Jump to content

Policy talk:Access to nonpublic personal data policy/Archive 1

From Wikimedia Foundation Governance Wiki

Answers to some questions around policy change

Hello all,

We would like to offer more clarity with regards to the NDA policy change that is currently being implemented in certain locations. While doing this, we will try to be as clear as possible. However, in some areas we will not be as explicit as we would like to be due to privacy related reasons and the possibility of increasing exposure to individuals whom the Foundation is trying to keep from harm.

As mentioned earlier, the NDA policy was modified in response to a current credible threat. We are sorry to inform you that this is not an isolated risk. Unfortunately, the Foundation has had to deal with cases where individuals have been identified, exposed and extorted with a deliberate effort to extract crucial information pertaining to other users and activities on Wikimedia sites. At the moment, and due to security reasons, we cannot reveal the extent of these details.

We are also aware that some of you would like the Foundation to name the jurisdictions and locations that are currently impacted by this NDA policy change. Unfortunately, we are unable to provide this for the safety and protection of the individuals impacted by the NDA policy change. We realize that these locations may be widely known, but public disclosure may increase the risk of exposure to harm to multiple users. What we can inform you is that the jurisdiction and locations are among those that currently or in the recent past have blocked access to Wikimedia projects.

Though the purpose of the NDA policy is to protect everyone, it is worth noting that it is not intended to impact individuals visiting these locations (since vulnerability is lower for a temporary and likely not widely known visit). That said, we have had arrangements in the past where NDA-holding individuals who are easily identifiable have requested temporary removal of their non-personal information access when visiting these regions. We encourage people to think carefully about security issues when they travel in order to prioritize the safety of the community overall.

There does seem to be some misunderstanding that accounts are being locked until they voluntarily request removal. We would like to clarify that accounts were locked in order to immediately secure the safety of individuals especially in these jurisdictions while we reached out to the impacted NDA-holding users.

At this time we have offered the impacted NDA holding users an opportunity to voluntarily request removal if they prefer. This is because these are not removals under a cloud. For security reasons, we are well aware that it may not be safe for all impacted users to self-request this removal. All impacted users have been made aware that we will be removing access and then unlocking the accounts of those users who do not feel safe or comfortable self-requesting removal (or simply prefer not to).

Any user who may be thinking of applying for an NDA is welcome to reach out to see if this policy might impact them. We will be evaluating future NDA requests against this policy and will advise individuals if we detect a risk at the time of their application.

We have prepared some frequently asked questions with regards to the NDA Policy Change and shared them below. We have tried our best to offer answers to questions around the policy change. It is our hope that you will understand that there is certain information we cannot provide at this time due to the sensitivity of the threat.

Sincerely, WMFOffice (talk) 19:13, 1 September 2021 (UTC)

FAQs

  1. What is the NDA Policy Change?
    • This is a policy adjustment that suspends Foundation volunteer NDA recognition to applicants who live in jurisdictions that have blocked access to Wikimedia projects and where there is reason to believe that their domicile associated with their user account is known to others than the individual applicant(s) and the Foundation.
  2. Why has the NDA policy change been effected?
    • The NDA policy change has been necessitated by recent world events triggered by credible information about a more focused security threat to the Wikimedia community that places multiple users at risk. The users who were at risk are physically located in the jurisdictions identified.
  3. Who is affected by the NDA policy change?
    • Applicants who live in jurisdictions that have blocked access to Wikimedia projects and where there is reason to believe that the domicile associated with their user account is known to others than the individual applicant(s) and the Foundation have been affected.
  4. For how long will this policy be in place?
    • This policy adjustment will be reviewed in future depending on the safety of the community at large.
  5. What practice does this policy impact?
    • The Wikimedia movement relies on volunteers, not only in creating and curating content but also in performing the bulk of movement governance work. In order to do this, some users have been trusted by the broader user community with access to tools that let them see information that is not otherwise public.

      This includes information about devices that are used to access Wikimedia sites, including assigned IP addresses. This information does not directly identify the individuals using these accounts, but can be used alongside other information (or with information supplied by internet service providers) to help figure out who a person is.

      This policy change is intended to reduce the risk of bad actors gaining access to information about who is editing Wikimedia projects by targeting community members who are vulnerable to force.

  6. Why is this policy coming into effect now? Did something happen?
    • The Foundation received credible information of threats targeted to the Wikimedia community. These threats, confirmed by a security firm contracted by the Foundation, place multiple users at risk. This information has prompted the Foundation to take unprecedented and extraordinary actions that aim to keep all users safe.
  7. Which projects does the policy change cover?
    • This policy change covers all Wikimedia projects. In the future it may be reviewed after careful consideration of the security and safety of the individuals and the community at large.
  8. Is the Foundation tracking the everyday moves of individual community members?
    • No. The Foundation is not tracking the moves of individual community members.
  9. How is the Foundation working with the community and individual members to effect the change to NDA policy?
    • The Foundation is currently working with the Stewards with regards to the NDA policy change based on the preferences expressed by impacted accounts in response to its individual non-public outreach to them on the day the policy was rolled out.
  10. Can exemptions be granted?
    • Yes, exceptions may be granted on an individual basis and following a request for review submitted to the Legal department. However, the Foundation recognizes that granting such NDA-based access will put applicants as well as other volunteers relying on the Foundation’s platform at undue risk and will only grant exceptions due to extraordinary need and if the safety of volunteers is certain.

WMFOffice (talk) 19:13, 1 September 2021 (UTC)

  1. What does NDA mean?

  • A question for WMFOffice: I could have missed something. But if the concerns are all over some users being forced to give out "crucial information pertaining to other users and activities on Wikimedia sites", why not just split the NDA privilege into two, just as what has been done to the sysop usergroup in response to the security risk that all sysops were able to edit interfaces? Some of the user groups covered by the current NDA policy might have a significantly lower risk than others. For example, oversighters only deal with non-public infomation posted by others and such information may or may not cause threat to our users, while checkusers have access to raw user data generated or collected by WMF servers. OTRS members don't even deal with personal data about "users". Instead, they deal with that of the public. It would be better if the proposed policy change could differentiate over these different scenarios. --Antigng (talk) 07:08, 2 September 2021 (UTC)
    • I even imagine we can introduce a "semi-checkuser", which is a tool that may see accounts sharing IP or /16-/24 ranges with a given account, without revealing IP.--GZWDer (talk) 14:29, 2 September 2021 (UTC)
      @Antigng @GZWDer both sound like possible options, if there's a bottleneck of available people to handle those workloads. Identifying where there's the most demand for help (and availability of people blocked by this change) may be a useful first step, before pushing for a new policy. –SJ talk  21:03, 13 September 2021 (UTC)

We appreciate your sharing your thoughts.

Before initiating this policy change, the Foundation evaluated several options and strategies to mitigate the security threat posed to the Wikimedia community at large. The solutions derived from these options and strategies were classified into three (immediate, short term and long term). Our immediate need was to suspend Foundation volunteer NDA recognition to applicants who live in jurisdictions that have blocked access to Wikimedia projects and where there was reason to believe that the domicile associated with those user accounts were known to others than the individual applicant(s) and the Foundation.

Currently, we are addressing the short-term needs which include getting in touch with the impacted users and working with the Stewards to effect the preferences expressed by impacted accounts in response to individual non-public outreach.

With regards to the long-term solutions, the Foundation is considering several options. While these long-term discussions are still at preliminary stages, the Foundation found some challenges that also relate to the options mentioned in your note.

First, the volunteer support team has access to sensitive user data, including but not limited to access to that of other agents, alongside the PII of readers, article subjects, and other third parties that are writing to them or are donating content. Secondly, there are technical and policy issues that would need to be reviewed collectively before such a change could be made. This includes users currently unaffected, potentially re-signing their existing NDAs (something that is not required in the current system). So splitting NDAs for permissions would be more complex than the introduction of the interface adminship user group.

It is important to note that the current system provides a one-stop service to users who are interested in supporting their communities in elected onwiki permissions. As we continue reviewing long term options, if we determine that a new NDA model is needed, we will organize a session to gather input and take it into account before embarking on any such model. Our goal is to find a long-term solution that does not burden users with more processes than they currently face. We’re looking into the best long-term action and the appropriate implementation mode and want to do some early exploration of challenges and benefits especially with the functionaries, who are familiar with the processes. -Jrogers (WMF) (talk) 16:18, 8 September 2021 (UTC)

@Jrogers (WMF): Hello, after a year, any plan of long term solutions or other efforts that could be shared to community? Thanks. SCP-2000 10:30, 28 September 2022 (UTC)

10-day notice requirement

  • "Disclosures of Nonpublic Personal Data are limited to ... law enforcement, in cases where there is an immediate and credible threat of serious bodily harm ..."
  • "... if they are required by law to disclose to law enforcement, administrative bodies, or other governmental agencies, they must secure written approval from the Wikimedia Foundation by emailing check-disclosurewikimedia.org an explanation of the proposed disclosure at least ten (10) business days prior to such anticipated disclosure ..."

@WMF Legal, @Slaporte (WMF), the second line seems to contradict the first. If there is an immediate and credible threat, waiting 10 days to disclose to law enforcement sounds like, well, a bad idea. Requiring people to wait 10 days sounds like a really bad idea. Please review. Thanks, Levivich (talk) 19:51, 27 February 2023 (UTC)