Re: [Wikimedia-l] CheckUser openness

2012-06-16 Thread ENWP Pine

 I do hear and understand the argument here, but it is somewhat
 problematic to have to have the argument "if we do this, we'll be
 handing over information to sockpuppeteers we don't want them to have,
 and we can't tell you what that information is, because otherwise
 we'll be handing over information to sockpuppeteers we don't want them
 to have". While I think the methods currently used are probably sound,
 and the information would indeed give them more possibilities to evade
 the system, I can't be sure of it, because I can't be told what that
 information is.

 I don't think this is a viable long-term strategy. The Audit Committee
 is a way around this, but as indicated before, there is somewhat of an
 overlap between the committee and the Check-User in-crowd, which could
 (again, could, I'm not sure if it is indeed true).

 Apart from the 'timed release' of information I proposed earlier, I
 don't really see a viable solution for this, as I doubt we have enough
 people that are sufficiently qualified on a technical level to
 actually judge the checkuser results, who also have enough statistical
 knowledge to interpret the level of certainty indicated in a result,
 who also have the trust of the community to carry out the task, who
 also have never been a checkuser or arb, who also have the backbone to
 blow the whistle if something goes wrong, who also have the
 willingness and time to take it upon themselves to be a meaningful
 member of the Audit Committee.


Hi Martijn,

I agree that there might be ways to structure a delayed and limited release 
so that it poses only a moderate risk to investigations, but as I have said, 
I think that the benefits to an honest user are limited, and there is 
potential for substantial cost in terms of volunteer hours for many types of 
users with enhanced permissions who might get lots of requests for audits of 
CU actions and lots of detailed questions about CU policy. Even if the risk 
to investigations was zero, there would still be those costs of time. In a 
cost/benefit analysis, I think there will be more cost value than benefit 
value. Consider the amount of time that users with enhanced permissions 
could spend conducting risk-based investigations and risk-based or random 
audits of CUs, instead of being asked to spend that time answering questions 
and conducting investigations solely because users make requests for second 
opinions about their account being CU'd even if that CU action had 
relatively low risk of CU misuse and inaccuracy.


Regarding who checks the checkusers, I think the current systems of peer 
review, AUSC and arbcom reviews, ombudsman review, and WMF review are about 
as extensive as realistically possible. Maybe if I was a CU or a member of 
one of these organizations I would have deeper insight into potential 
opportunities for valuable improvements. If you are seriously interested in 
these issues then consider nominating yourself or someone you trust to serve 
as a CU, community-appointed AUSC member, ombudsman, or arbiter.


Cheers,

Pine 



___
Wikimedia-l mailing list
Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l


Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread En Pine

Hi Nathan,

For a moment, let's suppose that there is a global policy that all CU checks 
must be disclosed to the person being checked, with the information 
disclosed in private email, and only consisting of the date of the check and 
the user who performed the check. What benefit does this have to the user 
who was checked? This information doesn't make the user more secure, it 
doesn't make the user's information more private, and there are no actions 
that the user is asked to take. Perhaps there is a benefit, but I am having 
difficulty thinking of what that benefit would be. I can think of how this 
information would benefit a dishonest user, but not how it would benefit an 
honest user. If there is a valuable benefit that an honest user receives 
from this information, what is it?


Thanks,

Pine 





Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread Martijn Hoekstra
Two points that might help bring people on different sides of the
issue closer together.

1. How about notifying people that they have been check-usered 2
months after the fact? By that time I hope all investigations are
complete, and the risk of tipping off the nefarious should be over.

2. Though the strategies of when to checkuser and how to interpret the
results are private, the workings of CheckUser are not. It is free
software, and its usage described at
http://www.mediawiki.org/wiki/Extension:CheckUser I would imagine any
tech-savvy user with malicious intent will check how CheckUser can be
used to detect their malicious editing, and what means they have to
avoid detection. Notifying someone they have been checkusered does not
give them any information they didn't have already, apart from being
under investigation.

On Fri, Jun 15, 2012 at 8:43 AM, Neil Babbage n...@thebabbages.com wrote:

 Notification of some checks would always have to be withheld to allow complex 
 investigations to be completed without tipping off. There is public 
 information that suggests there have been complex abuse cases (real abuse, 
 like harassment, not vandalism). To notify parties suspected of involvement 
 while these long running investigations are underway is broadly analogous to 
 receiving an automated email when your name is searched on the FBI national 
 computer: the innocent want an explanation that wastes police time; the 
 guilty realise they are being investigated and are tipped off to adapt their 
 behaviour.  As soon as there is an option to suppress the alert you are back 
 to square 1: CUs may suppress the notification to hide what they are doing.

 End of the day, the communities elected the CUs knowing they'd be able to 
 secretly check private data - so you have to trust them to do what you ask 
 them to do or elect someone else you do trust.


 Neil / QuiteUnusual@Wikibooks

 -Original Message-
 From: Nathan nawr...@gmail.com
 Sender: wikimedia-l-boun...@lists.wikimedia.org
 Date: Thu, 14 Jun 2012 22:10:33
 To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
 Reply-To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
 Subject: Re: [Wikimedia-l] CheckUser openness

 On Thu, Jun 14, 2012 at 8:06 PM, Dominic McDevitt-Parks
 mcdev...@gmail.com wrote:

 I think the idea that making the log of checks public will necessarily be
 a service to those subject to CheckUser is misguided. One of the best
 reasons for keeping the logs private is not security through obscurity but
 the prevention of unwarranted stigma and drama. Most checks (which aren't
 just scanning a vandal or persistent sockpuppeteer's IP for other accounts)
 are performed because there is some amount of uncertainty. Not all checks
 are positive, and a negative result doesn't necessarily mean the check was
 unwarranted. I think those who have been checked without a public request
 deserve not to have suspicion cast on them by public logs if the check did
 not produce evidence of guilt. At the same time, because even justified
 checks will often upset the subject, the CheckUser deserves to be able to
 act on valid suspicions without fear of retaliation. The community doesn't
 need the discord that a public log would generate. That's not to say that
 there should be no oversight, but that a public log is not the way to do it.


 Dominic


 The threat of stigma can be ameliorated by not making the logs public,
 which was never suggested. A simple system notification of "The data you
 provide to the Wikimedia web servers has been checked by a checkuser on
 this project, see [[wp:checkuser]] for more information" would be enough.

 En Pine's reply to my queries seems calibrated for someone who is
 unfamiliar with SPI and checkuser work. I'm not - in fact I worked as a
 clerk with checkusers at SPI for a long time and am quite familiar with the
 process and its limitations. I know what's disclosed, approximately how
 frequently checks are run, the general proportion of checks that are public
 vs. all checks, etc. I still am not clear on how disclosing the fact of a
 check helps socks avoid detection, and I still believe that it's worthwhile
 for a transparent organization like Wikimedia to alert users when their
 private information (information that is, as Risker has mentioned,
 potentially personally identifying) has been disclosed to another
 volunteer.

 Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread Stephanie Daugherty
On Fri, Jun 15, 2012 at 4:52 AM, Martijn Hoekstra martijnhoeks...@gmail.com
 wrote:

 Two points that might help bring people on different sides of the
 issue closer together.

 1. How about notifying people that they have been check-usered 2
 months after the fact? By that time I hope all investigations are
 complete, and the risk of tipping off the nefarious should be over.

That's an interesting concept, and I'd think this would be the only way to
notify users without compromising the effectiveness of the tool, but I
still have serious reservations about disclosure here for reasons
previously cited and below. Also, there are conceivably complex abuse cases
where an investigation would take longer than 2 months, particularly in the
sort of cases that eventually end up before en.wiki's arbcom.



