OpenWetWare:Software/Private Pages
From OpenWetWare
Jump to navigationJump to search
There have been requests and questions about having content on OWW that is not public, not indexed by Google, not editable by everyone on OWW, etc. This page aims to discuss this policy.
There seem to be 2 major methods of implementation:
- Groups + access control (rumors MediaWiki may be working on this).
- Encryption. I have implemented an extension which does this. It's available here on the development site for anyone who wants to play around with it.
Discussion Questions:
- Is it in OWW's "open" or "wiki" nature to have pages that are private in any form?
- Sri Kosuri 17:15, 20 April 2006 (EDT): I think that this could be a useful excercize. I think one of the problems is that once people start using it, there is no turning back... we have to continue to support it.
- What's the "right" way to do encryption?
- Austin 16:38, 20 April 2006 (EDT): The current implementation allows users to put <encrypt> tags around any text they wish to encrypt. Keys are stored via users' preferences. Text is automatically encrypted/decrypted on views/edits if a proper key is found. File uploads (images) are not encrypted. This could be another issue.
- Sri Kosuri 17:15, 20 April 2006 (EDT):Can you store multiple keys?
- Austin 17:47, 20 April 2006 (EDT): Not right now, but definitely what I had been envisioning. Each user would have a list mapping page names to keys.
- Austin 16:38, 20 April 2006 (EDT): The current implementation allows users to put <encrypt> tags around any text they wish to encrypt. Keys are stored via users' preferences. Text is automatically encrypted/decrypted on views/edits if a proper key is found. File uploads (images) are not encrypted. This could be another issue.
- How would people likely use such features? Would the majority of their content be public or not?
- Austin 16:38, 20 April 2006 (EDT): My belief is that anything to get people on to OWW is good even if some of the content is private.
- Sri Kosuri 17:15, 20 April 2006 (EDT): I think if we use the encryption extension that Austin made, most of the content will remain open, if only it is much more cumbersome to close it. I am probably for this option.
- Encryption vs. Access control
- Encryption can provide greater comfort of security (even administrators may not be able to access page content)
- Encryption doesn't technically provide more than what users can do currently (i.e. in theory, anyone can put any encrypted text on a page, it's just not particularly easy).
- Encryption does not provide anything other than secrecy (i.e. cannot control someone else from messing up with your page, even if that someone else has no idea what they are messing with).
- --Johncumbers 22:16, 20 April 2006 (EDT) This looks good Austin. The main concern that people have at Brown, when I tell them about OWW is that somebody will edit their user page/protocol whilst they are not looking. So whilst I don't think that I'd use encryption like this that much at the moment(we have just set up a private wiki for the lab fly stocks/vectors/research) if the protect tab could be developed to prevent editing by other users then this would be most useful and also in the unlikely event would prevent encrypted pages being edited. I do see the point that once we go down this road there is no turning back however. It is a difficult situation.
- Devin 11:55, 21 April 2006 (EDT) I like the idea of <encrypt> tags a lot. Having entire pages as private content seems to defeat the purpose of OWW by making it more like a hosting service and less like a collaborative effort. Tags allow for some private content but, it would seem to me, are just inefficient enough to prevent wholesale hiding. One thing which might be useful for addressing John's point about protocols is a <noedit> tag that would only allow the creator to modify the protocol. Others could still view it and comment on it, but not mess it up.
- Austin 12:28, 21 April 2006 (EDT): I don't like the idea of a noedit tag as that really goes against the idea of a wiki. Perhaps if the tag was an advisory tag rather than a mandatory tag (perhaps an extra "are you sure you want to edit this page that someone said shouldn't be edited"). For the cases where people want to publish information publicly but would rather others not edit it, are they not satisfied (or don't know) that they can watch those pages and be notified by email on any changes? It's easy to revert unwanted changes.
- Devin 16:47, 21 April 2006 (EDT) Granted, it goes against the idea of a wiki, but the starting point of this discussion is that perfect wikiness is not totally satisfactory for OWW. There need to be some trade-offs made, and it is reasonable to think that there is some content that shouldn't be edited by everyone. I may want to make a protocol available, but not want to check the page history every time I refer to it. If a lot of people take interest in the protocol, I or someone else can promote it to the main protocols section with full access. Thinking about the encryption more, I am skeptical of the idea that it would be advisable for anyone to place private content on OWW, or that it would be advisable for OWW to make any claim as to the security of the info. What if valuable, sensitive info was leaked? The depositor would have given up control over the security of the information to OWW, but they would have no legal recourse. In my view, noedits are a more minimal solution and much less damaging to the collaborative spirit than encryption. In fact, I take back my initial enthusiasm for encryption and place it in the camp of noedits. (Assuming of course that they are technically feasible.)
- Sri Kosuri: Just to point out, you can always point to a particular version of a page/protocol, such as this one [1] if you are worried about people editing it in the future. That particular version is not changeable by anybody (including administrators). So if you have a set of protocols that you want to use, you can just links to the current history files of your particular pages. So there is a way to do this, it is just cumbersome. The question is do you want to make it easier with a noedit tag. My initial thoughts on this is that it is not worth the hassle right now. W.r.t security, I agree with Devin, that we cannot guarantee any level of security (as everything, from passwords to data) will be sent over the net in clear text. The encryption will protect against is indexing by places like google, and reasonable levels of security (I think to some extent, that's all that most people want). People should never put really private things on any kind of public website.
