Wikipedia:Requests for comment/Community expectation of Checkuser

Source: Wikipedia, the free encyclopedia.

Opened 27 January 2009. Closes March 1, 2009, 00:00 UTC or at the discretion of the Audit Panel.

Checkuser is a software tool that can determine the IP address of a user, information that is normally hidden by the Wikimedia software. This information is normally used to investigate whether a user is a sockpuppet of another user or a blocked or banned user evading the block or ban. The rules covering use of the Checkuser tool are very broad and non-specific. Checkuser may be used to limit disruption of Wikipedia; it should not be used for political reasons or retaliation; there must be a "valid reason". The Arbitration Committee is planning to create an Audit Panel to review concerns and complaints that Checkuser has been used inappropriately. However, there have been no prior discussions of editors' expectations for the appropriate and inappropriate use of the Checkuser tool. Is there an expectation of privacy that goes beyond the written policy? What exactly does "limit disruption" mean? Do editors accept that they may be checked at any time, or do they expect they will only be checked with a "valid reason" and if so, what constitutes a valid reason? This RFC is brought to solicit community views to serve as a frame of reference for the Audit Panel when it is seated by Arbcom (currently planned for 28 February 2009).

Purpose
  • To receive community feedback regarding expectations of privacy as it relates to Checkuser
  • To receive feedback on uses of Checkuser considered by the community to be appropriate or inappropriate


Policy

The tool is to be used to fight vandalism, to check for sockpuppet abuse, and to limit disruption of the project. It must be used only to prevent damage to any of Wikimedia projects. The tool should not be used for political control; to apply pressure on editors; or as a threat against another editor in a content dispute. There must be a valid reason to check a user.

CheckUsers have a wide range of discretion to use their access provided it is for legitimate purposes – broadly, those which relate to preventing or reducing potential or actual disruption, and to investigation of legitimate concerns of bad faith editing.

  1. CheckUsers may accept requests publicly or otherwise, as they see fit.
  2. Requests should not be accepted on the basis of "fishing" - that is, requests by users without a good and specific cause. On their own cognisance they may however perform privately as part of their role, any checks within the bounds of CheckUser policy - that is to say, any check which is reasonably performed in order to address issues of disruption or damage to the project.


Some suggested questions to be answered
  • Does the community have expectations of privacy that go beyond the letter of the Checkuser policy? If so, what are they?
  • If Checkuser is only supposed to be used to "limit disruption", what does this mean in practical terms?
  • If Checkuser can only be used for a "valid reason", what constitutes an invalid reason?
  • If Checkuser is used without a valid reason but the results are not disclosed publicly, has any harm been done?
  • Are there situations in which a Checkuser should ask another Checkuser for help in determining whether there is a valid reason for a check?
  • Are there situations in which a Checkuser should not run a check personally but should ask another Checkuser to do it?


Statements about community expectations for use of the CheckUser function

View by Thatcher

I created this RFC but I did not want to influence the comments by posting my own views and evidence in the introductory section. I actually have had quite a hard time coming up with a definition of "inappropriate checking" that does not rely on actual examples. It seems like a case where "I know it when I see it" but I have a hard time putting it into words exactly. Hopefully someone else will have some good ideas. I am going to list a few basic principles, but they do not comprehensively answer the questions I posed above and more input is needed.

