Policy talk:Privacy policy: Difference between revisions

Policy talk:Privacy policy/Header User:MiszaBot/config PrivacyPolicy-Invitation

What is changing? Several comments below ask about what’s new in this draft as compared to the current privacy policy. To help new folks just joining the conversation, we have outlined the main changes in this box. But feel free to join the discussion about these changes here. As a general matter, because the current privacy policy was written in 2008, it did not anticipate many technologies that we are using today. Where the current policy is silent, the new draft spells out to users how their data is collected and used. Here are some specific examples: Cookies: The current policy mentions the use of temporary session cookies and broadly states some differences in the use of cookies between mere reading and logged-in reading or editing. The FAQ in the new draft lists specific cookies that we use and specifies what they are used for and when they expire. The draft policy further clarifies that we will never use third-party cookies without permission from users. It also outlines other technologies that we may consider using to collect data like tracking pixels or local storage. Location data: Whereas the current policy does not address collection and use of location data, the draft policy spells out how you may be communicating the location of your device through GPS and similar technologies, meta data from uploaded images, and IP addresses. It also explains how we may use that data. Information we receive automatically: The current policy does not clearly explain that we can receive certain data automatically. The new draft explains that when you make requests to our servers you submit certain information automatically. It also specifies how we use this information to administer the sites, provide greater security, fight vandalism, optimize mobile applications, and otherwise make it easier for you to use the sites. Limited data sharing: The current policy narrowly states that user passwords and cookies shouldn’t be disclosed except as required by law, but doesn’t specify how other data may be shared. The new draft expressly lists how all data may be shared, not just passwords and cookies. This includes discussing how we share some data with volunteer developers, whose work is essential for our open source projects. It also includes providing non-personal data to researchers who can share their findings with our community so that we can understand the projects and make them better. Never selling user data: The current policy doesn’t mention this. While long-term editors and community members understand that selling data is against our ethos, newcomers have no way of knowing how our projects are different from most other websites unless we expressly tell them. The new draft spells out that we would never sell or rent their data or use it to sell them anything. Notifications: We introduced notifications after the current policy was drafted. So, unsurprisingly, it doesn’t mention them. The new draft explains how notifications are used, that they can sometimes collect data through tracking pixels, and how you can opt out. Scope of the policy: The current policy states its scope in general terms, and we want to be clearer about when the policy applies. The new draft includes a section explaining what the policy does and doesn’t cover in more detail. Surveys and feedback: The current policy doesn’t specifically address surveys and feedback forms. The new draft explains when we may use surveys and how we will notify you what information we collect. Procedures for updating the policy: The new draft specifically indicates how we will notify you if the policy needs to be changed. This is consistent with our current practice, but we want to make our commitment clear: we will provide advance notice for substantial changes to the privacy policy, allow community comment, and provide those changes in multiple languages. This is of course not a comprehensive list of changes. If you see other changes that you are curious about, feel free to raise them and we will clarify the intent. The purpose of a privacy policy is to inform users about what information is collected, how it is used, and whom it is shared with. The current policy did this well back when it was written, but it is simply outdated. We hope that with your help the new policy will address all the relevant information about use of personal data on the projects. YWelinder (WMF) (talk) 01:07, 6 September 2013 (UTC)[reply]

There are obviously a lot of things to talk about and if you aren't interested in this piece of it please feel free to start a new section with your discussion point/question/concern/etc. As you can probably see both here and on some of the other policies and draft pages we rolled out we're trying the idea of having illustrations and light humor in the text. These are not in anyway 'set' and may not appear in the final version if they're not appreciated. Legal documents tend to be lengthy, weighty and difficult to read (and rarely read at that) especially when you consider how many sites the average user visits. We want to make these documents as accessible as possible to as many people as possible. We hope to keep everyone's attention with the illustrations and a bit of levity. This is especially the case in the privacy policy but we've seeded them in a couple other locations as well. Do you like them? Hate them? Any specific ones work well or not work well? Should we think about another scene for a specific area? Jalexander (talk) 01:50, 4 September 2013 (UTC)[reply]

I think the illustrations are a waste of screen space and the web page would be physically easier to read without them - eg I wouldn't need to scroll horizontally when reading in a narrow window.

The levity and humour in the text is unnecessary and possibly counter-productive. It's hard to take a policy seriously when it compares itself to "eating your greens". "Plain English" (instead of "legalese") is a very good thing, but making it too informal or "chatty":

• may create a perception that you don't really care at all - because you're joking about it.
• may create ambiguity or uncertainty because the less formal the language, the less precise it risks becoming.

The policy needs to be easy to read and factual; it does not need to be entertaining. Mitch Ames (talk) 06:55, 4 September 2013 (UTC)[reply]

Yes, something like http://creativecommons.org/licenses/by-sa/2.0/ is perfect, but "funny" images are IMHO a poor idea.

Sorry but this "Hi, I'm Rory! I'm here to help explain this privacy policy. Welcome!" is terrible. It is straight from stupid commercial and/or something for a small children. Bulwersator (talk) 07:03, 4 September 2013 (UTC)[reply]

Agrre with all of the above. Wikipedia (& Wikimedia) is not a children's book. -Nabla (talk) 09:06, 4 September 2013 (UTC)[reply]

Gotta agree with Bulwesator & Nabla. Now if Rory were something with roots in the community (like Wikipe-Tan), I wouldn't be bothered hy this illustration half as much, however Rory is just some plush toy at the Foundation offices, giving the impression this is an initiative from the Foundation & foistering an us-vs.-them feeling to this proposed policy. (Yes, that is an issue that has been hammered ad nauseum, but presently there is a fair amount of distrust from the community about anything the Foundation does. Unforutnately clumsy stuff like this only aggrivates this distrust.) -- Llywrch (talk) 15:43, 4 September 2013 (UTC)[reply]

I agree, this Rory feels like a reincarnation of Clippy - "one of the worst software design blunders in the annals of computing". I think we can do much better here... I understand the desire to make this policy more friendly, but it must first and foremost be clear and believable. I personally feel that any cute character used on this document will only serve to undermine its legitimacy in the eyes of serious users. -- JonathanCross (talk)

I personally enjoyed the illustrations and the style of speech as well. In my eyes this is a good way to encourage readers to study the whole document and not stop reading after the first paragraph. Besides that, horizontal scrolling should be prevented through better html. --trm 10:07, 4 September 2013 (UTC)[reply]

I also like the illustration too. Given that some of our contributors and readers are kids, we want them to know how it affects them. Plus, nobody (adults and kids alike) likes to read a text block of quasi-legal stuff. The illustration helps retain some of their attention while they read through the page. OhanaUnited^{Talk page} 18:36, 4 September 2013 (UTC)[reply]

To my definition of a kid is someone who is under the age of teenager. I'm fairly sure that very very few contributors on this site fit my definition of a kid. I'm sure no kid would ever read the policy, consider that most them wouldn't able to understand that much. Even for readers, kids would only made up a very small portion of the total wikipedia readers (I barely can come up with any reasons why any kid would come to read Wikipedia's articles rather than watching TV or doing something fun). I expect this site to be a grown-up one not a website for kids.184.97.201.174 02:06, 5 September 2013 (UTC)[reply]

Look at the 2 things separately - Illustrations are fine, talking down like we're in kindergarten and we're being read a bedtime story, is probably not. I seriously doubt a lot of kids will be reading this quasi-legal, rather lengthy policy with things about metadata, subpoenas and access to nonpublic information policy etc.. With that said, It's actually a good idea to inject some levity in the mix with illustrations (I loved the kittens that used to be in other project and small cutesy things added here and there - but a mascot talking down might not be right for this audience). A little consideration for the audience would go a long way - I would suggest 'In a nutshell' blurbs accompanying the illustration would be more helpful - something like tl;dr version in 2-3 bullet-points. Hope that helps. Theo10011 (talk) 21:09, 4 September 2013 (UTC)[reply]

It says at the beginning that Rory is "here to help explain this privacy policy", but that never really happens. Some fuzzy drawings of something that looks like a cross between ET and a fluffy toy doing indistinct actions is not much of a help to me, at least. 86.169.185.183 01:26, 5 September 2013 (UTC)[reply]

I think we could explain more but for now I've removed that piece and he just says "Hi, I'm Rory". You're right, that for now he isn't really explaining anything. Jalexander (talk) 02:44, 5 September 2013 (UTC)[reply]

Hi everyone - I really appreciate the feedback on the use of images (namely, Rory, the tiger) in the privacy policy. He does represent something novel in our thinking about how to communicate a policy to a wide audience of readers and users. We like the concept, but, recognizing this is a bit of an experiment, we are definitely listening closely to your views - both pro and con.

Just to share a perspective for your consideration:

Our chief concern is to find a way to encourage everyone to read the privacy policy, given its importance to our readers and contributors. We are told that privacy policies are hard to read, that people read them infrequently, and that, when they do read them, people misunderstand them often. We are looking for ways not to fall into that norm. For example, we have included a user-friendly summary at the beginning of the policy - which was a great idea suggested by the community when we were consulting on the terms of use. We believe that, in addition to avoiding legalese, our use of visuals might also improve interest and readability in longer documents like our privacy policy.

Most Wikimedians hardly need a visual to read through a complicated document, but, of course, this policy is for everyone, including readers who may not be as familiar with our sites and projects. In the ideal world, we want to attract as many people as possible to read the privacy policy since it does govern their use of our projects and the expectations of the community and WMF.^[1]

Now our present use of the visuals is only illustrative. We are looking at ways to leverage the pictures to better explain aspects of the policy. The text box under the Rory image in the “Welcome” section is meant to help inspire ideas on how to use such images to facilitate readability and understanding. Based on some comments here, we are going to change the present text to avoid confusion, but we would be interested in your ideas on how to best use images (if you think that would be a good idea). For example, we could use other text boxes in the margins to help link to relevant FAQs on the topic or to highlight critical parts of the policy, if you thought that was useful.

Anyhow, we are really interested in your views on this idea and how we could leverage it. Also, if you have other ideas on how to improve readability through visuals, that would be helpful as well.

Thanks again for your time, comments, and insights. I greatly appreciate it. Geoffbrigham (talk) 03:31, 5 September 2013 (UTC)[reply]

Commenting on the "reference": there seems a world of difference between using a cheerful character to encourage editors to visit the draft and offer feedback, and having that same character featuring in a serious document. I hope that any success with Rory on the banner will be interpreted as "it might be a good thing to have Rory on a banner encouraging user interaction" and not as "it is a good thing to have Rory in a serious policy document". PamD (talk) 10:11, 5 September 2013 (UTC)[reply]

Hey Geoff, thanks for giving a background on this. It helps to understand what the intention was. I do believe something like illustrations accompanying the large body of text would be very helpful and break the monotony. It is a good idea, but this attempt misses the mark in my opinion. It just means another attempt might be needed here. Twitter fail whale, firefox fox, Google's android - mascots are actually quite common and using them in internal documents is also not unheard of. We just need to do better with this.

The difference, you guys might know Rory, most of us don't. Wikipe-tan is about as close to a mascot as we can get, and that might not be really suitable for this. My suggestion again would be using illustrations to make some sort of a "In a nutshell" or "tl;dr" version with bullet points. It can consolidate a large amount of text into a few salient points accompanied by some cute illustration - something like a tl;drabbit or nutshell kitten.

Also, if you would allow me to go on a brief rant here about something trivial - the senior staff should exercise more judgement. A/B testing is/has become carte blanche for backing anything lately, it was bordering on our own internal meme. We are slowly becoming a private start up, hellbent on maximizing click-through with banners. Unfortunately, porn websites and scammers have been doing this for years and doing it better. I suppose the final step would be learning everything from them and copying them to maximize click-throughs. I'm sure a nude or a semi-nude in the banner would also give a much higher click-through than what might have been seen - but someone has to exercise good judgement. I personally have nothing but disdain for A/B testing, especially when its used blindly without any common sense, judgement or editorial control. I hope the senior staff members can see the point here, and show a little bit more wisdom when it comes to blind numbers and testing. Thanks. Theo10011 (talk) 10:08, 5 September 2013 (UTC)[reply]

Thanks Theo for your thoughts. I appreciate your view and those of others on this topic. I do like the nutshell idea. Hear you on A/B testing. Geoffbrigham (talk) 12:17, 5 September 2013 (UTC)[reply]

Thanks Geoff. Your reply is much appreciated. Theo10011 (talk) 17:08, 5 September 2013 (UTC)[reply]

I am not totally anti the use of images; my main problem with "Rory" is that, with no offence intended to the artist, it simply isn't very well drawn. 86.167.19.217 17:49, 5 September 2013 (UTC)[reply]

Re Theo10011: I think we shouldn't be using Wikipe-tan because the character itself only represents one project (Wikipedia) out of many other WMF projects. Even the name "Wikipe-tan" implies it is for Wikipedia. On the other hand, Rory does not have this issue. Since the privacy policy affects not just Wikipedia but all projects, it's inappropriate to use a character with a very narrow scope. OhanaUnited^{Talk page} 20:33, 5 September 2013 (UTC)[reply]

I agree about Wikipe-tan, and there is a list of reasons why its usage here might be a bad idea. Apart from that, my point was - no one knows "Rory" it might as well be Tony or Leo. Someone mentioned Rory is a stuff-toy at the office and it's supposedly an in-reference to that- I don't know if that is true or not, but there is no familiarity there to go off of. Someone mentioned that they thought they saw either Tony the tiger from Kellogg or Tigger from Winnie the pooh on Wikipedia. Theo10011 (talk) 21:05, 5 September 2013 (UTC)[reply]

I think the images are frankly playful, inviting, engaging, and ultimatey appropriate. The purpose of illustration here is to invite the reader into a conversation about privacy. Legal documents tend towards the dry, boring, and off-putting. Anything that furthers people actually wading into the details of complex policy should be lauded. There's a misconception that anything cute or playful is at odds with serious pursuits; it's quite the opposite, though. Playful design, when it's done well, invites a larger audience and welcomes them into serious discussion. The illustrations do not detract from the meaning of the policy, they just make it more likely that more people will read it. Yes, our hard-core contributors may feel slightly insulted or belittled by this display of creativity, but they're going to read the policy anyway, and so the illustrations serve to attract a different, broader audience. I think particular jokes may need tweaking, and clear and bold summaries of policy impact are top-priority for emphasis, but images do not take away from that. Ocaasi (talk) 18:07, 5 September 2013 (UTC)[reply]

I love the images. I think they inject the right amount of whimsy into a subject which is decided Super Serious and boring. I found that I actually read the privacy policy text because of them - if only so that I could scroll forward and see the next image. That was actually very clever, I think. I feel that if we can't make room for some fun, we've failed at what we do - it means we're not confident in what we're producing. --Jorm (WMF) (talk) 21:17, 5 September 2013 (UTC)[reply]

At first I borked at the images and playful text, but then I reconsidered. I imagined a teacher using the illustrations in colouring activities (or like) and trying to start a lesson, as simple as it would have to be, on data, privacy and security... to this end, the text needs to have simple one liners at the start, that sum up the sections. Maybe rename the section headings so when read alone, they make some sort of meaningful narrative. Then the first line of each section is for the next level of readership, limited to 140 characters for example, then the next paragraph is the next level (100 words), and so on until you have a paragraph that an expert can read. That way, like the language versions, you'll be reaching as wider range of audience as possible. Regarding the light humour, be careful not to use colloquial or culturally centric humour. Leighblackall (talk) 23:52, 5 September 2013 (UTC)[reply]

Re colloquial or culturally centric humour: we tried hard to stick to things that we thought could be translated (most of us on the legal team have at least one second native-level language), but if we failed in that, we'd definitely love to hear about it so we can fix it or help the translators find good alternatives. - LVilla (WMF) (talk) 00:51, 6 September 2013 (UTC)[reply]

I loved the illustrations. I hope i'm putting my comment in the right place because I've actually never added anything to this site before in any way though I use it all the time. The illustrations are cute, and the overall effect is to make the legal tone of the policy more friendly and less forbidding. I didn't feel talked down to because of them. I agree with the person who said that they read more of the policy because of them, I did the same. I especially liked the one with the sword and shield by "protection."

Hey! As someone who could be considered a "kid" I think that Rory could be entertaining and helpful for younger contributors. He was the thing that caught my eye and actually encouraged me to read the policy. I think that in the right places(such as influential changes like this one) he and other little illustrations could help the younger audience participate more. I know that I wouldn't have read it if it was the same old long boring document that contains hard to understand language. Also, some of "jokes" could be rephrased as the younger audience might not get them, and the older audience feels talked down too. If the jokes are used in the right way, then it will help the paragraph and not distract and detract. Overall, if the changes are tweaked a bit, then I believe that they will be welcomed in the Wikipedian community. 17adavis7 (talk) 23:39, 9 September 2013 (UTC)[reply]

I didn't like Rory either. It seems childish when they is a legal-like document.Frmorrison (talk) 14:29, 10 September 2013 (UTC)[reply]

Maybe hide it as default or move to the bottom? There is nothing here that would be surprising or interesting for normal person and on encountering it half people will stop reading this document Bulwersator (talk) 07:10, 4 September 2013 (UTC)[reply]

Hi Bulwersator! Thank you for your suggestion! Hiding this section as a default is certainly an option if it seems that the majority of people already know this information, but moving it to the bottom probably wouldn't make organizational sense. What do other people think? Did the "A Little Background" section provide you with information you didn't already know? Should it remain as is or be changed to default hidden? Mpaulson (WMF) (talk) 18:42, 4 September 2013 (UTC)[reply]

Agree with Bulwersator. As it is "Privacy policy", it should deal directly with the standing privacy policy. Additional information is additional information. Nuts and bolts, please. --Iryna Harpy (talk) 03:57, 8 September 2013 (UTC)[reply]

Hi Iryna Harpy! Thank you for your input. I will continue to monitor this thread to see if there is a lot of support to change this section's default to hidden. Mpaulson (WMF) (talk) 20:37, 9 September 2013 (UTC)[reply]

Found on second paragraph in Privacy policy#Account Information & Registration. Is there any reason to have a link to a user page on policy page? – Kwj2772 (msg) 07:14, 4 September 2013 (UTC)[reply]

Just as a note the specific account is a created 'example' (you can see a little comment/note in the edit window ). Jalexander (talk) 07:30, 4 September 2013 (UTC)[reply]

I think the joke still works if you put a disclaimer right on the user page. Steven Walling (WMF) • talk 17:05, 4 September 2013 (UTC)[reply]

Hi Steven and Kwj2772! We are contemplating possible changes based on this input, but want to wait to see what other comments we receive on this joke prior to making any changes. Mpaulson (WMF) (talk) 19:06, 4 September 2013 (UTC)[reply]

I don't think this joke translates well. PiRSquared17 (talk) 19:10, 4 September 2013 (UTC)[reply]

I removed this sentence. It's a bad joke and isn't appropriate for this document. --MZMcBride (talk) 12:28, 5 September 2013 (UTC)[reply]

• I expected Rory to actually say more stuff as the page went on. As it is, he is pretty useless.

Thanks, This, that and the other. I appreciate your taking the time to read and post. I hear you re Rory. I did a posting on this, which you can find here. I agree that, if we do decide to use visuals, we will need to find ways of doing so in a helpful way. Geoffbrigham (talk) 13:02, 5 September 2013 (UTC)[reply]

• Under "More On What This Privacy Policy Doesn't Cover", the use of the phrase "are supposed to" implies that some stewards or checkusers might be able to get away without agreeing to follow the other policies. I suggest that you use "must" here instead.

Thanks. I have been going back and forth on this since community members don't work for the Wikimedia Foundation. How about we say "are required to"? This would refer to the requirements of the new draft of the Access to nonpublic information policy. Would that work? Geoffbrigham (talk) 13:06, 5 September 2013 (UTC)[reply]

Thanks This, that and the other! We have changed the policy to "are required to" as Geoff suggested. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)[reply]

• Under "Your Public Contributions", we have "Your contribution (even if you just removed something) will show when it was made and your username (if you are signed in) or your IP address (if you are not signed in)." While I think I get what this means, it still comes across as a bit ambiguous. Please recast this sentence so it is better structured and pronouns are used in a clearer way.

I see what you mean. If you have time, could you give us some proposed language. If not, don't worry. We will think about it a bit ourselves. Geoffbrigham (talk) 13:14, 5 September 2013 (UTC)[reply]

We have redrafted so that it reads: "The page history will show when your contribution or deletion was made, as well as your user name (if you are signed in) or your IP address (if you are not signed in)." I hope this helps with the clarity issue. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)[reply]

• Humor is fine, but a lot of this humor is quite bad humor :( Some examples:
  • "... the picture of you in that terrible outfit your mom forced you to wear when you were eight." It's just not funny.
  • Get rid of "ericsgrl4evah". The link is funny, but inappropriate and confusing. Or at the very least, go and full-protect her user and user talk pages on enwiki.
  • Under "Information We Collect", "While removing or disabling our locally stored data does not cause lasers to shoot out of your device" is silly, and could conceivably be taken literally.

We have actually gotten different types of feedback on this, sometimes quite positive. I tend to think humor is fine if it encourages the reader to read the document and actually enjoy that experience. We have seen other policies do this successfully. Indeed, I don't believe legal documents should be stuffy or overly formal. It does not affect the legal effect of the document. That said, we are definitely listening to this type of feedback. After we hear from others, we may want to revisit how we are approaching it. (P.S. Will get to your other comments shortly.) Geoffbrigham (talk) 13:19, 5 September 2013 (UTC)[reply]

• "the website you exited the Wikimedia Sites from". What is this? Surely you exit the Wikimedia Sites from the Wikimedia Sites themselves?

This was phrased improperly. Thank you for catching that. It has been changed to "the website you exited to when you left the Wikimedia Sites". Hope that is a little clearer now. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)[reply]

• JavaScript, please.

I believe MZMcBride already changed this. Thanks for pointing that out! Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)[reply]

• Under "How Long Do We Keep Your Data?" the bit "such as your IP address if you edit while not logged in and any public contributions to the Wikimedia Sites." needs to be recast. Suggesting "such as your IP address (if you edit while not logged in) and any public contributions you make to the Wikimedia Sites."

Thanks! I have revised according to your suggestion. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)[reply]

• Link WikimediaAnnounce-L every time.

Thanks! This is been revised according to your suggestion. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)[reply]

Nice work, though. This, that and the other (talk) 07:43, 4 September 2013 (UTC)[reply]

I too concur on the point that Rory is an absolutely stupid and redundant idea. It should be removed. Privacy policies aren't comedic, they're serious business. Having some chump character introduce itself then serve absolutely no purpose just gives me the vibe that someone doodled something, thought it was gods gift to art, then pushed an agenda to have it incorporated. It's redundant, superfluous, and should be removed to minimize distraction of future readers. BaSH PR0MPT (talk) 02:57, 5 September 2013 (UTC)[reply]

I think this is a valid view, BaSH PROMPT, but I think the use of visuals could be helpful. I did post something on that above. I am also seeing some interesting alternative ideas. Thanks. Geoffbrigham (talk) 13:23, 5 September 2013 (UTC)[reply]

Hi This, that and the other. You should be able to edit the page yourself. :-) I removed the "Ericsgrl4evah" sentence and corrected the spelling of JavaScript just now. --MZMcBride (talk) 12:46, 5 September 2013 (UTC)[reply]

I've responded in-line above. We really appreciate your comments, This, that and the other. They have already made the draft better. Mpaulson (WMF) (talk) 22:59, 5 September 2013 (UTC)[reply]

• In the summary change this: "This Privacy Policy does not apply to all of the Wikimedia Sites, such as ..." to this: "This Privacy Policy does not apply to some of the Wikimedia Sites, such as .... " To say it does not apply to all sites is ambiguous and could be taken to mean that it does not apply to any sites.

Template:Answered

Je vous remercie. Les versions allemande et française sont des traductions juridiques professionnels. Mon expérience est que nous avons besoin d'habitude de membres de la communauté de prendre les versions professionnelles à travers une révision ou deux. Pour cette raison, nous avons invité la communauté pour améliorer les traductions dans la mesure où cela est possible. Geoffbrigham (talk) 08:11, 6 September 2013 (UTC)[reply]

J'ai il y a quelques jours commencé à essayer d'apporter quelques améliorations à la traduction en français mais ce n'est pas facile car : je ne suis pas un excellent traducteur ; les textes sont trèèèès longs, on se fatigue vite ; je n'ai pas trouvé où se traduisaient certains morceaux du texte, par exemple Informations importantes 78.251.253.2 10:58, 6 September 2013 (UTC)[reply]

What is changing in the new Policy relative to the current one? Can anyone knowledgeable, probably those proposing it, make a diff please? - 09:08, 4 September 2013 (UTC)

+1

I have no big problem with this policy but knowing what's diferent helps to decide if it is 1 step forward or not. --Madlozoz (talk) 14:23, 4 September 2013 (UTC)[reply]

Also agree that it would be useful to know the actual changes in the policy - it could be done as a chart in a subpage since I can't see how one could give a "diff". Risker (talk) 14:28, 4 September 2013 (UTC)[reply]

Obviously a plain simple diif was not possible, if it was, there would be no point in asking for a changes list, we would do the diff, right? :-) - Nabla (talk) 20:24, 7 September 2013 (UTC)[reply]

See also #So, what is the purpose of all this?. --Nemo 05:44, 5 September 2013 (UTC)[reply]

Footer is linking to clearly superior http://wikimediafoundation.org/wiki/Privacy_policy 89.74.119.184 15:30, 5 September 2013 (UTC)[reply]

Second the motion PauAmma (talk) 15:50, 5 September 2013 (UTC)[reply]

Agreed, it's a nice looking document and quite readable, but I don't understand what and how it has changed. Ocaasi (talk) 16:39, 5 September 2013 (UTC)[reply]

+1 78.251.243.204 22:17, 5 September 2013 (UTC)[reply]

Thanks for asking about this. As Risker noted, it would be impossible to show the changes in a diff given that this is a completely new policy. Instead, I would like to outline some important changes here.

As a general matter, because the current privacy policy was written in 2008, it did not anticipate many technologies that we are using today. Where the current policy is silent, the new draft spells out to users how their data is collected and used. Here are some specific examples:

1. Cookies: The current policy mentions the use of temporary session cookies and broadly states some differences in the use of cookies between mere reading and logged-in reading or editing. The FAQ in the new draft lists specific cookies that we use and specifies what they are used for and when they expire. The draft policy further clarifies that we will never use third-party cookies without permission from users. It also outlines other technologies that we may consider using to collect data like tracking pixels or local storage.
2. Location data: Whereas the current policy does not address collection and use of location data, the draft policy spells out how you may be communicating the location of your device through GPS and similar technologies, meta data from uploaded images, and IP addresses. It also explains how we may use that data.
3. Information we receive automatically: The current policy does not clearly explain that we can receive certain data automatically. The new draft explains that when you make requests to our servers you submit certain information automatically. It also specifies how we use this information to administer the sites, provide greater security, fight vandalism, optimize mobile applications, and otherwise make it easier for you to use the sites.
4. Limited data sharing: The current policy narrowly states that user passwords and cookies shouldn’t be disclosed except as required by law, but doesn’t specify how other data may be shared. The new draft expressly lists how all data may be shared, not just passwords and cookies. This includes discussing how we share some data with volunteer developers, whose work is essential for our open source projects. It also includes providing non-personal data to researchers who can share their findings with our community so that we can understand the projects and make them better.
5. Never selling user data: The current policy doesn’t mention this. While long-term editors and community members understand that selling data is against our ethos, newcomers have no way of knowing how our projects are different from most other websites unless we expressly tell them. The new draft spells out that we would never sell or rent their data or use it to sell them anything.
6. Notifications: We introduced notifications after the current policy was drafted. So, unsurprisingly, it doesn’t mention them. The new draft explains how notifications are used, that they can sometimes collect data through tracking pixels, and how you can opt out.
7. Scope of the policy: The current policy states its scope in general terms, and we want to be clearer about when the policy applies. The new draft includes a section explaining what the policy does and doesn’t cover in more detail.
8. Surveys and feedback: The current policy doesn’t specifically address surveys and feedback forms. The new draft explains when we may use surveys and how we will notify you what information we collect.
9. Procedures for updating the policy: The new draft includes specific instructions on how we will notify you if the policy needs to be changed. This is consistent with our current practice, but we want to make our commitment clear: we will provide advance notice for substantial changes to the privacy policy, allow community comment, and provide those changes in multiple languages.

The purpose of a privacy policy is to inform users about what information is collected, how it is used, and whom it is shared with. The current policy did this well back when it was written, but it is simply outdated. We hope that with your help the new policy will address all the relevant information about use of personal data on the projects. YWelinder (WMF) (talk) 01:07, 6 September 2013 (UTC)[reply]

Thank you. - Nabla (talk) 20:24, 7 September 2013 (UTC)[reply]

PS: If someone could remove my previous, un-logged, post, I would appreciate. Thanks in advance. And if I wasn't forced to log in to meta while already logged at enwiki, it would also be useful (it should be obviously so, no?) - Nabla (talk) 20:24, 7 September 2013 (UTC)[reply]

A couple community members got to it way before I saw the request :) You're set. Jalexander (talk) 03:28, 10 September 2013 (UTC)[reply]

The WMF and many people with access to nonpublic information (like (for users with accounts) their IP addresses and possibly their email addresses) are subject to the contradictory laws of the USA. The WMF and many people with access to nonpublic information may be required to make such information available to unaccountable agencies while being legally restrained from telling them that the information was shared. Admitting new information sharing mechanisms, or even just the requests may result in imprisonment without trails, without access to the laws leading to imprisonment, or even transcripts of the decisions, evidence, or who their accusers were.

Until the WMF and people with access to nonpublic information remove themselves from such jurisdictions, the guarantees in the WMF's privacy policy, the access to nonpublic information policy, the data retention guidelines, the transparency report, and the requests for user information procedure, are untrue.

To service campaign contributors, your information may be given to third parties for marketing purposes.

Your data may be secretly retained by the WMF for as long as required by US agencies, and/or by those agencies themselves for as long as they want.

The WMF may be prevented from revealing their actual policies but forced to claim that they protect users' privacy per their public policies. -- Jeandré, 2013-09-04t12:47z

See also Talk:Privacy policy/Call for input (2013)#Technical and legal coercion aspects.

Hi Jeandré, while I'm someone who knows for a fact that we would strongly rebel against secret requests and unreasonable demands from the government (any government) I'm certainly sympathetic to these concerns (I think much of what the US government has done is illegal and immoral). That said I have yet to see where we could 'go' to remove everyone from jurisdictions where this (or other equally bad issues) would be a problem. Europe, for example, is generally not better, it has significant issues as well. Jalexander (talk) 20:07, 4 September 2013 (UTC)[reply]

As far as I know, the voters in New Zealand and Iceland care about doing the right thing, and don't have the same kinds of laws as the USA and UK. -- Jeandré, 2013-09-05t09:27z

Les lois européennes sont infiniment plus protectrices que les lois américaines. Pourquoi croyez-vous que les grosses sociétés informatique (Google, Micro$oft, Apple, etc.) essaient d'imposer, heureusement sans trop de succès (voir les quelques affaires récentes, par exemple entre Google et les CNIL européennes) , que ce soit le droit américain qui s'applique au détriment du droit européen ? 78.251.243.204 20:18, 5 September 2013 (UTC)[reply]

Et de toutes façons ce n'est pas seulement une question de quelle loi est plus protectrice ou pas, c'est une question de que les lois des différents pays doivent être respectées. Chaque pays est souverain et établit ses lois de manière démocratique, on n'a pas à lui imposer des lois qui n'ont aucune légitimité. Seuls les Américains votent pour élire leur congrès. Les lois américaines ne s'appliquent donc qu'à eux 78.251.243.204 20:21, 5 September 2013 (UTC)[reply]

PRISM etc

Not sure if this is completely on topic, please point me towards the discussion if not, this is not my area of knowledge.

1. Is the Wikimedia Foundation subject to the same FISA laws that Microsoft, Google etc have had to comply with and give over information?
2. If so does the Wikimedia Foundation record anything they may want?
3. If so this privacy policy will need to reflect this.

--Mrjohncummings (talk) 16:06, 4 September 2013 (UTC)[reply]

• Note that it may illegal for Foundation to admit that they give over information to USA government. 89.74.119.184 19:18, 4 September 2013 (UTC)[reply]

The WMF has been very clear that we have not been contacted in relation to that. General Counsel Geoff Brigham said in a blog post that "The Wikimedia Foundation has not received requests or legal orders to participate in PRISM, to comply with the Foreign Intelligence Surveillance Act (FISA), or to participate in or facilitate any secret intelligence surveillance program. We also have not “changed” our systems to make government surveillance easier, as the New York Times has claimed is the case for some service providers." Philippe (WMF) (talk) 20:58, 4 September 2013 (UTC)[reply]

Just to add to what Philippe has said, it is our understanding of the law that we can not be forced to 'Lie' (though they can force us to not comment/confirm including while we fight for it to be released), while I can certainly understand people's concerns about "them not even being able to tell us if it's true" I really do stress that we haven't received anything and would fight like crazy if we did. Also, we're really really bad liars, we are an incredibly leaky organization. Jalexander (talk) 08:03, 5 September 2013 (UTC)[reply]

This may be a crackpot idea, but given that you cannot be forced to lie, but can be forced to keep quiet, would it be possible for somebody - perhaps in the legal department - to report on a regular basis in a regular spot that "We haven't been contacted by the US Gov't this week to provide any information on users"? Smallbones (talk) 01:05, 7 September 2013 (UTC)[reply]

"Also, we're really really bad liars, we are an incredibly leaky organization." I assume that you're joking, but if you're not, why have a privacy policy at all? (Not joking.) -- Gyrofrog (talk) 03:59, 8 September 2013 (UTC)[reply]

Given the choice between believing Microsoft/Google/Facebook/US.gov or Snowden, I'd go with Snowden every time. I think the current evidence shows that the people at Google are lying by commision because they're being forced to. While I have orders of maginitude more trust in the people at the WMF than those at Google, I think Ladar Levison's decision to shut down Lavabit and his strong recommendation against trusting organizations "with physical ties to the United States" indicates that he didn't want to lie by commision. -- Jeandré, 2013-09-05t09:27z

Appreciate the discussion. Template:User' suggestion is that we implement what is actually the well-known Warrant canary scheme. Part of Template:User's excellent point is that it seems like either Google or Snowden are lying, and that if Google is lying, warrant canaries don't seem to work against the full might of the US Government. Was lavabit publishing a warrant canary? More importantly, should the WMF be doing so on a more regular basis? (the comments from Philippe & Jalexander are great for today, but not regularly made.) --Elvey (talk) 22:21, 8 September 2013 (UTC)[reply]

Is it possible for anyone to verify exactly what software the WMF's servers are running and how the software is configured? It is trivial to download Mediawiki and various extensions, but is it possible for anyone to verify that the version of Mediawiki as run by the WMF isn't modified to provide information to the NSA? --Stefan2 (talk) 12:57, 5 September 2013 (UTC)[reply]

We are very transparent about our servers, how they are configured, and what they run. For example, you can see our production code and deployment recipes on Gerrit and piles of additional information on Wikitech. So I don’t think we object to transparency like that in principle. But verification that source code matches specific binaries is an extremely difficult challenge, even under relatively small and controlled circumstances where you can control every part of the build, and where you’re simply asking about a binary at one point in time, rather than on a live, running system. To do the same thing for an entire network infrastructure (not just Mediawiki, but the web server, operating system, network switches, etc.) would be effectively impossible, both in terms of difficulty and in terms of making it secure (since it would require trusted access to the live system in order to perform monitoring). Even if it were achievable, it would also make management difficult in practice: for example, we sometimes have security patches deployed that are not yet public (for legitimate, genuine security reasons), and we also have to be able to change configurations quickly and fluidly in response to changes in traffic, performance, etc., and doing this would be difficult if configurations and binaries had to be checksummed, compared, verified, etc. - LVilla (WMF) (talk) 02:05, 6 September 2013 (UTC)[reply]

Given everything that's happened, I'm not so sure I trust anyone anymore about what is and isn't watched/kept. I now assume everything is being watched/recorded/analyzed online. You can only hide in the bushes for so long, eventually you'll want to come out and play (online), so I guess you suck it up and move on. Government never tells you about it, one guys leaks it, then they move to make it more transparent and do the about face. Makes you wonder what else they're hiding, and it's sad that they have to hide it from us... 99.251.24.168 02:35, 6 September 2013 (UTC)[reply]

I understand why you are finding it hard to trust anyone, and I am glad that Stefan2 was trying to be creative about ways to increase trust. I just don't think this particular idea solves the problem. If it helps, we're trying to work on this issue; most notably right now by pushing the US government to allow more transparency from targets of national security letters. Suggestions on how else we can do that are welcome. - LVilla (WMF) (talk) 17:09, 6 September 2013 (UTC)[reply]

Of course it would be a bad idea to give anyone unlimited read access to the live servers. For example, it would allow anyone to extract any information from any database table, including information normally only available to checkusers and oversighters. Thanks, your reply sounds reassuring. --Stefan2 (talk) 19:13, 6 September 2013 (UTC)[reply]

Although I do not have any questions at this time concerning this, I wanted to thank you for addressing it in advance as it would have come to mind as I do live in the United States. Koi Sekirei (talk) 00:50, 8 September 2013 (UTC)[reply]

Prisms may still be used for disco parties. —Preceding unsigned comment added by 180.216.68.185 (talk • contribs) 14:29, 11 Sep 2013 (UTC)

Subject to US law

I think we should expand the section on the data being kept in the USA, and therefore subject to American laws. The PATRIOT Act comes to mind, where they can and will use any data you store in the US at any point in time against you at a later date. Doesn't matter where you live. So you might not want to post that nasty anti-American rant on a talk page, it might come back to bite you in the choo-choo later... Or the DMCA. I think of a certain Russian computer scientist who could have been arrested had he came to the US to give a speach as he posted information on anti-circumvention measures (Dmitry Sklyarov) ... Oaktree b (talk) 22:09, 4 September 2013 (UTC)[reply]

While some of this may be true (though there are lots of laws in Europe and other countries which can be problematic with what you post too and the US allows) I'm not sure I understand your example. There is very little (if any) added risk to posting your anti-american rant on the talk page on an American server. There are certainly risks, but the PATRIOT act does not necessarily make it more risky (especially given the legal system and our desire to fight against demands) then many other location options. Jalexander (talk) 00:29, 5 September 2013 (UTC)[reply]

This section concerns me as well as worries me. "to comply with the law, or to protect you and others" I think most of us are aware that our freedom in all areas is slowly but steadily eroding. In many countries, there is not even a pretense at giving freedom priority over other values, while in many others it is only a pretense. I wonder if there is a country left in the world that has not put that value at the bottom of a list of many other values like security and equality. Politicians and lawyers can and will find a way to abuse that which they can abuse for their own purposes. Laws were made to facilitate the sending of millions of people into concentration camps, why should they stop at keeping knowledge sacred? "to comply with the law, or to protect you and others" That is a mightily large back door.

Well I live in Canada, and even if I do my edits in Canada, should I do something distasteful to the Americans, they can hold me at the border for some stupid reason. We also have data privacy laws here in Canada (PIPEDA), but those don't apply to Canadian data stored on American servers. My point is you're essentially at their mercy, whether you like it or not. Just so people are made to understand that. You live in country XYZ, but American law applies to your edits and any data you divulge, so beware. 99.251.24.168 02:09, 6 September 2013 (UTC)[reply]

C'est partiellement mais pas complètement vrai, je pense. Une légende court depuis longtemps qui voudrait que c'est la loi du pays où se trouve les serveurs qui s'applique. La jurisprudence n'est pas encore établie, mais pour l'instant c'est faux. Les serveurs étant situés aux EU, les lois américaines s'appliquent en partie. Mais les producteurs et les consommateurs de contenu étant dans d'autres pays, d'autres lois peuvent s'appliquer. Par exemple, pour la Wikipédia francophone, une grosse partie des producteurs et les consommateurs de contenu se trouvant dans d'autres pays comme la France, le Canada, la Belgique, etc., il est très probable que certaines des lois de ces pays s'appliquent. Par exemple, une société dont le siège et les serveurs sont localisés au Luxembourg ont été condamné à appliquer le droit français ; Twitter a été poursuivi pour ne pas appliquer les lois françaises relatives à la liberté d'expression, mais l'affaire n'est pas allée jusqu'au procès car Twitter a préféré passer un accord avec les parties civiles ; Google est attaquée par les différentes CNIL européennes pour non respect des lois européennes de protection des données personnelles, plus contraignantes que les lois américaines ; dans ces deux cas, Twitter et Google prétendent qu'ils ne doivent appliquer que les lois américaines, mais cela est fortement contesté, et on peut douter que la justice leur donne raison. Ce serait très commode pour les entreprises multinationnales, mais quelle perte de souveraineté pour les citoyens et les pays concernés ! Je n'y crois pas du tout 78.251.253.2 11:18, 6 September 2013 (UTC)[reply]

Thanks for your comment. Please see my response to a related discussion here. YWelinder (WMF) (talk) 19:42, 7 September 2013 (UTC)[reply]

Legal response

Thanks for raising this question. I’ll tackle it in two parts:

First, generally: as we say in more detail in the policy’s section on our legal obligations, we must comply with applicable law, but we will fight government requests when that is possible and appropriate. For example, unlike some websites, we already are pretty aggressive about not complying with subpoenas that are not legally enforceable. (We’ll have precise numbers on that in a transparency report soon.) We’d love to hear specific feedback on how we can improve that section, such as additional grounds that we should consider when fighting subpoenas.

In addition, we are currently working on a document that will explain our policy and procedure for subpoenas and other court orders concerning private data. We will publish the document publicly, follow it when responding to requests, and also provide it to law enforcement so that they know about our unusually strict policy on protecting user data.

Second, with regards to surveillance programs like PRISM and FISA court orders: We are subject to US law, including FISA. However, as we have previously publicly stated, we have not received any FISA orders, and we have not participated in or facilitated any government surveillance programs. In the unlikely instance that we ever receive an order, we are making plans to oppose it.

Beyond the legal realm, we continue to evaluate and pursue appropriate public advocacy options to oppose government surveillance when it is inconsistent with our mission. For example, the Wikimedia Foundation signed a letter with the Center for Democracy and Technology requesting transparency and accountability for PRISM. If you are interested in proposing or engaging in advocacy on this issue, please consider joining the advocacy advisory group. We also continue to implement technical measures that improve user privacy and make surveillance more difficult. For example, we enabled HTTPS on Wikimedia sites by default for logged in users. For more information, see our HTTPS roadmap.

As always, we greatly appreciate your input on this complex issue. Please note that if you have questions that are specific to surveillance, and not tied to the privacy policy itself, the best place to discuss those is on the Meta page on the PRISM talk page, not here.

Best, Stephen LaPorte (WMF) (talk) 00:03, 6 September 2013 (UTC)[reply]

La question n'est pas de résister du mieux possible à l'application de lois avec lesquelles nous ne sommes pas d'accord : les lois sont là, elles ont été votées démocratiquement, nous devons les appliquer, point barre. Nous ne devons pas faire de politique ! Occupons-nous plutôt d'écrire l'encyclopédie, et appliquons les lois quand elles s'appliquent, de quelque pays qu'elles soient 78.251.253.2 11:38, 6 September 2013 (UTC)[reply]

Nous ne devons pas faire de politique? C'est une position que j'ai du mal à comprendre, pour la raison suivante: à quoi bon contribuer à une encyclopédie si elle aussi devient un instrument de répression? Au contraire, je suis persuadé que l'histoire nous apprend que nous devons résister aux lois injustes le mieux possible ... bien qu'on puisse parler de votes démocratiques dans le cas des lois en question, je conteste cette interprétation (à la surface, c'en étaient -- modulo la désinformation, la corruption/le lobbyisme, la pression venant des services secrets ...), elles ont été promulguées par un électorat en majorité analphabète en matière de technologie, donc sujet à toute sorte de manipulation -- les avis d'experts indépendants ne comptent plus pour des nèfles. C'est la peur qui gouverne la société pré-(techno)fasciste, pas la raison.

Summary: I strongly oppose unquestioning compliance with unjust laws, passed democratically or not. We can not abstain from being political in this matter because otherwise what we do becomes part of the unjust system. Ɯ (talk) 10:51, 10 September 2013 (UTC)[reply]

Localisation des serveurs aux Etats-Unis et loi applicable

Les explications indiquent que les serveurs sont situés aux Etats-Unis et que nous devons accepter que ce soit la loi américaine de protection des données personnelles qui s'applique, même si elle est moins protectrice que la nôtre, et que dans le cas contraire nous ne devons pas utiliser Wikipédia. Ca veut dire que nous devons nous barrer tout de suite ? De toutes façons, je ne crois pas que ce soit légal. La Wikipédia francophone concernant en grande partie des Français (ainsi que des Québécois, Belges, Africains, Suisses, etc.), je pense que les juridictions des publics concernés ont leur mot à dire, et que leurs lois doivent d'appliquer. La jurisprudence n'est pas encore bien établie, mais d'ores et déjà certains décisions judiciaires sont allées dans ce sens. En tous cas, personnellement, je ne suis pas du tout d'accord pour donner mon consentement à ce que ce soit la loi américaine qui s'applique. Bien trop dangereux ! La loi américaine n'est pas assez protectrice ! Sans parler de toutes ces lois liberticides prises à la suite des attentats du 11 septembre, sans grand contre-pouvoir pour contrôler leur mise en oeuvre ! 78.251.246.17 22:55, 4 September 2013 (UTC)[reply]

Pourquoi parles-tu uniquement de la Wikipédia francophone ? Il existe plusieurs centaines de projets dans plein de langues, dont les pays pourraient également avoir leur mot à dire. En clair, la fondation ne peut pas suivre toutes les lois du monde et s'arrête donc à celle de son pays. Elfix 07:47, 5 September 2013 (UTC)[reply]

Le problème est qu'on a plusieurs centaines de projets dans plein de langues, mais aussi plusieurs centaines de pays qui, que vous le vouliez ou non, sont souverains, ont leurs propres lois, et ont le droit d'avoir leurs propres lois. C'est un fait. Qu'on le veuille ou non. Et la question n'est pas de savoir si la fondation peut suivre toutes les lois du monde, la question est qu'elle DOIT suivre les lois du monde, car ses activités ne s'arrêtent pas aux frontières de son pays mais s'étendent dans le monde entier. Non seulement elle DOIT suivre les lois des pays auxquels ses activités s'étendent, mais pour un pays comme la France ou n'importe quel pays européen, dont les lois sont beaucoup plus protectrices vis-à-vis de la vie privée des citoyens que la loi américaine, c'est même hautement souhaitable. C'est la raison pour laquelle cette clause est mauvaise. Si l'excuse pour laquelle la Fondation explique qu'il faut adopter la loi américaine, même si elle est moins protectrice que celle de notre pays, est que les serveurs sont aux Etats-Unis, dans ce cas rapatrions les serveurs en Europe. Dans tous les cas ce sont les lois les plus protectrices que nous devons respecter, car si nous respectons les lois les plus protectrices, alors nous respectons toutes les lois, y compris les lois américaines ou de tous les pays 78.251.243.204 18:26, 5 September 2013 (UTC)[reply]

J'ai fait le point en anglais plus haut, mais c'est la même: toute information que vous soumettez au Wikipedia anglais/françcais/allemand etc. est gardée aux USA, donc votre loi locale ne s'applique probablement pas. Au Canada par exemple, nous avons LPRPDE (PIPEDA en anglais) pour la protection des données et des documents électroniques; toute information qui n'est pas sur un ordinateur canadien n'est pas protégée. Donc, si pour une raison ou un autre, Obama ou le gouvernement américain décide de fouiller dans votre information, tant pis! Toute protection locale s'arrête à la frontière. Vous n'avez qu'à regarder le cas d'Edward Snowden ou de Julien Assange; on peut très facilement vous rendre la vie très difficile s'ils décident que vous êtes l'ennemi des USA... Gare à vous. Caveat emptor. 99.251.24.168 02:24, 6 September 2013 (UTC)[reply]

Bonjour 99.251.24.168 et merci de votre réponse :-) J'ai moi aussi répondu plus haut. Je pense au contraire que les lois des pays souverains ont toute chance de s'appliquer. Mais dans le cas que vous décrivez de données canadiennes conservées sur des serveurs américains, les lois américaines s'appliquent AUSSI, et c'est bien normal, les EU sont un pays souverain, comme le Canada. Dans les affaires de ce type, qui concernent plusieurs pays, le droit applicable est toujours un compromis entre les différents droits concernés. Ne croyez pas que seules les lois du pays hébergeant les serveurs s'appliquent. Cave canem ! ;-) 78.251.253.2 11:47, 6 September 2013 (UTC)[reply]

Thank you for your comments and my apologies for responding in English. Jurisdiction is a complex issue that is determined based on a case-by-case analysis. Generally, we apply U.S. law, but we are sensitive to European data protection laws. For example, a version of this privacy policy was reviewed by a privacy counsel in Europe to ensure consistency with general principles of data protection.

The important issue for our users' data is our commitment to privacy rather than the general privacy law in the country where the Wikimedia Foundation is based. Our privacy policy generally limits the data collection and use to what is necessary to provide and improve the Wikimedia projects. For example, we commit to never selling user data or using it to sell them products. In other words, the commitments we make in this policy go beyond commitments made by many online sites, including those based in Europe. And we encourage users to focus on and provide feedback about those commitments because the commitments are ultimately what matters for their privacy on the Wikimedia sites.YWelinder (WMF) (talk) 19:36, 7 September 2013 (UTC)[reply]

Certes, plus que de savoir si c'est la législation de tel ou tel pays qui s'applique, c'est plutôt les détails des Règles ou Charte de protection des données personnelles de Wikimédia qui nous importent. Cependant, les législations (américaines, européennes) sont des références communes et pratiques offrant une base rassurante, parce qu'elles ne nous sont pas complètement inconnues. Dans cette logique, et pour nous aider à mieux appréhender la Charte, serait-il possible qu'une personne compétente nous fasse un résumé de ce qui diffère entre cette Charte et les législations américaine ou européennes ? Comment la Charte se situe-t-elle par rapport à ces législations ? 85.170.120.230 10:43, 8 September 2013 (UTC)[reply]

Localisation des serveurs aux Etats-Unis et loi applicable bis

Je demande le retrait du paragraphe Où se trouve la Fondation et qu’est-ce que ceci implique pour moi ? 78.251.243.204 19:05, 5 September 2013 (UTC)[reply]

My apologies for the response in English. If someone would be so kind as to translate this into French, I would be much obliged. Are there any particular reasons that you are requesting removal of that section? Is there any specific language that concerns you? If so, please specify. Mpaulson (WMF) (talk) 22:23, 5 September 2013 (UTC)[reply]

Traduction / translation : « Excusez-moi de répondre en anglais. Si quelqu'un avait la gentillesse de tranduire mon message en français, je lui en serai reconnaissant. Y a-t-il des raisons particulières pour que vous demandiez le retrait de cette section ? Y a-t-il une langue spécifique qui vous concerne ? Si tel est le cas, veuillez le préciser. » Jules78120 (talk) 22:37, 5 September 2013 (UTC)[reply]

Merci Mpaulson de votre réponse (et merci à Jules78120 pour sa sympathique traduction :-) ). Les raisons particulières qui me poussent à demander le retrait de cette section sont les mêmes que celle déjà développées plus haut dans la section Localisation des serveurs aux Etats-Unis et loi applicable et dans plusieurs autres sections telles par exemple que NSA, FISC, NSL, FISAAA, PRISM... Je me permets juste d'être un peu plus insistant dans ma demande, avec votre permission :-) 78.251.243.204 00:54, 6 September 2013 (UTC)[reply]

So, while we as an organization and I personally have some sizable objections to PRISM and many of the actions taken by the US government recently with regards to privacy, removing this section will not actually change the applicability of US law. The Foundation is located in the US, meaning that using our sites leads to the transfer of data to the US, and thus is subject to US law. Mpaulson (WMF) (talk) 01:09, 6 September 2013 (UTC)[reply]

Bien sûr que les serveurs sont situés aux EU et que les lois américaines s'appliquent (à ce propos, on devrait peut-être songer à redéménager les serveurs en dehors des EU !). Par contre, je ne suis pas d'accord avec la phrase « Vous consentez également au transfert de vos informations par nous depuis les États-Unis vers d’autres pays qui sont susceptibles d’avoir des lois sur la protection des données différentes ou moins contraignantes que dans votre pays, en lien avec les services qui vous sont fournis. » Je ne suis pas d'accord pour que mes données soient transmises n'importe où, y compris à des entreprises situées dans des pays où les lois autoriseraient n'importe qui à faire n'importe quoi avec. Si nos données sont transmises, elles ne doivent l'être qu'avec la garantie que nos données seront protégées au moins autant que dans notre pays, ou en tous cas au moins autant qu'aux EU. Quelque soit l'entreprise ou le pays vers lesquels sont transmises nos données, on doit s'assurer que la Charte de confidentialité soit garantie. Sinon, on ne transmet pas. La Charte n'établit, je trouve, pas ce point assez clairement (par exemple les paragraphes Si l’organisation est cédée (très peu probable !) et À nos prestataires de services manquent à mon avis de précision) 78.251.253.2 12:36, 6 September 2013 (UTC)[reply]

P.S. : EU en français = Etats-Unis = United States = US en anglais ; je m'excuse, j'aurais dû écrire Etats-Unis en toutes lettres :-) 85.170.120.230 01:51, 7 September 2013 (UTC)[reply]

Unfortunately, US privacy law is still very much developing and the EU considers the US to have less stringent data protection laws than the US. So using a Wikimedia Site means that, if you are a resident of Europe, your data is being transferred to a country with less stringent data protection laws that your country. There isn't really a way for you to use the Wikimedia Sites without consenting to that kind of transfer unfortunately. But differences in privacy regimes aside, the Wikimedia Foundation seeks to put into place contractual and technological protections with third parties (no matter what country they may be located in) if they are to receive nonpublic user information, to help ensure that their practices meet the standards of the Wikimedia Foundation's privacy policy. Mpaulson (WMF) (talk) 18:59, 6 September 2013 (UTC)[reply]

This is not quite correct. If I visit google.com from Italy, I'm asked whether I want to accept a cookie or not, though in USA you are not. Moreover, Google managers were held criminally liable for privacy violation in a meritless case which however ruled that «the jurisdiction of the Italian Courts applies [...] regardless of where the Google servers with the uploaded content are located».[1] --Nemo 19:26, 6 September 2013 (UTC)[reply]

What does this mean: "the EU considers the US to have less stringent data protection laws than the US"? PiRSquared17 (talk) 19:27, 6 September 2013 (UTC)[reply]

«Special precautions need to be taken when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection.»[2] «The Commission has so far recognized [...] the US Department of Commerce's Safe harbor Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing adequate protection.»[3] «In many respects, the US is a data haven in comparison to international standards. Increasing globalization of US business, evidenced by the Safe Harbor agreement, is driving more thinking about data protection in other countries. Still, political and economic forces make a European style data protection law of general applicability highly unlikely in the near future».[4] WMF is also not in [5], FWIW. --Nemo 19:46, 6 September 2013 (UTC)[reply]

@Mpaulson : J'ai l'impression que vous avez mal compris mon abréviation EU, qui signifiait Etats-Unis (d'Amérique). Pardon. Ceci dit, même si les lois américaines sont en effet souvent considérées moins protectrices des données personnelles que les lois européennes, les Règles de protection des données personnelles (Privacy Policy) de Wikimédia peuvent tout à fait garantir un niveau de protection supérieur aux lois américaines. Garantir un niveau de protection inférieur aux lois américaines ne serait pas légal, mais garantir un niveau de protection supérieur aux lois américaines, et même supérieur aux lois européennes ou à d'autres lois, est tout à fait possible et compatible avec le droit américain. Il suffit d'adopter des Règles au moins aussi protectrices que les différentes législations nationales (un plus grand commun dénominateur des différentes législations, donc). Je ne vois pas ce qui nous en empêche. Et il faut bien entendu que tous les prestataires de services s'engagent ensuite à respecter ce niveau de protection (comme déjà stipulé dans le paragraphe À nos prestataires de services) 85.170.120.230 02:22, 7 September 2013 (UTC)[reply]

Dans un but de meilleure compréhension, serait-il possible que quelqu'un de compétent nous explique en quoi ces Règles de Confidentialités diffèrent du droit européen ? En quoi elles seraient moins protectrices que celui-ci ? Une explication du genre de celle donnée ci-dessus dans la section What is changing? serait très intéressante ! 85.170.120.230 02:32, 7 September 2013 (UTC)[reply]

En particulier, comme évoqué par Nemo, comment se situe la WMF par rapport au cadre juridique Safe Harbor ? 85.170.120.230 12:10, 8 September 2013 (UTC)[reply]

It would be nice if the account can be removed. Thank You! --78.49.38.54 13:03, 4 September 2013 (UTC)[reply]

Sadly deleting an account is essentially impossible, if we delete an account then every edit made by that account isn't attributed to anyone and we can't allow that. Many wikis have a policy similar to English Wikipedia's Right to Vanish where you can be renamed to some obscure numbered name and your user page deleted but that's essentially the closest that we can get :(. Jalexander (talk) 20:11, 4 September 2013 (UTC)[reply]

A option to do that which ive seen done on other sites is to attribute all the things a person has written to account named "Deleted", which would solve this problem and allow the deletion of account from database. Of course there is the potential risk of people registering, vandalizing and deleting themselves not to trace them back. A possible solution could be that deletion ony gets confirmed after, say 24 hours, during which the vandalism gets noticed usually.

