Re: [Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention
Hi George - I can tell you that I was in the room as this was being discussed today. I'm fairly sure that Michelle is going to be following up on this question shortly. It wasn't being ignored - we are just in that territory where lawyers like to be certain that when they answer clarifying queries like yours, they aren't accidentally muddying the waters further. More soon. pb — Philippe Beaudette Director, Community Advocacy Wikimedia Foundation, Inc On Oct 25, 2013, at 9:19 PM, George Herbert george.herb...@gmail.com wrote: Again I ask: Can the WMF either publicly or privately provide enough detailed assurance as to the digital medium storage plan for these IDs? This is or should be a no-go for requiring IDs (or at least allowing them to be transferred that way). I would be happy to contribute a free independent security audit to a plan, if there is a detailed plan to audit. And do so under confidentiality agreement if you need that, as long as you let me share a non-exploitable summary with the community... On Wed, Oct 23, 2013 at 4:21 PM, George Herbert george.herb...@gmail.comwrote: Going back to the 2011 discussions on otrs lists, a flag was raised that challenged whether the WMF had sufficiently secure servers to host copies of ID documents that might be electronically submitted, including sufficient firewalling and/or airgapping, internal access controls, etc. My impression was that once that was raised as a detailed concern, the push died off rapidly, but I may be misremembering. Let me now ask - Can the WMF either publicly or privately (I live in the SF Bay Area and can come over and talk) provide enough detailed assurance as to the digital medium storage plan for these IDs? This is enough data for someone to do an identity theft with. The physical handling is relatively easy to ensure is proper (locked cabinet or the like requires a physical office intrusion). The electronic... On Wed, Oct 23, 2013 at 4:15 PM, Rschen7754 rschen7754.w...@gmail.comwrote: Speaking for myself, I have no problems with the overall idea, and I doubt that a lot of the others who have signed the petition do either. The problem is in the details of how it is implemented, and that appropriate safeguards are not written into place to protect the privacy and legal rights of those who (re)identify. I know some European users have raised concerns about how the overall policy does not work for them and/or would cause them to break the law. I don't believe that they should have to stand alone. Thanks, Rschen7754 rschen7754.w...@gmail.com On Oct 23, 2013, at 4:07 PM, Marc A. Pelletier m...@uberbox.org wrote: On 10/23/2013 07:01 PM, Newyorkbrad wrote: (I myself can think of one and only one, but am curious if there are others.) I can also think of exactly one off the cuff (and it is almost certainly the same); but I can think of a couple of scenarios where the dissuasive effect alone might have made a difference. But my understanding is that this is prompted by a more serious focus on accountability than over any particular incident. -- Marc ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe -- -george william herbert george.herb...@gmail.com -- -george william herbert george.herb...@gmail.com ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
Re: [Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention
Ok. As long as it wasn't missed, in all the other topics. Thanks, I will be patient. On Fri, Oct 25, 2013 at 11:10 PM, Philippe Beaudette pbeaude...@wikimedia.org wrote: Hi George - I can tell you that I was in the room as this was being discussed today. I'm fairly sure that Michelle is going to be following up on this question shortly. It wasn't being ignored - we are just in that territory where lawyers like to be certain that when they answer clarifying queries like yours, they aren't accidentally muddying the waters further. More soon. pb — Philippe Beaudette Director, Community Advocacy Wikimedia Foundation, Inc On Oct 25, 2013, at 9:19 PM, George Herbert george.herb...@gmail.com wrote: Again I ask: Can the WMF either publicly or privately provide enough detailed assurance as to the digital medium storage plan for these IDs? This is or should be a no-go for requiring IDs (or at least allowing them to be transferred that way). I would be happy to contribute a free independent security audit to a plan, if there is a detailed plan to audit. And do so under confidentiality agreement if you need that, as long as you let me share a non-exploitable summary with the community... On Wed, Oct 23, 2013 at 4:21 PM, George Herbert george.herb...@gmail.comwrote: Going back to the 2011 discussions on otrs lists, a flag was raised that challenged whether the WMF had sufficiently secure servers to host copies of ID documents that might be electronically submitted, including sufficient firewalling and/or airgapping, internal access controls, etc. My impression was that once that was raised as a detailed concern, the push died off rapidly, but I may be misremembering. Let me now ask - Can the WMF either publicly or privately (I live in the SF Bay Area and can come over and talk) provide enough detailed assurance as to the digital medium storage plan for these IDs? This is enough data for someone to do an identity theft with. The physical handling is relatively easy to ensure is proper (locked cabinet or the like requires a physical office intrusion). The electronic... On Wed, Oct 23, 2013 at 4:15 PM, Rschen7754 rschen7754.w...