Talk:IP Editing: Privacy Enhancement and Abuse Mitigation

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search

Main project page (discuss)
Ideas for privacy enhancement (discuss)  · Improving anti-vandalism tools (discuss)


IP Editing: Privacy Enhancement and Abuse Mitigation Archive index
This page is to collect feedback for the privacy enhancement for unregistered users project.
Hoping to hear from you. You can leave a comment in your language if you can't write in English.
Filing cabinet icon.svg
SpBot archives all sections tagged with {{Section resolved|1=~~~~}} after 14 days and sections whose most recent comment is older than 120 days.

Please remember that this page is used by people from a number of communities, with different native languages. If you avoid using acronyms from your home wiki, that will help them participate in the discussion.

How is this not the end of anonymous editing?[edit]

It seems to me that this is a highly technical and extremely overcomplicated way of putting an end to unregistered editing. There is no effective way to implement IP masking that doesn't cause one of the following two effects:

  1. Hamstring the ability of vandal-fighters to stop disruptive editing
  2. Continue to expose IP information to a sufficiently large group of vandal-fighting editors

Masking IPs will cause one of those two things to happen; there is no middle ground where we can continue to stop disruptive editing while simultaneously preventing IPs from being exposed to nearly all "experienced" editors who contribute to vandal-fighting (which, on en-wp alone is tens of thousands of users). You're fooling yourself if you think you can find that magical middle ground. Since the lawyers appear to be in charge, it's far more likely that it's going to be #1 than #2. And the moment that it becomes clear that our ability to stop vandalism has been removed, the next step will be an RfC to end unregistered editing permanently, and all of this work to mask IPs will have been a colossal waste of time because no one will even use it.

We're bending over backwards to come up with a complex way to name an unregistered user something like "AnonymousUser-99f0ba64", and to attempt to track their IPs behind the scenes (or using cookies or whatever) so that they are still "AnonymousUser-99f0ba64" even if their IP address changes. Well, guess what? That sounds a whole lot like we're auto-registering an account for unregistered users. The only difference is that we're auto-naming their account for them, not requiring them to assign a password to that account, and not encouraging them to even use that same account if they edit from a different device.

So, why go through all of this work? What is the benefit? Just end unregistered editing already and save everyone the trouble. Creating an account is such a small hurdle to overcome in order to edit Wikipedia; anyone who really wants to make an edit will go through the 4-second process to register an account. We don't even require that users connect their account to an email address, like every other website on the internet. A user could quickly and easily register a new account every day, if they wanted to. Both Wikipedia and the internet at large are a lot different than they were 20 years ago. Registering an account to use a website is so commonplace now that very few people will bat an eye at being required to register an account to edit. At the very least, we should conduct a trial (similar to en:WP:ACTRIAL) to understand the effects of requiring all users to register. Will the number of non-vandalism edits being made to Wikipedia plummet? Will the number of new users registered skyrocket? Who knows? But, let's find out before embarking on this convoluted IP masking quest that is destined to trigger the end of unregistered editing anyway. (Furthermore, if IP masking is forced upon projects and they reactively decide to end unregistered ending in response, there won't be time to conduct a trial to understand and mitigate the effects of ending unregistered editing.)

Otherwise, if we're going to continue to allow unregistered editing, then we should simply require unregistered users to explicitly consent to their IP address being publicly logged and forever connected to the edit they're about to make, and require them to explicitly waive all rights connected to the privacy of their IP address. I'm no lawyer, but surely if a user explicitly consents to their IP address being exposed, then WMF would not be exposed to any legal liability. Like, literally, before every edit that they make, a giant 45-page EULA pops up and they have to scroll to the bottom and hit the "I've read and accept this" button. I'm sure the lawyers would love that idea. Scottywong (talk) 23:45, 8 December 2020 (UTC)

Hi Scottywong, I've tried addressing this in the discussions above, to give an understanding of why the Foundation thinks investing in a long process is worth the time and effort. In short, the research we have on wikis and compulsory registration does indicate there's a problem – if it's important enough for them they might register, but if it isn't? If they'd gradually start editing because the threshold was so very low? I see your home wiki is English Wikipedia; please remember that English Wikipedia is at the far end of the spectrum when it comes to already available content and number of editors. There's a balance between "protect what we have" and "get new content", in that it's difficult to make it more difficult for the editing we don't want without making it more difficult for the editing we want, and almost all our wikis are in greater need of more content (and thus people who can add it) than English Wikipedia is. Also, the importance of unregistered editing varies a lot from wiki to wiki both when it comes to how common it is and how much is reverted (i.e. deemed not suitable). For example, my home wiki specifically asked the question "if we do IP masking, do we want to turn unregistered editing off?" and came to the conclusion that it didn't. This is what I wrote when The Signpost asked for a comment:
Why do IP masking at all, some ask. Why not disable IP editing instead? We’re investing significant time and resources in trying to solve this because we’re convinced that turning off unregistered editing would severely harm the wikis. Benjamin Mako Hill has collected research on the subject. Another researcher told us that if we turn IP editing off, we’ll doomed the wikis to a slow death: not because the content added by the IP edits, but because of the increased threshold to start editing. We can’t do it without harming long-term recruitment. The role unregistered editing plays also varies a lot from wiki to wiki. Compare English and Japanese Wikipedia, for example. The latter wiki has a far higher percentage of IP edits, yet the revert rate for IP edits is a third of what it is on English Wikipedia: 9.5% compared to 27.4%, defined as reverted within 48 hours. And some smaller wikis might suffer greatly even in the shorter term.
I hope that at least explains where we're coming from.
(Anecdotally, I was almost exclusively unregistered editor for the first four years or so of my Wikipedia editing. This gave me years to form a habit. It wasn’t important to me when I started. I just fixed spelling errors because it required nothing of me, not even logging in. Then it gradually became the thing that eats most of my waking hours.)
With regards to the legal part, my understanding is that no, unfortunately, it’s not quite that simple. That's how it may have worked in the early days of Wikipedia; it no longer does. /Johan (WMF) (talk) 17:51, 13 December 2020 (UTC)
Well, you're right that different Wikipedias have different user counts, article counts, editing rates, and vandalism rates. Perhaps this suggests that a one-size-fits-all approach to IP masking for all Wikipedias is not a good idea.
Regarding the studies suggesting that requiring user registration would condemn all Wikipedias to a slow death, I'm not seeing it. The studies you linked to on that specific subject are mostly about how unregistered editing historically helped to get Wikipedia off the ground in the early days. I don't see any studies that suggest that requiring registration now (especially on the larger, more active projects) would cause a catastrophic collapse of Wikipedia. After all, there are some Wikipedias that already don't allow unregistered editing, and to my knowledge, they haven't imploded. En-wiki already doesn't allow unregistered users to create new articles, and there is a significant percentage of pages that are not editable by unregistered users (via page protection and other similar mechanisms). Wikipedia is not the same as it was 20 years ago. It's a mature project that people want to influence, and I'd be very surprised if a one-time 30-second registration process is going to discourage someone who wants to contribute, especially when nearly every other website on the modern internet requires registration. I think this deserves more serious consideration. While it's true that requiring registration might not be right for every project, I would be very surprised if IP masking doesn't eventually cause the largest projects (especially en-wiki) to ban IP editing. Scottywong (talk) 15:48, 14 December 2020 (UTC)
But alls this work is something we'd have to do anyway, in that scenario. (: We are also looking closely at what's happening on Portuguese Wikipedia, which is a major wiki where unregistered editing is currently not possible, so that's a research project that is ongoing to gather more data, specific for a mature Wikipedia. It's too early to say anything yet, but we – in the broad sense, of course – will know more about how Portuguese Wikipedia was affected before we do any actual masking. /Johan (WMF) (talk) 16:35, 14 December 2020 (UTC)
@Johan (WMF): while I can certainly accept the case that different projects would accept the concept of IP masking against that of blocking IPs, I would like to ask on additional focus on the options bit raised by OP.
To stop this having major effect (and I would note that my (and many respondents who made such comments in the original consultation) definition of success is "no net increase in "uptime" of problems, no net increase in false positives, no net increase in editor time taken to carry out tasks" will indeed require a) very broad access for most IP information. Probably not tens of thousands on en-wiki alone as IP said, but certainly above 5000 within a couple of years and b) broad access for all IP information - probably about 2000 on enwiki (1100 admins plus other key individuals)
That, by the way, assumes that people with partial information can indeed do functionally all of their work without needing to refer cases to someone with full vision. I'm still not quite sure how well that holds up, but I'll take it as granted for now.
I do share a concern that spreading it that broadly (factoring across all projects) rends the project somewhat moot, or Legal are going to want a tighter close, which is going to have a major effect. Nosebagbear (talk) 10:59, 8 March 2021 (UTC)

