Requests for
User Data

Jul – Dec 2018

Total User Data Requests
25

Jul – Dec 2018

Percentage of Times Information Produced
16%

Freedom of speech is essential to the Wikimedia movement—the projects cannot flourish in an ecosystem where individuals cannot speak freely. Our users trust us to protect their identities against unlawful disclosure, and we take this responsibility seriously.

However, every year, governments, individuals, and corporations ask us to disclose user data. Often, we have no nonpublic information to disclose because we collect little nonpublic information about users and retain that information for a short period of time. But when we do have data, we carefully evaluate every request before considering disclosure. If the requests do not meet our standards—if they are overly broad, unclear, or irrelevant—we will push back on behalf of our users.

If we must produce information due to a legally valid request, we will notify the affected user before we disclose, if we are legally permitted and have the means to do so. In certain cases, we may help find assistance for users to fight an invalid request.

Below, you will find more information about the requests for user data we receive.

Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse.

Jul – Dec 2018
Summary

Total User Data Requests 25
Informal non-government requests 10
Informal government requests 9
Civil subpoenas 1
Criminal subpoenas 2
Administrative subpoenas 2
Search warrants 1
Court orders 0
National security requests 0
Information Produced 4

Jul – Dec 2018
User Accounts Affected

User accounts potentially affected 6722
User accounts actually affected 6674
User accounts notified 0

Type of Information Requested

We divide the requests we receive by the type of information requested: “content” or “non-content.”

Most content information on the Wikimedia projects is the public content of articles and project pages; “non-content” information refers to information such as IP addresses or user agent information. The distinction comes from the Electronic Communications Privacy Act, or ECPA. Please see our FAQ for more information.

Jul – Dec 2018

Content Requests
0%

Jul – Dec 2018

Non-Content Requests
100%

Compared to other companies, we received relatively few requests*

Total requests

Requests where information was produced

*

Due to the inconsistent release dates across different organizations, comparison data for the period covered by this report (July 2018 - December 2018) was not available, so we are presenting the comparison data above for January 2018 - June 2018. Please also note that figures for Wikimedia include additional types of requests for user data that are not included in the other organizations' figures. See the FAQ for more details.

Requests for user data, and how we responded

Request TypeShow All

Information Produced?

All

Partial*

None

*

Beginning with the July 2016 Transparency Report, the Wikimedia Foundation began distinguishing between "full" and "partial" compliance with user data requests. This distinction was not made for requests prior to July 2016. Please see our FAQ for more information.

By CountryShow All

Jul – Dec 2018
Government Requests Breakdown

Informal Government Requests Total 9
Australia State police 1
Canada State police 1
Federal police 1
Germany Local police 1
India Local police 3
Italy State police 1
United Kingdom Administrative agency 1
Administrative Subpoenas Total 2
United States Administrative agency 2
Civil Subpoenas Total 1
United States DOJ 1
Criminal Subpoenas Total 2
United States District court 2
Search warrants Total 1
United States District court 1




Jul – Dec 2018

Total Preservation Requests
2

Preservation Requests

Occasionally, we receive a preservation request from the U.S. government under the Electronic Communications Privacy Act. A preservation request is an order to retain information that would otherwise be deleted, anonymized, or aggregated within 90 days, according to our Data Retention Guidelines. If we receive one of these requests, we are legally required to retain the specific information indicated. However, we will not turn this information over to the requesting party unless they subsequently follow our Requests for User Information Procedures & Guidelines, and obtain a legal order, such as a subpoena or warrant, for the information in question.

Here, we provide the number of new preservation requests we received during the period covered by this report.





Jul – Dec 2018

Total Emergency Disclosures
13

Emergency Disclosures

We report two types of emergency disclosures, which happen on rare occasions.

First, the Electronic Communications Privacy Act provides an expedited process for law enforcement to request user data from websites in cases of immediate threat to life or limb. We call these “emergency requests”. Such requests are also addressed in our Requests for User Information Procedures & Guidelines and Privacy Policy.

Second, we proactively contact the authorities when we become aware of troubling statements on the projects, such as suicide threats or bomb threats. We take these statements seriously and assess each one individually, contacting law enforcement as appropriate to help resolve the issue. We call these “voluntary disclosures.”

The stories below are real. They are also meant to be illustrative of the kinds of situations that would warrant a possible emergency disclosure of user information. Please note that these specific stories may not have occurred during the precise time frame that this transparency report covers. Some variables, such as the privacy of our users, may require our postponing the reporting of certain stories.



Jul – Dec 2018
Total Emergency Disclosures

Voluntary Disclosures 13




A Deadly Threat

The community shares threats with the Foundation when they find them. When an anonymous poster made an alleged bomb threat, we found that the edit was made from an IP address that was near the apparent threat location. As permitted by our Privacy Policy, we alerted local police, passing on the IP address and details we had about the threat. The police informed us they had located and arrested the person in question, who allegedly had weapons available and reportedly confessed.

Protecting Schools

Our community members are vigilant. We work with them to address rare threats of harm that they encounter on the Wikimedia projects. In one such case, community members told us about a shooting threat, made against a school in the United States. We reported the user’s IP address and user agent information to the FBI, as allowed under our Privacy Policy in these circumstances. They passed the information on to local police, who identified the person who made the threat and prevented the situation from escalating.

Dealing with Suicide

Authorities advise contacting emergency services when a loved one threatens suicide. When someone shared what appeared to be a credible intent to commit suicide, we notified their local police department. The person was able to get medical help, and later let us know they were okay. If you are considering suicide, please seek out a mental health professional immediately. You can also contact emergency services; visit an emergency room or psychiatric walk-in clinic; or call a suicide prevention hotline.



Emergency Disclosures By Type