Wikipedia talk:Arbitration Committee/Archive 8

This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

Hi Future Perfect at Sunrise, yes, I think it would be ok to modify the instructions to reflect current practice. Also, creating another section to log warnings would also be ok. Unless anyone objects in the next day or so, my advice would be to go ahead. PhilKnight (talk) 21:51, 14 February 2011 (UTC)

There's actually a deeper problem here, in some sense: I'm not sure if you noticed, but Pseudoscience and Martinphi-ScienceApologist actually authorize identical areas of discretionary sanctions (on "articles which relate to pseudoscience, broadly interpreted"). Administrators can, in principle, use the cases interchangeably; the cross-reference to a single log location was put in place to reflect that.

In practical terms, I think having two sets of logs for the same area is likely to be more confusing than having one case refer to the other. If even the latter is causing problems—and the fact that we do now have two logs suggests that it is—my inclination would be to rescind one of the discretionary sanctions and leave only one in place.

As far as logging warnings go, I don't see any problem with that. Generally speaking, administrators involved in enforcement are free to log more than the minimum required by the sanctions. Kirill ^{[talk] [prof]} 01:01, 15 February 2011 (UTC)

Would it be a good idea to protect

• I'd support protecting by default all pages that require the committee's consent to edit. Thryduulf (talk) 09:17, 18 February 2011 (UTC)

This system should be introduced to have somebody in the committee that has no direct and prior affilitation with it. The arbcom members are usually the most senior, experienced and respected users of Wikipedia. The arbcom's verdict should represent the meaning of users of all differint kinds, with all different rights, with all different experience. The introduction of this system will lead to more fair arbcom rulings. PaoloNapolitano (talk) 21:35, 26 February 2011 (UTC)

Proposal by PaoloNapolitano

I would like to propose a "lay committee member" system. It would work like this:

• Editors in good standing who have never been a committee member (perhaps more than 500 edits and half a year of registration) may enlist to be a lay committee member.

• Two editors are randomly selected to participate in all arbcom cases

• They have the same priviliges, powers and rights as the full-time arbcom members in the cases they are arbitrating over

• No editor can be selected for more than two cases a year.

Comments

I think you have something of a misaprehension as to what the Arbitration Committee is/does - perhaps reading

the Audit subcommittee, which examines the use of checkuser and oversight tools. Elen of the Roads (talk

) 21:48, 26 February 2011 (UTC)

The Audit subcomittee is kind of similar for several reasons: The arbitrators are involved in the subcom "elections" and the subcomittee members are elected for a period of time. With the system i am proposing, average users are randomly selected to participate in the arbitration of completely random cases. This will enforce the "legal security" of the users involved in the committee cases. The lay arbitrators have no connection to the committee's prior work, and have never been committee members. The committee's ruling should not represent any group of editors, and having regular editors in the arbcom will clarify that. PaoloNapolitano (talk) 11:02, 28 February 2011 (UTC)

Ah, you mean more like the [[Athenian_democracy#Selection_by_lot_(Allotment}|Athenians]]. Interesting idea. The problem with it would be that Arbs often get access to quite confidential information, and the Foundation has rules that require Arbs to provide details of their real identity to the Foundation. Might put some people off. The 'lay members' could of course look at all the info posted online without needing to do that, but sometimes that's not all the information there is. For example, the current Monty Hall arbitration case is all online, but in the previous case, allegations were being made about real life identities. You may be interested to note that any editor can post to the evidence and workshop pages, so you could carry out your own investigation and post the outcome, or your suggestions for resolving the situation, as an uninvolved editor (if you look at some old cases, you can see this happening). This outside perspective can be quite useful - perhaps you want to give it a go on one of the currently open cases.Elen of the Roads (talk) 11:21, 28 February 2011 (UTC)

I don't get the point of this proposal. I'm certainly not trusting any random user with 500 edits with CU/OS permissions. /ƒETCHCOMMS/ 15:41, 28 February 2011 (UTC)

The lay arbitrators will have to sign a confidentiality agreement, which says that the lay arbitrator can not give confidential information such as CU and US, other user than the other arbitrators. Concerning the CU/OS permissions, it is only temporarily given during the arbitration and abuse will lead to expulsion from the committee and banning from future arbitration, as well as a possible block. PaoloNapolitano (talk) 18:34, 28 February 2011 (UTC)

ALL arbitrators are lay arbitrators, who have been selected from the membership of the community to address the issues that come forward. If people want to work on arbitration matters, they should run for the position in order to demonstrate the confidence of the community. It would be impossible to manage cases with people who have access to only certain information; we simply cannot have separate mailing lists for every case. Risker (talk) 18:46, 28 February 2011 (UTC)

• This is never going to happen. We absolutely cannot give access to privacy breaching tools to inexperienced users without a track record here. Anyone can comment in an ArbCom proceeding, but access to private material is severely restricted with good reason. The last two rounds of CU/OS elections made it clear that this is not a permission the community wants handed out willy-nilly.
  talk
  ) 19:17, 28 February 2011 (UTC)
• Well,
  Beeblebrox is spot on about access to privacy breaching tools. We can't do this and so I think this proposal is a non-starter. As to the general merits, I'd like to know more about the specific problem this is supposed to address. I'm not saying there isn't a problem, I'd just like to know what it is, and how this proposal would help remedy that. I must say that I'm not inclined, at first blush, to be inclined favorably toward a proposal that says "ArbCom members are usually the most senior, experienced and respected users of Wikipedia. The ArbCom's verdict should represent the views of users of all different kinds". What, we should include members who aren't respected? We have some users here who are idiots, should we include an idiot on the ArbCom to represent this sector of the community? This seems wrong. I would recommended considering delisting this from CENT, it is not fully thought out or properly formed. Herostratus (talk
  ) 19:54, 28 February 2011 (UTC)

I am not talking about including "idiots" to the committee, users who have been registered for 6 months and have have made 500+ edits without being blocked, are usually not "idiots". PaoloNapolitano (talk) 20:08, 28 February 2011 (UTC)

Users who have only 6 months and 500 edits under the belt, and think they are ready to serve on a body of this sort, usually are idiots. John Vandenberg ^(chat) 21:27, 28 February 2011 (UTC)

Sorry, PaoloNapolitano, I didn't mean to deprecate your proposal by referring to "idiots" and I know you are not proposing that, and I was out of line. In fact, PaoloNapolitano, there is some good thinking here. Consider: The UN Security Council includes the "real" members and a random rotation of lesser members. The "real" (permanent) members have a lot more clout (the veto) but the rotating members have a say also. You know, it might not be a bad thing to include outside voices, if only to make the regular contributors not feel that the Big People alone are charge of their fate (even if, or especially if, it is true). But we already have the ability for any person to contribute a statement to an ArbCom action. And we do have ArbCom clerks, which I guess (don't really know how it works) allows non-members to participate in and learn about the workings of the ArbCom. And the problem of allowing people access to sensitive information is a problem, although possibly one that could be worked out. I guess I would say, talking this over at the village pump first would be, or would have been, a good idea. Herostratus (talk) 06:04, 1 March 2011 (UTC)

• I echo Herostratus's question, what is the problem, exactly? Arbcom members are indeed the most trusted, respected members of the community, but that's why they're arbitrators. Not because they belong to some class of
  vested contributors. Swarm ^X
  03:31, 1 March 2011 (UTC)
  • They're arbitrators because they stood and got a certain number of votes, not because they're the most trusted and respected members of the community.(Though it may be that there's a reasonably good correlation between the two things.) Personally I'd like to see some way of "diversifying" membership of ArbCom - it seems we usually elect the same people from the same little group, with the same way of thinking, and it would be good to have some views from outside the box, as it were. Not sure how to do it, though I've suggested in the past having separate groups of arbitrators for confidential and non-confidential matters - that way we could get broader input in the open cases without risking compromising confidentiality in the closed cases.--Kotniski (talk) 08:48, 1 March 2011 (UTC)
    • Arbs get votes if they're respected and trusted, not because they belong to a patrician class. If you're suggesting that there are many more highly experienced, trustworthy users that could and should run for ArbCom, I agree with you. And having a separate group for non-confidential matters sounds like a good idea, though I can't say whether that would be practical. However, as for this proposal, it simply takes the utterly wrong approach. Swarm ^X 15:13, 1 March 2011 (UTC)

The way to get more diversity would be to convince more people to run. However, in my opinion, the near constant abuse that Arbs receive, or at least, the incessant suspicion that is applied to their every action, is the primary reason as to why so many suitable people do not run. -- Avi (talk) 09:01, 1 March 2011 (UTC)

That's certainly true; one thing that might help a bit in the way arbitrators are perceived (and much more importantly, make them a more effective dispute-resolving force) would be for them to engage in and steer the discussion of cases - act more like mediators - rather than just come from on high with judgements that often appear to come from nowhere (or from discussions that go on somewhere behind the scenes on private mailing lists). That sort of thing is bound to make people antagonistic, even if the decisions are perfectly sound.--Kotniski (talk) 09:16, 1 March 2011 (UTC)

Unfortunately, RfARs have become less about solving issues and more like Nomic run amok. If there was a way to simplify the entire process, that would help, in my opinion. -- Avi (talk) 09:23, 1 March 2011 (UTC)

Very much agreed; in fact our whole "dispute resolution" process seems geared towards exacerbating disputes and ensruing that they are not resolved (mainly by encouraging the personalization of issues).--Kotniski (talk) 10:21, 1 March 2011 (UTC)

• Note that several of the new arbitrators elected this year have no prior affiliation with ArbCom. Jclemens (talk) 18:00, 1 March 2011 (UTC)

Observation: You want to get involved in ArbCom? You first need to read the policy documents and be very clear on what it is you're being entrusted with. Then you start lurking (and occasionally commenting) on the ArbCom/Audit/Appeal committee pages to understand how the systems in place work. It is also important to be putting forth the level of professionalisim that people would expect from one in a entrusted situation. Then it becomes a waiting game for either the ArbCom elections or one of the subcommittee calls for support. While I do think it would be a good idea to get some light on the darker corners of the ArbCom, I see this as an end run around the community advice/concent that is provided during ArbCom elections. Hasteur (talk) 21:52, 1 March 2011 (UTC)

The arbcom is a little bit like the North Korean government; there is a lot of talks, discussions and other stuff going on behind the scenes that the committee believes is best if it is kept secret. All discussions not involving confidential information should be held in public. --PaoloNapolitano (talk) 23:01, 1 March 2011 (UTC)

Oh no! we are the Crazy North Koreans? So does that mean Citizendium is South Korea? I always though of us as South Korea with Encylopedia Dramatica or Wikipedia Review being North Korea..... But if Arbcom is like the Government of North Korea does that mean Jimbo is our Kim Jong-il? Then Who is Jimbo grooming as his Kim Jong-un? The Resident Anthropologist (Talk / contribs) 02:30, 2 March 2011 (UTC)

I don't know what you're talking about. Though Arbcom cases do (and should) take place behind the scenes, they're hardly secret. Any user on Wikipedia is free to contribute to an Arbcom case by commenting or presenting evidence, the Arbcom ask questions to involved parties and take questions themselves, they propose a decision before issuing it and take comments on it from involved parties and other users, as far as I know the only discussions which are done in secret are those regarding confidential information. I would compare Wikipedia to the entire western world and Citizendium to North Korea, but that's beside the point. Swarm ^X 04:36, 2 March 2011 (UTC)

No, I'm pretty sure they use their private mailing list to discuss decisions even when there's no need for confidentiality. Which might have certain advantages, but it has the gross disadvantage that allegations are being made against people in a forum where the people concerned have no opportunity to know about them or answer them. This is one thing that really needs to stop.--Kotniski (talk) 09:01, 2 March 2011 (UTC)

• Cynical Observation Clearly the proposer does not really understand ArbCom and does not particularly like it (as evidenced by the first statement and the one on North Korea, respectively). At best, this is a misunderstanding by a genuinely concerned user. At worst, this is an attempt for a user to gain a spot on ArbCom without going through the regular elections. This really isn't worth our time discussing, it's not going to happen.
  Wha?
  05:01, 2 March 2011 (UTC)

I understand your concern, but this is not intended to be POINT, and it is not an attempt to get into the Arbcom. --PaoloNapolitano (talk) 07:29, 2 March 2011 (UTC)

Okay then. Either way, I was there during the elections and I can tell you that they were rigorous and fair. The community decided who they thought were the best people for the job, almost 1000 people voted. Many were new to the committee. One thing I will say though, is that while people that are not admins are allowed to run, no non-admin has ever been elected. ArbCom is a position of great trust, and as a result a high level of involvement and experience in Wikipedia is seen as a requirement by the community.

Wha?

08:03, 2 March 2011 (UTC)

• With all due respect to the proposer, I've removed & archived this listing from {{
  wp:snow and common sense for what I feel are obvious reasons. Swarm ^X
  12:35, 3 March 2011 (UTC)

I would like to propose that the section where some individual arbitrators have published their personal email addresses be modified from [email protected] to username [at] example.com in order to place an additional barrier to address-harvesting spambots.

I don't think it's necessary; all of the emails are posted using

Template:NonSpamEmail. NW (Talk

) 16:36, 23 March 2011 (UTC)

No. His ability to email is now disabled. Shell ^babelfish 06:06, 25 March 2011 (UTC)

I'd like to suggest that one or more arbitrators post PGP/GPG public keys in their userspace (arbcom itself could also post one at

I don't think so. If the evidence is so private that it is eyes-only for Arbcom, users should send it via email. There are plenty of services that can be used (many free like gmail, others at relatively low cost) that would disguise the originating address of an emailer. It would not do to have encrypted messages onwiki. Risker (talk) 01:38, 7 April 2011 (UTC)

Well, it's more the other way around--the reason to use encryption is that email might not be private enough. And the confidentiality concerns would probably be more about the message content than its origin. I take your point about on-wiki encrypted messages, though for arbs and CU/OS (already authorized to receive confidential info about wiki stuff) it might be less of a problem. A middle ground might be for an arb or two to have an on-wiki key that people could use to send encrypted email messages. 75.57.242.120 (talk) 00:35, 9 April 2011 (UTC)

The final draft of a proposed update to the existing

I wanted to point out that a number of arbcom cases have let to editnotice templates (see {{Editnotice templates}}), and there may be others using editnotices but not editnotice templates. Using templates for widely applied editnotices of this type is generally helpful; they should be listed in Category:Wikipedia arbitration templates or a subcategory. Rd232 ^talk 01:49, 19 May 2011 (UTC)

The

Looks to be an oversight, which I've now remedied. Kirill ^{[talk] [prof]} 01:58, 22 May 2011 (UTC)

Thanks. Note as well, BTW, that the uw-sanctions template doesn't appear to have a topic option for the Ayn Rand case. I mentioned this on the template talk page, but no one has taken action yet over there. I might be able to figure out how to make the change myself, but I'm a bit timid about trying to fix a problem in such a complex and high-visibility template. Richwales (talk · contribs) 06:29, 22 May 2011 (UTC)

As a matter of experience, the Arbitration Enforcement (AE) noticeboard is unwieldy. In the current system of organisation, all requests are under one main header, with the most recent ones going to the bottom. The result is that an administrator, upon opening AE to attend to pending requests, is faced with a lengthy array of threads. I propose that we do something to improve the organisation of the noticeboard, although I have no single preference as to what new structure we implement. My suggestion is that we create sub-sections for the topic areas that are most commonly related to enforcement requests, with the option to add or remove sub-sections as dictated by demand, and with a final sub-section for other requests. The resulting structure would be:

= Requests for enforcement =

== Open requests ==

=== Arab-Israel conflict ===
=== Armenia-Azerbaijan ===
=== Digwuren ===
=== Pseudoscience ===
=== Other topics ===

== Closed requests ==

The sub-sections of Open requests are alphabetised (except for Other topics, which is placed last), so as to not give precedence to any one topic area. The topic areas which I have given their own section are ones that come to mind when I think of the cases which are most commonly cited at AE, but there may be others, and in any case this is merely an example. Also, I am unsure if I need the Committee's approval for this change, because AE was initially a community process—and, although it was moved by an arbitrator to the ArbCom space, I think it still is. But I thought I'd propose this here, because, although my primary motivation is to ask for input from everybody, I am also keen to know how the arbitrators would feel about these changes.

Thank you for giving this issue consideration, AGK. I think the most useful feedback would be from other administrators who currently participate in arbitration enforcement, as well as perhaps others who may be considering it. If this works for all of you, then it is likely to be a good step. One very minor point: Pseudoscience. :-) Risker (talk) 06:19, 25 May 2011 (UTC)

My bad; fixed :).

•

] 08:33, 25 May 2011 (UTC)

As Risker said, this is mostly a question of what works best for the admins involved in enforcement; while the Committee retains jurisdiction over the enforcement process in principle, I don't see any problem with having the people who actually participate determining how to structure it.

Personally, I think your idea is a good one. The only suggestion I would make is to use topic areas, rather than actual case names, for the section headings; "Eastern Europe" is much more obvious than "Digwuren", for example. Kirill ^{[talk] [prof]} 10:25, 25 May 2011 (UTC)

Yeah, topic areas as opposed to case names would be better. As an aside, naming of cases has improved in recent years, and it is normally only older cases that do not have descriptive titles.

•

] 20:04, 29 May 2011 (UTC)

Kirill: As a purely constitutional point, arbitration enforcement is a community process, because it is operated entirely by administrators who do not sit on the Committee. It was moved into the Committee's namespace some time ago, from a subpage of AN, but without community agreement.

•

] 14:28, 7 June 2011 (UTC)

I disagree. The fact that arbitration enforcement is performed by the administrator corps, rather than the Committee itself, is immaterial; the administrators are implementing the Committee's decisions, pursuant to the enforcement provisions set by the Committee, and thus the enforcement process as a whole is necessarily under the Committee's jurisdiction.

Or, to be slightly more pedantic: administrators are able to perform certain actions (e.g. blocking editors) on their own discretion, pursuant to the relevant community policies; thus, for example, the activity of AN/I. Thus, any administrator may in principle sanction an editor who violated an arbitration decision independently of the decision per se, by arguing that the editor's action was sanctionable in and of itself. However, for an administrator to legitimately claim that his actions constitute "enforcement of an arbitration decision", those actions must be carried out in accordance with the provisions for enforcement contained in said decision—else they are merely independent actions which happen to sanction the same offense. In other words, any administrator who explicitly claims to be acting pursuant to the Committee's instructions is by definition granting the Committee jurisdiction over his actions by doing so. Kirill ^{[talk] [prof]} 00:03, 8 June 2011 (UTC)

I don't about this. There are quite a lot of areas under discretionary sanctions; I'm not sure if I fancy seeing 12 headers up on

WP:AE all the time, not even counting subheaders. Perhaps if we had people include the case in the section title like so: ==User (9/11 attacks)==, and started archiving closed discussions more quickly, we could streamline the process a bit more and achieve a similar result. NW (Talk

) 11:22, 25 May 2011 (UTC)

I don't see what problem this is solving. Admins who often comment at AE probably go there at least once a day. They are unlikely to be confused by the set of threads currently open. I tend to check the history before opening the page to see if there are any new comments on the set of things I am following. Adding headers to the page could be adding one more task for the people trying to submit complaints. EdJohnston (talk) 16:37, 25 May 2011 (UTC)

Ed: I am as active at AE as most, but I regularly get frustrated and confused by the mass of threads. The page is simply so massive, even when closed threads are collapsed and even with the relatively prompt archiving set-up in place. My personal feeling is that we must impose some further structure if this page is to continue to function, although as I said before this is only one idea and I don't mind particularly what that structure is.

