Page MenuHomePhabricator
Create Task
Maniphest T190875

Security review for Wikidata queries data release proposal
Closed, ResolvedPublic
Actions

Description

We would like to hear Security team's feedback on the proposal to publish WDQS query data set which was collected for the research by Markus Krötzsch.

The proposal is here: https://meta.wikimedia.org/wiki/User:Markus_Kr%C3%B6tzsch/Wikidata_queries

TLDR summary of it: we would like to release anonymized data about queries performed on WDQS over the period of twelve weeks in summer 2017, which were collected for research done by Markus. This data set is anonymized and modified in a way to exclude PII from the data.@Smalyshev (for WDQS) and @leila (for Research team) have reviewed the proposal and it looks fine to us. See more detailed feedback on the proposal's discussion pages.

The purpose of the data release is to enable other researches the insight into how SPARQL services are used in general and Wikidata one specifically.

We would like to have Security team review the proposal and comment whether there are any security aspects we should consider for this task.

Related Objects
Search...

Event Timeline

Smalyshev triaged this task as Medium priority.Mar 27 2018, 8:17 PM
Smalyshev created this task.
Smalyshev updated the task description. (Show Details)
Smalyshev updated the task description. (Show Details)
Smalyshev moved this task from Backlog to Waiting/Blocked on the User-Smalyshev board.Mar 27 2018, 8:27 PM
Bawolff added projects: Privacy, WMF-Legal.Mar 28 2018, 2:12 AM
Bawolff added subscribers: APalmer_WMF, Bawolff.

I suspect this is more something that should have a privacy review from WMF-Legal than a security review.

Smalyshev added a comment.Mar 28 2018, 3:22 AM

I have T190874 for legal.

Bawolff added a comment.Apr 3 2018, 6:49 AM

Hi,

So first of all, we'd like to see the code that does the query normalization.

Second, could this have a summary of the types of queries we expect to be most common in the data set. I appreciate there will be a very long tail here, but having a summary of the most common types (broadly speaking) ensures that we have a good understanding of the type of data we expect the data-set to contain.

mkroetzsch added a comment.Apr 3 2018, 7:37 AM

Hi,

The code is here: https://github.com/Wikidata/QueryAnalysis
It was not written for general re-use, so it might be a bit messy in places. The code includes the public Wikidata example queries as test data that can be used without accessing any confidential information.

We have a list of query types ordered by frequency. However, there are millions of query types, and the most frequent are those created by bots. I can dig up a pointer to the local file where we have it, if this is what you want. If you are interested in a broader analysis of the data, you could take a look at a recent workshop paper of ours: https://iccl.inf.tu-dresden.de/web/Inproceedings3196/en
It has detailed statistics of SPARQL feature distributions and discusses some findings.

Bawolff added a comment.Apr 4 2018, 6:58 PM

Question: Looking at https://github.com/Wikidata/QueryAnalysis/blob/master/tools/extractAnonymized.py, at first glance, it looks like the string handline code wouldn't handle edge cases properly e.g.

"foo\"bar"
"foo'bar"

?

(I only skimmed the code, may have misunderstood)

We have a list of query types ordered by frequency. However, there are millions of query types, and the most frequent are those created by bots. I can dig up a pointer to the local file where we have it, if this is what you want. If you are interested in a broader analysis of the data, you could take a look at a recent workshop paper of ours: https://iccl.inf.tu-dresden.de/web/Inproceedings3196/en
It has detailed statistics of SPARQL feature distributions and discusses some findings.

Ok, that's good enough that you did that I think. The main point of the question was to ensure that you had a good idea of the type of data in the data set (i.e. We aren't just releasing data we've never actually looked at)

Smalyshev mentioned this in T183020: Investigate the possibility to release Wikidata queries.Apr 7 2018, 1:22 AM
Smalyshev added a comment.Apr 24 2018, 11:52 PM

extractAnonymized.py indeed seems broken, but I don't see anything using it. It seems that anonymization is done by Java class Anonymizer in QueryAnalysis, which is used by Anonymize.py script. Not sure whether it's completely true but I don't see any usage of extractAnonymized.py. @mkroetzsch - could you clarify whether that script is actually used?

Adrian_Bielefeldt subscribed.EditedApr 26 2018, 2:21 PM

The extractAnonymized.py-script is indeed not used anywhere, so I've removed it.

Quick rundown of the anonymization process and its code locations:
Stage 1: Parsing of the query here. This uses a slightly modified version of the OpenRDF-Parser, among others setting the default prefixes.
Stage 2, Point 1: Not exactly in the code, but parsing ignores comments.
Stage 2, Point 2: Replacing the strings is done here.
Stage 2, Point 3: The variable renaming code is here.
Stage 2, Point 4: The geographic coordinates are handled here.
Stage 3: The entire rendering is done here.

The python script Anonymize.py just for convenience, supplying the default locations on the server and building the maven call.

Smalyshev added a comment.Apr 26 2018, 5:40 PM

@Bawolff do we have any other concerns or this is fine?