@gmail.com wrote: Speaking for myself, I have no problems with the overall idea, and I doubt that a lot of the others who have signed the petition do either. The problem is in the details of how it is implemented, and that appropriate safeguards are not written into place to protect the privacy and legal rights of those who (re)identify. I know some European users have raised concerns about how the overall policy does not work for them and/or would cause them to break the law. I don't believe that they should have to stand alone. Thanks, Rschen7754 rschen7754.w...@gmail.com On Oct 23, 2013, at 4:07 PM, Marc A. Pelletier m...@uberbox.org wrote: On 10/23/2013 07:01 PM, Newyorkbrad wrote: (I myself can think of one and only one, but am curious if there are others.) I can also think of exactly one off the cuff (and it is almost certainly the same); but I can think of a couple of scenarios where the dissuasive effect alone might have made a difference. But my understanding is that this is prompted by a more serious focus on accountability than over any particular incident. -- Marc ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l , mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe -- -george william herbert george.herb...@gmail.com -- -george william herbert george.herb...@gmail.com ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe -- -george william herbert george.herb...@gmail.com ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
Re: [Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention
As for I, I have totally given up with the idea of preservation of confidential data when the US are somehow involved (if the NSA is already involved in recording German president phone conversations or French diplomatic department communications, who are we to hope that our every steps can be private anyway ?). My trust in WMF ability to provide security to our private information also dramatically dropped with the password leak a couple of months ago. So what are the risks left ? I see mostly three main ones 1) that a digital version of my passport get in the hands of scammers. We know some of the risks associated to this, one of which being identity theft. Collection of a bunch of private data (name, email, phone number, postal address...) is one thing. Preservation of official identity paper is another. I think that's a non-acceptable risk. 2) that WMF disclose private information about us (OTRS member for example) volunteers to other volunteers, who may not even be identified in the least (as in arbitration committee members). Main risk associated imho would go from mild online bullying to severe irl mishandling. I have very acute memory of this sick person sending me emails threatening my life and the life of my own kids when I was Chair of WMF. I was happy he was in the USA and me in France. I was not happy he knew of my postal address. And I was scared when I met him at the WMF doors irl. Disclosing private information about us to a lawyer or a policeman is one thing. Disclosing private information about us to an unknown wikimedia member not bound by similar rules related to private data is unacceptable. 3) last, that WMF disclose private information about us without having the obligation to inform us it did so. The draft proposes that The Wikimedia Foundation will not share submitted materials with third parties, unless such disclosure is (A) permitted by a non-disclosure agreement approved by the Wikimedia Foundation’s legal department; (B) required by law; (C) needed to protect against immediate threat to life or limb; or (D) needed to protect the rights, property, or safety of the Wikimedia Foundation, its employees, or contractors. This is vague enough that it may happen that our private data is disclosed to about whoever (who will access our private data thanks to this permitted by a non-disclosure agreement approved by the Wikimedia Foundation’s legal department ???), possibly without us knowing. Consequences may be various (being citing in a legal case without even knowning; having personal information disclosed to spammers or scammers; being sued by an unhappy customer after we failed to fix his case on otrs etc.) A good part of benefit of this agreement would be that covered person better feel accountable. I think a fitting balance would be that WMF agree to mandatorily inform ANY covered person WHEN and to WHOM his/her information has been disclosed. Florence On 10/26/13 8:20 AM, George Herbert wrote: Ok. As long as it wasn't missed, in all the other topics. Thanks, I will be patient. On Fri, Oct 25, 2013 at 11:10 PM, Philippe Beaudette pbeaude...@wikimedia.org wrote: Hi George - I can tell you that I was in the room as this was being discussed today. I'm fairly sure that Michelle is going to be following up on this question shortly. It wasn't being ignored - we are just in that territory where lawyers like to be certain that when they answer clarifying queries like yours, they aren't accidentally muddying the waters further. More soon. pb — Philippe Beaudette Director, Community Advocacy Wikimedia Foundation, Inc On Oct 25, 2013, at 9:19 PM, George Herbert george.herb...