[Wikimedia-l] storing IP addresses and their geolocations?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[Wikimedia-l] storing IP addresses and their geolocations?

James Salsman-2
Dario Taraborelli wrote, in reply to my question:
>>...
>> Is there any legitimate research or any other need to save IP
>> addresses associated with HTTP GET web logs to disk prior to
>> creating a secure hash of them?
>
> these are considerations that the analytics / ops team are best suited to
> answer, I encourage you to relay them to analytics-l if you want to have a
> more technical discussion.

I asked there, and there have been two detailed answers:

https://lists.wikimedia.org/pipermail/analytics/2016-November/005506.html

https://lists.wikimedia.org/pipermail/analytics/2016-November/005508.html

Since the analytics team considers the justification for storing
personally identifying information such as IP address, proxy
information, and geolocation (which we apparently perform on every
reader request) to be based on the needs of Research and Ops, I would
like to ask two further questions in light of this recent news
article:

https://www.washingtonpost.com/news/the-switch/wp/2016/10/11/facebook-twitter-and-instagram-sent-feeds-that-helped-police-track-minorities-in-ferguson-and-baltimore-aclu-says/

1. What are the advantages and disadvantages of storing each reader
request's geolocation?

2. Has Ops ever actually used reader GET request IP addresses to solve
a problem which could not have been solved, for example, with POST
requests for debugging?

3. If a research partner with access to the raw IP addresses, proxy
information, and geolocation of our readers' requests were served with
a subpoena by a US or overseas law enforcement organization, a
national security letter, or were blackmailed or bribed, would the
Foundation have any way to know?

I repeat my request that the IP and proxy information be anonymized
with a secure cryptographic has before being stored to nonvolatile
media, and suggest that storing the geolocation of every reader
request is not within the letter or the spirit of the Foundation's
privacy policy, which explicitly requires consent for the use of
geolocation:

"Some features we offer work better if we know what area you are in.
But it's completely up to you whether or not you want us to use
geolocation tools to make some features available to you. If you
consent, we can use GPS (and other technologies commonly used to
determine location) to show you more relevant content."

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006 may be
helpful for understanding my motivations about this issue.

_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: [hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] storing IP addresses and their geolocations?

Leila Zia
​Hi James,​

On Thu, Nov 10, 2016 at 9:23 AM, James Salsman <[hidden email]> wrote:

>
> I repeat my request that the IP and proxy information be anonymized
> with a secure cryptographic has before being stored to nonvolatile
> media,


When you're ready to suggest a change, can you suggest this on that same
thread (
https://lists.wikimedia.org/pipermail/analytics/2016-November/005508.html
), or on a different thread in analytics-l? ​The Analytics team is
responsible for the infrastructure and storage of the data you're referring
to and these discussions are well suited for that list where you have the
expertise to respond to your questions/comments.

Best,
Leila



> _______________________________________________
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> <mailto:[hidden email]?subject=unsubscribe>
_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: [hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] storing IP addresses and their geolocations?

Nuria Ruiz
In reply to this post by James Salsman-2
> that storing the geolocation of every reader
>request is not within the letter or the spirit >of the Foundation's
>privacy policy, which explicitly requires >consent for the use of geolocation

No, this is not correct. The reasons why this statement is incorrect have already been discussed in the already mentioned thread.



> On Nov 10, 2016, at 9:23 AM, James Salsman <[hidden email]> wrote:
>
> I repeat my request that the IP and proxy information be anonymized
> with a secure cryptographic has before being stored to nonvolatile
> media, and suggest that storing the geolocation of every reader
> request is not within the letter or the spirit of the Foundation's
> privacy policy, which explicitly requires consent for the use of
> geolocation:

_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: [hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] storing IP addresses and their geolocations?

James Salsman-2
In reply to this post by James Salsman-2
>> storing the geolocation of every reader request is not within
>> the letter or the spirit of the Foundation's privacy policy,
>> which explicitly requires consent for the use of geolocation
>
> No, this is not correct. The reasons why this statement is
> incorrect have already been discussed in the already mentioned thread.

The only such discussion I see on the analytics list is:

> The privacy policy talks about client side geo location to offer you
> geo-specific features on the client side, which is an entirely different
> topic of what we are taking about here. IP addresses are going to be
> sent via HTTP regardless with your request and the geo location we
> do (to be able to report  for example pages per country, one of the
> reports most sought after by our community) has nothing to do with
> geolocated features.

On the contrary, all geolocation services, processing, and logging
is performed on Foundation servers, not client equipment. Every
reader's request is currently being geolocated without regard to
whether consent has been asked or obtained. If readers' refuse
consent for their GPS information to be used (which is the only
consent we ask even though the Privacy Policy says we require
consent to use any geolocation) we store their IP addresses in
the clear with their associated geolocation anyway, and make
them available to several external researchers at Stanford, the
École polytechnique fédérale de Lausanne, and the Leibniz
Institute for the Social Sciences.

_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: [hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>
Reply | Threaded
Open this post in threaded view
|

Re: [Wikimedia-l] storing IP addresses and their geolocations?

Nuria Ruiz
James:

Seems (to me, I might be wrong) that you are mixing different issues,
technical aspects and concerns in order to create drama. On my end I try to
give my very limited time and attention to threads that foster
collaboration and this really doesn't seem one of those.

Thanks,

Nuria






On Sun, Nov 13, 2016 at 8:47 AM, James Salsman <[hidden email]> wrote:

> >> storing the geolocation of every reader request is not within
> >> the letter or the spirit of the Foundation's privacy policy,
> >> which explicitly requires consent for the use of geolocation
> >
> > No, this is not correct. The reasons why this statement is
> > incorrect have already been discussed in the already mentioned thread.
>
> The only such discussion I see on the analytics list is:
>
> > The privacy policy talks about client side geo location to offer you
> > geo-specific features on the client side, which is an entirely different
> > topic of what we are taking about here. IP addresses are going to be
> > sent via HTTP regardless with your request and the geo location we
> > do (to be able to report  for example pages per country, one of the
> > reports most sought after by our community) has nothing to do with
> > geolocated features.
>
> On the contrary, all geolocation services, processing, and logging
> is performed on Foundation servers, not client equipment. Every
> reader's request is currently being geolocated without regard to
> whether consent has been asked or obtained. If readers' refuse
> consent for their GPS information to be used (which is the only
> consent we ask even though the Privacy Policy says we require
> consent to use any geolocation) we store their IP addresses in
> the clear with their associated geolocation anyway, and make
> them available to several external researchers at Stanford, the
> École polytechnique fédérale de Lausanne, and the Leibniz
> Institute for the Social Sciences.
>
> _______________________________________________
> Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/
> wiki/Mailing_lists/Guidelines
> New messages to: [hidden email]
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
> <mailto:[hidden email]?subject=unsubscribe>
>
_______________________________________________
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
New messages to: [hidden email]
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, <mailto:[hidden email]?subject=unsubscribe>