NW: That suggestion might actually work. I wonder if we could additionally create two sub-headers, for Open requests and Closed requests, to further separate the settled threads (before they are archived) from the stuff that actually needs attention. I should also say that I anticipated that we would

•

] 20:04, 29 May 2011 (UTC)

The problem with limiting the headers using {{TOC limit}} is that if you use {{TOC limit|2}}, you don't have enough headers. If you use {{TOC limit|3}}, you have all the subject areas but it isn't easy to see from a glance if there is anything in the section you want to see, so you have to go down and read it all anyway. If we use {{TOC limit|4}}, that would work I guess, but I think that's too many headers. I liked the idea of "opened" and "closed" sections though. NW (Talk) 20:22, 29 May 2011 (UTC)

The current written arbitration policy dates from 2004 and much has evolved since then. It has been extensively reviewed over the last two years, with a series of wide-ranging community consultations. A proposed update has now been posted and is awaiting community ratification. All editors are cordially invited to participate in the ratification process, which is now open.  Roger Davies ^talk 23:36, 1 June 2011 (UTC)

Discuss this

The current written arbitration policy dates from 2004 and much has evolved since then. The policy has been extensively reviewed over the last two years, with a series of wide-ranging community consultations, to bring the written document up to date. The proposed update is posted and is undergoing community ratification, which is due to close on 13 June 2011. All editors are cordially invited to participate in the ratification process.  Roger Davies ^talk 06:02, 9 June 2011 (UTC)

Discuss this

One of the things that has concerned me about the leaked material is the number of times those participating have been asking around to see if anyone has saved old checkuser data, and the fact that such data are being held by individuals (presumably on their own machines) and not centrally on a machine controlled by the Foundation. Two points - is such private retention compatible with the Foundation's existing privacy policy, and if any retention is to be allowed it would surely be more efficient and helpful in the cases where Arbs want to access it for it to be held in one place rather than scattered around. DuncanHill (talk) 15:23, 27 June 2011 (UTC)

http://checkuser.wikimedia.org/ now exists (it's a relatively recent creation). My general view is that this type of data aggregation and retention violates both the spirit and letter of the Wikimedia privacy policy. --MZMcBride (talk) 17:00, 27 June 2011 (UTC)

Mike Godwin posted recently to the Foundation mailing list: "Typically, a service that values user privacy highly minimizes the amount of private information it keeps about users, so that even if compelled to comply with a lawful government order to disclose identifying information, the service may not have much to disclose." [1]

I'm afraid that what we're seeing here is that the Foundation has not valued user privacy, or indeed its users' safety or reputations. Whether it's CU archives, or ArbCom archives containing gossip, they should be destroyed after a short time. I know that several editors have requested the latter. As things stand, more and more people are downloading these things every year with authorization, never mind without. SlimVirgin ^{TALK|CONTRIBS} 17:20, 27 June 2011 (UTC)

The problem with wholesale deletion of archived material is the loss of context when it comes to long-term problems, or problems which have resurfaced. A wiser move would be to archive material (private wikis and mail lists) to a machine entirely under WMF control, with one of the public-facing WMF employees having sole access--someone like Bastique perhaps. This ensures that information can still be re-released (in a private sense) to arbs and CUs on a need to know basis, without the potential damage of wholesale leaks. → ROUX ₪ 17:54, 27 June 2011 (UTC)

I personally think the value of archives is overrated. They are usually only useful for verification purposes (ie to see whether a text claiming to unredacted is actually a true copy of the original). Others mileage might vary.  Roger Davies ^talk 18:01, 27 June 2011 (UTC)

Arbs say they download them, so they must see them of value. SlimVirgin ^{TALK|CONTRIBS} 18:03, 27 June 2011 (UTC)

Sure: some do, some don't. I personally don't.  Roger Davies ^talk 18:11, 27 June 2011 (UTC)

But then you still have a situation where the Foundation is releasing gossip, and in some cases actionable material, to the ArbCom, without the knowledge of the person concerned, who has no right to defend himself, and doesn't even know what the charges are. SlimVirgin ^{TALK|CONTRIBS} 17:58, 27 June 2011 (UTC)

Where incidentally do you draw the various lines between gossip, vennting, fair comment, speculation and reasonable inference?  Roger Davies ^talk 18:11, 27 June 2011 (UTC)

I don't know where I'd draw the line. But I think the Arbs shouldn't be engaged in any of it without the knowledge of the person they're discussing. We've seen material along the lines of "X is toxic, "X is a blackmailer," "Don't trust X," "X's editing is worthless." As I recall, none of the comments were connected to arbitration, and none of the people were told they were being discussed. That means the ArbCom list has become like IRC at its worst, or some of the other private lists people have objected to over the years (including one I was involved in, so I'm not being holier-than-thou here, because I know how easy it is for this to happen—though I didn't keep archives).

When you keep archives, it means people who were not included on those emails can access and download this stuff years after the fact, and may end up drawing quite false conclusions from it. And that encourages new Arbs to continue to treat those people poorly, and in general develop an Us and Them mentality (We Who Have Access to the Insults versus The Insulted).

The point is that the ArbCom is elected by the people it's discussing, and it therefore has to force itself to rise above this kind of thing, and be fair to all, including people individual members may personally dislike. SlimVirgin ^{TALK|CONTRIBS} 18:30, 27 June 2011 (UTC)

Sure, people shouldn't really be making those kinds of remarks but, that said, the unfortunate truth is that some people are toxic and some people's edits are worthless and similar remarks are made publicly, for example, on WP:AN/I, about recently indeffed users (with no right of reply) frequently.  Roger Davies ^talk 18:41, 27 June 2011 (UTC)

That's a worrying response, Roger, because it suggests you think the tone of the mailing list is okay. It really isn't okay, not least because you're spending huge amount of time on issues other than arbitration, micromanaging sockpuppet investigations, and almost creating problems by discussing them.

Calling someone "toxic" is meaningless, so that kind of casual insult is something friends can exchange, but for it to happen on a formal Foundation mailing list is obviously dodgy. You wouldn't like it if you were the one being so described without your knowledge. But for those comments to be collected for six years in archives, so that every new ArbCom member is able to download them, is really unacceptable. Please put yourself in the shoes of the people being so discussed. SlimVirgin ^{TALK|CONTRIBS} 18:52, 27 June 2011 (UTC)

It no more suggests that I think the tone of every post is okay than I think that the tone of yours is. For instance, you've just taken it upon yourself to say that I've wasted huge amounts of time micromanaging sockpuppet investigations and creating problems by discussing them.  Roger Davies ^talk 19:07, 27 June 2011 (UTC)

Ideally, Arbs who disagree with the tone ought to speaking up when they see discussions deteriorating. You can see a few Arbs try to do it, but for the most part they don't. And that's entirely understandable, because they don't want to fall out with people, or they don't read every post, or they prefer to lurk, or they decide that continuing to post—even to ask that a discussion stop—will only prolong it. That's why the list has become problematic, as all private lists of this kind do. And that's why they should not be archived, because at least without archives the damage is contained to the people the emails were actually sent to. SlimVirgin ^{TALK|CONTRIBS} 19:14, 27 June 2011 (UTC)

Oh, that happens often enough, don't you worry. I realise that you're not able to form an accurate view of things because of the partial view you have. However, you are rather assuming that (i) arbs blindly swallow what other arb say (they don't) and (ii) the archives are read assiduously. It may be apocryphal but I think the thing most new arbs do is check the archives so see what has been said about them (a "Washington read", I think it's called). The search facility on the archives is so appalling and the usual content so tedious, that few if any spend much time there. I agree entirely with pruning and with a short fall off the radar.  Roger Davies ^talk 19:22, 27 June 2011 (UTC)

I'm sure that Roger is right (cf the true story of the public figure who receives a free book without covering note, turned to the index, turned to the first mention of their own name, and found a marginal note from the author explaining the gift beginning 'knew you'd look here first'). Certainly when I discovered my unexpected electoral popularity in December 2007, the one thing that more than any other persuaded me not to withdraw was that it might be interesting to read the archives. (When actually appointed I discovered I no longer did, but that may be another story for another day). However what is slowly dawning on WR is that there are very few complete surprises in the material; what few there are, were kept confidential for good reason; and that the Arbs in private are in fact generally conscientious and try to be fair. It's a bit like a Wikipedia version of the Palin emails. If there were any absolute shockers, you can bet that they would be screaming about them at WR whereas in fact they're complaining that it's dull and 'tl; dr'. And I absolutely agree with everything the current arbitrators say that they do need to discuss things in private. Sam Blacketer (talk) 22:14, 27 June 2011 (UTC)

In the case of actionable material, that already happens, doesn't it? And really, if it's actionable, then the person in question is pretty much guaranteed to know what they've done wrong. So that's not really a concern. I guess what I'm envisioning is something along the lines of how CU data is released to the community: a specific question must be asked, and the CU responds with yes or no, and contextual information (e.g. other socks found), without releasing underlying private data. So in my hypothetical scenario, an arb would have to (publicly, unless there are serious privacy ramifications) ask the Foundation for historical material relating to User X in a specific context. So... let's say there's an Arbcom case involving User X who has been misbehaving. Arbs could then ask the Foundation if there is archived material related to the scope of the case. Anything outside of the scope would remain in the archive and unseen. → ROUX ₪ 18:06, 27 June 2011 (UTC)

I didn't understand your point about actionable material. What I meant to say is that, if the ArbCom mailing list contains arguable defamation—and it seems it does—that material ought not to be retained in archives. Damaging material in general ought not to be archived, even if it doesn't rise to the level of defamation. Ideally it ought not to be emailed between Arbs in the first place, but it certainly shouldn't be archived.

You couldn't have a situation where the Foundation was releasing personally damaging and possibly false material to individual Arbs at their request from archives the Foundation controlled.

As for CU material, yes I see what you mean there. But that goes back to Mike Godwin's point: the more the Foundation retains, the more it may have to hand over to the courts one day. SlimVirgin ^{TALK|CONTRIBS} 18:18, 27 June 2011 (UTC)

Sorry, by 'actionable' I had thought you meant actionable by ArbCom, not actionable in a court of law. AFAIK, defamation only occurs when such information is made public; retaining it to a small group that is decidedly nonpublic doesn't rise to that level. WMF legal counsel would be able to define better, of course. Roger's point above about the continuum from gossip to reasonable inference is a useful one, too. I guess what I'm suggesting is that private arblist/arbwiki information should be retained for institutional memory purposes, but access to it should be very narrowly circumscribed. I think that approach would satisfy privacy concerns without a baby/bathwater problem. → ROUX ₪ 18:37, 27 June 2011 (UTC)

Material need not have been made public; it need only have been communicated to a third party. As I said above, allowing narrow access to problematic material is still allowing access. We should not be retaining archives that contain this stuff, and preferably Arbs should be very wary of distributing it in the first place. SlimVirgin ^{TALK|CONTRIBS} 18:45, 27 June 2011 (UTC)

Are we talking US law here? It's pretty well impossible to obtain a judgement for libel in the US, so I can't see a legal issue for user x calling user y a ....whatever. Interestingly, in the UK, it has to be published, and it is the publisher, not the person making the statement, who is liable. So if this were the UK, WR could be sued for publishing libels (assuming any of the material actually constitutes libel). Elen of the Roads (talk) 19:10, 27 June 2011 (UTC)

None of that is quite right, Elen. You need only pass the material to a third party, or fail to take reasonable care. But this isn't the place to discuss legal ins and outs. The point is that by retaining archives you are publishing the material to more and more people every year. As I've been trying to argue for a couple of years, unauthorized access isn't the only problem here. Editors are being blackened, whether fairly or otherwise, in emails being read by people the emails were not sent to, and this is being done without the knowledge of the person being discussed. You can surely see why that's deeply problematic, ethically never mind legally, and in terms of community relations. SlimVirgin ^{TALK|CONTRIBS} 19:24, 27 June 2011 (UTC)

Personal retention of non-public data is not addressed by the privacy policy, and it would likely be impossible to regulate. Hosting such data on Foundation servers would open them up to subpoena, but would not make them much less likely to be downloaded by those with access.

The CheckUser wiki is actually an attempt to move us in the right direction in terms of compliance with the privacy policy. Currently (but changing within a matter of days), the CheckUser mailing list retains an archive, which actually means the data posted to it was accessible by CheckUsers long after it had expired through normal CheckUser means. Going forward, checkuser-l will not be archived, or its archives will expire within the same time frame as CheckUser data. The wiki is intended to host the data from investigations that actually needs to be retained for the future due to persistent abuse. The only CheckUser data it retains is related to persistent vandals, spammers, and a select few banned users, and even those will be removed when no longer relevant. This does not in any way run afoul of the privacy policy, and is in line with Mike Godwin's point.

There is certainly room for discussion of improving how sensitive data is handled in the other mailing list archives, or in the CheckUser log itself, but most of the suggestions on this page so far fail to take into account that ArbCom actually has a function that it needs to perform, and that it is a body which requires both sensitive data and confidential discussions amongst its members to properly carry that out. Dominic·t 18:52, 27 June 2011 (UTC)

The issue I have is how this relates to transparency, because it explains a lot. Depending on how widespread this saving of old CU information is, it explains why so many open on-wiki cases are not conducted in these situations. If an investigation had been opened, it would have had to be revealed that the accounts were being CUed against information that should have long been considered stale and deleted and this, in turn, would have revealed that Arbcom members and other people have been saving old CU info. Because this is obviously not something the community knows about and would be a large shock, instead in such cases, the accounts either say that the User was banned because of CU data, but without an actual investigation page being present or the user is banned with a statement saying that you should refer any questions to Arbcom.

Essentially, this means that the lack of transparency has been compounded with an active cover-up of the fact that old CU information has been being saved and utilized in a secret manner. While I may or may not believe that this old info should be allowed for use in certain instances, the main issue I have is specifically this lack of transparency and the active cover-up actions taken so that the truth of it didn't get out. Silverseren^C 21:21, 27 June 2011 (UTC)

If the complaint is that it was somehow a secret that all checks are logged and that we refer to this log to find expired CheckUser data, or that we also refer to mailing list archives or fellow CheckUsers for such data, then that is simply false. This has never been a secret, nor was there any active cover-up. It is commonly remarked upon where CheckUser investigations occur, namely

sockpuppet investigations. As several people have noted here, this is not a revelation. If anything, the complaints are largely about the fact that it has been a known vulnerability for so long. I think you are simply confusing this state of affairs with the fact that CheckUser investigations may take place outside of the context of a case, or even an on-wiki request; that is an entirely different issue, and has no bearing on the use of expired CheckUser data. Dominic·t

21:41, 27 June 2011 (UTC)

It is common knowledge that expired checkuser data is kept and stored by individual users and used in subsequent investigations without a case being opened for them? Is this written somewhere on the

investigations page. Nope, can't find it there either. Silverseren^C

21:59, 27 June 2011 (UTC)

I do not believe the fact that some specific point is not explained on those pages means there is a cover-up. As I noted, it commonly remarked upon. You have also somewhat misrepresented my words; the main source of expired CheckUser data is in fact the CheckUser log itself, not just data on people's hard drives. Dominic·t 22:10, 27 June 2011 (UTC)

But my original remark was about the data kept on people's hard drives, as that is what is mentioned in the revealed Arbcom discussions. Saying that they should "ask around to see if anyone has a copy of the data" seems to imply that it is not in a centralized log, since anyone who has access should be able to look there, but data that has been saved specifically by various Checkusers and functionaries. Silverseren^C 22:20, 27 June 2011 (UTC)

• If someone with checkuser privileges is retaining on their personal machine data acquired from the use of those privileges, I believe that is a gross breach of trust and suggests that they should not retain those privileges. If Arbs are fishing around for such data (as they clearly have been) it really beats any of the previous ethical failures of the committee hands down. Just because you can do something does not mean you should, or even ought, to do it. You really need to have a moral compass and an ability to restrain yourself if you are going to have the sort of privacy invading tools that checkusers and Arbs have. DuncanHill (talk) 02:17, 28 June 2011 (UTC)
  • I think that's a very important point, and hopefully someone somewhere is working on a proper Wikipedia data protection policy. What information is being stored, where, for how long, and for what purpose?
    Fatuorum
    02:50, 28 June 2011 (UTC)

If an Arb receives a confidential EMail and forwards it to the rest of arbcom may I suggest redacting that which you don't need to forward? I gather in this case that the Arb who first received the email was the one whose account was compromised, so it wouldn't have helped this time. But adopting a general principle of pruning superfluous info is one way of minimising risk (and avoiding clutter). An editors request would need to be discussed with arbcom, but does their Email need to be shared? ϢereSpielChequers 19:32, 27 June 2011 (UTC)

The problem with redacting is it can be tricky to redact the right amount. Not everyone will agree on what information is relevant, and where it is being done in secret, there is a risk that important information may be redacted without anyone being in a position to point it out. Essentially your asking one arbitor to censor what the rest of the committee is going to see, with no oversight. It doesn't sound like a good idea to me. Monty₈₄₅ 19:42, 27 June 2011 (UTC)

It requires judgment, but at a minimum I'd expect an email address to be redacted unless there was very good reason or it was clearly known. If there has been a whole thread of discussion ending with a request to forward an appeal or whatever to the rest of the committee I'd expect the appeal to be forwarded, not necessarily the rest. ϢereSpielChequers 20:14, 27 June 2011 (UTC)

While it's literally true that no system is perfectly secure and anything connected to the internet could be hacked, such excuses miss the point entirely. No responsible financial institution or merchant would invite customers to submit non-public personal information :such as credit card, bank account, or social security numbers via ordinary email or any other insecure form of online transmission. Secure websites utilizing Transport Layer Security or equivalent strong cryptography are a generally accepted means of handling information which requires privacy. Yet until recently, arbcom invited editors unfamiliar with proper security practices to send "any private material intended for the Committee's attention" to the arbcom mailing list. Compounding the problem, the "private material" thereby solicited was redistributed via insecure, unencrypted email, as were passwords giving access to arbcom's entire email archive since 2004. This was in no way necessary, since a secure messaging facility could have been added to the mediawiki interface, much as banks which allow online account access normally provide a secure mail feature for encrypted transmission of customer service requests. Distribution of such messages could have been confined to the secure arbcom wiki, to which access would be provided only using arbitrators' primary account passwords, eliminating the man-in-the-middle attack on password distribution. Suggestions that editors sufficiently naive to trust arbcom to provide a generally accepted level of information security deserve whatever fate befalls them are misplaced. The community should expect arbitrators to act in a responsible manner worthy of the trust reposed in them. 71.131.18.216 (talk) 06:17, 27 June 2011 (UTC)

While your suggestions are interesting and reflect some knowledge of information security theory and practice, there is absolutely no indication that transport security was at issue here. Likewise, I'm not sure how retrieving a stored password from a mailbox constitutes a MITM attack. Indeed, if the issue wasn't with stored email, in mailbox or archived format, then the leak has been going on for quite some time indeed. Jclemens (talk) 06:39, 27 June 2011 (UTC)

We obviously don't know exactly how this particular security breach occurred. What's certain is that the attacker could have retrieved Iridescent's password when arbcom emailed it to him in plaintext format, then waited until now to publish the stolen material to throw investigators off the trail. The other salient possibility is that Iridescent's computer was one of all too many improperly secured Windows installations, making it easy to hack and install a keylogger. Financial institutions that handle private information don't make this mistake either. Even with hackers highly motivated by the prospect of stealing thousands of credit card numbers, such breaches are relatively rare, since banks normally have professional IT staff to secure their servers. Since the WMF also employs such personnel, it would be advisable to have them instruct arbitrators, checkusers, etc, in the correct way to secure their computers. Hacking a system with a clean operating system installation, an effective firewall, and good anti-virus software is probably sufficiently difficult to be beyond the capabilities of "MaliceAforethought". While using

two-factor authentication. Security of private information online has been a studied problem in e-commerce for over a decade. It's time for arbcom to utilize some of the solutions developed, instead of relying on plaintext content and password distribution to arbitrators' computers which the WMF has made no effort to secure. 71.131.18.216 (talk

) 07:26, 27 June 2011 (UTC)

The WMF already has an infrastructure it uses for privacy-sensitive interactions with the public, namely,

WP:OTRS. It ought to be, at least, a bit more secure and professionally managed than a mailing list archive or individual e-mail accounts, and could be used as a stopgap measure for all sensitive internal ArbCom work.

The Committee should also reduce its apparently great reliance on private communication and use the onwiki case pages for case coordination, which is the purpose of these pages, unless there are genuine privacy concerns. More transparency could reduce the appearance of cabalism, and thus perhaps some of the incentive to break into other people's computers and to steal and publish the actually sensitive information. (Of course, ArbCom's perceived deficiencies are absolutely no excuse for the criminal acts that appear to have been committed here; these should be reported to law enforcement authorities, and the perpetrators brought to justice.)

Finally, users should be more proactively informed that in a semi-anonymous unpaid volunteer environment on an international Internet-based project, the risk of something like this happening is ultimately rather high no matter what technical and organizational measures are taken, and so that if they have genuinely important and private information to communicate relating to Wikipedia content, they may want to contact the WMF rather than ArbCom. And the WMF may need to take more responsibility to triage and if necessary address such requests by their own staff in a secure IT environment rather than relying on the OTRS and ArbCom volunteers. At the end of the day, the responsibility to protect sensitive project data lies with the Foundation; they cannot rely on a rather large group of unpaid volunteers to develop and reliably use a state-of-the-art secure communications system.  Sandstein 

09:39, 27 June 2011 (UTC)

Good points, some which I've also made in the past to the effect that discussions which don't need to be private should be public. That said, most discussions of editors should be done in private. Check Robert's Rules of Order. When a committee discusses personnel it's often appropriate to do so in "executive session": in private and confidentially. Obviously, city councils can't go on the record as saying Joe Smith is a lazy city clerk and we need to fire him. They go into executive sessions, speak candidly in private, and then announce their decision publicly. In California the Brown Act is a sunshine ordinance requiring public meetings on many topics once held in private. It's had a huge impact in local governance.

