Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread David Richfield
So User:mfgaowener should get an automated mail saying because you
did a pagemove with edit summary Haers! you were checkusered.
Please be more subtle in your vandalism next time.

I trust the current checks and balances, and I don't think the system
is getting significant levels of abuse.

-- 
David Richfield
[[:en:User:Slashme]]
+27718539985

___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Stephanie Daugherty
On Thu, Jun 14, 2012 at 3:36 AM, David Richfield
davidrichfi...@gmail.com wrote:

 So User:mfgaowener should get an automated mail saying because you
 did a pagemove with edit summary Haers! you were checkusered.
 Please be more subtle in your vandalism next time.

 I trust the current checks and balances, and I don't think the system
 is getting significant levels of abuse.

+1 on this. The methods that checkusers have are heavily constrained as it
is by privacy concerns, and they are very fragile. They only work
effectively within the tight privacy restrictions with a certain amount of
security through obscurity. For one, a checkuser needs to be able to
monitor a situation sometimes to be sure that they are casting a wide
enough net for a block to be effective. For another, the standard of
reasonable suspicion placed on the checkuser tool is high enough that with
enough practice, vandals would learn to be careful to never justify a
checkuser request within the privacy guidelines.

We're between a rock and a hard place, because to give the transparency
being asked for, we'd enter an arms race where we'd quickly have to relax
the checkuser standards to the point where it becomes anything goes so
long as you don't disclose it.

-Stephanie


Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread geni
On 13 June 2012 21:30, David Gerard dger...@gmail.com wrote:
 I was looking over old discussions, and wondered: who originally came
 up with the notion that the principle of least surprise should apply
 to educational content? If it existed before Wikimedia, who introduced
 it to the image filter discussion, on what rationale?


It (principle of least astonishment) derives from our redirect
guidelines where you are trying to decide between redirecting to an
article and redirecting to a disambiguation page. It is also somewhat
related to page naming.

[Personally I think it's an inanity - an education that doesn't turn
your head upside down might as well be basket weaving - and it's too
easily applied to shocking and outrageous concepts that children
shouldn't be exposed to, like homosexuality or rights for minorities -
but I could of course be convinced I'm wrong.]

I think you miss the point of a concept. The idea is not that say
[[Marriage]] shouldn't contain information about homosexual marriages,
heterosexual marriages, marriages of convenience or polygamous
marriages but that it probably shouldn't contain photos of marriage
consummation.

[[Nude photography]] on the other hand should have some nudity. But
then it should also be more than 3 paragraphs long.


-- 
geni



Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread David Gerard
On 14 June 2012 12:52, geni geni...@gmail.com wrote:

 I think you miss the point of a concept. The idea is not that say
 [[Marriage]] shouldn't contain information about homosexual marriages,
 heterosexual marriages, marriages of convenience or polygamous
 marriages but that it probably shouldn't contain photos of marriage
 consummation.


As I have noted already, this idealised version is not how it was used
when it was introduced to the discussion and is not how it's been used
in the most recent round of it.


- d.



Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread geni
On 14 June 2012 14:45, David Gerard dger...@gmail.com wrote:
 As I have noted already, this idealised version is not how it was used
 when it was introduced to the discussion and is not how it's been used
 in the most recent round of it.

Looking at the timing of when the phrase appeared in the email list, I think
you were physically present when the phrase started being used in the
context of dealing with controversial content. Certainly I can find it
being used in that context before that London meetup that Dory
Carr-Harris attended. And in that case at least the meaning was very
much in the direction of not including controversial content unless
there was a valid reason to do so. It was unrelated to an image
filter.

Shocking images in [[Nanking Massacre]] are pretty much expected.
[[People's Republic of China–Japan relations]] not so much. [[Agent
orange]] is a more borderline case but these things are never easy as
[[Wikipedia:LAME#Names]] shows.

-- 
geni



Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread geni
On 14 June 2012 18:01, David Gerard dger...@gmail.com wrote:
 Yes, but this is called editorial judgement

No, it's called censorship. Or at least it will be called censorship by
enough people to make any debate not worth the effort.

 rather than something that can be imposed by filtering.

True for Wikipedia but Commons in particular needs some way or another
to provide more focused search results.

 (Although the board and staff claim that
 editorial judgement they disagree with must just be trolling is how
 principle of least surprise becomes we need a filter system.)

Perhaps but I wasn't aware that their opinions were considered to be
of any significance at this point.

Okay, they did block [[user:Beta_M]] but the fact that very much came
out of the blue shows how little consideration they are given these
days.


