Page MenuHomePhabricator

CentralAuth account autocreation may be violating WMF's privacy policy
Closed, InvalidPublic

Description

The policy says http://wikimediafoundation.org/wiki/Privacy_policy#Reading_projects: "page visits do not expose a visitor's identity publicly.", however the fact that a user registered on one project visited another site and the first time he/she did so are logged and viewable publicly by SUL account.


Version: unspecified
Severity: normal

Details

Reference
bz40006

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:04 AM
bzimport set Reference to bz40006.
bzimport added a subscriber: Unknown Object (MLST).
liangent created this task.Sep 5 2012, 2:19 PM
Elfix added a comment.Sep 5 2012, 3:33 PM

They are free to ask that their global account be deleted.

Barras added a comment.Sep 5 2012, 3:35 PM

I doubt that this is actually something for bugzilla (yet). That looks more like something that needs a discussion, which shouldn't happen here but on meta.

How is SUL autocreation exposing one's "identity" publicily?

(In reply to comment #3)

How is SUL autocreation exposing one's "identity" publicily?

I read it as my user name. For example I'm [[en:User:Liangent]] and is publicly known as this username on enwiki. You can find the time I visited simplewiki for the first time.

tomasz added a comment.Sep 5 2012, 6:53 PM

This is not a Bugzilla bug, but a legalese discussion. You'll need to define what "identity" is in the first place (and I very much doubt it's your nickname, as this is not a "personally identifiable information").

By the way, the information in the log is does not tell when you visited simplewiki for the first time; it only says when the account was created - which happens when you log-in into the wiki for the first time or visit it while logged-in on another project for the first time (so you might have visited it a long time before doing either of this things).

If you still have any doubts about that, please contact the Foundation's LCA team at http://meta.wikimedia.org/wiki/Legal_and_Community_Advocacy/Team_responsibilities.

Closing as RESOLVED INVALID.

Elfix added a comment.Sep 5 2012, 9:52 PM

I think Liangent has a point, your first visit is logged if you're logged in, which is contradictory with what the privacy policy states (the gist of it being "visits aren't publicly logged"). I have passed it on to the WMF staff responsible for rectifying that.

Just as a heads-up, the Deputy General Counsel thinks no changes are necessary in the privacy policy for the following reasons:

  • Users can delete cookies or log out in order to prevent this from happening,
  • the information disclosed is not identifiable (a simple username).
Pine added a comment.Jan 24 2018, 2:21 AM

For the record, I am waiting for an email response from WMF Legal about this issue.