[Foundation-l] Wikipedia tracks user behaviour via third party companies #2

Fri Jun 5 21:08:56 UTC 2009

On Fri, Jun 5, 2009 at 9:49 PM, Tisza Gergő <gtisza at gmail.com> wrote:

> Bence Damokos <bdamokos at ...> writes:
>
> > I'd like to note in the interest of facts that the Huwp stats have been
> > implemented (without complaint till now, June 2009) since October 2006;
> the
> > current version of the privacy policy has been available in English since
> > October 2008.
>
> It was implemented in October 2005, actually (not long after the knams
> stats
> stopped IIRC); MediaWiki:Lastmodifiedat replaced an earlier message in
> 2006,
> that is why the page history doesn't go back further.
>
> More importantly, the privacy policy explicitly states that developers
> might
> have access to the raw logs. The stat is thus in compliance with the letter
> of
> the privacy policy, and I don't see why it would be countrary of its
> spirit. (As
> stated, the only purpose is to provide statistics which include no
> personally
> identifiable information; the operator is one of the most trusted users of
> the
> hu.wp community, the founder of the community, the head of Wikimedia
> Hungary,
> admin, bureaucrat, checkuser, whatnot; and the stat server was operated
> with the
> knowledge and consent of the community. It is linked from the statistics
> page
> and other relevant places, not exactly a secret.)
>

There are a few issues with this.  Devs have access to logs on WMF servers,
not random external servers.  The community cannot decide that Random_user1
and Random_user2 etc will agree with the communities view on the stats being
passed to an external server.  Also there *may* be issues with the security
of that server that means it could be compromised and could probably be
accessed by the web hosting company if they so wished.

I still fail to see how, at this point (not before when there was no policy)
this can be considered to be acceptable.  IP information etc is still being
passed to an external server, regardless of who it is being operated by.  As
we can see at http://meta.wikimedia.org/wiki/Privacy and copied below I
don't see where this is acceptable.

Release: Policy on Release of Data

It is the policy of Wikimedia that personally identifiable data collected in
the server logs, or through records in the database via the CheckUser
feature, or through other non-publicly-available methods, may be released by
Wikimedia volunteers or staff, in any of the following situations:

   1. In response to a valid subpoena or other compulsory request from law
   enforcement,
   2. With permission of the affected user,
   3. When necessary for investigation of abuse complaints,
   4. Where the information pertains to page views generated by a spider or
   bot and its dissemination is necessary to illustrate or resolve technical
   issues,
   5. Where the user has been vandalizing articles or persistently behaving
   in a disruptive way, data may be released to a service provider, carrier, or
   other third-party entity to assist in the targeting of IP blocks, or to
   assist in the formulation of a complaint to relevant Internet Service
   Providers,
   6. Where it is reasonably necessary to protect the rights, property or
   safety of the Wikimedia Foundation, its users or the public.

Except as described above, Wikimedia policy does not permit distribution of
personally identifiable information under any circumstances.

Regards

Mark

>
>
> _______________________________________________
> foundation-l mailing list
> foundation-l at lists.wikimedia.org
> Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/foundation-l
>