Page MenuHomePhabricator

Ensure that Terms of Use document restrictions on third-party web interactions
Open, NormalPublic

Description

My current understanding of general policy is that Labs hosted services should not force the end user's browser to interact with third-party services without explicit opt-in approval. The documentation at https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use however does not clearly state that loading web content (e.g. images, javascript, css, ...) from third-party servers (e.g. external CDNs) is an end-user privacy violation.

Related Objects

StatusAssignedTask
OpenNone
OpenNone
OpenNone
OpenNone
ResolvedKenrick95
ResolvedDanmichaelo
Openprnk28
ResolvedAsh_Crow
ResolvedKrinkle
OpenNone
ResolvedJarry1250
Resolved Addshore
ResolvedSurlycyborg
OpenDarTar
ResolvedYarl
ResolvedBeta16
Resolvedferveo
ResolvedSamtar
ResolvedEmijrp
ResolvedMyst
ResolvedEarwig
OpenTpt
ResolvedFnielsen
OpenNone
Openellery
ResolvedRicordisamoa
OpenA930913
ResolvedRanjithsiji
OpenWikedKentaur
ResolvedEpantaleo
OpenNone
ResolvedFastily
OpenTobi_WMDE_SW
OpenNone
Opendhvanil
Resolvedvalhallasw
OpenFramawiki
Declinedbd808
OpenCyberpower678
OpenSymac
ResolvedNone
ResolvedD3r1ck01
ResolvedSamtar
ResolvedAhecht
ResolvedJackPotte
ResolvedAviator
OpenNone
OpenNone
OpenAnkita-ks
Openjkroll
ResolvedKrinkle
ResolvedTheDJ
Resolved yuvipanda
ResolvedMatthewrbowker
Resolvedjrbs
ResolvedSamwilson
OpenYarl
OpenMusikAnimal
OpenMooeypoo
ResolvedSamtar
OpenNone
OpenPintoch
ResolvedFramawiki
OpenMaxSem
OpenStigmj
ResolvedSlashme
ResolvedIncola
OpenNone
ResolvedKenrick95
ResolvedTgr
ResolvedBenjavalero
ResolvedRicordisamoa
ResolvedFramawiki
OpenNone
ResolvedMmarx
ResolvedPrtksxna
ResolvedArlolra
ResolvedFastily
ResolvedSuperHamster
ResolvedFramawiki
OpenIjon
ResolvedSmalyshev
ResolvedFnielsen
ResolvedFramawiki
OpenNone
OpenRicordisamoa
Resolvedcdrini
ResolvedTarrow
OpenNone
ResolvedRicordisamoa
OpenNone
ResolvedD3r1ck01
OpenNone
Opendhvanil
OpenNone
ResolvedRLuts
ResolvedEmijrp
ResolvedSamwilson
Resolved jmatazzoni
ResolvedSamwalton9
Resolveddbarratt
OpenNone
ResolvedHusky
ResolvedMagnus
ResolvedKolossos
ResolvedLokal_Profil
OpenNone
OpenNone
Resolvedsamuelguebo
ResolvedRagesoss
OpenNone

Event Timeline

bd808 created this task.Mar 14 2016, 10:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 14 2016, 10:01 PM

Give examples in the Terms of Use, eg reCAPTCHA, CDN, etc. Suggest that tools-static be used instead.

scfc added a subscriber: scfc.Mar 14 2016, 11:42 PM

I'm not sure if the premise is actually true. We had a user redirecting http://tools.wmflabs.org/$tool to their own private site (which is a very, eh, complete third-party web interaction), so I asked WMF Legal about that:

From: Tim Landscheidt <tim@tim-landscheidt.de>
Subject: Silent redirects from Wikimedia Tools to third-party sites?
To: legal@wikimedia.org
Cc: […]
Date: Wed, 09 Jul 2014 11:07:20 +0000 (1 year, 35 weeks ago)
Organization: http://www.tim-landscheidt.de/

Hi,

throughout enwp, links like
http://tools.wmflabs.org/[…]/[…]
are advertised for the […] tool (there are similar
links for other tools of this user).  However, these redi-
rect silently to
http://[…] & Co.

My gut feeling says that when a user clicks on such a link,
he has an expectation of privacy according to the relevant
policy for Wikimedia Tools and the silent change in the URL
field does not put the onus to detect the connection to a
third-party site on him (especially since with most browsers
his data is passed onto the third-party site before he has a
chance to react), but that the tool author at Wikimedia
Tools has an obligation to make any such redirect obvious,
for example with an interstitial that requires active user
consent to proceed.

What is WMF Legal's reading on that?  Please make any answer
publishable so that tool authors (or users) can be referred
to it.

TIA,
Tim

I never received a reply, so I assume that this is not as clear-cut as it would seem.

coren added a subscriber: coren.Mar 15 2016, 2:17 AM

I'm not sure why you never received a reply, but it's very clear-cut. Indeed, there was at least one user whose access to labs was suspended because of that very reason.

It's a question of notice - enforce; not one of allowability.

I've seen some tools use Google Analytics too, and there is nothing in the Terms of Use at the moment that say not to. It would make sense to have it in the Terms of Use as saying very clearly that this is something that we do not allow.

Restricted Application added a subscriber: JEumerus. · View Herald TranscriptMar 16 2016, 7:35 PM

Thanks to everyone for bringing this issue to our attention.

There has also been some discussions on labs-l about changing and clarifying the Labs Terms of Use so this is definitely something we will looking into changing as part of the process.

@tom29739

I've seen some tools use Google Analytics too, and there is nothing in the Terms of Use at the moment that say not to. It would make sense to have it in the Terms of Use as saying very clearly that this is something that we do not allow.

I assume this comment is in line with all the other comments. That the issue is a lack of a user consent for the use of third-party interactions rather than wholly disallowing its use?

bd808 added a comment.Mar 17 2016, 9:41 PM

I'd be all for just disallowing, but yeah my word of mouth understanding is that 3rd party server interactions should require consent. It would be nice to get things clarified one way or the other.

Thanks Bryan.

Will do. We'll keep this task updated as we look into updating the TOU.

I've been told that 3rd party server interactions were not allowed full-stop, so it would be good to get it clarified.

Dzahn added a subscriber: Dzahn.Mar 18 2016, 5:49 PM
This comment was removed by Dzahn.
chasemp triaged this task as Normal priority.Mar 22 2016, 1:46 PM

hey @ZhouZ! Thanks for digging into this.

I'd be all for just disallowing, but yeah my word of mouth understanding is that 3rd party server interactions should require consent. It would be nice to get things clarified one way or the other.

This has been my impression as well.

As a kind of overview to relate explanations I have seen to our current text:

https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#What_uses_of_Labs_do_we_not_like.3F

  1. Illegal or harmful activity: Do not break the law. This includes, but it is not limited to, accessing other systems without authorization, accessing private data without authorization, harassing or abusing others, engaging in fraud, trafficking in unlawful material, or distributing unsolicited commercial email (spam), viruses, malware, or other malicious code.

accessing other systems without authorization

This to me has indicated that you cannot use external user tracking services or, really, any system outside of the universe of Labs and the protective TOU without authorization from the user. Which could be a "hey we are doing x" acknowledgement?

  1. Misuse of Private Information: Do not collect or misuse private information of users, as defined in “Private Information”, below.

We do identify 'IP' as private information in the expanded section and any system outside of Labs makes that a private information leak as far as I can understand it. Which may be permissible with notice and etc, but seems in violation without following the guidance in https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#What_can_and_can.E2.80.99t_be_done_with_user_information.3F

  1. Proprietary software: Do not use or install any software unless the software is licensed under an Open Source license.

This becomes a shell game if we are cavalier about passing requests to systems outside of Labs because anyone can easily put the bulk of their logic in some propriety off Labs system effectively neutering this provision.

  1. Proprietary content: Do not use or create content unless it complies with the Wikimedia Licensing policy. This includes content in the public domain or freely licensed under an applicable free culture license, such as the Creative Commons Attribution ShareAlike 3.0 license.

Same issues as 3 I believe.

  1. Using Wikimedia Labs as a network proxy: Do not use Wikimedia Labs servers or projects to proxy or relay traffic for other servers. Examples of such activities include running Tor nodes, peer-to-peer network services, or VPNs to other networks. In other words, all network connections must originate from or terminate at Wikimedia Labs.

In other words, all network connections must originate from or terminate at Wikimedia Labs.

I'm not entirely sure how expansive this statement was meant to be but it could be relevant.

Hi @chasemp,

Thanks for pointing out these potential inconsistencies and lack of clarity on these terms. These are all things we will be looking at as we begin the process of the revising the labs terms of use, probably starting off with a community mini-consultation.

Illegal or harmful activity: Do not break the law. This includes, but it is not limited to, accessing other systems without authorization, accessing private data without authorization, harassing or abusing others, engaging in fraud, trafficking in unlawful material, or distributing unsolicited commercial email (spam), viruses, malware, or other malicious code.
accessing other systems without authorization
This to me has indicated that you cannot use external user tracking services or, really, any system outside of the universe of Labs and the protective TOU without authorization from the user. Which could be a "hey we are doing x" acknowledgement?

This is not very clear but I think this is actually referring to accessing another system without authorization from the system or system's administrator (e.g. do not hack into another system).

Proprietary software: Do not use or install any software unless the software is licensed under an Open Source license.
This becomes a shell game if we are cavalier about passing requests to systems outside of Labs because anyone can easily put the bulk of their logic in some propriety off Labs system effectively neutering this provision.

Perhaps another way to approach this is to make it clear (assuming we want a strict policy) that you cannot link or use another resource that's not under an open license policy.

Proprietary content: Do not use or create content unless it complies with the Wikimedia Licensing policy. This includes content in the public domain or freely licensed under an applicable free culture license, such as the Creative Commons Attribution ShareAlike 3.0 license.
Same issues as 3 I believe.

We might just want to clarify that to the extent any content is actually visible to a user accessing a labs project or being created via user input on the labs project, such content should adhere to the WMF licensing policy. I don't think we can tell users to never link to a page that's not under our Wikimedia Licensing policy.

Zhou

bd808 added a subscriber: csteipp.Mar 23 2016, 3:26 PM

There actually is a potential technical solution to disallowing loading javascript, images, etc from external domains. The Content-Security-Policy HTTP header provides instructions to the receiving User Agent (web browser) about what origins should be allowed for various interactions. The generic intent of this header is to limit potential abuse by malicious scripts. It allows defining a whitelist of domains that are ok to interact with for various actions.

A header like Content-Security-Policy: default-src 'self' 'unsafe-inline' data: *://*.wmflabs.org:* *://*.wikimedia.org:* *://*.mediawiki.org:* *://*.wikipedia.org:* ... could be injected into all responses at the HTTP proxy to provide browsers with a whitelist of acceptable content origins. The ... would need to list all other Wikimedia TLDs that are acceptable and would probably end up being a pretty long list. I'd be interested to hear what @csteipp thinks about the feasibility of such a solution.

As discussed on irc a bit this seems right to me. Thanks @bd808

@bd808 Does that stop links to external sites, or just the loading of javascript, images, etc. on the page from external sites?

bd808 added a comment.Mar 23 2016, 4:35 PM

@bd808 Does that stop links to external sites, or just the loading of javascript, images, etc. on the page from external sites?

It would not stop external linking, and I do not think that external linking is actually something that we want or need to prevent. The privacy aspect is about automatically loading content from external domains in the form of images, css, javascript, iframe embeds, etc.

bd808 added a comment.Mar 23 2016, 5:44 PM

I created T130748: Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses to discuss the technical details of enforcement once we have decided here what the official policy actually is.

ZhouZ moved this task from Backlog to Assigned on the WMF-Legal board.Apr 14 2016, 12:24 AM

@bd808

I will publish a new proposed draft of the labs terms of use for community consultation, incorporating the feedback from Round 1.

I have been busy with some other matters recently so I think it be until end of the month/early August before this is ready.

Zhou

Hi, I'm particularly interested by this task. Any news ?

Pine added a subscriber: Pine.Jan 7 2019, 5:35 AM

Bumping up after the holiday.

Zhou is not around anymore and there are no news yet (if there were, they'd be mentioned here) unfortunately. Someone with time and resources would need to pick this up again and find someone with time and resource in Legal.

(Please avoid contentless and useless "bumping" - thanks.)

There has been a small bit of work on this project in the past 6 months, but there is no resolution yet. I will provide updates if and when there is information that can be shared.

Pine added a comment.EditedFeb 20 2019, 10:27 PM

@Aklapper thank you for the update. I think that asking whether there have been any changes, after a suitable period of time has passed, is fine. In addition to prompting people to update Phabricator with relevant info that they can share, this helps to flag tasks which may have stalled.