The meeting with Chris Steipp pointed out 2 scenarios that are potentially sensitive:
- A user mistakenly writes sensitive information into a textual field such as username, article title, image title, summary, etc. This information can be deleted from the wiki databases at the user's request. But it would stay persisted in the EL database if not purged correctly.
- A user performs an anonymous edit by mistake. They do not want their IP to be stored, and ask WMF to remove the edit registry from the wiki databases. But again, it would stay stored in the EL database if not correctly purged.
So, we should auto-purge all fields that can store information like that.