  1. Checkusers should not check editors with whom they are involved in a dispute. Instead, contact another Checkuser with the reasons you think a check is needed and ask for their opinion, and for them to do it if needed. (However, "dispute" should be interpreted rationally. An argument between an editor and a Checkuser that has gone on for several hours or days involving many edits is a dispute; a sockpuppet posting taunts on a talk page is not.)
  2. Checkusers should not check editors who edit articles or topics where the Checkuser has a strong presence. Instead, send your suspicions to another Checkuser. Checkusers must avoid the appearance of favoritism or of protecting certain editors, topics, or points of view.
  3. "Valid reason" should be interpreted broadly but not blindly. For example, while it may be appropriate to check a new account who vigorously defends a recently banned editor, it is probably not appropriate to check a long-term editor who defends the banned editor unless there are other credible indications of sockpuppetry.
Users who endorse this view
  1. Subject to refinement as more views are expressed, but an excellent start at summarizing a reasonable set of expectations, and reflecting due regard for the fact that "checkuser discretion" will always include elements of good judgment and cannot be reduced to black-line rules. Newyorkbrad (talk) 03:05, 29 January 2009 (UTC)[reply]
  2. I like the general ideas of this, but there are a few things I would change. Instead of Checkusers sending information to each other, why not have a CU just post to the mailing list like a regular user or file a RfCU? This discourages any cliquey feel in my mind at least. This way, a checkuser would be more inclined to review everything rather than say, "Checkuser X told me to believe these things; why shouldn't I?" Aside from that, an excellent initial statement. NuclearWarfare (Talk) 04:00, 29 January 2009 (UTC)[reply]
  3. I agree fully with the thrust of this. To pick out a particularly crucial phrase from your second point, "Checkusers must avoid the appearance of favoritism..." It is vitally important that the CU process be transparently and obviously fair; this is just as important as ensuring the fairness itself. Sam Korn (smoddy) 08:43, 29 January 2009 (UTC)[reply]
  4. I agree with this idea, but given the opaque nature of checkuser, I would hope to see more checkusers publicly endorsing this beyond the guy legally tasked with maintaining privacy (Sam) and the guy who only uses it to review cases (Brad). MBisanz talk 13:07, 29 January 2009 (UTC)[reply]
  5. Similar to the norms on admin intervention. In fact, perhaps these rules should be applied to non sockpuppeting related administrative disputes as well as content disputes?--Tznkai (talk) 15:31, 29 January 2009 (UTC)[reply]
  6. Agree generally, and think it is best to avoid raising the issue with other Checkusers behind the scene as much as practical if you are involved as an editor. And a Checkuser should self disclose their involvement to the other Checkusers when making the request. FloNight♥♥♥ 22:22, 29 January 2009 (UTC)[reply]
  7. I fully agree with this, and hope to see other CheckUsers doing the same. Tiptoety talk 22:16, 31 January 2009 (UTC)[reply]
  8. I Agree with Thatcher's view. --Kanonkas :  Talk  22:31, 31 January 2009 (UTC)[reply]
  9. Deskana (talk) 15:14, 2 February 2009 (UTC)[reply]
  10. Of course. Clayoquot (talk | contribs) 06:35, 3 February 2009 (UTC)[reply]
  11. Re: #2, I believe that people who edit frequently in areas with ongoing problems (especially Israel-Palestine, which had its own arbitration) should not be Check Users at all. I see some balance with people on both sides of the issue, but complete neutrality NOT balance should be the goal. I've got a problem with a non-Israel-Palestine probable sock/harasser right now but because I see check users I feel are POV and even abusive on the I-P issue, I have to wonder what other biases lurk in users I'm NOT familiar with. (So I'll just pick an unknown person and cross my fingers.) You need a board that takes complaints and quickly removes check users who have complaints of non-neutrality that can be backed up by evidence. (I've seen a couple complaints on different talk pages about one check user on the list.) CarolMooreDC (talk) 15:44, 3 February 2009 (UTC)[reply]
  12. Majorly talk 15:07, 6 February 2009 (UTC)[reply]
  13. By all means. Akin to what Tznkai said, the expectations for administrators involved in disputes, specifically with an eye for avoiding chilling effects, seem like a good template. – Luna Santin (talk) 00:46, 7 February 2009 (UTC)[reply]
  14. Of course - Alison 00:58, 7 February 2009 (UTC)[reply]
  15. Fair and reasonable views. Jim boon (talk) 03:21, 9 February 2009 (UTC)[reply]
  16. Fully support. Also agree with Sam Korn - the "must avoid the appearance of favoritism" should actually be number 1 on the list, in bold. Xymmax So let it be written So let it be done 21:16, 10 February 2009 (UTC)[reply]
  17. Yes. I've been holding off opining in hopes of something more comprehensive, but this is right as far as it goes. More elaborately, a checkuser should use the tools neutrally with regard to any long-standing dispute. They should not preferentially accept/run checks on or suggested by only one side of a dispute, nor should they use different standards for evaluating the results from one side or another. This suggestion is not meant to restrict ongoing monitoring of a banned user by checking their previously identified accounts or IP addresses to see if there are new matches. It is meant to restrict checking all new users on one side of a dispute simply because one or more users previously on that side of a dispute are banned - that is using the tool for political control, especially if the checkuser is themself involved in the dispute. GRBerry 22:01, 12 February 2009 (UTC) GRBerry 22:08, 12 February 2009 (UTC)[reply]
  18. Good sensible guidelines. DurovaCharge! 22:07, 17 February 2009 (UTC)[reply]
  19. Per Newyorkbrad. Ncmvocalist (talk) 10:14, 21 February 2009 (UTC)[reply]
  20. Stating the obvious. -- Fayssal-F - Wiki me up® 12:13, 11 April 2009 (UTC)[reply]