@gmail.com wrote: Again I ask: Can the WMF either publicly or privately provide enough detailed assurance as to the digital medium storage plan for these IDs? This is or should be a no-go for requiring IDs (or at least allowing them to be transferred that way). I would be happy to contribute a free independent security audit to a plan, if there is a detailed plan to audit. And do so under confidentiality agreement if you need that, as long as you let me share a non-exploitable summary with the community... On Wed, Oct 23, 2013 at 4:21 PM, George Herbert george.herb...@gmail.comwrote: Going back to the 2011 discussions on otrs lists, a flag was raised that challenged whether the WMF had sufficiently secure servers to host copies of ID documents that might be electronically submitted, including sufficient firewalling and/or airgapping, internal access controls, etc. My impression was that once that was raised as a detailed concern, the push died off rapidly, but I may be misremembering. Let me now ask - Can the WMF either publicly or privately (I live in the SF Bay Area and can come over and talk) provide enough detailed assurance as to the digital medium storage plan for these IDs? This is enough data for someone to do an
Re: [Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention
On 10/26/2013 10:00 AM, Florence Devouard wrote: 2) that WMF disclose private information about us (OTRS member for example) volunteers to other volunteers, who may not even be identified in the least (as in arbitration committee members) The members of the English Wikipedia Arbcom, at least, are all identified. -- Marc ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
Re: [Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention
On Sat, Oct 26, 2013 at 10:00 AM, Florence Devouard anthe...@yahoo.comwrote: As for I, I have totally given up with the idea of preservation of confidential data when the US are somehow involved (if the NSA is already involved in recording German president phone conversations or French diplomatic department communications, who are we to hope that our every steps can be private anyway ?). This bit is extraneous and unnecessary because (a) no one is asking the WMF to hide details from the NSA, who let's agree couldn't care less about that bit of data and (b) anything the NSA is capturing in Germany or France was already quite certainly being captured by the governments of Germany and France (or really, both). That said, I agree with your three main points and think the WMF legal team should consider them very strongly as they bring their failed policy proposal back to the drawing board. ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
[Wikimedia-l] MIT Technology Review's The Decline of Wikipedia article
Hi. Readers of this list may be interested in this piece that a colleague sent me earlier this week: http://www.technologyreview.com/node/520446/. There wasn't much new information in the article, but it provides a decent high-level view of some editor engagement issues from the past few years. Somewhat unrelated to the above, I read this piece from a different colleague this past week and I feel compelled to share it as it was incredibly interesting and thought-provoking: http://nybooks.com/articles/archives/2013/nov/07/are-we-puppets-wired-world MZMcBride ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
Re: [Wikimedia-l] New access to non-public information policy, re-ID requirements and data retention
On 10/26/13 5:37 PM, Nathan wrote: On Sat, Oct 26, 2013 at 10:00 AM, Florence Devouard anthe...@yahoo.comwrote: As for I, I have totally given up with the idea of preservation of confidential data when the US are somehow involved (if the NSA is already involved in recording German president phone conversations or French diplomatic department communications, who are we to hope that our every steps can be private anyway ?). This bit is extraneous and unnecessary because (a) no one is asking the WMF to hide details from the NSA, who let's agree couldn't care less about that bit of data and (b) anything the NSA is capturing in Germany or France was already quite certainly being captured by the governments of Germany and France (or really, both). At 45, I am still perhaps very innocent about my gov. But really, I do not think the French gov is recording Ms Merkel. If only because they very likely do not have the tech means to do so ;) Still, I disagree with you that the bit is extraneous. The thing is that most Europeans were really very shocked to read all that stuff about the NSA in the past few months. People are probably more sensitive about their private data than they were a couple of days ago because that was the opportunity for much talk on the general subject in the past few months (which data is recorded, by who, what for and so on). Flo That said, I agree with your three main points and think the WMF legal team should consider them very strongly as they bring their failed policy proposal back to the drawing board. ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
Re: [Wikimedia-l] The Wikipedia Adventure, alpha testers needed
Hey David, Thanks! This is a known bug and I'm fixing it this weekend. If you make an edit, you can see the rest of the game. This is first priority for fixing, though. Thanks again! Jake (Ocaasi) ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
Re: [Wikimedia-l] The Wikipedia Adventure, alpha testers needed
David, I think I just fixed it with the help of Village Pump Tech. Please give it another go. http://enwp.org/WP:TWA Cheers! Jake (Ocaasi) ___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe