Keep in mind there are two parts to labs. tools.wmflabs has a proxy in front that filters out ip addresses, but non-tool projects may need user IP info for one thing or another (UTRS for example)
On Wednesday, March 9, 2016, Tim Landscheidt <[email protected]> wrote: > (anonymous) wrote: > > > I think the situation with passwords has been clarified. Thanks for that. > > > However, there is still the matter of Labs users potentially logging and > > publishing the IPs of users who access the tool. My impression that this > > forbidden by policy but not by technical means. Can the wording of "By > > using this project, you agree that any private information you give to > this > > project may be made publicly available and not be treated as > confidential." > > be made more narrow to reflect that, in fact, it's not true that "any > > private information you give to this project may be made publicly > available > > and not treated as confidential" unless a tool owner is breaking policy? > > > Also, I'm wondering what to do about the vulnerability of user IPs being > > recorded and tracked. It sounds like there are three options: > > 1. Use technical means to prevent Labs tools from loading external > > resources that could potentially track IPs > > 2. Prohibit this practice by policy, and run some kind of background > check > > on tool admins similar to what's done for CUs > > 3. Keep the status quo of warning users of potential disclosure but not > do > > much to protect users against improper disclosure. > > > Finally, it seems to me that the penalty for publishing private > information > > in violation of Labs policy should involve far more than simply revoking > > Labs permissions. I think that this would merit the same kind of legal > > action that would likely be brought to bear if a checkuser or WMF > employee > > did the same thing. There can be real-world consequences for users whose > > private information is made public, and therefore I think that it's > > appropriate that real-world legal action be explicitly included in the > > scope of possible consequences for misconduct of this kind, and I think > > that this should be noted in the Labs Terms of Use. > > > Thoughts? > > > I'm also looping in Michelle and James. > > I live in a country where you need a court order to resolve > an IP and a timestamp to a name and an address, so I would > strongly recommend emigrating from countries where this is > different or using a privacy service in a safe country. > > But even if I was concerned about my IP address, I would > certainly not access Wikipedia with it where this precious > datum can be accessed by an indeterminate and fluctuating > number of employees and international contractors of a > Florida organization with offices in San Francisco and a > legal address in Los Angeles, but also by any administrator > on the wiki with the power to add some JavaScript or tracker > images. Much less would I access any site where the de- > clared purpose is that random users can host their brilliant > tools with no review necessary so that functionality can be > provided immediately and not with the years of delay typical > of WMF software development. > > So if someone is blackmailed about their IP address, I would > strongly recommend (even stronger than emigration) to report > the blackmailer and the one emphasizing the danger!!!eleven! > to the police so that law enforcement can deal with the > criminal and investigate any links between the two. > > If someone is not blackmailed, they should have plenty of > time to come up with a structure for tools not reviewed in > any way where breaches of privacy are technically impossi- > ble. It rolls off the tongue like that, so it can't be that > hard to implement. > > Tim > > > _______________________________________________ > Labs-l mailing list > [email protected] <javascript:;> > https://lists.wikimedia.org/mailman/listinfo/labs-l >
_______________________________________________ Labs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/labs-l
