Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-29 Thread Marc A. Pelletier
On 06/29/2014 03:19 PM, Pine W wrote:
> If you or someone else can suggest reasonable ways to reach 90% confidence
> that identity documents are genuine and that identification information
> will not be compromised while in transit or while at WMF, then I think it
> makes sense to require identification. But so far I am not convinced that
> we can reach either of those thresholds and it sounds like WMF has reached
> the same conclusion.

I'm not privy to that discussion, but I'd expect that "[...] that does
not unduly exclude valuable volunteers" is also an implicit requirement
of any identification method considered.

Even if you /could/ develop a mechanism by which we had safe and
reliable identification of functionaries, it'd be worthless if most (or
even just many) of the volunteers we had were unable to avail themselves
of it because of social or geographical constraints.

-- Marc


___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 


Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-29 Thread Pine W
Hi Pajz,

The idea that a previously trustworthy functionary or OTRS volunteer might
later go rogue has occurred to me, so let's work with that example for a
moment.

Let's hypothesize that we have a good way (>90% confidence) of verifying
all submitted identity documents and that those documents are retained by
WMF in a way that's highly secure and not likely to be accessible by any
number of governments (>90% confidence). Let's also hypothesize that a
steward has a mental breakdown, gets bribed, develops a personal grudge, or
otherwise becomes compromised. This rogue steward then uses their tools to
discover privacy sensitive information about a handful of other users
before their actions are noticed and stopped. What can WMF do with the
identity document that it has? WMF can take legal action against the rogue
steward, and can blacklist the rogue steward so that they can never again
be a functionary. Both of those sound like good ideas, although the first
might only work if the steward resides in a location which has an effective
law enforcement agency that is willing to cooperate with WMF.

However, it's not clear to me that we can reach 90% confidence about the
authenticity of identification documents, nor is it clear to me that we can
keep identification documents secure from privacy intrusions while they are
in transit and while they are in WMF's custody. I think the latter would be
a big worry for some potential candidates for functionary roles, and it is
imperative that WMF not be perceived as an agency of any government, or an
organization whose neutrality or integrity are compromised.

If you or someone else can suggest reasonable ways to reach 90% confidence
that identity documents are genuine and that identification information
will not be compromised while in transit or while at WMF, then I think it
makes sense to require identification. But so far I am not convinced that
we can reach either of those thresholds and it sounds like WMF has reached
the same conclusion.

Pine



On Sun, Jun 29, 2014 at 7:45 AM, Austin Hair  wrote:

> On Sun, Jun 29, 2014 at 4:18 PM, Trillium Corsage
>  wrote:
> > (I dunno, Chinese military intelligence, with whom arbitrator Timotheus
> Canens is said by some to be associated?)
>
> Seriously?
>
> I think you've gone on long enough for now. You can come off
> moderation when you contribute something to the discussion rather than
> attacking others and, dare I say it, just plain ranting.
>
> Austin


Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-29 Thread Trillium Corsage
Pine,

An analogous argument to the one you're making is: someone who intends to rob 
your home will be able to get in one way or other, so why bother locking the 
doors when you go out. This is not a good argument.

You're calling into question the reliability of every identification document 
copy ever presented to the WMF by an advanced-rights-seeking administrator 
because a really sophisticated wrongdoer (I dunno, Chinese military 
intelligence, with whom arbitrator Timotheus Canens is said by some to be 
associated?) could make a masterful forgery that beats the system. The fact is 
that 95% of them, I'd suppose, are going to be okay and the identification 
requirement is going to be an effective deterrent to at least the casual among 
the bad apples. And of course, once they've truly identified, the personal 
accountability aspects of it are going to keep in line once well-intentioned 
administrators that might be tempted to go bad for some reason. 

"Forging identification documents is not impossible" is another variation of 
the "perfection is not attainable" and "no policy can be a magical solution" 
arguments put forth previously on this mailing list by the WMF's deputy general 
counsel Luis Villa. I've attempted to answer those by explaining that you can 
have a pretty good and effective policy without having an infallible one.

