[Wikimedia-l] CheckUser openness

classic Classic list List threaded Threaded
43 messages Options
123
Reply | Threaded
Open this post in threaded view
|

[Wikimedia-l] CheckUser openness

John Doe-27
This is something that has been bugging me for a while. When a user has
been checkusered they should at least be notified of who preformed it and
why it was preformed. I know this is not viable for every single CU action
as many are for anons. But for those users who have been around for a
period, (say autoconfirmed) they should be notified when they are CU'ed and
any user should be able to request the CU logs pertaining to themselves
(who CU'ed them, when, and why) at will. I have seen CU's refuse to provide
information to the accused.

See the Rich Farmbrough ArbCom case where I suspect obvious fishing, where
the CU'ed user was requesting information and the CU claimed it would be a
violation of the privacy policy to release the time/reason/performer of the
checkuser.

This screams of obfuscation and the hiding of information. I know the
ombudsman committee exists as a check and balance, however before something
can be passed to them evidence of inappropriate action is needed. Ergo
Catch-22

I know checkusers  keep a private wiki
https://checkuser.wikimedia.org/wiki/Main_Page and I know according to our
privacy policy we are supposed to purge our information regularly (on wiki
CU logs exist for 90 days) however who oversees the regular removal of
private information on the wiki?

My proposal would be for all users who are at least auto confirmed to be
notified and be able to request all CU logs regarding themselves at any
point, and any mentions of themselves on the CU wiki should be retrievable.

John
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Risker
On 13 June 2012 19:18, John <[hidden email]> wrote:

> This is something that has been bugging me for a while. When a user has
> been checkusered they should at least be notified of who preformed it and
> why it was preformed. I know this is not viable for every single CU action
> as many are for anons. But for those users who have been around for a
> period, (say autoconfirmed) they should be notified when they are CU'ed and
> any user should be able to request the CU logs pertaining to themselves
> (who CU'ed them, when, and why) at will. I have seen CU's refuse to provide
> information to the accused.
>
> See the Rich Farmbrough ArbCom case where I suspect obvious fishing, where
> the CU'ed user was requesting information and the CU claimed it would be a
> violation of the privacy policy to release the time/reason/performer of the
> checkuser.
>
> This screams of obfuscation and the hiding of information. I know the
> ombudsman committee exists as a check and balance, however before something
> can be passed to them evidence of inappropriate action is needed. Ergo
> Catch-22
>
> I know checkusers  keep a private wiki
> https://checkuser.wikimedia.org/wiki/Main_Page and I know according to our
> privacy policy we are supposed to purge our information regularly (on wiki
> CU logs exist for 90 days) however who oversees the regular removal of
> private information on the wiki?
>
> My proposal would be for all users who are at least auto confirmed to be
> notified and be able to request all CU logs regarding themselves at any
> point, and any mentions of themselves on the CU wiki should be retrievable.
>
>
>
Perhaps some full disclosure should be made here John.  You are a checkuser
yourself, have access to the checkuser-L mailing list and the checkuser
wiki, helped to set up the Audit Subcommittee on the English Wikipedia
(which carries out reviews of checkuser/oversighter actions on request);
you are also a member of the English Wikipedia functionaries mailing list
because you are a former arbitrator, a checkuser and an oversighter on
enwp. (so have access there to express your concerns or suggest changes in
standards),   It seems you are complaining about a specific case, and
instead of talking things out about this specific case, you've decided to
propose an entirely different checkusering standard.  I'll point out  in
passing that half of the spambots blocked in recent weeks by checkusers
were autoconfirmed on one or more projects, and even obvious vandals can
hit the autoconfirmed threshold easily on most projects.

Full disclosure on my part: I am also an Enwp checkuser and a member of the
Arbitration Committee.

Risker
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

John Doe-27
I am not a checkuser, I do not have access to checkuser-l, the CU wiki, or
any other private information. This goes far beyond the one case, I was
just using it as a recent example

On Wed, Jun 13, 2012 at 7:34 PM, Risker <[hidden email]> wrote:

> On 13 June 2012 19:18, John <[hidden email]> wrote:
>
> > This is something that has been bugging me for a while. When a user has
> > been checkusered they should at least be notified of who preformed it and
> > why it was preformed. I know this is not viable for every single CU
> action
> > as many are for anons. But for those users who have been around for a
> > period, (say autoconfirmed) they should be notified when they are CU'ed
> and
> > any user should be able to request the CU logs pertaining to themselves
> > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
> provide
> > information to the accused.
> >
> > See the Rich Farmbrough ArbCom case where I suspect obvious fishing,
> where
> > the CU'ed user was requesting information and the CU claimed it would be
> a
> > violation of the privacy policy to release the time/reason/performer of
> the
> > checkuser.
> >
> > This screams of obfuscation and the hiding of information. I know the
> > ombudsman committee exists as a check and balance, however before
> something
> > can be passed to them evidence of inappropriate action is needed. Ergo
> > Catch-22
> >
> > I know checkusers  keep a private wiki
> > https://checkuser.wikimedia.org/wiki/Main_Page and I know according to
> our
> > privacy policy we are supposed to purge our information regularly (on
> wiki
> > CU logs exist for 90 days) however who oversees the regular removal of
> > private information on the wiki?
> >
> > My proposal would be for all users who are at least auto confirmed to be
> > notified and be able to request all CU logs regarding themselves at any
> > point, and any mentions of themselves on the CU wiki should be
> retrievable.
> >
> >
> >
> Perhaps some full disclosure should be made here John.  You are a checkuser
> yourself, have access to the checkuser-L mailing list and the checkuser
> wiki, helped to set up the Audit Subcommittee on the English Wikipedia
> (which carries out reviews of checkuser/oversighter actions on request);
> you are also a member of the English Wikipedia functionaries mailing list
> because you are a former arbitrator, a checkuser and an oversighter on
> enwp. (so have access there to express your concerns or suggest changes in
> standards),   It seems you are complaining about a specific case, and
> instead of talking things out about this specific case, you've decided to
> propose an entirely different checkusering standard.  I'll point out  in
> passing that half of the spambots blocked in recent weeks by checkusers
> were autoconfirmed on one or more projects, and even obvious vandals can
> hit the autoconfirmed threshold easily on most projects.
>
> Full disclosure on my part: I am also an Enwp checkuser and a member of the
> Arbitration Committee.
>
> Risker
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Risker
My apologies to you John - and also to John Vandenberg, whose name popped
up when I cursored over this.

Please do consider expressing a concern to the Audit Subcommittee with
respect to this case, or alternately to the Ombudsman.

Risker

On 13 June 2012 19:37, John <[hidden email]> wrote:

> I am not a checkuser, I do not have access to checkuser-l, the CU wiki, or
> any other private information. This goes far beyond the one case, I was
> just using it as a recent example
>
> On Wed, Jun 13, 2012 at 7:34 PM, Risker <[hidden email]> wrote:
>
> > On 13 June 2012 19:18, John <[hidden email]> wrote:
> >
> > > This is something that has been bugging me for a while. When a user has
> > > been checkusered they should at least be notified of who preformed it
> and
> > > why it was preformed. I know this is not viable for every single CU
> > action
> > > as many are for anons. But for those users who have been around for a
> > > period, (say autoconfirmed) they should be notified when they are CU'ed
> > and
> > > any user should be able to request the CU logs pertaining to themselves
> > > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
> > provide
> > > information to the accused.
> > >
> > > See the Rich Farmbrough ArbCom case where I suspect obvious fishing,
> > where
> > > the CU'ed user was requesting information and the CU claimed it would
> be
> > a
> > > violation of the privacy policy to release the time/reason/performer of
> > the
> > > checkuser.
> > >
> > > This screams of obfuscation and the hiding of information. I know the
> > > ombudsman committee exists as a check and balance, however before
> > something
> > > can be passed to them evidence of inappropriate action is needed. Ergo
> > > Catch-22
> > >
> > > I know checkusers  keep a private wiki
> > > https://checkuser.wikimedia.org/wiki/Main_Page and I know according to
> > our
> > > privacy policy we are supposed to purge our information regularly (on
> > wiki
> > > CU logs exist for 90 days) however who oversees the regular removal of
> > > private information on the wiki?
> > >
> > > My proposal would be for all users who are at least auto confirmed to
> be
> > > notified and be able to request all CU logs regarding themselves at any
> > > point, and any mentions of themselves on the CU wiki should be
> > retrievable.
> > >
> > >
> > >
> > Perhaps some full disclosure should be made here John.  You are a
> checkuser
> > yourself, have access to the checkuser-L mailing list and the checkuser
> > wiki, helped to set up the Audit Subcommittee on the English Wikipedia
> > (which carries out reviews of checkuser/oversighter actions on request);
> > you are also a member of the English Wikipedia functionaries mailing list
> > because you are a former arbitrator, a checkuser and an oversighter on
> > enwp. (so have access there to express your concerns or suggest changes
> in
> > standards),   It seems you are complaining about a specific case, and
> > instead of talking things out about this specific case, you've decided to
> > propose an entirely different checkusering standard.  I'll point out  in
> > passing that half of the spambots blocked in recent weeks by checkusers
> > were autoconfirmed on one or more projects, and even obvious vandals can
> > hit the autoconfirmed threshold easily on most projects.
> >
> > Full disclosure on my part: I am also an Enwp checkuser and a member of
> the
> > Arbitration Committee.
> >
> > Risker
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> >
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

John Doe-27
In reply to this post by John Doe-27
PS I am not a former arb, do not have access to functionaries mailing list,
I do not have access nor have ever had access to any of the above including
Oversight. I was just throwing out autoconfirmed as a line in the sand, we
can adjust the line so that normal users can be notified while excluding
spambots. One point could be say 50 edits and at least a month old account?
The nature and required secrecy for such a open project is scary in this
regards.

John

On Wed, Jun 13, 2012 at 7:37 PM, John <[hidden email]> wrote:

> I am not a checkuser, I do not have access to checkuser-l, the CU wiki, or
> any other private information. This goes far beyond the one case, I was
> just using it as a recent example
>
>
> On Wed, Jun 13, 2012 at 7:34 PM, Risker <[hidden email]> wrote:
>
>> On 13 June 2012 19:18, John <[hidden email]> wrote:
>>
>> > This is something that has been bugging me for a while. When a user has
>> > been checkusered they should at least be notified of who preformed it
>> and
>> > why it was preformed. I know this is not viable for every single CU
>> action
>> > as many are for anons. But for those users who have been around for a
>> > period, (say autoconfirmed) they should be notified when they are CU'ed
>> and
>> > any user should be able to request the CU logs pertaining to themselves
>> > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
>> provide
>> > information to the accused.
>> >
>> > See the Rich Farmbrough ArbCom case where I suspect obvious fishing,
>> where
>> > the CU'ed user was requesting information and the CU claimed it would
>> be a
>> > violation of the privacy policy to release the time/reason/performer of
>> the
>> > checkuser.
>> >
>> > This screams of obfuscation and the hiding of information. I know the
>> > ombudsman committee exists as a check and balance, however before
>> something
>> > can be passed to them evidence of inappropriate action is needed. Ergo
>> > Catch-22
>> >
>> > I know checkusers  keep a private wiki
>> > https://checkuser.wikimedia.org/wiki/Main_Page and I know according to
>> our
>> > privacy policy we are supposed to purge our information regularly (on
>> wiki
>> > CU logs exist for 90 days) however who oversees the regular removal of
>> > private information on the wiki?
>> >
>> > My proposal would be for all users who are at least auto confirmed to be
>> > notified and be able to request all CU logs regarding themselves at any
>> > point, and any mentions of themselves on the CU wiki should be
>> retrievable.
>> >
>> >
>> >
>> Perhaps some full disclosure should be made here John.  You are a
>> checkuser
>> yourself, have access to the checkuser-L mailing list and the checkuser
>> wiki, helped to set up the Audit Subcommittee on the English Wikipedia
>> (which carries out reviews of checkuser/oversighter actions on request);
>> you are also a member of the English Wikipedia functionaries mailing list
>> because you are a former arbitrator, a checkuser and an oversighter on
>> enwp. (so have access there to express your concerns or suggest changes in
>> standards),   It seems you are complaining about a specific case, and
>> instead of talking things out about this specific case, you've decided to
>> propose an entirely different checkusering standard.  I'll point out  in
>> passing that half of the spambots blocked in recent weeks by checkusers
>> were autoconfirmed on one or more projects, and even obvious vandals can
>> hit the autoconfirmed threshold easily on most projects.
>>
>> Full disclosure on my part: I am also an Enwp checkuser and a member of
>> the
>> Arbitration Committee.
>>
>> Risker
>> _______________________________________________
>> Wikimedia-l mailing list
>> [hidden email]
>> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>>
>
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

metasj
On Wed, Jun 13, 2012 at 7:42 PM, John <[hidden email]> wrote:
> PS I am not a former arb, do not have access to functionaries mailing list,
> I do not have access nor have ever had access to any of the above including
> Oversight. I was just throwing out autoconfirmed as a line in the sand, we
> can adjust the line so that normal users can be notified while excluding
> spambots. One point could be say 50 edits and at least a month old account?

Using a similarly arbitrary high threshhold: how often are checks -
order of magnitude - made on users who are eligible to vote in arbcom
elections?

SJ

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Nathan Awrich
On Wed, Jun 13, 2012 at 8:34 PM, Samuel Klein <[hidden email]> wrote:

> On Wed, Jun 13, 2012 at 7:42 PM, John <[hidden email]> wrote:
> > PS I am not a former arb, do not have access to functionaries mailing
> list,
> > I do not have access nor have ever had access to any of the above
> including
> > Oversight. I was just throwing out autoconfirmed as a line in the sand,
> we
> > can adjust the line so that normal users can be notified while excluding
> > spambots. One point could be say 50 edits and at least a month old
> account?
>
> Using a similarly arbitrary high threshhold: how often are checks -
> order of magnitude - made on users who are eligible to vote in arbcom
> elections?
>
> SJ
>

At least every day, there are 5 or 6 who qualify by edit count waiting for
CU on SPI right now.

~Nathan
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Thomas Dalton
In reply to this post by Risker
Why shouldn't spambots and vandals be notified? Just have the software
automatically email anyone that is CUed. Then the threshold is simply
whether you have an email address attached to your account or not.

This seems like a good idea. People have a right to know what is being done
with their data.
On Jun 14, 2012 12:35 AM, "Risker" <[hidden email]> wrote:

> On 13 June 2012 19:18, John <[hidden email]> wrote:
>
> > This is something that has been bugging me for a while. When a user has
> > been checkusered they should at least be notified of who preformed it and
> > why it was preformed. I know this is not viable for every single CU
> action
> > as many are for anons. But for those users who have been around for a
> > period, (say autoconfirmed) they should be notified when they are CU'ed
> and
> > any user should be able to request the CU logs pertaining to themselves
> > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
> provide
> > information to the accused.
> >
> > See the Rich Farmbrough ArbCom case where I suspect obvious fishing,
> where
> > the CU'ed user was requesting information and the CU claimed it would be
> a
> > violation of the privacy policy to release the time/reason/performer of
> the
> > checkuser.
> >
> > This screams of obfuscation and the hiding of information. I know the
> > ombudsman committee exists as a check and balance, however before
> something
> > can be passed to them evidence of inappropriate action is needed. Ergo
> > Catch-22
> >
> > I know checkusers  keep a private wiki
> > https://checkuser.wikimedia.org/wiki/Main_Page and I know according to
> our
> > privacy policy we are supposed to purge our information regularly (on
> wiki
> > CU logs exist for 90 days) however who oversees the regular removal of
> > private information on the wiki?
> >
> > My proposal would be for all users who are at least auto confirmed to be
> > notified and be able to request all CU logs regarding themselves at any
> > point, and any mentions of themselves on the CU wiki should be
> retrievable.
> >
> >
> >
> Perhaps some full disclosure should be made here John.  You are a checkuser
> yourself, have access to the checkuser-L mailing list and the checkuser
> wiki, helped to set up the Audit Subcommittee on the English Wikipedia
> (which carries out reviews of checkuser/oversighter actions on request);
> you are also a member of the English Wikipedia functionaries mailing list
> because you are a former arbitrator, a checkuser and an oversighter on
> enwp. (so have access there to express your concerns or suggest changes in
> standards),   It seems you are complaining about a specific case, and
> instead of talking things out about this specific case, you've decided to
> propose an entirely different checkusering standard.  I'll point out  in
> passing that half of the spambots blocked in recent weeks by checkusers
> were autoconfirmed on one or more projects, and even obvious vandals can
> hit the autoconfirmed threshold easily on most projects.
>
> Full disclosure on my part: I am also an Enwp checkuser and a member of the
> Arbitration Committee.
>
> Risker
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Risker
Each project has its own standards and thresholds for when checkusers may
be done, provided that they are within the limits of the privacy policy.
These standards vary widely.  So, the correct place to discuss this is on
each project.

Risker

On 13 June 2012 21:02, Thomas Dalton <[hidden email]> wrote:

> Why shouldn't spambots and vandals be notified? Just have the software
> automatically email anyone that is CUed. Then the threshold is simply
> whether you have an email address attached to your account or not.
>
> This seems like a good idea. People have a right to know what is being done
> with their data.
> On Jun 14, 2012 12:35 AM, "Risker" <[hidden email]> wrote:
>
> > On 13 June 2012 19:18, John <[hidden email]> wrote:
> >
> > > This is something that has been bugging me for a while. When a user has
> > > been checkusered they should at least be notified of who preformed it
> and
> > > why it was preformed. I know this is not viable for every single CU
> > action
> > > as many are for anons. But for those users who have been around for a
> > > period, (say autoconfirmed) they should be notified when they are CU'ed
> > and
> > > any user should be able to request the CU logs pertaining to themselves
> > > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
> > provide
> > > information to the accused.
> > >
> > > See the Rich Farmbrough ArbCom case where I suspect obvious fishing,
> > where
> > > the CU'ed user was requesting information and the CU claimed it would
> be
> > a
> > > violation of the privacy policy to release the time/reason/performer of
> > the
> > > checkuser.
> > >
> > > This screams of obfuscation and the hiding of information. I know the
> > > ombudsman committee exists as a check and balance, however before
> > something
> > > can be passed to them evidence of inappropriate action is needed. Ergo
> > > Catch-22
> > >
> > > I know checkusers  keep a private wiki
> > > https://checkuser.wikimedia.org/wiki/Main_Page and I know according to
> > our
> > > privacy policy we are supposed to purge our information regularly (on
> > wiki
> > > CU logs exist for 90 days) however who oversees the regular removal of
> > > private information on the wiki?
> > >
> > > My proposal would be for all users who are at least auto confirmed to
> be
> > > notified and be able to request all CU logs regarding themselves at any
> > > point, and any mentions of themselves on the CU wiki should be
> > retrievable.
> > >
> > >
> > >
> > Perhaps some full disclosure should be made here John.  You are a
> checkuser
> > yourself, have access to the checkuser-L mailing list and the checkuser
> > wiki, helped to set up the Audit Subcommittee on the English Wikipedia
> > (which carries out reviews of checkuser/oversighter actions on request);
> > you are also a member of the English Wikipedia functionaries mailing list
> > because you are a former arbitrator, a checkuser and an oversighter on
> > enwp. (so have access there to express your concerns or suggest changes
> in
> > standards),   It seems you are complaining about a specific case, and
> > instead of talking things out about this specific case, you've decided to
> > propose an entirely different checkusering standard.  I'll point out  in
> > passing that half of the spambots blocked in recent weeks by checkusers
> > were autoconfirmed on one or more projects, and even obvious vandals can
> > hit the autoconfirmed threshold easily on most projects.
> >
> > Full disclosure on my part: I am also an Enwp checkuser and a member of
> the
> > Arbitration Committee.
> >
> > Risker
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> >
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

John Doe-27
Yet another attempt from a checkuser to make monitoring their actions and
ensuring our privacy more difficult.

On Wed, Jun 13, 2012 at 9:10 PM, Risker <[hidden email]> wrote:

> Each project has its own standards and thresholds for when checkusers may
> be done, provided that they are within the limits of the privacy policy.
> These standards vary widely.  So, the correct place to discuss this is on
> each project.
>
> Risker
>
> On 13 June 2012 21:02, Thomas Dalton <[hidden email]> wrote:
>
> > Why shouldn't spambots and vandals be notified? Just have the software
> > automatically email anyone that is CUed. Then the threshold is simply
> > whether you have an email address attached to your account or not.
> >
> > This seems like a good idea. People have a right to know what is being
> done
> > with their data.
> > On Jun 14, 2012 12:35 AM, "Risker" <[hidden email]> wrote:
> >
> > > On 13 June 2012 19:18, John <[hidden email]> wrote:
> > >
> > > > This is something that has been bugging me for a while. When a user
> has
> > > > been checkusered they should at least be notified of who preformed it
> > and
> > > > why it was preformed. I know this is not viable for every single CU
> > > action
> > > > as many are for anons. But for those users who have been around for a
> > > > period, (say autoconfirmed) they should be notified when they are
> CU'ed
> > > and
> > > > any user should be able to request the CU logs pertaining to
> themselves
> > > > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
> > > provide
> > > > information to the accused.
> > > >
> > > > See the Rich Farmbrough ArbCom case where I suspect obvious fishing,
> > > where
> > > > the CU'ed user was requesting information and the CU claimed it would
> > be
> > > a
> > > > violation of the privacy policy to release the time/reason/performer
> of
> > > the
> > > > checkuser.
> > > >
> > > > This screams of obfuscation and the hiding of information. I know the
> > > > ombudsman committee exists as a check and balance, however before
> > > something
> > > > can be passed to them evidence of inappropriate action is needed.
> Ergo
> > > > Catch-22
> > > >
> > > > I know checkusers  keep a private wiki
> > > > https://checkuser.wikimedia.org/wiki/Main_Page and I know according
> to
> > > our
> > > > privacy policy we are supposed to purge our information regularly (on
> > > wiki
> > > > CU logs exist for 90 days) however who oversees the regular removal
> of
> > > > private information on the wiki?
> > > >
> > > > My proposal would be for all users who are at least auto confirmed to
> > be
> > > > notified and be able to request all CU logs regarding themselves at
> any
> > > > point, and any mentions of themselves on the CU wiki should be
> > > retrievable.
> > > >
> > > >
> > > >
> > > Perhaps some full disclosure should be made here John.  You are a
> > checkuser
> > > yourself, have access to the checkuser-L mailing list and the checkuser
> > > wiki, helped to set up the Audit Subcommittee on the English Wikipedia
> > > (which carries out reviews of checkuser/oversighter actions on
> request);
> > > you are also a member of the English Wikipedia functionaries mailing
> list
> > > because you are a former arbitrator, a checkuser and an oversighter on
> > > enwp. (so have access there to express your concerns or suggest changes
> > in
> > > standards),   It seems you are complaining about a specific case, and
> > > instead of talking things out about this specific case, you've decided
> to
> > > propose an entirely different checkusering standard.  I'll point out
>  in
> > > passing that half of the spambots blocked in recent weeks by checkusers
> > > were autoconfirmed on one or more projects, and even obvious vandals
> can
> > > hit the autoconfirmed threshold easily on most projects.
> > >
> > > Full disclosure on my part: I am also an Enwp checkuser and a member of
> > the
> > > Arbitration Committee.
> > >
> > > Risker
> > > _______________________________________________
> > > Wikimedia-l mailing list
> > > [hidden email]
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > >
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> >
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Philippe Beaudette-2
I dunno, John, you almost had me convinced until that email. I saw in that mail a reasonable comment from Risker based on long time precedent.