View by Tznkai

Some poorly organized points, with the caveat that I don't know what goes on behind the veil:

  1. Checkusers should not become "specialists". That is, CheckUsers should not take on one serial sockpuppeter or article area as their sole domain. Instead, CheckUsers who know certain signs well should train other Checkusers. Ideally, checkusers should be as inter-changeable as possible - everyone as competent as possible in every sort of case. (Every marine a rifleman)
  2. The appearance of propriety is almost as important as the substance of propriety. Checkusers should take extra care to allay concerns about bias even if they are certain there is no bias within themselves.
  3. CheckUsers should make answering concerns of fellow CheckUsers and the audit panel (if and when that happens) a priority.
  4. CheckUsers should be mindful of the fact that many editors will feel violated merely by a Check, and should always be respectful and conscientious of that fact. Diplomacy is a requirement, not a talent.
Users who endorse this view
  1. These are all good ideas, although #1 may be defeated by the sheer number of long term vandals and troublemakers. While a specialist knows everything about nothing, a generalist knows nothing about everything [1]. Certainly no one checkuser should be the sole expert on a particular troublemaker. Thatcher 15:25, 29 January 2009 (UTC)[reply]
  2. Agree with the general ideas expressed. Lack of confidence in the results because of perceived biases undermines the process for the entire project. I agree with the last statement. Since the checks are done by community members (that may have a social relationship with users checked), rather than paid site sysops, it is especially important to be sensitive in the manner the information is handled. FloNight♥♥♥ 22:37, 29 January 2009 (UTC)[reply]
  3. I generally agree. While it is important for all Checkusers to be competent in all aspects of CheckUser, I do not think "specialists" are bad. Currently, there are a number of large active sockfarms that to the untrained eye may be hard to detect, but to a user who has been dealing with the puppeteer for a great deal of time it is easy. Having someone who you are aware is knowledgeable about a specific case to go to is not a bad thing, and often times ensures that correct action is taken. It is like a teacher, they should be generally knowledgeable about all subjects but even more so about the subject they teach. Tiptoety talk 22:20, 31 January 2009 (UTC)[reply]
  4. Agree broadly, but it is inevitable that certain checkusers will become more familiar with certain vandals than others. I know where to get help dealing with serial vandals if I need it, since checkusers are very contactable in general. Especially agree with two: I always tell people where they can appeal to even if it's blatantly obvious to me that they're lying through their teeth. --Deskana (talk) 15:12, 2 February 2009 (UTC)[reply]
  5. There are, however, some checkusers who (admittedly) are not as good as other checkusers, be it tech-wise, policy-wise, or tact-wise when dealing with sensitive issues. Majorly talk 15:07, 6 February 2009 (UTC)[reply]
  6. Endorse with Deskana's reservations. DurovaCharge! 22:08, 17 February 2009 (UTC)[reply]

When checkuser results are reported anywhere, including but not limited to the Checkuser pages, administrative noticeboards, and other Wikipedia pages, extreme care must be taken to preserve privacy. Regardless of the findings, interim or final, of an investigation, no information such as "User:ABC is likely a sockpuppet of User:XYZ because they both post from IPs in the same neighborhood of London", or "User:ABC is likely NOT a sockpuppet of User:XYZ because while User:ABC posts from McMurdo in Antarctica, User:XYZ logs on from Reykjavik." Likewise reports such as "User:ABC, USER:DEF and User:GHI are likely the same person: one of them logs on from a Blackberry, the other from a static .gov IP, and the other from a dynamic IP in the 1600 block of Pennsylvania Avenue, all within a 2-mile radius of each other in the District of Columbia." (The foregoing are examples employed to illustrate the point, not an exhaustive list of prohibited behaviors.)

Violation of this privacy rule shall be considered a "one-strike and you're out" infraction, i.e., immediate and permanent removal of checkuser powers, no second chances given.

Users who endorse this view
  1. To quote from privacy policy: It is the policy of Wikimedia that personally identifiable data collected in the server logs, or through records in the database via the CheckUser feature, or through other non-publicly-available methods, may be released by Wikimedia volunteers or staff, in any of the following situations:
    [snip]
    Where it is reasonably necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public.
    The corollary of this is that no more than is reasonably necessary should be released. I do not think it prudent as a member of the ombudsman commission to bind my hands by committing to a particular "remedy" to apply in all cases, but I think the general principles (that users' privacy be treated as a matter of great importance, that those who cannot be trusted with users' private data should not have access to it and that this should be enforced strictly) are sound. Sam Korn (smoddy) 12:57, 2 February 2009 (UTC)[reply]
    Addendum, in response to Thatcher. I agree absolutely that a single, good-faith error in judgement should not be met with automatic removal of rights, and it is precisely that idea that I am attempting to get at with "reasonably" -- if someone makes a reasonable justification for why they took the action they did, I would be disinclined to punish it, even if I might well support a clarification of the policy. Sam Korn (smoddy) 14:02, 2 February 2009 (UTC)[reply]
    With the understanding, hopefully, that someone who repeatedly has issues of this kind, even if each individual case has a reasonable explanation, should be seen as someone who does not learn from their mistakes, and should probably lose CU access. Thatcher 14:53, 2 February 2009 (UTC)[reply]
    Of course. Sam Korn (smoddy) 18:02, 2 February 2009 (UTC)[reply]
  2. I endorse in general the idea that the amount of information released should be the minimum necessary to make the identification. I specifically decline to endorse a "one-strike" remedy. Determining how much information to release is a matter of judgement, and people (whether on-wiki or in real life) should rarely be punished for a single good-faith error in judgement. Persistent poor judgement is definitely grounds for rescinding checkuser access, as could be a particularly egregious single incident. But a blanket one-strike policy leaving no freedom for evaluation of circumstances is not the way to go. Finally, note that allegations of privacy violations involving excessive release of information may be brought to the Ombudsman commission at any time. Thatcher 13:51, 2 February 2009 (UTC)[reply]
  3. Endorse - the public at large has no reason to know particulars. "Different devices" serves just as well as specifying what the different devices are for examples. One strike is a bit much, I'd prefer a stronger culture of caution be developed within the CU Corps.--Tznkai (talk) 14:09, 2 February 2009 (UTC)[reply]
  4. Endorse. Majorly talk 15:05, 6 February 2009 (UTC)[reply]

Suggestion by User:Ipromise

Jimbo Wales recently wrote that he wants more transparency of ArbCom. Listening to Jimbo Wales' wisdom, the revised expectation of the Checkuser is that all checkuser searches must be publicly listed. For example: "15 Feb 2010 checkuser:Jimbo Wales looked up edits of User:B"

Transparency will prevent Wikipedia from being accused of fishing. It will also prevent checkuser forum shopping, especially if e-mailed requests for a checkuser are denied.

Users who endorse this view.
Users who oppose this view.
  • Your idea has merit but it could cause unnecessary harm. This is like saying police have to publicly name the parties of every investigation, even those that prove unfounded or which are inconclusive. If an innocent person becomes the subject of more than 2 or 3 inconclusive sockpuppet investigations, some of those who know about the investigations may conclude that "he's a slippery one who knows how to evade checkuser and plant fake exonerating evidence" thereby hurting the editor, without looking into the circumstances that prompted the investigations. davidwr/(talk)/(contribs)/(e-mail) 11:50, 5 February 2009 (UTC)[reply]
  • The checkuser log is private for a reason; if someone has a valid suspicion that a user is a sockpuppet, privately approaches a checkuser, and the (valid) suspicion is proved incorrect, it is not fair to them to tarnish their reputation by ever having it in public view that there were suspicions. In addition, I personally will tell people if they have been checked if they can: a) give me a good reason for me to do so, and b) there is no harm in telling them. 90%[citation needed] of such requests end with me telling the user if they were checked or not. Things should remain as they are. --Deskana (talk) 17:08, 5 February 2009 (UTC)[reply]
  • Per Deskana. Majorly talk 15:04, 6 February 2009 (UTC)[reply]
  • If there were a "comment" section, I'd probably be putting this there. Even beyond what Deskana's said, I'm having trouble seeing how this would pass muster under our privacy policy. Suppose I check User:Example, and then grab edits for 192.168.1.1 and 127.0.0.1? It's pretty obvious what Example's IP(s) were, in that context. Very uncomfortable inferences can be made, even if we hide IP checks. Let's suppose I'm checking for a prolific vandal's sleeper socks, and that vandal has been creating sleepers from a university. If I check any users at that university in the course of this investigation -- even to rule them out as socks -- a public list of users checked effectively becomes a list of people attending that university. The checkuser log is just as sensitive as checkuser data, in many cases. These sorts of problems can be mitigated, but I do take any threat to user privacy seriously. – Luna Santin (talk) 01:05, 7 February 2009 (UTC)[reply]
  • Transparency and privacy don't mix well. This view highly emphasizes the transparency, while ignoring the privacy issues completely. עוד מישהו Od Mishehu 16:01, 17 February 2009 (UTC)[reply]
  • Fundamentally at odds with the Foundation privacy policy, which we cannot overrule by local en:wiki consensus even if we wanted to. DurovaCharge! 22:09, 17 February 2009 (UTC)[reply]
  • This would cause extreme privacy issues, not to mention it would scare off CheckUsers from performing their duties. Tiptoety talk 04:38, 20 February 2009 (UTC)[reply]

View by MZMcBride

All CheckUsers should be required to be reconfirmed every 18 months by the community using the same standards as the current ongoing elections. --MZMcBride (talk) 11:53, 6 February 2009 (UTC)[reply]

Users who endorse this view
Users who oppose this view

  • Checkuser requires some "old hands" for issues that new checkusers would have no idea how to deal with. There needs to be some sort of continuity. Unless the bit is being abused (or is lying unused), I don't see why we should have to possibly remove the tools. If there is a problem with a CU, there are other methods than an election every 18 months. Majorly talk 15:10, 6 February 2009 (UTC)[reply]

View by Od Mishehu

One problem which seems to come up is when an account with several edits, or an IP range, had been blocked with a {{checkuserblock}} which doesn't indicate the sockpuppeteer. While some of the time there may be privacy issues involved (an IP address which can be linked to a real-world person, for example), this would seem not to be the case when talking about a big IP range, or about a user name which doesn't seem to refer to a real-world identity. I think that:

  1. All checkuser blocks should indicate the apparent sock-puppeteer, except where this information can link the sockpuppetry to a real-world identity; and where the issue is that the original account seems to be the link (such as a real name) - then some other account should be chosen to "represent" the case.
  2. All accounts blocked with a checkuser block should be tagged to link to the sockpuppeteer (again, subject to the same considerations as before) - such tagging will allow sockpuppets to be linked to each other.
  3. If a sockpuppeteer is already known to the community via a confirmed account, there is no point in treating this account name as private, even if it may be the real name of the user.
Users who endorse this view