 2. Though the strategies of when to checkuser and how to interpret the
 results are private, the workings of CheckUser are not. It is free
 software, and its usage described at
 http://www.mediawiki.org/wiki/Extension:CheckUser I would imagine any
 tech-savvy user with malicious intent will check how CheckUser can be
 used to detect their malicious editing, and what means they have to
 avoid detection. Notifying someone they have been checkusered does not
 give them any information they didn't have already, apart from being
 under investigation.


The privacy rules surrounding it are very much public as well. That makes
the effectiveness of checkuser as a tool very much dependent on
carelessness or ignorance of person targeted, things we want to preserve as
much as possible lest checkuser stop being effective or massive relaxation
of privacy policies become necessary to preserve its effectiveness.


Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread Martijn Hoekstra
On Fri, Jun 15, 2012 at 11:18 AM, Stephanie Daugherty
sdaughe...@gmail.com wrote:
 On Fri, Jun 15, 2012 at 4:52 AM, Martijn Hoekstra martijnhoeks...@gmail.com
 wrote:

 Two points that might help bring people on different sides of the
 issue closer together.

 1. How about notifying people that they have been check-usered 2
 months after the fact? By that time I hope all investigations are
 complete, and the risk of tipping off the nefarious should be over.

 That's an interesting concept, and I'd think this would be the only way to
 notify users without compromising the effectiveness of the tool, but I
 still have serious reservations about disclosure here for reasons
 previously cited and below. Also, there are conceivably complex abuse cases
 where an investigation would take longer than 2 months, particularly in the
 sort of cases that eventually end up before en.wiki's arbcom.



 2. Though the strategies of when to checkuser and how to interpret the
 results are private, the workings of CheckUser are not. It is free
 software, and its usage described at
 http://www.mediawiki.org/wiki/Extension:CheckUser I would imagine any
 tech-savvy user with malicious intent will check how CheckUser can be
 used to detect their malicious editing, and what means they have to
 avoid detection. Notifying someone they have been checkusered does not
 give them any information they didn't have already, apart from being
 under investigation.


 The privacy rules surrounding it are very much public as well. That makes
 the effectiveness of checkuser as a tool very much dependent on
 carelessness or ignorance of person targeted, things we want to preserve as
 much as possible lest checkuser stop being effective or massive relaxation
 of privacy policies become necessary to preserve its effectiveness.


Am I correct to summarise here then that CU works because people don't
know it doesn't?



Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread Stephanie Daugherty


 Am I correct to summarise here then that CU works because people don't
 know it doesn't?

Almost. It works because people don't know how, don't care how, or don't
think they are attracting enough attention to avoid being targeted.


Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread Nathan
On Fri, Jun 15, 2012 at 2:22 AM, En Pine deyntest...@hotmail.com wrote:

 Hi Nathan,

 For a moment, let's suppose that there is a global policy that all CU
 checks must be disclosed to the person being checked, with the information
 disclosed in private email, and only consisting of the date of the check
 and the user who performed the check. What benefit does this have to the
 user who was checked? This information doesn't make the user more secure,
 it doesn't make the user's information more private, and there are no
 actions that the user is asked to take. Perhaps there is a benefit, but I
 am having difficulty thinking of what that benefit would be. I can think of
 how this information would benefit a dishonest user, but not how it would
 benefit an honest user. If there is a valuable benefit that an honest user
 receives from this information, what is it?

 Thanks,


 Pine


Pine: As you have said, checkuser oversight comes from AUSC, ArbCom and the
ombudspeople. These groups typically respond to requests and complaints
(well, the ombuds commission typically doesn't respond at all). But you
only know to make a request or complaint if you know you've been CU'd. So
notifying people that they have been CU'd would allow them to follow up
with the oversight bodies. My guess is most would choose not to, but at
least some might have a reason to. It's also plain that even if there is no
recourse, people will want to know if their identifying information has
been disclosed.

Neil: The difference between the FBI and checkusers is clear: checkusers
are volunteers. They are elected on some projects, appointed on others, and
the process can often be murky or poorly attended. The background check
as such for checkusers is minimal. People with an intention to abuse the
system have become checkusers in the past.

Martijn: A delay makes sense. Two months seems like a long time, but two
weeks or a week might be reasonable.

Stephanie: Supposedly, the data only survives 3 months. If data is being
retained much longer than this for investigations that go on for months
on the checkuser wiki, that's concerning.

~Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread James Forrester
On 15 June 2012 04:55, Nathan nawr...@gmail.com wrote:
 Supposedly, the data only survives 3 months. If data is being
 retained much longer than this for investigations that go on for months
 on the checkuser wiki, that's concerning.

We have well-known trolls and repeat vandals who have been coming back
to the various wiki communities for many years - in some cases, for
nearly a decade now. Why is it concerning to you that the people
responsible for detecting, tracking and defeating these individuals
keep track of these users and their work over time (whilst of course
always being within the Privacy and CheckUser policies)?

Yours,
-- 
James D. Forrester
jdforres...@gmail.com
[[Wikipedia:User:Jdforrester|James F.]] (speaking purely in a personal capacity)



Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread ENWP Pine



 Hi Nathan,

 For a moment, let's suppose that there is a global policy that all CU
 checks must be disclosed to the person being checked, with the information
 disclosed in private email, and only consisting of the date of the check
 and the user who performed the check. What benefit does this have to the
 user who was checked? This information doesn't make the user more secure,
 it doesn't make the user's information more private, and there are no
 actions that the user is asked to take. Perhaps there is a benefit, but I
 am having difficulty thinking of what that benefit would be. I can think of
 how this information would benefit a dishonest user, but not how it would
 benefit an honest user. If there is a valuable benefit that an honest user
 receives from this information, what is it?

 Thanks,


 Pine


 Pine: As you have said, checkuser oversight comes from AUSC, ArbCom and the
 ombudspeople. These groups typically respond to requests and complaints
 (well, the ombuds commission typically doesn't respond at all). But you
 only know to make a request or complaint if you know you've been CU'd. So
 notifying people that they have been CU'd would allow them to follow up
 with the oversight bodies. My guess is most would choose not to, but at
 least some might have a reason to. It's also plain that even if there is no
 recourse, people will want to know if their identifying information has
 been disclosed.



Hi Nathan,

Thanks, I think I understand your points better now. Let me see if I can 
respond. I'm not a Checkuser or CU clerk, and I am commenting only from my 
limited ability to get information as an outsider.


If we notify all users who have been CU'd as we are discussing, what I 
speculate will happen is an increase in the volume of people who contact the 
CU who used the tool, their local AUSC or ArbCom, other local CUs, OTRS, and 
the ombudsmen. This will increase the workload of emailed questions for the 
CU who used the tool and anyone else who might be contacted. This increase 
in workload could require an increase in the number of people on AUSC or other 
audit groups who have access to the tool in order to supervise the CUs who 
are doing the front-line work, and this increase in the number of CUs makes 
it more possible for a bad CU to slip through.


Another problem that I foresee is that if a user appeals the original 
CU decision to another CU or any group that audits CUs, then the user is put 
in the position of trusting that whoever reviews the first CU's work is 
themselves trustworthy and competent. The user still doesn't get the 
personal authority to review and debate the details of the CU's work. Since 
my understanding is that CUs already check each other's work, I'm unsure 
that an increase in inquiries and appeals to supervisory groups would lead 
to a meaningful improvement as compared to the current system in CU accuracy 
or data privacy.