P.S. not sure if i did this formatting thing right

Call me brainwashed by my years in accounting audit and reading computer security logs, but I agree that the identity should be retained in some fashion, and not removed from the database. However, I think there is sufficient cause to allow identified persons to "retire" their identity. Yes, that begs a question or two. "Retiring" is not the same as deleting an identity. Their reasons could have to do with stalking or police state issues, or psychological concerns, but it would be the statesmanlike thing to do to permit it. I think there are better ideas than my initial suggestion here (i.e., research needed), but perhaps we can consider identifying such a person as "Retired." Timestamp and other data needed to maintain talk page threads to maintain Wikipedia standards for transparency would not be removed. Perhaps the identity information could be taken offline -- if there is such a notion in Wikipedia's architecture. It is true that third party archive engines could restore identities once deleted. Still, while the benefit is limited, it would be useful for most contributors. It should not be easy to retire oneself, as this could place a burden on the community. Ping me if you would like me to look at some suggestions in the literature. --Knowlengr (talk) 02:00, 8 September 2013 (UTC)[reply]

Hi All,

Thank you for your suggestions. As Jalexander mentioned above, there are significant difficulties in deleting an account altogether. However, providing a way to mark an account “retired” is an interesting suggestion and one worth further exploration.

From a privacy policy perspective, it is first worth noting that a privacy policy only outlines the baseline privacy protections that the Wikimedia Foundation will provide -- nothing prohibits the Wikimedia Foundation (or the community) from providing greater privacy protections now than those stated in the privacy policy or from providing more comprehensive protections in the future as new protections become available. For example, if we find a way to create more secure connections for users or ways to universally retire accounts, the privacy policy draft as it currently stands would permit those protections to be given.

From an implementation perspective, “retiring” an account is already somewhat available on select wikis. For example, the English Wikipedia has a Courtesy vanishing/Right to Vanish policy and a couple of other large wikis have similar policies. However, you can currently only rename an account one by one on each wiki where you (or your unified account) exist. Because of this, a global policy that would permit you to “retire” you account would be incredibly difficult to write and enforce.

In the future (hopefully soon), as we work towards finalizing our unified account system, we will be able to have a much easier global rename or “retirement” process and the community may be able to decide on a global vanishing or “retirement” process. Mpaulson (WMF) (talk) 00:18, 12 September 2013 (UTC)[reply]

Really! Truly! I know you don't mean to sound like you are talking down to us, but gosh, I feel like everyone at the Foundation just wants to give us happy smiles & hugs & wishes us all unicorn farts. Not only does it sounds creepy, yo ulose all credibility.

First, I want to know if this warm-&-fuzzy language accurately reflects what the policy is. And some passages don't give me a warm & fuzzy feeling that it does.

Second, it is possible to explain things in plain English without sounding like a demented variant of a Cub Scout Den Leader. Take, for example the section "Account Information & registration". (Was the person who wrote that high on antidepressants?) Everything in that section could be explained quite simply & maturely as follows:

You are not required to create an account to read or contribute to a Wikimedia Site. However, if you contribute without signing in, your contribution will be publicly attributed to the IP address associated with your device. If you want to create a standard account, we do not require you to submit any personal information to do so. All that is required is a username and a password. We do not ask for a legal name or date of birth, nor an email address, and definitely not for credit card information; we consider that information unnecessary to contribute to Wikipedia. There are rules and considerations regarding a username, so please think carefully before you use your real name as your username. Your password is only used to verify that the account is yours.

Notice how more mature this paragraph reads? Yet most of the language is what currently appears on the front page; all I did was take out the fluff. And there is a lot more fluff in this policy statement that needs to come out before the final draft. -- Llywrch (talk) 18:34, 4 September 2013 (UTC)[reply]

A bit painful

With due respect, some of the phrasing is pretty cringe-worthy.

"Some features we offer are way cooler to use if we know what area you are in."

"If you choose to help us make the Wikimedia Sites better by participating in an optional survey or providing feedback, we think you are awesome."

"We also recognize that some of you know the ins and outs of tracking pixels while others associate the term “cookie” exclusively with the chocolate variety."

Such attempts to be chatty have no place in such a document, in my opinion. 86.169.185.183 21:02, 4 September 2013 (UTC)[reply]

Mostly, I'd be interested in tasting a cookie which is a chocolate variety (in Italian, saying that "cioccolato" is "biscotto" is a lexical and etymological absurd). Do such things really exist in USA? We may need a food culture table conversion for such weirdnesses in the text. --Nemo 21:47, 4 September 2013 (UTC)[reply]

You will be assimilated. Resistance is futile... We are Wikiborg.Oaktree b (talk) 22:23, 4 September 2013 (UTC)[reply]

Informal tone

I'm wondering why the WMF has decided to use a very informal tone in this new draft. Is it intended to make the policy appeal to a younger audience? I have nothing against the occasional use of "cool", "awesome", or similar words, but I don't understand why they should be in what is essentially a legal document. @Jalexander: any comment? PiRSquared17 (talk) 21:59, 4 September 2013 (UTC)[reply]

I also think it's okay to have a bit of fun and have some in-jokes in internal Wikimedia pages, but it might hurt the WMF's reputation if added to such an important, highly visible document. However, I trust the authors of the document. PiRSquared17 (talk) 22:01, 4 September 2013 (UTC)[reply]

Also informal text can have official character. ;) The intention was obviously to make the text comprehensible also for non-Legalese native speakers. ^^ --თოგო ^(D) 22:36, 4 September 2013 (UTC)[reply]

I'm happy that it is more comprehensible and written in Simple/Plain English, but that does not mean we should have text like "[...]we think you are awesome". I'm not explicitly against this kind of informal tone, but I'm afraid that readers may get a bad impression of Wikimedia. It might make WP seem like a website run by "cool kids". ;) PiRSquared17 (talk) 22:41, 4 September 2013 (UTC)[reply]

I obviously appreciate your feedback on this and will make sure the lawyers know too (we're keeping track of what people say on both a spreadsheet and I sit very close to Michelle who is the main one in charge of coordinating it) and I think it's something to hear about from others as well to gauge how it comes across. From a personal opinion side though I disagree, I think simple/plain english is one thing (and for legal document incredibly tough) it can't be the only piece. The formal 'voice' and tone are one of the big things that turns people away from reading long documents like this and absorbing the information given. I think the informal tone keeps it flowing and makes it much easier to completely read. In the end I would prefer for people to think we're a bit of a 'silly bunch of people' (which, let's be fair, they already think since we write an online encyclopedia for fun) then for them not to read what is quite a lot of text but is very important in this internet day and age when they give up large amounts of information without even knowing it. Jalexander (talk) 23:46, 4 September 2013 (UTC)[reply]

I disagree with this, as I mentioned above. The insertion of inappropriate words such as "cool" and "awesome" does not make the document more readable, it just makes it look self-conscious and a bit ridiculous. 86.169.185.183 00:16, 5 September 2013 (UTC)[reply]

Sigh. Did you bother to read my revision of one paragraph of this document? It is informal but dignified. No one will respect a document that is written by a bunch of airhead PR flacks who sound as if they are giggling as they writing--which is the voice this document currently has. And I hope & assume no one working at the Foundation wants to be thought of as an airhead PR flack.--Llywrch (talk) 02:57, 5 September 2013 (UTC)[reply]

Honestly, at the time not yet, but I did later and have it on a list for people to look at. I was answering here because @PiRSquared17: specifically pinged me and I wanted to respond to him directly. I actually think I misread initially though and came across as harsher then I felt (too many things at once I guess). I want to find the right balance, and am not completely sure where it is yet. I didn't write the policy and I have my own thoughts but I'm not yet sure exactly what is best. I just wanted to characterize the thought process and some of my own thoughts (about trying to find ways to keep them reading and help them understand). Jalexander (talk) 08:14, 5 September 2013 (UTC)[reply]

I thought the exact same thing as PirSquared17 and I disagree with "The formal 'voice' and tone are one of the big things that turns people away from reading long documents like this and absorbing the information given. I think the informal tone keeps it flowing and makes it much easier to completely read." In fact the informal tone distracts from the information given and let the reader thinks that the information is not important since it's presented in a "funny" way, we "unconsciously" think that it must be a joke or something alike. I don't mean the text should be full of legalese stuff and I agree that it should be written in plain/simple English, but the "informal tone" does the same as the "legalese and complicated tone" for non-Native English speakers, it makes the text harder to understand (and let be honest such text won't be translated in all languages so, yes, a lot of non-Native English speakers will have to read it in English). Amqui (talk) 02:48, 5 September 2013 (UTC)[reply]

The informal tone doesn't bother me much. The document is still pure egregious legalese (i.e. designed to give headaches), see all the instances of "A, BUT! X, Y, W, Z, ..." so that in the end you read three times as much and don't remember what you are agreeing to, being more exceptions than rules, and the WMF is fully protected from users.

You make a good point, however, that the draft text is three times as long as the current wmf:Privacy policy (49 KB vs. 16 KB counting only the text included in the page directly) and it's full of long digressions. Perhaps, per TTO in #Some notes, the digressions and other accessory text may be moved to speech bubbles coming out of Rory, so that both translators and readers can more easily prioritise how they consume the document. --Nemo 06:03, 5 September 2013 (UTC)[reply]

I've changed my mind about this. Maybe it is better for people to think we're silly than to avoid reading the policy, as James said. If it actually gets people to read through it, and it doesn't detract attention from the actual content, then it's fine. PiRSquared17 (talk) 01:15, 6 September 2013 (UTC)[reply]

Most people will still not read it just because of the length, no matter if you put smiling tigers beside each section or not. So why bother the actual people who will read it with fluff that they don't care about, because, let be honest, the vast majority of the people who will take the time to read the Privacy policy are not the casual readers. Amqui (talk) 03:51, 6 September 2013 (UTC)[reply]

Agreed. Let the document's organization, flow and use of examples carry the day. Informality works for fiction, but this document is characterless nonfiction by design. Overall, I'm impressed with the draft. The informal asides are well-intentioned clutter. Even proficient English speakers may pause when reading "coolness." Did they miss something? Was there a redesign? What's being communicated? That said, these are issues that can be hammered out in later drafts after the substantive issues have been deliberated.--Knowlengr (talk) 03:12, 8 September 2013 (UTC)[reply]

Good point about the translator, informal tone like that is also harder to translate easily and directly than direct and plain formal English, and since we rely on volunteer translators, that's a point to keep in mind. Amqui (talk) 03:43, 6 September 2013 (UTC)[reply]

I do not understand what the informal child friendly tone of the policy is seeking. When I read the proposed policy I'm reading a tutorial of treatment of data, not really a policy. A privacy policy is a document that establishes clauses of what the web site will do or will not do with the data that can identify the user. Privacy terms are released not with the purpose to teach to the visitor what is the purpose of the Wikimedia Foundation, or what is a cookie or why the web site collects data (although, sometimes is necessary explain it), these terms are a declaration of the host about what it will do or not with your data, I mean, because the host decides treat the data as he want. If WMF establishes that will be public the IP and location of the visitor then, the IP and location will be public (for example). Each web site could treat the data in different ways, and it is the reason because each web site have to give to you it's own privacy policy. I see that is a tendency in websites to make the privacy policy more "friendly", but actually, a list of bullets about what the site will do or will not do is the easiest and simplest form to do that. For example "WMF will recollect cookies with the purpose…", "WMF will not give your data to third parties…" and so on. Moreover, privacy policy is the kind of document in that I do not want to expend much time to read, in that sense, proposed policy is a whole treaty. And, in addition, is not the kind of document that needs a mascot (seriously, what the policy writers were thinking when decided that to include Rory in the policy was a good idea?). In other hand, the policy terms should not treat you as if you were ignorant of everything. For example that line "Because everyone (not just lawyers) should be able to easily understand how and why their information is collected and used, we use common language instead of more formal terms" can be changed to this "Some terms that will be used in this policy must be understood with the following meanings". Finally, I expect a simple, short and formal text about privacy policy, if you want to keep the current text as a tutorial named WMF privacy policy for dummies, I agree with that, but I think an informal redaction should be an auxiliary, not the main document. --SirWalter (talk) 05:53, 6 September 2013 (UTC)[reply]

The issues at hand here, even though I may sound harsh, are as such:

• There appears to be a substantive and justifiable dislike for this cuddly, overly verbose presentation of the 'Privacy policy'. To be honest, I've never read the privacy policy prior this as I haven't had cause to concern myself with it, only having drawn on various supplementary material available here for Wikipedia & having cleaned up some conflicting and confusing information surrounding relevant media. I was completely taken aback by what I saw when I finally found a moment to respond to the call for comment on the 'new' policy entry. In as much as it may seem desirable to be welcoming & reconstructing the 'legalese', it is a legal document and should aim to be as succinct as possible.
• That which may be deemed to be a sweet & welcoming page by the administrators/editors here in actuality presents as being the antithesis. It is duplicitous to make serious policy appear so innocuous and cutesy that it may as well say, "What the heck, you don't need to read this because it's obviously all about goodness and niceness." Condescension is not valuable as the Privacy policy is serious matter. Even if there are young contributors here, the deployment of 'plain speak' requires serious deconstruction & explanation in concrete terms. If this presentation is considered to be a clever method of avoiding scaring younger users/contributors away, it is abundantly clear that those who chose the methodology have no grounding in behavioural psychology and are making uninformed assumptions in feeding people swathes of reconstituted pap.
• Note, also, that at some point, younger users/contributors are going to have to familiarise themselves with 'legalese'. For their sake, it is preferable that they become acquainted with it before they turn 30. By all means, present the salient points of the policy informally as collapsible 'plain speak' auxiliary information, but most of us probably don't want to wade through 'cute'. At a glance is undoubtedly far more useful and desirable. --Iryna Harpy (talk) 05:59, 8 September 2013 (UTC)[reply]

Oatmeal vs. Dora the explorer

I saw feedback to the whole illustration and mascot theme is solicited above. I wanted to point out the subtle difference being lost here. Illustrations don't necessarily have to be dumbed down, or be intended for an immature audience. The whole mascot theme, terminology and tone being employed doesn't fit well together. I'm not commenting on the quality of the artwork or the character work for the record, both of which seem fine and probably took a lot of time and effort. It's really hard to cater to an adult audience through this medium but it's not new either - twitter fail whale, firefox fox, google's android etc. all have used their mascots and used them well - I think this could be done better (if this route is going to be taken). But to do that - start by aiming for oatmeal, not Dora or Disney. Regards. Theo10011 (talk) 22:33, 4 September 2013 (UTC)[reply]

Why a tiger?

Why does the banner for the new privacy policy include a drawing of a tiger? We're not children. --Cryptic C62 (talk) 02:52, 5 September 2013 (UTC)[reply]

I don't work for the WMF, so I can't explain why they chose to use the tiger, but here's some sort of explanation: The WMF has a stuffed animal tiger in their offices called wmf:Rory. The usage of Rory illustrations has been discussed above, in other sections. PiRSquared17 (talk) 02:55, 5 September 2013 (UTC)[reply]

As someone who believes that tigers are the work of Satan, I'd add that we're not Satanists. –76.108.183.43 03:30, 10 September 2013 (UTC)[reply]

Offputting for adult readers

The policy reads as if aimed at schoolchildren, with the cuddly tiger, "way cooler", "eat your greens", "evil wizard", "You're still awesome" (or "... brilliant" in GB english version). It is possible to write clear English in a neutral, adult, way: see The Plain English Campaign and its guides if you need help. The Privacy Policy is an important document and should be written in a clear and serious tone, not as if it's written by teenagers for children. We are trying to recruit new subject-expert editors, with the introduction of Visual Editor: if a high-power professor reads this proposed text, offered as the Privacy Policy, they are unlikely to take Wikipedia seriously enough to want to contribute their time and expertise. PamD (talk) 07:55, 5 September 2013 (UTC)[reply]

Thanks for the link, I'm adding it to Writing clearly. --Nemo 11:42, 5 September 2013 (UTC)[reply]

Thanks for all the above comments. To be honest, from my personal viewpoint, I'm actually OK with this, and I'm known as a pretty stuffy and formal lawyer.  :) Our challenge is to explain a complicated topic to everyone, including casual readers of our projects. As I note above, we are repeatedly told that few ever read privacy policies, those who start often don't finish, and when they do, they often misunderstand them. For that reason, we have tried a few ideas, like the user-friendly summary at the beginning of the policy, plainer English (with no doubt a few exceptions), more transparent and hopefully easier-to-understand explanations in the text, and, yes, humor. In my humble opinion, I like it. To my ear, it is not condescending but is respectful, underscoring that we expect the reader to read the policy and we are making efforts to help them enjoy it. For me, humor helps get through dry material. My take on the proposed rewrite above it that it is fine, but I honestly like the version in the draft privacy policy better: it helps explain better in plain terms where we are going, and it may actually help people remember themes in the document. We did have non lawyers read through various drafts. Their ongoing feedback pointed us in this direction. I definitely respect the opinion of those who disagree with me, and, of course, during the 4-month consultation period, we will be listening closely on this issue. In any case, I really appreciate all of you reading and responding ... quite helpful in thinking through this topic. Many thanks. Geoffbrigham (talk) 14:14, 5 September 2013 (UTC)[reply]

"We are repeatedly told that few ever read privacy policies, those who start often don't finish, and when they do, they often misunderstand them. For that reason, we have tried a few ideas, like the user-friendly summary at the beginning of the policy, plainer English (with no doubt a few exceptions), more transparent and hopefully easier-to-understand explanations in the text, and, yes, humor.": +1 Ocaasi (talk) 18:19, 5 September 2013 (UTC)[reply]

That's not humor, that's an embarrassment. You should target the common average of users(german: Schnittmenge), and not only a specific group. But I'm used to such nonesense in wikipedia. Most of the editors suffer from brain damage or mental retardation I think, so no suprise. Whatever, good luck. Greets--82.113.121.77 22:14, 5 September 2013 (UTC)[reply]

Don't you guys just love it when someone pops in, offers no help, is a jerk, and then promptly leaves? Unfortunately, he forgot to create an account which means his IP address is open for everyone to see! ; ) As for this new policy, I actually like the cuddly tiger (though some of the words are a tad cringe-worthy) and seriously wonder why some people worry about wikipedia "not being taken seriously" when it is already leagues above everything else on the web. BallroomBlitzkriegBebop (talk) 17:38, 6 September 2013 (UTC)[reply]

The policy in itself my read as if it is aimed at schoolchildren at first glance but it seems as though it is a combination of something everyone can deal with. The "adult readers" who visit Wikipedia and contribute should know that Wikipedia may be edited by anyone and thus, teenagers and even children may contribute. Wikipedia already has made a name for itself being the project that it is. I do not know anyone who doesn't take Wikipedia as a site seriously. I know of a few examples where when writing essays for a project, a teacher may have desired better references or more references than just Wikipedia but that was on the basis that Wikipedia may be edited by anyone. Everyone has to compromise and as Geoffbrigham brought out, it is because the challenge is to explain a complicated topic to everyone. Even the suggestion of "you should target the common average of users" brought out by 82.113.121.77 is in itself, targeting a specific group. From what I've seen of the Privacy Policy (which is very little), I like how it is presented. Koi Sekirei (talk) 17:38, 8 September 2013 (UTC)[reply]

I have read the policy, in part indeed to test its readability, and I have to say that some of the language used led me to misunderstand it. Being fairly experienced with most things internet and a bit with legalese, I later realized that I still missed many of the points later brought on by editors on this talk page. If anything, the reason for these misunderstandings was the overly narrative, embellished and long-winded style of writing. It glosses over important points, handwaves issues away, and buries the points it does address between explanations of completely non-privacy-related wiki elements and entire paragraphs of filler delivering no information at all.

This document spends a lot more words and does a much better job of convincing a casual reader that it's an awesome policy than of telling him what the policy actually is. I understand that you've tested it for ease of reading and positive reaction. But did these tests include "reading comprehension" question checks - whether most readers actually got an understanding of various aspects of the policy in the end? CP\M (talk) 08:33, 10 September 2013 (UTC)[reply]

An excellent point, CP\M. If this were being treated as a serious pedagogical issue (which it purports to be), the most important part of the process of adopting it would be to test whether it meets its objective, being that of genuine comprehension. Has there been a component for testing comprehension of the policy built into the feedback? --Iryna Harpy (talk) 22:14, 10 September 2013 (UTC)[reply]

I agree with all exposed by Iryna Harpy at this point. Basically, if the objective of the new draft is not purely legalistic, not only the legal counsel team of the WMF had to write the draft. Some experts or professionals in translate legal documents in simple terms and, considering the worldwide scope of Wikimedia projects, professionals in languages had to participate in the writing of the draft, (see the exposed by Sir48 below). At this point, counselors sustain that the tone and language of the proposed policy is amazing because they proposed it, they not give reasons neither arguments that sustain how the draft becomes in a master piece. Moreover, nobody proposed the change to informal tone, by contrast, is a legal counsel who statements that they want "to avoid legalese as much as possible" (at all, could add). That looks like a whim from the legal council, not a request from the community. Impose the not well known mascot for the legal office may be a proof of this.--SirWalter (talk) 01:37, 11 September 2013 (UTC)[reply]

Template:OdI believe that SirWalter has driven home some excellent points regarding how this has evolved (or devolved) into this proposal. The proposal, as I understand it, was that the 2008 privacy policy was in need of updating to reflect changes in technology and that, somehow, it was identified as being desirable to present the legalese using more 'user friendly' terminology.

The structure of the current policy document doesn't seem to have come into the equation until (I can only assume) the legal department, in collaboration with other unknown parties(?), identified some sort of problems with what appears to be a perfectly serviceable model for presentation which they deemed could be redressed by inserting cuddly mascots and a desperate lack of concise information. Updating the contents of the policy and aiming to make it more accessible by the use of simplified/lay English is something I can understand. What I fail to be able to comprehend is how, when, where, who, what and why was simplified English and 'user-friendly' transmogrified into cuddly mascots?

It's difficult not to come to the conclusion that the legal office are completely stumped and have intentionally thrown a cutesy mess at the community for comment in order to conceal a lack of imagination or desire to put some serious work into a genuinely well thought out proposal & are simply waiting for the blanks to be filled in by the community who are promptly picking up on areas that need to be expanded, elaborated on, qualified and clarified.

I'd suggest that there are enough queries about the proposed new 'structure' to merit a reasonable explanation as to why we should accept that mascots are 'user-friendly' and how this will assist in the reading of the document. For all the noises about how certain individuals have felt it to be less intimidating and having encouraged them to read the policy (which of the condensed one-liners in particular were found to be 'friendlier'?), how familiar were they with the complex issues deciphered(?) by the end of their cheerful read. I'm sceptical about being being herded into taking a leap of faith because a few people have claimed the matter to be so, therefore propose that some empirical data be presented to back up claims that it is a genuinely effective strategy, i.e. a little background into, "We did have non lawyers read through various drafts. Their ongoing feedback pointed us in this direction." Who were the 'non lawyers' and what were the qualifications of those interpreting this 'ongoing feedback'?. --Iryna Harpy (talk) 05:39, 11 September 2013 (UTC)[reply]

Sry I've(of course) meant: The average human, and not the average wikipedia user(who are nerds and geeks anyway). Of course you have to target some groups of people, and that should be the group of attributes of groups which all groups have in common(or something, you know what I mean). Does the language have to be childish to explain it better? Hell no ! Will the probality increase that some serious person are scared off of it? Maybe. Will it attract more younger people? If you look how many "children"(not the adult ones who behave like ones here) wikipedia use then I think, no. Greets--82.113.122.164 21:40, 11 September 2013 (UTC)[reply]

Some thoughts for consideration from legal

Thanks to everyone for their comments (under this section and others). I really appreciate people taking the time to read the document and giving us your frank feedback.

