User talk:Thatcher/Quis custodiet ipsos custodes

Oversight?
Always a thorny problem. OmCom isn't an effective oversight body; our mandate is too narrow and our numbers are too few. The absence of even a local standard for the use of checkuser precludes any such body. I think the Arbitration Committee has the power to do this, and by example may set a local standard, but there doesn't seem to be much interest. That a number of current/former arbitrators hold checkuser invariably plays a role. Mackensen (talk) 23:55, 16 December 2008 (UTC)
 * The manner in which the leading candidates answered my question 1B gives me hope. Thatcher 00:00, 17 December 2008 (UTC)
 * I have a pretty good idea who the folks are behind the names. My concern is that the community seems loath to allow arbcom to settle these kinds of questions (block review, checkuser) for itself, yet is spectacularly bad at policy-making. I think it was Kelly Martin (before she was burned as a witch) who suggested a policy/privy council (this was ~2005) for handling these matters. I don't recall how far along the idea got. Given the inevitable toxicity it could only be imposed from above. I find I don't have much energy for those kinds of projects now, if I ever did. I've already spent longer in Wikipedia/User space than is my custom these days; I'm about due for another two months doing baseball and railroad stubs. Mackensen (talk) 00:08, 17 December 2008 (UTC)

CU stats
Question - This essay is really starting to scare me Thatcher :( I just wanted to know, what would you estimate are the percentage of checkusers, not counting ones for ArbCom cases or checks of other CUs' work (whenever that happens), that are done without a formal RFCU? - NuclearWarfare  contact me My work  00:47, 17 December 2008 (UTC)
 * I can only tell you my stats, and those of Raul654 who posted them to my talk page. I'll add links later.  In short, many/most checks are run off of stuff we see on the noticeboards, or our watchlists, or the checkuser mailing list, or private requests.  The main purpose for RFCU is to give checkuser access to editors who don't have the ear of a checkuser by some other means (although some checkusers watch WP:SSP and act on worthy cases without waiting for a formal referral to RFCU).  There is nothing wrong with running checks without a formal request at RFCU.  And probably 99.8% of checks are entirely legitimate.  I just think that there is no current effective mechanism for dealing with that last 0.2%. Thatcher 00:54, 17 December 2008 (UTC)
 * My stats are here, Raul654's are here. Thatcher 01:05, 17 December 2008 (UTC)

Oversight logs
The oversight log now does include links to diffs of the specific oversighted edits. I know that this information did not used to be available, and am not certain when the change was made or how far back it goes. Newyorkbrad (talk) 01:13, 17 December 2008 (UTC)
 * You can actually see the deleted content? That's an improvement (or my misunderstanding).  Can you see old diffs or just recent ones. Thatcher 01:26, 17 December 2008 (UTC)
 * Yes, we can. As indicated, I believe this was a recent change (don't know how recent). The available diffs go back to mid-2006, which I believe may have been when the Oversight capability was first created.
 * Incidentally, you might want to address the proposal to add the single-revision deletion function for administrators, which I understand is now technically available, but has not been implemented on En-Wiki for reasons I'm not sure of (perhaps concern that removing a revision can create a misattribution of edits around the same time, and we don't want this to be too common). I suspect that a fair amount of "borderline" oversighting on high-traffic pages occurs when a regular admin deletion (so the revision would be visible by admins) would be sufficient protection for the subject of the oversighted edit, but there too many revisions to make it possible or practical to delete and restore the page history. Newyorkbrad (talk) 01:41, 17 December 2008 (UTC)
 * Single revision deletion would reduce the volume of oversighted edits (and thus the potential for misuse) but would not eliminate the need for an independent panel to review disputed cases. Thatcher 04:09, 17 December 2008 (UTC)
 * Why exactly do we not have this turned on here? We need it badly. I think maybe a list of things that are available but not available on en:wp ought to be put before the community, and then some pushing to get them turned on here, might be a good idea. ++Lar: t/c 04:49, 17 December 2008 (UTC)
 * It's been there as long as I've known it, so that places it in 2007 it was introduced maybe? Ask someone who knows how to check the changelog on the oversight extension maybe. FT2 (Talk 14:56, 17 December 2008 (UTC)
 * Changelog is public (don't ask me where to find it) and the single_rev deletion extension has been done and sitting around for at least a year now. Just waiting for a dev to load it and a community consensus thingy to base it on.  MBisanz  talk 14:58, 17 December 2008 (UTC)
 * Can someone throw together something for the VP to start the consensus process? who would be against this? (this is tangential for this page, no doubt) ++Lar: t/c 23:28, 17 December 2008 (UTC)
 * If I understand correctly, we have the technical capability to delete single (troublesome) edits, we just haven't authorized its installation? — Preceding unsigned comment added by Tznkai (talk • contribs) 18:34, 17 December 2008
 * That's my understanding, yes. (although I could be mistaken) Hopefully actually getting consensus to turn this on would be easier than some of the other things currently technically available, but not yet approved by the community. But again, this probably isn't the place to discuss this side issue. Want to work with me on this? Drop me a note. ++Lar: t/c 15:27, 18 December 2008 (UTC)

The committee not named the Ombudsman Commission
While I like the idea of a local [something] committee in principle, I would raise a few points: --Mackensen (talk) 03:16, 17 December 2008 (UTC)
 * Call it something else. The Ombudsman Commission has specific responsibilities to the Foundation. A local Ombudsman Commission would have different responsibilities and a different mandate. Giving it the same name invites confusion.
 * Who would sit on this body? Ex-arbitrators, inactive checkusers? It's an open question whether such a body could truly exercise independent judgment. Much would depend on the standards adopted.
 * How would this body be chosen? To do its job, members would need access to private information of the most sensitive type. This almost demands appointment by the Arbitration Committee, but that raises the issue of independence again.


 * Mackensen, when this was last brought up by Anthere, you objected to the Ombudsman Commission's remit being extended to looking at checkuser misuse. Can you say why you don't want the Foundation to oversee that? I can't quite see the need for a local commission when we already have the Foundation one. SlimVirgin  talk| contribs 06:42, 17 December 2008 (UTC)
 * The statutory reason is that the Ombudsman commission was created to investigate complaints about violations of the privacy policy, and the privacy policy specifically talks about release of private information, not the act of checking itself. For the ombudsman commission to be statutorily empowered to investigate complaints that do not involve release, the Foundation would have to reword the privacy policy and/or enact new enabling legislation for the commission (and this does not begin to touch on Oversight).  The practical reason is that community standards of privacy vary widely on different wikis; Germany and Japan, for example, are much more strict than even I would advocate for enwiki.  Each complaint would have to be handled according to a different set of rules, which would be a very difficult task for the Foundation-level commission. Better for such complaints to be handled at the local level. Thatcher 13:58, 17 December 2008 (UTC)
 * If I may, Thatcher has articulated my objections. This sort of thing is best done at the local level, according to local standards, so long as these local standards are not weaker than the Foundation standard. Mackensen (talk) 23:42, 17 December 2008 (UTC)


 * I'm sorry to be dense, but I'm still not getting it. We currently have an ombudsman commission. It answers to the Foundation. Its remit is to investigate alleged privacy-policy violations. So why would it be a problem to extend that remit to cover alleged checkuser misuse?


