
Hide the thank-you-log on dewp
Closed, Declined (Public)

Description

Please hide the thank-you-log again on dewp. We are unhappy that the fae-bot now creates lists and statistics about users who use the thank-you-function; there is also an external website which does the same.
Please also make sure that the data cannot be seen with the API.


There is a previous request to do this WMF-wide (T57428: Remove all logging for the Thanks extension). See also T90486: Sending "thanks" does not imply that this will publicly logged.

Event Timeline

DaBPunkt raised the priority of this task from to Medium.
DaBPunkt updated the task description.
DaBPunkt subscribed.
tomasz set Security to None.
tomasz subscribed.

Adding the community-consensus-needed tag as there are no links to any community discussions on the subject (at this moment).

Adding the community-consensus-needed tag as there are no links to any community discussions on the subject (at this moment).

AFAIK the log was added at a later stage and was not there at the beginning. Where is the community consensus to enable it? And why do I – who lives in Germany with a high Datenschutz level – have to live with data being collected and stored that is not needed by Wikipedia’s function or by the license?

Adding the community-consensus-needed tag as there are no links to any community discussions on the subject (at this moment).

AFAIK the log was added at a later stage and was not there at the beginning. Where is the community consensus to enable it? And why do I – who lives in Germany with a high Datenschutz level – have to live with data being collected and stored that is not needed by Wikipedia’s function or by the license?

Ditto. This feature has been enabled without community consensus.

Odder, for discussion cf. https://de.wikipedia.org/wiki/Wikipedia_Diskussion:Kurier#Danke-Bot_listet_Top_Ten

+ I understand the feature as a "private" thank you. Since it is not clarified when sending "thanks", it is a violation of privacy which will go in a separate task for the feature itself.

The "Thanks" gadget is nice, the data-collection anything but nice. If such a nice tool is misused for Schwanzvergleichslisten (pissing contest lists), it's extremely devalued.

Thanks has to be private, no bot whatsoever must ever see any logs about this; if for some weird legal reason it should be logged, only Stewards should be able to see the logs.

AFAIK the log was added at a later stage and was not there at the beginning.

Logging was added in https://gerrit.wikimedia.org/r/#/c/58450/ (Apr 9, 2013) and Thanks was deployed to dewiki in https://gerrit.wikimedia.org/r/#/c/96536/ (Nov 20, 2013).

The "Thanks" gadget is nice, the data-collection anything but nice. If such a nice tool is misused for Schwanzvergleichslisten (pissing contest lists), it's extremely devalued.

Thanks has to be private, no bot whatsoever must ever see any logs about this; if for some weird legal reason it should be logged, only Stewards should be able to see the logs.

Obviously, this is only the opinion of Germans like me and you and you'll have to show "community consensus" which means you'll need the very bureaucratic "Meinungsbild" on German Wikipedia and as soon as you go to another project, the standards change. Welcome at Facebook, @Saenger.

Yes, it's a shame that over the pond there seems to be next to no grasp about privacy matters. Data nightmares like Facebook or Google are seen in a positive light despite their extreme data mining, thus privacy raping.

My data belong to me, and without my explicit consent nobody must ever deal with them. That's the core of proper data security and privacy. Opt-In is a must, Opt-Out has to be the exception.

Thank you for the link to the Kurier talk page, @Rillke.

Please do feel free to post the link to a discussion on Meta regarding the privacy aspects of this, as soon as you start it (or someone else does), so that those of the subscribers who are interested in it can participate.

Thank you :-)

My data belong to me, and without my explicit consent nobody must ever deal with them.

For the records, https://wikimediafoundation.org/wiki/Privacy_policy states "Any content you add or any change that you make to a Wikimedia Site will be publicly and permanently available." and "Unless this Policy says otherwise, you should assume that information that you actively contribute to the Wikimedia Sites, including personal information, is publicly visible and can be found by search engines."
If you would like to discuss the current situation on a higher / more general level (I assume so as you generally mentioned "data" above), please do so on Meta as this Phabricator task has a way smaller and specific scope: Hiding the "Thanks" log on de.wp.
Thank you!

My data belong to me, and without my explicit consent nobody must ever deal with them.

For the records, https://wikimediafoundation.org/wiki/Privacy_policy states

If we like to quote: »The collection, processing and use of personal data and the selection and design of data processing systems shall be oriented towards the goal of collecting, processing or using as little personal data as possible. In particular, personal data shall be anonymised or pseudonymised insofar as this is possible according to the intended purpose and does not require disproportionate effort in relation to the desired protective purpose.« (§3a, Bundesdatenschutzgesetz). I guess you understand that law is more important than a simple policy.
But I guess that we can and should speak like normal people (and not like lawyers), and value arguments more, and can come to a compromise at the end.

The question is: are Thanks actions more like edits (public) or like watching pages (private)? Edits are public because the information they contain is critical for the collaborative wiki experience. Watching pages has been considered a private activity. With the right tools, it is possible for users with no/few permissions to extract some data (i.e. how many users are watching a specific page) but not who is watching what.

Is there a need to know who liked which edit, beyond the two users involved? Users might want to track their own Thanks just like they can track watched pages. Users being thanked also benefit from the fact of knowing who is thanking them. So far this is clear. Is the use case of publicizing who thanks what clear as well? What is the benefit? Could the same benefit be achieved by anonymizing the data, just allowing to retrieve the number of thanks received by an edit / an article / a user? How complex would this work be?

