Change 539553 had a related patch set uploaded (by Strainu; owner: Strainu):
[operations/mediawiki-config@master] [rowiki] Enable 'deleterevision' for patrollers

https://gerrit.wikimedia.org/r/539553

Umm, is this okay from a legal perspective? Allowing patrollers to undelete page revisions would require them to undergo community scrutiny, per WMF's stance on granting access to deleted content

Could WMF-Legal comment on this, please?

@DannyS712 I can't find any such policy on meta. Could you please provide a link with the mentioned requirements?

See, eg,

...For legal reasons, we require RFA or an RFA-identical process for access to certain tools (deleted revisions among them). I thank Robert for the proposal and thank everyone who participated in the debate below, but I'm afraid that this one is a non-starter for the WMF. Philippe Beaudette, Wikimedia Foundation (talk) 21:02, 16 December 2014 (UTC)

at https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(proposals)/Archive_116#RFA_reform_Proposal:_Automatic_admintools_to_users_with_1_year_of_registration_and_3000_mainspace_edits,

The Wikimedia Foundation's legal department has explicitly instructed us not to allow non-administrators to view deleted pages.
at https://en.wikipedia.org/w/index.php?title=Wikipedia:Village_pump_(proposals)/Persistent_proposals/Straw_poll_for_view-deleted

There is a summary at https://en.wikipedia.org/wiki/Wikipedia:Viewing_deleted_content - these principles apply to other projects as well

I've emailed Wikimedia Legal directly, we'll see what they'll say.

As far as I understand from docs and throughout the code, the ability to see the deleted content is actually controlled by the 'deletedtext' right, not 'deleterevision'.

While I agree it is unpractical to have the latter but not the former userright and it was not my initial intention to not allow visibility of the hidden content, I would say that in the configuration introduced by my patch the patrollers would not have access to deleted content. This config also covers the main reason for this request - to reduce the number of requests to hide obscenities from history.

One other note is that all current patrollers on ro.wp were elected in a RFA-identical process - see https://ro.wikipedia.org/wiki/Wikipedia:Candida%C8%9Bi Would the previous elections+current consensus be enough to grant those users the right to view deleted content?

deleterevision is a core MediaWiki-Revision-deletion functionality to redact and unredact logs and history entries. I agree this falls within WMF legal's recomendation. Let's wait for Legal to comment.

Hi all. A couple thoughts. I note from the original ticket that there's a note that patrollers were all selected through an RFA style process, which would satisfy the need for community review before giving people rights. It's not clear to me from this thread if that's the process for all patrollers or if it's just coincidence that it applies to all patrollers right now. If the latter, I would suggest that you formalize that the process to get patroller rights requires a community review and then this is fine.

The second things is that we would be comfortable if there's a way to split the delete and undelete rights (no idea if that's possible though). Having extra people who can help clean up content but who can't see it or make it visible to others would not be a problem.

Hello,

thanks for writing the comment. I've experimented with what having only deleterevision right actually allows at my local development wiki, and created https://ctrlv.tv/zuHX containing my progress. For reference, deleterevision user has only deleterevision right, Martin Urbanec is a sysop.

It seems that deleterevision allows to delete and undelete individual revisions, but not actually view the delete content. The only way how they can view the content of a deleted revision is to undelete it to view it, and then re-delete. Not sure if this changes anything from the legal side.

@Jrogers-WMF Could you please comment on what is "community review"? For instance, Czech Wikipedia requires 14 days of vote and 2/3 in favour votes for becoming an admin, becoming patroller right is far more easier (the request must be live for 48 hours and decision is made by an admin, using community's comments; that means it's possible to become a patroller without anyone saying anything except the approving administrator). That means community has time to object, but it's not necessary for the whole community to approve/comment/vote about the candidate for he/she to get the rights. I'm asking not only for this case, but also for future possible cases, so I know what the legal viewpoint is.

Thank you,
Martin Urbanec

In T234051#5578226, @Jrogers-WMF wrote:

Hi all. A couple thoughts. I note from the original ticket that there's a note that patrollers were all selected through an RFA style process, which would satisfy the need for community review before giving people rights. It's not clear to me from this thread if that's the process for all patrollers or if it's just coincidence that it applies to all patrollers right now. If the latter, I would suggest that you formalize that the process to get patroller rights requires a community review and then this is fine.

