I've been digging around in our cookie jar, as part of my work with
Fundraising, and I have a few questions about the cookies we set on
anonymous users.

First, I am deeply impressed with the care we have taken to respond to
the community's privacy concerns, and after first-hand experience
negotiating with our lawyers to implement an additional cookie, I think
that WMF deserves its place as a model to the rest of the internet. I
would like to help clean up or at least explain the few oversights I
identify below, so that we can be fully confident that we are doing
everything we can to prevent abuse of our visitors' privacy.

1) Anonymous users are given a 1-year cookie which uniquely identifies
them. After logging out and clearing all cookies from my browser, I
visited en.wikipedia.org and received this cookie. Why would an
anonymous user be given an identifying token?

    mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org

2) Anonymous users are enrolled in clicktracking. I was surprised
because the extension page at
http://www.mediawiki.org/wiki/Extension:ClickTracking specifies that it
affects "users", and I think it should very explicitly state that it
affects "logged-in users and anonymous visitors" if that is really the
intention.

    clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org

3) Registered users' cookies are not cleared at logout. This seems like
a pretty basic fix.

    enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly

Ideally, an anonymous user, whether or not they have ever been logged in
as a registered user, will not transmit any personally identifying
information in their requests. All three of these cookies violate that
principle. I have not found any public debate on the issue; hopefully
others are interested in this topic.

Regards,
Adam Wight
_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
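
The check described in the message above can be repeated against any capture of Set-Cookie headers from a logged-out session. The following is an added example, not part of the original message and not MediaWiki code; the observation date, the token heuristic, the one-day lifetime threshold and the "UserName" suffix rule are assumptions chosen for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The three Set-Cookie values quoted in the message (line wraps joined).
SAMPLE = [
    "mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org",
    "clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org",
    "enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly",
]
# Assumed capture date, inferred from the "1-year cookie" remark; not stated in the message.
OBSERVED = datetime(2012, 12, 18, tzinfo=timezone.utc)

def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    first, *attrs = [p.strip() for p in line.split(";")]
    name, _, value = first.partition("=")
    attr = {}
    for a in attrs:
        key, _, val = a.partition("=")
        attr[key.lower()] = val
    return name, value, attr

def looks_like_token(value):
    """Heuristic (assumption): long, varied alphanumeric values are per-visitor identifiers."""
    return len(value) >= 16 and value.isalnum() and len(set(value)) >= 10

def audit(lines, observed, max_days=1):
    """Flag cookies that would let an anonymous visitor be recognised across requests."""
    report = {}
    for line in lines:
        name, value, attr = parse_set_cookie(line)
        findings = []
        if looks_like_token(value):
            findings.append("unique-id")
        if "expires" in attr:
            days = (parsedate_to_datetime(attr["expires"]) - observed).days
            if days > max_days:
                findings.append(f"persistent:{days}d")
        if name.lower().endswith("username"):  # assumption: naming pattern seen in item 3
            findings.append("names-account")
        report[name] = findings
    return report

if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE, OBSERVED).items():
        print(f"{cookie}: {', '.join(findings) or 'ok'}")
```

A cookie with no `expires` attribute, such as the clicktracking one, is a session cookie, so it is flagged only for carrying a unique value and not for persistence.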