Jump to content

Talk:Privacy policy: Difference between revisions

From Meta, a Wikimedia project coordination wiki
Content deleted Content added
Alexpl (talk | contribs)
Line 1,033: Line 1,033:
::::+1 ...[[Special:Contributions/84.133.109.103|84.133.109.103]] 09:38, 10 December 2013 (UTC)
::::+1 ...[[Special:Contributions/84.133.109.103|84.133.109.103]] 09:38, 10 December 2013 (UTC)
::::+1 [[User:-jkb-|-jkb-]] 09:41, 10 December 2013 (UTC)
::::+1 [[User:-jkb-|-jkb-]] 09:41, 10 December 2013 (UTC)
::::+1 <small>I told you so."Dance"</small> [[User:Alexpl|Alexpl]] ([[User talk:Alexpl|talk]]) 09:57, 10 December 2013 (UTC)

Revision as of 09:57, 10 December 2013

Shortcut:
T:P
This is the talk page for discussing Wikimedia's Privacy Policy.
Please contact the Ombudsman commission if you wish to report a Privacy Policy violation.


What is changing?

Several comments below ask about what’s new in this draft as compared to the current privacy policy. To help new folks just joining the conversation, we have outlined the main changes in this box. But feel free to join the discussion about these changes here.

As a general matter, because the current privacy policy was written in 2008, it did not anticipate many technologies that we are using today. Where the current policy is silent, the new draft spells out to users how their data is collected and used. Here are some specific examples:

  1. Cookies: The current policy mentions the use of temporary session cookies and broadly states some differences in the use of cookies between mere reading and logged-in reading or editing. The FAQ in the new draft lists specific cookies that we use and specifies what they are used for and when they expire. The draft policy further clarifies that we will never use third-party cookies without permission from users. It also outlines other technologies that we may consider using to collect data like tracking pixels or local storage.
  2. Location data: Whereas the current policy does not address collection and use of location data, the draft policy spells out how you may be communicating the location of your device through GPS and similar technologies, meta data from uploaded images, and IP addresses. It also explains how we may use that data.
  3. Information we receive automatically: The current policy does not clearly explain that we can receive certain data automatically. The new draft explains that when you make requests to our servers you submit certain information automatically. It also specifies how we use this information to administer the sites, provide greater security, fight vandalism, optimize mobile applications, and otherwise make it easier for you to use the sites.
  4. Limited data sharing: The current policy narrowly states that user passwords and cookies shouldn’t be disclosed except as required by law, but doesn’t specify how other data may be shared. The new draft expressly lists how all data may be shared, not just passwords and cookies. This includes discussing how we share some data with volunteer developers, whose work is essential for our open source projects. It also includes providing non-personal data to researchers who can share their findings with our community so that we can understand the projects and make them better.
  5. Never selling user data: The current policy doesn’t mention this. While long-term editors and community members understand that selling data is against our ethos, newcomers have no way of knowing how our projects are different from most other websites unless we expressly tell them. The new draft spells out that we would never sell or rent their data or use it to sell them anything.
  6. Notifications: We introduced notifications after the current policy was drafted. So, unsurprisingly, it doesn’t mention them. The new draft explains how notifications are used, that they can sometimes collect data through tracking pixels, and how you can opt out.
  7. Scope of the policy: The current policy states its scope in general terms, and we want to be clearer about when the policy applies. The new draft includes a section explaining what the policy does and doesn’t cover in more detail.
  8. Surveys and feedback: The current policy doesn’t specifically address surveys and feedback forms. The new draft explains when we may use surveys and how we will notify you what information we collect.
  9. Procedures for updating the policy: The new draft specifically indicates how we will notify you if the policy needs to be changed. This is consistent with our current practice, but we want to make our commitment clear: we will provide advance notice for substantial changes to the privacy policy, allow community comment, and provide those changes in multiple languages.

This is of course not a comprehensive list of changes. If you see other changes that you are curious about, feel free to raise them and we will clarify the intent.

The purpose of a privacy policy is to inform users about what information is collected, how it is used, and whom it is shared with. The current policy did this well back when it was written, but it is simply outdated. We hope that with your help the new policy will address all the relevant information about use of personal data on the projects. YWelinder (WMF) (talk) 01:07, 6 September 2013 (UTC)



NSA, FISC, NSL, FISAAA, PRISM...

The WMF and many people with access to nonpublic information (like (for users with accounts) their IP addresses and possibly their email addresses) are subject to the contradictory laws of the USA. The WMF and many people with access to nonpublic information may be required to make such information available to unaccountable agencies while being legally restrained from telling them that the information was shared. Admitting new information sharing mechanisms, or even just the requests may result in imprisonment without trails, without access to the laws leading to imprisonment, or even transcripts of the decisions, evidence, or who their accusers were.

Until the WMF and people with access to nonpublic information remove themselves from such jurisdictions, the guarantees in the WMF's privacy policy, the access to nonpublic information policy, the data retention guidelines, the transparency report, and the requests for user information procedure, are untrue.

To service campaign contributors, your information may be given to third parties for marketing purposes.

Your data may be secretly retained by the WMF for as long as required by US agencies, and/or by those agencies themselves for as long as they want.

The WMF may be prevented from revealing their actual policies but forced to claim that they protect users' privacy per their public policies. -- Jeandré, 2013-09-04t12:47z

See also Talk:Privacy policy/Call for input (2013)#Technical and legal coercion aspects.

Hi Jeandré, while I'm someone who knows for a fact that we would strongly rebel against secret requests and unreasonable demands from the government (any government) I'm certainly sympathetic to these concerns (I think much of what the US government has done is illegal and immoral). That said I have yet to see where we could 'go' to remove everyone from jurisdictions where this (or other equally bad issues) would be a problem. Europe, for example, is generally not better, it has significant issues as well. Jalexander (talk) 20:07, 4 September 2013 (UTC)
As far as I know, the voters in New Zealand and Iceland care about doing the right thing, and don't have the same kinds of laws as the USA and UK. -- Jeandré, 2013-09-05t09:27z
Les lois européennes sont infiniment plus protectrices que les lois américaines. Pourquoi croyez-vous que les grosses sociétés informatique (Google, Micro$oft, Apple, etc.) essaient d'imposer, heureusement sans trop de succès (voir les quelques affaires récentes, par exemple entre Google et les CNIL européennes) , que ce soit le droit américain qui s'applique au détriment du droit européen ? 78.251.243.204 20:18, 5 September 2013 (UTC)
Et de toutes façons ce n'est pas seulement une question de quelle loi est plus protectrice ou pas, c'est une question de que les lois des différents pays doivent être respectées. Chaque pays est souverain et établit ses lois de manière démocratique, on n'a pas à lui imposer des lois qui n'ont aucune légitimité. Seuls les Américains votent pour élire leur congrès. Les lois américaines ne s'appliquent donc qu'à eux 78.251.243.204 20:21, 5 September 2013 (UTC)

PRISM etc

Not sure if this is completely on topic, please point me towards the discussion if not, this is not my area of knowledge.

  1. Is the Wikimedia Foundation subject to the same FISA laws that Microsoft, Google etc have had to comply with and give over information?
  2. If so does the Wikimedia Foundation record anything they may want?
  3. If so this privacy policy will need to reflect this.

--Mrjohncummings (talk) 16:06, 4 September 2013 (UTC)

  • Note that it may illegal for Foundation to admit that they give over information to USA government. 89.74.119.184 19:18, 4 September 2013 (UTC)
The WMF has been very clear that we have not been contacted in relation to that. General Counsel Geoff Brigham said in a blog post that "The Wikimedia Foundation has not received requests or legal orders to participate in PRISM, to comply with the Foreign Intelligence Surveillance Act (FISA), or to participate in or facilitate any secret intelligence surveillance program. We also have not “changed” our systems to make government surveillance easier, as the New York Times has claimed is the case for some service providers." Philippe (WMF) (talk) 20:58, 4 September 2013 (UTC)
Just to add to what Philippe has said, it is our understanding of the law that we can not be forced to 'Lie' (though they can force us to not comment/confirm including while we fight for it to be released), while I can certainly understand people's concerns about "them not even being able to tell us if it's true" I really do stress that we haven't received anything and would fight like crazy if we did. Also, we're really really bad liars, we are an incredibly leaky organization. Jalexander (talk) 08:03, 5 September 2013 (UTC)
This may be a crackpot idea, but given that you cannot be forced to lie, but can be forced to keep quiet, would it be possible for somebody - perhaps in the legal department - to report on a regular basis in a regular spot that "We haven't been contacted by the US Gov't this week to provide any information on users"? Smallbones (talk) 01:05, 7 September 2013 (UTC)
"Also, we're really really bad liars, we are an incredibly leaky organization." I assume that you're joking, but if you're not, why have a privacy policy at all? (Not joking.) -- Gyrofrog (talk) 03:59, 8 September 2013 (UTC)
Given the choice between believing Microsoft/Google/Facebook/US.gov or Snowden, I'd go with Snowden every time. I think the current evidence shows that the people at Google are lying by commision because they're being forced to. While I have orders of maginitude more trust in the people at the WMF than those at Google, I think Ladar Levison's decision to shut down Lavabit and his strong recommendation against trusting organizations "with physical ties to the United States" indicates that he didn't want to lie by commision. -- Jeandré, 2013-09-05t09:27z
Appreciate the discussion. Smallbones (talk · contribs)' suggestion is that we implement what is actually the well-known Warrant canary scheme. Part of Jeandré du Toit (talk · contribs)'s excellent point is that it seems like either Google or Snowden are lying, and that if Google is lying, warrant canaries don't seem to work against the full might of the US Government. Was lavabit publishing a warrant canary? More importantly, should the WMF be doing so on a more regular basis? (the comments from Philippe & Jalexander are great for today, but not regularly made.) --Elvey (talk) 22:21, 8 September 2013 (UTC)
Even if the 2013-06-08 released slide is wrong, and organizations are not currently forced to lie by commission, but only by omision; then a warrant canary still wouldn't help if a WMF developer is asked to contravene the privacy policy (and/or the access to nonpublic information policy, the data retention guidelines, the transparency report, the requests for user information procedure) and forced not to tell the people who provide the warrant.
Every possible person with the ability to contravene these policies and who is subject to US law, would then have to provide daily warranties. I'm not actually suggesting this, because I think the 2013-06-08 released slide is correct, and organizations like Google are being forced to lie by commission.
Until this is clarified, I don't think any privacy policy from any organization "with physical ties to the United States" can be truthful unless it clearly states that it can't currently protect anyone's privacy if the powers that be come knocking. -- Jeandré, 2013-09-23t10:09z
Is it possible for anyone to verify exactly what software the WMF's servers are running and how the software is configured? It is trivial to download Mediawiki and various extensions, but is it possible for anyone to verify that the version of Mediawiki as run by the WMF isn't modified to provide information to the NSA? --Stefan2 (talk) 12:57, 5 September 2013 (UTC)
We are very transparent about our servers, how they are configured, and what they run. For example, you can see our production code and deployment recipes on Gerrit and piles of additional information on Wikitech. So I don’t think we object to transparency like that in principle. But verification that source code matches specific binaries is an extremely difficult challenge, even under relatively small and controlled circumstances where you can control every part of the build, and where you’re simply asking about a binary at one point in time, rather than on a live, running system. To do the same thing for an entire network infrastructure (not just Mediawiki, but the web server, operating system, network switches, etc.) would be effectively impossible, both in terms of difficulty and in terms of making it secure (since it would require trusted access to the live system in order to perform monitoring). Even if it were achievable, it would also make management difficult in practice: for example, we sometimes have security patches deployed that are not yet public (for legitimate, genuine security reasons), and we also have to be able to change configurations quickly and fluidly in response to changes in traffic, performance, etc., and doing this would be difficult if configurations and binaries had to be checksummed, compared, verified, etc. - LVilla (WMF) (talk) 02:05, 6 September 2013 (UTC)
Given everything that's happened, I'm not so sure I trust anyone anymore about what is and isn't watched/kept. I now assume everything is being watched/recorded/analyzed online. You can only hide in the bushes for so long, eventually you'll want to come out and play (online), so I guess you suck it up and move on. Government never tells you about it, one guys leaks it, then they move to make it more transparent and do the about face. Makes you wonder what else they're hiding, and it's sad that they have to hide it from us... 99.251.24.168 02:35, 6 September 2013 (UTC)
I understand why you are finding it hard to trust anyone, and I am glad that Stefan2 was trying to be creative about ways to increase trust. I just don't think this particular idea solves the problem. If it helps, we're trying to work on this issue; most notably right now by pushing the US government to allow more transparency from targets of national security letters. Suggestions on how else we can do that are welcome. - LVilla (WMF) (talk) 17:09, 6 September 2013 (UTC)
Of course it would be a bad idea to give anyone unlimited read access to the live servers. For example, it would allow anyone to extract any information from any database table, including information normally only available to checkusers and oversighters. Thanks, your reply sounds reassuring. --Stefan2 (talk) 19:13, 6 September 2013 (UTC)
Although I do not have any questions at this time concerning this, I wanted to thank you for addressing it in advance as it would have come to mind as I do live in the United States. Koi Sekirei (talk) 00:50, 8 September 2013 (UTC)
Prisms may still be used for disco parties. — The preceding unsigned comment was added by 180.216.68.185 (talk) 14:29, 11 Sep 2013 (UTC)

I'm probably about to be dismissed as a nut case, but I would favor simply havin g Wikipedia programmed to automatically post any government requests in an appropriately titled article. 24.168.74.11 19:33, 12 September 2013 (UTC)

It's not nutty to want more transparency on this issue, but it's impossible to do this in an actual, automated fashion, and not clear that a semi-automated process is legal. We will be pushing shortly an overall transparency report, and we plan to do that regularly in the future. Hopefully that resolves some of the concerns. -LVilla (WMF) (talk) 16:29, 30 September 2013 (UTC)

Subject to US law

I think we should expand the section on the data being kept in the USA, and therefore subject to American laws. The PATRIOT Act comes to mind, where they can and will use any data you store in the US at any point in time against you at a later date. Doesn't matter where you live. So you might not want to post that nasty anti-American rant on a talk page, it might come back to bite you in the choo-choo later... Or the DMCA. I think of a certain Russian computer scientist who could have been arrested had he came to the US to give a speach as he posted information on anti-circumvention measures (Dmitry Sklyarov) ... Oaktree b (talk) 22:09, 4 September 2013 (UTC)

While some of this may be true (though there are lots of laws in Europe and other countries which can be problematic with what you post too and the US allows) I'm not sure I understand your example. There is very little (if any) added risk to posting your anti-american rant on the talk page on an American server. There are certainly risks, but the PATRIOT act does not necessarily make it more risky (especially given the legal system and our desire to fight against demands) then many other location options. Jalexander (talk) 00:29, 5 September 2013 (UTC)

This section concerns me as well as worries me. "to comply with the law, or to protect you and others" I think most of us are aware that our freedom in all areas is slowly but steadily eroding. In many countries, there is not even a pretense at giving freedom priority over other values, while in many others it is only a pretense. I wonder if there is a country left in the world that has not put that value at the bottom of a list of many other values like security and equality. Politicians and lawyers can and will find a way to abuse that which they can abuse for their own purposes. Laws were made to facilitate the sending of millions of people into concentration camps, why should they stop at keeping knowledge sacred? "to comply with the law, or to protect you and others" That is a mightily large back door.

Well I live in Canada, and even if I do my edits in Canada, should I do something distasteful to the Americans, they can hold me at the border for some stupid reason. We also have data privacy laws here in Canada (PIPEDA), but those don't apply to Canadian data stored on American servers. My point is you're essentially at their mercy, whether you like it or not. Just so people are made to understand that. You live in country XYZ, but American law applies to your edits and any data you divulge, so beware. 99.251.24.168 02:09, 6 September 2013 (UTC)
C'est partiellement mais pas complètement vrai, je pense. Une légende court depuis longtemps qui voudrait que c'est la loi du pays où se trouve les serveurs qui s'applique. La jurisprudence n'est pas encore établie, mais pour l'instant c'est faux. Les serveurs étant situés aux EU, les lois américaines s'appliquent en partie. Mais les producteurs et les consommateurs de contenu étant dans d'autres pays, d'autres lois peuvent s'appliquer. Par exemple, pour la Wikipédia francophone, une grosse partie des producteurs et les consommateurs de contenu se trouvant dans d'autres pays comme la France, le Canada, la Belgique, etc., il est très probable que certaines des lois de ces pays s'appliquent. Par exemple, une société dont le siège et les serveurs sont localisés au Luxembourg ont été condamné à appliquer le droit français ; Twitter a été poursuivi pour ne pas appliquer les lois françaises relatives à la liberté d'expression, mais l'affaire n'est pas allée jusqu'au procès car Twitter a préféré passer un accord avec les parties civiles ; Google est attaquée par les différentes CNIL européennes pour non respect des lois européennes de protection des données personnelles, plus contraignantes que les lois américaines ; dans ces deux cas, Twitter et Google prétendent qu'ils ne doivent appliquer que les lois américaines, mais cela est fortement contesté, et on peut douter que la justice leur donne raison. Ce serait très commode pour les entreprises multinationnales, mais quelle perte de souveraineté pour les citoyens et les pays concernés ! Je n'y crois pas du tout 78.251.253.2 11:18, 6 September 2013 (UTC)
Thanks for your comment. Please see my response to a related discussion here. YWelinder (WMF) (talk) 19:42, 7 September 2013 (UTC)

Thanks for raising this question. I’ll tackle it in two parts:

First, generally: as we say in more detail in the policy’s section on our legal obligations, we must comply with applicable law, but we will fight government requests when that is possible and appropriate. For example, unlike some websites, we already are pretty aggressive about not complying with subpoenas that are not legally enforceable. (We’ll have precise numbers on that in a transparency report soon.) We’d love to hear specific feedback on how we can improve that section, such as additional grounds that we should consider when fighting subpoenas.

In addition, we are currently working on a document that will explain our policy and procedure for subpoenas and other court orders concerning private data. We will publish the document publicly, follow it when responding to requests, and also provide it to law enforcement so that they know about our unusually strict policy on protecting user data.

Second, with regards to surveillance programs like PRISM and FISA court orders: We are subject to US law, including FISA. However, as we have previously publicly stated, we have not received any FISA orders, and we have not participated in or facilitated any government surveillance programs. In the unlikely instance that we ever receive an order, we are making plans to oppose it.

Beyond the legal realm, we continue to evaluate and pursue appropriate public advocacy options to oppose government surveillance when it is inconsistent with our mission. For example, the Wikimedia Foundation signed a letter with the Center for Democracy and Technology requesting transparency and accountability for PRISM. If you are interested in proposing or engaging in advocacy on this issue, please consider joining the advocacy advisory group. We also continue to implement technical measures that improve user privacy and make surveillance more difficult. For example, we enabled HTTPS on Wikimedia sites by default for logged in users. For more information, see our HTTPS roadmap.

As always, we greatly appreciate your input on this complex issue. Please note that if you have questions that are specific to surveillance, and not tied to the privacy policy itself, the best place to discuss those is on the Meta page on the PRISM talk page, not here.

Best, Stephen LaPorte (WMF) (talk) 00:03, 6 September 2013 (UTC)

La question n'est pas de résister du mieux possible à l'application de lois avec lesquelles nous ne sommes pas d'accord : les lois sont là, elles ont été votées démocratiquement, nous devons les appliquer, point barre. Nous ne devons pas faire de politique ! Occupons-nous plutôt d'écrire l'encyclopédie, et appliquons les lois quand elles s'appliquent, de quelque pays qu'elles soient 78.251.253.2 11:38, 6 September 2013 (UTC)
Nous ne devons pas faire de politique? C'est une position que j'ai du mal à comprendre, pour la raison suivante: à quoi bon contribuer à une encyclopédie si elle aussi devient un instrument de répression? Au contraire, je suis persuadé que l'histoire nous apprend que nous devons résister aux lois injustes le mieux possible ... bien qu'on puisse parler de votes démocratiques dans le cas des lois en question, je conteste cette interprétation (à la surface, c'en étaient -- modulo la désinformation, la corruption/le lobbyisme, la pression venant des services secrets ...), elles ont été promulguées par un électorat en majorité analphabète en matière de technologie, donc sujet à toute sorte de manipulation -- les avis d'experts indépendants ne comptent plus pour des nèfles. C'est la peur qui gouverne la société pré-(techno)fasciste, pas la raison.
Summary: I strongly oppose unquestioning compliance with unjust laws, passed democratically or not. We can not abstain from being political in this matter because otherwise what we do becomes part of the unjust system. Ɯ (talk) 10:51, 10 September 2013 (UTC)

Localisation des serveurs aux Etats-Unis et loi applicable

Les explications indiquent que les serveurs sont situés aux Etats-Unis et que nous devons accepter que ce soit la loi américaine de protection des données personnelles qui s'applique, même si elle est moins protectrice que la nôtre, et que dans le cas contraire nous ne devons pas utiliser Wikipédia. Ca veut dire que nous devons nous barrer tout de suite ? De toutes façons, je ne crois pas que ce soit légal. La Wikipédia francophone concernant en grande partie des Français (ainsi que des Québécois, Belges, Africains, Suisses, etc.), je pense que les juridictions des publics concernés ont leur mot à dire, et que leurs lois doivent d'appliquer. La jurisprudence n'est pas encore bien établie, mais d'ores et déjà certains décisions judiciaires sont allées dans ce sens. En tous cas, personnellement, je ne suis pas du tout d'accord pour donner mon consentement à ce que ce soit la loi américaine qui s'applique. Bien trop dangereux ! La loi américaine n'est pas assez protectrice ! Sans parler de toutes ces lois liberticides prises à la suite des attentats du 11 septembre, sans grand contre-pouvoir pour contrôler leur mise en oeuvre ! 78.251.246.17 22:55, 4 September 2013 (UTC)

Pourquoi parles-tu uniquement de la Wikipédia francophone ? Il existe plusieurs centaines de projets dans plein de langues, dont les pays pourraient également avoir leur mot à dire. En clair, la fondation ne peut pas suivre toutes les lois du monde et s'arrête donc à celle de son pays. Elfix 07:47, 5 September 2013 (UTC)
Le problème est qu'on a plusieurs centaines de projets dans plein de langues, mais aussi plusieurs centaines de pays qui, que vous le vouliez ou non, sont souverains, ont leurs propres lois, et ont le droit d'avoir leurs propres lois. C'est un fait. Qu'on le veuille ou non. Et la question n'est pas de savoir si la fondation peut suivre toutes les lois du monde, la question est qu'elle DOIT suivre les lois du monde, car ses activités ne s'arrêtent pas aux frontières de son pays mais s'étendent dans le monde entier. Non seulement elle DOIT suivre les lois des pays auxquels ses activités s'étendent, mais pour un pays comme la France ou n'importe quel pays européen, dont les lois sont beaucoup plus protectrices vis-à-vis de la vie privée des citoyens que la loi américaine, c'est même hautement souhaitable. C'est la raison pour laquelle cette clause est mauvaise. Si l'excuse pour laquelle la Fondation explique qu'il faut adopter la loi américaine, même si elle est moins protectrice que celle de notre pays, est que les serveurs sont aux Etats-Unis, dans ce cas rapatrions les serveurs en Europe. Dans tous les cas ce sont les lois les plus protectrices que nous devons respecter, car si nous respectons les lois les plus protectrices, alors nous respectons toutes les lois, y compris les lois américaines ou de tous les pays 78.251.243.204 18:26, 5 September 2013 (UTC)
J'ai fait le point en anglais plus haut, mais c'est la même: toute information que vous soumettez au Wikipedia anglais/françcais/allemand etc. est gardée aux USA, donc votre loi locale ne s'applique probablement pas. Au Canada par exemple, nous avons LPRPDE (PIPEDA en anglais) pour la protection des données et des documents électroniques; toute information qui n'est pas sur un ordinateur canadien n'est pas protégée. Donc, si pour une raison ou un autre, Obama ou le gouvernement américain décide de fouiller dans votre information, tant pis! Toute protection locale s'arrête à la frontière. Vous n'avez qu'à regarder le cas d'Edward Snowden ou de Julien Assange; on peut très facilement vous rendre la vie très difficile s'ils décident que vous êtes l'ennemi des USA... Gare à vous. Caveat emptor. 99.251.24.168 02:24, 6 September 2013 (UTC)
Bonjour 99.251.24.168 et merci de votre réponse :-) J'ai moi aussi répondu plus haut. Je pense au contraire que les lois des pays souverains ont toute chance de s'appliquer. Mais dans le cas que vous décrivez de données canadiennes conservées sur des serveurs américains, les lois américaines s'appliquent AUSSI, et c'est bien normal, les EU sont un pays souverain, comme le Canada. Dans les affaires de ce type, qui concernent plusieurs pays, le droit applicable est toujours un compromis entre les différents droits concernés. Ne croyez pas que seules les lois du pays hébergeant les serveurs s'appliquent. Cave canem ! ;-) 78.251.253.2 11:47, 6 September 2013 (UTC)

Thank you for your comments and my apologies for responding in English. Jurisdiction is a complex issue that is determined based on a case-by-case analysis. Generally, we apply U.S. law, but we are sensitive to European data protection laws. For example, a version of this privacy policy was reviewed by a privacy counsel in Europe to ensure consistency with general principles of data protection.

The important issue for our users' data is our commitment to privacy rather than the general privacy law in the country where the Wikimedia Foundation is based. Our privacy policy generally limits the data collection and use to what is necessary to provide and improve the Wikimedia projects. For example, we commit to never selling user data or using it to sell them products. In other words, the commitments we make in this policy go beyond commitments made by many online sites, including those based in Europe. And we encourage users to focus on and provide feedback about those commitments because the commitments are ultimately what matters for their privacy on the Wikimedia sites.YWelinder (WMF) (talk) 19:36, 7 September 2013 (UTC)

Certes, plus que de savoir si c'est la législation de tel ou tel pays qui s'applique, c'est plutôt les détails des Règles ou Charte de protection des données personnelles de Wikimédia qui nous importent. Cependant, les législations (américaines, européennes) sont des références communes et pratiques offrant une base rassurante, parce qu'elles ne nous sont pas complètement inconnues. Dans cette logique, et pour nous aider à mieux appréhender la Charte, serait-il possible qu'une personne compétente nous fasse un résumé de ce qui diffère entre cette Charte et les législations américaine ou européennes ? Comment la Charte se situe-t-elle par rapport à ces législations ? 85.170.120.230 10:43, 8 September 2013 (UTC)

Localisation des serveurs aux Etats-Unis et loi applicable bis

Je demande le retrait du paragraphe Où se trouve la Fondation et qu’est-ce que ceci implique pour moi ? 78.251.243.204 19:05, 5 September 2013 (UTC)

My apologies for the response in English. If someone would be so kind as to translate this into French, I would be much obliged. Are there any particular reasons that you are requesting removal of that section? Is there any specific language that concerns you? If so, please specify. Mpaulson (WMF) (talk) 22:23, 5 September 2013 (UTC)
Traduction / translation : « Excusez-moi de répondre en anglais. Si quelqu'un avait la gentillesse de tranduire mon message en français, je lui en serai reconnaissant. Y a-t-il des raisons particulières pour que vous demandiez le retrait de cette section ? Y a-t-il une langue spécifique qui vous concerne ? Si tel est le cas, veuillez le préciser. » Jules78120 (talk) 22:37, 5 September 2013 (UTC)
Merci Mpaulson de votre réponse (et merci à Jules78120 pour sa sympathique traduction :-) ). Les raisons particulières qui me poussent à demander le retrait de cette section sont les mêmes que celle déjà développées plus haut dans la section Localisation des serveurs aux Etats-Unis et loi applicable et dans plusieurs autres sections telles par exemple que NSA, FISC, NSL, FISAAA, PRISM... Je me permets juste d'être un peu plus insistant dans ma demande, avec votre permission :-) 78.251.243.204 00:54, 6 September 2013 (UTC)
So, while we as an organization and I personally have some sizable objections to PRISM and many of the actions taken by the US government recently with regards to privacy, removing this section will not actually change the applicability of US law. The Foundation is located in the US, meaning that using our sites leads to the transfer of data to the US, and thus is subject to US law. Mpaulson (WMF) (talk) 01:09, 6 September 2013 (UTC)
Bien sûr que les serveurs sont situés aux EU et que les lois américaines s'appliquent (à ce propos, on devrait peut-être songer à redéménager les serveurs en dehors des EU !). Par contre, je ne suis pas d'accord avec la phrase « Vous consentez également au transfert de vos informations par nous depuis les États-Unis vers d’autres pays qui sont susceptibles d’avoir des lois sur la protection des données différentes ou moins contraignantes que dans votre pays, en lien avec les services qui vous sont fournis. » Je ne suis pas d'accord pour que mes données soient transmises n'importe où, y compris à des entreprises situées dans des pays où les lois autoriseraient n'importe qui à faire n'importe quoi avec. Si nos données sont transmises, elles ne doivent l'être qu'avec la garantie que nos données seront protégées au moins autant que dans notre pays, ou en tous cas au moins autant qu'aux EU. Quelque soit l'entreprise ou le pays vers lesquels sont transmises nos données, on doit s'assurer que la Charte de confidentialité soit garantie. Sinon, on ne transmet pas. La Charte n'établit, je trouve, pas ce point assez clairement (par exemple les paragraphes Si l’organisation est cédée (très peu probable !) et À nos prestataires de services manquent à mon avis de précision) 78.251.253.2 12:36, 6 September 2013 (UTC)
P.S. : EU en français = Etats-Unis = United States = US en anglais ; je m'excuse, j'aurais dû écrire Etats-Unis en toutes lettres :-) 85.170.120.230 01:51, 7 September 2013 (UTC)
Unfortunately, US privacy law is still very much developing and the EU considers the US to have less stringent data protection laws than the US. So using a Wikimedia Site means that, if you are a resident of Europe, your data is being transferred to a country with less stringent data protection laws that your country. There isn't really a way for you to use the Wikimedia Sites without consenting to that kind of transfer unfortunately. But differences in privacy regimes aside, the Wikimedia Foundation seeks to put into place contractual and technological protections with third parties (no matter what country they may be located in) if they are to receive nonpublic user information, to help ensure that their practices meet the standards of the Wikimedia Foundation's privacy policy. Mpaulson (WMF) (talk) 18:59, 6 September 2013 (UTC)
This is not quite correct. If I visit google.com from Italy, I'm asked whether I want to accept a cookie or not, though in USA you are not. Moreover, Google managers were held criminally liable for privacy violation in a meritless case which however ruled that «the jurisdiction of the Italian Courts applies [...] regardless of where the Google servers with the uploaded content are located».[1] --Nemo 19:26, 6 September 2013 (UTC)
What does this mean: "the EU considers the US to have less stringent data protection laws than the US"? PiRSquared17 (talk) 19:27, 6 September 2013 (UTC)
«Special precautions need to be taken when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection.»[2] «The Commission has so far recognized [...] the US Department of Commerce's Safe harbor Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection as providing adequate protection.»[3] «In many respects, the US is a data haven in comparison to international standards. Increasing globalization of US business, evidenced by the Safe Harbor agreement, is driving more thinking about data protection in other countries. Still, political and economic forces make a European style data protection law of general applicability highly unlikely in the near future».[4] WMF is also not in [5], FWIW. --Nemo 19:46, 6 September 2013 (UTC)
Note that we cannot be in the Safe Harbor program, because the Federal Trade Commission does not have jurisdiction over non-profit organizations. (See "Eligibility for Self-Certification" on the Safe Harbor page.) We would likely join if we could. -LVilla (WMF) (talk) 22:47, 17 September 2013 (UTC)
Interesting. I was merely answering PiRSquared17's question, but if the WMF would like to join the self-certification program if only it was possible, why not adhere to those obligations in the policy? It won't trigger the law obligations (and advantages), but WMF is free to voluntarily stick itself to higher standards. --Nemo 14:13, 27 September 2013 (UTC)
Indeed. This is another example of a response we have seen elsewhere on this page, where WMF has argues that as a non-profit it is not required to adhere to certain privacy-related standards. It would of course be possible to adhere to those standards voluntarily, and I think there should be an explicit statement of what consideration if any has been given to such voluntary adherence. Spectral sequence (talk) 17:15, 27 September 2013 (UTC)
@Mpaulson : J'ai l'impression que vous avez mal compris mon abréviation EU, qui signifiait Etats-Unis (d'Amérique). Pardon. Ceci dit, même si les lois américaines sont en effet souvent considérées moins protectrices des données personnelles que les lois européennes, les Règles de protection des données personnelles (Privacy Policy) de Wikimédia peuvent tout à fait garantir un niveau de protection supérieur aux lois américaines. Garantir un niveau de protection inférieur aux lois américaines ne serait pas légal, mais garantir un niveau de protection supérieur aux lois américaines, et même supérieur aux lois européennes ou à d'autres lois, est tout à fait possible et compatible avec le droit américain. Il suffit d'adopter des Règles au moins aussi protectrices que les différentes législations nationales (un plus grand commun dénominateur des différentes législations, donc). Je ne vois pas ce qui nous en empêche. Et il faut bien entendu que tous les prestataires de services s'engagent ensuite à respecter ce niveau de protection (comme déjà stipulé dans le paragraphe À nos prestataires de services) 85.170.120.230 02:22, 7 September 2013 (UTC)
Dans un but de meilleure compréhension, serait-il possible que quelqu'un de compétent nous explique en quoi ces Règles de Confidentialités diffèrent du droit européen ? En quoi elles seraient moins protectrices que celui-ci ? Une explication du genre de celle donnée ci-dessus dans la section What is changing? serait très intéressante ! 85.170.120.230 02:32, 7 September 2013 (UTC)
En particulier, comme évoqué par Nemo, comment se situe la WMF par rapport au cadre juridique Safe Harbor ? 85.170.120.230 12:10, 8 September 2013 (UTC)
Hi Anonymous. Without going into exhaustive detail, the United States as a whole largely has no explicit privacy framework. The Safe Harbor framework is not so much a United States privacy framework as a system where organizations in the United States can agree to maintain minimum levels of protection similar to that provided in the European Union. This is a particularly helpful system for large companies that tend to have a big physical presence in Europe (and therefore are definitely subject to European laws) and have the need to send massive amounts of personal information between the United States and the European Union. As LVilla mentioned earlier, even if we had the resources available to meet the exact standards required to participate in the Safe Harbor program, we are not eligible because the FTC (who enforces the program) does not have jurisdiction over WMF because it's a non-profit. In the United States, there are federal (i.e. national) laws that may touch on privacy, such as those protecting children, but even those may not apply to every organization or every situation. There are also state laws that address specific aspects of privacy, but those vary from state-to-state and also tend to only address specific scenarios. California is amongst the most protective, but still does not come anywhere the regulatory framework that the European Union has.
One way organizations in the United States have attempted to provide higher standards is through their commitments to do so in their privacy policies. This is what we are doing here with our privacy policy. This draft is meant to explain the minimum levels of protections we can guarantee at this point in the organization's evolution. We are striving to provide greater protections as we learn and grow (and it should be noted that nothing in this or any privacy policy draft we will ever have will prevent us from providing greater protections than outlined in the policy). Mpaulson (WMF) (talk) 18:14, 27 September 2013 (UTC)

Closing off, stale. Will archive in 24-48 hours, a new section is probably best if further questions. Jalexander--WMF 22:15, 6 November 2013 (UTC)

Actually I think this is perfect. Comment by Spectral sequence 17:15, 27 September 2013 (UTC) has not been addressed (yes, we know this is legal in USA; would it be legal in EU? not hard to understand the question). LVilla said above "We would likely join if we could", so let's pretend that you can: what would it entail? --Nemo 22:42, 6 November 2013 (UTC)
By the way, Restoring Trust in EU-US data flows - Frequently Asked Questions (European Commission - MEMO/13/1059 27/11/2013). --Nemo 09:13, 2 December 2013 (UTC)
Hello Nemo, thanks for this link. We are in the process of researching and preparing a response to address Spectral sequence's questions. Stephen LaPorte (WMF) (talk) 20:06, 9 December 2013 (UTC)

The language tends to be condescending

The following discussion is closed: close, looks like the discussion is finished/stale and with a fair bit of changes (jokes removed etc) will archive in a couple days unless reopened. Jalexander--WMF 22:35, 9 December 2013 (UTC)

Really! Truly! I know you don't mean to sound like you are talking down to us, but gosh, I feel like everyone at the Foundation just wants to give us happy smiles & hugs & wishes us all unicorn farts. Not only does it sounds creepy, yo ulose all credibility.

First, I want to know if this warm-&-fuzzy language accurately reflects what the policy is. And some passages don't give me a warm & fuzzy feeling that it does.

Second, it is possible to explain things in plain English without sounding like a demented variant of a Cub Scout Den Leader. Take, for example the section "Account Information & registration". (Was the person who wrote that high on antidepressants?) Everything in that section could be explained quite simply & maturely as follows:

You are not required to create an account to read or contribute to a Wikimedia Site. However, if you contribute without signing in, your contribution will be publicly attributed to the IP address associated with your device. If you want to create a standard account, we do not require you to submit any personal information to do so. All that is required is a username and a password. We do not ask for a legal name or date of birth, nor an email address, and definitely not for credit card information; we consider that information unnecessary to contribute to Wikipedia. There are rules and considerations regarding a username, so please think carefully before you use your real name as your username. Your password is only used to verify that the account is yours.

Notice how more mature this paragraph reads? Yet most of the language is what currently appears on the front page; all I did was take out the fluff. And there is a lot more fluff in this policy statement that needs to come out before the final draft. -- Llywrch (talk) 18:34, 4 September 2013 (UTC)

Really agree with this approach. Wikipedia has a varied usership. We need to communicate clearly for the benefit of everyone. Without the unnecessary fluff. Although some readers may like it, others will find it a distraction. It is unsuited to the serious character of the subject matter. To some people it could appear alienating. MistyMorn (talk) 15:02, 19 September 2013 (UTC)
OK, given the feedback, we will be taking out the jokes (and have already retired Rory). Thanks. Geoffbrigham (talk) 22:23, 15 November 2013 (UTC)

A bit painful

With due respect, some of the phrasing is pretty cringe-worthy.

"Some features we offer are way cooler to use if we know what area you are in."

"If you choose to help us make the Wikimedia Sites better by participating in an optional survey or providing feedback, we think you are awesome."

"We also recognize that some of you know the ins and outs of tracking pixels while others associate the term “cookie” exclusively with the chocolate variety."

Such attempts to be chatty have no place in such a document, in my opinion. 86.169.185.183 21:02, 4 September 2013 (UTC)

Mostly, I'd be interested in tasting a cookie which is a chocolate variety (in Italian, saying that "cioccolato" is "biscotto" is a lexical and etymological absurd). Do such things really exist in USA? We may need a food culture table conversion for such weirdnesses in the text. --Nemo 21:47, 4 September 2013 (UTC)
You will be assimilated. Resistance is futile... We are Wikiborg.Oaktree b (talk) 22:23, 4 September 2013 (UTC)
  • Please remove (Introduction): "As important as eating your greens."{{cringe}}
tl;dr version: While appreciating the aims of this work, and especially the need for a plain-English guide (as prefigured in the summary box), I wish I could be more positive about the style in which the main body of the page is currently couched. Sorry to have to say this, but I find the "cuddly" tone both unfunny and patronizing—a disincentive to reading, and therefore ultimately to my understanding of the content. Unlike with orechiette ai broccoli [6], I find the many privacy policies we're all dutifully expected to ingest across the internet a nerve-jangling annoyance. As others have observed, a "cuddly" style of writing does not sweeten the pill here, or help readers scan the page efficiently to assimilate pertinent information. In brief, I feel the document could usefully be redrafted without the cuddly bits. MistyMorn (talk) 19:07, 17 September 2013 (UTC)
OK - light of the above feedback, we will be removing the jokes. Thanks. Geoffbrigham (talk) 22:25, 15 November 2013 (UTC)

Informal tone

I'm wondering why the WMF has decided to use a very informal tone in this new draft. Is it intended to make the policy appeal to a younger audience? I have nothing against the occasional use of "cool", "awesome", or similar words, but I don't understand why they should be in what is essentially a legal document. @Jalexander: any comment? PiRSquared17 (talk) 21:59, 4 September 2013 (UTC)

I also think it's okay to have a bit of fun and have some in-jokes in internal Wikimedia pages, but it might hurt the WMF's reputation if added to such an important, highly visible document. However, I trust the authors of the document. PiRSquared17 (talk) 22:01, 4 September 2013 (UTC)
Also informal text can have official character. ;) The intention was obviously to make the text comprehensible also for non-Legalese native speakers. ^^ --თოგო (D) 22:36, 4 September 2013 (UTC)
I'm happy that it is more comprehensible and written in Simple/Plain English, but that does not mean we should have text like "[...]we think you are awesome". I'm not explicitly against this kind of informal tone, but I'm afraid that readers may get a bad impression of Wikimedia. It might make WP seem like a website run by "cool kids". ;) PiRSquared17 (talk) 22:41, 4 September 2013 (UTC)
I obviously appreciate your feedback on this and will make sure the lawyers know too (we're keeping track of what people say on both a spreadsheet and I sit very close to Michelle who is the main one in charge of coordinating it) and I think it's something to hear about from others as well to gauge how it comes across. From a personal opinion side though I disagree, I think simple/plain english is one thing (and for legal document incredibly tough) it can't be the only piece. The formal 'voice' and tone are one of the big things that turns people away from reading long documents like this and absorbing the information given. I think the informal tone keeps it flowing and makes it much easier to completely read. In the end I would prefer for people to think we're a bit of a 'silly bunch of people' (which, let's be fair, they already think since we write an online encyclopedia for fun) then for them not to read what is quite a lot of text but is very important in this internet day and age when they give up large amounts of information without even knowing it. Jalexander (talk) 23:46, 4 September 2013 (UTC)
I disagree with this, as I mentioned above. The insertion of inappropriate words such as "cool" and "awesome" does not make the document more readable, it just makes it look self-conscious and a bit ridiculous. 86.169.185.183 00:16, 5 September 2013 (UTC)
Sigh. Did you bother to read my revision of one paragraph of this document? It is informal but dignified. No one will respect a document that is written by a bunch of airhead PR flacks who sound as if they are giggling as they writing--which is the voice this document currently has. And I hope & assume no one working at the Foundation wants to be thought of as an airhead PR flack.--Llywrch (talk) 02:57, 5 September 2013 (UTC)
Honestly, at the time not yet, but I did later and have it on a list for people to look at. I was answering here because @PiRSquared17: specifically pinged me and I wanted to respond to him directly. I actually think I misread initially though and came across as harsher then I felt (too many things at once I guess). I want to find the right balance, and am not completely sure where it is yet. I didn't write the policy and I have my own thoughts but I'm not yet sure exactly what is best. I just wanted to characterize the thought process and some of my own thoughts (about trying to find ways to keep them reading and help them understand). Jalexander (talk) 08:14, 5 September 2013 (UTC)