Perhaps what's needed is a noticeboard where only ArbCom members can participate, but in public. Otherwise the confidential mailing list is the only place for deliberations free from interruptions by non-members.   Will Beback  talk  10:17, 27 June 2011 (UTC)

I dunno, non-members are just as likely to have valid points to make as members are. It's this "us and them" approach ("we're better than the rest of you and have little interest in listening to what you have to say") that seems to be one of the fundamental problems with ArbCom. And discussions of editors, if they happen at all, ought to be done in public - otherwise (and we all know from real life what happens when a group of people start discussing someone who's not there) the person is not able to defend themselves aginst dodgy allegations, which then gradually come to be perceived as truth. --Kotniski (talk) 11:08, 27 June 2011 (UTC)

I think we have to start insisting that anyone discussed by ArbCom in private must be included in the discussion, with exceptions made only for situations where there would be real-life danger to someone. SlimVirgin ^{TALK|CONTRIBS} 17:27, 27 June 2011 (UTC)

This would seem like an ideal time for very serious consideration of Sandstein's comment about OTRS. While the leaked ArbCom material is concerning and will likely have some damaging effects on a few individuals, it is (for the most part) confined to Wikipedia's internal politics and Wikipedia editors. Imagine the fallout if emails to OTRS from someone well-known to the public were leaked, say Rick Santorum or Paris Hilton? Delicious carbuncle (talk) 12:08, 27 June 2011 (UTC)

FWIW, the celebrities who write in person tend to be minor people, not anyone big enough to have a PR firm or staffers. I think there's no better education in BLP than reading the pleas from relatively minor people whose Wikipedia articles are mostly made up of the one big mistake they've made in their lives, but I digress. Yes, OTRS is a better place for actual private information. No, there's no indication this event involved OTRS data in any way. Jclemens (talk) 14:09, 27 June 2011 (UTC)

But inevitably one day it will involve that data, if archives are retained. SlimVirgin ^{TALK|CONTRIBS} 17:22, 27 June 2011 (UTC)

Slim such data retention is an unfortunate necessity in running an operation like this. Could the Data have been better secured? Yes.. but that does not no mean retaining the data itself is invalid act. The Resident Anthropologist (talk)•(contribs) 21:46, 27 June 2011 (UTC)

The long-term retention of sensitive data—especially in a way that gives large numbers of people access to it—is legally, ethically and technically difficult. It's just impossible to do it with a mass of volunteers, none of them properly identified. And even if they were identified, what would it tell us? Knowing that someone is called John Smith and lives in Bristol tells us nothing about whether he's sensible and can be trusted.

Wikipedia has always believed it could start from scratch, reinvent the wheel, but there are areas of expertise we ought to learn from, and once you start to educate yourself, you see that what we're doing is unsustainable. We can't continue to keep files on people, whether they're editors, or readers who complain to us—files that every year are accessed by more and more Arbs, functionaries and OTRS volunteers—and believe we have no legal and moral obligations toward the people the files discuss. SlimVirgin ^{TALK|CONTRIBS} 22:12, 27 June 2011 (UTC)

There are two ways we can do it, hold everything or hold very little. Ultimately I think the benefits of retaining the data outweighs the risks of security. So far the leaked emails have more or less shown that such data retention is extremely useful in assessing new evidence. The Resident Anthropologist (talk)•(contribs) 22:27, 27 June 2011 (UTC)

Surely the reverse - the fact of the leak has shown that data retention is extremely harmful - unless, I suppose, access to it were to be restricted to a limited group of very well-trusted and security-aware people.--Kotniski (talk) 11:11, 28 June 2011 (UTC)

I'm not comfortable with storing gossip either, especially where those gossiped about have no way of knowing what is said about them. That gossip should go, and not be kept. What is legitimate to keep is any important decisions, and the basis on which they were made, and other important facts that may become relevant later on. And in my view, we should implement a kind of FOIA, giving editors the right to view what is stored about them. That's a common principle in modern society, and it was instituted for good reasons. --JN466 15:56, 28 June 2011 (UTC)

Unfortunately the current software is an "all or nothing" kind of thing - either there are archives, or there aren't. We have asked for a different system at various times in the past and obviously have re-iterated our request given the current situation. –xeno^talk 16:05, 28 June 2011 (UTC)

I really find these attempts to blame the software extremely unconvincing. Surely even if you're forced to use inadequate software, you can work round the problem somehow (like restarting a new list at least once a year, and restricting access to the old ones to very few people).--Kotniski (talk) 18:16, 28 June 2011 (UTC)

So it is good point to finf free software with basic configuration possibility. Or use not-free if it is impossible Bulwersator (talk) 16:40, 28 June 2011 (UTC)

Could you not store summaries of the stuff that is important and fact-based, and delete the dross? And these summaries should be accessible to the users concerned. --JN466 16:48, 28 June 2011 (UTC)

That would be fairly easy to do—produce a summary of the discussion that contains only the agreed facts—or allegations along with evidence—and a rebuttal from the person concerned. And only those summaries are forwarded to a separate archive, with archiving for the main mailing list switched off.

There should definitely be no more discussions among Arbs without the subjects being cc-ed, with exceptions for serious real-life issues, such as evidence of mental-health problems or a justified fear of real-life stalking. The bottom line is that we have to start applying the BLP principles to internal discussions too. SlimVirgin ^{TALK|CONTRIBS} 17:01, 28 June 2011 (UTC)

(unindent) I can say with a good amount of confidence,firmly, no, that is not going to happen SV. We will discuss things amongst ourselves as necessary for our job, no more, no less. SirFozzie (talk) 17:27, 28 June 2011 (UTC)

That has not been happening, though. A great deal of the discussion seems to be about non-issues, issues invented by ArbCom. Obsessing about who's a sockpuppet (why is ArbCom dealing with SPI issues?), discussing whether to unblock very troublesome editors (when these are issues for the community). Editors being insulted gratuitiously. In the mean, requests for arbitration are turned down, or dealt with so slowly it's like watching paint dry. In short, it feels as though the ArbCom mailing list is just another venue like IRC circa 2006, or WR, where people are attacked so the in-group can bond socially.

It can't continue if the Committee wants the community to have confidence in it, or respect for it. And I hope the Foundation won't allow it to continue, because it has ethical and legal implications that can't keep on being ignored. SlimVirgin ^{TALK|CONTRIBS} 17:40, 28 June 2011 (UTC)

Agreed - and I would even go further - quite apart from the information concerns that have been raised, ArbCom would actually do its basic job of arbitrating better if the arbs didn't talk to each other about substance in private. We want to know on what basis each arb reached their decision, and we expect them to do so independently with their own intellect, not via groupthink. (Yes, I know what real-life juries do, but they're not really comparable.)--Kotniski (talk) 18:06, 28 June 2011 (UTC)

That still leaves the possibility of not archiving the list traffic, but creating a database of the relevant facts, allegations, and evidence, and making that open to the people concerned. --JN466 19:28, 28 June 2011 (UTC)

Good points from Sandstein and Will regarding transparency. --JN466 16:04, 28 June 2011 (UTC)

I thought Risker came over as a real straight shooter in the emails with a priority on doing the right thing, vice how it would look. TCO (talk) 03:34, 28 June 2011 (UTC)

I have to say, Pulling the Curtain back really has allowed me to appreciate how much work the committee does behind the scenes. I had always thought of them as a bloated but necessary bureaucracy that really failed to do much at all. The Resident Anthropologist (talk)•(contribs) 03:18, 29 June 2011 (UTC)

I was quite pleasantly surprised to read comments such as "... the thoughtful and intelligent people there [Wikipedia Review] who want to discuss Wikipedia but aren't in a position to do so on the main site--Kelly Martin, Somey, even Greg Kohs and Abd when they're not off on a tangent ...". -- Seth Finkelstein (talk) 03:51, 29 June 2011 (UTC)

An update on WMF’s view of this incident: We were notified about the disclosure of ArbCom information shortly after the disclosure appeared. We have conducted a preliminary review and have detected no unauthorized activity on our servers. We have nonetheless taken precautionary security measures and will continue to investigate the situation as appropriate. Philippe Beaudette, Wikimedia Foundation (talk) 09:22, 28 June 2011 (UTC)

If it’s determined that there was no unauthorized access to the mailing list archives on WMF’s servers, that will mean that Iridescent can’t have been the only arbitrator who was hacked, correct? Some of the leaked e-mails are from before Iridescent became an arbitrator, so the only way they could have been obtained using Iridescent’s account is if an attacker broke into the archives using Iridescent’s password. If there was no unauthorized access to the archives, then it wouldn’t have been possible to obtain messages from before the beginning of the year using only Iridescent’s account. --Captain Occam (talk) 09:56, 28 June 2011 (UTC)

Not necessarily. Access to the archives by an arbitrator's account wouldn't be flagged as "unauthorized" on a technical level, since the security mechanisms would have no way of knowing whether said account was under the control of someone other than the real arbitrator. Furthermore, if an arbitrator had a personal copy of the archive, and it was their system (rather than just their email account) that was compromised, that copy of the archive could be distributed without leaving any traces on the WMF servers. Kirill ^{[talk] [prof]} 10:18, 28 June 2011 (UTC)

Moreover, there's absolutely no evidence Iridescent's account was hacked.  Roger Davies ^talk 10:24, 28 June 2011 (UTC)

Kirill: I was assuming that the mail archive kept a log of the IP addresses that have logged into accounts there, and that Philippe’s comment meant that no arbitrators’ accounts had been accessed by IPs other than those normally associated with the accounts’ owners. I could be misinterpreting him, though, and I also see your other point.

Roger: Thanks for pointing out that there doesn’t seem to be evidence of Iridescent having been hacked; I’d missed that.

Is ArbCom considering the possibility that one of its members deliberately chose to leak these e-mails? I know it’s a much more palatable idea that someone’s account or system was compromised, but if there’s no evidence of that having happened, the alternative should be considered also. Based on this thread, deliberate leaking of mailing list contents from a (former) arbitrator appears to be something that’s happened before. --Captain Occam (talk) 11:04, 28 June 2011 (UTC)

Yes, of course the committee considered that. If you read Coren's earliest statements about it, you see that it was our original assumption. In my view, it has not been eliminated as a possibility. We just don't know. Cool Hand Luke 12:19, 28 June 2011 (UTC)

Hmm. I was going to say that the odd selection of material leaked argued against an insider trying to do damage. But then I realized that one could turn that around, and say the odd selection of material leaked argued for an insider, but not trying to do damage. That is, the people who have come off the worst from this have essentially been those who are troublesome cases for ArbCom. It does sort of look like what one would get if a frustrated prosecutor or police officer started leaking private documents about annoying court cases. That's just a speculation. But it's an intriguing thought. -- Seth Finkelstein (talk) 12:52, 28 June 2011 (UTC)

To date, our little thief has mostly posted threads at the request of people interested in unveiling imaginary conspiracies. That those vast conspiracies ended up being phantasms should come as little surprise. There are very few truly damaging things to reveal in our archives, and those would be damaging to third parties rather than the committee (hence our dismay at the theft).

Honestly, except for the possibility of taking fragments out of context, the worst behavior arbs tend to engage in on the private list is to be more candid than would have been appropriate in a public venue — embarrassing, perhaps, but certainly not the smoking guns some people imagine. The reason we are so pissed is because the people who emailed us in confidence may end up being victimized because some little thief feels they can make themselves interesting by posting their purloined email. — Coren ^(talk) 00:14, 29 June 2011 (UTC)

Indeed, it's mostly threads about convoluted cases (hard to call it conspiracy derisively when it really is about secret deliberations - out of necessity, of course). But, that's very strange behavior in context. What sort of cracker has all of: the familiarity with Wikipedia culture to start out with eyes-glaze-over detail, the motivation to crack into the list, and the lack of interest in obvious ways to embarrass ArbCom? That combination is extremely puzzling to me, in terms of

WP:BEAN : If I had such an archive, I'd search the entire collection for mentions of every critic or person with a platform, and personally email them all messages containing their name. Now, it's not that the people involved don't have a good idea of what might be said about them in private (given what's often said about them in public :-)). But still, being exposed as behaving badly can cause a loss of confidence. And some "candid" comments can be smoking guns, if they show a person taking private positions contrary to what they've publicly espoused (I can think of a few of possibilities here involving past Wikipedia bad publicity). I agree with you about who is getting hurt here, those on the bottom. But I think that's in part happening because of the way the leaker is going about things. And perhaps that's a clue (and maybe not, as life isn't a mystery novel). -- Seth Finkelstein (talk

) 01:22, 29 June 2011 (UTC)

I suggest to inform other ACs to avoid similar thing - I did this for plwiki Bulwersator (talk) 10:22, 28 June 2011 (UTC)

i agree. de.wp: the german arbcom doesn't need an extra note, because it is not authorized to store comparable databases anyway. de.wp-arbcom-members are not entitled to hold privacy policy-related flags on a local basis, regards --Jan eissfeldt (talk) 16:17, 28 June 2011 (UTC)

Hi , i wanna ask you something. I dont know who can help me , but i want to talk about it with you. Maybe you can advise me something. We Kurds (Kurmanj[2] , Zaza[3] , Soran[4] ) have 3 wikipedia. There is an administrator in zazaki[5] wikipedia. He's doing abnormal things. He doesnt let zaza Kurd to write correct articles. He blocks users and the most important thing , He puts (copy-paste) same writing on many articles. He just tries to show that there are many new articles in Zazaki, but all are same. How can we stop him? I dont want him to mess up Zazaki Wikipedia? How can i report him? Can you please help me? What should i do? Have a nice time —Gomada 20:57, 29 June 2011 (UTC)

Gomada, I'm afraid the Arbitration Committee only has authority on the English Wikipedia and is unable to help you on other language wikis. You should try contacting another administrator on your home wiki.

a/c

) 22:03, 29 June 2011 (UTC)

Ok Hersfold , thank you for answer. —Gomada 12:57, 30 June 2011 (UTC)

I would like to know which member of ArbCom, past or present, is responsible for this leak.[6]

Maybe nobody is responsible and it is result of succesful hacking attack (or maybe sb decided to use "12345" as password)? Bulwersator (talk) 10:36, 28 June 2011 (UTC)

Oh dear. This is not going to end well, and I fear you--rather than the responsible parties--are going to end up pilloried. → ROUX ₪ 15:13, 23 June 2011 (UTC)

I'm quite used to that, but there's something amiss here that needs sorting out. What else has been/is being leaked?

Fatuorum

15:15, 23 June 2011 (UTC)

Without engaging in hyperbole, this is really very bad. personally I'd bypass the usual ArbCom nonsense and go straight to WMF. Moonriddengirl might be a good way to get someone to take notice. → ROUX ₪ 15:23, 23 June 2011 (UTC)

meta:Ombudsman commission seems to be the appropriate Wikimedia body for outside review of this matter. –xeno^talk 15:29, 23 June 2011 (UTC)

The Ombudsman Commission investigates violations of the Foundation privacy policy, which does not appear to have occurred. This is a matter of a breach of trust by a community member, but not a matter for the Foundation. Dominic·t 16:47, 23 June 2011 (UTC)

Would a contributor's non-public(?) email address not be considered personally-identifying information? –xeno^talk 17:03, 23 June 2011 (UTC)

Can't be any past arbitrators (for the initial leak anyway); the only people on the list these days are current Arbs and Jimbo. NW (Talk) 15:28, 23 June 2011 (UTC)

• The committee is aware of the situation and looking into it. –xeno^talk 15:29, 23 June 2011 (UTC)

Malleus, please accept my most profound apology for this unforgivable breach of your expectation of privacy. It is vanishingly unlikely that this leak comes from someone else than a sitting arbitrator, and I want to assure you that I will do everything in my power to identify the slime who did this and crucify them. — Coren ^(talk) 16:34, 23 June 2011 (UTC)

In this particular instance there was nothing particularly private, just a chat with Iridescent (who I don't at all blame for this) about a few options that are now impractical. It does though raise the very serious question of what else has been leaked.

Fatuorum

16:49, 23 June 2011 (UTC)

Nevertheless, you were given an assurance of confidentiality and, through lack of care or dishonesty, it has been breached. I agree with you that the possibility of further leaks that we are unaware of is worrisome, and makes it all the more important that the leak is found and plugged. — Coren ^(talk) 17:09, 23 June 2011 (UTC)

It clearly needs to be sorted out, and quickly. I must admit to being rather puzzled at this discussion being leaked though, as I'm sure there must be much juicier stuff on the mailing list that's far more interesting.

Fatuorum

17:15, 23 June 2011 (UTC)

I do hope this isn't swept under the rug, either. This is a serious breach of confidentiality and I (and I'm sure others) would very much like to know who the leak is. Please don't just do whatever it is you arbs do behind closed doors. Please make a public statement about this once it is known who did such a thing. Tex (talk) 17:18, 23 June 2011 (UTC)

I agree with Tex, this is a very serious matter and as Tex said a lot of people would very much like to know who leaked and I, along with others, want a public statement as to what happened once it is figured out. This is a very serious issue and indeed it is worrisome that possibly other things have leaked out. This is truly disconcerting, as this defeats the entire purpose of Arb Com and emailing, to keep things that are private private, had he wanted it public he wouldn't have been emailing it. As Malleus said there are much more interesting things that could be talked about and that is partially what has me worried, if this is what we have found then there is probably other stuff that is more interesting or important out there as well. I hope that this is all resolved quickly and we can be assured that this is all that is out there.  Adwiii  Talk  17:42, 23 June 2011 (UTC)

The same person has leaked some emails I recently sent to the ArbCom, and emails from some of the Arbs discussing it between themselves. I think it's important that an announcement be made about this somewhere prominently, so that people know not to send anything confidential to the ArbCom until it's sorted out. SlimVirgin ^{TALK|CONTRIBS} 18:41, 23 June 2011 (UTC)

I've temporarily removed the word "private" from the emphatic bright yellow box on the page, since such status can't currently be guaranteed. I agree an announcement somewhere else (although I'm not sure where) might also be a good idea. --

talk

) 18:47, 23 June 2011 (UTC)

The resulting statement instructs individuals to send all material (private or otherwise) for our attention to the list. –xeno^talk 18:51, 23 June 2011 (UTC)

Well, it says "any", not "all", but yes it could have been construed that way. So how should it be worded? How about "Material intended for the Committee's attention can be sent to..." ? The alternatives are emphatically suggesting a level of privacy that likely does not currently exist, or removing mention of the email address altogether until the problem is resolved. Or is there a better way? --

talk

) 18:59, 23 June 2011 (UTC)

I'd suggest full and clear honesty. Something like Notice: Communication with ArbCom has been confirmed to be compromised. Confidentiality can not be guaranteed at the current time.--Cube lurker (talk) 19:08, 23 June 2011 (UTC)

I think the first sentence of that is perhaps overly dramatic. The second, in small, would be adequate though. --

talk

) 19:15, 23 June 2011 (UTC)

I think this is serious enough that I'd be more concerned about failure to fully inform someone who intended to transmit confidential information. My understanding is that someone with access is willing to release information maliciously. There's a definite right to know issue that goes beyond a fine print note that could be missed or not treated seriously.--Cube lurker (talk) 19:22, 23 June 2011 (UTC)

(ec) No one will notice it there. It should be posted somewhere prominently. It would be best if the ArbCom would do that asap. SlimVirgin ^{TALK|CONTRIBS} 19:23, 23 June 2011 (UTC)

This aspect of the discussion has been superseded by Coren's note below as far as I'm concerned. --

talk

) 19:26, 23 June 2011 (UTC)

brief status update

At this time, the source of the leak seems to have been identified and closed. We are not yet able to determine what other emails may have been stolen, but I am confident that future email will not be so exposed. The committee will give a detailed statement regarding the incident once we have finished cleaning things up and investigating the matter in detail (within the next 24h). — Coren ^(talk) 19:24, 23 June 2011 (UTC)

Confirming what Coren has said above. For the record, this incident has been discussed with the WMF as well. Risker (talk) 19:32, 23 June 2011 (UTC)

Given the ongoing leaks at Wikipedia Review, how confident are you that this matter is now sorted?

Fatuorum

22:24, 23 June 2011 (UTC)

Interestingly, the material posted so far has been surprisingly mild, and far more gossipy than scandalous. I'm a little hesitant to start writing

WP:BEANS cases, but I think either the person who has the emails doesn't know what would be (relatively) explosive, or doesn't have much (I'm excluding there being nothing scandalous, based on knowing the personalities of certain people :-) ...) -- Seth Finkelstein (talk

) 22:48, 23 June 2011 (UTC)

We are quite certain that we have identified the source of the leak, and that the account involved no longer has access to any private mailing lists or the arbitration wiki. We are still assessing what information was accessed while the account was compromised. As a precaution, other members of the committee are changing passwords and reassessing their personal security precautions including hardware/software checks. Risker (talk) 22:51, 23 June 2011 (UTC)

Should we assume that when the announcement about this is posted, it’s going to include the identity of whichever arbitrator leaked the e-mails? If it’s now been determined who was responsible for the leak, I think the community has a right to know that. --Captain Occam (talk) 00:44, 24 June 2011 (UTC)

Risker seems to imply that the arbitrator in question had their account and/or email and/or other login information compromised by a third party. NW (Talk) 00:50, 24 June 2011 (UTC)

Coren indicated that Iridescent's account had been compromised, but some of the leaked material dates from before his time on the ArbCom. I hope the Committee will be completely transparent about what happened here. SlimVirgin ^{TALK|CONTRIBS} 00:59, 24 June 2011 (UTC)

Part of the problem is that most passwords, including that to the email archive, were sent by email (hence the importance of having all accounts pointing at a new email account as swiftly as possible). Of course, access to the archive and wikis was immediately removed to prevent further access, but that will have had no effect on what data was already stolen.

In other words, it's not really possible to establish with certainty what, or how much, has been taken before the accesses were changed; our focus will be on securing things for the future so that this does not happen again. I'm going to recommend a number of procedural changes to diminish the probability of such incidents happening in the future, as well as push very hard for strong security precautions to access confidential data (for instance, two-factor authentication to access privileged wikis or archives seem important to me). — Coren ^(talk) 01:07, 24 June 2011 (UTC)

I had a conversation with the Foundation about this around a year ago, maybe longer. Anyone gaining access to the wiki or the archives needs that access only for the briefest of periods. They download the material, and that's that. Once this immediate situation is sorted out, I think a serious discussion needs to take place about the amount of information the Committee is retaining about people. Realistically you can't guarantee its safety, and the larger the mailing list, the less of a guarantee there can be. SlimVirgin ^{TALK|CONTRIBS} 01:12, 24 June 2011 (UTC)

Yes, I'll spearhead that necessary work to reform myself. — Coren ^(talk) 01:14, 24 June 2011 (UTC)

Mike Godwin posted to one of the mailing lists recently that enlightened organizations are retaining very little data about individuals, so that if a legal issue arises, there's little to hand over. And the same principle would apply to security, that if there's a leak, there's not much that can be released. But it seems the ArbCom and functionaries take the opposite approach, retaining large archives, setting up an ArbCom wiki, and I believe a checkuser wiki. A great deal of it is unpleasant gossip about people, and some of it is material that ought to remain private. So I really question the ethics of this approach, because I think it's very unfair to editors to keep so much material for so long, and to be constantly giving new people access to it, even though the subjects of the information may not have seen it themselves. SlimVirgin ^{TALK|CONTRIBS} 01:31, 24 June 2011 (UTC)

Coren, is what you’re saying that it was possible to use Iridescent’s account to access information from before Iridescent became an arbitrator, because their e-mail account contained the password to the archive of past mailing list discussions? And it’s certain that there wasn’t any leak other than whoever broke into Iridescent’s account? --Captain Occam (talk) 01:16, 24 June 2011 (UTC)

That is what every the evidence we have indicates, yes. I'm not going to say that it's certain that there are no other possible leaks, but it's certainly improbable. I'm probably the only arbitrator who controls every part of his email infrastructure, so I can tell you as a fact that no access has been made to my own email, but the other arbitrators have taken measures to ensure that their passwords are secure to make as sure as we can that no other leak is possible. — Coren ^(talk) 01:22, 24 June 2011 (UTC)

(ec) That was the issue I raised with the Foundation, that new members automatically gain access to the full archives, including material they have no need to read. Some kind of purging ought to be taking place each year, so that these secret files about individuals aren't being retained, just waiting for someone to steal them.

Also, the leaker leaked Coren's email saying it was Iridescent's account. Presumably Coren sent that email after that account's access had been removed, so that's somewhat worrying. SlimVirgin ^{TALK|CONTRIBS} 01:23, 24 June 2011 (UTC)

(←) No, it was not, though it is almost certainly the last email that account received from the list: Risker needed a bit of delay to get to a secure computer to remove the accesses. — Coren ^(talk) 01:28, 24 June 2011 (UTC)

I saw some emails that were not addressed to arbcom. For example at least one email was from SV addressed to Cirt. How this got stolen and/or leaked?

I believe, if wikipedia review has some self respect left, it should remove these stolen emails and ban the user who posted them for good.--Mbz1 (talk) 02:41, 24 June 2011 (UTC)

My guess (provisional, and subject to revision based on new information) is that we're seeing information that was in a personal mail archive. As opposed to there being a Wikipedia

Wikileaks cache of the entire arbcom list available. Umm, regarding banning the user who posted them - since it was a new special account, that wouldn't do a lot good even if they were so inclined (horse, barn, door). -- Seth Finkelstein (talk

) 03:03, 24 June 2011 (UTC)

• Just following up on what Coren has said, that was the last email on the mailing list before the account in question was fully disabled from all private mailing lists and from the arbwiki. The point about archive security is entirely valid, and it is a concern that is shared by the Arbitration Committee. We have been having discussions with the WMF specifically about alternative methods of managing archives for various private lists, some processes are already in motion, and we were continuing to examine options for the arbcom-L list. We'll be accelerating those discussions now. However, at least some of it is a moot point because it appears these are from the arbitrator's own email logs and thus even tighter security on arbcom-L or arbwiki would not have changed the outcome. The committee members are now evaluating their own personal security situations, examining methods of storing emails, changing passwords and adding two-step authentications, to reduce the risk of a further recurrence. I know the saying about the barn door (I edit-conflicted with Seth saying the same thing), but I just wanted to point out that we've been working on this in the background for a while, and unfortunately this occurred before we'd managed to hammer out the details for this specific mailing list. Risker (talk) 03:07, 24 June 2011 (UTC)

• For everybody who uses GMAIL there is a line below the list of your messages:

• "Details" is a clickable button. If you are to click it, you will see, if any IP other than your own accessed your account. It is a very useful tool that I used to locate a dirty hacker that hacked my email.--Mbz1 (talk) 03:26, 24 June 2011 (UTC)

Am I right in recalling that this isn't the first time something like this has happened? Didn't someone once do a complete public dump of the ArbCom archives, or something like that? If this incident is any more than a complete one-off, then I suggest we stop giving out the impression to anyone that they can communicate privately via the ArbCom mailing list; if people have anything confidential they need to bring to an arbitrator's attention, they should be advised to write to a single arbitrator whom they trust (ideally the Foundation would employ someone to deal with such matters), and information would be shared further strictly on a need-to-know basis.--Kotniski (talk) 10:14, 24 June 2011 (UTC)

• Some editors indeed chose the method of contacting a single arbitrator, who then forward it to every individual arbitrator when a decision needs to be reached. In this case, it would not have made any difference if the correspondence was emailed via the list or bypassing it (via every individual arbitrator email). -
  Mailer Diablo
  11:09, 24 June 2011 (UTC)

  But my point was that it doesn't need to go to every individual arbitrator. It depends on the situation, I suppose, but I would have thought in most cases it would be enough for at most two or three of them to see it (and others to be told only what the public is told). --Kotniski (talk) 11:28, 24 June 2011 (UTC)

  The position here is that individual arbitrators have no special authority so any actual decisions need to be made the committee as a whole. What would help considerably though would be if people brought fewer things to the committee as many of the matters raised privately could be easily be handled publicly.  Roger Davies ^talk 11:54, 24 June 2011 (UTC)

  Or if the committee learnt to delegate (which would have other advantages quite apart from limiting the circulation of private information). BTW, am I right in recalling that there have been leaks of this nature in the past, or is it my imagination (or untrue gossip)?--Kotniski (talk) 12:01, 24 June 2011 (UTC)

  Yes, see this thread about a leak of the ArbCom mailing list archives in 2009. Graham87 05:07, 25 June 2011 (UTC)

From the threads on WR, it sure doesn't appear to be Iridescent who was hacked to me. Why would Iridescent have the whole SlimVirgin/Cirt/Shell thread, especially since Shell made it clear she was not sharing it with the whole of arbcom? I think your mailing list is leaking like a sieve and something needs to be done, pronto. Tex (talk) 14:07, 24 June 2011 (UTC)

The entire SV/Cirt/Shell thread was forwarded to the arbcom-l mailing list at a later date (following a call for Shell's recusal in the related arbitration case).

As indicated above, it is believed that the immediate cause of the breach has been identified and prevented from further access. We are exploring options to avoid a similar recurrence. –xeno^talk 14:20, 24 June 2011 (UTC)

So what was the cause of the breach?

Fatuorum

14:59, 24 June 2011 (UTC)

It is believed the cause was a breach of security (i.e. someone targeting an arbitrator's PC and/or email account). We intend to post a detailed statement in the near future. –xeno^talk 15:23, 24 June 2011 (UTC)

• As I pointed out to Sue Gardner in this message, there was an incident where a single Arb was contacted regarding an editor who was engaging in pro-paedophilia advocacy. That Arb did not act on the information and nothing was done until Arbcom in full were notified. I am concerned by the suggestion that editors should contact only a single Arbitrator as an effort to reduce the risk of these types of leaks. That course of action has been demonstrated to have other problems. (Gardner did not reply to my message and email, or my follow-up, incidentally.) Delicious carbuncle (talk) 00:28, 25 June 2011 (UTC)

Break - security

What's the status regarding functionaries-en? Is there anything to indicate that material from that list was also compromised? /ƒETCHCOMMS/ 18:34, 24 June 2011 (UTC)

It's likely that some or many email from that list were also in the compromised mail account. Whether the criminal who broke into it cared enough for those email (who are, in the end, much less superficially "interesting" than arbcom-l's) to download them before access was cut, we cannot say. I note that none seem to have been leaked, though that obviously shouldn't be taken as any sort of guarantee. — Coren ^(talk) 19:20, 24 June 2011 (UTC)

As an uninvolved (I hope!) observer, I'd hate for the ArbCom to throw out the baby with the bathwater, losing important communication systems and institutional memory. Perhaps the archive can be set with a daily limit and a notice could go to the email list every time the it's accessed. Whatever the right solution is, I hope the WMF takes this issue seriously enough to devote sufficient coding resources to provide security for the largest Wikimedia project.   Will Beback  talk  19:50, 24 June 2011 (UTC)

There are systematic problems to fix for which, indeed, there may be technological help available. Much of this would require a bit of coding and support from the foundation (I would, for instance, strongly suggest some sort of two-factor authentication before private data can be accessed, and a running log of such accesses).

By happenstance IT security is my specialty, so I've already spoken at length about stronger security mechanisms; but I'm going to work directly with the foundation to help put those mechanisms in place in the short term. If nothing else, this incident will have served to highlight the importance of doing so. — Coren ^(talk) 19:56, 24 June 2011 (UTC)

Re Xeno's recent email to me, which hasn't yet been leaked onto WR, I hope that you will not fall into the trap of security by obscurity, or avoid disclosing what actually happened here by deploying the silly beans argument. I am not at all happy about the situation this leak has put me in.

Fatuorum

20:03, 24 June 2011 (UTC)

I actually know security, Malleus; you'll not find me arguing for security theater. Little of what happened could have been avoided the way things are currently set up; we've plugged the immediate hole, but unless we start taking security more seriously such things are going to happen again. Like I've said, I've already approached the Foundation to start working on a review and rebuild of the way we handle private data from the ground up.

I take what happened to you (and the other victims) very seriously, and I don't intend to let the matter rest until I can confidently say that another incident like this will not happen again. — Coren ^(talk) 20:15, 24 June 2011 (UTC)

• There are two separate issues here: the first is the personal IT security of individuals with access to non-public mailing lists, which we believe is what is at issue in this current event. We all know people who have taken all kinds of precautions and still wound up with hidden software in their computer; and this will always remain the most likely vector of attack.

  The second issue is the management of archiving of private mailing lists, and we have been working with WMF on this issue for some months now. Changes are already in progress for some private mailing lists which are affiliated in whole or in part with Arbcom. The biggest challenge is the Mailman software that is currently used by WMF: it is extremely inflexible when it comes to archiving. One either has archiving turned on or off, but there is no ability to set auto-destroy or to manually remove posts from the archives. Therefore, the only way to keep current archives that are in very active use is to also keep the archives that were created at the inception of the list. We have made what we believe is a strong case for WMF to consider other mailing list software specifically for private mailing lists (Mailman's archiving function is just fine for the public lists).

  We have also endorsed the principle of requiring two-step log-in for WMF-related private wikis, and I've been advised that the developers/sysadmins are currently looking at how this can be done, with a goal toward implementation. Risker (talk) 21:02, 24 June 2011 (UTC)

  • And how long will that take, given the glacial pace of Wikimedia development?
    Fatuorum
    21:13, 24 June 2011 (UTC)
    • Fair question, Malleus. My understanding is that this has been established as a high priority by Erik Moeller, to whom the entire developer/sysadmin structure currently reports, with significant support from the other department heads, so I'm guessing it's moved fairly close to the top of the heap. I've been given to believe that it's not a particularly difficult fix, but I'm poorly acquainted with anything that technical so can't give you an honest assessment. My sense is we're talking days to weeks rather than the usual many weeks to months. Risker (talk) 21:25, 24 June 2011 (UTC)
      • So presumably the only safe thing to do in the interim is to assume that the ArbCom mailing list is not confidential?
        Fatuorum
        21:32, 24 June 2011 (UTC)
        • Well, it's as confidential as emailing any mailing list to which a group of individuals are subscribed. From the feedback I am seeing from my fellow arbitrators, the majority of us have now taken additional precautions to secure the email addresses to which we subscribe to the list, and have changed passwords on all applicable accounts; however, there remains the reality that anyone can be hacked by someone determined to do so, just as any of us could have our wallets stolen no matter how many precautions we take, or our houses could be broken into regardless of all the fancy security systems we subscribe to. We can mitigate the risk, but it will never completely disappear. Risker (talk) 22:00, 24 June 2011 (UTC)

So as I said, the only safe thing to do is to assume that the ArbCom mailing list is not secure, and can never be secure.

• that should be pretty much assumed to be case with any system attached to the web yes.©Geni 23:09, 24 June 2011 (UTC)
  • So why the claim that it was secure, and why should anyone believe that it's now secure?
    Fatuorum
    23:42, 24 June 2011 (UTC)
    • I don't follow such things closely; where was the claim made? The reality is there is no such thing as absolute security for anything held outside your own head (even there there there is active research to get at stuff). So really it boils down to degrees of security. Historically arbcom have mostly relied on most arbcom members not leaking stuff (kelly martin is the exception) and the list not being interesting enough for more than standard security measures to be needed.©Geni 23:55, 24 June 2011 (UTC)

On a related note, I urge everyone who views this thread to check LulzSec's leak of 62,000 email-password combinations and ensure that if your email address has been listed, immediately stop using the associated password. (But this is a little late, perhaps, as the list was released last week and has surely been plundered several times.) /ƒETCHCOMMS/ 21:16, 24 June 2011 (UTC)

The story so far

Yesterday, around 15h UTC, we were made aware by Malleus Fatuorum that an email exchange between him and Iridescent, which was forwarded to the Arbitration Committee had been leaked to an external website. The contents of the leaked email thread, which included comments that were restricted to the Arbitration Committee list itself, demonstrated that the leak necessarily came from someone who had access to (at least part of) the email archives or email box of a currently sitting arbitrator (or Jimmy Wales).

An investigation of the technical aspects of the leak have shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran, indicating that the person responsible for the leak was in control of that mail account. Given that it seemed highly improbable that Iridescent himself would have had the wherewithal to use a proxy computer in a foreign jurisdiction yet use a mail account directly associated with him, the scenario that the leak was a wilful act from Iridescent was not credible.

At that time, I emailed the list and arbitrator Risker directly (who is one of the arbitrators in technical control of the mailing lists and the secure wikis) that Iridescent's mail account was compromised, and that it should be immediately removed from all private lists and wikis. This was done shortly, thus ensuring that whoever was in control of Iridescent's email account would get no further access.

Simultaneously, we entered in contact with Iridescent through a different email account and verified that he was the correct person with private information that could not be found in any email archive. Once contact was established, Iridescent immediately changed all his passwords and all the email addresses associated with wiki accounts he has access to. At this time, Iridescent is still evaluating his personal computing security and has not yet been returned any access to private information.

Every arbitrator has since taken steps to reevaluate their own computer security by, among other things, changing their passwords or other credentials where appropriate, or turning on additional security features such as two-factor authentication where possible. While this offers no guarantees that all our accounts are secure, it greatly reduces the probability that more accounts are under external control.

Unfortunately, Iridescent's password to the Arbcom email archive was sent to him via the email address that was compromised, and it seems that the attacker used it to access it to leak at least one email thread from it. At this point, we must presume that all of Iridescent's email to and from that email address as well as an unknown fraction of the archive of the mailing list have been stolen by the attacker. Likewise, it is not possible to assess whether only Iridescent's Yahoo account has been compromised, or whether much or all of his computing resources were.

In the name of the Arbitration Committee, I offer our most profound apologies to everyone whose privacy has been breached by this criminal act. While our investigation is ongoing, and we hope to gather enough information to evaluate more precisely the extent of the intrusion, our focus will be on making the necessary systemic changes to prevent such an attack from succeeding in the future.

— Coren ^(talk) 21:08, 24 June 2011 (UTC)

That account is not strictly accurate, as I have never to my knowledge emailed the Arbitration Committee. What was made public was a series of emails I exchanged with

Fatuorum

21:16, 24 June 2011 (UTC)

I've tweaked it accordingly. I don't think it makes much difference in substance, though. — Coren ^(talk) 21:57, 24 June 2011 (UTC)

It may not, but it more accurately represents what happened. I did not, and have never, emailed anything to the Arbitration Committee.

Fatuorum

22:02, 24 June 2011 (UTC)

Malleus

Coren's account above is correct to the best of my knowledge. I endorse the posts that have been made by Coren, Risker, and others. I will add only that upon learning of what had occurred, I immediately ruled out the possibility that Iridescent had intentionally leaked the material based on everything I know about him, even before I learned of the technical evidence demonstrating an external hack. Newyorkbrad (talk) 22:58, 24 June 2011 (UTC)

An external hack of what? This still needs some explanation.

Fatuorum

23:46, 24 June 2011 (UTC)

An arbitrator's email account was compromised by an unknown third party. This third party then used the additional information gathered after gaining access to the email account, (the emails to that Arbitrator with the passwords to the archives, which would be necessary for the performance of their duties) to gather additional information. We're still trying to figure out how and by whom, but this incident has of course prompted all of us to review our own security and try to determine not only how this happened, and by whom, but how to prevent it from happening again. SirFozzie (talk) 23:52, 24 June 2011 (UTC)

And how was that done? No more beans bollocks please, just a little bit of honesty.

Fatuorum

23:59, 24 June 2011 (UTC)

Malleus, how the hell could we know? Maybe the thief guessed Iridescent's password. Perhaps he has a keylogger on a computer that Iridescent has used, or he has compromised a router between him and Yahoo. Perhaps he is a Yahoo employee with enough access or a backdoor to compromise the accounts of arbitrary users. We almost certainly will never know how the account was compromised unless the miscreant steps forward and confesses. — Coren ^(talk) 01:13, 25 June 2011 (UTC)

Maybe the thief guessed Iridescent's password to what? And how do you explain the initial focus on me?

