As a follow up to T293379, the current tickets keeps track of an inquiry about
potential policy and/or legal issues with CheckUsers performing investigations with private Wikimedia data using completely external services. More specifically, the following question was asked: "does [a CheckUser] violate the privacy policy [when sharing user User Agent information with a third-party, as part of an anti-abuse investigation?"
For context, the user agent and IP information that CheckUsers insert in those external tools are not directly tied to any username. Some illustrations are this IP copy-paste or UA information parsing.
The question, as well as the broader issue of sharing non-public information with external services will be raised with WMF-Legal, and this ticket updated accordingly.