 * Anthere approached checkusers about this in March. Several, including Mackensen, took the view that the ombudsman commission should not deal with checkuser misuse, because inter alia there is no global checkuser policy. But there is a Foundation checkuser policy. Here it is. So I'm not seeing what the issue is. Also, why would the Foundation have to reword the privacy policy, and so what if it did? It would surely be a simple matter to add to whichever decision created the ombudsman commission that they are empowered to investigate alleged violations of the checkuser policy. SlimVirgin  talk| contribs 08:06, 18 December 2008 (UTC)
 * I think we're talking at a cross-purposes here. There are two policies at play: the privacy policy, which governs the release of privileged information, and the checkuser policy, which governs how the tool will be used. The former can't be weakened by a local standard because it's the foundation's data in the first place. The latter is extremely broad; the only things forbidden outright are "political control" (nebulous) and checking without a valid reason. I don't have to tell you how difficult it is to determine what a valid reason is; projects differ on an acceptable criteria. What goes on this project wouldn't pass muster on the German Wikipedia, but we face a different set of problems which (at least in the view of this project's administration) require a different standard. That's why a local standard would be helpful--to take the existing policy at the Foundation level and give it some meaning, either through a test case or a consistent interpretation by a local body such as the one being proposed here. Mackensen (talk) 11:52, 18 December 2008 (UTC)


 * Yup. Thatcher 03:22, 17 December 2008 (UTC)
 * Thanks, Thatcher ;). I'll take that as an invitation to run at the mouth. Mackensen (talk) 03:32, 17 December 2008 (UTC)

There's a potential here to try a blind oversight mechanism. (Cue jokes). That is, I'm envisioning a system where there's a political tier (the oversight body) and a professional (for lack of a better word) tier, composed of checkusers. In disputed cases the checkusers, who are cleared for weblog data, could prepare a summary with the names and IPs left out/changed/generalized (i.e. J. Random Hacker edits from a large ISP in a North American city); enough for the body to rule on the merits without evaluating the data. This may be too much work. I think there are some possible advantages: Now, there are all kinds of potential abuses here. Nothing prevents private lobbying, although in such a system we would want to discourage it. It also places a burden on the checkusers to prepare a good report. My thinking is that both the checker and another, uninvolved, checkuser should submit reports. Possibly they could be selected at random. (Thinking out loud) I'm still not sure this is workable, but let's beat it to death and move on. Mackensen (talk) 03:40, 17 December 2008 (UTC)
 * 1) It potentially eliminates politics by separating the affected users from the oversight body. I have a particular case in mind where this would have been invaluable.
 * 2) It eliminates the need for members of the oversight body to be vetted by the Foundation.
 * I'm not sure about the multiple layers. Let's say there is a body responsible for investigating complaints that is not itself composed of Checkuser/Oversighters.  Take the case of Groucho and Harpo.  Harpo emailed me and said, "I think I was checkusered when I shouldn't have been."  I can certainly provide for the investigating body proof that Grouch did check Harpo (the checkuser log with Harpo's IP redacted).  But for the body to make a meaningful investigation of whether Groucho's check was politically motivated, they would have to be given the diffs of the dispute between them.  There would be no way to investigate unless they knew who Groucho and Harpo were.  So then, you have to require that the investigators take some confidentiality vow, that they will not disclose the identity of Groucho unless they find a serious breach.  (disclosing the name of every accused whether or not there was a finding would lead to major problems)   True double-blind independence is nice but highly impractical/impossible in many cases. Thatcher 03:55, 17 December 2008 (UTC)
 * Similarly, if I mentioned the topic area and banned user described in checkuser example 1, a blind monkey could figure out who the checkuser was. A truly independent review board (without Checkuser or Oversight permissions themselves and not beholden to Arbcom) would still have to agree to be bound by a strong confidentialty agreement and could not truly be blinded. Thatcher 04:01, 17 December 2008 (UTC)
 * Mack (or Thatcher, if you get it) Could you explain the multiple layers thing a bit more, please? I didn't quite follow how it works. Is it different in spirit than Jehochman's idea? ++Lar: t/c 04:47, 17 December 2008 (UTC)
 * I think what Mackensen means is that the review panel would be made up of people without Checkuser or Oversight who would therefore be completely independent of Arbcom and Jimbo. In order to review cases, they would be assisted by Checkusers and Oversighters who would prepare evidence for them, redacted if necessary, and blinded if possible.  I think the blinded part will not work at all.  The redacted part would work for IPs but not Oversighted diffs.  The panel could not decide if a diff was inappropriately Oversighted unless they are told what it said, but they can't be told the contents of any legitimately deleted edits unless they have permission (or at least are identified to the Foundation). Thatcher 04:55, 17 December 2008 (UTC)
 * I would create a new class of user who could inspect the Checkuser and Oversight logs, but not actually run transactions themselves. These users could be called Watchers. They could be appointed by Jimbo, or elected, or some combination. They would have to clear all the necessary privacy and trust hurdles. Jehochman Talk 05:14, 17 December 2008 (UTC)
 * The difficulty with that is that, from the logs, you can discern someone's IP. Let's say I pull the IPs for User X. Then I have a look at the edits on the IPs themselves. The log will show that immediately after getting X's IPs I got edits for Y. Not necessarily a direct correlation, but enough. Mackensen (talk) 12:16, 17 December 2008 (UTC)
 * Let's leave the developers out of it. I think the observers/reviewers should not be so vested in the tools that they lose their independence and fall into the "everything goes" groupthink, but I think the way to do that is to pick good observers rather than giving the observers a crippled toolbox. Thatcher 14:05, 17 December 2008 (UTC)
 * What would be the reason for not giving this review committee access to the tool so that they can check complaints for themselves? SlimVirgin  talk| contribs 08:08, 18 December 2008 (UTC)
 * I agree; they need to be able to examine facts on their own without relying on a third party to feed them information&mdash; otherwise, any true independence is lost. I don't think it's likely that there would be collusion to misinform the reviewers, but the simple fact that it becomes possible at all greatly reduces the value of the review.  &mdash; Coren (talk) 15:37, 18 December 2008 (UTC)

It's turtles all the way down. That is all. --MZMcBride (talk) 09:17, 18 December 2008 (UTC)

Slight correction
"The Arbitrators are all active Checkusers and Oversighters and are reluctant to issue rulings or find fault that might lead to curbs on their own discretion." Recommend "over" --> "mostly". Not all arbitrators have the rights, and some who do rarely or never use them (I have oversighted about four edits and have run just one checkuser all year). Regards, Newyorkbrad (talk) 03:39, 17 December 2008 (UTC)

big thank you
this is seriously good work, I think. Well done, and a big huge thank you. (full disclosure for what it's worth; 14 checks run on me, by at least 10 checkusers on at least 11 dates). Privatemusings (talk) 03:52, 17 December 2008 (UTC)
 * This is quite interesting and I share your concerns.  — Rlevse • Talk  • 10:52, 17 December 2008 (UTC)

Separation of powers
There is a pattern for good governance we can follow: separation of powers. I believe that Jimbo should appoint the Ombudsmen, without any input from the ArbCom. Then the two power centers can watch each other. Who watches Jimbo is a problem for another day. Jehochman Talk 04:41, 17 December 2008 (UTC)
 * Hmmmm. Thatcher 04:43, 17 December 2008 (UTC)
 * Perhaps have Jimbo name three members but have the community ratify the members--a reversal of what Jimmy does with the AC elections, but make it a hard requirement to pass--80% say, RFA style. The AC then names three members, subject to the same ratification process. Since the role of the "Watchers" or whatever they are is to protect the Community, they should have a small degree of input. rootology ( C )( T ) 05:29, 17 December 2008 (UTC)
 * With Jimbo breaking ties? Or, perhaps, a convention that ties go to the checkuser. I wonder how many people could pass the 80% threshold (I know I couldn't)? I suppose the real question is what qualifications one would need for the position. Hopefully some knowledge of sockpuppeting, maybe a little of networking. Interesting proposal though. Incidentally, three isn't sufficient for this kind of position. Mackensen (talk) 12:20, 17 December 2008 (UTC)
 * But it's a six seat position--3 from Jimbo, 3 from the Committe to start. If 80% is too high, 50% even would work, since the person would be already heavily vetted by either Jimbo or the AC anyway--its just to give the community SOME degree of control/authorization over it, since neither Jimbo nor the AC controls or owns Wikipedia. I don't know how I feel about Jimbo as tie breaker, since the basic function of this actually divests him (and the AC) of power. Perhaps a better idea is 2-3 Jimbo appointments subject to community ratification (since he has less power than the AC) and 3-4 from the AC, for an odd number. I'm not sure, but does the idea itself make sense? rootology ( C )( T ) 17:07, 17 December 2008 (UTC)
 * I like the idea in principle, but the devil is in the details. My concern with an odd number is that we'd see block voting in marginal cases. Either having an even split, or requiring a majority of two would ease that possibility. Mackensen (talk) 22:32, 17 December 2008 (UTC)

