On 14 March and 15 March 2018, a CentralNotice banner appeared to some 
logged-out users viewing English Wikipedia pages. The banner contained 
JavaScript hosted by Facebook, which allowed Facebook to collect traffic data 
from those who visited a page with a banner. The banner was prepared by the 
Wikimedia Foundation. The Foundation turned the banner off as soon as we 
learned how the script was running, and its potential scope. We have also 
removed all references to the code in question from CentralNotice on Meta-Wiki.

The code utilized in this banner was based on an unused prototype created by an 
outside vendor. Because the prototype was never enabled, the vendor’s prototype 
code was not subjected to our standard quality assurance process. However, we 
made the mistake of reusing the code for a different purpose, and implementing 
it based on recommendations in documentation from Twitter and Facebook to 
improve the appearance of shared links. At the time, our understanding was that 
the platforms would only receive traffic data if the user clicked on the link. 
Although this was true for Twitter, the Facebook code operated differently.

We discovered the problematic link configurations during our ongoing monitoring 
of live banners. The recommended code enhanced not only the appearance of 
links, it also enhanced Facebook's ability to collect information on people 
visiting non-Facebook sites. As soon as we realized these banners were sharing 
information without even having to click the link, we disabled them and began 
an investigation. Staff in multiple departments are collaboratively reviewing 
the incident as well as procedural and technical improvements to prevent future 

While this sort of tracking is commonplace today across most of the internet, 
it is not consistent with our policies. We are disappointed that this type of 
hidden data collection is routinely recommended by major platforms, without 
clearer disclosure.

These practices are why we all must regularly take routine steps to maintain a 
secure computer and account. As the Wikimedia Foundation continues to explore 
ways we can do that within Wikimedia's platform, we encourage you to consider 
tools which block unwanted third-party scripts like the one provided by 

We apologize for sending this late on a Friday (San Francisco time). However, 
we wanted to provide this information as quickly as possible.
Wikimedia-l mailing list, guidelines at: 
https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines and 
New messages to: Wikimedia-l@lists.wikimedia.org
Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, 

Reply via email to