Actually, we changed this process from a RFA to something similar to what Martin describes for Czech Wikipedia in T231099 . The community considers that change more important than this one, so we will not revert to an RFA-style election. The current situation is as follows:

• all patrollers elected before 2019-10-01 went through an RFA process
• all patrollers which received the rights after 2019-10-01 (currently none) will not go through such a process.

So I guess my question would be:

1. Considering the demo made by Martin, can we go ahead and give those rights to all patrollers, present and future? I think having a policy against undeleting by patrollers would be acceptable for the community, if that would help (undeletions would appear in the logs).
2. If the answer to question 1 is "no", can we give the deleterevision rights to patrollers elected before 2019-10-01?

I have also logged T235600 to separate the two rights.

The underlying worry that our previous GCs highlighted is that deleted information has some stuff that creates legal risks either for the WMF or sometimes individual users (or even if it may not actually be risky, it's the kind of material that could lead to a lot more complaints coming in, making for a large administrative burden for us). So, the right to review and access deleted material should be limited to ensure it's only available to a trusted group and it doesn't accidentally become public. We've relied on that trust being established through the RFA process, so I'm hesitant to give approval for a process that's shorter and only requires one commenter to participate.

That said, could you tell me what kind of review there would be for a policy against undeleting by patrollers? If violations of that policy would be noticed fairly quickly, I think that would address the concern because they'd be given the right only for helping to clean up content, but if an undeletion might go unnoticed for a long while, I'd be more hesitant.

Lastly, for patrollers who did go through the Rfa process before 2019-10-01, it would be okay to give them deleterevision.

In T234051#5582768, @Jrogers-WMF wrote:

That said, could you tell me what kind of review there would be for a policy against undeleting by patrollers? If violations of that policy would be noticed fairly quickly, I think that would address the concern because they'd be given the right only for helping to clean up content, but if an undeletion might go unnoticed for a long while, I'd be more hesitant.

The normal behavior would be to have admins watch for such undeletions, which would probably offer a response time in hours, but gradual technical helpers could be considered (which I could implement together with @Andrei_Stroe our other interface admin):

1. highlight such changes in the recent changes list using JavaScript
2. have a bot check for undelete messages associated with patrollers in the logs and notify [[:ro:WP:AA]] (the equivalent of [[:en:WP:ANI]]) when they appear
3. have a bot with admin rights check for such messages in the logs and block the offenders on sight (will need steward support to test, but that should be OK)

Which one seems sufficient for you?

I'm not sure if abusefilter sees revision undeletions, could you have a look? That'd surely be enough.

Unfortunately abusefilter seems to only handle article deletions (not even undeletions, let alone revision visibility)

Maybe @Daimona can add that? :)

In T234051#5584036, @Strainu wrote:

Unfortunately abusefilter seems to only handle article deletions (not even undeletions, let alone revision visibility)

That's correct.

In T234051#5584208, @Urbanecm wrote:

Maybe @Daimona can add that? :)

I'm not sure whether this is feasible.

Of the suggestions from Strainu, I'd be okay with either 2 or 3. It doesn't need to be immediate, so having a bot flagging it for admin review would work.

@Strainu Could you please implement either 2 or 3 and them leave a message here, so we can resolve this task? Thanks!

@Jrogers-WMF @Urbanecm I've implemented suggestion 2. The bot is set to run daily. A test message was posted at https://ro.wikipedia.org/wiki/Wikipedia:Afi%C8%99ierul_administratorilor#[Test]Recuperare_nerealizat%C4%83_de_un_administrator - it's for a real operation made by a user who no longer has sysop rights, so you can check the links work.

I have also added a JS snippet to prevent accidental recovery - if a checkbox is checked, non-sysops see it as disabled. It's easy to workaround for tech-savy users, so the robot needs to exist as well.

I believe the bug can now be unblocked.

Change 539553 merged by jenkins-bot:
[operations/mediawiki-config@master] [rowiki] Enable 'deleterevision' for patrollers

https://gerrit.wikimedia.org/r/539553

Mentioned in SAL (#wikimedia-operations) [2019-11-20T11:55:39Z] <urbanecm@deploy1001> Synchronized wmf-config/InitialiseSettings.php: SWAT: 2b13fbe: [rowiki] Enable deleterevision for patrollers (T234051) (duration: 00m 52s)

The change should be live. Thanks for being patient!