Lack of policy
As you suggest somewhere near the middle, the actual problem (with respect to CheckUser, at least) is the lack of any policy on its use. Creating yet another committee is meaningless unless there is one. It's really fairly trivial to find out what actions were taken; the logs don't lie. The real question is the significance of those actions, and a guiding policy is necessary to be able to accord significance. --bainer (talk) 12:28, 17 December 2008 (UTC) "The CheckUser feature is approved for use to prevent disruption, or investigate legitimate concerns of bad faith editing. The tool is to be used to fight vandalism, to check for sockpuppet activity, to limit disruption or potential disruption of any Wikimedia project, and to investigate legitimate concerns of bad faith editing. The tool should not be used for political control; to apply pressure on editors; or as a threat against another editor in a content dispute. (emphasis added)"
 * There is a policy, which states


 * The problem I see is that there is no meaningful review, by Arbcom or the Checkusers, of checks that appear outside this policy. What legitimate concern about sockpuppetry or disruption existed with respect to the Adam and Eve example?  How could Harpo be a reasonable target for a check when he was not blocked or banned?  (The Oversight policy is even more specific, setting forth a number of specific types of edits that may be Oversighted, none of which includes "edits that are embarrassing or that the editor later regretted for reasons having nothing to do with privacy."
 * There is also an issue of what might be termed "common law expectations of privacy." People expect that they won't be checked without "good reason," but in my experience the definition of "good reason" with Arbcom and the Checkuser community is much looser than would be tolerated by the general community if it was spelled out.  The Checkuser policy also does not specifically prohibit Checkusers from checking editors with whom they have a history of personal conflict. However, admin policy warns against taking action when the admin is involved in a dispute with an editor, and I think most ordinary Wikipedians would expect that Checkusers would at least respect that standard if not go beyond it.  Do we really need to spell out in writing that if you have a long-running feud with someone else, you should not checkuser them but ask for help from another checkuser?  (See my Arbcom election question 1B and the answers from the leading candidates.)  Likewise with Oversight, should Oversighters be removing their own edits, or should they ask for a second opinion?  (Can admins close AfDs for articles they wrote?  Can admins close article content RFCs when they have been participants in the dispute?)   Do these sorts of conflicts of interest really have to be spelled out in writing? Thatcher 13:10, 17 December 2008 (UTC)

Top Priority
My main reason for staying on ArbCom is to make changes to the way that peer review is done for people with Checkuser and Oversight access. I do not think ArbCom is currently exercising any meaningful peer review. So either ArbCom needs to start, or hand the monitoring of Checkusers and Oversighters to someone else. FloNight&#9829;&#9829;&#9829; 14:41, 17 December 2008 (UTC)

Oversight of oversight
Hi Thatcher, would you mind me commenting that 'oversight of checkuser' is a little misleading on wp where oversight has a specific meaning? The section "oversight of oversight" is amusing for the initiated, but probably confusing as hell to general readers. Perhaps simply supervision or as flo suggests above monitoring might be better alternatives. --Joopercoopers (talk) 15:15, 17 December 2008 (UTC)
 * How about Checkuser/Oversight Review Panel? Excellent work, Thatcher; what I am seeing here is roughly in line with several concerns I too have had.  Risker (talk) 15:39, 17 December 2008 (UTC)
 * A review panel is fine; in describing the function of the panel in the essay text, "supervision" and "monitoring" are less appropriate since they imply daily or routine intervention. "Oversight" is a really good name for the function of investigating and reporting on claims of misuse of special authority of one kind or another.  The problem is that Oversight is a really bad name for the function of hiding revisions. Thatcher 15:57, 17 December 2008 (UTC)
 * Sorry Thatcher, I rather rudely forgot to offer my congratulations as well - This is well written and honourable and actually sounds like the stuff of good governance. I'd go further and suggest that ArbCOM and the Ex-arb body relinquishes its checkuser functions altogether, and redefines its relationship with the 'investigators'. What's the rationale for them having it now? I assume its because ArbCOM elections are seen as the gold standard in terms of trust from the community, but there's no reason we can't vote for the judiciary and investigative law enforcement at the same time. We are suffering from a perception that Arbcom are becoming judge, jury, executioners and investigators - we need separation of those roles and to promote independent, competent prosecution of the roles with open integrity. I agree our use of oversight is a bad use of the language, but we're stuck with it, so shoe-horning the proper use of oversight next to it's wp meaning is confusing. --Joopercoopers (talk) 16:14, 17 December 2008 (UTC)

Regarding removing CU/OS from Arbcom, while I appreciate the concept of a separation of powers, there are times when ArbCom needs to get CU/OS data, and while those people with the CU and OS bits are usually considered trustworthy, there does exist the idea of minimizing private data exposure. ArbCom, looking at a case, will already need to be privy to the data. Why should non-ArbCom investigators also see the data? Unless the pieces that need investigation can be suitably compartmentalized from the remainder of a case. Even so, knowing what is being searched for, at least from the CU perspective, helps in running the analysis, so I think ArbCom should retain the CU/OS bits, unless the community is comfortable with CU/OS investigators being privy to, at least, part of ArbCom judgements. -- Avi (talk) 18:10, 17 December 2008 (UTC)

My own two $currency_subunit
For what it's worth, I wholeheartedly support the creation of a body tasked with examining misuse of checkuser and oversight that also has the authority to cause those rights to be removed when repeatedly or egregiously abused (perhaps indirectly by handing their conclusions to ArbCom for action); this body should investigate complaints from editors and readers, but also be allowed to question the right holders on their own when they observe use that appears questionable.

Members of this body (however it ends up being named) should be selected by the community (with ArbCom veto), be granted access to the appropriate mailing list(s) and given access to the tools to access the logs. Any use of the tool should be entirely forbidden for any reason and grounds for immediate dismissal and removal of the rights.