PS: I don't have a strong opinion on the subject, but I can understand both positions. I'm not related to the Thanks project either. Just trying to help in this discussion.

The question is: are Thanks actions more like edits (public) or like watching pages (private)?

They are more like sending an e-mail (private).

The Thanks log exists because of requests for it at the English Wikipedia.

The main rationale for logging use of the Thanks feature is explained in T51087. The log allows community members to find out whether an editor is harassing someone else. For example, the community can use this log to determine whether a user under an interaction ban is violating that community-imposed ban by "thanking" the other person, or by thanking the person for every edit they make. It also makes it possible for community members to determine whether the rate limit is too high or too low.

The rationale for not including the specific edit is also explained there. It is to reduce the likelihood that "I was thanked by a lot of people for that edit" would be used as a way to circumvent consensus discussions, because an editor cannot prove that any thanks he received were for any particular edit, and – if someone were tempted to exaggerate – because other editors can prove exactly how few editors have thanked them since the allegedly popular edit. (In one instance I saw, "a lot" turned out to be "two".)

NB that I don't care about the outcome. People may value the risks and the benefits differently. If the community at the German Wikipedia really does not want to be able to monitor and prevent this type of harassment and consensus-twisting, then in my opinion, that is a legitimate choice. However, I believe that they should acknowledge that trade-off decision explicitly, by saying something like, "I would rather risk harassment and abuse, than have other people find out that I thanked someone". "I want privacy", with no mention of the risks, is IMO not enough to show that you've considered the options fully.

As we were asked for a community consensus, here’s a fast one (about 3/4 of one day):
https://de.wikipedia.org/w/index.php?title=Wikipedia:Fragen_zur_Wikipedia&oldid=139182790#Kurzmeinungsbild:_Dankesch.C3.B6n-Logbuch_.5BDanke.2C_reicht..5D

32 people voted for hiding the log, 10 against, 5 have expressed their opinion without voting.
16 people have (partly as a second vote) expressed, that the location was the wrong one (Fragen zur Wikipedia is de.WP’s village pump).

With (32+10) : 16 votes the poll was accepted with 72.4 percent.
With 32 : 10 votes it was requested to hide the logs by 76.2 percent of the voters.

Comments show, that Check User staff might see it (just like the wikimail logs), everyone else not.

hoo subscribed.

IMO that's not enough to perform such a change, especially given how many people expressed that they reject the survey. (That doesn't mean I'm going to block/-2 someone else from doing the configuration change if someone feels very bold... but I don't think anyone should perform this change now).

The next step here would be a proper Meinungsbild/Umfrage in my opinion.

@32X have you launched the formal discussion (Meinungsbild/Umfrage) on de.?

Dereckson changed the task status from Open to Stalled. May 12 2015, 7:20 PM

Note that since this was filed we have clarified the UI to make 100% explicit that thanking is a public action. See T90486: Sending "thanks" does not imply that this will publicly logged.

Not to be a s*!t starter, but might there be a way to scrub the past public thanks as it wasn't explicit earlier? I understand the potential confusion about the "thanks" being public (though being as open as this movement is, I suppose it would make sense to assume that it would be), and I wonder if as a result, that some technical solution to "remove" past thanks from view might be possible?

Nemo_bis claimed this task.
Nemo_bis subscribed.

Transparency is a non-negotiable principle of MediaWiki. https://www.mediawiki.org/wiki/Principles
Logs exist for a reason or should not exist at all in the code; see the relevant task.

Restricted Application edited subscribers, added: Luke081515, Matanya; removed: Liuxinyu970226. Jul 2 2015, 7:38 PM

Re-opened.
While it is no problem that Mediawiki LOGS the data, the problem is that it SHOWS these data to everybody.

So you want this to be another silly suppressionlog-type thing?

Yes, transparency is about showing.

Re-opened.
Guys, Mediawiki also logs the IP-address of every user – but not every user can see the ip of other users, can they? My request says clearly that the log should be “HIDE”, not deleted or anything.

There was discussion in dewp, there was a (quick) showing of consent, what more do you need?

I disagree that there was a clear consent, because really many people have opposed the poll in general. If you really want hiding of the thanks-log, please start a regular RfC at dewiki.

@Nemo_bis: Would you also make public who sent whom an email? That's almost the same thing. I don't want public logs of this.

Guys, Mediawiki also logs the IP-address of every user – but not every user can see the ip of other users, can they? My request says clearly that the log should be “HIDE”, not deleted or anything.

It is very clear in our privacy policy that your IP address is considered to be private information. If you are a logged out user, there are warnings that your IP address will be visible. Similarly, when you send thanks, the wording (at least in English) is: "Send public thanks for this edit?". It is obvious that your thanks are public.

@Nemo_bis: Would you also make public who sent whom an email? That's almost the same thing. I don't want public logs of this.

No it's not "almost" the same thing. It is "almost" the same thing as editing someone's talk page and writing "Thank you!" on it. Every other notification type sent through Echo is publicly logged, whether it be a page edit or a patrolling action. Thanks is no different.

I'm going to re-close this again endorsing what Nemo said earlier:

Transparency is a non-negotiable principle of MediaWiki. https://www.mediawiki.org/wiki/Principles

You can re-open the bug if you want, but that would just be wasting everyone's time.