
Consider whether auto-created user accounts should be hidden at the time of creation
Closed, Duplicate · Public

Description

Per J-Mo's comment in https://lists.wikimedia.org/pipermail/wikimedia-l/2017-December/089408.html: "if the welcome bot is pulling from a public log to send these welcomes (as it must be), then the potential privacy violation occurs regardless of whether a welcome is sent, and the fix, if deemed necessary, needs to happen upstream."

This issue arose because users who create an account on one wiki, and then browse to another wiki while logged in for the sole purpose of reading that wiki, may experience a welcome message being placed on their talk pages immediately following the user reading that other wiki.

If a public log entry indicates that a user account has been auto-created, does that constitute a privacy violation? If the answer is yes then the log entries either should be hidden or should not exist. (No one is disputing that after a user creates an edit as a logged-in user that the existence of the account on that wiki should be public.)

I am tagging this with Privacy and Legal with the hopes of getting an appropriate person, probably a WMF attorney who addresses privacy matters, to review this situation. Note that even if the attorney's opinion is that the public nature of the log entry of the auto-created user account is permissible under current policies, the policy itself could be changed; that discussion is something that would happen off of Phabricator.

Event Timeline

Pine created this task. Jan 1 2018, 9:44 PM
Restricted Application added a subscriber: Aklapper. Jan 1 2018, 9:44 PM
Pine updated the task description. Jan 1 2018, 10:07 PM
Pine added a comment. Jan 1 2018, 10:25 PM

Thinking about what welcome messages could be provided to users who have an account auto-created for them on a wiki that they visit if the review from WMF Legal or a community policy change results in these user creation logs being made confidential or being fully omitted from logs in the future, perhaps the user could be offered a welcome message that the community could customize and would be displayed to the user privately instead of publicly on the user's talk page.

Anomie added a subscriber: Anomie. Jan 2 2018, 4:25 PM

Also potentially related is T21161: Don't autologin if local account doesn't exist (don't autocreate if user doesn't explicitly login), although be warned that that task has a lot of off-topic discussion.

Pine reopened this task as Open. Edited Jan 8 2018, 7:18 AM

Thanks for linking the history, Anomie. I am re-opening this bug, as I have problems with both of the arguments that were given in 2012 in task T42006 as the reasons for declining the task as invalid, and I am expecting a new 2018 review of this matter from WMF Legal or someone else with the authority to speak for WMF. If WMF re-affirms the previous WMF position on this matter with the same reasoning then I think that a policy change should be considered; the discussion about the policy change would likely happen in a location other than Phabricator.

@Pine: https://meta.wikimedia.org/wiki/Legal#Wikimedia_Foundation_Email_Contacts explains how you can contact WMF's Legal team.
Legal is free to reopen T42006. Currently the situation is as in T42006.

Pine reopened this task as Open. Edited Jan 23 2018, 2:12 AM

*editing my comment* Whoops, I thought you closed this as *invalid* rather than *duplicate*. I agree that it is a duplicate. I will re-close.

Pine closed this task as Declined. Jan 23 2018, 2:15 AM

Changing status to reflect that this is declined as a duplicate.

(Please close duplicates as duplicates via "Edit Related Tasks...".)

Tgr added a subscriber: Tgr. Jan 31 2018, 6:33 PM

Note there isn't really such a thing as a hidden account. You can hide the account autocreation log event, which will prevent account autocreations from appearing in recent changes, but won't prevent a determined attacker from learning about it by polling the list of users. Or you can not autocreate at all (T21161), which would have implications far beyond privacy.