The fact remains that anyone who actually wants a filter could
probably put one together in the form of an Adblock plus filter list
within a few days. So far the only list I'm aware of is one I put
together to filter out images of Giant isopods.

-- 
geni



Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread Todd Allen
On Thu, Jun 14, 2012 at 11:31 AM, geni geni...@gmail.com wrote:
 On 14 June 2012 18:01, David Gerard dger...@gmail.com wrote:
 Yes, but this is called editorial judgement

 No, it's called censorship. Or at least it will be called censorship by
 enough people to make any debate not worth the effort.

 rather than something that can be imposed by filtering.

 True for Wikipedia but Commons in particular needs some way or another
 to provide more focused search results.

 (Although the board and staff claim that
 editorial judgement they disagree with must just be trolling is how
 principle of least surprise becomes we need a filter system.)

 Perhaps but I wasn't aware that their opinions were considered to be
 of any significance at this point.

 Okay, they did block [[user:Beta_M]] but the fact that very much came
 out of the blue shows how little consideration they are given these
 days.


 The fact remains that anyone who actually wants a filter could
 probably put one together in the form of an Adblock plus filter list
 within a few days. So far the only list I'm aware of is one I put
 together to filter out images of Giant isopods.

 --
 geni


If Principle of least astonishment means what it normally means,
that being to make sensible UI decisions based upon what your average
user would expect to happen, I'm all for it.

If Principle of least astonishment means what it's been co-opted to
mean in this particular case, that people will somehow be astonished
to see images of nude humans on human anatomy articles, or depictions
of sex acts on articles about that particular act (though that's
already off kilter, we already fail to use real images on those,
instead preferring poor-quality line drawings), or images of Muhammad
on the Muhammad article, we need a cluebat rather than a filter. Point
those who scream in faux-outrage at finding media depicting
ejaculation on that article, or Muhammad on that article, to the
content disclaimer, tell them that yes, they will actually get an
article on what they specifically look for one for, that yes, we use
multimedia illustrations when we have appropriately licensed and
relevant media, and move on.

Todd Allen



Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread Andrew Gray
On 14 June 2012 18:01, David Gerard dger...@gmail.com wrote:
 On 14 June 2012 17:22, geni geni...@gmail.com wrote:

 Shocking images in [[Nanking Massacre]] are pretty much expected.
 [[People's Republic of China–Japan relations]] not so much. [[Agent
 orange]] is a more borderline case but these things are never easy as
 [[Wikipedia:LAME#Names]] shows.

 Yes, but this is called editorial judgement rather than something that
 can be imposed by filtering. (Although the board and staff claim that

This falls into the trap of presuming there is one approach of
editorial judgement of acceptability that is common to all readers,
*and* that it's the same as the editorial judgement currently provided
by our community of editors.

I'm not confident that a) is a reliable assumption - neutrality is a
matter of presenting all sides, and so we can achieve it, while this
sort of editorial judgement is basically binary and so much harder to
equivocate. Even if it is, b) certainly has problems - while our
community strives to be neutral, I doubt anyone would claim it does
not start off with fairly heavy biases, from demography as much as
anything else.

Least surprise is one way to try and get around this problem of not
relying on the community's own judgement in all edge cases; I'm not
sure it's the best one, but I'm not sure leaving it out is any better.

-- 
- Andrew Gray
  andrew.g...@dunelm.org.uk



Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread John
I am not asking for full disclosure; what I am asking is that established
users have the right to be notified when and why they are being checkusered.
The evidence checkusers get does not need to be disclosed. It's as simple as:

 X performed a checkuser on you because Y at Z UTC

that provides clarity and openness while keeping the information checkusers
use confidential. A note like that would provide vandals with very little
information. And the second step of defining a threshold would eliminate
most of the vandal checks.

To me this screams of let's keep oversight of checkuser to a minimum. Right
now there is the ombudsman committee globally (to ask for review from them
we need evidence, realistically only other checkusers can provide that)
and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
members (be de facto are granted CU), former arbcom, or former CU. To me
that really reeks of lack of independent oversight. Notifying an
established user that they are subject to a CU doesn't harm the CU's ability
to do their job unless they themselves have something to hide. It's not like
I am asking for CU's to release IP addresses/user-agents or anything else
that could assist me in avoiding scrutiny.

On Thu, Jun 14, 2012 at 3:48 AM, Stephanie Daugherty
sdaughe...@gmail.com wrote:

 On Thu, Jun 14, 2012 at 3:36 AM, David Richfield
 davidrichfi...@gmail.com wrote:

  So User:mfgaowener should get an automated mail saying because you
  did a pagemove with edit summary Haers! you were checkusered.
  Please be more subtle in your vandalism next time.
 
