What sort of user information gets requested?
In some transparency reports, you may have seen a distinction made between “content” and “non-content” information. This distinction comes from the Electronic Communications Privacy Act, or ECPA (18 U.S.C. § 2703 et seq.). “Content information” refers to the contents of user communications. “Non-content” information refers to data about those communications. One common (if imperfect) analogy for explaining this is the difference between letters and envelopes. The information visible on the outside of an envelope, such as routing information, is considered non-content information. On the Wikimedia projects, this might include user agent information, IP addresses, or email addresses. The letter inside the envelope, however, is considered content information. On the Wikimedia projects, one example would be information on a Wikipedia page, which is already public. Because of the public nature of the projects, we very rarely receive requests for content information.
Does WMF have different standards for granting requests for user information depending upon who makes the request? How are these requests processed?
Additionally, we may disclose information in response to emergency requests in accordance with ECPA (18 U.S.C. 2702(b)(8)) when there is a credible and imminent threat of death or serious bodily harm. These requests must meet specific criteria, including detailing the nature of the emergency, why it is believed to be imminent, and the specific information requested and how it is necessary to prevent the threat from being carried out.
For more information on the procedures for requesting user information and making an emergency request, see our Requests for User Information Procedures & Guidelines.
What happens when you receive a request from abroad?
Per our Requests for User Information Procedures & Guidelines, we require requests originating from outside of the United States to follow the mutual legal assistance treaty (MLAT) process or letters rogatory process, so that a U.S. court will issue the required U.S. legal process to the Wikimedia Foundation. The MLAT process involves a network of treaties between countries, which require them to aid each other in obtaining information used for enforcing laws. Letters rogatory are a type of request issued by a court in one country to a court in another country, usually seeking assistance to serve process or gather evidence.
Help! My personal information is being sought because of something I did on the Wikimedia projects. What should I do?
If you are the subject of a subpoena, it is highly recommended that you consult your own lawyer immediately. There are a number of organizations that will fight on a user's behalf, like the American Civil Liberties Union (ACLU) or the Electronic Frontier Foundation (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. In rare cases, assistance may also be available under our Legal Fees Assistance Program or Defense of Contributors Program. Additionally, in certain situations, WMF may challenge a subpoena on a user’s behalf if it is unnecessarily broad or burdensome, or if we believe the subpoena threatens the free speech of users on the projects. For more information about subpoenas, see our Subpoena FAQ.
What do you mean by “information produced”?
When we say “information produced”, we mean that as a result of a legal process (such as a subpoena) that was legally valid, some or all of the nonpublic user information requested by that legal process was produced by WMF to the requesting party. “Information produced” also applies to rare emergency situations where we voluntarily disclose personal information to law enforcement, or produce such information in response to an emergency request, in order to prevent imminent bodily harm or death.
What’s the difference between “information produced (partial)” and “information produced (all)”?
Beginning with the July 2016 Transparency Report, we decided to provide additional information about the ways in which the Foundation responds to requests for user information. “Information produced (all)” refers to situations where we provided all of the nonpublic user information requested in the requester’s initial message to us. “Information produced (partial)” refers to situations in which we provided some nonpublic user information, but less than what was requested in the requester’s initial message. For example, this may happen when some of the information requested is information that we do not collect or store, when the requester asked for information that has already been deleted from our systems under our Data Retention Guidelines, or if the requester served us with valid legal process regarding some, but not all, of the information they wanted.
What do you mean by “informal non-government request”?
When we say “informal non-government request”, we mean a request for user information from a non-governmental entity that does not involve a formal legal process. For example, this would include a situation where a corporation sends us a letter or an email requesting nonpublic information about one of our users.
What do you mean by “informal government request”?
When we say “informal government request”, we mean a request for user information from a governmental entity that does not involve a formal legal process. For example, this would include a situation where a government sends us a letter or an email requesting nonpublic information about one of our users.
What do you mean by “civil subpoena”?
When we say “civil subpoena”, we mean a legal process received by the Wikimedia Foundation from a third-party individual or organization requesting nonpublic user information that usually relates to a legal dispute between two or more individuals or organizations. Civil subpoenas generally do not require review by a judge or a magistrate.
What do you mean by “criminal subpoena”?
When we say “criminal subpoena”, we mean a legal process received by the Wikimedia Foundation requesting nonpublic user information that is typically issued by a government attorney or grand jury, in connection with an official criminal investigation.
What do you mean by “administrative subpoena”?
When we say “administrative subpoena”, we mean a legal process received by the Wikimedia Foundation requesting nonpublic user information that has been issued directly by a government agency, without judicial oversight.
What do you mean by “search warrant”?
When we say “search warrant”, we mean a warrant issued under the procedures of the United States’ Federal Rules of Criminal Procedure or equivalent state warrant procedures, based upon a showing of probable cause that specific information held by the Wikimedia Foundation may be related to a crime. Search warrants are generally reviewed by a judge or a magistrate.
What do you mean by “court order”?
When we say “court order”, we mean an order issued by a court directed at the Wikimedia Foundation. If an order has been issued by a court of competent jurisdiction, we will evaluate the request. For example, court orders for user data may be issued under various U.S. federal and state laws, such as section 2703(d) of the Electronic Communications Privacy Act (“ECPA”).
For the avoidance of doubt, we believe a warrant is required by the 4th Amendment to the United States Constitution, which prohibits unreasonable search and seizure and overrides conflicting provisions in ECPA. We believe that ECPA needs to be updated so that equivalent protections are granted to electronic communications and documents that have already been granted to the physical documents one keeps at home or in their office. To that end, we are a member of the Digital Due Process Coalition to help in that effort.
What do you mean by “national security request”?
What is a “wiretap” or a “pen register”, and why doesn’t the Wikimedia Foundation list them in its Transparency Report?
A wiretap order (see The Wiretap Act, 18 U.S.C. § 2511 et seq.) is an order that requires the real-time interception of the content of telephone or internet communications. A pen register order (see The Pen Register Statute, 18 U.S.C. § 3121 et seq.) requires the real-time interception of non-content information associated with telephone or internet communications (such as routing information). We have never received a wiretap or pen register order. Should we receive such an order, we will disclose it in this report if allowed to do so by law.
Have you ever received an order under the All Writs Act?
No. The All Writs Act (28 U.S.C. § 1651) allows federal courts to issue all orders “necessary or appropriate in aid of their respective jurisdictions”. The Act has been used as a basis for orders requiring technology companies to access password-protected information. Thus, some technology companies and organizations may report All Writs Act requests in their transparency reports. We have not received such an order. If we do, and we are legally able to do so, we will include it in this report.
What do you mean by “user accounts potentially affected”?
This number represents the number of unique user accounts implicated by requests for user data and whose data would have been disclosed if we had granted every request we received. This number may not reflect the number of unique individuals implicated by requests for user data, since an individual may have multiple accounts across all Wikimedia projects, and we record each user account separately. As a result, this number might overestimate the number of individuals implicated by user data requests.
What do you mean by “user accounts actually affected”?
This number represents the number of unique user accounts whose nonpublic information was disclosed as a result of WMF receiving a valid request for user data. This number may not reflect the number of unique individuals whose data was disclosed as a result of a valid request for user data, since an individual may have multiple accounts across all Wikimedia projects, and we record each user account separately. As a result, this number might overestimate the number of individuals implicated by user data requests.
What do you mean when you say “user accounts notified”? When would you not tell a user that their nonpublic personal information is being disclosed as a result of a legal process, such as a subpoena?
We are committed to notifying users if we plan on disclosing nonpublic personal information. We added the “user accounts notified” category in the July 2016 Transparency Report to refer to the number of users whom we notified about such a planned disclosure. However, we cannot notify a user account if we are legally restrained from doing so (e.g., by a gag order), if a credible threat to life or limb is present, or if the user has not provided us with an e-mail address or valid contact information. Since one person may have more than one user account, and provide no, or different contact information for those accounts, the number of user accounts notified may not reflect the number of people notified.
