What happens when someone asks us for your information?

Wikimedia projects are created by the contribution and collaboration of users all over the world. As we work towards our goal of providing free and educational content globally, we here at the Wikimedia Foundation (“WMF”) understand that we must strive to protect user privacy (and sometimes anonymity), without which Wikimedia projects would not be where they are today. We also understand our obligation to individuals and agencies who are working to protect the public and stop illegal activity. Although rare, it is possible for these two responsibilities to collide when we are presented with a request for user information, such as a subpoena or a warrant.

Transparency and consistency through clear guidelines

Today, we are happy to announce the release of our Requests for User Information Procedures and Guidelines (“guidelines”). The purpose of these guidelines is threefold: (1) to create greater transparency and understanding around the types of information collected and retained in relation to the Wikimedia projects; (2) to set appropriate expectations with third parties seeking user information as to what requirements they must meet before we will consider their request; and (3) to establish a clear and consistent procedure by which third-party requests for user information will be handled.

Lorimerlite structure, the strongest isotropic truss for resisting compression.

These guidelines, in conjunction with our Privacy Policy[1] and our Data Retention Guidelines, explain the types of data held by WMF. Given our culture of transparency, most information — like the edit history of a particular user or webpage — is available publicly on our sites. However, some information is nonpublic, such as the IP addresses of registered users. As a general rule, unlike other websites, we collect very little nonpublic information about our users and retain that information for limited amounts of time.

Although requests for user information are relatively rare, we believe it’s important to review such requests with a critical eye because some requests are legitimate, but some are not. Therefore, the Foundation carefully scrutinizes every request for information we receive, whether from law enforcement, a government agency, or a civil litigant. Nonpublic user information will only be disclosed in accordance with our Terms of Use and our Privacy Policy, and only if valid and enforceable under applicable United States law, including the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. §§2510-2522, 18 U.S.C. §§ 2701-2711, and 18 U.S.C. §§ 3121-3127).[2] The guidelines released today provide clear guidance to third parties seeking user information about exactly what we need from them to properly evaluate their request.[3]

Helping users help themselves

While we do our best to defend user privacy on our end, we believe in also empowering users to protect themselves. Users impacted by a third-party request for their information can only legally challenge such a request if they know that the request exists. Therefore, when we think we will be legally compelled to release user information to a third party, we will inform affected users of the request for their information, assuming we have a means of notifying them and we are not legally prohibited from providing notice.[4] This way, users can make their own informed decision about the legal options available to them.

We encourage users to learn more about their legal rights. To that end, we are working to provide informational starting points, such as our Subpoena FAQ, about these sensitive topics.

Use of these guidelines

We hope that the guidelines we release today will help everyone — our users, civil litigants, government agencies, law enforcement, and even those at the Foundation — better understand the responsibilities and rights that are evoked when a request for user information arises. It is our hope that through transparency and mutual understanding, those involved in the difficult situations that lead to such requests can make more responsible and better informed decisions.

Michelle Paulson, Legal Counsel*

* I would like to thank Roshni Patel (Privacy Fellow at WMF) for her help and guidance in the development of these guidelines.

  1. Our draft Privacy Policy was approved by the Wikimedia Board of Trustees on 25 April 2014 and will go into effect following a notice period.
  2. For the avoidance of doubt, we believe a warrant is required by the 4th Amendment to the United States Constitution, which prohibits unreasonable search and seizure and overrides conflicting provisions in ECPA. We believe that the ECPA needs to be updated so that equivalent protections are granted to your electronic communications and documents that are already granted to the physical documents you keep at home or in your office. To that end, we joined the Digital Due Process Coalition last year to help in that effort.
  3. While user privacy is one of our top priorities, we also care about keeping the public safe and keeping our users free from harm. To that end, we may provide user information in response to an emergency disclosure request. You can learn more about how to file an emergency request in the guidelines.
  4. Certain information about requests for user information will also be publicly reported in our transparency report. The first WMF transparency report is currently scheduled to be released later this summer.
Categories: Legal, Privacy Policy
Tags: , ,
4 Show

4 Comments on What happens when someone asks us for your information?

Michelle Paulson 2 years

Hi Jake! We don’t have a document inclusively listing the types of situations where WMF could be legally prohibited from providing notice, but a gag order or a sealed search warrant are examples of ways that WMF could potentially be legally prohibited from providing notice to a user. Depending on the particular situation, we may seek legal remedies to lift such a gag order or unseal search warrants. As to your aggregate data question, we are planning on releasing aggregate numbers on each type of request in late July 2014 in our first transparency report. Hope that helps!

Michelle Paulson 2 years

Hi Torsten – The Diu case is ongoing. We anticipate it going well into 2015 actually. We plan on posting updates about the case when important development occur.

Torsten 2 years

BTW: What happened to User:Diu case in Greece?

Jake Orlowitz (Ocaasi) 2 years

Neat and reassuring post. Is there a document which inclusively lists the types of situations where WMF is “legally prohibited from providing notice”? Are there aggregate data available on each type of request? For which types of requests where notification is prohibited is aggregate data also prohibited. Thank for helping protect our user’s privacy!

Leave a Reply

Your email address will not be published. Required fields are marked *