Policy talk:Privacy policy: Difference between revisions

Archives: See Talk:Privacy policy/archive for all comments made before the policy was approved by the Board in April 2005.

Once created, user accounts can not be removed.

Yes they can, you probably meant to say "won't". —User:Ævar Arnfjörð Bjarmason/Sig 00:53, 11 Apr 2005 (UTC)

Indeed, though there are several places where it is said quite explicitly that there is no chance of this happening, so we might want to make it a little stronger than "won't". Perhaps "user accounts will never be removed"?

James F. (talk) 00:55, 11 Apr 2005 (UTC)

I have a concern about committing to that clause in the very long term. I put it at Talk:Right to vanish but maybe should have posted it here. Any thoughts? Rossami 23:03, 12 Apr 2005 (UTC)

However, remember to disconnect yourself after using a pseudonym to avoid allowing others to use your identity.

This sentence seems a bit confusing to me. (Disconnect yourself? From where? Do you mean "log out"?) And, is it a good idea to add such general advice to a page stating policy, anyway? --Mormegil 18:47, 16 Apr 2005 (UTC)

I rephrased it the way I understood it.--Patrick 15:45, 6 December 2005 (UTC)[reply]

If you contribute to the Wikimedia projects, you are publishing every word you post publicly. If you write something, assume that it will be retained forever. This includes articles, user pages and talk pages. Some limited exceptions are described below.

Does this include images and audio? or am I being too pedantic.

You're not being too pedantic. Yes, it includes images and audio. Unless the media in question is deleted (because of suspected copyright infringement) the image or audio is here forever. See, for example, this image I placed on Wikipedia of New York City w:Image:Area_code_347.png area codes 347, 718 and 917, which is the corrected version I re-uploaded when someone informed me that the distant New Jersey area codes were reversed. The original (incorrect) map I did is still available here on Wikipedia. Paul Robinson (Rfc1394)

¿Shouldn't be said to the President of WMF instead of To Jimbo Wales? --Ascánder 17:14, 30 Apr 2005 (UTC)

Wouldn't it make more sense for it to refer to the Board than either of those? Angela

Agreed. And that was my question: why the other four at the Board isn't eligible to access this sort of infromation? --Aphaia++ 12:16, 5 November 2005 (UTC)[reply]

I get a 404 when I click on the site statistics pages link in the Private logging section. Js-js2 01:55, 10 May 2005 (UTC)[reply]

I am not sure I understand the meaning of this:

Data on users, such as the times at which they edited and the number of edits they have made are publicly available via "user contributions" lists, and occasionally in aggregated forms published by other users.

Some user make 'aggregators' available for various purposes - such as Interiot's edit counter, which collates information from your 'user contributions' to give details of how many edits you've made, what months they were in and so on. Cynical 11:35, 21 May 2006 (UTC)[reply]

As far as I know Mediawiki does not store users' password, it merely stores password hashes, from which actual passwords can not be recovered. Privacy policy should state this so user can be concerned about more important matters. --195.113.65.10 14:55, 29 Jun 2005 (UTC)

I think we should have a good community discussion to review our privacy policy with an eye towards revising it in order to allow some limited additional access to our access logs for credible academic researchers who are willing to sign a strong non disclosure agreement.

This sort of data is of intense interest to researchers -- I am getting more and more requests for it -- and I think that the results of the research would be incredibly helpful to our global mission. We make a lot of decisions based on our own theories of how the community really works, but I wonder what facts about ourselves we don't realize because they are lost in the data.

--Jimbo (on Foundation-l, 9 August 2005)

According to the "account creation / log-in" form, Wikipedia will never release our email addresses to anyone. However, according to "Sharing information with third parties", Wikipedia will accede to a subpeona, warrant, or other legally required request.

Since all email addresses from before the privacy policy existed were gathered on the promise that they would "never" be released, wouldn't it be unethical (or perhaps a breach of contract, etc.) to release them simply because of a legal requirement? This privacy policy seems to retroactively redefine the terms under which Wikimedia is allowed to release my email address, which I am *very* uncomfortable with.

