Policy talk:Privacy policy

How do I report someone adding something to my view ie. Chris Brown as if it's coming from me? —The preceding unsigned comment was added by 65.95.40.84 (talk • contribs) 05:32, 25 February 2009 (UTC).[reply]

The policy says that info on page visits are not exposed publically, but there is a bot which is publishing page after page of user's search terms along with their username and I think for non-users IP address: here are many such pages: [1] also failed search terms are logged: [2] (there are dozens of archives of the above page stretching back several months, with page names of the form ../archive26). Given the controversy over search engines retaining user data and in some cases publishing it, these pages seem a gross violation of user privacy. Do wikipedia visitors know that the search terms they use have become a matter of public record? I doubt it. Weeksinput 03:36, 27 February 2009 (UTC)[reply]

You're mistaken. The bot is posting its own search results. It searches new pages and posts a list of those it finds. The username you see next to each page is the page's creator. This is confirmed by looking at the history of the page. That bot is not publishing users' search results. -Kotra 17:14, 25 March 2009 (UTC)[reply]

Regarding Where the information pertains to page views generated by a spider or bot and its dissemination is necessary to illustrate or resolve technical issues in the section 'Access to and release of personally identifiable information'. I have looked at the definition of page view on Wikipedia. But I am still not sure that I understand what 'page views generated by a spider or bot' are. Can anyone explain this in layman's terms? Lloffiwr 11:16, 26 April 2009 (UTC)[reply]

Bots and spiders, in this context, are computer programs set up to automatically visit webpages, without anyone actually sitting behind the screen. For example, search engines like Google have spiders that run around the web, reading webpage after webpage, to create an index of the web that you can search. Email spammers use bots too, to search the web for email addresses.

"Page views generated by a spider or bot", then, would occur whenever a bot visited a webpage. Wikimedia's software would detect the bot's visit as a page view, just like the page views of actual humans.

One reason I can think of why they would have this line is so administrators, checkusers, and other volunteer editors can take action against bots that are set up to add commercial links (linkspam) into articles. There are probably other reasons as well, or they may just be putting that out for unforeseen contingencies.

If you're really curious, though, you might try to track down User:UninvitedCompany, who originally added the text back in 2003. -Kotra 03:04, 14 May 2009 (UTC)[reply]

Thank you for the clear and detailed explanation - I now have a much better idea of how to translate this sentence. Lloffiwr 12:49, 20 May 2009 (UTC)[reply]

Regarding Interactions with the Projects not covered by this Policy include, but are not limited to, aspects of browsing and editing pages in the section Activities on Foundation projects.

The paragraph is mostly dealing with some ways that the user can voluntarily disclose her own private data. When the user is sending email or creating OTRS ticket, it is obvious that by the very nature of those communications some private data will be disclosed. It is clear, that anonymous editing is one of the the aspects of editing pages, since the IP address becomes public by the very nature of that interaction and becomes publicly available data and therefore not covered by this policy, although they may be covered by some other policies (like that one of the OTRS).

However, I do not to understand the which aspects of browsing may constitute publicly available information not covered by this policy. The policy deals extensively with Web server access logs as well as with privacy implications of certain HTTP features like cookies.

So, the question is, which aspects of browsing the Wikimedia sites are not covered by this privacy policy? I understand that this is just list of examples ("...not limited to...") but my understanding to date that all aspects of passive browsing were covered under this policy.

 « Saper // @talk »  02:04, 20 May 2009 (UTC)[reply]

I've always thought that the disclosure of the realname of a person behind a user account by another user on talkpages or in edit-commentaries, as it happens sometimes in edit-conflicts between users, is a no-no in all Wikimedia projects. However, when looking for written policy, I couldn't find anything about that. Any hint? --Túrelio 08:26, 14 September 2009 (UTC)[reply]

I don't think that a global "anonymity policy" exists for that. The current privacy policy certainly doesn't cover it. However, such edits are allowed to be deleted by Oversight policy (#1) from which I would deduce that they are not allowed in any project. --Tinz 01:26, 16 December 2009 (UTC)[reply]

Thanks. Better late than never ;-). --Túrelio 19:22, 1 January 2010 (UTC)[reply]

What if that information is available in the history of the user's page? Isn't all the material on the user's page history covered by the same content rules that apply to all Wikimedia material?