As you may know, there are a number of checks and balances in place. First, the CUs watch each other. With a broad group, you can be assured they don't all always agree and there is healthy debate and dialogue. Second, enwp has an audit subcommittee that routinely audits the logs with a fine toothed comb.  They are NOT all previous checkusers, to avoid the sort of groupthink that appears to concern you. Then, the WMF has an ombudsman commission, which also may audit with commission from the Board. Those people take their role very seriously. And last, anyone with genuine privacy concerns can contact the WMF:  me, Maggie, anyone in the legal or community advocacy department.

Is it an iron clad assurance of no misbehavior?  Probably not, and we will continue to get better at it: but I will say that in 3 years of being pretty closely involved with that team, I'm impressed with how much they err on the side of protection of privacy. I have a window into their world, and they have my respect.

Best, PB
-----------------------
Philippe Beaudette
Director, Community Advocacy
Wikimedia Foundation, Inc


Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: John <[hidden email]>
Sender: [hidden email]
Date: Wed, 13 Jun 2012 21:17:09
To: Wikimedia Mailing List<[hidden email]>
Reply-To: Wikimedia Mailing List <[hidden email]>
Subject: Re: [Wikimedia-l] CheckUser openness

Yet another attempt from a checkuser to make monitoring their actions and
ensuring our privacy more difficult.

On Wed, Jun 13, 2012 at 9:10 PM, Risker <[hidden email]> wrote:

> Each project has its own standards and thresholds for when checkusers may
> be done, provided that they are within the limits of the privacy policy.
> These standards vary widely.  So, the correct place to discuss this is on
> each project.
>
> Risker
>
> On 13 June 2012 21:02, Thomas Dalton <[hidden email]> wrote:
>
> > Why shouldn't spambots and vandals be notified? Just have the software
> > automatically email anyone that is CUed. Then the threshold is simply
> > whether you have an email address attached to your account or not.
> >
> > This seems like a good idea. People have a right to know what is being
> done
> > with their data.
> > On Jun 14, 2012 12:35 AM, "Risker" <[hidden email]> wrote:
> >
> > > On 13 June 2012 19:18, John <[hidden email]> wrote:
> > >
> > > > This is something that has been bugging me for a while. When a user
> has
> > > > been checkusered they should at least be notified of who preformed it
> > and
> > > > why it was preformed. I know this is not viable for every single CU
> > > action
> > > > as many are for anons. But for those users who have been around for a
> > > > period, (say autoconfirmed) they should be notified when they are
> CU'ed
> > > and
> > > > any user should be able to request the CU logs pertaining to
> themselves
> > > > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
> > > provide
> > > > information to the accused.
> > > >
> > > > See the Rich Farmbrough ArbCom case where I suspect obvious fishing,
> > > where
> > > > the CU'ed user was requesting information and the CU claimed it would
> > be
> > > a
> > > > violation of the privacy policy to release the time/reason/performer
> of
> > > the
> > > > checkuser.
> > > >
> > > > This screams of obfuscation and the hiding of information. I know the
> > > > ombudsman committee exists as a check and balance, however before
> > > something
> > > > can be passed to them evidence of inappropriate action is needed.
> Ergo
> > > > Catch-22
> > > >
> > > > I know checkusers  keep a private wiki
> > > > https://checkuser.wikimedia.org/wiki/Main_Page and I know according
> to
> > > our
> > > > privacy policy we are supposed to purge our information regularly (on
> > > wiki
> > > > CU logs exist for 90 days) however who oversees the regular removal
> of
> > > > private information on the wiki?
> > > >
> > > > My proposal would be for all users who are at least auto confirmed to
> > be
> > > > notified and be able to request all CU logs regarding themselves at
> any
> > > > point, and any mentions of themselves on the CU wiki should be
> > > retrievable.
> > > >
> > > >
> > > >
> > > Perhaps some full disclosure should be made here John.  You are a
> > checkuser
> > > yourself, have access to the checkuser-L mailing list and the checkuser
> > > wiki, helped to set up the Audit Subcommittee on the English Wikipedia
> > > (which carries out reviews of checkuser/oversighter actions on
> request);
> > > you are also a member of the English Wikipedia functionaries mailing
> list
> > > because you are a former arbitrator, a checkuser and an oversighter on
> > > enwp. (so have access there to express your concerns or suggest changes
> > in
> > > standards),   It seems you are complaining about a specific case, and
> > > instead of talking things out about this specific case, you've decided
> to
> > > propose an entirely different checkusering standard.  I'll point out
>  in
> > > passing that half of the spambots blocked in recent weeks by checkusers
> > > were autoconfirmed on one or more projects, and even obvious vandals
> can
> > > hit the autoconfirmed threshold easily on most projects.
> > >
> > > Full disclosure on my part: I am also an Enwp checkuser and a member of
> > the
> > > Arbitration Committee.
> > >
> > > Risker
> > > _______________________________________________
> > > Wikimedia-l mailing list
> > > [hidden email]
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > >
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> >
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

John Doe-27
Risker comment was basically "lets not set a global accountability and
ability to get CU related logs of our self on a global level, instead take
it to each project and fight it out there" to me that reeks of obfuscation.
Realistically this should be a global policy, just like our privacy policy
is. Why shouldnt users know when they have been checkusered and why?

On Wed, Jun 13, 2012 at 9:24 PM, Philippe Beaudette, Wikimedia Foundation <
[hidden email]> wrote:

> I dunno, John, you almost had me convinced until that email. I saw in that
> mail a reasonable comment from Risker based on long time precedent.
>
> As you may know, there are a number of checks and balances in place.
> First, the CUs watch each other. With a broad group, you can be assured
> they don't all always agree and there is healthy debate and dialogue.
> Second, enwp has an audit subcommittee that routinely audits the logs with
> a fine toothed comb.  They are NOT all previous checkusers, to avoid the
> sort of groupthink that appears to concern you. Then, the WMF has an
> ombudsman commission, which also may audit with commission from the Board.
> Those people take their role very seriously. And last, anyone with genuine
> privacy concerns can contact the WMF:  me, Maggie, anyone in the legal or
> community advocacy department.
>
> Is it an iron clad assurance of no misbehavior?  Probably not, and we will
> continue to get better at it: but I will say that in 3 years of being
> pretty closely involved with that team, I'm impressed with how much they
> err on the side of protection of privacy. I have a window into their world,
> and they have my respect.
>
> Best, PB
> -----------------------
> Philippe Beaudette
> Director, Community Advocacy
> Wikimedia Foundation, Inc
>
>
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: John <[hidden email]>
> Sender: [hidden email]
> Date: Wed, 13 Jun 2012 21:17:09
> To: Wikimedia Mailing List<[hidden email]>
> Reply-To: Wikimedia Mailing List <[hidden email]>
> Subject: Re: [Wikimedia-l] CheckUser openness
>
> Yet another attempt from a checkuser to make monitoring their actions and
> ensuring our privacy more difficult.
>
> On Wed, Jun 13, 2012 at 9:10 PM, Risker <[hidden email]> wrote:
>
> > Each project has its own standards and thresholds for when checkusers may
> > be done, provided that they are within the limits of the privacy policy.
> > These standards vary widely.  So, the correct place to discuss this is on
> > each project.
> >
> > Risker
> >
> > On 13 June 2012 21:02, Thomas Dalton <[hidden email]> wrote:
> >
> > > Why shouldn't spambots and vandals be notified? Just have the software
> > > automatically email anyone that is CUed. Then the threshold is simply
> > > whether you have an email address attached to your account or not.
> > >
> > > This seems like a good idea. People have a right to know what is being
> > done
> > > with their data.
> > > On Jun 14, 2012 12:35 AM, "Risker" <[hidden email]> wrote:
> > >
> > > > On 13 June 2012 19:18, John <[hidden email]> wrote:
> > > >
> > > > > This is something that has been bugging me for a while. When a user
> > has
> > > > > been checkusered they should at least be notified of who preformed
> it
> > > and
> > > > > why it was preformed. I know this is not viable for every single CU
> > > > action
> > > > > as many are for anons. But for those users who have been around
> for a
> > > > > period, (say autoconfirmed) they should be notified when they are
> > CU'ed
> > > > and
> > > > > any user should be able to request the CU logs pertaining to
> > themselves
> > > > > (who CU'ed them, when, and why) at will. I have seen CU's refuse to
> > > > provide
> > > > > information to the accused.
> > > > >
> > > > > See the Rich Farmbrough ArbCom case where I suspect obvious
> fishing,
> > > > where
> > > > > the CU'ed user was requesting information and the CU claimed it
> would
> > > be
> > > > a
> > > > > violation of the privacy policy to release the
> time/reason/performer
> > of
> > > > the
> > > > > checkuser.
> > > > >
> > > > > This screams of obfuscation and the hiding of information. I know
> the
> > > > > ombudsman committee exists as a check and balance, however before
> > > > something
> > > > > can be passed to them evidence of inappropriate action is needed.
> > Ergo
> > > > > Catch-22
> > > > >
> > > > > I know checkusers  keep a private wiki
> > > > > https://checkuser.wikimedia.org/wiki/Main_Page and I know
> according
> > to
> > > > our
> > > > > privacy policy we are supposed to purge our information regularly
> (on
> > > > wiki
> > > > > CU logs exist for 90 days) however who oversees the regular removal
> > of
> > > > > private information on the wiki?
> > > > >
> > > > > My proposal would be for all users who are at least auto confirmed
> to
> > > be
> > > > > notified and be able to request all CU logs regarding themselves at
> > any
> > > > > point, and any mentions of themselves on the CU wiki should be
> > > > retrievable.
> > > > >
> > > > >
> > > > >
> > > > Perhaps some full disclosure should be made here John.  You are a
> > > checkuser
> > > > yourself, have access to the checkuser-L mailing list and the
> checkuser
> > > > wiki, helped to set up the Audit Subcommittee on the English
> Wikipedia
> > > > (which carries out reviews of checkuser/oversighter actions on
> > request);
> > > > you are also a member of the English Wikipedia functionaries mailing
> > list
> > > > because you are a former arbitrator, a checkuser and an oversighter
> on
> > > > enwp. (so have access there to express your concerns or suggest
> changes
> > > in
> > > > standards),   It seems you are complaining about a specific case, and
> > > > instead of talking things out about this specific case, you've
> decided
> > to
> > > > propose an entirely different checkusering standard.  I'll point out
> >  in
> > > > passing that half of the spambots blocked in recent weeks by
> checkusers
> > > > were autoconfirmed on one or more projects, and even obvious vandals
> > can
> > > > hit the autoconfirmed threshold easily on most projects.
> > > >
> > > > Full disclosure on my part: I am also an Enwp checkuser and a member
> of
> > > the
> > > > Arbitration Committee.
> > > >
> > > > Risker
> > > > _______________________________________________
> > > > Wikimedia-l mailing list
> > > > [hidden email]
> > > > Unsubscribe:
> https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > > >
> > > _______________________________________________
> > > Wikimedia-l mailing list
> > > [hidden email]
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > >
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> >
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Nathan Awrich
In reply to this post by Philippe Beaudette-2
On Wed, Jun 13, 2012 at 9:24 PM, Philippe Beaudette, Wikimedia Foundation <
[hidden email]> wrote:

> I dunno, John, you almost had me convinced until that email. I saw in that
> mail a reasonable comment from Risker based on long time precedent.
>
> As you may know, there are a number of checks and balances in place.
> First, the CUs watch each other. With a broad group, you can be assured
> they don't all always agree and there is healthy debate and dialogue.
> Second, enwp has an audit subcommittee that routinely audits the logs with
> a fine toothed comb.  They are NOT all previous checkusers, to avoid the
> sort of groupthink that appears to concern you. Then, the WMF has an
> ombudsman commission, which also may audit with commission from the Board.
> Those people take their role very seriously. And last, anyone with genuine
> privacy concerns can contact the WMF:  me, Maggie, anyone in the legal or
> community advocacy department.
>
> Is it an iron clad assurance of no misbehavior?  Probably not, and we will
> continue to get better at it: but I will say that in 3 years of being
> pretty closely involved with that team, I'm impressed with how much they
> err on the side of protection of privacy. I have a window into their world,
> and they have my respect.
>
> Best, PB
> -----------------------
> Philippe Beaudette
> Director, Community Advocacy
> Wikimedia Foundation, Inc
>
>
>
There is also the Meta checkuser policy; not all policy guidance for
checkusers is set locally, they all have to abide by the global policy on
checkuser usage (which incorporates by reference the privacy policy).

To make an analogy to the health world... In the United States, the privacy
and security of health information is governed by the Health Insurance
Portability And Accountability Act (HIPAA). Part of the act is the
requirement that access to health information be auditable, and that an
accounting of access to protected information be provided to the person
concerned upon request. It's not that far out to suggest that people should
be notified when their personally identifying information is accessed on
Wikimedia, if we invest that information with the significance that many
wish to. To be honest, I'm surprised Risker doesn't agree, given the
emphasis on personal privacy demonstrated in the IPv6 thread on this list.

Nathan
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

James Alexander-3
In reply to this post by John Doe-27
To be honest the biggest problem is that releasing this information can
hurt quite a lot. It can give away the techniques the checkuser (or
checkusers, more then one working together is very common to make sure
they're right) used to draw the connections. This is especially true for
technical information where it can easily give away 'tell-tale' signs used
as part of the determination.

Almost every time I've ever seen the information demanded it was quite
clear (usually even with out any type of technical information) that the
user was guilty as charged and now they just wanted one of those two
things: A target (the CU) or the information (to find out where they went
wrong).

Yes, if a horrible checkuser was checking you you wouldn't know instantly
but that's why we have so many checks and balances. Giving all of this
information to everyone, especially automatically, would make it almost
infinitely harder for checkusers to do their job.