What do you mean by “preservation request”?
A preservation request is an order from the U.S. government under the Electronic Communications Privacy Act (18 U.S.C. § 2703(f)). It requires us to retain information that would otherwise be deleted, anonymized, or aggregated within 90 days, according to our Data Retention Guidelines. If we receive one of these requests, we are legally required to retain the specific information indicated. However, we will not turn this information over to the requesting party unless they subsequently follow our Requests for User Information Procedures & Guidelines, and obtain a legal order, such as a subpoena or warrant, for the information in question. A preservation request requires us to preserve something. We will never produce information in response to a preservation request, and simply because we have preserved information does not mean that the party will follow the proper steps and obtain an order requiring us to produce it later.
What do you mean by “emergency disclosure”?
An “emergency request” is a request made when law enforcement has contacted us because of an imminent threat to life or limb, and we have decided to release information according to the process described in our Requests for User Information Procedures & Guidelines and the Electronic Communications Privacy Act (see 18 U.S.C. § 2702). When we feel that a law enforcement request does not rise to this level, we classify it as an “informal government request” instead.
What do you mean by “Right To Erasure”?
The Right to Erasure, sometimes called the Right to be Forgotten, grants individuals the ability to request the de-indexing or delisting of content about them from the results when someone searches for their name. We believe in a Right to Remember. Everyone should have free access to relevant and neutral information of public concern. We occasionally receive direct requests to remove content from Wikimedia projects under the Right To Erasure. We began documenting such requests in July 2014. For more information about our concerns, see our August 2014, October 2016>, and July and November 2017 blog posts about intervening in a related case.
How are requests for user data calculated differently by WMF as compared to other organizations?
In our transparency reports, WMF includes all types of requests for user information it receives, including governmental and non-governmental requests as well as informal and formal requests. Some other organizations, including several of those appearing in the “Compared to other companies” graph in our report, only disclose requests originating from governments. Please visit the transparency reports of Facebook, Google, Twitter, and LinkedIn for more details about the types of requests they receive.
What is WMF doing to help improve laws related to disclosure or surveillance of user information?
Our core values of freedom of speech and access to information can be threatened by laws that compromise user privacy. For this reason, the Wikimedia Foundation has joined the fight to improve privacy laws around the world.
In 2013, we joined the Digital Due Process Coalition (DDPC), an organization focused on reforming the United States Electronic Communications Privacy Act (ECPA). ECPA specifies standards for law enforcement access to electronic communications and associated data, thereby providing a degree of privacy to users of digital communication services. However, ECPA was enacted in 1986, meaning that it does not adequately protect users anymore, and only serves to provide inconsistent standards for law enforcement when dealing with “new” technologies. The DDPC’s mission is to simplify, clarify, and unify ECPA standards—providing clearer privacy protections for users, while taking into account changes in technology and usage patterns, and preserving the legal tools necessary for government agencies to enforce the laws and protect the public.
In 2014, we signed onto the Necessary and Proportionate Principles, which support the application of human rights to mass surveillance and set forth basic principles to which governments should adhere when employing modern surveillance technologies. In March 2015, we took an even stronger stand. The Wikimedia Foundation joined eight other co-plaintiffs in filing a lawsuit against the U.S. National Security Agency over its “Upstream” mass surveillance practices, which capture communications passing through the Internet “backbone.” While the claims of all plaintiffs were originally dismissed by the district court, in May 2017, the Court of Appeals for the Fourth Circuit ruled that the Wikimedia Foundation has standing to proceed. We strongly oppose mass surveillance by any government or entity, and hope that this lawsuit becomes an important step in enacting change. For more information, see our resources page on the case.
How do users resolve content disputes and decide what should appear on the Wikimedia projects?
All content on the Wikimedia projects is written, uploaded, edited, and curated by people just like you from around the world. For the most part, users—not the Wikimedia Foundation—develop and enforce the policies and procedures that govern the content on the projects. This means that users decide what should and shouldn't be included on the projects, within the bounds of U.S. law.
