All sorts of identifying information, public and nonpublic, gets requested. Requests tend to be very broad in nature, in order to capture as much information as possible. However, most information on the projects is public: for instance, talk pages or information relating to a page’s edit history. We store very little nonpublic information. Some of it is collected automatically (such as the IP address of the user's device or their proxy server and user agent information), while other types of nonpublic information are optionally provided by the user (such as an email address). With some narrow exceptions, nonpublic information that includes personal information of any particular user is only kept for a short amount of time. You can learn more about the types of information we collect and how long we retain that information in our Privacy Policy and Data Retention Guidelines.
In some transparency reports, you may have seen a distinction made between “content” and “non-content” information. This distinction comes from the Electronic Communications Privacy Act, or ECPA (18 U.S.C. § 2703 et seq.). “Content information” refers to the contents of user communications. “Non-content” information refers to data about those communications. One common (if imperfect) analogy for explaining this is the difference between letters and envelopes. The information visible on the outside of an envelope, such as routing information, is considered non-content information. On the Wikimedia projects, this might include user agent information, IP addresses, or email addresses. The letter inside the envelope, however, is considered content information. On the Wikimedia projects, one example would be information on a Wikipedia page, which is already public. Because of the public nature of the projects, we very rarely receive requests for content information.
No. Regardless of who is requesting user data—be it an individual, a government, or a law enforcement officer—the Wikimedia Foundation only discloses nonpublic user information in accordance with our Terms of Use, Privacy Policy, and applicable U.S. law, including the Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§2510-2522, 18 U.S.C. §§ 2701-2711, and 18 U.S.C. §§ 3121-3127). We typically do not produce information as a result of a request unless we have received proper legal process. Submitted requests must be reasonable, specific and relevant. Requests must include contact information for the requester, and a specific deadline. Finally, requests must be legally valid and enforceable under United States law, in the form of a court order, subpoena, warrant, or request served under the mutual legal assistance treaty or letters rogatory process.
Additionally, we may disclose information in response to emergency requests in accordance with ECPA (18 U.S.C. 2702(b)(8)) when there is a credible and imminent threat of death or serious bodily harm. These requests must meet specific criteria, including detailing the nature of the emergency, why it is believed to be imminent, and the specific information requested and how it is necessary to prevent the threat from being carried out.
For more information on the procedures for requesting user information and making an emergency request, see our Requests for User Information Procedures & Guidelines.
Per our Requests for User Information Procedures & Guidelines, we require requests originating from outside of the United States to follow the mutual legal assistance treaty (MLAT) process or letters rogatory process, so that a U.S. court will issue the required U.S. legal process to the Wikimedia Foundation. The MLAT process involves a network of treaties between countries, which require them to aid each other in obtaining information used for enforcing laws. Letters rogatory are a type of request issued by a court in one country to a court in another country, usually seeking assistance to serve process or gather evidence.
For content requests received from abroad, we evaluate the request to determine if it presents an applicable legal requirement in our jurisdiction and, if so, we respond to it appropriately. If it does not, we help requesters understand Wikipedia and provide them with information to work productively with the volunteer community.
If you are the subject of a subpoena, it is highly recommended that you consult your own lawyer immediately. There are a number of organizations that will fight on a user's behalf, like the American Civil Liberties Union (ACLU) or the Electronic Frontier Foundation (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. In rare cases, assistance may also be available under our Legal Fees Assistance Program or Defense of Contributors Program. Additionally, in certain situations, WMF may challenge a subpoena on a user’s behalf if it is unnecessarily broad or burdensome, or if we believe the subpoena threatens the free speech of users on the projects. For more information about subpoenas, see our Subpoena FAQ.
When we say “information produced”, we mean that as a result of a legal process (such as a subpoena) that was legally valid, some or all of the nonpublic user information requested by that legal process was produced by WMF to the requesting party. “Information produced” also applies to rare emergency situations where we voluntarily disclose personal information to law enforcement, or produce such information in response to an emergency request, in order to prevent imminent bodily harm or death.
Beginning with the July 2016 Transparency Report, we decided to provide additional information about the ways in which the Foundation responds to requests for user information. “Information produced (all)” refers to situations where we provided all of the nonpublic user information requested in the requester’s initial message to us. “Information produced (partial)” refers to situations in which we provided some nonpublic user information, but less than what was requested in the requester’s initial message. For example, this may happen when some of the information requested is information that we do not collect or store, when the requester asked for information that has already been deleted from our systems under our Data Retention Guidelines, or if the requester served us with valid legal process regarding some, but not all, of the information they wanted.
When we say “informal non-government request”, we mean a request for user information from a non-governmental entity that does not involve a formal legal process. For example, this would include a situation where a corporation sends us a letter or an email requesting nonpublic information about one of our users.
When we say “informal government request”, we mean a request for user information from a governmental entity that does not involve a formal legal process. For example, this would include a situation where a government sends us a letter or an email requesting nonpublic information about one of our users.
When we say “civil subpoena”, we mean a legal process received by the Wikimedia Foundation from a third-party individual or organization requesting nonpublic user information that usually relates to a legal dispute between two or more individuals or organizations. Civil subpoenas generally do not require review by a judge or a magistrate.
When we say “criminal subpoena”, we mean a legal process received by the Wikimedia Foundation requesting nonpublic user information that is typically issued by a government attorney or grand jury, in connection with an official criminal investigation.
When we say “administrative subpoena”, we mean a legal process received by the Wikimedia Foundation requesting nonpublic user information that has been issued directly by a government agency, without judicial oversight.
When we say “search warrant”, we mean a warrant issued under the procedures of the United States’ Federal Rules of Criminal Procedure or equivalent state warrant procedures, based upon a showing of probable cause that specific information held by the Wikimedia Foundation may be related to a crime. Search warrants are generally reviewed by a judge or a magistrate.
When we say “court order”, we mean an order issued by a court directed at the Wikimedia Foundation. If an order has been issued by a court of competent jurisdiction, we will evaluate the request. For example, court orders for user data may be issued under various U.S. federal and state laws, such as section 2703(d) of the Electronic Communications Privacy Act (“ECPA”). As another example, some court orders may require the Wikimedia Foundation to alter or remove content from Wikipedia. Such orders could come from a court in the United States or from a court in another country on a case by case basis depending on whether the facts gives rise to enforceable foreign jurisdiction.
For the avoidance of doubt, we believe a warrant is required by the 4th Amendment to the United States Constitution, which prohibits unreasonable search and seizure and overrides conflicting provisions in ECPA. We believe that ECPA needs to be updated so that equivalent protections are granted to electronic communications and documents that have already been granted to the physical documents one keeps at home or in their office. To that end, we are a member of the Digital Due Process Coalition to help in that effort.
“National security requests” include national security letters and orders issued under the Foreign Intelligence Surveillance Act (50 U.S.C. §1801 et seq.).
A wiretap order (see The Wiretap Act, 18 U.S.C. § 2511 et seq.) is an order that requires the real-time interception of the content of telephone or internet communications. A pen register order (see The Pen Register Statute, 18 U.S.C. § 3121 et seq.) requires the real-time interception of non-content information associated with telephone or internet communications (such as routing information). We have never received a wiretap or pen register order relating to activity on the Wikimedia projects. Should we receive such an order, we will disclose it in this report if allowed to do so by law.
No. The All Writs Act (28 U.S.C. § 1651) allows federal courts to issue all orders “necessary or appropriate in aid of their respective jurisdictions”. The Act has been used as a basis for orders requiring technology companies to access password-protected information. Thus, some technology companies and organizations may report All Writs Act requests in their transparency reports. We have not received such an order. If we do, and we are legally able to do so, we will include it in this report.
This number represents the number of unique user accounts implicated by requests for user data and whose data would have been disclosed if we had granted every request we received. This number may not reflect the number of unique individuals implicated by requests for user data, since an individual may have multiple accounts across all Wikimedia projects, and we record each user account separately. As a result, this number might overestimate the number of individuals implicated by user data requests.
This number represents the number of unique user accounts whose nonpublic information was disclosed as a result of WMF receiving a valid request for user data. This number may not reflect the number of unique individuals whose data was disclosed as a result of a valid request for user data, since an individual may have multiple accounts across all Wikimedia projects, and we record each user account separately. As a result, this number might overestimate the number of individuals implicated by user data requests.
We are committed to notifying users if we plan on disclosing nonpublic personal information. We added the “user accounts notified” category in the July 2016 Transparency Report to refer to the number of users whom we notified about such a planned disclosure. However, we cannot notify a user account if we are legally restrained from doing so (e.g., by a gag order), if a credible threat to life or limb is present, or if the user has not provided us with an e-mail address or valid contact information. Since one person may have more than one user account, and provide no, or different contact information for those accounts, the number of user accounts notified may not reflect the number of people notified.
A preservation request is an order from the U.S. government under the Electronic Communications Privacy Act (18 U.S.C. § 2703(f)). It requires us to retain information that would otherwise be deleted, anonymized, or aggregated within 90 days, according to our Data Retention Guidelines. If we receive one of these requests, we are legally required to retain the specific information indicated. However, we will not turn this information over to the requesting party unless they subsequently follow our Requests for User Information Procedures & Guidelines, and obtain a legal order, such as a subpoena or warrant, for the information in question. A preservation request requires us to preserve something. We will never produce information in response to a preservation request, and simply because we have preserved information does not mean that the party will follow the proper steps and obtain an order requiring us to produce it later.
An “emergency disclosure” includes two types of disclosures: voluntary disclosures, and emergency requests. “Voluntary disclosure” refers to a case in which we become aware of statements on the projects that threaten harm to the user who made the statements and/or other individuals, and—on our initiative—choose to disclose nonpublic user information to a law enforcement agency. Such disclosures are rare; they are made only in accordance with the exceptions outlined in our Privacy Policy, such as to protect you, ourselves, and others from imminent and serious bodily harm or death.
An “emergency request” is a request made when law enforcement has contacted us because of an imminent threat to life or limb, and we have decided to release information according to the process described in our Requests for User Information Procedures & Guidelines and the Electronic Communications Privacy Act (see 18 U.S.C. § 2702). When we feel that a law enforcement request does not rise to this level, we classify it as an “informal government request” instead.
The Right to Erasure, sometimes called the Right to be Forgotten, is a right under the laws of various countries that allows individuals to request that certain information relating to them be delisted or removed. We receive two types of Right to Erasure requests relating to the Wikimedia projects: requests relating to project content, and requests relating to user accounts. We believe in a Right to Remember. Everyone should have free access to relevant and neutral information of public concern. For more information about our concerns, see our August 2014, October 2016>, and July and November 2017 blog posts about intervening in a related case.
In our transparency reports, WMF includes all types of requests for user information it receives, including governmental and non-governmental requests as well as informal and formal requests. Some other organizations, including several of those appearing in the “Compared to other companies” graph in our report, only disclose requests originating from governments. Please visit the transparency reports of Facebook, Google, Twitter, and LinkedIn for more details about the types of requests they receive.
Our core values of freedom of speech and access to information can be threatened by laws that compromise user privacy. For this reason, the Wikimedia Foundation has joined the fight to improve privacy laws around the world.
In 2013, we joined the Digital Due Process Coalition (DDPC), an organization focused on reforming the United States Electronic Communications Privacy Act (ECPA). ECPA specifies standards for law enforcement access to electronic communications and associated data, thereby providing a degree of privacy to users of digital communication services. However, ECPA was enacted in 1986, meaning that it does not adequately protect users anymore, and only serves to provide inconsistent standards for law enforcement when dealing with “new” technologies. The DDPC’s mission is to simplify, clarify, and unify ECPA standards—providing clearer privacy protections for users, while taking into account changes in technology and usage patterns, and preserving the legal tools necessary for government agencies to enforce the laws and protect the public.
In 2014, we signed onto the Necessary and Proportionate Principles, which support the application of human rights to mass surveillance and set forth basic principles to which governments should adhere when employing modern surveillance technologies. In March 2015, we took an even stronger stand. The Wikimedia Foundation joined eight other co-plaintiffs in filing a lawsuit against the U.S. National Security Agency over its “Upstream” mass surveillance practices, which capture communications passing through the Internet “backbone.” While the claims of all plaintiffs were originally dismissed by the district court, in May 2017, the Court of Appeals for the Fourth Circuit ruled that the Wikimedia Foundation has standing to proceed. We strongly oppose mass surveillance by any government or entity, and hope that this lawsuit becomes an important step in enacting change. For more information, see our resources page on the case.
