Talk:Privacy policy

From Rodovid Engine

--Security Ideas-- (picked up from conversation on the Wikimedia Meta project)

privacy checkmark

I would like to see an option to click my record and have it rendered private based upon my birth date. A stored procedure could search the database and process the records marked private. There are two thoughts about how to handle the records thus marked.

  1. Page displays with name only or the signature of the submitter
  2. Page does not display at all but only a marker that says "private or living".

This rule for handling the private tag could be that the tag is removed once the person's 80 birthday has passed, or a death date is entered on the person's record. I see no reason to keep persons who are desceased from being listed in a free genealogy wiki forum.

Otherwise I agree with the developers. If you dont want it listed dont enter the record. Almoustine 16:59, 17 February 2008 (EET)


  • I prefer display nothing but only a marker that says "private or living" with the signature of the submitter --Baya 00:18, 19 February 2008 (EET)

Gedcom Uploads

As I understand you are ready add to subj your gedcom but with some additional conditions or without private info that contains your gedcom? Please, describe it more precisely. For example, I can tune gedcom import script and user will can select fields that can be imported and deselect other. Can you look at project and give some comments?
sorry for my poor english, sincerely, --Baya 12:32, 23 February 2006 (UTC)

My #1 concern about adding content here is that I need to respect the privacy of living individuals that are currently in my own genealogical database. I can filter that out and perform extractions for people who are dead or have been born more than 110 years ago (the usual cut-off time to assume death of somebody without documentation of that event). I would recommend that you make this a policy here as well, at least for publication of the information, or to include some explicit checkbox that would show permission has been granted. This should by default through GEDCOM importation be set to not grant this permission.

I hope this makes sense. My wife, particularly, does not want information about her published in a public forum anywhere on the internet. She got mad at me when I put up a picture of myself on a web page and it included her hand on my shoulder. I respect that and it does affect what I do on-line.

You have as nice project here, and I do plan on adding some content in the near future. --Robert Horning 19:25, 23 February 2006 (EET)

  • Its really silly to be concerned about people getting your info because it already easily accessible to those that want to steal it. Is your number unlisted? If not just type it into gooble and you get a map to your house. 220.99.201.52 04:58, 22 March 2006 (EET)

Thank you very match for your harmfull words :) To deal: This privacy problem can be resolved by two ways:

  1. Private information can be accessed only by owner/contributor (with current database schema I can change only type of one field and couple sqls for this). But this case kill wiki idea - information must be open and free. So, imho, second way is more preferable.
  2. Do not submit unwanted/private data to open project. For this variant I redesign a Gedcom import script. Now user can select age of people or time from death. Or must check necessary box to submit to Rodovid data about "young" people. --Baya 22:18, 24 February 2006 (UTC)

My Policy Idea

Obviously we need to protect the privacy of living people, because they might not have any say in whether they get uploaded to this database or not . Therefore I think it is necessary to have some sort of blanket policy. However, as you say, hiding living people to everyone except the contributor would be wholly un-wiki.

My suggestion is that we restrict data on lving people to just names by default. So, in GEDCOM import all data (brith, place etc.) about living people would be removed and just names imported. The user would have no option on this. However, if they want to, they can be more stringent than the policy states and use a checkbox to not import any living people at all.

I feel that a names only policy would be a good comprimise as people's privacy does need to be protected, but having no data at all would stop people from being able to see their own, and their living relatives trees. Having names also allows people to find potential 'long-lost' relatives. The names would be enough for them to be fairly sure that they were related. If they wanted more data, they could contact the person who contributed those people.

The only possible issue with a names only policy is that of mothers maiden name. However, as an anon says above, personal data is fairly readily availible and I doubt that Rodovid will make much difference to identity fraud. In addition, as the database grows, there will be many people with the same name and without other data to find the one that you want, the information will be almost useless to identity fraudsters. They would have something like 100 or 1000 maiden names to choose from!

I would like to know what other people think of my suggestion. Please discuss, all comments are welcome.--Bjwebb 12:05, 19 April 2006 (EEST)

if by defult a living person's box merely said "currently living" or the like, with no more info, not even name, we could avoid more trouble. as long as there was an option to show more information for currently living people, this would be safest. aslo, the server would still know the names of people, as a result family connections would still be made, or at the very least it could concivably be set up this way. i have some other idea on my talk page. ----Mayhew18[1] 4:25, 29 May 2006 (EST)

I don't think there should be any restriction on the information about living people. There is simply no danger. I can't see how somebody can use some names and dates in any "bad" purposes. There are lots of places where there is more information about a person than on Rodovid. For instance the telephone book. There you can find not only people's names, but also their address and telephone number. And the government has so much information on all citizens. In Finland, in hospitals, at the police, etc., they ask me my security number and they can immediately see my name, address, phone number, all dates when I entered or left Finland, what visas I had, and so on. And talk about privacy!

Another point would be Wikipedia. There you can find lots of information about living people. Not only their birthday and birth place, but also quite many details on their lives, and also some things about relatives. You can say that it's because they are celebrities, but in any case, if there was such a big danger in displaying this information, those articles wouldn't exist.

Showing limited information on living people will not help the project at all. Imagine somebody wanted to find distant relatives. If only the name was shown, they couldn't be sure it is the person they're looking for, since many names are quite common and lots of people have the same name. To give a concrete example - I began searching for relatives with whom I hadn't talked for a long time on hi5. I searched by name, and I often had several results. The birthday always helped me to identify the person I was looking for. And yes, on hi5 most people give their birthday and their age, and most have lots of pictures of themselves (it's true that the name is not displayed, but if you search for a name, you find the people that have it).

So what I think is that there is no danger in putting here information about oneself or other persons, and if somebody doesn't want to appear here, they can just not put the information. -- Dumiac 22:08, 3 June 2006 (EEST)

Mothers' maiden name is useful information for identity theft via social engineering. Its usefulness in finding long-lost relatives doesn't change that fact. Davidlamb 01:58, 28 September 2006 (EEST)

I think that in order to help those out there looking for those they may be related to - it is important to allow living people to be put into this database. I also don't think you want to FORCE a policy on someone (as in, they are not allowed to put their exact birth information). According to a relative of mine that is familiar with standards now, I guess the general thought is to put either approximate birthdates for living people or to simply have a tag that says "private" - this is hopefully somewhat of a deterrent from identity theft. While I know, as others have stated, that if you look long enough, you can any information online, I think identity thefts are crimes of opportunity, so if they can't get someone's information easily, they will probably go after someone else. --Hipsterdoofus 20:10, 5 January 2007 (EET)

Alex Eagar's Suggestion

I would like to see Rodovid become as popular, if not more popular than Wikipedia. This is not going to happen without a good privacy policy because there will be controversies and lawsuits down the road that will shut Rodovid down. My suggestion is to implement real security so that people can confidently add personal information about living people which will only be seen and edited by users who have been authorized by the creator of the information. This will make Rodovid a wiki for our ancestors and a personal history recorder for ourselves. Rodovid should not be a wiki for living people because there is an authority. There is nothing to discuss because that person is alive and can tell you first hand how things happened. But there is still a need to record information because we don't want it to be lost when they die. When a living record is created it should by default only be visible by the creator. That user can then authorize specific other users to view or edit the record. By doing this, a person will be able to easily create and view his whole family tree, but when he logs out, all those living people disappear. Very few living records will be duplicates because real relatives have real relationships which allow them to authorize each other to see their living relatives. It will also increase Rodovid's user base because if I want my mother to see her own tree which I entered, she needs to create a user name and password.

I'm sure that there are many ways to implement and administer this kind of security. Here is how I recommend administering it. Each living record would have one administrator. The administrator can view and edit a page and can authorize or remove authorization to view that record. The administrator can also transfer administration rights to another user, but the original administrator would then loose administration rights to that record. There would also be users who can only view a record and users who can both see and edit a record. There would of course need to be a way to grant rights for whole branches as well as specific individuals.

Here's an example of how it would work. I discover Rodovid, so I create an account and start entering my genealogy. After I have a good sized tree that includes my ancestors and my living relatives, I decide that I want to share my tree with other family members so that they can contribute to it. First I show it to my brother and explain what Rodovid is and how it works. He is impressed, so he creates an account. I don't want him to have to re-enter all the information about our living relatives, so I grant him edit rights to all our living relatives except myself and my kids. I also transfer him administrative rights for the records of him and his kids. My fourth cousin, whom I have never met, then discovers Rodovid while searching for a common relative on the Internet. He creates an account and starts entering more relatives and also adds his own personal information as well information about living relatives. He then posts a message on my discuss page to thank me for entering information about our relatives. Most of my family don't know him, so I don't feel comfortable sharing my whole living tree with him. But I do give him rights to view me and my kids and he gives me rights to view him and his kids. In the mean time my brother has removed my rights to edit him and his children, but I can still view them. The next person to find out about Rodovid is my is my father who abused and abandoned my mother while she was pregnant. He doesn't dare ask to see my personal records, but he knows when I was born and the names of my kids, so he creates his own records of me and my kids. He then shares his living tree with his brother. And thus it continues with everyone entering all their information but with only trusted individuals seeing sensitive information. --Alexeagar 14:12, 13 May 2007 (EEST)