I thought the exact same thing as PirSquared17 and I disagree with "The formal 'voice' and tone are one of the big things that turns people away from reading long documents like this and absorbing the information given. I think the informal tone keeps it flowing and makes it much easier to completely read." In fact the informal tone distracts from the information given and let the reader thinks that the information is not important since it's presented in a "funny" way, we "unconsciously" think that it must be a joke or something alike. I don't mean the text should be full of legalese stuff and I agree that it should be written in plain/simple English, but the "informal tone" does the same as the "legalese and complicated tone" for non-Native English speakers, it makes the text harder to understand (and let be honest such text won't be translated in all languages so, yes, a lot of non-Native English speakers will have to read it in English). Amqui (talk) 02:48, 5 September 2013 (UTC)

The informal tone doesn't bother me much. The document is still pure egregious legalese (i.e. designed to give headaches), see all the instances of "A, BUT! X, Y, W, Z, ..." so that in the end you read three times as much and don't remember what you are agreeing to, being more exceptions than rules, and the WMF is fully protected from users.
You make a good point, however, that the draft text is three times as long as the current wmf:Privacy policy (49 KB vs. 16 KB counting only the text included in the page directly) and it's full of long digressions. Perhaps, per TTO in #Some notes, the digressions and other accessory text may be moved to speech bubbles coming out of Rory, so that both translators and readers can more easily prioritise how they consume the document. --Nemo 06:03, 5 September 2013 (UTC)

I've changed my mind about this. Maybe it is better for people to think we're silly than to avoid reading the policy, as James said. If it actually gets people to read through it, and it doesn't detract attention from the actual content, then it's fine. PiRSquared17 (talk) 01:15, 6 September 2013 (UTC)

Most people will still not read it just because of the length, no matter if you put smiling tigers beside each section or not. So why bother the actual people who will read it with fluff that they don't care about, because, let be honest, the vast majority of the people who will take the time to read the Privacy policy are not the casual readers. Amqui (talk) 03:51, 6 September 2013 (UTC)
Agreed. Let the document's organization, flow and use of examples carry the day. Informality works for fiction, but this document is characterless nonfiction by design. Overall, I'm impressed with the draft. The informal asides are well-intentioned clutter. Even proficient English speakers may pause when reading "coolness." Did they miss something? Was there a redesign? What's being communicated? That said, these are issues that can be hammered out in later drafts after the substantive issues have been deliberated.--Knowlengr (talk) 03:12, 8 September 2013 (UTC)

Good point about the translator, informal tone like that is also harder to translate easily and directly than direct and plain formal English, and since we rely on volunteer translators, that's a point to keep in mind. Amqui (talk) 03:43, 6 September 2013 (UTC)

I do not understand what the informal child friendly tone of the policy is seeking. When I read the proposed policy I'm reading a tutorial of treatment of data, not really a policy. A privacy policy is a document that establishes clauses of what the web site will do or will not do with the data that can identify the user. Privacy terms are released not with the purpose to teach to the visitor what is the purpose of the Wikimedia Foundation, or what is a cookie or why the web site collects data (although, sometimes is necessary explain it), these terms are a declaration of the host about what it will do or not with your data, I mean, because the host decides treat the data as he want. If WMF establishes that will be public the IP and location of the visitor then, the IP and location will be public (for example). Each web site could treat the data in different ways, and it is the reason because each web site have to give to you it's own privacy policy. I see that is a tendency in websites to make the privacy policy more "friendly", but actually, a list of bullets about what the site will do or will not do is the easiest and simplest form to do that. For example "WMF will recollect cookies with the purpose…", "WMF will not give your data to third parties…" and so on. Moreover, privacy policy is the kind of document in that I do not want to expend much time to read, in that sense, proposed policy is a whole treaty. And, in addition, is not the kind of document that needs a mascot (seriously, what the policy writers were thinking when decided that to include Rory in the policy was a good idea?). In other hand, the policy terms should not treat you as if you were ignorant of everything. For example that line "Because everyone (not just lawyers) should be able to easily understand how and why their information is collected and used, we use common language instead of more formal terms" can be changed to this "Some terms that will be used in this policy must be understood with the following meanings". Finally, I expect a simple, short and formal text about privacy policy, if you want to keep the current text as a tutorial named WMF privacy policy for dummies, I agree with that, but I think an informal redaction should be an auxiliary, not the main document. --SirWalter (talk) 05:53, 6 September 2013 (UTC)

The issues at hand here, even though I may sound harsh, are as such:
  • There appears to be a substantive and justifiable dislike for this cuddly, overly verbose presentation of the 'Privacy policy'. To be honest, I've never read the privacy policy prior this as I haven't had cause to concern myself with it, only having drawn on various supplementary material available here for Wikipedia & having cleaned up some conflicting and confusing information surrounding relevant media. I was completely taken aback by what I saw when I finally found a moment to respond to the call for comment on the 'new' policy entry. In as much as it may seem desirable to be welcoming & reconstructing the 'legalese', it is a legal document and should aim to be as succinct as possible.
  • That which may be deemed to be a sweet & welcoming page by the administrators/editors here in actuality presents as being the antithesis. It is duplicitous to make serious policy appear so innocuous and cutesy that it may as well say, "What the heck, you don't need to read this because it's obviously all about goodness and niceness." Condescension is not valuable as the Privacy policy is serious matter. Even if there are young contributors here, the deployment of 'plain speak' requires serious deconstruction & explanation in concrete terms. If this presentation is considered to be a clever method of avoiding scaring younger users/contributors away, it is abundantly clear that those who chose the methodology have no grounding in behavioural psychology and are making uninformed assumptions in feeding people swathes of reconstituted pap.
  • Note, also, that at some point, younger users/contributors are going to have to familiarise themselves with 'legalese'. For their sake, it is preferable that they become acquainted with it before they turn 30. By all means, present the salient points of the policy informally as collapsible 'plain speak' auxiliary information, but most of us probably don't want to wade through 'cute'. At a glance is undoubtedly far more useful and desirable. --Iryna Harpy (talk) 05:59, 8 September 2013 (UTC)
OK, in light of the feedback, we will revisit some of the language mentioned here. Thanks. Geoffbrigham (talk) 22:27, 15 November 2013 (UTC)

Oatmeal vs. Dora the explorer

I saw feedback to the whole illustration and mascot theme is solicited above. I wanted to point out the subtle difference being lost here. Illustrations don't necessarily have to be dumbed down, or be intended for an immature audience. The whole mascot theme, terminology and tone being employed doesn't fit well together. I'm not commenting on the quality of the artwork or the character work for the record, both of which seem fine and probably took a lot of time and effort. It's really hard to cater to an adult audience through this medium but it's not new either - twitter fail whale, firefox fox, google's android etc. all have used their mascots and used them well - I think this could be done better (if this route is going to be taken). But to do that - start by aiming for oatmeal, not Dora or Disney. Regards. Theo10011 (talk) 22:33, 4 September 2013 (UTC)

Unfortunately, Wikimedia wikis don't have a mascot. --MZMcBride (talk) 14:48, 14 September 2013 (UTC)
Thanks for the feedback. We have retired Rory, as explained below. Cheers. Geoffbrigham (talk) 12:38, 18 September 2013 (UTC)

Why a tiger?

Why does the banner for the new privacy policy include a drawing of a tiger? We're not children. --Cryptic C62 (talk) 02:52, 5 September 2013 (UTC)

I don't work for the WMF, so I can't explain why they chose to use the tiger, but here's some sort of explanation: The WMF has a stuffed animal tiger in their offices called wmf:Rory. The usage of Rory illustrations has been discussed above, in other sections. PiRSquared17 (talk) 02:55, 5 September 2013 (UTC)
As someone who believes that tigers are the work of Satan, I'd add that we're not Satanists. –76.108.183.43 03:30, 10 September 2013 (UTC)
Was this sarcastic? --MZMcBride (talk) 14:50, 14 September 2013 (UTC)
Please see below discussion where we have retired Rory. For the record, it was not because I found Rory satanic.  :) Geoffbrigham (talk) 12:37, 18 September 2013 (UTC)

Offputting for adult readers

The policy reads as if aimed at schoolchildren, with the cuddly tiger, "way cooler", "eat your greens", "evil wizard", "You're still awesome" (or "... brilliant" in GB english version). It is possible to write clear English in a neutral, adult, way: see The Plain English Campaign and its guides if you need help. The Privacy Policy is an important document and should be written in a clear and serious tone, not as if it's written by teenagers for children. We are trying to recruit new subject-expert editors, with the introduction of Visual Editor: if a high-power professor reads this proposed text, offered as the Privacy Policy, they are unlikely to take Wikipedia seriously enough to want to contribute their time and expertise. PamD (talk) 07:55, 5 September 2013 (UTC)

Thanks for the link, I'm adding it to Writing clearly. --Nemo 11:42, 5 September 2013 (UTC)
Thanks for all the above comments. To be honest, from my personal viewpoint, I'm actually OK with this, and I'm known as a pretty stuffy and formal lawyer.  :) Our challenge is to explain a complicated topic to everyone, including casual readers of our projects. As I note above, we are repeatedly told that few ever read privacy policies, those who start often don't finish, and when they do, they often misunderstand them. For that reason, we have tried a few ideas, like the user-friendly summary at the beginning of the policy, plainer English (with no doubt a few exceptions), more transparent and hopefully easier-to-understand explanations in the text, and, yes, humor. In my humble opinion, I like it. To my ear, it is not condescending but is respectful, underscoring that we expect the reader to read the policy and we are making efforts to help them enjoy it. For me, humor helps get through dry material. My take on the proposed rewrite above it that it is fine, but I honestly like the version in the draft privacy policy better: it helps explain better in plain terms where we are going, and it may actually help people remember themes in the document. We did have non lawyers read through various drafts. Their ongoing feedback pointed us in this direction. I definitely respect the opinion of those who disagree with me, and, of course, during the 4-month consultation period, we will be listening closely on this issue. In any case, I really appreciate all of you reading and responding ... quite helpful in thinking through this topic. Many thanks. Geoffbrigham (talk) 14:14, 5 September 2013 (UTC)
"We are repeatedly told that few ever read privacy policies, those who start often don't finish, and when they do, they often misunderstand them. For that reason, we have tried a few ideas, like the user-friendly summary at the beginning of the policy, plainer English (with no doubt a few exceptions), more transparent and hopefully easier-to-understand explanations in the text, and, yes, humor.": +1 Ocaasi (talk) 18:19, 5 September 2013 (UTC)
That's not humor, that's an embarrassment. You should target the common average of users(german: Schnittmenge), and not only a specific group. But I'm used to such nonesense in wikipedia. Most of the editors suffer from brain damage or mental retardation I think, so no suprise. Whatever, good luck. Greets--82.113.121.77 22:14, 5 September 2013 (UTC)
Don't you guys just love it when someone pops in, offers no help, is a jerk, and then promptly leaves? Unfortunately, he forgot to create an account which means his IP address is open for everyone to see! ; ) As for this new policy, I actually like the cuddly tiger (though some of the words are a tad cringe-worthy) and seriously wonder why some people worry about wikipedia "not being taken seriously" when it is already leagues above everything else on the web. BallroomBlitzkriegBebop (talk) 17:38, 6 September 2013 (UTC)
The policy in itself my read as if it is aimed at schoolchildren at first glance but it seems as though it is a combination of something everyone can deal with. The "adult readers" who visit Wikipedia and contribute should know that Wikipedia may be edited by anyone and thus, teenagers and even children may contribute. Wikipedia already has made a name for itself being the project that it is. I do not know anyone who doesn't take Wikipedia as a site seriously. I know of a few examples where when writing essays for a project, a teacher may have desired better references or more references than just Wikipedia but that was on the basis that Wikipedia may be edited by anyone. Everyone has to compromise and as Geoffbrigham brought out, it is because the challenge is to explain a complicated topic to everyone. Even the suggestion of "you should target the common average of users" brought out by 82.113.121.77 is in itself, targeting a specific group. From what I've seen of the Privacy Policy (which is very little), I like how it is presented. Koi Sekirei (talk) 17:38, 8 September 2013 (UTC)
I have read the policy, in part indeed to test its readability, and I have to say that some of the language used led me to misunderstand it. Being fairly experienced with most things internet and a bit with legalese, I later realized that I still missed many of the points later brought on by editors on this talk page. If anything, the reason for these misunderstandings was the overly narrative, embellished and long-winded style of writing. It glosses over important points, handwaves issues away, and buries the points it does address between explanations of completely non-privacy-related wiki elements and entire paragraphs of filler delivering no information at all.
This document spends a lot more words and does a much better job of convincing a casual reader that it's an awesome policy than of telling him what the policy actually is. I understand that you've tested it for ease of reading and positive reaction. But did these tests include "reading comprehension" question checks - whether most readers actually got an understanding of various aspects of the policy in the end? CP\M (talk) 08:33, 10 September 2013 (UTC)
An excellent point, CP\M. If this were being treated as a serious pedagogical issue (which it purports to be), the most important part of the process of adopting it would be to test whether it meets its objective, being that of genuine comprehension. Has there been a component for testing comprehension of the policy built into the feedback? --Iryna Harpy (talk) 22:14, 10 September 2013 (UTC)
I agree with all exposed by Iryna Harpy at this point. Basically, if the objective of the new draft is not purely legalistic, not only the legal counsel team of the WMF had to write the draft. Some experts or professionals in translate legal documents in simple terms and, considering the worldwide scope of Wikimedia projects, professionals in languages had to participate in the writing of the draft, (see the exposed by Sir48 below). At this point, counselors sustain that the tone and language of the proposed policy is amazing because they proposed it, they not give reasons neither arguments that sustain how the draft becomes in a master piece. Moreover, nobody proposed the change to informal tone, by contrast, is a legal counselor whom states that they want "to avoid legalese as much as possible" (at all, could add). That looks like a whim from the legal council, not a request from the community. Impose the not well known mascot for the legal office may be a proof of this.--SirWalter (talk) 01:37, 11 September 2013 (UTC)

┌─────────────────────────────────┘
I believe that SirWalter has driven home some excellent points regarding how this has evolved (or devolved) into this proposal. The proposal, as I understand it, was that the 2008 privacy policy was in need of updating to reflect changes in technology and that, somehow, it was identified as being desirable to present the legalese using more 'user friendly' terminology.

The structure of the current policy document doesn't seem to have come into the equation until (I can only assume) the legal department, in collaboration with other unknown parties(?), identified some sort of problems with what appears to be a perfectly serviceable model for presentation which they deemed could be redressed by inserting cuddly mascots and a desperate lack of concise information. Updating the contents of the policy and aiming to make it more accessible by the use of simplified/lay English is something I can understand. What I fail to be able to comprehend is how, when, where, who, what and why was simplified English and 'user-friendly' transmogrified into cuddly mascots?

It's difficult not to come to the conclusion that the legal office are completely stumped and have intentionally thrown a cutesy mess at the community for comment in order to conceal a lack of imagination or desire to put some serious work into a genuinely well thought out proposal & are simply waiting for the blanks to be filled in by the community who are promptly picking up on areas that need to be expanded, elaborated on, qualified and clarified.

I'd suggest that there are enough queries about the proposed new 'structure' to merit a reasonable explanation as to why we should accept that mascots are 'user-friendly' and how this will assist in the reading of the document. For all the noises about how certain individuals have felt it to be less intimidating and having encouraged them to read the policy (which of the condensed one-liners in particular were found to be 'friendlier'?), how familiar were they with the complex issues deciphered(?) by the end of their cheerful read. I'm sceptical about being being herded into taking a leap of faith because a few people have claimed the matter to be so, therefore propose that some empirical data be presented to back up claims that it is a genuinely effective strategy, i.e. a little background into, "We did have non lawyers read through various drafts. Their ongoing feedback pointed us in this direction." Who were the 'non lawyers' and what were the qualifications of those interpreting this 'ongoing feedback'?. --Iryna Harpy (talk) 05:39, 11 September 2013 (UTC)

Sry I've(of course) meant: The average human, and not the average wikipedia user(who are nerds and geeks anyway). Of course you have to target some groups of people, and that should be the group of attributes of groups which all groups have in common(or something, you know what I mean). Does the language have to be childish to explain it better? Hell no ! Will the probality increase that some serious person are scared off of it? Maybe. Will it attract more younger people? If you look how many "children"(not the adult ones who behave like ones here) wikipedia use then I think, no. Greets--82.113.122.164 21:40, 11 September 2013 (UTC)

Thanks to everyone for their comments (under this section and others). I really appreciate people taking the time to read the document and giving us your frank feedback.

Just above I shared some thoughts on this topic for consideration. To state it a little differently here, in the legal department, we have reflected quite a bit about tone as we took this draft through multiple versions, testing them out informally. What we heard was that non-lawyers (who were adults and well educated) preferred this less legalistic tone, including some limited insertions of humor. IMHO, this approach shows an effort to help the reader understand the document and demonstrates our expectation (and respect) that the reader will read it. As I say elsewhere, most Wikimedians are fine with formal language expressing complicated concepts. Indeed, I love the fact that our community is made up of wiki-lawyers who have a strong interest in legal issues and the formalities that naturally follow that interest. That said, many of our users to whom this policy applies are readers from different backgrounds. I feel we need to use tools to encourage all types of people to read the policy throughout and to the end – like the user-friendly summary; like plainer, less formal English; like icons and maybe other visuals; and like humor.

And, to be honest, it also works for me. I enjoy reading the draft privacy policy more because of the tone and humor. I also like what it says: we think it is unreasonable to put dense legal documents before readers without helping them understand the document and enjoy the experience. As I noted above, I think the above rewrite of one paragraph by Llywrch is fine, but, in my personal opinion, I frankly like the version in the draft privacy policy more: the first line of text helps the reader understand where the discussion is going in a simple non-legalistic way. I do appreciate Llywrch’s efforts in illustrating his point, however.

We talk about the use of illustrations elsewhere, but one idea I like out of this conversation is the concept of using bullet points, maybe in the margins to summarize certain critical themes. The community will decide on the mascot idea, but simplified bullet points - such as proposed by Theo above - may be another way of addressing this. I know that is not exactly what you are proposing SirWalter, but the idea is related. I think both of you have good arguments there.

Now I say all this with the understanding that we are in a 4-month consultation period, and we are listening to your views on this. So far, there are some who have commented positively on the language and approach, but I definitely respect the contrary point of view. I’m seeing some points more clearly based on our exchange. For example, it resonates with me when people say some humor doesn't translate well into other languages. And there are no doubt some sentences that we will want to rewrite based on community feedback. Overall, I’m fine with the tone; I even like it, and, personally, I would like to keep it. But, if some specific language really strikes the community as wrong, we will change it, obviously.

Thanks again for taking the time to read this draft and to share your comments. We know people are busy and have other priorities, so we really appreciate it. Geoffbrigham (talk) 07:45, 6 September 2013 (UTC)

I have three comments about this:
  • Guys, fun is ok, but the Wikimedia projects are not the place to it. Wikimedia is a serious web site, not serious in the sense of a drill instructor, but in the meaning of trusty and accurate information. I think everybody, regardless of age, nationality or educational level can understand that the legal issues are serious issues. If you want to get fun, go to the Encyclopedia Dramatica, paradoxically, their privacy policy is better than the draft that you are proposing.
  • Wikimedia projects are not the sort of websites that intensively recollect personal information or get profit with it. Most of the data recollected is result of the way in that internet servers work. I do not understand why a simple upgrade in the policy becomes in a complete senseless renovation.
  • Privacy policy is a legal text with legal consequences. With your "cool" way to redact it, you are introducing ambiguity in the terms. And the ambiguity in a written contract will be construed against the drafter. If you want to fight in a trial in that somebody felt offended because thinks that he/she looks great in his eight year old picture or, because somebody interprets the "evil wizard" in an inconvenient sense, you are in the right way. By the way, I find, more than 40 paragraphs since the beginning of the policy text, the statement that "if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"; of course, is well known that you have to put the Important Info at the end of a legal text.
At the end, you are more involved in the project, and you will carry with the consequences of all this. --SirWalter (talk) 19:02, 6 September 2013 (UTC)
I take your point quick seriously, SirWalker. I thought about this lots before the rollout. I came to the Wikimedia Foundation from a for-profit major internet company. I think many saw me as quite formalistic as a lawyer.  :) So I get what you are saying. Yet, after seeing similar examples elsewhere, I have come around to the position that a less legalistic style and humor can be helpful in facilitating understanding, especially when you are addressing a diverse community. I don't think it would be appropriate for me to comment on the quality of others’ privacy policies, but I will say that our site has unusual and complicated issues in a collaborative community that need to be addressed in an understandable way in our privacy policy - a need that is not really satisfied with a policy made up of short bullet points. (That said, I do like the idea of using bullet points in the margins to summarize major themes, if the community wants that format.) Also I firmly believe in honest transparency with our community. This means we need to explain in plain English how we collect and employ user information, and I think this draft does a better job in that respect, though it takes words to do that. I think you are right to be concerned about ambiguity in any contract, but I would respectfully disagree that this causes any real legal risk; to be frank, if I thought it did, I would strike it. I hear your point about changing the placement of the highlighted sentence ("if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"); I have no objection moving it towards the front of the document (like the Introduction) or putting the concept in as a bullet point in the user-friendly summary if the community supports that view. Other detailed reasons for the rewrite are set out above under the opening template on this talk page, explaining the need for this new draft. I say we watch the community feedback. I’m seeing support for our approach, but I am also hearing the words of caution. During the course of the consultation, we may well make modifications that address some of your concerns. I know that we may disagree on some points, but I want to reemphasize how much I appreciate your reading the document and raising these points. It does help everyone as we work towards the right final draft for the community. Geoffbrigham (talk) 07:50, 7 September 2013 (UTC)
There is a difference between plain English and childishness. At this moment, the draft reads as if it's trying to appeal to the reader, explain itself to him, and at times almost butter him up, rather than to inform him. I agree with others in thinking it should neither trivialize serious privacy matters nor put its own appeal ahead of its informative value.
For instance, this entire paragraph - Wikimedia Sites are collaborative, with users writing most of the policies and selecting from amongst themselves people to hold certain administrative rights. These rights may include access to limited amounts of otherwise nonpublic information about recent contributions and activity by other users. They use this access to help protect against vandalism and abuse, fight harassment of other users, and generally try to minimize disruptive behavior on the Wikimedia Sites. - has almost nothing to do with privacy and engages instead in broad overview and advertisement of Wikimedia's self-management policies.
I don't believe that such long-winded digressions are consistent with the first stated principle: Be clear and concise in language. CP\M (talk) 13:03, 9 September 2013 (UTC)
  • The issue is the difference between the expression of the policy and the presentation of the policy. The policy is what drives, guides or constrains the behaviour of the WMF and as such will have formal expression in a working business document written in a formal style suitable for use in decision-making. In a real sense that document is the policy. The presentation of the policy is how the policy as enshrined in the formal expression is communicated to audiences who need to understand it: those audiences might be, for example, junior WMF staff, new contributors to WMF projects, experienced contributors, technically-expert readers of WMF material, or editors with enhanced rights. Those presentations might, and probably do, need to be different for the different audiences. What we have here is a one-size-fits-all version which is attempting to be all of those things at once.
I believe that the formal policy should be exposed for discussion by and the use of all the stakeholder groups. We can take it. There is no need to patronise us with cute furry animals and little pats on the head. The more cutesy version can be published as well and it may indeed be helpful for some readers, or not. I really find it hard to believe that round the WMF boardroom table, when trying to decide on whether a proposed strategic direction is consistent with the privacy policy, the assembled trustees, director or senior executives will be helped by wading through wording that tells them that their users are "great", or that their use of the site is "cool", or that the policy is "as important as eating their greens", or that a picture of Tony the Tiger will help them take the right decision. If they don't need that stuff, we don;t need it either. Spectral sequence (talk) 16:16, 14 September 2013 (UTC)
Thanks for the feedback. As an update, we are retiring the image of Rory from the privacy policy, per this discussion. Cheers. Geoffbrigham (talk) 11:35, 18 September 2013 (UTC)
So is removing the image sufficient to resolve the difference between the formal policy -- which we now understand is intended to be legally binding on both WMF and users -- and its explanation? I think that it does not.
I remain genuinely concerned about what I (and, I believe, others) perceive as a patronizing ("condescending") tone in some of the content ("fluff"). It's not just a question of formality. To me, the sentence about "eating your greens" is emblematic of this issue about how Wikipedia presents both itself and its privacy policy. I may have missed something, but I have yet to see a response to this live concern. MistyMorn (talk) 20:25, 26 September 2013 (UTC)
In my opinion, the tone of the document is fine. I think the biggest pushback from the community is Rory (who we are retiring with tears in his eyes) and the jokes. If people don't like specific jokes, we can take those out. However, I'm seeing a mixed response in the feedback to be honest. Geoffbrigham (talk) 22:28, 1 November 2013 (UTC)
One obvious explanation for a "mixed feedback" to the jokes is that the sort of readers they were conceived for are more likely to appreciate them, whereas others probably won't. I believe Wikipedia should 'belong' to everyone, and that use of the most universally acceptable style possible should be a key consideration when drafting an explanatory document that is intended to be as open as possible to the entire usership. Simple plain English should be the stylistic touchstone here imo. Regards, —MistyMorn (talk) 15:05, 10 November 2013 (UTC)
OK, we will take out all the jokes. It will take us a few days to do that. Thanks. Geoffbrigham (talk) 21:27, 15 November 2013 (UTC)
Thanks for your patience, —MistyMorn (talk) 10:40, 17 November 2013 (UTC)

┌─────────────────────────────────┘
The "joke" about eating your greens is still there and has now been approved for translation. —MistyMorn (talk) 14:00, 25 November 2013 (UTC)

Collection of "unique device identification numbers"

MOVED FROM WIKIPEDIA VILLAGE PUMP

Hi, at http://meta.wikimedia.org/wiki/Privacy_policy/BannerTestA, it says:

Because of how browsers work and similar to other major websites, we receive some information automatically when you visit the Wikimedia Sites. This information includes the type of device you are using (possibly including unique device identification numbers), the type and version of your browser, your browser’s language preference, the type and version of your device’s operating system, in some cases the name of your internet service provider or mobile carrier, the website that referred you to the Wikimedia Sites and the website you exited the Wikimedia Sites from, which pages you request and visit, and the date and time of each request you make to the Wikimedia Sites.

What sort of "unique device identification numbers" is it referring to? I thought browsers didn't provide that information. 86.169.185.183 (talk) 17:40, 4 September 2013 (UTC)

Looking at similar privacy policies, it looks like this may refer to mobile devices: "AFID, Android ID, IMEI, UDID". --  Gadget850 talk 17:45, 4 September 2013 (UTC)
You mean that when you access a website through a browser on an Android device the website can collect a unique device ID? Is that really correct? (I can believe it for general apps, where, presumably the app can do "anything" within permissions, but I didn't think there was any such browser-website mechanism). 86.169.185.183 (talk) 18:58, 4 September 2013 (UTC)
I think this question is more appropriate for the Talk page discussion on the privacy policy draft. Steven Walling (WMF) • talk 20:31, 4 September 2013 (UTC)

I see that this information is "receive[d] [...] automatically". That doesn't necessarily mean this information needs to be collected and stored. Personally I am fine with this information being temporarily handled in a volatile location in order to cater to the display needs of each individual device. I do not however, believe that this information should be stored or used for any other means. Participation in this data-mining should be off by default. WMF would of course be free to nag users into opting in. Because this is a _free_ encyclopedia, users should be _free_ to at least view it in the way they want, without having all their habits and device details harvested non-consensually. Contributions? Edits? Sure, take all you want. There's an implicit agreement to such data-mining when a user submits an edit. But there isn't one from just viewing a page. --129.107.225.212 16:59, 5 September 2013 (UTC)

Thanks, but that is not really relevant to my question (not sure if it was supposed to be), My question is whether it is technically possible for a website to obtain "unique device identification numbers" from a web browser. The text implies that it is; previously I believed it wasn't. I am hoping that someone will be able to answer the question. 86.167.19.217 17:27, 5 September 2013 (UTC)
You are correct in stating that browsers are sandboxed from retrieving this type of information. However, our mobile apps and our mobile app deployment infrastructure may utilize "unique device identification numbers" to identify mobile devices (such as a device tokens, device unique user agents, or potentially UDIDs). Our mobile apps may need this ID for certain functionality, such as sending push notifications or delivering test deployments. Thanks, Stephen LaPorte (WMF) (talk) 17:11, 6 September 2013 (UTC)
I think we have no intention of accessing or recording device UDID, IMEI number, or anything else like that. (It's also getting increasingly hard for apps to get access to those, as the OS vendors don't like creepy apps either.) In the cases where we do usage tracking and need identifiers, they'll be either based on something already in the system -- like your username/ID -- or a randomly-generated token. --brion (talk) 17:20, 6 September 2013 (UTC)
In that case, I think the wording needs adjusting since it currently says "Because of how browsers work [...] we receive some information automatically when you visit the Wikimedia Sites [...] possibly including unique device identification numbers". Mobile apps are not "browsers". 86.160.215.210 20:53, 9 September 2013 (UTC)
Thanks -- I made a small change to clarify that it applies to mobile applications. - Stephen LaPorte (WMF) (talk) 22:33, 6 November 2013 (UTC)
Thanks to the long term foundation policy of enabling widespread vandalism from IP addresses (because who cares how much time dedicated users spend reverting vandalism when they could be productively editing.. far more important not scare off someone who wants to add 'is a dick' to a biography), and the genius decision to enable vandalism from IPv6 addresses, Wikimedia is now actively enabling access to unique identifying data not just by Wikimedia admins, but by absolutely anyone in the world. Unless a Wikipedia user forced onto an IPv6 network takes extraordinary steps- steps which they are highly unlikely to be aware of unless they are reasonably technically savvy and thus have a Wikipedia account anyway- they will now be trackable to the household, if not the *device* level. Genius! John Nevard (talk) 14:37, 14 September 2013 (UTC)

Further clarification on unique identifiers for mobile applications?

Below, @Nemo bis: asked for clarification about why the policy still mentions unique device identification numbers after Brion's response. The intention for this sentence is to clarify that our applications could possibly collect unique device identification numbers, which may still be applicable for some applications, although not all of them. This sort of technical detail will depend precisely on the operating system, device, and application. I would welcome an alternative phrasing, if you think this could be clarified further in the policy. Thanks for everyone's attention to detail here. Stephen LaPorte (WMF) (talk) 20:49, 22 November 2013 (UTC)

Yes, add that said unique device identification numbers are not accessed nor recorded, per Brion above. Covering them and not explicitly excluding their usage is worse than not mentioning them at all. --Nemo 10:35, 25 November 2013 (UTC)

So, what is the purpose of all this?

I've read the draft from beginning to end, and I have no idea what you wanted me as a user to get from it. What's the purpose, what does it improve compared to the much shorter and more concise current policy which provides very clear and straightforward protections such as the four (4) magic words «Sampled raw log data» (see also #Data retention above)? Is the purpose just adding tracking pixels and cookies for everyone, handwashing (see section above) and generally reducing privacy commitments for whatever reason? --Nemo 21:31, 4 September 2013 (UTC)

Hi Nemo, Thanks for your comment. I outlined some specific reasons for why we needed an update above. YWelinder (WMF) (talk) 01:12, 6 September 2013 (UTC)
See here for Yana's summary. Geoffbrigham (talk) 02:12, 6 September 2013 (UTC)
The summary only says things I already knew, because I read the text. What's missing is the rationale for such changes, or why the changes are supposed to be an improvement. One hint: are there good things that we are not or will not be able to do due to the current policy and what changes are proposed in consequence?
Additionally, the summary doesn't even summarise that well IMHO, e.g. the language about cookies is not very clear and you didn't write anything about making request logs unsampled (which means having logs of all requests a user makes). --Nemo 06:47, 6 September 2013 (UTC)
I've forwarded your question to our tech team. Relevant members of the tech team are out for a conference and will respond to this shortly.YWelinder (WMF) (talk) 01:04, 12 September 2013 (UTC)

Unsampled request logs/tracking

Hey Nemo!
You have raised the question why we want the ability to store unsampled data and that’s a great question!
Two important use-cases come to mind. The first use case is funnel analysis for fundraising. As you know, we are 100% dependent on the donations by people like you -- people who care about the mission of the Wikimedia movement and who believe in a world in which every single human being can freely share in the sum of all knowledge.
We want to run the fundraiser as short as possible without annoying people with banners. So it’s crucial to understand the donation funnel, when are people dropping out and why. We can only answer those kind of questions if we store unsampled webrequest traffic.
The second use case is measuring the impact of Wikipedia Zero. Wikipedia Zero’s mission is to increase the number of people who can visit Wikipedia on their mobile phone without having to pay for the data charges: this is an important program that embodies our mission. Measuring the impact means knowing how many people (unique visitors) are benefiting from this program. If we can measure this then we can also be transparent to our donors in explaining how their money is used and how much impact their donations are making.
I hope this gives you a better understanding of why we need to store unsampled webrequest data. It is important to note that we will not build long historic reader profiles: the Data Retention Guidelines (soon to be released) will have clear limits on how long we will store this type of data.
Best regards,
(in my role as Product Manager Analytics @ WMF)
Drdee Drdee (talk) 23:03, 12 September 2013 (UTC)
Thank you for your answer. Note that this is only one of the unexplained points of the policy, though probably the most controversial one (and for some reason very well hidden), so I'm making a subsection. I'll wait for answers on the rest; at some point we should add at the top a notice of the expected improvements users should like this policy for (this is the only one mentioned so far apart from longer login duration, if I remember correctly).
Frankly, your answer is worse than anything I could have expected: are you seriously going to tell our half billion users that you want them to allow you to track every visit to our websites in order to target them better for donations and for the sake of some visitors of other domains (the mobile and zero ones)? This just doesn't work. I'm however interested in knowing more.
  • Why does fundraising require unconditional tracking of all visits to Wikimedia projects? If the aim is understanding the "donation funnel" (note: the vast majority of readers of this talk doesn't understand you when you talk like this), why can't they just use something like the ClickTracking done in 2009-2010 for the usability initiative, or the EventLogging which stores or should store only aggregate data (counts) of events like clicks of specific things?
  • I know that Wikipedia Zero has struggled to find metrics for impact measure, but from what I understood we do have some metrics and they were used to confirm that "we need some patience". If we need more statistics so desperately as to desire tracking all our visitors, I assume other less dramatic options have been considered as well? For instance, surely the mobile operators need how much traffic they're giving out for free that they would otherwise charge; how hard can it be for them to provide this number? (Of course I know it's not easy to negotiate with them; but we need to consider the alternatives.) --Nemo 06:51, 13 September 2013 (UTC)
Hi Nemo,
I think you are switching your arguments: first you ask why we would need to store unsampled webrequest data. You specifically asked "are there good things that we are not or will not be able to do due to the current policy and what changes are proposed in consequence?". I give you two use cases both being a type of funnel analysis that require unsampled data (the two use cases are btw not an exhaustive list). Then you switch gears by setting up a Straw man argument and saying that we will use it for better targeting of visitors. That's not what I said, if you read my response then I said we want to know when and why people drop out of a funnel.
The fact that you quote our half billion users indicates that we need unsampled data: we don't know for sure how many unique visitors we have :) We have to rely on third-party estimates. You see even you know of use-cases for unsampled data :)
Regarding Wikipedia Zero: the .zero. domain will soon be deprecated so that will leave us with only the .m. domain so we cannot restrict unsampled storage to .zero. In addition, most Wikipedia Zero carriers do not charge for .m. domains as well.
Regarding the Fundraising: I am answering your question and I am sure you know what a donation funnel is; I was not addressing the general public. EventLogging does not store aggregate data but raw unsampled data.
I am not sure how I can counter your argument 'This just doesn't work'.
Drdee (talk) 19:08, 18 September 2013 (UTC)
I'm sorry that you feel that way, I didn't intend to switch arguments. What does "We want to run the fundraiser as short as possible" mean if not that you want to extract more money out of the banners? That's the argument usually used by the fundraiding team, that the higher the "ROI" is the shorter the campaign will be. If you meant something else I'm sorry, but then could you please explain what you meant?
I'm also sorry for my unclear "This just doesn't work"; I meant that in this section I'm asking why the users, with whom we have a contract, should agree to revise it: what do they gain ("what is the purpose")? I still don't see an answer. For instance, knowing for sure how many unique users we have is not a gain for them; it's just the satisfaction of a curiosity the WMF or wikimedians like me can have.
As for Zero, I don't understand your reply. Are you saying that yes, other ways to get usage stats were considered but only unsampled tracking works? And that I'm wrong when I assume that operators would know how much traffic they're giving for free? --Nemo 14:55, 27 September 2013 (UTC)
Hi Nemo, I'll let other folks chime in to articulate the needs for the Fundraiser and Zero, I am with you on the fact that Wikimedia should collect as little data as possible but let me expand on the point you make about "curiosity regarding UVs". Measuring reach in terms of uniques is more than just a matter of "curiosity". We currently rely on third-party data (comScore) to estimate unique visitors but there are many reasons why we want to reliably monitor high-level traffic data based on uniques. We recently obtained data about the proportion of entries from Google properties as part of a review of how much of our readership depends on search engines. I cite this example because any significant drop in search engine-driven traffic is likely to affect Wikimedia's ability to reach individual donors, new contributors and potential new registered users. Similarly, we intervened in the past to opt out of projects such as Google QuickView based on evidence that they were impacting our ability to reach and engage visitors by creating intermediaries between the user and the content. Using UV data (particularly in combination with User Agents) also helps us determine whether decisions we make about browser support affect a substantial part of our visitor population. As Diederik pointed out, EventLogging does collect unsampled behavioral data about user interaction with our websites to help us run tests and improve site performance and user experience. The exact data collected by EventLogging is specified in these schemas and is subject to the data retention guidelines that the Legal team is in the process of sharing. DarTar (talk) 20:23, 9 December 2013 (UTC)

What about hiding the IP addresses of the users?

The following discussion is closed: close, looks like the discussion is finished/stale, will archive in a couple days unless reopened. Jalexander--WMF 22:33, 9 December 2013 (UTC)

Last time I wrote a program which gathered all the IP addresses of the "recent changes" page and fed them to nmap with one click, that was fun, but not cool. So what about that? Greets--82.113.121.77 21:56, 5 September 2013 (UTC)

Vous avez peut-être raison. Est-ce que l'affichage des IPs est vraiment utile ? Ne pourrait-on pas le remplacer par un autre système plus respectueux de nos données personnelles ? On peut de plus se poser la question de la légalité d'un tel affichage public 78.251.243.204 22:11, 5 September 2013 (UTC)
Attempt to translate 78.251.243.204 message : « You may be right. Is IP adresses' display really useful? Couldn't we replace it by an other system more respectful of our personal data? Moreover, we can ask the issue of the public display's legality. » Jules78120 (talk) 22:49, 5 September 2013 (UTC)
Was soll der Mist? Du kannst nicht erwarten das jeder französisch spricht. Schreib am besten auf englisch, dann ist wenigstens die change höher das jemand was zurück schreibt. Gruss--82.113.121.77 22:21, 5 September 2013 (UTC)
Na ja, ich schreibe einfach in meiner besten Sprache, Sie können aber auch nicht erwarten, dass jeder Englisch spricht (in der Schule habe ich Deutsch gelernt, kein Englisch, tut mir leid!)! Jeder kann vielleicht dennoch, so wie ich, ein Übersetzungsprogramm benutzen, es ist doch nicht so schwer zu finden, oder? Solch ein Programm können Sie einfach auf Internet kostenlos finden... Wir sind ja im ein-und-zwanzigsten Jahrhundert! Und ich lese lieber Ihr gutes Deutsch als Ihr schlechtes Englisch :-) Am besten schreibt jeder in seiner eigenen Sprache, und dann ist Ihr Liebingsübersetzungsprogramm auch Ihr Lieblingsfreund 78.251.243.204 01:03, 6 September 2013 (UTC)
I'm opposed to the idea of hiding editors' IP addresses, as they're necessary to identify and expose shills, astroturfers, propagandists and vandals in general. A typical example is the recent case of a member of the US Senate being caught red-handed vandalising the Edward Snowden page, changing the description of Snowden from "dissident" to "traitor". Slatedorg (talk) 16:29, 9 September 2013 (UTC)
It's interesting that you would use Snowden's name in an argument advocating more data collection. Do you genuinely believe that these rare instances of catching a fool who didn't think to create an account outweigh the loss to privacy from mass-scale data collection? CP\M (talk) 17:42, 9 September 2013 (UTC)
It can hardly be described as "more data collection" if that is in fact the current amount of data that's already collected. I'm merely proposing no change to the existing policy in that regard. And yes, I do think the advantages greatly outweigh the disadvantages, given the number of times such high-profile acts of vandalism have been exposed - something that's very much in the public interest. Moreover, Wikipedia is a public space, not private communications, so I don't see this as any particular threat to anyone ... except the vandals, of course. Slatedorg (talk) 07:37, 11 September 2013 (UTC)
Hi All. Thank you for participating in this consultation period. We appreciate questions and comments in all languages. =) I just wanted to let you know that I have passed your questions along to members of our Tech team, who may be able to better address your questions. Mpaulson (WMF) (talk) 22:41, 5 September 2013 (UTC)
The attribution of edits by logged-out users to IP addresses, and all the mechanics that go along with that (mechanisms for blocking users, tracking edits etc.) are pretty fundamental to how MediaWiki and most wiki software that allows logged-out user editing works, and how the community responds to edits by those users. So I consider this issue out of scope for a privacy policy discussion; rather, it is a larger technical conversation that should be influenced and guided by community input. A policy change does not magically create a workable alternative.
That said, I do agree that this is an area where we can do better -- the incontinent fashion in which wikis treat IP addresses is inconsistent with user expectations. The community recognizes this and has generally created pretty prominent warnings about this software behavior. Further technical improvements in this area range from easy to difficult, and significant payoff could be achieved with some of the easier improvements, so our intent in the near term is to focus on those.
For instance, right now it is possible to look for IP addresses of logged-in (!) users by trying to find edits that the user made while being accidentally logged-out. The software could reduce the incidence rate of accidental disclosures by doing a better job at helping users see that they are logged out, and making it possible to log in without leaving the edit page (tricky to do securely unless/until we switch over to HTTPS for all editing, though). Similarly, prompts to create accounts could be tested and optimized for effectiveness.--Eloquence (talk) 06:53, 12 September 2013 (UTC)
More importantly, any editor that first tries Wikipedia out as an anonymous editor and then creates an account - a path encouraged by Wikipedia policies - has, in all likelihood, permanently published his IP address for everyone to see. Come across a bad article you can easily improve, do it, register, keep improving it... gotcha. I tried this myself once and successfully so.
We shouldn't have such easy access to private information. And whether an editor takes a Checkuser request to dig out his IP or merely an attentive user shouldn't depend on the dice roll of which article they started their editing with. This isn't accident or carelessness, we actually hope to recruit editors through allowing them start "anonymously" - and this is what they get slapped with if they do. Warnings just aren't sufficient because most internet users care nothing for their privacy until it bites them.
While, understandably, IP addresses still have to be logged, I've made a minimalistic suggestion on how to reduce this leak here. In short, run the IP through an encryption function before doing anything else with it. Logging, block checks, signatures, anything that is done, keep doing it, only the value is different. It should allow legacy routines to run with minimal if any changes (as long as old block lists are updated), while decryption to actual IPs can be restricted to sysop+ users.
It's not an overnight change, but, other than the burden of converting legacy tables, it should still lie somewhere on the easy side of the spectrum. CP\M (talk) 08:05, 12 September 2013 (UTC)

Closing off as stale discussion for now. I think this is a discussion that is going to have to happen outside of the privacy policy discussion with tech, legal and the community if we want to go forward with it. Jalexander--WMF 22:31, 6 November 2013 (UTC)

Reopening because of discussion at Still lacking IP privacy protection which was waiting for response from Erik which he did here. Will point that section up here. Jalexander--WMF 22:56, 6 November 2013 (UTC)

Information We Collect: proposed disclosure is misleadingly incomplete.

