James Lawrie, M.A.

Corrupt Wikipedia Admin Quits After Almost a Decade of Data Protection Breaches Across Multiple Jurisdictions


Last April, as the first COVID-19 wave fixated the Internet, a data breach and potential public relations catastrophe threatened to infect the English Wikipedia. The fallout could have infected the entire project. However, unlike the virulent plague sweeping the globe, Wikipedia’s arbitration committee (ArbCom) contained this disaster by taking affirmative action. To address the platform’s broader cultural issues, the Wikimedia Foundation introduced a new code of conduct, possibly as a vaccine against corrupt administrators. However, judging by the lukewarm reception the new code of conduct has received thus far from existing admins and veteran editors alike, the cavalier attitudes espoused by much of the community mean that issues of cyberbullying and harassment could persist for some time.


What was Wikipedia’s touch-paper, and who was the lightning rod?

For context, even though a para-hierarchy exists on the platform, Wikipedia is still a collaborative effort. Traditionally, Wikipedians liken the administrator role to that of a janitor.

It was the very freedoms that Wikipedia entrusts to its users that led to the need for site administrators. During the encyclopaedia’s formative years, anyone could delete an article. However, if editors objected to the deletion, they had no way of retrieving the deleted content. Another issue was that sometimes copyright violations, libellous speech or sensitive personal data needed to be purged from Wikipedia’s dataset altogether. Therefore, a group of trusted users gave themselves additional powers. However, the community took steps to prevent those with additional powers from forming a hierarchy or going power-mad. The community informally referred to administrators as Wikipedia Janitors and saluted new admins with the phrase “May you wield the mop and bucket with equanimity”. (Lih, 2009)

Among the site’s administrators exists a subgroup known as checkusers. Wikipedia allows this cadre of volunteers to use the CheckUser tool, which shows the IP addresses an individual editor has used as well as “other technical data stored by the server about a user account or IP address.” — Wikipedia:CheckUser

On 1st April 2020, the Arbitration Committee, Wikipedia’s equivalent of the supreme court, finally took the decision to strip corrupt administrator BBB23 of his right to view user IP data and other sensitive information. The decision exposed the tectonic divide at the heart of Wikipedia’s community. On one side, there were the pragmatists, level-headed, forward-thinking editors who agreed with ArbCom’s decision; on the other, the cavaliers, who revered BBB23 as a buccaneering champion of Wikipedian sovereignty.

However, for most, BBB23 was a known cyberbully and tyrant.

“To those who did interact with Bbb and follow his career, indirectly as admins and/or directly as editors who had run-ins with him, no, the story is not so complex. Bbb has always been an overly-aggressive, authoritarian, rule-breaking, unaccountable, cruel CU, not just to socks, but to anyone who dared question his authority or decision making. ~Swarm~ {sting} 05:34, 18 July 2020 (UTC)”

In light of these revelations, something had to change.


What did BBB23 do to have his checkuser powers revoked?

According to the UK’s 2018 Data Protection Act (DPA) as well as the European General Data Protection Regulation (GDPR), your IP address counts as personal information and should not have been shared with anyone without your consent. (Anon., n.d.)

However, Wikipedia makes its users’ IP data and other sensitive information available to a trusted group of volunteer site administrators known as checkusers.

The platform advises its checkusers to use their ‘discretion’ when checking IP addresses and tracking down multiple accounts with one operator. However, as many in the community knew, BBB23 did not use his powers with discretion. He would view the IP data of most new Wikipedia accounts and, if two IP addresses matched, block both accounts associated with those IP addresses. For BBB23, it didn’t matter if there was an innocent explanation, such as a shared house or office wi-fi. He viewed the personal information of Wikipedia’s volunteers and shared it with others without their knowledge or consent. There were even unverified claims on the Wikipedia criticism site Wikipediocracy.com that BBB23 was storing this data.

As a more responsible CheckUser, GorillaWarfare, pointed out, BBB23 was essentially fishing, which is where a CheckUser looks at personal data without evidence of wrongdoing, in violation of Wikipedia’s CheckUser policy. Or, as one anonymous user put it,

“An analogy might be a police officer whose “gift for drug busts” came from improper searches or wiretaps.” — Anonymous

Leading the pragmatists, the responsible checkuser GorillaWarfare confirmed that BBB23 was fishing through private information for terms of use violations.

“However, given the private information that is exposed to checkusers when a check is run, we do expect checkusers to be able to justify the checks that they are making are supported by policy and are not “fishing”.” — GorillaWarfare

The arbitration committee did not revoke BBB23’s powers out of the blue; they warned him in an email reiterating invalid reasons for viewing private data. (Anon., n.d.) Although the arbitration committee did not make the full email public, for transparency, they published the following excerpt, which lists his egregious behaviour, most of which involved harassing newcomers.

· Suspicious new users.

There must be clear evidence of misuse of multiple accounts. Just being a new account is not enough.

· Creating a new article.

If the article is spam, treat it as such. The CU tool should not be used without evidence that multiple accounts are being misused.

· Editing a contentious topic.

Many of our new editors get involved because they see an error and want to fix it. This is encouraged, even when the topic is considered contentious.

· Commenting at ANI, ANEW, the TEAHOUSE, RfA, or noticeboard.

Editing project-space must not trigger an automatic check; new users are allowed to ask for help or report problems.

· An editor returning after a hiatus, with no evidence of disruption or sockpuppetry.

There must be onwiki evidence that an account has been compromised. This should not trigger an automatic check.

· A clueless newbie making newbie mistakes.

Help them if they need help, don’t violate their privacy or try to find reasons to block them. We must AGF, especially for new editors.

In case you are wondering, AGF is Wikipedia jargon for assume good faith.

The above email excerpt shows that ArbCom were aware that BBB23 was harassing new editors and invading their privacy on an industrial scale.

The ongoing data breach went unremarked until BBB23 exposed his holier-than-thou attitude. Over the past four or more years, BBB23 had chosen to dedicate the hundreds of hours he volunteered to the Wikipedia Foundation to blocking accounts.


He was prolific too. During his tenure, he blocked around 25,000 accounts, sometimes removing 2,000 users a month. Unfortunately, his fixation with viewing personal data rode roughshod over the DPA and GDPR.

Shockingly, many senior members of Wikipedia were aware that BBB23 was looking up IP addresses for every new account that was created, before it even had time to edit a page, but did nothing to intervene. This unjustifiable intrusion into the privacy of practically every new editor was what finally brought ArbCom to make the following announcement.

The committee additionally imposed specific restrictions on Bbb23’s use of the CheckUser [IP checking] tool in ambiguous cases otherwise considered to be within the discretion of individual CheckUsers. Bbb23 has subsequently communicated to the committee that he is unwilling to comply with these restrictions, continued to run similar questionable checks, and refused to explain these checks on request. Accordingly, Bbb23’s CheckUser access is revoked.

In other words, BBB23 was indiscriminately violating the law and Wikimedia’s own policies. When asked to stop and justify his behaviour, he refused. He received a verbal slap on the wrist and had his extra powers removed. At this repudiation, BBB23 threw his proverbial toys out of the pram and announced his retirement. His announcement later turned out to be what Wikipedians refer to as a diva quit. He became active again in February 2021.

As editor Ajraddatz pointed out, the community was aware that BBB23 was abusing his powers for a long time, but he went unchallenged.

“Bbb23 is making judgment calls as to whether there is sufficient evidence of abuse to justify the invasion of a user’s privacy, and he is routinely not making those calls correctly. This has been going on for a long time and is another one of these funny Wikipedia memes that everyone knows is true but nobody has done anything about.” — Ajraddatz (talk)

As another editor, Leaky Cauldron, pointed out, the situation arose because Wikipedia’s arbitration committee is notoriously underactive.

“It’s high time we had an active AC, never mind an “overactive” one.” — Leaky Cauldron

However, the overarching question is, how did BBB23 get away with it for so long?