I am going to support, and push for, the creation of this body however the 20th turns out. &mdash; Coren (talk) 17:08, 17 December 2008 (UTC)

Letting users know of their own checks
What, precisely, is the benefit of not notifying users automatically when their account has been checked? Note: I understand that it exists; I'm not saying there's not one, but it's important to put this into words in a way everyone can agree on so that it can be properly weighed against the costs of this lack of transparency. --Random832 (contribs) 18:25, 17 December 2008 (UTC)
 * Some thoughts, Risker. As a theoretical example, there are times when a range needs to be checked. Sometimes established editors appear in that range. As there have been cases of established editors actually having sockfarms, the editor needs to be checked to see if theer is a relationship. However, if the editor comes up clean, why should there be an on-wiki record of something that may be used inappropriately to link a good editor with the name of a sockpuppet. Let's say no sockpuppetry is found, what should be said? Any onwiki name linking would be inappropriate. As for e-mailing the user in question, the privacy of the sockpuppeteer still may be an issue, in that we would be informing User X that blocked/banned User Y is on a similar range in the ISP. -- Avi (talk) 18:33, 17 December 2008 (UTC)
 * I assume you mean Random832, not Risker :-). For the record, at this point I pretty well agree with the position put forward by you and Thatcher above and below. I know my home IP changes regularly, and my username could show up on any number of checks even though none of my edits was considered problematic or had anything to do with the check. Risker (talk) 21:03, 17 December 2008 (UTC)
 * Why not do a notification that appears in your Preferences, privately visible to just the user, that says "Avraham checkusered Random832 on December 17th 2008" with no other info? It should only be for usernames, since we can't do it for IPs. If Random832 feels the check was inappropriate, he can then take it up privately with the AC, the "Watchers" if that happens, or the Ombudsman, and no one's privacy is violated. rootology ( C )( T ) 18:36, 17 December 2008 (UTC)
 * That still doesn't solve the issue of Random832 sending an on-wiki or off-wiki question saying "WHY?!?!?!" and my having to respond without violating the privacy of the sockpuppeteer or others established editors (if there is no evidence). I can answer "you were caught in a range that needed to be checked" but does that help the issue? -- Avi (talk) 18:40, 17 December 2008 (UTC)


 * Don't get me wrong, I'd like to see a way where we can balance more transparency with the privacy issues, but I would tend to lean towards protection of privacy where the two clash. -- Avi (talk) 18:42, 17 December 2008 (UTC)
 * Oh, I understand fully. But if the end result is that it discourages bad or inappropriate Checks, which is more valuable? A couple of socks sneaking through, or stopping misuse (which was always only alluded to, but we know now exists because Thatcher, one of the Checkusers, has confirmed it exists) because of the possibility of bad use being called out? I don't know the answer. rootology ( C )( T ) 18:46, 17 December 2008 (UTC)


 * Neither do I, which is why it is good to have these discussions [[image:face-smile.svg|25px]] -- Avi (talk) 18:51, 17 December 2008 (UTC)
 * The number of sockpuppets and vandals is much larger than the number of questionable checks, as far as I can tell. Thatcher 18:54, 17 December 2008 (UTC)


 * So are you saying that we should tend to the side of privacy here, because the number of poor checks is far, far fewer than the number of vandals, and thus the number of proper checks, and thus the potential for inappropriate privacy issues, Thatcher? -- Avi (talk) 19:01, 17 December 2008 (UTC)
 * I disfavor automatic notification. The information revealed would be incomplete, possibly misleading, possibly give vandals and sockpuppet abusers valuable information, and possibly violate people's privacy.  Checks run in two directions, I can "get IPs for User:Smith" or I can "get editors for 127.0.0.1".  If the actions "get editors for IP" triggers notification to all the editors revealed, that has quite a large potential for violating people's privacy.  For example, all the editors who work at IBM have the same IP, since IBM uses a single corporate firewall. Many universities, colleges, public and private schools, especially in the UK, use a single IP address.  In some countries and for some ISPs (especially Eastern Europe), the number of dynamic IPs is relatively small, so it is not unusual to see completely unrelated users on the same IP weeks or even months apart.  If someone gets notified and I say, "I was checking User:Smith and you happened to be on the same address" then Smith has been compromised. Or the user could just look at my contribs and block log to see which user I was tracking down when their IP got pinged.  I shudder to think of even one accident; suppose I am working on an RFCU for a Bosnian editor and some Serbian editor is able to guess that he lives in the same neighborhood as the target simply by means of the auto notification and looking at my contribs. Let's instead consider the case where "get IPs for User:Smith" triggers a notification to Smith.  That is less likely to violate the privacy of any other user, but the potential is there; if I my contribs show that I am working on RFCU/Jones and I check Smith, then it Smith is going to figure out he must share an IP with Jones, even if I tell him vaguely "I was checking someone else and your name turned up but you were cleared."  It also could give valuable information to vandals and sockpuppet users. In the case of some sock farms with multiple IPs or ISPs and groups of users that overlap, a listing of which accounts were checked (timestamped of course) could be a roadmap telling the sock user how he got caught and how to better avoid detection next time.   Thatcher 19:42, 17 December 2008 (UTC)
 * Just so I'm clear, what about literally just a "User:Thatcher checkusered User:Rootology" privately notified to me? The checked user (me) can then ask the CU (you) why privately? I wasn't saying a public notification--this would be something only someone with my password could see, literally, in preferences. rootology ( C )( T ) 19:45, 17 December 2008 (UTC)
 * If the answer is "I checked you because you are a pain in the ass and I suspect you of being some banned user whose IP range I might recognize" then there is no problem, at least from a privacy point of view. If the answer is "I was checking someone else and your name came up so I checked you to clear you" then it might be possible for you to determine who the "someone else" was from looking at my logs and contribs and therefore guess that you and the other person shared IPs (such as working at the same company).  I'm also thinking about some damaging threats that have been made in several cases where one editor says "does your employer approve of editing Wikipedia on work time"--that sort of thing. Thatcher 20:05, 17 December 2008 (UTC)
 * Also, if only "Thatcher got IPs for Rootology" is reported, that will leave you ignorant of all the times I ran a check like "Thatcher got editors for 86.214.74.114" which you were on. Is an incomplete notification better than nothing or is it misleading by omission? Thatcher 20:12, 17 December 2008 (UTC)
 * That's what I think a lot of people (or some, I don't know) are stuck on. Is simply knowing you were checked a bad or good thing? I don't know. Who controls the CU policy? Would there be support for language on it that "anyone can be checked anytime"? Thats the way I was sort of looking at it, given how viscerally upset some people get over the knowledge they were checked. It would be interesting to see numbers on how many established, "known" users have been checked, and by whom. rootology ( C )( T ) 20:16, 17 December 2008 (UTC)
 * If you want to ask, "Was I ever checked" I would be happy to answer. (Well, I would have been...)  If you want an automatic notification, you run great risks that those notifications will allow people to make deductions about other people's IP addresses. Thatcher 20:38, 17 December 2008 (UTC)
 * I'm not so keen to answer that question because I think even that answer (was I ever?) gives away information that can result in a breach of privacy. ++Lar: t/c 15:34, 18 December 2008 (UTC)
 * Well, even if the answer is, "I checked you because you briefly shared an IP with a vandal/banned user, but the check cleared you", it would be hard to track down more without a specific date, so would probably be relatively safe. ("I checked you on July 7 at 11:13 UTC because you are on the same IP as banned user:Smith" would be TMI of course, which is why automatic reporting is a bad idea.) Thatcher 15:50, 18 December 2008 (UTC)

The issue with that is that there is no good answer for the obvious question "WHY" other than "BECAUSE". People using high-traffic IPs may get that notice near weekly. -- Avi (talk) 19:55, 17 December 2008 (UTC)

If I may, I think the real issue is that for many, checkusering is, presumptively, an act of bad faith. This isn't the case--when I find suspicious traffic on a range, I'll look at the individual accounts to clear my own suspicions. There's been enough high-profile socking that I don't give anyone a free pass in this regard. I view checkuser as a technical exercise, but there are some people who would never accept a perfectly innocent explanation. I understand the impulse, but I don't see this as desirable or practicable. Mackensen (talk) 22:38, 17 December 2008 (UTC)
 * I agree with that. For most websites it is well known and well understood that IP data is collected, and there is no expectation of privacy regarding it at all, the site uses it as it sees fit. The culture here is different, and that's good. But the mere act of checking something out is not in and of itself a breach of privacy, in my view. It's release of the specific information that is the breach. Checkusers need to be trusted by default. Else why have checkusers at all? I'm fine with putting new processes and procedures in place to ensure that privacy isn't breached, that checks aren't carried out for political reasons and the like, but I'm not keen on the details of checks being discussed openly. The culture of taking umbrage merely because you were checked, often merely to rule something out, needs to change, it's rather corrosive. ++Lar: t/c 15:34, 18 December 2008 (UTC)
 * Having been checkusered at least twice that I know of, I've found it to be a rather painless experience. Granted I can understand some people's fear of private data being released from the void that is the database to a human's brain, but I suspect the resulting negative publicity from the endless "I checked X and it turns out they weren't Y" would lead to a stigma of the same kind as individuals who are desysopped or de-rollbackered currently experience.  MBisanz  talk 15:37, 18 December 2008 (UTC)

Visible on-wiki evidence of an Oversight having happened
What possible harm would there be of having a visible marker indicating something like


 * User:SuchAndSuch Oversighted revision #0000001 on December 18 2008.