Just above I shared some thoughts on this topic for consideration. To state it a little differently here, in the legal department, we have reflected quite a bit about tone as we took this draft through multiple versions, testing them out informally. What we heard was that non-lawyers (who were adults and well educated) preferred this less legalistic tone, including some limited insertions of humor. IMHO, this approach shows an effort to help the reader understand the document and demonstrates our expectation (and respect) that the reader will read it. As I say elsewhere, most Wikimedians are fine with formal language expressing complicated concepts. Indeed, I love the fact that our community is made up of wiki-lawyers who have a strong interest in legal issues and the formalities that naturally follow that interest. That said, many of our users to whom this policy applies are readers from different backgrounds. I feel we need to use tools to encourage all types of people to read the policy throughout and to the end – like the user-friendly summary; like plainer, less formal English; like icons and maybe other visuals; and like humor.

And, to be honest, it also works for me. I enjoy reading the draft privacy policy more because of the tone and humor. I also like what it says: we think it is unreasonable to put dense legal documents before readers without helping them understand the document and enjoy the experience. As I noted above, I think the above rewrite of one paragraph by Llywrch is fine, but, in my personal opinion, I frankly like the version in the draft privacy policy more: the first line of text helps the reader understand where the discussion is going in a simple non-legalistic way. I do appreciate Llywrch’s efforts in illustrating his point, however.

We talk about the use of illustrations elsewhere, but one idea I like out of this conversation is the concept of using bullet points, maybe in the margins to summarize certain critical themes. The community will decide on the mascot idea, but simplified bullet points - such as proposed by Theo above - may be another way of addressing this. I know that is not exactly what you are proposing SirWalter, but the idea is related. I think both of you have good arguments there.

Now I say all this with the understanding that we are in a 4-month consultation period, and we are listening to your views on this. So far, there are some who have commented positively on the language and approach, but I definitely respect the contrary point of view. I’m seeing some points more clearly based on our exchange. For example, it resonates with me when people say some humor doesn't translate well into other languages. And there are no doubt some sentences that we will want to rewrite based on community feedback. Overall, I’m fine with the tone; I even like it, and, personally, I would like to keep it. But, if some specific language really strikes the community as wrong, we will change it, obviously.

Thanks again for taking the time to read this draft and to share your comments. We know people are busy and have other priorities, so we really appreciate it. Geoffbrigham (talk) 07:45, 6 September 2013 (UTC)[reply]

I have three comments about this:

• Guys, fun is ok, but the Wikimedia projects are not the place to it. Wikimedia is a serious web site, not serious in the sense of a drill instructor, but in the meaning of trusty and accurate information. I think everybody, regardless of age, nationality or educational level can understand that the legal issues are serious issues. If you want to get fun, go to the Encyclopedia Dramatica, paradoxically, their privacy policy is better than the draft that you are proposing.
• Wikimedia projects are not the sort of websites that intensively recollect personal information or get profit with it. Most of the data recollected is result of the way in that internet servers work. I do not understand why a simple upgrade in the policy becomes in a complete senseless renovation.
• Privacy policy is a legal text with legal consequences. With your "cool" way to redact it, you are introducing ambiguity in the terms. And the ambiguity in a written contract will be construed against the drafter. If you want to fight in a trial in that somebody felt offended because thinks that he/she looks great in his eight year old picture or, because somebody interprets the "evil wizard" in an inconvenient sense, you are in the right way. By the way, I find, more than 40 paragraphs since the beginning of the policy text, the statement that "if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"; of course, is well known that you have to put the Important Info at the end of a legal text.

At the end, you are more involved in the project, and you will carry with the consequences of all this. --SirWalter (talk) 19:02, 6 September 2013 (UTC)[reply]

I take your point quick seriously, SirWalker. I thought about this lots before the rollout. I came to the Wikimedia Foundation from a for-profit major internet company. I think many saw me as quite formalistic as a lawyer.  :) So I get what you are saying. Yet, after seeing similar examples elsewhere, I have come around to the position that a less legalistic style and humor can be helpful in facilitating understanding, especially when you are addressing a diverse community. I don't think it would be appropriate for me to comment on the quality of others’ privacy policies, but I will say that our site has unusual and complicated issues in a collaborative community that need to be addressed in an understandable way in our privacy policy - a need that is not really satisfied with a policy made up of short bullet points. (That said, I do like the idea of using bullet points in the margins to summarize major themes, if the community wants that format.) Also I firmly believe in honest transparency with our community. This means we need to explain in plain English how we collect and employ user information, and I think this draft does a better job in that respect, though it takes words to do that. I think you are right to be concerned about ambiguity in any contract, but I would respectfully disagree that this causes any real legal risk; to be frank, if I thought it did, I would strike it. I hear your point about changing the placement of the highlighted sentence ("if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"); I have no objection moving it towards the front of the document (like the Introduction) or putting the concept in as a bullet point in the user-friendly summary if the community supports that view. Other detailed reasons for the rewrite are set out above under the opening template on this talk page, explaining the need for this new draft. I say we watch the community feedback. I’m seeing support for our approach, but I am also hearing the words of caution. During the course of the consultation, we may well make modifications that address some of your concerns. I know that we may disagree on some points, but I want to reemphasize how much I appreciate your reading the document and raising these points. It does help everyone as we work towards the right final draft for the community. Geoffbrigham (talk) 07:50, 7 September 2013 (UTC)[reply]

There is a difference between plain English and childishness. At this moment, the draft reads as if it's trying to appeal to the reader, explain itself to him, and at times almost butter him up, rather than to inform him. I agree with others in thinking it should neither trivialize serious privacy matters nor put its own appeal ahead of its informative value.

For instance, this entire paragraph - Wikimedia Sites are collaborative, with users writing most of the policies and selecting from amongst themselves people to hold certain administrative rights. These rights may include access to limited amounts of otherwise nonpublic information about recent contributions and activity by other users. They use this access to help protect against vandalism and abuse, fight harassment of other users, and generally try to minimize disruptive behavior on the Wikimedia Sites. - has almost nothing to do with privacy and engages instead in broad overview and advertisement of Wikimedia's self-management policies.

I don't believe that such long-winded digressions are consistent with the first stated principle: Be clear and concise in language. CP\M (talk) 13:03, 9 September 2013 (UTC)[reply]

Consider this concept from the European privacy standards

". . . Subjects on whom data is held are given certain rights: 'the right of access to that data, the right to know where the data originated (if such information is available), the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use their data in certain circumstances . . . ' "

I would like to see some mechanism provided to request that PII data to be corrected, and some right of recourse for misuse. Misuse could be due to hacking or simply abuse (intentional or otherwise) of data by third parties. Recourse, or stated in a more positive light, feedback, is one of the overlooked facets for maintaining data quality. I presume that PII is a minor part of data protection concerns for WMF, but breakdowns in the integrity of attribution could reflect broader data corruption. In addition, it is not hard to imagine that public or private sources might try to infer something about one's character from what content they are curating on Wikipedia. If this is (or is thought to be) a case of mistaken identity, WMF should provide a recourse. There are lightweight and heavyweight solutions to this, and for a nonprofit, lightweight may be good enough. Not because there is any obligation to follow the European model, but simply for reasons of data quality. As for "right to withhold permission," I would argue against fully deleting the identity, but there may be steps that can be taken to mitigate compromised identities. Data quality ombudsman? Hopefully this would be a relatively minor occurrence and easily separated from the casual editor's relatively more common misunderstanding of how Wikipedia works.--Knowlengr (talk) 03:48, 8 September 2013 (UTC)[reply]

Hi Knowlengr! Thank you for your suggestions. These European standards were actually concepts we considered in great detail and for a long time while putting together this draft. Unfortunately, it seems that at the point we do not have the capacity to provide users methods to request these things (although I hope we will be able to offer some in the future). That said, in the (hopefully) rare situation where someone believes that a particular attribution's integrity has been compromised, we would like to have that investigated and addressed. I will look into where someone can report such problems and get back to you. Mpaulson (WMF) (talk) 00:42, 12 September 2013 (UTC)[reply]

I'm told you can report it on Technical Village Pump and WMF's ops team will be notified accordingly. Hope that helps! Mpaulson (WMF) (talk) 00:49, 12 September 2013 (UTC)[reply]

Continues at http://thread.gmane.org/gmane.org.wikimedia.foundation/68188

Template:Resolved

MOVED FROM WIKIPEDIA VILLAGE PUMP

Hi, at http://meta.wikimedia.org/wiki/Privacy_policy/BannerTestA, it says:

Because of how browsers work and similar to other major websites, we receive some information automatically when you visit the Wikimedia Sites. This information includes the type of device you are using (possibly including unique device identification numbers), the type and version of your browser, your browser’s language preference, the type and version of your device’s operating system, in some cases the name of your internet service provider or mobile carrier, the website that referred you to the Wikimedia Sites and the website you exited the Wikimedia Sites from, which pages you request and visit, and the date and time of each request you make to the Wikimedia Sites.

What sort of "unique device identification numbers" is it referring to? I thought browsers didn't provide that information. 86.169.185.183 (talk) 17:40, 4 September 2013 (UTC)[reply]

Looking at similar privacy policies, it looks like this may refer to mobile devices: "AFID, Android ID, IMEI, UDID". --  Gadget850 ^talk 17:45, 4 September 2013 (UTC)[reply]

You mean that when you access a website through a browser on an Android device the website can collect a unique device ID? Is that really correct? (I can believe it for general apps, where, presumably the app can do "anything" within permissions, but I didn't think there was any such browser-website mechanism). 86.169.185.183 (talk) 18:58, 4 September 2013 (UTC)[reply]

I think this question is more appropriate for the Talk page discussion on the privacy policy draft. Steven Walling (WMF) • talk 20:31, 4 September 2013 (UTC)[reply]

I see that this information is "receive[d] [...] automatically". That doesn't necessarily mean this information needs to be collected and stored. Personally I am fine with this information being temporarily handled in a volatile location in order to cater to the display needs of each individual device. I do not however, believe that this information should be stored or used for any other means. Participation in this data-mining should be off by default. WMF would of course be free to nag users into opting in. Because this is a _free_ encyclopedia, users should be _free_ to at least view it in the way they want, without having all their habits and device details harvested non-consensually. Contributions? Edits? Sure, take all you want. There's an implicit agreement to such data-mining when a user submits an edit. But there isn't one from just viewing a page. --129.107.225.212 16:59, 5 September 2013 (UTC)[reply]

Thanks, but that is not really relevant to my question (not sure if it was supposed to be), My question is whether it is technically possible for a website to obtain "unique device identification numbers" from a web browser. The text implies that it is; previously I believed it wasn't. I am hoping that someone will be able to answer the question. 86.167.19.217 17:27, 5 September 2013 (UTC)[reply]

You are correct in stating that browsers are sandboxed from retrieving this type of information. However, our mobile apps and our mobile app deployment infrastructure may utilize "unique device identification numbers" to identify mobile devices (such as a device tokens, device unique user agents, or potentially UDIDs). Our mobile apps may need this ID for certain functionality, such as sending push notifications or delivering test deployments. Thanks, Stephen LaPorte (WMF) (talk) 17:11, 6 September 2013 (UTC)[reply]

I think we have no intention of accessing or recording device UDID, IMEI number, or anything else like that. (It's also getting increasingly hard for apps to get access to those, as the OS vendors don't like creepy apps either.) In the cases where we do usage tracking and need identifiers, they'll be either based on something already in the system -- like your username/ID -- or a randomly-generated token. --brion (talk) 17:20, 6 September 2013 (UTC)[reply]

In that case, I think the wording needs adjusting since it currently says "Because of how browsers work [...] we receive some information automatically when you visit the Wikimedia Sites [...] possibly including unique device identification numbers". Mobile apps are not "browsers". 86.160.215.210 20:53, 9 September 2013 (UTC)[reply]

Template:Resolved

Template:Resolved

"Wikimedia Sites"

Why this terminology? I'd appreciate consistency. Terms of use talks of Projects and Wikimedia Projects. --Nemo 21:08, 4 September 2013 (UTC)[reply]

+1. Theo10011 (talk) 21:22, 4 September 2013 (UTC)[reply]

Isn't is the case that WMF runs sites that are subject to the privacy policy but aren't projects? If so (the blog springs to mind), the current broader language seems me the better fit, best regards --Jan (WMF) (talk) 08:28, 5 September 2013 (UTC)[reply]

Actually that might be a distinction worth noting. Does this policy cover things like the blog or labs? I seem to recall the blog using third party software, instead of mediawiki, and labs having similar issues with deployed analytic, and users having access to other user's info. I assumed those 2 things meant this privacy policy probably won't cover those and only the projects. Anyway, it just sounds clunky, a better terminology must exist for this. Theo10011 (talk) 10:15, 5 September 2013 (UTC)[reply]

I appreciate this discussion. The definition of "Wikimedia Sites" is probably a bit broader than the projects. Specifically in the Introduction of the policy we have a list of definitions. "Wikimedia Sites" is defined as:

Wikimedia Sites and services (regardless of language), including our main projects, such as Wikipedia and Wikimedia Commons, as well as mobile applications, APIs, emails, and notifications; excluding, however, sites and services listed in the “What This Privacy Policy Doesn’t Cover” section below.

My thinking is that a casual reader of Wikipedia - to whom this privacy policy applies - may not understand what a "project" is naturally, but will understand what a "site" is. I can see good arguments either way, however, on correct wording. Geoffbrigham (talk) 14:37, 5 September 2013 (UTC)[reply]

I don't care much about the name you choose but I don't like inconsistency with the terms of use, so whatever choice you make please be consistent.

On the definition proposed and the casual reader, using common words doesn't necessarily make something more understandable, especially if you use them in uncommon ways. Applications are not sites. The WebAPI lives on the projects' domains. "Emails and notifications" is too broad and might mean anything; the important ones are those generated by MediaWiki i.e. included in the "Wikimedia projects" category. Finally, which of the hundreds of non-project domains (and this is only the wikimedia.org subdomains) fall under the definition of "Wikimedia Site" per the privacy policy? It's probably easier to use a specific, narrow term and definition to then add instances to it on a case by case basis, rather than use super-broad language and then be forced to endless lists of exceptions. --Nemo 10:44, 7 September 2013 (UTC)[reply]

This is intended to be broader than "Projects" in the ToU. We want the default to be that everything is covered, because that is a common legal standard for privacy policies, and because we want the things that are not covered to be deliberate and thoughtful choices, rather than "someone forgot to add this to the list".

That said, "Wikimedia Sites" should not be used in its own definition - we'll switch to "Wikimedia websites" within the definition. - LVilla (WMF) (talk) 23:35, 11 September 2013 (UTC)[reply]

“the Wikimedia Foundation” / “the Foundation” / “WMF” / “we” / “us” / “our”

Instead of providing glossaries, can't you just use a single term? --Nemo 21:10, 4 September 2013 (UTC)[reply]

Hi Nemo! There are different reasons for using these various terms to describe the Wikimedia Foundation. We say "the Wikimedia Foundation" because it's our official name and depending on the sentence, formality or use of the full name is appropriate. However, we recognize that it's a rather long name and something that we frequently have to reference. Saying "the Wikimedia Foundation" every time we refer to the Wikimedia Foundation would have made the policy even longer...something we wanted to avoid, so we sometimes used "WMF" or simply "the Foundation" instead. As for "we", "us", and "our", we believed that informal terms would help improve readability and flow. For the avoidance of doubt, we added it to the Glossary to make it clear that these terms all refer to the Wikimedia Foundation. Hope that helps explain why we drafted as we did. Mpaulson (WMF) (talk) 00:08, 6 September 2013 (UTC)[reply]

Hello. Thanks for caring about the length of the document! A nice aim would be to reduce it by about 66 %, to stay more or less at the same level as the current one.

As for the specific case, avoiding the use of "WMF" and "the Foundation" would increase the byte count of the document by 0.10 %, if my math is correct. On "we", "us" and "our", either the definition is wrong or there is something wrong in what you said at #Exclusion of on-wiki actions from privacy policy, because in your interpretation "we" seems to include something more than the incorporated entity called the Wikimedia Foundation, Inc. (If that's the case, you may want to distinguish between the normal English "we" and the "WE" referring to the definition in question. That's one of the rare occasions where capitals serve some useful purpose, unlike the Title Case invading the text. If used in stead of “the Wikimedia Foundation” / “the Foundation” / “WMF”, it would also reduce byte length by 0.73 %!) --Nemo 19:10, 6 September 2013 (UTC)[reply]

"update your account profile", "information in your user profile"

What is this thing or things the text talks about? Never heard of profiles on our wikis. --Nemo 21:19, 4 September 2013 (UTC)[reply]

Hi Nemo! This refers to information on your user page. We used the terms like "user profile" to be more accessible to casual users who may not be as familiar with the term "user page". However, I do believe that this phrase should be consistent within this document. Thank you for pointing out that it's called "account profile" in one place. We will get that changed. Mpaulson (WMF) (talk) 23:25, 5 September 2013 (UTC)[reply]

Actually, +1 on all 3. Consistency is very important in vetted documents like these that will be around for a long while. Theo10011 (talk) 21:25, 4 September 2013 (UTC)[reply]

Can someone explain what purpose it serves to have a two-tiers privacy protection in which WMF doesn't guarantee much, or anything, about what in the end might happen with private data on the wikis? In particular the exclusion of "data-collecting tools that are placed on Wikimedia Sites by users, volunteer administrators, or other third parties" means that we (WMF and community) could no longer just remove any tracking script from the wikis on sight as being against the privacy policy. --Nemo 21:15, 4 September 2013 (UTC)[reply]

Hi Nemo! I am a little confused by your question, to be honest. The policy draft does not change rules regarding the removal of tracking scripts from wikis that contravene the privacy policy. Community members are still free to remove tracking scripts from the wikis on sight if they believe they violate the privacy policy. However, if you are not sure whether a particular tracking script is in violation of the privacy policy or you happen to be a casual user who doesn't know how to or doesn't want to remove the script themselves, they can report it directly to the Foundation and we will look into the matter. Does that help address your concerns or did I misunderstand your question? Mpaulson (WMF) (talk) 23:10, 5 September 2013 (UTC)[reply]

Have you read the sentence I quoted? It's in the "More On What This Privacy Policy Doesn’t Cover" section, which by the way is so broad that I have no idea what the privacy policy actually is about (perhaps it would be easier to start with a narrower definition which requires less exceptions).

Let me quote more extensively: «This Privacy Policy only covers the way we collect and handle information [note: "we" means the Wikimedia Foundation, according to the definitions provided; as in its staff, but not its sites as a whole, apparently]. [...] With that in mind, the following are not covered by this Privacy Policy: [...] Third-party scripts, gadgets, cookies, tracking pixels, share buttons, or other data-collecting tools that are placed on Wikimedia Sites by users, volunteer administrators [...]».

Consequently, a script e.g. including Google Analytics on all pages of a wiki, added by a volunteer sysop, is not covered by the privacy policy as proposed, hence is obviously not against the privacy policy and can't just be removed straight away as such (e.g. by stewards as usual so far), though the WMF reserves the right to decide (at whim) that it's better to remove it, or more specifically to "investigate" it, whatever this means: «please report it to privacy[at]wikimedia.org so we can investigate further.» --Nemo 17:34, 6 September 2013 (UTC)[reply]

I think we may just be interpreting the language differently. When we say that third-party data-collecting tools are not covered by the privacy policy, we mean that they are not covered to the extent that they are third-party tools that we do not control and therefore cannot regulate how the information collected by those tools is used by the third parties who receive them. The placement of such tools on Wikimedia Sites, particularly if they do not get the users implied or express consent before collecting information, is not permitted under the privacy policy draft because such tools may not meet the privacy standards set out in the privacy policy draft. But we also understand that despite the prohibition, some placement may occur due to the open nature of the projects. It is in those situations that community members (or WMF if specific instances are reported to us) can remove them on-sight if the community member or WMF believes the tool violates the privacy policy. Does that make more sense? 216.38.130.164 18:30, 6 September 2013 (UTC)[reply]

That last response was me. Didn't realize that I had been logged out. Sorry about that! Mpaulson (WMF) (talk) 18:32, 6 September 2013 (UTC)[reply]

Thanks for the explanation but no, it doesn't make more sense. First, it's not what the draft says: it doesn't say that what happens outside our cluster is outside our control, it says that "data-collecting tools" without further specifications (hence including their being placed on our wikis) are not covered by this policy. Second, it makes no sense to state properties about the empty set (which must be empty). Third, if your aim was to state the obvious, this particular "More On What This Privacy Policy Doesn’t Cover" "clarification" makes more damage than benefit. --Nemo 18:50, 6 September 2013 (UTC)[reply]

Hi Nemo. If that doesn't make sense, do you have suggestions on how to improve the current language? I've taken a stab at making this clearer below. Let me know what you think about this phrasing or if you have proposed language that you think might be better. Mpaulson (WMF) (talk) 23:37, 11 September 2013 (UTC)[reply]

Third-party scripts, gadgets, cookies, tracking pixels, share buttons, or other data-collection tools that are placed on Wikimedia Sites by users, volunteer administrators, or other third parties. The Wikimedia Sites are built and collaboratively developed over time by a global community of users and volunteer developers. Sometimes, a user or volunteer developer may place a third party’s data-collecting tool on a particular Wikimedia Site without our knowledge. The collection, storage, use, and transfer of information by these third-party data-collection tools and the third parties the tools are associated with are not covered by this Privacy Policy because we cannot control the actions of third parties or their tools. However, placement of these third-party data-collection tools on Wikimedia Sites may be in violation of this Privacy Policy if the data-collection tool in question does not meet the standards of this Privacy Policy. If you come across such a third-party tool, you may remove it yourself if you believe it violates this Privacy Policy or you can report it to privacy[at]wikimedia.org so we can investigate further.

Makes no sense, please kill. --Nemo 21:21, 4 September 2013 (UTC)[reply]

What about that makes no sense? It seems straightforward to me. Registration data, and demographic data about yourself. Philippe (WMF) (talk) 21:26, 4 September 2013 (UTC)[reply]

So you're saying that the users can delete registration data? Please tell me how. Is it a new feature that will be developed? --Nemo 21:32, 4 September 2013 (UTC)[reply]

I'm actually curious what demographic data is and where it is extracted from. There is no demographic data as far as I know besides gender info in the preference options, and even that isn't disclosed half the times. Also, did we add an option to disclose age at some point or is there more analytic data being extracted from elsewhere besides the preference option? Maybe I missed something. Theo10011 (talk) 21:34, 4 September 2013 (UTC)[reply]

Gender preference is not demographic data, it's grammatical information. --Nemo 21:44, 4 September 2013 (UTC)[reply]

I thought so too. But "we may ask you for more demographic information about yourself, such as gender or age." - seems to imply not. What exactly is the demographic data here then? Theo10011 (talk) 21:46, 4 September 2013 (UTC)[reply]

Gender preference certainly is grammatical information as well but there is no getting away from the fact that it is also demographic data (and that people don't always like it being known for varied reasons). Jalexander (talk) 21:56, 4 September 2013 (UTC)[reply]

James, is that all the demographic data is that is being referred to? I actually would like a clearer explanation if that kind of info is only pulled from the preference options or somewhere else and what other kind of info is there? Thanks. Theo10011 (talk) 22:00, 4 September 2013 (UTC)[reply]

Thanks Theo, I'll find someone who can give a more through answer. Jalexander (talk) 07:02, 5 September 2013 (UTC)[reply]

Currently, we collect information about gender for grammatical purposes, but it is still demographic information, even if we don’t use it that way. Language is another example of something that we collect right now for technical purposes, but is sometimes considered demographic information.

Gender and language aside, we don’t generally collect demographic information (though see Jeremyb's comment below for an example of specific, non-general demographic information collection). But we’re trying to build a policy that can grow with us in the future and allows us to better understand who contributes to our community and our mission. That’s why we put this in - not to cover something we do now, but to cover things we might do in the future. - LVilla (WMF) 02:18, 7 September 2013 (UTC)[reply]

Yes. This is not something we might ever want to do. Registration must require only necessary data, not demographic information. --Nemo 08:55, 8 September 2013 (UTC)[reply]

Research:Gender micro-survey seems relevant, and is definitely demographic and not related to grammar. --Jeremyb (talk) 20:58, 6 September 2013 (UTC)[reply]

That's not about registration. --Nemo 00:30, 7 September 2013 (UTC)[reply]

I've read the draft from beginning to end, and I have no idea what you wanted me as a user to get from it. What's the purpose, what does it improve compared to the much shorter and more concise current policy which provides very clear and straightforward protections such as the four (4) magic words «Sampled raw log data» (see also #Data retention above)? Is the purpose just adding tracking pixels and cookies for everyone, handwashing (see section above) and generally reducing privacy commitments for whatever reason? --Nemo 21:31, 4 September 2013 (UTC)[reply]

Hi Nemo, Thanks for your comment. I outlined some specific reasons for why we needed an update above. YWelinder (WMF) (talk) 01:12, 6 September 2013 (UTC)[reply]

See here for Yana's summary. Geoffbrigham (talk) 02:12, 6 September 2013 (UTC)[reply]

The summary only says things I already knew, because I read the text. What's missing is the rationale for such changes, or why the changes are supposed to be an improvement. One hint: are there good things that we are not or will not be able to do due to the current policy and what changes are proposed in consequence?

Additionally, the summary doesn't even summarise that well IMHO, e.g. the language about cookies is not very clear and you didn't write anything about making request logs unsampled (which means having logs of all requests a user makes). --Nemo 06:47, 6 September 2013 (UTC)[reply]

I've forwarded your question to our tech team. Relevant members of the tech team are out for a conference and will respond to this shortly.YWelinder (WMF) (talk) 01:04, 12 September 2013 (UTC)[reply]

Would it be relevant to add something along the lines of "From time to time, we may release non-personally-identifying information in the aggregate, e.g., by publishing analytical data..."