Fatuorum

01:24, 25 June 2011 (UTC)

If I might mildly interject, I think this is an excellent question. As Captain Occam says somewhere below, it is often possible to figure out how an account was hacked and someone needs to do that figuring. At the least, simple questions like "was Iridescent's password guessable", do other arbcom members have secure passwords (minimum 10 characters with mixed uppercase, lowercase, digits, etc.) should be asked and answered. (I'm collapsing the gratuitous part of the discussion below.)--rgpk (comment) 14:03, 25 June 2011 (UTC)

As someone who’s had online accounts belonging to me broken into in the past (not at Wikipedia; this happened before I joined) I don’t agree with the statement that it’s not possible to determine how Iridescent’s account was broken into unless the culprit reveals it. Other members of ArbCom probably won’t be able to determine this, but I don’t think it’s unreasonable to expect Iridescent to. It’s often possible for a person who’s been hacked to determine what method was used against them, and I’ve done this myself. Once a person has determined when they were first hacked (which in this case Iridescent could determine from her e-mail IP login history), they can next determine what vulnerabilities they were exposed to at around that time. I think that determining how a break-in was accomplished is an important part of preventing the problem from recurring in the future, because without an understanding of how it was done, you can never be certain that you’ve removed the vulnerability that made it possible. --Captain Occam (talk) 09:10, 25 June 2011 (UTC)

That's true, but may not be particularly helpful in this case. Everything we've seen so far suggests that this was a targeted compromise (in other words, that the attacker set out specifically to gain access the Committee's correspondence) rather than an opportunistic one; if that's the case, then it's quite possible that the underlying security breach took place days or weeks before the material was released, and that the attacker has had ample time to compromise any audit trails. Kirill ^{[talk] [prof]} 11:22, 25 June 2011 (UTC)

Even if the e-mails weren’t released until weeks after Iridescent’s account was broken into, isn’t it likely that Iridescent’s e-mail account would have been logged into by an unfamiliar IP address whenever the breach first took place? If the attacker didn’t even log into Iridescent’s e-mail account until a long time after obtaining the password, there would have been a possibility of Iridescent changing their password before the attacker could download any material from the mail archive. --Captain Occam (talk) 15:44, 25 June 2011 (UTC)

• See
  spear phishing. That's the most likely explanation. ArbCom should not hold forth their ability to keep correspondence confidential, nor should archives be kept past their immediate need. ArbCom does not have the benefit of a professional IT staff, and they are sufficiently numerous that there will always be at least one member to can be successfully victimized by social engineering. It would be regrettably if many years worth of confidential information were to suddenly surface on the open Internet. Hopefully ArbCom has been purging their archives regularly. Jehochman ^Talk
  20:04, 26 June 2011 (UTC)

• Apparently not. SlimVirgin ^{TALK|CONTRIBS} 20:27, 26 June 2011 (UTC)

PGP

• Would the severity of this incident and the importance of confidentiality merit arbitrators adopting PGP for their email communications? --causa sui (talk) 23:43, 24 June 2011 (UTC)
  • I can't speak for the other arbs, but I think all options need to be considered. Of course, that means any further archives (which to some, is rather necessary for us to do our jobs, especially when we do clarifications or amendments of past decisions) would be useless. I'm not going to rule anything in or out, however.. we're taking a Soup to nuts review of our current situation, both personally, as a committee, and working with the WMF. SirFozzie (talk) 23:52, 24 June 2011 (UTC)
    • Has anyone actually used PGP for day-to-day conversations? I have, and found it to be pretty cumbersome. A simpler solution would be to move ALL conversations to a secured Wiki, and just turn on email notifications of changes. Jclemens (talk) 06:12, 25 June 2011 (UTC)
  • We're still assessing the situation, but preliminary findings appear to look very bleak. Encryption might well become the future way of securing email communications along with other long-term security measures, which the arbitrators will be discussing once the dust settles. -
    Mailer Diablo
    23:57, 24 June 2011 (UTC)
    • Why do you say "preliminary findings appear to look very bleak"? Nothing of much consequence (no offense meant) has been leaked. Do you KNOW that the Arbcom email archive was downloaded? -- Seth Finkelstein (talk) 00:05, 25 June 2011 (UTC)
      • Know? Not as of yet. Is there inklings from what HAS been posted? Yes. SirFozzie (talk) 00:13, 25 June 2011 (UTC)
        • I'd say the opposite. The thread that pre-dated Iridescent being on the committee has been explained as having been forwarded later. I suppose the thing to do is to ask Iridescent if he was in the habit of keeping everything archived, or just saved a few threads once in a while. -- Seth Finkelstein (talk) 00:23, 25 June 2011 (UTC)

• Good to know that you're on top of it. I brought up PGP because aside from giving a second layer of security -- PGP-encrypted email is left encrypted in the inbox, requiring a hacker to guess an extremely strong password before he could read any archived mail -- it would have an important additional benefit: PGP would allow arbitrators to send identity-validated communications to prevent a more intelligent and destructive hacker from impersonating an arbitrator. That hasn't yet happened, but it should be on our minds as a very real and very, very dangerous disaster scenario. I'm sure you'll reach out to anyone you think can help you implement the security measures you choose. Good luck. Regards, --causa sui (talk) 23:59, 24 June 2011 (UTC)

• Non-repudiation is among the least important of the security aspects of messages. Impersonating an arb gets one very little, and of that "very little", almost none could not be quickly reversed when the mischief was discovered. The bigger issue is the account compromise itself, which could lead to...
  WP:BEANS. Jclemens (talk
  ) 06:24, 25 June 2011 (UTC)

• Well then, whichever security concern you think is most important, I'll say PGP is an elegant solution to it and leave it at that. :-) --causa sui (talk) 16:52, 25 June 2011 (UTC)

Re: Malleus

• Seth, the password to the archives was emailed to Iridescent, so whoever had access to the account had access to the archives, unless we know that Iridescent did not keep a copy of the password in that account. Two things: (1) I seem to recall from the last leak that the ArbCom agreed to stop emailing passwords, though I may be misremembering, and I can't now find those threads. (2) Are the developers able to see which IP addresses have accessed the archives recently, using which password? SlimVirgin ^{TALK|CONTRIBS} 07:57, 25 June 2011 (UTC)

• As the leaker gained access to the archives, we have to assume that he downloaded them. Can the Committee tell us how far back the compromised archives go so we can judge the extent of the damage? SlimVirgin ^{TALK|CONTRIBS} 07:52, 25 June 2011 (UTC)
  • Mailman stores its archives as a single bundle; anyone who gains access to any part of the archive gains access to all of it. In the case of arbcom-l, this would include material going back to when the list was started (in 2004?); the archives have never been purged, although there have been repeated discussions about doing so. Kirill ^{[talk] [prof]}
    11:16, 25 June 2011 (UTC)
    • Earlier, the kind of material posted suggested to me that the poster did not have much. Even if there was a message with an archive password, I wondered if that message had been found before the archive password was changed. As more material has been posted, I'm reconsidering my original skeptical view. I may have been too restrictive in thinking about what someone would likely do if they had a full dump. Ironically, I've still yet to see something that really puts ArbCom in a scandalous light (it may yet happen, but hasn't so far). -- Seth Finkelstein (talk) 19:15, 25 June 2011 (UTC)

Looking around WR (not pleasant), there are now multiple threads posting what appear to be hacked e-mails. All of these threads are started by someone calling him/herself Maliceaforethought. I would guess that's the screen name of the hacker. Does that name ring any bells? --Tryptofish (talk) 14:31, 25 June 2011 (UTC)

Other than the obvious one, you mean? I'm not aware of any obvious connections to anyone we know, although it's not that difficult to conceal that sort of thing.

At this point, it's not really certain whether the user in question is the attacker himself—the material may have been handed off, à la Wikileaks—or even whether this is the work of a single attacker or of a group. Kirill ^{[talk] [prof]} 14:38, 25 June 2011 (UTC)

Is this really a disaster?

Sure, it's embarrassing for the arbitrators and discomforting for those who have been in communication with them on this list, but in a whole of project sense, just how much damage can be done? Miss E. Lovetinkle (talk) 11:45, 25 June 2011 (UTC)

Our internal deliberations are not the main concern, in my opinion; as you suggest, their being published is more a cause for embarrassment than a real threat to the project. The larger issue is the various material (including evidence, complaints, requests for assistance, and so forth) submitted by other editors; in many cases, this correspondence includes personal information (real names, addresses, telephone numbers, ages) whose release could have negative consequences for editors and non-editors with no relation to the Committee.

I remain hopeful, however, that the individual or individuals in possession of the archives will maintain their focus on the Committee itself, and will refrain from gratuitously exposing the personal information of the many innocent people who've written to us over the years. Kirill ^{[talk] [prof]} 12:12, 25 June 2011 (UTC)

So why was this information never purged? Wasn't it absolutely inevitable that at one time or another it would be stolen and/or leaked? Why were people encouraged to write to ArbCom as if in confidence, when it was known that the probability of the information's remaining confidential would tend to zero over time?--Kotniski (talk) 13:32, 25 June 2011 (UTC)

It's not possible to purge as it's not part of the Mailman functionality: you can either have archives or not. Profoundly unsatisfactory but there you are.  Roger Davies ^talk 13:42, 25 June 2011 (UTC)

(edit conflict) There are several problems with purging the archives; some of these have been alluded to above, but to recap:

• The software used for operating the mailing lists does not allow either selective archiving or modification of the archives after the fact; either the entire archive is retained, in its original form, or no archiving is done at all.
• Numerous proposals have been made to disable archiving entirely, but have never achieved consensus; this is primarily because some level of records retention is necessary to process appeals (particularly repeat appeals), clarifications, and similar matters where examining the content of previous discussions is necessary. It has been suggested that the personal archives maintained by individual arbitrators could serve this institutional memory purpose without the need for a central archive; but there were concerns that (a) no single arbitrator or former arbitrator has archives covering the Committee's entire history, that (b) personal archives could potentially be tampered with in subtle ways, and there would be no "master" copy to compare against, and that (c) this would unduly rely on former arbitrators, many of whom might be inactive or unwilling to share archives.
• An alternative option that was considered was the selective retention of particular discussions in some shared space (e.g. on the arbitration wiki) and the deletion of the original archive. This is something that is currently being done with CheckUser records, but would be prohibitively time-consuming for arbcom-l due to the immense volume of the archives; and there have been security concerns with the arbitration wiki as well.

As far as inevitability is concerned, arbcom-l is not inherently any less secure than any other mailing list used by/for Wikimedia business. A determined attacker can eventually find a way to compromise a system of this sort—we'd need to disconnect it from the internet to truly make it secure—but the same is true of any online system. The only real way to ensure that private correspondence could never be leaked would be to prohibit the use of private correspondence in the first place; otherwise, any system open to remote access is potentially open to compromise. Kirill ^{[talk] [prof]} 13:57, 25 June 2011 (UTC)

But if you keep the information only for as long as it's needed, it's possible but unlikely that it will be leaked. If you keep it for ever, the only question is how much time will elapse before it inevitably is leaked. If the software you use doesn't allow you to discard old information, then you're using the wrong software. And if you know (from common sense and past experience) that the information people send to a given address is highly likely to be leaked, you should at the very least make sure people are aware of that fact before writing to that address. --Kotniski (talk) 14:31, 25 June 2011 (UTC)

Oh, we're well aware that Mailman is the wrong software; unfortunately, it's all that the WMF provides. We tried moving arbitration discussions to a non-WMF-hosted list at one point—thus the succession of "private" lists—but that was rather poorly received by the community, if you recall. Kirill ^{[talk] [prof]} 14:46, 25 June 2011 (UTC)

People have submitted their IRL stuff to you guys? Phone numbers? Why on earth would people do that? Why would you require people to submit such information? This is an online encyclopedia. What possible necessity is there in the provision of information of that kind to you and your colleagues? This really is quite surprising stuff. Miss E. Lovetinkle (talk) 13:38, 25 June 2011 (UTC)

No it's not a requirement of ours but you'd be astonished what some people think is pertinant to tell us.  Roger Davies ^talk 13:42, 25 June 2011 (UTC)

Well given that I've just discovered where this stuff is being posted to, I think this might be a bit of a disaster. For you guys at any rate. Oh dear. There's some rancid stuff coming out. What the hell is the "functionaries" list? Apparently stuff from that is being released now. Miss E. Lovetinkle (talk) 13:46, 25 June 2011 (UTC)

• Is this a disaster? Looks like one to me.
  Off2riorob (talk
  ) 13:36, 25 June 2011 (UTC)
  • Well, given that we're told that almost the same thing happened in the past and absolutely nothing was done to prevent a repetition, this episode would appear to have revealed ArbCom as an institution to be almost criminally incompetent. I'd say it's a good thing that more people are now aware of that fact. --Kotniski (talk) 14:24, 25 June 2011 (UTC)
    • The previous situation to which you refer was someone who had authorized access to the material releasing it in breach of trust. In this case, there was a breach of security - as could happen to any system connected to the Internet. –xeno^talk 14:29, 25 June 2011 (UTC)
      • So? The point remains that nothing was done to prevent or ameliorate a potential repetition, and people writing to the list were not warned that this was likely to happen. --Kotniski (talk) 14:34, 25 June 2011 (UTC)
        • As I recall that's not correct, Xeno. There have been leaks before from the ArbCom list or wiki to WR, and we were told at the time that someone had hacked into something. SlimVirgin ^{TALK|CONTRIBS} 15:25, 25 June 2011 (UTC)

You'll have to point me to that; they haven't been referenced yet in this discussion as far as I can tell. –xeno^talk 15:30, 25 June 2011 (UTC)

• You might be referring to the arbitration wiki vulnerabilities (e.g. being able to determine the presence of pages based on the error reported, etc.), which led to new security measures being implemented on that wiki. There were earlier leaks from arbcom-l (before the removal of former arbitrators from the list), but those were believed to be deliberate leaks rather than technical compromise. Kirill ^{[talk] [prof]} 15:33, 25 June 2011 (UTC)
  • I'm thinking in particular of email threads that were posted to WR about two particular editors. I don't want to name them here. My recollection of that is we were told the wiki had been hacked into, and there was talk then of changing the way passwords were generated or distributed. SlimVirgin ^{TALK|CONTRIBS} 15:36, 25 June 2011 (UTC)
    • I think we're talking about the same thing, then; but, as you mention, that was a compromise of the arbitration wiki, while the indication here is that the compromise is of an arbitrator's email account (and the subsequent use of materials found in that account to gain access to e.g. the mailing list archives). Kirill ^{[talk] [prof]} 15:41, 25 June 2011 (UTC)

• • • • As I noted above, arbcom-l is not inherently any more insecure than any other mailing list; it's simply that its contents are likely a higher-value target, and the leaks from it are more widely publicized. The same warning could just as legitimately be applied to any Wikimedia/Wikipedia list—or the private email of anyone involved in Wikipedia, for that matter. I'm assuming that people don't need a warning that "anything you post on the internet could potentially be exposed" when they go online? Kirill ^{[talk] [prof]} 14:43, 25 June 2011 (UTC)
        • You're just not getting it. I was assured by Iridescent that our correspondence would remain confidential, and it wasn't. The mailing list itself claimed to be confidential and it wasn't. But all I see here is empty bleating and no real explanation, and I've got no doubt that's the way it'll stay. What will it take to wake you guys up?
          Fatuorum
          14:50, 25 June 2011 (UTC)

Quite. Until this all came out, the banner at the top of this page specifically invited people to send private material to this address. Despite you knowing that much material sent to the address had already been leaked, and that nothing had changed that would prevent the same thing happening again. The committee was effectively lying to the public in order to protect its own image.--Kotniski (talk) 14:56, 25 June 2011 (UTC)

• Presumably you're referring to our image of being a cabal and doing everything behind closed doors? Why in the world would we want to protect that, of all things? We'd much prefer it if we had a reputation for transparency.

  Having said that, our work does require us to handle some things in a non-public fashion—most of them incoming correspondence from people who would prefer that it not be published. The measures we took to safeguard our correspondence were those that were reasonable (i.e. did not pose an undue hardship on our work) and feasible (i.e. could be implemented given the very limited resources available—recall that the Committee has no funding with which to procure a more sophisticated security infrastructure). It is unfortunate that these measures were not sufficient to prevent a compromise; but that does not mean that they were not appropriate ones, given the applicable constraints. Kirill ^{[talk] [prof]} 15:16, 25 June 2011 (UTC)

  • You don't need funding to stop the continued distribution of old private e-mails to new recipients. You just need an ounce of common sense. I find it sick that arbitrators not only allowed this to happen, but are now pretending that they couldn't reasonably have done anything about it. This mailing list should never have been described as private, given the way it was managed. You guys had a serious duty to people; you failed in that duty - though I don't blame anyone personally, the excuses that have been presented are absolutely pathetic. (Not to mention the other issue, the apparent revelations about the way arbitrators have been discussing editors behind their backs.)--Kotniski (talk) 19:28, 26 June 2011 (UTC)

It's worth noting that in the European Union at least, data breaches of this kind can be and have been criminally prosecuted - not just the person responsible for the breach but the people or organisations who failed to secure the data in the first place. The arbitrators and the WMF need to be conscious that this is not just an embarrassment, this is potentially something for which they could face civil and criminal legal consequences as individuals and collectively. There needs to be a radical change to the way they handle private data. At the very least, the current archives need to be shut down and taken offline until there is a secure access system in place - and that needs to be signed off by outside specialists, not just Coren. Prioryman (talk) 14:40, 25 June 2011 (UTC)

• The focus on security misses an important point. A lot of this material shouldn't be posted and archived in the first place, because it's just Arbs gossiping about editors, barely related or entirely unrelated to arbitration. Yet every year more members are sent a password to access it, which is spreading the damage, even without the leaks. SlimVirgin ^{TALK|CONTRIBS} 15:31, 25 June 2011 (UTC)

• It's really quite shocking that it looks like Arbcom is using some kind of antique archives and sending the password out via e-mail. I swear, we have better security in place at the library where I work. Kirill's point about the lack of funding to set up better security is something that has to be resolved, immediately. A project of this size and importance demands it. --Diannaa (talk) 15:50, 25 June 2011 (UTC)
  • I suspect it's not so much a lack of funding, but an instutionalized lack of common sense - among arbitrators, among people at the WMF, and among us all, who tolerate a dispute-resolution and privacy-protection system that is obviously failing in so many different ways (partly because those two systems have been rolled into one).--Kotniski (talk) 19:34, 26 June 2011 (UTC)

• Obviously what happened was terrible and can't be defended. But I hope that this incident can spur a discussion of Arbcom's transparency. There was a lot of complaining from both sides in the Climate Change arbitration that Arbcom was excessively opaque, failed to give guidance to the parties, and that generally everything seemed to be happening behind closed doors, so to speak. Arbcom also needs to advise persons writing to it in the future, no matter what "security precautions" are put in place, that it cannot assure the confidentiality of emails to the arbitrators. ScottyBerg (talk) 16:21, 25 June 2011 (UTC)

Action plans

It seems there are an awful lot of leaks in the news this week ... I hope this is at the very least a wakeup call and I hope the ArbCom will keep the community updated on the status of any technical/security changes that will be occurring in the near future. /ƒETCHCOMMS/ 16:33, 25 June 2011 (UTC)

I can confirm that we are accelerating the action plans that we had in place to address the mailing list archives, as well as re-evaluating these plans based on the nature of this breach. –xeno^talk 16:45, 25 June 2011 (UTC)

So what was the nature of this breach? What exactly was hacked into? Iridescent's email account? Is that the claim?

Fatuorum

17:14, 25 June 2011 (UTC)

Based on the information we have to date, yes, that appears to have been the case. Kirill ^{[talk] [prof]} 17:17, 25 June 2011 (UTC)

How confident are you that no other arbitrators' email accounts have been equally compromised?

Fatuorum

17:20, 25 June 2011 (UTC)

It's difficult to prove a negative, obviously; but there has been no evidence that indicates any other compromise, and a number of arbitrators have implemented additional security measures (e.g. two-factor authentication) to reduce the risk of a similar compromise in the future. Kirill ^{[talk] [prof]} 17:23, 25 June 2011 (UTC)

The point though is that if you're wrong then this is nothing more than an irrelevant side show. Why would Iridescent have been the only arbitrator to have been targetted?

You are right that we can't rule anything out at this point - though as indicated by Coren above at

mailman lists (and archives thereof). It is entirely possible that more than one arbitrator was targeted; all arbitrators have changed or will be changing all their Wikipedia-related passwords as a precaution and are taking further steps to secure their personal infrastructures. Moreover, any arbitrators who are inactive and have not confirmed that this has been done have been or will be removed from the mailing lists as a further precaution. –xeno^talk

17:30, 25 June 2011 (UTC)

Confirmed it how? From a compromised email account?

Fatuorum

17:36, 25 June 2011 (UTC)

We have been verifying that the right people are in control of their email accounts via offline methods (voice-to-voice, and so forth). –xeno^talk 21:17, 25 June 2011 (UTC)

(edit conflict) I have no idea. It's possible that Iridescent was deliberately targeted for some reason, whether related to his security profile or something totally different; or that multiple arbitrators were targeted and Iridescent was simply the first one compromised; or even that the evidence we found of Iridescent's account being compromised was deliberately planted to conceal a completely different attack vector. Unfortunately, it's somewhat speculative unless we (and by "we" I mean the people looking at the audit trail, not necessarily the Committee) can find additional evidence to point in one direction or the other. Kirill ^{[talk] [prof]} 17:33, 25 June 2011 (UTC)

Malleus: One of the first things we did when we found out about the leaks is in general for all of us to look at our own security.. several of us use a service which maintains a log of IP addresses used to access those accounts (which is set to alert us should any unusual IP address access our accounts). The first thing I did, and I know that at least several other Arbs have done is to immediately change ALL our passwords (even for stuff not Wiki-related).. just in case. As Kirill says, however, it's hard to prove a negative. SirFozzie (talk) 17:41, 25 June 2011 (UTC)

This is probably just stating the obvious, but if the way the attacker gained access to Iridescent's (or anyone else's) e-mail account was by installing a keylogger on a computer they regularly use, changing all of their passwords isn't going to be enough to stop the problem. When my online accounts were broken into using this method years ago, the person attacking me was able to use the keylogger to re-record my password every time I changed it. --Captain Occam (talk) 19:27, 25 June 2011 (UTC)

Well, that too.. but I run Spybot S&D every few days already, so it was just a matter of bumping up the check here :/ SirFozzie (talk) 21:24, 25 June 2011 (UTC)

There are ways of hiding these programs so that virus scanners can’t detect them, using things like rootkits and hidden user accounts. (Which is what happened to me.) It all depends on how skilled and determined the attacker is. I wish I could give more specific advice about how to detect them in those cases, but it depends on the operating system and the method of attack that was used.