  I trust the current checks and balances, and I don't think the system
  is getting significant levels of abuse.
 
  +1 on this. The methods that checkusers have are heavily constrained as it
 is by privacy concerns, and they are very fragile. They only work
 effectively within the tight privacy restrictions with a certain amount of
 security through obscurity. For one, a checkuser needs to be able to
 monitor a situation sometimes to be sure that they are casting a wide
 enough net for a block to be effective. For another, the standard of
 reasonable suspicion placed on the checkuser tool is high enough that with
 enough practice, vandals would learn to be careful to never justify a
 checkuser request within the privacy guidelines.

 We're between a rock and a hard place, because to give the transparency
 being asked for, we'd enter an arms race where we'd quickly have to relax
 the checkuser standards to the point where it becomes anything goes so
 long as you don't disclose it.

 -Stephanie


Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread David Gerard
On 14 June 2012 20:36, Andrew Gray andrew.g...@dunelm.org.uk wrote:

 Least surprise is one way to try and get around this problem of not
 relying on the community's own judgement in all edge cases; I'm not
 sure it's the best one, but I'm not sure leaving it out is any better.


The present usage (to mean you disagree with our editorial judgement
therefore you must be a juvenile troll) is significantly worse.


- d.



Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Nathan
On Thu, Jun 14, 2012 at 4:07 PM, John phoenixoverr...@gmail.com wrote:

 I am not asking for full disclosure; what I am asking is that established
 users have the right to be notified when and why they are being checkusered.
 The evidence checkusers get does not need to be disclosed. It's as simple as:

  X performed a checkuser on you because Y at Z UTC

 that provides clarity and openness while keeping the information checkusers
 use confidential. A note like that would provide vandals with very little
 information. And the second step of defining a threshold would eliminate
 most of the vandal checks.

 To me this screams of let's keep oversight of checkuser to a minimum. Right
 now there is the ombudsman committee globally (to ask for review from them
 we need evidence, realistically only other checkusers can provide that)
 and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
 members (be de facto are granted CU), former arbcom, or former CU. To me
 that really reeks of lack of independent oversight. Notifying an
 established user that they are subject to a CU doesn't harm the CU's ability
 to do their job unless they themselves have something to hide. It's not like
 I am asking for CU's to release IP addresses/user-agents or anything else
 that could assist me in avoiding scrutiny.


Don't even need to go that far - just say A checkuser viewed the
information stored by the web server about you, this information may
include [[xyz list of informations]].


Re: [Wikimedia-l] Who invoked principle of least surprise for the image filter?

2012-06-14 Thread Risker
On 14 June 2012 16:19, David Gerard dger...@gmail.com wrote:

 On 14 June 2012 20:36, Andrew Gray andrew.g...@dunelm.org.uk wrote:

  Least surprise is one way to try and get around this problem of not
  relying on the community's own judgement in all edge cases; I'm not
  sure it's the best one, but I'm not sure leaving it out is any better.


 The present usage (to mean you disagree with our editorial judgement
 therefore you must be a juvenile troll) is significantly worse.



I'm not entirely certain that you've got the usage case correct, David.
An example would be that one should not be surprised/astonished to see an
image including nudity on the article [[World Naked Gardening Day]], but
the same image would be surprising on the article [[Gardening]].

The Commons parallel would be that an image depicting nude gardening would
be appropriately categorized as [[Cat:Nude gardening]], but would be poorly
categorized as [[Cat:Gardening]].  One expects to see a human and gardening
but not nudity in the latter, and humans, gardening, *and* nudity in the
former.

Now, in fairness, we all know that trolling with images has been a regular
occurrence on many projects for years, much of it very obviously trolling,
but edge cases can be more difficult to determine.  Thus, the more neutral
principle of least astonishment (would an average reader be surprised to
see this image on this article?/in this category?) comes into play. I'd
suggest that the principle of least astonishment is an effort to assume
good faith.

Risker


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Risker
On 14 June 2012 16:36, Nathan nawr...@gmail.com wrote:

 On Thu, Jun 14, 2012 at 4:07 PM, John phoenixoverr...@gmail.com wrote:

  I am not asking for full disclosure; what I am asking is that established
  users have the right to be notified when and why they are being checkusered.
  The evidence checkusers get does not need to be disclosed. It's as simple as:

   X performed a checkuser on you because Y at Z UTC

  that provides clarity and openness while keeping the information checkusers
  use confidential. A note like that would provide vandals with very little
  information. And the second step of defining a threshold would eliminate
  most of the vandal checks.