So, what I foresee is an increase in workload for audit groups, but little 
meaningful increase to the assurance that the CU tool and data are used and 
contained properly. Additionally, as has been mentioned before, I worry 
about the risk of giving sockpuppets additional information that they might 
be able to use to evade detection.


I agree with you that there might be bad CUs in the current system, although 
personally I haven't heard of any. Where I think we differ is on the 
question of what should be done to limit the risk of bad CUs while balancing 
other considerations. At this point, I think the available public evidence 
is that there are more problems with sophisticated and persistent 
sockpuppets than there are problems with current CUs. I hope and believe 
that current CUs and auditors are generally honest, competent, and vigilant 
about watching each other's work.


Pine 





Re: [Wikimedia-l] CheckUser openness

2012-06-15 Thread Martijn Hoekstra
On Fri, Jun 15, 2012 at 9:51 PM, ENWP Pine deyntest...@hotmail.com wrote:

 Hi Nathan,

 For a moment, let's suppose that there is a global policy that all CU
 checks must be disclosed to the person being checked, with the
 information
 disclosed in private email, and only consisting of the date of the check
 and the user who performed the check. What benefit does this have to the
 user who was checked? This information doesn't make the user more secure,
 it doesn't make the user's information more private, and there are no
 actions that the user is asked to take. Perhaps there is a benefit, but I
 am having difficulty thinking of what that benefit would be. I can think
 of
 how this information would benefit a dishonest user, but not how it would
 benefit an honest user. If there is a valuable benefit that an honest
 user
 receives from this information, what is it?

 Thanks,


 Pine


 Pine: As you have said, checkuser oversight comes from AUSC, ArbCom and
 the
 ombudspeople. These groups typically respond to requests and complaints
 (well, the ombuds commission typically doesn't respond at all). But you
 only know to make a request or complaint if you know you've been CU'd. So
 notifying people that they have been CU'd would allow them to follow up
 with the oversight bodies. My guess is most would choose not to, but at
 least some might have a reason to. It's also plain that even if there is
 no
 recourse, people will want to know if their identifying information has
 been disclosed.


 Hi Nathan,

 Thanks, I think I understand your points better now. Let me see if I can
 respond. I'm not a Checkuser or CU clerk, and I am commenting only from my
 limited ability to get information as an outsider.

 If we notify all users who have been CU'd as we are discussing, what I
 speculate will happen is an increase in the volume of people who contact the
 CU who used the tool, their local AUSC or ArbCom, other local CUs, OTRS, and
 the ombudsmen. This will increase the workload of emailed questions for the
 CU who used the tool and anyone else who might be contacted. This increase
 in workload could require an increase in the number of people on AUSC or other
 audit groups who have access to the tool in order to supervise the CUs who
 are doing the front-line work, and this increase in the number of CUs makes
 it more possible for a bad CU to slip through.

 Another problem that I foresee is that if a user appeals the original
 CU decision to another CU or any group that audits CUs, then the user is put
 in the position of trusting that whoever reviews the first CU's work is
 themselves trustworthy and competent. The user still doesn't get the
 personal authority to review and debate the details of the CU's work. Since
 my understanding is that CUs already check each other's work, I'm unsure
 that an increase in inquiries and appeals to supervisory groups would lead
 to a meaningful improvement as compared to the current system in CU accuracy
 or data privacy.

 So, what I foresee is an increase in workload for audit groups, but little
 meaningful increase to the assurance that the CU tool and data are used and
 contained properly. Additionally, as has been mentioned before, I worry
 about the risk of giving sockpuppets additional information that they might
 be able to use to evade detection.

 I agree with you that there might be bad CUs in the current system, although
 personally I haven't heard of any. Where I think we differ is on the
 question of what should be done to limit the risk of bad CUs while balancing
 other considerations. At this point, I think the available public evidence
 is that there are more problems with sophisticated and persistent
 sockpuppets than there are problems with current CUs. I hope and believe
 that current CUs and auditors are generally honest, competent, and vigilant
 about watching each other's work.

 Pine


I do hear and understand the argument here, but it is somewhat
problematic to have to have the argument "if we do this, we'll be
handing over information to sockpuppeteers we don't want them to have,
and we can't tell you what that information is, because otherwise
we'll be handing over information to sockpuppeteers we don't want them
to have". While I think the methods currently used are probably sound,
and the information would indeed give them more possibilities to evade
the system, I can't be sure of it, because I can't be told what that
information is.

I don't think this is a viable long-term strategy. The Audit Committee
is a way around this, but as indicated before, there is somewhat of an
overlap between the committee and the Check-User in-crowd, which could
(again, could, I'm not sure if it is indeed true).

Apart from the 'timed release' of information I proposed earlier, I
don't really see a viable solution for this, as I doubt we have enough
people that are sufficiently qualified on a technical level to
actually judge the checkuser results, who also have 

Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread David Richfield
So User:mfgaowener should get an automated mail saying "because you
did a pagemove with edit summary 'Haers!' you were checkusered.
Please be more subtle in your vandalism next time."

I trust the current checks and balances, and I don't think the system
is getting significant levels of abuse.

-- 
David Richfield
[[:en:User:Slashme]]
+27718539985



Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Stephanie Daugherty
On Thu, Jun 14, 2012 at 3:36 AM, David Richfield
davidrichfi...@gmail.com wrote:

 So User:mfgaowener should get an automated mail saying "because you
 did a pagemove with edit summary 'Haers!' you were checkusered.
 Please be more subtle in your vandalism next time."

 I trust the current checks and balances, and I don't think the system
 is getting significant levels of abuse.

+1 on this. The methods that checkusers have are heavily constrained as it
is by privacy concerns, and they are very fragile. They only work
effectively within the tight privacy restrictions with a certain amount of
security through obscurity. For one, a checkuser needs to be able to
monitor a situation sometimes to be sure that they are casting a wide
enough net for a block to be effective. For another, the standard of
reasonable suspicion placed on the checkuser tool is high enough that with
enough practice, vandals would learn to be careful to never justify a
checkuser request within the privacy guidelines.

We're between a rock and a hard place, because to give the transparency
being asked for, we'd enter an arms race where we'd quickly have to relax
the checkuser standards to the point where it becomes anything goes so
long as you don't disclose it.

-Stephanie


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread John
I am not asking for full disclosure, what I am asking is that established
users have the right to be notified when and why they are being checkusered.
The evidence checkusers get does not need to be disclosed. It's as simple as:

 X performed a checkuser on you because Y at Z UTC

that provides clarity and openness while keeping the information checkusers
use confidential. A note like that would provide vandals with very little
information. And the second step of defining a threshold would eliminate
most of the vandal checks.

To me this screams of "let's keep oversight of checkuser to a minimum". Right
now there is the ombudsman committee globally (to ask for review from them
we need evidence, realistically only other checkusers can provide that)
and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
members (be defacto are granted CU), former arbcom, or former CU. To me
that really reeks of lack of independent oversight. Notifying an
established user that they are subject to a CU doesn't harm the CU's ability
to do their job unless they themselves have something to hide. It's not like
I am asking for CU's to release IP addresses/user-agents or anything else
that could assist me in avoiding scrutiny.

On Thu, Jun 14, 2012 at 3:48 AM, Stephanie Daugherty
sdaughe...@gmail.com wrote:

 On Thu, Jun 14, 2012 at 3:36 AM, David Richfield
 davidrichfi...@gmail.com wrote:

  So User:mfgaowener should get an automated mail saying "because you
  did a pagemove with edit summary 'Haers!' you were checkusered.
  Please be more subtle in your vandalism next time."
 
  I trust the current checks and balances, and I don't think the system
  is getting significant levels of abuse.
 
 +1 on this. The methods that checkusers have are heavily constrained as it
 is by privacy concerns, and they are very fragile. They only work
 effectively within the tight privacy restrictions with a certain amount of
 security through obscurity. For one, a checkuser needs to be able to
 monitor a situation sometimes to be sure that they are casting a wide
 enough net for a block to be effective. For another, the standard of
 reasonable suspicion placed on the checkuser tool is high enough that with
 enough practice, vandals would learn to be careful to never justify a
 checkuser request within the privacy guidelines.

 We're between a rock and a hard place, because to give the transparency
 being asked for, we'd enter an arms race where we'd quickly have to relax
 the checkuser standards to the point where it becomes anything goes so
 long as you don't disclose it.

 -Stephanie


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Nathan
On Thu, Jun 14, 2012 at 4:07 PM, John phoenixoverr...@gmail.com wrote:

 I am not asking for full disclosure, what I am asking is that established
 users have the right to be notified when and why they are being checkusered.
 The evidence checkusers get does not need to be disclosed. It's as simple as:

  X performed a checkuser on you because Y at Z UTC

 that provides clarity and openness while keeping the information checkusers
 use confidential. A note like that would provide vandals with very little
 information. And the second step of defining a threshold would eliminate
 most of the vandal checks.

 To me this screams of "let's keep oversight of checkuser to a minimum". Right
 now there is the ombudsman committee globally (to ask for review from them
 we need evidence, realistically only other checkusers can provide that)
 and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
 members (be defacto are granted CU), former arbcom, or former CU. To me
 that really reeks of lack of independent oversight. Notifying an
 established user that they are subject to a CU doesn't harm the CU's ability
 to do their job unless they themselves have something to hide. It's not like
 I am asking for CU's to release IP addresses/user-agents or anything else
 that could assist me in avoiding scrutiny.


Don't even need to go that far - just say "A checkuser viewed the
information stored by the web server about you, this information may
include [[xyz list of information]]."


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Risker
On 14 June 2012 16:36, Nathan nawr...@gmail.com wrote:

 On Thu, Jun 14, 2012 at 4:07 PM, John phoenixoverr...@gmail.com wrote:

  I am not asking for full disclosure, what I am asking is that established
  users have the right to be notified when and why they are being checkusered.
  The evidence checkusers get does not need to be disclosed, it's as simple as:

   X performed a checkuser on you because Y at Z UTC

  that provides clarity and openness while keeping the information checkusers
  use confidential. A note like that would provide vandals with very little
  information. And the second step of defining a threshold would eliminate
  most of the vandal checks.

  To me this screams of let's keep oversight of checkuser to a minimum. Right
  now there is the ombudsman committee globally (to ask for review from them
  we need evidence, realistically only other checkusers can provide that)
  and on enwp there is the Audit Subcommittee, which 75% of are either arbcom
  members (be de facto are granted CU), former arbcom, or former CU. To me
  that really reeks of lack of independent oversight. Notifying an
  established user that they are subject to a CU doesn't harm the CU's ability
  to do their job unless they themselves have something to hide. It's not like
  I am asking for CU's to release IP addresses/user-agents or anything else
  that could assist me in avoiding scrutiny.

 Don't even need to go that far - just say "A checkuser viewed the
 information stored by the web server about you, this information may
 include [[xyz list of information]]."



I do see where folks are coming from. To the best of my knowledge, for the
past few years on English Wikipedia anyone who has asked the Audit
Subcommittee if they have been checked has been told the correct response,
and I think this is a good thing.

On the other hand, what's being proposed here is essentially providing
sockpuppeters or otherwise disruptive users (such as those under certain
types of sanctions) a how-to guide so they can avoid detection in the
future.

Risker


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Nathan
On Thu, Jun 14, 2012 at 4:52 PM, Risker risker...@gmail.com wrote:


 I do see where folks are coming from. To the best of my knowledge, for the
 past few years on English Wikipedia anyone who has asked the Audit
 Subcommittee if they have been checked has been told the correct response,
 and I think this is a good thing.

 On the other hand, what's being proposed here is essentially providing
 sockpuppeters or otherwise disruptive users (such as those under certain
 types of sanctions) a how-to guide so they can avoid detection in the
 future.

 Risker


Can you explain how this is so? I did a fair amount of work at SPI as a
clerk, and I'm not sure I understand how the mere fact that a check was
performed is giving sockpuppeters a roadmap for how to avoid detection. If
you mean they could test the CU net by running a bunch of socks on
different strategies to see which get checked and which don't, that seems
like a lot of work that a vanishingly small number of abusers would
attempt... and also basically the same information as they would receive
when those sock accounts are ultimately blocked or not blocked per CU.

~Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread En Pine


I do see where folks are coming from. To the best of my knowledge, for the
past few years on English Wikipedia anyone who has asked the Audit
Subcommittee if they have been checked has been told the correct response,
and I think this is a good thing.

On the other hand, what's being proposed here is essentially providing
sockpuppeters or otherwise disruptive users (such as those under certain
types of sanctions) a how-to guide so they can avoid detection in the
future.

Risker



I'm inclined to agree with Risker here. Telling someone that a CU has been 
performed on their account, at the time that a CU is performed, might alert 
a disruptive user that some part of their recent activity has triggered the 
attention of SPI. This information could be used to the advantage of the 
disruptive user.


If someone believes that CU may have been used improperly, various groups 
can investigate the use of CU.


John, you said in your original email, "See the Rich Farmbrough ArbCom case
where I suspect obvious fishing, where the CU'ed user was requesting
information and the CU claimed it would be a violation of the privacy policy
to release the time/reason/performer of the checkuser." Can you provide a
link to the relevant diffs? I would be interested in reading the diffs to
get a fuller understanding of what was said, particularly regarding the
Wikimedia-wide Privacy Policy.


Thanks,

Pine 





Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Dominic McDevitt-Parks
I think the idea that making the log of checks public will be a service 
to those subject to CheckUser is misguided. One of the best reasons for 
keeping the logs private is not security through obscurity but the 
prevention of unwarranted stigma and drama. Most checks (which aren't 
just scanning a vandal or persistent sockpuppeteer's IP for other 
accounts) are performed because there is some amount of uncertainty. Not 
all checks are positive, and a negative result doesn't necessarily mean 
the check was unwarranted. I think those who have been checked without a 
public request deserve not to have suspicion cast on them by public logs 
if the check did not produce evidence of guilt. At the same time, 
because even justified checks will often upset the subject, the 
CheckUser deserves to be able to act on valid suspicions without fear of 
retaliation. The community doesn't need the discord that a public log 
would generate. That's not to say that there should be no oversight, but 
that a public log is not the way to do it.


Dominic

On 6/14/12 6:34 PM, En Pine wrote:

Nathan, I’d like to respond to all three of your recent comments.


Can you explain how this is so? I did a fair amount of work at SPI as a
clerk, and I'm not sure I understand how the mere fact that a check was
performed is giving sockpuppeters a roadmap for how to avoid detection. If
you mean they could test the CU net by running a bunch of socks on
different strategies to see which get checked and which don't, that seems
like a lot of work that a vanishingly small number of abusers would
attempt... and also basically the same information as they would receive
when those sock accounts are ultimately blocked or not blocked per CU.

~Nathan

I think you might be amazed at the persistence and sophistication of some
individuals. I personally haven’t dealt with them much on-wiki, but I’ve 
certainly seen them on IRC.


Here are some problems with that rationale:

1) If a sock confirmation results from a CU check, the person is blocked,
which is a pretty big tip off all its own. If a case is filed at SPI, then
tons of evidence is submitted, then a CU check is performed in public, then
a block is or is not imposed. That whole process is a pretty big tip off
too, but we haven't shut it down for providing a road map to abusers.


You are correct that the start of the CU case is public at the time of filing 
at WP:SPI. The identity of the CU is also public when it is run for those filed 
cases. I believe that what we are discussing in this thread are instances of the CU
tool being used, or data from the tool being used and shared among 
functionaries who are permitted access to private data, when that use or 
sharing is not made publicly known at WP:SPI. I am not a Checkuser but perhaps 
someone who is a Checkuser can give some examples of situations when this 
happens. I personally know of at least two scenarios.


2) You can't dispute the use of CU on your information if you don't know
that it was used. It's kind of like secret wiretapping with a FISA warrant;
if you never know you've been wiretapped, how are you supposed to challenge
it or know whether it was used improperly? As for "various groups can
investigate", to some extent that's true. Most of them are checkusers,
however, and they still tend not to disclose all relevant information. I'm
not saying that any CU is doing anything improper or that it's likely, but
such allegations have been made in the past, and it seems like a pretty cut
and dried case of people having a right to know how their own information
is being used. If Wikimedia were based in Europe, it would most likely be
required by law.

Nathan

When you use Wikipedia, information about what you do is logged. The same is 
true for other websites. In most cases on the internet in general, it’s 
impossible for the average user to know if their information has been used or 
disclosed in a way that is contrary to the site’s privacy policy. Sometimes 
misuse or preventable, improper disclosure of private data is made publicly 
known, as has happened with many online services being hacked for credit card 
or password information. The reality on the internet is that generally the 
information you provide can’t be guaranteed to remain private and secure. It is 
true that there can be abuses of investigative tools like CU, search warrants, 
and almost anything else. The best that can be done is to take reasonable 
precautions and to be careful about what you disclose in the first place, for 
the people who are trusted with special investigative tools to be honest and 
competent, to have sufficient “separation of powers” to help as much as 
possible to verify that the investigators are honest and competent, and for 
there to be penalties for investigators who misuse their authority. Regarding 
the investigative use of private information, as I think others have said also, 
sometimes there may be a good reason to keep an active 

Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Birgitte_sb
No, that is not a fair characterization. Risker explained that these things are
handled by each project, not to hide her true intentions toward your campaign, but
because it is the way things are. And it is not at all particular to CU
issues. What really reeks of obfuscation is using words and phrasing that
require native level English skills to campaign for a policy that you wish to
impose on the Tosk Albanian, and all other, projects.

Self-governing communities work for the most part.  Which is more than can be 
said about the alternatives, and there are ghost wikis all over the Internet to 
prove the point.

BirgitteSB


On Jun 13, 2012, at 8:30 PM, John phoenixoverr...@gmail.com wrote:

 Risker's comment was basically let's not set a global accountability and
 ability to get CU related logs of ourselves on a global level, instead take
 it to each project and fight it out there. To me that reeks of obfuscation.
 Realistically this should be a global policy, just like our privacy policy
 is. Why shouldn't users know when they have been checkusered and why?
 
 On Wed, Jun 13, 2012 at 9:24 PM, Philippe Beaudette, Wikimedia Foundation 
 pbeaude...@wikimedia.org wrote:
 
 I dunno, John, you almost had me convinced until that email. I saw in that
 mail a reasonable comment from Risker based on long time precedent.
 
 As you may know, there are a number of checks and balances in place.
 First, the CUs watch each other. With a broad group, you can be assured
 they don't all always agree and there is healthy debate and dialogue.
 Second, enwp has an audit subcommittee that routinely audits the logs with
 a fine toothed comb.  They are NOT all previous checkusers, to avoid the
 sort of groupthink that appears to concern you. Then, the WMF has an
 ombudsman commission, which also may audit with commission from the Board.
 Those people take their role very seriously. And last, anyone with genuine
 privacy concerns can contact the WMF:  me, Maggie, anyone in the legal or
 community advocacy department.
 
 Is it an iron clad assurance of no misbehavior?  Probably not, and we will
 continue to get better at it: but I will say that in 3 years of being
 pretty closely involved with that team, I'm impressed with how much they
 err on the side of protection of privacy. I have a window into their world,
 and they have my respect.
 
 Best, PB
 ---
 Philippe Beaudette
 Director, Community Advocacy
 Wikimedia Foundation, Inc
 
 
 
 -Original Message-
 From: John phoenixoverr...@gmail.com
 Sender: wikimedia-l-boun...@lists.wikimedia.org
 Date: Wed, 13 Jun 2012 21:17:09
 To: Wikimedia Mailing Listwikimedia-l@lists.wikimedia.org
 Reply-To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
 Subject: Re: [Wikimedia-l] CheckUser openness
 
 Yet another attempt from a checkuser to make monitoring their actions and
 ensuring our privacy more difficult.
 
 On Wed, Jun 13, 2012 at 9:10 PM, Risker risker...@gmail.com wrote:
 
 Each project has its own standards and thresholds for when checkusers may
 be done, provided that they are within the limits of the privacy policy.
 These standards vary widely.  So, the correct place to discuss this is on
 each project.
 
 Risker
 
 On 13 June 2012 21:02, Thomas Dalton thomas.dal...@gmail.com wrote:
 
 Why shouldn't spambots and vandals be notified? Just have the software
 automatically email anyone that is CUed. Then the threshold is simply
 whether you have an email address attached to your account or not.
 
 This seems like a good idea. People have a right to know what is being done
 with their data.
 On Jun 14, 2012 12:35 AM, Risker risker...@gmail.com wrote:
 
 On 13 June 2012 19:18, John phoenixoverr...@gmail.com wrote:
 
 This is something that has been bugging me for a while. When a user has
 been checkusered they should at least be notified of who performed it and
 why it was performed. I know this is not viable for every single CU action
 as many are for anons. But for those users who have been around for a
 period, (say autoconfirmed) they should be notified when they are CU'ed and
 any user should be able to request the CU logs pertaining to themselves
 (who CU'ed them, when, and why) at will. I have seen CU's refuse to provide
 information to the accused.

 See the Rich Farmbrough ArbCom case where I suspect obvious fishing, where
 the CU'ed user was requesting information and the CU claimed it would be a
 violation of the privacy policy to release the time/reason/performer of the
 checkuser.

 This screams of obfuscation and the hiding of information. I know the
 ombudsman committee exists as a check and balance, however before something
 can be passed to them evidence of inappropriate action is needed. Ergo
 Catch-22

 I know checkusers keep a private wiki
 https://checkuser.wikimedia.org/wiki/Main_Page and I know according to our
 privacy policy we are supposed to purge our

Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Dominic McDevitt-Parks
I think the idea that making the log of checks public will necessarily 
be a service to those subject to CheckUser is misguided. One of the best 
reasons for keeping the logs private is not security through obscurity 
but the prevention of unwarranted stigma and drama. Most checks (which 
aren't just scanning a vandal or persistent sockpuppeteer's IP for other 
accounts) are performed because there is some amount of uncertainty. Not 
all checks are positive, and a negative result doesn't necessarily mean 
the check was unwarranted. I think those who have been checked without a 
public request deserve not to have suspicion cast on them by public logs 
if the check did not produce evidence of guilt. At the same time, 
because even justified checks will often upset the subject, the 
CheckUser deserves to be able to act on valid suspicions without fear of 
retaliation. The community doesn't need the discord that a public log 
would generate. That's not to say that there should be no oversight, but 
that a public log is not the way to do it.


