Wikipedia:On privacy, confidentiality and discretion

As Wikipedia has grown to become one of the most popular websites on the internet, accessed daily by millions, numerous attempts have been made to develop a consistent way of protecting the private personal information of those who create and develop its content, while at the same time protecting the encyclopedia from abusive editing practices. The processes that have been developed over time are, in part, contradictory, because of the inherent tension between protecting the individual and protecting the institution. External pressures have resulted in paradoxical reactions within the English Wikipedia community.

The Wikimedia Foundation (owner of Wikipedia) is largely uninvolved in internal community decisions, and has therefore remained largely silent on project-specific privacy and confidentiality issues beyond its own privacy policies that are mandatory on all hosted projects.

Who are we when we edit Wikipedia?
Wikipedia and the Wikimedia Foundation do not require that editors identify themselves by their legal names or by providing private information to confirm their identity. Editors may establish accounts in any of the following ways (in order of likelihood that the Wikipedia account will be linked to other activities):
 * Account name = real name (or a variation of real name)
 * The level of privacy is dependent on how common one's name is, and how much personal information one provides on-wiki or elsewhere. Real names can be easily linked to other internet references.
 * Account name = pseudonym used for internet interaction on multiple sites, or easily found on search engines
 * The level of privacy is dependent on where else the pseudonym is used, and what personal information has been provided on-wiki or on the other sites. Even if it may not lead directly to a real life identity, other activities may be identified or a profile gradually constructed.
 * Account name = IP address (i.e. no account name)
 * IP addresses can vary in level of anonymity. IP allocation on some ISPs changes very quickly, whereas others can remain stable for months or years. Some countries have a very limited roster of IP addresses. Many businesses have dedicated IP addresses that, when checked, will reveal the corporate name and location. Because the IP is displayed in the edit history it may be easier to uncover the editor's real life identity than it would be when a pseudonymous username is employed.
 * Account name = pseudonym specific to Wikipedia/Wikimedia activities only
 * The level of privacy is dependent on what personal information is provided on-wiki, as long as the Wikipedia identity is not discussed off-wiki. This is likely the most secure method of editing Wikipedia and has the lowest risk of the Wikipedia identity being linked to the real life identity.

The opportunity to edit without linking to a person's real world identity provides a degree of confidentiality to those who could be placed at risk if they edited using their legal names. This confidentiality is not guaranteed, however, and is largely dependent on editors withholding personal information about themselves.

Expectations vs. reality
Wikipedia is a public project. Every time an editor hits the "save" button, the editor is publicly publishing their words. Each editor is individually responsible for what they have published on Wikipedia. This is explained in the Wikimedia Foundation's privacy policy. There is no right to privacy when it comes to editing Wikipedia.

Nonetheless, many editors have come to expect that Wikipedia will take steps to assist them in managing inadvertent revelations of personal information. The range of expectations can include deleting or even oversighting of edits, removal of links to external sites that link editing pseudonyms to private personal information including names, and disallowing references to prior accounts that may have had personal information associated with them. The on-site processes governing such actions are contradictory, in part because of the conflict between protecting individual editors and protecting the encyclopedia as an independent entity. Access to this assistance is inconsistent.

Reversion, deletion and/or oversight of edits
Any editor can revert an edit; however, it is still available in the history for other readers or editors to view. Editors who come across private personal information about another editor that has been added by someone other than that editor should be encouraged to revert the information, and to contact an administrator for deletion of the edit. Serious privacy breaches can be oversighted by using an extreme form of deletion that removes the edit from the view of all but a few users; it is often better to have the edit deleted first while contacting the Oversight team. Any administrator can delete individual revisions or log entries, subject to the revision deletion policy. This hides the edit from the view of all but other administrators. Many privacy breaches can be addressed sufficiently with simple deletion. Deletion is appropriate for certain personal attacks and may be an appropriate step in removing a serious privacy breach from the database before an editor with oversight privileges can be reached.

Oversight is intended to address only very serious breaches in editor privacy: non-public personal information, such as phone numbers, home addresses, workplaces or identities of pseudonymous or anonymous individuals who have not made their identity public. It is also used to address libellous information and copyright violations, and some lower-level privacy issues. There is both a Wikipedia policy on oversight, and also an overriding Wikimedia Foundation policy. Editors with oversight privileges continue to have access to the removed information via the oversight or suppression log. Since late January 2009, the former extreme "oversight" process has been replaced with a less drastic measure referred to as "suppression". While the privacy-violating information is removed (whether it is the full edit, the edit summary, and/or the username), it is noted in the history of the page as having been redacted. This process is also used for editing logs that contain personal private information.

Removal of links to external sites
External links are used throughout the encyclopedia for various reasons, mostly in the mainspace to support content or in content discussions on talk pages. Occasionally, external links are used elsewhere, again frequently with relation to discussions about content, but sometimes in innocuous messages between editors. Only rarely are external links problematic in relation to editors: when an external link is used to create a personal attack against an editor, and when an external link in article space leads directly to private information or an external personal attack about a specific editor. Generally speaking, our guidelines on external links will determine whether or not a link is suitable for article space; high-value links will usually be kept despite an allegation that there is a personal attack directed at a specific editor. Further guidance can also be found at Linking to external harassment, which includes a link assessment table, and some general information for editors who feel harassed by the presence of certain external links.

Harassment related to personal information
Some editors have started Wikipedia accounts and revealed personal information about themselves. While the information may not fall into the "private" classification, some editors have included their marital status, sexual orientation, name of employer, general or specific location, educational institutes attended, age, and so on. The majority of editors who provide such personal information are never contacted in real life, and have had absolutely no problem as a result of these self-revelations. A small number of editors, unfortunately, have had their off-wiki life disrupted by individuals who have directly or indirectly used this information. Some Wikipedians have left the encyclopedia due to such harassment. Many others have remained; some of them changing usernames.

It is critical for editors to understand that, once they have added personal information about themselves to Wikipedia, there is no way to prevent its use or keep it from being seen. Edits anywhere in Wikipedia are subject to the GFDL, and as such others can copy or reproduce the information without anything other than attribution. Information need only be visible on Wikipedia for a brief period for it to be copied and permanently mirrored on another site.

References to prior accounts
Some editors who become concerned about the security of any personal information they have revealed will elect to continue to contribute to Wikipedia using a new username, simply by starting a new account without going through the formal processes to change one's username.

Moving to a new username may seem a simple and obvious step to eliminate harassment; however, if the editor returns to an area where they have made significant contributions in the past, there is a strong likelihood that other editors will recognise the editing style. In some cases, particularly if the topic area has a history of sockpuppet problems, editors can expect to be challenged and/or be subjected to a CheckUser review to ensure that there has been no abuse of alternate accounts. Editors who start a new account can protect themselves somewhat from accusations of abusive use of multiple accounts by notifying the Arbitration Committee and CheckUsers; however, that will not prevent the legitimate concerns of other editors from being put forth.

Of special note, administrators who elect to change usernames but also wish to retain their administrative privileges must proceed with the assistance of a global renamer, and their administrative account will be linked to the new username. This change will be immediately noticeable to anyone who tracks administrative privileges. There is no privacy benefit for a change of name of an administrator account; however, administrators may have other reasons for changing their usernames.

CheckUser
CheckUser is a feature designed to protect the project from disruptive editing activities. Individuals with CheckUser privileges have access to technical information about accounts, such as a list of IP addresses from which an account has edited within a certain period, and data about the computer(s) used in editing sessions. Access to this feature is logged, and the log is available for review by other CheckUsers or the Ombudsmen. The primary purpose for which CheckUser is run is to identify additional accounts that have been used, or could be used, disruptively by a single person. On rare occasions, a CheckUser may be run to identify an editor who has made threats, in order to provide information to police; this kind of check is most commonly performed by specifically-authorized WMF staff.

The use of the CheckUser feature can be controversial, in part because its use is not transparent. On English Wikipedia, administrators and editors may request checks through private channels (email, IRC, or other messaging), and CheckUsers may run queries without a specific request when they themselves identify suspicious accounts. Some other Wikimedia projects require that all CheckUser requests be made on-wiki. English Wikipedia CheckUsers routinely participate in cross-wiki checks to identify and block spambots and cross-project vandals. It should be noted that English Wikipedia is the largest project and is the main target of several virulent serial vandals using multiple accounts, often causing large-scale disruption over a very short period; advance identification of such accounts prior to their being used for disruption, without alerting the vandal, is a net gain for the project. Many disruptive editors using multiple accounts have been identified and neutralised by non-public checks in conjunction with other investigative processes. Some editors and administrators may make a non-public request for CheckUser in order to prevent reputational harm to an account that may be incorrectly suspected of sockpuppetry. It is in this setting, and with this history, that the current CheckUser practices have developed.