I am not certain if I am allowed to comment here, but I certainly welcome the end to (or at least the limiting of) IP editing. Not having to contend with well meaning anonymous editors and the steady stream of vandals will free up a lot of time to add content. And, with limits on anonymous editing, we will be able to communicate with new editors instead of them floating around and never realizing that there are IP talk pages. Of course, it would be nice if this was happening more publicly, instead of here, "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'" Mr.choppers (talk) 01:51, 23 March 2021 (UTC)

Mr.choppers: Is there anything in particular you'd want us to do information-wise? We're planning on letting on all admins across the wikis know by posting on their talk pages, but we want to re-assess and figure out where we are in the process first, so we don't give them old information.
To get an idea of how what we've done so far: I see you're active on Commons and English Wikipedia; I wrote w:en:Wikipedia:Wikipedia Signpost/2020-11-01/Op-Ed in an attempt to explain it on the latter wiki. We've repeatedly included in Tech/News, which is sent to both commons:Commons:Village pump/Technical and w:en:Wikipedia:Village pump (technical) and a hundred other community pages across wikis, and is transcluded on the English Wikipedia community portal (w:en:Wikipedia:Community portal#Technical news), we've posted to wikimedia-l, the international Wikimedia mailing list, and some groups on social media where Wikipedians discuss internationally, we've had some local conversations to see if we'd get different feedback in other languages (i.e. are there workflows we're missing on other wikis if we just talk about this in English) and are planning another round, we ran some discussions about the plans at the last Wikimania that was able to take place, and reached out specifically to checkusers and stewards. /Johan (WMF) (talk) 08:02, 23 March 2021 (UTC)
I believe that I, as most editors, do not ever visit to those places. We edit the pages that are of interest to us and we do not generally visit any sort of meta-pages whatsoever. I am here as a result of an admin mentioning this policy to me by happenstance. These changes will be hugely disruptive (I think, it is very unclear what may actually happen) and would, in my eyes, merit a direct notice to all users before such change is decided on. Mr.choppers (talk) 11:21, 23 March 2021 (UTC)
To be clear, the Legal team has declared that this is something they need to happen, and asked the Wikimedia Foundation Product department to figure out how (which we're trying to do here). So let's be honest here: this was not a decision they made with community input, since legal decisions are not matters of consensus. This doesn't mean that we shouldn't make sure the communities are aware: we want to develop this together with patrollers and others from the Wikimedia communities, and we desperately need a lot of feedback and criticism and suggestions along each step for this to work properly. But it hasn't been hidden to have a decision made without anyone noticing and then say "hey, this was something we decided together!", because it wasn’t a collaborative decision or a proposal as much as an investigation.
It's just difficult to find the right level of shouting loud enough so enough people hear but not so loud it comes in the way of their editing. /Johan (WMF) (talk) 17:50, 23 March 2021 (UTC)

Some thoughts[edit]

First, a procedural note: In my opinion, this entire affair has been completely mishandled when it comes to communication. If this is a legal issue, don't give us an FAQ and "motivation" statement that implies that it isn't, only to then reverse and give us a statement from legal that has about as much meaningful content as this template. I know and appreciate that everyone involved has the project's best interests in mind, but this really, really, really should have been handled better.

Persistence: I think cookies are a bad idea, because they are relatively easy to circumvent and get rid of. Using them would also mean that someone could establish multiple distinct identities by just running different browsers. Stick with IPs to establish identities.

User right: If you don't want communities abandoning IP editing as soon as this is passed, there will have to be a user right and it will have to be granted to a substantial number of users; people who regularly deal with vandalism, sockpuppetry, long-term abuse[note 1] and undisclosed paid editing[note 2] will need continued access to full IPs. Partially for proxy detection, partially for informed examination of IP ranges and WHOIS data. If this would be an acceptable compromise, we could consider requiring users to sign an NDA, which may alleviate some of the (legal) concerns involved here. I for one would be happy to do that if it means continued access to unmasked IPs.

Ranges: Consider allowing range queries like Anonymous123/16 for everyone, and to consider providing the size of the involved subnets[note 3] and displaying them on IP Contribution pages, which would allow users without special access to look at ranges without any substantial privacy impact.

Proxies: I don't see that much use in providing yes/no VPN and TOR indicators; known VPN ranges and TOR nodes are already globally blocked. The more problematic proxies are webhosts and open proxies, which will be hard to detect without manual review.

Implementation: We need to get this right on first try. The risk of communities abandoning IP editing is significantly higher if this doesn't work from day one.

All in all, I am still convinced that this will create more problems than it solves, no matter how good the implementation; but alas, what's decided is decided. I urge everyone involved to work towards a solution that restricts and disrupts existing community processes as little as possible. Best, Blablubbs (talk) 14:20, 13 December 2020 (UTC)