Dominic

On 6/14/12 6:34 PM, En Pine wrote:

Nathan, I’d like to respond to all three of your recent comments.


Can you explain how this is so? I did a fair amount of work at SPI as a
clerk, and I'm not sure I understand how the mere fact that a check was
performed is giving sockpuppeters a roadmap for how to avoid detection. If
you mean they could test the CU net by running a bunch of socks on
different strategies to see which get checked and which don't, that seems
like a lot of work that a vanishingly small number of abusers would
attempt... and also basically the same information as they would receive
when those sock accounts are ultimately blocked or not blocked per CU.

~Nathan

I think you might be amazed at the persistence and sophistication of some
individuals. I personally haven’t dealt with them much on-wiki, but I’ve 
certainly seen them on IRC.


Here are some problems with that rationale:

1) If a sock confirmation results from a CU check, the person is blocked,
which is a pretty big tip off all its own. If a case is filed at SPI, then
tons of evidence is submitted, then a CU check is performed in public, then
a block is or is not imposed. That whole process is a pretty big tip off
too, but we haven't shut it down for providing a road map to abusers.


You are correct that the start of the CU case is public at the time of filing 
at WP:SPI. The identity of the CU is also public when it is run for those filed 
cases. I believe that what we are discussing in this thread are instances of the CU
tool being used, or data from the tool being used and shared among 
functionaries who are permitted access to private data, when that use or 
sharing is not made publicly known at WP:SPI. I am not a Checkuser but perhaps 
someone who is a Checkuser can give some examples of situations when this 
happens. I personally know of at least two scenarios.


2) You can't dispute the use of CU on your information if you don't know
that it was used. It's kind of like secret wiretapping with a FISA warrant;
if you never know you've been wiretapped, how are you supposed to challenge
it or know whether it was used improperly? As for "various groups can
investigate", to some extent that's true. Most of them are checkusers,
however, and they still tend not to disclose all relevant information. I'm
not saying that any CU is doing anything improper or that it's likely, but
such allegations have been made in the past, and it seems like a pretty cut
and dried case of people having a right to know how their own information
is being used. If Wikimedia were based in Europe, it would most likely be
required by law.

Nathan

When you use Wikipedia, information about what you do is logged. The same is 
true for other websites. In most cases on the internet in general, it’s 
impossible for the average user to know if their information has been used or 
disclosed in a way that is contrary to the site’s privacy policy. Sometimes 
misuse or preventable, improper disclosure of private data is made publicly 
known, as has happened with many online services being hacked for credit card 
or password information. The reality on the internet is that generally the 
information you provide can’t be guaranteed to remain private and secure. It is 
true that there can be abuses of investigative tools like CU, search warrants, 
and almost anything else. The best that can be done is to take reasonable 
precautions and to be careful about what you disclose in the first place, for 
the people who are trusted with special investigative tools to be honest and 
competent, to have sufficient “separation of powers” to help as much as 
possible to verify that the investigators are honest and competent, and for 
there to be penalties for investigators who misuse their authority. Regarding 
the investigative use of private information, as I think others have said also, 
sometimes there may be a good reason to keep an 

Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread Nathan
On Thu, Jun 14, 2012 at 8:06 PM, Dominic McDevitt-Parks
mcdev...@gmail.com wrote:

 I think the idea that making the log of checks public will necessarily be
 a service to those subject to CheckUser is misguided. One of the best
 reasons for keeping the logs private is not security through obscurity but
 the prevention of unwarranted stigma and drama. Most checks (which aren't
 just scanning a vandal or persistent sockpuppeteer's IP for other accounts)
 are performed because there is some amount of uncertainty. Not all checks
 are positive, and a negative result doesn't necessarily mean the check was
 unwarranted. I think those who have been checked without a public request
 deserve not to have suspicion cast on them by public logs if the check did
 not produce evidence of guilt. At the same time, because even justified
 checks will often upset the subject, the CheckUser deserves to be able to
 act on valid suspicions without fear of retaliation. The community doesn't
 need the discord that a public log would generate. That's not to say that
 there should be no oversight, but that a public log is not the way to do it.


 Dominic


The threat of stigma can be ameliorated by not making the logs public,
which was never suggested. A simple system notification of "The data you
provide to the Wikimedia web servers has been checked by a checkuser on
this project, see [[wp:checkuser]] for more information" would be enough.

En Pine's reply to my queries seems calibrated for someone who is
unfamiliar with SPI and checkuser work. I'm not - in fact I worked as a
clerk with checkusers at SPI for a long time and am quite familiar with the
process and its limitations. I know what's disclosed, approximately how
frequently checks are run, the general proportion of checks that are public
vs. all checks, etc. I still am not clear on how disclosing the fact of a
check helps socks avoid detection, and I still believe that it's worthwhile
for a transparent organization like Wikimedia to alert users when their
private information (information that is, as Risker has mentioned,
potentially personally identifying) has been disclosed to another
volunteer.

Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-14 Thread David Goodman
The request--at least the original request here-- was not that they be
made public. The request was that they be disclosed to the person
being checkusered. There is thus no stigmatization or drama. That it
might upset the subject to tell him the truth is paternalism.

On Thu, Jun 14, 2012 at 8:06 PM, Dominic McDevitt-Parks
mcdev...@gmail.com wrote:
 I think the idea that making the log of checks public will necessarily be a
 service to those subject to CheckUser is misguided. One of the best reasons
 for keeping the logs private is not security through obscurity but the
 prevention of unwarranted stigma and drama. Most checks (which aren't just
 scanning a vandal or persistent sockpuppeteer's IP for other accounts) are
 performed because there is some amount of uncertainty. Not all checks are
 positive, and a negative result doesn't necessarily mean the check was
 unwarranted. I think those who have been checked without a public request
 deserve not to have suspicion cast on them by public logs if the check did
 not produce evidence of guilt. At the same time, because even justified
 checks will often upset the subject, the CheckUser deserves to be able to
 act on valid suspicions without fear of retaliation. The community doesn't
 need the discord that a public log would generate. That's not to say that
 there should be no oversight, but that a public log is not the way to do it.


 Dominic

 On 6/14/12 6:34 PM, En Pine wrote:

 Nathan, I’d like to respond to all three of your recent comments.

 Can you explain how this is so? I did a fair amount of work at SPI as a
 clerk, and I'm not sure I understand how the mere fact that a check was
 performed is giving sockpuppeters a roadmap for how to avoid detection. If
 you mean they could test the CU net by running a bunch of socks on
 different strategies to see which get checked and which don't, that seems
 like a lot of work that a vanishingly small number of abusers would
 attempt... and also basically the same information as they would receive
 when those sock accounts are ultimately blocked or not blocked per CU.

 ~Nathan

 I think you might be amazed at the persistence and sophistication of
 some individuals. I personally haven’t dealt with them much on-wiki, but
 I’ve certainly seen them on IRC.

 Here are some problems with that rationale:

 1) If a sock confirmation results from a CU check, the person is blocked,
 which is a pretty big tip off all its own. If a case is filed at SPI, then
 tons of evidence is submitted, then a CU check is performed in public, then
 a block is or is not imposed. That whole process is a pretty big tip off
 too, but we haven't shut it down for providing a road map to abusers.

 You are correct that the start of the CU case is public at the time of
 filing at WP:SPI. The identity of the CU is also public when it is run for
 those filed cases. I believe that what we are discussing in this thread are
 instances of the CU tool being used, or data from the tool being used and
 shared among functionaries who are permitted access to private data, when
 that use or sharing is not made publicly known at WP:SPI. I am not a
 Checkuser but perhaps someone who is a Checkuser can give some examples of
 situations when this happens. I personally know of at least two scenarios.

 2) You can't dispute the use of CU on your information if you don't know
 that it was used. It's kind of like secret wiretapping with a FISA warrant;
 if you never know you've been wiretapped, how are you supposed to challenge
 it or know whether it was used improperly? As for "various groups can
 investigate", to some extent that's true. Most of them are checkusers,
 however, and they still tend not to disclose all relevant information. I'm
 not saying that any CU is doing anything improper or that it's likely, but
 such allegations have been made in the past, and it seems like a pretty cut
 and dried case of people having a right to know how their own information
 is being used. If Wikimedia were based in Europe, it would most likely be
 required by law.

 Nathan

 When you use Wikipedia, information about what you do is logged. The same
 is true for other websites. In most cases on the internet in general, it’s
 impossible for the average user to know if their information has been used
 or disclosed in a way that is contrary to the site’s privacy policy.
 Sometimes misuse or preventable, improper disclosure of private data is made
 publicly known, as has happened with many online services being hacked for
 credit card or password information. The reality on the internet is that
 generally the information you provide can’t be guaranteed to remain private
 and secure. It is true that there can be abuses of investigative tools like
 CU, search warrants, and almost anything else. The best that can be done is
 to take reasonable precautions and to be careful about what you disclose in
 the first place, for the people who are trusted with special 

Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread Risker
On 13 June 2012 19:18, John phoenixoverr...@gmail.com wrote:

 This is something that has been bugging me for a while. When a user has
 been checkusered they should at least be notified of who performed it and
 why it was performed. I know this is not viable for every single CU action
 as many are for anons. But for those users who have been around for a
 period, (say autoconfirmed) they should be notified when they are CU'ed and
 any user should be able to request the CU logs pertaining to themselves
 (who CU'ed them, when, and why) at will. I have seen CU's refuse to provide
 information to the accused.

 See the Rich Farmbrough ArbCom case where I suspect obvious fishing, where
 the CU'ed user was requesting information and the CU claimed it would be a
 violation of the privacy policy to release the time/reason/performer of the
 checkuser.

 This screams of obfuscation and the hiding of information. I know the
 ombudsman committee exists as a check and balance, however before something
 can be passed to them evidence of inappropriate action is needed. Ergo
 Catch-22

 I know checkusers  keep a private wiki
 https://checkuser.wikimedia.org/wiki/Main_Page and I know according to our
 privacy policy we are supposed to purge our information regularly (on wiki
 CU logs exist for 90 days) however who oversees the regular removal of
 private information on the wiki?

 My proposal would be for all users who are at least auto confirmed to be
 notified and be able to request all CU logs regarding themselves at any
 point, and any mentions of themselves on the CU wiki should be retrievable.



Perhaps some full disclosure should be made here, John. You are a checkuser
yourself, have access to the checkuser-L mailing list and the checkuser
wiki, helped to set up the Audit Subcommittee on the English Wikipedia
(which carries out reviews of checkuser/oversighter actions on request);
you are also a member of the English Wikipedia functionaries mailing list
because you are a former arbitrator, a checkuser and an oversighter on
enwp (so have access there to express your concerns or suggest changes in
standards). It seems you are complaining about a specific case, and
instead of talking things out about this specific case, you've decided to
propose an entirely different checkusering standard. I'll point out in
passing that half of the spambots blocked in recent weeks by checkusers
were autoconfirmed on one or more projects, and even obvious vandals can
hit the autoconfirmed threshold easily on most projects.

Full disclosure on my part: I am also an Enwp checkuser and a member of the
Arbitration Committee.

Risker


Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread John
I am not a checkuser, I do not have access to checkuser-l, the CU wiki, or
any other private information. This goes far beyond the one case, I was
just using it as a recent example.

On Wed, Jun 13, 2012 at 7:34 PM, Risker risker...@gmail.com wrote:

 On 13 June 2012 19:18, John phoenixoverr...@gmail.com wrote:

  This is something that has been bugging me for a while. When a user has
  been checkusered they should at least be notified of who performed it and
  why it was performed. I know this is not viable for every single CU action
  as many are for anons. But for those users who have been around for a
  period, (say autoconfirmed) they should be notified when they are CU'ed and
  any user should be able to request the CU logs pertaining to themselves
  (who CU'ed them, when, and why) at will. I have seen CU's refuse to provide
  information to the accused.

  See the Rich Farmbrough ArbCom case where I suspect obvious fishing, where
  the CU'ed user was requesting information and the CU claimed it would be a
  violation of the privacy policy to release the time/reason/performer of the
  checkuser.

  This screams of obfuscation and the hiding of information. I know the
  ombudsman committee exists as a check and balance, however before something
  can be passed to them evidence of inappropriate action is needed. Ergo
  Catch-22

  I know checkusers keep a private wiki
  https://checkuser.wikimedia.org/wiki/Main_Page and I know according to our
  privacy policy we are supposed to purge our information regularly (on wiki
  CU logs exist for 90 days) however who oversees the regular removal of
  private information on the wiki?

  My proposal would be for all users who are at least auto confirmed to be
  notified and be able to request all CU logs regarding themselves at any
  point, and any mentions of themselves on the CU wiki should be retrievable.
 
 
 
 Perhaps some full disclosure should be made here John.  You are a checkuser
 yourself, have access to the checkuser-L mailing list and the checkuser
 wiki, helped to set up the Audit Subcommittee on the English Wikipedia
 (which carries out reviews of checkuser/oversighter actions on request);
 you are also a member of the English Wikipedia functionaries mailing list
 because you are a former arbitrator, a checkuser and an oversighter on
 enwp (so have access there to express your concerns or suggest changes in
 standards). It seems you are complaining about a specific case, and
 instead of talking things out about this specific case, you've decided to
 propose an entirely different checkusering standard.  I'll point out in
 passing that half of the spambots blocked in recent weeks by checkusers
 were autoconfirmed on one or more projects, and even obvious vandals can
 hit the autoconfirmed threshold easily on most projects.

 Full disclosure on my part: I am also an Enwp checkuser and a member of the
 Arbitration Committee.

 Risker


Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread Risker
My apologies to you John - and also to John Vandenberg, whose name popped
up when I cursored over this.

Please do consider expressing a concern to the Audit Subcommittee with
respect to this case, or alternately to the Ombudsman.

Risker

On 13 June 2012 19:37, John phoenixoverr...@gmail.com wrote:

 I am not a checkuser, I do not have access to checkuser-l, the CU wiki, or
 any other private information. This goes far beyond the one case, I was
 just using it as a recent example



Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread Nathan
On Wed, Jun 13, 2012 at 8:34 PM, Samuel Klein meta...@gmail.com wrote:

 On Wed, Jun 13, 2012 at 7:42 PM, John phoenixoverr...@gmail.com wrote:
  PS I am not a former arb, do not have access to functionaries mailing list,
  I do not have access nor have ever had access to any of the above including
  Oversight. I was just throwing out autoconfirmed as a line in the sand, we
  can adjust the line so that normal users can be notified while excluding
  spambots. One point could be say 50 edits and at least a month old account?

 Using a similarly arbitrary high threshold: how often are checks -
 order of magnitude - made on users who are eligible to vote in arbcom
 elections?

 SJ


At least every day, there are 5 or 6 who qualify by edit count waiting for
CU on SPI right now.

~Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread Thomas Dalton
Why shouldn't spambots and vandals be notified? Just have the software
automatically email anyone that is CUed. Then the threshold is simply
whether you have an email address attached to your account or not.

This seems like a good idea. People have a right to know what is being done
with their data.
On Jun 14, 2012 12:35 AM, Risker risker...@gmail.com wrote:

 Perhaps some full disclosure should be made here John.  You are a checkuser
 yourself, have access to the checkuser-L mailing list and the checkuser
 wiki, helped to set up the Audit Subcommittee on the English Wikipedia
 (which carries out reviews of checkuser/oversighter actions on request);
 you are also a member of the English Wikipedia functionaries mailing list
 because you are a former arbitrator, a checkuser and an oversighter on
 enwp (so have access there to express your concerns or suggest changes in
 standards). It seems you are complaining about a specific case, and
 instead of talking things out about this specific case, you've decided to
 propose an entirely different checkusering standard.  I'll point out in
 passing that half of the spambots blocked in recent weeks by checkusers
 were autoconfirmed on one or more projects, and even obvious vandals can
 hit the autoconfirmed threshold easily on most projects.

 Full disclosure on my part: I am also an Enwp checkuser and a member of the
 Arbitration Committee.

 Risker


Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread John
Yet another attempt from a checkuser to make monitoring their actions and
ensuring our privacy more difficult.

On Wed, Jun 13, 2012 at 9:10 PM, Risker risker...@gmail.com wrote:

 Each project has its own standards and thresholds for when checkusers may
 be done, provided that they are within the limits of the privacy policy.
 These standards vary widely.  So, the correct place to discuss this is on
 each project.

 Risker



Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread Philippe Beaudette, Wikimedia Foundation
I dunno, John, you almost had me convinced until that email. I saw in that mail 
a reasonable comment from Risker based on long time precedent.

As you may know, there are a number of checks and balances in place. First, the 
CUs watch each other. With a broad group, you can be assured they don't all 
always agree and there is healthy debate and dialogue. Second, enwp has an 
audit subcommittee that routinely audits the logs with a fine toothed comb.  
They are NOT all previous checkusers, to avoid the sort of groupthink that 
appears to concern you. Then, the WMF has an ombudsman commission, which also 
may audit with commission from the Board. Those people take their role very 
seriously. And last, anyone with genuine privacy concerns can contact the WMF:  
me, Maggie, anyone in the legal or community advocacy department. 

Is it an iron clad assurance of no misbehavior?  Probably not, and we will 
continue to get better at it: but I will say that in 3 years of being pretty 
closely involved with that team, I'm impressed with how much they err on the 
side of protection of privacy. I have a window into their world, and they have 
my respect. 

Best, PB
---
Philippe Beaudette
Director, Community Advocacy
Wikimedia Foundation, Inc 


Sent from my Verizon Wireless BlackBerry

-Original Message-
From: John phoenixoverr...@gmail.com
Sender: wikimedia-l-boun...@lists.wikimedia.org
Date: Wed, 13 Jun 2012 21:17:09 
To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
Reply-To: Wikimedia Mailing List wikimedia-l@lists.wikimedia.org
Subject: Re: [Wikimedia-l] CheckUser openness

Yet another attempt from a checkuser to make monitoring their actions and
ensuring our privacy more difficult.

On Wed, Jun 13, 2012 at 9:10 PM, Risker risker...@gmail.com wrote:

 Each project has its own standards and thresholds for when checkusers may
 be done, provided that they are within the limits of the privacy policy.
 These standards vary widely.  So, the correct place to discuss this is on
 each project.

 Risker


Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread Nathan
On Wed, Jun 13, 2012 at 9:24 PM, Philippe Beaudette, Wikimedia Foundation 
pbeaude...@wikimedia.org wrote:

 I dunno, John, you almost had me convinced until that email. I saw in that
 mail a reasonable comment from Risker based on long time precedent.

 As you may know, there are a number of checks and balances in place.
 First, the CUs watch each other. With a broad group, you can be assured
 they don't all always agree and there is healthy debate and dialogue.
 Second, enwp has an audit subcommittee that routinely audits the logs with
 a fine toothed comb.  They are NOT all previous checkusers, to avoid the
 sort of groupthink that appears to concern you. Then, the WMF has an
 ombudsman commission, which also may audit with commission from the Board.
 Those people take their role very seriously. And last, anyone with genuine
 privacy concerns can contact the WMF:  me, Maggie, anyone in the legal or
 community advocacy department.

 Is it an iron clad assurance of no misbehavior?  Probably not, and we will
 continue to get better at it: but I will say that in 3 years of being
 pretty closely involved with that team, I'm impressed with how much they
 err on the side of protection of privacy. I have a window into their world,
 and they have my respect.

 Best, PB
 ---
 Philippe Beaudette
 Director, Community Advocacy
 Wikimedia Foundation, Inc



There is also the Meta checkuser policy; not all policy guidance for
checkusers is set locally, they all have to abide by the global policy on
checkuser usage (which incorporates by reference the privacy policy).

To make an analogy to the health world... In the United States, the privacy
and security of health information is governed by the Health Insurance
Portability And Accountability Act (HIPAA). Part of the act is the
requirement that access to health information be auditable, and that an
accounting of access to protected information be provided to the person
concerned upon request. It's not that far out to suggest that people should
be notified when their personally identifying information is accessed on
Wikimedia, if we invest that information with the significance that many
wish to. To be honest, I'm surprised Risker doesn't agree, given the
emphasis on personal privacy demonstrated in the IPv6 thread on this list.

Nathan


Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread James Alexander
To be honest the biggest problem is that releasing this information can
hurt quite a lot. It can give away the techniques the checkuser (or
checkusers, more than one working together is very common to make sure
they're right) used to draw the connections. This is especially true for
technical information where it can easily give away 'tell-tale' signs used
as part of the determination.

Almost every time I've ever seen the information demanded it was quite
clear (usually even without any type of technical information) that the
user was guilty as charged and now they just wanted one of those two
things: A target (the CU) or the information (to find out where they went
wrong).

Yes, if a horrible checkuser was checking you, you wouldn't know instantly
but that's why we have so many checks and balances. Giving all of this
information to everyone, especially automatically, would make it almost
infinitely harder for checkusers to do their job.

James

On Wed, Jun 13, 2012 at 6:30 PM, John phoenixoverr...@gmail.com wrote:

 Risker's comment was basically let's not set a global accountability and
 ability to get CU related logs of our self on a global level, instead take
 it to each project and fight it out there; to me that reeks of obfuscation.
 Realistically this should be a global policy, just like our privacy policy
 is. Why shouldn't users know when they have been checkusered and why?


Re: [Wikimedia-l] CheckUser openness

2012-06-13 Thread John
I am not asking for checkuser results, rather the basic logs about
when/why/who may have checkusered the account. I am not asking CUs to
release IP/user-agent/other info, but to let users know that they are being
CUed, by whom and why, and to be able to request that historical
information from the CU logs.

On Wed, Jun 13, 2012 at 9:54 PM, James Alexander jameso...@gmail.com wrote:

 To be honest the biggest problem is that releasing this information can
 hurt quite a lot. It can give away the techniques the checkuser (or
 checkusers, more than one working together is very common to make sure
 they're right) used to draw the connections. This is especially true for
 technical information where it can easily give away 'tell-tale' signs used
 as part of the determination.

 Almost every time I've ever seen the information demanded it was quite
 clear (usually even without any type of technical information) that the
 user was guilty as charged and now they just wanted one of those two
 things: A target (the CU) or the information (to find out where they went
 wrong).

 Yes, if a horrible checkuser was checking you, you wouldn't know instantly
 but that's why we have so many checks and balances. Giving all of this
 information to everyone, especially automatically, would make it almost
 infinitely harder for checkusers to do their job.

 James