CheckUser is a double-edged sword. It is useful, in many cases, for identifying problematic accounts and ferreting out behaviour that is harmful to the encyclopedia (in the broad sense); however, many editors find the concept of "checking" to hold significant potential for unwarranted invasion of privacy, especially when viewed in the light of the level of discretion granted to users of the CheckUser tool in its application. Editors working in an area where there is a history of abusive use of alternate accounts should be aware that their account may be CheckUsered.

Information about editors who are not the target of a CheckUser will sometimes be brought up during a legitimate check being performed on another account, particularly when the editor shares a highly dynamic ISP or a narrow IP range with the target account. Editors will generally not be informed that a CheckUser has been performed on their account, or that their account came up during a CheckUser.

Disclosure of CheckUser results
The results of requests publicly posted on the sockpuppet investigations (SPI) pages are normally made publicly, and can link usernames (including those based on an editor's real name) with IP addresses. CheckUser requests made publicly on the talk page of an individual checkuser may or may not be responded to at the same location. CheckUser requests made via email other direct contact with a CheckUser, or those made through the Arbitration Committee or Functionaries mailing lists, are often not disclosed publicly at all, except with the identification of a checkuser template on any relevant blocks. In some cases where a private checkuser request has resulted in significant findings, the checkuser may ask that the requesting party post a SPI request so that the results can be publicly documented.

At the same time, CheckUsers may also be involved in discussions in other internal forums, such as various Administrator's noticeboards, and may provide CheckUser results, including some details to assist administrators and others in understanding how the decision on likelihood of abuse of alternative accounts has been made. Release of this information is at the discretion of the CheckUser; only in exceptional circumstances will there be a direct link to a real-life identity that is not also the user's account name.

There has been no significant discussion on-wiki as to whether or not individuals whose accounts have been subject to CheckUser review should be permitted to authorize disclosure of the CheckUser findings. This form of voluntary disclosure of private or possibly personally-identifying information does not appear to be out of line with the accepted practices of editors using their legal names as usernames, or of editors providing other personal or even private information on their user pages or in on-wiki postings. It is not clear what harm would be caused with revelation of CheckUser data provided it is limited to data specific to the subject of the check, and is posted with the full agreement of the holder of the checked account; however, it may be difficult to separate data specific to one account if information relating to multiple accounts is revealed during the CheckUser process.

Other confidential information
Editors may choose to share personal information that does not meet the threshold of private information with other editors, most frequently in personal conversation on user talk pages, or in an off-wiki process such as email, IRC or other messaging process. Most people presume that information shared off-wiki is confidential; however, sometimes that presumption of confidentiality is unrealistic. People should be mindful of the following factors:
 * Large forums, such as mailing lists or IRC channels (even supposedly private ones), should be presumed to be "leaky". This applies whether there are five or five hundred people with access.
 * Relatively harmless or insignificant information (e.g., opinions on music, favourite foods) is less likely to be revealed than that which illustrates problematic editorial behaviour. Block shopping, perceived threats, defamation of other editors, or a stated intention to systematically affect content using out-of-process means or to otherwise disrupt the project is more likely to be shared with others beyond the original recipient(s).
 * Requesting that a correspondent behave in a way that they feel is improper or harmful to others or to the encyclopedia may lead the correspondent to alert others of the request.
 * Individual understandings of discretion vary widely amongst people; Wikipedia editors are no different.

The Arbitration Committee accepts confidential information in its cases in limited circumstances, as noted in the Arbitration policy. Because of current technical limitations of the Arbitration Committee mailing lists, any private information is likely to remain in its archives for the foreseeable future and will not be deleted.

Attempts to develop Wikipedia policy with respect to private correspondence and confidential information have been unsuccessful, for several reasons. See related rejected proposals Private correspondence, Correspondence off-wiki and Confidential evidence.

A note on discretion
Many editors will establish off-wiki relationships with their peers, whether it be through social media, the occasional exchange of email, chatting in IRC, or in some cases meeting up at Wikipedia-related events or elsewhere. Personal information is often exchanged; in the cases of meet-ups, photos or videos may be taken.

All editors are reminded that there can be serious consequences to sharing this personal information on-wiki, even when done in the best of faith. It's important to obtain permission from the subject before posting images, for example, because any free content posted to a Wikimedia site can be redistributed and reused elsewhere. Individuals whose discretion is found wanting by their peers may find themselves ostracised or even removed from the project. While the primary objective of Wikipedia is to collaboratively build an encyclopedia, collaboration is dependent to a certain degree on interpersonal trust and confidence in each other's judgment.