Re: [Wikimedia-l] PRISM, government surveillance, and Wikimedia: Request for community feedback
Geoff Brigham wrote:
> WMF is getting professional translations in German, French, Spanish, and Japanese, and will post by Tuesday.

I know that the RfC on PRISM has already been closed, but I have only remembered this today: what happened with the professional translations of https://meta.wikimedia.org/wiki/PRISM? As far as I can see, the German, French and Spanish translations have all been created (and then reviewed) by volunteers, and the Japanese version isn't finished to this day.

I'm asking this question now because I noticed that Garfield (Byrd) has spoken about the translation of the Annual Plan into other languages in the current issue of the English Wikipedia Signpost, saying:

> I am hoping that some key parts of the annual plan can be translated and the Foundation is prepared to commit resources to this task.

I understand that it is the prerogative of the Foundation to decide how they want to spend their budget, but seeing how (seemingly) badly the translation of the relatively short announcement on PRISM has been managed, I'm not really convinced that getting professional translations of the Annual Plan is that good an idea.

Our caring and motivated translation community has proven many times in the past that they can provide good quality translations of even the most important content; after long years of waiting, we now can use wonderful software (the Translate extension) that makes the job smooth and easy, so I'd just like us to give the volunteers a try before spending huge amounts of money on translating stuff.

Tomasz

___ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe
Re: [Wikimedia-l] prism and certificate authorities, snooping https
On 06/15/2013 05:48 PM, rupert THURNER wrote:
> the conclusion is also interesting: when a company that uses a certificate authority located in a country different than the one in which it holds user data, it needlessly exposes users’ data to the compelled disclosure by an additional government. so, by getting the certificates from digicert, the traffic can easier be snooped by the u.s. government. and only u.s. citizens are protected by u.s. law. this gives a lot of trust :)

Your quote ("when a company that uses a certificate authority located in a country different than the one in which it holds user data") warns of what happens when you use a *foreign* (not the same as where the servers are) cert. Wikimedia uses DigiCert, a provider in the same country, exactly what that recommends.

Your statement that "the traffic can easier be snooped by the u.s. government" is false. If Wikimedia received a secret U.S. court order to turn over certain data, the certificate would make no difference, since the headquarters and servers are already in the U.S. But using a U.S. provider reduces the WMF's vulnerability to additional governments.

Matt Flaschen
Re: [Wikimedia-l] PRISM
On Fri, Jun 14, 2013 at 3:33 PM, Andy Mabbett a...@pigsonthewing.org.uk wrote:
> PRISM From @ShammaBoyarin on Twitter: It's not as if the NSA were mass downloading articles from JSTOR.

Certainly if the evidence showed that the NSA were breaking into wiring closets and hacking into computer networks this would be a much different story.

(Yes, you can speculate that they're probably doing this too, but this particular scandal is the NSA getting information from computer networks with the permission of the computer owners, not despite the owners actively trying to keep them out.)
Re: [Wikimedia-l] PRISM
> On Fri, Jun 14, 2013 at 3:33 PM, Andy Mabbett a...@pigsonthewing.org.uk wrote:
>> PRISM From @ShammaBoyarin on Twitter: It's not as if the NSA were mass downloading articles from JSTOR.
>
> Certainly if the evidence showed that the NSA were breaking into wiring closets and hacking into computer networks this would be a much different story.
>
> (Yes, you can speculate that they're probably doing this too, but this particular scandal is the NSA getting information from computer networks with the permission of the computer owners, not despite the owners actively trying to keep them out.)

Actually, there is a small attached CIA unit to do just that. The story is a bit bigger than what The Guardian has published so far.

Fred
Re: [Wikimedia-l] PRISM
On Sat, Jun 15, 2013 at 10:16 AM, Fred Bauder fredb...@fairpoint.net wrote:
>> (Yes, you can speculate that they're probably doing this too, but this particular scandal is the NSA getting information from computer networks with the permission of the computer owners, not despite the owners actively trying to keep them out.)
>
> Actually, there is a small attached CIA unit to do just that. The story is a bit bigger than what The Guardian has published so far.

Did you read what I said? Yes, you can speculate that that's what they're doing. But that's not what was published.

The fact of the matter is that there would be a much bigger uproar if the NSA were caught doing what Aaron Swartz did, on American soil against an innocent American company. If NSA were caught breaking into wiring closets and hacking into computer networks, the 4th Amendment violation would be way more obvious and incontrovertible.
Re: [Wikimedia-l] PRISM
> On Sat, Jun 15, 2013 at 10:16 AM, Fred Bauder fredb...@fairpoint.net wrote:
>>> (Yes, you can speculate that they're probably doing this too, but this particular scandal is the NSA getting information from computer networks with the permission of the computer owners, not despite the owners actively trying to keep them out.)
>>
>> Actually, there is a small attached CIA unit to do just that. The story is a bit bigger than what The Guardian has published so far.
>
> Did you read what I said? Yes, you can speculate that that's what they're doing. But that's not what was published.
>
> The fact of the matter is that there would be a much bigger uproar if the NSA were caught doing what Aaron Swartz did, on American soil against an innocent American company. If NSA were caught breaking into wiring closets and hacking into computer networks, the 4th Amendment violation would be way more obvious and incontrovertible.

Within the United States the FBI has the authority, in appropriate cases, with a warrant, to engage in such activity. If there was a valid finding by a Federal District Court judge that there was a valid reason it would not be a 4th amendment violation.

There is more than one source, not just what happens to be on the front page this week. Additionally, we are not bound by the canon of generally accepted knowledge in our discussions. That is our rule for encyclopedia articles, not our rules for thinking.

Fred
Re: [Wikimedia-l] PRISM
On Sat, Jun 15, 2013 at 1:56 PM, Fred Bauder fredb...@fairpoint.net wrote:
>> The fact of the matter is that there would be a much bigger uproar if the NSA were caught doing what Aaron Swartz did, on American soil against an innocent American company. If NSA were caught breaking into wiring closets and hacking into computer networks, the 4th Amendment violation would be way more obvious and incontrovertible.
>
> Within the United States the FBI has the authority, in appropriate cases, with a warrant, to engage in such activity.

That they can do it with a warrant is why I said an *innocent* American company. I'm quite aware of the existence of sneak-and-peek warrants. If these are being issued to hack into the networks of Google and Yahoo and all, without any evidence that Google and Yahoo and all were breaking the law, then I think evidence of this would cause a huge uproar, and that the practice would be found to be in violation of the 4th Amendment.

> If there was a valid finding by a Federal District Court judge that there was a valid reason it would not be a 4th amendment violation.

By definition, if the warrant is valid, then the 4th Amendment is not violated, because a warrant which violates the 4th Amendment is not a valid one. But that's nothing more than hand waving. A warrant allowing the government to break into an MIT wiring closet and from there hack into the JSTOR network (spoofing IP and MAC addresses in order to get around blocks), without any evidence of wrongdoing on the part of MIT or JSTOR, would not be valid. Maybe by valid you meant procedurally valid, and not substantively valid? If so, you're just wrong.

For those not familiar with the case against Aaron Swartz, who might be under the mistaken impression that all he did was download a bunch of public domain resources, Orin Kerr has a good summary at http://www.volokh.com/2013/01/14/aaron-swartz-charges/ where he concludes the charges against Swartz were based on a fair reading of the law.

> There is more than one source, not just what happens to be on the front page this week. Additionally, we are not bound by the canon of generally accepted knowledge in our discussions. That is our rule for encyclopedia articles, not our rules for thinking.

I'm not sure whose rules for thinking you're talking about. Personally I have a rule against believing things without evidence. In some cases that's more lenient than Wikipedia's sourcing rules (original research is great), and in some cases it's more strict (I don't believe everything I read in the mainstream news).
[Wikimedia-l] prism and certificate authorities, snooping https
hi,

i saw on the wmf statement on meta that https everywhere should calm people. that's a good start already. 3 years ago the EFF (electronic frontier foundation) warned about https. Soghoian and Stamm write especially about certificate authorities (CA):

> [...] Microsoft’s Root Certificate Program includes the governments of Austria, Brazil, [...], the United States and Uruguay. [...] each of these states has the power to facilitate attacks on encryption anywhere in the world — not just in its territory or Internet domain.

> [...] “Packet Forensics’ devices are designed to be inserted-into and removed-from busy networks without causing any noticeable interruption [. . . ] This allows you to conditionally intercept web, e-mail, VoIP and other traffic at-will, even while it remains protected inside an encrypted tunnel on the wire. Using ‘man-in-the-middle’ to intercept TLS or SSL is essentially an attack against the underlying Diffie-Hellman cryptographic key agreement protocol [. . . ] To use our product in this scenario, [government] users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.”

> [...] Individuals living in countries with laws that protect their privacy from unreasonable invasion have good reason to avoid trusting foreign governments (or foreign companies) to protect their private data. This is because individuals often receive the greatest legal protection from their own governments, and little to none from other countries. For example, US law strictly regulates the ability of the US government to collect information on US persons. However, the government can freely spy on foreigners around the world, as long as the surveillance is performed outside the US.

the conclusion is also interesting:

> when a company that uses a certificate authority located in a country different than the one in which it holds user data, it needlessly exposes users’ data to the compelled disclosure by an additional government.

so, by getting the certificates from digicert, the traffic can easier be snooped by the u.s. government. and only u.s. citizens are protected by u.s. law. this gives a lot of trust :)

links:
* https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl
* http://files.cloudprivacy.net/ssl-mitm.pdf

rupert
Re: [Wikimedia-l] PRISM
PRISM From @ShammaBoyarin on Twitter: It's not as if the NSA were mass downloading articles from JSTOR.
[Wikimedia-l] PRISM, government surveillance, and Wikimedia: Request for community feedback
Hi Tomasz,

Thank you very much for everything you and the volunteers are doing. You people do rock.

WMF is getting professional translations in German, French, Spanish, and Japanese, and will post by Tuesday. We are doing this because of the fast timing situation and our desire to hear international voices. We are asking for translations by volunteers in the other languages.

If the community says that we need to push out the dates, we will listen of course. My competing consideration is that we don't miss opportunities if the right course is to proceed forward as recommended in the blog post.

Apologies for any confusion here. Any fault is mine. Again ... many thanks.

Geoff

> Date: Sat, 15 Jun 2013 03:19:55 +0200
> From: Tomasz W. Kozlowski tom...@twkozlowski.net
> To: wikimedia-l@lists.wikimedia.org
> Subject: Re: [Wikimedia-l] [Wikimedia Announcements] PRISM, government surveillance, and Wikimedia: Request for community feedback
> Message-ID: 51bbc13b.10...@twkozlowski.net
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Geoff, I'm a bit lost here now that I've read that translation notice more carefully — are you really saying you want to have this post translated into German, French, Spanish and Japanese by Tuesday, June 18, and then for the local communities to comment on it by Friday, June 21? There is just no way that this can scale in this world.
>
> FYI, I posted a message asking for translations at http://lists.wikimedia.org/pipermail/translators-l/2013-June/002311.html, and I'm sure that our amazing volunteer translators can get it translated into those four languages (and more) by noon on Sunday (PST).
>
> (And again—doing this kind of thing on a Friday is a Very Bad Idea[TM].)
>
> -- Tomasz
Re: [Wikimedia-l] PRISM
Do others feel that the letter to US Congress text at https://optin.stopwatching.us/ (for which there does not seem to be a direct URL, sorry) is appropriately worded? I am far more impressed by the text at http://bestbits.net/prism-nsa/ which Jan Engelmann suggested on the Advocacy Advisors list, and by https://www.eff.org/deeplinks/2013/06/international-customers-its-time-call-us-internet-companies-demand-accountability which urges economic action.

What are the arguments for and against using project banner space for:

(1) Calls for boycott (Liam Wyatt says this is unlikely, and as a practical matter I have no illusions but to agree. However, I must insist to those considering starting or participating in an RFC on the topic: there is only one way to find out);
(2) Shareholder resolution organisation (Google is immune to shareholder resolutions, so what is an appropriate alternative in Google's case -- picketing the triumvirate's residences?);
(3) Calls for divestiture; and
(4) Calls for individual court action on First and Fourth Amendment grounds, and on the grounds of disproportionate spending and incarceration relative to other threats to health, safety, and security than crime?
Re: [Wikimedia-l] PRISM
Fred Bauder, 12/06/2013 22:47:
> We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one, http://www.guardian.co.uk/world/2013/jun/12/edward-snowden-us-extradition-fight

Time for some additional encryption at least between different parts of the infrastructure perhaps?

Nemo
Re: [Wikimedia-l] PRISM
I would like to raise the option of a more Wikipedia-like protest.

How about, on the English Wikipedia, picking one day to make the Main Page topic-specific, similar to the traditional April 1 selection?

Candidates, off the top of my hat:
[[NSA]] / [[Black Chamber]]
[[PRISM (surveillance program)]]
[[Panopticon]]
[[Surveillance state]] / [[Mass surveillance]]
[[1984]]
[[Surveillance abuse]]

The articles are (of course!:-) NPOV, but the topic selection could be POV to raise awareness of the issue.

On Thu, Jun 13, 2013 at 8:16 AM, Federico Leva (Nemo) nemow...@gmail.com wrote:
> Fred Bauder, 12/06/2013 22:47:
>> We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one, http://www.guardian.co.uk/world/2013/jun/12/edward-snowden-us-extradition-fight
>
> Time for some additional encryption at least between different parts of the infrastructure perhaps?
>
> Nemo
Re: [Wikimedia-l] PRISM
> Fred Bauder, 12/06/2013 22:47:
>> We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one, http://www.guardian.co.uk/world/2013/jun/12/edward-snowden-us-extradition-fight
>
> Time for some additional encryption at least between different parts of the infrastructure perhaps?
>
> Nemo

My impression is that NSA has set up a sort of mirror internet; presumably they would simply incorporate additional encryption into that. In any event we do want to have easy world wide communication, not necessarily all heavily encrypted. More than anything else, we need to get the wolves out of the hen house; if billions are being spent on signals intelligence maybe it's time to negotiate an end to the cyberwar.

Fred
Re: [Wikimedia-l] PRISM
> I would like to raise the option of a more Wikipedia-like protest.
>
> How about, on the English Wikipedia, picking one day to make the Main Page topic-specific, similar to the traditional April 1 selection?
>
> Candidates, off the top of my hat:
> [[NSA]] / [[Black Chamber]]
> [[PRISM (surveillance program)]]
> [[Panopticon]]
> [[Surveillance state]] / [[Mass surveillance]]
> [[1984]]
> [[Surveillance abuse]]
>
> The articles are (of course!:-) NPOV, but the topic selection could be POV to raise awareness of the issue.

This is good, but I fear it would soon expand into banners denouncing fracking and Monsanto. Somehow we would have to achieve and maintain a posture which rejects nihilism, no values, without embracing the cause of the day.

Fred
Re: [Wikimedia-l] PRISM
On 2013-06-11 14:09, Fred Bauder wrote:
> There will always be humans maintaining the system who must, in order to do their work, have potential access to everything.

A potential access to everything is such a vast and vague assertion that it practically denotes nothing. Also, one could come up with the exact opposite assertion, full of always/never nothing/everything.
Re: [Wikimedia-l] PRISM
I encourage everyone to join the StopWatching campaign, individually.

It also seems like the right thing for Wikimedia to stand for; our projects are among the more prominent supporters of anonymous and pseudonymous knowledge-work on the web.

SJ

On Tue, Jun 11, 2013 at 2:17 PM, Luis Villa lvi...@wikimedia.org wrote:
> [+ Advocacy Advisors]
>
> On Tue, Jun 11, 2013 at 9:08 AM, Liam Wyatt liamwy...@gmail.com wrote:
>> Perhaps we as individuals, or the WMF as an organisation, might also like to sign up to Mozilla's campaign stopwatching.us?
>> Blogpost - https://blog.mozilla.org/blog/2013/06/11/stopwatching-us-mozilla-launches-massive-campaign-on-digital-surveillance/
>> Website - https://optin.stopwatching.us/
>> I note from the selected list of organisations that have already signed (of whom several are our frequent allies) we would be in good company.
>
> Hi, Liam-
>
> Participating in StopWatching is definitely one of the options. For WMF to get involved in that way, there needs to be a consultation with the Advocacy Advisors list and (time permitting) an RFC. By following that process, we can be sure that the actions WMF takes are consistent with community's opinion on the topic.
>
> If you think WMF should be more involved, we (as always) invite and encourage you to start an RFC or discussion on Advocacy Advisors. We would pay close attention to those, and use them to help us guide our next steps. Please let us know if there is anything else we can do to support, of course.
>
> (Our full internal policy is at https://meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Foundation_Policy_and_Political_Association_Guideline#Collaborative_Advocacy).
>
> Thanks-
> Luis
>
> -- Luis Villa Deputy General Counsel Wikimedia Foundation 415.839.6885 ext. 6810
>
> NOTICE: This message may be confidential or legally privileged. If you have received it by accident, please delete it and let us know about the mistake. As an attorney for the Wikimedia Foundation, for legal/ethical reasons I cannot give legal advice to, or serve as a lawyer for, community members, volunteers, or staff members in their personal capacity.

-- Samuel Klein @metasj w:user:sj +1 617 529 4266
Re: [Wikimedia-l] PRISM
> On 2013-06-11 14:09, Fred Bauder wrote:
>> There will always be humans maintaining the system who must, in order to do their work, have potential access to everything.
>
> A potential access to everything is such a vast and vague assertion that it practically denotes nothing. Also, one could come up with the exact opposite assertion, full of always/never nothing/everything.

We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one, http://www.guardian.co.uk/world/2013/jun/12/edward-snowden-us-extradition-fight

Fred
Re: [Wikimedia-l] PRISM
On 2013-06-10 12:21, Fred Bauder wrote:
> Correct. If Osama Bin Laden had been editing Wikipedia, before his death of course, through some account in Pakistan, it would have been rather reasonable to respond favorably to a request for information.

Be careful, the underlying assumption of such a claim is that it's fine to create information tools and canals as long as it may have legitimate uses, regardless of potential illegitimate uses, without evaluating if the means are proportionate to the goal and if they may have disproportionate consequences on other issues, such as privacy.

-- Association Culture-Libre http://www.culture-libre.org/
Re: [Wikimedia-l] PRISM
On 2013-06-10 14:29, Craig Franklin wrote:
> If the NSA, CIA, or some other spook agency is getting information off of Wikimedia servers, they don't have a CU account or anything like that. They'd have a program running at the operating system level that extracts the data in a standardised format and sends it off to some secret server somewhere where it can be collated for data mining purposes. If they have some way of getting private information, it's going to be well hidden and not something you or I are likely to (or capable of) stumbling across.

People wherever they work are humans. They never use supernatural powers that are fundamentally inaccessible to the mere mortal because they are mere mortals. Sure one person can hardly expect to achieve more than a structured organisation with far more resources. It doesn't mean individuals who are not part of one specific organisation are powerless.

> Cheers,
> Craig
>
> On 10 June 2013 20:09, David Gerard dger...@gmail.com wrote:
>> On 10 June 2013 10:56, Florence Devouard anthe...@yahoo.com wrote:
>>> Precisely, they could ask to have CU accounts...
>>
>> There are people who closely monitor who has what powers.
>>
>> - d.

-- Association Culture-Libre http://www.culture-libre.org/
Re: [Wikimedia-l] PRISM
On 2013-06-10 16:01, John Vandenberg wrote:
> It would be good *if* the WMF can provide assurances to editors that they haven't received any national security letters or other 'trawling' requests from any U.S. agency.

I doubt they can. Even if they say so, how do you check? Maybe you can teach people what trusting means, and what are logical limits of trusting. But, to my mind, your proposal would be misguiding people on what is trust.

-- Association Culture-Libre http://www.culture-libre.org/
Re: [Wikimedia-l] PRISM
On Tue, Jun 11, 2013 at 5:52 AM, Mathieu Stumpf psychosl...@culture-libre.org wrote:
> On 2013-06-10 16:01, John Vandenberg wrote:
>> It would be good *if* the WMF can provide assurances to editors that they haven't received any national security letters or other 'trawling' requests from any U.S. agency.
>
> I doubt they can. Even if they say so, how do you check? Maybe you can teach people what trusting means, and what are logical limits of trusting. But, to my mind, your proposal would be misguiding people on what is trust.

Do the letters require people to lie? If they did, is that something that could be challenged in regular, non-secret court (perhaps with some parts of the lawsuit under seal or something)?

On the other hand, the value of this is rather limited. If the WMF can't say it, it could mean that it once received a secret subpoena regarding the IP addresses of someone they had probable cause to believe was involved with some specific terrorist plot. Or it could mean they got a letter requiring all their logs all the time in perpetuity.

If you really need your web browsing to be anonymous, what can you do? HTTPS plus an anonymizing proxy plus noscript gets you some level of security. If your browsing habits can reveal your courtroom defense strategy, is this simple form of anonymization enough to trust the freedom of your client? Maybe it depends on how big of a target your client is. If your client is Martin Luther King Jr., and J. Edgar Hoover is the President, maybe you've gotta take a few steps beyond a simple anonymizing proxy.
Re: [Wikimedia-l] PRISM
> On 2013-06-10 14:29, Craig Franklin wrote:
>> If the NSA, CIA, or some other spook agency is getting information off of Wikimedia servers, they don't have a CU account or anything like that. They'd have a program running at the operating system level that extracts the data in a standardised format and sends it off to some secret server somewhere where it can be collated for data mining purposes. If they have some way of getting private information, it's going to be well hidden and not something you or I are likely to (or capable of) stumbling across.
>
> People wherever they work are humans. They never use supernatural powers that are fundamentally inaccessible to the mere mortal because they are mere mortals. Sure one person can hardly expect to achieve more than a structured organisation with far more resources. It doesn't mean individuals who are not part of one specific organisation are powerless.

There will always be humans maintaining the system who must, in order to do their work, have potential access to everything. We have them here in our developers who have access to our databases. This was the niche Snowden filled and why he had access to so much he was not authorized to access.

Fred
Re: [Wikimedia-l] PRISM
On Tue, Jun 11, 2013 at 8:09 AM, Fred Bauder fredb...@fairpoint.net wrote:
> There will always be humans maintaining the system who must, in order to do their work, have potential access to everything.

No, there isn't. This statement is about as recklessly false as your previous one that WMF didn't have the logs.

> We have them here in our developers who have access to our databases.

Putting everything in a single database which can be accessed by a single developer is a choice.
Re: [Wikimedia-l] PRISM
On 06/11/2013 08:19 AM, Anthony wrote:
> Putting everything in a single database which can be accessed by a single developer is a choice.

It is, also, the only *reasonable* choice given the resources at our disposal.

I've contracted with CSIS in the past and had the immense pleasure of working with true MLS systems. They are extraordinarily expensive, a nightmare to maintain (the change request cycle necessarily works at the scale of months), and require about two to three times the staff to manage (because the SA can't be the same person as the SO who can also not be the one performing the actual operations; that's not counting that MLS may partition things further if there are different authorities involved).

The WMF protects itself not by partitioning roles and security domains, but by making sure that as much of everything is transparent as is possible, and with normal due diligence and care in selecting those persons who have access to the rest.

Put another way: I can see at /least/ two dozen vectors for the NSA (or whichever acronym agency you prefer) to get at every single octet under WMF control without us being able to even know about it. We purchase and use off-the-shelf equipment, do not have the source to every bit of firmware in our datacenters (let alone the ability to *audit* any of it), our hardware is on premises we do not have physical control over, and all our communications are transmitted over packet switched networks constructed out of untrustable parts and under the control of innumerable parties we have no control over.

Fixing any /one/ of those holes would cost tens of times our current total operating budget, and would be essentially burned money unless they were all closed -- which turns out to not be possible at all given that we actually *want* the world-at-large to be able to, you know, use our stuff?

There is nothing we can do about any of this beyond continuing to be careful and trust in all the numerous employees and volunteers of the WMF (most of whom are outside the US) to start yelling very loudly if something fishy is going on.

So let's store the tinfoil hats and get back to work, please?

-- Marc
Re: [Wikimedia-l] PRISM
Perhaps we as individuals, or the WMF as an organisation, might also like to sign up to Mozilla's campaign stopwatching.us? Blogpost - https://blog.mozilla.org/blog/2013/06/11/stopwatching-us-mozilla-launches-massive-campaign-on-digital-surveillance/ Website - https://optin.stopwatching.us/ I note from the selected list of organisations that have already signed (of whom several are our frequent allies) we would be in good company. -Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
[+ Advocacy Advisors] On Tue, Jun 11, 2013 at 9:08 AM, Liam Wyatt liamwy...@gmail.com wrote: Perhaps we as individuals, or the WMF as an organisation, might also like to sign up to Mozilla's campaign stopwatching.us? Blogpost - https://blog.mozilla.org/blog/2013/06/11/stopwatching-us-mozilla-launches-massive-campaign-on-digital-surveillance/ Website - https://optin.stopwatching.us/ I note from the selected list of organisations that have already signed (of whom several are our frequent allies) we would be in good company. Hi, Liam- Participating in StopWatching is definitely one of the options. For WMF to get involved in that way, there needs to be a consultation with the Advocacy Advisors list and (time permitting) an RFC. By following that process, we can be sure that the actions WMF takes are consistent with the community's opinion on the topic. If you think WMF should be more involved, we (as always) invite and encourage you to start an RFC or discussion on Advocacy Advisors. We would pay close attention to those, and use them to help us guide our next steps. Please let us know if there is anything else we can do to support, of course. (Our full internal policy is at https://meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Foundation_Policy_and_Political_Association_Guideline#Collaborative_Advocacy). Thanks- Luis -- Luis Villa Deputy General Counsel Wikimedia Foundation 415.839.6885 ext. 6810 NOTICE: This message may be confidential or legally privileged. If you have received it by accident, please delete it and let us know about the mistake. As an attorney for the Wikimedia Foundation, for legal/ethical reasons I cannot give legal advice to, or serve as a lawyer for, community members, volunteers, or staff members in their personal capacity.
Re: [Wikimedia-l] PRISM
We should ask the NSA if they'd like a Wikipedian-in-Residence. Think of the citations we could add to BLPs! On Jun 10, 2013 2:17 AM, Liam Wyatt liamwy...@gmail.com wrote: This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
On 6/11/2013 1:03 PM, Andy Mabbett wrote: We should ask the NSA if they'd like a Wikipedian-in-Residence. Why not just go all the way and ask them to release everything they've collected under a free license? (Well, so the copyright to most of it probably doesn't belong to them. Does that mean we're entitled to royalties for being spied on?) --Michael Snow
Re: [Wikimedia-l] PRISM
Would they be considered a reliable source? Peter - Original Message - From: Andy Mabbett a...@pigsonthewing.org.uk To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org Sent: Tuesday, June 11, 2013 10:03 PM Subject: Re: [Wikimedia-l] PRISM We should ask the NSA if they'd like a Wikipedian-in-Residence. Think of the citations we could add to BLPs! On Jun 10, 2013 2:17 AM, Liam Wyatt liamwy...@gmail.com wrote: This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
On Tue, Jun 11, 2013 at 10:41 AM, Marc A. Pelletier m...@uberbox.org wrote: On 06/11/2013 08:19 AM, Anthony wrote: Putting everything in a single database which can be accessed by a single developer is a choice. It is, also, the only *reasonable* choice given the resources at our disposal. Maybe (*). But my comment was in response to There will always be humans maintaining the system who must, in order to do their work, have potential access to everything. That the commenter extended this to everyone regardless of their resources is evident from the example of Snowden (who didn't have anywhere near access to everything anyway). (*) Which is to say, no, I disagree, but I don't feel like arguing about it. Put another way: I can see at /least/ two dozen vectors for the NSA (or whichever acronym agency you prefer) to get at every single octet under WMF control without us being able to even know about it. Legally? There is nothing we can do about any of this beyond continuing to be careful and trust in all the numerous employees and volunteers of the WMF (most of whom are outside the US) to start yelling very loudly if something fishy is going on. So let's store the tinfoil hats and get back to work, please? Tinfoil hats? These secret subpoenas have been demonstrated to be real. Very few of the employees (and probably none of the volunteers), none of whom are outside the US, would know about them, and those few would be criminally bound to keep quiet about them. This isn't conspiracy theory. This isn't paranoia. It's demonstrated reality.
Re: [Wikimedia-l] PRISM
On Sun, Jun 9, 2013 at 11:05 PM, Anthony wikim...@inbox.org wrote: By access logs I meant HTTP access logs. It's pretty clear that without taking extraordinary measures, what you're editing is not anonymous. But some people are probably under the impression that what they're reading and searching (and linking from) is private. http://thread.gmane.org/gmane.org.wikimedia.foundation/49712/focus=49727 is probably relevant (if what Domas said then is still true).
Re: [Wikimedia-l] PRISM
Benjamin Lees, 10/06/2013 08:13: http://thread.gmane.org/gmane.org.wikimedia.foundation/49712/focus=49727 is probably relevant (if what Domas said then is still true). While I'm not aware of privacy changing substantially, speaking of fantastic names, Kraken is going to change things a bit compared to 2010: https://www.mediawiki.org/wiki/Analytics/Kraken/Request_Logging https://www.mediawiki.org/wiki/Analytics/Kraken/Data_Formats I didn't find a human-readable overview but the gist seems to be that WMF will log the same (partial) data, but for 100 % of visits rather than 1/1000. More technical members of the list will be able to tell more from the specifications and source code. Nemo
Re: [Wikimedia-l] PRISM
Federico Leva wrote: ... WMF will log the same (partial) data, but for 100 % of visits rather than 1/1000. How much more will that cause the Foundation to spend on processing subpoenas from law enforcement agencies? Will those agencies be charged for the time and organizational overhead of their requests? Will they be charged for the chilling effects on readers? How can we measure the cost of chilling effects on readers for 100% logging? I think this is a terrible idea. It's a huge step backwards to go from statistical sampling to logging all accesses. Exactly as far backwards as transitioning to A/B testing to multivariate analysis of fundraising messaging would be a step forwards. People say that donors' funds should be spent efficiently. When is the Foundation actually going to do so on both of these subjects? increasing surveillance ... does not decrease ... criminal activities. Ironically, ... increased surveillance might ... increase the number of inmates -- http://www.fas.org/sgp/crs/misc/R42937.pdf
Re: [Wikimedia-l] PRISM
On 06/10/2013 08:49 AM, Federico Leva (Nemo) wrote: Benjamin Lees, 10/06/2013 08:13: http://thread.gmane.org/gmane.org.wikimedia.foundation/49712/focus=49727 is probably relevant (if what Domas said then is still true). While I'm not aware of privacy changing substantially, speaking of fantastic names, Kraken is going to change things a bit compared to 2010: https://www.mediawiki.org/wiki/Analytics/Kraken/Request_Logging https://www.mediawiki.org/wiki/Analytics/Kraken/Data_Formats I didn't find a human-readable overview but the gist seems to be that WMF will log the same (partial) data, but for 100 % of visits rather than 1/1000. More technical members of the list will be able to tell more from the specifications and source code. Interesting... I couldn't really find much information about the privacy concepts of Kraken, though the flow diagram suggests that the raw data (which I suppose includes the kind of data we discussed earlier, i.e. IP, time and date, accessed content, ...) is kept for 7 days until it is anonymized. Is that true? If so, it seems like a huge mistake to me. -- Tobias
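The alternative to the raw retention window questioned above, as an added example that is not part of the original messages and not WMF or Kraken code: request-log records are reduced at write time, so no raw IP, exact timestamp or search string is ever stored. The tab-separated layout, the prefix lengths and all function names are assumptions made for this illustration.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines (timestamp, client IP, URL); the layout is an
# assumption for this example, not the Kraken data format.
SAMPLE_LINES = [
    "2013-06-10T08:49:31\t198.51.100.77\thttps://en.wikipedia.org/wiki/PRISM_(surveillance_program)",
    "2013-06-10T08:50:02\t2001:db8:85a3:8d3:1319:8a2e:370:7348\thttps://en.wikipedia.org/w/index.php?search=national+security+letter",
    "2013-06-10T08:51:45\tnot-an-ip\thttps://en.wikipedia.org/wiki/Main_Page",
    "truncated line",
]

V4_PREFIX = 24  # keep the /24 network only (assumed policy)
V6_PREFIX = 48  # keep the /48 network only (assumed policy)


def coarsen_ip(raw):
    """Return the network a client address belongs to, never the address."""
    addr = ipaddress.ip_address(raw)  # raises ValueError on garbage
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is treated as IPv4,
    # otherwise the /48 cut would collapse every such client into "::/48".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def coarsen_time(raw):
    """Truncate the timestamp to the hour."""
    ts = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S")
    return ts.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:00")


def strip_query(url):
    """Drop query string and fragment, which is where search terms live."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


def minimize(line):
    """Reduce one raw line, or return None if it cannot be parsed.

    Unparseable lines are dropped rather than stored as-is, so a parser
    failure can never leak a raw record into the log.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 3:
        return None
    ts, ip, url = fields
    try:
        return (coarsen_time(ts), coarsen_ip(ip), strip_query(url))
    except ValueError:
        return None


def ingest(lines):
    """Return (stored_records, dropped_count) for a batch of raw lines."""
    kept, dropped = [], 0
    for line in lines:
        record = minimize(line)
        if record is None:
            dropped += 1
        else:
            kept.append(record)
    return kept, dropped


if __name__ == "__main__":
    records, dropped = ingest(SAMPLE_LINES)
    for record in records:
        print("\t".join(record))
    print(f"dropped {dropped} unparseable line(s)")
```

Prefix truncation narrows what a stored record reveals but does not by itself make it anonymous: a small network combined with an hour and a page title can still single out a reader.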
Re: [Wikimedia-l] PRISM
Precisely, they could ask to have CU accounts... Flo On 6/10/13 4:53 AM, Benoit Landry wrote: What information could the WMF disclose that isn't already available to some volunteers anyhow? The IP addresses of logged-in editors are visible to volunteer CUs; deleted revisions and log entries are visible to all volunteer admins. Wikipedia's inherently a pretty transparent system... , Salvidrim! -Original Message- From: Anthony Sent: Sunday, June 09, 2013 10:37 PM To: Wikimedia Mailing List Subject: Re: [Wikimedia-l] PRISM There is plenty of reason to think the government would be interested in Wikipedia access logs. On the other hand, there's very little reason to believe an organization when they say they haven't been turning over information under a top secret order which they're not allowed to tell anyone about. On Sun, Jun 9, 2013 at 10:17 PM, Nathan nawr...@gmail.com wrote: I think an official statement would be unnecessary and ill advised. It doesn't affect Wikimedia projects, there is no reason to think it does, and involving itself would be a mistake the WMF can and should avoid. On Sun, Jun 9, 2013 at 10:12 PM, Christophe Henner christophe.hen...@gmail.com wrote: My understanding is that PRISM focused on private electronic communication. I can't see a situation where we would be concerned by that. But some official statement could help put at ease people's worries :) -- Christophe On 10 June 2013 03:34, Fred Bauder fredb...@fairpoint.net wrote: All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. Fred This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense?
- Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
Everything passing over the internet is archived. Nearly everything done at Wikipedia passes over the internet. Fred My understanding is that PRISM focused on private electronic communication. I can't see a situation where we would be concerned by that. But some official statement could help put at ease people's worries :) -- Christophe On 10 June 2013 03:34, Fred Bauder fredb...@fairpoint.net wrote: All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. Fred This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
On 10 June 2013 10:56, Florence Devouard anthe...@yahoo.com wrote: Precisely, they could ask to have CU accounts... There are people who closely monitor who has what powers. - d.
Re: [Wikimedia-l] PRISM
On 06/10/2013 04:53 AM, Benoit Landry wrote: What information could the WMF disclose that isn't already available to some volunteers anyhow? The IP addresses of logged-in editors are visible to volunteer CUs; deleted revisions and log entries are visible to all volunteer admins. Wikipedia's inherently a pretty transparent system... The fact that the information is available to some users is irrelevant. If I send a private message through Facebook, I do not want it to be read by anyone other than the recipient. Same thing if I send an email through a WMF wiki. You are right, some information is available to more than one user. That doesn't mean it should be available to some three letter agency. Checkuser is a perfect example, as we have policies and safeguards in place to make sure its use is limited to a small set of cases. It is inherently a different kind of use than what the NSA would do, if it were able to access our logs. --Tobias
Re: [Wikimedia-l] PRISM
There is plenty of reason to think the government would be interested in Wikipedia access logs. On the other hand, there's very little reason to believe an organization when they say they haven't been turning over information under a top secret order which they're not allowed to tell anyone about. Correct. If Osama Bin Laden had been editing Wikipedia, before his death of course, through some account in Pakistan, it would have been rather reasonable to respond favorably to a request for information. But plenty of reason to think the government would be interested in Wikipedia access logs No, massive amounts of information about people doing ordinary things like editing articles about Homer Simpson is kind of the opposite of intelligence; it IS the haystack, not the needle. Fred
Re: [Wikimedia-l] PRISM
On 06/10/2013 03:17 AM, Liam Wyatt wrote: This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? I think Wikimedia should protest openly against such unethical surveillance. While previous posts have pointed out that indeed Wikipedia contains less private information than Facebook or Google, it still has a lot that should remain private. Most notably access logs of both readers and authors. Note that the Wikimedia Foundation could be gagged from informing the community about privacy leaks (https://en.wikipedia.org/wiki/National_security_letter). Free knowledge for everyone only works if everyone can safely access it without having to fear that third parties might be looking over the shoulder. It is in our core interest to ensure that the privacy of our users is respected. -- Tobias
Re: [Wikimedia-l] PRISM
Tobias wrote: I think Wikimedia should protest openly against such unethical surveillance. While previous posts have pointed out that indeed Wikipedia contains less private information than Facebook or Google, it still has a lot that should remain private. Most notably access logs of both readers and authors. If Wikimedia is not involved in the scandal, then it should not get involved in it of its own accord. We protested against DDL intercettazioni, SOPA and PIPA and the 139-FZ Act in Russia (among others) because they were /directly/ threatening the very existence of our projects. However, in this case I cannot see how what the NSA might or might not have done is related to us, and I do not think we should aim to introduce protest blindness (see [[banner blindness]] for reference). Should I start an AWWDPAIM (Association of Wikimedians Who Dislike Protesting Against Irrelevant Matters), perhaps? -- Tomasz
Re: [Wikimedia-l] PRISM
If the NSA, CIA, or some other spook agency is getting information off of Wikimedia servers, they don't have a CU account or anything like that. They'd have a program running at the operating system level that extracts the data in a standardised format and sends it off to some secret server somewhere where it can be collated for data mining purposes. If they have some way of getting private information, it's going to be well hidden and not something you or I are likely to (or capable of) stumbling across. Cheers, Craig On 10 June 2013 20:09, David Gerard dger...@gmail.com wrote: On 10 June 2013 10:56, Florence Devouard anthe...@yahoo.com wrote: Precisely, they could ask to have CU accounts... There are people who closely monitor who has what powers. - d.
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 6:10 AM, Fred Bauder fredb...@fairpoint.net wrote: Everything passing over the internet is archived. Nearly everything done at Wikipedia passes over the internet. Encrypted, if you're using https everywhere (and Wikipedia hasn't intentionally or unintentionally compromised their certificate).
Re: [Wikimedia-l] PRISM
I don't understand this line of discussion. From an intelligence stand-point, the goal of the program seems to be communication interception COMINT through SIGAD means. From phone calls, to emails, to private and public posts. I'm not sure how that would have any bearing on Wikipedia though, the purpose there is to write an article, fix typos, add pictures, occasionally there is cross-communication between different editors. Nearly all of it is visible to the world. I read Domas' email[1] linked to by Benjamin Lees, he seems pretty clear that there is nothing hidden and discussions like this are a waste of time. This is one of the big benefits of the open culture. There is little hidden about Wikipedia, or even Wikimedia. There are no secret server logs, and I'm not sure what they would actually be of. Most of the logs are already there in revisions, and the entire copy of Wikipedia can just be downloaded without anyone's permission and inspected to death. As far as CU checks go, I think we've made a bigger deal of it on wiki than it has, in real world implication. They just pull information from the headers, that virtually any server that has a visitor has access to. If a system with a breadth like PRISM can exist and monitor virtually all communication traffic across multiple countries, - in comparison, figuring out someone's header info or extracting their browser choice and IP address would be the least useful thing to them. And then drowned between a deluge of IP addresses, most of which are already dynamic, would reveal what, exactly- a user from Russia fixed a typo today, a user from Spain likes ice cream, someone else uploaded a picture of their dog.
I guess what I'm saying is, all this wouldn't be hard to do - but there is absolutely no utility any decent intelligence community can expect to gain from this, when they have access to your email accounts and phone records, this seems like a giant waste of time when 90% of it is already up there for anyone to see. The irony here is perhaps that we're having a discussion about a top-secret government monitoring program on a publicly archived indexed list, most of us using email accounts which the program actually *does* monitor, all to talk about exposure to Wikipedia which has no such thing to archive, monitor or hide. Regards Theo http://thread.gmane.org/gmane.org.wikimedia.foundation/49712/focus=49727 On Mon, Jun 10, 2013 at 5:59 PM, Craig Franklin cfrank...@halonetwork.net wrote: If the NSA, CIA, or some other spook agency is getting information off of Wikimedia servers, they don't have a CU account or anything like that. They'd have a program running at the operating system level that extracts the data in a standardised format and sends it off to some secret server somewhere where it can be collated for data mining purposes. If they have some way of getting private information, it's going to be well hidden and not something you or I are likely to (or capable of) stumbling across. Cheers, Craig On 10 June 2013 20:09, David Gerard dger...@gmail.com wrote: On 10 June 2013 10:56, Florence Devouard anthe...@yahoo.com wrote: Precisely, they could ask to have CU accounts... There are people who closely monitor who has what powers. - d.
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 6:21 AM, Fred Bauder fredb...@fairpoint.net wrote: Correct. If Osama Bin Laden had been editing Wikipedia, before his death of course, through some account in Pakistan, it would have been rather reasonable to respond favorably to a request for information. But plenty of reason to think the government would be interested in Wikipedia access logs No, massive amounts of information about people doing ordinary things like editing articles about Homer Simpson is kind of the opposite of intelligence; it IS the haystack, not the needle. And yet, PRISM is exactly about collecting the full haystack. And it makes sense, if you ignore the privacy implications: Collect everything in your multi-zettabyte storage device, even if you aren't going to analyze it right away. And yeah, editing articles about Homer Simpson is one thing. Editing articles about the Tea Party, on the other hand... Fred, you used to be a lawyer. How would you like the government to have access to all the Wikipedia searches (and google searches which linked to Wikipedia) done from your office? Might that not compromise your ability to defend alleged criminals?
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 8:59 AM, Theo10011 de10...@gmail.com wrote: I'm not sure how that would have any bearing on Wikipedia though, the purpose there is to write an article, fix typos, add pictures, occasionally there is cross-communication between different editors. Wikipedia is not a top traffic website from people editing. 99% of the traffic is reading/searching. We know that people's Google searches have been used against them in court. I'm not aware of any cases where Wikipedia searches have been used. But I can't imagine why they'd be any different.
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 6:33 PM, Anthony wikim...@inbox.org wrote: Wikipedia is not a top traffic website from people editing. 99% of the traffic is reading/searching. Yes, and as I pointed out with the email written by Domas, those logs don't exist. We know that people's Google searches have been used against them in court. I'm not aware of any cases where Wikipedia searches have been used. But I can't imagine why they'd be any different. Because one is a search engine and the other is an encyclopedia. If someone was researching ways to make explosives or looking for child pornography, those are grounds to incriminate. Wikipedia on the other hand is an encyclopedia. There is nothing illegal about going into a library and looking at a physical encyclopedia, nor should there be about Wikipedia. Regards Theo
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 6:10 AM, Fred Bauder fredb...@fairpoint.net wrote: Everything passing over the internet is archived. Nearly everything done at Wikipedia passes over the internet. Encrypted, if you're using https everywhere (and Wikipedia hasn't intentionally or unintentionally compromised their certificate). But simple encryption that NSA can break at will. Fred
Re: [Wikimedia-l] PRISM
They tap directly into the internet backbone. Only if there is some particular matter which interests them which they would need our help to decipher would they contact the Foundation. There are a few things out there that I can imagine them being interested in, but very few. For example, there are small groups of people in the United States that support The Shining Path or the Naxalites. Active steps to open a military front in the United States would probably kick them into gear and they might be interested in who edited our articles on these subjects as advocates for that tendency. Fred If the NSA, CIA, or some other spook agency is getting information off of Wikimedia servers, they don't have a CU account or anything like that. They'd have a program running at the operating system level that extracts the data in a standardised format and sends it off to some secret server somewhere where it can be collated for data mining purposes. If they have some way of getting private information, it's going to be well hidden and not something you or I are likely to (or capable of) stumbling across. Cheers, Craig On 10 June 2013 20:09, David Gerard dger...@gmail.com wrote: On 10 June 2013 10:56, Florence Devouard anthe...@yahoo.com wrote: Precisely, they could ask to have CU accounts... There are people who closely monitor who has what powers. - d.
Re: [Wikimedia-l] PRISM
You are right, Anthony, never assume you're not dealing with idiots. If NSA is doing detailed surveillance of Tea Party activists or defense lawyers we are truly well along the road to hell. Fred On Mon, Jun 10, 2013 at 6:21 AM, Fred Bauder fredb...@fairpoint.net wrote: Correct. If Osama Bin Laden had been editing Wikipedia, before his death of course, through some account in Pakistan, it would have been rather reasonable to respond favorably to a request for information. But plenty of reason to think the government would be interested in Wikipedia access logs No, massive amounts of information about people doing ordinary things like editing articles about Homer Simpson is kind of the opposite of intelligence; it IS the haystack, not the needle. And yet, PRISM is exactly about collecting the full haystack. And it makes sense, if you ignore the privacy implications: Collect everything in your multi-zettabyte storage device, even if you aren't going to analyze it right away. And yeah, editing articles about Homer Simpson is one thing. Editing articles about the Tea Party, on the other hand... Fred, you used to be a lawyer. How would you like the government to have access to all the Wikipedia searches (and google searches which linked to Wikipedia) done from your office? Might that not compromise your ability to defend alleged criminals?
Re: [Wikimedia-l] PRISM
National Security Letters have been served on Libraries. However, as we keep no track whatever of who is reading the site; it is hard to see how serving one on us would accomplish anything; we can't produce records we don't keep. I suppose a secret court order could be applied for which would require us to log readers and searchers, but that would be kind of dumb and unproductive. Fred On Mon, Jun 10, 2013 at 6:33 PM, Anthony wikim...@inbox.org wrote: Wikipedia is not a top traffic website from people editing. 99% of the traffic is reading/searching. Yes, and as I pointed out with the email written by Domas, those logs don't exist. We know that people's Google searches have been used against them in court. I'm not aware of any cases where Wikipedia searches have been used. But I can't imagine why they'd be any different. Because one is a search engine and the other is an encyclopedia. If someone was researching ways to make explosives or looking for child pornography, those are grounds to incriminate. Wikipedia on the other hand is an encyclopedia. There is nothing illegal about going into a library and looking at a physical encyclopedia, nor should there be about Wikipedia. Regards Theo
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 11:00 PM, Anthony wikim...@inbox.org wrote: On Mon, Jun 10, 2013 at 6:21 AM, Fred Bauder fredb...@fairpoint.net wrote: No, massive amounts of information about people doing ordinary things like editing articles about Homer Simpson is kind of the opposite of intelligence; it IS the haystack, not the needle. And yet, PRISM is exactly about collecting the full haystack. And it makes sense, if you ignore the privacy implications: Collect everything in your multi-zettabyte storage device, even if you aren't going to analyze it right away. And we give every needle a distinct and descriptive name. And yeah, editing articles about Homer Simpson is one thing. Editing articles about the Tea Party, on the other hand... Or DeCSS, or AACS, .. Or 2012 Benghazi attack, Efforts to impeach Barack Obama, Drone attacks in Pakistan, .. Or PRISM (surveillance program), Edward Snowden, Bradley Manning, .. It would be good *if* the WMF can provide assurances to editors that they haven't received any national security letters or other 'trawling' requests from any U.S. agency. If the WMF has received zero such requests, can the WMF say that? There wouldn't be any gag order. https://en.wikipedia.org/wiki/National_security_letter says that the gag orders were struck down, pending appeal. That means we may have to wait a while.. -- John Vandenberg
Re: [Wikimedia-l] PRISM
On 06/10/2013 03:30 PM, Fred Bauder wrote: Encrypted, if you're using https everywhere (and Wikipedia hasn't intentionally or unintentionally compromised their certificate). But simple encryption that NSA can break at will. No one will bother trying to break SSL/TLS. The NSA certainly doesn't need to. They can just sign their own certificates and perform man-in-the-middle attacks. Browsers will in most cases accept those forged certificates, since the NSA can make sure that they are signed by a CA trusted by many browsers. A bit off-topic, but this talk explains everything wrong with the certificate system: https://www.youtube.com/watch?v=Z7Wl2FW2TcA -- Tobias
Re: [Wikimedia-l] PRISM
It would be good *if* the WMF can provide assurances to editors that they haven't received any national security letters or other 'trawling' requests from any U.S. agency. If the WMF has received zero such requests, can the WMF say that? There wouldn't be any gag order. https://en.wikipedia.org/wiki/National_security_letter says that the gag orders were struck down, pending appeal. That means we may have to wait a while.. -- John Vandenberg I know a college librarian who used to be in Naval Intelligence. He swore up and down that should his library receive such a request that he would not honor it. There is a lot of blowback to this sort of stuff not only by librarians but by people with intelligence experience. It seems very unlikely we would have received one, not only because of it being useless, but also because of the very high probability that our outlaw organization would almost certainly disclose it. Fred
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 7:31 PM, John Vandenberg jay...@gmail.com wrote: Or DeCSS, or AACS, .. Or 2012 Benghazi attack, Efforts to impeach Barack Obama, Drone attacks in Pakistan, .. Or PRISM (surveillance program), Edward Snowden, Bradley Manning, .. It would be good *if* the WMF can provide assurances to editors that they haven't received any national security letters or other 'trawling' requests from any U.S. agency. If the WMF has received zero such requests, can the WMF say that? There wouldn't be any gag order. You mean like Yahoo, Facebook, Google and Microsoft did at this program's first disclosure[1]. They all denied it for the record. They also have long running campaigns about security, protecting user data and privacy. After Obama and the NSA chief admitted to it, everyone started re-examining the language of their denial and found loopholes and similarities between carefully worded responses which were written and revised by a team of lawyers. There isn't any personal data (more than IP addresses etc.) on Wikipedia to compromise. As a user, I would actually be more concerned if WMF put out a similar response along with the big guys. It would be analogous to walking in a police station and yelling I wasn't involved in that... - when no one actually knows or suspects anything. On Mon, Jun 10, 2013 at 6:59 PM, Fred Bauder fredb...@fairpoint.net wrote: They tap directly into the internet backbone. Only if there is some particular matter which interests them which they would need our help to decipher would they contact the Foundation. There are a few things out there that I can imagine them being interested in, but very few. For example, there are small groups of people in the United States that support The Shining Path or the Naxalites. Active steps to open a military front in the United States would probably kick them into gear and they might be interested in who edited our articles on these subjects as advocates for that tendency. 
Actually, it's still not clear the methodology they use - there are theories about lockboxes, about a beam splitter at Tier 1 service providers, or running a shadow copy from the service provider lines, or combination of those, or something else entirely. The original slide did mention upstream and downstream surveillance methods as some news stories pointed out. I have no possible way to extract who is a supporter of a cause, based on what article they edit or what they read. There can be some form of POV pushers but again there is nothing that would require this level of circumvention to use a secret government surveillance program to discern. More often than not, I and prob. a large number of editors just fix things, add something here and there and move on. They don't pay attention to the political ramifications of editing that article. The amount of false positive they would get from monitoring something like this would be several times more than anything resembling a useful and sustained pattern. Not to mention, this would require human interpretation to discern when someone supports a cause, pushes POV or just curates an article without any underlying feeling. Again, all this would be going the long way round to prove something they can easily get from a user's email, chat logs and searches- the perception of threat would also be more evident from their personal communication instead of public editing behavior. Regards Theo [1] http://en.wikipedia.org/wiki/PRISM_(surveillance_program)#Response_from_companies
Re: [Wikimedia-l] PRISM
I think the key here is not to keep more information about users than necessary. Of course, there is the question of if the NSA asks for our checkuser data. I am relatively confident of WMF's honesty here. They have been pretty concerned about user privacy in general (I am sure that there is some WMF privacy mishap that happened at some point, but I am judging by my overall sense of the organization, make of it what you will. I think it would be a good idea for the WMF legal department to make a statement (which means I need to remember what mailing list legal is, it's not a burden but I am a lazy, lazy man) On Jun 10, 2013 10:39 AM, Theo10011 de10...@gmail.com wrote: On Mon, Jun 10, 2013 at 7:31 PM, John Vandenberg jay...@gmail.com wrote: Or DeCSS, or AACS, .. Or 2012 Benghazi attack, Efforts to impeach Barack Obama, Drone attacks in Pakistan, .. Or PRISM (surveillance program), Edward Snowden, Bradley Manning, .. It would be good *if* the WMF can provide assurances to editors that they haven't received any national security letters or other 'trawling' requests from any U.S. agency. If the WMF has received zero such requests, can the WMF say that? There wouldn't be any gag order. You mean like Yahoo, Facebook, Google and Microsoft did at this program's first disclosure[1]. They all denied it for the record. They also have long running campaigns about security, protecting user data and privacy. After Obama and the NSA chief admitted to it, everyone started re-examining the language of their denial and found loopholes and similarities between carefully worded responses which were written and revised by a team of lawyers. There isn't any personal data (more than IP addresses etc.) on Wikipedia to compromise. As a user, I would actually be more concerned if WMF put out a similar response along with the big guys. It would be analogous to walking in a police station and yelling I wasn't involved in that... - when no one actually knows or suspects anything. 
On Mon, Jun 10, 2013 at 6:59 PM, Fred Bauder fredb...@fairpoint.net wrote: They tap directly into the internet backbone. Only if there is some particular matter which interests them which they would need our help to decipher would they contact the Foundation. There are a few things out there that I can imagine them being interested in, but very few. For example, there are small groups of people in the United States that support The Shining Path or the Naxalites. Active steps to open a military front in the United States would probably kick them into gear and they might be interested in who edited our articles on these subjects as advocates for that tendency. Actually, it's still not clear the methodology they use - there are theories about lockboxes, about a beam splitter at Tier 1 service providers, or running a shadow copy from the service provider lines, or combination of those, or something else entirely. The original slide did mention upstream and downstream surveillance methods as some news stories pointed out. I have no possible way to extract who is a supporter of a cause, based on what article they edit or what they read. There can be some form of POV pushers but again there is nothing that would require this level of circumvention to use a secret government surveillance program to discern. More often than not, I and prob. a large number of editors just fix things, add something here and there and move on. They don't pay attention to the political ramifications of editing that article. The amount of false positive they would get from monitoring something like this would be several times more than anything resembling a useful and sustained pattern. Not to mention, this would require human interpretation to discern when someone supports a cause, pushes POV or just curates an article without any underlying feeling. 
Again, all this would be going the long way round to prove something they can easily get from a user's email, chat logs and searches- the perception of threat would also be more evident from their personal communication instead of public editing behavior. Regards Theo [1] http://en.wikipedia.org/wiki/PRISM_(surveillance_program)#Response_from_companies
Re: [Wikimedia-l] PRISM
Forwarded to legal at wikimedia.org Fred I think the key here is not to keep more information about users than necessary. Of course, there is the question of if the NSA asks for our checkuser data. I am relatively confident of WMF's honesty here. They have been pretty concerned about user privacy in general (I am sure that there is some WMF privacy mishap that happened at some point, but I am judging by my overall sense of the organization, make of it what you will. I think it would be a good idea for the WMF legal department to make a statement (which means I need to remember what mailing list legal is, it's not a burden but I am a lazy, lazy man) We have occasionally made mistakes, but all checkuser requests are logged; fishing expeditions are not allowed. Fred
Re: [Wikimedia-l] PRISM
On 10/06/13 14:12, Tobias wrote: No one will bother trying to break SSL/TLS. The NSA certainly doesn't need to. They can just sign their own certificates and perform man-in-the-middle attacks. Browsers will in most cases accept those forged certificates, since the NSA can make sure that they are signed by a CA trusted by many browsers. With all the computing power they do have and will have they could, in theory, try to break the CA certificates themselves. They can collect and store the encrypted traffic and then at any time decrypt said traffic when they've done breaking the CA certificate used to encrypt it. It could be worth it for them in case of the big CAs. For all we know, the big CAs could have received secret court orders where they are required to hand over the certificates themselves, foregoing the aforementioned step. This uncertainty due to this kind of secrecy isn't good for the mind. - Svavar Kjarrval
Re: [Wikimedia-l] PRISM
Encrypted, if you're using https everywhere (and Wikipedia hasn't intentionally or unintentionally compromised their certificate). But simple encryption that NSA can break at will. No one will bother trying to break SSL/TLS. The NSA certainly doesn't need to. They can just sign their own certificates and perform man-in-the-middle attacks. Browsers will in most cases accept those forged certificates, since the NSA can make sure that they are signed by a CA trusted by many browsers. HTTPS Everywhere (which I mentioned) includes a Decentralized SSL Observatory to try to detect exactly this. If the NSA wants to keep their spying a secret, they won't do a MITM attack, because they'd get caught. I suspect if they were doing this with a significant portion of traffic, they'd have been caught by now, and that it'd be a story I would have heard of. So what's left is breaking the encryption after the fact. I'm not aware of how much difficulty this is (or even what encryption is used by Wikipedia), but it's probably going to slow the process down to where they're less likely to go on pure fishing expeditions. Once they have a target, sure, but just to make lists of people viewing certain Wikipedia articles, I doubt it. Maybe if the algorithm itself has been broken, or NSA has a whole lot of quantum computers the public doesn't know about, or something like that, but otherwise, I don't see them doing this en-masse. Storing the encrypted communications en-masse for later cracking, maybe. Or maybe I'm wrong about the difficulty of breaking Wikipedia's HTTPS. Anyone have any figures? Should Wikipedia be using stronger encryption? (A quick search shows that there might be a problem with RC4: http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked/)
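Editorial example, added here and not part of any message in the thread: a minimal sketch of the cross-vantage comparison the message above credits with catching a CA-signed forged certificate, namely that a certificate which validates in the browser still has a different fingerprint from the one everyone else sees. It is not the SSL Observatory's actual algorithm; the hostnames, issuer names, vantage labels and certificate bytes are constructed.

```python
import hashlib
from collections import Counter, defaultdict


def fingerprint(cert_bytes):
    """SHA-256 fingerprint of a certificate's encoded bytes."""
    return hashlib.sha256(cert_bytes).hexdigest()


# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
GENUINE = b"constructed-leaf-certificate-A"
FORGED = b"constructed-leaf-certificate-B"
STATIC = b"constructed-leaf-certificate-C"

# Constructed reports: (vantage point, hostname, issuer name, leaf certificate).
OBSERVATIONS = [
    ("vantage-1", "wiki.example", "Example CA 1", GENUINE),
    ("vantage-2", "wiki.example", "Example CA 1", GENUINE),
    ("vantage-3", "wiki.example", "Example CA 1", GENUINE),
    ("vantage-4", "wiki.example", "Example CA 2", FORGED),  # valid chain, wrong cert
    ("vantage-5", "wiki.example", "Example CA 1", GENUINE),
    ("vantage-1", "static.example", "Example CA 1", STATIC),
    ("vantage-2", "static.example", "Example CA 1", STATIC),
    ("vantage-3", "static.example", "Example CA 1", STATIC),
]


def find_anomalies(observations, min_reports=3):
    """Return {hostname: [(vantage, issuer, fingerprint, reason), ...]}.

    A report is anomalous when its leaf fingerprint differs from the one a
    strict majority of vantage points saw for the same hostname.
    """
    by_host = defaultdict(list)
    for vantage, host, issuer, cert in observations:
        by_host[host].append((vantage, issuer, fingerprint(cert)))

    anomalies = {}
    for host, seen in by_host.items():
        if len(seen) < min_reports:
            continue  # too few reports to establish a consensus
        counts = Counter(fp for _, _, fp in seen)
        consensus_fp, votes = counts.most_common(1)[0]
        if votes * 2 <= len(seen):
            continue  # no strict majority, e.g. a site serving several certificates
        consensus_issuers = {iss for _, iss, fp in seen if fp == consensus_fp}
        odd = [
            # A different issuer is the stronger signal; the same issuer is
            # more often a routine reissue or a second load-balancer cert.
            (v, iss, fp, "issuer-changed" if iss not in consensus_issuers else "same-issuer")
            for v, iss, fp in seen
            if fp != consensus_fp
        ]
        if odd:
            anomalies[host] = odd
    return anomalies


if __name__ == "__main__":
    for host, reports in find_anomalies(OBSERVATIONS).items():
        for vantage, issuer, fp, reason in reports:
            print(host, vantage, issuer, reason, fp[:16])
```

A mismatch is a lead to investigate, not proof of interception: certificate rotation and CDNs produce benign differences, which is why the sketch separates issuer changes from same-issuer changes.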
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 9:09 AM, Theo10011 de10...@gmail.com wrote: On Mon, Jun 10, 2013 at 6:33 PM, Anthony wikim...@inbox.org wrote: We know that people's Google searches have been used against them in court. I'm not aware of any cases where Wikipedia searches have been used. But I can't imagine why they'd be any different. Because one is a search engine and the other is an encyclopedia. If someone was researching ways to make explosives or looking for child pornography, those are grounds to incriminate. First of all, no there isn't. Certainly not for researching ways to make explosives, anyway. Perhaps looking for child pornography could somehow be construed as attempted possession of child pornography, but even that would be stretching it. Wikipedia on the other hand is an encyclopedia. There is nothing illegal about going in to a library and looking at a physical encyclopedia, nor should there be about Wikipedia. That there's nothing illegal about it is the whole point. Were it illegal to view certain articles on Wikipedia, that the government would be able to violate the privacy of those doing so wouldn't even be a question.
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 9:36 AM, Fred Bauder fredb...@fairpoint.net wrote: You are right, Anthony, never assume you're not dealing with idiots. If NSA is doing detailed surveillance of Tea Party activists or defense lawyers we are truly well along the road to hell. Maybe we are. It certainly wouldn't be unprecedented for the government to engage in witch hunts against certain political groups. Granted, it's more likely to be the FBI that has a file on Tea Party groups than the NSA, but still... Tea Party groups was, of course, just an example. John Vandenberg gave a somewhat larger list.
Re: [Wikimedia-l] PRISM
They tap directly into the internet backbone. Only if there is some particular matter which interests them which they would need our help to decipher would they contact the Foundation. There are a few things out there that I can imagine them being interested in, but very few. For example, there are small groups of people in the United States that support The Shining Path or the Naxalites. Active steps to open a military front in the United States would probably kick them into gear and they might be interested in who edited our articles on these subjects as advocates for that tendency. Fred If the NSA, CIA, or some other spook agency is getting information off of Wikimedia servers, they don't have a CU account or anything like that. They'd have a program running at the operating system level that extracts the data in a standardised format and sends it off to some secret server somewhere where it can be collated for data mining purposes. If they have some way of getting private information, it's going to be well hidden and not something you or I are likely to (or capable of) stumbling across. Cheers, Craig On 10 June 2013 20:09, David Gerard dger...@gmail.com wrote: On 10 June 2013 10:56, Florence Devouard anthe...@yahoo.com wrote: Precisely, they could ask to have CU accounts... There are people who closely monitor who has what powers. - d.
Re: [Wikimedia-l] PRISM
Hi, all- For your information, we have not been approached to participate in PRISM, and we have never received or honored an NSA or FISA subpoena or order. If we were to be approached in the future, we would reject participation in any PRISM-type program to the maximum extent possible and challenge in court any such demand, since this sort of program, as described in the press, contradicts our core values of a free Internet and open, neutral access to knowledge. We should have a blog post up within the next few days to discuss PRISM and our values in more detail; we will pass that along here when it is posted. Thanks- Luis, Geoff, and Stephen On Sun, Jun 9, 2013 at 6:17 PM, Liam Wyatt liamwy...@gmail.com wrote: This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata -- Luis Villa Deputy General Counsel Wikimedia Foundation 415.839.6885 ext. 6810 NOTICE: This message may be confidential or legally privileged. If you have received it by accident, please delete it and let us know about the mistake. As an attorney for the Wikimedia Foundation, for legal/ethical reasons I cannot give legal advice to, or serve as a lawyer for, community members, volunteers, or staff members in their personal capacity.
Re: [Wikimedia-l] PRISM
Luis Villa wrote: For your information, we have not been approached to participate in PRISM, and we have never received or honored an NSA or FISA subpoena or order. Google and Facebook both flatly denied having any relationship to PRISM, and it turned out not to be exactly true—is there any reason we should trust you more than them? Let the games begin. -- Tomasz
Re: [Wikimedia-l] PRISM
Because Luis, Geoff and Stephen all know me well, and in particular they know that if they did sign up to such a programme I'd deck them :P. On 10 June 2013 23:29, Tomasz W. Kozlowski tom...@twkozlowski.net wrote: Luis Villa wrote: For your information, we have not been approached to participate in PRISM, and we have never received or honored an NSA or FISA subpoena or order. Google and Facebook both flatly denied having any relationship to PRISM, and it turned out not to be exactly true—is there any reason we should trust you more than them? Let the games begin. -- Tomasz -- Oliver Keyes Community Liaison, Product Development Wikimedia Foundation
Re: [Wikimedia-l] PRISM
On 11/06/13 05:21, Anthony wrote: On Mon, Jun 10, 2013 at 9:36 AM, Fred Bauder fredb...@fairpoint.net wrote: You are right, Anthony, never assume you're not dealing with idiots. If NSA is doing detailed surveillance of Tea Party activists or defense lawyers we are truly well along the road to hell. Maybe we are. It certainly wouldn't be unprecedented for the government to engage in witch hunts against certain political groups. Granted, it's more likely to be the FBI that has a file on Tea Party groups than the NSA, but still... According to the Washington Post, PRISM is primarily operated by the FBI. The data is stored by the FBI, and the NSA requests data from the FBI on a case-by-case basis. The FBI checks each search term to make sure the person named is not a US citizen. http://www.washingtonpost.com/world/national-security/us-company-officials-internet-surveillance-does-not-indiscriminately-mine-data/2013/06/08/5b3bb234-d07d-11e2-9f1a-1a7cdee20287_story_1.html So there is a separation of responsibilities, but there is no reason to think that US citizens are better protected against snooping than foreigners. -- Tim Starling
Re: [Wikimedia-l] PRISM
On Tue, Jun 11, 2013 at 8:15 AM, Luis Villa lvi...@wikimedia.org wrote: Hi, all- For your information, we have not been approached to participate in PRISM, and we have never received or honored an NSA or FISA subpoena or order. If we were to be approached in the future, we would reject participation in any PRISM-type program to the maximum extent possible and challenge in court any such demand, since this sort of program, as described in the press, contradicts our core values of a free Internet and open, neutral access to knowledge. We should have a blog post up within the next few days to discuss PRISM and our values in more detail; we will pass that along here when it is posted. Thanks. Please put the draft on meta so the volunteers can review it and identify phrases which are not tight enough. e.g. we have never received or honored an NSA or FISA subpoena or order is good (and far better than I've seen from Google or Facebook), but ... does that exclude all possible orders under the Patriot Act? does that exclude orders from any U.S. Government agency? e.g. FBI? I don't know the answer to those questions, and I am sure the average reader doesn't either. It would be helpful to have a response which has both precise language and broad statements that will ensure the layman doesn't worry that WMF is dodging the question. -- John Vandenberg
Re: [Wikimedia-l] PRISM
David Gerard wrote: On 10 June 2013 18:01, Rand McRanderson therands...@gmail.com wrote: I think the key here is not to keep more information about users than necessary. In particular - at present. as I understand it, we don't keep full access logs, just 1/1000 samples. We need to not keep full access logs. I'm not sure about access log retention. I know what used to be true (that we didn't and frankly couldn't keep full access logs), but I'm not sure what the current situation is. Related to this, however, is a broader point about hiding versus deleting information. We, as a community, have gotten into a pattern of hiding (suppressing) information in our databases rather than simply removing it outright. This has advantages (chiefly reversibility), but the practice of sweeping information under the rug rather than taking out the trash can, and inevitably will, cause issues. Truly problematic usernames, edits, and logs really ought to be deleted, not simply suppressed, in my opinion. This has come up in the context of database dumps and database replication. We're basically asking for this information to one day be leaked by retaining it indefinitely (including usernames that out individuals, CheckUser logs, content buried inside page histories, etc.). MZMcBride
Re: [Wikimedia-l] PRISM
David Gerard wrote: On 10 June 2013 18:01, Rand McRanderson therands...@gmail.com wrote: I think the key here is not to keep more information about users than necessary. In particular - at present. as I understand it, we don't keep full access logs, just 1/1000 samples. We need to not keep full access logs. I'm not sure about access log retention. I know what used to be true (that we didn't and frankly couldn't keep full access logs), but I'm not sure what the current situation is. Related to this, however, is a broader point about hiding versus deleting information. We, as a community, have gotten into a pattern of hiding (suppressing) information in our databases rather than simply removing it outright. This has advantages (chiefly reversibility), but the practice of sweeping information under the rug rather than taking out the trash can, and inevitably will, cause issues. Truly problematic usernames, edits, and logs really ought to be deleted, not simply suppressed, in my opinion. This has come up in the context of database dumps and database replication. We're basically asking for this information to one day be leaked by retaining it indefinitely (including usernames that out individuals, CheckUser logs, content buried inside page histories, etc.). MZMcBride It is much better to be able to monitor oversighters than to completely remove the minuscule portion of suppressed material intelligence agencies might have an interest in. Fred
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 6:15 PM, Luis Villa lvi...@wikimedia.org wrote: We should have a blog post up within the next few days to discuss PRISM and our values in more detail; we will pass that along here when it is posted. Thanks. I do appreciate this. And it seems to be better worded than the statements of the Google and Facebook founders (which said that they had never heard of PRISM, not that they hadn't participated in it, and certainly not that they've never received a FISA subpoena). One thing I'd also appreciate is that if indeed Wikipedia access logs are not even collected in the first place (except for 1/1000 samples), that this be stated officially, rather than relying on a two-year-old comment by a single, now-former employee. Anyone who truly needs to keep their Wikipedia use confidential should, of course, still take measures to anonymize their access. But for the rest of the time, an assurance that these logs are simply not being kept is reassuring. Something in the privacy policy saying this would be best. But I've suggested this in the past, and WMF has declined on the grounds that they want to leave flexibility should they decide to do full logging in the future.
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 7:13 PM, John Vandenberg jay...@gmail.com wrote: e.g. we have never received or honored an NSA or FISA subpoena or order is good (and far better than I've seen from Google or Facebook), but ... does that exclude all possible orders under the Patriot Act? does that exclude orders from any U.S. Government agency? e.g. FBI? Apparently if it's your communications records the government is after, they're more likely to use a National Security Letter ( https://ssd.eff.org/foreign/fisa)
Re: [Wikimedia-l] PRISM
Anthony and John beat me to it -- I was going to second the suggestion that the sentence spend a bit of time being wordcrafted on Meta for extra eyes, to clarify things like the National Security Letters, NSL gag orders, etc. -Dan Dan Rosenthal On Tue, Jun 11, 2013 at 4:02 AM, Anthony wikim...@inbox.org wrote: On Mon, Jun 10, 2013 at 7:13 PM, John Vandenberg jay...@gmail.com wrote: e.g. we have never received or honored an NSA or FISA subpoena or order is good (and far better than I've seen from Google or Facebook), but ... does that exclude all possible orders under the Patriot Act? does that exclude orders from any U.S. Government agency? e.g. FBI? Apparently if it's your communications records the government is after, they're more likely to use a National Security Letter ( https://ssd.eff.org/foreign/fisa)
Re: [Wikimedia-l] PRISM
Fred Bauder wrote: This has come up in the context of database dumps and database replication. We're basically asking for this information to one day be leaked by retaining it indefinitely (including usernames that out individuals, CheckUser logs, content buried inside page histories, etc.). It is much better to be able to monitor oversighters than to completely remove the minuscule portion of suppressed material intelligence agencies might have an interest in. Sorry, that confusion was caused by me. I wasn't speaking in the context of the NSA or PRISM or anything like that (subject line aside, of course). I was talking about the general trend of preferring suppression to (actual) deletion on Wikimedia wikis. Though to frame it as simply able to monitor oversighters misses the point, I think. Yes, it's a trade-off, but when we think of things like long-banned usernames (and their associated block log entries) that are basically vandalism, we can take the approach of hiding them indefinitely (sweeping them under the rug) or we can take the approach of eventually deleting them outright (taking out the trash). The same is true of CheckUser logs, particularly logged direct queries of IP addresses, which when viewed in a timeline, can often reveal an editor's IP addresses. This is basically private user metadata similar to the telephony metadata at the center of one of these recent controversies. We can choose to keep these logs around forever, hoping they'll never be exposed, or we can delete them after a certain period of time. In other words, it's not even outright suppression (in the MediaWiki sense) that we should consider. Private data can't and won't stay private forever unless it's actively destroyed. Surely history has taught us this. My view is that if you continue sweeping things under the rug, eventually some dirt is going to be exposed. 
This related to the thread's larger point about removing liability/culpability by simply deleting things rather than archiving them indefinitely. MZMcBride
Re: [Wikimedia-l] PRISM
Anthony wrote: One thing I'd also appreciate is that if indeed Wikipedia access logs are not even collected in the first place (except for 1/1000 samples), that this be stated officially, rather than relying on a two-year-old comment by a single, now-former employee. Minor point: I can't tell for sure if this is a reference to Domas, but if so, he only ever served as a Wikimedia Foundation Board member and volunteer sysadmin, never as an employee, as far as I know. Anyone who truly needs to keep their Wikipedia use confidential should, of course, still take measures to anonymize their access. But for the rest of the time, an assurance that these logs are simply not being kept is reassuring. Something in the privacy policy saying this would be best. But I've suggested this in the past, and WMF has declined on the grounds that they want to leave flexibility should they decide to do full logging in the future. I'm not sure that an empty reassurance will be particularly reassuring. It's not as though the Legal and Community Advocacy team sets log rotation/expiration times. This would have to be put into the privacy policy to mean anything of substance, I think. And I completely agree with your understanding of the current situation (the Wikimedia Foundation objecting due to concerns about future flexibility). Though I'm now remembering that there are certain staff policies that now exist (they contrast with official/Board policies). Perhaps that would be an avenue to pursue? MZMcBride
Re: [Wikimedia-l] PRISM
Federico Leva (Nemo) wrote: Benjamin Lees, 10/06/2013 08:13: http://thread.gmane.org/gmane.org.wikimedia.foundation/49712/focus=49727 is probably relevant (if what Domas said then is still true). While I'm not aware of privacy changing substantially, speaking of fantastic names, Kraken is going to change things a bit compared to 2010: https://www.mediawiki.org/wiki/Analytics/Kraken/Request_Logging https://www.mediawiki.org/wiki/Analytics/Kraken/Data_Formats I didn't find a human-readable overview but the gist seems to be that WMF will log the same (partial) data, but for 100 % of visits rather than 1/1000. More technical members of the list will be able to tell more from the specifications and source code. Kraken: the next-generation analytics platform that we'll see next generation. ;-) You and I should write the history of Wikimedia analytics. I already have notes! MZMcBride
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 10:06 PM, MZMcBride z...@mzmcbride.com wrote: Anthony wrote: One thing I'd also appreciate is that if indeed Wikipedia access logs are not even collected in the first place (except for 1/1000 samples), that this be stated officially, rather than relying on a two-year-old comment by a single, now-former employee. Minor point: I can't tell for sure if this is a reference to Domas, but if so, he only ever served as a Wikimedia Foundation Board member and volunteer sysadmin, never as an employee, as far as I know. Ah yes. I was mistaken. Did a quick look at his LinkedIn page, which said Data Performance Engineer, and negligently assumed that meant employee. I mostly agree with the rest of your post.
Re: [Wikimedia-l] PRISM
On 11/06/13 10:41, Anthony wrote: One thing I'd also appreciate is that if indeed Wikipedia access logs are not even collected in the first place (except for 1/1000 samples), that this be stated officially, rather than relying on a two-year-old comment by a single, now-former employee. In October 2012, I introduced an unsampled log of API requests, including IP addresses. This was in response to a server overload caused by the API which was very difficult to isolate due to the lack of meaningful logs. The retention time is currently 30 days. This means that, among other things, search autocomplete is logged. The logs are collected at the backend, which means that Squid cache hits will not be logged. So autocomplete requests for common terms and prefixes will appear rarely. This is not a secret -- the changes that made it happen were public at the time: https://gerrit.wikimedia.org/r/#/c/24274/ https://gerrit.wikimedia.org/r/#/c/26434/ I'm sure that the other teams (e.g. fundraising, mobile and analytics) can give you details of what access logs they collect and store. In general, access logs haven't been stored due to cost, rather than for any privacy reason. Lots of smaller services (e.g. blog.wikimedia.org) store access logs. -- Tim Starling
[Wikimedia-l] PRISM
This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. Fred This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
My understanding is that PRISM focused on private electronic communication. I can't see a situation where we would be concerned by that. But some official statement could help put at ease people's worries :) -- Christophe On 10 June 2013 03:34, Fred Bauder fredb...@fairpoint.net wrote: All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. Fred This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
2013/6/9 Fred Bauder fredb...@fairpoint.net All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. How about private messages from Special:EmailUser? Just asking. I haven't studied the subject of PRISM much yet. -- Amir Elisha Aharoni · אָמִיר אֱלִישָׁע אַהֲרוֹנִי http://aharoni.wordpress.com “We're living in pieces, I want to live in peace.” – T. Moore
Re: [Wikimedia-l] PRISM
I think an official statement would be unnecessary and ill advised. It doesn't affect Wikimedia projects, there is no reason to think it does, and involving itself would be a mistake the WMF can and should avoid. On Sun, Jun 9, 2013 at 10:12 PM, Christophe Henner christophe.hen...@gmail.com wrote: My understanding is that PRISM focused on private electronic communication. I can't see a situation where we would be concerned by that. But some official statement could help put at ease people's worries :) -- Christophe On 10 June 2013 03:34, Fred Bauder fredb...@fairpoint.net wrote: All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. Fred This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense? - Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
There is plenty of reason to think the government would be interested in Wikipedia access logs. On the other hand, there's very little reason to believe an organization when they say they haven't been turning over information under a top secret order which they're not allowed to tell anyone about. On Sun, Jun 9, 2013 at 10:17 PM, Nathan nawr...@gmail.com wrote: I think an official statement would be unnecessary and ill advised. It doesn't affect Wikimedia projects, there is no reason to think it does, and involving itself would be a mistake the WMF can and should avoid. On Sun, Jun 9, 2013 at 10:12 PM, Christophe Henner christophe.hen...@gmail.com wrote: My understanding is that PRISM focused on private electronic communication. I can't see a situation where we would be concerned by that. But some official statement could help put at ease people's worries :) -- Christophe On 10 June 2013 03:34, Fred Bauder fredb...@fairpoint.net wrote: All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. Fred This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense?
- Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
What information could the WMF disclose that isn't already available to some volunteers anyhow? The IP addresses of logged-in editors are visible to volunteer CUs; deleted revisions and log entries are visible to all volunteer admins. Wikipedia's inherently a pretty transparent system... , Salvidrim! -Original Message- From: Anthony Sent: Sunday, June 09, 2013 10:37 PM To: Wikimedia Mailing List Subject: Re: [Wikimedia-l] PRISM There is plenty of reason to think the government would be interested in Wikipedia access logs. On the other hand, there's very little reason to believe an organization when they say they haven't been turning over information under a top secret order which they're not allowed to tell anyone about. On Sun, Jun 9, 2013 at 10:17 PM, Nathan nawr...@gmail.com wrote: I think an official statement would be unnecessary and ill advised. It doesn't affect Wikimedia projects, there is no reason to think it does, and involving itself would be a mistake the WMF can and should avoid. On Sun, Jun 9, 2013 at 10:12 PM, Christophe Henner christophe.hen...@gmail.com wrote: My understanding is that PRISM focused on private electronic communication. I can't see a situation where we would be concerned by that. But some official statement could help put at ease people's worries :) -- Christophe On 10 June 2013 03:34, Fred Bauder fredb...@fairpoint.net wrote: All edits and other actions are archived, but I would think there would be zero interest or utility to NSA. I would simply ignore the matter. Fred This is a simple question with a potentially very complicated answer. What, if any, are the implications of the PRISM scandal for Wikimedia? Does the fact that our servers are based in the US now compromise our mission either in a technical, privacy or an ethical sense?
- Liam / Wittylama -- wittylama.com Peace, love metadata
Re: [Wikimedia-l] PRISM
On Sun, Jun 9, 2013 at 10:53 PM, Benoit Landry benoit_lan...@hotmail.com wrote: What information could the WMF disclose that isn't already available to some volunteers anyhow? I don't know what information some volunteers have access to, who qualifies as some volunteers (does the board qualify?), or why it matters whether or not a person is a volunteer. By access logs I meant HTTP access logs. It's pretty clear that without taking extraordinary measures, what you're editing is not anonymous. But some people are probably under the impression that what they're reading and searching (and linking from) is private. The IP addresses of logged-in editors are visible to volunteer CUs; En-masse, or one-request-at-a-time? deleted revisions and log entries are visible to all volunteer admins. Wikipedia's inherently a pretty transparent system... Transparent?
Re: [Wikimedia-l] PRISM
I'd suggest that Wikimedia projects are somewhat less susceptible to PRISM-style snooping, simply because we're not a communications medium like Google or Facebook are. However, there is plenty of non-public information that could be of interest:
- The IP addresses and identities of logged on users
- Server logs (including logs of users who use the https version of the sites)
- Times, dates, and possibly contents of emails sent through the Email this user functionality
- Other information that is not kept at the application (MediaWiki) layer, but possibly could be logged at the database or OS layers.
I wouldn't say that there's nothing to worry about, but at the same time I doubt we're near the top of the spooks' priority list. Cheers, Craig Franklin On 10 June 2013 13:05, Anthony wikim...@inbox.org wrote: On Sun, Jun 9, 2013 at 10:53 PM, Benoit Landry benoit_lan...@hotmail.com wrote: What information could the WMF disclose that isn't already available to some volunteers anyhow? I don't know what information some volunteers have access to, who qualifies as some volunteers (does the board qualify?), or why it matters whether or not a person is a volunteer. By access logs I meant HTTP access logs. It's pretty clear that without taking extraordinary measures, what you're editing is not anonymous. But some people are probably under the impression that what they're reading and searching (and linking from) is private. The IP addresses of logged-in editors are visible to volunteer CUs; En-masse, or one-request-at-a-time? deleted revisions and log entries are visible to all volunteer admins. Wikipedia's inherently a pretty transparent system... Transparent?
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 12:05 AM, Craig Franklin cfrank...@halonetwork.net wrote: I wouldn't say that there's nothing to worry about, but at the same time I doubt we're near the top of the spooks' priority list. Maybe not priority-wise, but remember that the cooperation between MediaWiki developers and the CIA goes back several years at the least.
Re: [Wikimedia-l] PRISM
On Mon, Jun 10, 2013 at 2:30 PM, Anthony wikim...@inbox.org wrote: Maybe not priority-wise, but remember that the cooperation between MediaWiki developers and the CIA goes back several years at the least. Please feel free to elaborate. Just because they use MediaWiki doesn't mean the developers are cooperating with them.