This is one of the reasons why I think it’s important for Iridescent to figure out how their e-mail account was broken into. When an attacker knows what they’re doing, these sorts of routine security measures like changing passwords and running virus scanners aren’t very effective, because they’re not all that difficult for a sophisticated attacker to anticipate and thwart. The only way to make sure a vulnerability has been closed is to determine exactly how the attacker got in, and make sure you’ve changed whatever it is that made it possible. --Captain Occam (talk) 23:05, 25 June 2011 (UTC)

The most obvious "action plan" would be for all Arbitrators and functionaries to be given @wikipedia.org mail accounts that are to be used only for "company business", and to configure those accounts carefully. OTOH, having read a good bit of the "leaks", perhaps a better solution might be to always talk in public, since everything I've seen seems to be about some people trying to manipulate other people, which isn't really such a great thing for the ideals that most people in this community seem to ascribe to. --SB_Johnny | ^talk 19:20, 25 June 2011 (UTC)

I've been reading too, and it's clear that a significant amount of the material clearly could not ever have been discussed in public (I already knew about some of it, but that's not quite the same thing.) I do take your point that private musings about public disputes can, and probably should, be reduced, but there is still a place for private discussion. And in addition, it's extremely hard to know where to draw the line; or to enforce such a line. Every time an arb says privately on the arb list "hey, you know that's just like that other guy SomeName who acted just like this two years ago", another arb has to say "you can't say that here" ? It's tricky. --

talk

) 21:18, 25 June 2011 (UTC)

Very little of what's appeared so far is of genuine concern wrt privacy. It's not really even the case that the arbs themselves look all that bad, for the most part. It's more the outsiders who are mailing the list with material that seems to be aimed at making rather petty political gains that are being embarrassed here, and quite frankly I think that the committee would do better by themselves and by the project at large if they would strongly discourage that (and better yet, not spend time discussing it).

I don't see any reason to doubt that the arbitrators are in any way not acting in good faith and out of high ideals, but it's pretty clear that there's some unhealthy groupthink, and that groupthink is likely encouraged when non-arbitrators throw dirty laundry at them. --SB_Johnny | ^talk 11:32, 26 June 2011 (UTC)

"Very little of what's appeared so far is of genuine concern wrt privacy." What? I haven't even bothered reading more than a small fraction of the material that's appeared so far, and even offhand I can think of three separate instances of serious breaches of privacy that would be of great concern to the three people concerned. (I am not talking of things like people's private email addresses being exposed, although such people do still have every right to be annoyed.) So yes, some of what's appeared is very much of genuine concern wrt privacy.

And then of course there's all the material that hasn't appeared so far, but is assumed to be in the hands of the hacker. --

talk

) 14:41, 26 June 2011 (UTC)

"The hacker" has been fairly selective in his leaking, and has made an open and straightforward effort to comply with The Review's privacy policy, which is aimed narrowly at preventing harm, rather than enabling bad behavior (which WP's policy does, if inadvertently). "The hacker" is doing things you don't like, but he's been more or less ethical about it so far. More will be coming out, of course. Give credit where credit is due, and look for the opportunity to learn from this. --SB_Johnny | ^talk 23:39, 26 June 2011 (UTC)

SG followup

First, I smell socks having fun on this page. Second, could an arb in contact with Iri please ascertain if he e-mailed me from yahoo on June 10? The answer to that question might point to the intruder. Thirdly, best wishes to Iri and Malleus, who has every right to be bugged as heck. Finally, I raised a very long time ago the issue that new arbs should not have access to archived info before their term, particularly in very sensitive cases. Because the entry bar to ArbCom was lowered by the RFC two years ago, and because new arbs can access old cases, I no longer write to ArbCom. SandyGeorgia (Talk) 23:46, 25 June 2011 (UTC)

More Material

Moved them

Just to let you know, WR moved all of the threads related to this into a subforum under bureaucracy. That's something at least, since they won't be Google-indexed now. Silverseren^C 01:27, 26 June 2011 (UTC)

That subforum looks like it's indexed [7]. –xeno^talk 13:05, 27 June 2011 (UTC)

Seeing the latest post of Malice is the stuff relating to Jossi from 2009.... This clearly goes further than simply Iri's or Chase Me accounts being compromised. This suggests Malice either had full access to everything and got a dump of it all or still has access to it all. The Resident Anthropologist (talk)•(contribs) 16:49, 26 June 2011 (UTC)

Yes, it appears the mail archives were compromised, which date back to July 2005. We're still not sure if Chase Me's account was hijacked - the blocking was done as a preventative measure, and we're trying to get in touch with him. PhilKnight (talk) 17:07, 26 June 2011 (UTC)

what about Panyd and has anyone tried her? The Resident Anthropologist (talk)•(contribs) 17:28, 26 June 2011 (UTC)

It appears from the section below that Chase me has been in contact with someone from ArbCom. RxS (talk) 19:53, 26 June 2011 (UTC)

It also appears that money changed hands at some point, regardless of where the data originated. Don't know what it means...RxS (talk) 02:20, 27 June 2011 (UTC)

Chase me ladies, I'm the Cavalry de-adminned

Privacy

In the RH__u case, many asked that all correspondence be made available.

WR's malicious publication of stolen correspondence shows the imprudence and callousness of that demand, which could have led to a death or serious injury.

Let us hope that WR remove the stolen correspondence ASAP, probably to reduce their liability.

Some commentators may wish to retract some of their statements and criticisms of ArbCom during the RH_u case. Sincerely,  Kiefer.Wolfowitz 23:29, 25 June 2011 (UTC)

I've been following this whole thing, and I think this would be as good a place as any to add my two cents. In the year or so that I've been active in this community, I've heard a lot of moaning about how ArbCom is an incompetent mess. Regardless of the merits of the decisions of individual cases, and even the process by which this batch of information was acquired, I think that the one thing that stands out to me is the sheer amount of crap (that refers to both quantity and quality) that must be decided behind the scenes. Obviously, I won't mention any specific cases/leaks, but certain situations just make me wonder how else they could have been resolved without...well... Anyway, I'm sure the Committee will take a lot of flak for certain things but, I guess that if you haven't been there, you don't know what it's like. Just something to remember --

^{Talk·Contribs}

00:09, 26 June 2011 (UTC)

ArbCom was correct in that decision, and I have no serious complaints about any decision I've reviewed. Emphatically,  Kiefer.Wolfowitz 00:13, 26 June 2011 (UTC)

Thank you both for your kind words. It means a lot to us right now. Jclemens (talk) 00:24, 26 June 2011 (UTC)

Agreed. Thanks. SirFozzie (talk) 00:57, 26 June 2011 (UTC)

Seconding Nolelovers's comment. sonia♫ 23:18, 29 June 2011 (UTC)

1) To be fair, at the time, those who "asked that all correspondence be made available" could have no idea of what was going on behind the scenes.

2) Agreed, ArbCom does come out ahead here. Politically, I'd say it's got a major "sympathy backlash" benefit.

3) Life's complicated. Sometimes "National Security" really is about national security. Sometimes it's about covering up corruption. How do you tell beforehand?

-- Seth Finkelstein (talk) 01:43, 26 June 2011 (UTC)

Dear Seth,

A number of alarming statements were publicized on Wikipedia and cited (perhaps too much) during the discussion, as others noted at the time. These statements were denied by those mis-characterizing solidarity as paternalism (or mistaking the "hands-on imperative" for the categorical imperative ...). This episode needs to be remembered in future discussions of vulnerable persons, especially minors.

Nobody has claimed "national security" or denied life's complexity. Nobody has even alleged that this ArbCom has conducted "cover ups", so the relevance of your third point escapes me.  Kiefer.Wolfowitz 02:03, 26 June 2011 (UTC)

Sigh. I used the cliche "National Security" as a way of making the intended point distanced from current emotional issues. The idea is that when a person in power says "We are keeping this information confidential because of (national security, privacy, delicate personal matters, etc.), sometimes that is the truth, but sometimes it is an excuse. HOW CAN YOU TELL? A liar is always going to say that he or she is telling the truth and has someone's best interests at heart. So it doesn't help much to have an instance where people were shown to be telling the truth. The question is what one does when faced with a story. One can't always believe power, as then cover-ups will go uninvestigated. -- Seth Finkelstein (talk) 02:18, 26 June 2011 (UTC)

I replied at User_talk:Seth_Finkelstein#Economics_of_truth.  Kiefer.Wolfowitz 05:58, 26 June 2011 (UTC)

I'm old enough to remember Oliver North's surprise that the emails he thought he'd deleted weren't really gone after all. We're all old enough to remember Wikileaks. Emails aren't secure. Even diaries can be subpoenaed. Whatever we write, even our most personal thoughts, can turn up in public. The point being that no one should write an email, especially one that goes to a mailing list, which includes anything they'd be embarrassed to see made public. I suggest that ArbCom members should avoid using disparaging nicknames or making comments, even in "private" conversations. That said, in the little I've seen of the leaked documents the ArbCom seems to maintain their professionalism even when discussing problem users.   Will Beback  talk  04:49, 26 June 2011 (UTC)

My company basically says the same thing about e-mails. Even so, if someone has betrayed the trust of arbcom here and/or hacked into it, a few snippy comments are a small problem by comparison. ←Baseball Bugs ^{What's up, Doc?} carrots→ 05:05, 26 June 2011 (UTC)

Notification of this compromise to personal information

I think the discussions here are sufficient to conclude that the information that has been publicly leaked is genuine. There seem to be suggestions that still more information could have been accessed before the leak was plugged, so there may be more disclosures yet to come. Given that ArbCom receives private and personal information from editors and others, and may be privy to private information related to Wikipedia (alternate accounts, real names, email addresses, etc), it seems that it is incumbent on ArbCom and/or the WMF to alert editors that their personal information may be or may already have been revealed. I don't mean this in a legal sense, although I am not certain that the privacy laws of some countries would not come into play in this instance. The have been several high-profile data breaches recently and one of the lessons that should have been learned from those incidents is that it is important to alert users quickly to allow them to take whatever steps are necessary to protect their privacy and security.

Now that the barn door is locked and the horses bolted, it may be wise to let some people know that those unsightly horses that they thought were safely hidden away may be popping up in public places soon. At the very least, I would have hoped that there would have been a site-wide announcement by now. It should be fairly easy to send out a message to every account that has emailed ArbCom to let them know that those emails may soon become public. Legal issues aside, I think the WMF has a responsibility to minimize the damage that this leak may cause others. Delicious carbuncle (talk) 15:35, 26 June 2011 (UTC)

Click the "Reply to all" option in the Email sever? The Resident Anthropologist (talk)•(contribs) 17:34, 26 June 2011 (UTC)

I have absolutely no doubt that information leaked so far is genuine.

Fatuorum

22:09, 26 June 2011 (UTC)

A site-wide message might be overkill and mistargeted (in particular, affected people may not be editing now, or ignore an unspecific message). But I would agree that it would be prudent (if understandably painful) to notify people who have emailed to the list, that their emails may become public due to a data-breach. Though this sort of thing should be run by staff counsel for the particulars of the message, so a short delay for legal review would be understandable. -- Seth Finkelstein (talk) 23:58, 26 June 2011 (UTC)

I haven't done a side-by-side comparison, but I'm not aware of any discrepancies. A message for the ArbCom noticeboard has been drafted and is awaiting approval. PhilKnight (talk) 00:00, 27 June 2011 (UTC)

That is a good start, PhilKnight, but what steps are being taken to directly notify editors (most of whom are unlikely to be watching that noticeboard) and individuals outside of Wikipedia who may have contacted ArbCom? Delicious carbuncle (talk) 11:53, 27 June 2011 (UTC)

Indeed, my personal impression is that of what's been published, any editing that has been done has been to remove "the boring bits". The majority of Arbcom-L traffic is substantially more mundane than what's been posted, being routine "can the last two of you vote?" or "I agree with that wording" or "Someone besides me want to respond?" sorts of things. I've not read everything posted, but I haven't seen myself misquoted yet. Jclemens (talk) 02:29, 27 June 2011 (UTC)

The only thing I've noticed is a few missing headers which make it unclear who is saying what. –

xeno^talk

02:35, 27 June 2011 (UTC)

If/once the intruder is identified, could the WMF be pursuing legal action against the responsible party or parties? Or is this not a possibility at all? I'm not familiar with the relevant U.S. and state laws, but would the WMF even be an involved party in this, and is Geoff Brigham going to make any statement about this soon? /ƒETCHCOMMS/ 01:18, 27 June 2011 (UTC)

Fetchcomms brings up an important point. I may have missed it, but if the WMF General Counsel, Geoff Brigham, has not yet commented regarding this illegal action, then he should be asked to make a statement to inform the community regarding the WMF legal position regarding this matter. I also feel that ArbCom deserves praise and support during this stressful period. Jusdafax 01:56, 27 June 2011 (UTC)

WMF has made Geoff aware of the situation, and we've been told there's going to be a big meeting on Monday on how to proceed. Jclemens (talk) 02:25, 27 June 2011 (UTC)

I can confirm that Geoff is aware. Beyond that, I don't know much. Philippe Beaudette, Wikimedia Foundation (talk) 03:48, 27 June 2011 (UTC)

ArbCom deserves praise and support?! Amazing. They've failed in one of their two fundamental duties, despite having the benefit of one lot of hindsight; and they don't even seem to understand what they've done wrong (or even that they have done anything wrong). These guys doubtless mean well, but they were way out of their depth here, and the complete lack of contrition displayed here by some of the most long-standing arbs is (or would be, if it wasn't what we've come to expect) really astounding.--Kotniski (talk) 06:36, 27 June 2011 (UTC)

Anyone can be hacked these days, my friend, even the US Government and the biggest corporations in the world... Considering none of the ArbCom members make a dime off their stressful, time-consuming work, my statement stands. I don't know you, nor your history, but I find it doubtful you are a past member of ArbCom. Do you think it possible, on reflection, that moderation and the key WP concept of Agf might be the path of wisdom? To put it perhaps a bit more harshly, your comment is less than helpful, at best. Jusdafax 07:21, 27 June 2011 (UTC)

As I say, they mean well - I'm not disputing their good faith. But it's not the fact they were hacked that I'm complaining about - it's the fact that they knew (or should have known) they were going to get hacked, and still carried on (and let others carry on) as if they weren't.--Kotniski (talk) 07:27, 27 June 2011 (UTC)

First of all, I'm very pleased that counsel is now involved. Second, what Jusdafax said. I agree entirely, and would add to it. My heart goes out, deeply, to those members of our community whose privacy has been violated. To those members whose privacy was not violated, but who are nonetheless taking shots at the Committee, please let me point out that there is a good supply of digital white space in this talk, where you may choose to post your user name, followed by your real life name, e-mail address, phone number, street address, and perhaps some additional information about your medical records, employment, and family members. If that doesn't ring your bell, then perhaps you will observe that the news is full of other organizations that have also been hacked in recent days, many of them no slouches with respect to security, and furthermore that every single one of our Arbitrators is an unpaid volunteer doing a rather thankless job. I've read some of the stuff that was leaked. There have been cases that I followed on-Wiki where I have wondered whether the Arbs recognized various things for the garbage that it was. I now know that they did. Good for you! In my personal opinion, the current members of the Committee actually come across very well in what I saw, although some past members and some non-members come across rather badly. In time, we are going to learn some things about how to make the Committee work better (pity that this happened just after the completion of the policy revision). But for now, the Committee deserves the community's understanding and support. --Tryptofish (talk) 13:58, 27 June 2011 (UTC)

I don't understand why you start by sympathizing (rightly) with those whose privacy has been violated, but somehow end by saying how much we should be supporting those whose collective complacency and incompetence (see multiple threads on this page) largely brought about that violation. --Kotniski (talk) 16:57, 27 June 2011 (UTC)

I promise you that I've read all those threads. With respect, if you still conclude "incompetence", then I have to agree with you that you do not understand. --Tryptofish (talk) 23:13, 27 June 2011 (UTC)

If your job description includes handling private information, then you're incompetent if you continue to invite people to send such information to an address which (from past experience and common sense) is known to have critical unresolved security issues. And it's not so much a criticism of the individuals (though one might have hoped that lightbulbs might have sparked in at least some of their heads), but of the system, which places important professional tasks in the hands of clueless amateurs.--Kotniski (talk) 10:53, 28 June 2011 (UTC)

Kotniski, your admirable frankness has unfortunately turned into personal attacks against ArbCom, whom we all elected. What good does your name calling these volunteers do?  Kiefer.Wolfowitz 11:05, 28 June 2011 (UTC)

Haven't you noticed - I haven't name-called anyone, and deliberately so. I have made no personal attacks, just an "institutional attack" if you like, against a Wikipedia institution that has seriously fouled up and deserves (for all our sakes, including its members') to be recognized clearly as having done so.--Kotniski (talk) 11:15, 28 June 2011 (UTC)

DMCA for emails?

Could one of you arbitrators issue a DMCA notice to Wikipedia Review? Nyttend (talk) 01:20, 27 June 2011 (UTC)

Does the Committee own the copyright? Or do the individuals who corresponded own copyright to the individual emails? In the first case, how did the committee acquire the copyright? In the second, wouldn't the individual senders be required to initiated the DMCA take downs? And then who gave the committee permission to archive the emails, and if the emails were licensed under terms open enough for the committee to archive and redistribute the emails, are you sure that Wikipedia review can't post them too? In the future, if an email is forwarded to the committee and the original sender DMCA's the committee, would the committee be willing to remove the email from the archives, would they even have the technical capability? Would DMCAing the emails attracted broader media attention? Would it do any good? The whole DMCA thing seems like an enormous can of worms that perhaps should go unopened. Monty₈₄₅ 01:34, 27 June 2011 (UTC)

I'm sure WMF is looking at all their options in this case. The Resident Anthropologist (talk)•(contribs) 01:37, 27 June 2011 (UTC)

• Attention all WR folks: About a million years ago, I Opposed one RfA based largely on the fact that the nominee was a WR regular. Many WR folks (some well-known and respected here) chimed in and said how valuable WR is. I was taken aback at the rush to defend WR. HERE IS YOUR CHANCE TO BE MATURE AND RESPONSIBLE. JUST DON'T LET ANYONE PUBLISH PRIVATE MATERIAL. delete immediately. Ban user who posts. That is the only adult thing to do, and the only ethical thing. All else is shameless, in the truest sense of the word. 'Nuff said.  – Ling.Nut 01:41, 27 June 2011 (UTC)

• That's just bollocks Ling.Nut.
  Fatuorum
  01:53, 27 June 2011 (UTC)

I agree with MF, let's not over-react.--SPhilbrickT 15:15, 27 June 2011 (UTC)

Clarifying: I thought you calling for a ban (from Wikipedia) of anyone who posts (at WR). I now see you were talking more narrowly about the single person who was posting the ArbCom communications. Sorry, my intention was to avoid an over-reaction, and I may have inadvertently contributed to one.--SPhilbrickT 11:57, 28 June 2011 (UTC)

Breaking my rule for not using humor on Wikipedia discussions: Oh, please, please, send a DMCA notice to Wikipedia Review. This whole dull, dreary, tawdry, mostly downright boring event, desperate needs some fireworks and popcorn. I can think of little that would liven it up better than the prospect of some good old fashioned CENSORSHIP flames, where everyone can smugly rant

^ ResidentAntropologist 03:00, 27 June 2011 (UTC)

• [8]  – Ling.Nut 03:23, 27 June 2011 (UTC)

←Baseball Bugs ^{What's up, Doc?} carrots→ 03:43, 27 June 2011 (UTC)

 Dislike Eagles 24/7 (C) 05:59, 27 June 2011 (UTC)

To comment on the legal merits: the WMF doesn't hold the copyrights to the emails, and the Arbitration Committee isn't a legal entity, so a DMCA request would be incumbent on the individuals involved. The emails definitely are not licensed for usage such as posting at WR. However I do not think that such a takedown action would be likely to be effective or expedient. Der Wohltemperierte Fuchs^(talk) 20:09, 27 June 2011 (UTC)

Seth is correct here (Not often that I'm going to say that). As of right now, this is getting no coverage or attention. If anyone tries to remove the material it is going to get a lot more. Just the way the internet works. JoshuaZ (talk) 01:12, 28 June 2011 (UTC)

Since I don't frequent any Wikipedia-related websites except for ones operated by the WMF, I saw the firestorm that's erupted here and misinterpreted it as an indication that this was already all over the Internet. Anyway, of course Arbcom doesn't hold copyrights; that's why I said "one of you arbitrators". Nyttend (talk) 11:40, 28 June 2011 (UTC)

Enquiries are continuing

At time of writing, we have not established the source of the data theft though our investigations are continuing. There is no reason to suppose that either Iridescent or Chase Me were responsible. In the meantime, the committee is looking at various options.  Roger Davies ^talk 14:05, 27 June 2011 (UTC)

Thank you all. Bearian (talk) 17:23, 27 June 2011 (UTC)

Just to make this crystal clear, there is no credible evidence at all to suggest that Iridescent or Chase were responsible, either directly or indirectly.  Roger Davies ^talk 17:40, 27 June 2011 (UTC)

So, Coren's statement "An investigation of the technical aspects of the leak have shown that the leak was mailed by arbitrator Iridescent's Yahoo mail account from a server located in Iran" turned out to be a misinterpretation or data falsification? Amalthea 17:43, 27 June 2011 (UTC)

Correct.  Roger Davies ^talk 17:46, 27 June 2011 (UTC)

More accurately, further review of the information that made it appear that the email came from Iri's email account showed that the headers were forged. SirFozzie (talk) 19:40, 27 June 2011 (UTC)

Which raises the question of why it was Iridescent's email that was was forged instead of, say, yours, and why the first revelations were a rather dull email exchange I had with Iridescent. There are definitely more questions than answers here.