Judging by the discussion, there was no lack of evidence and many complaints about BBB23’s behaviour logged over the years. However, a comment by RoySmith and the subsequent retort by LEPRICAVARK show that the project’s dependence on voluntary labour, coupled with some editors’ absolute dedication to the cause, is what enables bullies like BBB23 to get a free pass on online harassment.

· “I agree with Tony Ballioni. ArbCom has turned into a witchhunt against longterm effective admins, apparently believing it has a remit from T&S to rid us of all the most productive admins on the slimmest grounds possible. I am taking careful note of all the current arbs who are enabling and supporting these actions regarding the four admins (so far since January) in question, which (ArbCom actions) are in my mind clearly doing immeasurable harm to the project, and I will vote against them in the next ArbCom election. I also hope that all of the current arbitrators are going to spend several hours of each day to take up the slack at SPI that Bbb23’s absence causes. He took a wiki-break a few years ago and SPI got so backed up it took weeks to get any SPI report looked at. Softlavender (talk) 00:18, 7 April 2020 (UTC)

Orthogonal to everything else being discussed here, it is unhealthy for any project to become so dependent on a single person that their absence has a serious impact on the smooth running of the project. — RoySmith (talk) 00:28, 7 April 2020 (UTC)

· Softlavender, it’s comments such as yours in this thread that help foster an environment in which well-connected individuals are able to get away with harmful behaviour simply because they have enough influential friends. The current ArbCom has earned my respect by taking on tough cases and refusing to let prominent editors off lightly for poor behavior. While these actions may anger those who put personalities above principles, the current arbs are to be commended, not condemned, for their courage and commitment to doing their job in an equitable fashion. LEPRICAVARK (talk) 01:53, 7 April 2020 (UTC)”

In case you are wondering, SPI stands for sockpuppet investigations. Sockpuppets are multiple accounts operated by one user. While some editors use sockpuppets for malign reasons, paid editors use them to protect their clients from harassment.

However, to the community’s credit, most of the editors who participated in the above thread supported ArbCom’s decision.

“Beyond My Ken, you seem to be ignoring why arbcom sent a policy reminder. It was because Bbb wasn’t adhering to the CU policy, which deals with sensitive and private user data. What exactly is unethical about that? Mr Ernie (talk)”

To give credit where credit’s due, the Wikimedia Foundation averted a PR catastrophe that could have had dire consequences for the project at large.

The fallout: how Wikipedia averted a public relations crisis.

Not for the first time, Wikipedia’s decentralised volunteer-led model proved to be its saving grace. Due to Wikipedia’s distribution of labour, it’s impossible to hold any one person accountable for wrongdoing, and because most Wikipedians, including administrators and checkusers, edit anonymously, it’s virtually impossible to pinpoint individuals who were complicit in this wrongdoing.

With crisis management, timing matters. As I mentioned in the lead paragraph, ArbCom made its move just as the first wave of the pandemic peaked. The world was distracted, and who wants to read or write about an encyclopaedia when a global catastrophe dominates the news?

Whether BBB23’s actions were what finally prompted the Wikimedia Foundation to introduce a universal code of conduct remains unclear, but the departure of several notorious administrators from the project demonstrates that the foundation, in conjunction with ArbCom, is finally clamping down on the platform’s toxic culture. However, judging by the support that many corrupt admins and checkusers still enjoy, Wikipedia will have a difficult job getting the whole community on board with its new code of conduct.

Works Cited

Anon., n.d. [Online]
Available at: https://www.legislation.gov.uk/ukpga/2018/12/notes/division/3/index.htm

Anon., n.d. [Online]
Available at: https://en.wikipedia.org/wiki/Wikipedia:Arbitration_Committee/Noticeboard/Archive_12#Revocation_of_CheckUser_access_for_Bbb23

Jemielniak, D., 2014. Common knowledge: An Ethnography of Wikipedia. 1st ed. Stanford, California: Stanford University Press.

Lih, A., 2009. The Wikipedia revolution: how a bunch of nobodies created the world’s greatest encyclopaedia. 1st ed. New York: Hyperion.

James Lawrie is a professional Wikipedia editor from Shrewsbury, Shropshire. He runs WikiNative, the UK’s leading paid Wikipedia editing outfit.