James

On Wed, Jun 13, 2012 at 6:30 PM, John <[hidden email]> wrote:

> Risker comment was basically "lets not set a global accountability and
> ability to get CU related logs of our self on a global level, instead take
> it to each project and fight it out there" to me that reeks of obfuscation.
> Realistically this should be a global policy, just like our privacy policy
> is. Why shouldnt users know when they have been checkusered and why?
>
> On Wed, Jun 13, 2012 at 9:24 PM, Philippe Beaudette, Wikimedia Foundation <
> [hidden email]> wrote:
>
> > I dunno, John, you almost had me convinced until that email. I saw in
> that
> > mail a reasonable comment from Risker based on long time precedent.
> >
> > As you may know, there are a number of checks and balances in place.
> > First, the CUs watch each other. With a broad group, you can be assured
> > they don't all always agree and there is healthy debate and dialogue.
> > Second, enwp has an audit subcommittee that routinely audits the logs
> with
> > a fine toothed comb.  They are NOT all previous checkusers, to avoid the
> > sort of groupthink that appears to concern you. Then, the WMF has an
> > ombudsman commission, which also may audit with commission from the
> Board.
> > Those people take their role very seriously. And last, anyone with
> genuine
> > privacy concerns can contact the WMF:  me, Maggie, anyone in the legal or
> > community advocacy department.
> >
> > Is it an iron clad assurance of no misbehavior?  Probably not, and we
> will
> > continue to get better at it: but I will say that in 3 years of being
> > pretty closely involved with that team, I'm impressed with how much they
> > err on the side of protection of privacy. I have a window into their
> world,
> > and they have my respect.
> >
> > Best, PB
> > -----------------------
> > Philippe Beaudette
> > Director, Community Advocacy
> > Wikimedia Foundation, Inc
> >
> >
> > Sent from my Verizon Wireless BlackBerry
> >
> > -----Original Message-----
> > From: John <[hidden email]>
> > Sender: [hidden email]
> > Date: Wed, 13 Jun 2012 21:17:09
> > To: Wikimedia Mailing List<[hidden email]>
> > Reply-To: Wikimedia Mailing List <[hidden email]>
> > Subject: Re: [Wikimedia-l] CheckUser openness
> >
> > Yet another attempt from a checkuser to make monitoring their actions and
> > ensuring our privacy more difficult.
> >
> > On Wed, Jun 13, 2012 at 9:10 PM, Risker <[hidden email]> wrote:
> >
> > > Each project has its own standards and thresholds for when checkusers
> may
> > > be done, provided that they are within the limits of the privacy
> policy.
> > > These standards vary widely.  So, the correct place to discuss this is
> on
> > > each project.
> > >
> > > Risker
> > >
> > > On 13 June 2012 21:02, Thomas Dalton <[hidden email]> wrote:
> > >
> > > > Why shouldn't spambots and vandals be notified? Just have the
> software
> > > > automatically email anyone that is CUed. Then the threshold is simply
> > > > whether you have an email address attached to your account or not.
> > > >
> > > > This seems like a good idea. People have a right to know what is
> being
> > > done
> > > > with their data.
> > > > On Jun 14, 2012 12:35 AM, "Risker" <[hidden email]> wrote:
> > > >
> > > > > On 13 June 2012 19:18, John <[hidden email]> wrote:
> > > > >
> > > > > > This is something that has been bugging me for a while. When a
> user
> > > has
> > > > > > been checkusered they should at least be notified of who
> preformed
> > it
> > > > and
> > > > > > why it was preformed. I know this is not viable for every single
> CU
> > > > > action
> > > > > > as many are for anons. But for those users who have been around
> > for a
> > > > > > period, (say autoconfirmed) they should be notified when they are
> > > CU'ed
> > > > > and
> > > > > > any user should be able to request the CU logs pertaining to
> > > themselves
> > > > > > (who CU'ed them, when, and why) at will. I have seen CU's refuse
> to
> > > > > provide
> > > > > > information to the accused.
> > > > > >
> > > > > > See the Rich Farmbrough ArbCom case where I suspect obvious
> > fishing,
> > > > > where
> > > > > > the CU'ed user was requesting information and the CU claimed it
> > would
> > > > be
> > > > > a
> > > > > > violation of the privacy policy to release the
> > time/reason/performer
> > > of
> > > > > the
> > > > > > checkuser.
> > > > > >
> > > > > > This screams of obfuscation and the hiding of information. I know
> > the
> > > > > > ombudsman committee exists as a check and balance, however before
> > > > > something
> > > > > > can be passed to them evidence of inappropriate action is needed.
> > > Ergo
> > > > > > Catch-22
> > > > > >
> > > > > > I know checkusers  keep a private wiki
> > > > > > https://checkuser.wikimedia.org/wiki/Main_Page and I know
> > according
> > > to
> > > > > our
> > > > > > privacy policy we are supposed to purge our information regularly
> > (on
> > > > > wiki
> > > > > > CU logs exist for 90 days) however who oversees the regular
> removal
> > > of
> > > > > > private information on the wiki?
> > > > > >
> > > > > > My proposal would be for all users who are at least auto
> confirmed
> > to
> > > > be
> > > > > > notified and be able to request all CU logs regarding themselves
> at
> > > any
> > > > > > point, and any mentions of themselves on the CU wiki should be
> > > > > retrievable.
> > > > > >
> > > > > >
> > > > > >
> > > > > Perhaps some full disclosure should be made here John.  You are a
> > > > checkuser
> > > > > yourself, have access to the checkuser-L mailing list and the
> > checkuser
> > > > > wiki, helped to set up the Audit Subcommittee on the English
> > Wikipedia
> > > > > (which carries out reviews of checkuser/oversighter actions on
> > > request);
> > > > > you are also a member of the English Wikipedia functionaries
> mailing
> > > list
> > > > > because you are a former arbitrator, a checkuser and an oversighter
> > on
> > > > > enwp. (so have access there to express your concerns or suggest
> > changes
> > > > in
> > > > > standards),   It seems you are complaining about a specific case,
> and
> > > > > instead of talking things out about this specific case, you've
> > decided
> > > to
> > > > > propose an entirely different checkusering standard.  I'll point
> out
> > >  in
> > > > > passing that half of the spambots blocked in recent weeks by
> > checkusers
> > > > > were autoconfirmed on one or more projects, and even obvious
> vandals
> > > can
> > > > > hit the autoconfirmed threshold easily on most projects.
> > > > >
> > > > > Full disclosure on my part: I am also an Enwp checkuser and a
> member
> > of
> > > > the
> > > > > Arbitration Committee.
> > > > >
> > > > > Risker
> > > > > _______________________________________________
> > > > > Wikimedia-l mailing list
> > > > > [hidden email]
> > > > > Unsubscribe:
> > https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > > > >
> > > > _______________________________________________
> > > > Wikimedia-l mailing list
> > > > [hidden email]
> > > > Unsubscribe:
> https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > > >
> > > _______________________________________________
> > > Wikimedia-l mailing list
> > > [hidden email]
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > >
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> >
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>



--
James Alexander
[hidden email]
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

John Doe-27
I am not asking for checkuser results, rather the basic logs about
when/why/who may have checkusered the account. I am not asking CUs to
release IP/user-agent/other info, but to let users know that they are being
CUed, by whom and why. and to be able to request that historical
information from the CU logs

On Wed, Jun 13, 2012 at 9:54 PM, James Alexander <[hidden email]>wrote:

> To be honest the biggest problem is that releasing this information can
> hurt quite a lot. It can give away the techniques the checkuser (or
> checkusers, more then one working together is very common to make sure
> they're right) used to draw the connections. This is especially true for
> technical information where it can easily give away 'tell-tale' signs used
> as part of the determination.
>
> Almost every time I've ever seen the information demanded it was quite
> clear (usually even with out any type of technical information) that the
> user was guilty as charged and now they just wanted one of those two
> things: A target (the CU) or the information (to find out where they went
> wrong).
>
> Yes, if a horrible checkuser was checking you you wouldn't know instantly
> but that's why we have so many checks and balances. Giving all of this
> information to everyone, especially automatically, would make it almost
> infinitely harder for checkusers to do their job.
>
> James
>
> On Wed, Jun 13, 2012 at 6:30 PM, John <[hidden email]> wrote:
>
> > Risker comment was basically "lets not set a global accountability and
> > ability to get CU related logs of our self on a global level, instead
> take
> > it to each project and fight it out there" to me that reeks of
> obfuscation.
> > Realistically this should be a global policy, just like our privacy
> policy
> > is. Why shouldnt users know when they have been checkusered and why?
> >
> > On Wed, Jun 13, 2012 at 9:24 PM, Philippe Beaudette, Wikimedia
> Foundation <
> > [hidden email]> wrote:
> >
> > > I dunno, John, you almost had me convinced until that email. I saw in
> > that
> > > mail a reasonable comment from Risker based on long time precedent.
> > >
> > > As you may know, there are a number of checks and balances in place.
> > > First, the CUs watch each other. With a broad group, you can be assured
> > > they don't all always agree and there is healthy debate and dialogue.
> > > Second, enwp has an audit subcommittee that routinely audits the logs
> > with
> > > a fine toothed comb.  They are NOT all previous checkusers, to avoid
> the
> > > sort of groupthink that appears to concern you. Then, the WMF has an
> > > ombudsman commission, which also may audit with commission from the
> > Board.
> > > Those people take their role very seriously. And last, anyone with
> > genuine
> > > privacy concerns can contact the WMF:  me, Maggie, anyone in the legal
> or
> > > community advocacy department.
> > >
> > > Is it an iron clad assurance of no misbehavior?  Probably not, and we
> > will
> > > continue to get better at it: but I will say that in 3 years of being
> > > pretty closely involved with that team, I'm impressed with how much
> they
> > > err on the side of protection of privacy. I have a window into their
> > world,
> > > and they have my respect.
> > >
> > > Best, PB
> > > -----------------------
> > > Philippe Beaudette
> > > Director, Community Advocacy
> > > Wikimedia Foundation, Inc
> > >
> > >
> > > Sent from my Verizon Wireless BlackBerry
> > >
> > > -----Original Message-----
> > > From: John <[hidden email]>
> > > Sender: [hidden email]
> > > Date: Wed, 13 Jun 2012 21:17:09
> > > To: Wikimedia Mailing List<[hidden email]>
> > > Reply-To: Wikimedia Mailing List <[hidden email]>
> > > Subject: Re: [Wikimedia-l] CheckUser openness
> > >
> > > Yet another attempt from a checkuser to make monitoring their actions
> and
> > > ensuring our privacy more difficult.
> > >
> > > On Wed, Jun 13, 2012 at 9:10 PM, Risker <[hidden email]> wrote:
> > >
> > > > Each project has its own standards and thresholds for when checkusers
> > may
> > > > be done, provided that they are within the limits of the privacy
> > policy.
> > > > These standards vary widely.  So, the correct place to discuss this
> is
> > on
> > > > each project.
> > > >
> > > > Risker
> > > >
> > > > On 13 June 2012 21:02, Thomas Dalton <[hidden email]>
> wrote:
> > > >
> > > > > Why shouldn't spambots and vandals be notified? Just have the
> > software
> > > > > automatically email anyone that is CUed. Then the threshold is
> simply
> > > > > whether you have an email address attached to your account or not.
> > > > >
> > > > > This seems like a good idea. People have a right to know what is
> > being
> > > > done
> > > > > with their data.
> > > > > On Jun 14, 2012 12:35 AM, "Risker" <[hidden email]> wrote:
> > > > >
> > > > > > On 13 June 2012 19:18, John <[hidden email]> wrote:
> > > > > >
> > > > > > > This is something that has been bugging me for a while. When a
> > user
> > > > has
> > > > > > > been checkusered they should at least be notified of who
> > preformed
> > > it
> > > > > and
> > > > > > > why it was preformed. I know this is not viable for every
> single
> > CU
> > > > > > action
> > > > > > > as many are for anons. But for those users who have been around
> > > for a
> > > > > > > period, (say autoconfirmed) they should be notified when they
> are
> > > > CU'ed
> > > > > > and
> > > > > > > any user should be able to request the CU logs pertaining to
> > > > themselves
> > > > > > > (who CU'ed them, when, and why) at will. I have seen CU's
> refuse
> > to
> > > > > > provide
> > > > > > > information to the accused.
> > > > > > >
> > > > > > > See the Rich Farmbrough ArbCom case where I suspect obvious
> > > fishing,
> > > > > > where
> > > > > > > the CU'ed user was requesting information and the CU claimed it
> > > would
> > > > > be
> > > > > > a
> > > > > > > violation of the privacy policy to release the
> > > time/reason/performer
> > > > of
> > > > > > the
> > > > > > > checkuser.
> > > > > > >
> > > > > > > This screams of obfuscation and the hiding of information. I
> know
> > > the
> > > > > > > ombudsman committee exists as a check and balance, however
> before
> > > > > > something
> > > > > > > can be passed to them evidence of inappropriate action is
> needed.
> > > > Ergo
> > > > > > > Catch-22
> > > > > > >
> > > > > > > I know checkusers  keep a private wiki
> > > > > > > https://checkuser.wikimedia.org/wiki/Main_Page and I know
> > > according
> > > > to
> > > > > > our
> > > > > > > privacy policy we are supposed to purge our information
> regularly
> > > (on
> > > > > > wiki
> > > > > > > CU logs exist for 90 days) however who oversees the regular
> > removal
> > > > of
> > > > > > > private information on the wiki?
> > > > > > >
> > > > > > > My proposal would be for all users who are at least auto
> > confirmed
> > > to
> > > > > be
> > > > > > > notified and be able to request all CU logs regarding
> themselves
> > at
> > > > any
> > > > > > > point, and any mentions of themselves on the CU wiki should be
> > > > > > retrievable.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > Perhaps some full disclosure should be made here John.  You are a
> > > > > checkuser
> > > > > > yourself, have access to the checkuser-L mailing list and the
> > > checkuser
> > > > > > wiki, helped to set up the Audit Subcommittee on the English
> > > Wikipedia
> > > > > > (which carries out reviews of checkuser/oversighter actions on
> > > > request);
> > > > > > you are also a member of the English Wikipedia functionaries
> > mailing
> > > > list
> > > > > > because you are a former arbitrator, a checkuser and an
> oversighter
> > > on
> > > > > > enwp. (so have access there to express your concerns or suggest
> > > changes
> > > > > in
> > > > > > standards),   It seems you are complaining about a specific case,
> > and
> > > > > > instead of talking things out about this specific case, you've
> > > decided
> > > > to
> > > > > > propose an entirely different checkusering standard.  I'll point
> > out
> > > >  in
> > > > > > passing that half of the spambots blocked in recent weeks by
> > > checkusers
> > > > > > were autoconfirmed on one or more projects, and even obvious
> > vandals
> > > > can
> > > > > > hit the autoconfirmed threshold easily on most projects.
> > > > > >
> > > > > > Full disclosure on my part: I am also an Enwp checkuser and a
> > member
> > > of
> > > > > the
> > > > > > Arbitration Committee.
> > > > > >
> > > > > > Risker
> > > > > > _______________________________________________
> > > > > > Wikimedia-l mailing list
> > > > > > [hidden email]
> > > > > > Unsubscribe:
> > > https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > > > > >
> > > > > _______________________________________________
> > > > > Wikimedia-l mailing list
> > > > > [hidden email]
> > > > > Unsubscribe:
> > https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > > > >
> > > > _______________________________________________
> > > > Wikimedia-l mailing list
> > > > [hidden email]
> > > > Unsubscribe:
> https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > > >
> > > _______________________________________________
> > > Wikimedia-l mailing list
> > > [hidden email]
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > > _______________________________________________
> > > Wikimedia-l mailing list
> > > [hidden email]
> > > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> > >
> > _______________________________________________
> > Wikimedia-l mailing list
> > [hidden email]
> > Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
> >
>
>
>
> --
> James Alexander
> [hidden email]
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

David Richfield
So User:mfgaowener should get an automated mail saying "because you
did a pagemove with edit summary "Haggggers!" you were checkusered.
Please be more subtle in your vandalism next time."

I trust the current checks and balances, and I don't think the system
is getting significant levels of abuse.

--
David Richfield
[[:en:User:Slashme]]
+27718539985

_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Stephanie Daugherty
On Thu, Jun 14, 2012 at 3:36 AM, David Richfield
<[hidden email]>wrote:

> So User:mfgaowener should get an automated mail saying "because you
> did a pagemove with edit summary "Haggggers!" you were checkusered.
> Please be more subtle in your vandalism next time."
>
> I trust the current checks and balances, and I don't think the system
> is getting significant levels of abuse.
>
> +1 on this. The methods that checkusers have are heavily constrained as it
is by privacy concerns, and they are very fragile. They only work
effectively within the tight privacy restrictions with a certain amount of
security through obscurity. For one, a checkuser needs to be able to
monitor a situation sometimes to be sure that they are casting a wide
enough net for a block to be effective. For another, the standard of
reasonable suspicion placed on the checkuser tool is high enough that with
enough practice, vandals would learn to be careful to never justify a
checkuser request within the privacy guidelines.

We're between a rock and a hard place, because to give the transparency
being asked for, we'd enter an arms race where we'd quickly have to relax
the checkuser standards to the point where it becomes "anything goes so
long as you don't disclose it".

-Stephanie
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

John Doe-27
I am not asking for full disclosure, what I am asking is that established
user have the right to be notified when and why they are being checkusered.
The evidence checkusers get do not need to be disclosed, Its as simple as:

 X performed a checkuser on you because Y at Z UTC

that provides clarity and openness while keeping the information checkusers
use confidential. A note like that would provide vandals with very little
information. And the second step of defining a threshold would eliminate
most of the vandal checks.

To me this screams of lets keep oversight of checkuser to a minimum. Right
now there is the ombudsman committee globally (to ask for review from them
we need evidence, realistically only other checkusers can provide that)
and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
members (be defacto are granted CU ), former arbcom, or former CU. To me
that really reeks of lack of independent oversight. Notifying an
established user that they are subject to a CU doesnt harm the CU's ability
to do their job unless they themselves have something to hide. Its not like
I am asking for CU's to release IP addresses/user-agents or anything else
that could assist me in avoiding scrutiny.

On Thu, Jun 14, 2012 at 3:48 AM, Stephanie Daugherty
<[hidden email]>wrote:

> On Thu, Jun 14, 2012 at 3:36 AM, David Richfield
> <[hidden email]>wrote:
>
> > So User:mfgaowener should get an automated mail saying "because you
> > did a pagemove with edit summary "Haggggers!" you were checkusered.
> > Please be more subtle in your vandalism next time."
> >
> > I trust the current checks and balances, and I don't think the system
> > is getting significant levels of abuse.
> >
> > +1 on this. The methods that checkusers have are heavily constrained as
> it
> is by privacy concerns, and they are very fragile. They only work
> effectively within the tight privacy restrictions with a certain amount of
> security through obscurity. For one, a checkuser needs to be able to
> monitor a situation sometimes to be sure that they are casting a wide
> enough net for a block to be effective. For another, the standard of
> reasonable suspicion placed on the checkuser tool is high enough that with
> enough practice, vandals would learn to be careful to never justify a
> checkuser request within the privacy guidelines.
>
> We're between a rock and a hard place, because to give the transparency
> being asked for, we'd enter an arms race where we'd quickly have to relax
> the checkuser standards to the point where it becomes "anything goes so
> long as you don't disclose it".
>
> -Stephanie
> _______________________________________________
> Wikimedia-l mailing list
> [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
>
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Nathan Awrich
On Thu, Jun 14, 2012 at 4:07 PM, John <[hidden email]> wrote:

> I am not asking for full disclosure, what I am asking is that established
> user have the right to be notified when and why they are being checkusered.
> The evidence checkusers get do not need to be disclosed, Its as simple as:
>
>  X performed a checkuser on you because Y at Z UTC
>
> that provides clarity and openness while keeping the information checkusers
> use confidential. A note like that would provide vandals with very little
> information. And the second step of defining a threshold would eliminate
> most of the vandal checks.
>
> To me this screams of lets keep oversight of checkuser to a minimum. Right
> now there is the ombudsman committee globally (to ask for review from them
> we need evidence, realistically only other checkusers can provide that)
> and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
> members (be defacto are granted CU ), former arbcom, or former CU. To me
> that really reeks of lack of independent oversight. Notifying an
> established user that they are subject to a CU doesnt harm the CU's ability
> to do their job unless they themselves have something to hide. Its not like
> I am asking for CU's to release IP addresses/user-agents or anything else
> that could assist me in avoiding scrutiny.
>

Don't even need to go that far - just say "A checkuser viewed the
information stored by the web server about you, this information may
include [[xyz list if informations]]."
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] CheckUser openness

Risker
On 14 June 2012 16:36, Nathan <[hidden email]> wrote:

> On Thu, Jun 14, 2012 at 4:07 PM, John <[hidden email]> wrote:
>
> > I am not asking for full disclosure, what I am asking is that established
> > user have the right to be notified when and why they are being
> checkusered.
> > The evidence checkusers get do not need to be disclosed, Its as simple
> as:
> >
> >  X performed a checkuser on you because Y at Z UTC
> >
> > that provides clarity and openness while keeping the information
> checkusers
> > use confidential. A note like that would provide vandals with very little
> > information. And the second step of defining a threshold would eliminate
> > most of the vandal checks.
> >
> > To me this screams of lets keep oversight of checkuser to a minimum.
> Right
> > now there is the ombudsman committee globally (to ask for review from
> them
> > we need evidence, realistically only other checkusers can provide that)
> > and on enwp there is the Audit Subcommittee, which 75% of are either
> arbcom
> > members (be defacto are granted CU ), former arbcom, or former CU. To me
> > that really reeks of lack of independent oversight. Notifying an
> > established user that they are subject to a CU doesnt harm the CU's
> ability
> > to do their job unless they themselves have something to hide. Its not
> like
> > I am asking for CU's to release IP addresses/user-agents or anything else
> > that could assist me in avoiding scrutiny.
> >
>
> Don't even need to go that far - just say "A checkuser viewed the
> information stored by the web server about you, this information may
> include [[xyz list if informations]]."
>
>

I do see where folks are coming from. To the best of my knowledge, for the
past few years on English Wikipedia anyone who has asked the Audit
Subcommittee if they have been checked has been told the correct response,
and I think this is a good thing.

On the other hand, what's being proposed here is essentially providing
sockpuppeters or otherwise disruptive users (such as those under certain
types of sanctions) a how-to guide so they can avoid detection in the
future.

Risker
_______________________________________________
Wikimedia-l mailing list
[hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l
123