Fatuorum

01:25, 28 June 2011 (UTC)

Malleus: I can sincerely say I wish I knew. We're still working towards getting all the information we can here. SirFozzie (talk) 01:41, 28 June 2011 (UTC)

Are you saying there's no indication at all where the leak came from, and that therefore it may not have been plugged? SlimVirgin ^{TALK|CONTRIBS} 17:45, 28 June 2011 (UTC)

I'm not a big fan of ARBCOM, but...

It's fairly well known that I have deep seated concerns with ARBCOM as a general idea, and in particular issues with a number of the individual arbitrators and their actions. I'm also not totally against Wikipedia Review if it stuck to the goal of critical and hard analysis of Wikipedia (which it does occasionally - and heck we even manage to be an encyclopedia occasionally too.) Nevertheless the posting of prviate conversation, no matter that in certain cases it's rather low-brow stuff, is not a good idea. The posting of email addresses even less so. The posting of conversations involving real life threats (I understand now redacted) just bloody stupid. This is a tough time for a lot of people who give up a lot of hours to help Wikipedia for free, and for your resilience in this unfortunate episode I tip my hat. Pedro :  Chat  20:02, 27 June 2011 (UTC)

Well said, Pedro.  Kiefer.Wolfowitz 20:32, 27 June 2011 (UTC)

I think the threat posting nailed the sympathy backlash. ArbCom is coming out of this way ahead. -- Seth Finkelstein (talk) 22:02, 27 June 2011 (UTC)

Meh. I have similar feelings about that you do whoever released the info. And piling on arbcom wouldn't be productive at the moment, but I'm having trouble seeing anything worth giving them a two thumbs up attaboy.--Cube lurker (talk) 22:21, 27 June 2011 (UTC)

Yah. ArbCom's members as individuals may be among the victims here, but it is ArbCom (as an institution) that is largely to blame.--Kotniski (talk) 10:59, 28 June 2011 (UTC)

Especially since we're back to the very real possibility that one of the members is not the victim but the perpetrator.--Cube lurker (talk) 12:30, 28 June 2011 (UTC)

Let's not jump to conclusions about individuals - I don't think it's helpful to throw blame around when the investigations aren't over. The Cavalry (Message me) 21:47, 28 June 2011 (UTC)

Have you posted this in the right place? I'm (vaguely) supporting ARBCOM and you turn up to chalenge that, after months of absence and a cloud that you were the leak. Or can you not use indents?. Dear me. Pedro :  Chat  22:14, 28 June 2011 (UTC)

I believe Chase's reply is directed at Cube lurker. –

xeno^talk

22:32, 28 June 2011 (UTC)

@Chase I'm not pointing fingers at individuals, that would be reckless. What I am noting is that although at one point it looked clear that it was an outside hack, we've now been informed on this page by a sitting arbcom member that it's now unclear and that and that an internal leak has not been ruled out. Question: Is ArbCom considering the possibility that one of its members deliberately chose to leak these e-mails? by Captain Occam. Answer: Yes, of course the committee considered that. If you read Coren's earliest statements about it, you see that it was our original assumption. In my view, it has not been eliminated as a possibility. We just don't know. by Cool Hand Luke.--Cube lurker (talk) 22:41, 28 June 2011 (UTC)

Good gravy, people.

The mailing list software, as far as I know, doesn't have a good way to track what files were accessed by a particular user using a particular password. If you're out for blood, go here

instead.

(I'm not a big fan of ARBCOM either, as an institution. I do respect the good intentions and hard work of the members, even though I can't understand why they would put up with what they put op with.) --SB_Johnny | ^talk 00:21, 29 June 2011 (UTC)

Do you have a reading comprehension problem? I said I've seen nothing worthy of praise, that's me, maybe you praise different things. Also not even arbcom members are sure if this was an internal or external leak. They've said that on this very page. How pray tell is that "out for blood"?--Cube lurker (talk) 00:55, 29 June 2011 (UTC)

This current data breach was first discussed here on 23 June. It is now 28 June. Why have editors who have contacted ArbCom -- with the explicit assurance of confidentiality -- not yet been informed that that correspondence is now in the hands of unknown persons? When will editors be informed of this data breach so that they may take steps to protect themselves? Delicious carbuncle (talk) 00:14, 29 June 2011 (UTC)

This may be an attempt to avoid legal liability, since arbitrators hardly want to start sending thousands of emails which effectively say "Information we solicited from you with an unqualified promise of confidentially has been stolen due to our negligent transmission of the material and identification factors for accessing it in an insecure plaintext format, with no effort made to secure the computers from which the material was accessed, or real-life vetting of the people to whom access was provided. Please sue us." Arbcom may believe that the fewer people who are informed of this problem, the fewer lawsuits they will have to defend. Of course, this strategy might simply increase their legal liability, since a lack of proper notice to the people whose data was compromised could be considered tortuous in its own right. 71.131.18.216 (talk) 00:38, 29 June 2011 (UTC)

Agree. MaliceAforethought's motives are completely opaque at this point. Unless there are strong reasons to believe he is acting alone, hasn't privately passed anything off to anyone that hasn't been already posted on the Wikipedia Review, and won't do so in the future, everyone who could potentially be harmed needs to be fully informed. TotientDragooned (talk) 02:04, 29 June 2011 (UTC)

And info to other AC #Communication to avoid similar thing is bare minimum Bulwersator (talk) 03:45, 29 June 2011 (UTC)

Thump thump thump...is this thing on? Hello Arbs? Hello WMF? Can anybody hear me out there? Delicious carbuncle (talk) 16:37, 29 June 2011 (UTC)

There is no feasible way to email everyone who has emailed us in six-plus years. I'm not sure what you imagine, but there's no "reply to everyone who has ever posted to this list" option. Der Wohltemperierte Fuchs^(talk) 16:54, 29 June 2011 (UTC)

Surely someone on the Committee, or at the Foundation, has the technical savvy to write a script that harvests sender email addresses from the archive? If not, I'm sure many third parties familiar with Mailman would have been happy to help you write such a script had you asked.

It's been almost a week now since an explicit assurance of privacy extended to "editors and non-editors with no relation to the Committee" was violated. It's not directly your fault, but it is your responsibility to do anything possible to minimize any "negative consequences." I'm dismayed that the Committee has been so slow and cavalier in responding to this severe breach of private information. TotientDragooned (talk) 18:19, 29 June 2011 (UTC)

Good question, DeliciousCarbuncle. After a third party gave a heads up I wrote to the Committee to inform them that I laughed it off for my own part, also to suggest that would be a good idea for them to become more proactive about acknowledging the breach. They haven't responded via email either. Durova⁴¹² 19:03, 29 June 2011 (UTC)

Just going to note Fla. Stat. § 817.5681 which covers data breaches in Florida. This was discovered six days ago thus still have 29 days to make such notifications. I assuming here Florida law is applicable since the severs are there. Note: I am not lawyer The Resident Anthropologist (talk)•(contribs) 19:17, 29 June 2011 (UTC)

Did you read the definition of personal information? Monty₈₄₅ 19:25, 29 June 2011 (UTC)

RA, I'm not a lawyer either - and I understand your concern - but having read that, it seems to only apply where a name is leaked in combination with either

1. Social security number
2. Driver’s license number or Florida Identification Card number
3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account"

I'm not sure how many users that applies to, but I imagine it numbers in the single digits. The Cavalry (Message me) 19:27, 29 June 2011 (UTC)

Speculation about which laws may apply from those not well-versed in this area is unhelpful and also misguided. The WMF should be notifying the people who may have been affected by this so that those people can take whatever steps are necessary to protect themselves, rather than to meet the requirements of the law. By not doing so, the WMF may be compounding the harm done to people. Delicious carbuncle (talk) 19:30, 29 June 2011 (UTC)

Exactly. The Committee has a moral obligation to warn those whose real names, home addresses, name of family members, employers, etc have been leaked, independent of any legal obligations the Foundation might have. Especially since, up until very recently, people were assured in no uncertain terms that this information would be kept safe. TotientDragooned (talk) 19:49, 29 June 2011 (UTC)

David Fuchs, I imagine that "it is hard" is not a response that most people would accept from a group that expects to be taken seriously. Perhaps I should be asking the leaker to send out the notifications instead? Delicious carbuncle (talk) 19:22, 29 June 2011 (UTC)

"It is hard" may not be an acceptable reason for not doing anything, but it is an acceptable reason for not taking rash action immediately. It might be that the right thing to do is to harvest email addresses from the archive, but even if one ignores obvious questions, it isn't something that can be done in minutes. Some questions occurring to me in just a couple minutes of thought:

• what if someone emailed one arb, and they cut and pasted the body of the email, but did not include the email hear? Are they a second class citizen (if you undertake to notify everyone, you have to think how to notify everyone)
• what do you do about people whose email isn't current, and you have a private notice of their updated email?
• what do you do about people whose email isn't current, and you don't have a private notice of their updated email, but you know someone who might?
• what if an email address is in the body of an email, but isn't someone who sent an email, should that be included?
• what about email addresses of cc:, people who received email but may not have sent email?
• what about people named in emails, but who did not send emails (arguably, these are even more important that those sending emails)
• what if you have an answer for every one of these points, but a dozen arbs have differing answers - how long does it take to sort out?--SPhilbrickT 19:47, 29 June 2011 (UTC)

Sure, it may not be possible to warn everybody immediately. But notifying all senders to the list is a 90% solution and a proactive first step. If part of the sidewalk caves in, you cordon off the area and post "DANGER" signs all around: you don't twiddle your thumbs for 6 days under the excuse that warning signs wouldn't help the blind, illiterate, and non-English speakers. TotientDragooned (talk) 19:58, 29 June 2011 (UTC)

To suggest that we're twiddling our fingers and/or doing nothing is fundamentally incorrect, to the point of being insulting., We are not only working on what happened, but how to prevent it from happening again, and any way we can minimize the effect this theft has on people who emailed the Committee in confidence. We're working with the WMF to do a full level review of every protocol we use to access data, to determine what we can change going forward. Everyone seems to think because the Arbitrators aren't spending their every moment here on WP trying to answer questions and jump through every hoop, we're slacking off and laughing about this. We're not. We're doing a lot that is not seen. Also, for those who have devoted their every post here to criticizing the job we're doing.. I cordially invite you to run in December when the next set of Arb elections are being held. I can sincerely say I don't want this to ever happen again, but I can also say with the most sincerity that no one understands how much stuff goes into doing this job sometimes. SirFozzie (talk) 21:21, 29 June 2011 (UTC)

You might not remember, but some of us did try to run last December, but the candidature was sabotaged by the existing arbcom and Jimbo because the candidate said he did not trust your security and confidentialy, not looking so fucking paranoid now - am I?

talk

) 21:53, 29 June 2011 (UTC)

The only one who sabotaged your candidacy Giano, was yourself. There's not 1 rule for you and one rule for everyone else. You decided you weren't going to identify to the WMF or any of the other steps that are required for an advanced position. That was reflected in the votes you received. SirFozzie (talk) 22:40, 29 June 2011 (UTC)

The fact that it was made clear that he would not be appointed even if he would get enough votes, may have made people to not vote for him. Also there may have been editors who decided not to run because of this rule. I think one has to seriously reconsider this issue. Count Iblis (talk) 22:25, 29 June 2011 (UTC)

If you want to "reconsider" identification to the Foundation, talk to Jimbo and the WMF. I doubt you'll get anywhere mind you. It's their requirement.. SirFozzie (talk) 22:40, 29 June 2011 (UTC)

• No! Jimbo made it clear (mid-election) on his page at the time that he would not accept me. He wanted everyones names and I said anyone who gave their name was taking a risk and security was inadequate. The entire arbcom and Jimbo assured the community that that was not so. It seems they were quite wrong and I was quite right. Doesn't it?
  talk
  ) 22:18, 29 June 2011 (UTC)
  • As I stated on my talk page, you did not have to identify to your fellow arbitrators (had you been elected).. you would have to identify to the Foundation (which is their requirement). I know of at least one arb on the list who never gave their name to the rest of us.. so if you still want to joust at that windmill, please go to Jimbo and the WMF. It's not an "arbitrator rule" it's handed down from the foundation. SirFozzie (talk) 22:40, 29 June 2011 (UTC)

SirFozzie, I have no doubt that there is a great deal of activity going on in several areas right now as a result of these leaks and my questions were not intended to suggest that people are not working diligently to address the security situation. That said, however, the current or future security of ArbCom communications is separate from the simple fact of the data breach. While people will likely want to know what is happening in these areas once they learn that their emails and/or personal details have been leaked, there is no excuse for delaying letting people know what has happened. Delicious carbuncle (talk) 22:15, 29 June 2011 (UTC)

Yes there are:

A) Sending an email that says "Hi, this is just a message to let you know an unknown attacker found an unknown way into arbcom-l and has apparently absconded with the lot.. and is posting bits of it at a time on an off-WP site" doesn't really say much, does it? Kinda asks more questions then it answers, right? What we're trying to do is get more information (and to put some changes into play with what is kept, how it is kept, etcetera).. so we can tie it up in a package and say "To the best of our knowledge, THIS is what happened. This is how we believe it happened, and This is what we're doing to prevent such issues in the future." That's not a simple task.

B)Then, once that is done, to contact everyone we'll have to go through approximately 60 months of archives and strip all email addresses out archives that in some cases, aren't readable by machine script (I can think of a couple arbs who send/sent their emails in HTML, which screw up archiving/formatting something fierce), send our findings, and then deal with the tsunami of email bounces from no-longer working addresses, addresses that might have been re-assigned, etcetera. I don't even know who would be responsible for that email, the WMF? The Committee as a whole? Individual Committee members? That's a question that needs to be answered, and I'm not sure it's one that can be answered even at my "lofty" pay-level.

To put it in simple terms, we're trying to walk before we run. We don't want to do things that will later be judged as incomplete (just look at previous statements from us as we try to figure out how this happened as we acquired and in some cases discarded information that we determined that had been forged). I know this is intensely aggravating and frustrating for onlookers. All I can say, is if you think it's aggravating and frustrating, you should try living our lives the last week or so. SirFozzie (talk) 22:40, 29 June 2011 (UTC)

With all due respect, I believe that it is incumbent on you to let people know what has happened inasmuch as it may effect them, even if that means admitting that you do not know the details of how it happened yet. Tell people what you do know (that their email addresses, personal information, etc) may be out in public view and let them take whatever steps they feel are necessary. I am sure they will have questions, and I am sure many of them will want to know how you will prevent this from happening again, but since you don't have those answers and may not have them for some time, for the time being just direct people to a page that will be updated as information becomes available. There is no question in my mind that the WMF owns and manages the servers and should be the one sending out these messages. I understand that there may be some minor technical hurdles, but the WMF has a very capable technical team which I am confident will be able to address those challenges. You have my sympathies, SirFozzie, but you seem more interested in finding reason not to do this than you are in accepting it as a responsibility. Do you agree that ArbCom/the WMF has an obligation to notify people about this data breach? Delicious carbuncle (talk) 02:57, 30 June 2011 (UTC)

I don't know how many people have corresponded with ArbCom over the years but it probably runs into hundreds if not thousands. Many of these came with utterly innocuous "How do I"-type enquiries; some with Wikipedia concerns; others are very scary people indeed, issuing death threats and so forth.

Practical considerations apart, I would not be averse to notifying all correspondents about the data theft. It seems to me though that this alone is ignoring the elephant in the room. The obvious fallout to which correspondents should be alerted is that their details will be plastered all over Wikipedia Review and they may be also subjected to grave-dancing/wild speculation etc there. One immediate precautionary action that correspondents can take is to contact Wikipedia Review moderators/owners and ask that their details are not published (or if already published be immediately redacted/anonymised) or to ask individual members there please not to call for further publication. This though is easier said than done as the moderators/owners of Wikipedia Review appear reticent to publish their names/email addresses and a similar veil of secrecy seems to cloak the identity of many of those individuals calling for more stuff to be published.  Roger Davies ^talk 03:50, 30 June 2011 (UTC)

You can make all the notifications you want, Roger. I will not be doing so for 2 reasons: 1) Notification is a matter of law, as described above, and WMF counsel have not advised ArbCom to do any such thing. 2) ArbCom is not a legal entity, while the WMF is. Taking a step as an individual (or non-legal entity group) that a legal entity may or may not be required to do would muddy the relationship between ArbCom and the WMF, and possibly create novel legal liability for the person making such notification, by assuming the role of a legal entity. It would be nice if it were a simple matter of "doing the right thing", but the creation of legal obligations by statute overrides the moral imperative which would normally govern such a situation. Jclemens (talk) 04:35, 30 June 2011 (UTC)

Fair enough thogh I was talking hypothetically.  Roger Davies ^talk 07:17, 30 June 2011 (UTC)

Jclemens, that last post of yours was unbelievable. You won't notify because it may or may not fall into the narrow class in which someone must notify? Bloody nonsense. We talk a lot about good faith here on Wikipedia, but it strikes me as extreme bad faith indeed to refuse to take steps to help editors protect themselves (as Roger suggested) on the slim chance that someone else might be required to do a similar thing at some point in the future. You're casting round for excuses not to tell people that ArbCom has failed to protect their data. If it's really so hard for ArbCom to find out who has been in contact with it, at least put up a sitenotice. DuncanHill (talk) 09:18, 30 June 2011 (UTC)

You're entitled to think I should care, but I really don't. The mailing list and archives existed before I was elected to the committee, are maintained on WMF servers and various lists in question are distributed to a group of 19 people (Arbcom+Jimmy), have who knows how many missing patches, system administrators, potential backdoors in the infrastructure for ease of offsite administration... I have no power to fix security, so I simply don't lose sleep over it. I find that my comments and those of my friends and colleagues on the committee have been released, and I'm disappointed but not surprised: the security was not hardened to withstand dedicated attackers, and it apparently didn't. Big surprise. Now, I am chagrined that other people's secrets are out there, because the biggest of the two reasons we do stuff off-wiki is privacy (the lesser of the two being candor), and years of efforts that made arbcom look slow and wishy-washy while we negotiated quiet retirements--or tried to--and other de-escalation and face-saving measures are essentially shattered. But privacy and security are not the same thing. To the best of my knowledge, there has been no privacy breach, in the sense that no one authorized to have the information has shared it inappropriately. Instead, we have a security breach, where (again, speculation) someone without authorization to the material has gained access to all or substantially all of it. If it was a leaking arb, however, I would still not be in any position to assume liability for someone else's misdeeds. Even having said all that, the nail in the coffin of elective notification is legal liability. I am not an officer or director of any body. I have no legal standing as part of ArbCom--I can't make legally binding statements, but more importantly I'm not covered by any WMF liability insurance. If you want me to take on novel legal risk to do the right thing, then you can pony up for a professional liability policy for ArbCom. Under those circumstances, when we cease to be simply elected volunteers who don't own the clubhouse, and start to be officers or directors with actual legal standing and legal obligations, I'll be singing a different tune. Actually, I wouldn't, because I almost certainly would not stand for election under those terms. Thus, there's discussions here, but I'm not going to take any action that looks like I'm behaving as if I had an obligation to anyone for anything in this matter. I will continue to do my job as an arb, which has nothing to do with computer security obligations, and wait for the server owners (WMF) who have their own legal counsel advising them of their obligations to take appropriate action. I've already been asked to do way more and different work than I thought I was getting into when I decided to run for the committee, which I've done without complaining, but I am absolutely not going to step in the way of whatever lawsuit or regulatory action may arise out of this mess, not-of-my-making. Jclemens (talk) 07:19, 1 July 2011 (UTC)

