Re: [Wikimedia-l] Access to Private Information Policy: How Long Will This Be Left a Question Mark?

2015-04-13 Thread Trillium Corsage
Mr. Starling, thanks for your response. I have to preface this by saying my 
opinions are legitimate criticism and rightly motivated, but I nevertheless 
fear that they won't be allowed on the mailing list and that I will be kicked 
off it because of them.

 I don't know what identifying people with checkuser permissions is
 meant to achieve, when they are not liable for a breach of the privacy
 policy. I can understand requiring identification for Board members,
 who have legal responsibilities. But what is the point of having a
 photocopy of a CheckUser's passport when there are no conceivable
 circumstances under which you would give that photocopy to police?

No, there are plenty conceivable circumstances under which the WMF would be 
compelled to identify a community administrator to the police, such as a 
lawsuit for cyberstalking. For example WMF Steward Tbloemink and global sysop 
JurgenNL engaged in the stalking of Moiramoira via IRC, harassing phonecalls, 
and a visit to her home in which they peeped in her windows 
(http://meta.wikimedia.org/wiki/Requests_for_comment/Privacy_violation_by_TBloemink_and_JurgenNL).
 They did use their advanced administrative rights to identify her. So a 
criminal or civil case could be brought in which a subpoena for the passport 
would be lawfully issued.

In the broader picture, requiring identification would improve the behavior of 
any bad administrator that has slipped through the cracks and uses the advanced 
tools to violate users' privacy. Why? Because anonymity reduces the risks 
involved with bad behavior. So they are no longer restrained by personal 
accountability in checkusering people. They can do as they like, use the 
information in any way they like, and, beyond desysoping I guess, can never be 
held to account.  

 Maybe the idea is that if a CheckUser publically doxes someone for
 some petty purpose, such as revenge, then the victim may subpoena
 identifying records from the Foundation as part of a suit against the
 CheckUser. Note that I have done my fair share of troll hunting, it
 occupied quite a bit of my time between when I first got shell access
 in early 2004 and when I introduced CheckUser in late 2005. I have
 publically discussed identifying information of logged-in users. I
 never heard any credible theory on how my actions at that time might
 have created legal liability. Surely, if there was such a legal
 remedy, trolls would constantly threaten to use it.

Your presumption here is that administrators across the board are honorable 
troll hunters fulfilling a community duty, but the reality is somewhat 
different. The demonization of an editor as troll and sockpuppet and so 
forth is often falsely used by the administrator as an excuse for acting on his 
or her personal antipathies. They become irritated at an editor and set out to 
attack him or her, there are no controls on or standards for their actions. 

 I think that the most important practical measure we can take to
 protect users' privacy against CheckUser is to regularly audit the
 CheckUser logs. We should also work to improve their auditability. The
 logs have hundreds of entries of the form:

Yeah, that's a great idea, but further make it *publicly* auditable. Redact the 
privacy (IP) information and let the public know whom the checkusers are 
checkusering. Another great step would be to force entry of a *reason* before 
the checkuser tool can be used. As I understand it from all I've read, the 
checkuser tool now has a reason field, but it can be left blank. Reconfigure 
the tool to force entry of a reason for its use. And this also would immensely 
improve the ability to audit the logs.

13.04.2015, 01:56, Tim Starling tstarl...@wikimedia.org:
 On 13/04/15 00:12, Trillium Corsage wrote:

text clipped for brevity

___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Access to Private Information Policy: How Long Will This Be Left a Question Mark?

2015-04-12 Thread Tim Starling
On 13/04/15 00:12, Trillium Corsage wrote:
 On 25 April last year, the board of trustees approved, in a
 non-public and scantily-documented meeting, a policy that accords
 Checkuser and Oversight and other statuses to community members
 appointed by a community process with essentially a mere two
 requirements: provide an email address, and assert that you are 18
 or over. Name, address, NOT required. Is this truly an adequate way
 to protect the privacy interests of all those that edit Wikipedia?
 Well, I don't think so, but my purpose right now is to try to
 eliminate the ambiguity of what is actually occurring at this
 time.

I was not involved in the development of this policy, either the
original one or the current iteration. So what follows are my
independent, unofficial thoughts on the issue.

I don't know what identifying people with checkuser permissions is
meant to achieve, when they are not liable for a breach of the privacy
policy. I can understand requiring identification for Board members,
who have legal responsibilities. But what is the point of having a
photocopy of a CheckUser's passport when there are no conceivable
circumstances under which you would give that photocopy to police?

Maybe the idea is that if a CheckUser publically doxes someone for
some petty purpose, such as revenge, then the victim may subpoena
identifying records from the Foundation as part of a suit against the
CheckUser. Note that I have done my fair share of troll hunting, it
occupied quite a bit of my time between when I first got shell access
in early 2004 and when I introduced CheckUser in late 2005. I have
publically discussed identifying information of logged-in users. I
never heard any credible theory on how my actions at that time might
have created legal liability. Surely, if there was such a legal
remedy, trolls would constantly threaten to use it.

I think that the most important practical measure we can take to
protect users' privacy against CheckUser is to regularly audit the
CheckUser logs. We should also work to improve their auditability. The
logs have hundreds of entries of the form:

* AdminUser got IP addresses for Spambot10255787 (Investigating spam)
* AdminUser got users for 11.22.33.44/16 (Investigating spam)

What auditor is ever going to do another CheckUser request to make
sure that 11.22.33.44 really was an IP address used by
Spambot10255787? How can we tell if AdminUser was interested in
11.22.33.44 for some other reason? Linked log entries should probably
be explicitly annotated by the software.

-- Tim Starling


___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Access to Private Information Policy: How Long Will This Be Left a Question Mark?

2015-04-12 Thread Trillium Corsage
Very strange response, Oliver. I guess I'll take it one step at a time. 

1) Well into the email I certainly critiqued Philippe for shredding the 
identification documents, but it is a step too far to say I attacked him.

2) That he (and you) goes by his real name is a rightful aspect of his WMF (a 
public charity) employment. Yes, I strive to protect my online privacy and 
speak here from an obvious nickname or pseudonym. While I limit my statements 
to what I think is reasonable, I don't think I'm obligated to disclose my 
identity as he must. I also have never sought the ability to block others or to 
access their IP etc. information on Wikipedia, which would be a good argument 
that I identify.

3) Am I in the grip of a paranoid fantasy that Philippe Beaudette controls 
the WMF's board of trustees? No, I spoke only of the one matter. But okay, in 
that specific matter I gave him credit for forcing the board to change the 
access-to-private-information policy. While drawing pay, he flouted and defied 
the prior WMF policy. It's a matter of record that WMF Legal's Michelle Paulson 
was alarmed by this and brought it to the attention of the board, which then 
strongly impliedly endorsed Beaudette's actions by changing the policy. I dunno 
if he could similarly move the board on policy he's not intimately involved 
with implementing, I'd say not. 

Okay, then.

Trillium Corsage


12.04.2015, 17:20, Oliver Keyes ironho...@gmail.com:
 Have you considered that you might get a better response to your messages
 if you - and this is just an idea drawn of idle whimsy, here - not spend
 quite so much of them on an extended trip off the reservation in order to
 attack and critique someone under their real name in public while hiding
 any identification of who you are? While we're discussing privacy, here.

 Seriously: you've spent a lot of this email indulging in the paranoid
 fantasy that Philippe controls the board (he doesn't. One way you can tell
 is that they don't wear sweaters literally everywhere :p).

 If we're asking questions we've already seemingly made our minds up about,
 and prefacing them with lots of grumping, let me get in on this - exactly
 what response do you expect? How do you think your claim of a Philippe
 Occupied Government enhances the utility of your message and the value a
 reader takes from it?

 On Sunday, 12 April 2015, Trillium Corsage trillium2...@yandex.com wrote:
  I'm writing to get an answer (from anybody at the WMF) on the status of
  the WMF's policy access to private (i.e. IP, Browser, etc.) information.
  Each day thousands of people edit Wikipedia and deserve to know what
  measures, if any, are taken to avoid divulging to the wrong sort of people
  this sensitive information about them.

  On 25 April last year, the board of trustees approved, in a non-public and
  scantily-documented meeting, a policy that accords Checkuser and Oversight
  and other statuses to community members appointed by a community process
  with essentially a mere two requirements: provide an email address, and
  assert that you are 18 or over. Name, address, NOT required. Is this truly
  an adequate way to protect the privacy interests of all those that edit
  Wikipedia? Well, I don't think so, but my purpose right now is to try to
  eliminate the ambiguity of what is actually occurring at this time.

  One source of this ambiguity is the edit of the WMF's James Alexander (
  
 http://wikimediafoundation.org/w/index.php?title=Access_to_nonpublic_data_policyaction=historysubmitdiff=98029oldid=95071)
  on 6 June, in which he wrote: This policy has been replaced by a new
  [[m:Access to non public information policy|Access to non public
  information policy]], which was approved by the Board of Trustees on 25
  April 2014. However, this policy remains in force until the new processes
  mandated by the new policy are put into place. A future announcement will
  be made to those affected before the new policy goes in effect. It's now
  the future (and after nine months, quite so), so what is the policy?

  The old policy mandated that those seeking the accesses fax or secure
  email a from of identification. Casual and rank-and-file Wikipedia editors
  were repetitively told that the checkusers and oversighters etc. were
  identified to the WMF. This was incredibly misleading because the
  practice of Philippe Beaudette was to shred and otherwise destroy the
  identifications after marking the noticeboard. It is apparent to any
  plain-spoken individual, I think, that you can't tell people that those
  granted these accesses are identified to the WMF when you have shredded
  the documents and all that is left (except in Mr. Beaudette's memory) is a
  checkmark by a username on a noticeboard. It wasn't a semantic dodge
  predicated on the definition of identified, rather it was in my opinion a
  smoke-screen. Mr. Beaudette felt loyalty to the privacy of the
  administrators, and evidently none to the 

Re: [Wikimedia-l] Access to Private Information Policy: How Long Will This Be Left a Question Mark?

2015-04-12 Thread Oliver Keyes
Have you considered that you might get a better response to your messages
if you - and this is just an idea drawn of idle whimsy, here - not spend
quite so much of them on an extended trip off the reservation in order to
attack and critique someone under their real name in public while hiding
any identification of who you are? While we're discussing privacy, here.

Seriously: you've spent a lot of this email indulging in the paranoid
fantasy that Philippe controls the board (he doesn't. One way you can tell
is that they don't wear sweaters literally everywhere :p).

If we're asking questions we've already seemingly made our minds up about,
and prefacing them with lots of grumping, let me get in on this - exactly
what response do you expect? How do you think your claim of a Philippe
Occupied Government enhances the utility of your message and the value a
reader takes from it?

On Sunday, 12 April 2015, Trillium Corsage trillium2...@yandex.com wrote:

 I'm writing to get an answer (from anybody at the WMF) on the status of
 the WMF's policy access to private (i.e. IP, Browser, etc.) information.
 Each day thousands of people edit Wikipedia and deserve to know what
 measures, if any, are taken to avoid divulging to the wrong sort of people
 this sensitive information about them.

 On 25 April last year, the board of trustees approved, in a non-public and
 scantily-documented meeting, a policy that accords Checkuser and Oversight
 and other statuses to community members appointed by a community process
 with essentially a mere two requirements: provide an email address, and
 assert that you are 18 or over. Name, address, NOT required. Is this truly
 an adequate way to protect the privacy interests of all those that edit
 Wikipedia? Well, I don't think so, but my purpose right now is to try to
 eliminate the ambiguity of what is actually occurring at this time.

 One source of this ambiguity is the edit of the WMF's James Alexander (
 http://wikimediafoundation.org/w/index.php?title=Access_to_nonpublic_data_policyaction=historysubmitdiff=98029oldid=95071)
 on 6 June, in which he wrote: This policy has been replaced by a new
 [[m:Access to non public information policy|Access to non public
 information policy]], which was approved by the Board of Trustees on 25
 April 2014. However, this policy remains in force until the new processes
 mandated by the new policy are put into place. A future announcement will
 be made to those affected before the new policy goes in effect. It's now
 the future (and after nine months, quite so), so what is the policy?

 The old policy mandated that those seeking the accesses fax or secure
 email a from of identification. Casual and rank-and-file Wikipedia editors
 were repetitively told that the checkusers and oversighters etc. were
 identified to the WMF. This was incredibly misleading because the
 practice of Philippe Beaudette was to shred and otherwise destroy the
 identifications after marking the noticeboard. It is apparent to any
 plain-spoken individual, I think, that you can't tell people that those
 granted these accesses are identified to the WMF when you have shredded
 the documents and all that is left (except in Mr. Beaudette's memory) is a
 checkmark by a username on a noticeboard. It wasn't a semantic dodge
 predicated on the definition of identified, rather it was in my opinion a
 smoke-screen. Mr. Beaudette felt loyalty to the privacy of the
 administrators, and evidently none to the common editors whose IPs and so
 forth he was exposing to them.

 The immediately above is not necessarily a criticism of the old policy,
 which taken at face value strongly implies that the WMF keeps the
 identifications on file, on a secure computer, or in a physical safe. It's
 rather that Mr. Beaudette operated for years in open defiance of the
 policy. To his credit though, apparently he impelled the Board to rewrite
 the policy in a manner corresponding to his actions.

 BUT MY QUESTION NOW is: What is the status of the policy? For example
 English Wikipedia just got three new checkusers: Bbb23, Callanecc, and Mike
 V. What information were they required to provide? Proper documents, or
 merely an email address and assertion that they are over 18?

 Trillium Corsage



 ___
 Wikimedia-l mailing list, guidelines at:
 https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
 Wikimedia-l@lists.wikimedia.org
 Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
 mailto:wikimedia-l-requ...@lists.wikimedia.org javascript:;
 ?subject=unsubscribe



-- 
Sent from my mobile computing device of Lovecraftian complexity and horror.
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Re: [Wikimedia-l] Access to Private Information Policy: How Long Will This Be Left a Question Mark?

2015-04-12 Thread Pine W
Trilium,

My understanding is that the new policy is now active, meaning that
identification documents are not required for checkusers and oversighters.
I believe that identification documents are still required for WMF Board,
FDC, Board Elections Committee, and Board Audit Committee appointments.

Can you explain what it is that worries you about this change in policy for
checkusers and oversighters?

Thanks,

Pine
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe

Re: [Wikimedia-l] Access to Private Information Policy: How Long Will This Be Left a Question Mark?

2015-04-12 Thread James Alexander
On Sun, Apr 12, 2015 at 10:37 AM, Pine W wiki.p...@gmail.com wrote:

 Trilium,

 My understanding is that the new policy is now active, meaning that
 identification documents are not required for checkusers and oversighters.
 I believe that identification documents are still required for WMF Board,
 FDC, Board Elections Committee, and Board Audit Committee appointments.

 Can you explain what it is that worries you about this change in policy for
 checkusers and oversighters?


tldr: It isn't rolled out yet, however I'm hoping to do so during my free
moments over the next month as we set up the election.


Actually, the policy is not yet active for anyone and identification is
still required from checkusers and oversighters. Because of logistical
(including that we needed to have a tool for the sign off and some
adjustments to the confidentiality agreement itself to ensure it made more
sense) and resource (both the lawyers involved and the CA staff have been
slammed for the past year) issues the speed moving forward has been
incredibly slow. The confidentiality agreement text has final approval from
meta now (I haven't updated meta but I will early this week), at this point
the only thing left is for translation of the agreement and for me to write
up the announcements the teams who are affected and then notify them. That
will start the 3 month time window and I hope to do so very soon. The
upcoming board election is my number one priority, however this is my 2nd.

There is no doubt that we would have preferred to have finished this long
ago at this point. However in the end the combination of figuring out
exactly how to do the agreement and just finding time to do the necessary
steps prevented us from going forward how we wanted too. We had to make
quite a few compromises from how it was originally envisioned technically
both throwing out the original idea of a unique tool to do it (in favor of
using Phabricator legal pad) and not being able to do everything we
originally expected in Phabricator. For better or worse the people
responsible for the rollout on both the Legal and CA side are also some of
the most over scheduled members of those teams during the past year and so
the speed of advancement hasn't been what we'd like because other
responsibilities had to take priority given that the existing policy was
still in place.

James Alexander
Community Advocacy
Wikimedia Foundation
(415) 839-6885 x6716 @jamesofur
___
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 
mailto:wikimedia-l-requ...@lists.wikimedia.org?subject=unsubscribe