  To me this screams of let's keep oversight of checkuser to a minimum. Right
  now there is the ombudsman committee globally (to ask for review from them
  we need evidence, realistically only other checkusers can provide that)
  and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
  members (be de facto are granted CU), former arbcom, or former CU. To me
  that really reeks of lack of independent oversight. Notifying an
  established user that they are subject to a CU doesn't harm the CU's ability
  to do their job unless they themselves have something to hide. It's not like
  I am asking for CU's to release IP addresses/user-agents or anything else
  that could assist me in avoiding scrutiny.
 

 Don't even need to go that far - just say A checkuser viewed the
 information stored by the web server about you, this information may
 include [[xyz list of informations]].



I do see where folks are coming from. To the best of my knowledge, for the
past few years on English Wikipedia anyone who has asked the Audit
Subcommittee if they have been checked has been told the correct response,
and I think this is a good thing.

On the other hand, what's being proposed here is essentially providing
sockpuppeters or otherwise disruptive users (such as those under certain
types of sanctions) a how-to guide so they can avoid detection in the
future.

Risker


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Nathan
On Thu, Jun 14, 2012 at 4:52 PM, Risker risker...@gmail.com wrote:


 I do see where folks are coming from. To the best of my knowledge, for the
 past few years on English Wikipedia anyone who has asked the Audit
 Subcommittee if they have been checked has been told the correct response,
 and I think this is a good thing.

 On the other hand, what's being proposed here is essentially providing
 sockpuppeters or otherwise disruptive users (such as those under certain
 types of sanctions) a how-to guide so they can avoid detection in the
 future.

 Risker


Can you explain how this is so? I did a fair amount of work at SPI as a
clerk, and I'm not sure I understand how the mere fact that a check was
performed is giving sockpuppeters a roadmap for how to avoid detection. If
you mean they could test the CU net by running a bunch of socks on
different strategies to see which get checked and which don't, that seems
like a lot of work that a vanishingly small number of abusers would
attempt... and also basically the same information as they would receive
when those sock accounts are ultimately blocked or not blocked per CU.

~Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread En Pine


I do see where folks are coming from. To the best of my knowledge, for the
past few years on English Wikipedia anyone who has asked the Audit
Subcommittee if they have been checked has been told the correct response,
and I think this is a good thing.

On the other hand, what's being proposed here is essentially providing
sockpuppeters or otherwise disruptive users (such as those under certain
types of sanctions) a how-to guide so they can avoid detection in the
future.

Risker



I'm inclined to agree with Risker here. Telling someone that a CU has been 
performed on their account, at the time that a CU is performed, might alert 
a disruptive user that some part of their recent activity has triggered the 
attention of SPI. This information could be used to the advantage of the 
disruptive user.


If someone believes that CU may have been used improperly, various groups 
can investigate the use of CU.


John, you said in your original email, See the Rich Farmbrough ArbCom case 
where I suspect obvious fishing, where the CU'ed user was requesting 
information and the CU claimed it would be a violation of the privacy policy 
to release the time/reason/performer of the checkuser. Can you provide a 
link to the relevant diffs? I would be interested in reading the diffs to 
get a fuller understanding of what was said, particularly regarding the 
Wikimedia-wide Privacy Policy.


Thanks,

Pine 





[Wikimedia-l] donate.wikimedia.org.uk has an SSL error

2012-06-14 Thread Tom Morris
If you go to http://donate.wikimedia.org.uk/ you can donate… insecurely.  

If you go to https://donate.wikimedia.org.uk/ you can donate… but you get an 
SSL certificate error.

This seems like a problem.  

--  
Tom Morris
http://tommorris.org/





Re: [Wikimedia-l] donate.wikimedia.org.uk has an SSL error

2012-06-14 Thread Tom Morris
I do apologise. I meant to send this to Wikimediauk-l rather than Wikimedia-l. 

