
Clarify whether CUs should share non-public information with external services
Open, Needs Triage, Public

Description

As a follow-up to T293379, the current ticket keeps track of an inquiry about potential policy and/or legal issues with CheckUsers performing investigations with private Wikimedia data using completely external services. More specifically, the following question was asked: "does [a CheckUser] violate the privacy policy [when sharing user User Agent information with a third-party, as part of an anti-abuse investigation]?"

For context, the user agent and IP information that CheckUsers insert in those external tools are not directly tied to any username. Some illustrations are this IP copy-paste or UA information parsing.

The question, as well as the broader issue of sharing non-public information with external services, will be raised with WMF-Legal, and this ticket updated accordingly.

Event Timeline

Hey @GeneralNotability and @Urbanecm. As mentioned earlier, your question will be brought to WMF-Legal's attention. Feel free to rename it or adjust the description if I missed some aspects.

Thank you @sguebo_WMF. The specific question from the ticket was about UAs, but I ask that Legal also account for IPs, since those are covered under the same privacy policy and there is a much greater need to query external data on those. And as a caveat, none of these checks would link a username to the IPs - we're doing things like checking whois (https://whois-referral.toolforge.org/gateway.py?lookup=true&ip=8.8.8.8) or parsing a useragent (https://www.whatsmyua.info/api/v1/ua?ua=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64;%20rv:93.0)%20Gecko/20100101%20Firefox/93.0), but nothing in these checks ties the private data to a specific user or users.

Noted, thanks for the additional context @GeneralNotability. The description was updated accordingly.