Wikimedia Foundation Tells FTC to Rein in Commercial Surveillance

Nov 21, 2022

‘One is Man Controlling Trade,’ created by Michael Lantz, located by the Federal Trade Commission building. Image by Carol M. Highsmith and United States Library of Congress, no known copyright or rights restrictions, via Library of Congress.

Written by the Wikimedia Foundation’s Kate Ruane, Lead Public Policy Specialist for the United States; Ellen Magallanes, Senior Counsel; and Clarissa Choy, Senior Counsel.

Protecting privacy is in Wikimedians’ DNA. Both the Foundation and the Wikimedia community know better than most that privacy is an essential element of free knowledge and knowledge equity, which is why we demonstrate our commitment to it in our policies. There is a presumption in favor of privacy in the content of Wikimedia projects. For example, current rules limit the amount of private information about living persons made available and ensure the information in question is reliable and neutral. The Foundation also collects and retains very little personal information about users of Wikimedia projects. However, not every online service shares our commitment to privacy. Study after study and report after report show that almost every time people interact with the world, online or offline, data is being collected about them. To name but a few, GPS coordinates, biometric details from photographs and voice messages, and networks of contacts, friends, and family are deeply personal information that can be used in unexpected, even harmful ways, and support mass surveillance by governments. For years, it has been clear that the federal government must create new rules to protect the privacy of personal information and rein in harmful business practices that put privacy, civil rights, and other freedoms at risk. Now, finally, the Federal Trade Commission (FTC) is answering.

Earlier this year, the FTC issued an advance notice of proposed rulemaking (ANPRM) on Commercial Surveillance and Data Security. The ANPRM asked a number of important questions about current personal data gathering and use practices, the harmful impact of certain uses of data, the FTC’s authority to protect consumers’ privacy through a rulemaking, and data security and consumer privacy. The ANPRM is the first step in a process which could lead to the FTC issuing binding rules that govern the collection and use of personal information for commercial use by many companies in the US.

The Wikimedia Foundation, as a nonprofit organization that hosts open and free knowledge projects, filed comments in response to the FTC’s call. In doing so, we hoped to demonstrate to the FTC what sound privacy policies and data practices look like when they are motivated by a public interest focus and not by profit, and to guide the FTC toward rules that would provide strong privacy protections that support the exchange of free knowledge. Our comments highlight five key practices in which the Foundation engages, as well as recommendations to the FTC for translating those practices into a commercial context: data minimization; transparency; short data retention periods; support for community-driven platforms; and protection of human rights.

  • Data Minimization. The Foundation practices data minimization in the first instance by collecting very little personal information. Currently, a user does not need to sign up for an account or sign into their account in order to contribute to any of the projects. When people do create accounts, the Foundation does not require that they provide their real names or even an email address to hold an account. We do note in our privacy policy, however, that the Foundation can only help recover access to accounts for which a person has provided an email address, and that we collect information related to accounts that would be considered personal information, even though real names are not required. The Foundation also collects information as people use the websites, make public contributions, or engage with Foundation staff by email or otherwise provide feedback to the Foundation when requested. We make clear that collecting this information helps to understand how the Wikimedia websites are used, so that the Foundation can improve operations and make the websites more useful to users.

    The Foundation recommended that the FTC also require data minimization in the first instance under its rules by restricting the permissible collection of data to only what is reasonably necessary to provide a particular service.
  • Transparency. The Foundation is transparent regarding how, when, and with whom it may share personal information. Most importantly, the Foundation never sells personal information, does not earn money from selling advertisements, and does not permit third parties to track users through Wikimedia projects for any reason.

    The Foundation recommended that the FTC require transparency surrounding privacy practices, but also cautioned that any transparency requirements should not require entities to collect more data than they otherwise would, and should not require disclosures that could compromise the privacy of community moderators, who may have permission to access personal data in order to address vandalism or other rule violations on certain websites.
  • Short Data Retention Periods. The Foundation has extremely short data retention times. Most non-public personal information is deleted, aggregated or de-identified within ninety (90) days if it is retained at all. In addition to being a strong privacy practice, our short data retention window also increases data security because it makes Foundation databases less attractive to hackers. If the Foundation does not have the data, no one can steal it.

    The Foundation recommended that the FTC create retention time limitations when it issues its rules.
  • Support for Community-Driven Platforms. The goal of the Wikimedia projects is to provide access to freely reusable, objective, and verifiable content that everyone can edit and improve. As the encyclopedia is open to contributions from anyone, the Wikimedia community has created policies to ensure the information on Wikipedia is and remains accurate. These include policies that require citation of verifiable secondary sources for every fact included on Wikipedia, and transparency requirements regarding conflicts of interest. Most notably, in the context of privacy, and by way of example, Wikipedia editors for English Wikipedia must comply with the policy on Biographies of Living Persons, which mandates a presumption in favor of privacy when writing about people who are still alive.

    Importantly, the creation and enforcement of these policies by communities would not be possible without strong intermediary liability protections, like those afforded by Section 230 (47 U.S.C. § 230). This is so even with the protections that the First Amendment to the US Constitution affords community-driven projects. Section 230 allows communities to edit projects like Wikipedia, and establish and enforce their own content moderation rules in a decentralized way with safety and security top of mind, rather than focusing on avoiding liability risk.

    The Foundation recommended that the FTC also consider the limits Section 230 may place on community-driven platforms in its pursuit of the protection of privacy, because those limitations are critical to maintaining the balance between free expression online and protecting privacy and community-led platforms as we know them.
  • Protection of Human Rights. The Foundation is committed to protecting the human rights of its users, including privacy as a crucial right that enables people to exercise many other rights, such as the right to free expression. The Foundation’s public interest mandate shapes the particular relationship we have with the data to which we have access, including how we use it, and how long we keep it. We understand online interactions can potentially have negative consequences, such as exposure to harassment, harmful content, or inappropriate communication. Our commitment to upholding the human rights of Wikimedia users encompasses mitigating these risks, and we reflect these values in the Foundation’s Privacy Policy, Terms of Use, and Human Rights Policy. In addition, we are currently undergoing a Children’s Rights Impact Assessment to better understand and mitigate the risks that minors face on Wikimedia projects, while still protecting those users’ rights to privacy and freedom of expression.

    Every online platform is different. Enforcing a uniform set of rules would have serious unintended consequences to many of them. The FTC should encourage platforms to reflect and conduct their own impact assessments in order to evaluate their specific risks and opportunities, find ways to mitigate those risks while enhancing the positive and affirmative impacts, and produce tailored protections for children’s rights.

    Rather than regulate platforms broadly and uniformly, the Foundation recommended that the FTC encourage platforms to be responsible actors and uphold users’ rights by conducting human rights impact assessments of their services.

This is merely the first step on the road for the FTC to issue final rules. To be sure, these rules are long overdue. We are hopeful that the FTC will take this opportunity to bring public interest and human rights to rules governing data collection, use, and security practices. Creating rules through that lens will lead to strong data minimization requirements, limits on harmful uses of data, and a focus on the human rights of all impacted by the collection and use of their personal information for commercial gain. The Foundation stands ready to work with the FTC as this process continues.

Stories by the Wikimedia Foundation's Global Advocacy team.