I never understood that? Our SQL dumps are never up to date in any event, and when they get exported, it should be trivial to set them to exclude Oversighted or Deleted edits. rootology ( C )( T ) 18:29, 17 December 2008 (UTC)

I see much less of a problem with that, as opposed to having *User So-and-so checked the IP of user Such-and-Such in public. That already exists as a CU log and all CU's can see that the check was run, even after the results are scrubbed away (which is why sometimes, a check could be run but the results may be forgotten). -- Avi (talk) 18:35, 17 December 2008 (UTC)
 * I believe originally the oversight log was public. I've been doing a bit of writing about it at Revising history. --MZMcBride (talk) 19:08, 17 December 2008 (UTC)

Supposedly, this was so that people couldn't compare that article in an _old_ dump (from after an edit was made but before it was oversighted) with new ones. So the question here is, how many edits that are ultimately oversighted last long enough (or have unlucky timing) to have gotten into a database dump, and is it worth it given that someone intending to do so could just as well do an exhaustive search for _all_ 'disappeared' edits? --Random832 (contribs) 21:02, 17 December 2008 (UTC)

Other past oversight (mis)uses
There are a couple of more notable incidents you missed, one of which is kinda ancient. Jimmy (or someone) didn't want a revision left in Talk:Jimmy Wales, so they had it disappeared. The problem is that revisions are stored in complete form for each revision, so the content was simply re-attributed to the next editor (see link).

The other incident that comes to mind is the FT2 / Gerard drama, in which edits were removed to help a political election. --MZMcBride (talk) 19:24, 17 December 2008 (UTC)
 * Didn't know about the first one, the second one is already public knowledge. In the case of Gerard and zoophilia, best practice would have been to post an acknowledgement to the article talk page in December 2007 that edits were improperly removed and that the changes now attributed to some IP were actually made by FT2.  I assume Gerard was cautioned/warned, that would be sufficient for a first offense in most cases.  I am more concerns with transparency and accountability than in collecting trophies.  I would hope that no one who had been cautioned or warned would continue to make the same errors in judgement. Thatcher 20:09, 17 December 2008 (UTC)
 * Yes. That is the reason that I sometimes call it peer review. If we are picking the right people for the job, then I assume that the opinion of others would give them the insight that they need not to repeat an error in technique or judgment. Of course, if there are repeated lapses then that is a different matter. FloNight&#9829;&#9829;&#9829; 21:11, 17 December 2008 (UTC)

Auditing
What you're talking about is an independent oversight auditing panel - an idea I've heard come up a few times in private discussion. I think what is important is that this auditor panel is protected - from community member whim, from the committee, from the CUs and Oversighters. I'm not sure if I'd even want them to take complaints as such - we don't want the auditors to become hounded by a virtual army of unhappy users - that is going to lead them to quit or get skewed quickly.

A simple way of fixing it is for CU and Oversighters to be required to keep records - extensive records at that - regarding what they did, when, and why. Auditors would randomly - and occasionally not so randomly - ask for these in depth records as part of their normal functioning. It would be a lot of tedious work.

Selecting the auditors by election I am less inclined to do, any more than I would ask the people to elect cops, librarians, Supreme Court Justices or IRS officers (apologies to the non-Americans in the audience).

What I would thus suggest:


 * A 3 member auditor panel is selected by Jimbo, but not from the Arb, ex arb, active CU or OS pool. This approach has obvious problems, but I think the benefits of independence and dealing with the section of the community that is pissed at those users out weigh the penalties.
 * Panel members are given CU and OS permissions, but are not allowed to use them for anything outside of their auditing function. To do so immediately empowers a steward to remove both permissions, and the user is removed from the panel.
 * Panel terms are 6 month terms staggered every two months. Initial panel will have members with extra long/short terms as a result. Former panel members must wait at least 6 months to reapply.
 * Panel members lose both permissions at the end of their terms
 * CheckUser and Oversighters are required to have extensive records
 * Panel can demand records of any checkuser or oversighter: randomly or for probable cause.
 * Panel may, by majority motion, refer the matter to the Arbitration committee with recommendations
 * Finally, the panel should have the power to immediately remove CU/ OS on a unanimous vote

Its rough, but I think it is a start to solve the dramatically titled problems raised here.--Tznkai (talk) 20:59, 17 December 2008 (UTC)20:22, 17 December 2008 (UTC)
 * Would the votes/decisions be announced in public? I think it may be better to have Jimmy/AC split the appointments--perhaps Jimmy one, the AC 2, or vice versa, so no one party possibly inappropriately controls the oversight. rootology ( C )( T ) 20:24, 17 December 2008 (UTC)
 * I think the auditors have to take complaints. There are tens of thousands of logged checks every month, and the number of questionable checks is quite small.  Unless you get lucky and spot one in the log at just the right time (as I did with the Adam and Eve case) you would have to sample an enormous number of checks to find the few bad ones.  If one logged check in a thousand was abusive, the auditors would have to check about 3000 events per month in order to have an 80% chance of catching at least one bad one.  One in a thousand corresponds to about 10 abusive checks per month, and I never saw evidence that it was that high (and I looked).
 * I didn't realize the volume was so big - which also brings us to the fact that the CUs are going to have a hard time policing themselves anyway. So complaints would have to be taken into account - but do we really want to have the panel reply to each and every one of the complaints? Seems like a distraction at best - and a drama factory at it worse. Some sort of middle ground is probably preferable.--Tznkai (talk) 21:04, 17 December 2008 (UTC)
 * Well, some complaints will come from checkusers themselves. I have seen a few questionable things, in one case it led to a pattern, in other case it seemed to be an isolated incident.  Some complaints will come from users, as was the case with Harpo, who emailed me and asked, "I was in a dispute with a checkuser and I think I was checked, can you look into it," or from the admin who emailed me to ask why some edits to Moe's user page had disappeared.  Many times the auditors can just say, "no you weren't checked" and that will be the end of it.  It remains to be seen how many requests there will be and how many will be legitimate concerns.  But yes, I think the panel needs to respond to every complaint. Thatcher 21:14, 17 December 2008 (UTC)
 * Here is my concern: Panel receives complaint from Yakov, that CU Xerses checked him extraprocedurally or some such. Panel checks the facts and determines "nope, everything is fine" and replies Yakov then is unsatisfied and complains again, and again, and again and again. Panel is left spending a lot of time communicating to an angry user who is unwilling to be mollified instead of following up on their own hunches and other functions.--Tznkai (talk) 21:47, 17 December 2008 (UTC)
 * There will always be people who push every process past the point of reasonableness if they disagree with the outcome (Afd/DRV, WP:AE requests, etc.) At some point the auditors just have to politely say, "We have already investigated your complaint and found no violation of policy or best practices" and ignore the user's continued emails. Thatcher 04:40, 18 December 2008 (UTC)
 * Rootology: maybe two members from Jimbo, one by community acclimation, RfC or straw poll? Sure - but Jimbo has indicated he takes advice from the AC anyway so splitting between the two isn't doing much to dilute the influence. And I'd say the vote totals should be, but I'd be reluctant to expose individuals panel to direct fire - the idea is for the panel to work as a whole not like the U.S congress.--Tznkai (talk) 21:10, 17 December 2008 (UTC)

(undent)What then should be the panel's (if that is what happens) remit be then? To respond exclusively to complaints, predominantly to complaints, predominantly to independent investigation, or exclusively to independent investigation. It is my belief that if any sort of review/audit system is put into place, it will have a lot of work to do filed complaints or self directed audits - I think we should give such a system some direction of what to focus on. An additional concern is how far back should the panel be empowered to look? The further you get from an incident, the less reliable evidence, recollection, and so on becomes. If my suggestion was put into place, CUs would be required to maintain records, and to fail to do so at their own peril. That doesn't however, account for the time before the records keeping requirement was put into place - how fair is it to demand CUs have an in depth recollection of a mistake they possibly made two and a half years ago? As I understand it, the log information goes away after a certain time as well.--Tznkai (talk) 20:12, 18 December 2008 (UTC)
 * I think that there definitely needs to be active monitoring of the way the tools are used. From my understanding, requiring there to be more than one person with Checkuser access on a Wiki came from the realization that regular users would not be able to discover all abuse of the tool, so at least two users need have it to prevent undiscovered abuse. We are expanding on the way that monitoring happens, but the same general idea applies. FloNight&#9829;&#9829;&#9829; 20:31, 18 December 2008 (UTC)


 * A real grab bag there.
 * The auditing panel's purpose should be to provide transparency and accountability to Oversight and Checkuser. The manner in which that purpose is achieved is likely to involve responding to complaints from the community, responding to issues raised by other Checkusers and Oversighter, and maybe some self-initiated actions.  Responding means asking questions of the various parties and making some kind of public statement about the finding.
 * The Checkuser log has a "reason" field, it should always be filled out with an informative comment. However, requiring checkusers to maintain separate records is a very bad idea.  Data retained by Checkusers is theoretically subject to subpoena just like the Checkuser logs from the Foundation.  If someone wants to force the Foundation to disclose someone's IP (for libel in a BLP for example), a clever and wiki-wise lawyer would also subpoena the Foundation to reveal the names and addresses of any Checkuser who ran a related check and then subpoena the Checkuser to turn over any data that was retained personally.  Since Checkuser data expires after a given time, personal records kept by Checkusers could be a goldmine of information for the right litigant.  It should be up to the individual Checkuser to decide whether they want to take that risk, and which cases (if any) and what information (if any) to retain.  Mandating it would make them all potentially subject to the hassle of responding to subpoenas.
 * If a Checkuser fails to leave an informative log summary and, when contacted by the panel, is unable to satisfactorily explain a check, that can be taken into account by the panel. Like any jury, the panel can decide for itself whether a claim of "I don't remember" is credible or evasion.
 * The primary goal is transparency and responsibility. I don't see any reason not to take old cases.  Sometimes there will be enough information in the log to answer (especially regarding Oversight, since the diff itself is now visible via the log) and if there is not, a polite, "We looked into your complaint but determined that too much time had elapsed to do a proper investigation" will have to do.  Certainly whatever page is set up to describe the process should include advice to make complaints as timely as possible. Thatcher 20:43, 18 December 2008 (UTC)


 * I don't have any special permissions (other than sysop) myself, so I'm not sure of the load - but how many complaints are there on average for CU/OS that are sent to the various lists?--Tznkai (talk) 20:35, 18 December 2008 (UTC)
 * @Thatcher: you bring up some good points - but if part of the purpose is not only to provide transparency and accountability, I feel that having some strict requirements helps - otherwise we're passing "Trust CU's collective judgment" to "trust the panel's judgment." If we can describe how the panel operates in a definite way, yet leave them with enough wiggle room to do their job right, this will work a lot better, and will inspire more trust to the panel. Another thing is, should all responses be public? I only bring that up because some people will want to bring up complaints in private because of fear of retaliation or some such. Would we require those complaints to be public as well? If we decide to leave the rules of thumb for evidence consideration up to the panel, I think as a matter of best practice they should publish how they operate internally - even if it changes as the panel changes membership, as the method at least, must also be transparent. On the matter of records, yes, there is greater legal exposure - but at the same time having some sort of record of WHY you did something is important in the event of legal action: people are never impressed by irregularities without concrete explanation. I'm not sure what concern outweighs the other, but I do know I myself would at least hold onto some data so I wouldn't have to rely on memory.--Tznkai (talk) 21:00, 18 December 2008 (UTC)

The other oversight of Checkuser: actually getting the right answer
Thatcher, you write about the need to ensure that all uses of the checkuser tool are for valid cause. This is reasonable. However, there is another concern: what if checkuser gets the wrong answer? It is extremely rare, but it does happen, and checkusers should be expected to own up if they make a mistake. Crystal whacker (talk) 15:36, 18 December 2008 (UTC)
 * Yes, that is a good point. I'm aware of some mistakes but I'm not aware of any particular instance where a checkuser failed to correct the mistake after having it pointed out internally.  Jumping up and down on the noticeboard or the RFCU page and shouting that a mistake was made is less likely to be effective than quietly contacting a second checkuser and asking for a recheck. I know most checkusers--and I hope all of them--would accept such a request.  I certainly did, and a lot of checkuser-L traffic relates to rechecks and double-checks. Thatcher 15:43, 18 December 2008 (UTC)
 * Thanks for explaining that. So, if I understand correctly, you think the system works well when someone inquires by email to have a checkuser double-checked. Crystal whacker (talk) 16:00, 18 December 2008 (UTC)
 * It should. It depends of course on who you email and what the technical findings originally were.  I know several of the checkusers who are extremely conscientious about getting it right and helping with questions; I won't name them because I don't want to leave the impression that other checkusers are not conscientious, I just know them less well.  And some cases can not be resolved by technical analysis.  For example, if a workplace or school has installed identical PC workstations, two different people can appear identical from a technical analysis standpoint.  The only thing we can do in that sort of case is to note the explanation and leave it up to the community to decide based on other factors whether to treat the two users as the same or not. Certainly an audit panel or review panel should be tasked with investigating complaints of inaccurate results as part of its mandate. Thatcher 16:16, 18 December 2008 (UTC)


 * Crystal whacker: Getting the wrong answer with CU is not "extremely rare". Remember, and, after all. I have never studied the stats here (and frankly am not quite sure how to start if I wanted to) so this is guess work but I would be surprised if the accuracy rate was better than 999 out of 1000. (that's pretty good mind you... it may well be worse, but I'd be surprised if it was better)... so as a CU I always am careful to say that I got or didn't get correlation, and leave it at that. Behavioural (WP:DUCK) analysis is always needed. And call me a softie but if someone presents a credible explanation (even if I've heard it 19 times before) I tend to give the benefit of the doubt. A fair bit of what I do is check other CU's work (almost always at their request) and a fair bit of what I do is work I expect another CU to check after me. This is true on en, and it's true elsewhere as well. (I think most en:wp CUs hold CU here and no where else, and I'm in a small minority that hold it elsewhere). So yes, if we are to be formalising a review panel, reviewing possibly erroneous results is clearly within mandate. But with very few exceptions (which I decline to name here), every CU I've ever worked with is terrifically willing to have their work reviewed and terrifically willing to admit they're not sure or may have made a mistake. So this should be relatively mundane stuff, just formalising what we do now rather than a source of new controversy. ++Lar: t/c 23:18, 18 December 2008 (UTC)

Another idea
I have convinced myself that ArbCom could be effective at overseeing Checkusers if they themselves refrained from acting as checkusers. They could have access to the tool for purpose of review, but they should not be performing routine checkuser work if they are going to be the reviewers. People cannot be trusted to review themselves or their close co-workers. It is common practice in banks and corportations to have financial contols implemented by people who do not work in the same office as those being overseen. In banks (at least Citibank) there is a regulation that each employee must take two consecutive weeks of vacation, during which time a different person performs their work. This serves as an opportunity to uncover any shenanigans. At Wikipedia, we should strengthen our internal controls. ArbCom would be a good place to start. Jehochman Talk 15:40, 18 December 2008 (UTC)
 * I noted that Arbcom could do the job in my essay, the question is do they want to? (And do they have time, etc.)  Or would they prefer to delegate and retain the right to supervise their delegates. Thatcher 15:57, 18 December 2008 (UTC)
 * Upon consideration, I think we should avoid creating more bureaucracy. It would be simpler to disentangle the Arbs from the admin and checkuser duties.  That would allow them to provide effective supervision. Jehochman Talk 16:38, 18 December 2008 (UTC)
 * However, as I wrote above, that does require, at times, that non-Arbs be brought into Arb issues if CU checks or a re-reading of OS logs are needed, which expands the number of people involved in a given Arb case. That's fine if the community accepts it, but now, Arbs can keep the pool of informed people smaller as they have the tools themselves. Then again, perhaps they can keep the bit for the sensitive issues, and delegate the standard stuff? -- Avi (talk) 16:47, 18 December 2008 (UTC)
 * Correct of course Avi - but your concerns were about the number of people with access to CU data. I see CU's becoming an essentially autonomous body, which Arb will have to request CU data from on an as-needed basis - this would actually restrict the amount of CU data being bandied about to just that required in arb cases - non-arb investigations of sock farms for instance would be handled by CUs proper. --Joopercoopers (talk) 16:52, 18 December 2008 (UTC)
 * Also, CU's should be an elected position. --Joopercoopers (talk) 16:53, 18 December 2008 (UTC)
 * Simpler: the Arbs appoint and supervise CUs.  The Arbs are elected.  One election is enough. The Arbs themselves should not run checkuser requests, though they may have access to the tool so they can inspect its uses. Jehochman Talk 16:55, 18 December 2008 (UTC)
 * From my experience, most of the current Arbs do not run CU's on a regular basis, so we have most of what you say already. -- Avi (talk) 16:58, 18 December 2008 (UTC)
 * (ec)Simpler - but less accountable - it's easy enough to hold 2 elections in December. People shouldn't run for both positions. It's also important for the CU supervision to be reciprocal, CU's must also monitor Arbs use of CU is just for the purposes of supervision. --Joopercoopers (talk) 16:59, 18 December 2008 (UTC)
 * I'm sure that's so Avi - but the purpose of setting up accountable institutions is to embed in the system checks and balances - the fact something isn't being abused at the moment doesn't mean it won't be. --Joopercoopers (talk) 17:00, 18 December 2008 (UTC)
 * I understand, JC. However, what is going to be implemented that does not exist now (in the 1-election suggestion)? Unless actually formalizing that Arbs should act as the CU audit committee is enough in and of itself? -- Avi (talk) 17:04, 18 December 2008 (UTC)

"Moe" and "Curly"
Hi Thatcher,

This section just came to my notice (via WR!). I suspect that I may have been involved in this case and if so, can shed a lot of light on the situation without discussing privacy-related details. If you'd like to confirm that I was one of the parties, I'll gladly take it from there. I'm all for more openness and accountability when it comes to both checkuser and oversight - A l is o n  ❤ 22:07, 18 December 2008 (UTC)
 * I don't actually know who Curly is, although you would be my first guess. FloNight and Moe both claim the oversight was in policy; I can not reconcile that with the description of the content given to my by the admin who asked me about it.  I suppose that if in addition to "ranting" (as it was described to me) he also revealed something personal like "You can all come to Boston and kiss my ass", it would be more appropriate to remove it. The reason this case sticks in my mind is that I was asked by an admin (who was quite annoyed), I asked around, I got no answer, the admin got no answer, and it was all sort of left hanging for a long time.  More an example of why more transparency is needed than an example of misjudgement, I guess.  And maybe it would be appropriate to post a copy of the non-personal portion of the comment somewhere so that it could be used as a diff if Moe really had run for admin and someone wanted to use it as a reason to oppose.  Not a black and white case, surely.  I should probably revise the essay a bit. Thatcher 22:19, 18 December 2008 (UTC)
 * And people are now emailing more examples. Fun fun fun. Thatcher 22:19, 18 December 2008 (UTC)
 * That's good (that you've become a clearing house and people are willing to come forward) and bad (that there ARE more examples), hm? ++Lar: t/c 23:21, 18 December 2008 (UTC)
 * I never thought the things I noticed would be the only things. I've heard about a couple of recent things and a couple of old things.  What matters, I think, is that whether they have substance or not, we need to have a more transparent process for dealing with such reports. Thatcher 03:06, 19 December 2008 (UTC)
 * So does this mean we already have a de facto audit committee (The Thatcher commission [[image:face-grin.svg|25px]]). -- Avi (talk) 23:46, 18 December 2008 (UTC)
 * Hah. Even if I still had the tools I couldn't do anything about the issues that have concerned me.  I've learned, for example, that Arbcom was considering the Adam and Eve situation and got sidetracked into an unproductive discussion about whether all Checkusers should be required to sit down occasionally.  Sounds like Arbcom to me... Thatcher 00:51, 19 December 2008 (UTC)

Ok - just to answer this. This incident relates to my oversighting of revisions of a "Moe's" userpage. Yes, it did contain an "I'm leaving!!" rant, but it also contained information regarding a third party that this person was related to. The information was related to something which was intensely traumatic to that person, and that person had serious RL issues at the time - issues that ultimately involved the authorities. "Moe" was not directly involved in those, but the reference was there. It was in deference to the third party and not to "Moe" that these edits were removed. I cannot say any more than that as editors local to these people will go "aha!" and this person will be hurt all over again.

When the edits were removed, I was approached by User:Morven to explain my actions. As part of my reply to him, I said the following; " ''"Hi Matthew, I'll gladly address the points below. However, due to its inherent private nature, I'd like this circulated amongst the sitting arbitrators only with possibly other people such as Cary or Jimmy [Wales]. I'd rather not broadcast it to the somewhat-open arbcom mailing list. Therefore, I will forward my statement to yourself, [FloNight] and Charles Matthews, for dissemination to the other arbs."''

I emailed a detailed, 600-word reply to Morven, CCing FloNight and Charles Matthews. The reply I got said, "Thanks, Alison. I figured there would be a decent explanation for it", along with some details as to my possibly making a statement, if required, at that person's future RfA. Later, this went to Jimmy Wales as the person requesting oversight was concerned that personal information had been leaked via the ArbCom mailing list. Jimmy independently vetted it himself and okayed it.

