OpenWetWare:Software/Private Pages

There have been requests and questions about having content on OWW that is not public, not indexed by Google, not editable by everyone on OWW, etc. This page aims to discuss this policy.

There seem to be 2 major methods of implementation:

1. Groups + access control (rumors MediaWiki may be working on this).
2. Encryption. I have implemented an extension which does this. It's available here on the development site for anyone who wants to play around with it.

Discussion Questions:

1. Is it in OWW's "open" or "wiki" nature to have pages that are private in any form?
   • Sri Kosuri 17:15, 20 April 2006 (EDT): I think that this could be a useful excercize. I think one of the problems is that once people start using it, there is no turning back... we have to continue to support it.
   • yeem 20:31, 21 April 2006 (EDT): I believe that there should be a free flow of information, and that encrypted pages are a barrier to said exchange. If a lab requires a private page, perhaps it should be taken to an external site that requires certificates or another access method. As far as I can tell, there is no harm in being indexed by Google, and I don't know of a whole lot of ways to circumvent it. The page would have to be deleted and kept deleted until Google's next cache purge. Non-editable pages should only be reserved for pages that are critical to the continued functionality of the wiki, such as things in the "Special:" namespace.
   • Austin 21:50, 21 April 2006 (EDT): We also need to be practical. Free flow of information is good but isn't always practical. I wrote this extension because we needed it. We were interviewing people and required a mechanism for communicating our notes between us and email is very cumbersome relative to the wiki. As you say, there's always private wikis (which we did end up using), but it would have been much more convenient for us to do it on OWW as related non-private stuff was on OWW. A different practical case could be the idea of publishing work. People may want to collaborate on the wiki using an encrypted form and after publication or after some time, to "declassify" it by removing the encrypt tags. The benefit of this method of encryption is that it is really easy to go from private to public (and basically impossible to classify something that's already public). By forcing people to use other wikis, you lose the time that people would spend on OWW (which could be used for sharing stuff), and the possibility of easily "declassifying" portions and making it public. The main potential drawback of enabling an encryption extension is if people encrypt something they wouldn't have encrypted otherwise. However, it is still OpenWetWare, and people who are on here, by and large, want to contribute. It's only those cases (like ours) where we cannot make something public. Given that we are the ones running OWW, it seems to make sense to me to run it in any way that's useful for us. As a side comment, I'd like to point out that unlike the noedit idea, enabling encryption could in some sense increase collaboration. It's really shared wiki encryption where everyone with the key can edit the page. So it's still a wiki just with a controlled group of people. People who would not have used the wiki otherwise may collaborate/edit if it's encrypted. It doesn't hurt anyone else on the wiki unless information which would have otherwise been public is encrypted (which as I said, I think is unlikely).
2. What's the "right" way to do encryption?
   • Austin 16:38, 20 April 2006 (EDT): The current implementation allows users to put <encrypt> tags around any text they wish to encrypt. Keys are stored via users' preferences. Text is automatically encrypted/decrypted on views/edits if a proper key is found. File uploads (images) are not encrypted. This could be another issue.
     • Sri Kosuri 17:15, 20 April 2006 (EDT):Can you store multiple keys?
     • Austin 17:47, 20 April 2006 (EDT): Not right now, but definitely what I had been envisioning. Each user would have a list mapping page names to keys.
3. How would people likely use such features? Would the majority of their content be public or not?
   • Austin 16:38, 20 April 2006 (EDT): My belief is that anything to get people on to OWW is good even if some of the content is private.
   • Sri Kosuri 17:15, 20 April 2006 (EDT): I think if we use the encryption extension that Austin made, most of the content will remain open, if only it is much more cumbersome to close it. I am probably for this option.
4. Encryption vs. Access control
   • Encryption can provide greater comfort of security (even administrators may not be able to access page content)
   • Encryption doesn't technically provide more than what users can do currently (i.e. in theory, anyone can put any encrypted text on a page, it's just not particularly easy).
   • Encryption does not provide anything other than secrecy (i.e. cannot control someone else from messing up with your page, even if that someone else has no idea what they are messing with).
