Wikipedia:Arbitration/Requests/Motions

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by L235 (talk | contribs) at 05:19, 30 September 2018 (→‎Motion: CU/OS activity standards: enact). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Motions

Motion: CU/OS activity standards

From Wikipedia:Arbitration Committee/Procedures#CheckUser/Oversight permissions and inactivity

Original: Accordingly, the minimum activity level for each tool (based on the preceding three months' activity) shall be five logged actions, including at least one community-requested logged action. Examples of community-requested actions include suppression requests via the oversight-en-wp OTRS queue; CheckUser requests through Wikipedia:Sockpuppet investigations, those stemming from account creation requests, those made in response to threads at an administrative noticeboard, or posted on a CheckUser's personal user talk page. These activity requirements do not apply to: sitting members of the Arbitration Committee; or holders who have temporarily relinquished access, including CheckUsers or Oversighters who accept appointment to the Ombudsman Commission.

and:

Holders of the permissions are also expected to:

  • Remain active on the English Wikipedia unless they have previously notified the Arbitration Committee of a significant expected absence and its likely duration.
  • Consider temporarily relinquishing their permission(s) for planned prolonged periods of inactivity.
  • Reply within seven days to email communications from either the Audit Subcommittee or the Arbitration Committee about their use of the permissions.

Replaced with:

Accordingly, the minimum activity level for each tool (based on the preceding three months' activity) shall be five logged actions. Consideration will be given for activity and actions not publicly logged, such as responding to requests on the Checkuser or Oversight OTRS queues; participation on list discussions; activity at Wikipedia:Sockpuppet investigations; responding to account creation requests; and responding to Checkuser or Oversight requests on administrative noticeboards, UTRS queue, and user talk pages. These activity requirements do not apply to: (a) sitting members of the Arbitration Committee; (b) holders using the permissions for audit purposes; or (c) holders who have temporarily relinquished access, including CheckUsers or Oversighters who accept appointment to the Ombudsman Commission.

and:

Holders of the permissions are also expected to:

  • Remain active on the English Wikipedia unless they have previously notified the Arbitration Committee of a significant expected absence and its likely duration.
  • Consider temporarily relinquishing their permission(s) for planned prolonged periods of inactivity.
  • Reply within seven days to email communications from the Arbitration Committee about their use of the permissions.

For this motion there are 12 active arbitrators. With 0 arbitrators abstaining, 7 support or oppose votes are a majority.

Enacted: Kevin (aka L235 · t · c) 05:19, 30 September 2018 (UTC)[reply]
Support
  1. The proposal is to update the language and examples in the existing outdated policy to better reflect functionary areas of activity and current practices. Mkdw talk 20:29, 25 September 2018 (UTC)[reply]
  2. as a first step. DGG ( talk ) 16:17, 26 September 2018 (UTC)[reply]
  3. Agreed a good first step. RickinBaltimore (talk) 16:19, 26 September 2018 (UTC)[reply]
  4. It’s a start. Katietalk 18:22, 26 September 2018 (UTC)[reply]
  5. Euryalus (talk) 04:00, 27 September 2018 (UTC)[reply]
  6. Per Mkdw and per Risker in the comment section. Newyorkbrad (talk) 04:25, 27 September 2018 (UTC)[reply]
  7. Personally, I'm of the opinion that general activity on wiki should be sufficient to retain the tools, but I certainly see this as an improvement. WormTT(talk) 08:55, 27 September 2018 (UTC)[reply]
  8. Sure, sounds reasonable. I'll cop to being one of those lame-os who doesn't prioritize this process, particularly for people who are still editing - as I've said before, here and on the mailing list, I've almost completely changed my mind on this since joining the committee, and whether that's a genuinely new perspective or turning into The Man, I don't know. I originally thought it was important to prevent "functionaries" from becoming a social class rather than a clunky not-so-short shorthand term for a couple of user rights. I've since come to the view that trying to do that kind of social engineering is both ineffective and not really the point of the activity requirements, though of course I still agree with the underlying premise. The problem with the current requirements is mostly that they're not at all targeted toward preventing data breaches due to account compromise - if that's the problem we're trying to solve, then we should have mandatory 2FA plus an automatic expiration after a much shorter period of overall account inactivity. Rhetoric aside, the current process focuses only on CU/OS use, independent of other editing activity that clearly indicates the account is under the control of the right person, and is really not designed to target that risk. Opabinia regalis (talk) 09:47, 28 September 2018 (UTC)[reply]
  9. I support this as a good start. There's no reason to let the perfect be the enemy of the good - we can alter things further if need be in other motions. ♠PMC(talk) 18:14, 28 September 2018 (UTC)[reply]
Oppose
  1. Oppose calling this our activity policy quite strongly until we address whether we're actually going to hold functionaries to these requirements. Our current activity policy, even after these changes, is heavily misleading to the community. We simply do not enforce it as written, and there appears to be no appetite here to even talk about changing that. We check inactivity incredibly infrequently, and when a functionary is found to be inactive even based on this lax application of already lax standards, the Committee essentially never acts to remove the tools. This applies even to functionaries that show up repeatedly in our activity checks. I can't vote for this if I don't think it will represent what will actually happen behind-the-scenes. The community deserves more transparency than that.

    We've seen administrator accounts (and even Jimbo's account, which had CU/OS access) compromised in the past couple years. Functionaries are not required to have 2FA enabled, and many do not. Under this set of circumstances, I don't see how we can ignore the fact that inactive functionary accounts could lead to a very preventable security breach.

    Frankly, the community should be outraged by how lax we actually are with enforcing functionary activity. It's your data that's potentially vulnerable when we fail to apply the principle of least privilege. As noted by Beeblebrox below, a functionary recently retained their tools through a full year with zero logged actions. We're setting ourselves up for a future security breach when we allow something like that. I can't support reaffirming that this is our activity policy when it doesn't match what we're actually doing. ~ Rob13Talk 06:20, 28 September 2018 (UTC)[reply]

    With respect to Opabinia regalis' view, I just want to point out that the principle of least privilege contradicts it. I'm not an information security expert, but I trust those that are, and they're near-universally in agreement that the principle of least privilege is important to maintaining overall security of a system. It's about reducing the number of possible attack vectors. Further, the community has decided this principle is important, given the furor surrounding interface administrators. ~ Rob13Talk 17:55, 28 September 2018 (UTC)[reply]
  2. I want to support this, I really do, because the changes in what is counted as activity are important. That bit's great. But Rob's right saying that we don't enforce the three month bit - in fact I'm not sure if it should be 3, 4 or 6 months and I'd like to see more discussion about that soon because it isn't working in practice - in fact I wish this motion had left the time period to be set by the community. Of course my oppose doesn't matter because there are 8 in favor, so I haven't scuppered what is in part a good change. Doug Weller talk 12:04, 28 September 2018 (UTC)[reply]
Abstain
  1. I was originally going to support this change, however, on further reflection I do have reservations especially as the person who has been doing these audits. I'm concerned that this change will make an already time-consuming and difficult process even more difficult as it will add grey to a process which needs to be black and white to work effectively. The more grey we make it, the more discussion and consensus building will be required in a process which history has shown arbitrators tend to be too busy to care about. I'm not opposing the change as making steps forward on this is a good thing and I think the arguments in favour are sound. Plus, I can live with this if the majority wants it. The way it's implemented, however, will need to be discussed when this motion passes. Callanecc (alt) (talk) 12:39, 29 September 2018 (UTC)[reply]
Comments by arbitrators
  • I would like to pin down removal procedures at the same time as tackling the activity requirements. It's meaningless to update the requirements if the requirements aren't evenly or consistently enforced, and they currently aren't. I would be interested to hear if the community saw any disadvantages in automatic removal of functionary tools if a functionary goes inactive, with the tools restored upon request. ~ Rob13Talk 03:15, 26 September 2018 (UTC)[reply]
    • By automatic removal, I mean removal not requiring a vote of the full Committee. Obviously, we can't require the stewards to do our work for us. It would be allowing an individual arb to go to the stewards and say our criteria for removal has been met, please remove, rather than requiring a vote of the Committee to remove someone even after they've failed to meet our activity requirements. ~ Rob13Talk 13:42, 26 September 2018 (UTC)[reply]
      • To explain my oppose above a bit further, I do support this move to define "activity" more broadly. What I'm opposing is continuing the fiction of an unenforced activity policy. Any community member can verify how poorly we've enforced this. Simply check WP:AUDIT/STATS since the start of 2018 and see how often functionaries have fallen below the "minimums". Zero functionaries have been removed by the Committee during this time. ~ Rob13Talk 06:25, 28 September 2018 (UTC)[reply]
  • As I understand this, the point of this is to increase the range of actions that count towards the requirement. I think it's a necessary update, but it is a minimal update. In the last few years, we have never managed to get to this every three months, and we have usually been quite liberal in accepting a promise of continuing activity as sufficient. I suggest that what is needed is changing 3 months to 6 months, and adding the word "normally" somewhere appropriate. I would very strongly oppose anything automatic in this connection--this is something where we need more flexibility, not less. DGG ( talk ) 16:17, 26 September 2018 (UTC)[reply]
  • I intentionally left out audits and the removal process because they are more controversial; waiting for an omnibus motion that will cover all three issues will mean waiting forever. As indicated, these issues have been debated for years without any movement. The proposal would almost certainly stall and not reach a consensus resulting in no changes. All three issues need to be revisited, but not within a singular proposal. The proposal is not a mutually exclusive option to evaluating other proposals about audits, activity, and removal. Mkdw talk 17:35, 26 September 2018 (UTC)[reply]
  • @Beeblebrox: If the current minimum activity requirements do not seem realistic or reasonable, it is no surprise that for years the Committee has not strictly enforced them. Outdated procedures only contribute to that fact. In my experience, no one on the current Committee believes inactive editors should retain the tools. The point of contention always seems to come down to three primary issues: (1) the frequency of audits; (2) what defines activity; (3) the removal process.
For me, the most important factor is functionary activity. Ideally, the procedure should not encourage over-liberal use of the tools to simply game meeting the hard-defined logged requirement. And for the purposes of audit, it seems apparent to me when someone is not active. Tracking publicly logged actions gives us a good starting place to look further into the matter.
If someone responds to ten oversight OTRS tickets and the oversight tool is used only four times and the rest are 'decline' responses, I would much rather give due consideration and deem them 'active'. Under the current policy, that person should be removed for inactivity regardless, or under the current practice, they would be allowed to continue and the Committee would be non-compliant.
Lastly, I did not rewrite the procedure to expressly say "five logged actions and/or activity and actions not publicly logged" because they are not equal. My rationale was to provide a way for commonsense to prevail. The Committee should be capable of adequately reviewing each on a case-by-case basis, or at least the community may address it when they appoint individuals. Mkdw talk 20:17, 26 September 2018 (UTC)[reply]
  • As others have indicated in their votes, which is based upon lengthy list discussions, this is only the first step in a process that will require many. Several issues still need to be resolved such as minimum activity requirements, audit frequency, removal, and security. The only way the Committee will enforce these requirements will be if there is consensus and buy-in. It will take time to get there and we are not going to do it in just one step.
There have been years of exhaustive discussions, including with the current sitting Committee, that have gone nowhere. This has been acknowledged repeatedly both off and on-wiki. It is clear that too many issues are trying to be addressed at once and the debates always stall. Waiting for consensus on all issues will mean waiting forever. Pursuing an omnibus motion to overhaul the procedures has consistently failed to move even past discussion. An incremental approach needs to be attempted to capture and lock down the areas we do agree upon so we can focus on the areas we do not. Others must obviously vote their conscience, but I am disappointed to hear that they agree with the changes, but oppose the motion because we have not reached a point that will not be achieved until many steps later. Frankly, requiring full consensus ahead of any action has been one of the contributing factors that has paralyzed the Committee and resulted in non-enforcement. The process needs collaboration and compromise to reach an agreed upon policy that will be enforced. Mkdw talk 16:32, 28 September 2018 (UTC)[reply]
As noted privately, I would support such incremental steps if we formally stated this policy is currently not being enforced until there is actual agreement within the Committee that we should enforce it. Otherwise, we're giving a false impression to the community about the current state of enforcement by reaffirming the current policy. ~ Rob13Talk 17:57, 28 September 2018 (UTC)[reply]
Based on my post at ACN it's clear that the policy is sometimes being enforced; the problem is, and has always been during my time on the Committee, that the level of arbitrator buy-in isn't strong enough for there to be consistent enforcement. I made an attempt to streamline the removal process during my first term on the Committee and that definitely made it easier by codifying a process and not requiring a committee vote to remove the tools from inactive CUs/OSers. However, the problem is that, so far, no Committee has agreed to automatic removal of permissions which is the most time effective way to reduce the significant amount of time it takes to do the audit, contact inactive functionaries (twice), recheck activity and check that no one objects to removing permissions from functionaries who haven't responded. Until the Committee designs and agrees (that is, through consensus building and majority votes) a process which is much less time consuming but still fair to functionaries the activity standards simply can't be effectively enforced. Callanecc (alt) (talk) 12:10, 29 September 2018 (UTC)[reply]

Community comments

  • More like just a wording change (on a verbatim level), since the meaning appears to remain mostly the same, but perhaps the extra clarity doesn't hurt, seeing as the Audit Subcommittee is inactive. —Mythdon 05:27, 26 September 2018 (UTC)[reply]
  • This has literally been argued over for years, and whatever standards are put into place are never really enforced, so I sadly think this is not a productive use of time unless ArbCom is really prepared to enforce the policy. --Rschen7754 05:31, 26 September 2018 (UTC)[reply]
    • As far as automatic removal, the procedure would need to be acceptable to the stewards on Meta. I think an automatic policy where the removal request was made to stewards by an arbitrator or bureaucrat would *probably* be okay, but I'm no longer a steward so I can't say for certain. --Rschen7754 05:35, 26 September 2018 (UTC)[reply]
      • Put a question about this on the Steward noticeboard. Jo-Jo Eumerus (talk, contributions) 07:38, 26 September 2018 (UTC)[reply]
        We rarely have capacity to monitor enwiki's CU/OS logs. (We already have more than enough work to do and enwiki's quantity of logs is simply overwhelming.) So, I'd rather see the request coming from either 1. local crat or 2. current local arbitrator. (Disclaimer: Personal opinion.) — regards, Revi 10:10, 26 September 2018 (UTC)[reply]
        Where is the difference at all and why should we comment? Is it that now "Consideration will be given for activity and actions not publicly logged"? --MF-W 10:52, 26 September 2018 (UTC)[reply]
        I am not sure you will get much use out of this diff unless you have WikedDiff. From what I can see, the significant changes are removing the requirement for community-requested action, addition of 'not publicly logged actions' as consideration, addition of list discussion participation, specifying that participation at noticeboards should be in relation to the CUOS toolsets, and excepting auditors from these requirements. There is also removal of the audit subcommittee, which I don't see as significant. --Izno (talk) 12:24, 26 September 2018 (UTC)[reply]
        This was in response to Rob's proposal of an automatic process that would not require a vote of the Committee to remove rights but would instead be a pre-written policy that might need an arbitrator or bureaucrat to certify the request. For getting CU/OS, the two options are community vote or ArbCom motion. For removing it, many wikis do have an inactivity policy option that has been acted on by stewards, though the CU/OS global policies are less clear about how removal works. My question is whether stewards would be okay with the combination of ArbCom appointment, and then ArbCom or inactivity policy for removal. The wikis that do ArbCom CU/OS appointments generally have ArbCom votes for the removals (frwiki, nlwiki, ruwiki, ukwiki). --Rschen7754 19:15, 26 September 2018 (UTC)[reply]
        (commenting as a Steward). If the policy allows for a single arb (or crat) to make the request at Meta, then I can't see why we wouldn't act on it. With the exception of the very rare emergency, all we are ever doing for en.wiki is implementing your policy QuiteUnusual (talk) 14:50, 26 September 2018 (UTC)[reply]
        Agreed with QU; ArbCom is the granting authority for CU/OS on enwiki, so we'll enforce whatever policies (save ones that don't meet the minimum standard of the global CU policy) you decide on. -- Ajraddatz (talk) 20:35, 26 September 2018 (UTC)[reply]
  • This seems to be saying non-logged actions will be given “consideration”. I find that rather vague. I’m ok with the idea that not every functionary action is a logged use of the tool, we all know that, but given that for years the committee has been extremely lax in following this policy making it more open to interpretation seems like a step backwards. Will the non logged actions be given the same consideration as logged actions? If I comment five times on email threads does that mean I can just sit back for the next three months or does there still need to be some at least occasional actual tool use? I’m asking because it really is not clear to me. Beeblebrox (talk) 18:28, 26 September 2018 (UTC)[reply]
I appreciate the reply above. I guess my concern comes down to trusting the committee to exhibit the common sense you refer to, but I can’t think of a way to more explicitly define the relative weight of logged and non-logged actions either. Beeblebrox (talk) 20:21, 26 September 2018 (UTC)[reply]
  • Just a note that I love the color coding of changes. Appreciated! spryde | talk 20:25, 26 September 2018 (UTC)[reply]
  • As to the removal process, I really think it needs an overhaul. Or maybe just a simplification. With AUSC gone I think the task could easily be handled by a 2-3 times a year discussion on the arb mailing list, without requiring a formal vote, just a discussion amongst whichever arbs care to monitor the activity levels and act in accordance with them. As you all know, we recently saw an oversighter who was totally inactive in OS activities for about a year before the committee apparently asked them to turn the tool back in, and that was only after I bugged you guys about it via email. With the reduced arbcom workload in recent years I don’t see any reason why this keeps slipping through the cracks. The stats are updated for all to see once a month. Beeblebrox (talk) 20:31, 26 September 2018 (UTC)[reply]
  • I think the modifications, in particular the recognition that there are related and crucial activities that do not result in logged actions, are quite important and valuable. It's important that (for example) oversighters be assured that *turning down* an inappropriate request will be considered as much a part of their role as accepting and acting on appropriate requests. There are also some very important discussions about specific requests that occur on the oversighter mailing list that serve (in part) to articulate and reinforce a more standard method of responding to particular requests, and participation from both new and experienced oversighters is very helpful in those discussions. The same holds true for checkusers - saying "no" to requests that aren't appropriate is again an important part of the role. The privacy of our users is important and any actions that affect it should be limited. Thanks, Arbcom, for this updated process. Risker (talk) 02:55, 27 September 2018 (UTC)[reply]
    • I can't comment on how much of an issue it has been in the past, but per usual Risker is right: having activity requirements that are based around positive action taking will encourage taking those actions. A good decline may even be more thoughtful. ~ Amory (utc) 10:42, 27 September 2018 (UTC)[reply]
    • I agree with everything Risker and Amory say. I actually think that answering an OTRS ticket should count the same towards activity levels regardless of whether the action is an oversight/CU, a decline, a request for more information, starting a discussion on the mailing list, or moving the ticket to the correct queue (the enwp oversight queue occasionally gets requests for oversight on other projects, if that project has an OTRS oversight queue we can move the ticket to that queue to be handled by the people who have oversight permission on that wiki). Thryduulf (talk) 11:55, 27 September 2018 (UTC)[reply]
  • As a further comment, I agree with everything Rob has said. User:Lankiveil has not been with us for several months, yet he is still subscribed to functionaries-en per Template talk:Functionaries. We don't know who controls his email account now. There is an editor on that list who was desysopped for inactivity. Think about inactive functionaries' emails (like the ones they use for Wikimedia) being hacked, as may have happened to one current arbitrator a few years ago (though we did not believe that private data was accessed). All the inactive CUs have access to the CheckUser wiki, which has raw IP addresses stored on it, and they are generally subscribed to checkuser-l (a global mailing list which has CheckUsers from across Wikimedia). Besides being able to see all oversighted content (with logging only done at the server level), oversighters can get into the oversight-en-wp queue and have oversight-l access. This is not a good thing. Can't we do something about this? We really need to correct the fuzzy notion that we need to preserve people's access to private data lest we offend them greatly when they are barely using their access. --Rschen7754 06:34, 28 September 2018 (UTC)[reply]
    • The comments about the functionaries list subscribers are valid - I shall highlight this on the list for the list admins. Thryduulf (talk) 12:44, 28 September 2018 (UTC)[reply]
  • One might as well do away with the requirements anyways. But managing the functionaries seems to be a bulk of the committee's business since 2016, so I guess we need a raison d'être for the overhead. --Guerillero | Parlez Moi 05:08, 29 September 2018 (UTC)[reply]
    • I can't speak for before 2018, of course, but I can say that managing the functionaries has made up a very tiny minority of our business this year. ~ Rob13Talk 14:40, 29 September 2018 (UTC)[reply]
  • This seems to be another ArbCom policy that is far too bureaucratic for what the situation demands, and that's why it isn't being used. The requirement for notification and follow-up with both the individual and the rest of ArbCom already makes it really boring work that nobody wants to do and therefore nobody does. Instead of making the process more complicated to solve the relatively minor issue of non-actions also being important, just make a simpler standard that takes the fact that many important actions are not logged into account and a simpler system that allows people to actually enforce the policy with fewer hoops. You aren't actually a court, most of you aren't lawyers, there's no need for the fluff. -- Ajraddatz (talk) 21:14, 29 September 2018 (UTC)[reply]