  1. Consider for example that confirmation that one is dealing with this individual is made significantly easier if one can check whether the IP geolocates to London
  2. Which the WMF appears to have largely ignored and kicked to the community, sometimes with devastating results
  3. E.g. /22 and /24 for this IP
Blablubbs: Thanks for the feedback, it's much appreciated. About us saying "sorry, Legal says so, we have to do this", that was not our assumption when we started. Legal was involved earlier too, and there was a statement about their support for this project on the talk page early on, but while I understand the change in motivation and what can be done and can't is confusing, it reflects an actual change in understanding for the team behind the project, not just in how we communicate. /Johan (WMF) (talk) 16:10, 13 December 2020 (UTC)
And to be clear, this is not about one specific law or one specific jurisdiction, as stated above. /Johan (WMF) (talk) 16:13, 13 December 2020 (UTC)
Hi Johan, thanks for the response. I had an off-wiki chat with Darren-M, trying to figure out why legal cannot be more clear. So in the hopes of obtaining at least a modicum of clarity, I'll try to ask some direct questions, mostly related to this statement: We can’t spell out the precise details of our deliberations, or the internal discussions and analyses that lay behind this decision, for the reasons discussed above regarding legal ethics and privilege.
  • While legal cannot unilaterally disclose the reasoning because of attorney-client privilege, the WMF – being the client – absolutely can. So if privilege is the argument for being obscure, why doesn't the WMF at least partially waive it or provide a statement itself?
  • Does legal believe that we may currently be open to litigation because of existing laws?
  • If not, why are we citing no specific legislation while also citing privilege to avoid disclosing anything?
  • Is there any current or pending litigation regarding privacy of IPs on Wikimedia projects?
  • Is this being done to avoid future liability because WMF legal believes that laws that might make public disclosure of IPs illegal will be passed?
  • If so, why is the feature not just developed and shelved until such laws potentially come into effect, given the strong opposition by the community?
  • If so, why can we not be more open about what those future liabilities are, given that they are not currently a threat?
  • Has the Board endorsed this decision? If not, what is the most senior level it has been endorsed at?
I'm aware I won't be able to get full responses to all of those questions, but I'd appreciate an attempt at giving the community more than what are arguably non-answers. I am not asking for details about specific liabilities, or for specifics about internal discussions; I merely want to know on a meta-level what the nature of the cited threat is: Given that it's used to override community consensus, it seems like a good idea to be as transparent as possible – and I don't believe legal's statement meets that standard. Thanks and best, Blablubbs (talk) 23:14, 13 December 2020 (UTC)
Blablubbs: Just wanted to acknowledge that I've read this and that I'm passing it on to the Legal department. /Johan (WMF) (talk) 23:37, 13 December 2020 (UTC)
@Johan (WMF): Thank you for passing that on. I'm going to also somewhat tactlessly ask: did Legal change their minds between their initial discussions and more recently with you/your team about it being a necessity, or did they just insufficiently make it clear it was a necessity (perhaps because they felt that if it was going to be introduced, stating it as a legal requirement seemed unneeded to them)? Nosebagbear (talk) 16:23, 14 December 2020 (UTC)
To be honest, I think this is a question more about the difference in how you understand a legal position if you're a lawyer or a non-lawyer, though of course a lot of things have happened in a year and things keep changing. Legal is working even closer with us now. /Johan (WMF) (talk) 17:07, 22 December 2020 (UTC)
Regarding ranges: this seems like a privacy issue. This would make it quite trivial to determine what country someone lives in, for example, and depending on the CIDR sizes permitted you could even get an ISP. Whilst you might not think this is the biggest deal, currently if someone has a registered account it's not possible for anyone to know that, and the same applies on any site with registration, so this is a fair change in the norm.
Regarding NDAs: a lot of active editors are not comfortable with doing so. Indeed, only a fraction of users are functionaries or have access to non-public information. I think requiring editors enter into legal agreements to continue doing the work they're doing is not a good outcome. ProcrastinatingReader (talk) 22:26, 30 December 2020 (UTC)
Thanks for the feedback, ProcrastinatingReader. Just wanted to acknowledge we're reading and taking into account. /Johan (WMF) (talk) 22:41, 6 January 2021 (UTC)
@Johan (WMF): - just a reminder that Legal have yet to respond to the questions posed by @Blablubbs: and myself. I wouldn't have thought these questions were particularly onerous or complex to draft responses for, so I trust we can look forward to a full reply from Legal shortly? Best, Darren-M (talk) 21:51, 20 January 2021 (UTC)
Ping acknowledged. /Johan (WMF) (talk) 05:01, 26 January 2021 (UTC)
@Johan (WMF), I know it isn't your call if and when legal responds, but it's been another month and if we're not going to get a reply, I'd appreciate it if we could just get a statement that says so outright – though, as outlined above, I'm still not entirely clear why it isn't possible to make a statement that is at least marginally less vague. Best, Blablubbs (talk) 15:17, 21 February 2021 (UTC)
Blablubbs: Noted, and I'll pass it along. I can assure you that they read this page, so anything being pointed out here is seen, not just by me. /Johan (WMF) (talk) 11:52, 22 February 2021 (UTC)
Pinging both anyone from Legal watching at @Johan (WMF):, who has the misfortune of being significantly more visible and takes flak for (in)actions outside his control. I'd like to echo Blablubbs' point (another) 3 weeks on - if Legal aren't going to reply to queries and concerns about their opening statement then they need to actually say so openly.
In a distinct point, because I don't want to ping Johan three times in 4 minutes, I'd just like to push ProcrastinatingReader's comment that NDA signing is likely to cause major issues due both to reticence but also to effort. The whole reasoning for retaining IP masking rather than mandatory accounts is because of barrier to entry, but there are barriers to entry to lots of tasks, not just joining wikipedia. People might sign to avoid disrupting their task flow that's already active, but why would anyone new go into handling IP-heavy CVU if the barriers get high. The trade-off needs to be considering not just who we might lose immediately, but who we might fail to recruit into that backend work going forwards Nosebagbear (talk) 11:16, 8 March 2021 (UTC)
I do work on this project, so it's completely natural and fine to let me know any and all issues and concerns! Passing this on, too. /Johan (WMF) (talk) 12:08, 8 March 2021 (UTC)
What is "CVU"? kyykaarme (talk) 05:51, 10 March 2021 (UTC)
@Kyykaarme: Counter-vandalism unit, en.wiki's wikiproject on counter-vandalism, but also used as a bit of a catch-all term for all the different counter-vandalism activities and individuals even if they aren't technically part of the project Nosebagbear (talk) 10:59, 23 March 2021 (UTC)
Well, another 3 weeks later, we're more than 3 months in and at this point I think it's pretty clear I won't be getting a reply or even an acknowledgement that I won't get one. I don't think my specific questions urgently need an answer (though I do still think they're relevant), and I know everyone involved has the best of intentions, but I do think this is a great example for the chronic communication and community relations issue the WMF has as an institution: If you're going to try your hand at playing government and unilaterally impose a vision on the community (who you're supposed to be working for and not against) against its explicit wishes, you're also going to have to acknowledge what makes governance work: Responsiveness, responsibility and accountability. And I'm really not seeing a lot of that, here or elsewhere. Blablubbs (talk) 13:13, 1 April 2021 (UTC)
Whilst I do personally think some form of IP masking is a good idea and support this change, I agree the communication is lacklustre. At the same time, the FAQ says there's no rocket on this plan and this isn't a "proposal" yet, so possibly WMF resources are stretched between the board stuff and the UCOC and whatever else is going on currently. ProcrastinatingReader (talk) 14:24, 3 April 2021 (UTC)

Public-interest location info[edit]

Here is an example of where knowing at least the city had value to more than just direct vandal-fighting, it was used in wider discussion of improper influence. w:en:Wikipedia:Wikipedia Signpost/2020-12-28/Opinion "How to make your factory's safety and labor issues disappear" Mqsobhan was not gone for good. On December 3, an anonymous editor with an IP address from Dhaka, Bangladesh deleted most of the article, but was immediately reverted. If IP addresses are no longer openly published, rough location be? Pelagic from Sydney (talk) 01:39, 12 January 2021 (UTC)

Just wanted to acknowledge that this has been seen and is not ignored. /Johan (WMF) (talk) 12:02, 10 March 2021 (UTC)

Anti-abuse tools[edit]

Once the WMF implements IP masking, our efforts to block VPNs and open proxies (en:WP:WPOP) will be effectively dead. I think it does not matter how many users get the new user rights, we will not be able to cope. Does the WMF plan to implement any new anti-abuse tools?

I would like to make a concrete proposal: the WMF could license the spur.us feed, which includes most IPs associated with VPNs and open proxies and actively block all of them globally. It is not a solution to every problem, but proxy blocking would be handled even more efficiently than today. Also, the cost of licensing such a database is peanuts for the WMF, and I think it makes sense to do it in-house.

I mention spur.us because it is currently giving us very good results on enwiki, but there may be other options. Best, --MarioGom (talk) 23:15, 9 March 2021 (UTC)

Thanks for the feedback! We'll investigate. /Johan (WMF) (talk) 12:01, 10 March 2021 (UTC)

Pending queries[edit]

Hi Johan,

Sort of a mixed bag here, since it includes questions from at least three sections that are now somewhat buried by other comments.

1) Do you have any thoughts on the issue that to get close to current standards is going to require a very broad "most-IP info" and broad "all IP-info" sharing, which is presumably not desired by Legal, and couldn't happen if NDAs were required for full IP-info? (That's two distinct issues I realise)

2) I'm going to assume Legal haven't got back to you with regard to Blablubbs' questions. Could it be added to something like the next set of Wikimedia Clinic hours as a topic (where I believe there's a Legal rep)?