And that's about it. I cannot release any further information, but hope this is okay - A l is o n  ❤ 20:04, 23 December 2008 (UTC)

Term limits
I'm not sure whether term limits are the answer, but since I brain stormed the idea I'll post a few thoughts: I suppose one major problem would be those sockpuppeters who are known by a particular checkuser, and whether they could be adequately followed after that CU left. On the other hand, we already have sockpuppeters who aren't adequately followed by any particular CU, and it seems likely that substantial problems could be dealt with as they arose. Thoughts for consideration. Mackan79 (talk) 08:56, 19 December 2008 (UTC)
 * 1) What's needed seems largely to be a higher standard among checkusers, and a recognition that this is a position of high trust to the encyclopedia not unlike a fiduciary relationship.
 * 2) In the public sphere, means for achieving these kinds of standards are a separation of powers, or independent prosecutors, or the electoral accountability of an executive. In the private sphere you have other means.  Nobody expects high standards to arise on their own.
 * 3) Wikipedia is an open encyclopedia, where it is difficult to set up these kinds of oversight mechanisms.
 * 4) There is nevertheless a community which should have faith in the people who have access to their personally identifying information, and faith that access to this information will only be used in a thoroughly impeccable manner.
 * 5) Because of the private and investigatory nature of the information, direct community oversight of the use of these functions is impractical.
 * 6) Although problematic, the current standards are supported by at least a few factors, significantly a.) that only respected and active community members are assigned to these positions, and b.) that while the community does not directly make appointments, it is at least offered a chance to comment on candidates.
 * 7) While recent appointments therefore carry some community "mandate," the longer they serve in the role the less this is true and the less their connection to the community. Other problems over time could include an increasing chance that they became disaffected with Wikipedia.
 * Like any term limit proposal, you will drop some Checkusers who may not be performing up to standards, but you will also drop some Checkusers who are doing unquestionably excellent work, and you will lose some institutional memory. Thatcher 13:29, 19 December 2008 (UTC)
 * As Thatcher said if you implement term limits, you will lose some of the most capable and most devoted CUs due to the technical imposition of the limit. As it stands CU is currently treated as a high-trust position, only given to those elected as Arbitrators by the community or (for a few) those whom the ArbCom has investigated and feels trustworthy, and the most recent group also had the opportunity for full-community comment. Part of having multiple CUs in a project is specifically so that the CUs can police each other. An independant body would still need to have the bit to check the CUs, so there would tend to be a merging of parties anyway, unless we create a class of local ombudsmen that do not perform CUs unless for the purpose of auditing. Then again, one of the suggestions above is to let ArbCom perform that role.
 * More importantly, what is the actual benefit of term limits in an electorate? If I am not mistaken, it is to ensure both that those elected to represent the community actually do represent the community and do not become so entrenched in power as to be able to do what they please without regard for those whom they are supposed to be representing in a republican form of government. How exactly is that appropriate for CUs and OS? A CU/OS is not supposed to be "acting for the community", rather, they are more the investigative branch of wikipedia. Their jobs are to investigate allegations of technical violations of the multiple account policy and enforce the existing policies. Having term limits for CUs is equivalent to having term limits for Homicide detectives. Similarly OS is also a technical position (that may be defunct if we get single-revision deletion installed). ArbCom, which is a judicial position, is where term limits may be more appropriate, although on a personal level, I have always been against term limits, as I believe the electorate should be intelligent enough to vote OUT someone inappropriate, and not lose the opportunity to keep someone good in for longer, but that is neither here nor there. -- Avi (talk) 15:41, 19 December 2008 (UTC)
 * Sometimes bad people are given power and authority, and sometimes good people are given power and authority but develop bad habits or even actual corruption and misconduct over time. One way of dealing with this is to selectively examine the power-holders and get rid of the bad ones.  Another way of dealing with the problem is to term-limit all the power holders.  The assumptions behind term limits are (1) every power holder eventually becomes corrupt, or (2) it is too difficult to catch the bad guys with individual investigations.  If you want to keep your vegetable garden free of cabbage moths, you can either pluck the larvae off the individual plants or you can spray the area with pesticide once a week. Thatcher 20:39, 19 December 2008 (UTC)
 * I may not have meant "term limits," but perhaps just terms of any sort. We don't have term limits for ArbCom, but at least we have terms.  It's an interesting choice, in any case, that people would be given life access to CU information in a position without any real expectations, or accountability, or even necessarily any interaction with others.  No way to see odd personal behavior, or if someone is taking home files that they shouldn't be, etc.  Comparing police detectives or independent prosecutors or the like, my understanding is that there is generally either a great deal of oversight, or a clearly delineated role and term.
 * The related problem, though, is that a culture of stamping out controversial (and stubborn) use where it arises just doesn't seem likely to happen, especially by new CUs against old. Sanctioning individual checkusers, even by an independent panel, would likely be too controversial, too much like government, and too prone to problems.  On the other hand, rotating CUs may be more responsive to community concerns (or even concerns in general), closer to equals among each other, and thus may even do a better job of overseeing each other as well. Mackan79 (talk) 08:38, 20 December 2008 (UTC)

Since these are volunteer positions, then rotating them amongst different people has merit, I think. In most organizations with volunteers, some shuffling of volunteers assignments happens fairly regularly. Since the Community wants to limit the number of people that have checkuser and oversight access, the only way to include different people is to retire some users.

My preference is for people to have Checkuser and Oversight access for no more than 3 years. Then they sit out a year and can ask for it back if they are still interested and the people choosing think that they are the best pick for the job.

Also, I would like to change to on twice a year on site elections. The main election would be mid year, with a smaller replacement election done at the same time as the ArbCom election. There would still be a certification step after the election done by all or one of Jimbo/ArbCom/Foundation to make sure the people are who they say that they are. While I'm strongly against doing spontaneous vote for one candidate Request For Checkuser method votes, I think the Community can elect good candidates if given a selection of nominations and time to look into them. FloNight&#9829;&#9829;&#9829; 21:36, 19 December 2008 (UTC)
 * I'd agree that reconfirmation every interval of time is a good idea, but a year of sitting out will do little but deprive Wikipedia from the services of a volunteer if there were no problems. &mdash; Coren (talk) 22:55, 19 December 2008 (UTC)
 * Because we will have more people volunteering for the job than job slots. I think an organization is healthier when the work is spread around among more interested and skilled people. FloNight&#9829;&#9829;&#9829; 23:15, 19 December 2008 (UTC)
 * As I suggested earlier, terms could be staggered in order to retain some institutional memory, and I agree with FloNight, spreading the work out has many benefits.--Tznkai (talk) 19:52, 20 December 2008 (UTC)

A modest proposal
I have just posted a proposal for a board tasked with ensuring transparency and accountability for Arbitration, Checkuser and Oversight. The proposal is available at Review Board, and comments are welcome and sollicited.

Please note that this is a proposal from a new Arbitrator, but not a Committee proposal. Other arbitrators have examined, commented, and assisted in the crafting of this proposal, but in their individual capacities. &mdash; Coren (talk) 23:54, 21 December 2008 (UTC)

Jimbo
I think the name "Jimbo" should be changed; it implies Jimbo Wales even though you say the names have been changed. Tez kag 72 01:53, 31 December 2008 (UTC)
 * It does mean Jimbo Wales. I had an email conversation with Jimbo and checkuser Smith about checkuser Smith's behavior.  Jimbo agreed it had the appearance of impropriety but checkuser Smith refused to change his practice.  Smith is a pseudonym of course but Jimbo is not.  This highlights the need for some sort of independent review system. Thatcher 15:14, 2 January 2009 (UTC)

Out of curiosity
What has been (without naming names) the response, feedback, and attitude been from Checkusers and Oversighters since posting this? rootology ( C )( T ) 17:17, 2 January 2009 (UTC)
 * I don't think I've gotten any responses other than those on this talk page. Thatcher 19:43, 2 January 2009 (UTC)

Still active?
Sincerest regards, are you still active? I would like to send you a letter with regards to an old account. DawnisuponUS (talk) 01:50, 30 March 2009 (UTC)
 * I'm still alive but not very active. You can send me email but since I no longer am a checkuser and I deleted all my files and emails, I may not be much help. Thatcher 14:14, 30 March 2009 (UTC)