- This is not the place for stewards requests. To make a new request, see steward requests and requests and proposals.
- For illustration of steward policies and use, see the steward handbook.
- See also: Access to nonpublic personal data policy noticeboard.
- This page is automatically archived by SpBot. Threads older than 30 days will be moved to the archive.
SpBot archives all sections tagged with {{Section resolved|1=~~~~}} after 2 days and sections whose most recent comment is older than 30 days.
Intrusive surveillance script at trwiki
I talked about this in the Wikimedia Community Discord, and I was directed here by a steward (@AntiCompositeNumber). Apparently 2 years ago the Turkish Wikipedia added a script to its common.js that monitors the browsers of every Wikipedia reader, logged in or otherwise, and publicly reports changes to the HTML using the "inspect element" tool of the browser. Here's the script, and here's the frankly way too short discussion in trwiki about its implementation.
I found out about this after another user tried to talk about this in the Turkish Wikipedia's village pump, but it was reverted as a "troll" just a few hours later. I tried it to see if it was true after reading about its reverted discussion. I was threatened with a block for this experiment, so I did not continue. Thanks for your attention. Betseg (talk) 23:07, 10 April 2026 (UTC)
- To add a bit more context here, the script causes the user to make an edit on a report page if the user uses the console to edit their username specifically for the purposes of impersonating an administrator. Apparently there has been a problem with users using the console to change the username and then take screenshots for use off-wiki. Would appreciate someone a bit more technically minded confirming exactly how the script does that and if it is violating user privacy in doing so - at a glance I don't see anything myself. – Ajraddatz (talk) 23:49, 10 April 2026 (UTC)
- The primary problem I see is that this script is causing automated revisions to be published under the logged-in user account without an intentional action to publish. As a result, a revision is attributed to that user and licensed under CC BY-SA, undermining the expectation of informed consent. This does not appear to require emergency intervention, as the script does not appear to capture or publish any sensitive information (such as browser or OS data). This seems like an inappropriate use of common.js and is trivial for bad actors to bypass. I suggest this project look into using AbuseFilter or other server-side mechanisms to log suspicious edits instead. — xaosflux Talk 00:40, 11 April 2026 (UTC)
- I'm not sure that the abusefilter would work here, as there are no edits that could be flagged. I agree generally with the concern around forcing the user to publish an edit. However if WMF legal has already reviewed I'm not sure what else we would be able to do here, other than nudging the community to make changes or re-evaluate the need for the script. – Ajraddatz (talk) 03:21, 11 April 2026 (UTC)
- Ah ok, so these are people that aren't even attempting to publish a revision - that are then being tricked into publishing a revision without being shown and agreeing to the TOU and Copyright notice - that seems like an issue itself. Not sure if that specific concern was brought up to legal. — xaosflux Talk 13:51, 11 April 2026 (UTC)
- This is not a security problem. If interface admins want to do weird stuff they will. If the trwiki community is OK with what that script is doing I don't see a problem. I would personally avoid doing such things, but hey, some LTA are weird and dumb so maybe that works. I mean this should only work once. Nux (talk) 22:18, 12 April 2026 (UTC)
- Read WMF Legal's comment here: [1]. Nemoralis (talk) 02:43, 11 April 2026 (UTC)
Blacklisting usernames consisting of only non-spacing characters
There is currently a global title blacklisting request regarding usernames consisting of nothing but non-spacing characters, which might affect a small number of legitimate accounts. A comment from stewards would be appreciated. NguoiDungKhongDinhDanh 00:50, 20 April 2026 (UTC)