Trillium Corsage 

29.06.2014, 07:32, "Pine W" :
> Trillium,
>
> I am having difficulty understanding how retaining copies of possibly
> forged identification documents helps anyone with holding accountable any
> rogue functionary or OTRS user. Can you explain that please? Surely someone
> who intends to misuse the tools will be smart enough to forge an
> identification document. Even in the United States, forging identification
> documents is not impossible, and the police occasionally catch people
> creating such documents.
>
> Pine
>
> On Fri, Jun 27, 2014 at 7:42 AM, Trillium Corsage 
> wrote:
>>  @Nathan
>>
>>  You said "so if you want to argue that such users should be positively
>>  identified, then please make some practical suggestions (which you have
>>  conspicuously avoided doing so far). How should identities be confirmed? In
>>  what circumstances should the ID information be disclosed, and to whom?
>>  What, fundamentally, is the usefulness in collecting this information to
>>  begin with? What are the use cases in which it is necessary?"
>>
>>  It would be a good faith evaluation of the copy of the identification
>>  document provided. There's no need to be quarrelsome about the practical
>>  suggestions I've "conspicuously avoided." I did at least suggest a secure
>>  filing cabinet and making use of a removable hard-drive. As to the precise
>>  criteria by which an identification document is deemed "good enough," I'd
>>  suppose those would be developed on a good faith basis by the action
>>  officer. Nobody is depending on perfection by that individual. The
>>  principle would be that the document appears genuine, has the minimum
>>  elements settled on by the policy (name, age, address, possibly other
>>  elements). If the document is in a foreign language, say Swahili, and the
>>  WMF person can't read that, I would think it would be a "do the best you
>>  can" and file it by respective Wikipedia and username. None of these are
>>  insurmountable obstacles. The answer to "this is hard" is not "well, let's
>>  just stop doing it." The answer is "this is important, let's just do the
>>  best we can."
>>
>>  I have called for a basic examination of the document, not any
>>  verification process. I'd suppose if the document looked suspect in some
>>  way, then a telephone call or follow-up could be done, and that would be a
>>  "verification," but I would expect that to be the exception, not the rule.
>>  Again, these details would be settled by the hands-on person, not by me
>>  attempting to write a ten-page standard operating procedure while Nathan
>>  zings me with "what are your specifics" on the mailing list.
>>
>>  "What is the usefulness in collecting this information to begin with?"
>>  Well, I thought the premise here was obvious. It was obvious enough to
>>  those that crafted the previous policy in the first place. It establishes
>>  some level of accountability to those individuals accorded access to the
>>  personally-identifying information of editors. Personal accountability
>>  encourages acting with self-control and restraint. With apologies to the
>>  other person that responded, anonymity encourages a care-free and
>>  unrestricted handling of that data, and in fact to some of these people it
>>  indeed yields a MMORPG (multimedia online roleplaying game) environment,
>>  and they will do whatever they want, because they are free from
>>  accountability.
>>
>>  The other key aspect of usefulness is to the rank and file editors. They
>>  will feel better knowing that if some creepazoid or cyberbully starts going
>>  over their IPs, an

Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-29 Thread Austin Hair
On Sun, Jun 29, 2014 at 4:18 PM, Trillium Corsage
 wrote:
> (I dunno, Chinese military intelligence, with whom arbitrator Timotheus 
> Canens is said by some to be associated?)

Seriously?

I think you've gone on long enough for now. You can come off
moderation when you contribute something to the discussion rather than
attacking others and, dare I say it, just plain ranting.

Austin



Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-29 Thread Risker
Okay, that's enough, Trillium.  You've now made a personal attack against
an identifiable individual based on gossip and rumour.

Stop.

Risker


On 29 June 2014 10:18, Trillium Corsage  wrote:

> Pine,
>
> An analogous argument to the one you're making is: someone who intends to
> rob your home will be able to get in one way or other, so why bother
> locking the doors when you go out. This is not a good argument.
>
> You're calling into question the reliability of every identification
> document copy ever presented to the WMF by an advanced-rights-seeking
> administrator because a really sophisticated wrongdoer (I dunno, Chinese
> military intelligence, with whom arbitrator Timotheus Canens is said by
> some to be associated?) could make a masterful forgery that beats the
> system. The fact is that 95% of them, I'd suppose, are going to be okay and
> the identification requirement is going to be an effective deterrent to at
> least the casual among the bad apples. And of course, once they've truly
> identified, the personal accountability aspects of it are going to keep in
> line once well-intentioned administrators that might be tempted to go bad
> for some reason.
>
> "Forging identification documents is not impossible" is another variation
> of the "perfection is not attainable" and "no policy can be a magical
> solution" arguments put forth previously on this mailing list by the WMF's
> deputy general counsel Luis Villa. I've attempted to answer those by
> explaining that you can have a pretty good and effective policy without
> having an infallible one.
>
> Trillium Corsage
>
> 29.06.2014, 07:32, "Pine W" :
> > Trillium,
> >
> > I am having difficulty understanding how retaining copies of possibly
> > forged identification documents helps anyone with holding accountable any
> > rogue functionary or OTRS user. Can you explain that please? Surely
> someone
> > who intends to misuse the tools will be smart enough to forge an
> > identification document. Even in the United States, forging
> identification
> > documents is not impossible, and the police occasionally catch people
> > creating such documents.
> >
> > Pine
> >
> > On Fri, Jun 27, 2014 at 7:42 AM, Trillium Corsage <
> trillium2...@yandex.com>
> > wrote:
> >>  @Nathan
> >>
> >>  You said "so if you want to argue that such users should be positively
> >>  identified, then please make some practical suggestions (which you have
> >>  conspicuously avoided doing so far). How should identities be
> confirmed? In
> >>  what circumstances should the ID information be disclosed, and to whom?
> >>  What, fundamentally, is the usefulness in collecting this information
> to
> >>  begin with? What are the use cases in which it is necessary?"
> >>
> >>  It would be a good faith evaluation of the copy of the identification
> >>  document provided. There's no need to be quarrelsome about the
> practical
> >>  suggestions I've "conspicuously avoided." I did at least suggest a
> secure
> >>  filing cabinet and making use of a removable hard-drive. As to the
> precise
> >>  criteria by which an identification document is deemed "good enough,"
> I'd
> >>  suppose those would be developed on a good faith basis by the action
> >>  officer. Nobody is depending on perfection by that individual. The
> >>  principle would be that the document appears genuine, has the minimum
> >>  elements settled on by the policy (name, age, address, possibly other
> >>  elements). If the document is in a foreign language, say Swahili, and
> the
> >>  WMF person can't read that, I would think it would be a "do the best
> you
> >>  can" and file it by respective Wikipedia and username. None of these
> are
> >>  insurmountable obstacles. The answer to "this is hard" is not "well,
> let's
> >>  just stop doing it." The answer is "this is important, let's just do
> the
> >>  best we can."
> >>
> >>  I have called for a basic examination of the document, not any
> >>  verification process. I'd suppose if the document looked suspect in
> some
> >>  way, then a telephone call or follow-up could be done, and that would
> be a
> >>  "verification," but I would expect that to be the exception, not the
> rule.
> >>  Again, these details would be settled by the hands-on person, not by me
> >>  attempting to write a ten-page standard operating procedure while
> Nathan
> >>  zings me with "what are your specifics" on the mailing list.
> >>
> >>  "What is the usefulness in collecting this information to begin with?"
> >>  Well, I thought the premise here was obvious. It was obvious enough to
> >>  those that crafted the previous policy in the first place. It
> establishes
> >>  some level of accountability to those individuals accorded access to
> the
> >>  personally-identifying information of editors. Personal accountability
> >>  encourages acting with self-control and restraint. With apologies to
> the
> >>  other person that responded, anonymity encourages a care-free and
> >>  unrestricted h

Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-29 Thread pajz
Trillium, while I sympathise with several of the points you're making, the
Board has approved the current version of the policy. In light of this,
your insinuation that the Executive Director could simply alter the policy
to her liking seems somewhat far-fetched. Just because staff have not yet
implemented the new version doesn't mean they can just make it disappear.

Nathan, several suggestions have been made how identities can be confirmed.
The proponents of the now-enacted laissez-faire policy continuously suggest
that the Foundation would have had to reinvent the wheel here. However, all
sorts of organizations need to confirm the identity of individuals. Just
look at how banks do it. In Switzerland, you can make a copy of your ID and
have it certified by your post office, then mail it to the WMF along with
your signed confidentiality agreement. In Germany, companies use the
"PostIdent" process which the WMF can use as well (Austria has something
similar), or you go to a bank and have your signature certified. Canada
Post provides a verification service, etc. And what if there are countries
where no such process is available? What's the issue? These users can still
just copy their passports or IDs. The policy still makes sense if we can't
really be certain of the identity of some volunteers, and this could be
reviewed on a case-by-case basis. It's not like we're talking about an
inordinate amount of people here.

Pine, even if we were merely talking about retaining copies of IDs, the
argument misses that there is not only the potential case of volunteers who
intend to misuse the tools already at the time they are given access. Based
on experience from Wikipedia, the much more likely scenario seems to be
that users are indeed valuable community members when they get access but
later become frustrated / change their personality / ... and only then
start to make trouble. If their identity were confirmed at one point, this
would constrain them for all time to come.



On 29 June 2014 08:31, Pine W  wrote:

> Trillium,
>
> I am having difficulty understanding how retaining copies of possibly
> forged identification documents helps anyone with holding accountable any
> rogue functionary or OTRS user. Can you explain that please? Surely someone
> who intends to misuse the tools will be smart enough to forge an
> identification document. Even in the United States, forging identification
> documents is not impossible, and the police occasionally catch people
> creating such documents.
>
> Pine
>
>
> On Fri, Jun 27, 2014 at 7:42 AM, Trillium Corsage  >
> wrote:
>
> > @Nathan
> >
> > You said "so if you want to argue that such users should be positively
> > identified, then please make some practical suggestions (which you have
> > conspicuously avoided doing so far). How should identities be confirmed?
> In
> > what circumstances should the ID information be disclosed, and to whom?
> > What, fundamentally, is the usefulness in collecting this information to
> > begin with? What are the use cases in which it is necessary?"
> >
> > It would be a good faith evaluation of the copy of the identification
> > document provided. There's no need to be quarrelsome about the practical
> > suggestions I've "conspicuously avoided." I did at least suggest a secure
> > filing cabinet and making use of a removable hard-drive. As to the
> precise
> > criteria by which an identification document is deemed "good enough," I'd
> > suppose those would be developed on a good faith basis by the action
> > officer. Nobody is depending on perfection by that individual. The
> > principle would be that the document appears genuine, has the minimum
> > elements settled on by the policy (name, age, address, possibly other
> > elements). If the document is in a foreign language, say Swahili, and the
> > WMF person can't read that, I would think it would be a "do the best you
> > can" and file it by respective Wikipedia and username. None of these are
> > insurmountable obstacles. The answer to "this is hard" is not "well,
> let's
> > just stop doing it." The answer is "this is important, let's just do the
> > best we can."
> >
> > I have called for a basic examination of the document, not any
> > verification process. I'd suppose if the document looked suspect in some
> > way, then a telephone call or follow-up could be done, and that would be
> a
> > "verification," but I would expect that to be the exception, not the
> rule.
> > Again, these details would be settled by the hands-on person, not by me
> > attempting to write a ten-page standard operating procedure while Nathan
> > zings me with "what are your specifics" on the mailing list.
> >
> > "What is the usefulness in collecting this information to begin with?"
> > Well, I thought the premise here was obvious. It was obvious enough to
> > those that crafted the previous policy in the first place. It establishes
> > some level of accountability to those individuals accorded access to the

Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-28 Thread Pine W
Trillium,

I am having difficulty understanding how retaining copies of possibly
forged identification documents helps anyone with holding accountable any
rogue functionary or OTRS user. Can you explain that please? Surely someone
who intends to misuse the tools will be smart enough to forge an
identification document. Even in the United States, forging identification
documents is not impossible, and the police occasionally catch people
creating such documents.

Pine


On Fri, Jun 27, 2014 at 7:42 AM, Trillium Corsage 
wrote:

> @Nathan
>
> You said "so if you want to argue that such users should be positively
> identified, then please make some practical suggestions (which you have
> conspicuously avoided doing so far). How should identities be confirmed? In
> what circumstances should the ID information be disclosed, and to whom?
> What, fundamentally, is the usefulness in collecting this information to
> begin with? What are the use cases in which it is necessary?"
>
> It would be a good faith evaluation of the copy of the identification
> document provided. There's no need to be quarrelsome about the practical
> suggestions I've "conspicuously avoided." I did at least suggest a secure
> filing cabinet and making use of a removable hard-drive. As to the precise
> criteria by which an identification document is deemed "good enough," I'd
> suppose those would be developed on a good faith basis by the action
> officer. Nobody is depending on perfection by that individual. The
> principle would be that the document appears genuine, has the minimum
> elements settled on by the policy (name, age, address, possibly other
> elements). If the document is in a foreign language, say Swahili, and the
> WMF person can't read that, I would think it would be a "do the best you
> can" and file it by respective Wikipedia and username. None of these are
> insurmountable obstacles. The answer to "this is hard" is not "well, let's
> just stop doing it." The answer is "this is important, let's just do the
> best we can."
>
> I have called for a basic examination of the document, not any
> verification process. I'd suppose if the document looked suspect in some
> way, then a telephone call or follow-up could be done, and that would be a
> "verification," but I would expect that to be the exception, not the rule.
> Again, these details would be settled by the hands-on person, not by me
> attempting to write a ten-page standard operating procedure while Nathan
> zings me with "what are your specifics" on the mailing list.
>
> "What is the usefulness in collecting this information to begin with?"
> Well, I thought the premise here was obvious. It was obvious enough to
> those that crafted the previous policy in the first place. It establishes
> some level of accountability to those individuals accorded access to the
> personally-identifying information of editors. Personal accountability
> encourages acting with self-control and restraint. With apologies to the
> other person that responded, anonymity encourages a care-free and
> unrestricted handling of that data, and in fact to some of these people it
> indeed yields a MMORPG (multimedia online roleplaying game) environment,
> and they will do whatever they want, because they are free from
> accountability.
>
> The other key aspect of usefulness is to the rank and file editors. They
> will feel better knowing that if some creepazoid or cyberbully starts going
> over their IPs, and of course Googling and otherwise sleuthing for more on
> them, that at least the WMF knows who they are, and the rank and file
> editor potentially has some recourse if it finally comes to it. So I say
> the usefulness there is treating editors right and furnishing a safer
> environment for them, in which they are not so exposed to anonymous
> administrators.
>
> Thank you for your response.
>
> Trillium Corsage (by the way although "Trillium" is a type of flower, I am
> in fact a dude. So please use male pronouns if it occurs to you. It was
> just an email address I picked sort of randomly and then I ran with it as
> pseudonym).


Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-27 Thread Trillium Corsage
@Nathan

You said "so if you want to argue that such users should be positively 
identified, then please make some practical suggestions (which you have 
conspicuously avoided doing so far). How should identities be confirmed? In 
what circumstances should the ID information be disclosed, and to whom? What, 
fundamentally, is the usefulness in collecting this information to begin with? 
What are the use cases in which it is necessary?"

It would be a good faith evaluation of the copy of the identification document 
provided. There's no need to be quarrelsome about the practical suggestions 
I've "conspicuously avoided." I did at least suggest a secure filing cabinet 
and making use of a removable hard-drive. As to the precise criteria by which 
an identification document is deemed "good enough," I'd suppose those would be 
developed on a good faith basis by the action officer. Nobody is depending on 
perfection by that individual. The principle would be that the document appears 
genuine, has the minimum elements settled on by the policy (name, age, address, 
possibly other elements). If the document is in a foreign language, say 
Swahili, and the WMF person can't read that, I would think it would be a "do 
the best you can" and file it by respective Wikipedia and username. None of 
these are insurmountable obstacles. The answer to "this is hard" is not "well, 
let's just stop doing it." The answer is "this is important, let's just do the 
best we can."

I have called for a basic examination of the document, not any verification 
process. I'd suppose if the document looked suspect in some way, then a 
telephone call or follow-up could be done, and that would be a "verification," 
but I would expect that to be the exception, not the rule. Again, these details 
would be settled by the hands-on person, not by me attempting to write a 
ten-page standard operating procedure while Nathan zings me with "what are your 
specifics" on the mailing list.

"What is the usefulness in collecting this information to begin with?" Well, I 
thought the premise here was obvious. It was obvious enough to those that 
crafted the previous policy in the first place. It establishes some level of 
accountability to those individuals accorded access to the 
personally-identifying information of editors. Personal accountability 
encourages acting with self-control and restraint. With apologies to the other 
person that responded, anonymity encourages a care-free and unrestricted 
handling of that data, and in fact to some of these people it indeed yields a 
MMORPG (multimedia online roleplaying game) environment, and they will do 
whatever they want, because they are free from accountability.

The other key aspect of usefulness is to the rank and file editors. They will 
feel better knowing that if some creepazoid or cyberbully starts going over 
their IPs, and of course Googling and otherwise sleuthing for more on them, 
that at least the WMF knows who they are, and the rank and file editor 
potentially has some recourse if it finally comes to it. So I say the 
usefulness there is treating editors right and furnishing a safer environment 
for them, in which they are not so exposed to anonymous administrators.

Thank you for your response.

Trillium Corsage (by the way although "Trillium" is a type of flower, I am in 
fact a dude. So please use male pronouns if it occurs to you. It was just an 
email address I picked sort of randomly and then I ran with it as pseudonym).


Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-27 Thread Trillium Corsage
Hi again Luis,

Thank you for commenting on my open letter to Lila. I guess if I send an open 
letter I should expect open responses, however I surely hope Lila will speak on 
the matter, "yea," "nay," or "not of concern to me," as I asked.

Yes, I recall your previous response to my previous email (which was actually 
larger in scope, criticizing the now-effective overall privacy policy, whereas 
I now focus on the access-to-non-public information sub-policy, not yet in 
effect). In it you said the policies would never attain "perfection." Below you 
assert "there is no magical answer." These are examples of thought-terminating 
cliches. Presented with reasoned criticism of the policies, you attempt to stop 
discussion by saying they can never be perfect or magical. To give you credit, 
a lot of times thought-terminating cliches are effective in debate with 
non-lawyers.

I'm going to go ahead and answer your "perhaps when we next look at the 
question in a few years" with the obvious observation that the procedures the 
policy lays out now are going to affect contributors mightily within the next 
few years. The access policy is not effective yet and can still be amended. So 
I'm going to resist your kicking the can down the road a few years.

Now, to dig into the actual merits of what you say, I respond that these 
policies were not "discussed extensively with the community." You obtained 
input almost exclusively from the *administrative subset* of the community, and 
none no more so than the individuals that currently have or stand to obtain the 
accesses in question. Should we be surprised that they prefer anonymity for 
themselves, as they explore the IPs and browser signatures and so on of the 
rank and file content editors? No. "The community" according to Lila is *all* 
the editors, a mere fraction (though powerful) of which are the insider and 
involved administrative types that commented on the policy drafts. I'm 
confident you'll agree that this distinction is more or less accurate, that in 
fact it is the administrative participants particularly that tend to comment on 
this stuff, and not so much representatives of the great masses of content 
editors that actually built Wikipedia. Please do not gloss over this 
distinction in the future when claiming immense "community" participation. I'm 
not saying it's your fault that the discussion wasn't representative though. 
I'm just saying that's how it is.   