It comes down to common sense: Wikimedia does not have an army to stop the authorities from seizing a server and getting the email address themselves. Would you say that it's unethical to release an email address when all that refusing will achieve is legal escalation and having the server confiscated? -- Jeronim 21:55, 24 August 2005 (UTC)[reply]

Definately let authorities come and seize it .... at least wikimedia Foundation wouldn't have co-operated like google has done in China, and because of that someone who spoke their mind freely is in jail now for 10 years!

In a western country google would have refused and made a courtcase out of it. But 1 billion chinese consumers are to big of a lure. Google publically admitted they have provided the data. For me it is also a personal thing. Would you feel it is right if I would be arrested because I protested the dictatorship in Thailand on a talkpage? And Thailand is developing in a dictatorship unfotunately which is what is worrying me. And I am disappointed in google and yahoo and other big sites who co-operate much more with governments like the Chinese one than they have to. Just follow the news on this subject. Basically China has succeeded in censoring the internet for its citizens. Even wikipedia does selfcensorship to appease Beijing. And other Asian countries and governments are following the developments and want to implement it in their own countries. Like Thaksin here in Thailand, so I say resist. Waerth 17:06, 13 September 2005 (UTC)[reply]

I find it confusing that translations and other suggestions happen at the same time. Translations make comment from everybody easier, but surely we want to translate the finalised version? When will we know the official version? --Alias 08:20, 5 October 2005 (UTC)[reply]

This line in the Wikipedia privacy policy ..."# To Jimbo Wales, his legal counsel, or his designee, when necessary for investigation of abuse complaints." ... seems like a potentially large error to me? I think it should reference the Wikimedia Board or designee, not Jimbo. Jimbo Wales, Wikimedia Trustee, Chief of the Board, or similar title might be ok. It is my understanding that the laws in the U.S. which provide protection between corporate responsibility and personal responsiblity depend upon the Corporation or NGO being managed in accordance with Laws and the charter. Courts have found that individuals and officers managing or abusing organizations for their own purposes or as their own property can be held liable personally (personal assets are at risk) for mistakes that made in managing the organization. If Wikimedia has access to legal talent pro bono or has funds to pay for legal expertise then I think it would be a wise investment to consult a lawyer regarding this issue. user:lazyquasar

It seems unusual to explicitly name an individual in a document of this sort. More usual would be to name a role for which he was the current incumbent or owner

--BozMo 20:21, 1 November 2005 (UTC)[reply]

agreed Anthere 10:48, 4 January 2006 (UTC)[reply]

I think both the Wikipedia and the hopefully impending Wikiversity could benefit by meeting all requirements for self certification according to USA/EU "Safe Harbor" agreement regarding the handling of private information. Both projects are global in nature so the sooner we are in full compliance the less risk we are exposed to and the less likely we are to encounter impacts or cause others harm from unfortunate errors or misunderstanding.

• http://www.export.gov/safeharbor/
• http://www.export.gov/safeharbor/sh_overview.html
• http://www.export.gov/safeharbor/FAQ1sensitivedataFINAL.htm

w:user:lazyquasar

I read the german translation a few minutes ago. Statements like If you only read the Wikimedia project websites, no more information is collected than is typically collected in server logs by web sites in general. ist too general. The User should know which information about him are collected. That means: his user name, his IP-Number, time, and maybe more? Not everyone is an internet-specialist.

The Policy on release of data derived from page logs (esp. rules for giving away the IP-Username-log) is very general too. There isn't any guarantee that these files will not be publishished to all users (for example in case of "vandalism") Some people maybe have a profile with their clear name and one with an nickname. I dont think that most of them want to publish this connection, but the rules are not hard enough to guarantee this. That should be made clear for every user. Hadhuey 23:27, 29 November 2005 (UTC)[reply]

Hi. I wonder if someone (a Board member, perhaps?) can clarify one thing. The sixth item on "Policy on release of data derived from page logs" - is this talking about en:Necessity, a legal term? Or is it just a layman's term?

Tomos 02:44, 21 December 2005 (UTC)[reply]

Translation into catalan on catalan wikipedia

Pérez 05:34, 27 December 2005 (UTC)[reply]

Kate

Kate ( http://tools.wikimedia.de/~kate/cgi-bin/count_edits?user= ) might be considered a breach of policy §7 Privacy_policy#User_data which states : Data on users, such as the times at which they edited and the number of edits they have made are publicly available via "user contributions" lists, and occasionally in aggregated forms published by other users. Kate is not an other user but a tool displayed on a website owned by the Wikimedia Foundation. Kate is not an "occasional" publication, but a systematic tool available 24 hours a day, and providing informations on all users, not a smaller set of users selected on a particular occasion. The "disclaimer" section on Kate's main page seems to be the result of an inaccurate reading of the above mentioned §7. Kate is a controversial tool : see en:Wikipedia:Editcountitis for further reading.--Theo F 10:36, 4 January 2006 (UTC)[reply]

Can't see a problem here. Kate's & Interiot's tools don't publish anything that isn't in MediaWiki's user contribs. If there were external aggregation tools doing the same thing by connecting to Wikipedia & parsing it's HTML output - that wouldn't be a violation. So, why it's a violation when it's done by querying databse directly? And don't forget, these tools are extremely useful for teacking sockpuppets and evaluating user's contributions during RfA's. MaxSem 18:34, 4 March 2006 (UTC)[reply]

Special:unwatchedpages

According to Wikizine #6, Special:unwatchedpages gives a listing of the first 5000 pages that are not on someones watchlist. It is a static list updated regularly (hopefully). This is only for "users with protect permission". Sysops have access. Seems to be live on all wikis.source. That means that this tool is spying, on a regular basis, users' watchlists and transmitting data from the users' watchlists to the sysops. That means that the Wikimedia Foundation allows itself to spy on data supposed to be protected by a password. In order to build a trusting relationship with the Wikipedia users, the Foundation should clearly renounce such intrusive behaviour. A motto « Wikipedia is not GMail » is mostly welcome. See en:Gmail#Privacy for further reading.--Theo F 10:36, 4 January 2006 (UTC)[reply]

This is true: Wikipedia is in breach of privacy policy --anon 11:14, 5 January 2006 (UTC)

That's a bit inaccurate, at least in my opinion. In order for that page to be a breach of policy, it has to provide information that can track down a particular user; this tool provides an aggregate report, and does not contain any information that could be used to identify a particular user, so there is no breach of policy there. Titoxd 20:44, 3 March 2006 (UTC)[reply]

If all users but one share together which pages they watch, and use the aggregated data, they can make a substraction and find out which pages are watched by the remaining user. When a page never watched before suddenly becomes watched, you could have a look at the list of newly created accounts and make the hypothesis that the newly watched page is being watched by the user who just created a new account.

More generally, when a landlord rents a flat, he should not keep a key and enter the flat without the tenant's consent. By the same token, when you give somone an account with a password, you should not enter this password-kept area without the password holder's consent.

IMHO, this feature should be available on an "opt in" basis only. Theo F 10:32, 4 March 2006 (UTC)[reply]

That reasoning contains one major flaw: to be able to figure out the pages that a user watches, you first need to know the pages that every other user watches, which is not revealed anywhere. Besides, this is a server-side feature, data of who watches what page is never transmitted to a sysop, nor a sysop can in any practical scenario derive the information. Titoxd 22:19, 4 March 2006 (UTC)[reply]

If all the other users organize a tea party, and during this tea party decide to share their watchlists, they can perform the substraction and extract what the remaining watchlists contain. I think the trend of accessing data which are by nature private, without the account holder's knowledge, without the account holder's consent, is not a good trend. The owner of the account should be told how his data are going to be processed, and for which purpose, so that he can quit, or simply renounce to open an account, if he disagrees with the purposes of the data processing. If the landlord wants to keep a key and enter the flat every time he wants, that should be written on the rental agreement. Theo F 09:04, 7 March 2006 (UTC)[reply]

The thousands of them?! You must be kidding. This could be realistic only in small wikis where only tens of users actively participate and watch the pages. ACrush ^?!/_© 16:51, 18 April 2006 (UTC)[reply]

Interiot count edits [1]

This new tool raises the same questions as Kate (see above) Theo F 11:54, 3 March 2006 (UTC)[reply]

Does Wikipedia keep a log of ALL IP addresses ever used by a user for admins/sysops, developers or other officials?

I would hope only the most recent one gets "logged"/"tracked", otherwise this could potentially reveal a lot of personal information to the right kind of person.. (and let's not pretend that a sociopath can't become an admin, psychotics can pretend to be quite nice sometimes.) --72.36.221.10 11:14, 5 January 2006 (UTC)[reply]

These data are only stored for one week, so edits made prior to that will not be shown via CheckUser says CheckUser Policy. I don't know if that means that prior edits could be available through other means. --Theo F 14:28, 5 January 2006 (UTC)[reply]

Here is the Danish translation, could it be added to the list of languages?

http://da.wikipedia.org/wiki/Wikipedia:Privacy_policy

It should be named Beskyttelse af personlige oplysninger.

OK, done. McDutchie 03:26, 28 February 2006 (UTC)[reply]

• http://en.wikipedia.org/wiki/User:Aleksei
• http://en.wikipedia.org/wiki/User:Drahcir
• http://en.wikipedia.org/wiki/User:Princess_Homestar
• http://en.wikipedia.org/wiki/Wikipedia:New_user_log

My name is Daniel. I'm 10. I like reading and especially like Harry Potter books...

I am not a lawyer, but I think we may need to include COPPA checks and disclaimers. Wikimedia Foundation has "actual knowledge" that children under 13 are providing personal information (e.g., email addresses) when using the site or registering an user account. I am not sure how the non--profit status of WMF plays into this, but NASA and LiveJournal are doing the same.

Thanks, GChriss 19:15, 19 February 2006 (UTC)[reply]

This looks like a good suggestion. Not only the United States have laws about privacy. Most European Union countries, and Switzerland do. Wikipedia should provide ways to make Wikipedians comfortable with the privacy standards used in their home country. Theo F 12:18, 3 March 2006 (UTC)[reply]

There is a link in there (second paragraph) which links to http://meta.wikimedia.org/stats even though that is an invalid link. It's quite confusing when it happens on an 'official' page like it has. I'd fix it if I knew where it was supposed to link to...

Does anyone else think it would make sense to block search engine and archive bots from harvesting Talk: pages? This would prevent anonymous contributors from being "unmasked" by employers etc from IP address using a simple Google or Internet Archive search, but wouldn't stop abusive users being tracked by the Admins here (and since Wikipedia keeps its own archives anyway, nothing would be lost). I think you could block the talk pages easily enough with the line: Disallow: /Talk: ... in the "robots.txt" file.

The existing "robots.txt" seems to cover "edit" and "history" pages anyway: "# Friendly, low-speed bots are welcome viewing article pages, but not

1. dynamically-generated pages please."

... but if these get harvested too then I'd argue for them being blocked in the same way.

I know that hiding your IP address is one of the "perks" of registering, but I for one didn't even know what an IP address was twelve months ago - it doesn't seem fair to penalise the less technologically minded contributors. An increasing number of sites are considering IP addresses pseudo-personal information. I can't think of a single other site that publishes users' IP addresses the way Wikipedia does, and this seems crazy considering the site's excellent privacy policies on usage logs.

On a related note, can formerly-anonymous users "reclaim" anonymous posts when they've registered (so their IP address gets replaced by their username)?

Here [2]. "can not" should be "cannot"

The Privacy policy at Wikimedia:Privacy policy is now out of date, since it precedes the large scale use of "CheckUser" and claims only "developers" have access to the IPs of logged in users.

I am suggesting a revised version at User:Angela/Privacy policy (see [3] for a diff from the current version).

The main changes are to these two paragraphs:

"IP addresses of users, derived either from those logs or from records in the database are frequently used to correlate usernames and network addresses of edits in investigating abuse of the wiki, including the suspected use of malicious "sockpuppets" (duplicate accounts), vandalism, harassment of other users, or disruption of the wiki."

"It is the policy of Wikimedia that personally identifiable data collected in the server logs, or through records in the database via the CheckUser feature, may be released by the system administrators or users with CheckUser access, in the following situations:"

I intend to propose that the Board accept the new draft as official policy, but would appreciate feedback or further improvements before then. Please add comments below.

Thanks. Angela 13:18, 14 April 2006 (UTC)[reply]

I am happy with the changes. Others' thoughts?