3) On the userright discussion, which has somewhat petered out, I'm going to copy one comment I made in regard to your correct statement that tying it to admin may be tricky due to the different standards. "this is at least a good discussion benchmark. I thank you for your bottom half - I was absolutely going to step in and make a point that it should be lower, but of course you are right as regards variable levels for adminship. Hmm. I will have to have a think, please excuse the whirring hamster noises. I realise it continues the userright proliferation, but would it make sense to actually have two userrights (akin to edit filter helper and edit filter manager), the lower (partial vision) of which would be the "given to all admins", but would also be given to others under one criteria set - while the other (full vision) would be under a higher set [which might be all admins plus others on some projects, but only a subset of admins on others]". It was just a discussion starter, but would be good to consider it, and several other proposals made in the thread, in more detail. Nosebagbear (talk) 11:08, 23 March 2021 (UTC)

Nosebagbear: Good questions, which I think we should address as a team rather than me alone, so I'm going to bring this up internally rather than replying to it right now. Responding here just to acknowledge that it has been seen and is not ignored. /Johan (WMF) (talk) 17:48, 23 March 2021 (UTC)
Nosebagbear: I just had a conversation with NKohli (WMF), and issues 1) and 3) sort of need to be solved together, in a way. We'll put something together so there's something tangible to talk about, and then we can spread the word more broadly. /Johan (WMF) (talk) 17:49, 25 March 2021 (UTC)
An update on this: We're in meetings, but it's work across several teams in different parts of the organisation, and we have to make sure that everything is technically and legally realistic. Sorry this is taking so long: we really don't want to show you what we have in mind, have everyone think about it, leave feedback, come up with plans and so on, and then come back and tell you that, no, sorry, apparently this didn't work, let's start over. /Johan (WMF) (talk) 15:52, 14 April 2021 (UTC)

dissenting voice from the outside[edit]

I see reference of previous discussions on meta and a current request for feedback on Wikidata, but nothing yet on the Wikipedia, the by far biggest communities being affected by this.

And then i read a line like:

Please understand that sometimes, as lawyers, we can’t publicly share all of the details of our thinking; but we read your comments and perspectives, and they’re very helpful for us in advising the Foundation.

Which is frankly speaking legalese bullshit, suggesting again a rather intransparent process (from the community's perspective) and it is again a recipe to piss off large parts of Wikipedia communities.--Kmhkmh (talk) 03:59, 11 May 2021 (UTC)

Yes. The legal team is correct in saying that this must happen, but they need to stop making incorrect statements like, "as lawyers, we can’t publicly share all of the details of our thinking". What they should be saying is, "We don't want to share all of the details of our thinking because it would damage the WMF", which is correct. --Gnom (talk) 09:48, 11 May 2021 (UTC)
I agree with your statement with regard to "can't" and "don't want to".
However at least at first glance I disagree with the rest.
Why exactly is it correct that it must (rather should) be done. Which law is requiring that? And if so why did it take for legal team 20 years to figure that out? Which laws have been ignored for 20 years or have changed in the mean time?
The damage to WMF or WP is impossible to assess without knowing the exact reasoning and what type of damage is to be considered here. As far as the often difficult and contentious relationship with the community is concerned, I'd probably argue that repeated intransparency and potentially not clearly/openly stated (aka hidden) agendas are doing the most damage.--Kmhkmh (talk) 10:48, 11 May 2021 (UTC)
I am a lawyer specialising in data protection laws, and I have been asking myself about the lack of privacy compliance at Wikipedia for a number of years. From my own professional experience, I am confident that this can be implemented in a way that protects logged-out users and at the same time does not hinder our anti-vandalism efforts. Happy to talk about this in more detail. --Gnom (talk) 11:20, 11 May 2021 (UTC)
I have no issue with hiding IP (in particular since IP6) assuming it is done right and support it. My issue is with the process, information policy and intransparency of arguments surrounding this feature.--Kmhkmh (talk) 15:51, 12 May 2021 (UTC)
Kmhkmh: Just to explain how we've reasoned around where to start conversations, this page on Meta has been our main conversation (and we've flagged it in various ways, including on a lot of Wikipeidas), but in order to make sure we hear from various communities (e.g. not just Wikipedias, not just in English and so on), we've started conversations on various wikis to get different local perspectives. A number of those have been Wikipedias. You can find the links to (and summaries of) the conversations on French, Chinese, Swedish and Arabic Wikipedia here. I wrote a piece for the Signpost in English at w:en:Wikipedia:Wikipedia_Signpost/2020-11-01/Op-Ed with conversation below. This is of course not exhaustive. We will have something tangible to present in how we plan to give access to IPs for people who need them soon, at which point we hope to invite more people who haven't seen this yet to comment. /Johan (WMF) (talk) 20:33, 28 May 2021 (UTC)

Quite frankly I don't see the point of this initiative. Seemingly it has already been decided that action needs to be taken while we still haven't read about one single valid reason to even consider it.

I'm very happy with the status quo of users who can either log in, contribute via IP or abstain from editing. In Germany we have some very nice twitter-bots alerting us about edits from IP-nets owned by various federal authorities and that is a watchdog-function I'd dearly miss, and that's just one minor example. --Eloquenzministerium (talk) 22:46, 16 May 2021 (UTC)

The point is that this is something we have to do as norms and regulations around internet privacy has changed quite a lot in the last twenty years. See Gnom's comments above, too. I do realise the statement at IP Editing: Privacy Enhancement and Abuse Mitigation#Statement from the Wikimedia Foundation Legal department has very little actual content at the moment.
The conversations have been important to guide the technical development, not to form a yes/no decision – legal decisions has never been a matter of community consensus. In order to not cause significant harm, we need to a) be careful about how we do masking and b) make sure that people who need access to IPs for vandal fighting still have that, even if we hide them from the rest of the world. We're not going to just take the situation as it is today and then remove visible IPs and do nothing else to balance that, which I think is how a lot of editors visualise this change. We'll be presenting our ideas (based on previous conversations here) on how to what to hide and from whom within a few weeks. These conversations has been core in guiding our work. /Johan (WMF) (talk) 20:33, 28 May 2021 (UTC)
@Johan (WMF): I actually agree with hiding IPs (assuming it is done right) and probably agree that this not suited for yes/no by the community and that the WMF has to push it independent of that for legal reasons. However imho if the latter is case the case the WMF needs to communicate those legal reasons clearly and transparently, pseudo explanations like the one I quoted at the beginning of this sections should be no-go and vague references privacy and changed laws are not enough. Note this is not just about lack content with regard to implementation specific, but this is about intransparency and a lack of content with regard to the legal reasoning, that is which laws and changes in law in what countries force the WMF legally to hide the IPs. Or is the whole thing more a voluntary service to protect the privacy of anonymous contributors (which can be seen good thing on its own). All of is rather unclear to me at the moment (and I suspect for the communities at large) and that is my issue with the process. The legal argument/requirements (and what they are based) should be communicated openly from the start.--Kmhkmh (talk) 07:02, 29 May 2021 (UTC)
@Kmhkmh: Given that they have failed, for now closing in on 3 months, to even provide the "meta" reasons for not providing their reasons, I doubt Legal are going to give us anything approaching answers any time soon. Given this timeline, it's gone beyond the traditional slow legal turnaround time and Covid-19 and entered culpable rudeness. Something that would actually be viewed as bitey on most projects.
@Johan (WMF):, in terms of a discussion that doesn't involve Legal *directly* (but may), you said you were going to talk to your team a while back about the point I raised that while proximate info will be enough for some, the numbers needing full details was going to be fairly large (on en-wiki, much larger than the admin corps, for example) and the number needing some of that info even larger, have you had any further thoughts on that?
Finally In the most recent update on interim IP-masking steps, there have been various questions and concerns raised by a couple with far more SPI/proxy knowledge than I, could we (they) get answers to that as soon as, please? Nosebagbear (talk) 22:35, 29 May 2021 (UTC)
Yes, we are working on getting all the last details down for how we envision this and the process and the requirements; we should get that here in a couple of weeks. Regarding the proxy questions, they are important; unfortunately, this is something we haven't had time to look into yet, partly because the team had to urgently work on SecurePoll to make sure the board elections can finally take place. I have hope Legal will be able to comment soon, too, although not as soon as we can present ideas on who and how will have access. /Johan (WMF) (talk) 02:43, 31 May 2021 (UTC)

Heads up: Massive update to the IP Info subpage in March 2021[edit]

Seems like interesting information regarding progress of development/policy drafting is available there. --Count Count (talk) 13:56, 17 May 2021 (UTC)

Jeez, that would have been good to have posted here at the time. Thanks for raising it, Count. Nosebagbear (talk) 00:45, 19 May 2021 (UTC)

Update: How masking could work[edit]

Hey folks, a pretty important update: IP Editing: Privacy Enhancement and Abuse Mitigation#Updates ("10 June 2021") now has a section on how the actual masking and unmasking could work. We look forward to your comments.

I'll include this in Tech News soon, and from there we'll add more channels to let people know it exists. /Johan (WMF) (talk) 10:06, 10 June 2021 (UTC)

The major comment I have about this is that the threshold for partial access/the threshold for granting the user right seems really weird. 1y/500 is a massive mismatch between time and edits (500 edits within a month is entirely reasonable, and within 2 to 3 basically every active editor will have reached it). I think having something like 90d/500 for partial access, and 6m/1000 for the new userrights seems like more logical thresholds.
Then a few questions: A) how will logging/access be implemented exactly? Will users with the new user right for full access have the same preference opt in as others? If this opt is toggled, does the editor then automatically see the IP address, or will it require some kind of button click per time/IP Address you see? Will the log log every time a editor sees a full IP adresss? Asartea Talk (Enwiki Talk (preferred)) 13:33, 10 June 2021 (UTC)
Thank you for your feedback, Asartea! This is not to dig in and try to defend the current thresholds, which are definitely open for discussion, but just to explain the reasoning behind them: we've tried to make it difficult to create new accounts for the purpose of accessing IPs, but not put them so high that we'd take the IP as a tool away from people who use them today. This way, you can't make 500 edits by say digging into categorisation (which you can easily do in a day) and just wait a couple of months.
As for your questions, this is not yet entirely decided. NKohli (WMF), when you're back, do you have any technical comments here? /Johan (WMF) (talk) 17:25, 10 June 2021 (UTC)
Asartea's thresholds sound reasonable to me, if they're going to be global standards. Johan, we certainly have people who work in the field before a year. To give a human example who is active on this discussion, @Blablubbs: while they created their account in 2014, actually started editing exactly a year ago (so imagine an example if they had registered then). They became a full SPI clerk before that year was up, something I assume you're aware that en-wiki doesn't hand out lightly. I think the Community could accept higher standards on the editing side - which might involve good edit counts in different namespaces if you want to go complex, in return for reducing the time Nosebagbear (talk) 18:29, 10 June 2021 (UTC)
@Asartea We have not yet looked into the specific details of how access would be implemented as this is very much in the brainstorming phase. I can share some early ideas. Everyone who obtains access will probably need to opt-in via a preference. This step is important as they would acknowledge they need IP access and agree to not share it to others who don't have access. They will most likely not automatically see full IP address everywhere and there would be an additional step to see it -- but we can show partial IPs by default. But this will probably differ by use case -- like checkusers would need to see all IPs automatically when they are in the checkuser tool. We would likely need to log it when someone sees a full IP. This is similar to how checkuser tool logs exposure of data. -- NKohli (WMF) (talk) 15:05, 11 June 2021 (UTC)
This feels like it is going to be significantly clunky in the example case I gave below, when handling topics that get lots of traffic from the same area. Even a 10-15% delay to the process (assuming that it's not doing something drastic like reloading a page to show it) would be significant when stacked across all work in the sphere Nosebagbear (talk) 15:28, 11 June 2021 (UTC)
This plan seems reasonable to me. The lower edit count requirement will be good for projects with 'less to do' than enwiki. Presumably the access will be global, i.e. having 500 edits on any wiki should allow access to info on all wikis. A broad interpretation of "community process" to grant access seems advisable, for example for enwiki it would be better if this is just a request at WP:PERM left open for a few days and allowing comments, rather than having it be an RfA-like process and requiring the input of ~100-200 editors. ProcrastinatingReader (talk) 16:05, 10 June 2021 (UTC)
I think we envisioned the default as being per wiki, sort of like how almost all other user rights are also assigned per wiki, but with awareness that there needs to be global access for people active in cross-wiki vandalism. /Johan (WMF) (talk) 17:25, 10 June 2021 (UTC)
I concur with ProcrastinatingReader, the overall solution sounds reasonable to me, but thresholds should probably be defined per wiki. --Vituzzu (talk) 17:40, 10 June 2021 (UTC)
@Johan (WMF): A lot of users do cross-wiki anti-vandalism without needing any global perms. For example, you can use Huggle/SWViewer on other wikis as long as you have rollback locally on any wiki, so arguably you won't need to apply for global rollback. Considering this, and the fact that there can be a need to do work on wikis that you're not too active on, I think this automatic privilege should be global, otherwise it may have bad effects especially for small wikis. ProcrastinatingReader (talk) 14:31, 11 June 2021 (UTC)
ProcrastinatingReader: Noted. This is good feedback, thank you. /Johan (WMF) (talk) 14:41, 11 June 2021 (UTC)
So how will people with full access be able to discuss and report IPs to each other? Will there be a private namespace that is invisible to people without IP access for things like anti-vandalism? Is it fair to accuse people in places they can't see? Kusma (talk) 18:13, 10 June 2021 (UTC)
And evidence also needs to be provided to the person on their user talk page if they're blocked, otherwise it becomes impossible for them to appeal in an informed fashion, and, as appealing is so tough, they will often need to see it before being blocked. Nosebagbear (talk) 18:23, 10 June 2021 (UTC)
Nosebagbear: I was about the write a reply here, but to be really sure we're on the same page, can you mention the kind of evidence you're referring to where you'd want to divulge the IP as part of the reason? Of course those situations exists, but I want to make sure I reply to your concerns and not something I've made up. /Johan (WMF) (talk) 20:59, 10 June 2021 (UTC)
So one example that jumps to mind from a fair while back (so, recollection may not be flawless) was someone who realised they could get different IPs (given the slight differences, likely by router resetting) to put multiple "speakers" into the same !vote Nosebagbear (talk) 21:25, 10 June 2021 (UTC)
OK, good example. I'm not trying to argue here, just trying to understand, but why would it be necessary or even very helpful to list the IPs instead of telling the user that, hey, these ten IPs are coming from the same range? I'm just thinking about what I do as a checkuser today (in my volunteer role) with registered accounts, and I never tell them their IPs or other information, I just tell them the connection. /Johan (WMF) (talk) 21:34, 10 June 2021 (UTC)
Kusma: There will also be the mask, the ID assigned to the user, so it will be possible to talk about them in public to let them know that they are accused – sort of like we can talk about registered socks in public without divulging the IP behind the account. But you still raise an interesting question about how to best share this information I'm not sure we have addressed properly yet. Thank you. /Johan (WMF) (talk) 20:59, 10 June 2021 (UTC)
Is the full IP address information still ephemeral? That would be a deal breaker. MER-C (talk) 18:15, 10 June 2021 (UTC)
I'm not entirely sure what you mean by ephemeral here, but after a certain period of time the IP behind a mask would no longer be accessible, similar to how it works for registered accounts. Please let me know if this isn't what you were asking and I'll try to give a better answer. /Johan (WMF) (talk) 20:59, 10 June 2021 (UTC)

I'm not happy about this project, but I could live with this if it was implemented. Would it be possible to see this implemented on a test wiki before it goes live everywhere else? --Rschen7754 05:19, 12 June 2021 (UTC)

That sounds like an excellent suggestion. Ping NKohli (WMF), this is something we should look into as we get closer to actual implementation. /Johan (WMF) (talk) 16:03, 14 June 2021 (UTC)

Regardless of masking we still need to be able to block IPs and have it stick[edit]

I don't particularly care who is editing through tor exit nodes and the like but they still need blocking. This is the case even if we outright ban IP editing. Indeed since we will no longer get the hint that there is a bunch of vandalism coming from some random IP the foundation may need to look into providing proxy tracking services.Geni (talk) 15:16, 10 June 2021 (UTC)

This is on our to-do list! We have a couple of things we're looking into here. /Johan (WMF) (talk) 17:25, 10 June 2021 (UTC)
There is also a need to make sure that lines of communication are open with the internet watch foundation. If they take action again it will be harder for editors to spot the IP patterns.Geni (talk) 06:06, 11 June 2021 (UTC)
@Geni Thank you for your comment. We have been getting feedback about proxy tracking from several users on the IP Info talk page. If you want to add something that's not yet captured there, it would be helpful for us during project planning. -- NKohli (WMF) (talk) 15:33, 11 June 2021 (UTC)

