Grants talk:IdeaLab/Partnership between Wikimedia community and Tor community

From Meta, a Wikimedia project coordination wiki
Jump to: navigation, search

Past conversations[edit]

For persons not accustomed to using Wikipedia, please notice that every article and page has an associated "talk" page for discussion. If you visit any page that is interesting, check the talk page to review comments about it.

I regret to say that all these discussions are messy and improperly documented or archived.

Blue Rasberry (talk) 11:57, 7 February 2014 (UTC)

Making Wikipedia writable for Tor users?[edit]

One of the goals of this project, making Wikipedia can be writable for Tor users, is controversial among the English Wikipedia community. See Wikipedia:Advice to users using Tor. For the Wikimedia (Wikimedia, not Wikipedia) policy, see No open proxies.

I would like to open a conversation about this. Is there a way that we can accommodate anonymous Tor users without encountering the abuse and vandalism that resulted in our present policy? Please note that this is not a referendum on whether we should simply enable write access without changing anything else. Realistically, that is not going to happen. This conversation is about trying to figure out a way to get the benefits of allowing Tor users to edit Wikipedia while avoiding the problems associated with doing that. Comments and Ideas Welcome. --Guy Macon (talk) 17:59, 7 February 2014 (UTC)

Do Global IP block exemptions and local IPBE bypass this restriction? PiRSquared17 (talk) 20:25, 7 February 2014 (UTC)

Proposal: Create a Wikipedia-only read-only Tor exit node[edit]

I propose that we Create a Wikipedia-only read-only Tor exit node with the following attributes:

Wikipedia-only: The proposed Tor exit node would only be able to communicate with Wikipedia (all languages), Wikimedia, Wiktionary, etc. We should not rely upon the exit node to enforce this, but rather make it so that the exit node cannot reach any IP addresses that are not controlled by the Wikimedia Foundation. For convenience, all of the Wikimedia projects that we decide to allow will be simply called "Wikipedia" for the rest of this proposal.

Read-only: The proposed Tor exit node would not have the ability to edit any of the pages that it has read access to. Again, We should not rely upon the exit node to enforce this, but rather use the standard Wikipedia blocking ability. While it may be desirable to allow write-access if the abuse problems are solved, this is outside of the scope of this proposal.

Physically located in the same room as the Wikipedia servers: In theory, the Onion network can be vulnerable to an adversary who monitors a user’s traffic as it enters and leaves the Tor network. Correlating that traffic may link the sender and receiver.[1] By denying an attacker access to the exit traffic at the ISP level, we force any attacker to get a court order forcing Wikipedia to reveal the exit traffic, thus allowing our legal team to be aware of the surveillance and to appeal it. See TOR FAQ: Can Exit Nodes Eavesdrop?. We should not depend on HTTPS to hide the exit traffic. See How does the NSA break SSL? and How the NSA, and your boss, can intercept and break SSL.

Rate limits and QoS: Rate limiting will allow us to set the amount of bandwidth that the Tor exit node uses to as small or as large as we wish, and QoS will allow us to, if we wish, prioritize Tor traffic below regular Wikipedia traffic. One researcher discovered that Tor exit nodes that use the BandwidthRate configuration option to set a limit slightly below their actual capacity were much more reliable than those that did not. If needed, Tor also allows us to set a separate limit for relayed traffic using the RelayBandwidthRate configuration option.[2] This may mitigate certain clogging attacks. See section 4.3 of On the Risks of Serving Whenever you Surf.

Reduced TCP port Exit Policy: The proposed Tor exit node would use the ExitPolicy accept option to only allow traffic on TCP ports that are needed to access Wikipedia. Traffic to all other ports should be silently dropped. Wikipedia appears to use:
TCP Port 80 (HTTP)
TCP Port 179 (Border Gateway Protocol)
TCP Port 443 (HTTPS)
TCP Port 8649 (Ganglia) [3]

Disable Javascript and other executable files: (Note: this is desirable but requires discussion about technical feasibility and possible collateral damage.) For security reasons, it would be desirable to not allow any Wikipedia editor to be able to place executable files (Javascript, .exe files, etc.) on Wikipedia that run on a Tor users machine. See JavaScript anonymity attack on Freedom Hosting users.

Strengthen HTTPS/SSL: (Note: this is desirable but requires discussion about technical feasibility and possible collateral damage.) As far as is feasible, we should address the issues identified at sslcheck.globalsign.com.

Coordinated with the Tor community and with the Wikimedia engineers: This proposal should not just be evaluated by the Wikipedia or Wikimedia community. Although that sort of input is desirable, it should also be examined closely by technical experts from the Tor project and by the WMF engineers.

Comments/corrections welcome. --Guy Macon (talk) 23:15, 7 February 2014 (UTC)

This is similar to a suggestion that was made on Jimbo Wales' talk page. The comment there by Yawnbox, dated 19:09, 24 January 2014, explains why such an exit node would be unwelcome on the Tor network:

Tor routing is based on ports, like port 80 (HTTP) and 443 (HTTPS). Tor Exit Routers have to explicitly allow specific ports to allow the passage of traffic over said port, which is done in a configuration policy on the Tor Exit Router (the TORRC file), which tells the rest of the Tor network which traffic you're willing to accept. If you accept only port 443 for example (presuming that only HTTPS traffic should pass), and then on Wikipedia's side block all other https-web traffic that is not a Wikimedia domain, you will literally censor the rest of the internet for any Tor client presuming that port 443 traffic will resolve through that Tor Exit Router. Nothing in the current Tor protocol would allow the Tor network to say-- "only this Tor Exit Router can pass traffic to these specific domains". This would not greatly affect the Tor network, as it would take a little bit of time for said Tor Exit Router to gain consensus, but more importantly, the Tor protocol would recognize said blocking and mark said router as a 'bad router', and it wouldn't pass any Tor Exit traffic at all.

However, the desired effect of this proposal could be achieved by setting up a hidden service (how it works, setup instructions). Although a hidden service is normally used to conceal the location of a server, it also affords greater anonymity for those visiting the site, since the communication travels on the Tor network from end to end. Rybec (talk) 15:41, 10 February 2014 (UTC)

Social barriers to implementation[edit]

As I understand, the major barrier to implementing this is social. The thought is that if Wikipedia is writable by Tor users then Tor users could be empowered to vandalize Wikipedia in new ways. This is because one of the tools to fight vandalism on Wikipedia is to block IP addresses, but it will never be able to block any Tor user by IP address because all users will share a limited number of the addresses.

This is a serious concern but I think that it can be managed. There is a lot of vandalism from IP addresses but the current policing tools manage it mostly well. Also, if Tor use somehow becomes out of control, one safeguard is that we could set up a changes patrol for Tor users so that anyone editing with Tor would have their Tor use disclosed on Wikipedia and their contributions would go into a special feed for review. I am not sure what is right, but this should be considered.

Are their other social barriers? Blue Rasberry (talk) 12:20, 10 February 2014 (UTC)

Given how rampant surveillance is these days, especially because Wikipedia is targeted by XKeyscore, it is crucial to allow Tor user to edit Wikipedia anonymously. Alonso McLaren (talk) 17:26, 21 February 2014 (UTC)

Benefits of allowing users to edit Wikipedia using Tor[edit]

Tor allows users to use Internet services without revealing their IP addresses. If the Wikimedia community supported Tor, that could mean that users who did not reveal their IP address even to the Wikimedia Foundation could be able to edit Wikipedia and contribute to Wikimedia projects. The following classes of people face barriers and risks to contributing to Wikipedia without using a de-identification service like Tor:

  • persons who have an anonymous persistent personal identity elsewhere online, and wish to use that identity on Wikipedia without sharing their IP address
  • persons who participate in the witness protection program in their countries
  • persons who wish to contribute social content which is culturally suppressed, as for social rights movements for LGBT interests or gender rights
  • persons contributing media in and about places with legal enactment of censorship against political criticism
  • persons who are concerned about contemporary mass surveillance and wish to opt out of being under surveillance

I have had discussions with people who have experienced harm from not using sufficient online protection of their identities and as the result of the harm they suffered they have asked me about Tor and Wikipedia without my prompting. There is no way for me to know how many people want this service but I have met several who have expressed a need for it, and I feel that thoughtful consideration should be made to either grant people a right to edit Wikipedia anonymously with an account which does not reveal their IP, or to consciously exclude these people. Right now I feel that Tor users are excluded but not with much thought. Blue Rasberry (talk) 12:47, 10 February 2014 (UTC)

Everybody, not just people who have experienced harm from not using anonymization tools, need to right to edit Wikipedia anonymously. Remember that Wikipedia is among the sites that are targeted by XKeyscore. Alonso McLaren (talk) 17:31, 21 February 2014 (UTC)

An edit space for blocked users[edit]

I think what a lot of these ideas come down to is a need to create a place where blocked users can edit, which is monitored by ordinary users who can do something with material they submit. We would permit:

  • Access for open-proxy exit nodes (perhaps any Tor exit node, though a same-room exit node does have some reassurances)
  • The otherwise quixotic ability to create a blocked account starting from a blocked IP.
  • If material from a blocked account is useful, after a while an admin can take a chance and unblock it and see what happens, allowing normal editing throughout the wiki.

Such a mechanism requires interested normal users to volunteer, which admittedly is easier to postulate than to make happen. And it does raise the bureaucratic bugaboo that some formerly blocked user might evade checkuser detection and get a "clean start" this way. Which shouldn't be a surprise - one cannot be fully committed both to fighting mass surveillance and to practicing it. Wnt (talk) 13:32, 10 February 2014 (UTC)

  • Wnt What you propose sounds like the en:Wikipedia:Pending changes restriction which can be placed on individual articles, except that you are proposing a mechanism for this to be put on individual users. Does that capture the intent of what you are saying? If Tor users could have their edits just be flagged as pending changes, then that would eliminate the need for a creation of a new and specialized moderation community. Blue Rasberry (talk) 14:34, 10 February 2014 (UTC)
Bluerasberry Ugghhh... I have a longstanding dislike for Pending Changes, and the notion of polluting otherwise PC-free articles with edits pending review is disturbing. In other contexts the effect of these edits can be that ordinary users find their contributions awaiting review even though they are supposed to be free to edit. Also, I'm not sure reviewers would realize that they were reviewing the contributions of blocked and therefore quite questionable users while approving, say, an external link to an informative but virus infected site. So I'd say stick to one or a few narrow forums that people can browse with "shields up". Wnt (talk) 14:00, 18 February 2014 (UTC)
Wnt Definitely some Tor users would do vandalism, but still your posturing is a bit more defensive than I think there is evidence to justify. Tor users include persecuted demographics who face discrimination in using Wikipedia due to their circumstances. People who want privacy should not be assumed to be out of the ordinary, "quite questionable", or needing to be corralled to protect the community. Many of these people need protection themselves, and in light of government surveillance disclosures, I think that it is more mainstream now than ever before to treat people who wish for privacy with less discrimination. I am not sure how to technically implement this but if there is will then we could find a way. Perhaps you are reading the story about persecution in Greece. I also know of Wikipedians who support LGBT causes in countries where this is illegal, and at a conference I met someone who had a believable claim to be a political exile from their country for what they posted on Wikipedia. It may not be possible to support Tor users but if we do not make a path for them, then I think at least we should talk about them in positive terms and acknowledge that our lack of support for them is our own shortcoming and not because people who want privacy are a danger to others. Blue Rasberry (talk) 12:34, 19 February 2014 (UTC)
I can definitely picture Wikipedia being a lot less like a spy agency itself, not making so much effort to track down "sock puppets" and block whole ranges of IP addresses. The problem is that if we make this mechanism a workaround for that, all the abuse that would have come out anywhere else could come out here. Also bear in mind that if this mechanism actually becomes a significant workaround for people from any repressive regime, they will soon enough be sending provocateurs with the deliberate intention of ruining things. Wnt (talk) 13:06, 21 February 2014 (UTC)

An onion domain for research purposes[edit]

Since Tor is currently blocked alongside other anonymous proxies its hard to make an estimate of how much vandalism might caused by Tor users or if their behaviour is different . Its important to remember that the motivation for using Tor over one of the many one-hop proxies out there might result in a completely different user base and I think there is a case to be made that they should not necessarily be treated equally or at the very least that this is question that would be useful to have the answer to.

The easiest solution to enable Tor users, and not users of other open proxies, to edit wikipedia would be to set up a .onion domain, as described above, and apply additional speed bumps. These could come in the form of dynamically scaling CAPTCHAs, marking edits as "Done by Tor user" and perhaps adding dynamic article cool-down periods. Initially speed bumps would be configured aggressively, being relaxed slowly over time until a equilibrium is reached. —The preceding unsigned comment was added by 130.225.96.226 (talk) 16:41, 21 February 2014‎

Proposal: Try to allow Tor for one week and see what happens[edit]

Pretty self explanatory. Alonso McLaren (talk) 17:25, 21 February 2014 (UTC)

I would actually support this a lot. Everyone I have talked to about Tor and Wikimedia has asked for data to back up the abuse anecdotes. We don't have any data though, so we don't actually know for sure how big of a problem we'd have and what needs done to mitigate it. Zellfaze (talk) 13:15, 2 October 2014 (UTC)

Registered users, IP editors, and anonymous users[edit]

Whenever anyone edits Wikimedia projects the Wikimedia Foundation and some trusted volunteers, the "checkusers", has access to their IP address. In the case of so-called IP editors, who are those editing without logging into a Wikimedia account, their IP address is displayed publicly in the history logs of the page which undoubtedly discloses more public information to more people than can ever happen with a logged-in user's edits.

There is a long history of calling "IP editors" "anonymous editors", under the common mistaken premise that if the only thing that is known about a person is their IP address, then one knows less about that user than if they only shared the username they chose during registration. This confusion should be clarified, as anyone editing with an IP address is doing less to preserve their privacy than a person who is logged into an account.

There are some discussions about this in these place -

These links are all to archived versions of these conversations, and the conversations will likely continue to update. There is no way to make a permanent link to the latest version of these discussions so interested persons should search for these discussions in the relevant forums.

I am sharing this here because this proposal is about making it possible for people to preserve their privacy while editing Wikipedia. The community has already tolerated many years of misinformation in the community culture and bad advice being spread about the best way for users to make decisions about sharing their personal information. Many people are under the impression that if they do edit while only revealing their IP address, then this is the especially protective, when actually it discloses more publicly than would ever happen on any other website which people commonly use.

I feel that this proposal should include plans to educate the Wikimedia community on personal online privacy. Blue Rasberry (talk) 14:05, 23 May 2014 (UTC)

Original ambiguous proposal[edit]

I am archiving the original ambiguous proposal here. It did not make a specific enough request to be useful, so I rewrote it.

Blue Rasberry (talk) 17:00, 8 June 2014 (UTC)

Allowing Tor Relay Operators Access to Wikimedia[edit]

There is a bug that was just opened on Bugzilla that relates, at least a little bit, to this project. https://bugzilla.wikimedia.org/show_bug.cgi?id=71551 Currently we block all exit relays. This bug proposes that we should unblock exit relays that reject connections destined for port 80, port 443, or any Wikimedia servers, as these exit relays will never allow Tor users to connect to Wikimedia projects. Even if blocking Tor is a good idea, blocking these relays is just collateral damage. Zellfaze (talk) 13:24, 2 October 2014 (UTC)