James F. (talk) 13:35, 14 April 2006 (UTC)[reply]

Good idea Angela. Could we check with Brad what he thinks of the overall policy ? Anthere

As a frequent user of CheckUser, I think these changes are reasonable and properly reflect the way the tool is used today. Please note that on enwiki we tend to interpret "behaving in a disruptive way" to mean a significant and sustained violation of local wiki policy in such a manner as to make relevant the fact that two or more accounts are being used by the same individual ("sockpuppetry"). The information to be revealed is limited to an estimate of the likelihood that such a situation exists, based on the totality of the evidence, and a credible case for the allegation of sockpuppetry must exist before a check is performed. (In other words, no fishing expeditions.) Furthermore, on enwiki, we (those of us with CheckUser privileges) have agreed not to release anything other than conclusory statements about an investigation. Inadvertently discovered sockpuppets or other "interesting" facts about editors are not to be revealed except when relevant to the conclusion that an editor is being abusive or disruptive.

The other use made of CheckUser is to assist in the process of identifying and blocking open proxies. There is a particular editing quirk that we've learned is associated with certain types of open proxies; when we find that quirk it is normal to run a CheckUser to determine the origin of the quirky edit and block the originating IP (or IP range, in certain cases). I generally do not announce the identities of the accounts using such proxies unless there is evidence of disruption in addition to the quirky editing behavior. It is my opinion that this usage of CheckUser is consistent with the proposed policy; if it is not, I would strongly urge that the policy be amended to permit this sort of security management activity as it has done a great deal to cut back on open proxy abuse on enwiki. Kelly Martin 04:04, 15 April 2006 (UTC)[reply]

I think that de User Elian has used CheckUser in an abusive way by checking assumed sockpuppetry of Dr. Volkmar Weiss who has not shown "behaving in a disruptive way". German wikipedia has no clear rules for sockpuppetry but the criteria for CheckUser (mainly deception in votings) were not fullfilled. CheckUser should be used more cautiously --84.60.197.141 03:08, 28 May 2006 (UTC)[reply]

Quote "Only developers can permanently delete information from Wikimedia projects and there is no guarantee this will happen except in response to legal action."

Wow. Rather severe. I understand no one is obligated to delete anything from an edit history except under legal action, but I hope you don't have to resort to legal action in most of these cases. I know some cases which should be open and shut and the contributors' request should be fulfilled. Cases where a contributor in her/his early days disclosed some personal information on a Wikipedia article talk page but later regretted it; removed it; but the information remains in the history. The information is not needed for any legal or Wikipedia purposes---if I were to request the deletion of such information from such an article talk page's history, I'm hoping it can be done without "legal action". Any thoughts? And how can one contact such a developer to make a request (of course, while logged in or via email)? 69.106.107.44 04:51, 8 May 2006 (UTC)[reply]

This is outdated. Some users have oversight, which means they can delete revisions for such reasons as posting personal details and the like. 59.167.125.117 06:35, 18 June 2006 (UTC).[reply]

Oversight is not deletion; it's hiding. Truly permanent deletion still requires a developer's assistance. Kelly Martin 06:42, 18 June 2006 (UTC)[reply]

On passwords, the policy says, "Many aspects of the Wikimedia projects' community interactions depend on the reputation and respect that is built up through a history of valued contributions. User passwords are the only guarantee of the integrity of a user's edit history. All users are encouraged to select strong passwords and to never share them. No one shall knowingly expose the password of another user to public release either directly or indirectly."

How can passwords possibly be secure, and total proof of a user's identity, when the passwords are sent unencrypted over the internet, allowing for any Eve who gets between a user and the login server to impersonate said user. And why should I choose a secure password, when using a secure password on Wikipedia might compromise the security of that same password being used on a secure, encrypted login? If password integrity is so important, why not use SSL?

- Armedblowfish 11:02, 15 June 2006 (UTC)[reply]

see en:Wikipedia talk:Delete unused username after 90 days, passing this would require an amendment to the policyy. 70.26.113.6 01:08, 27 June 2006 (UTC)[reply]

"Whether specific user information is deleted is dependant on the deletion policies of the project that contains the information." 'Dependant' should be 'dependent' —Preceding unsigned comment added by 167.202.196.71 (talk • contribs)

http://en.wikipedia.org/wiki/Brazil

About mailing lists:

Some email addresses ... may forward mail to a team of volunteers ... to use a ticket system such as OTRS ....

