My current understanding of general policy is that Cloud hosted services should not force the end user's browser to interact with third-party services without explicit opt-in approval. The documentation at https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use however does not clearly state that loading web content (e.g. images, javascript, css, ...) from third-party servers (e.g. external CDNs) is an end-user privacy violation.
Description
Event Timeline
Give examples in the Terms of Use, eg reCAPTCHA, CDN, etc. Suggest that tools-static be used instead.
I'm not sure if the premise is actually true. We had a user redirecting http://tools.wmflabs.org/$tool to their own private site (which is a very, eh, complete third-party web interaction), so I asked WMF Legal about that:
From: Tim Landscheidt <[email protected]> Subject: Silent redirects from Wikimedia Tools to third-party sites? To: [email protected] Cc: […] Date: Wed, 09 Jul 2014 11:07:20 +0000 (1 year, 35 weeks ago) Organization: http://www.tim-landscheidt.de/ Hi, throughout enwp, links like http://tools.wmflabs.org/[…]/[…] are advertised for the […] tool (there are similar links for other tools of this user). However, these redi- rect silently to http://[…] & Co. My gut feeling says that when a user clicks on such a link, he has an expectation of privacy according to the relevant policy for Wikimedia Tools and the silent change in the URL field does not put the onus to detect the connection to a third-party site on him (especially since with most browsers his data is passed onto the third-party site before he has a chance to react), but that the tool author at Wikimedia Tools has an obligation to make any such redirect obvious, for example with an interstitial that requires active user consent to proceed. What is WMF Legal's reading on that? Please make any answer publishable so that tool authors (or users) can be referred to it. TIA, Tim
I never received a reply, so I assume that this is not as clear-cut as it would seem.
I'm not sure why you never received a reply, but it's very clear-cut. Indeed, there was at least one user whose access to labs was suspended because of that very reason.
It's a question of notice - enforce; not one of allowability.
I've seen some tools use Google Analytics too, and there is nothing in the Terms of Use at the moment that say not to. It would make sense to have it in the Terms of Use as saying very clearly that this is something that we do not allow.
Thanks to everyone for bringing this issue to our attention.
There has also been some discussions on labs-l about changing and clarifying the Labs Terms of Use so this is definitely something we will looking into changing as part of the process.
I've seen some tools use Google Analytics too, and there is nothing in the Terms of Use at the moment that say not to. It would make sense to have it in the Terms of Use as saying very clearly that this is something that we do not allow.
I assume this comment is in line with all the other comments. That the issue is a lack of a user consent for the use of third-party interactions rather than wholly disallowing its use?
I'd be all for just disallowing, but yeah my word of mouth understanding is that 3rd party server interactions should require consent. It would be nice to get things clarified one way or the other.
Thanks Bryan.
Will do. We'll keep this task updated as we look into updating the TOU.
I've been told that 3rd party server interactions were not allowed full-stop, so it would be good to get it clarified.
hey @ZhouZ! Thanks for digging into this.
This has been my impression as well.
As a kind of overview to relate explanations I have seen to our current text:
https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#What_uses_of_Labs_do_we_not_like.3F
- Illegal or harmful activity: Do not break the law. This includes, but it is not limited to, accessing other systems without authorization, accessing private data without authorization, harassing or abusing others, engaging in fraud, trafficking in unlawful material, or distributing unsolicited commercial email (spam), viruses, malware, or other malicious code.
accessing other systems without authorization
This to me has indicated that you cannot use external user tracking services or, really, any system outside of the universe of Labs and the protective TOU without authorization from the user. Which could be a "hey we are doing x" acknowledgement?
- Misuse of Private Information: Do not collect or misuse private information of users, as defined in “Private Information”, below.
We do identify 'IP' as private information in the expanded section and any system outside of Labs makes that a private information leak as far as I can understand it. Which may be permissible with notice and etc, but seems in violation without following the guidance in https://wikitech.wikimedia.org/wiki/Wikitech:Labs_Terms_of_use#What_can_and_can.E2.80.99t_be_done_with_user_information.3F
- Proprietary software: Do not use or install any software unless the software is licensed under an Open Source license.
This becomes a shell game if we are cavalier about passing requests to systems outside of Labs because anyone can easily put the bulk of their logic in some propriety off Labs system effectively neutering this provision.
- Proprietary content: Do not use or create content unless it complies with the Wikimedia Licensing policy. This includes content in the public domain or freely licensed under an applicable free culture license, such as the Creative Commons Attribution ShareAlike 3.0 license.
Same issues as 3 I believe.
- Using Wikimedia Labs as a network proxy: Do not use Wikimedia Labs servers or projects to proxy or relay traffic for other servers. Examples of such activities include running Tor nodes, peer-to-peer network services, or VPNs to other networks. In other words, all network connections must originate from or terminate at Wikimedia Labs.
In other words, all network connections must originate from or terminate at Wikimedia Labs.
I'm not entirely sure how expansive this statement was meant to be but it could be relevant.
Hi @chasemp,
Thanks for pointing out these potential inconsistencies and lack of clarity on these terms. These are all things we will be looking at as we begin the process of the revising the labs terms of use, probably starting off with a community mini-consultation.
Illegal or harmful activity: Do not break the law. This includes, but it is not limited to, accessing other systems without authorization, accessing private data without authorization, harassing or abusing others, engaging in fraud, trafficking in unlawful material, or distributing unsolicited commercial email (spam), viruses, malware, or other malicious code.
accessing other systems without authorization
This to me has indicated that you cannot use external user tracking services or, really, any system outside of the universe of Labs and the protective TOU without authorization from the user. Which could be a "hey we are doing x" acknowledgement?
This is not very clear but I think this is actually referring to accessing another system without authorization from the system or system's administrator (e.g. do not hack into another system).
Proprietary software: Do not use or install any software unless the software is licensed under an Open Source license.
This becomes a shell game if we are cavalier about passing requests to systems outside of Labs because anyone can easily put the bulk of their logic in some propriety off Labs system effectively neutering this provision.
Perhaps another way to approach this is to make it clear (assuming we want a strict policy) that you cannot link or use another resource that's not under an open license policy.
Proprietary content: Do not use or create content unless it complies with the Wikimedia Licensing policy. This includes content in the public domain or freely licensed under an applicable free culture license, such as the Creative Commons Attribution ShareAlike 3.0 license.
Same issues as 3 I believe.
We might just want to clarify that to the extent any content is actually visible to a user accessing a labs project or being created via user input on the labs project, such content should adhere to the WMF licensing policy. I don't think we can tell users to never link to a page that's not under our Wikimedia Licensing policy.
Zhou
There actually is a potential technical solution to disallowing loading javascript, images, etc from external domains. The Content-Security-Policy HTTP header provides instructions to the receiving User Agent (web browser) about what origins should be allowed for various interactions. The generic intent of this header is to limit potential abuse by malicious scripts. It allows defining a whitelist of domains that are ok to interact with for various actions.
A header like Content-Security-Policy: default-src 'self' 'unsafe-inline' data: *://*.wmflabs.org:* *://*.wikimedia.org:* *://*.mediawiki.org:* *://*.wikipedia.org:* ... could be injected into all responses at the HTTP proxy to provide browsers with a whitelist of acceptable content origins. The ... would need to list all other Wikimedia TLDs that are acceptable and would probably end up being a pretty long list. I'd be interested to hear what @csteipp thinks about the feasibility of such a solution.
@bd808 Does that stop links to external sites, or just the loading of javascript, images, etc. on the page from external sites?
It would not stop external linking, and I do not think that external linking is actually something that we want or need to prevent. The privacy aspect is about automatically loading content from external domains in the form of images, css, javascript, iframe embeds, etc.
I created T130748: Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses to discuss the technical details of enforcement once we have decided here what the official policy actually is.
@ZhouZ what are the next steps here now that https://meta.wikimedia.org/wiki/Labs_TOU_Consultation_Round_1_(2016) has closed?
I will publish a new proposed draft of the labs terms of use for community consultation, incorporating the feedback from Round 1.
I have been busy with some other matters recently so I think it be until end of the month/early August before this is ready.
Zhou
Zhou is not around anymore and there are no news yet (if there were, they'd be mentioned here) unfortunately. Someone with time and resources would need to pick this up again and find someone with time and resource in Legal.
(Please avoid contentless and useless "bumping" - thanks.)
There has been a small bit of work on this project in the past 6 months, but there is no resolution yet. I will provide updates if and when there is information that can be shared.
@Aklapper thank you for the update. I think that asking whether there have been any changes, after a suitable period of time has passed, is fine. In addition to prompting people to update Phabricator with relevant info that they can share, this helps to flag tasks which may have stalled.