Legal talk:Data retention guidelines: Difference between revisions

The examples list "email and gender in account settings" as examples of non-public data; however the account settings 'gender' property is publicly disclosed by necessity due to its purpose in producing grammatically correct strings.

Is this meant only to treat the combination of the two as private? Otherwise, we're leaking gender-by-username... --brion (talk) 21:24, 9 January 2014 (UTC)[reply]

Someone removed it, so ... :D --brion (talk) 21:41, 9 January 2014 (UTC)[reply]

Michelle did, but her login is apparently still on vacation :) It was removed in response to this remark. —LVilla (WMF) (talk) 21:49, 9 January 2014 (UTC)[reply]

Information you provide us or information we collect from you that could be used to personally identify you. Reads a bit strange. Maybe a full sentence would be better here? Something like "Personal information means information you provide ..." maybe? --თოგო ^(D) 22:14, 9 January 2014 (UTC)[reply]

Hi თოგო. Thank you for your suggestion! We have adjusted the language accordingly. Mpaulson (WMF) (talk) 00:41, 10 January 2014 (UTC)[reply]

Maybe the policy should contain information about a place where users can go if they feel that the policy was breached. --თოგო ^(D) 22:17, 9 January 2014 (UTC)[reply]

Thank you თოგო for your comment - this makes sense. What if we added this sentence to the last section of the document (“Ongoing handling…”):

Would that address your concern? Any suggestions on how to improve it? :--JVargas (WMF) (talk) 00:14, 10 January 2014 (UTC)[reply]

Hi თოგო. I've went ahead and implemented Jorge's suggested language by adding a new section to the guidelines. Thank you for this helpful suggestion. Mpaulson (WMF) (talk)

Does this mean WMF? Or does this mean Wikimedia sites in general? --Rschen7754 23:46, 9 January 2014 (UTC)[reply]

Thanks for the question, Rschen7754! Whenever you see "we" / "us" / "our" in the text, we are indeed referring to the The Wikimedia Foundation, Inc., the non-profit organization that operates the Wikimedia Sites. This explanation is part of the “Definitions” section of the new Privacy Policy draft. Would it help if we added something like this to the document?

--JVargas (WMF) (talk) 00:26, 10 January 2014 (UTC)[reply]

Yes, that would be helpful. --Rschen7754 00:28, 10 January 2014 (UTC)[reply]

We changed the "Definition of Personal Information" section to "Definitions" in the document, and we added the above sentence at the end of it. Thanks again!--JVargas (WMF) (talk) 00:52, 10 January 2014 (UTC)[reply]

• Introduction
  • "Data is important. It is how we can learn and grow as an organization and a movement..." It's not the only way to learn and grow. Is there a way to rephrase it to say that it's an (important) way to learn and grow?

    What about simply "Data is important. It is one of the ways we can learn and grow as an organization and a movement..."? Mpaulson (WMF) (talk) 00:51, 10 January 2014 (UTC)[reply]

    This is much better! Sounds less extreme, while essentially saying the same thing. //Shell 09:09, 10 January 2014 (UTC)[reply]

    Great, done! Mpaulson (WMF) (talk) 14:14, 10 January 2014 (UTC)[reply]

  • "for the shortest possible time that is consistent with maintenance, understanding, and improving the Wikimedia Sites, and our obligations under applicable U.S. law" This exact text is not (any longer?) in the privacy policy, though two very similar sections are there. You might want to have the two sections actually say the same thing also in the privacy policy.

    Good catch! I have corrected this sentence. Mpaulson (WMF) (talk) 00:58, 10 January 2014 (UTC)[reply]

    Good. //Shell 09:09, 10 January 2014 (UTC)[reply]

• How long do we retain non-public data?
  • "After no more than 90 days..." I had to think twice about what it means. Would it be possible to say "After at most 90 days..."?