Similarly, each project’s community has created policies and procedures to handle disputes about whether certain content belongs on a particular project or meets that project's standards. When a third party has a Wikipedia article written about them and doesn’t like some of the content included in that article, the proper way to address their concerns is to reach out to the community itself, as opposed to the Wikimedia Foundation.
Help! I’m being sued because of something I did on the Wikimedia projects. What should I do?
Lawsuits against Wikimedia users are exceedingly uncommon—most disputes about content are resolved by working with the user community through community-driven processes. In fact, individuals and organizations that sue over content they wish to remove from the public eye often end up causing that content to receive greater public attention as a result of the lawsuit, a phenomenon known as the Streisand Effect.
In the unlikely event that you are the subject of a lawsuit, it is highly recommended that you consult your own lawyer. There are a number of organizations that will fight on a user's behalf, like the California Anti-SLAPP Project or the Electronic Frontier Foundation (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. Additionally, in rare cases, assistance may also be available under our Legal Fees Assistance Program or Defense of Contributors Program.
Does WMF ever remove content?
Absent the receipt of a legally valid DMCA notice, the Wikimedia Foundation will generally only remove content in exceptional circumstances. For example, we once removed a blogger’s unredacted travel visa after somebody else posted the image with the blogger’s private information exposed.
What makes a DMCA takedown notice “valid” or “proper”?
The DMCA has several formal requirements for notices. However, our evaluation isn’t over when we receive a notice that meets all of these requirements. We will also analyze the copyright eligibility of the work being infringed, whether the allegedly infringing material actually infringes, and whether the allegedly infringing material is a fair use of the requester’s work. For more information, see our DMCA Policy.
How are you transparent about particular DMCA removals besides in this transparency report?
We record every DMCA takedown request that results in removal of content on our website. In addition, every DMCA removal is submitted to the Lumen database (Lumen), a web archive managed by the Electronic Frontier Foundation and several law school clinics. By collecting takedown notices from a variety of sources, Lumen provides a large set of data for analysis and allows recipients and senders of takedown notices to learn more about how the DMCA operates in the current online environment.
What is a DMCA counter-notice, and did you receive any?
When material is removed due to a DMCA takedown notice, the uploader of that content or a third party may believe that it did not violate copyright laws. If so, they may send us a DMCA counter-notice, stating their belief that the content did not infringe any copyrights. If the counter-notice complies with the statute, we will restore the content within 10-14 business days unless a lawsuit is filed by the copyright holder. Prior to the July 2016 Transparency Report, we had not received any DMCA counter-notices. Between January and June 2016, we received two. We have received no subsequent counter-notices.
Why is the information from July 2012 - June 2013 not available in six-month increments like the information from July 2013 forward?
During the July 2012 - June 2013 period, we recorded totals only for the entire period, rather than breaking the totals into six-month terms. In order to provide a better comparison with other reporting organizations, we changed the date ranges for our charts to line up with the timelines used by those organizations starting in July 2013.
How do you count requests?
Each request received counts as one request in the Transparency Report, irrespective of the number of webpages, content, or users that request deals with. For example, a request for user information that asks for the information of three users counts as one request for user data, and a DMCA takedown request that requests the removal of five images is counted as one DMCA request. Duplicate requests regarding the same matter from the same requesting party are also counted as one request. For example, if a requesting party sends us multiple demand letters to take a particular Wikipedia article down, it counts as one request.
What do you mean when you say a project was “targeted” by a takedown, alteration, or DMCA request?
It means that a particular project would have been altered if we had granted a particular request or that a particular project was actually altered due to a particular request. For example, if the Transparency Report indicates that French Wiktionary was targeted by one content alteration request, it means that we received a content alteration request that demanded that we change content on French Wiktionary.
Do you have data for projects potentially and actually affected from July 2012 to June 2013?
No, we started tracking requests in more detail beginning in July 2013, so this level of detail is not available for July 2012 to June 2013.