     • Johncumbers 22:16, 20 April 2006 (EDT) This looks good Austin. The main concern that people have at Brown, when I tell them about OWW is that somebody will edit their user page/protocol whilst they are not looking. So whilst I don't think that I'd use encryption like this that much at the moment(we have just set up a private wiki for the lab fly stocks/vectors/research) if the protect tab could be developed to prevent editing by other users then this would be most useful and also in the unlikely event would prevent encrypted pages being edited. I do see the point that once we go down this road there is no turning back however. It is a difficult situation.
     • Devin 11:55, 21 April 2006 (EDT) I like the idea of <encrypt> tags a lot. Having entire pages as private content seems to defeat the purpose of OWW by making it more like a hosting service and less like a collaborative effort. Tags allow for some private content but, it would seem to me, are just inefficient enough to prevent wholesale hiding. One thing which might be useful for addressing John's point about protocols is a <noedit> tag that would only allow the creator to modify the protocol. Others could still view it and comment on it, but not mess it up.
     • Austin 12:28, 21 April 2006 (EDT): I don't like the idea of a noedit tag as that really goes against the idea of a wiki. Perhaps if the tag was an advisory tag rather than a mandatory tag (perhaps an extra "are you sure you want to edit this page that someone said shouldn't be edited"). For the cases where people want to publish information publicly but would rather others not edit it, are they not satisfied (or don't know) that they can watch those pages and be notified by email on any changes? It's easy to revert unwanted changes.
     • Devin 16:47, 21 April 2006 (EDT) Granted, it goes against the idea of a wiki, but the starting point of this discussion is that perfect wikiness is not totally satisfactory for OWW. There need to be some trade-offs made, and it is reasonable to think that there is some content that shouldn't be edited by everyone. I may want to make a protocol available, but not want to check the page history every time I refer to it. If a lot of people take interest in the protocol, I or someone else can promote it to the main protocols section with full access. Thinking about the encryption more, I am skeptical of the idea that it would be advisable for anyone to place private content on OWW, or that it would be advisable for OWW to make any claim as to the security of the info. What if valuable, sensitive info was leaked? The depositor would have given up control over the security of the information to OWW, but they would have no legal recourse. In my view, noedits are a more minimal solution and much less damaging to the collaborative spirit than encryption. In fact, I take back my initial enthusiasm for encryption and place it in the camp of noedits. (Assuming of course that they are technically feasible.)
     • Sri Kosuri: Just to point out, you can always point to a particular version of a page/protocol, such as this one [1] if you are worried about people editing it in the future. That particular version is not changeable by anybody (including administrators). So if you have a set of protocols that you want to use, you can just links to the current history files of your particular pages. So there is a way to do this, it is just cumbersome. The question is do you want to make it easier with a noedit tag. My initial thoughts on this is that it is not worth the hassle right now. W.r.t security, I agree with Devin, that we cannot guarantee any level of security (as everything, from passwords to data will be sent over the net in clear text). The encryption will protect against indexing by sites like google, and reasonable levels of security (I think to some extent, that's all that many people want). People should never put really private things on any kind of public website.
     • RS 14:01, 22 April 2006 (EDT): It's funny that Devin changed his mind because I actually agree (mostly) with what Devin has said in his original comment. OWW is a collaborative effort rather than a hosting service. Frankly, I am still unsure whether we should enable any sort of encryption or access control on OpenWetWare since the purpose of OWW is to be open. But given a choice between encryption and access control, I prefer encryption for a few reasons. (1) As Devin and Sri have said, encryption tags are hopefully just inconvenient enough that people won't use them by default. (2) Enabling pages that are world-readable but user-writable turns OWW into a webpage hosting service. Ideally, I would like to see encryption tags only used by users who have contributed a lot of open content to the site and just need to hide a bit of stuff relevant to a project. I agree with Austin that advisory no edit tags are preferable to enforced no edit tags. I am not convinced that adding access controls will get us that many more users and even if it does, I am not sure how much value would get added to the information base of OWW.