    Good suggestion. I've made the change. Mpaulson (WMF) (talk) 01:03, 10 January 2014 (UTC)[reply]

    Nice. //Shell 09:09, 10 January 2014 (UTC)[reply]

  • "Anonymized" What does this mean? Does it mean that it becomes very difficult to associate the data to a specific user, or that it's completely impossible? (Clarification: Especially for small projects, say 5 editors a normal day)
  • "Email address in account settings: Indefinitely" Does this mean that if I remove or change my email address, the old address will still be kept? Is that the meaning? Is it desirable? Not sure how to rephrase it to only be about the current email address.
  • "Non-personal information associated with a user account: Collected from user: Indefinitely" While the given examples seem okay, this category seems broad and that's particularly bad since the data is kept indefinitely. The given examples seem okay, since they're almost already public data (first edit, when a user has verified email, and whether the user edits through mobile are public data). E.g. the list of read articles is not public, but could be covered by this category.
  • "Non-personal information associated with a user account: Optionally provided by a user: Logs of terms entered into the site's search box" I realize that "optional" here means that not every WM site visitor must search, but since it's a key part of any wiki it doesn't feel like I "optionally provided" it - I must do it to see the article I'm interested in (ignoring other search engines). No biggie, but feels a bit weird.

    I see your point here, Shell. We weren't sure how to best phrase the differentiation between information collected from the user and information provided by the user. We're open to suggestions though if you or anyone else has one. Mpaulson (WMF) (talk) 01:17, 10 January 2014 (UTC)[reply]

    Would it be possible to remove "optionally" and just say "Provided by a user"? //Shell 09:09, 10 January 2014 (UTC)[reply]

    I would be fine with doing that. I think we originally added "optionally" to more clearly distinguish that kind of data from data that is collected either automatically or actively by us. But obviously, if it makes it less clear rather than helping, we can remove it. Mpaulson (WMF) (talk) 14:32, 10 January 2014 (UTC)[reply]

    I was confused about search terms being optional, since they feel necessary to use the site, while the email address is usually mandatory, but in the Wikimedia case it's optional. So, I wouldn't mind adding back "optional" to the "personal information" one, but it's more consistent not to. //Shell 19:04, 10 January 2014 (UTC)[reply]

  • Do you intend to have most common data in this table, in the form of examples? It would be nice to see a complete list somewhere (though that might be asking too much).

    The table is meant to address broad categories of data so that we address the treatment of as much data as we can in these guidelines. That said, we are going to try to improve the table (and the exceptions section) with more examples over time as we refine our practices. Mpaulson (WMF) (talk) 01:21, 10 January 2014 (UTC)[reply]

    It would be nice to have as many examples as possible, so I could imagine that there was a long list in this table, but collapsed by default. //Shell 09:09, 10 January 2014 (UTC)[reply]

    I agree. The hope is that we will gradually expand the guidelines with more examples over time. I will talk to people internally and see what additional examples (if any) we can add now though. I imagine if the table gets unwieldy, we'll experiment with formatting so that it's as easy-to-read as we can make it. Mpaulson (WMF) (talk) 14:20, 10 January 2014 (UTC)[reply]

    Great. Since there are already examples that feel representative, it's not a big deal, but it'd be nice to eventually have an almost complete list. //Shell 19:04, 10 January 2014 (UTC)[reply]

• Definition of personal information (good job!)
  • I can think of a couple more items to put in (b), though I'm not sure if it's necessary: (current) city (clarification: which is different/broader than address), marital status, family ties

    I added "marital and familial status" to the definition. I'm checking internally whether it makes sense to add current city. Mpaulson (WMF) (talk) 18:41, 10 January 2014 (UTC)[reply]

    I was thinking about city, since that something you can "easily" get from an IP address, but street address is not.

    Of course there's lots of other private information, but maybe it's unnecessary to add that, since I don't see how Wikimedia would get the info: income level/economic situation, level of education, profession, current job situation, hobbies/interests (though interests could be gleaned from what pages a user visits).

    There's also the user-agent info: OS/browser version, browser language(s), screen size etc. which websites almost never make public, but which could potentially uniquely identify a user over multiple websites[1]. //Shell 19:04, 10 January 2014 (UTC)[reply]

• Exceptions to these guidelines: "Data may be retained in system backups for longer periods of time." Is there any restriction on how long those backups can exist? Would it be possible, for instance, to delete, aggregate, or anonymize them after at most 5 years?
• Design of new systems: "inclusion of privacy considerations in the code review process". Would this be added to some checklist, or is it just a general guideline?