Paragraph 1 of Information We Collect:

"We actively collect some types of information with a variety of commonly used technologies. These may include tracking pixels, JavaScript, and a variety of “locally stored data” technologies, such as cookies and local storage. We realize that a couple of these terms do not have the best reputation in town and can be used for less-than-noble purposes. So we want to be as clear as we can about why we use these methods and the type of information we use them to collect."

I strongly object to this policy as proposed. Clear about what is collected? Not yet! No mention of screen / window resolution, plugin versions, fonts available, or lots more. Let's not set a bad example and be deceitful about what we collect and justify it (to ourselves) as necessary for security reasons.

Is it appropriate for users to edit the draft directly at this time? Is the last sentence even a sentence? The draft sure seems to be an early draft, and it's not edit-protected. I could swap in something like this:

(Newer suggestion below.)"We actively collect some types of information with a variety of commonly used technologies. These generally include WP:tracking pixels, JavaScript, cookies, and a variety of other “locally stored data” technologies, such WP:local storage, and may include collected information regarding screen / window resolution, plugin versions, fonts available and more. We realize that a couple of these technologies have poor reputations and can be used for less-than-noble purposes. Therefore, we want to be as clear as we can about why we use these methods and the type of information we collect using them."

--Elvey (talk) 22:38, 8 September 2013 (UTC)

Hi Elvey, thanks for your comments. We are going to check with Tech on this and get back to you. Geoffbrigham (talk) 03:22, 9 September 2013 (UTC)
Dear Elvey,
Thank you for raising this issue. I believe you are asking why we have not included a comprehensive list of the information we are collecting or may collect in the future and you mention a couple of examples including: screen / window resolution, plugin versions and fonts available.
My first response would be that we are already transparent about the information we collect when assessing the efficacy of a new feature. I believe that a better place to disclose that information is not within the Privacy Policy, because it’s a policy which stipulates our principles and guidelines. Those principles and guidelines are embodied when we actually run experiments and collect data. For example, currently we use EventLogging to instrument our features. The mobile team created a schema to determine the number of upload attempts using the mobile Commons app, in order to measure whether new educational UI features were helping more people make their first upload. The schema will tell you exactly what information is collected and for what purpose and if you have a question you can interact with the developers through the talk page.
My second response is that it seems that you are alluding to the practice of browser sniffing to uniquely identify a reader by collecting as much information about the browser as possible including plugins and fonts. The EFF has a website called panopticlick that shows you how unique your browser is based on this technique.
This technique can be used to keep tracking people even when they clear their cookies after each session. Suffice to say, we will never employ this technique because it would violate our principle of collecting as little data as possible.
You are right that you could edit the new Privacy Policy but it would complicate the discussion significantly as we would not refer to the same draft anymore. The Legal Team will make changes in response to feedback from the community after the discussion regarding such change has been fleshed out and they are also trying to track changes internally, both things that would not work very well if everyone was editing the draft.
I hope this addresses your concerns but please feel free to add a follow-up question.
Best regards,
(in my role as Product Manager Analytics @ WMF)
Drdee (talk) 21:21, 11 September 2013 (UTC)
NOTE: what follows is a back and forth with Elvey and Drdee; indentation indicates who said what.
Thanks so much, for a thorough response!
I'm pleased to see that we 'are already transparent about the information we collect when assessing the efficacy of a new feature,' as your example shows. On the other hand, indeed, I strongly object to this policy as proposed, because I don't see that we 'are already transparent about the information we collect,' in general, yet. The place to disclose the latter is within the Privacy Policy, IMO.
I believe we are transparent about the information we collect: we clearly identify different types of information that we collect and for what purpose.
Re. your second response: Indeed, that is what concerns me. We disagree; I do not see browser sniffing as necessarily incompatible with the principle of collecting as little data as is consistent with maintenance, understanding, and improvement of the Wikimedia Sites; I can think of cases where it would aid security. However, I would be happy to see language in the policy that made it clear(er) that browser sniffing is incompatible with policy. What language do you suggest we add to do so, if you are amenable? How 'bout we swap in something like this?:
"We actively collect some types of information with a variety of commonly used technologies. These generally include EN:tracking pixels, JavaScript, cookies, and a variety of other “locally stored data” technologies, such W:local storage, and may include collected information regarding screen / window resolution. We realize that a couple of these technologies have poor reputations and can be used for less-than-noble purposes. Therefore, we want to be as clear as we can about why we use these methods and the type of information we collect using them. Extensive browser sniffing is incompatible with this policy; we will not collect plugin versions, fonts available, HTTP_ACCEPT headers, or color depth information."
I cannot imagine how browser sniffing would ever be compatible with this Privacy Policy (see also my follow-up comment).
Umm, you don't have to imagine. I've already said I can think of cases where browser sniffing would aid security. So unless I'm imagining those cases (and I'm confident that they're not imaginary), does that not mean that the policy allows browser sniffing because it allows collection to aid security, which is part of maintenance. If not, why not?
Any objections to s/seek to put requirements/put requirements/g ? I see no reason to be so wishy-washy. If there are to be exceptions, I feel the policy must state that any such exceptions will be specified, say, in the noted FAQ section. [Update: I see this is discussed already at #Seek_or_find.3F We already have the non-wishy-washy, "We will never use third-party cookies," so I see this seek to crud as unjustifiable.]
We are looking into this to see if it's feasible but it will require a bit of thought and we also look if we should do it in combination with the Data Retention Policy. Stay tuned.
As there were no objections, I did the substitution some days ago. If someone does s/put requirements/has not but plans to to put requirements/g, at least we'll have clarity - it'll be clear that we don't have the requirements in place, and if not, it'll be clear that we do, when this becomes policy.
A desire to 'refer to the same draft' is reasonable, but already out the window; the draft is rapidly evolving due to many recent edits by both the legal team and others. (In future, when a draft is proposed, clarity around this could be created with a statement, perhaps enforced with technical measures, or perhaps just noted with a permalink to the version as proposed.)
In-line reply encouraged. --Elvey (talk) 21:47, 13 September 2013 (UTC)
In-line replies: Drdee (talk) 20:40, 18 September 2013 (UTC)
In-line replies: --Elvey (talk) 17:46, 30 October 2013 (UTC)

Strip Wikimedia Data Collection to the Barest Minimum - Introduction

Two suggestions for the privacy policy:

  1. Lose the cutesy language and cartoons being used to make Wikimedia's disturbingly extensive user tracking seem less threatening
  2. Eliminate Wikimedia's disturbingly extensive user tracking.

It is fundamentally misleading to tell users that Wikimedia does not require any personal information to create an account, and then to actually collect vastly more behavioral information on each user than could ever be requested in a sign-up form, under the guise of "understanding our users better" — exactly the creepy line of every Orwellian data-vacuuming Web site today.

And ironically what is all this "understanding" producing? A site with fairly gruesome usability that's barely changed years and years later. Yet Wikimedia wants to keep track of every piece of content read by every "anonymous" user — associated with information like IP address and detailed browser info, which today in malevolent hands can often easily be associated with real name, address, Kindergarten academic record, likelihood to support an opposition candidate, and favorite desert topping.

It's just not Wikimedia's concern that someone is interested in both Pokemon and particle physics. That doesn't improve either article. That doesn't improve the interface. That doesn't improve the Byzantine and Kafkaesque bureaucracy of trying to find somewhere to report a gang of editors controlling and distorting an article.

To find the phrase "tracking pixels" here is jaw dropping. This is inherently a hacking-like technique to install a spyware file on a user's computer, to evade their express effort not to be tracked by clearing cookies. Web developers bringing these "normal" techniques used by "every other Web site" to Wikimedia, apparently don't understand, that "every other Web site" today is evil — and Wikimedia sites are supposed to be a radically different exception to this.

For readability this comment continues in "Strip Wikimedia Data Collection to the Barest Minimum - Privacy Specifics"

Privacycomment (talk)Privacycomment

Hi Privacycomment,
Sorry for the slow response -- I understand your concerns as follows:
1) Why are you misleading users when saying they do not need to provide personal information to create an account but meanwhile you collect a lot of behavioral data?
2) Can you demonstrate the benefits of understanding our users better?
3) Why is Wikimedia interested in creating an interest graph?
4) Why are we using tracking pixels?
Question 1: Interacting with our servers will provide us with some data: url visited, timestamp, used browser, etc. It seems that you define this as behavioral data but in fact it is not -- it is non-analyzed webrequest data that we have to store, for a minimum amount of time, to be able to monitor server performance and provide key performance indicators about usage of all the Wikimedia projects (those are two very important use cases). Without that data we would be flying in the dark -- how could we even do capacity planning?
In theory, we could analyze data and infer behavior from that, such as you mention in your paragraph about reader behavior, but atm we are not doing such things.
It's also very important to note that we do not buy 3rd party databases to add demographic data to our data and obviously we would never disclose webrequest data containing Personal Identifiable Information in raw form nor sell it. So I do not agree that we are misleading the users, in fact we are really trying to be as transparent and clear as possible.
Question 2: Our efforts to understand our users in the context of how they use new features have only begun quite recently. The Product team was formed in February 2012 and the E2 / E3 teams (now renamed to Core Features and Growth) started in March 2012. I do not agree that there has been no progress: for example, the E3 team worked on simplifying the account creation process and those improvements were the result of data-inspired decision-making. Other new features that we have rolled out / are rolling out like mw:VisualEditor, mw:Echo and mw:Flow are all supported by data-informed decision-making. I am sure we will see the fruits of this approach soon.
Question 3: AFAICT, there are currently no plans to make an interest graph of the readers but your example is actually a great use case! It could help uncover articles that are being targeted by vandals and in that way it could alleviate the work pressure on patrollers, oversighters and admins.
Question 4: Regarding tracking pixels -- I think we need to unravel this concept a bit more clearly. There are three use cases of tracking pixels:
1) as a very light way to push data from the browser to the server
2) a specific technique of bypassing browser origin restrictions
3) a method to infer whether an email message was opened / read
I suspect that you have big concerns regarding 3) and Fabrice Florin's answer regarding the use of tracking pixels was in this context. On the other hand, mw:EventLogging uses constructing of image requests to push data to server which is 1). I am not aware of an exampe of 2) in our context but given that we have many domain names I would not be entirely surprised that we would use 2) as well.
I hope this addresses your concerns,
Drdee (talk) 21:36, 1 October 2013 (UTC) (in my role as Product Manager Analytics @ WMF)
Regarding tracking pixels, perhaps part of the problem is in terminology. The term "tracking pixels" heavily implies use case #3. I'm not sure there is a widely-recognized term for use cases #1 and #2; any such term would probably be quickly adopted as a euphemism by those using use case #3, leading to the euphemism treadmill. Regarding use case #2, things these days are more likely to use techniques such as CORS as these are less restrictive. Regarding use case #3, I note that many email clients will specifically block externally-loaded images to prevent this.
I suppose CentralAuth's use of such pixel-images might be considered an instance of use case #2: it loads a 1x1 transparent pixel from all the other domains to attempt to set the login cookies for those domains, because the current domain can't set cookies on all those other domains. This could be done (possibly better) in other ways, but it has the advantage of working even when the client has JavaScript disabled. BJorsch (WMF) (talk) 14:31, 2 October 2013 (UTC)
We have edited the tracking pixel language to reflect feedback received in this discussion thread and others like it. Please let us know if you have any further questions or concerns regarding the applicable tracking pixel language. Thanks! Mpaulson (WMF) (talk) 19:22, 22 November 2013 (UTC)

Strip Wikimedia Data Collection to the Barest Minimum - Privacy Specifics

This is what Wikimedia should know about its users —

For anonymous readers, the sole data collected should be IP address, URL visited, and basic user-agent data (as specifics can be quasi-identifying): platform, browser name, major version, screen size. And this data should be immediately split into three separate log files, each separately randomized in half-hour time blocks, with the default Web server log disabled or immediately obliterated. So that, that secret governmental order to hand over every Wikipedia article read by a particular IP address simply can't be complied with. And so that that great new Wikimedia employee, who no one would suspect is working for a supragovernmental/governmental/corporate/mafia espionage operation, can't get at it either.

For anonymous editors the sole data collected should be that of anonymous readers, plus:

  • the data of the actual edit of course
  • the IP address of the edit, stored for one week (without data backups) and then obliterated, and viewable only by administrators investigating potential spam, vandalism, or other violations of Wikimedia rules during that week.

Public-facing edit records, and administrator-facing edit records after one week, should associate only the phrase "Anonymous Edit" or "One-Time Edit by [ad hoc nickname]". Wikimedia should use automated systems to detect any administrator accessing the IP address data associated with edits which are not likely to be spam, vandalism, or other violations of Wikimedia rules.

For logged-in users the sole data collected should be that of anonymous editors, plus:

  • their username at sign-up and log-in
  • their email address at sign-up if given
  • a public-facing list of their edits (of all types) on their user page
  • the contents of a Wikimedia browser cookie, set when they log in to a Wikimedia site, and deleted if/when they log out, which contains solely their username and encrypted password
  • an administration-facing log of Wikimedia messaging and banners which they have already received
  • an optional administration-facing flag in their account, indicating that they have donated to Wikimedia in month/year, without further identifying data, so as to suppress fundraising banners (if they have elected to overtly identify themselves with a Wikimedia username when making a donation).

Email addresses should be accessible for use for bulk mailings only by Wikimedia employees, and the email list file should be encrypted to prevent theft by corrupt or disgruntled Wikimedia employees.

For basic-level administrators the sole data collected should be that of logged-in users, plus their (pseudonymously-signed) administrator contract.

And no Wikimedia server or office should be located in any country — whether admitting to be a dictatorship or still pretending to be a democracy — which overtly, or by secret order, requires Wikimedia to collect or retain any data other than that specified here for these non-commerce functions.

Thank you for your consideration of these points,

Privacycomment (talk)Privacycomment

Strip Wikimedia Data Collection to the Barest Minimum - Further Considerations

Thanks Privacycomment for this post. I just want to add my perspective with some ideas on how to look at data-relevant processes in general and how to use the artificial differences in national laws on an action done in the physical or digital world.

  • First and foremost Wikipedia is a labor of love of knowledge nerds worldwide. This means that it is from an outside view an "international organization" much like the Red Cross - only to battle information disasters. This could be used to get servers and employees special status and protections under international treaties (heritage, information/press etc)
  • History teaches that those protections might not be a sufficient deterrent in heated moments of national political/legal idiocy, so Wikimedia should enact technical as well as content procedures to minimize the damage.

Data Protection

  • Collect as few data as possible and purge it as fast as possible. Period. You cannot divulge what you do not have.
  • Compartmentalize the data so that a breach - let's say in the US - does not automatically give access to data of other countries' userbases.
  • Play with laws: as there are a lot of protections well established when used against homes, or private property shape your installation and software to imitate those - no "official" central mail server that can be accessed with provider legislature, but a lot of private servers that are each protected and must be subpoenaed individually etc...
  • Offer a privacy wikipedia version that can only be accessed via tor - and where nothing is stored (I know this might be too much to admin against spam pros)
  • Use Perfect forward secrecy, hashes etc to create a situation, where most of the necessary information can be blindly validated without you having any possibility to actually see the information exchanged. This also helps with legal problems due to deniability. Again - compartmentalize.

Physical and digital infrastructure concerns

  • An internal organization along those lines and with the Red Cross as an example would offer a variety of possibilities when faced with legal threats: First and foremost, much like choosing where to pay taxes, one could quickly relocate the headquarters for a specific project to another legal system so that one can proof, that e.g. the US national chapter of wikimedia has no possible way of influencing let's say the Icelandic chapter who happens to have a national project called wikipedia.org
  • Another important step in being an international and truly independent organization is to finally use the power of interconnected networks and distribute the infrastructure with liberal computer legislation in mind much more as is now the case. Not to compare the content - just the legal possibilities - of the megaupload case with those of wikimedia, as long as US authorities have physical access to most of the servers, they do not need to do anything but be creative with domestic laws to hurt the organisation and millions of international users, too...
  • If this might be too difficult, let users choose between different mirrors that also conform to different IT legislation

Information Activism

  • Focus on a secure mediawiki with strong crypto, which can be deployed by information activists

So: paranoia off. But the problem really is that data collected now can and will be abused in the next 10, if not 50-100 years. If we limit the amount of data and purge data, those effects can be minimized. No one knows if something that is perfectly legal to write now might not bite one in the ass if legislation is changed in the future.

Cheers, --Gego (talk) 13:53, 9 September 2013 (UTC)

Hi Gego,
The idea of having a secure mediawiki with strong crypto is a technical proposal and as such is best to be presented as an RFC on Mediawiki but it's outside the scope of the new Privacy Policy.
Drdee (talk) 00:40, 7 November 2013 (UTC)

There's a lot of discussion about the data collected from those who edit pages, but what about those who passively read Wikipedia? I can't figure out what's collected, how long it's stored, and how it's used.

Frankly I don't see why ANY personally identifiable information should EVER be collected from a passive reader. In the good old days when I went to the library to read the paper encyclopaedia, no one stood next to me with a clipboard noting every page I read or even flipped past. So why should you do that now?

I don't object to real time statistics collection, e.g., counting the number of times a page is read, listing the countries from which each page is read from at least once, that sort of thing. But update the counters in real time and erase the HTTP GET log buffer without ever writing it to disk. If you decide to collect some other statistic, add it to the real-time code and start counting from that point forward.

Please resist the strong urge to log every single HTTP GET just because you can, just in case somebody might eventually think of something interesting to do with it someday. This is EXACTLY how the NSA thinks and it's why they store such a terrifying amount of stuff. 2602:304:B3CE:D590:0:0:0:1 14:54, 10 September 2013 (UTC)

2602, I will be linking to this comment from below but you may be interested in the section started at the bottom of the page at Tracking of visited pages . Jalexander (talk) 03:37, 11 September 2013 (UTC)
Dear 2602,
We need to store webrequest data for a very limited time from a security point of view: in case of a DDoS we need to be able to investigate where it originates and block some ip ranges. Sometimes we need to verify whether we are reachable from a certain country. And there other uses cases so not storing webrequest is not an option. The Data Retention guidelines, which will be published soon, will put clear timeframes on how long we can store webrequest data.
I hope this addresses your concern.
Best, Drdee (talk) 00:51, 7 November 2013 (UTC)
The current policy only allows sampled logs. Are you saying the the sysadmins are currently unable to protect the sites from DDoS? I never noticed.
Also, https://blog.archive.org/2013/10/25/reader-privacy-at-the-internet-archive/ , linked below, shows it definitely is an option. --Nemo 10:07, 8 November 2013 (UTC)

Text based page delivery (or 'how' we read)

No, I'm not going to harp on about using Rory as it appears that you're determined to use him whether he is redundant gimmick or not.

Other than feeling that one instance of his use is sufficient, if he is to be used as currently stands, serious consideration needs to be given to rules of thumb pertaining to desktop publishing and website development. Culturally, the English language is read from left to right, meaning that English readers are acclimatised to the left hand side of the page being the central focal point when dealing with anything text orientated. Not only is there no word-wrap around the Rory images in order to allow for a longer continuum of text (remembering that we read ahead by a minimum of several words at a time), the entire left side of the document disturbs the reader's expectations by sandwiching the text (and tables!) to the right. Bear in mind that these rules of thumb were developed through experience and behavioural studies over many years, right down to serif being preferred for paper documents, while sans serif reads more comfortably online. It's foolhardy to disregard certain standards which have been proven in order to 'experiment' with other techniques.

I've spent over three decades involved with pedagogical issues surrounding visual teaching methods/delivery, from secondary education to Post Graduate research presentation (I'm speaking of delivery at tertiary MA and PhD level by 100% research), so I'm not just blowing smoke.

If Rory is to be used, the 'culturally logical' layout for any Latin script language is to about-face the set-out of current draft and have him on the right-hand side. I'd also suggest that he could be made a little smaller and that word-wrap be used. --Iryna Harpy (talk) 04:21, 10 September 2013 (UTC)

Hi Iryna Harpy! Thank you for bringing this point up. I know that some of the decision involved in placing Rory on the left-hand side of the page and not wrapping the text around him had to do with making the format easily adaptable to different scripts and different screen/window sizes. I'll have one of the people who helped with the layout address those issues in more detail on this thread.
On a related note, based on community feedback, we are going to experiment with how to make Rory more useful in explaining the major concepts of the privacy policy over the next week. Some of the ideas we are going to try are either providing Rory with a narrative or with bullet points about the big concepts. If you have other ideas, we'd love to hear them. We're going to try to get some prototypes out to the community to see if they think that adds value. I'm hoping once we have a better idea of what text would accompany Rory (if any and assuming Rory stays in the policy), we can experiment with the layout to see if there are ways to make it more readable as you suggested. Mpaulson (WMF) (talk) 23:47, 10 September 2013 (UTC)
Right. I'm seeing both support for and opposition to Rory, but I want to make clear we have not "determined to use him." As explained above, we are playing with the idea, which is why your feedback for or against is important. If, after taking into account community feedback, it doesn't make sense after some experimentation, we won't use him; if it does, we might. That said, IMHO, visuals are important, as I suggested above. So alternative ideas are also welcome. Many thanks. Geoffbrigham (talk) 07:44, 11 September 2013 (UTC)
Thank you both (Mpaulson (WMF) & Geoffbrigham) for your responses. I suspect I speak for quite a few people responding to the draft policy when I say that my main concern was that Rory had already been locked into the presentation and was going to be worked in regardless of whether his 'presence' was superfluous or not. As I'm now feeling a little more assured that he's not a given, I'll abstain from further critiques regarding that aspect of the updated policy until the proposed prototypes are up and will judge as objectively as is possible at that point. I'm certainly not going to approach the subject with prejudice and will reserve judgement bearing context in mind. Cheers! --Iryna Harpy (talk) 02:01, 12 September 2013 (UTC)
I agree one hundred percent with Iryna Harp's concerns about text layout. As I understand the purpose is: "We want to make these documents as accessible as possible to as many people as possible." Congratulations, you have managed to do the opposite.
The big text boxes at the top, which are not part of the Privacy Policy, are not helping either. It's even hard to find out where the actual proposed privacy policy begins.
I believe you have successfully managed to prevent the majority of people of reading the proposed privacy policy.
Suggestions:
  1. If you do something special with the layout like text placement, illustrations and use of big icons, make sure it increases accessibility and not the opposite.
  2. Make the page look like a regular Wikipedia article page where people can start reading the proposed privacy policy immediately.
  3. Rename the page so it's clear from the name that this is a proposal and not the current privacy policy. For example "Proposed privacy policy" or "Privacy policy (draft)" or "Privacy policy (proposal)".
  4. Remove the side notes that are not part of the proposal. Instead, add a side bar at the right linking to side notes.
Cheers! --Aviertje (talk) 09:06, 16 September 2013 (UTC)
(Reply to second suggestion. Moved by Aviertje (talk) 18:50, 17 September 2013 (UTC))
I think we should provide a link at top to the main policy, as we did with the Terms of Use. See http://wikimediafoundation.org/wiki/Terms_of_Use Geoffbrigham (talk) 10:32, 17 September 2013 (UTC)
Geoffbrigham, I moved your in text replies down. I hope you approve. I also added numbering to my suggestions.
Providing a link at the top to the main policy would certainly help. But I don't understand putting in an obstacle and providing a link to move past it. There shouldn't be any obstacle accessing the terms of use or privacy policy. When people want to consult the terms of use or privacy policy, they want to read the real deal and not any unofficial comments. Any accompanying comments should not form an obstacle. --Aviertje (talk) 18:50, 17 September 2013 (UTC)
I understand your point, Aviertje, but, in the context of the terms of use, the user-friendly summary was in fact proposed by the community (not WMF), and we have received a number of positive comments about it since. In this discussion, people are saying that they want nutshell summaries of our privacy principles, and, as I see it, the user-friendly summary will satisfy that need. So, if you don't mind, I would like to monitor this issue and see if others feel strongly. In the meantime, I will have this link put above the user-friendly summary:
This is a summary of the [draft] Privacy Policy. To read the full terms, scroll down or click here.
Thanks. Geoffbrigham (talk) 11:54, 18 September 2013 (UTC)
The unofficial summary and the official privacy policy (or terms of use) serve completely different purposes and should not be mixed. I looked up the proposal for an informal summary and looked at the following edits to this proposal. It was suggested to create a separate informal summary containing a link to the official terms of use and managed by the community. Placing this unofficial summary above the official terms of use seems to be your own initiative. The fact that people value the unofficial summary does not mean it should be located here. It might be a good idea though to include such summary (officially) in the introduction of the privacy policy/terms of use. --Aviertje (talk) 22:03, 18 September 2013 (UTC)
Let's see if we hear additional objections. I know the user-friendly summary was posted at the top of the terms of use for some time during the consultation, and I don't recall any objection. Now that the issue has been raised, I will monitor and see if there is any other opposition to its placement vis-a-vis the privacy policy. Tx. Geoffbrigham (talk) 22:53, 18 September 2013 (UTC)
(Reply to fourth suggestion. Moved by Aviertje (talk) 18:50, 17 September 2013 (UTC))
I'm sorry. Could you explain this a bit more. Thanks. Geoffbrigham (talk) 10:32, 17 September 2013 (UTC)
With 'side bar' I meant a sidebar, a box at the right like on the page with the current privacy policy.
With side notes I meant all comments that are not part of the proposed privacy policy. Like the "This draft Privacy Policy needs your feedback..", "Want to help translate?..", "This is a user-friendly summary of the privacy policy..". Even the "This is a draft of a proposed privacy policy.." can be removed if the title is changed like I suggested in suggestion 3 above. --Aviertje (talk) 18:50, 17 September 2013 (UTC)
Thanks. I am monitoring to see if others feel the same way. Geoffbrigham (talk) 21:53, 15 November 2013 (UTC)

Comments by Shell

Lots of small details.

  • Your Public Contributions: "Please do not contribute any information that you are uncomfortable making permanently public, like the picture of you in that terrible outfit your mom forced you to wear when you were eight." Such a picture is unlikely to be kept anyway, so it's not a good example. I'd either remove the example or change it into something like: ...permanently public. For instance, if you reveal your real name somewhere, it will be permanently linked to your other contributions. (A better example/phrasing would be appreciated)
  • Account Information & Registration:
    • There's a link Privacy policy FAQ#standardaccount, but that section/ID doesn't exist on the page.
    • "Your username will be publicly visible, so please think carefully before you use your real name as your username." Slightly ambiguous (to me): Could be interpreted as the username should be your real name, so think carefully whether you want to sign up. The preceding sentence and the following paragraph make it clearer, but I'd still rephrase it (not sure how though - also not a big deal).
      • Would it be clearer to say:
Your username will be publicly visible, so please be careful if you choose to use your real name as your username
This is a subtle point, so I am not sure the best way to explain it. Stephen LaPorte (WMF) (talk) 01:08, 7 November 2013 (UTC)
Yeah, I think your new version is a little better. //Shell 06:19, 11 November 2013 (UTC)
Made the change (see here). Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
Good. You accidentally removed a period, so I added it back. //Shell 08:49, 17 November 2013 (UTC)
Good catch, thanks. Stephen LaPorte (WMF) (talk) 19:07, 22 November 2013 (UTC)
  • Information Related to Your Use of the Wikimedia Sites: "We also want this Policy and our practices to reflect our community’s values." This looks like a stray sentence - can it be removed completely?
    • I believe the intention is to explain the balance with the first sentence in that paragraph. It makes sense to me, but I will consider it more, and we are open to suggestions if it's still unclear to you. Stephen LaPorte (WMF) (talk) 01:08, 7 November 2013 (UTC)
      As it is that sentence feels out of place. You need to do one of: 1) remove it, 2) explain how it relates to the first sentence, 3) say something about what it means (it reflects community values by .. / it reflects community values. Therefore .. / it reflects community values. For example, ..). Personally I think it's enough if this is said in the introduction. //Shell 06:19, 11 November 2013 (UTC)
  • Information We Collect:
    • "For example, by using local storage to store your most recently read articles directly on your device so it can be retrieved quickly; and by using cookies, we can learn about the topics searched so that we can optimize the search results we deliver to you." This is a really long sentence that should be split up. Also, I don't understand how using local storage to store read articles can optimize search results. To me they seem like separate things.
      • Is this clearer?
For example, we may use local storage to store your most recently read articles directly on your device, so it can be retrieved quickly. Also, we may use cookies to learn about the topics searched so that we can optimize the search results we deliver to you.
Stephen LaPorte (WMF) (talk) 01:08, 7 November 2013 (UTC)
Yes, it's clearer. However, I'm always skeptical about delivering different search results for different people. I hope that such things would be explicitly marked and that there'd be an opt-out. //Shell 06:19, 11 November 2013 (UTC)
Updated. I appreciate the feedback on the feature. Technically, I am not sure if it would be used to deliver different results, or merely optimize the delivery time for the same results. I believe the feature is still under development, and @RobLa-WMF: may be able to point you to more information, if any is available yet. Thanks, Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
Ok. In general, it's enough if such things are documented by the Signpost when it's implemented. If there is an outline of how it would work out, I'm interested in reading about it in this case. //Shell 08:49, 17 November 2013 (UTC)
    • "Make the Wikimedia Sites more convenient to use, such as by using..." Should be rephrased: "such as by" sounds weird in my ears.
      • It sounds normal to me, but I will run it by some other people to see if it needs to be changed. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
        I don't use English every day, so maybe my ears are more sensitive to unusual constructs. If you think it sounds normal, leave as is. :-) //Shell 08:49, 17 November 2013 (UTC)
    • ...does not cause lasers to shoot out of your device... Too informal, I think.
  • IP Adresses: "Finally, when you visit any of Wikimedia Sites, we automatically receive the IP address of your device (or your proxy server) you are using to access the Internet..." "Any Wikimedia Site" or "Any of the Wikimedia Sites" sounds better. It should probably be "...the device (or the proxy server) you are using...".
  • For Legal Reasons: "We are committed to notifying you via email within five (5) business days, when possible, if we receive a legal request for disclosure of your information, assuming that we are not legally restrained from contacting you, there is no credible threat to life or limb that is created or increased by disclosing the request, and you have provided us with an email address." This sentence is too long.
  • How Long Do We Keep Your Data?: You should provide more concrete examples - every piece of personal information should be covered.
    • This will be covered in a forthcoming Data Retention guidelines. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
      Ok, good. It needs to be readily accessible. //Shell 08:49, 17 November 2013 (UTC)
  • Where is the Foundation and What Does that Mean for Me?:
    • "...you consent to the collection, transfer, storage, processing, disclosure, and other uses of your information in the U.S. and as described in this Privacy Policy." It sounds like there's this policy + collection etc. in the U.S. I suggest that you replace and with a comma.
      • The intention is that users consents to both: collection, etc. in the U.S., and collection, etc. as described in the Privacy Policy. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
        I thought the point of a privacy policy was that it makes the rules stricter, not the bare minimum required by law. If there is collection in the U.S. that is not specified in the Privacy Policy, why isn't it added? //Shell 08:49, 17 November 2013 (UTC)
        Upon reflection, the meaning is clearer without the "and". Thanks, Stephen LaPorte (WMF) (talk) 19:06, 22 November 2013 (UTC)
    • "...in connection with providing services to you." "In connection" is very vague - is it possible to use "in order to provide services to you"?
      • We use "connection with" because the policy includes a number of reasons how data may be used, all in connection to providing services. Do you prefer: "...in order to use your data as described above."? Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
        No, I think "in connection with" is better than "as described above". Leave as is if you can't make it more specific. //Shell 08:49, 17 November 2013 (UTC)
    • "For the protection of the Wikimedia Foundation and other users, if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites." This sentence seems misplaced. Should it be moved to the introduction, some other headline or to the other disclaimer at the bottom?
  • Changes to This Privacy Policy: "...and via a notification on WikimediaAnnounce-L or a similar mailing list." It sounds like the mailing list can be chosen at random. Is "...or a similar mailing list" really necessary? Retiring WikimediaAnnounce-L could be as simple as announcing the move there (including this tiny link/name change in the privacy policy), while still following with this policy.
    • Yes, the intention is to use the announcement list for the general Wikimedia community. It will probably be WikimediaAnnounce-L, but the policy should also be flexible to use a different list if it is more reasonable. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
      I'm not entirely convinced, but it's a minor matter. It's ok. //Shell 08:49, 17 November 2013 (UTC)

General notes:

  • Is there any system regarding "and" vs. "&" in headlines?
    • Updated. Good catch. I think it looks better (and is shorter) to consistently use "&" in the headlines. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
      Good. //Shell 08:49, 17 November 2013 (UTC)
  • I like Rory. Tasteful, doesn't distract, and gives you something to look at now and then.
    • Glad you liked Rory. I hope there is an opportunity to use him (or similar, friendly illustrations) elsewhere. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
      • I think it's important to have something that gives you a break when reading - even a well written privacy policy requires a lot of effort to read. The current blue icons are a bare minimum, and I encourage you to add back something. One way to do that is 500px's short summaries of each section. //Shell 08:49, 17 November 2013 (UTC)
        • That's an excellent idea. We actually considered something similar and would be happy to prepare short summaries. But we would like to see if this is something that a lot of community members would like us to include. Would you like to propose this in a separate thread where more people can weigh in? Thanks, YWelinder (WMF) (talk) 20:15, 9 December 2013 (UTC)
  • Use apostrophes consistently (don't vary between ’ and ')
    • These may be tricky to catch, but I will keep watching for them. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
      Good. //Shell 08:49, 17 November 2013 (UTC)
  • Is it "user profile" or "user page"?
    • Changed it to "user page". I expected that "user profile" may be more common around the internet, but "user page" is what we mean. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
      "User profile" still occurs twice in the policy: "Register an account or update your user profile." and "(although you may delete the information in your user profile)". Is that on purpose? //Shell 08:49, 17 November 2013 (UTC)
  • It's still quite long. This introduction is, however, a quite good summary.
    • Thanks. It's difficult to provide a be both thorough and concise, but hopefully the privacy policy provides a good balance. The summary and headlines are also intended to make it more readable. Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
      Yep, good work. //Shell 08:49, 17 November 2013 (UTC)

//Shell 23:08, 10 September 2013 (UTC)

Hi Shell! Thank you for your detailed comments. We really appreciate you taking the time to help us on this. The legal team and I will go through your comments and suggestions in greater detail tomorrow and will respond in-line accordingly (probably with some questions for you). =) Thanks again! Mpaulson (WMF) (talk) 00:02, 11 September 2013 (UTC)
Apologies for the delay. We will be on this shortly. Thanks. Geoffbrigham (talk) 10:37, 17 September 2013 (UTC)
Bump. Do you have ant comments? //Shell 10:35, 4 October 2013 (UTC)
Further apologies for the ongoing delay. We are juggling a couple of priorities right now, but intend to focus on your comments this week or next. Thanks. Geoffbrigham (talk) 19:21, 10 October 2013 (UTC)
Hello @Skalman: My apologies for taking so long to review your comments. I have left a few comments above, and suggested some alternative language a few spots. I appreciate your detailed feedback on the policy -- it's helpful indeed. Stephen LaPorte (WMF) (talk) 01:08, 7 November 2013 (UTC)
I have responded to your comments inline. You didn't comment all my points - do you intend to? //Shell 06:19, 11 November 2013 (UTC)
@Skalman: Yes, now I have followed up on your comments inline. Thanks again for spending time reviewing the policy so thoroughly. Your feedback has been helpful, and it has improved this draft. Cheers, Stephen LaPorte (WMF) (talk) 00:07, 16 November 2013 (UTC)
@Slaporte (WMF): I've responded again. I'm glad to help. //Shell 08:49, 17 November 2013 (UTC)
The following discussion is closed: close, looks like the discussion is finished/stale, will archive in a couple days unless reopened. Jalexander--WMF 22:32, 9 December 2013 (UTC)

The policy does not clearly express its own legal status. Is it intended be, or form part of, some legally binding agreement between users of WMF sites and the WMF? Are other parties supposed to be bound by it in any way? Do it create any enforceable obligations on the WMF? In particular, what is the intended legal status of the sentence "For the protection of the Wikimedia Foundation and other users, if you do not agree with this Privacy Policy, you may not use the Wikimedia Sites"? Clearly I can use those sites whether or not I agree with the policy. What does it mean to say that I may not? What does "agree" mean? Is it implying that by using the site I am agreeing with the policy in a legal sense? Spectral sequence (talk) 16:24, 14 September 2013 (UTC)

Hello Spectral Sequence! The privacy policy is a legal document, binding on both the Foundation and the users of the projects. This means that the Foundation is bound to only collect and use user information as provided for in the privacy policy. Similarly, while you are correct that you can use the sites whether or not you agree with the policy, by using the sites you are accepting the terms of the policy and will be bound by those terms. Thank you for eliciting this clarification! DRenaud (WMF) (talk) 21:36, 19 September 2013 (UTC)
If it is intended that this policy placed the user under some kind of legal obligation, that needs to be made clear in the policy and it also needs to be made clear in the Terms of Use. It would be a good idea to summarise the obligations the user is entering into under this policy. I also believe that insofar as the privacy policy is intended to be legally binding on users, it becomes even less appropriate for the formal policy to contain informal language such as "we think you are awesome". (Am I contractually obliged to be awesome, or are you just obliged to think me so?). Spectral sequence (talk) 13:23, 21 September 2013 (UTC)
The policy should also probably clarify whether this page itself is the complete legal contract, or do its subpages like the FAQ and glossary also form part of the contract.--Siddhartha Ghai (talk) 17:15, 25 September 2013 (UTC)
Wow, this is a good catch. Our original drafts included that language but somehow it did not make its way to this on-wiki version. So we will include language that makes clear that the following documents are not technically part of the legal privacy policy: (1) the FAQ; (2) the Glossary of key terms; and (3) the Subpoena FAQ. The language should read something like this: "This FAQ [Glossary] is not part of the privacy policy. It is not even a legal document. We do hope however that you will find it helpful." To facilitate navigation, we will also include a insert box on each of these documents and the privacy policy with cross links to each one. We may not get to making these changes immediately because our staff is working on another project, but we are putting it on our list of things to do within the next couple of weeks. Many thanks! Geoffbrigham (talk) 21:01, 15 November 2013 (UTC)

Structure of the document

I find the current privacy policy much more clear than the new one. It's much easier to retrieve information from it. One of the reasons I think is because there are redundant headings in the proposed new privacy policy. If you remove the headers "Welkom!", "Use of info", "Sharing", "Protection" and "Important info", the document suddenly makes much more sense.

It looks like meaningless headers were added, only to provide for short descriptions for the big icons. I suppose this is done to make the document look more attractive to a younger audience and to lure people into clicking the icons at the top. Also the numbering of chapters seems to be removed to support the structure created by the big icons. It may look more cool and attractive and you perhaps get more clicks, but I'm sure the actual information comes across much harder. --Aviertje (talk) 15:15, 19 September 2013 (UTC)

Hi Aviertje. Thank you for your suggestion. The purpose of the icons was to make it easy for people to skip to sections that they are looking for or are the most interested in. I see what you're saying about some being redundant, such as when the "Sharing" icon and heading is immediately followed by the subsection heading "When May We Share Your Information?". However, other times, the icon and accompanying heading help group together related subsections. For example, the "Important Info" icon and heading groups together "Where is the Foundation and What Does that Mean for Me?", "Changes to This Privacy Policy", "Contact Us", and "Thank You!". The Introduction icon and heading do something similar.
The hope was not to make the document look attractive (although that's not the worst thing to do if you are trying to encourage people to read something), but to make it more navigable. What do others think? Do the icons and section headings help? Mpaulson (WMF) (talk) 18:12, 19 September 2013 (UTC)
It's funny that you mention "Important info" as an example. "Important info" says absolutely nothing. Each chapter could be named that. Naming it "I don't know what to name this" would even be more informative.
BTW. "Welcome!" is a bad title, because the section is not about welcoming the reader. It can be a greeting if you make it normal text instead of a header. "A Little Background" is also a bad title. The inconsistent use of the informal word "info" looks strange. --Aviertje (talk) 16:34, 20 September 2013 (UTC)
Hi Aviertje. If you have suggestions as to what the titles should be renamed as, I'd like to hear them and hear what other community members think, both about the current titles and your proposed titles. Mpaulson (WMF) (talk) 22:31, 26 September 2013 (UTC)
Like I said at the beginning lose the meaningless headers "Welkom!", "Use of info", "Sharing", "Protection" and "Important info". As to "A Little Background", what do you think of "Language used in this policy"? --Aviertje (talk) 22:15, 30 September 2013 (UTC)
I would like to hear if others feel the same way. Thanks. Geoffbrigham (talk) 20:31, 15 November 2013 (UTC)

Introduction and scope of the privacy policy

The following discussion is closed: close, looks like the discussion is finished/stale, will archive in a couple days unless reopened. Jalexander--WMF 22:28, 9 December 2013 (UTC)

In my opinion the introduction should only contain redundant information. People expect the introduction to contain only redundant information and often skip it.

I think the introduction should be followed by a chapter about the scope of the privacy policy. This should include information about the identity of the Foundation and whether the Foundation has to comply with the provisions in the privacy policy. --Aviertje (talk) 15:34, 19 September 2013 (UTC)

Hi Aviertje! Thank you for your suggestion. The purpose of the introduction is to give the privacy policy draft some context. It outlines some of our guiding principles and lays out the scope of the policy draft. I think it plays an important role in the draft for those reasons. Providing redundant information in the introduction only serves to make the policy draft longer without reason. Every section of the policy draft has been included for a reason and should be read in full. I understand that some people may skip the introduction (or any other section that does not interest them), and part of the reason why we have subsections (like "What This Privacy Policy Does & Doesn't Cover") is to make it less likely that people will accidentally skip a section that is important to them.
As to your second comment about having a chapter about the scope of the privacy policy, I'm not sure I understand. The scope of the privacy policy draft is actually covered as a subsection of the introduction (following the "Welcome" and "A Little Background" subsections), and is entitled "What This Privacy Policy Does & Doesn't Cover". Could you clarify?
As to your comment about explaining the identity of the Foundation, can you explain what you mean exactly? In the "A Little Background" section, we state by ""the Wikimedia Foundation" / "the Foundation" / "we" / "us" / "our"", we mean "The Wikimedia Foundation, Inc., the non-profit organization that operates the Wikimedia Sites." What additional information do you think we should include to make the identity of the Foundation a little clearer?
And finally, regarding your question about whether the Foundation has to comply with the provisions of the privacy policy. The answer is yes, a privacy policy is a legal document that outlines the Foundation's practices with regard to the collection and use of user information and the Foundation is supposed to follow it. Any alleged violations of the privacy policy should be brought to the attention of the Foundation's legal team or the Ombudsman Commission so that it can be investigated and addressed as appropriate to the particular situation.
Thank you again for taking the time to bring these issues up. I look forward to hearing clarification of some of your points and hope we can make the draft better as a result. Mpaulson (WMF) (talk) 17:51, 19 September 2013 (UTC)
I meant not to make the privacy policy longer, but to move important information like "What This Privacy Policy Does & Doesn't Cover" out of the introduction into a separate chapter.
Concerning my comment about the identity of the Foundation, I was thinking of the information in the section "Where is the Foundation and What Does that Mean for Me?" I suggest to move this information to the beginning. First things first. A privacy policy should state who is responsible for processing personal data, what data is processed and for what purpose. It seems logical to me to use this order.
There doesn't seem to be a law saying the Foundation has to comply with the provisions in the privacy policy, see section "What's the use of this policy?" on this talk page. And there doesn't seem to be a statement in the terms of use or privacy policy explicitly stating the Foundation has to comply. Since this is a legal document, what's not stated, doesn't count. Anyway, I think it would be good to include explicit statements saying the Foundation has to comply with certain things. The terms of use and privacy policy seem to be very one-sided agreements. It's all about protecting the interest of the Foundation. The users are forced to consent with everything. The Foundation doesn't commit to anything. Not explicitly stated anyway. --Aviertje (talk) 15:24, 20 September 2013 (UTC)
Aviertje, can you point to language in other privacy policies that would be along the lines of what you are recommending re binding nature of the privacy policy? As a side note, I would question that this is a one-sided agreement, especially given the commitment to collect relatively minimal information compared to other major website. We understand your other points and will monitor this discussion to see how others feel as well. Thanks. Geoffbrigham (talk) 09:23, 25 September 2013 (UTC)
I don't know examples by heart from other privacy policies and I don't have the time to research this. Sorry.
Let me ask you a question. Can you point me to language in the proposed privacy policy where user rights are protected? Compare that with the times the rights of the Foundation are protected.
Can you also point me to language in the proposed privacy policy where the Foundation explicitly commits to collect relatively minimal information? --Aviertje (talk) 14:09, 25 September 2013 (UTC)
Standard for most privacy policies, there are various places where protection of user rights is mentioned (e.g., "We do not sell or rent your nonpublic information, nor do we use it to sell you any third-party products or services."). There are also provisions regarding protection of the rights of the Foundation (e.g., "We may need to share your personal information if we reasonably believe it is necessary to enforce or investigate potential violations of our Terms of Use, this Privacy Policy, or any Foundation or user community-based policies.").
With regard to our data collection practices, as we have pointed out, for example, “you do not have to provide things like your real name, address, or date of birth to sign up for a standard account or contribute content to the Wikimedia Sites.”
Courts often apply contract law to online policies. We will be including some language to make this clearer. Geoffbrigham (talk) 23:26, 30 September 2013 (UTC)
After reviewing the proposed privacy policy again, I give in. I was wrong.
I think I was put off by things like "This Privacy Policy explains how the Wikimedia Foundation ... collects, uses, and shares information we receive from you .... It is essential to understand that ... you consent to the collection, transfer, processing, storage, disclosure, and use of your information as described in this Privacy Policy." While the Foundation merely gives an explanation, I have to consent. There is a lot of attention to informing the user he is giving consent. Is it the intention to get consent from the user, or is it the intention to make the user aware of how his information is used? --Aviertje (talk) 08:56, 1 October 2013 (UTC)
Hi Aviertje. I am not sure I understand your question exactly, so please let me know if I'm not answering it. Our main goal is to inform the users - including readers - about how their information is used, though their use of the site constitutes consent legally. Geoffbrigham (talk) 20:29, 22 November 2013 (UTC)

Banners

The following discussion is closed: close, looks like the discussion is finished/stale, will archive in a couple days unless reopened. Jalexander--WMF 22:26, 9 December 2013 (UTC)

Recently when I visited Wikipedia I was presented a banner saying something like "Wiki Loves Monuments: Photograph a monument for Wikipedia and win!" This kind of advertisement is a clear invasion of privacy. There doesn't seem to be an option in the preferences to turn this off and the privacy policy does not mention banners, does it? --Aviertje (talk) 16:15, 19 September 2013 (UTC)

Hi Aviertje! Thank you for your question. You are correct that sometimes the Wikimedia Sites display banners to users. The purpose of these banners are to alert you about certain things that involve the Wikimedia movement -- sometimes they will encourage you to donate to the Wikimedia Foundation (after all, the Wikimedia Sites are supported almost entirely from donations from the community), sometimes the banners let you know about interesting Wikimedia-related events that are going on (like the Wiki Loves Monuments competition, which encourages people to contribute to Wikimedia Commons), and sometimes they alert you to discussions about important topics that might impact you as a user (like the privacy policy draft discussion). They are never used for subjects that are not related to or could impact the Wikimedia projects or the Wikimedia movement.
Could you clarify why you believe the banners are an invasion of privacy? Displaying banners does not, itself, result in the collection of any personal information. Clicking on a banner may result in the collection of some personal information, such as IP address, through the use of JavaScript (a method of information collection we use not just for banners and which is described in the "Information We Collect" section of the draft). You are correct in that the privacy policy draft does not directly address the banners. Do you think adding specific language under the "Information We Collect" section would be helpful in this regard?
As to your question about turning off banners, we try to not overwhelm you with banners (we actually use cookies to try to limit the number of times that you see a banner), but there is not an option to turn them off completely. This is because there may be times where we need to alert users about important information. For example, when a major legal policy is changed and is going to go into effect, we use banners to provide users notice of the impending changes. This method of notice is particularly important because we do not have another equally effective way of reaching all of our users as we do not require contact information to use Wikimedia Sites or even when you register an account.
Hope that helps address some of your concerns. Mpaulson (WMF) (talk) 00:49, 20 September 2013 (UTC)
You ask why banners with advertisements are an invasion of privacy? Because I have "the right to be let alone" [7]. When I request a page with information from WMF's server, an advertisement is sent directly to me personally. I don't appreciate spam. Not by e-mail, not by phone and not by answering http requests. --Aviertje (talk) 13:49, 20 September 2013 (UTC)
A banner is part of the wiki page itself, it is shown to everyone who looks up a page without looking to who is looking. All major sites use or have used banners in certain cases that are considered important, as there is no other way to communicate to all users together. The Wikimedia Foundation does not advertise for commercial benefit (spam). There is a difference between spam and a notice. The Wikimedia Foundation only uses banners for notices as the worldwide community is in general against advertisements. What is a notice? A notice is a message to everyone about the conditions of the website and changes in those or about activities that are organized on the website. Examples are the implementation of a privacy policy (change in condition), asking for a donation for maintenance/etc of the website (condition) and the organisation of the largest photo competition in the world (activity). So don't mix up spam with notices, we do not call a cat a dog either. If you visit whatever website, you can only retrieve the complete web page from the server, which includes all texts, images, links and notices. That has nothing with privacy but the wish someone has to visit a page we created with all the information we have put on it, not just for that person, but for everyone. Romaine (talk) 02:13, 21 September 2013 (UTC)
An advertisement doesn't have to be for commercial benefit for it to be considered spam.
The Foundation provides the service Wikipedia. The function of this service is to be a free encyclopedia that anyone can edit. It's function is not to send notices for the Foundation to everyone. The Foundation has its official website and blog for that. I can accept to be bothered by a banner on Wikipedia when the Foundation wants to announce new terms of use or a new provicacy policy. For anything else, I don't see why I should be bothered. Leave me alone while enjoying the free service. At the least, make receiving other notices optional. --Aviertje (talk) 22:42, 22 September 2013 (UTC)
Err, any user can hide the banners fairly easily. If you're unregistered, you can use client-side CSS or JavaScript in your Web browser. If you're a registered user, you can use server-side JavaScript and CSS pages to do this. For example: w:en:User:MZMcBride/hidebanner.js. There's also a close mechanism (usually via an "X" icon) associated with every(?) banner that's deployed. The banners are certainly optional if you put in a modicum of work. :-)
I'll try not to take the bait regarding "leave me alone while enjoying the free service." That's just silliness. --MZMcBride (talk) 01:07, 23 September 2013 (UTC)
Although the Foundation has a blog and an official website, only involved members of the community would know about these. The privacy policy discussion is important for all users, and casual readers may even be interested in Wiki Loves Monuments. Compare Wikimedia's donation banners to websites with real ads, and you'll see they're in a very different league. More like a (possibly target by language/country) notice or announcement. Not spam. You may opt out [if you have cookies enabled] of CentralNotice banners by clicking the "X" (sometimes "hide"?) button, or by using user CSS (in Special:MyPage/common.css on any wikis you read) to hide all CN and even local (SiteNotice) banners.
#siteNotice, #fundraiser, #centralNotice, .fundraiser-box { display:none !important; }
PiRSquared17 (talk) 01:15, 23 September 2013 (UTC)
Clicking the "X" only disables the current displayed banner. It does not opt out for receiving such banners.
Disabling the feature yourself is a violation of the terms of use, see Terms_of_use 17. Other_Terms: "You agree that we may provide you with notices, including those regarding changes to the Terms of Use, by email, regular mail, or postings on Project websites."
Unlike regular ads, the notices are not clearly distinguishable as Advertisements. For one thing they are not marked as being ads. This makes it unclear that they are meant for everybody to read if they are interested. In fact, they are not messages displayed to everyone, optionally to read.
The terms of use says "You agree that we may provide you.." It does not say "You agree that we may provide everybody.." The notices are addressed to each person individually. Advertisements sent this way are a form a direct marketing. I don't know the ins and outs of the law of California. But I understand the California Constitution gives each citizen an inalienable right to pursue and obtain privacy. That may very well mean that you can always object to direct marketing. --Aviertje (talk) 13:16, 23 September 2013 (UTC)
I don't see how displaying a banner is a violation of privacy. Think of it as part of the web page. Compare that to sites (e.g. Wikia) with real ads. If hiding banners is against the ToU, then MZM and I have been violating it... @Mpaulson (WMF): comment? PiRSquared17 (talk) 13:40, 23 September 2013 (UTC)
PiRSquared17, why did you remove the banner? --Aviertje (talk) 11:44, 24 September 2013 (UTC)
Hi Aviertje, PiRSquared17, and MZMcBride. Aviertje, I'm not sure exactly how you have derived the right not to see banners from a general right to privacy provided in the California Constitution. Can you point us to some statutory or case law supporting your theory? I am unaware of any such interpretation under California law, but would be happy to examine any materials you have. PiRSquared and MZ, I do not believe you have violated the Terms of Use by hiding some banners. The Terms of Use language cited in this discussion simply means that you have agreed to permit us to provide you notice by email, regular mail, or postings to the sites. It does not mean that you hiding the banner or throwing away mail that we send you results in a violation of the Terms of Use. Mpaulson (WMF) (talk) 22:11, 26 September 2013 (UTC)
My protest is not against banners in general, but against the banners in the mentioned case. A banner is just the means, it's about the contents of the banner. Like spam isn't the same as email.
I said: "I don't know the ins and outs of the law of California. .... That may very well mean.." It should be obvious that I was raising questions rather than giving answers. I have done a quick scan on California law now. Surely you can't derive much from California Constitution. But I do see the same basic principles concerning privacy being applied. For example, direct marketing is definitely related to privacy. What's the Foundation's policy about own direct marketing (not by third parties)? And can people object to it?
What legal implications does hiding the banner or throwing away mail have? Does the Foundation still consider new terms of use and new privacy policy binding when notices about these new terms are being hidden and thrown away? --Aviertje (talk) 21:30, 30 September 2013 (UTC)
Hi Aviertje, I really don't see any legal issues here. Banners are notices to which users agree to in the terms of use. Michelle has answered above with respect the hiding of the banner. Take care, Geoffbrigham (talk) 20:51, 22 November 2013 (UTC)

Conflict with user community policy

The following discussion is closed.

The section To Protect You, Ourselves, and Others states "We may need to share your personal information if we reasonably believe it is necessary to enforce or investigate potential violations of our Terms of Use, this Privacy Policy, or any Foundation or user community-based policies. [...] Wikimedia Sites are collaborative, with users writing most of the policies and selecting from amongst themselves people to hold certain administrative rights." What happens when a community policy conflicts with or contradicts the provisions of this policy? Which takes precedence? The answer needs to be made explicit. Spectral sequence (talk) 18:49, 22 September 2013 (UTC)

Hi Spectral sequence! That's a great question. The Terms of Use does not, to the best of knowledge, contain anything that contradicts the Privacy Policy draft (it only reiterates some things in the current Privacy Policy and the Privacy Policy draft), as they are meant to cover different subject matter. As for community-based policies, they should be in adherence to the Privacy Policy. Although, it should be noted that the Privacy Policy is meant to describe the minimum protections provided and does not prevent other Foundation or community policies or practices from being more protective of privacy. Are there any particular policies that come to mind that you are concerned about? Would adding language like this be helpful: "In the event that a community-based policy relating to a Wikimedia Site covered by this Privacy Policy conflicts with this Privacy Policy, this Privacy Policy takes precedence to the extent the community-based policy conflicts with this Privacy Policy." Mpaulson (WMF) (talk) 18:54, 26 September 2013 (UTC)
I would prefer a "ratchet" clause that stated that the WMF privacy policy provided a minimum level of protection and that community policies were invalid to the extent that they provided a lower level, but valid to the extent that they provided a higher level of protection. Spectral sequence (talk) 17:18, 27 September 2013 (UTC)
@Spectral Sequence: Good idea. How about, at the end of "What This Privacy Policy Does & Doesn't Cover": "Where community policies govern information, such as the CheckUser policy, the relevant community may add to the rules and obligations set out in this policy. However, they cannot create new exceptions or otherwise reduce the protections offered by this policy." Sound good?
@WereSpielChequers: you raised a similar question before, that I addressed in a comment but didn't adjust the policy to reflect. Does this help? Thanks to both of you for prodding us. -LVilla (WMF) (talk) 21:34, 15 November 2013 (UTC)
@Spectral Sequence: @WereSpielChequers: I've now added this language to the policy; thanks for the suggestions! Closing this section, but if someone wants to reopen to discuss this addition, please feel free. -LVilla (WMF) (talk) 18:58, 9 December 2013 (UTC)

Many websites across the Internet now utilize a more explicit means of communicating the website's use of cookies and requirement to agree to said usage. For example, one can visit https://www.google.co.uk/ where on the bottom one will notice:

Cookies help us deliver our services. By using our services, you agree to our use of cookies. [button]OK[/button] [link]Learn more[/link]

It is in the best interest of users and the Foundation to include a similar message indicating to that effect the use of cookies and an explicit click of the "OK" button indicating the user's acceptance to the Privacy Policy. This is particularly helpful rather than stating that the user automatically agrees to the Policy when said user visits the Sites. 184.147.55.86 21:33, 2 October 2013 (UTC)

Great idea. A volunteer started to document cookies used by WMF sites at cookie jar, but it is not even close to being complete. By the way, I believe that google.co.uk asks the user about cookies because of the EU's E-Privacy Directive. The Wikimedia Foundation might legally need to do so because they use cookies that are not "strictly necessary", but I'm sure they would have done so by now if legally required. Let's leave that to Legal. Even if it's not legally required, it may be better to inform users, however, as you say. PiRSquared17 (talk) 21:55, 2 October 2013 (UTC)
A lot of European websites inform about cookies because of that directive. As Wikimedia Foundation projects are hosted in the United States, I would assume that the Wikimedia Foundation doesn't have to do this, but nothing prevents the Foundation from informing about cookies either. --Stefan2 (talk) 10:26, 3 October 2013 (UTC)
We have seen this in several places here recently: the rationale, explicit, implict or presumed, that if WMF is not legally required to do something then it need not. While that may be correct legally, it suggests a somewhat limited commitment to users' privacy. There is no technical reason not to follow the European practice voluntarily, and I for one would suggest that WMF sites should do so as a matter of good practice. Could we hear an explicit reason why WMF has decided not to do so in these cases: a reason, that is, going beyond "we don't have to". Spectral sequence (talk) 18:42, 4 October 2013 (UTC)
I agree that this is a good idea. Could someone make a mockup of this? PiRSquared17 (talk) 02:42, 5 October 2013 (UTC)
Hi All. Thank you for bringing this issue up. This possibility was actually discussed internally when we were formulating this draft of the privacy policy. We decided not to explore this option further mostly because we were concerned that such pop-ups would take away from the user experience -- people generally do not like pop-ups as part of their interactions with a site. We don't think that having such a pop-up would be wrong or inappropriate per se, but it's a trade-off. If there was a significant call from the community to implement such pop-ups, we would happily discuss this possibility with the tech team again. Mpaulson (WMF) (talk) 20:36, 1 November 2013 (UTC)
  • Support for pop-ups, as nominator. 184.146.127.142 22:47, 4 November 2013 (UTC)

The draft EU Data Protection Regulation

The draft EU Data Protection Regulation will probably come into force in 2016. It is proposed that it will apply to all non-EU companies processing the data of EU citizens. While of course we appreciate that the WMF is legally situated in the USA, its interactions with users situated in the EU will be affected by the Regulation. How does the proposed Privacy Policy sit with respect to the EU proposals? Spectral sequence (talk) 17:28, 6 October 2013 (UTC)

Hi Spectral sequence! We are aware of the upcoming draft and are tracking the regulation accordingly. The privacy policy draft was written with EU principles in mind and reviewed by EU counsel, but does not incorporate every EU regulation or proposal. Frankly, there is a lot that can happen to the content of proposed EU Data Protection Regulation between now and actually implementation of the regulation and we don't think it's wise to speculate quite yet as to how this will impact the privacy policy draft. We will, of course, keep tracking it and once the language of the regulation has been finalized and an adoption timeline is being established, we reevaluate the privacy policy to see if any changes are needed. Mpaulson (WMF) (talk) 19:22, 1 November 2013 (UTC)

What This Privacy Policy Doesn't Cover

The following discussion is closed: close, looks like the discussion is finished/stale, will archive in a couple days unless reopened. Jalexander--WMF 22:24, 9 December 2013 (UTC)

Expanding the section on Examples of What This Privacy Policy Doesn't Cover reveals some things that don't quite seem to make sense. We read Some sites the Wikimedia Foundation operates have separate privacy policies or provisions that differ from this Privacy Policy which makes perfect sense, but is then followed by the phrase these particular situations have separate privacy policies that do not incorporate this Privacy Policy: where "situation" is not at all the same thing as "site". The list then includes some sites (like the shop) and then Administrative groups, such as CheckUsers or Stewards. Should that bullet come after the comment This Privacy Policy only covers the way we collect and handle information, where in passing "we" should be replaced by "the WMF"?

I think it would be much clearer to say something like: This privacy policy applies only to the way WMF collects and handles data and only on certain of WMF sites. Some WMF sites have their own policies; other parties than WMF have access to data on WMF servers and different policies apply to them. Specifically: ....

Spectral sequence (talk) 20:59, 16 October 2013 (UTC)

Hi Spectral sequence. I agree that we should move down the bullet point as you suggested. I also agree that we change "we" to "WMF" as you have suggested. I have given those instructions.
You also are correct that we need more clarity here. I generally like your wording, but I might suggest redrafting a bit. How about something like the following:
This Privacy Policy does not cover all sites where WMF or others may gather or process data. For example, this Privacy Policy may not apply to sites that have their own independent WMF privacy policies or to sites that are run by third parties other than WMF. This Privacy Policy may not apply to certain community administrative groups in specified circumstances. You can find examples where this Privacy Policy does not apply below: .... .
Does this work?
Thanks, Geoffbrigham (talk) 21:21, 1 November 2013 (UTC)
Please note that we have restructured the What This Privacy Policy Does & Doesn't Cover section for clarity. Please let us know what you think! Mpaulson (WMF) (talk) 20:34, 22 November 2013 (UTC)

Reader Privacy at the Internet Archive

The following discussion is closed: close, looks like the discussion is finished, will archive in a couple days unless reopened. Jalexander--WMF 22:23, 9 December 2013 (UTC)

Interesting read: http://blog.archive.org/2013/10/25/reader-privacy-at-the-internet-archive/ Among other things:

The web servers on Archive.org and OpenLibrary.org were modified to take the IP addresses, and encrypt them with a key that changes each day making it very difficult to reconstruct any users behavior.

It seems the ever-growing collection of data about users behaviour is not an irresistible trend in all corners of the web. --Nemo 17:30, 25 October 2013 (UTC)

Very interesting reading, Nemo. Thank you for sharing. Mpaulson (WMF) (talk) 19:34, 1 November 2013 (UTC)

Updated draft?

The following discussion is closed: close, looks like the discussion is done and stale, will archive in a couple days unless reopened. Jalexander--WMF 22:21, 9 December 2013 (UTC)

Is the staff planning to release some updated draft at some point of the feedback period and if yes roughly when? Or is it planned to follow a waterfall model, incorporating all changes at once shortly before sending it to the board? --Nemo 17:30, 25 October 2013 (UTC)

We are making edits as we go throughout the 4.5 month consultation period. We're a bit behind on incorporating some of the changes and waiting for more community feedback before implementing other changes, but you should be able to see what we have done so far in the history. And a lot more should be done over the next week. Mpaulson (WMF) (talk) 18:58, 1 November 2013 (UTC)
I'm not seeing any substantial edit and root questions about the proposal (and I don't mean mine, but others') are routinely closed above without any visible change to the proposal. If you have some sort of queue of things you plan to change/address, it would be useful to keep such todos somewhere here (or to keep the corresponding sections open).
Considering that the feedback period is coming to an end soon, you may also want to make first things clear first, rather than when it's too late. We still don't know what purpose(s) this proposal serves, for instance, so it's almost impossible to comment on details of it. The underlying reasons and premises for the proposal, unknown to the public and apparently non-negotiable (if nothing else because it's impossible to discuss them), seem to make the discussion impossible apart from commas and make-up.
When we discovered something, for instance in #Collection of "unique device identification numbers", edits to the page went in the opposite direction (Brion says mobile doesn't need them, an edit added that mobile is an example of a need for it [8]). --Nemo 10:02, 8 November 2013 (UTC)
Hello @Nemo bis: First, I responded to your substantive question on "unique device identification numbers" above. (We can continue that conversation if any further clarification is necessary, but I suggest moving it to the section up above for organization's sake.) Second, we are making edits to the policy in an ongoing basis. Most of the edits are being coordinated by James, and we are also trying to credit users who suggest changes via the edit summary. In total so far, I think the policy has improved with the help of everyone's productive comments, and we will continue to update it based on feedback. Stephen LaPorte (WMF) (talk) 21:12, 22 November 2013 (UTC)

FAQ

The following discussion is closed: close, looks like the discussion is finished, will archive in a couple days unless reopened. Jalexander--WMF 22:19, 9 December 2013 (UTC)

Hi! Is the privacy policy FAQ part of the policy, or a non-binding supplement? Emufarmers (talk) 19:00, 8 November 2013 (UTC)

The FAQ is not part of the legal privacy policy. That allows us to make changes rapidly in the FAQ to explain issues that may come up in the practical application of the policy. Thanks for the question. Geoffbrigham (talk) 20:21, 15 November 2013 (UTC)
Thanks for your response! Does this mean that things like cookie expirations could now be adjusted freely? I ask because my impression was that session lengths were adjusted from 180 to 30 days to comply with the language in the current privacy policy (please correct me if I'm wrong about that), and it would be nice if they could be increased again once the new policy is approved. Emufarmers (talk) 05:34, 17 November 2013 (UTC)
Hi Emufarmers, you're right that it was adjusted to comply with the current policy. Because this table is in the FAQ, it can be changed to reflect the appropriate expiration times and the fact that technology changes fast. YWelinder (WMF) (talk) 19:09, 22 November 2013 (UTC)

Is this discussion still active?

The following discussion is closed: closing, looks done will archive in a couple days unless reopened. Jalexander--WMF 22:18, 9 December 2013 (UTC)

I'm a little confused as to what point the new draft policy is up to. I was under the impression that it was being closed off for revision and a fresh call for comment would alert us to the fact that a revised proposal was up. --Iryna Harpy (talk) 00:22, 11 November 2013 (UTC)

Yes it is. We are revising the draft policy online as we receive feedback. We expect to close the discussion about mid-January. Take care, Geoff Geoffbrigham (talk) 20:20, 15 November 2013 (UTC)
Apologies for the belated response, Geoff. I re-tweaked my various wiki email filters a few weeks ago and, somehow, notifications re. this subject ended up in my 30 day spam folder. Good thing I checked it before it was automatically deleted! I've had a cursory read and it's certainly evolving into a solid, informative document. If I make any more whining noises, they're not going to amount to much aside from nitpicking over details. Commendations on the serious work that's gone into it! --Iryna Harpy (talk) 21:30, 1 December 2013 (UTC)
Many thanks. Your help and that of other constructive community members have made this a much better document. We really appreciate the time that you have put into this. Geoffbrigham (talk) 18:44, 9 December 2013 (UTC)

Revision of "What This Privacy Policy Doesn’t Cover"

I've rewritten the discussion of what the policy doesn't cover, after an earlier discussion with Nemo about the clarity and organization of it. The substance is largely the same (or is intended to be), but hopefully it is easier to find relevant sections now. Please review and leave any comments here. Thanks! -LVilla (WMF) (talk) 19:52, 21 November 2013 (UTC)

Businesses on talk pages

The following discussion is closed.

There is a lot of discussion recently concerning paid editors, especially about the en:WP:COI guideline saying that businesses may discuss issues concerning the business on an article's talk page. So someone claiming to be from XYZ corp. can make a fairly public statement, apparently on behalf of the corporation. It strikes me that it would be very embarrassing for all concerned if that person did NOT represent the business. I think this is called "spoofing." Is there a way to require that a person claiming to represent a business divulge (at least semi-publicly) enough information to be sure that he or she represents the business, and that the representatives "confirmed" status be made public? Would that in any way be contrary to this policy?

Something similar might come up with regard to businesses providing copyright releases on information they've written to be placed on Wikipedia or given to 3rd parties to place on Wikipedia. Is there any way consistent with this policy to keep track of which business has provided copyright releases for which articles? Smallbones (talk) 23:16, 21 November 2013 (UTC)

Hi Smallbones. You always ask great questions. With respect to the first question, our terms of use does put some limits in place. For example, a purported representative of a business cannot "[w]ith the intent to deceive, post[] content that is false or inaccurate; [a]ttempt[] to impersonate another user or individual, misrepresent[] [its] affiliation with any individual or entity, or us[e] the username of another user with the intent to deceive; [or] [e]ngag[e] in fraud." There is nothing that would prevent the community from putting in a process that would allow for public verification for parties who consent to such a process.
If I am not mistaken, OTRS keeps tracks of the releases and includes a template when permission is given. Here is an example.
Thanks. Geoffbrigham (talk) 18:56, 22 November 2013 (UTC)
Thank you. Smallbones (talk) 15:34, 23 November 2013 (UTC)

Looks done, closing for now will archive in a couple days. Jalexander--WMF 18:45, 9 December 2013 (UTC)

Generation of editor profiles

I'd like once more to point out serious concerns about the generation and publication of detailed user profiles on Wikimedia websites or servers. This issue is repeatedly dealt with, at least, on the German Wikipedia (i.e. here, and actually again in the signpost equivalent at deWP). While the toolserver's policy accords to European standards concerning data privacy, wmlabs (which will completly replace the toolsever in 2014) does not meet these requirements. A contributor's poll at Meta clearly showed the community's preference of an opt-in solution for user data mining tools. Nevertheless WMF is giving the opportunity to run a detailed user profiling tool that does not allow an opt-in, even not an opt-out. We are aware that American data protection standards differ from European standards, and that such tools are considered to be legal in the USA. They are yet not needed by anyone. Thus, we still hope that WMF does not impose US points of view on their global contributors, whenever weak data policies are not required by US law, nor needed by contributors to improve the projects' contents. Looking forward a WMF statement on this issue. --Martina Nolte (talk) 20:53, 24 November 2013 (UTC)

Can you expand on what you mean by a 'US point of view'? --Krenair (talkcontribs) 01:06, 25 November 2013 (UTC)
Sure. User contribution data are publicly available in the edit histories. According to US law, it is okay to aggregate these data and generate detailed user profiles; people tend to feel okay with such a tool. In European countries an aggregation of personal data and the publication of user profiles without consent are considered illegal; people feel offended by such a tool. The views on what is okay or not okay depend on local laws. Laws reflect a culture's values and points of views. --Martina Nolte (talk) 04:27, 25 November 2013 (UTC)
+1 - I would generally like to underline this. -jkb- 10:13, 25 November 2013 (UTC)
Other discussions: Kurier (2013-09), Kurier (2013-10), labs-l (2013-09), labs-l (2013-10). I regret bringing this up on dewiki a little, as I didn't realize it would start this much drama. On the other hand, I do think that this is something we really should be discussing. But all the data will be public as long as db dumps with detailed info are published. PiRSquared17 (talk) 17:39, 26 November 2013 (UTC)
No need to regret it, no drama. This is an important discussion and it has to be made: 5th most used website, 1.7 billion edits with user information, 14 years of data collecting, our data. NNW (talk) 18:23, 26 November 2013 (UTC)
You're right. It's good that this is being discussed at least. I was a bit surprised that almost nobody commented about it on enwiki though. PiRSquared17 (talk) 20:21, 26 November 2013 (UTC)
Perhaps the experience of the 20th century might explain why Germans are quite sensitive concerning these topics. NNW (talk) 09:07, 27 November 2013 (UTC)
Right, the raw data are available by dumps. But not yet aggregated to individual user profiles. WMF could even think about slimming down these dumps; a matter of data economy (as much personal data as needed, as few personal data as possible). Editors agreed to publish their content contributions under a free licence; they do not automatically agree to publish their editing behaviour, or even their individual profiles. As I said, the "drama" is due to a quite different view on data privacy issues. --Martina Nolte (talk) 19:49, 26 November 2013 (UTC)
I'm another who feels that this is a really pertinent Privacy issue which requires careful consideration here. And not just from a purely legal perspective (after all, if the Foundation is adopting a "cuddly" approach to volunteers, legality is surely just one dimension in the picture). User profiling—with its abuses as well as uses—is one reason why I prefer to edit Wikipedia as an IP. —MistyMorn (talk) 11:20, 27 November 2013 (UTC)
  • I am disappointed that the concerns that were raised here and in this RFC are not addressed by the current draft of the new privacy policy. It is amazing that these collected records are not even mentioned in the section Information We Collect. --AFBorchert (talk) 20:30, 30 November 2013 (UTC)
I may have missed something, but the only comment I can see from a WMF member is this. The fact that user profiling—including provision of potentially sensitive personal information—may be done either with or (though rather more arduously for most) without tools made publicly available through Wikimedia doesn't mean that users cannot be informed of such possibilities in the present document. MistyMorn (talk) 20:37, 3 December 2013 (UTC)

To make clear that the above mentionned questions are not individual concerns of single Wikipedia/Wikimedia contributors, I'd like to point to this site (German language yet, a translation is planned). --Martina Nolte (talk) 19:40, 9 December 2013 (UTC)

Hi, Martina: thanks for notifying us about that discussion. We're discussing this issue and considering how best to handle. -LVilla (WMF) (talk) 20:21, 9 December 2013 (UTC)

Contradiction

"We believe that you shouldn't have to provide personal information to participate in the free knowledge movement."/"If you want to create a standard account, we do not require you to submit any personal information to do so" -- According to your definition of "personal information," this term refers, among other things, to "address, phone number, email address, password, identification number on government-issued ID, IP address, credit card number". Bur clearly you provide your IP address when creating an account. — Pajz (talk) 06:31, 1 December 2013 (UTC)

Interesting point, Pajz; I think we intended to say that we don't force you to provide that information; whereas IP address must be provided by the nature of the architecture of the internet. So, yes, this is possibly contradictory, but I think only in a minor way. We're considering tweaking that definition for other reasons, so we'll try to take that into account when we revise it. -LVilla (WMF) (talk) 20:22, 3 December 2013 (UTC)
In discussing this comment after I posted it, I realized that I had misunderstood how we handle IPs when new user accounts are created. So I'd propose changing the "standard account" sentence to read: "If you want to create a standard account, we require only a username and a password. Your username will be publicly visible, so please be careful about using your real name as your username. Your password is only used to verify that the account is yours. Your IP address is also automatically submitted to us, and we record it temporarily to help fight spam. No other personal information is required: no name, no email address, no date of birth, no credit card information." -LVilla (WMF) (talk) 21:36, 3 December 2013 (UTC)
It's used for more than just fighting spam though. "prevent abuse" is probably more accurate, though a little more vague. Legoktm (talk) 20:23, 4 December 2013 (UTC)
Yes, that makes sense; will make that change. Anyone else have other comments/suggestions? -LVilla (WMF) (talk) 19:03, 9 December 2013 (UTC)

When May We Share Your Information? Because You Made It Public

Privacy policy#Because_You_Made_It_Public: "Any information you post publicly on the Wikimedia Sites is just that – public."

Does this mean the WMF is allowed to share any of the information, by any means, in any form, for any purpose, to anyone? --Aviertje (talk) 13:03, 1 December 2013 (UTC)

It means that, for example, the WMF can distribute dumps with all your edits, etc. in them. I think this should be changed to exclude oversighted (or deleted?) info, though, even if it was originally public. PiRSquared17 (talk) 15:57, 1 December 2013 (UTC)
I doubt that going back to redact information from old dumps is really feasible, though. Anomie (talk) 14:15, 2 December 2013 (UTC)
We could, in theory, delete it from the dumps we provide. However, many other people mirror and distribute those dumps, and we can't (as a practical matter) reach out and take those down. So any promise here to exclude deleted information would be a false promise. We'd prefer to be up-front, and warn people that their public edits really are public- that's what this language attempts to do.
That said, I sort of see the original commenter's point about the language being perhaps somewhat confusing. We'd be happy to listen to any suggestions on how to improve it.-LVilla (WMF) (talk) 19:40, 9 December 2013 (UTC)

Regarding site visiting logs

First question: is our every visit to wikimedia sites logged (e.g. some ip, logged in or not, visited page https://meta.wikimedia.org/w/xxxx at some time) and stored? If yes, then how long will it be stored? The current Privacy policy says: "When a visitor requests or reads a page, or sends email to a Wikimedia server, no more information is collected than is typically collected by web sites. The Wikimedia Foundation may keep raw logs of such transactions, but these will not be published or used to track legitimate users.", in which the "may keep raw logs" is ambiguous. Also, regarding "these will not be published or used to track legitimate users." does that mean these data can be used to track illegitimate(for example, suspected vandalism) users?

Second question: recently I just heard some user claiming that though Checkusers' range of access excludes user visit log, in some necessary occasions they can apply to access those data. Is that true?--朝鲜的轮子 (talk) 06:57, 4 December 2013 (UTC)

CheckUser does not have access to a user's visit log. Legoktm (talk) 20:23, 4 December 2013 (UTC)
By "does not have access", do you mean "never ever, even when there is need", or "possible when checking such log can be helpful to proving connections between users"?--朝鲜的轮子 (talk) 03:15, 5 December 2013 (UTC)
Checkusers only have access to what is stored in the checkuser table. A user's visits are not stored in that table. Hence, checkusers "never ever" have access to it via the CheckUser tool. Legoktm (talk) 03:17, 5 December 2013 (UTC)
And Checkusers will never ever use anything beyond reach of Checkuser tool?--朝鲜的轮子 (talk) 03:56, 5 December 2013 (UTC)
What User:Legoktm wrote is incomplete. Is there other information, stored on some hardware controlled by the Wikimedia Foundation, in addition to the information available to checkusers? If so, what information is available at that location, and who has access to it? --Stefan2 (talk) 21:56, 7 December 2013 (UTC)
Well, I would likely be the one they'd have to apply to - and I've never heard of such a thing. To my knowledge, there is no such application process or access to any other data. I don't want to categorically speak to what may or may not be on the servers - I'm not technical enough to know - but I can say that if it exists, it is not and has not been used that way. At least, not for the last several years that I've been around. Philippe (WMF) (talk) 00:41, 8 December 2013 (UTC)
wikitech:Logs has a summary of the sorts of raw access logs that are probably being referred to here (note this may not be a complete list). Access to this data is limited to people with access to the servers involved, and as far as I know getting access requires an NDA and is generally limited to WMF employees and contractors involved in maintaining the site and software. Also as far as I know, the sorts of illegitimate uses this data might be used to track are more along the lines of someone trying to break or break into the servers, not on-wiki vandalism. BJorsch (WMF) (talk) 14:37, 9 December 2013 (UTC)
The current privacy policy only allows sampled logs, which means it's hard to do any tracking/user profiling/fingerprinting/user behaviour analysis/however you may wish to call it. The proposed text, in short, proposes to allow unlimited tracking; see in particular #Unsampled request logs/tracking and #Reader Privacy at the Internet Archive for more information. --Nemo 14:17, 7 December 2013 (UTC)

Please add concerning user profiles

Sorry, me English is not good enough to write it directly in English, so I hope somebody will translate it.

  • Wir veröffentlichen ohne Deine ausdrückliche Zustimmung kein Nutzerprofil von Dir, also Daten, die Deine zeitlichen Editiergewohnheiten und Interessengebiete zusammenfassen. Wenn wir Daten an andere weitergeben, die das Erstellen solcher Profile ermöglichen (zum Beispiel WikiLabs), so verpflichten wir sie, ebenfalls keine in dieser Weise aggregierten Nutzerdaten ohne Deine Zustimmung zu veröffentlichen.

--Anka Friedrich (talk) 11:25, 7 December 2013 (UTC)

Rough translation: "Withour your explicit consent, we do not publish user profiles about you, i.e. data summarizing your temporal editing habits and interest areas. If we release data to others who enable the generation of such profiles (e.g. WikiLabs), we require them to likewise not publish user data that have been aggregated in this way, except with your consent." Regards, Tbayer (WMF) (talk) 03:34, 10 December 2013 (UTC)

The ability to store unsampled log data (a.k.a. loss of privacy in exchange for money)

One of the changes between the existing privacy policy and the new draft is that the draft will now allow the Foundation to retain unsampled log data — in effect, this means that every single visit by every single visitor to each and every Wikimedia project (and perhaps other sites owned/run by the Foundation) will now be recorded and retained on WMF servers. It is shocking to me that the only reasons given for such a broad, controversial and hardly advertised change are (1) fundraising and (2) the ability to measure statistics in Wikipedia Zero, a project that is limited in terms of geography, scope and type of access (mobile devices).

Given that Wikipedia Zero is just one of many project led by the Foundation, and that it applies to a limited number of visitors who are using a very specific medium to access the projects, I fail to see the need to sacrifice the privacy of everyone who will ever visit a Wikimedia project. Moreover, I am disappointed and terrified to learn that the Foundation thinks it is reasonable to sacrifice our privacy in exchange for more money — especially since our fundraising campaigns appear to have been quite effective, or at least to have enabled the WMF to reach their revenue goals without much trouble. odder (talk) 22:22, 7 December 2013 (UTC)

"will now be recorded and retained" is probably a bit strong. s/will/may/ would probably be more accurate. Personally, I can see the ability to record full logs when needed to be useful in debugging, performance analysis, and analysis of which features should be prioritized for improvement or development or even possible removal. Boring stuff to most people. BJorsch (WMF) (talk) 14:46, 9 December 2013 (UTC)
"May" is only a legalese euphemism for "will" (in this case). If there are no plans to store and use unsampled log data, for whatever purpose, then surely there will be no problem to revert to the wording of the current privacy policy, which only allows storing sampled data. odder (talk) 15:35, 9 December 2013 (UTC)
Maybe I missed it somewhere but it would be helpful to listen all data types from the logs. Especially I am interested in this question: Do you save every pageview incl. IP address and/or username? Do you have logs in which you can see what page I have read (!), how long I have read them etc etc. Raymond (talk) 16:55, 9 December 2013 (UTC)
Yes, I also would appreciate to know if you have, or plan, such visitor logs. --Martina Nolte (talk) 19:46, 9 December 2013 (UTC)
+1 --Steinsplitter (talk) 19:48, 9 December 2013 (UTC)
+1, by all means! Ca$e (talk) 09:36, 10 December 2013 (UTC)
+1 ...84.133.109.103 09:38, 10 December 2013 (UTC)
+1 -jkb- 09:41, 10 December 2013 (UTC)
+1 I told you so."Dance" Alexpl (talk) 09:57, 10 December 2013 (UTC)