-- 
Tom Morris
http://tommorris.org/





Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Dominic McDevitt-Parks
I think the idea that making the log of checks public will be a service 
to those subject to CheckUser is misguided. One of the best reasons for 
keeping the logs private is not security through obscurity but the 
prevention of unwarranted stigma and drama. Most checks (which aren't 
just scanning a vandal or persistent sockpuppeteer's IP for other 
accounts) are performed because there is some amount of uncertainty. Not 
all checks are positive, and a negative result doesn't necessarily mean 
the check was unwarranted. I think those who have been checked without a 
public request deserve not to have suspicion cast on them by public logs 
if the check did not produce evidence of guilt. At the same time, 
because even justified checks will often upset the subject, the 
CheckUser deserves to be able to act on valid suspicions without fear of 
retaliation. The community doesn't need the discord that a public log 
would generate. That's not to say that there should be no oversight, but 
that a public log is not the way to do it.


Dominic

On 6/14/12 6:34 PM, En Pine wrote:

Nathan, I’d like to respond to all three of your recent comments.


Can you explain how this is so? I did a fair amount of work at SPI as a
clerk, and I'm not sure I understand how the mere fact that a check was
performed is giving sockpuppeters a roadmap for how to avoid detection. If
you mean they could test the CU net by running a bunch of socks on
different strategies to see which get checked and which don't, that seems
like a lot of work that a vanishingly small number of abusers would
attempt... and also basically the same information as they would receive
when those sock accounts are ultimately blocked or not blocked per CU.

~Nathan

I think you might be amazed at the persistence and sophistication of some
individuals. I personally haven’t dealt with them much on-wiki, but I’ve 
certainly seen them on IRC.


Here are some problems with that rationale:

1) If a sock confirmation results from a CU check, the person is blocked,
which is a pretty big tip off all its own. If a case is filed at SPI, then
tons of evidence is submitted, then a CU check is performed in public, then
a block is or is not imposed. That whole process is a pretty big tip off
too, but we haven't shut it down for providing a road map to abusers.


You are correct that the start of the CU case is public at the time of filing 
at WP:SPI. The identity of the CU is also public when it is run for those filed 
cases. I believe that what we are discussing in this thread are instances of the CU
tool being used, or data from the tool being used and shared among 
functionaries who are permitted access to private data, when that use or 
sharing is not made publicly known at WP:SPI. I am not a Checkuser but perhaps 
someone who is a Checkuser can give some examples of situations when this 
happens. I personally know of at least two scenarios.


2) You can't dispute the use of CU on your information if you don't know
that it was used. It's kind of like secret wiretapping with a FISA warrant;
if you never know you've been wiretapped, how are you supposed to challenge
it or know whether it was used improperly? As for various groups can
investigate, to some extent that's true. Most of them are checkusers,
however, and they still tend not to disclose all relevant information. I'm
not saying that any CU is doing anything improper or that it's likely, but
such allegations have been made in the past, and it seems like a pretty cut
and dried case of people having a right to know how their own information
is being used. If Wikimedia were based in Europe, it would most likely be
required by law.

Nathan

When you use Wikipedia, information about what you do is logged. The same is 
true for other websites. In most cases on the internet in general, it’s 
impossible for the average user to know if their information has been used or 
disclosed in a way that is contrary to the site’s privacy policy. Sometimes 
misuse or preventable, improper disclosure of private data is made publicly 
known, as has happened with many online services being hacked for credit card 
or password information. The reality on the internet is that generally the 
information you provide can’t be guaranteed to remain private and secure. It is 
true that there can be abuses of investigative tools like CU, search warrants, 
and almost anything else. The best that can be done is to take reasonable 
precautions and to be careful about what you disclose in the first place, for 
the people who are trusted with special investigative tools to be honest and 
competent, to have sufficient “separation of powers” to help as much as 
possible to verify that the investigators are honest and competent, and for 
there to be penalties for investigators who misuse their authority. Regarding 
the investigative use of private information, as I think others have said also, 
sometimes there may be a good reason to keep an active 

Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Birgitte_sb
No, that is not a fair characterization. Risker explained that these things are
handled by each project, not to hide her true intentions toward your campaign, but
because it is the way things are.  And it is not at all particular to CU
issues. What really reeks of obfuscation is using words and phrasing that 
requires native level English skills to campaign for a policy that you wish to 
impose on the Tosk Albanian, and all other, projects.

Self-governing communities work for the most part.  Which is more than can be 
said about the alternatives, and there are ghost wikis all over the Internet to 
prove the point.

BirgitteSB


On Jun 13, 2012, at 8:30 PM, John phoenixoverr...@gmail.com wrote:

 Risker's comment was basically let's not set a global accountability and
 ability to get CU related logs of ourselves on a global level, instead take
 it to each project and fight it out there. To me that reeks of obfuscation.
 Realistically this should be a global policy, just like our privacy policy
 is. Why shouldn't users know when they have been checkusered and why?
 