Smalyshev removed a project: WMF-Legal.Apr 26 2018, 5:42 PM
Smalyshev moved this task from Waiting/Blocked to In review on the User-Smalyshev board.Apr 26 2018, 11:26 PM
Smalyshev added a comment.May 29 2018, 7:50 PM

@Bawolff ping?

Bawolff added a comment.May 29 2018, 9:28 PM

Sorry, im on vacation until Monday. Perhaps someone else on the security team can take a look or failing that ill be back on monday

(Thank you for your patience, i know this has been delayed multiple times)

Smalyshev added a comment.Jun 5 2018, 5:22 PM

@Bawolff any news?

EBjune added a comment.Jun 14 2018, 12:20 AM

@Bawolff sorry for the nudge, just wondering if you've had a chance to take a final look at this? Appreciate any update, thanks.

Smalyshev moved this task from In review to Waiting/Blocked on the User-Smalyshev board.Jun 15 2018, 11:04 PM
EBjune added a subscriber: JBennett.Jun 20 2018, 9:15 PM

Hi @JBennett, adding you to this ticket because it's been blocking us for a while now, I don't think there's much else to look at, but hoping for a final security sign-ff so we can move stuff forward.

Smalyshev mentioned this in T197777: potential issues with planned release of query logs (Wikidata Query Server).Jun 20 2018, 10:46 PM
Bawolff added a comment.Jun 26 2018, 12:46 PM

Sorry for the delay, this kind of got preempted by t194204 but is now next on my todo list.

As an aside - this sort of thing traditionally doesnt require security team sign off (afaik) nor have we reviewed things like this in the past - historically its been legal and maybe analytics only. As far as I know security team has no criteria for evaluating this sort of thing (beyond ensuring that its not blantently outputting PII) so Im mostly planning to check that it implementsthe properties specified in the description on the linked wikipage. I hope that meets what everyone is looking for.

EBjune added a comment.Jun 26 2018, 6:04 PM

Thanks, Brian, I appreciate you taking a look. Maybe next time it would be
good to know all that stuff about security not usually reviewing this kind
of thing up front, it may save a lot of people a bunch of time and
expectations. I also wouldn't be nudging it if Stas wasn't escalating it to
me ;)

Cheers,

Erika

Erika Bjune
Engineering Manager - Search Platform
Wikimedia Foundation

leila added a comment.Jun 26 2018, 7:00 PM

@Bawolff @EBjune for context re why Security is asked to provide feedback: For data releases, we usually ask for privacy and security feedback if the data may contain private information (either within itself or in combination with other possible datasets that we, WMF, or others may release in the future.) Sometimes we don't have the capacity or expertise to do this in-house in which case we reach out to external privacy experts (check this example), sometimes we ask internally. Some level of such feedback is needed to understand the risks from the expert perspective before these releases.

Bawolff closed this task as Resolved.Jul 2 2018, 8:27 AM
Bawolff claimed this task.

I think this is ok, and I have no objections, with the caveat that (imo), security's role should be ensuring that stuff meets a certain standard or is safe against a certain threat model. I don't entirely feel confident that I'm competent to review something where the criteria of what we're trying to protect against is unspecified. That said, as far as I can tell, the proposal sounds reasonable.

If we intend to do this again in the future, we should fully disclose that we will release redacted logs, on the query.wikidata.org footer.

mkroetzsch added a comment.Jul 2 2018, 2:28 PM

This is good news -- thanks for the careful review! The lack of specific threat models for this data was also a challenge for us, for similar reasons, but it is also a good sign that many years after the first SPARQL data releases, there is still no realistic danger to user anonymity known. The footer is still a good idea for general community awareness. People who do have concerns about their anonymity could be encouraged to come forward with scenarios that we should take into account.

JBennett added a comment.Jul 2 2018, 3:16 PM

Has legal reviewed this? I don't see any comments from them in this ticket. I'd like to sort out a process for reviewing items like this. It's sort of in-between security/privacy/data governance. I'll put together a strawman review process so to help us avoid delays and follow up with Stas.

leila added a comment.Jul 2 2018, 4:22 PM
In T190875#4386342, @JBennett wrote:

Has legal reviewed this? I don't see any comments from them in this ticket.

Yes, they have. T190874

I'd like to sort out a process for reviewing items like this. It's sort of in-between security/privacy/data governance. I'll put together a strawman review process so to help us avoid delays and follow up with Stas.

Please check the approach developed at https://meta.wikimedia.org/wiki/Research:Improving_link_coverage/Release_page_traces in case you want to re-use parts of it. Happy to provide input to what you will put together. :)

sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:07 PM
sbassett moved this task from Intake to Done on the Privacy board.Oct 16 2019, 5:46 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:15 PM
chasemp added a project: Application Security Reviews.Jan 8 2020, 4:39 PM
chasemp moved this task from Incoming to Our Part Is Done on the Application Security Reviews board.Jan 8 2020, 4:43 PM
chasemp added a project: secscrum.Mar 10 2020, 8:11 PM
chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL