Talk:CheckUser policy

From Meta, a Wikimedia project coordination wiki

CU-only accounts and their inactivity?

On bgwiki we're discussing a local CU policy (translation). The current proposal allows the CUs to have a separate user account for the CU-related (and possibly admin) rights only. My reasoning for this was that CU is rather more sensitive in its nature than all the other local rights (except, to an extent, for the interface-admin). At the same time, we tend to stay logged in with our “ordinary” accounts for very long time periods and often not only on one device, which inevitably makes such accounts more vulnerable. Sure, 2FA mitigates this problem substantially, but another layer of security rarely hurts. If the separate CU account stays logged off most of the time, being used only when CU checks are being made, then, together with the 2FA and, obviously, a strong password (and possibly tightening a bit the password reset with the new functionality to require the email address as well, which could have a random “+” extension added to it), should provide an even greater peace of mind.

However, here's the problem: the global policy says “Any user account with CheckUser status that is inactive for more than one year will have their CheckUser access removed.”

I suppose that a reasonable explanation that this is a separate account of an otherwise active user, allowed by the local CU policy, with appropriate information on the user page, etc. would satisfy the stewards—as people—but since they also have their obligations as functionaries, not technically enforcing the policy might put them in some uncharted waters; “any user account”, the policy says—not “a user that is inactive”—must be stripped of their CU rights.

So, TL;DR, should we possibly change the global policy here to rather refer to the inactivity of the user, not specifically of the user account? It's kind of a corner case, true, but I think it would make more sense this way. To me, it seems a bit rigidly phrased right now.

Of course, it goes without saying that the connection between the user accounts should be openly and unambiguously disclosed (this is even explicitly mentioned in the proposal for our local policy, although it's also kind of obvious, since the editors who vote need to know who they vote for). Or, in other words, the burden of proof would be entirely on the user—we are *not* talking here about forcing the stewards to go out of their way and perform some extensive checks if an inactive account is associated with some active user if that's not already clearly and unambiguously stated. It's just that if there's a clear connection between an active user and an inactive account, the stewards wouldn't feel compelled to remove the rights of the account just because the global policy explicitly says so.

Now, an argument could be made here, I guess, that it would be more confusing to have such separate accounts. But I think that having two (or, in some cases, even more) accounts is a generally accepted practice when there are good reasons for it and when this is publicly disclosed. However, there may be other reasons to not encourage people to have a second, CU-only, account. If you know such, or could think of some, please, do share them.

Thanks,
— Luchesar • T/C 12:15, 1 July 2020 (UTC)

If someone hasn't used the CheckUser tool in a year, why should they not have the userright removed? ST47 (talk) 19:38, 15 July 2020 (UTC)
ST47, that's a good question, even if about something slightly different. The policy has a requirement for any account activity, not specifically for CU activity. IIRC, this was explicitly discussed at some point in the past and the consensus was that the CUs shouldn't feel forced to do checks to keep their rights—even if otherwise there are no cases that justify such checks. Such counterproductive “CU misuse encouragement” would be especially pronounced in the relatively smaller projects, where the number of cases that clearly justify CU checks may fluctuate a lot. On bgwiki, for example, we've had years with literally hundreds of strongly suspected sockpuppets, and also years with almost none. It wouldn't make sense to strip the otherwise active (as editors/sysops/'crats/etc.) CUs of their rights just because this year there haven't been enough cases for each one of them to do at least one check, when the very next year they could, contrastingly, be even overwhelmed with the number of required checks. And the whole point of requiring activity is really more about: (a) knowing that the people with such rights are, indeed, around and can react when and if their help is needed, and (b) knowing that they hadn't abandoned their accounts, which could have security implications.
— Luchesar • T/C 10:11, 16 July 2020 (UTC)

Login attempts

According to phab:T253802, it looks like the CheckUser tool already records login attempts (both successful and failed), which is not mentioned yet here. I propose the changes below:

-Determine from which IP addresses that an account has performed edits, logged actions, or password resets on the Wikimedia wiki;
+Determine from which IP addresses that an account has performed edits, logged actions, login attempts, or password resets on the Wikimedia wiki;
-Determine all edits, logged actions, and password resets that were performed on the Wikimedia wiki from a specific IP address (including users who were logged in with an account);
+Determine all edits, logged actions, login attempts, and password resets that were performed on the Wikimedia wiki from a specific IP address (including users who were logged in with an account);
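
Review bot: In the first changed line, "an account has performed ... login attempts" makes the account the actor, yet the proposal says the tool records failed attempts as well, and a failed attempt is made by someone who has not authenticated as that account. Wording such as "login attempts for the account" would cover both cases; the second changed line, which is keyed on the IP address, does not have this problem. Both versions of the first line also carry a stray "that" in "from which IP addresses that an account", which could be dropped in the same edit.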

In fact, if even more kinds of information are missing and should be mentioned, the list would be too long and we might want to make the language here more open-ended instead (using something like "operations including but not limited to"). But I'm not aware of those, hence the proposal. whym (talk) 13:27, 15 February 2021 (UTC)

I went with the second change only. [1] I left out the first one because 'an account has performed...' implies someone already logged in. whym (talk) 10:17, 12 March 2021 (UTC)

Requests for comment/Ombuds Commission inactivity

I have started an RFC about the persistent inactivity of several members of the OC. --Rschen7754 02:01, 1 March 2021 (UTC)

Blocking of user without any checking, verifiable reason and evidence for Sockpuppetry

Hi all, I want to know what the check user policy is about sockpuppetry and blocking of a user without any verifiable reason and evidence. I want to know what the policy is on inspecting the user and closing it without providing a documented and valid document. Can the inspection manager close the user indefinitely without providing proof of inspection? And state the reason that "because your account is old and has not been active for some time and now your edits are professional", close it indefinitely and abuse this management opportunity. What is the policy if he does not provide documentary evidence of his abuse, and his violation? In Fawiki they have closed my account without any document, based on doubt only. I ask them to check with tools but they refuse it. Then I want to check the global policy of wiki about this please. Thanks all. —The preceding unsigned comment was added by Shahramrashidi (talk)

Hi all, why doesn't anyone respond? Shahramrashidi (talk) 17:42, 9 April 2021 (UTC)

You might want to contact the ombuds commission. See the Submission section in particular. whym (talk) 14:04, 15 April 2021 (UTC)

Should the test.wikipedia.org be added?

Hello, is there something missing in the list of users with CheckUser access? The test Wikipedia has two CheckUser accounts, too. Maybe we can insert them into the list. --Indoor-Fanatiker (talk) 09:57, 6 June 2021 (UTC)