Mail to board AT wikimedia DOT org or to board members' private addresses may also be forwarded to the OTRS team.

The last line should be "to the voluneteer team". --Mongol 21:01, 10 July 2006 (UTC)[reply]

Can I use this as a basis for the Privacy Policy at my site? —Preceding unsigned comment added by 140.209.124.24 (talk • contribs)

I've just noticed that there are very critical discrepancies between the English original and the Japanese translated version at the Foundation website. We need to update the Japanese Privacy Policy translation. I will post the same message at Talk:Privacy policy/Ja. Thank you. --Californiacondor 13:06, 14 November 2006 (UTC)[reply]

After looking around for 5 or 10 minutes I could not find anything about the privacy or lack thereof of searches. Is everything typed into the search box safe from the government (or other nairdowells)? Or is it all saved and distributed freely? Or something inbetween? Knowing something about what happens when you type into the search box is important (if privacy is important at all). —Preceding unsigned comment added by 71.238.68.25 (talk • contribs)

It seems as if compaints about the privacy policy are intended to be handled by the m:Ombudsman commission (see w:Signpost, w:Wikipedia:Privacy policy). As far as I can tell, few people know about this. I think it might be helpful for the people who need it if the commission was mentioned on foundation:Privacy policy, similar to what is written, unoffically, at Wikipedia. Kenb215 03:07, 14 June 2007 (UTC)[reply]

Hello, could someone direct me to some content regarding whether individuals have the right to request the removal of details such as full name, age, occupation, location etc from articles, or the correct procedure for doing so? 58.173.165.12 08:07, 18 June 2007 (UTC)[reply]

• Some editors have decided to adopt pseudonyms as a username, and due to privacy, there is no scrutiny available, and no accountability.
• I believe in openness. My Wikipedia Username reflects by personal name,[4] and I have had a link on my Wiki User page,[5] to my personal home page.[6] (which is easily found on Google).
• Since they are publicly available, some editors have subjected my personal details to a level of scrutiny that is not available to them, and I believe that some are taking advantage, to argue that my education, affiliations and interest demonstrate an "agenda", or even a conflict of interest in certain articles.
• It seems unfair that an editor who is open about their identity, may be subject to a level of scrutiny that editors with pseudonyms are not.
• Does publicizing one's identify, and linking to a personal home page, mean that an "open" editor forgoes the right to "privacy" that is enjoyed by an anonymous editor? --Iantresman 08:10, 15 July 2007 (UTC)[reply]

In a couple of weeks I will be performing with a notable band. If my name goes into their WP article, do I have the right to edit it so that my stage name only is in the article, as I'd prefer to keep my real name offline? Also: if I do get in the article, would I be still allowed to edit any of the article, even bits I'm not mentioned in (eg discography), because of COI rules? Totnesmartin 11:23, 5 August 2007 (UTC)[reply]

(tap tap) Hello? Fat lot of good this place is...

I highly suggest at some point in the future changing policy to allow for one very specific hole to deleting user names: emergencies as deemed by the systems administrators. This concern stems from recent research in defeating CAPTCHAs. Properly motivated (i.e., with enough skill in math & programming experience to put to practice), an attacker could fairly reliably defeat the CAPTCHAs that are employed on most Wikimedia projects, therein bypassing the check against automated account registration. Therefore, I believe that should anyone try to use this as a form of attack, there should be in place the ability for the actual Wikimedia systems administrators to repair the damage by deleting the maliciously-added accounts outright. Otherwise, the attacker would have a viable long-term attack plan-- simply keep running the attack.

To clarify, I would like everything to remain the same, except that only systems administrators (i.e., the same people who are needed to permanently delete material even after Oversight) are able to delete user names manually. I feel that this is a safe amendment, because absolute worst-case scenario, there are still physical backups of any data deleted. However, if I'm overlooking something here, please definitely let me know, as I obviously want this change to be as conservative as possible while still maintaining the safety of the network. --slakr 00:28, 12 September 2007 (UTC)[reply]