Sincerely,

Virgilio A. P. Machado

Vapmachado 03:37, 10 July 2010 (UTC)[reply]

I'm not sure if I understand your question correctly. It should not matter whether personal information of a user is disclosed in an article or on a user page. You can ask any Oversight (or Steward, if your project has no oversights) to remove that information. Or do you mean cases in which the user himself has made his own information public at some earlier point? I don't think that a global policy exists for this, but in the projects I know, the wish to become anonymous is respected. The old versions are deleted and other users are asked to respect his wish to "become" anonymous. --Tinz 17:47, 22 July 2010 (UTC)[reply]

Thank you so much for addressing my question. I'll take you and all other readers, particularly my very good friend and member of our mutual admiration society Sir Lestaty de Lioncourt, through a step by step example, to make it easier on everybody, and present a clear case, hopefully without violating anybody's privacy. You are welcome to post your answers right after each question.

Consider Alexanderps.

I would like to know if it is disclosure of private data of another user account without that user permission, to post on one of your own subpages the following:

1) The name Alexanderps uses in his signature, like on this example [3] ?

(You are welcome to post your answers right after each question on the space below.)

2) Space for next question

Sincerely,

Virgilio A. P. Machado

Vapmachado 18:27, 22 July 2010 (UTC)[reply]

Sorry, I don't really like this interview style, it makes me feel like a student about to get outwitted by Socrates :-)

As a former ombudsman, I visit this page from time to time to help in case of problems with the understanding of the privacy policy.

If you think that the privacy policy was broken then you should contact the current Ombudsman commission.

However, your problem doesn't really seem to be related to any violations of the privacy policy (which deals mostly with private information that checkusers have). It sounds more like a problem that you have with other users of pt Wikipedia or maybe with the anonymity policies of ptwiki (which I don't know). In any case, this talk page is the wrong place to resolve these problems. A better way would be to seek conflict resolution on pt-wiki itself. Alternatively, you could probably start a RFC here. Regards, --Tinz 13:57, 26 July 2010 (UTC)[reply]

Thank you so much for your suggestion, according to which this request for comment has been started and announced. As a former ombudsman you must surely know something that might help answer my question. It would be an honor if you were the first to post your comment there. Thanks for your compliment, but it is highly exaggerated. There's no comparison between Socrates and me. I believe that the Socrates you're referring to is dead :-)

Sincerely,

Virgilio A. P. Machado

Vapmachado 23:11, 26 July 2010 (UTC)[reply]

Two layers of privacy

Draft amendments to the rules
The case of privacy policy has at least two 'layers' both focusing upon certain civil rights of an individual seeking to defend his anonymity.

Encouraging everybody to post, edit and discuss articles, Wikimedia (as well as thousands of other interactive facilities in the Internet) offers an option to show his authorship:

1. as some IP which automatically appears as a 'singature' above/under/besides his message;
2. as some pseudonym which one may choose for that purpose

Since an IP is automatically generated upon some technical data which to a certain extent may show the way to the originating computer and through this to a specific individual — the formula for the first 'layer' is ”IP vs nick”.

Since the very first days of the Internet folks preferred to identify theirselves by pseudonyms (nicks). With the further development of Internet (especially since the namespace boundaries have been overcome) people found it possible to use their actual civilian names as 'nicks'. Although it's obvious that it was their personal will to disclose their anonymity in this way (below I'll make some reservations upon that), another disputable layer of privacy appeared in the Internet communities, that is ”real” vs fictitious nick.

In addition to the explicit writing of personal data I shall mention some indirect means, as URLs and other kind of external links to the sources where their personal data is written. The netiquette explicitly treats as a gross breach when a third person discloses somebody's private information in that way. Having occured within some community (e.g. Wikipedia registered users) and its common editable workspace — it is suppressed by its in-law. However this case is too flat to deserve a thourough investigation here. I suppose that to be sufficiently covered in the existing rules of behaviour in Wikimedia.

The yawning gap in our rulings here is in unsufficient clarity and unambiguity concerning the case when somebody claims that equating his «”real” name nick» to an apparently fictitious nick is a violation of his privacy. The most recent example:

• Arbiter 'A' creates a sockpuppet 'S' for his personal investigation purposes
• Checkuser 'C' founds that a sockpuppet 'S' = 'A'.
• Arbiter 'A' insists, that 'C' has infringed his privacy by revealing that 'S' = 'A', since he claims 'A' to be an abbreviation of his real name.