Do you think that's covered by the Experimentation section? "Similarly, we may share non-personal or aggregated information with researchers, scholars, academics, and other interested third parties who wish to study the Wikimedia Sites." or is there somewhere else you think it needs to be spelled out more? Jalexander (talk) 02:42, 5 September 2013 (UTC)[reply]

It is covered in the Experimentation section, but in the era of Big Data, one wonders whether enough attention is being paid to the provenance of Wiki data. Just a thought in this context; I suggest addressing data quality directly elsewhere.--Knowlengr (talk) 03:18, 8 September 2013 (UTC)[reply]

Hi Knowlengr, where do you think would be an appropriate place to address this? Would adding it to the user-friendly summary help? Maybe something like "As part of our commitment to education and research around the world, we occasionally release public information and aggregated or non-personal information to the general public through data dumps and data sets." Mpaulson (WMF) (talk) 23:18, 9 September 2013 (UTC)[reply]

Hi- That would fine so far as the policy's public face is concerned. I also think that WMF should add requirements upon data recipients -- consumers of such information -- to maintain provenance information from Wikipedia so that it is not unintentionally / intentionally merged with third party content, yet remain tagged as WMF or as WMF-derived with unclear provenance. This is a technical issue for Big Data provenance, and I'm not doing a good job here of explaining it.--Knowlengr (talk) 12:54, 11 September 2013 (UTC)[reply]

Je ne me suis jamais créé de compte. On ne m'a jamais obligé à le faire. Mais je dois dire que la pression pour le faire est assez importante (je le déplore). Méfiance exacerbée envers les contributeurs sous IP. Protections non justifiées de trop nombreux articles. Questions fréquentes (pas forcément méchantes, mais parfois si) demandant pourquoi on ne se crée pas de compte. Certains contributeurs refusent de discuter avec des IP. Etc.
Je suis très favorable à la possibilité de contribuer sous IP. Je trouve même que cela pourrait avec profit être rendu obligatoire dans la plupart des cas. D'après ce que j'ai lu des Règles de confidentialité, Wikimédia semble avoir compris l'importance de cette possibilité de contribuer sous IP. Mais il faudrait que cette compréhension ne soit pas restreinte à ces Règles, mais se répande dans la communauté. Dire et répéter que les simples IP sont bienvenus, pas forcément sanctionner (pas besoin de diviser la communauté) mais contredire ceux qui critiquent les Wikipédiens contribuant sous IP qui ne désirent pas s'inscrire, combattre les discriminations dont nous sommes fréquemment victimes (semi-protections de page parfois abusives, absence d'outils de suivi pour les IP, interdiction de participer à certaines discussions (pour les votes, je comprends, mais pour les discussions je ne comprends pas), etc.). Parce que d'un côté on a de beaux discours, mais dans les faits ça ne suit pas toujours :-) 78.251.248.20 01:42, 5 September 2013 (UTC)[reply]

I agree this point. --194.79.157.242 07:25, 5 September 2013 (UTC)[reply]

Pardonnez-moi, est-ce qu'il est votre proposition que il être rendu obligatoire qu'on peut contribuer seulement sous IP et pas du tout sous compte? Si c'est le cas, pouvez-vous expliquer pour quoi il est meilleur? DRenaud (WMF) (talk) 02:18, 6 September 2013 (UTC)[reply]

C'est mon avis, mais je n'en fais pas la proposition, car je ne crois pas qu'elle aurait beaucoup d'appui dans la communauté, et je ne veux pas ennuyer les Wikipédiens avec une idée qui n'est que personnelle :-)

Mais il est vrai que la contribution sous IP a beaucoup d'avantages. Je ne me suis jamais créé de compte sous Wikipédia car je n'en crée nulle part, où que ce soit : Facebook, Twitter, MSN. Pour Wikipédia, j'aurais certes un peu plus confiance, mais bon (n'oublions pas que, les serveurs étant situés aux EU, les lois françaises ou européennes ne s'appliquent pas complètement, et inversement, certaines lois américaines que je n'apprécie pas forcément s'appliquent). De plus, au fil des années, je me suis rendu compte que la contribution sous IP comportait beaucoup d'inconvénients (difficulté du suivi des pages, par exemple) mais aussi des avantages. Je trouve que la contribution sous IP est, par certains côtés, plus proche de l'esprit initial de Wikipédia : chez les IPs, pas de course au plus grand nombre de contributions, pas de clans ni de guéguerres de clans (d'où, certainement, moins de stress), parfois plus de respect entre contributeurs, pas de confiance ni de défiance a priori (parce que, il y a trois ans, nous étions d'accord ou opposés sur une question), etc. Bref, je crois que la contribution sous IP est souvent plus relax, plus sereine. Je la recommande à tous. Pour certaines tâches (travail d'administrateur, par exemple), il n'est peut-être pas possible de rester sous IP. Mais tous, et en premier lieu les administrateurs, devraient reprendre l'habitude de contribuer de temps en temps sous IP, pour vivre les situations du point de vue d'un IP. Parce que, quand la contribution en tant qu'utilisateur enregistré n'est pas nécessaire (travail d'administrateur, par exemple), quel est l'intérêt de se connecter à son compte ? 78.251.253.2 12:17, 6 September 2013 (UTC)[reply]

Thank you for taking the time to share your viewpoint. This issue is certainly one that warrants more discussion by the community at large. Mpaulson (WMF) (talk) 02:43, 6 September 2013 (UTC)[reply]

Bonjour. Je pense qu'il faut une politique de confidentialité mais qu'il ne faut pas que n'importe qui puisse changer les pages de wikipédia. Comme le dit le titre plus bas, je pense que les comptes anonymes peuvent être un fléau de wikipédia, bien qu'une fois inscrits dans la durée, la construction, les redactions postives soient de mises pour la plupart.--Zavatter (talk) 14:31, 8 September 2013 (UTC)[reply]

Edit privileges without logging in

I have to say I am not in favor of this. Wikimedia needs to be able to be a reputable site for information. If anyone can change anything at any time, it can loose that credibility.

Comment on above statement - I don't know who wrote the above, but I tend to agree with it. I read the whole privacy policy and think it was thoroughly thought out and like it. However, once in the past I wrote on one forum that I had reservations about allowing edits when the writer was not logged on. My argument was poorly received but I will say it again. Several times I have run into persons who wanted to make inappropriate edits or deletions of valid material. Many of these were done without the person having logging on, which can make it immensely difficult to track down the responsible individual (they can use any public or office computer to remain anonymous). I must note that most persons who edit outside of accounts make productive edits, while persons who work from registered accounts can make disruptive or vandalizing edits. In the latter case, however, there is always the possibility of using sanctions against the registered user.Wpollard (talk) 12:19, 5 September 2013 (UTC)[reply]

What you are asking for is something that just entirely goes outside of the wiki philosophy. The goal of the foundation isn't to be a reputable site for information. That's what peer-reviewed, formally published content in the academia is for. -129.107.225.212 17:12, 5 September 2013 (UTC)[reply]

Il y a aussi des possibilités de sanction pour les IPs : il suffit de la bloquer ! Et je ferais remarquer que les plus gros problèmes relationnels entre Wikipédiens ne sont pas le fait d'IPs mais d'utilisateurs inscrits. Certains utilisateurs inscrits croient avoir une réputation à défendre, font preuve d'arrogance, d'impolitesse, d'indélicatesse, d'acharnement contre d'autres utilisateurs, etc. C'est beaucoup moins voire pas du tout le cas avec les IPs, qui eux n'ont pas de stupide réputation à défendre 78.251.243.204 18:41, 5 September 2013 (UTC)[reply]

In the end I don't think this is a very good place to have this particular discussion. While it's in the privacy policy ( because the policy needs to be descriptive of what is actually happening) but this is an incredibly long standing and core piece of the projects. If it wants to change it's going to need to be a very large (and likely controversial) discussion of its own. Jalexander (talk) 01:12, 6 September 2013 (UTC)[reply]

• Summarizing a comment we received via email: The individual was concerned about the use of IPs to track authors because they don't reliably track user identities anyway and that one person's profile (edits) may be inappropriately construed to be another persons because of ISPs changing their IPs. He believes that it would be best to force everyone to login to edit to work around this issue. ( in responding to him and saying that I made this post I did let him know that this isn't a 'new' change which is what he thought but a continuation of an old policy). Jalexander (talk) 01:53, 11 September 2013 (UTC)[reply]
• We also have 2 other emails which were less specific but also focusing on the removal of the ability to have logged out edits to assist with vandalism. Jalexander (talk) 03:26, 11 September 2013 (UTC)[reply]

Anonymous editors are the bane of the Wikipedia

And quite a lot of subject-experts think so. This isn't news to anybody though. Evertype (talk) 17:57, 6 September 2013 (UTC)[reply]

Hi. Which part of the privacy policy do you want to be changed? Do you want anonymous editing to be disabled? (See the perennial proposals page on enwiki.) Also, what subject-experts are you referring to? Can you cite some experiment, or journal, or something else saying so? Thank you! PiRSquared17 (talk) 19:24, 6 September 2013 (UTC)[reply]

Considering how you used an account to type that up, the statement is quite ironic

Closing for now as it seems this discussion has played out without much of a place to go on this page. Archiving in 24-48 hours unless reopened. Jalexander (talk) 03:24, 10 September 2013 (UTC)[reply]

Reopening this myself for now because of some comments via email, posted above under 'Edit privileges without logging in' Jalexander (talk) 03:26, 11 September 2013 (UTC)[reply]

• Closing for now given no response, generally want to keep translation pages open to allow for more translation but if specific issues please let us know and we can look into it. (I'm not sure how easy it actually is to do ) . Will archive in 24-48 hours if not reopened. Jalexander (talk) 03:12, 10 September 2013 (UTC)[reply]

The "user-friendly summary" is not readable on my mobile because it is in a fixed width box; I can read the rest of the draft policy OK. PamD (talk) 06:53, 5 September 2013 (UTC)[reply]

Thanks Pam, we noticed the same thing yesterday (and while you can read the rest it isn't great on many phones as well) we're talking to some of our mobile team on some good ways to make it work better. Jalexander (talk) 07:42, 5 September 2013 (UTC)[reply]

Archiving in 24-48 hours unless reopened, looks like discussion done for now :) Jalexander (talk) 03:19, 10 September 2013 (UTC)[reply]

Template:Resolved

Last time I wrote a program which gathered all the IP addresses of the "recent changes" page and fed them to nmap with one click, that was fun, but not cool. So what about that? Greets--82.113.121.77 21:56, 5 September 2013 (UTC)[reply]

Vous avez peut-être raison. Est-ce que l'affichage des IPs est vraiment utile ? Ne pourrait-on pas le remplacer par un autre système plus respectueux de nos données personnelles ? On peut de plus se poser la question de la légalité d'un tel affichage public 78.251.243.204 22:11, 5 September 2013 (UTC)[reply]

Attempt to translate 78.251.243.204 message : « You may be right. Is IP adresses' display really useful? Couldn't we replace it by an other system more respectful of our personal data? Moreover, we can ask the issue of the public display's legality. » Jules78120 (talk) 22:49, 5 September 2013 (UTC)[reply]

Was soll der Mist? Du kannst nicht erwarten das jeder französisch spricht. Schreib am besten auf englisch, dann ist wenigstens die change höher das jemand was zurück schreibt. Gruss--82.113.121.77 22:21, 5 September 2013 (UTC)[reply]

Na ja, ich schreibe einfach in meiner besten Sprache, Sie können aber auch nicht erwarten, dass jeder Englisch spricht (in der Schule habe ich Deutsch gelernt, kein Englisch, tut mir leid!)! Jeder kann vielleicht dennoch, so wie ich, ein Übersetzungsprogramm benutzen, es ist doch nicht so schwer zu finden, oder? Solch ein Programm können Sie einfach auf Internet kostenlos finden... Wir sind ja im ein-und-zwanzigsten Jahrhundert! Und ich lese lieber Ihr gutes Deutsch als Ihr schlechtes Englisch :-) Am besten schreibt jeder in seiner eigenen Sprache, und dann ist Ihr Liebingsübersetzungsprogramm auch Ihr Lieblingsfreund 78.251.243.204 01:03, 6 September 2013 (UTC)[reply]

I'm opposed to the idea of hiding editors' IP addresses, as they're necessary to identify and expose shills, astroturfers, propagandists and vandals in general. A typical example is the recent case of a member of the US Senate being caught red-handed vandalising the Edward Snowden page, changing the description of Snowden from "dissident" to "traitor". Slatedorg (talk) 16:29, 9 September 2013 (UTC)[reply]

It's interesting that you would use Snowden's name in an argument advocating more data collection. Do you genuinely believe that these rare instances of catching a fool who didn't think to create an account outweigh the loss to privacy from mass-scale data collection? CP\M (talk) 17:42, 9 September 2013 (UTC)[reply]

It can hardly be described as "more data collection" if that is in fact the current amount of data that's already collected. I'm merely proposing no change to the existing policy in that regard. And yes, I do think the advantages greatly outweigh the disadvantages, given the number of times such high-profile acts of vandalism have been exposed - something that's very much in the public interest. Moreover, Wikipedia is a public space, not private communications, so I don't see this as any particular threat to anyone ... except the vandals, of course. Slatedorg (talk) 07:37, 11 September 2013 (UTC)[reply]

Hi All. Thank you for participating in this consultation period. We appreciate questions and comments in all languages. =) I just wanted to let you know that I have passed your questions along to members of our Tech team, who may be able to better address your questions. Mpaulson (WMF) (talk) 22:41, 5 September 2013 (UTC)[reply]

To understand and experiment needs some elaboration. I am annoyed by the fact that many websites do not really explain how third parties can take a "limited" amount of user data for "analysis." Where are requests to use aggregated data posted (to determine who is using this data), what is the application process, what is the format in which the data is transferred to the requesting organization, what is the maximum amount of data that the organization can receive, and how is the data limited (list types of user data that the requesting party can only choose)? Longbyte1 (talk) 23:24, 5 September 2013 (UTC)[reply]

On this subject, I'd like to learn what does this mean for researchers of Wikipedia in practice. Will we get new data? Will we loose access to some? How can the data be obtained, in practice? --Piotrus (talk) 05:15, 6 September 2013 (UTC)[reply]

Excellent questions, in fact the Research Committee started to flesh out a process and a set of requirements for data requests for research purposes (cc Daniel Mietchen). That proposal was never fully executed, because of the lack of community and WMF policies that the RCom could use to enforce it. With a new privacy policy making it explicit under which conditions data can be shared, I would really like us to work on a policy mandating for researchers who get access to private data under an NDA that (1) they publicly document their requests, (2) share aggregate data within a predefined timeline and (3) make the research output of any work based on this data publicly available in an open access format. I don't think the privacy policy is the appropriate place to specify the process and the terms of this mandate, but I agree these should be captured in an official policy. --DarTar (talk) 19:48, 6 September 2013 (UTC)[reply]

I completely agree with DarTar on this. -- Daniel Mietchen (talk) 21:59, 8 September 2013 (UTC)[reply]

This section is a lot too vague and opens the door for all kinds of intrusive techniques well known from commercial search engines and social networks. Consider item 3:

• Understand how you use the Wikimedia Sites, so that we know what works and what is useful. For example, we might use tracking pixels in our notifications to make sure that you don’t miss important information from us just because our notification accidentally end up in your spam folder; or we might use cookies to learn about the list of articles you are following on your watchlist so that we can recommend similar articles that you may be interested in.

If tracking pixels are used to track whether notifications have been viewed, this should be stated explicitely instead of suggesting Wikemedia is going to hijack the users' spam folders. The statement about learning "about the list of articles you are following" sounds like personal profiling.

In my opinion, usage information should only be stored if this is strictly necessary for a very specific purpose; and, in addition, all information stored should be transparently visible to the users at all times. Using locally stored data that "can be anything" to "make your experience with the Wikimedia Sites safer and better", or to "generally improve our services" is just the opposite. --109.45.180.100 04:36, 6 September 2013 (UTC)[reply]

Thank you for your comments. I have passed them along to some pertinent members of our tech team who work these tools and may better able to address your concerns. They should be responding shortly. Mpaulson (WMF) (talk) 20:56, 6 September 2013 (UTC)[reply]

Hi Anonymous!

Thank you for your thoughtful question. I believe you are asking why is the new Privacy Policy vague regarding the information that will be collected and the technologies used and does this vagueness open us up for abusive practices.

The reason for not giving an exhaustive list of technologies or types of information that we want to constrain ourselves by our principles rather than constraining ourselves a-priori either by the technology that we use or the information that we might need. Three out of the four the principles that guide us, as mentioned in the new Privacy Policy, relate directly to what type of data we collect and how long we store it.

Technology changes so fast and, even though we have an Analytics team, we cannot predict the future in terms of what technologies will be available 2, 3 or 5 years from now, nor do we know what features we will be rolling out by then. But on a high level, we do know that we need to be able to:

1. measure the impact of our new features, to help guide us in prioritizing what we should continue developing and what should be shelved (e.g., testing whether more users complete an edit using Visual Editor or wikitext)
2. refine existing features based on whether or not our users are successfully able to take full advantage of their functionality
3. minimize errors and bugs that may not get surfaced by users directly reporting them to us
4. ensure that our features are helping more new users become frequent, productive contributors to our projects

What you might not be aware of, is that we are already very transparent about the information we collect when assessing the efficacy of a new feature. We use EventLogging to instrument our features. For example, the mobile team created a schema to determine the number of upload attempts using the mobile Commons app, in order to measure whether new educational UI features were helping more people make their first upload. The schema will tell you exactly what information is collected and for what purpose and if you have a question you can interact with the developers through the talk page.

Regarding the abusive practices, I am not entirely sure which ones you had specific in mind, there are many :) A huge safeguard that we offer is that we do not allow third-parties to track our users nor do we sell your data, ever, period. Whatever we collect about you cannot be correlated to other sources, and we will keep your data for a limited time.

I like your idea regarding making it transparent what information we have stored about an individual user, it’s definitely something we, WMF & the community, should think about.

I hope this addresses your concerns.

Best regards,

(in my role as Product Manager Analytics @ WMF)

Drdee (talk) 22:10, 6 September 2013 (UTC)[reply]

Thank you, Drdee, for the detailed reply and the explanations. Best regards, --109.45.141.106 17:02, 9 September 2013 (UTC)[reply]

Closing now for lack of response and not sure what the request is. Archiving in 24-48 hours unless reopened. Jalexander (talk) 03:21, 10 September 2013 (UTC)[reply]

Just wanted to speak up for the possible majority of Wikipedia users and say "Meh, not a big deal, I don't care, I support whatever changes you guys think are best." 198.96.35.90 07:29, 6 September 2013 (UTC)[reply]

:) Thanks! Geoffbrigham (talk) 08:17, 6 September 2013 (UTC)[reply]

Agree Wholeheartedly. Thats why the silent Majority usually stays silent! Vague 12345 (talk) 12:14, 6 September 2013 (UTC)[reply]

But: who is "you"? The Wikimedia Foundation Board of Trustees? The staff in general? The ED specifically? Legal? The WMF as a whole? --Nemo 15:11, 6 September 2013 (UTC)[reply]

Good point. And also why you two can't represent it, as you've just been non-silent. ;) --Nemo 15:13, 6 September 2013 (UTC)[reply]

I have contributed something today for the simple purpose of saying that this poster is right. And he is right because every policy on every site has such majority. thats because vocal minority is always minority. Any case when majority became vocal, we named them revolutions. So while it is nice that they listen to suggestions, its worth remembering that this is after all a vocal minority.

Affirmer : « La majorité silencieuse est de mon avis », voilà bien un argument de dictateur ! 85.170.120.230 10:22, 8 September 2013 (UTC)[reply]

I won't argue the vocal minority or the silent majority as they are what they are, but you can't let the absence of the silent majority prevent a change that may be required from occurring. Wikipedia is trying to get the input from all of its users (from what I've been able to determine) by hanging the banner on the top saying "Let your voice be heard! Give your input on the draft of our new privacy policy." From editing on the English Wikipedia, I can see by that banner that all visitors to Wikipedia have the opportunity to participate in the discussion whether they choose to or not. Koi Sekirei (talk) 17:56, 8 September 2013 (UTC)[reply]

D'accord avec vous. Je dis juste que la majorité silencieuse... reste silencieuse. Ne lui faisons donc pas dire ce qu'elle n'a justement pas dit. Lui faire dire qu'elle soutient (ou rejette) le changement, ce serait de l'imposture 85.170.120.230 01:35, 9 September 2013 (UTC)[reply]

To: 85.170.120.230 - Ah...I will admit that I hadn't translated what you said before now. Sorry about that. I was merely commenting on the sixth and unsigned comment right before yours...unless that was yours just in English. Koi Sekirei (talk) 04:17, 9 September 2013 (UTC)[reply]

The following view/questions/comments are based on revision 5788377 of the draft. I've used tags to differentiate my comments according to importance:

• FIXME : Very important. Should really be fixed/changed.
• SUGGESTION : May be technical/legal/humourous.
• QUESTION : Stuff that needs clarification (either here or in the draft)

Feel free to reply between this report (just maintain indentation for the replies, wrong indentation gives me headache in reading).--Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

Siddhartha - thank you for your comments. I look forward to reviewing with the legal team over the next couple of days and getting back to you. Have a good weekend. Geoffbrigham (talk) 08:58, 7 September 2013 (UTC)[reply]

Hello @Siddhartha Ghai:, thank you for providing such detailed comments. I have responded to some your points below, and reformatted the comments using subheadings so that they can be addressed specifically. Best, Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)[reply]

Summary

Text: If you add content or make a change to a Wikimedia Site without logging in, that content or change will be publicly and permanently attributed to your IP address rather than a username.

SUGGESTION:

Many users may not have a permanent IP address and hence may find this slightly confusing. How about this:

If you add content or make a change to a Wikimedia Site without logging in, that content or change will be publicly and permanently attributed to the IP address you were using at the time, rather than a username.

or simply:

If you add content or make a change to a Wikimedia Site without logging in, that content or change will be publicly and permanently attributed to the IP address you were using at the time. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

Yes, you are correct that unregistered users are attributed via their IP address used at the time, and the attribution will remain the same if a user’s IP address changes. I updated the policy based on your suggestion. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)[reply]

Welcome!

Text:

We do not sell or rent your information, nor do we use it to sell you anything.

QUESTION:

This sounds great, but can't this be construed to mean that "your information" (your username) won't be used on any CD/DVD versions of wikipedia. I don't know if the versions are brought out by the WMF itself, or if its through volunteers/chapters/other organisations, but if it's the WMF, the BY of CC-BY-SA would require use of the username (which would take place even if the user states on his/her userpage that he/she releases all contributions under PD.)

Perhaps clarify on this? --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

This is a good question. The Wikimedia Foundation is a nonprofit organization, so it does not sell or rent user nonpublic personal information. Usually, if we were to make CD/DVD versions of Wikipedia available, it will be noncommercial and free of charge. You are correct that other organizations may use public Wikipedia data commercially, but under this policy, we will not sell access to our nonpublic data. I updated the policy based on your suggestion. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)[reply]

Account Information and Registration

Text:

However, if you contribute without signing in, your contribution will be publicly attributed to the IP address associated with your device.

SUGGESTION:

However, if you contribute without signing in, your contribution will be publicly attributed to the IP address which was associated with your device at the time the contribution was made.

or

However, if you contribute without signing in, your contribution will be publicly attributed to the IP address which was associated with your device at the time of making the contribution. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

This is updated as well. Stephen LaPorte (WMF) (talk) 22:59, 11 September 2013 (UTC)[reply]

Information We Receive Automatically

Text:

This information includes the type of device you are using (possibly including unique device identification numbers), the type and version of your browser,

SUGGESTION:

Shouldn't this be clarified that information about versions of all browsers on the device are sent? I saw a http GET request sent to a wikipedia and its query urls seemed to contain names and version numbers of all the browsers on my computer.

QUESTION: Also, don't the requests specify the timezone? I'm wondering how the time-related magic words function on a per-user basis if they don't know which timezone the user is in. (Or do they treat all IPs as being UTC?) --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

Wikipedia has a list of HTTP header fields, which is standard data that may be delivered whenever you visit any site on the Internet. This may depend on your browser’s privacy settings, so your browser’s documentation may explain more about what is sent automatically. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)[reply]

Information We Collect

Text:

Similarly, tracking pixels and JavaScript can be used to help us understand whether a page has been visited, and may be associated with personal information like your IP address.

QUESTION:

What other personal information like IP address may be associated with visited pages? Are usernames associated with visited pages? If yes, how is this information utilized? Is this used only aggregately for a large number of users, or is it possible that individual cases may be analyzed for specific purposes of improving the site?

Text:

by using cookies, we can learn about the topics searched so that we can optimize the search results we deliver to you.

QUESTION:

Is this applicable for computers (laptop/desktop/ultrabook) or only for mobile devices (smartphones/feature phones/tablets/phablets). Basically what I want to know is whether search results for a logged in user are optimized on the basis of his/her past searches (I think google does something similar). If they are, how is the data for past searches stored, and how is it used?

Text:

we might use cookies to learn about the list of articles you are following on your watchlist so that we can recommend similar articles that you may be interested in.

FIXME

This seems to suggest (to me atleast) that there is going to be some backend program/software analysing people's watchlist and wikipedia category structure or something to find and recomment related articles. Though I haven't actually seen this feature on wp yet, it sorta gives me the creeps. Any internal program accessing user watchlists means that access to watchlists is more open than I anticipated. It also means that anyone who can find a loophole in the program which does the suggesting, can theoretically view users' watchlist. If what I'm saying about there being a software (current or future) is correct, I'd like to know the level of security surrounding it (what level of encryption is being used, etc). I know it may be difficult to explain the security measures in detail without the security risk of making technical details public (and hence availaible to potential hackers), but any information will be appreciated.

Text:

Understand how you use the Wikimedia Sites across different devices, so that we can make our varied Wikimedia Sites more efficient and effective for you.

QUESTION:

Again, is this data used in aggregated form or is it possible that it may be used per user for feature improvement? --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

The term “personal information” is defined in the introduction of the policy, and the section on "Information we collect" explains how this information is used. Diederik, from the Analytics team, provided more detail how use this information. As he explains, the technical details may change from time to time (as technology always does), but the policy includes specific principles and restrictions about how the data may be used. We make a general commitment to keep data as short as necessary (see “How long do we keep your data?”). Additionally, the ’’data retention policy’’ -- which will be shared with the community for comment -- includes more detail about the length that data will be retained. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)[reply]

Emails

Text:

so we can pursue the evil wizard who is impersonating us.

SUGGESTION: Sounds too much Harry Potter/Dungeons and Dragons. More Star Wars please :D

so we can pursue the Sith lord who is impersonating us. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

IP Addresses

Text:

Finally, when you visit any of Wikimedia Sites, we automatically receive the IP address of your device (or your proxy server) you are using to access the Internet,

SUGGESTION:

Grammatically incorrect maybe? Possibly this:

Finally, when you visit any of Wikimedia Sites, we automatically receive the IP address of your device (or the proxy server) you are using to access the Internet,

Text:

If you are visiting Wikimedia Sites with your mobile device, we may use your IP address to provide anonymized or aggregated information to service providers regarding the volume of usage in certain areas.

FIXME Who are these "service providers"? The cellphone company whose network the user is using? Also, if the info is either anonymized or aggregated, in case anonymized info is given, how does that really help in determining volume? (This needs fixing.) --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

If the Organization is Transferred (Really Unlikely!) and Changes to This Privacy Policy

FIXME:

In case this apocalypse does happen, I would like that the WMF offer atleast a month's notice, and not only on the mailing list, but highly visibly, possibly using CentralNotice (the thingy used to announce this discussion), and notifications on village pumps (may be coordinated through meta). Also, since any transfer of information would mean the possibility of the data coming under a new privacy policy, I would like that the WMF offer the option of users not accepting the new policy and requesting deletion of their data (this may not be possible for IPs, but should definitely be there for logged in users). And I would like this to be specified in this version and all future versions of the privacy policy. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

To Protect You, Ourselves, and Others

Text:

We may need to share your personal information if we reasonably believe it is necessary to enforce or investigate potential violations of our Terms of Use, this Privacy Policy, or any Foundation or user community-based policies.

FIXME:

If I remember correctly, there was some talk some time ago of a majority of users on a wikipedia belonging to a particular nation, with Muslim majority, thinking about implementing policies on wikipedia based on the Shar'ia. Although I really doubt I'll ever have anything to do with the wiki, it is not impossible that certain policies/guidelines on certain wikipedias are culture-specific, and someone from another wikipedia may accidentally end up offending the users and breaking those guidelines. In such cases, I won't like the WMF releasing such a users' information to the wikipedia users, only to have a fatwa issued against the said user. Possible complications in this would include users doing something which is illegal in their country, and other users (either good faith or on a vendetta spree) asking for user information from the WMF in order to file legal complaints against the user. Potential examples: The map of India used on WMF sites, for NPOV purposes, shows Pakistan-occupied Kashmir as part of Pakistan, and Askai Chin as part of China. Both these portions are claimed by India as part of the state of Jammu and Kashmir. So anyone using an infobox on an India article and adding coordinates to the infobox is basically adding a map to the article. And the distribution of that map is illegal in India. So such a user can theoretically be prosecuted for aiding/abetting a criminal offence. I wouldn't like the WMF to release users' data to other users on the basis of such a complaint. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

We are working to adopt best practices in responding to legal orders. Consistent with our current practices, this policy explains that we are committed to fighting orders that are legally invalid or an abuse of the legal system. We also provide notice to users in advance when possible, to allow a user the opportunity to oppose an improper order and obtain legal counsel. We hope to publish soon a draft document for law enforcement, which will include more detail about our strict procedures for responding to orders. Stephen LaPorte (WMF) (talk) 22:51, 11 September 2013 (UTC)[reply]

How Do We Protect Your Data?

FIXME:

Possibly add what the WMF intends to do in case the security is breached. And possibly also add that once fixed, affected users will be notified of all security breaches. This may be done via email, or publicly, through the blog, CentralNotice/Meta, or something alike. --Siddhartha Ghai (talk) 12:23, 6 September 2013 (UTC)[reply]

I don't think this Privacy Policy adequately provides information on how the Wikimedia Foundation collects information from children under the age of 13 (as required by the Children's Online Privacy Protection Act. How does the Foundation receive consent from someone who is not the age of majority (i.e. requiring parental permission before using the Sites)? Will the Foundation permit the usage of the Sites by those under 13 (i.e. some websitse on the Internet don't allow children under 13 using their site because of this law)? What will the Foundation do to ensure the safety of children on Wikimedia Sites (i.e. the disclosure of personal information of a minor or communication taking place on the Site between a child and an adult)? 184.146.126.95 22:20, 6 September 2013 (UTC)[reply]

Thanks 184, just to let you know that the legal team is working on a response to this that should be ready tomorrow (they're doing a writing sprint to answer a bunch of questions). Jalexander (talk) 01:25, 11 September 2013 (UTC)[reply]

I'd like to see a change of policy regarding anonymising VPNs. Currently these are blocked as 'open proxies', which they aren't. Though I also think open proxies should be allowed as well. I know that there have been instances of abuse by anonymous users but I think that blocking all anonymising services is a bridge too far. Perhaps a solution would be to allow users to edit via anonymising services if they register an account? Either way to just say anonymous users do too much damage is a cop out. The price of freedom is eternal vigilance. If the admins can't cope, get more admins.58.6.101.181 23:32, 6 September 2013 (UTC)[reply]

In the end the foundation (and this privacy policy) does not stop VPNs (or open proxies) from being used. For reading nothing is blocked but for editing the issue is up to the community, both the local communities and the global stewards for global issues. All projects that I know of have a way for you to ask for and receive an 'exemption' flag that will let you edit from blocked IPs, each of them have different rules that the community has set. Jalexander (talk) 08:41, 7 September 2013 (UTC)[reply]

Wikipedia certainly does stop users editing when they access via anonymising VPNs. I use a VPN and I can't edit when I am using it as it gives me a message saying I am editing from an open proxy, which it certainly isn't. I'd like to see more information on the method you mention of getting permission to edit from blocked IPs as I have never heard of it. I have tried repeatedly to be able to edit via my VPN but have always been assured that it is forbidden. But I do think that even if specific projects have a way to give someone permission of the kind you mentioned that is a serious limitation. Users might not only wish to edit pages of a particular project or indeed to seek permission for such approval if they are in a situation where their anonymity is important. If wikipedia really wants for everyone to be able to edit it then we shouldn't be limiting users based solely on the fact that they wish to be anonymous. It seems that the main reason given is that it is too much work for admins to deal with. The solution to that should be to get more admins not remove the ability to be anonymous because some people have behaved badly. 203.57.208.89

Yeah, Wikipedia (individual projects or the global community here on Meta) block access to some anonymizing services but in the end that's up to them and it isn't something that we're able to really change much. We have to give the specific projects the ability to control vandalism, sadly there are many people who use anonymising services to vandalize or abuse the sites in other ways. The warning you get about 'open proxies' is the message for why the block was placed but it was placed there by the community, usually because people from that IP/VPN were causing disruption or problems and 'acting' like an open proxy even if they aren't in actuality one. You can find the English Wikipedia policy on IP Block Exemption as well as the Global request page (global requests are for globally blocked IPs, i does not exempt you from local blocks). Obviously there are projects (such as zhWiki) which are more free in allowing the exemption then others (such as enWiki). In the end this is not something the foundation is going to impose on the individual projects, they NEED to have the ability to block these if they determine it's necessary to protect the project. Jalexander (talk) 03:46, 10 September 2013 (UTC)[reply]

I find the argument that changes are needed with regards to the privacy policy unconvincing. The specific modifications that were suggested would deprive Wikipedia from what it is most renowned for: a free Internet. Let me make my case.

1. The Wikimedia Foundation argues that changes are needed to "update" the privacy policy of 2008. The Wikimedia Foundation is in my eyes the wrong actor to call for these changes to the privacy policy. Such an initiative can only be taken – if it is to be legitimate – by the users of Wikipedia. If those users are not interested in a discussion, or any change to the privacy policy, i.e. if they don't care about it or if only an insignificant number of them cares about it, any change incited by the Wikimedia Foundation is illegitimate for it breaches with the idea that Wikipedia is a user-generated, bottom-up, collaborative project. If changes to the privacy policy would occur, Wikipedia would lose its status as a bottom-up, user-driven project and become one of those same old leadership-projects where some rule over others.

2. Not only is the wrong actor suggesting these changes (cf 1.). What has been suggested makes little sense. The meaning of the modifications proposed by the Wikimedia Foundation lie in their increase of data-gathering capacity. Recent (NSA; GCHQ) as well as long-term developments (decrease of social and economic human rights since 2001) suggest that the more data is gathered, the more it is used by those in power to control, surveil and repress common people. This has become clear recently as the documents leaked by Ed Snowden are evidence that Orwellian mass-surveillance and control are excessively used against what are considered to be both foreign as well as domestic enemies. This is becoming increasingly clear if we look at developments that are more long-term. Since 2001, the U.S. lead the discourse on "The War on Terror" which has led to what political philosopher Giorgio Agamben calls "The State of Exception". What does he mean? He means that sovereign power is increasingly used in blatant contradiction to ethics, i.e. written and unwritten law. In the field of international conflict, we see that happening in Guantanamo. In the field of personal liberties, we witness a state of exception as well as governments justify the invasion of the private sphere, the exploitation of all sorts of data with "national security interests". It becomes evident that the major westerns states themselves pose a threat to the security of most people. The Wikimedia Foundation's proposal to change privacy policy in a way that requires its users to give more data has to be seen in this context: it aids those who want to surveil and control populations by creating data that is not necessary to collect. If Wikipedia is to remain a symbol of a free internet, where people are not tracked down, surveiled, controled or mapped constantly, the privacy policy cannot be accepted.

If Wikipedia is to continue to be a symbol for a free internet, for one that makes knowledge accessible and negotiable across the world, if Wikipedia is to embody the single most impressive collective effort of humanity to understand the world, it cannot chose a path that leads us towards an old principle of leadership that has caused too much trouble already, and it cannot lead us astray from humanity's everlasting task of emancipation:

that we become more fully human, more fully free, and less controlled, less surveilled and less mapped. —Preceding unsigned comment added by 78.53.120.152 (talk • contribs) 11:25, 7 September 2013

Why "should" we apply a heavily Schmittian basic design? Derrida, for example, developed a quite coherent alternative route, in The Beast and the Sovereign, in tackling the same issue and is heavily at odds with Agamben (granted: Derrida directly addresses Homo Sacer and not the later stages of camp logic developments spelled out by the Italian). Regards, --Jan eissfeldt (talk) 16:02, 7 September 2013 (UTC)[reply]

I believe that it has to be clear in the user-friendly summary that "Wikimedia will give any user-related data if it receives a sub-poena from the authorities" (or a slightly longer text giving a more accurate description). --FocalPoint (talk) 15:28, 7 September 2013 (UTC)[reply]

I see what you mean. How about something like this as a rough idea:

We may disclose information for different purposes, such as compliance with valid legal demands; protection of you, WMF, or others; or inclusion of service providers who help run or improve Wikimedia Sites.

I may want to wordsmith and reduce a bit more, but this is the basic idea. Interested in your thoughts. Thanks. Geoffbrigham (talk) 16:24, 7 September 2013 (UTC)[reply]

Actually, if the aim is to simplify the explanation, I'd suggest that it would be desirable to elaborate a little more as your rewrite is still tending towards being overly abstract. At least qualify "valid legal demands" with a couple of instances, i.e. subpoena from the authorities (what constitutes an 'authority'? US local laws? US federal laws? Laws you need to be aware of in your own country if you live outside of the US?). It still smacks of legalese vagueness which, I gather, is what you're trying to avoid. Cheers! --Iryna Harpy (talk) 01:38, 10 September 2013 (UTC)[reply]

"We do not sell or rent your information, nor do we use it to sell you anything." Is not fully in accord with current practice. The most expensive things I've bought through this site have been registrations at Wikimania, but we should be careful to talk to merchandising as well. One of these years I'm hoping to be able to buy some Wikimedia calenders or flip flops that leave a trail of "citation needed" down the beach. It would be a shame if this privacy policy were to be seen as precluding this. WereSpielChequers (talk) 16:18, 7 September 2013 (UTC)[reply]

WereSpielChequers - I'm really happy to be hearing your voice here; your ideas are always so constructive. With respect to your present comment, I think I need a little more clarity here from you. Now, a separate privacy policy applies to our Wikimedia Store (as made clear in the draft policy), so merchandizing from the store is not at issue. We say this in the Introduction of the proposed draft: "This Privacy Policy does not cover some situations where we may gather or process information. For example, some uses may be covered by separate privacy policies (like those of the Wikimedia Shop or sites or services run by third parties, such as third-party developer projects on Wikimedia Labs)." We would happily sell you the calendars and flip-flops under the Store's privacy policy, but we would not use your registration information on Wikipedia to market it to you.  :) I don't know of any examples where we take user information obtained through registration on the projects to actively sell Wikimedia registrations or other products or services, but I may not have full knowledge here. If you or others have known examples, I would be interested in them. Geoffbrigham (talk) 16:50, 7 September 2013 (UTC)[reply]

The WMF run a CentralNotice campaign on en.wiki to promote the shop, IIRC targeted to registered users (possibly with some editing activity requirements), as well as some talk page promotion if I'm not mistaken. With some stretching, that could possibly be considered "targeted advertising" (even if at loss...). It's quite far fetched though! --Nemo 17:01, 7 September 2013 (UTC)[reply]

Hi Geoff and Nemo and thanks for the welcome, I don't think anyone would object at the "wikimedia" things that we try and sell on Wikimedia sites, so to some extent I am being pedantic. But I'm pretty sure that what we are considering would be technically breached by some current practices. Having a separate policy for the shop does reduce the practical issues - they need to process financial transactions. But I would suggest we drop the words "nor do we use it to sell you anything". WereSpielChequers (talk) 17:48, 7 September 2013 (UTC)[reply]

Well, I think that here is necessary more clarity about what kind of information collects WMF for what kind of user, what WMF do with it, and if WMF could communicate to you in different way according to your user status. You should create a section for each kind of user as the follow:

If you are a visitor: Basically here you can put the Information We Collect section. And you have to warn about if the user shares an IP direction, a box telling him that has a new message could appear (see anonymous contributor)

If you are a anonymous contributor: You explain that, in addition to information collected as visitor, the anonymous contributions will be assigned to the IP. Editors could leave a message for IP contributors associated with an IP.

If you are a registered user: In addition to information collected as visitor, you will be identified with your user name. Registered users have talk pages to communicate among them. E-mail could be solicited but not is not necessary to provide it. Because you are a registered user WMF assumes that you are interested in Wikimedia projects and WMF or administrator could you send a message or focuses some communications to registered users, and to do this we use your data. And…so on.

If you are a user with privileges: (call them as you please) I do not know exactly if exist a significative difference with simple registered users, but administrators have different forms to communicate, and in some cases they send or request information in name of WMF (OTRS). Is necessary to clarify the scope of the data of the users with privileges.

If you are a donor: WMF is a non profit organization that is sustained with voluntary contributions. You can donate to WMF, but data required for donation is managed under the donor policy, and privacy policy of third parties involved in the process of donation, if any.

Text above is only a stub, but I think more structured document can be helpful.--SirWalter (talk) 20:12, 7 September 2013 (UTC)[reply]

Thanks for these thoughts and ideas. I want to monitor the community discussion on this and think about it some. Quite helpful. Appreciated. Geoffbrigham (talk) 06:33, 8 September 2013 (UTC)[reply]

I like the text and outline you provided SirWalter. While I have perceived the information collected as outlined by your stub in the anonymous contributor and registered user from previous discussions and pages, I hadn't thought of the donor category to which I could be part of as I contributed last time it was out as a banner. Koi Sekirei (talk) 18:04, 8 September 2013 (UTC)[reply]

The section:

Information you provide us or information we collect from you that could be used to personally identify you. 
To be clear, while we do not necessarily collect all of the following types of information, we consider the 
following to be personal information if it can be used to identify you:

   your real name, date of birth, gender, sexual orientation, racial or ethnic origins, medical conditions or disabilities;
   address, phone number, email address, password, identification number on government-issued ID, IP address, credit card number;
   political affiliation, religion; and

Conflates two very different issues, data that could be used to identify people, and data that most people would consider should be kept private - "sensitive" data in European parlance. I suggest that this needs rethinking and separating out. We also need to differentiate between information disclosed, disclosed and redacted, imputed or alleged. The community has longstanding policies that impinge on this, and people have been banned for breaches of it. I would suggest that you need a section on information that could be used to identify, and that section needs to also include info on school or place of work. We also need to link to our child protection policies here, we allow adults to supply contact information but for obvious reasons oversight it when supplied by children. For example a University Professor is very welcome to link their userpage to the academic bio and vice versa, but we would not allow a minor to do that.

The section on "sensitive" data needs to say something along the lines of:

We understand that certain types of data can be more "personal" than others. We will only connect these types of data and store that 
with a link to identifiable people when we have a clear and pressing need, such as to supply appropriate food at an event. Where 
practical we will anonymise this data.

WereSpielChequers (talk) 17:39, 7 September 2013 (UTC)[reply]

Hi WereSpielChequers! Thank you for this thoughtful suggestion. We are familiar with the distinction between regular PII and "sensitive" information in EU parlance, but drafted the way we did mostly because we consider both categories of information to be "personal information" if it can be used to identify you and therefore subject to greater protections under this privacy policy draft. However, your suggestion is an interesting one. We will mull over how separating these categories of information could impact the draft in the next couple of days and get back to you, probably on Wednesday. Mpaulson (WMF) (talk) 00:40, 10 September 2013 (UTC)[reply]

"Never require for contact information, and collect little data otherwise;" I suspect would read better without "for", but again we have some examples where we do require contact information. Functionaries for example have to identify to the office. I think that the Principle which we follow is for minimal requirement, or that "for the vast majority of Wikimedians we don't require contact details". WereSpielChequers (talk) 17:59, 7 September 2013 (UTC)[reply]

Maybe something like this, roughly speaking:

"Never require contact information to use the Wikimedia Sites, and collect little data otherwise."

Thoughts? - Geoffbrigham (talk) 06:46, 8 September 2013 (UTC)[reply]

What does "use" mean? --Nemo 08:51, 8 September 2013 (UTC)[reply]

Actually, I think this is just a typo. The "for" was never supposed to be there. It's been corrected. Thanks for catching that! Mpaulson (WMF) (talk) 17:41, 8 September 2013 (UTC)[reply]

"for" probably was a typo and taking it out fixes one problem, but there are some circumstances where we do require contact information. Geoff's wording "Never require contact information to use the Wikimedia Sites, and collect little data otherwise." might work, but it could leave people wondering at the ambiguity. Howabout: "We only require contact information from users who request certain high level access rights to these sites. Or sometimes to send you things like Tshirts." Though the last clause might need tweaking, other parts of the document already read like confirmation of the old joke about the WMF talking to the community like a bunch of twenty somethings trying to relate to a bunch of adolescents, and inadvertently offending the silver surfers who increasing predominate in it. WereSpielChequers (talk) 23:14, 9 September 2013 (UTC)[reply]

I think your first sentence suggestion would work. I'll get that changed. Thanks, WereSpielChequers! Mpaulson (WMF) (talk) 16:36, 10 September 2013 (UTC)[reply]

by users

"The Wikimedia Sites are collaborative labors of love that were created, and by constantly maintained and updated, a global community of volunteer users." might read better as "The Wikimedia Sites are collaborative labors of love that were created, and constantly maintained and updated, by a global community of volunteers."

By was simply in the wrong place, users was redundant but also offensive to some. In my book our users are the people who use our site to look things up in a dictionary, image library or encyclopaedia. Our volunteers who contribute to the site are rather more than just users. WereSpielChequers (talk) 18:12, 7 September 2013 (UTC)[reply]

Nice catch. I think this was garbled when we wikified the draft for posting. Thanks. I like the rewrite (much better). I might say "volunteer editors and contributors" at the end since we use that phrase elsewhere (see, e.g., user-friendly summary). So it would read:

The Wikimedia Sites are collaborative labors of love that were created, and constantly maintained and updated, by a global community of volunteer editors and contributors.

Does that work? Geoffbrigham (talk) 06:51, 8 September 2013 (UTC)[reply]

Yes that works for me. WereSpielChequers (talk) 22:54, 9 September 2013 (UTC)[reply]

"Labours of love" and similar expressions like "Wikilove" much liked in the US does not work for me in any Danish (and I suppose any Nordic) translation, where love means the real thing. What about using "collaborative effort" or some similar expression instead? Sir48 (talk) 23:07, 9 September 2013 (UTC)[reply]

I'm not sure that needs changing on the English side, I don't think something like collaborative effort gets the idea across well there :-/. That said If we need to tweak it in other languages I think that's perfectly understandable. If you think that's the best phrasing to use I'd go with it for the translation, the idea of the labour of love is more of a task done for pleasure, not reward. Jalexander (talk) 18:54, 10 September 2013 (UTC)[reply]

Nevermind. You hid it in that FAQ, which does not seem to be an actual part of this page, for some reason, even though it is a change in policy. I'd rather be able to stay logged in forever, but 180 days is better than 30.

Honestly, I don't get why I would ever care to be logged out. Worst case scenario--someone gets access to my computer at my house and does something that gets me temporarily banned. I get another userid at a friends house and log in using it from now on.

Just as long as you don't pull a Google and make it where I can't fix this by just editing my login cookie, I guess I'm okay with that. Though explicitly letting me set how long I'll stay logged in would be a nice addition. Trlkly (talk) 02:47, 8 September 2013 (UTC)[reply]

Hi Trlkly! It was not our intent to hide information about login cookie duration. Quite the opposite, in fact! We're trying to provide more specific information about the cookies we use and their duration. However, we placed that information in the FAQ because (1) we want didn't want to make the main body of the privacy policy unnecessarily long; and (2) we want to be able to continue to add to/modify the cookie table in the FAQ to keep the table up-to-date and provide better transparency about our use of cookies and other locally-stored data. Mpaulson (WMF) (talk) 17:00, 8 September 2013 (UTC)[reply]

hi, a silly (and really niche) question: certain Wikimedia and project functionaries, such as stewards, checkusers, ombudspeople, oversighters have to disclose their identity as well as provide scanned IDs. it is my understanding that this falls under the privacy policy of the WMF as well, but I can't pin it down to any specific paragraph. Scanned IDs are not mentioned on the list of types of data that the WMF may collect at all. Pundit (talk) 07:32, 8 September 2013 (UTC)[reply]

Hi Pundit, I think we've generally just kept specific pieces about it completely within the Access to nonpublic data policy (being the old one, with a new draft under discussion under it's new name Access to nonpublic information policy along with a separate confidentiality agreement) but I'll see if they think we need something specific in this policy as well. What are your thoughts? Jalexander (talk) 08:21, 8 September 2013 (UTC)[reply]

Thanks. I don't have any specific thoughts, I just think it is good to keep those niche cases in mind, and as I have not found this case specifically addressed, I thought that maybe it should be. Deferring to access to nonpublic information policy is one option, too, definitely - maybe even less confusing for casual users. Pundit (talk) 09:50, 8 September 2013 (UTC)[reply]

One more thought: it is unclear who within the WMF is authorized to have access to this most sensitive information (scanned IDs), how is it kept and protected, and what happens to it when a given user resigns/gets demoted from a function (I would imagine that the WMF should be given a right to keep the scanned IDs for a certain time for accountability reasons, but not longer). Pundit (talk) 09:54, 8 September 2013 (UTC)[reply]

These are excellent questions. We currently do not keep IDs of those who have access to nonpublic information, though our draft privacy policy would require that. We have an internal WMF policy on how to maintain these records when we do keep them, and I set it out below for your review. I'm open to any suggestions about how to improve this policy. Thanks again. Geoffbrigham (talk) 12:25, 9 September 2013 (UTC)[reply]

Many thanks, this is exactly what I had in mind and it is great to see that it is already in place :) Of course some explicit limitations to data retention would be nice to have (I don't know to what extent you'd be willing to put a fixed amount of time that the data is kept, with exceptions authorized by someone specific at senior level). Pundit (talk) 16:15, 11 September 2013 (UTC)[reply]

Wikimedia Foundation - Internal Policy

Purpose

The Wikimedia Foundation (“WMF”) may sometimes need to collect copies of identification documents (“IDs”) from community members pursuant to established policies of WMF or the community. Examples where community members may need to identify themselves include the following:

• Candidates for the WMF Board of Trustees
• Candidates for the Funds Dissemination Committee
• Recipients of WMF grants
• Representatives and agents of user groups and thematic organizations
• Community members with access to nonpublic user data information [GRB Note: we are currently not keeping such IDs on file.]

This internal policy summarizes the approach to be taken by WMF employees and contractors when handling and storing such community member IDs. The required ID depends on the criteria of the particular policy or practice, but may include copies of passports, driver’s licenses, and other government-issued documents showing real name and age.

Collection, Storage, and Access

Copies of IDs provided to WMF by community members will be kept confidential, consistent with any applicable requirements of the WMF privacy policy. Physical copies of IDs will be kept in locked cabinets designated for this purpose. Electronic copies of IDs will be protected by passwords or other electronic protections in files designated for this purpose.

Access to IDs will be limited to a “need to know” protocol determined by the program administrator. Usually that means only the principal administrators of a program will have access to those IDs. WMF will not share the IDs with outside third parties, unless required by law, covered by a non-disclosure agreement approved by Legal, or necessary to protect the rights, property, or safety of WMF and its employees and contractors.

Destruction

IDs will be kept as long as necessary to satisfy the need of the applicable policy and practice requiring the IDs. Such IDs will be destroyed as soon as the need for the ID has expired. Depending on the program, some IDs may need to be retained for a period of time for legal and financial purposes beyond the immediate purpose of the policy and practice. For example, IDs may need to be retained after the life of a grant to prove expenditure responsibility to government officials in the case of an audit. Check with Legal and Finance for any legal or finance record retention requirements.

V.1.1 (2013-03-14)

There is one area where identity and personal data is essential. It is imposible to give anonymous license permission if the identity cannot be verified. For example if an artist gives permission for his work to published/used in the commons, or his descendants. It is not posible to upload files in the commons without registering. Some explicit clarification would be usefull.212.61.237.163 09:32, 8 September 2013 (UTC)[reply]

Hi Anonymous! That's a great point. We will add clarifying language to the registration section accordingly. Thank you so much! Mpaulson (WMF) (talk) 00:51, 10 September 2013 (UTC)[reply]

What happens when some contributor dies? There sometimes in memoradium pages, by important wikipedia contributors, but who is then responsible for the information?212.61.237.163 09:36, 8 September 2013 (UTC)[reply]

Hi 212.61 ... As set out in the privacy policy, data may be retained as long as necessary, and, if no longer necessary, it should be deleted (whether or not a person is living) per our data retention policy (which we will be sharing in draft form with the community for comments). Also the estate of a deceased individual often appoints a representative to exercise the rights of the deceased person, if necessary. Geoffbrigham (talk) 12:09, 9 September 2013 (UTC)[reply]

To be practical, we usually won't know when a contributor dies. I suspect in a century or so we will start assuming that the early editors are dead, but if someone retires after a year or a decade of editing then how would we learn of their death perhaps half a century later? WereSpielChequers (talk) 23:37, 10 September 2013 (UTC)[reply]

Who is the actual "sender of the message" behind this proposal? To me it does not seem to be a proposal at all but a prepared policy that the community must accept. Where is the discussion that lead up to this? Who is the real sender? — Jeblad 11:35, 8 September 2013 (UTC)[reply]

Il est vrai qu'on peut se demander si cette discussion est juste une opération de communication destinée à faire croire que la Charte est le résultat des réflexions de la communauté, ou si nos avis seront réellement pris en compte :-) 85.170.120.230 12:14, 8 September 2013 (UTC)[reply]

Hi Jeblad and 85.170... In June the Wikimedia Foundation - which hosts Wikipedia and its sister sites - requested feedback from the community on a proposed update of the present privacy policy; the community gave us a number of ideas; and those comments played an important role as we drafted this proposal, which we just offered as a draft for further community comment. The consultation period for this draft with the community is at least 4 months, and we are making significant efforts to get the word out to get further global community input, including providing translations, using site banners, blog posts, announcements, etc. We anticipate that the input from the community will be similar to our Terms of Use, where there were significant changes based on community feedback and negotiation. For background on how the community consultation worked for the Terms of Use, take a look at this blog. Once the privacy policy draft is modified based on the community feedback and discussions, that draft will be presented to the Wikimedia Foundation Board of Trustees, which includes at least 50% Wikimedians and community members as directors, for further consideration. So this is far from a fait accompli. Indeed, I'm unaware of any major website that undertakes this degree of consultation, negotiation, and change based on community feedback for policies as significant as the terms of use and privacy policy. I personally believe it is essential to do so: not only is community collaboration consistent with our values, but also it makes the policy better. That was definitely the case with the Terms of Use. Take care, and thanks for your question. Geoffbrigham (talk) 17:48, 8 September 2013 (UTC)[reply]

Super ! Si c'est comme vous le dites, je m'en réjouis :-) 85.170.120.230 01:40, 9 September 2013 (UTC)[reply]

I really don't know if I like this, the projects are community driven but this is driven by Foundation. The Foundation shall only be a necessary administrative level to do those things the community can't, but more and more it put itself in a leading role. I'm not sure if this is wise. — Jeblad 17:10, 9 September 2013 (UTC)[reply]

We may just need to agree to disagree, Jeblad. As the hosting company of the projects, WMF has a responsibility as a steward to the community to take the initiative, for example, when the policy needs updating for legal reasons. The alternatives include WMF doing it without community consultation or WMF doing it with significant community consultation with global outreach. We have been able to aim for the latter in the last policy rollouts, and I believe we are doing that here. I agree that any policy rollout must be a true partnership, not a fait accompli. I also agree that, in most cases, WMF should be hands off on community policies when there are no overarching critical need, like ensuring legal corrections or updating. Geoffbrigham (talk) 03:45, 11 September 2013 (UTC)[reply]

There is no such thing as privacy on Wikipedia or its sister projects. If you post anything, you can be banned. Chutznik (talk) 21:07, 8 September 2013 (UTC)[reply]

Hi Chutznik. I'm not sure if I understand your comment. Can you elaborate, please? Thanks. Geoffbrigham (talk) 12:02, 9 September 2013 (UTC)[reply]

I will add to the above that users what post from multiple IP accounts have been victimized in past for having "sock-puppet" accounts, when in reality, they preferred simply to post anonymously from various locations -i.e. post from home and post from their work-places. Over-zealous admin (or even other posters) were meticulous about tracking them down and attempting to "expose" them, publicly shame them, etc., especially when they found they sometimes logged in from those same I.P.s (for example, to upload images or start new articles, something you can't do from an anonymous I.P. only account). So I would agree with the sentiment, though perhaps not the wording, that some of the privacy policy is merely high-minded sounding while many of its proponents are failing to live up to its ideals in practice.198.161.2.241 18:32, 9 September 2013 (UTC)[reply]

What is being discussed here is policy, while you're criticizing the implementation/practice. I'm not even saying I disagree (nor agree), I just think it is not necessarily relevant to the policy proposal. Pundit (talk) 16:19, 11 September 2013 (UTC)[reply]

Chutznik has since been blocked. Tiptoety ^talk 16:21, 11 September 2013 (UTC)[reply]

I hoped that eventually Wikimedia would think of some way to keep user IP addresses private. Yes, they can register an account - but there's a high chance that one would accidentally make an edit while logged out. And it's very easy for that edit to reveal the editor's username.

Publicly displaying user IP addresses isn't necessary. There are other ways to accomplish what this mechanic does: for instance, the IP addresses of editing users could be replaced by a random ID assigned to each address. Same end result, but then actual IPs remain visible to admins only, for the rest it's just an ID. There is nothing at all a regular user would need to know another's IP for.

I don't know if it's difficult to do, but for any update to privacy policy, I would consider that change essential. Not much has been improved in terms of actual privacy, so it's just more detail on the same thing. I guess there's no harm, but neither is there a gain.

CP\M (talk) 21:26, 8 September 2013 (UTC)[reply]

It appears to be doable from a technical perspective - the question is how desirable. I personally agree that a discussion of removing IP addresses from display from at least some folks. While it is not a worry for me personally, I have argued about privacy, outings, drones, the NSA, and other topics enough to at least respect that it is a serious concern for a growing population of people - rightly or wrongly is not necessarily applicable here. If this is about assuring people and alleviating fears - a philosophical debate about online privacy in this specific regard may be moot. I think there would obviously need to be some users with certain rights that could see that information for blocking, usercheck, etc. reasons. However, there is already an assumption that those people are trusted with some sensitive data. There are some obvious problems regarding how to handle vandalism detection - functions not just limited to certain groups. Perhaps consider with just removing it from display to readers and anon contributors? Regular users would continue to see them. I recognize that has flaws from a privacy view as well, but is a start and probably an easier "sell" to folks doing vandalism work. --Varnent (talk)^(COI) 22:01, 8 September 2013 (UTC)[reply]

I don't really see what viewing someone's IP address accomplishes, for a regular editor. So I know the vandal used 225.122.52.16. What now? I'm certainly not going to seek out his ISP and pursue legal action, not that I even have any grounds for it. We just don't have any use for the actual IP.

The only value it offers is spotting another edit by 225.122.52.16. But this exact utility is completely reproducible by any other form of unique ID. Just salt and hash the address to produce a unique ID for any editing IP.

For instance, 225.122.52.16 would transform to XC12-KT75. It's easier to remember, covers the whole range, and it would hide user IP from anyone below sysop. CP\M (talk) 00:28, 9 September 2013 (UTC)[reply]

Tout à fait d'accord avec CP\M. Et même les administrateurs n'ont pas besoin de connaître l'adresse IP. Ils peuvent bloquer XC12-KT75, et c'est le programme derrière qui se débrouille pour que 225.122.52.16 soit bloqué. Ca ne me parait pas très difficile à mettre en oeuvre, techniquement 85.170.120.230 02:15, 9 September 2013 (UTC)[reply]

By posting from an IP, you partially make my point. Wikimedia has massive protections for registered editors' private data and IP addresses specifically. As easily seen from CheckUser policy, only a handful of people can see them, and only for 3 months. This is quite enough. But all this protection is in vain if the user ever makes a single edit without logging in that can be traced to his username. Many users do.

I actually had to destroy my whole userpage once - mark it for deletion - because I accidentally made an IP edit to it. That's all it takes. And I'm very careful in these matters, which is the only reason I ever noticed. Most people wouldn't, and someone who puts the effort into getting their IP is quite likely to succeed. Over the thousands of edits and years of activity as a Wikipedia editor, it's not unusual to slip once, and just once is enough.

When I was a mediator, it led me into some very heated disputes, where my position became that of a heatsink. No, I never feared for anything in regard to it, but there are some people online who can get uncomfortable. The pressure of having your account potentially easily connectable to IP and thus real name and address is a factor.

WMF tries to keep that from happening - but the public display of editing IP addresses is one very fragile weak link in this otherwise secure system. Sysops have reasons to see editor addresses - to distinguish proxies, public access points, dynamic IPs, manage IP range bans. For the rest of us it only serves as a unique ID, which purpose can be - and elsewhere usually is - served by a more secure randomized identifier or hash code.

Sorry if I'm repeating anything. But I feel that, if we're bringing up the privacy policy, this should be addressed. CP\M (talk) 10:24, 9 September 2013 (UTC)[reply]

I totally agree that this needs a rethink, and I've felt this way since forever. But it's not completely trivial to fix. Life would be a lot simpler if every IP address were unique as the progenitors of IPv6 fondly hoped. With a shared address, even if opaque behind a nonce, anyone sharing that nonce can spill the beans about physical location. Even behind a DSL line with a fixed IP, there can multiple users oblivious to each other (or not). Are these user agents sharing the same IP actually different people, or a sock-puppet pretending to have more children than Old Mother Hubbard? Actual IP addresses are somewhat resistant to this kind of game. Replacing the IP addresses with nonces might do harm by creating a false perception that these are necessarily less revealing (they aren't in many cases). The problem in my mind is that we let anonymous users escape from session management (logging in/out). Session management is normally tied to a fixed account, but doesn't need to be. Users could formally log in as an anonymous user to their current IP address and potentially have user preferences for the duration of that session (until they formally log out, or are logged out automatically on elapsed time). IP address pseudo-accounts (IPAPA) would not have persistent user preferences across sessions. A cookie might implement this, but that's a different story. Perhaps it should be a formal requirement on all editors to at least log at least transiently into their anonymous IPAPA. To prevent people with real accounts from logging into such an account by mistake, the IPAPA might require typing in the last decimal octet of the IP as a makeshift password. There might be a communication problem convincing faint-livered anonymous editors that they remain anonymous despite logging in under an IPIPA. Some faint-livered editors might blanch and give up. So it goes. I don't think it's possible to be strong on privacy without having to confront communication issues straight up. If it is also the case that for the most extreme anonymous editor Wikipedia is not even willing to store a cookie on the user agent (potentially identifying that the user agent was used to make an edit on Wikipedia) then you could simply require the user type the IP octet password for every edit. The "private window" feature of most user agents will burn such a cookie anyway (or so I wish to believe). In the rare case where a concerned user isn't willing or able to cover their tracks with a private window (or by manually erasing history and cookies) and they also don't want a cookie (which is technically insane if they allow their user agent's URL history to persist) IMO it's really not too much to ask them to type a last octet confirmation code with each edit. It's really not acceptable to expose long term editors with a proper account to the constant hazard of slipping up just once, if they have worked diligently to protect their identity. What such a person will never do is type the last three digits of their IP address as a confirmation code when making an edit. I think it's crazy that any identifier associated with a user is permanently displayed with no vetting process that isn't tied to what actually gets displayed (as passwords tie to user identity, or a last octet confirmation code would tie to the IP address). It can't be streamlined in any case to just slapping the enter key one more time. The hurdle needs to be consciously unique, so that in no case is it ever unconsciously or unwittingly crossed. In conclusion, I oppose the false obscurity of noncing the IP address displayed. Far more strongly, I think it's insane and unconscionable to permanently blow the cover of a conscientious editor by constant exposure to a trivial mishap in the first inattentive moment. That's my input FWIW. I doubt I'll return to engage in further debate. MaxEnt (talk) 12:08, 9 September 2013 (UTC)[reply]

While the proposed IPAPA does seem an interesting and useful mechanic, I would consider it part of a more serious debate and longer-term planning, since it's a more significant change. As for a confirmation code, it's on the other hand much more realistic than my suggestion. It doesn't, however, completely address the issue. For instance, if an editor begins as an anonymous contributor and then registers an account, it can be very trivial to connect their IP contributions to their account. They start a discussion as an IP, later reply from their account? You got them. Free checkuser for everyone, just takes a little data mining.

While it's possible for a nonce or hash code to be traced to an IP regardless, I would consider it a very small concern. It's a factor for shared addresses, which for that very reason are decoupled from their physical user. And then, of course, there is the possibility of rogue admins. But, by an large, just this small layer of encryption before revealing IP addresses to the whole world would still significantly cut down on the overall negative impact on privacy that Wikimedia's IP collection has. CP\M (talk) 17:58, 9 September 2013 (UTC)[reply]

Hi All! Thank you for this valuable input. I just wanted to let you know that I will be passing these thoughts and concerns on to relevant members of our tech department and they will respond to this thread directly within a few days. Thank you for patience and for participating in this process. Mpaulson (WMF) (talk) 17:16, 10 September 2013 (UTC)[reply]

Paragraph 1 of Information We Collect:

"We actively collect some types of information with a variety of commonly used technologies. These may include tracking pixels, JavaScript, and a variety of “locally stored data” technologies, such as cookies and local storage. We realize that a couple of these terms do not have the best reputation in town and can be used for less-than-noble purposes. So we want to be as clear as we can about why we use these methods and the type of information we use them to collect."

I strongly object to this policy as proposed. Clear about what is collected? Not yet! No mention of screen / window resolution, plugin versions, fonts available, or lots more. Let's not set a bad example and be deceitful about what we collect and justify it (to ourselves) as necessary for security reasons.

Is it appropriate for users to edit the draft directly at this time? Is the last sentence even a sentence? The draft sure seems to be an early draft, and it's not edit-protected. I could swap in something like this:

"We actively collect some types of information with a variety of commonly used technologies. These generally include WP:tracking pixels, JavaScript, cookies, and a variety of other “locally stored data” technologies, such WP:local storage, and may include collected information regarding screen / window resolution, plugin versions, fonts available and more. We realize that a couple of these technologies have poor reputations and can be used for less-than-noble purposes. Therefore, we want to be as clear as we can about why we use these methods and the type of information we collect using them."

--Elvey (talk) 22:38, 8 September 2013 (UTC)[reply]

Hi Elvey, thanks for your comments. We are going to check with Tech on this and get back to you. Geoffbrigham (talk) 03:22, 9 September 2013 (UTC)[reply]

Dear Elvey,

Thank you for raising this issue. I believe you are asking why we have not included a comprehensive list of the information we are collecting or may collect in the future and you mention a couple of examples including: screen / window resolution, plugin versions and fonts available.

My first response would be that we are already transparent about the information we collect when assessing the efficacy of a new feature. I believe that a better place to disclose that information is not within the Privacy Policy, because it’s a policy which stipulates our principles and guidelines. Those principles and guidelines are embodied when we actually run experiments and collect data. For example, currently we use EventLogging to instrument our features. The mobile team created a schema to determine the number of upload attempts using the mobile Commons app, in order to measure whether new educational UI features were helping more people make their first upload. The schema will tell you exactly what information is collected and for what purpose and if you have a question you can interact with the developers through the talk page.

My second response is that it seems that you are alluding to the practice of browser sniffing to uniquely identify a reader by collecting as much information about the browser as possible including plugins and fonts. The EFF has a website called panopticlick that shows you how unique your browser is based on this technique.

This technique can be used to keep tracking people even when they clear their cookies after each session. Suffice to say, we will never employ this technique because it would violate our principle of collecting as little data as possible.

You are right that you could edit the new Privacy Policy but it would complicate the discussion significantly as we would not refer to the same draft anymore. The Legal Team will make changes in response to feedback from the community after the discussion regarding such change has been fleshed out and they are also trying to track changes internally, both things that would not work very well if everyone was editing the draft.

I hope this addresses your concerns but please feel free to add a follow-up question.

Best regards,

(in my role as Product Manager Analytics @ WMF)

Drdee (talk) 21:21, 11 September 2013 (UTC)[reply]

You may not view? What are you thinking - how can you enforce this prohibition? The legal reasoning, "For the protection of the Wikimedia Foundation and other users," would apply to editing, where you can ban and so forth. But this is a minority of users. - 173.28.94.175 00:57, 9 September 2013 (UTC)[reply]

Hi 173.28 ... This is a fairly typical provision in online terms of use and privacy policies. In the unlikely case of conflict or litigation, it allows a defense that one was not free to use our site when that person was not in agreement with the privacy policy. Thanks. Geoffbrigham (talk) 03:45, 9 September 2013 (UTC)[reply]

Anyone who sues was not allowed to use. Has it held up in court? - 173.28.94.175 13:45, 9 September 2013 (UTC)[reply]

I'm not sure if I understand your question 173.28 ... Could you possibly rephrase it? Thanks. Geoffbrigham (talk) 16:02, 9 September 2013 (UTC)[reply]

Or give citations to cases where it did not hold up. --Jeremyb (talk) 16:21, 9 September 2013 (UTC)[reply]

It reeks. How about putting it more softly, as in, for instance http://hosted2.ap.org/APDEFAULT/terms - 173.28.94.175 22:57, 9 September 2013 (UTC)[reply]

For the record, this seems to be the relevant parts of the AP policy:

Template:Blockquote

--Jeremyb (talk) 19:45, 11 September 2013 (UTC)[reply]

There's currently a mix of straight versus curly apostrophes in the policy. For example, there are four instances of don't and three instances of don’t. In total there are a bit over a dozen total instances of each style. The final document should have consistent usage. I would recommend (strongly) straight apostrophes over the curly ones. (See en:MOS:QUOTEMARKS for reasons.) It really aids text-based searching; for example, I was grammar checking the policy for "your" vs "you're" mistakes and found no instances of you're because the lone instance is typed you’re. Had I not considered also searching for you’re I would have missed it. The policy also uses curly double quotes, which I'd also convert to straight quotes. As a side-treat, this will trim the document length by one byte for each change. In general, I've noticed the WMF tends to use curly quotes a lot in its announcements. I have no idea why. Jason Quinn (talk) 04:23, 9 September 2013 (UTC)[reply]

Hi Jason. You have a great editor's eye. I will ask James to convert everything to straight quotes (unless I hear any significant objection from anyone). Many thanks. Geoffbrigham (talk) 11:56, 9 September 2013 (UTC)[reply]

The intro states:

It is essential to understand that, by using any of the Wikimedia Sites, you consent to the collection, transfer, processing, storage, disclosure, and use of your information as described in this Privacy Policy. That means that reading this Policy carefully is important. As important as eating your greens.

We (communities on individual projects) try to make it easy to contribute. Few people will read the policy carefully. Rather than stating it is important to read the policy, the policy should be made such that there is no need to read it, to the largest extent possible.

There are issues on the Internet, which people should be aware of. As far as they concern all sites or all sites in USA, people should be made aware of them at home, in school, in newspapers and in Wikipedia articles. Repeating the information in the policy may be legally sound and good for completeness, but it should be old news for any concerned reader.

Where issues on Wikimedia sites differ from those on Internet in general, the special circumstances here should be pointed out as clearly and briefly as possible in the introduction, before any legalese.

• The Wikimedia sites operate under the laws of USA, which allow [NSA & al] to [get more info than the contributor may expect]
• Contributions to the wikis, including questions on discussion pages, are logged for eternity, with user name or IP address
• Visiting a page on a formerly unvisited WMF project may cause the account to be automatically registered there, thus leaving a trace in the logs without your making any contribution.
• ....

The "surprising" points should be few and short enough that anybody can read them in seconds. The details should of course be sorted out later in the policy for those interested.

--LPfi (talk) 08:51, 9 September 2013 (UTC)[reply]

Hi LPfi! Thank you for taking the time to comment. We agree that people should be able to get the basics of a major policy in seconds. We recognize that some users like greater detail and will read the entirety of legal policies, while others just want a basic summary. That's why we created the "user-friendly summary" that precedes this privacy policy draft (as well as one that precedes our Terms of Use). However, we are are looking for ways to make the user-friendly summary more helpful to those who read it during this community consultation period. Are there particular things that you think are missing from the summary that should be in there? Are there items that could be better phrased or elaborated on to be clearer? I'm very interested in hearing your thoughts on this.

With regards to the three suggested bullet points you have already: (1) we could add something about the Wikimedia Sites being operated under the laws of the US if you think that is an important point to call out; (2) I think the indefinite nature of edits are already addressed in the "Be Aware" section of the user-friendly summary ("Any content you add or any change that you make to a Wikimedia Site will be publicly and permanently available."); and (3) I'm not sure what you are referring to with your third suggestion...visiting a formerly unvisited WMF project doesn't cause an account to be automatically registered there as far as I know.

Thanks again for your suggestions! Mpaulson (WMF) (talk) 18:33, 10 September 2013 (UTC)[reply]

It does. Actually, you don't even have to visit them, but that is/was just a bug. --Nemo 19:01, 10 September 2013 (UTC)[reply]

I would say that, if the current long-winded language of the main policy is kept as is (it probably could use trimming), then it's best if at least the Summary dispenses with justifications and digressions, but instead covers everything of matter in the form of bullet points.

The first paragraph of the summary is a fairly good example. I'd skip the "Because..." part for brevity, perhaps, but it states what it needs to.

The second, on the other hand - Because we want to understand how Wikimedia Sites are used so we can make them better for you, we collect some information when you... - is not.

"Some" in it just acts as a teaser, "read below to find out what". Rather than explaining the why, I believe the space would be better spent briefly listing what exactly is collected in each case.

This is just one example. Since changing the summary has no effect on the policy's legal implications, I hope the community will work out the rest. But a good goal would be to provide a concise yet reasonably complete listing of what is collected and when. Work out any whys below. CP\M (talk) 19:15, 10 September 2013 (UTC)[reply]

Two suggestions for the privacy policy:

1. Lose the cutesy language and cartoons being used to make Wikimedia's disturbingly extensive user tracking seem less threatening
2. Eliminate Wikimedia's disturbingly extensive user tracking.

It is fundamentally misleading to tell users that Wikimedia does not require any personal information to create an account, and then to actually collect vastly more behavioral information on each user than could ever be requested in a sign-up form, under the guise of "understanding our users better" — exactly the creepy line of every Orwellian data-vacuuming Web site today.

And ironically what is all this "understanding" producing? A site with fairly gruesome usability that's barely changed years and years later. Yet Wikimedia wants to keep track of every piece of content read by every "anonymous" user — associated with information like IP address and detailed browser info, which today in malevolent hands can often easily be associated with real name, address, Kindergarten academic record, likelihood to support an opposition candidate, and favorite desert topping.

It's just not Wikimedia's concern that someone is interested in both Pokemon and particle physics. That doesn't improve either article. That doesn't improve the interface. That doesn't improve the Byzantine and Kafkaesque bureaucracy of trying to find somewhere to report a gang of editors controlling and distorting an article.

To find the phrase "tracking pixels" here is jaw dropping. This is inherently a hacking-like technique to install a spyware file on a user's computer, to evade their express effort not to be tracked by clearing cookies. Web developers bringing these "normal" techniques used by "every other Web site" to Wikimedia, apparently don't understand, that "every other Web site" today is evil — and Wikimedia sites are supposed to be a radically different exception to this.

For readability this comment continues in "Strip Wikimedia Data Collection to the Barest Minimum - Privacy Specifics"

— Privacycomment (talk)Privacycomment

This is what Wikimedia should know about its users —

For anonymous readers, the sole data collected should be IP address, URL visited, and basic user-agent data (as specifics can be quasi-identifying): platform, browser name, major version, screen size. And this data should be immediately split into three separate log files, each separately randomized in half-hour time blocks, with the default Web server log disabled or immediately obliterated. So that, that secret governmental order to hand over every Wikipedia article read by a particular IP address simply can't be complied with. And so that that great new Wikimedia employee, who no one would suspect is working for a supragovernmental/governmental/corporate/mafia espionage operation, can't get at it either.

For anonymous editors the sole data collected should be that of anonymous readers, plus:

• the data of the actual edit of course

• the IP address of the edit, stored for one week (without data backups) and then obliterated, and viewable only by administrators investigating potential spam, vandalism, or other violations of Wikimedia rules during that week.

Public-facing edit records, and administrator-facing edit records after one week, should associate only the phrase "Anonymous Edit" or "One-Time Edit by [ad hoc nickname]". Wikimedia should use automated systems to detect any administrator accessing the IP address data associated with edits which are not likely to be spam, vandalism, or other violations of Wikimedia rules.

For logged-in users the sole data collected should be that of anonymous editors, plus:

• their username at sign-up and log-in
• their email address at sign-up if given
• a public-facing list of their edits (of all types) on their user page
• the contents of a Wikimedia browser cookie, set when they log in to a Wikimedia site, and deleted if/when they log out, which contains solely their username and encrypted password
• an administration-facing log of Wikimedia messaging and banners which they have already received
• an optional administration-facing flag in their account, indicating that they have donated to Wikimedia in month/year, without further identifying data, so as to suppress fundraising banners (if they have elected to overtly identify themselves with a Wikimedia username when making a donation).

Email addresses should be accessible for use for bulk mailings only by Wikimedia employees, and the email list file should be encrypted to prevent theft by corrupt or disgruntled Wikimedia employees.

For basic-level administrators the sole data collected should be that of logged-in users, plus their (pseudonymously-signed) administrator contract.

And no Wikimedia server or office should be located in any country — whether admitting to be a dictatorship or still pretending to be a democracy — which overtly, or by secret order, requires Wikimedia to collect or retain any data other than that specified here for these non-commerce functions.

Thank you for your consideration of these points,

— Privacycomment (talk)Privacycomment

Thanks Privacycomment for this post. I just want to add my perspective with some ideas on how to look at data-relevant processes in general and how to use the artificial differences in national laws on an action done in the physical or digital world.

• First and foremost Wikipedia is a labor of love of knowledge nerds worldwide. This means that it is from an outside view an "international organization" much like the Red Cross - only to battle information disasters. This could be used to get servers and employees special status and protections under international treaties (heritage, information/press etc)
• As we all know that those protections might not be a sufficient deterrent in a heated moment of national political/legal idiocy, one should enact technical as well as content procedures to minimize the damage

Data Protection

• Collect as few data as possible and purge it as fast as possible. Period. You cannot be held liable for what you do not have.
• Compartmentalize the data so that a breach - let's say in the US - does not automatically give access to data of other countries userbase
• Play with laws: as there are a lot of protections well established when used against homes, or private property shape your installation and software to imitate those - no "official" central mail server that can be accessed with provider legislature, but a lot of private servers that are each protected and must be subpoenaed individually etc...
• Offer a privacy wikipedia version that can only be accessed via tor - and where nothing is stored (I know this might be too much to admin against spam pros)
• Use Perfect forward secrecy, hashs etc to creat a situation, where most of the necessary information can be blindly validated without you having any possibility to actually see the information exchanged. This also helps with legal problems due to deniability. Again - compartmentalize

Physical and digital infrastructure concerns

• An internal organization along those lines and with the red cross as an example would offer a variety of possibilities when faced with legal threats: First and foremost, much like choosing where to pay taxes, one could quickly relocate the headquarters for a specific project to another legal system so that one can proof, that e.g. the us national chapter of wikimedia has no possible way of influencing let's say the icelandic chapter who happens to have a national project called wikipedia.org
• Another important step in being an international and truly independent organization is to finally use the power of interconnected networks and distribute the infrastructure with liberal computer legislation in mind much more as is now the case. Not to compare the content - just the legal possibilities - of the megaupload case with those of wikimedia, as long as us authorities have physical access to most of the servers, they do not need to do anything but be creative with domestic laws to hurt the organisation and millions of international users, too...
• If this might be too difficult, let users choose between different mirrors that also conform to different IT legislation

Information Activism

• Focus on a secure mediawiki with strong crypto, which can be deployed by information activists

So: paranoia off. But the problem really is that data collected now can and will be abused in the next 10, if not 50-100 years. If we limit the amount of data and purge data, those effects can be minimized. Noone knows, if something that is perfectly legal to write now might not bite him in the ass if legislation is changed in the future.

Cheers, --Gego (talk) 13:53, 9 September 2013 (UTC)[reply]

There's a lot of discussion about the data collected from those who edit pages, but what about those who passively read Wikipedia? I can't figure out what's collected, how long it's stored, and how it's used.

Frankly I don't see why ANY personally identifiable information should EVER be collected from a passive reader. In the good old days when I went to the library to read the paper encyclopaedia, no one stood next to me with a clipboard noting every page I read or even flipped past. So why should you do that now?

I don't object to real time statistics collection, e.g., counting the number of times a page is read, listing the countries from which each page is read from at least once, that sort of thing. But update the counters in real time and erase the HTTP GET log buffer without ever writing it to disk. If you decide to collect some other statistic, add it to the real-time code and start counting from that point forward.

