To: DR@ruwiki, OneLittleMouse@ruwiki, Q-bit_array@ruwiki, Wulfson@ruwiki, Ле_Лой@ruwiki
Dear ruwiki CheckUser,
This follows up on our request to you dated Jun. 25, 2017, concerning ruwiki's process for granting the IP block exemption ("IPBE") flag. As you may have inferred, the Ombudsman Commission was reviewing if requiring IPBE applicants to undergo a CheckUser investigation violates or conflicts with a relevant global policy.
We would like to inform you that we have since concluded this investigation. No violation of or conflict with a relevant global policy has been found.
Please find below an anonymized version of our concluding statement. In particular, please see section IV(2), which is directed at ruwiki CheckUsers.
If you have any questions, you can reach the Commission at <...>.
Thank you in advance.
By the Commission.
<...>
START COPY OF CONCLUDING STATEMENT
The Ombudsman Commission has completed its review of the CheckUser requirement imposed by ruwiki's IP block exemption (IPBE) policy.
I.
(1) In the recent past, the Commission has been asked several times to weigh in on IPBE-related issues. As a general matter, it is our position that the CheckUser tool may be used on users applying for the IPBE flag if and to the extent that those applicants consent to the use of the CheckUser tool. Absent such consent, such routine checks would generally not be covered by the CheckUser policy since a request for the IPBE flag is not in itself indicative of vandalism, sockpuppet abuse or behavior disrupting the project, and hence does not in itself constitute a "valid reason" to check a user. See, CheckUser policy - section "Use of the tool": [1].
(2) The Wikimedia Foundation has previously expressed its agreement with this position. In particular, it agreed with this Commission's recommendation to the projects to "establish a process whereby users consent to these checks before receiving the IPBE flag". See, WMF Legal, Legal/Statement regarding IP block exemptions: [2].
II.
The present complaint draws attention to the fact that users willing to be granted the IPBE flag are, in the words of the complaint, "forced" into being subjects of a CheckUser investigation. The complaint concludes that this violates the "principle of Checkusing is not fishing".
III.
(1) The Ombudsman Commission has a narrow mandate. To the extent relevant for this investigation, it can generally only look into alleged violations of the CheckUser, the Access, or the Privacy Policy, as well as potential conflicts between a local CheckUser policy and the global CheckUser policy. See, Board of Trustees, Resolution "Amending the Scope of the Ombudsman Commission": [3].
(2) A local policy requiring users to undergo a CheckUser investigation in order to qualify for a particular user right poses a wide variety of governance-related questions (a). However, none of the policies within this Commission's purview bar such a practice (b).
(a) It is undoubtedly true that the imposition of CheckUser requirements is potentially capable of changing the face of our projects. Some projects require IPBE-flagged users to consent to checks (one-time or regular). At least one Wikimedia project requires all its new administrators to "pass" a CheckUser investigation. If we pursue the underlying logic further, we might conceive an extreme scenario where a CheckUser requirement is applied to all editors willing to contribute to a set of politically contentious articles. Against this backdrop, it stands to reason that project communities carry great responsibility towards ensuring that the community of contributors is not unnecessarily burdened with requirements to provide personal information. This is consistent with the Wikimedia Foundation's belief, expressed in the Privacy Policy, that users "shouldn't have to provide personal information to participate in the free knowledge movement". Wikimedia Foundation, Privacy policy - section "Introduction": [4]. At the same time, particularly when it comes to users holding advanced rights, it is possible that the potential risks associated with such rights justify their granting to be tied to the provision of some personal information. For instance, aspiring oversighters must provide some personal information to the Wikimedia Foundation under the Access Policy. Access to nonpublic information policy - section "Minimum requirements for community members applying for access to nonpublic information rights", (a) and (b): [5].
(b) The resulting balancing act is, indubitably, a difficult one. However, it is our position that neither the Privacy nor the CheckUser policy preclude the imposition of a requirement as that described in the complaint. Those policies' overarching concern is that users shall maintain, to the extent possible, control over their personal information. CheckUsers are constrained specifically by the CheckUser policy in their use of the tool, so as to prevent a situation where community members constantly have to fear that their IP information is being accessed by individuals whose identity is not even known to the Wikimedia Foundation. We submit that it is consistent with these principles if users are granted certain rights only after consenting to a check, because this leaves them in a position where they are in full control over that retrieval of their personal information. If a user does not wish to provide their personal information, they do not have to do so. It is true that this may render them ineligible for a certain privilege. However, we find that, at its core, this is a problem of access, not privacy. A privacy-conscious user refusing to give consent to any check on their account may effectively be barred from receiving the IPBE flag and may therefore have less "access" than a counterpart willing to meet the local requirements. But their privacy has not been imperilled at any point, precisely because they were able to refuse consent. This renders the practice incomparable to "sockpuppet fishing" as in that case users are unable to "opt out" of the CheckUser investigation.
IV.
(1) In accordance with relevant resolutions of the Board of Trustees governing the responsibilities of the Ombudsman Commission,[3] the Commission is therefore unable to take any further action with regard to the complaint.
(2) Nevertheless, we would like to take the opportunity to remind CheckUsers of the Wikimedia Foundation's Statement regarding IP block exemptions at [2]. As can be inferred from the above reasoning, it is paramount with IPBE-related checks that they must be performed only with the affected users' consent. We encourage ruwiki CheckUsers to review the relevant ruwiki processes. If there is any doubt that a given user applying for the IPBE flag may not be fully aware of the CheckUser requirement, they should be made aware of it and asked for their express consent.
[1] <https://meta.wikimedia.org/wiki/CheckUser_policy>
[2] <https://meta.wikimedia.org/wiki/Legal/Statement_regarding_IP_block_exemptions>
[3] <https://wikimediafoundation.org/wiki/Resolution:Amending_the_Scope_of_the_Ombudsman_Commission>
[4] <https://wikimediafoundation.org/wiki/Privacy_policy#Introduction>
[5] <https://meta.wikimedia.org/wiki/Access_to_nonpublic_information_policy#Minimum_requirements_for_community_members_applying_for_access_to_nonpublic_information_rights>
END COPY OF CONCLUDING STATEMENT