Let us leave aside all derivative issues that may arise in connection with the specific circumstances of this case. I shall rather insist that both this one and the series of similar disputes shall have their doubtful grounds until Wikimedia shall clearly define that

Note. Clause 2-a is necessary for the case when checkusers and stewards are required to establish compliance between nicks and IP's — for example, in investigation of abuses with open proxies.

Example (has a real basis, however not investigated yet). User 'X' (assume he is unknown) enters Wikipedia aiming to set an article for deletion (AfD). Since the article is outside his 'national' workspace, he

• sets his browser to work via a foreign open proxy server, so his AfD request is 'signed' with an IP of this proxy.
• having suddenly found an error in his edit, he urgently switches to another browser seeking for solution. For some reason (rush, carelessness) he corrects his error from another window which is not set to an open proxy. This edit is signed with an IP originally assigned by his ISP
• last, the AfD discussion page is 'signed' again with a faked IP (of an open proxy).

Now suppose that a checkuser establishes an identity: 'X'='Quasi Real Name'. But the underlying evidences of this output are IPs, so in the absence of ruling that the 'reality' of a nickname is a problem of an account owner, 'Quasi Real Name' shall have the grounds to counter-claim against the violation of his 'privacy'. Such lawlessness shall undermine all our further attempts to halt cross-wiki-vandalism!

I realize that a lack of knowledge of local regulations may weaken certain statements of my proposals. However the underlying problems in my examples are actual and they are awaiting their solution. Anyway I hope that the discussion of this subject shall contribute to the strengthening of the rules for all the projects of Wikimedia. Thank you in advance for the studying of this project. Cherurbino 06:48, 31 January 2011 (UTC)[reply]

The last edit to this page fixed a typo in the Cookies section (back in October), but this change was never implemented on the Foundation mirror of this site. Is there anyone with Foundation access that can fix this typo (visted -> visited). We received an OTRS e-mail about this (2010010210021971). Thanks. -Andrew c 15:38, 3 January 2010 (UTC)[reply]

 Fixed here. Thank you. - Rjd0060 16:22, 3 January 2010 (UTC)[reply]

This policy doesn't comply with the Children's Online Privacy Protection Act[4]. Shouldn't it say what the policy is towards children? --Aled D 15:26, 14 May 2010 (UTC)[reply]

Let me quote from the article you cite:

"The Act applies to websites and online services operated for commercial purposes that are either directed to children under 13 or have actual knowledge that children under 13 are providing information online. Most recognized non-profit organizations are exempt from most of the requirements of COPPA.[1] However, the Supreme Court ruled that non-profits operated for the benefit of their members' commercial activities are subject to FTC regulation and consequently also COPPA."

Wikimedia is not commercial and not operated for the benefit of their members' commercial activities. Therefore, it seems to me that COPPA does not apply to wikimedia's projects. --Tinz 12:23, 17 May 2010 (UTC)[reply]

I like your privacy policy, but I have two small issues:

"When a visitor requests or reads a page, or sends email to a Wikimedia server, no more information is collected than is typically collected by web sites."

That's not really informative, unfortunately. What is a typical website these days? And what do they (i.e. you) actually collect?

Also, I didn't see any mention of search history. What is your policy with that?

I would say that only technical staff of the wikimedia foundation can answer these questions and I am not sure whether they read this page. All I can say is that the community, including trusted users in special roles like checkusers or stewards, have no access to this kind of information. --Tinz 14:29, 27 September 2010 (UTC)[reply]

(This is just my personal opinion, and may not reflect reality). The average apache webserver log entry looks like:

127.0.0.1 - - [12/Nov/2010:02:25:24 -0400] "GET /w/phase3/index.php?title=Special%3ASearch&search=image%3AExample.jpg&go=Go HTTP/1.1" 200 146 "http://localhost/w/phase3/index.php/Main_Page" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009061212 Iceweasel/3.0.6 (Debian-3.0.6-1)"

It contains the IP address, user name for HTTP authentication (mediawiki doesn't use HTTP authentication for accounts, so normally this is a - regardless of if you're logged in or not), date, the method (GET in 99% of the time), the url, HTTP protocol version (HTTP/1.1 99%) of the time, the HTTP status code (200 is the most common, meaning success. Other common codes are 404 for file not found, and 403 for forbidden), the number of bytes transferred (146 in my example), the referrer (the page where you came from to get to the page you are currently visiting), the user-agent (which web browser you're using. Usually also contains information on your operating system). This is just the "typical" example. Wikimedia servers could be configured differently (not to mention that a large portion of their logs would be squid logs not apache logs). Bawolff 22:18, 12 November 2010 (UTC)[reply]

What is the MediaWiki message which should be used?