Please resist the strong urge to log every single HTTP GET just because you can, just in case somebody might eventually think of something interesting to do with it someday. This is EXACTLY how the NSA thinks and it's why they store such a terrifying amount of stuff. 2602:304:B3CE:D590:0:0:0:1 14:54, 10 September 2013 (UTC)[reply]

2602, I will be linking to this comment from below but you may be interested in the section started at the bottom of the page at Tracking of visited pages . Jalexander (talk) 03:37, 11 September 2013 (UTC)[reply]

Big Data

• the draft itself is full of unnecessary drivel, obviously designed to stop anybody reading the "juicy bits" -- that is the unnecessary use of tracking images etc. The guideline is also too US-centric (the style is like one of those Microsoft manuals for Americans imbeciles), where much stricter laws apply. There are other WP sections, with offices [6] who will be subject to such laws. Certain European states require a cookie opt-out option etc. At least for WPs in pertinent languages such laws ought to be complied with.

BTW: what will happen to the collected data

1. 'when the NSA, or any other agency of any other government, is tapping it (which it probably done already)? Say a filter checking for "user:TinyTaliban" (living in say a Parisian banlieu) looked up en:Ricin Plot. will the plane he is using on his next holiday to fly to Venezuela be intercepted?
2. Jimbo & Co. decide to go commercial? -- and sell the data. This is not such a far off suggestion, see what happened at couchsurfing.com, now called a "benefit corporation" Background ...

(Using my right to make a comment without log in -- you'll find me anyway ...)

• Just to add to this discussion that we'v received a similar email asking for the ability to time limit storage of data linked to a user account, specific geographic servers for user data and procedures to deny access to information even if required to by law. The emailer has been invited to participate in this discussion as well. Jalexander (talk) 03:36, 11 September 2013 (UTC)[reply]

There's a small paragraph after the table of translations that seems odd to me:

We also recognize that some of you know the ins and outs of tracking pixels while others associate the term “cookie” exclusively with the chocolate variety. Whether you are brand new to privacy terminology or you are an expert who just wants a refresher, you might find our Glossary of Key Terms helpful.

The problem here is the switch to using such technical language seems abrupt since tracking pixels and cookies are introduced after this paragraph in the next section (in "Use of info" / "Information We Collect"). (It seems as if the text text may have been re-ordered at some point.) I think just mentioning that they are "technical terms" helps alleviate this problem. I also think "some" over-estimates how many people know that stuff, so "only a few" would make less people feel inadequate. My attempt at improving this paragraph reads like this:

We recognize that only a few of you are familiar with technical terms like “tracking pixels” and “cookies” (hint: these can't be dunked in milk) used in the privacy policy. Whether you are brand new to privacy terminology or you are an expert who just wants a refresher, you might find our Glossary of Key Terms helpful.

Jason Quinn (talk) 21:14, 9 September 2013 (UTC)[reply]

Overall, the policy is a good one. However, it is unclear in at least one area.

The User-friendly summary of the policy says "This Privacy Policy does not apply to all of the Wikimedia Sites ..." yet the What This Privacy Policy Does & Doesn't Cover section of the policy itself says "This Privacy Policy applies to our collection and handling of information about you that we receive as a result of your use of any [commenter's formatting] of the Wikimedia Sites." These are, of course, direct contradictions, and leaves the reader confused as to what the policy does and does not cover.

It's important that the policy be very clear in what it does and does not cover. If there are some sites to which the policy does not apply, then the policy should clearly say that. Truthanado (talk) 00:32, 10 September 2013 (UTC)[reply]

You are right, see also #"Wikimedia Sites". Sadly, this is not a minor problem but something that defeats the purpose of the policy completely. In general, the proposal has to IMHO be re-thought from scratch.

Instead of making overly broad statements and then add a bunch of clarifications and exceptions, it should focus on the important things and say them clearly. We know what a failure the unified privacy policy by Google was; they needed to transfer the personal data from one service to another, but we don't have this need so we can and should be cautious and not add loopholes for half a billion users just for the sake of a few dozens using some obscure corner of the platform. --Nemo 05:41, 10 September 2013 (UTC)[reply]

No, I'm not going to harp on about using Rory as it appears that you're determined to use him whether he is redundant gimmick or not.

Other than feeling that one instance of his use is sufficient, if he is to be used as currently stands, serious consideration needs to be given to rules of thumb pertaining to desktop publishing and website development. Culturally, the English language is read from left to right, meaning that English readers are acclimatised to the left hand side of the page being the central focal point when dealing with anything text orientated. Not only is there no word-wrap around the Rory images in order to allow for a longer continuum of text (remembering that we read ahead by a minimum of several words at a time), the entire left side of the document disturbs the reader's expectations by sandwiching the text (and tables!) to the right. Bear in mind that these rules of thumb were developed through experience and behavioural studies over many years, right down to serif being preferred for paper documents, while sans serif reads more comfortably online. It's foolhardy to disregard certain standards which have been proven in order to 'experiment' with other techniques.

I've spent over three decades involved with pedagogical issues surrounding visual teaching methods/delivery, from secondary education to Post Graduate research presentation (I'm speaking of delivery at tertiary MA and PhD level by 100% research), so I'm not just blowing smoke.

If Rory is to be used, the 'culturally logical' layout for any Latin script language is to about-face the set-out of current draft and have him on the right-hand side. I'd also suggest that he could be made a little smaller and that word-wrap be used. --Iryna Harpy (talk) 04:21, 10 September 2013 (UTC)[reply]

Hi Iryna Harpy! Thank you for bringing this point up. I know that some of the decision involved in placing Rory on the left-hand side of the page and not wrapping the text around him had to do with making the format easily adaptable to different scripts and different screen/window sizes. I'll have one of the people who helped with the layout address those issues in more detail on this thread.

On a related note, based on community feedback, we are going to experiment with how to make Rory more useful in explaining the major concepts of the privacy policy over the next week. Some of the ideas we are going to try are either providing Rory with a narrative or with bullet points about the big concepts. If you have other ideas, we'd love to hear them. We're going to try to get some prototypes out to the community to see if they think that adds value. I'm hoping once we have a better idea of what text would accompany Rory (if any and assuming Rory stays in the policy), we can experiment with the layout to see if there are ways to make it more readable as you suggested. Mpaulson (WMF) (talk) 23:47, 10 September 2013 (UTC)[reply]

Right. I'm seeing both support for and opposition to Rory, but I want to make clear we have not "determined to use him." As explained above, we are playing with the idea, which is why your feedback for or against is important. If, after taking into account community feedback, it doesn't make sense after some experimentation, we won't use him; if it does, we might. That said, IMHO, visuals are important, as I suggested above. So alternative ideas are also welcome. Many thanks. Geoffbrigham (talk) 07:44, 11 September 2013 (UTC)[reply]

One of the central uses of a privacy policy is to inform.

As such, mounting buckets of lawyer speak on a wall of text is precisely the opposite.

Whatever privacy policy you have you need to have a starting review segment of simple speak - the way you would describe the situation to your friends on a picnic without any pressure or need for unnecessary elaborate language.

Law-wise this useless, social-wise - priceless - as people don't have to suffer through every text the lawyer wrote to cover the possible loopholes and situations that may arise legally.

What you do and don't do can be covered in a group of brief, clear and easy to understand sentences - layman's terms if you will. It looks very much like the "This is a user-friendly summary of the privacy policy" intro you made to welcome people for input on this topic. The rest with all the details is also there, but it is not the only thing available for consumption.

Many companies ignore doing this and alienate users when it is discovered that somewhere in the abyss of text they've thrown a dubious or direct disregard of user interests not to mention basic ethics.

Whatever it is you are doing, if you make a simple statement about what it is, it is going to go much better than having to learn gossip about it from a third party that had the nerve to sit through and decode the swamp of text.

In case of this site, your operations have more hazards for the company than the users, make sure you are covered, we want the site to thrive.

Also address popular concerns here is an example of a simple intro: (may not be applicable but is just an example)

" PLEASE READ THIS! We have made an effort to design it to be concise and helpful and not the usual barrage of dubious language you can find allover the web.

In case you haven't used wikimedia - we are ...

We only retain ip addresses to manage unethical conduct such vandalism that disrupts the purpose of the site. It is done because there is no other way to maintain a civil interaction while everyone can come in and participate.

We don't know who you are and we don't ask, all we know is that you are not the same person that is editing the other article. Using this statistic how many different users we have, we plan the technical development of our site to be able to accommodate demand of traffic for our users and contributors. (make sure you clarify what exactly is entailed in this - Use information only to understand how we can make the sites better for you based on your use and needs - what information EXACTLY and how long, if you don't know how long - just say there is no schedule so people know it may be indefinite.)

We absolutely discourage you from providing any personal information in your profile and the rest of our site - as your information is not free from abuse by third parties that can obtain it by any manner without consulting us in any way. You take responsibility for any personal information you do disclose and what happens to it. We do not have the capability to monitor all information at all times.

We can not identify who you are, but the nature of how the technology necessary for this to work has ways available to identify you, which are through legal channels and unlawful conduct. We can not invent new technology that can completely shield your activities - and we don't need to, as the site isn't for secret developments. We take it - you understand that using the internet leaves your information vulnerable regardless if we existed or not.

Other than that we make sure the rights of others as well as ours are kept and respected on our site, as not everyone is willing to allow use of their proprietary information that complies the knowledge bases we have open for everyone.

Below you can find the full privacy policy with every aspect and detail of it.

Thank you for being part of this great project.

Wiki staff."

...

And yeah - Roy is a bad idea. The people who would care for Roy at this location usually wont bother to read your policy. You are either taking this topic seriously or fooling around it with. You can't have a serious topic with toy gimmicks and mascots. And having a informal topic sort of ruins the purpose of updating an official matter. It's why business people don't wear flip flops and cartoon stamped sweaters to firm meetings. And believe me I wish we could do it without getting hammered, but alas we do.

It might fit to the intro capacity I've covered. But it will still generate variable impressions, and I doubt that most will be good.

The privacy policy is OK in theory. In practice I find that:

1. Some editors use their cloak of anonymity to behave in a way in way that would not happen in real life. They are uncivil and unreasonable, and any conflicts of interest are hidden from scrutiny.
2. Other editors like myself use usernames based on their real name, and their real life identities can readily be ascertained. That should not be a reason to do so. My own background and affiliates have been regularly used against me. ie. I have no privacy.

There is an apparent double standard here. Editors that are more open should not be disadvantaged. --Iantresman (talk) 17:12, 10 September 2013 (UTC)[reply]

Thank you for sharing your thoughts, Iantresman! You are correct in that different people have different comfort levels about what they choose to share with the public about themselves (both in their username and elsewhere). But can you elaborate a little more about what you mean that there is a double standard? And how editors who are more open are disadvantaged? Mpaulson (WMF) (talk) 23:35, 10 September 2013 (UTC)[reply]

• Editors may have conflicts of interest (COI). An editor who is a Republican, went to Harvard, and personally knows the editor of the New York Times, may have a COI editing articles on the those subjects. But anonymity means these details remain private and unchallenged. Editors such as myself have a username that is a trivial representation of my real life name. But this is not an invitation to access my background, and my affiliations, whic can and have been used against me. This is the double standard. Anonymous editors ensure their privacy is guarded, editors with links to their real-life identity, lose their privacy. This is not right, as it disadvantages those who are more open.
• Anonymous editors may also make unfounded claims. I had one claiming to be a professor, and also allowed another editor to perpetuate the claim, even though it was false. In this respect, anonymity means there is no accountability. Then I had an anonymous editor claim that I was a leyman, despite me having two university degrees that I choose not to publicise. The privacy of more open editors, is also open to abuse. --Iantresman (talk) 11:54, 11 September 2013 (UTC)[reply]

Lots of small details.

• Your Public Contributions: "Please do not contribute any information that you are uncomfortable making permanently public, like the picture of you in that terrible outfit your mom forced you to wear when you were eight." Such a picture is unlikely to be kept anyway, so it's not a good example. I'd either remove the example or change it into something like: ...permanently public. For instance, if you reveal your real name somewhere, it will be permanently linked to your other contributions. (A better example/phrasing would be appreciated)
• Account Information & Registration:
  • There's a link Privacy policy FAQ#standardaccount, but that section/ID doesn't exist on the page.
  • "Your username will be publicly visible, so please think carefully before you use your real name as your username." Slightly ambiguous (to me): Could be interpreted as the username should be your real name, so think carefully whether you want to sign up. The preceding sentence and the following paragraph make it clearer, but I'd still rephrase it (not sure how though - also not a big deal).
• Information Related to Your Use of the Wikimedia Sites: "We also want this Policy and our practices to reflect our community’s values." This looks like a stray sentence - can it be removed completely?
• Information We Collect:
  • "For example, by using local storage to store your most recently read articles directly on your device so it can be retrieved quickly; and by using cookies, we can learn about the topics searched so that we can optimize the search results we deliver to you." This is a really long sentence that should be split up. Also, I don't understand how using local storage to store read articles can optimize search results. To me they seem like separate things.
  • "Make the Wikimedia Sites more convenient to use, such as by using..." Should be rephrased: "such as by" sounds weird in my ears.
  • ...does not cause lasers to shoot out of your device... Too informal, I think.
• IP Adresses: "Finally, when you visit any of Wikimedia Sites, we automatically receive the IP address of your device (or your proxy server) you are using to access the Internet..." "Any Wikimedia Site" or "Any of the Wikimedia Sites" sounds better. It should probably be "...the device (or the proxy server) you are using...".
• For Legal Reasons: "We are committed to notifying you via email within five (5) business days, when possible, if we receive a legal request for disclosure of your information, assuming that we are not legally restrained from contacting you, there is no credible threat to life or limb that is created or increased by disclosing the request, and you have provided us with an email address." This sentence is too long.
• How Long Do We Keep Your Data?: You should provide more concrete examples - every piece of personal information should be covered.
• Where is the Foundation and What Does that Mean for Me?:
  • "...you consent to the collection, transfer, storage, processing, disclosure, and other uses of your information in the U.S. and as described in this Privacy Policy." It sounds like there's this policy + collection etc. in the U.S. I suggest that you replace and with a comma.
  • "...in connection with providing services to you." "In connection" is very vague - is it possible to use "in order to provide services to you"?
  • "For the protection of the Wikimedia Foundation and other users, if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites." This sentence seems misplaced. Should it be moved to the introduction, some other headline or to the other disclaimer at the bottom?
• Changes to This Privacy Policy: "...and via a notification on WikimediaAnnounce-L or a similar mailing list." It sounds like the mailing list can be chosen at random. Is "...or a similar mailing list" really necessary? Retiring WikimediaAnnounce-L could be as simple as announcing the move there (including this tiny link/name change in the privacy policy), while still following with this policy.

General notes:

• Is there any system regarding "and" vs. "&" in headlines?
• I like Rory. Tasteful, doesn't distract, and gives you something to look at now and then.
• Use apostrophes consistently (don't vary between ’ and ')
• Is it "user profile" or "user page"?
• It's still quite long. This introduction is, however, a quite good summary.

//Shell 23:08, 10 September 2013 (UTC)[reply]

Hi Shell! Thank you for your detailed comments. We really appreciate you taking the time to help us on this. The legal team and I will go through your comments and suggestions in greater detail tomorrow and will respond in-line accordingly (probably with some questions for you). =) Thanks again! Mpaulson (WMF) (talk) 00:02, 11 September 2013 (UTC)[reply]

Hello. I received the following question via wmf:Answers. I am posting it here for response and will point out to the correspondent where it is. --Maggie Dennis (WMF) (talk) 01:26, 11 September 2013 (UTC)[reply]

As you can imagine, with all the knowledge now available to everyone about the vast extent of USA and other countries’ spying networks, we all know that Wikimedia can be forced rather easily to give up every bit of personal, location, metadata, and other data you have. People who use Wikipedia are often people with a broad range of interests or people researching data for writing a paper for school or a work of literature, etc. They may visit sites in which they have no personal interest other than fulfilling a specific need at a specific time. However, there are probably a good many “trigger” words or phrases used by NSA and others that they would deem indicative of potential criminal or terrorist activity. They may ask for data on anyone who has visited any of the pages using those words or phrases within the last ten to twenty years! That makes everyone who uses Wikimedia a potential target. Perhaps, in the interest of securing the privacy of innocent parties, Wikimedia should NOT collect any information on which pages are visited. I realize this would put a big chunk information you should be able to use for the betterment of the sites out of reach, but with spying run amok, this may be a necessary sacrifice. Billions of your users are now getting very paranoid!

• Additional comments above Here (diff) and in general in Strip Wikimedia Data Collection to the Barest Minimum - Introduction and related sections under that on amount of user tracking, Jalexander (talk) 03:56, 11 September 2013 (UTC)[reply]
• We also have an email from a user who would like us to rethink any ideas to 'tailor' the experience automatically because their needs change day to day and they feel that tailoring it more will hurt the usefulness of the site in this way. They have been invited to join in here or elsewhere on the page if desired. Jalexander (talk) 03:56, 11 September 2013 (UTC)[reply]

Hi Thomas,

I wanted to let you know that I archived your discussion on Talk:Privacy policy regarding deWiki edit filters. As I stated there the correct place for that discussion is either privately with the Ombudsman or the Meta RfC process. If you have already reached out and talked to the ombudsman you can email myself and/or Philippe but I must let you know that we put heavy influence on the Ombudsman and there decisions. Jalexander (talk) 12:06, 7 September 2013 (UTC)[reply]

As I stated before, this is not a question to an ombudsman, but is a legal question. German administrators violate heavily german law. This could not be solved by an ombudsman. For this reason, and the necessarity of public in this case, I redid your archivation. Kind Regards, Thomas198 (talk) 13:00, 11 September 2013 (UTC)[reply]

Benutzer Seewolf ist hauptverantwortlicher Bearbeiteter der nicht für die Öffentlichkeit einsehbaren privaten Bearbeitungs- UND IP-FILTER

und er war tätig bei Wikimedia Deutschland e.V. -

See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3

Öffentliche Filter: 50

Für die Öffentlichkeit oder Wikipedia Community nicht einsehbare Filter: 75

Filterbearbeiter: Hauptnutzer und Bearbeiter der Filter sind die Benutzer Lustiger seth (32 Filter) und Seewolf (55 Filter).

Benutzer Lustiger seth bearbeitet vor allem öffentlich einsehbare Filter bearbeitet (25 Filter)

Die öffentlich nicht kontrollierten Filter sind die Domäne des Benutzers Seewolf (44 Filter)

Personenbezogene Filter: 32

Nahezu alle privat. Oft werden bei personenbezogenen Filtern dabei in der Wikipedia einzelne Artikel, die Wikipedia Funktionsseiten und Benutzerseiten für ganze IP-Bereiche gesperrt.

Die Benennung “Personenbezogener Filter ist insofern missverständlich; das am häufigsten benutzte IP Erkennungsmuster deckt maximal 65534 potentielle Benutzer ab.

Der Kollateralschaden – Sperrungen Unbeteiligter – kann also beträchtlich sein.

- See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3/#sthash.tfGrmO5Y.dpuf

german User:Seewolf is mainly responsible Worked the non-accessible
to the public and private processing filters.
He worked he at Wikimedia Germany eV -
See more at: http://shtoink.de/category/machtstrukturen-wikipedia/page/3

1. #Public filters: 50

For the public, or Wikipedia community non-visible filters: 75

Filter Editor:

primary users and the user agent of the filter are Funny seth (32 filters) and

german User:Seewolf (55 filters). Funny edit user seth mainly publicly available filter processes (25 filters)

The public is not controlled filters are the domain of the user german User:Seewolf (44 Filters)

2. Personal filter: 32 Almost all private.

Often in personal filters are employed in the individual Wikipedia articles that feature disabled Wikipedia pages and user pages for entire IP ranges.

The term "Person-specific filter is so far misleading, the most commonly used IP detection pattern covers more than 65,534 potential users.

The collateral damage - innocent bystander closures - can therefore be considerable.

Thanks

—Preceding unsigned comment added by 77.24.61.140 (talk • contribs) 20:27, 4 September 2013

Pretty nonsense here. -jkb- 22:43, 4 September 2013 (UTC)[reply]

Sorry -jkb-, ::

are you self a germnan Admin and Editor of this List? ::

but the German IP and USER Filter and the German USER Seewolf are real ;(

Some IP -addresses are publicly visible see ""Liste der Schurken im Wikipedia-Universum""

[ http://de.wikipedia.org/wiki/Benutzer:Seewolf/Liste_der_Schurken_im_Wikipedia-Universum]

Some entries are malicious prosecutions of IP und WP User...

For example, the CAD Troll by Benutzer:Ralf Roletschek

This is not a pretty nonsense here, this is real of a german WP

Sorry , this list is not Wiki -Like ...

—Preceding unsigned comment added by ‎ 77.24.151.44 (talk • contribs) 5 sep 2013 05:20

The AbuseFilter (German: Missbrauchsfilter) is meant, like the name says it already, to prevent abuse users. If users, especially long term abusers, are smart enough to evade the filter by seeing what regex the filter uses. That's why some filters are private there. Concerning the public availability of IP's: That could have been prevented if the user in question had put __NOINDEX__ at the top or the bottom of their page. The list in findable in searh engines, but how many anonymous users will end up searching that page? I think almost none or a few. Aswell I see no name of any user account at the "CAD Troll" section of that page, so saying that putting IP's on that page is a privacy violation is kinda nonse in my opinion. This is because IP adresses can be seen in the history of the article and sometimes change fast between owners. Note: I don't have any relation with the German Wikipedia and what I say is based on facts I know myself and could find on the German Wikipedia. --Wiki13 _talk 05:55, 5 September 2013 (UTC)[reply]

//edit conflict// The abuse filter on the German WP works precisely the saame way and no other one just like the abuse filters on other Wikipedias and respects all regulations on it. The linked List "Liste der Schurken im Wikipedia-Universum" (a list of blocked users, trolls and vandals using more sockpuppets) is manualy made and has no connection to the abuse filter. On the German WP some users think the IP ist one of the blocked vandals. -jkb- 09:19, 5 September 2013 (UTC)[reply]

The abusefilter are a violation of german law, because this filter produce "Personenbezogene Information" which is recorded and this is against the german law. IP numbers a not obvious, as long the author is using an account name. Seewpöf and others nevertheless take this information from the so called Missbrauchsfilter and publish this information, a criminal act in germany. :) Acidbony (talk) 09:16, 5 September 2013 (UTC)[reply]

Sorry, this ""AbuseFilter"" (German: Missbrauchsfilter) is used today

for entries are malicious prosecutions of IP und WP User...

For example: for hounding the entry CAD Troll named by Benutzer:Ralf Roletschek...

The name of this list "villains in the Wikipedia universe" ("Liste der Schurken im Wikipedia-Universum") is a direct accusation and public discrimination of a real IP-WP-Editors!

This public "abusefilter" at german WP is today a real current violation of german law, 
because this filter produce "Personenbezogene Information" which is recorded 
and this is against the german law...

german WP-User:Seewolf is mainly responsible worked his public and other private processing filters.

He worked self at Wikimedia Germany e.V. - and created self this ""AbuseFilter""

with Name: "villains in the Wikipedia universe" ("Liste der Schurken im Wikipedia-Universum")

Sorry, but this thing is going too far...

resolved|This does not seem to be the best place for this discussion. If there are issues that can't be addressed on the wikis involved the Ombudsman deal with possible privacy policy breaches and the Meta RfC process is available. Will archive in 24-48 hours. Jalexander (talk) 20:08, 5 September 2013 (UTC)]][reply]

this is not solved. And criminal acts of User:Seewolf could not be solved by an Ombudsman. Thomas198 (talk) 16:44, 6 September 2013 (UTC)[reply]

Dear Thomas, id you believe that there was any criminal activity, do not wait for any discussion on Wikimedia, but go directly to the police and/or a public prosecutor (while keeping this advisory from en-wiki in mind, too). If you believe that there was no crime in a legal sense, but there was a privacy policy violation, go to the Ombudsman Commission. Whatever your decision is, I suggest you do not discuss a particular case on a talk page for a privacy policy draft, simply because it is off-topic. Pundit (talk) 16:29, 11 September 2013 (UTC)[reply]

a current available WP-violation of a german law in Range "Privacy policy" is here not off-topic...

This list is not an official managed or checked list for german admins.

Each WP user, for example Benutzer:Ralf Roletschek can make the CAD-Troll Edit self

You can closures IP-ranges for WP-Edit without Admin approval.

Some entries are more than half a year old and still effective...

The [User:-jkb-|-jkb-]], is self a germnan WP-Admin and active Editor of this List...

Starting a new section based on an email we received, summarized here and the emailer pointed to the discussion:

• The emailer is happy about the desire to protect information from unauthorized disclosure and use but is concerned about government monitoring [Specifically in the UK but obviously this is a broader question as well]. They would like us to watch for the browser set 'Do Not Track' header and to collect only minimal data for any user with that setting. Jalexander (talk) 17:56, 11 September 2013 (UTC)[reply]

The email Jalexander references was fairly specific and well-written, so I will quote it here to give more context: "I think that some users, in some situations, have specific needs or desires not to be tracked. I think this means that wikimedia should support the 'Do Not Track' header and only collect minimal data for users with this. I could not find any information about a policy either way."

I think it will also be helpful, before answering, to clear up a common misconception about Do Not Track.

To quote from donottrack.us, the page about Do Not Track maintained by Stanford researchers (emphasis added): "Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit..."

The World Wide Web Consortium's Do Not Track standard, which is the formal definition of what Do Not Track means, similarly says (emphasis added):

Template:Blockquote

(It is important to note that the specification is unfortunately very far from finished; for example, there is still substantial discussion over what the definition of "track" is. So things may change before the definition is finalized.)

In other words, the official definition of the Do Not Track header specifically allows the websites you visit to record and track information. What it primarily prohibits is giving specific kinds of information to third parties. Unfortunately, many people are confused about this, and think that the DNT header prohibits any sort of tracking, not just third parties. I hope this comment clarifies that point.

Because the privacy policy already has fairly stringent protections for all user information (not just those who turn on Do Not Track), particularly about how/when we give information to third parties, and because DNT does not limit what we ourselves do with the data, we had not included a mention of DNT in the policy. However, we're open to that discussion - for example, if it would be useful, we could summarize this information about DNT a FAQ. And we will of course continue evaluating the standard as it progresses. Hope that helps answer the question.- LVilla (WMF) (talk) 19:26, 11 September 2013 (UTC)[reply]

It may be worth clarifying that we aim at being stricter than the opt-in DNT behaviour. --Nemo 21:56, 11 September 2013 (UTC)[reply]

We could even take the idea, that some users have a greater need to not be tracked, and allow for an opt out of some of the behavioural tracking, weather explicitly offering a choice somewhere or taking DNT as an indication of this desire and acting further than required by it. Its also worth noting and informing users of the limitations of DNT. --ZMD123 (talk) 23:13, 11 September 2013 (UTC)[reply]

You can't visit wikipedia while using Tor. Do something about it. Let's discuss: GO ! --82.113.122.164 21:54, 11 September 2013 (UTC)[reply]

Can't visit?! For what it's worth, NOP was just updated. Check it. --Nemo 21:56, 11 September 2013 (UTC)[reply]

You are right, sry I'm a miserable guy. Greets--82.113.122.164 22:01, 11 September 2013 (UTC)[reply]