"IP address access will be logged so that due scrutiny can be performed if and when needed"[edit]

Does this mean even users, who has the ability to view full IP addresses, will be forced to unmask every IP separately, by doing some action on every masked IP on page's history? Does this mean even this users, when they open page history, will not see all IP's, like now? It's catastrophe for many inwiki activities, not even anti-vandalism. MBH (talk) 17:44, 10 June 2021 (UTC)

I imagine that every unmasking would have to be logged, or otherwise it would be easy to create a public website that contains all the masks. Kusma (talk) 18:17, 10 June 2021 (UTC)
I'm going to double down on MBH's comment - I had some issues when I saw that. Even if it's just "click/hover" it's going to significantly slow the speed of just looking at a full view history log. It would make in non-workable - this has to be done without any functionality loss and this would be a significant loss. Nosebagbear (talk) 18:20, 10 June 2021 (UTC)
We've been talking about this, but I'll have to get back to you on exactly what would be necessary for logging, legal aspects and so on – we're aware of it, but we didn't want to try to solve every little detail before talking to you about the general plan, because we wanted to be able to adapt to feedback here. But this is partly what we're trying to address by showing the first part of the IP which would not have to be logged and not have to be separately unmasked (edit: I think. NKohli (WMF), please confirm). Since they are typically not identical between different IPs (and if they are for different IPs editing the same article, might be an indication the same person is jumping IPs on a range), this would make at least my patrolling far easier. Let me know if it would not work the same way for you. /Johan (WMF) (talk) 21:07, 10 June 2021 (UTC)
@Johan (WMF): The roughest patrolling I've ever had to do was on the Delhi riots. Unsurprisingly, in that case (but in countless other similar cases) we had LOTS of IPs in similar ranges Nosebagbear (talk) 21:44, 10 June 2021 (UTC)
OK, this is useful contextualisation. Thank you. /Johan (WMF) (talk) 21:52, 10 June 2021 (UTC)
Agree to what @Johan (WMF) said. I tried to also answer this above in my reply to Asartea. @Nosebagbear The case of patrolling during Delhi riots is interesting. Undoubtedly that would be very hard if one was to unmask every IP one by one. Thanks for that example. We'll try to think of ways to address this in a way that doesn't hinder patrolling work.
@MBH you said "It's catastrophe for many inwiki activities, not even anti-vandalism." -- can you please tell me about other activities that will be impacted, beyond anti-vandalism? We were primarily thinking about this being a use case for anti-vandalism so it would be helpful to know what other workflows could be impacted so we do not cause any unintentional effects. Thank you. -- NKohli (WMF) (talk) 15:53, 11 June 2021 (UTC)
NKohli (WMF), one such area is the detection of potential conflicts of interest and/or undisclosed paid editing. There currently exist tools to flag it when, for example, edits about a given country's legislators originate from their legislative body's address range, helping to find instances when the legislator or a staffer are engaged in PR or whitewashing. This change would either break such tools entirely, or at least severely limit their usefulness. Seraphimblade (talk) 18:45, 17 June 2021 (UTC)

10 June 2021 update and its impact on enwiki's Sockpuppet Investigation (SPI) process[edit]

The SPI process now is carried on in publicly readable pages where incident reporters, SPI clerks, and checkusers all communicate with each other. It's one thing to say that appropriately privileged users will have access to the full IP addresses, but if we must agree not to disclose this information publicly, the entire SPI process will be unable to function. RoySmith (talk) 20:02, 10 June 2021 (UTC)

RoySmith: Thanks for your feedback! I'm reasonably familiar with sockpuppet investigation in general, but not with the English Wikipedia SPI process. Could you briefly walk me through how this would make it unable to function? Especially in how it would differ from dealing with registered accounts, where you'd already wouldn't be able to share the IP, but would publicly rely on talking about the usernames (which here would have the equivalent of the mask, the identity assigned to the unregistered user instead of the IP). Just so I'm understanding the problems we could cause. /Johan (WMF) (talk) 21:14, 10 June 2021 (UTC)
Hm. Move it to a private limited-access wiki, then? Enterprisey (talk) 23:00, 10 June 2021 (UTC)
That would be pretty clunky, no? And the SPI cases have lots of occasional traffic that presumably just wouldn't happen if it was off-wiki Nosebagbear (talk) 23:13, 10 June 2021 (UTC)
From our side we'd definitely prefer to find solutions that wouldn't force processes like these away from the namespaces they inhabit today. /Johan (WMF) (talk) 23:15, 10 June 2021 (UTC)

Enwiki SPI clerk here. A lot of reports that come in are from editors who have been editing in their topic area, see sockpuppetry and then report. Some of these reports come in because in a page with lots of IP edits the LTA is on a distinct and similar range. Furthermore, reporting users often make recommendations about what to do, especially with regards to looking at the block log for an IP (so having a tool to see the block log of an IP from the masked one would be useful but might expose the IP from the block logs though). Furthermore, the archive pages of SPI cases are exceedingly useful for me for identifying IP edits from sockmasters. Having this list of known IPs that a sock master uses gives admins, clerks and editors in general the ability to quickly compare reported IPs range to previously reported IPs. This list then could not be anywhere onwiki as I see no way to hide IPs in wiki text, so we will then either need a private wiki for editors with the rights to see full IP addresses to see previously blocked IPs or some onwiki tool which allows a editable page of IP addresses which is only accessible to those who can view the IP addresses. Perhaps this page could log viewa and hide the tail to those who can't see the full IP address. Although I welcome the extra tools being offered I can see this masking giving LTAs an easier way to evade blocks. I see that the enwiki editors who are active at village pumps want to disallow IP editing due to this IP masking and I would say that my judgement is the overall enwiki community may want this if the tools given Tony outweigh the negatives from making IPs. Dreamy Jazz talk to me | enwiki 11:32, 11 June 2021 (UTC) (copyedited 11:58, 11 June 2021 (UTC))

Thanks for the walk-through, Dreamy Jazz! /Johan (WMF) (talk) 11:48, 11 June 2021 (UTC)
I wonder if there could be some kind of inline show/don't show for IPs at the technical level. Like a special template or "magic word" where I plug in "AnonymousCucumber15" and people with the special ipviewer right will see that resolve to "AnonymousCucumber15/127.0.0.1" (or something like that), so that someone with the appropriate rights can trivially see what I'm talking about without us both having to "talk around" things to avoid disclosing the private information. This does bring up the question of how much people with the ipviewer right can and cannot comment publicly on the information they see; we'll probably want to take inspiration from the CU policy here, but this is something we need to figure out both global and local policy for in advance. For example, can I (as an ipviewer) say on-wiki that AnonymousCucumber15 and IncognitoPickle16 are on the same range or have similar geolocation? (I would say yes, since that is something that even checkusers can say about named accounts). Separately, I'm generally opposed to a cuwiki-lite for ipviewers. GeneralNotability (talk) 18:05, 13 June 2021 (UTC)
That is an interesting proposal GeneralNotability, as at least it would mitigate the SPI-awkward aspect. Nosebagbear (talk) 21:50, 13 June 2021 (UTC)
Thanks for the specific technical suggestion. We'll have to look at it. Yes, you'll need to be able to talk about them in general terms as in "on the same range", of course; as you note, otherwise this would be stricter than the checkuser guidelines and make communication about what is happening and why impossible. /Johan (WMF) (talk) 16:03, 14 June 2021 (UTC)

IP viewer right[edit]

With regards to "Editors who partake in anti-vandalism activities, as vetted by the community, can be granted a right to see IP addresses to continue their work. This could be handled in a similar manner as adminship on our projects. The community approval is important to ensure that only editors who truly need this access can get it. The editors will need to have an account that is at least a year old and have at least 500 edits", there are currently increasingly intense discussions on enwiki regarding both RfA's quantitative standards in the sense of minimum tenure/edit count expectations, and RfA's (as currently set up) ethics as a system of selecting admins at all. I don't see this not wedging a huge and unexpected issue into them. Vaticidalprophet (talk) 02:12, 11 June 2021 (UTC)

  • It probably should be treated the same way that rollback is handled. Otherwise, we're going to be constrained into handling only those who are admins, which is a bad idea, especially as the number of admins dwindle over time. --Rockstone35 (talk) 03:33, 11 June 2021 (UTC)
Eh, I don't think this particular dispute would be likely to exacerbate that discussion - EFM is never viewed in sync with Admin, and this would vastly distinct. And that's assuming that we can't get agreement that WP:PERM by community-selected admins, with a 48-hour hold for community comments, wouldn't be accepted. Nosebagbear (talk) 10:37, 14 June 2021 (UTC)
A right similar in difficulty to obtain as EFM or EFH would be a disaster. ProcSock (talk) 16:19, 14 June 2021 (UTC)
A small request, to make sure everyone can participate: This conversation is currently being fed by links from English Wikipedia, so at the moment it's a lot of English Wikipedians talking to other English Wikipedians, so of course people are using familiar ways to talk about things. But hopefully this changes soon as the technical newsletter is about to go out, and someone from Tagalog Wikipedia, German Wikipedia, Wikidata and so on is probably not familiar with the local English Wikipedia acronyms. /Johan (WMF) (talk) 16:42, 14 June 2021 (UTC)
Or, to phrase it differently: if you have good examples of concerns or your wiki, they might very well be relevant to other wikis, and it's easier to tell and find these if people understand them. (: /Johan (WMF) (talk) 16:48, 14 June 2021 (UTC)
Johan (WMF), I think the concern is that the restriction is too stringent, especially a fixed time, an edit number requirement, and on top of that a "similar manner as adminship". On the English Wikipedia, rights like rollback are genuinely granted on the basis of "You have been around long enough for us to know you're not an idiot, and you have a demonstrated need for it, so here you go." On the other hand, rights like edit filter manager (for non-admins) or template editor are much more strictly reviewed and not given out near as widely. I think the concern here is that we may well prefer to give this out much more like rollback ("You need it, you're not an idiot, here you go.") We certainly would not want to have people go through like anything like a request for adminship for it—if they could pass one of those, they may as well just do that. Nor would we necessarily want people to have to wait for a year; they may have proven themselves well before that point. Seraphimblade (talk) 23:19, 18 June 2021 (UTC)
Noted. Yes, we have talked about the English Wikipedia RfA and RfA-like processes and what they mean for this (it's one of the main reasons why "let's give it to the admins and they should give admin rights to people who need this access – if they are trusted to see this information, they should be trusted with the admin tools" wouldn't work, for example, which would have been a viable solution on a good number of wikis). /Johan (WMF) (talk) 10:43, 21 June 2021 (UTC)

This is incredibly shortsighted -- and not getting the attention it should get.[edit]

I can't help but feel like this is an incredibly shortsighted decision -- and one that will have many unintended consequences. I don't particularly understand why they are making this decision, but at any rate, whenever this does finally formalize (and it sounds like this is going to happen regardless of what the community desires), I predict that it's going to come as quite a shock to the vast majority of the community, especially on enwiki. I sincerely hope that I'm wrong. --Rockstone35 (talk) 03:32, 11 June 2021 (UTC)

I think this is the biggest existential threat that the Wikimedia movement has faced in over a decade, but it's hard to stop lawyers from digging their own graves. Vaticidalprophet (talk) 05:21, 11 June 2021 (UTC)
@Vaticidalprophet: -- oh good, it's not just me who thinks that. Mostly I feel like I'm just watching a train that people on (enwiki at least) are not aware is heading towards them. When this change is implemented, it's going to be very bad. It's also really annoying that the lawyers can't give any good legal argument as to why this is needed. --Rockstone35 (talk) 05:55, 11 June 2021 (UTC)
The Legal department are planning to give an update on their statement, but it's a few weeks away. I can confirm that this a) is happening (it's a legal decision, and those have never been a matter of community consensus), b) it's happening because what can be done and showed with personal information online has changed quite a bit since we implemented this system twenty years ago but c) within the legal frame that is given to us, we can work to find the best solutions based on discussions here and elsewhere. Since this mentions English Wikipedia specifically, we have tried to explain it at length also locally, e.g. w:en:Wikipedia:Wikipedia Signpost/2020-11-01/Op-Ed (also on Diff), and on a number of other wikis, in addition to Tech News, mailing lists and various other venues. But we're planning to reach out far more broadly, too, long before it's actually implemented. /Johan (WMF) (talk) 10:29, 11 June 2021 (UTC)
Jeez, a few weeks, that's brushing 4 months as a turnaround. If the Community failed to respond on that timescale then the WMF would rightly assume that we had no concerns with whatever was being raised in consultation. I do hope they will cover each of the questions raised so far above on this page given that timescale, including the "meta" questions about their statement(s) (and non-statements) thus far Nosebagbear (talk) 10:33, 11 June 2021 (UTC)
You do accept that this change may mean that all IP editing on English Wikipedia will stop though, right? 50.201.228.202 14:12, 11 June 2021 (UTC)
We hope to avoid that, which is why we're very interested in feedback on every step on the way (and are grateful for the comments we are receiving). But if we're doing something for legal reasons – because the privacy landscape around what you can do and can't do on the internet has changed in recent years – we also can't ignore the fact that we have to adapt to that. I assure you this is not a fun project to work on that we're doing because we thought we'd enjoy it. (: /Johan (WMF) (talk) 14:23, 11 June 2021 (UTC)
But on that note: this is not happening tomorrow. There's plenty of time for everyone to see where this is heading – the tools, the changes we make on this based on the feedback here and elsewhere and what is legally possible for us to do and so on. I'm not going to tell people how to react to this, but I would recommend that action is not taken based on a product that isn't finished and is explicitly looking for feedback. /Johan (WMF) (talk) 16:07, 11 June 2021 (UTC)
@Johan (WMF): slightly off topic, but thank you for taking the time to reach out to us, even though we're a bunch of angry people upset about this change. I don't envy your job right now. --Rockstone35 (talk) 23:26, 11 June 2021 (UTC)
Just leaving a quick note (European data protection lawyer here) to say that no, this will not mean that IP editing on Wikipedia will stop. The edit history might just contain a different pseudonym (think of something like "ABC123DEF456" instead of the IP address). It's not the end of the world. And users who need to see the actual IP address of logged-out users (because they're engaged in 'serious' vandal fighting) will still be able to do so. --Gnom (talk) 23:32, 11 June 2021 (UTC)
@Gnom: I think it was meant that in the sense that local communities may block IP editing, rather than the WMF's actions would directly stop them (that would be a very quick change!) Nosebagbear (talk) 00:34, 12 June 2021 (UTC)
But why would local communities (such as English-language Wikipedia) block IP editing? --Gnom (talk) 09:02, 12 June 2021 (UTC)
Because the only reason IP editing works right now is because IP addresses reveal certain information (such as location) which allow for users to detect patterns involving vandalism and trolling. --Rockstone35 (talk) 18:01, 12 June 2021 (UTC)
But we can still reveal the location and other pieces of information. This project is just about hiding the IP address, not the information behind it. --Gnom (talk) 22:47, 13 June 2021 (UTC)
Thank you, Rockstone35, but really, while no one likes people being angry at them, getting long lists of complaints is far better than not discovering the issues in time. We want people to tell us all the reasons they think this will cause problems because while we might not have a magic solution, it gives us a list of things to work on. As long as people keep to m:Meta:Civility (not just for my sake, but also because not doing so will poison the discussion for everyone else), we're just happy to see more comments, because in the end it'll help us at least get a chance to mitigate the potential damage to the patrolling and vandal-fighting process, which is far more important than people agreeing with us. /Johan (WMF) (talk) 17:57, 14 June 2021 (UTC)
@Johan (WMF): Thank you for reaching out here (and on the Signpost; I had not noticed that article), it must be quite frustrating. And a bit futile: we the community don't understand what the legal issue is, other than "some part of our current practice places us in legal jeopardy or is clearly illegal in some jurisdictions that we care about". As long as we don't know what the problem is, it is difficult for us to see what types of mitigation measures counteracting the difficulties masking will cause are ok, and what types are not. "Let's just ban IP editing" is a simple solution that anyone can understand, so it is popular (I am also very sympathetic to it now because it seems preferable to the massive additional complexity proposed here). I'd like to understand why your complex masking and unmasking proposal is better (other than that banning IP editing will mean that we need to triple the size of our checkuser team). Do people on ptwiki not create accounts often enough? Kusma (talk) 09:23, 12 June 2021 (UTC)
I'd be happy to help explain the legal issue (I am a lawyer specialising in online data protection law). --Gnom (talk) 22:47, 13 June 2021 (UTC)
IPs are being masked precisely because they can be used to reveal (very) rough geolocation, ISP, and connection type. If we were to continue making that information available, masking would be unnecessary. --Blablubbs|talk 16:00, 14 June 2021 (UTC)
The Wikimedia Foundation Legal Department will comment soonish, and I’m not a lawyer, but I’d like to remind everyone that this is something that is affected by legal standards, not just our desire to protect our unregistered editors – if it were just the latter, this would not have been "this is coming, and that it’s not negotiable" – we can always talk about our decisions, but we can’t make consensus decisions about legal matters. It's not really up to us to decide what is unnecessary or not from a practical perspective, as there are regulations to take into consideration. /Johan (WMF) (talk) 01:04, 15 June 2021 (UTC)
Kusma: We do understand why this is frustrating! It's important, it messes with one of the very core workflows of the Wikimedia wikis – the very work that allows us to be as open as we are – and we are unable to communicate in detail why we're doing this. Of course people will be upset. I just wanted to stress that this is not something we are doing because we had some idea about improving privacy (though it is important) and didn't realise there would be consequences.
To answer your question, we tried to look into the research done on restricting editing to registered accounts (then on non-Wikimedia wikis, before Portuguese Wikipedia decided to try it out), and are very concerned about the long-term effects on editor recruitment. See Research:Value of IP Editing. This is what I wrote in the Signpost, when they asked for a comment:
Why do IP masking at all, some ask. Why not disable IP editing instead? We’re investing significant time and resources in trying to solve this because we’re convinced that turning off unregistered editing would severely harm the wikis. Benjamin Mako Hill has collected research on the subject. Another researcher told us that if we turn IP editing off, we’ll doomed the wikis to a slow death: not because the content added by the IP edits, but because of the increased threshold to start editing. We can’t do it without harming long-term recruitment. The role unregistered editing plays also varies a lot from wiki to wiki. Compare English and Japanese Wikipedia, for example. The latter wiki has a far higher percentage of IP edits, yet the revert rate for IP edits is a third of what it is on English Wikipedia: 9.5% compared to 27.4%, defined as reverted within 48 hours. And some smaller wikis might suffer greatly even in the shorter term.
I hope that at least explains where we are coming from. /Johan (WMF) (talk) 17:39, 14 June 2021 (UTC)