  • You describe my ideas :) But some notes. As you understand over some time We will need additional support to maintain the Rodovid. So my addition is: private records that you describe will be available only under chargeable account. It is just an idea, not a real way! What do you think about it? Maybe do you have other ideas about Rodovid maintanence? --Baya 18:09, 14 May 2007 (EEST)
    • I think that the most feasible way to be continue to maintain Rodovid is for the project to be adopted by the Wikimedia Foundation. Each localized front page should state that Rodovid's primary goals are to create the world's best genealogical wiki and become an official WikiMedia project. It should offer suggestions on how to contribute to Rodvid. A few suggestions could be for users to add ancestors to Rodovid, tell family and friends about Rodovid, sign the Wikimedia Rodovid project proposal, read about Wikimedia's new project policy, donate monetarily, report bugs and help develop Rodovid. I think that the biggest obstacle in becoming an official Wikimedia project is our lack of privacy. I think that each localized front page should also explain that our users' privacy is very important to us. It should then explain that we are currently planning how to implement privacy for living people and ask for users to joint the conversation. It should also warn that because there are no privacy policies implemented yet we suggest that people not add information about other living individuals and cautiously add information about themselves. --Alexeagar 08:53, 15 May 2007 (EEST)
  • The First Step Toward a Solution I like my idea above but I know it will take a long time to implement. For starters could you just implement a private attribute to each record? If checked then only the creator can see the record and only the creator can check or uncheck it. I would not expect this to be a final solution, but I think that it is a solution that everyone can agree to and which would be fairly easy to implement. I think that it is offensive to post information about living individuals. Yet if I could mark records as private, I would add more records to Rodovid. You could also make it so that if a private record is recorded to have been born more than 120 years ago, it becomes public. That way you get everyone to enter their private information, but in years to come the information is not lost, but is opened to the public. --Alexeagar 23:28, 21 June 2007 (EEST)
My idea: there will be some privacy levels. Important note: Names will never be private.
  1. noindex record marked with noindex tag to avoid search engine index them (these pesons will be shown in trees and lists only with names) (nearest future)
  2. private record from your proposition but these persons also will be shown in trees and lists only with names. Page about private and Family of private person will present only names to not record creator and can be edited only by creator. (more complicated due to require recoding of mediawiki cache mechanizm)
  3. group privacy. (....)
--Baya 10:14, 22 June 2007 (EEST)

Privacy

I must say I am very confused about this discussion.It is assumed that this is eventually going to be a Wikimedia project, correct? And the Wikimedia vision is: "Imagine a world in which every single human being can freely share in the sum of all knowledge. That's our commitment.". So, all that needs to be done is figure out the minimum necessary amount of privacy by law, meaning how much can Rodovid legally display without getting sued. Is it illegal for someone to post on the internet the names and birth dates of his kids? Can someone post how he's related to his 4th cousin without getting sued for privacy violation? It seems all this requires is a little research. As it is, the progress of this project is basically completely halted until this issue is resolved, because no one knows if they can put anything on. --Yair rand 00:30, 9 December 2009 (EET)

From Talk:Living people

There must be a possibility to add living people and to hide all their informations, so the account user can see a complete tree, but not other people. It help the user to have a whole tree online for his personal use, and other users will only see not living people. (It is possible in Geneanet with names shown as xx xx). (unknown author)

Hiding Living People?

This is a corollary: It seems to me that many genealogists (in the US, since that's where most of my knowledge is based on) prefer to hide information about living people. As they may extend this to their own entry, it could be a stumbling block to Rodovid. Would it be reasonable to allow for a check to 'hide' family members by showing only (Living) or some variation thereof for first name and no other data, and locking edits to the creator until the person is non-hidden? --Pipian 03:28, 19 April 2006 (EEST)

Selected deletion

The need of privacy leads to the option of completely erasing (on demand) the record of a person, from the level of the database, and it raises several questions :

  • Would that procedure be implemented for all pages or just for persons, families, images ?
  • Would that new behaviour mean that pages deleted in the past would be completely erased, with no possibiliity of restoration ? (In a number of cases, originals have been deleted and duplicates kept.)
  • For future deletions, would there be two modes of deletion : the usual one and the complete one ?
  • What options would be available if a rogue sysop starts deleting valid records for weeks without being detected ? (Could a special storage of completely deleted pages be created in the database for safety, like the recycle bin of computers ?)

Until now, visitors could ask on the site or by mail the deletion of pages created about them and their relatives (deletions were done assuming good faith on both sides).

  • In the future, would visitors have the right to request the deletion of records beyond their immediate family, that is cousins or distant relatives of the same generation ?
  • Would they have the right to request the deletion of records about their great-grandparents, even if these people are deceased ?
  • Would it be required from these visitors to prove their identity to obtain the deletion ?

Recently, a used deleted several thousands of his own records.

  • In such a case, should other users contact him / her to try to limit the deletion to living people only ?

Dn Gov (d) 10:00, 22 April 2026 (UTC)

  • we should keep possibility to delete records about living people in any way - so it should be.
  • all other stuff can be discussed.

--Ярослав aka Baya 16:08, 22 April 2026 (UTC)

About the records which were deleted in Rodovid_Fr before the upgrade, are they now nonrestorable ? -- Dn Gov (d) 20:00, 23 April 2026 (UTC)

It was just a theorical question.

I don't have precise cases in mind for Rodovid_Fr, but user Almoustine often created a mess (above all in Rodovid_En), while in many occasions ordinary users also turned valid records into isolated pages by mistake leading to an erroneous deletion.

See for example the discussion i had with Agnès Rimsky-Korsakoff last June about the Bagration dynasty, where records had been terribly confused : https://fr.rodovid.org/wk/Discussion_utilisateur:Rimsky-korsakoff#Achot (That's why i asked you the restoration of a pair of records for that family.) -- Dn Gov (d) 20:40, 23 April 2026 (UTC)

Let's try to imagine how we can resolve such issues?

you see, from my point of view any strict rule does not work. that's why i prefer do not delete the stuff at all.

deletion is the final action that can be used in case of violation of somebody rights.

in this current case. I think it is simple to create a new record instead of doing archelogical investigations who, when and why deleted it.

It's better to spend time to create a good referenced record.

if it is a recent deletion - it can be quickly restored - if it was done years ago - forget it - nobody needs it now.

So, as result, I think that finally it will be something like - all deleted stuff will be deleted permenantly but with some delay depends on comment of deletion. So if comment is something like "sanation" (the mark of direct person's request of deleting record about living person) - it will be deleted in couple days. All other can be deleted over a month for example.

to keep hundreds of thousands deleted stuff does not make sense at all.

PS. as I see there is no personal things in our discussion, what do you think about addig it to the https://engine.rodovid.org/wk/Talk:Privacy_policy ?

--Ярослав aka Baya 08:18, 24 April 2026 (UTC)

I think both points of view are valid.

Some years ago, i had a glimpse of a genealogy created perhaps in Russian about an Egyptian dynasty, and it seemed more complete than the earlier trees existing in the English version. In that case, it is probably better to keep the second genealogy if it has been done more carefully.

In most cases, Rodovid users implemented a non-written collaborative rule : the first records became the core of the trees and new records were added as developments. "Infringrements" of that principle are not numerous, except in the English version. It is a bit like on Wikipedia, where it is usually not allowed to empty a earlier page by moving its content into a later page (the rule is to keep the links between the contributions and their authors). It prevented disputes about "who created the best records".

Here in a number of situations, a tree that was carefully created became broken in one or several points.

For example, i noticed with id numbers that (if i follow edits correctly) user Алёхан in 2012 in the Russian localisation changed the father <https://ru.rodovid.org/wk?title=%D0%97%D0%B0%D0%BF%D0%B8%D1%81%D1%8C:561&diff=651746&oldid=426308> of prince Sviatoslav of Kyiv. After that, the Russian page for prince Igor was deleted in November 2012, and his global record was completely disconnected <https://en.rodovid.org/wk?title=Person:560&diff=next&oldid=320750> from his father Rurik by Almoustine in July 2015. Finally it was considered a duplicate. So in April 2021, i modified the Ukrainian pages of Rurik, Igor and Sviatoslav to restore the original chain of records.

In cases like that, it is difficult for me to resist the temptation of putting things back in the earlier order, like a puzzle that has to be solved.

For other situations, i agree that it is not worth to keep deleted pages from aborted trees (users who created only three of four records) or for accidental duplicates by beginners.

Is it possible to delay by about one month the general cleaning of the database, in order to do some verifications about deleted pages?

(It is ok to add the discussion to the Rodovid talk page.)

--Dn Gov (d) 10:00, 25 April 2026 (UTC)

these collisions could not be resolved by rules. IT is just a common consensus - in some cases it can be hard to achieve it - but it is only one way ...

yes, of course. I' absolutely agree. There should be a delay before the final clean up. It can be weeks or even months. But for sanation I think it should be cleaned up immediately. Just to avoid crooked talks. --Ярослав aka Baya 17:46, 27 April 2026 (UTC)

I did the same : everytime i received a request for the erasure of living people (and sometimes even older relatives) i deleted the records within one or two days. And it is even better if everything disappears from the database. So we will have maybe four situations :
* requests about living people : санація / sanation meaning almost immediate deletion (done also in the database)
* future deletions of ordinary records : erasure in the database after a few weeks or months
* already deleted records : erasure in the database in a few weeks or months from now
* deleted records of Rodovid_FR : erasure already done in the database
Dn Gov (d) 22:00, 27 April 2026 (UTC)

yes. I think in the same way. --Ярослав aka Baya 18:08, 28 April 2026 (UTC)

Retrieved from "https://engine.rodovid.org/wk?title=Talk:Privacy_policy&oldid=39445"