Neither am I faulting, or at least I shouldn't fault, anything about Michelle 
Paulson's hard work on the matter. I think the bad decision to accord anonymity 
to the checkusers and so forth was made higher up. In fact it's interesting to 
look back in the discussion to see what she said: "1) We do not believe that 
the current practices regarding collection and retention of community member 
identification are in compliance with the Board’s current Access to nonpublic 
data policy and hoped to bring the policy and practices closer to fulfilling 
the original intent of the policy" 
(http://meta.wikimedia.org/wiki/Talk:Access_to_nonpublic_information_policy/Archives/2014#Rethinking_the_access_policy:_Response_to_recent_feedback).
What she's saying is that WMF Legal became uncomfortable with the fact that 
what the responsible individuals were doing with the identifications 
(shredding, deleting) was at odds with what the policy clearly stated to 
editors was the case (identifying). Faced with this problem, there were two 
ways to go: 1) change the practice to conform with the policy (i.e. start 
securely keeping the identifications), or 2) change the policy to conform to 
the practice (i.e. grant anonymity to those granted access to non-anonymous 
information of others). What I am saying here, and if Lila is reading this far, 
is that you chose the wrong option.

This email is already long, and I am not going to start commenting again why I 
think the administrative culture has attracted exactly the wrong kind of 
people, cyber-bullies, MMORPG players, creepers, and that this change to the 
policy is going to magnify that. I guess I'll just close by saying that it is 
not that hard to buy a secure file cabinet for the identification faxes and, 
say, the removable hard-drive containing the identification emails. There 
aren't all that great many checkusers and oversighters and OTRS volunteers and 
so forth, and they're not being added that fast. The existing ones can be 
accounted for in stages. So these "practical difficulties" you refer to, Luis, I 
don't see them as so severe. As for the "risks to volunteers" what are you 
saying? Are you saying the WMF cannot securely keep some copies of 
identifications? The real volunteers at risk are those rank and file editors 
you propose to expose to a group of anonymous and unaccountable administrative 
participants.

Trillium Corsage

27.06.2014, 01:48, "Luis Villa" :
> Hi, Trillium-
>
> As I pointed out to you the last time we discussed the privacy

Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-27 Thread Nathan
Trillium,

Let's be clear about a few things. The only data that checkusers get is a
subset of the data that the WMF webservers (and all other webservers
throughout the Internet) collect on all visitors. This is data that is
voluntarily disclosed by readers (although they may not all be aware of
it). The checkusers get substantially less information than is actually
available, and only on those users who *edit* and not those who simply
view. That means that while you are correct, the Wikimedia community at
large certainly includes all readers, only editors are stakeholders in the
exposure of certain data to checkusers.

There is no legal requirement in the U.S. to make this information
invisible (AFAIK). The only limitations are those imposed by the Terms of
Service. The previous privacy policy referred to the identification of
volunteers to whom certain limited information is exposed, but when
Michelle and others said that the policy itself wasn't being effectively
enforced more was at issue than how (or if) the IDs were stored. The WMF
has never had a method of verifying received identification. Because of the
international nature of the movement, IDs were submitted in languages no
one at the WMF speaks, from countries and authorities around the world. As
a result, anyone could easily submit a false, altered or misleading
identification. The identities provided by users with advanced permissions
could never be relied upon.

So if you want to argue that such users should be positively identified,
then please make some practical suggestions (which you have conspicuously
avoided doing so far). How should identities be confirmed? In what
circumstances should the ID information be disclosed, and to whom? What,
fundamentally, is the usefulness in collecting this information to begin
with? What are the use cases in which it is necessary?

Thanks in advance for providing us with such useful advice!


Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-27 Thread Richard Symonds
>
> MMORPG players


:-(

Richard Symonds
Wikimedia UK
0207 065 0992

Wikimedia UK is a Company Limited by Guarantee registered in England and
Wales, Registered No. 6741827. Registered Charity No.1144513. Registered
Office 4th Floor, Development House, 56-64 Leonard Street, London EC2A 4LT.
United Kingdom. Wikimedia UK is the UK chapter of a global Wikimedia
movement. The Wikimedia projects are run by the Wikimedia Foundation (who
operate Wikipedia, amongst other projects).

*Wikimedia UK is an independent non-profit charity with no legal control
over Wikipedia nor responsibility for its contents.*


On 27 June 2014 14:18, Trillium Corsage  wrote:

> Hi again Luis,
>
> Thank you for commenting on my open letter to Lila. I guess if I send an open
> letter I should expect open responses, however I surely hope Lila will
> speak on the matter, "yea," "nay," or "not of concern to me," as I asked.
>
> Yes, I recall your previous response to my previous email (which was
> actually larger in scope, criticizing the now-effective overall privacy
> policy, whereas I now focus on the access-to-non-public information
> sub-policy, not yet in effect). In it you said the policies would never
> attain "perfection." Below you assert "there is no magical answer." These
> are examples of thought-terminating cliches. Presented with reasoned
> criticism of the policies, you attempt to stop discussion by saying they
> can never be perfect or magical. To give you credit, a lot of times
> thought-terminating cliches are effective in debate with non-lawyers.
>
> I'm going to go ahead and answer your "perhaps when we next look at the
> question in a few years" with the obvious observation that the procedures
> the policy lays out now are going to affect contributors mightily within
> the next few years. The access policy is not effective yet and can still be
> amended. So I'm going to resist your kicking the can down the road a few
> years.
>
> Now, to dig into the actual merits of what you say, I respond that these
> policies were not "discussed extensively with the community." You obtained
> input almost exclusively from the *administrative subset* of the community,
> and none no more so than the individuals that currently have or stand to
> obtain the accesses in question. Should we be surprised that they prefer
> anonymity for themselves, as they explore the IPs and browser signatures
> and so on of the rank and file content editors? No. "The community"
> according to Lila is *all* the editors, a mere fraction (though powerful)
> of which are the insider and involved administrative types that commented
> on the policy drafts. I'm confident you'll agree that this distinction is
> more or less accurate, that in fact it is the administrative participants
> particularly that tend to comment on this stuff, and not so much
> representatives of the great masses of content editors that actually built
> Wikipedia. Please do not gloss over this distinction in the future when
> claiming immense "community" participation. I'm not saying it's your fault
> that the discussion wasn't representative though. I'm just saying that's
> how it is.
>
> Neither am I faulting, or at least I shouldn't fault, anything about
> Michelle Paulson's hard work on the matter. I think the bad decision to
> accord anonymity to the checkusers and so forth was made higher up. In fact
> it's interesting to look back in the discussion to see what she said: "1)
> We do not believe that the current practices regarding collection and
> retention of community member identification are in compliance with the
> Board’s current Access to nonpublic data policy and hoped to bring the
> policy and practices closer to fulfilling the original intent of the
> policy" (
> http://meta.wikimedia.org/wiki/Talk:Access_to_nonpublic_information_policy/Archives/2014#Rethinking_the_access_policy:_Response_to_recent_feedback).
> What she's saying is that WMF Legal became uncomfortable with the fact that
> what the responsible individuals were doing with the identifications
> (shredding, deleting) was at odds with what the policy clearly stated to
> editors was the case (identifying). Faced with this problem, there were two
> ways to go: 1) change the practice to conform with the policy (i.e. start
> securely keeping the identifications), or 2) change the policy to conform
> to the practice (i.e. grant anonymity to those granted access to
> non-anonymous information of others). What I am saying here, and if Lila is
> reading this far, is that you chose the wrong option.
>
> This email is already long, and I am not going to start commenting again
> why I think the administrative culture has attracted exactly the wrong kind
> of people, cyber-bullies, MMORPG players, creepers, and that this change to
> the policy is going to magnify that. I guess I'll just close by saying that
> it is not that hard to buy a secure file cabinet for the identification
> faxes and, say, the removable hard-drive conta

Re: [Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-26 Thread Luis Villa
Hi, Trillium-

As I pointed out to you the last time we discussed the privacy
policy[1], this issue (and the rest of the policy) were discussed
extensively with the community, with the board, and with the previous
Executive Director. It was then approved by the Board.

This particular topic was discussed particularly thoroughly, with a
separate consultation and additional discussion with the Board. We did
all that because, as we said in our blog post on the topic[2], this
was a tough question that required everyone involved to balance
difficult privacy concerns with the risks and practical difficulties
of identifying volunteers. There was no magical answer that could
please everyone, despite sincere efforts to find creative solutions
informed by several years of experience building and operating the
previous policy.

Since we made that post (and since the Board approved the decision)
nothing has changed. The factors being balanced are still difficult,
and Legal would still come down the same way we did in February (when
we finished the public consultation) and April (when we presented our
recommendation to the Board).

Perhaps when we next look at the question in a few years the facts
will have substantially changed and it will make sense to revisit this
decision and tighten the requirements. But right now, within months of
board approval after a lot of discussion, is not that time.

For what it is worth-
Luis

[1] https://www.mail-archive.com/wikimedia-l@lists.wikimedia.org/msg12552.htm
[2] http://blog.wikimedia.org/2014/02/14/a-new-access-to-nonpublic-information/

P.S. Tangentially, and speaking mostly for myself, I want to thank the
many Wikimedians I've talked with in the past ~18 months who have been
patient and supportive as we try our best to talk with you, weigh
costs and benefits with you, and make difficult decisions - not just
about privacy but also about many other things large and small. We'd
love to be perfect, have infinite time and infinite resources and
infinite patience, or no hard problems. Since we don't, we have to
just try our best. I'm grateful for and deeply appreciate all the
people who understand that and have worked with us in patient good
faith to move ahead the mission we all share. Corny, I know, but true.
:)

On Thu, Jun 26, 2014 at 9:06 AM, Trillium Corsage
 wrote:
> Dear Ms. Tretikov,
>
>
> Would you please speak on the new revision of the "Access to Non-Public 
> Information" policy? Can you express your objection to it? Can you express 
> your support of it? You'll find it here:
>
> http://meta.wikimedia.org/wiki/Access_to_nonpublic_information_policy
>
> This governs the conditions by which the WMF grants access to potentially 
> personally-identifying data such as IPs and web-browser profiles of Wikipedia 
> editors. It grants these to particular administrative participants, for 
> example checkusers and oversighters and arbitrators, of the various 
> "communities," for example the Wikipedias of various languages.
>
> Under the terms of the prior access policy, those administrative participants 
> were required to send a fax or scanned copy of an identification document. 
> Editors were led to believe that the WMF kept record of who these people 
> actually were. It was repeatedly claimed that they had "identified to WMF." 
> This soothed the concerns of editors like me that thought, okay, well at 
> least someone knows who they are. The truth was that a WMF employee marked a 
> chart of usernames only that the administrative participant's ID showed 
> someone 18 or over, and then shredded or otherwise destroyed those records. 
> The phrase that so-and-so "has identified to WMF" or "is identified to WMF" 
> was so commonly stated, including by the WMF, that I regard it as a great 
> deception and betrayal that it really was shredding and destroying the 
> identifications.
>
> The new policy is even worse. It abandons the mere pretense of an 
> identification. So while it goes the wrong direction, at least it ceases to 
> deceive. All it calls for now is an email address, an assertion that the 
> person is 18 or over, and an assertion that the owner of the email account 
> has read a short confidentiality agreement. The person need not provide a 
> real name. You are well aware that various web-email services offer basically 
> untraceable email addresses. You are well aware that only a named person can 
> enter into agreement on confidentiality. An agreement by a Wikipedia username 
> with an untraceable email address is not only unenforceable, it is a 
> ludicrous proposition.
>
> The webpage says the policy is not in effect yet. I urge you to reject it as 
> written and instead have it amended to actually require identification for 
> those faceless entities you prepare to turn loose with potentially 
> cyberstalker tools.
>
> Whatever your stance, I do call on you to speak on the question. Say "yea," 
> say "nay," or say "not my concern," but at least speak.
>
> Tri

[Wikimedia-l] Open Letter to Lila Regarding Access to Non-Public Information Policy

2014-06-26 Thread Trillium Corsage
Dear Ms. Tretikov,


Would you please speak on the new revision of the "Access to Non-Public 
Information" policy? Can you express your objection to it? Can you express your 
support of it? You'll find it here:

http://meta.wikimedia.org/wiki/Access_to_nonpublic_information_policy

This governs the conditions by which the WMF grants access to potentially 
personally-identifying data such as IPs and web-browser profiles of Wikipedia 
editors. It grants these to particular administrative participants, for example 
checkusers and oversighters and arbitrators, of the various "communities," for 
example the Wikipedias of various languages.

Under the terms of the prior access policy, those administrative participants 
were required to send a fax or scanned copy of an identification document. 
Editors were led to believe that the WMF kept record of who these people 
actually were. It was repeatedly claimed that they had "identified to WMF." 
This soothed the concerns of editors like me that thought, okay, well at least 
someone knows who they are. The truth was that a WMF employee marked a chart of 
usernames only that the administrative participant's ID showed someone 18 or 
over, and then shredded or otherwise destroyed those records. The phrase that 
so-and-so "has identified to WMF" or "is identified to WMF" was so commonly 
stated, including by the WMF, that I regard it as a great deception and 
betrayal that it really was shredding and destroying the identifications.

The new policy is even worse. It abandons the mere pretense of an 
identification. So while it goes the wrong direction, at least it ceases to 
deceive. All it calls for now is an email address, an assertion that the person 
is 18 or over, and an assertion that the owner of the email account has read a 
short confidentiality agreement. The person need not provide a real name. You 
are well aware that various web-email services offer basically untraceable 
email addresses. You are well aware that only a named person can enter into 
agreement on confidentiality. An agreement by a Wikipedia username with an 
untraceable email address is not only unenforceable, it is a ludicrous 
proposition.

The webpage says the policy is not in effect yet. I urge you to reject it as 
written and instead have it amended to actually require identification for 
those faceless entities you prepare to turn loose with potentially cyberstalker 
tools.

Whatever your stance, I do call on you to speak on the question. Say "yea," say 
"nay," or say "not my concern," but at least speak.

Trillium Corsage  