When's your term up? DuncanHill (talk) 13:12, 1 July 2011 (UTC)

Good grief! In future elections, I, for one, will be more likely to support current members, not less. And I will be pretty likely to oppose anyone who runs on a platform of criticizing the incumbent Arbs instead of whoever turns out to be the leaker (unless an Arb is the leaker, of course). --Tryptofish (talk) 16:53, 1 July 2011 (UTC)

"aren't readable by machine script" - sorry but it is untrue. It can be read by script - maybe it requires more than 2 minutes to write it but it is possible. I hope that information from AC unverifiable by me is more true Bulwersator (talk) 04:16, 1 July 2011 (UTC)

Clearly, it was a mistake to delete my official WikiLeaks page here on Wikipedia. By having a WikiLeaks page on Wikipedia, one can make sure that leaked information is presented according to some appropriate rules. Count Iblis (talk) 18:23, 29 June 2011 (UTC)

A polite tap on the shoulder

It would be a good first step to compose a simple form letter for reply to the individuals affected by this leak who find out about it through other means. A week has passed since the Committee learned about the hack, two days have passed since I wrote to the ArbCom list, and a day after commenting at this page about the lack of response. The very least they could do is send back a "We received your email." They haven't even done that much. The the thing that leaked was mean-spirited but kind of cute--worth a chuckle. Other people who got targeted might not share the good humor, and it would try the patience of anyone to get the brush-off after being insulted. Consider those other people, please, because from that vantage it is very easy to construe the arbitrators' posts to this talk page as being something less than sincere. It would help to extend basic courtesy outside of watchlisted pages. Durova⁴¹² 17:12, 30 June 2011 (UTC)

Unless I am misreading Jimbo's comments on his talkpage (specifically this one and this one), it seems that this is being cast as not a WMF problem. I can only assume this rather odd position is being staked out for legal ass-covering reasons. I will stop asking when notifications will be sent out as clearly none will be forthcoming except to meet legal obligations. Arbs, you have my sympathy. Delicious carbuncle (talk) 02:28, 1 July 2011 (UTC)

Structually, as a position, that would be very consistent in terms of what the WMF has always maintained as legal stance: Nobody home, err, I mean, it's a community issue. From a realpolitik viewpoint, it's hard to fault this. I think the thing to ask now is if the WMF Staff Counsel would be willing to make a public comment on the matter. -- Seth Finkelstein (talk) 03:11, 1 July 2011 (UTC)

Thanks for the replies, guys. So how about the situations where an editor learns about this through some other means, and it's the editor who contacts ArbCom? Do you think the rationale of non-notification goes so far that now they don't even acknowledge receipt? In the early threads on this page there were some gracious posts about the hack, especially from Coren. Durova⁴¹² 04:04, 1 July 2011 (UTC)

Ironic, since one of the leaks shows the former WMF Counsel getting quite involved in "community" matters. 75.23.46.157 (talk) 04:07, 1 July 2011 (UTC)

Yes, and look how well that went :-) -- Seth Finkelstein (talk) 05:14, 1 July 2011 (UTC)

I don't believe anything I've been told so far, and I doubt anyone else does either. I would like to see some rational explanation of why the first revelations were a fairly boring exchange of emails between me and Iridescent.

Fatuorum

04:11, 1 July 2011 (UTC)

Could it have simply been recency? That is, it was just one of the most recent threads, so that's what caught the cracker's eye for the initial post? Or recency combined with some interest in Iridescent? -- Seth Finkelstein (talk) 05:14, 1 July 2011 (UTC)

Jimmy will be making an announcement on the BBC radio4 news today between 1730-1800 regarding privacy. According to the prequel yesterday his line will be "ROFLMA privacy is gone, get over it, and suck it up.". John lilburne (talk) 06:53, 1 July 2011 (UTC)

Malleus, here's a guess: ArbCom has spent a long time rushing from crisis to crisis and any organization that spends a lot of time putting out fires is not going to plan ahead very well. Their privacy safeguards were substandard and they had no contingency plan for how to respond to a hacking incident. Now their first priority is to cover their tracks. As for why you got singled out, the easiest way to look at a data dump is to search for key terms such as specific usernames. Durova⁴¹² 15:42, 1 July 2011 (UTC)

All information becomes public sooner or later, unless it's deleted, because there is no such thing as perfect security. The arbcom list and archives are only as secure as the weakestly secured list member. When the number of list members is more than a few, info sent to this list is likely to be publicized quickly, even if the software is upgraded. What's the point of a confidential list that isn't? Truely confidential matters could be sent to WMF counsel, where a small number of people with professional security can keep the info confidential longer on average and hopefully have the good sense to delete things that are no longer needed.

From what I've seen much of the secret list contents is just gossip. It would be beneficial to move these discussions into the open.

For the above reasons, I hereby nominate the ArbCom list and archives for deletion. (Stop using them, and take them offline. WMF counsel can keep the archive.) Jehochman ^Talk 10:21, 1 July 2011 (UTC)

• Strong support. This can't be kept securely, and every year when new Arbs arrive, it poisons the well against editors who've been gossiped about. I know that several editors have been asking for years either that this be deleted, or that portions of it be sectioned off and moved, so that new people don't continue to gain access to old discussions. SlimVirgin ^{TALK|CONTRIBS} 17:06, 1 July 2011 (UTC)
• Strong oppose The Archives are units of collective memory that are an essential resource for future cases and researchers. I would support moving them into a more secure location but deleting them would be more detrimental in the long term and likely have unforeseen consequences. The Resident Anthropologist (talk)•(contribs) 17:33, 1 July 2011 (UTC)

  Moving the archive offline is what I suggested. The other half of the problem is the ongoing mailing list. With near certainty there are several Arbs at this very moment using Windows who have machines compromised by malware. Virtually every Internet connected Windows machine has malware. These machines are not secure. Antivirus software is a joke. In the best case, AV detects just 30-40% of infections, because modern malware is polymorphic. Nothing confidential should be emailed to any Arb. There are no controls in place to assure security. Until there are (which might never even be feasible) ArbCom shold stop misleading people that corresponence will be kept secure. Post all business on wiki, or take it up with WMF office if matters need to be kept confidential. Jehochman ^Talk 18:11, 1 July 2011 (UTC)

• (edit conflict) At this point, I'm ambivalent about the proposal as a whole (the preceding two comments summarize well what the pluses and minuses are), but I'm quite interested in the idea of making a clearer line between what the Committee should do, and what should instead be sent to WMF counsel. I think the silver lining in this awful leak business is an opportunity to look constructively at ways to better define ArbCom's role, by removing tasks to which they may perhaps not be well suited. (Offhand, what stands out to me is doing investigations, and doing human resource management things.) --Tryptofish (talk) 18:15, 1 July 2011 (UTC)
  • Funnily enough, "investigation" was specifically part of the committee's scope under the original Arbiration policy. I wrote it out in the
    new version. That said, the committee as a whole has rarely investigated anything though individual arbitrators have done so. Critical examination - which does sometimes involve many one's own enquiries - is important simply because what somebody says is not necessarily true and some degree of corroboration is sometimes necessary.  Roger Davies ^talk
    18:35, 1 July 2011 (UTC)

(od) In response to both your posts, Jon, security issues aside, the WMF is deliberately moving further and further away from with wiki internals as it could jeopardise their legal status. (They host around 5000 wikis now, and counting). People do seem to think they're prepared to get hands on, nothing could be further from the truth. And, I suppose, custofy of the archive implies some sort of fiduciary care in respect of its contents. While there is a load of dross in the archives, there is also useful stuff to aid detection of the various crazies who return time and time again.  Roger Davies ^talk 18:21, 1 July 2011 (UTC) PS: This is not a wriggle but where has anyone said that the data is specially secure?  Roger Davies ^talk 18:24, 1 July 2011 (UTC)

5000 wikis? Surely you meant 1000 (which would still be overshooting the actual number, which is about 850). --MZMcBride (talk) 20:20, 1 July 2011 (UTC)

I actually meant 500 (the last actual figure I heard was 491) but thanks for picking it up and the update.  Roger Davies ^talk 20:25, 1 July 2011 (UTC)

Ah, fair enough. There's a fairly nifty page at Special:SiteMatrix that tracks nearly every Wikimedia wiki (with a count at the bottom). :-) --MZMcBride (talk) 20:27, 1 July 2011 (UTC)

Thanks! Book marked.  Roger Davies ^talk 20:37, 1 July 2011 (UTC)

• (e/c)Strong support for Jehochman's proposal. I guess the archives of a mailing-list are not deletable through
  WP:MfD, so let's have an RfC on the matter. Slim's point about the archives poisoning the well against our notorious gossip-targets every time new arbs come in is enough reason to delete those archives. (Even though I'm credibly informed by my friend Deep Throat that the only thing new arbs are likely to search the archive for is comments about themselves. A refreshing touch of fallible humanity there!) Anyway, please take the monster off the internet and leave it on WMF's doorstep; perhaps they can be persuaded to take it in. A minor point: no doubt arbs and functionaries will hang on to archived e-mails that they have a more personal interest in. I don't blame them, I'd do the same. But in case some of them are as klutzy as I am with their personal security, I suggest sending them to boot camp to learn the essentials about protecting their computers. @Resident Anthropologist, above: I don't think there's enough anthropology in your argument. The collective memory of Wikipedia resides in the History tabs — the remarkable way we keep everything (with some minor exceptions) that was ever posted here. Analysing those would be a lifetime job for some crazy researchers, and far more susceptible than the Arbcom Gossip Archives to juicy conclusions as well as to breaking down in various statistical ways. Bishonen | talk
  18:29, 1 July 2011 (UTC).

This is just my current idea, but I would be interested in alternatives. Cool Hand Luke 19:09, 1 July 2011 (UTC)

I don't think having a private e-mail archive is really problematic, per se. The issues are (a) that the list and the ArbCom wiki are very regularly used for matters that are not private; and (b) ArbCom's scope is so ill-defined that a lot of matters that should be referred to Wikimedia/OTRS/another venue/the trash have not been. I think both of these problems are fairly easily solved. --MZMcBride (talk) 20:20, 1 July 2011 (UTC)

Yes, we do get items that should really go to WMF, OTRS, on-wiki, or the trash (particularly the last two categories). My issue is that most of the traffic on the list doesn't really need to be private. On the other hand, perhaps a concentrated list of private information would only make the content more vulnerable. Cool Hand Luke 21:01, 1 July 2011 (UTC)

• The discussion of the mailing lists also relates, in a much broader sense, to the essence of the Committee itself. When one looks at the major issues that the Arbitration Committee has faced, these are almost invariably related to a lack of communication within the committee rather than too much communication. I agree that 18 arbitrators is too many (that was the community's idea, and I don't think anyone who's ever been on the Committee supported it), but there's nobody on the current Committee whom I'd exclude, as every voice has made a difference and brought a valuable perspective to just about every issue that the Committee has addressed in my 2-1/2 years on it. And I think my colleagues are fooling themselves when they say that archives aren't useful; almost every issue we've discussed this week that doesn't revolve around the mailing list has involved some review of archival material, with the exception of "fresh" unblock requests. Even some of them have had us looking at past emails to see that "oh, we reviewed a request from XX three months ago, turned it down because of XXX" or the like.

  I agree that we need to find a method to cull useless stuff from archives - and that would make up the overwhelming majority of correspondence in the archives right now; the data thief hasn't bothered to share that publicly as it devalues what few "interesting" things he can pull out and edit into his chosen format. In an ideal world, we'd have the appropriate software to identify what does and does not need to be kept, and for how long; and would also have some ability to export what information should be retained to a more secure environment in an effective manner - depending on humans to do this is unworkable, we have tried various logging processes during my tenure but they are all too labour intensive to be sustained. (I can think of about a dozen other features I'd look for in mailing list software as well, but we'll stick to archives.) I understand the concerns about "poisoning the well"; however, most of the time another arbitrator will follow up with a different interpretation or will correct an erroneous statement. Let's be realistic though, the majority of people who are spoken of in a negative way on the mailing list are people who are being considered for sanction, which by definition means that there is something negative to say about them - and past history is a significant determinant in sanctions anywhere in the project. (Blocked editors are blocked longer for repeat violations, and so on.) I'll just remind everyone that you're reading highly selective excerpts from the archives, many of them out of context, and several of them very incomplete. Risker (talk) 20:02, 1 July 2011 (UTC)

Allegedly there is a private Arbcom wiki with dossiers on sanctioned/problem users... isn't that a better place to organize histories of unblock request (without needing to keep non-germane private information about those users around) than the mailing list? TotientDragooned (talk) 20:19, 1 July 2011 (UTC)

It's listed at Special:SiteMatrix. Yes, it is a better place but it doesn't stop people sending stuff to arbcom-l though. The problem there is not so much that it's been sent but that there's no easy way of removing stuff from the archives once it's there.  Roger Davies ^talk 20:37, 1 July 2011 (UTC)

TotientDragooned, you're correct that in an ideal world, that information would be transferred to the appropriate "dossier" on the arbitration wiki; however, as we all know, wikis are good for retention, but not very good for timely discussion, unless one is logged in all the time to them and constantly refreshing the relevant page. The key is finding effective ways to transfer the information from the discussion platform (mailing list) to the retention platform (wiki) without needing to task someone to devote most of their volunteer time to move information back and forth, summarizing threads and so on. We did try that in my first year of the committee, and it took hours and hours a week. I don't think anyone has ever volunteered to be an arbitrator so that they can spend their hours archiving information. And I say that knowing that even before this episode, I'd been actively working with the WMF on the archives and mailing list software, and had already planned to spend a lot of time on the issue this summer; it was my personal objective before my term was over to address this issue. Please believe me that I really do understand a lot of the concerns that have been expressed, because I share them. Risker (talk) 20:44, 1 July 2011 (UTC)

Possible solutions for ArbCom to consider:

1. Appoint a small number of custodians to hold and access the archive. Giving 18 people access creates way too big an attack surface.
2. Do not distribute or retain any unnecessary confidential info. If people blab about their mental illness, real name, home address, or other irrelevant details, redact it immediately. The existing archive is poluted with such info and should be taken offline until it can be expunged.
3. Warn users that there is no such thing as perfect security. If you have a very sensitive issue, email an individual Arb and ask them to delete the message after reading, or call them on Skype. The relevant info can then be extracted, sanitized and summarized for the rest of the committee. Decentralization avoids creating a juicy target that is worth expending a lot of resources to crack.
4. Conduct routine business in public. The stuff will leak anyways. Taking away the secrecy would be a real buzzkill for the hackers and dramamongers.
5. Yeah, the archives have utility to you, but they have disutility to the people who's privacy is violated. You serve us, not the other way around.

Thanks for reading. Somebody organized could turn this discussion into a proper RFC. Jehochman ^Talk 20:56, 1 July 2011 (UTC)

Jehochman, I'm afraid we've not made ourselves understood. We are unable in any way to alter the archive other than deleting it all or keeping it all. This is the limitation of the Mailman software provided by the WMF. The community has made it very clear, in the wake of the Cyberstalking list, that they have no tolerance for discussion of project-related matters on non-WMF platforms, and in any case the Committee has no financial resources to move to an off-WMF platform. We've already recommended to the WMF that we think a change in software for private mailing lists is an essential part of addressing any concerns about retention of private data, as well as personal information and confidential information which is every bit as sensitive to the individuals involved. Emails to individual arbitrators is not an effective method of reaching the Committee, and is entirely dependent on all of us being on call 24/7 for a volunteer position; needless to say, that is not even remotely reasonable. Risker (talk) 21:13, 1 July 2011 (UTC)

_{Waits for big acrimonious debate over premature proposal in the wrong venue.} The more things change, the more they stay insane. Durova⁴¹² 21:21, 1 July 2011 (UTC) (remembering why my volunteer time now goes to a different charity)

• In addition to what Risker said, such a prohibition is bigger than a local consensus RfC is appropriate to handle.
  WP:ARBPOL was just updated, after a rather complicated referendum. While that was three years of cumulative changes and updates, I would say that such a proposal is a bigger change than that. Again, while we're going to try to do things as best we can, we're 1) stuck on WMF infrastructure, and 2) have no direct ability to change that, so we'll work within the framework we're given, and try to do our policy-mandated job while respecting as many of the community's preferences as we can, again, within that framework. Jclemens (talk
  ) 22:29, 1 July 2011 (UTC)

If the only way to get rid of the objectionable material is to delete the archives, then that's what must be done. Alternatively, you could hand them over to the control of the Foundation and remove access to them by others. But the current situation can't be allowed to continue, for all the reasons that people have been pointing out for years. A simple fix: (a) hand over archive access to the Foundation by closing the mailing list; (b) open a new mailing list until a more permanent fix has been decided; (c) don't switch on the archive for the new list; and (c) conduct almost all of your business onwiki. SlimVirgin ^{TALK|CONTRIBS} 22:48, 1 July 2011 (UTC)

Regarding the issue of deleting a message from mailman archives, could you please elaborate on the problem? I did a quick Google search, and found "How can I remove a post from the list archive / remove an entire archive?". It is complicated, and requires high level system access, but there is a method. -- Seth Finkelstein (talk) 04:16, 2 July 2011 (UTC)

Yes, that's true and it's one of the options I've been exploring. However, it's a huge task identifying the stuff to go in six-years worth of archive and a similarly mammoth task physically doing it.  Roger Davies ^talk 04:23, 2 July 2011 (UTC)

That's an argument to declare email bankruptcy, delete all the old messases, and then start over with a proper system. You could probably cherry pick the most essential bits of old data in a couple (wo)man days of work, and send the rest to the bit dumpster. Don't let perfect be the enemy of good. Jehochman ^Talk 05:20, 2 July 2011 (UTC)

Well, it will actually take a few weeks, but essentially that is what we are planning to do. The key point though, is that the real solution is better software (the "proper system" you refer to), and that is currently outside of our control. We've made the pitch, though, did so months before this event. Risker (talk) 05:30, 2 July 2011 (UTC)

Great. If I were you, I'd ask nicely once for proper software to be installed, and if you don't get a serious reply, resign (or go on strike) until you get the tools you need to maintain high standards. Sometimes one has to draw the line and say, "No, I will not do shoddy work." Jehochman ^Talk 05:40, 2 July 2011 (UTC)

Funnily enough, that's almost entirely my position on this. There are a couple of practical problems here. First, there's isn't a software solution ready yet (more on this in a moment). Second, I reckon that effectively weeding the archives would take at least several hundred person hours and perhaps closer to thousands of hours, not a couple of days. Third, now that they've been stolen, for

ArbPol is explicit about can be handled off-wiki. Finally, and this isn't intended to be a dig, while I appreciate your kind offer to help with new software very much indeed and have no reason whatsoever to doubt your integrity, many members of the community would go ballistic at the thought of a homegrown solution with all the attendent risks in terms of backdoors and so forth.  Roger Davies ^talk

05:39, 2 July 2011 (UTC)

I doubt ArbCom's needs are unique. If you Google around using the right keywords you can probably find an open source package that does everything you need (and more) off the shelf. Then it's just a matter of getting somebody to install it. I or some other volunteers could do some Googling and evaluate what software matches your needs. Custom development would be a really bad idea in this case, unless modifications were then released back to the open source project and became part of the community supported product. Jehochman Talk 05:46, 2 July 2011 (UTC)

This opens up a host of other practical issues. Where would we install it? Who would maintain, do upgrades etc? We don't necessarily have someone on the committee who could do all this, we don't have a full-time secretariat to provide maintenance continuity from year to year, and using non-WMF outsiders is a big no-no. It really has to be WMF driven.  Roger Davies ^talk 05:56, 2 July 2011 (UTC)

Risk is an unrealized expense. I submit that the cost of doing this right will be a lot less than the cost of doing it wrong. You should insist on having proper tools and resources to do your job. Your bargaining power is that you can quit. You don't need your Arbitrator paycheck and benefits -- because there are none. Unless WMF wants to handle Arbitration matters themselves, they will provide the software for the volunteers. All you need to do is assert yourselves. Jehochman ^Talk 06:18, 2 July 2011 (UTC)

I think you're overlooking the fact that the costs are not borne by the people who are at risk. This asymmetry tends to be the root of most monumentally stupid risk management decisions. Jclemens (talk) 06:28, 2 July 2011 (UTC)

I agree strongly with Jehochman. WMF has the funds to provide software and support. The point is, you have enough leverage that in the end it depends on how important you think it is, not how important Jimbo and the Foundation think it is. So decide amongst yourselves whether you think this is important enough that you really, really want it. "Jimbo and the Foundation" would be a pretty good name for a technopop group.

talk

) 00:49, 3 July 2011 (UTC)