All content on the Wikimedia projects is written, uploaded, edited, and curated by people like you from around the world. Volunteer contributors jointly develop and enforce the policies and procedures that govern the content on the projects. This means that users decide what should and shouldn’t be included on the projects, keeping in mind both U.S. law and the particular project’s own policies.
Each community has policies and procedures to handle disputes about whether certain content belongs on a particular project or meets that project’s standards. When a third party has a Wikipedia article written about them and doesn’t like some of the content included in that article, their first step should be to reach out to the community itself, as opposed to the Wikimedia Foundation.
Lawsuits against Wikimedia users are exceedingly uncommon—most disputes about content are resolved by working with the user community through community-driven processes. In fact, individuals and organizations that sue over content they wish to remove from the public eye often end up causing that content to receive greater public attention as a result of the lawsuit, a phenomenon known as the Streisand Effect.
In the unlikely event that you are the subject of a lawsuit, it is highly recommended that you consult your own lawyer. There are a number of organizations that will fight on a user's behalf, like the California Anti-SLAPP Project or the Electronic Frontier Foundation (EFF). If you need help finding an attorney, WMF may be able to put you in touch with some of these organizations or help you secure an attorney at reduced or pro-bono rates. Additionally, in rare cases, assistance may also be available under our Legal Fees Assistance Program or Defense of Contributors Program.
The vast majority of questions about content on the projects are ably handled by volunteer contributors. Absent the receipt of a legally valid DMCA notice, the Wikimedia Foundation supports community processes of evaluating and improving project content, and will generally only remove content in exceptional circumstances. For example, we once removed a blogger’s unredacted travel visa after somebody else posted the image with the blogger’s private information exposed.
The DMCA has several formal requirements for notices. However, our evaluation isn’t over when we receive a notice that meets all of these requirements. We will also analyze the copyright eligibility of the work being infringed, whether the allegedly infringing material actually infringes, and whether the allegedly infringing material is a fair use of the requester’s work. For more information, see our DMCA Policy.
We record every DMCA takedown request that results in removal of content on our website. In addition, every DMCA removal is submitted to the Lumen database (Lumen), a web archive managed by the Electronic Frontier Foundation and several law school clinics. By collecting takedown notices from a variety of sources, Lumen provides a large set of data for analysis and allows recipients and senders of takedown notices to learn more about how the DMCA operates in the current online environment.
When material is removed due to a DMCA takedown notice, the uploader of that content or a third party may believe that it did not violate copyright laws. If so, they may send us a DMCA counter-notice, stating their belief that the content did not infringe any copyrights. If the counter-notice complies with the statute, we will restore the content within 10-14 business days unless a lawsuit is filed by the copyright holder. Prior to the July 2016 Transparency Report, we had not received any DMCA counter-notices. Between January and June 2016, we received two. We have received no subsequent counter-notices.
During the July 2012 - June 2013 period, we recorded totals only for the entire period, rather than breaking the totals into six-month terms. In order to provide a better comparison with other reporting organizations, we changed the date ranges for our charts to line up with the timelines used by those organizations starting in July 2013.
Each request received counts as one request in the Transparency Report, irrespective of the number of webpages, content, or users that request deals with. For example, a request for user information that asks for the information of three users counts as one request for user data, and a DMCA takedown request that requests the removal of five images is counted as one DMCA request. Duplicate requests regarding the same matter from the same requesting party are also counted as one request. For example, if a requesting party sends us multiple demand letters to take a particular Wikipedia article down, it counts as one request.
It means that a particular project would have been altered if we had granted a particular request or that a particular project was actually altered due to a particular request. For example, if the Transparency Report indicates that French Wiktionary was targeted by one content alteration request, it means that we received a content alteration request that demanded that we change content on French Wiktionary.
No, we started tracking requests in more detail beginning in July 2013, so this level of detail is not available for July 2012 to June 2013.