The current text suggests MediaWiki:Privacy, which was deleted as "no long required". Besides, the pages in other languages (e.g. French, Portuguese,...) suggests MediaWiki:Copyright, which is also deleted in most projects (e.g. en.wiktionary) with the same reason. Helder 12:50, 21 November 2010 (UTC)

Is the policy sufficiently comprehensive. These seem like important questions as 200x dates start to feel like the relatively distant past. Technology continues to advance and how can we create a global environment in which a meaningful conversation is possible. 24.59.179.184 23:34, 12 January 2011 (UTC)[reply]

It seems to me that there is something wrong with the document structure and headings. "Reading projects", "Editing projects", "Discussions" are level 5 headings under one paragraph "User contributions". I guess they should be promoted to the same level as "General expectations" (level 3), since this makes little sense otherwise. I am not sure what was the original format presented to the board, however.  « Saper // @talk »  12:52, 17 January 2011 (UTC)[reply]

PHPSESSID is not anormal cookie, but asession, i will ask to agnolege the user about this,.

General scope

There's written there: «Consistent with its Data Retention Policy, the Foundation collects and retains the least amount of personally identifiable information needed to fulfill the Projects' operational needs.»

“Fulfill” is underlined red by my spell-checker.

LONGMAN Dictionary of English:

„ful-fil /.../ v -ll- (also fulfill AmE) ...“ (and so on).

What standard of spelling are we to keep to?

Lincoln Josh 13:14, 4 March 2011 (UTC)[reply]

A majority of ACC Tool users[5] are not checkusers and have not been formally identified by the Foundation. They have critical access and knowledge about the ip addresses and email addresses of users requesting new accounts at the English Wikipedia. Can we, therefore, include references to the ACC Tool in the privacy policy? (Note: We also have the Wikipedia:ACC tool users' pledge that attempts to voluntarily encourage ACC Tool users to adhere to our privacy policy).♪ ♫ Wifione ♫ ♪ 12:37, 23 March 2011 (UTC)[reply]

hm, I'm not sure if I understand this ACC tool completely: These users see only the data of users who tried to create an account on the english Wikipedia, had problems (e.g. failed to decipher the captcha), and then applied for an account manually. They don't see the data of users who register the usual way, right? It surprises me that a team of ~100 users is needed for this task, maybe our captcha needs to be improved?

But it seems to me that their role is somewhat comparable to the role of the OTRS volunteer response team, so did you think of mentioning ACC in the section on OTRS of the privacy policy? --Tinz 17:48, 24 March 2011 (UTC)[reply]

Hi Tinz. You are right. The ACC tool allows users to apply for an account when they're not able to decipher the captcha or when their name is perchance too similar to an existing name. The role of ACC tool users is somewhat similar to the OTRS volunteer response team, the difference being that the OTRS team is identified by the Foundation, while the ACC tool volunteers remain anonymous by choice. And yes, I wished to mention them in the OTRS section of the privacy policy. My intent is that any person reading our privacy policy gets informed that even on the ACC tool, the interface account handlers have access to ip addresses, email addresses of new account requesting users. Thanks.♪ ♫ Wifione ♫ ♪ 18:11, 24 March 2011 (UTC)[reply]

Боржигин овогт Батбаатбрын Батням нь 1991,04,21 нд Монгол

Please see the discussion at http://en.wikisource.org/wiki/Wikisource:Scriptorium#User_talk:page_created_on_it.wikisource. Basically, when I visit a Mediawiki site for the first time, even if only to read a page, the server detects that I have a globally unified account, and creates my account on that site, and this account creation is publicly logged. This would seem to be a straight-forward violation of the privacy policy as currently worded:

"When a visitor requests or reads a page... no more information is collected than is typically collected by web sites. The Wikimedia Foundation may keep raw logs of such transactions, but these will not be published or used to track legitimate users." (my emphasis)

Hesperian 01:05, 24 June 2011 (UTC)[reply]

• When you first log in to Wikipedia make sure you uncheck the "Log me in globally" check box. That way you'll be logged only into the Wikipedia you log in to. If you leave the box checked you will create a new local account each time you visit a new wiki for the first time. Although each person gets a global account they also get local accounts at each wiki they join. Since you would have had "log me in globally" checked you created accounts every where you visited. The global account and local accounts are separate entities. Hope this helps. fr33kman 02:54, 24 June 2011 (UTC)[reply]

So does the information around global login explicitly explain that that this will happen? That is to say, that when you tick this box, that an account will be created on your first visit to a site and that account names are visible to all users; typically that you will be welcomed to the site. billinghurst sDrewth 02:59, 24 June 2011 (UTC)[reply]

I don't think it does. I'm not a mediawiki technical type. I suppose it's a interesting question, but wouldn't it be mostly moot since if a person has a user account they are a person likely to make an edit and hence divulge their username in any event. Still, I guess it is something for those that maintain it to answer. fr33kman 03:07, 24 June 2011 (UTC)[reply]

In fact, in the name of transparency, there is an IRC channel where these "unifications" scroll by live whilst they are being made. fr33kman 03:10, 24 June 2011 (UTC)[reply]

From the technical aspect, the centralauth extension automatically creates your account when you view a Wikimedia site for the first time. I would also not classify the extension's automatic actions as in violation of the privacy policy (from a practical standpoint, anyways), as the website is not collecting data from the viewer's computer, but from Wikimedia's servers, and the information that is collected is well within the "no more information is collected than is typically collected by web sites" clause. I won't get too much into that, though, as I am not a lawyer. The event is publicly logged, though it does not appear in the recent changes, and as fr33kman alluded to, the log is public for transparency. Ajraddatz (Talk) 03:49, 24 June 2011 (UTC)[reply]

I've emailed the general consul with a link to this thread.  ℳono  05:32, 24 June 2011 (UTC)[reply]

RESOLVED DUPLICATE / This bug has been marked as a duplicate of bug 19161. Cbrown1023 talk 15:47, 24 June 2011 (UTC)[reply]

I'm not really happy with the response I've received here. Fr33kman assumes that I don't understand global login, and if I did I wouldn't have a problem. Fr33kman, I've been around Wikimedia projects for nearly seven years, longer indeed than the GlobalAuth extension, I know perfectly well what it does, and I don't need you to teach my grandmother to suck eggs.

Cbrown1023 makes the legitimate and interesting point that this could be used to in an exploit that extracts further information that ought to be private. But I'm not talking about this as a vulnerability that might release further information. I'm talking about the information that has already been released. The privacy policy clearly states that When a visitor requests or reads a page... the Wikimedia Foundation may keep raw logs of such transactions, but these will not be published.... Here we have a real-world non-hypothetical situation where a visitor has read a page, the fact that they did so has triggered an entry in a public log, so that they cannot deny that they have read a page on that site, and they are uncomfortable with this. Is that not a straight-forward violation of the privacy policy, already, non-withstanding any further information that might be released via an exploit?

Hesperian 02:34, 26 June 2011 (UTC)[reply]

I'm sorry for being nice and trying to help, since that offends you. fr33kman 04:18, 26 June 2011 (UTC)[reply]

It didn't offend me that you were "being nice and trying to help". That's twice now you've been too eager to reply, to bother to try to understand what I actually said. Hesperian 13:22, 26 June 2011 (UTC)[reply]

I understand, and understood, what you were/are trying to say but since I don't know who you are I thought I'd tell you how to stop the auto creation log in case you were unaware. I can't really speak to the privacy policy since the board decided that, not the community. Perhaps asking User:Philippe (WMF) about it may help? fr33kman 18:42, 26 June 2011 (UTC)[reply]

You're sending me elsewhere?? I'm pretty sure Talk:Privacy policy is the right forum for someone to raise concerns about a possible privacy policy violation. It might possibly be the wrong forum for someone who "can't really speak to the privacy policy" to nonetheless expound on unrelated matters. Hesperian 04:29, 27 June 2011 (UTC)[reply]

While it doesn't bother me that my reading of various wikis has been logged, I can see how it could be a big problem to some people, and it looks to me like it still happens. WereSpielChequers 23:11, 29 September 2011 (UTC)[reply]

The bit about IRC probably needs updating to reflect the fact that there are now official WMF office hours on IRC. WereSpielChequers 12:53, 27 November 2011 (UTC)[reply]

There's quite a bit of "private" information that some users accumulate here, especially in things like their watchlists. Some of this information is then collected and used in an aggregated way, for example unwatched pages are available to trusted editors but we try not to release them to vandals. I think the Privacy policy should cover this - at present I think it insufficiently covers reality. WereSpielChequers 13:06, 27 November 2011 (UTC)[reply]

One area which has grown has been meetups, and these especially the residential ones do tend to require disclosure of real names. I would suggest that the Privacy policy should cover this WereSpielChequers 13:06, 27 November 2011 (UTC)[reply]

Certain tools such as Oversight and checkuser are only available to editors who have identified to the Office. I would suggest that this policy should cover that process and in the process disclose whether the identity information is held and if so how long for. WereSpielChequers 13:14, 27 November 2011 (UTC)[reply]

Hi... Sorry if this should be placed elsewhere... The Privacy Policy states that, "When a page is edited by a logged-in editor, the server confidentially stores related IP information for a limited period of time. This information is automatically deleted after a set period. " Can you tell me how long the "limited period of time" / "set period" is? Thanks! Wikipelli (talk) 15:41, 4 March 2012 (UTC)[reply]

The previous privacy policy stated "the raw log data is not made public, and is normally discarded after about two weeks." Presumably, this is no longer the case? I am a bit unsure, but the new policy seems to say the following about IP address retention:

• Editors who are not logged inn: IP addresses are retained indefinitely and published.
• Readers: IP addresses may be retained indefinitely (in server logs) but not published.
• Editors who are logged in: IP addresses are are retained for a limited but unspecified period of time, and not published.

I find it a bit peculiar that readers have less privacy than (registered) editors. Besides, even Google hashes IP addresses after a specified period of time (and one would think Wikipedia searches is no less sensitive than Google searches). 62.212.73.103 21:06, 6 April 2012 (UTC)[reply]

Disclosing exactly how long the WMF keeps IP data on registered editors for would make it easier for sockpuppeteers to evade the checkusers, so there is a good reason for not being too public here. However I'm pretty sure that the wording needs amendment as I'm reasonably confident that data is kept for much longer when it involves certain longterm banned users. WereSpielChequers (talk) 20:54, 11 May 2012 (UTC)[reply]

• To the best of my knowledge, reader data is only kept for a couple of weeks. Data specific to logged-in editors is kept 3 months. Data specific to abusive editors may be retained for a longer period, and is linked to how long that person remains an abusive editor; it is not stored on the server logs, however. Risker (talk) 20:59, 11 May 2012 (UTC)[reply]

"If one saves a user name or password in one's browser, that information will be saved for up to 30 days, and this information will be resent to the server on every visit to the same Project." This sentence is incorrect now that the expiry has been changed to 180 days as part of the MediaWiki 1.19 deployment. PleaseStand (talk) 21:42, 6 March 2012 (UTC)[reply]

Please See this discussion on sinhala language wikipedia. Our active user community is small. Please comment & advice. Singhalawap (talk) 15:56, 28 March 2012 (UTC)[reply]

This has been taken care of by Reedy. –Krinkle^talk 19:58, 27 May 2012 (UTC)[reply]

    i have old account .. but now i forgot password ..

and my email . not received any message from " wiki ... " help me please >.. my old account is " w.halawani "

It should be noted that even on IRC channels that do not allow for logs to be published, that they occasionally are published, and that the WMF has neither the legal right nor the responsibility to chase after the people that have done so. This is also Sven Manguard (talk) 19:08, 26 June 2012 (UTC)[reply]

Hi all -- I believe in the past, I've seen ads for the Wikipedia Ambassador Program on Wikimedia sites, specifically asking for Canadian reps. Based on that, I presume we have permission within the privacy policy to customize content based on location? -- Zanimum (talk) 15:23, 5 July 2012 (UTC)[reply]