The Wikimedia projects depend on countless dedicated community members who generously donate their time, knowledge, and skills to the free knowledge movement. In addition to creating, editing, and maintaining articles, some community members have taken on important roles in safeguarding and supporting the projects. They protect the sites against vandalism, respond to helpdesk emails, and ensure that users are not violating Wikimedia policies, among other things. To that end, certain community members are entrusted with limited amounts of nonpublic information regarding other users.
In 2007, the Board adopted the current Access to nonpublic data policy (“current policy”) to set out procedures for entrusting community members with nonpublic user information. For two reasons, it is time to update that six-year-old policy:
- Current identification practices are not consistent with the current policy; and
- The new policy should provide guidance about:
- how and when to use those access rights;
- when and to whom nonpublic information may be shared; and
- what specific confidentiality obligations should accompany those access rights.
Under the current policy, community members with access to the nonpublic user information are required to be “known” to the Wikimedia Foundation. However, current identification practices in fact do not result in the Foundation knowing the identities of the community members with access rights: (1) community members now provide an identification document or copy to a member of the Wikimedia Foundation’s staff; (2) the staff member informally “checks” it; and (3) the staff member returns or destroys the identification or its copy. As a result, the identities of many community members with access rights have progressively become unknown to the Foundation over the years.
In this spirit, we drafted a new Access to Nonpublic Information Policy draft (“new draft”) and announced the start of a community consultation on September 3, 2013, to get community feedback on the new draft.
During this consultation, we strove to strike a balance between two important sets of interests — (1) those of the users whose information was being accessed, and (2) those of the community volunteers accessing that information. For us, finding this balance was particularly challenging on the identification requirement. Community members underscored issues that weighed heavily against a stringent requirement like local restrictions on copying or transferring identification documents, risks in the retention of copies, and requirements of forced disclosure in light of legal mandates. Community members also raised questions about whether a process could be implemented in a manner that actually verified someone’s identity – given the vulnerability to fake documents or fraud.
We understand that this topic is a sensitive and complicated one, and one in which great minds can disagree. Because there was no community consensus on the matter, we are closing the consultation today as planned and will make our recommendation to the Board. That said, the Board may well disagree given the valid considerations expressed by many in the consultation. The Board’s attention will be directed to the various community views on this topic. We expect that, in the next couple of months, the Board will be reviewing and discussing the policy in light of our community consultation.
We are grateful to the members of the community who took the time to participate in the community consultation — their input was invaluable in tackling this difficult issue.
Michelle Paulson, Legal Counsel
Geoff Brigham, General Counsel
- Special thanks to the Ombudsman Commission for their input and ideas in creating the original draft of the new policy, the entire Legal and Community Advocacy team (particularly James Alexander, Roshni Patel, and Megumi Yukie) for their tireless support throughout this process, and the Board for their much-appreciated guidance.