 On Wed, Jun 13, 2012 at 9:24 PM, Philippe Beaudette, Wikimedia Foundation 
 pbeaude...@wikimedia.org wrote:
 
 I dunno, John, you almost had me convinced until that email. I saw in that
 mail a reasonable comment from Risker based on long time precedent.
 
 As you may know, there are a number of checks and balances in place.
 First, the CUs watch each other. With a broad group, you can be assured
 they don't all always agree and there is healthy debate and dialogue.
 Second, enwp has an audit subcommittee that routinely audits the logs with
 a fine toothed comb.  They are NOT all previous checkusers, to avoid the
 sort of groupthink that appears to concern you. Then, the WMF has an
 ombudsman commission, which also may audit with commission from the Board.
 Those people take their role very seriously. And last, anyone with genuine
 privacy concerns can contact the WMF:  me, Maggie, anyone in the legal or
 community advocacy department.
 
 Is it an iron clad assurance of no misbehavior?  Probably not, and we will
 continue to get better at it: but I will say that in 3 years of being
 pretty closely involved with that team, I'm impressed with how much they
 err on the side of protection of privacy. I have a window into their world,
 and they have my respect.
 
 Best, PB
 ---
 Philippe Beaudette
 Director, Community Advocacy
 Wikimedia Foundation, Inc
 
 
 Sent from my Verizon Wireless BlackBerry
 
 -Original Message-
 From: John phoenixoverr...@gmail.com
 Sender: wikimedia-l-boun...@lists.wikimedia.org
 Date: Wed, 13 Jun 2012 21:17:09
 To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
 Reply-To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
 Subject: Re: [Wikimedia-l] CheckUser openness
 
 Yet another attempt from a checkuser to make monitoring their actions and
 ensuring our privacy more difficult.
 
 On Wed, Jun 13, 2012 at 9:10 PM, Risker risker...@gmail.com wrote:
 
 Each project has its own standards and thresholds for when checkusers may
 be done, provided that they are within the limits of the privacy policy.
 These standards vary widely.  So, the correct place to discuss this is on
 each project.
 
 Risker
 
 On 13 June 2012 21:02, Thomas Dalton thomas.dal...@gmail.com wrote:
 
 Why shouldn't spambots and vandals be notified? Just have the software
 automatically email anyone that is CUed. Then the threshold is simply
 whether you have an email address attached to your account or not.
 
 This seems like a good idea. People have a right to know what is being done
 with their data.
 On Jun 14, 2012 12:35 AM, Risker risker...@gmail.com wrote:
 
 On 13 June 2012 19:18, John phoenixoverr...@gmail.com wrote:
 
 This is something that has been bugging me for a while. When a user has
 been checkusered they should at least be notified of who performed it and
 why it was performed. I know this is not viable for every single CU action
 as many are for anons. But for those users who have been around for a
 period, (say autoconfirmed) they should be notified when they are CU'ed and
 any user should be able to request the CU logs pertaining to themselves
 (who CU'ed them, when, and why) at will. I have seen CU's refuse to provide
 information to the accused.
 
 See the Rich Farmbrough ArbCom case where I suspect obvious fishing, where
 the CU'ed user was requesting information and the CU claimed it would be a
 violation of the privacy policy to release the time/reason/performer of the
 checkuser.
 
 This screams of obfuscation and the hiding of information. I know the
 ombudsman committee exists as a check and balance, however before something
 can be passed to them evidence of inappropriate action is needed. Ergo
 Catch-22
 
 I know checkusers keep a private wiki
 https://checkuser.wikimedia.org/wiki/Main_Page and I know according to our
 privacy policy we are supposed to purge our

Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Dominic McDevitt-Parks
I think the idea that making the log of checks public will necessarily 
be a service to those subject to CheckUser is misguided. One of the best 
reasons for keeping the logs private is not security through obscurity 
but the prevention of unwarranted stigma and drama. Most checks (which 
aren't just scanning a vandal or persistent sockpuppeteer's IP for other 
accounts) are performed because there is some amount of uncertainty. Not 
all checks are positive, and a negative result doesn't necessarily mean 
the check was unwarranted. I think those who have been checked without a 
public request deserve not to have suspicion cast on them by public logs 
if the check did not produce evidence of guilt. At the same time, 
because even justified checks will often upset the subject, the 
CheckUser deserves to be able to act on valid suspicions without fear of 
retaliation. The community doesn't need the discord that a public log 
would generate. That's not to say that there should be no oversight, but 
that a public log is not the way to do it.


Dominic

On 6/14/12 6:34 PM, En Pine wrote:

Nathan, I’d like to respond to all three of your recent comments.


Can you explain how this is so? I did a fair amount of work at SPI as a
clerk, and I'm not sure I understand how the mere fact that a check was
performed is giving sockpuppeters a roadmap for how to avoid detection. If
you mean they could test the CU net by running a bunch of socks on
different strategies to see which get checked and which don't, that seems
like a lot of work that a vanishingly small number of abusers would
attempt... and also basically the same information as they would receive
when those sock accounts are ultimately blocked or not blocked per CU.

~Nathan

I think you might be amazed at the persistence and sophistication of some
individuals. I personally haven’t dealt with them much on-wiki, but I’ve 
certainly seen them on IRC.


Here are some problems with that rationale:

1) If a sock confirmation results from a CU check, the person is blocked,
which is a pretty big tip off all its own. If a case is filed at SPI, then
tons of evidence is submitted, then a CU check is performed in public, then
a block is or is not imposed. That whole process is a pretty big tip off
too, but we haven't shut it down for providing a road map to abusers.


You are correct that the start of the CU case is public at the time of filing 
at WP:SPI. The identity of the CU is also public when it is run for those filed 
cases. I believe that what we are discussing in this thread are instances of the CU
tool being used, or data from the tool being used and shared among 
functionaries who are permitted access to private data, when that use or 
sharing is not made publicly known at WP:SPI. I am not a Checkuser but perhaps 
someone who is a Checkuser can give some examples of situations when this 
happens. I personally know of at least two scenarios.


2) You can't dispute the use of CU on your information if you don't know
that it was used. It's kind of like secret wiretapping with a FISA warrant;
if you never know you've been wiretapped, how are you supposed to challenge
it or know whether it was used improperly? As for various groups can
investigate, to some extent that's true. Most of them are checkusers,
however, and they still tend not to disclose all relevant information. I'm
not saying that any CU is doing anything improper or that it's likely, but
such allegations have been made in the past, and it seems like a pretty cut
and dried case of people having a right to know how their own information
is being used. If Wikimedia were based in Europe, it would most likely be
required by law.

Nathan

When you use Wikipedia, information about what you do is logged. The same is 
true for other websites. In most cases on the internet in general, it’s 
impossible for the average user to know if their information has been used or 
disclosed in a way that is contrary to the site’s privacy policy. Sometimes 
misuse or preventable, improper disclosure of private data is made publicly 
known, as has happened with many online services being hacked for credit card 
or password information. The reality on the internet is that generally the 
information you provide can’t be guaranteed to remain private and secure. It is 
true that there can be abuses of investigative tools like CU, search warrants, 
and almost anything else. The best that can be done is to take reasonable 
precautions and to be careful about what you disclose in the first place, for 
the people who are trusted with special investigative tools to be honest and 
competent, to have sufficient “separation of powers” to help as much as 
possible to verify that the investigators are honest and competent, and for 
there to be penalties for investigators who misuse their authority. Regarding 
the investigative use of private information, as I think others have said also, 
sometimes there may be a good reason to keep an 

Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Nathan
On Thu, Jun 14, 2012 at 8:06 PM, Dominic McDevitt-Parks
mcdev...@gmail.com wrote:

 I think the idea that making the log of checks public will necessarily be
 a service to those subject to CheckUser is misguided. One of the best
 reasons for keeping the logs private is not security through obscurity but
 the prevention of unwarranted stigma and drama. Most checks (which aren't
 just scanning a vandal or persistent sockpuppeteer's IP for other accounts)
 are performed because there is some amount of uncertainty. Not all checks
 are positive, and a negative result doesn't necessarily mean the check was
 unwarranted. I think those who have been checked without a public request
 deserve not to have suspicion cast on them by public logs if the check did
 not produce evidence of guilt. At the same time, because even justified
 checks will often upset the subject, the CheckUser deserves to be able to
 act on valid suspicions without fear of retaliation. The community doesn't
 need the discord that a public log would generate. That's not to say that
 there should be no oversight, but that a public log is not the way to do it.


 Dominic


The threat of stigma can be ameliorated by not making the logs public,
which was never suggested. A simple system notification of "The data you
provide to the Wikimedia web servers has been checked by a checkuser on
this project, see [[wp:checkuser]] for more information" would be enough.

