Draft:CheckUser policy

CheckUser access allows a user to:

• investigate users;
• monitor actions performed by other users with CheckUser access.

Note, however, that local communities with a committee that has CheckUser access may choose not to authorize it to conduct investigations, for example, to avoid conflicts of interest.

The use of investigation is approved to prevent harm to Wikimedia projects, including fighting vandalism, spamming, detecting sockpuppet abuse, and minimizing disruptions.

The tool must not be used for political control, pressuring editors, or threatening others in content disputes. A valid reason is required to conduct an investigation, as alternative accounts are allowed unless they violate policies (e.g., double-voting, manipulating support, or evading blocks/bans).

Notification to the checked account or to the community is optional but permitted, subject to the privacy policy.

In some wikis, editors may request IP checks to provide evidence against sockpuppet allegations, though such requests can sometimes be part of disruptive behavior.

Communities must comply with these requirements:

1. The candidate must request CheckUser access within the local community and advertise this request appropriately (e.g., village pump, mailing list when available, special request page, etc.).
2. There must be at least two local users with CheckUser access per wiki, or not at all:
   • The community must ensure that the wiki has at least two local users with CheckUser access^[1] to oversee and verify each other's actions.^[2]
3. While local communities may establish additional requirements to complement the global community-set standards^[3], WMF-set requirements, or other Wikimedia Foundation policies, these additional requirements must not override or conflict with them.
4. The community must address complaints, especially those related to abuse or misuse, either directly or by referring them to the appropriate body:
   • Complaints involving private data may be handled by a community-run body with CheckUser access or the Ombuds Commission;
   • Complaints related to other concerns, such as account inactivity, may be addressed by the relevant body or local community (e.g., Arbitration Committee, sysop-run body, Request for Comment) for resolution.

On Wikimedia projects, privacy policy considerations are of tremendous importance. Unless someone is violating policy with their actions (e.g. massive bot vandalism or spam) and revealing information about them is necessary to stop the disruption, it is a violation of the privacy policy to reveal their IP, whereabouts, or other information sufficient to identify them, unless they have already revealed this information themselves on the project.

Users with CheckUser access must not publicly disclose confidential information. However, they may:

• Share any information with other users with CheckUser access;
• Share public information (accessible otherwise than by using their tools, for example from Special:Log);
• Communicate information that is too vague to be considered sensitive, such as:

UserA and UserB share the same network

UserA and UserB are similar

In the case of a public and explicit statement of personal information about an account that was registered prior to an investigation, this constitutes a disclosure on their part, and the CheckUser may communicate the same information (since it may have been obtained without privileges and/or has become public). However, they are not required to explicitly confirm or deny this statement, whether it is true or false. They may say "I cannot refute this statement" which could be understood as a refusal to respond or as an implicit confirmation. However, since the information could become confidential again (e.g., in the case of a suppression by Oversight users), the CheckUser must exercise caution.

Confidential information may only be accidentally and implicitly disclosed. This is referred to as a "necessary and accidental consequence" of preventing abuse. For example, if account "A" is abusing Wikipedia from IP address "X.X.X.X", then blocking that IP might imply that "X.X.X.X" and "A" are identical. If this occurs, the CheckUser will not be able to publicly and explicitly confirm that blocking "X.X.X.X" corresponds to blocking "A". This accidental disclosure, resulting from the fight against abuse, should remain "implicit".

The appointment of users, that is, granting CheckUser access to tools, can be done through community approval (i.e., election systems) or via a community-run body (i.e., nominations).

The community approval must meet the following requirements:

• At least 70% support in a pro/con vote or winning the majority of votes in a multiple-choice election (e.g. Schulze method).
• A minimum of 25 supporting votes from community members.
• It may revoke CheckUser access if necessary.

The community-run body, which is a group of elected users^[4], must meet the following requirements to appoint users:

• Its members :
  • Received at least 50% support in a pro/con vote or won the majority of votes in a multiple-choice election (e.g. Schulze method);
  • Were elected with the support of at least 25 members of the local community.
• It must have at least two active members;
• It may revoke CheckUser access if necessary.

Other forms of appointments may be discussed and validated within the Meta community to ensure there are no objections regarding the local consensual process.

After gaining consensus, the successful candidate - or the community-run body - should request access at Steward requests/Permissions, providing a link to the page documenting the consensus. An appointment cannot take place if, at the end of the process, fewer than two users with CheckUser access remain.

Local communities can create community-run bodies to monitor and/or judge complaints about users with CheckUser access. These bodies may or may not have CheckUser access.

Note, however, that the Ombuds commission investigates complaints about infringements of the Privacy Policy, the Access to nonpublic personal data policy and this Global policy, on any Wikimedia project. They also investigate for the Board of Trustees the compliance of local CheckUser policies or guidelines with the global CheckUser.^[5]

Any community-run body must meet the following conditions:

• It must have at least two active members;
• It must ensure or comply to #Requirements for local communities;
• It may revoke CheckUser access if necessary;
• Its members must be elected, as outlined #Appointing local CheckUsers.

When a community-run body has CheckUser access and can address complaints, it must ensure there is no conflict of interest or misuse of privileges in doing so. As a result, it must not be allowed to perform investigations as part of its routine activities.

Any user with CheckUser access will have their access revoked if they:

• remain inactive for more than one year;
• abuse or misuse the tool.

In such situations, local communities should request removal at Steward requests/Permissions.

Complaints regarding violations of this CheckUser Policy, the Access to Nonpublic Information Policy, or Privacy Policy breaches are handled by the Ombuds commission for all Wikimedia projects.

Abuse or misuse is defined as the use (or threat of use) of tools in a manner that is clearly inconsistent with the #Policy. This may include:

• Investigating users without a valid reason;
• Disclosing private data;
• Intimidating or harassing other contributors, as outlined in the Universal Code of Conduct.

• Privacy policy
• Ombuds commission (processes complaints of privacy violations)
• Requests for CheckUser information and CheckUser status
• Local policies of the projects
• Help:CheckUser user manual
• [Foundation-l] CheckUser (thoughts), by Anthere on April 22, 2006, includes a historic background