On 13/04/15 00:12, Trillium Corsage wrote:
> On 25 April last year, the board of trustees approved, in a
> non-public and scantily-documented meeting, a policy that accords
> Checkuser and Oversight and other statuses to "community" members
> appointed by a community process with essentially a mere two
> requirements: provide an email address, and assert that you are 18
> or over. Name, address, NOT required. Is this truly an adequate way
> to protect the privacy interests of all those that edit Wikipedia?
> Well, I don't think so, but my purpose right now is to try to
> eliminate the ambiguity of what is actually occurring at this
> time.

I was not involved in the development of this policy, either the
original one or the current iteration. So what follows are my
independent, unofficial thoughts on the issue.

I don't know what identifying people with checkuser permissions is
meant to achieve, when they are not liable for a breach of the privacy
policy. I can understand requiring identification for Board members,
who have legal responsibilities. But what is the point of having a
photocopy of a CheckUser's passport when there are no conceivable
circumstances under which you would give that photocopy to police?

Maybe the idea is that if a CheckUser publically doxes someone for
some petty purpose, such as revenge, then the victim may subpoena
identifying records from the Foundation as part of a suit against the
CheckUser. Note that I have done my fair share of troll hunting, it
occupied quite a bit of my time between when I first got shell access
in early 2004 and when I introduced CheckUser in late 2005. I have
publically discussed identifying information of logged-in users. I
never heard any credible theory on how my actions at that time might
have created legal liability. Surely, if there was such a legal
remedy, trolls would constantly threaten to use it.

I think that the most important practical measure we can take to
protect users' privacy against CheckUser is to regularly audit the
CheckUser logs. We should also work to improve their auditability. The
logs have hundreds of entries of the form:

* AdminUser got IP addresses for Spambot10255787 (Investigating spam)
* AdminUser got users for (Investigating spam)

What auditor is ever going to do another CheckUser request to make
sure that really was an IP address used by
Spambot10255787? How can we tell if AdminUser was interested in for some other reason? Linked log entries should probably
be explicitly annotated by the software.

-- Tim Starling

Wikimedia-l mailing list, guidelines at: 
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Reply via email to