*Updated with corrections Aug. 19.
Last week, we took a few swings at Wikimedia, the parent organization that hosts Wikipedia and other sites, over the stance it’s taking on net neutrality (we couldn’t help but playfully dig at #monkeyselfie while we were at it). However, we would be remiss if we didn’t also give the foundation credit for the transparency report it released on August 6th, which details its efforts to protect user privacy and defend against online censorship.
Wikimedia appears to be taking strong actions to protect user data from surveillance and censorship. The new transparency report shows remarkable pushback by Wikimedia against requests for user data and the alteration or removal of content. Innovating toward a broader notion of transparency, Wikimedia provides significant detail on its data retention policies with a user-friendly chart on the types of data held and the duration. Overall, Access welcomes the report with a few suggestions for the next iteration.
Requests for user data
Wikimedia only produced information for 14% of 56 requests seeking data on the 22 million users who edit Wikipedia, the 6th most visited website in the world. Both the raw number of requests and the compliance rate are quite low. The company attributes these low figures to its effort to retain as little nonpublic information as possible and, when asked for that information, to carefully evaluate the requests against predefined standards and push back on behalf of users.
Per the report, civil and criminal subpoenas accounted for all of the disclosures of user data; the foundation refused to comply with any of the informal government and non-governmental requests it received that lacked “a formal legal process” (this type of request was included as a category in the report). The non-profit organization describes these informal requests as “a letter or an email requesting nonpublic information about one of our users,” from a company or government official. Wikimedia’s resistance and vetting underlie its mission to uphold the trust of users to “protect their identities against unlawful disclosure.”
Wikimedia says it will notify affected users of a legally valid request for their information when it is legally permitted to do so, doing so would not endanger life or limb, and it has valid contact information. We applaud this procedure, as actively providing this information helps inform users about government access to their data, and could enable them to take legal action to protect their rights.
Further, Wikimedia details the compliance rate by country and by total number of users affected. Producing this level of detail not only allows Wikimedia to provide greater transparency, but could reveal trends and increase accountability over time. Geographically, the U.S. was the only country where information was produced on a Wikimedia user. It was also the country making the greatest number of requests, followed by France, Germany, and India. Future reports could be improved by breaking down which arm of government — judicial, police, or otherwise — requested the user data.
Requests for content alteration & takedown
Wikimedia granted none of the non-Digital Millennium Copyright Act (DMCA) requests it received for altering or taking down content. These numbers shine a light on Wikimedia’s efforts to combat censorship and abuse of the notice-and-takedown mechanism in the U.S. However, 41% of the DMCA requests to remove content were granted. Though this number is higher than its compliance rates in other categories, it is still low for DMCA requests generally. Wikimedia does have a stated DMCA response process in which it ensures the requests it receives are valid, vetting them before taking down content as mandated by law.
Wikimedia lists the DMCA takedown requests that it has complied with in its organizational wiki – only 5 thus far in 2014 – and also reports them to Chilling Effects. At present, international requests to Wikimedia for content alteration and takedown are simply broken down by country, not government department; however, the organization plans to label requests that originate from governments going forward.
Data retention policies and transparency
Data retention practices are under increasing scrutiny worldwide for violating fundamental rights, increasing costs and risks to companies and users, and being ineffectual in accomplishing stated law enforcement purposes. Wikimedia is highlighting the problems of data retention by including in its transparency report a chart detailing the type of data retained, its origin, and its maximum retention period. For a few categories of data — personal information automatically collected from a user, non-personal information associated with a user account, and articles browsed by readers — it will be deleted, aggregated, or anonymized after, at most, 90 days. In addition, Wikimedia provided details about plans to keep privacy in mind when implementing new tools and systems, by relying on these data retention guidelines.
Notably, there is no mention of what specific legal authority and provision mandated this data retention, if any. In addition, Wikimedia reserves the ability to make exceptions to its guidelines, though it does promise to notify its users if that ability is exercised.
Access maintains that all companies processing user data should issue transparency reports, with charts showing data retention rates. The rates should be broken down, at minimum, by type of data or record and the duration it is held, noting where retention is required by law.
Access welcomes Wikimedia’s release of its first transparency report and we look forward to publication of future iterations. In those iterations, we would like to see more comprehensive details provided regarding where and which data retention is required by law. In addition, adding more specific information about which government agencies and organizations are making the requests will further improve transparency and increase accountability. With more than 30 platforms including most of the world’s most frequently visited sites now issuing transparency reports, this kind of disclosure is fast becoming an industry norm; it’s great to see Wikimedia joining their ranks.
*Correction: This post has been amended to reflect that Wikimedia lists all details of DMCA takedowns it complies with in its organizational wiki, though not within its transparency report. In addition, the organization responded that going forward it will clarify whether the international requests Wikimedia receives for content alteration and takedown come from governments.