fixing something:

I don't see any logical cause for the inconsistency in how we treat
registered and unregistered users. There is no particular reason it
has to be this way, it seems to be historical accident as Anthony
suggested. Instead we could publish the IPs of all edits, we could use
opaque identifiers for anons, or we could completely disallow
anonymous editing.  All of these would be consistent solutions.

The current inconsistent situation generates a lot of problems:
Careful COI pushers are rewarded for being smart enough to log in
while at the same time normal users are harmed by accidentally getting
logged out and having their IP surprisingly leaked.

The edit histories of our articles are frequently sliced and diced to
hide the IPs of established contributors and this sometimes makes the
article history misleading. For example, see my edits on meta today (I
swear I didn't do that intentionally to make a point, I have no clue
how I ended up logged out) ... my IP edits couldn't be hidden without
making the history misleading due to the timing of Cimon's edits.  ...
and the service of IP edit oversighting is generally only available to
the Wiki(p|m)edia elite, if for no other reason than few others know
it is available.

Unregistered users account for roughly half of the contributors on at
least one of the largest projects (EnWP).  They make many valid and
useful contributions (along with a bunch of junk...).  We often
mislead them about their privacy by calling their contributions
"anonymous" when they are far less anonymous than the edits made by
many registered users.   Checkuser is by far one of the most highly
regulated activities on all the projects. We keep a very tight fist
over it. Yet, its equivalent is given freely over an enormous subset
of the contributors.  This smacks of favoritism.

I think our behavior should probably be changed to remove the
inconsistency. By removing the inconsistency we will prevent
unpleasant surprises. I think the ability to *know* and *understand*
the privacy posture you have when editing Wikipedia is more important
than what the posture is, so I don't care which path to consistency is
taken.

I would presume that of the three I suggested most users would prefer
replacing IPs with unique identifiers.  The primary harm this path
would cause is an increase in need for checkusers.

If need be, the increased need for checkusers could be addressed by
creating a lower class of checkusers who only have the ability to view
the (previously public) information related to unregistered users.
Such a solution would preserve an inconsistency but I believe it would
be strictly more consistent than the current behavior.


Re: New draft of privacy policy

Jesse (Pathoschild)
In reply to this post by Florence Devouard-3
Florence Devouard <[hidden email]> wrote:
> * it also removes some new decisions recently made by the board (eg,
> notification of a user when private data has been released upon legal
> request)

The text about notification is present under ==Access to and
publication of information==: "In the event of such a legally
compulsory request, the Foundation will attempt to notify the affected
user [...]." I think the other points are already fixed in the draft
FT2 and I worked on (see the talk page).

--
Yours cordially,
Jesse Plamondon-Willard (Pathoschild)


Re: New draft of privacy policy

John Mark Vandenberg
In reply to this post by Gregory Maxwell
On Mon, Jun 16, 2008 at 9:20 AM, Gregory Maxwell <[hidden email]> wrote:

> On Sun, Jun 15, 2008 at 6:55 PM, David Gerard <[hidden email]> wrote:
>> 2008/6/15 Gregory Maxwell <[hidden email]>:
>>> On Sun, Jun 15, 2008 at 10:31 AM, David Gerard <[hidden email]> wrote:
>>>> It's also entirely unclear how this proposal would actually cause a
>>>> better encyclopedia, dictionary, media archive, quote database etc. to
>>>> be written. You know, the stuff we're supposed to be here for. Project
>>>> first, then community.
>>
>>> By this logic we should grant access to Special:Checkuser to everyone.
>>> No?  Explain.
>>
>> You originally claimed something was in need of fixing; support it.
>
> I only asked why we give the equivalent checkuser on half our users to
> the general public.   So far only Anthony has provided a reasonable
> explanation.

There is a much more obvious answer: nobody has written the code to do
otherwise.  An IP is a fixed size which helps with storage, and the
properties of IP numbering and re-use are well-known, allowing people
to roughly guess when it is a different person on the same IP.

Any change to mediawiki to remove or obscure IPs needs to also give a
similar ability back to editors; we are human and we like to know how
many editors we are working with, even more so when editing behaviour
is suspicious.

> To make you happy I'll go ahead and make an argument for
> fixing something:
>
> I don't see any logical cause for the inconsistency in how we treat
> registered and unregistered users. There is no particular reason it
> has to be this way, it seems to be historical accident as Anthony
> suggested. Instead we could publish the IPs of all edits, we could use
> opaque identifiers for anons, or we could completely disallow
> anonymous editing.  All of these would be consistent solutions.

It is very strange that we call IP edits "anonymous" yet they are
often more revealing than edits made when logged in.

> The current inconsistent situation generates a lot of problems:
> Careful COI pushers are rewarded for being smart enough to log in
> while at the same time normal users are harmed by accidentally getting
> logged out and having their IP surprisingly leaked.
>
> The edit histories of our articles are frequently sliced and diced to
> hide the IPs of established contributors and this sometimes makes the
> article history misleading. For example, see my edits on meta today (I
> swear I didn't do that intentionally to make a point, I have no clue
> how I ended up logged out) ... my IP edits couldn't be hidden without
> making the history misleading due to the timing of Cimon's edits.  ...
> and the service of IP edit oversighting is generally only available to
> the Wiki(p|m)edia elite, if for no other reason than few others know
> it is available.

The oversight tool desperately needs finer granularity.  If the IP is
the element that needs to be hidden, it shouldn't be necessary to
pretend that the edit didn't happen.  Anyone know when the new
oversight tool is going to land?

https://bugzilla.wikimedia.org/show_bug.cgi?id=3576

Also, many people are not aware that oversight needs to be done before
the next dump in order to be useful.  I often see admins removing six
months old IP talk contribs, for privacy reasons, and are a bit
surprised and annoyed when I show them the dumps.

> Unregistered users account for roughly half of the contributors on at
> least one of the largest projects (EnWP).  They make many valid and
> useful contributions (along with a bunch of junk...).  We often
> mislead them about their privacy by calling their contributions
> "anonymous" when they are far less anonymous than the edits made by
> many registered users.   Checkuser is by far one of the most highly
> regulated activities on all the projects. We keep a very tight fist
> over it. Yet, its equivalent is given freely over an enormous subset
> of the contributors.  This smacks of favoritism.
>
> I think our behavior should probably be changed to remove the
> inconsistency. By removing the inconsistency we will prevent
> unpleasant surprises. I think the ability to *know* and *understand*
> the privacy posture you have when editing Wikipedia is more important
> than what the posture is, so I don't care which path to consistency is
> taken.
>
> I would presume that of the three I suggested most users would prefer
> replacing IPs with unique identifiers.  The primary harm this path
> would cause is an increase in need for checkusers.

Rather than adding a layer on top of IP to hide the IP, it would be
less revealing to automatically assign each new IP session with a
cookie-managed identifier, i.e. "Guest1234" (or a long random string
that does not repeat, such as a GUID) and then allow the user to
rename this "guest account" when they finally learn how to.  Also when
a user has accidentally logged out, when they log back in from a guest
account to their main account, the system could allow the user to
merge those guest edits into their main account.

--
John

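An added sketch of the cookie-managed guest identity John proposes above (editor-supplied example code, not code from this thread or from MediaWiki): a random UUID is issued per browser session, carried in a signed cookie, and can later be renamed or merged into a registered account. The signing key, the token layout, the EditStore class and its method names are constructed for the example. The HMAC tag is there because re-crediting edits on the strength of a cookie is only safe if the cookie cannot be forged to name some other visitor's guest identity.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Constructed signing key; in a deployment it is a server-side secret.
COOKIE_KEY = b"constructed-cookie-signing-key"


def _tag(guest_id: str) -> str:
    return hmac.new(COOKIE_KEY, guest_id.encode(), hashlib.sha256).hexdigest()[:32]


def new_guest_token() -> str:
    """Issue a fresh guest identity for a session: a random UUID (nothing is
    derived from the IP address) plus an HMAC tag binding it to this server."""
    guest_id = uuid.uuid4().hex
    return guest_id + "." + _tag(guest_id)


def verify_guest_token(token: str) -> Optional[str]:
    """Return the guest_id carried by a valid token, or None if it was tampered with."""
    guest_id, sep, tag = token.partition(".")
    if not sep or len(guest_id) != 32:
        return None
    return guest_id if hmac.compare_digest(tag, _tag(guest_id)) else None


@dataclass
class EditStore:
    """In-memory stand-in for a revision table: who is credited with which edit.
    Owners are stored as "guest:<uuid>" or "user:<account>"."""
    edits: list = field(default_factory=list)
    display_names: dict = field(default_factory=dict)   # guest_id -> nickname

    def _guest(self, token: str) -> str:
        guest_id = verify_guest_token(token)
        if guest_id is None:
            raise PermissionError("invalid or forged guest token")
        return guest_id

    def record_edit(self, token: str, summary: str) -> int:
        guest_id = self._guest(token)
        rev = len(self.edits) + 1
        self.edits.append({"rev": rev, "owner": "guest:" + guest_id, "summary": summary})
        return rev

    def credited_to(self, rev: int) -> str:
        """Display name shown in history: the account, the chosen nickname, or a
        "Guest-..." label derived from the random id (never from the IP)."""
        kind, _, name = self.edits[rev - 1]["owner"].partition(":")
        if kind == "user":
            return name
        return self.display_names.get(name, "Guest-" + name[:8])

    def rename_guest(self, token: str, nickname: str) -> int:
        """Let the guest pick a name; returns how many edits now show it."""
        guest_id = self._guest(token)
        self.display_names[guest_id] = nickname
        return sum(e["owner"] == "guest:" + guest_id for e in self.edits)

    def merge_into_account(self, token: str, account: str) -> int:
        """Re-credit a guest's edits to an account after the editor logs back in.
        The caller must present the guest cookie, proving the session was theirs;
        naming an account is not enough on its own. Returns the number merged."""
        guest_id = self._guest(token)
        merged = 0
        for e in self.edits:
            if e["owner"] == "guest:" + guest_id:
                e["owner"] = "user:" + account
                merged += 1
        return merged
```

Because the identifier is random rather than a function of the address, two visitors behind one IP get two guest identities and one visitor on a changing IP keeps one, as long as the cookie survives; that is the property John contrasts with layering a transform on top of the IP.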

Re: New draft of privacy policy

Mike Godwin-3
In reply to this post by Florence Devouard-3

Pathoschild writes:

> While the draft is very good as a supporting explanatory essay, I
> don't think it's written as a policy; it's unnecessarily verbose,
> reads like an essay or opinion piece, makes incorrect assumptions
> (like "everyone can contribute", "history [...] is preserved
> indefinitely", or "you are encouraged but not required to register
> with your real name" (some wikis specifically discourage that due to
> stalking, etc)), significantly addresses non-privacy subjects (like
> community values, copyright, or user access hierarchy), and uses
> redundant section numbering (sections are numbered automatically in
> the table of contents). I think the explanatory material should be
> moved to a separate essay, so that the policy only contains policy.

Thank you for the nice long sentence commenting on the unnecessary  
verbosity of the draft!  :)

I think it's good that people feel invested in improving the draft,  
which represents an attempt to explain a lot of stuff that is pretty  
much unexplained to non-technical users in the current draft, in my  
view.

Without commenting in detail on all proposed criticisms, let me  
express two small preferences.

First, I think an articulation of privacy principles (perhaps more  
than one) is absolutely necessary for a good policy.   The current  
privacy policy doesn't explain what the organization's *values* are,  
and I think all policies should be informed by values that are clearly  
stated and understood.  That is something I take to be essential,  
speaking as a constitutional lawyer.

Second, and this is less important but still non-trivial -- I  
understand the preference in our circles for framing documents as  
hypertext/html/linked text, etc.  I think this actually makes the  
exposition of documents and policies *less* accessible because you see  
chunks rather than a comprehensive explanation that takes you from  
beginning to end.

I'll note that the existing policy -- not the draft -- is not
hypertextual to any great degree. It's essentially the opposite of an
essay, because the ideas don't build easily on what goes before.
There are structural benefits to non-hypertextual documents, such as,
for example, The Universal Declaration of Human Rights, adopted by the
United Nations in 1948. (See <http://www.un.org/Overview/rights.html>.)
You'll notice that the United Nations was not shy about
articulating rights guarantees in terms of general principles,
although it had less to say about turning over IP addresses to the
government and/or data retention and/or anonymity.

Finally, I think it's important to remember that we were attempting to
systematize the rights in the existing WMF policy, which can be found
here:

<http://wikimediafoundation.org/w/index.php?title=Privacy_policy&oldid=14088>.
The outcome was longer, I agree, but we were aiming for something
more holistic and accessible to the non-technical reader, in the  
expectation that, in the future, more non-technical readers will be  
trying to digest our systematic privacy policies and philosophy.  At  
the same time, we wanted to explain the provisions that were already  
included in the existing policy. Maybe that was asking too much, but I  
hope our goals were clear.  (By the same token, I also think all  
calculus books are three or four times too long, but that's a subject  
for another day.)

I hope this note explains a bit how we were thinking when we developed
the current draft. I'll probably refrain from commenting further in this
thread, in order to encourage the freest possible discussion.


--Mike

Re: New draft of privacy policy

Gregory Maxwell
In reply to this post by John Mark Vandenberg
On Mon, Jun 16, 2008 at 1:21 AM, John Vandenberg <[hidden email]> wrote:
> There is a much more obvious answer: nobody has written the code to do
> otherwise.  An IP is a fixed size which helps with storage, and the
> properties of IP numbering and re-use are well-known, allowing people
> to roughly guess when it is a different person on the same IP.
>
> Any change to mediawiki to remove or obscure IPs needs to also give a
> similar ability back to editors; we are human and we like to know how
> many editors we are working with, even more so when editing behaviour
> is suspicious.

It would be nearly trivial to feed the IP through a 32bit block
cipher, convert that to base 36 (or just an integer), and use that as
the user_text.  I'm pretty confident that a reasonably clean solution
wouldn't be hard.  ::shrugs::   But does anyone anywhere want that
behavior in mediawiki?

> It is very strange that we call IP edits "anonymous" yet they are
> often more revealing than edits made when logged in.

Indeed.

> The oversight tool desperately needs finer granularity.  If the IP is
> the element that needs to be hidden, it shouldn't be necessary to
> pretend that the edit didn't happen.  Anyone know when the new
> oversight tool is going to land?
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=3576

Note my comment at the bottom of that ticket. :)

> Also, many people are not aware that oversight needs to be done before
> the next dump in order to be useful.  I often see admins removing six
> months old IP talk contribs, for privacy reasons, and are a bit
> surprised and annoyed when I show them the dumps.

People are also surprised when deletion fails to successfully hide information.

Considering how trivial it is to run a script that saves every change
as it is made... all we can really hope to do is minimize the bleeding.

> Rather than adding a layer on top of IP to hide the IP, it would be
> less revealing to automatically assign each new IP session with a
> cookie managed identifier, i.e. "Guest1234" (or a long random string
> that does not repeat, such as a GUID) and then allow the user to
> rename this "guest account" when they finally learn how to.  Also when
> a user has accidentally logged out, when they log back in from a guest
> account to their main account, the system could allow the user to
> merge those guest edits into their main account.

It would be less revealing but it would greatly amplify the ability to
hide because it would be far more anonymous.  Depending on the
implementation it could be used as a force multiplier with a single
user on a single IP churning out dozens of guest ids by flushing their
cookies.

Obscuring the IP would convert the IPs into effective pseudonymous
names, similar to real account names. The above would create something
much closer to actual anonymous edits.  I doubt most Wikimedia Wikis
would support a proposal like that. (though, personally, I suspect
life would go on if it were done).

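
The "IP through a 32-bit block cipher, then base 36" idea from Gregory's message above, as an added example that is not part of the thread or of MediaWiki: a keyed 4-round Feistel network is a bijection on 32-bit values, so the same IPv4 address always yields the same pseudonym (editors can still count distinct contributors) while only holders of the key can map a pseudonym back to an address. The key and the 192.0.2.x addresses are constructed sample values.

```python
import hmac
import hashlib
import ipaddress

ROUNDS = 4
MASK16 = 0xFFFF
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def _round_function(key: bytes, round_no: int, half: int) -> int:
    """Keyed PRF on a 16-bit half-block: HMAC-SHA256 truncated to 16 bits."""
    msg = bytes([round_no]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")


def encrypt32(key: bytes, block: int) -> int:
    """Balanced Feistel network: a keyed permutation of the 32-bit space."""
    left, right = block >> 16, block & MASK16
    for r in range(ROUNDS):
        left, right = right, left ^ _round_function(key, r, right)
    return (left << 16) | right


def decrypt32(key: bytes, block: int) -> int:
    """Inverse of encrypt32: run the rounds backwards with the same key."""
    left, right = block >> 16, block & MASK16
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, r, left), left
    return (left << 16) | right


def to_base36(n: int) -> str:
    """Render a 32-bit value as at most 7 lowercase base-36 characters."""
    digits = []
    while n:
        n, rem = divmod(n, 36)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits)) or "0"


def pseudonymize_ipv4(key: bytes, ip: str) -> str:
    """Stable pseudonym usable as user_text; the key must stay secret,
    since anyone holding it can tabulate all 2**32 addresses."""
    return to_base36(encrypt32(key, int(ipaddress.IPv4Address(ip))))


def recover_ipv4(key: bytes, token: str) -> str:
    """What a privileged (checkuser-style) role with the key could do."""
    return str(ipaddress.IPv4Address(decrypt32(key, int(token, 36))))
```

This yields pseudonymous rather than anonymous edits, which is the distinction Gregory draws at the end of his message: the mapping is one-to-one per key, and the cookie-based "Guest1234" scheme has no such property.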

Re: New draft of privacy policy

Gerard Meijssen-3
In reply to this post by Gregory Maxwell
Hoi,
This is becoming a nice game of silly buggers. I will bite anyway.

One reason why we should not grant access to Special:Checkuser to everyone
is because it would have all kinds of really nasty side effects. For one it
would make the life of stalkers that much easier. Giving stalkers the use of
this tool would effectively harm first the community and because of the
implications it would then harm the project.

Thanks,
      GerardM

On Mon, Jun 16, 2008 at 12:23 AM, Gregory Maxwell <[hidden email]>
wrote:

> On Sun, Jun 15, 2008 at 10:31 AM, David Gerard <[hidden email]> wrote:
> > It's also entirely unclear how this proposal would actually cause a
> > better encyclopedia, dictionary, media archive, quote database etc. to
> > be written. You know, the stuff we're supposed to be here for. Project
> > first, then community.
>
> By this logic we should grant access to Special:Checkuser to everyone.
> No?  Explain.
>
> :)