Trust and Safety Product/Temporary Accounts/Updates/Legal
First of all, we'd like to thank everyone for participating in the discussions. We appreciate the attention to detail, the careful consideration, and the time spent on our project. We would like to explain in more detail how this project came about and the risks that inspired this work.
Please take into account that sometimes, we can't publicly share all of the details of our thinking; but we read your comments and perspectives, and they're very helpful for us in advising the Foundation.
[edit]
Hello! We have published a new policy page: Access to temporary account IP addresses. It explains how users can gain access to IP addresses. Later, we will update the section on using IP addresses. In it, we will add information on how and where to access the IP addresses, and what is logged when IP addresses are accessed. There is also a new page with frequently asked questions. Both pages use the term "temporary user accounts". This name comes from the first version of the software (MVP). Soon, we will share more information about it. We welcome your comments on the talk page.
[edit]
Background
[edit]To explain how we arrived here, we'd like to look backwards. Wikipedia and its sibling projects were built to last. Sharing the sum of all knowledge is a long-term vision which can't be achieved in any of our lifetimes. But the technical and governance structures serving that vision were not long-term. Instead, they were of the time they were designed.
Many of these features have thrived. Wikimedia projects were ahead of the rest of the internet. Wikimedians have known that privacy and anonymity are key to share and consume free knowledge. The Foundation has collected little information about users. Email addresses have not been needed for registration. The Foundation has also recognized that IP addresses are personal data. (See, for example, the 2014–2018 version of our Privacy policy).
Over the last 20 years, a lot has evolved, though. Societies use and relate to the internet in new ways. Regulations and policies that impact how online platforms run have appeared. Users have different expectations for how a website will handle their data.
The external situation has particularly changed in the past five years. Users and governments have become more concerned about online privacy. The collection, storage, handling, and sharing of personal data are now discussed. New laws and best practices have emerged. The European Union's General Data Protection Regulation, which went into effect in May 2018, has set the tone for a global dialogue. It also defined what rights individuals should have to understand and control the use of personal data. In the last few years, related laws around the world have been changing. Look at the conversations, draft bills, and new laws in, for example, Brazil, India, Japan, or the United States.
The decision to hide IP addresses and the legal risks mitigated by it
[edit]A few years ago, as the Foundation's Privacy team, we assessed that publishing IP addresses of non-logged-in contributors should change. It creates risk to users whose information is published in this way.
Despite the notices on wikis explaining how attribution works, non-logged-in editors are surprised to see their IP address on the history page. Some of them are in locations where Wikimedia are controversial. They worry that the exposure of their IP address may allow their governments to target them. IP addresses can be associated with a single user or device. This way, they can be used to identify and locate non-logged-in users and link them with their on-wiki activity.
The impact on the communities
[edit]We understand that IP addresses play a major part in the protection of the wikis. They allow users to fight vandalism and abuse. We need to work on this project with the communities. Only by taking your observations and ideas into account we will be able to make this change.
Even when IP addresses are masked and we build new tools to support your anti-vandalism work, this project will not end. It's going to be an iterative process instead. We will ask you what works and what doesn't, so that the new tools can be improved and adapted to fit your needs.
Questions
[edit]Q: I see that the team preparing these changes is proposing to create a new userright for users to have access to the IP addresses. Does access to the full IP address associated with a temporary account constitute nonpublic personal information as defined by the Confidentiality agreement for nonpublic information? Will users seeking this new userright be required to sign the Access to nonpublic personal data policy or some version of it?
- If yes, then will I as a checkuser be able to discuss relationships between registered accounts and their IP addresses with holders of this new userright, as I currently do with other signatories?
- If no, then why we are going to all this trouble for information that we don't consider nonpublic?
- In either case, will a checkuser be permitted to disclose connections between registered accounts and unregistered username masks?
A: Partially yes. First, yes, anyone who has access to the right will need to acknowledge in some way that they are accessing this information for the purposes of fighting vandalism and abuse on the wikis. We are working on how this acknowledgement will be made. The process to gain access is likely to be something less complex than signing the access to non-public personal data agreement.
As to how this would impact CUs, right now, the access to non-public personal data policy allows users with access to non-public personal data to share that data with other users who are also able to view it. So a CU can share data with other CUs to carry out their work. We are maintaining a distinction between logged-in and logged-out users. So a CU would not be able to share IP addresses of logged-in users with users who have this new right, because users with the new right would not have access to such information.
Presuming that the CU also opts in to see IP addresses of non-logged-in users, under the current scheme, that CU would be able to share IP address information demonstrating connections between logged-in users and non-logged-in users who had been masked with other CUs who had also opted in. They could also indicate to users with the new right that they detected connections between logged-in and non-logged-in users. However, the CU could not directly share IP addresses of the logged-in users with non-CU users who only have the new right.
Please let us know if this sounds unworkable. As mentioned above, we are figuring out the details, and want to get your feedback to make sure it works.
[edit]
This statement from the Wikimedia Foundation Legal department was written on request for the talk page and comes from that context. For visibility, we wanted you to be able to read it here too.
On some occasions, we need to keep specifics of our work or our advice to the organization confidential, due to the rules of legal ethics and legal privilege that control how lawyers must handle information about the work they do. We realize that our inability to spell out precisely what we're thinking and why we might or might not do something can be frustrating in some instances, including this one. Although we can't always disclose the details, we can confirm that our overall goals are to do the best we can to protect the projects and the communities at the same time as we ensure that the Foundation follows applicable law.
Within the Legal Affairs team, the privacy group focuses on ensuring that the Foundation-hosted sites and our data collection and handling practices are in line with relevant law, with our own privacy-related policies, and with our privacy values. We believe that individual privacy for contributors and readers is necessary to enable the creation, sharing, and consumption of free knowledge worldwide. As part of that work, we look first at applicable law, further informed by a mosaic of user questions, concerns, and requests, public policy concerns, organizational policies, and industry best practices to help steer privacy-related work at the Foundation. We take these inputs, and we design a legal strategy for the Foundation that guides our approach to privacy and related issues. In this particular case, careful consideration of these factors has led us to this effort to mask IPs of non-logged-in editors from exposure to all visitors to the Wikimedia projects. We can't spell out the precise details of our deliberations, or the internal discussions and analyses that lay behind this decision, for the reasons discussed above regarding legal ethics and privilege.
We want to emphasize that the specifics of how we do this are flexible; we are looking for the best way to achieve this goal in line with supporting community needs. There are several potential options on the table, and we want to make sure that we find the implementation in partnership with you. We realize that you may have more questions, and we want to be clear upfront that in this dialogue we may not be able to answer the ones that have legal aspects. Thank you to everyone who has taken the time to consider this work and provide your opinions, concerns, and ideas.