Page MenuHomePhabricator
Create Task
Maniphest T183876

Consider whether auto-created user accounts should be hidden at the time of creation
Closed, DuplicatePublic
Actions

Description

Per J-Mo's comment in https://lists.wikimedia.org/pipermail/wikimedia-l/2017-December/089408.html: "if the welcome bot is pulling from a public log to send these welcomes (as it must be), then the potential privacy violation occurs regardless of whether a welcome is sent, and the fix, if deemed necessary, needs to happen upstream."

This issue arose because users who create an account on one wiki, and then browse to another wiki while logged in for the sole purpose of reading that wiki, may experience a welcome message being placed on their talk pages immediately following the user reading that other wiki.

If a public log entry that indicates that a user account has been auto-created, does that constitute a privacy violation? If the answer is yes then the log entries either should be hidden or should not exist. (No one is disputing that after a user creates an edit as logged-in user that the existence of the account on that wiki should be public.)

I am tagging this with Privacy and Legal with the hopes of getting an appropriate person, probably a WMF attorney who addresses privacy matters, to review this situation. Note that even if the attorney's opinion is that the public nature of the log entry of the auto-created user account is permissible under current policies, the policy itself could be changed; that discussion is something that would happen off of Phabricator.

Related Objects

Event Timeline

Pine created this task.Jan 1 2018, 9:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 1 2018, 9:44 PM
Pine updated the task description. (Show Details)Jan 1 2018, 10:07 PM
Pine added a comment.Jan 1 2018, 10:25 PM

Thinking about what welcome messages could be provided to users who have an account auto-created for them on a wiki that they visit if the review from WMF Legal or a community policy change results in these user creation logs being made confidential or being fully omitted from logs in the future, perhaps the user could be offered a welcome message that the community could customize and would be displayed to the user privately instead of publicly on the user's talk page.

MZMcBride subscribed.Jan 1 2018, 11:44 PM
Anomie closed this task as a duplicate of T42006: CentralAuth account autocreation may be violating WMF's privacy policy.Jan 2 2018, 4:18 PM
Anomie subscribed.Jan 2 2018, 4:25 PM

Also potentially related is T21161: Don't autologin if local account doesn't exist (don't autocreate if user doesn't explicitly login), although be warned that that task has a lot of offtopic discussion.

Pine reopened this task as Open.EditedJan 8 2018, 7:18 AM

Thanks for linking the history, Anomie. I am re-opening this bug, as I have problems with both of the arguments that were given in 2012 in task T42006 as the reasons for declining the task as invalid, and I am expecting a new 2018 review of this matter from WMF Legal or someone else with the authority to speak for WMF. If WMF re-affirms the previous WMF position on this matter with the same reasoning then I think that a policy change should be considered; the discussion about the policy change would likely happen in a location other than Phabricator.

Aklapper added a comment.Jan 8 2018, 10:02 AM

@Pine: https://meta.wikimedia.org/wiki/Legal#Wikimedia_Foundation_Email_Contacts explains how you can contact WMF's Legal team.
Legal is free to reopen T42006. Currently the situation is as in T42006.

Aklapper closed this task as a duplicate of T42006: CentralAuth account autocreation may be violating WMF's privacy policy.Jan 8 2018, 10:02 AM
Pine reopened this task as Open.EditedJan 23 2018, 2:12 AM

*editing my comment* Whoops, I thought you closed this as *invalid* rather than *duplicate*. I agree that it is a duplicate. I will re-close.

Pine closed this task as Declined.Jan 23 2018, 2:15 AM

Changing status to reflect that this is declined as a duplicate.

Aklapper added a comment.Jan 25 2018, 4:53 AM

(Please close duplicates as duplicates via "Edit Related Tasks...".)

Aklapper closed this task as a duplicate of T42006: CentralAuth account autocreation may be violating WMF's privacy policy.Jan 25 2018, 4:53 AM
Tgr subscribed.Jan 31 2018, 6:33 PM

Note there isn't really such a thing as a hidden account. You can hide the account autocreation log event, that will prevent account autocreations from appearing in recent changes, but won't prevent a determined attacker from learning about it by polling the list of users. Or you can not autocreate at all (T21161), which would have implications far beyond privacy.

sbassett moved this task from Intake to Done on the Privacy board.Oct 16 2019, 5:26 PM
sbassett triaged this task as Medium priority.Oct 16 2019, 5:32 PM
Aklapper removed subscribers: Anomie, Capt_Swing.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL