IP Editing: Privacy Enhancement and Abuse Mitigation/Privacy enhancement
What can an IP address tell you?
IP addresses can reveal a wealth of information to anyone who is even slightly technically inclined. With the advent of modern search engines, much of this information is readily accessible by searching for an IP address. Here's a WHOIS query performed on a WMF Office IP address to show what data an IP address exposes:
$ whois 188.8.131.52

NetRange: 184.108.40.206 - 220.127.116.11
CIDR: 18.104.22.168/24
NetName: WMFOIT
NetHandle: NET-198-73-209-0-1
Parent: NET198 (NET-198-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS11820
Organization: Wikimedia Foundation, Inc. (WF-44)
RegDate: 2013-11-21
Updated: 2013-11-21
Ref: https://rdap.arin.net/registry/ip/22.214.171.124

OrgName: Wikimedia Foundation, Inc.
OrgId: WF-44
Address: 1 Montgomery Street
Address: 16th Floor
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US
RegDate: 2013-09-10
Updated: 2017-09-25
Ref: https://rdap.arin.net/registry/entity/WF-44

OrgAbuseHandle: WOI-ARIN
OrgAbuseName: WMF Office IT
OrgAbusePhone: +1-415-839-6885
OrgAbuseEmail: firstname.lastname@example.org
OrgAbuseRef: https://rdap.arin.net/registry/entity/WOI-ARIN

OrgNOCHandle: WOI-ARIN
OrgNOCName: WMF Office IT
OrgNOCPhone: +1-415-839-6885
OrgNOCEmail: email@example.com
OrgNOCRef: https://rdap.arin.net/registry/entity/WOI-ARIN

OrgTechHandle: WOI-ARIN
OrgTechName: WMF Office IT
OrgTechPhone: +1-415-839-6885
OrgTechEmail: firstname.lastname@example.org
OrgTechRef: https://rdap.arin.net/registry/entity/WOI-ARIN
The WHOIS record for this IP address tells you:
- The company this IP is registered to
- The date it was registered
- The exact address, phone number, email address and other information for that company
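An added example (not part of the original page): a small Python parser that pulls exactly those fields out of an ARIN-style WHOIS response, showing how little effort the lookup takes. The sample record is constructed (documentation address range, fictitious organisation and contacts), and `parse_whois` and `exposed_details` are hypothetical helper names.

```python
import re

# Constructed sample in ARIN WHOIS layout (documentation range, fictitious org).
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
NetName:        EXAMPLE-NET
Organization:   Example Org, Inc. (EX-1)
RegDate:        2013-11-21

OrgName:        Example Org, Inc.
Address:        1 Example Street
Address:        16th Floor
City:           Exampleville
Country:        US
RegDate:        2013-09-10

OrgAbuseName:   Example Office IT
OrgAbusePhone:  +1-555-0100
OrgAbuseEmail:  abuse@example.org
"""

def parse_whois(text):
    """Split a WHOIS response into blank-line-separated blocks of key -> [values]."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        block = {}
        for line in chunk.splitlines():
            if line.startswith(("#", "%")) or ":" not in line:
                continue  # skip registry comments and free-text lines
            key, _, value = line.partition(":")  # first colon only, so URLs survive
            block.setdefault(key.strip(), []).append(value.strip())
        if block:
            blocks.append(block)
    return blocks

def exposed_details(text):
    """Collect the registrant, registration date, postal address and contact details."""
    out = {"organization": None, "registered": None, "address": [], "contacts": []}
    for block in parse_whois(text):
        if "NetRange" in block:  # network block: who holds the range, and since when
            out["organization"] = block.get("Organization", [None])[0]
            out["registered"] = block.get("RegDate", [None])[0]
        if "OrgName" in block:  # organisation block: postal address
            for key in ("Address", "City", "StateProv", "PostalCode", "Country"):
                out["address"] += block.get(key, [])
        for key, values in block.items():  # any block: phone and e-mail contacts
            if key.endswith(("Phone", "Email")):
                out["contacts"] += values
    return out
```

Calling `exposed_details(SAMPLE_WHOIS)` returns a dictionary with the organisation, registration date, address lines and contact details from the constructed record.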
Various ways in which IP addresses are used
Some of these are pulled from here:
- Check previous edit history of an IP. Some IPs are very static; I know people who edited anonymously from the same IP for years and created dozens of articles from their IP (but also possibly violated rules). Being able to interact with such people unwilling to register is clearly useful. However, we need to keep their identifier static and not change it daily; they might well edit the same article from the same IP a few years in a row.
- Check range contributions. If an IP is dynamic, it is very useful to know if there is any activity from a neighbouring range. For instance, if a vandal with a particularly annoying pattern (e.g. changing dates in articles) is active in a dynamic range, getting all edits from this range to check them is clearly necessary.
- Set an abuse filter on a range. If there is a particular pattern of vandalism from a range (e.g. use of certain words that might be appropriate in some but not all articles), we might have to disallow editing with this specific pattern to this range. This is an alternative to a block of the entire, potentially large range, and to disallowing potentially useful edits to all users.
- Check global contributions. It is extremely important to keep identifiers consistent between wikis for fighting cross-wiki vandals. This is particularly the case of cross-wiki spammers who may insert spamming links from the same IP to multiple wikis.
- Check if an IP is a proxy, VPN or Tor node. This is usually more advanced than automatic tools can allow, particularly in cases when people use proxies or VPNs to hide links with their main accounts in an abusive way. Sometimes I literally google an IP to find if I happen to find it in some proxy or VPN list.
- Check if users/IPs belong to same network/geography. Some providers use multiple ranges with very different IP patterns (like a 128.*.0.0/16 and a 192.*.0.0/16), and a user (both registered and anon) might move from one to another without notice. Some users (both registered and anon) use two different providers (like home and mobile) but in a very specific location, and we can link accounts by this location. For example, if two IPs from the same town but different networks in Malaysia participate in the same discussion in Ukrainian Wikipedia, they very likely belong to the same person.
- Check location of an IP. Unlike the previous case, location can be used in a positive context. For instance, an IP adding information about some obscure politician in China is possibly vandalism. However, a Chinese IP adding information about a Chinese politician is less likely to be reverted.
- Check organisation of an IP. This is needed for paid editing / COI matters. For example, an edit to an article about an MP made from the Parliament's IP (be it a registered or an anon user) is very likely undisclosed paid editing or a COI and requires relevant actions.
- Run the IP against various abuse databases, such as StopForumSpam and the CBL.