AntiCompositeNumber (2023-05-27 05:29):
I am disappointed that these Terms went into effect immediately,
without any chance for review or comment by the community. This is
counter to how Wikimedia processes should run, and flies in the face
of the values of the Wikimedia movement.
I am concerned about some of the provisions of these Terms. For
example, 7.3 bullet 3 states
Not collect any other Personal Information and Wikimedia Usernames from End
Users, other than any user agent information forwarded by the anonymizing
reverse proxy or OAuth provided usernames and email addresses.
One of my tools, signatures.toolforge.org, provides data on a user's
signature from their username. The queried username is included in the
path, and is logged by the default uwsgi logging configuration. It is
likely that at least some End Users will check their own usernames, so
therefore the tool is collecting Wikimedia Usernames from End Users.
This *shouldn't* be a violation of the Terms, but by a plain reading
of them, it is.
I am not a lawyer, but as a developer with some GDPR experience (EU Law)
-- storing usernames, especially indefinitely, in logs doesn't seem
acceptable to me. You shouldn't store user data you don't need. And if
you store user data, you should allow the user to object and provide a
procedure to delete this data. In general you should probably remove
that data as soon as you do not need it.
An additional complication could be if you process user data in
conjunction with IP and create some statistics, because then it may fall
under profiling.
Kind regards,
Nux.
_______________________________________________
Cloud mailing list -- [email protected]
List information:
https://lists.wikimedia.org/postorius/lists/cloud.lists.wikimedia.org/