En Pine's reply to my queries seems calibrated for someone who is
unfamiliar with SPI and checkuser work. I'm not - in fact I worked as a
clerk with checkusers at SPI for a long time and am quite familiar with the
process and its limitations. I know what's disclosed, approximately how
frequently checks are run, the general proportion of checks that are public
vs. all checks, etc. I still am not clear on how disclosing the fact of a
check helps socks avoid detection, and I still believe that it's worthwhile
for a transparent organization like Wikimedia to alert users when their
private information (information that is, as Risker has mentioned,
potentially personally identifying) has been disclosed to another
volunteer.

Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread David Goodman
The request--at least the original request here-- was not that they be
made public. The request was that they be disclosed to the person
being checkusered. There is thus no stigmatization or drama.  That it
might upset the subject to tell him the truth is paternalism.

On Thu, Jun 14, 2012 at 8:06 PM, Dominic McDevitt-Parks
mcdev...@gmail.com wrote:
 I think the idea that making the log of checks public will necessarily be a
 service to those subject to CheckUser is misguided. One of the best reasons
 for keeping the logs private is not security through obscurity but the
 prevention of unwarranted stigma and drama. Most checks (which aren't just
 scanning a vandal or persistent sockpuppeteer's IP for other accounts) are
 performed because there is some amount of uncertainty. Not all checks are
 positive, and a negative result doesn't necessarily mean the check was
 unwarranted. I think those who have been checked without a public request
 deserve not to have suspicion cast on them by public logs if the check did
 not produce evidence of guilt. At the same time, because even justified
 checks will often upset the subject, the CheckUser deserves to be able to
 act on valid suspicions without fear of retaliation. The community doesn't
 need the discord that a public log would generate. That's not to say that
 there should be no oversight, but that a public log is not the way to do it.


 Dominic

 On 6/14/12 6:34 PM, En Pine wrote:

 Nathan, I’d like to respond to all three of your recent comments.

 Can you explain how this is so? I did a fair amount of work at SPI as a
 clerk, and I'm not sure I understand how the mere fact that a check was
 performed is giving sockpuppeters a roadmap for how to avoid detection. If
 you mean they could test the CU net by running a bunch of socks on
 different strategies to see which get checked and which don't, that seems
 like a lot of work that a vanishingly small number of abusers would
 attempt... and also basically the same information as they would receive
 when those sock accounts are ultimately blocked or not blocked per CU.

 ~Nathan

 I think you might be amazed at the persistence and sophistication of
 some individuals. I personally haven’t dealt with them much on-wiki, but
 I’ve certainly seen them on IRC.

 Here are some problems with that rationale:

 1) If a sock confirmation results from a CU check, the person is blocked,
 which is a pretty big tip off all its own. If a case is filed at SPI, then
 tons of evidence is submitted, then a CU check is performed in public, then
 a block is or is not imposed. That whole process is a pretty big tip off
 too, but we haven't shut it down for providing a road map to abusers.

 You are correct that the start of the CU case is public at the time of
 filing at WP:SPI. The identity of the CU is also public when it is run for
 those filed cases. I believe that what we are discussing in this thread are
 instances of the CU tool being used, or data from the tool being used and
 shared among functionaries who are permitted access to private data, when
 that use or sharing is not made publicly known at WP:SPI. I am not a
 Checkuser but perhaps someone who is a Checkuser can give some examples of
 situations when this happens. I personally know of at least two scenarios.

 2) You can't dispute the use of CU on your information if you don't know
 that it was used. It's kind of like secret wiretapping with a FISA warrant;
 if you never know you've been wiretapped, how are you supposed to challenge
 it or know whether it was used improperly? As for various groups can
 investigate, to some extent that's true. Most of them are checkusers,
 however, and they still tend not to disclose all relevant information. I'm
 not saying that any CU is doing anything improper or that it's likely, but
 such allegations have been made in the past, and it seems like a pretty cut
 and dried case of people having a right to know how their own information
 is being used. If Wikimedia were based in Europe, it would most likely be
 required by law.

 Nathan

 When you use Wikipedia, information about what you do is logged. The same
 is true for other websites. In most cases on the internet in general, it’s
 impossible for the average user to know if their information has been used
 or disclosed in a way that is contrary to the site’s privacy policy.
 Sometimes misuse or preventable, improper disclosure of private data is made
 publicly known, as has happened with many online services being hacked for
 credit card or password information. The reality on the internet is that
 generally the information you provide can’t be guaranteed to remain private
 and secure. It is true that there can be abuses of investigative tools like
 CU, search warrants, and almost anything else. The best that can be done is
 to take reasonable precautions and to be careful about what you disclose in
 the first place, for the people who are trusted with special