Wikimedia projects are created by the contribution and collaboration of users all over the world. As we work towards our goal of providing free and educational content globally, we here at the Wikimedia Foundation (“WMF”) understand that we must strive to protect user privacy (and sometimes anonymity), without which Wikimedia projects would not be where they are today. We also understand our obligation to individuals and agencies who are working to protect the public and stop illegal activity. Although rare, it is possible for these two responsibilities to collide when we are presented with a request for user information, such as a subpoena or a warrant.

Transparency and consistency through clear guidelines

Today, we are happy to announce the release of our Requests for User Information Procedures and Guidelines (“guidelines”). The purpose of these guidelines is threefold: (1) to create greater transparency and understanding around the types of information collected and retained in relation to the Wikimedia projects; (2) to set appropriate expectations with third parties seeking user information as to what requirements they must meet before we will consider their request; and (3) to establish a clear and consistent procedure by which third-party requests for user information will be handled.

These guidelines, in conjunction with our Privacy Policy[1] and our Data Retention Guidelines, explain the types of data held by WMF. Given our culture of transparency, most information — like the edit history of a particular user or webpage — is available publicly on our sites. However, some information is nonpublic, such as the IP addresses of registered users. As a general rule, unlike other websites, we collect very little nonpublic information about our users and retain that information for limited amounts of time.

Although requests for user information are relatively rare, we believe it’s important to review such requests with a critical eye because some requests are legitimate, but some are not. Therefore, the Foundation carefully scrutinizes every request for information we receive, whether from law enforcement, a government agency, or a civil litigant. Nonpublic user information will only be disclosed in accordance with our Terms of Use and our Privacy Policy, and only if valid and enforceable under applicable United States law, including the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. §§ 2510-2522, 18 U.S.C. §§ 2701-2711, and 18 U.S.C. §§ 3121-3127).[2] The guidelines released today provide clear guidance to third parties seeking user information about exactly what we need from them to properly evaluate their request.[3]

Helping users help themselves

While we do our best to defend user privacy on our end, we believe in also empowering users to protect themselves. Users impacted by a third-party request for their information can only legally challenge such a request if they know that the request exists. Therefore, when we think we will be legally compelled to release user information to a third party, we will inform affected users of the request for their information, assuming we have a means of notifying them and we are not legally prohibited from providing notice.[4] This way, users can make their own informed decision about the legal options available to them.

We encourage users to learn more about their legal rights. To that end, we are working to provide informational starting points, such as our Subpoena FAQ, about these sensitive topics.

Use of these guidelines

We hope that the guidelines we release today will help everyone — our users, civil litigants, government agencies, law enforcement, and even those at the Foundation — better understand the responsibilities and rights that are evoked when a request for user information arises. It is our hope that through transparency and mutual understanding, those involved in the difficult situations that lead to such requests can make more responsible and better informed decisions.

Michelle Paulson, Legal Counsel*

* I would like to thank Roshni Patel (Privacy Fellow at WMF) for her help and guidance in the development of these guidelines.

  1. Our draft Privacy Policy was approved by the Wikimedia Board of Trustees on 25 April 2014 and will go into effect following a notice period.
  2. For the avoidance of doubt, we believe a warrant is required by the 4th Amendment to the United States Constitution, which prohibits unreasonable search and seizure and overrides conflicting provisions in ECPA. We believe that the ECPA needs to be updated so that your electronic communications and documents are granted protections equivalent to those already granted to the physical documents you keep at home or in your office. To that end, we joined the Digital Due Process Coalition last year to help in that effort.
  3. While user privacy is one of our top priorities, we also care about keeping the public safe and keeping our users free from harm. To that end, we may provide user information in response to an emergency disclosure request. You can learn more about how to file an emergency request in the guidelines.
  4. Certain information about requests for user information will also be publicly reported in our transparency report. The first WMF transparency report is currently scheduled to be released later this summer.