The following page documents an officialglobal policy. This page has been developed and approved by the community and its compliance is mandatory for all projects. It must not be modified without priorcommunity approval.

For legal and security reasons, theWikimedia Foundation requirestwo-factor authentication for this role. This is also enforced by the software (users who don't have 2FA enabledwill not be able to use their permissions).

Oversight orsuppression refers to hiding revisions, edit summaries, usernames, or log entries from the public. This access is available to oversighters,stewards and users in thestaff global user group. Suppressed data can only be viewed and restored by users in these groups, with the exception ofOmbuds who may view suppressed data (but not restore it).

Oversight and suppression are often used interchangeably. Oversight is derived from the deprecated MediaWiki extensionOversight, which has been replaced by a MediaWiki core feature known asRevisionDelete.

Initially, a MediaWiki extension calledOversight was used for hiding data from the public (includingadministrators); only users with'oversight' right were able to view content which was oversighted. As it requireddatabase access to undo actions, a new system known as RevisionDelete was introduced as part of MediaWiki core in version 1.16 to replace Oversight.

RevisionDelete allowed suppressed edits and log entries to be restored without querying the database directly. In addition, it clearly identified in the page history what edits had been suppressed. In 2015, afterconverting the old oversighted actions to suppressed actions, the Oversight extension wasremoved from all Wikimedia wikis.

With MediaWiki's RevisionDelete feature, revision texts, edit summaries, and editor's username/IP address can be suppressed from page histories. On log entries, it is possible to suppress the target and parameters, edit summary, and the performer's username. Additionally, with'hideuser' right, oversighters are able to suppress a username from all page edits and log entries when blocking a user.

Suppressions are logged privately and this log is only visible to the users in the aforementioned groups throughSpecial:Log/suppress.

On Wikimedia wikis, users in oversight group have the following rights by default. Some wikis may have different configuration.

• 'deleterevision' — Delete and undelete specific revisions of pages
• 'deletelogentry' — Delete and undelete specific log entries
• 'hideuser' — Block or unblock a username, hiding or unhiding it from the public
• 'suppressrevision' — View, hide and unhide specific revisions of pages from any user
• 'suppressionlog' — View private logs
• 'abusefilter-hide-log' — Hide entries in the abuse log
• 'abusefilter-hidden-log' — View hidden abuse log entries

There is a private IRC channel (#wikimedia-privacy^connect) to which all oversighters and stewards who useIRC should have access. Contact a steward if you need help gaining access.

This feature is approved for use in four cases:

1. Removal of non-public personal information such as phone numbers, home addresses, workplaces or identities of pseudonymous or anonymous individuals who have not made their identity public, or of public individuals who have not made that personal information public.
2. Removal of potentially libelous information either:
   • on the advice ofWikimedia Foundation counsel or
   • when the case is clear, and there is no editorial reason to keep the revision.
3. Removal of copyright violations on the advice of Wikimedia Foundation counsel.
4. Hiding of blatant attack names on automated lists and logs, where this does not disrupt edit histories. A blatant attack is one obviously intended to denigrate, threaten, libel, insult, or harass someone.

Local oversighters should generally handle local oversighting, when they're available. Stewards may perform local oversighting in emergencies, during cross-wiki issues, or if there are no local oversighters available (seecontact details).

Oversight access is granted bystewards. This section just describes steward practice and theaccess to nonpublic personal data policy.

Oversighters must be both 18 years of age and oflegal age in their jurisdiction, and willing tosign the Wikimedia Foundation'sconfidentiality agreement for nonpublic information. They must also be familiar with theprivacy policy.

Stewards can see oversighted revisions on all wikis and can grant themselves active oversight rights in emergency cases or on wikis without local oversighters when there’s a valid request. On any wiki, there must be at least two local oversighters, or none at all. This is so that they can mutually control and confirm their actions. If only one oversighter is left on a wiki (usually when the other retires or is removed), the community must appoint a new oversighter immediately or remove the remaining oversighter.

On wikis without anArbitration Committee, the community must approve oversighters by consensus. The candidates must request it within the local community and advertise this request to the local community properly (community discussion page, mailing list, etc). After gaining consensus (at least 70–80% in pro/con voting or the highest number of votes in multiple choice elections) in their local community, and with at least 25–30 members' approval, the user should request access onSteward requests/Permissions with a link to the community's decision.

On wikis with an Arbitration Committee elected with 25–30 members' approval, users may also be appointed by the Arbitration Committee, unless the local community prefers independent elections. After agreement, a member of the local Arbitration Committee should place a request onSteward requests/Permissions.

Local administrators may also delete the specific revision or log entries containing the oversightable data, but it will continue to be visible to administrators until it is suppressed.

Oversight access is revoked by stewards, using rules adopted from theCheckUser policy. This section just describes steward practice.

Any user account with Oversight access that is inactive for more than a year will have their Oversight access removed.

In case of abusive use of the tool, the steward or the oversighter will have their access removed immediately. This will in particular happen if actions are done routinely without a serious motive to do so (links and proofs of bad behavior should be provided).

Suspicion of abuses of oversight should be discussed by each local wiki. On wikis with an approved Arbitration Committee, the committee can decide on the removal of access. On wikis without an approved Arbitration Committee, the community can vote for removal of access. Removal can only be done by stewards. A steward may not decide to remove access on their own, but can help provide information necessary to prove the abuse (such as logs). If necessary, and in particular in case of lack of respect towards the privacy policy, theBoard of Wikimedia Foundation can be asked to declare removal of access as well.

This is not the place to request suppression. If you would like to request for hiding data, please note that private details should not be posted in public. Seethis page for details about how to contact an oversighter. For urgent cross wiki requests, find a steward in the#wikimedia-stewardsconnectIRC channel and contact a steward privately.

• Comparison of local oversight policies
• About RevisionDelete on MediaWiki.org
• Technical documentation
• Oversighter's Handbook on Commons
• Project:Oversight page across Wikimedia wikis

• Global policies
• User groups that require two-factor authentication
• User groups
• Oversight