Great to see this stuff be explicit. //Shell 00:15, 10 January 2014 (UTC)[reply]

Hi Shell! Thank you for taking the time to comment and help us improve these guidelines. Your suggestions are always helpful and greatly appreciated. We will respond in-line to your comments as we work through them. Mpaulson (WMF) (talk) 00:51, 10 January 2014 (UTC)[reply]

I've responded to your comments. (and clarified a couple of things) //Shell 09:09, 10 January 2014 (UTC)[reply]

Why exactly is this data needed at all?Geni (talk) 00:44, 10 January 2014 (UTC)[reply]

Hi Geni, it's needed at least for debugging purposes. There are some searches that trigger bugs or performance problems, and we need to be able to go back and correlate searches with the bugs that get triggered. Sometimes malicious users may actually try to cause performance problems on the site via search, so we need to have the information correlated with IP addresses so that we can take action if necessary. We don't yet do much in the way of analytics on search traffic (that I'm aware of), but I could see that being of use in the future. -- RobLa-WMF (talk) 02:01, 10 January 2014 (UTC)[reply]

It might be worth expanding on what is actually meant by non-public data and what data is public by default. For example, this page talks about IP addresses for visitors, which might be confused with IP addresses for editors which are either publicly visible (where an anonymous edit is made) or kept private but presumably kept indefinitely (for user accounts). I think most of this is in the privacy policy, but it might be worth summarising here. Thanks. Mike Peel (talk) 08:26, 10 January 2014 (UTC)[reply]

Hi Mike. Thanks for the suggestion! You are correct in that it is addressed more fully in the Privacy Policy draft, but we will draft some language to make that clear as well as give some basic examples. Mpaulson (WMF) (talk) 14:10, 10 January 2014 (UTC)[reply]

Thanks Michelle. :-) Mike Peel (talk) 14:44, 10 January 2014 (UTC)[reply]

Just to let you know, we added some language. Let me know if that works! Mpaulson (WMF) (talk) 18:56, 10 January 2014 (UTC)[reply]

I think it's much better now. The info is in the privacy policy, but you can't expect everybody to read it. //Shell 19:07, 10 January 2014 (UTC)[reply]

Presumably this page isn't intended to cover donor data? It might be worth linking to wmf:Donor_policy. Thanks. Mike Peel (talk) 08:28, 10 January 2014 (UTC)[reply]

Hi Mike! While this document does not currently address donor data, we are hoping to eventually include retention practices in relation to donor data. These guidelines are meant to be a starting point for us and will get more detailed over time. In the meantime, I will see about getting navigational tools to other privacy-related documents (including the donor policy) added. Thanks for the suggestion! Mpaulson (WMF) (talk) 13:34, 10 January 2014 (UTC)[reply]

Does the 90 day rule for IP address applied to sampled data? As far as I know, the main motivation behind deleting IP addresses is to prevent tracking site usage back to a specific person. If site usage data is (sufficiently) sampled, it is much harder to do this regularly. Ottomata (talk) 16:01, 10 January 2014 (UTC)[reply]

It should apply. Your ISP might keep the correlation data IP address<->customer indefinitely, thus making it personally identifiable regardless of frequency. //Shell 19:09, 10 January 2014 (UTC)[reply]

Yes, the intent is that it should apply. This does probably mean there will have to be changes to certain existing setups, but as noted in the Audit section, that's a process we expect to occur gradually. —LVilla (WMF) (talk) 22:43, 10 January 2014 (UTC)[reply]

Are the examples in the table supposed to be exhaustive? If the WMF retain other types of non-public data, I believe this guideline should explain all of them but at the moment it does not read that way. --Fæ (talk) 08:00, 11 January 2014 (UTC)[reply]

The examples are not intended to be exhaustive (they're examples, after all ;) It would be both impractical and not very useful to readers if we listed every type of data we collect. That said, the "data types" should be exhaustive - everything we collect/retain should all fit into one of those categories. Hope that helps. —LVilla (WMF) (talk) 21:40, 14 January 2014 (UTC)[reply]

Indefinite retention of emails

Why would emails be retained indefinitely? I would have expected that if an account gets "officially" closed, the user identifies under a new account and declares the old one as discontinued, or exercises their Right to Vanish, these are all scenarios where an email would not be kept on record forever. --Fæ (talk) 08:03, 11 January 2014 (UTC)[reply]