Mr. Starling, thanks for your response. I have to preface this by saying my 
opinions are legitimate criticism and rightly motivated, but I nevertheless 
fear that they won't be allowed on the mailing list and that I will be kicked 
off it because of them.

> I don't know what identifying people with checkuser permissions is
> meant to achieve, when they are not liable for a breach of the privacy
> policy. I can understand requiring identification for Board members,
> who have legal responsibilities. But what is the point of having a
> photocopy of a CheckUser's passport when there are no conceivable
> circumstances under which you would give that photocopy to police?

No, there are plenty of conceivable circumstances under which the WMF would be 
compelled to identify a community administrator to the police, such as a 
lawsuit for cyberstalking. For example, WMF Steward "Tbloemink" and global sysop 
"JurgenNL" engaged in the stalking of Moiramoira via IRC, harassing phone calls, 
and a visit to her home in which they peeped in her windows. 
They did use their advanced administrative rights to identify her. So a 
criminal or civil case could be brought in which a subpoena for the passport 
would be lawfully issued.

In the broader picture, requiring identification would improve the behavior of 
any bad administrator that has slipped through the cracks and uses the advanced 
tools to violate users' privacy. Why? Because anonymity reduces the risks 
involved with bad behavior. So they are no longer restrained by personal 
accountability in checkusering people. They can do as they like, use the 
information in any way they like, and, beyond desysoping I guess, can never be 
held to account.  

> Maybe the idea is that if a CheckUser publically doxes someone for
> some petty purpose, such as revenge, then the victim may subpoena
> identifying records from the Foundation as part of a suit against the
> CheckUser. Note that I have done my fair share of troll hunting, it
> occupied quite a bit of my time between when I first got shell access
> in early 2004 and when I introduced CheckUser in late 2005. I have
> publically discussed identifying information of logged-in users. I
> never heard any credible theory on how my actions at that time might
> have created legal liability. Surely, if there was such a legal
> remedy, trolls would constantly threaten to use it.

Your presumption here is that administrators across the board are honorable 
troll hunters fulfilling a community duty, but the reality is somewhat 
different. The demonization of an editor as "troll" and "sockpuppet" and so 
forth is often falsely used by the administrator as an excuse for acting on his 
or her personal antipathies. They become irritated at an editor and set out to 
attack him or her; there are no controls on or standards for their actions.

> I think that the most important practical measure we can take to
> protect users' privacy against CheckUser is to regularly audit the
> CheckUser logs. We should also work to improve their auditability. The
> logs have hundreds of entries of the form:

Yeah, that's a great idea, but further make it *publicly* auditable. Redact the 
privacy (IP) information and let the public know whom the checkusers are 
checkusering. Another great step would be to force entry of a *reason* before 
the checkuser tool can be used. As I understand it from all I've read, the 
checkuser tool now has a "reason" field, but it can be left blank. Reconfigure 
the tool to force entry of a reason for its use. And this also would immensely 
improve the ability to audit the logs.

13.04.2015, 01:56, "Tim Starling" <>:
> On 13/04/15 00:12, Trillium Corsage wrote:

<text clipped for brevity>
