IP Editing: Privacy Enhancement and Abuse Mitigation/Privacy enhancement

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search

Main project page (discuss)
Ideas for privacy enhancement (discuss)  · Improving anti-vandalism tools (discuss)

IP Address[edit]

What can an IP address tell you?[edit]

IP addresses can reveal a wealth of information to anyone who is even slightly technically inclined. With the advent of modern search enginers, much of this information is readily accessible by searching for an IP address. Here's a WHOIS query performed on a WMF Office IP address to show what data is exposed from an IP address:

$ whois 198.73.209.241 

NetRange:       198.73.209.0 - 198.73.209.255
CIDR:           198.73.209.0/24
NetName:        WMFOIT
NetHandle:      NET-198-73-209-0-1
Parent:         NET198 (NET-198-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS11820
Organization:   Wikimedia Foundation, Inc. (WF-44)
RegDate:        2013-11-21
Updated:        2013-11-21
Ref:            https://rdap.arin.net/registry/ip/198.73.209.0

OrgName:        Wikimedia Foundation, Inc.
OrgId:          WF-44
Address:        1 Montgomery Street
Address:        16th Floor
City:           San Francisco
StateProv:      CA
PostalCode:     94105
Country:        US
RegDate:        2013-09-10
Updated:        2017-09-25
Ref:            https://rdap.arin.net/registry/entity/WF-44

OrgAbuseHandle: WOI-ARIN
OrgAbuseName:   WMF Office IT
OrgAbusePhone:  +1-415-839-6885 
OrgAbuseEmail:  officeit-bgp@wikimedia.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/WOI-ARIN

OrgNOCHandle: WOI-ARIN
OrgNOCName:   WMF Office IT
OrgNOCPhone:  +1-415-839-6885 
OrgNOCEmail:  officeit-bgp@wikimedia.org
OrgNOCRef:    https://rdap.arin.net/registry/entity/WOI-ARIN

OrgTechHandle: WOI-ARIN
OrgTechName:   WMF Office IT
OrgTechPhone:  +1-415-839-6885 
OrgTechEmail:  officeit-bgp@wikimedia.org
OrgTechRef:    https://rdap.arin.net/registry/entity/WOI-ARIN

This IP address above tells you:

  • The company this IP is registered to
  • The date it was registered
  • The exact address, phone number, email address and other information for that company

Various ways in which IP addresses are used[edit]

Some of these are pulled from here:

  • Check previous edit history of an IP. Some IPs are very static, I know people who edited anonymously from the same IP for years and created dozens of articles from their IP (but also possibly violated rules). Being able to interact with such people unwilling to register is clearly useful. However, we need to keep their identifier static and not change it daily, they might well edit the same article from the same IP a few years in a row.
  • Check range contributions. If an IP is dynamic, it is very useful to know if there is any activity from a neighbouring range. For instance, if a vandal with a particularly annoying pattern (e.g. changing dates in articles) is active in a dynamic range, getting all edits from this range to check them is clearly necessary.
  • Set an abuse filter on a range. If there is a particular pattern of vandalism from a range (e.g. use of certain words that might be appropriate in some but not all articles), we might have to disallow editing with this specific pattern to this range. This is an alternative to a block of the entire, potentially large range, and to disallowing potentially useful edits to all users.
  • Check global contributions. It is extremely important to keep identifiers consistent between wikis for fighting cross-wiki vandals. This is particularly the case of cross-wiki spammers who may insert spamming links from the same IP to multiple wikis.
  • Check if an IP is a proxy, VPN or Tor node. This is usually more advanced than automatic tools can allow, particularly in cases when people use proxies or VPNs to hide links with their main accounts in an abusive way. Sometimes I literally google an IP to find if I happen to find it in some proxy or VPN list.
  • Check if users/IPs belong to same network/geography. Some providers use multiple ranges with very different IP patterns (like a 128.*.0.0/16 and a 192.*.0.0/16), and a user (both registered and anon) might move from one to another without notice. Some users (both registered and anon) use two different providers (like home and mobile) but in a very specific location, and we can link accounts by this location. For example, if two IPs from the same town but different networks in Malaysia participate in the same discussion in Ukrainian Wikipedia, they very likely belong to the same person.
  • Check location of an IP. Unlike the previous case, location can be used in a positive context. For instance, an IP adding information of some obscure politician in China is possibly a vandalism. However, a Chinese IP adding information about a Chinese politician is less likely to be reverted.
  • Check organisation of an IP. This is needed for paid editing / COI matters. For example, an edit to an article about an MP made from the Parliament's IP (be it a registered or an anon user) is very likely an undisclosed paid editing or a COI and requires relevant actions.
  • Running the IP over various abuse databases such as stopforumspam, and the cbl