Policy talk:Privacy policy: Difference between revisions

From Wikimedia Foundation Governance Wiki
Bcorr (talk | contribs)
Should we add a "Send a Private Message to this user" link in the interest of greater privacy?
Angela (talk | contribs)
Revision as of 21:10, 31 May 2004

The IP addresses of logged-in users may occasionally be reviewed from the server logs while investigating cases of vandalism.

Who will investigate these logs? Maintenance people only, or any sysop who asks for them?

So far, mainly me or Jimbo, though excerpts may sometimes get posted publicly. --Brion VIBBER 13:36 Feb 9, 2003 (UTC)
What defines when excerpts are posted publicly? Who can ask for them and why?

Would it be possible to make a link to the Draft privacy policy page on the page where you can log in or make a new user account? It took me a very long time to find any mention of any privacy information, and I found the draft privacy policy very useful.

Thank you

Hey, someone else who finds privacy policies useful! This draft is looking pretty good to me so far. I don't know how the process works, but I imagine a link to a more polished version of this document will be appearing on all Wikipedia pages soon (?).

Does the term "aggregate statistics" refer to statistics in which all or most personally identifiable information has been stripped? Can someone define this term or elaborate on it?


What user information falls under the GFDL? If I get a SQL database dump, are there email addresses, IP addresses, etc. in the dump? -- EvanProdromou

Lookups

I've noticed that MeatballWiki gives no IPs for anon users, but (what I presume to be) reverse DNS lookups. Has this been proposed/discussed/rejected here? Martin

The old usemod wikipedias also show the hostname. It would be nice to have an option to select between IP address and hostname. Giskart 18:39 Mar 15, 2003 (UTC)
Except in rare cases (dynamic IPs), IPs and hostnames are equivalent, but hostnames are sometimes considered more privacy-invasive, as they often explicitly specify a person's university, workplace, or local ISP by name in text for all to see, which information would require a separate lookup with an IP. That, and we'd have to do reverse lookups on every visitor in order to obtain the information -- that'll slow things down a little. --Brion
This would be useful information, though, in helping to judge such a user's contribution. For example, if the BBCi article was modified by someone with a bbc.co.uk hostname, one might expect it to be accurate, but potentially biased. If the Java programming language was modified by someone with a university hostname, one might expect a certain, more theoretical, slant. If someone with a French-based hostname posted to US plan to invade Iraq, one might want to check for an anti-US slant - and also copyedit the spelling+grammar of someone who may not be a fluent English speaker. Martin

A few points:

  • Shouldn't IP addresses of viewers be deleted periodically, say once a month? That way it wouldn't matter if any authorities asked for them because they would not be available.
    • They already are.
      • OK. It should be noted along with the frequency. I am assuming that any backups done do not contain the purged information (i.e. purge, then backup). Dori
  • Would it be possible to associate tempID's to IP addresses for edits when users are not logged in. This way the public and/or authorities could not exact revenge/hunt down/other evil things the editors, yet at the same time such IP's could be banned by administrators if need be. These matchings would also need to be flushed periodically.
    • If you don't wish to be identified by other visitors, log in and use a pseudonym instead of your real name or your real network address, and screen your language, writing style, and the domain of things you write about very carefully to avoid tipping people off. If you're writing things that are likely to get people to "exact revenge" upon you, you're either not following NPOV or you're in an unhealthy environment which is a bigger problem for you than anything Wikipedia does. --Brion VIBBER 23:39, 20 Oct 2003 (UTC)
      • I already use my login. It was intended for others (those who don't know any better, don't want to, don't care, etc). By protecting others for their own good we can make the environment safer, which in turn will convince more people to contribute. You do not have to write in POV style to get someone to be angry at you. Sometimes, all it takes is a factual statement. I think we should foster an environment where people are not afraid to speak out as long as they are telling the truth. This may seem theoretical, but it could happen. Dori
  • Shouldn't the IP's of editors that are logged in be deleted periodically? If you have the login name, you may not need the IP address. I could see where this would come in handy for long-term troublemakers, but we must weigh privacy issues more.
    • They aren't stored other than in the webserver log which is already cleared periodically, see above.
      • OK. Again, it should be noted. Perhaps it wasn't clear what exactly is meant by "logs" Dori 01:35, 21 Oct 2003 (UTC)

Most people might see this as having to do with the US government and terrorism, but that, while still a valid concern, may not be the worst case scenario. Say someone edits an article having to do with a dictator, mafia member, government official in a way that angers the latter entity. Since the IP's are public, the editor could be tracked down rather easily.

just a few things to consider, Dori 23:08, 20 Oct 2003 (UTC)


I think the draft is in such a state where it could be presented to the public as is (well, almost, must answer and remove notes). I think it is better to have this unfinished draft, than none at all. Also, this policy would probably have to be presented to all the 'pedias. Dori 04:28, 21 Oct 2003 (UTC)

RDNS lookups can be misleading because there is no requirement that they be factual. ISP-run DNS servers are likely to run fairly true, but there is nothing to prevent someone with a block of 255 or more IPs from running their own RDNS and setting the hostname of an IP to, say, www.drudgereport.com. There is no requirement that it match a forward lookup. Thus, hostnames-only may not provide as effective an audit trail. UninvitedCompany 19:50, 24 Dec 2003 (UTC)
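
The forward-confirmation check that the comment above implies, as an added example that is not part of the original discussion or of the wiki software: a hostname is shown only when its forward lookup returns the same IP, otherwise the IP itself is kept as the audit trail. The function names, the lookup tables and the `.example` hostnames are constructed for illustration.

```python
import ipaddress
import socket


def system_reverse(ip):
    """PTR lookup through the system resolver; returns a list of hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]


def system_forward(hostname):
    """A/AAAA lookup through the system resolver; returns a list of addresses."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]


def check_hostname(ip, reverse=system_reverse, forward=system_forward):
    """Classify the reverse DNS name of `ip`.

    Returns (status, hostname) where status is:
      "confirmed"   - a PTR name resolves forward to the same IP
      "unconfirmed" - a PTR name exists but no forward lookup matches
      "no-ptr"      - the IP has no reverse record at all
    """
    addr = ipaddress.ip_address(ip)
    names = reverse(str(addr))
    if not names:
        return ("no-ptr", None)
    for name in names:
        for candidate in forward(name):
            try:
                if ipaddress.ip_address(candidate) == addr:
                    return ("confirmed", name)
            except ValueError:
                continue  # resolver returned something that is not an address
    return ("unconfirmed", names[0])


def display_label(ip, reverse=system_reverse, forward=system_forward):
    """What a page history could show: hostname only when forward-confirmed."""
    status, name = check_hostname(ip, reverse, forward)
    if status == "confirmed":
        return f"{name} ({ip})"
    if status == "unconfirmed":
        return f"{ip} (claims {name}, not confirmed)"
    return ip


# Constructed sample data: the owner of 192.0.2.66 controls its PTR record
# and points it at a name whose real address is elsewhere.
SAMPLE_PTR = {
    "192.0.2.10": ["host10.isp.example"],
    "192.0.2.66": ["www.news.example"],
}
SAMPLE_A = {
    "host10.isp.example": ["192.0.2.10"],
    "www.news.example": ["198.51.100.7"],
}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(hostname):
    return SAMPLE_A.get(hostname, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99"):
        print(display_label(ip, sample_reverse, sample_forward))
```
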


Older text

If anything substantive from here is missing from the new text, please reintegrate.

Anonymity

While serious contributors are encouraged to back their contributions with their real names, this is not required; a user account may be created using a pseudonym (but please see Wikipedia:No offensive usernames), or you may continue to edit anonymously (but see note about IP addresses below).

Many of the project's major contributors are pseudonymous, and some choose not to reveal their real name.

E-mail

You may optionally provide your e-mail address when creating a user account, or update it in your preferences. This is not required, but if you do choose to submit your e-mail address:

  • Other signed-in contributors may send you direct e-mail via your user page and vice-versa; your address will be revealed only to those to whom you send e-mail, and to those who send e-mail to you only if you respond
  • If you lose your password, you can have it reassigned through the login page and a temporary password sent to you.

Users' e-mail addresses are stored only on the main Wikipedia server, accessible only to the site maintainers, and are not included in the publicly available article database dumps.

They will be passed on to the government... upon request under the relevant legislation?

Wikipedia has to comply with the laws of the United States and the state of California, where the server is located. (And possibly the state of Florida, where the Wikimedia Foundation is incorporated, but I'm not sure how that comes into things.) Hypothetically, if ordered by a court of law, records that exist may have to be turned over.

-My guess is Wikimedia foundation might provide information of users when asked by foreign law enforcement officers as well. Police of a country may request Wikimedia to submit some IP address information for reasons like defamation, obscenity, invasion of other's privacy, etc., and Wikipedia might cooperate, I guess. Tomos 03:53, 22 Oct 2003 (UTC)

They will be passed on to third parties... never? They are stored... indefinitely?

They're stored indefinitely unless you log in and change the e-mail address listed in your account, at which point it's gone. The SMTP mail server logs may include references to any mail sent to or from you through Wikipedia, but without any connection to your account name, the subject or the content of the mail sent.

What about the mailing lists?

Like the wiki, the mailing lists are public. The archives are public. Anything you send to them is being published publicly. Don't publish things you'll regret.
The subscriber list for the mailing lists is as far as I know limited to list admins only, though obviously if you send anything to a list the whole world now knows your email address. A number of different people admin the various lists. If you don't like it, subscribe with a throwaway hotmail account.

Can you subsequently remove your email address if you change your mind? If you do, is the old address stored anywhere?

You can change the email address in your wiki preferences at any time, and the old address is not stored in association with your account. I'm not sure how the mailing list stores its subscriber lists, so I don't know if an address would stick anywhere (besides the mail server logs) in connection with a mailing list after being unsubscribed. Check with the GNU Mailman people for info.

IP addresses

Depending on how you are connected to the Internet, your IP address may generally identify your Internet service provider, or uniquely identify the computer from which you are connecting.

The IP addresses of anonymous contributors are permanently recorded in the publicly viewable page histories. If you do not wish to publicly reveal your IP address, you should create a user account; your user name (which may be a pseudonym) will then be recorded in place of the IP address.

Internal server logs include the IP address of every viewer; this information is used for aggregate statistics.

The IP addresses of logged-in users may occasionally be reviewed from the server logs while investigating cases of vandalism. Excerpts may be published... when? where? by whom? What about other reasons to review logs - eg bug-tracking?

IP addresses will likely be seen by developers during bug hunting if this involves looking at the logs to get information on diagnosing the bug, but will not be published. Publishing of IP addresses may happen when tracking vandalism, as blocking a logged-in vandal requires also blocking the IP address to prevent the same person from simply creating another account immediately, and the IP block list is public for accountability reasons.

IP addresses may become more widely viewable in the future, pending discussions.

These logs are stored... indefinitely??

Logs are rotated daily; the archives are cleared out every couple weeks (deletion schedule not automated yet).

The logs will be passed on to the US government... upon request under the appropriate legislation? Which means what in practice?

In practice, this means never. Hypothetically law enforcement could serve a warrant asking for log data relating to some investigation, and we'd probably have to comply to the extent that the requested information exists (eg Patriot Act).

Other personal information

Server logs may include the operating system and browser version that viewers use; this information is used for aggregate statistics.

If you or someone else adds personal information to a wikipedia page, such as your user page, it will be stored indefinitely, even if you subsequently edit it to remove it. Do not publish information that you don't want published! Wikipedia is not a private chat room.

If Wikipedia passes into the control of a third party...

... then we have no control over what they may choose to do with IP addresses and/or emails.

True enough of all websites.
But it never hurts to say it!

Cookies

Seems relevant here...

Cookies are required to log in. If you choose 'remember my password', a cookie will be stored with a hash of your password. This may be a bad idea if your computer isn't very much yours and you're paranoid.
The main functioning of the login system uses a session cookie which expires at the end of your browser session.
Also set on login are cookies storing your user id number and name, which are used to fill in the last-used name in the login box when you next visit. If you don't like this, clear your cookies after logging out. These cookies last 30 days IIRC.

Link it from the main page?

This draft does not seem to be getting much more attention. Maybe the notes should be removed and the draft linked from the main page (better this version than none, plus it would get more attention from editors). Maybe I am the only one who feels that Wikipedia should have a privacy policy, so I'll shut up after this. Dori 00:35, 16 Nov 2003 (UTC)


Wikitravel privacy policy

The Wikitravel privacy policy might be worth comparing and contrasting. --Evan 22:21, 17 Dec 2003 (UTC)



User, and user_talk pages

This has been discussed elsewhere, but I think it deserves a mention in the privacy policy.

Personally I think a logged in user should have the right to control the content in their own page. I've seen instances of people reverting blanking of another user's (a "bad" user) talk page, and there are talks at personal subpages saying that they should not be deleted.

The user pages are not part of the encyclopedia, they should be deleted upon request. Keeping them viewable by everyone against the user's will is, in my opinion, a misuse of the GFDL.

tristanb (not logged in) 203.96.104.226 00:27, 21 Dec 2003 (UTC)

I disagree. User talk pages are there to support the development of the encyclopedia, and as such include information that is relevant to particular articles. Perhaps that should have gone on the article talk page, but often it doesn't, and the talk pages provide a very useful history of how particular articles and issues were developed. The user talk page is not supposed to be something private. If you want a private discussion with someone, you can do that by e-mail, so I see no reason why these pages should be made part of the privacy policy. The same might not apply to user pages. Angela 01:28, 21 Dec 2003 (UTC) (see below)

I strongly agree with tristanb, to the point that I'm considering using an off-Wikipedia wiki to post my replies to talk comments, then pointing people there, avoiding releasing simple discussions under the GFDL. If something contains text intended for the encyclopedia, of course, I would deliberately place that in an article-related area, rather than a personal area. I'm here to make an encyclopedia, not to have simple workplace discussions recorded forever by my "employer" here. Jamesday 09:01, 21 Dec 2003 (UTC)

Often the concerns relating to user pages et al are of people seeking to continue to contribute to Wikipedia, while trying to remove criticism from their user talk page (etc). Insofar as Wikipedia is in some sense a deliberative democracy, stifling criticism can have some side effects that make people rightly cautious. However, where people have decided to leave Wikipedia, I agree with JamesDay and Tristan that it makes sense to grant the right to vanish, and such users should have pretty much free rein. The only exception is where someone has been banned, where we want to have a record of why we banned them, and how long the ban is for.
I don't think you would have to remove the comments completely though in order for someone to vanish. This could be done through a name change. Also, agreeing to delete a user talk page doesn't really solve anything if comments they would rather vanish from also appear on article talk pages, which is quite likely to be the case. Article talk pages are obviously not going to be deleted, so there needs to be a solution that can apply to both these and to user talk pages. I can't see any strong reason to treat these differently. I'm also not sure you can state different privacy rules for banned users. It's possible that they might be the ones most wanting to hide their past on Wikipedia after they are made to leave. Angela 23:07, 29 Dec 2003 (PST) (see below)

My thoughts on this have changed now following an experience on another wiki where I did leave and requested my talk page be deleted. A talk page and user page is something more personal than what you write on article pages. User and article talk pages already follow different rules. For example, a user is, in nearly all cases, allowed to refactor and delete comments on their own user/talk page in a way that would not be regarded as acceptable on article talk pages. Therefore, it makes sense for those differences to apply to deletion of the pages as well. People are more attached to their pages than to their comments on article pages, and I think it is this level of attachment that would cause someone to feel uncomfortable about leaving an undeleted user page behind when they exercise their right to leave. It doesn't solve the problem of not vanishing from article talk, but if the user feels separated from these in a way they don't from their own pages, then there is reason to treat the pages differently. Deletion of your user/talk page may also be a way of psychologically breaking away from a wiki, which has a stronger effect than just walking away. Perhaps when people leave they need this as some sort of final statement that they have left, and not only that, but a statement that they no longer wish to be associated with it at all. The history of user talk pages can be fascinating and offer huge insights into the working of the wiki, but this isn't what they are there for. The aim is to build an encyclopædia, not to provide insights into how the community works or to document how individuals played a part in that. So, I now feel that the privacy policy should state that a user/talk page will be deleted on request after someone leaves. Angela 14:50, 2 Jan 2004 (UTC)

Having seen how differently I write on IRC you might also consider whether the user talk pages should be crawlable by search engines. As you've seen, people can act very differently when everything they say is being recorded compared to how they are when that is not the case. Jamesday 20:11, 25 Jan 2004 (PST)


Personal pages

The purpose of the project is to produce an encyclopedia. To facilitate this, user and user talk pages are provided, in a different namespace from the encyclopedia. Since those pages are not part of the encyclopedia, the Wikipedia will use whatever technical means are reasonably convenient to inhibit to whatever degree reasonably convenient the wide disclosure and searchability of those pages. Except to the extent that they contain text clearly intended for a Wikipedia article, these personal pages are not released under the GFDL but are instead released solely for internal use within the project.

I've added a further section based on discussion here and over at Wikinfo, where one Wikinfo technical person indicated that it was not happy to have users prevent the display of their user pages there, even though that has been requested and so far has been accepted by them. Since it doesn't seem to inhibit our ability to build an encyclopedia I've eliminated the GFDL release of user and user (but not article!) talk pages to non-GFDL for use here only, making GFDL only items intended for the encyclopedia. This will let us better assist our contributors if there's a desire to remove their personal information from mirrors, which currently could claim a GFDL right to distribute information we've removed. I'm not envisioning any immediate or rapid technical change - I'm aware that databases are combined and a variety of other technical issues mean that it is currently convenient to distribute everything as a package, and that multiple licensing is currently most conveniently done via user pages. I'm also aware that we use Google as a fallback search engine, and that limiting it would be problematic and do not propose any immediate change to search engine crawling while we need this capability. This is mainly to eliminate the "you can't stop us" argument which seems to make some of our contributors unhappy. With regrets to other sites, I want happy Wikipedia contributors, not those who don't feel free to discuss freely because of fear that their discussion will be mirrored and searchable forever, everywhere. Jamesday 12:42, 16 Feb 2004 (UTC)

I've moved the above text to the talk page since it's most certainly not the present policy (though whether it should be is open for discussion). --Brion VIBBER 15:36, 16 Feb 2004 (UTC)
Thanks - I'd forgotten that header saying current. Jamesday 14:14, 25 Feb 2004 (UTC)
I would support not having User and User talk: pages not be under the GFDL, but I don't know what the ramifications would be. Would everyone have to write new pages (the old ones are already under the GFDL)? How would this affect being able to hold temporary articles on user pages while they're being worked on? What about copying and pasting comments between other namespaces with regard to comments? There are many issues that would need to be resolved first. Dori | Talk 15:53, 16 Feb 2004 (UTC)
I guess that's a good point. For a different reason, there is a discussion at Japanese wikipedia regarding introducing a second license (called something like in-site public domain license). It permits copying, modification and translation of any posted contents within wikipedia (of any language) and other projects. That kind of solution may work to an extent, maybe?
In addition, such a re-licensing would take agreements from the copyrightowners, I suppose. Still, the past versions are released GFDL already, and it cannot be revoked, I suppose.
If the purpose is to prevent others from copying those pages based on GFDL terms, maybe it is easier to remove these pages from the database dump. Tomos 23:35, 16 Feb 2004 (UTC)
One issue which caused me to make this change is wikinfo, which takes them from the site when the page is requested, rather than from a database dump. Web crawlers (except Google, which we use as a backup search engine) also really need to be blocked, just so things like the internet archive don't save them forever. I like the sound of that Japanese move. Please let me (or all here) know what happens with that idea - I like it very much. Jamesday 14:14, 25 Feb 2004 (UTC)
Within the Wikipedia and except for text intended for articles seems to cover the moving things around needs, since it allows those things between namespaces. If you don't think it does, please suggest clarifications. I don't think that the old pages are under the GFDL - the edit page the last time I looked specified that items for the Wikipedia are under the Wikipedia license and the Wikipedia is clearly defined as the free encyclopedia, which personal pages aren't part of. However, it's arguable enough (and was argued at wikinfo) that clearly saying they aren't is worth doing, which is why I added this paragraph to make it completely clear that they aren't under the GFDL, so we can speak more freely.
One advantage for this split is that it makes it much easier to argue that source material we may discuss is not intended for republication. I'd like some way to do that for article talk as well, but I'm not sure that I want to go so far as suggesting that article talk pages should also be clearly not under the GFDL, hence not for publication. I don't actually think that article talk needs to be GFDL either but it's got a much better case than user or user talk pages. Views on whether article talk pages really do need to be GFDL or whether saying that text for the wikipedia can be placed in them on the way to going into an article is sufficient are welcome.
Barring objections and in a week or two (on the usual slow is good schedule:)) I'll put this back into the proposal and indicate that the proposal isn't intended to be the current practice only but is intended to be future practice (and I'll also include a note requesting that possible changes be clearly indicated, so they can be discussed). Jamesday 14:14, 25 Feb 2004 (UTC)
I'm not sure what I think about this. The logic of this idea seems reasonable, but I am uneasy with the idea of user and user_talk pages being different in terms of licensing. I have some vague sense that there would be some unintended consequences about this -- can I stop someone from releasing what they write on my talk page? Can they alter my comments on their page because they own it more than other pages? Etcetera, etcetera, etcetera... -- BCorr|Брайен 01:28, 6 Apr 2004 (UTC)


Filtering out web bugs and viruses in forwarded email

Should we try to prevent people sending web bugs in email that we forward? E.g. by requiring only plain text, or safe html or something, like some mailing lists do? Or is HTML email important for some correspondents? I'd prefer to only get plain-text mail without potentially dangerous or virus-infested attachments or web bug. But of course there is some development effort. The GPL'd Mailman software can do this. Nealmcb 18:11, 14 May 2004 (UTC)

Are you referring to the mailing lists (which run on GNU mailman), or to the 'Email this user' form in the wiki? In the case of the former, it should be set to strip HTML mail as it is. If you see a list misconfigured, please say which. For the latter, it should only be possible to send plaintext. If you can show otherwise, this is a bug which should be fixed immediately. Please let us know. --Brion VIBBER 22:02, 14 May 2004 (UTC)

Should we add a "Send a Private Message to this user" link in the interest of greater privacy?

The idea came up on IRC last night that it might be a good thing to ask a developer to set up a way for people to send private messages to each other directly through the wiki software as an alternative to communication through talk pages. The idea is that it is a way to increase communication, reduce the level of public conflict, keep conversations from polarizing quickly, and allow more frank discussions, etc. One concern raised about this is that there is a certain "check" involved in discussions being searchable and archived, i.e. people should feel more accountable for what they say.

Opinions? Thoughts? Alternatives? -- BCorr|Брайен 14:25, 29 May 2004 (UTC)

Is this going to offer any advantage over email? I also wonder if it might encourage people to use our wikis as chat rooms if there is no check on whether what people are writing is wikimedia-relevant. Angela 21:10, 31 May 2004 (UTC)