Three questions[edit]

Hi Johan,

Three questions:

1) With regard to IPs not being unblocked, you note "This solution will have to be a compromise." - what was being thought here?

2) In a related fashion, we need to confirm that when we switch over, the blocks on the IPs behind a mask will still appear when giving an IP block - otherwise our ascending length blocks on IPs are all going to reset

3) With the information you provide on pt-wiki, that I look forward to reading, will that include workload (instances raised, instances carried out, and sockpuppet registered accounts detected) on the Checkusers. As en-wiki already struggles on CU workload, it's one of the facets that would be critical, especially were a discussion on whether to block all IP editing to be considered and opposed Nosebagbear (talk) 10:41, 14 June 2021 (UTC)

1) That the most privacy-protective measure would, as people have previously pointed out on this talk page, be to start from a blank slate with blocks. But we can't do that, so we have to compromise with what would have been the perfect solution from the privacy perspective.
2) I see no reason why this would change, but it's a good question. NKohli (WMF), can you confirm that this will work? I.e. that you can see previous blocks whenever you block an IP, similar to today, including in the case of an admin not opting in to see the IP behind the mask.
3) I don't have an answer to that right now. I'll ask. (I'm not looking into it myself, but it is happening.) /Johan (WMF) (talk) 16:03, 14 June 2021 (UTC)
To follow up on this, yes we are looking into the number of checkuser requests. /Johan (WMF) (talk) 16:09, 14 June 2021 (UTC)

Reaction to 14 June 2021 update[edit]

I'd like to discuss this bullet:

  • Editors who partake in anti-vandalism activities, as vetted by the community, can be granted a right to see IP addresses to continue their work. This could be handled in a similar manner as adminship on our projects. The community approval is important to ensure that only editors who truly need this access can get it. The editors will need to have an account that is at least a year old and have at least 500 edits.

I consider this overly inflexible and would instead suggest that Wikivoyage or any other Wiki community be able to grant anyone with Patroller status a right to see IP addresses. And I think we shouldn't be dictated to on how we decide who is trusted to be a Patroller. Ikan Kekek (talk) 17:02, 14 June 2021 (UTC)

Agree with that. My account is only 5 months old, and would that mean that on the other two WMF projects I'm a sysop in mean, I can't see the IP adresses? And considering that I only revert vandalism on the English Wikipedia, not being able to see IP addresses would be difficult. I like Ikan Kekek's plan with Wikivoyage, and I think anyone with patroller status should be able to see IP addresses. SHB2000 (talk | contibs | en.wikivoyage | w:User:SHB2000) 11:45, 15 June 2021 (UTC)
The thresholds can absolutely be discussed, and we really don't want to intrude on your right to handle vandalism the way you think best, which you're better equipped to figure out than the Foundation is. But, similar to how there are some global requirements for how much support you need to become a checkuser, which wikis can't decide to lower, because the Foundation has legal responsibilities towards the information, the Foundation will need to set some limits for who is able to take on this role. We’re taking this conversation into consideration, of course, but we can’t be completely flexible as we also have to consider our legal responsibilities, in addition to the relationship and division of work between the Foundation and the communities.
I realise this is a bit of a non-answer right now, but just to explain why the Foundation doesn't just hand this over to the communities to decide, when the communities are the experts on anti-vandalism work. /Johan (WMF) (talk) 03:14, 17 June 2021 (UTC)
I don't see how one amount of time vs. another would be dictated by law, rather than arbitrary. By contrast, Patroller is a specific status some users are given that indicates that they are trusted to use rollback tools. This specifically and pointedly differentiates them from users who may be of longer standing but are not entrusted with such tools. And this trust is not arbitrary but carefully considered by local admins and subject to revocation by admins in the unlikely event that the users in question proved to actually be untrustworthy. (There has been no such case of revocation of patroller status due to a loss of trust on en.voy, as far as I can remember.) I will stipulate that we usually don't give users Patroller status until they've been registered for more than 6 months, but if 1 year or even 6 months were to be the standard, there should be provisions for exceptions. Ikan Kekek (talk) 08:33, 18 June 2021 (UTC)
It's not (as far as I know – the legal parts are really not my forte, I'm here to build the technical implementation) – which is why we're saying that the thresholds are negotiable and given the feedback I find it unlikely they will remain at our suggestion, which was mainly a starting point. (: As for "can we tie them to [user right]", I'm checking in with the Legal department to understand what implications that would have. /Johan (WMF) (talk) 10:40, 21 June 2021 (UTC)

Legal questions[edit]

My apologies if these questions have been answered elsewhere; I did not find answers in the FAQ on the content page. I am a checkuser on English Wikipedia editing under a disclosed alternate for security purposes; my main account is User:Ivanvector.

I see that the team preparing these changes is proposing to create a new userright for users to have access to the IP addresses behind a mask. Does Legal have an opinion on whether access to the full IP address associated with a particular username mask constitutes nonpublic personal information as defined by the Confidentiality agreement for nonpublic information, and will users seeking this new userright be required to sign the Access to nonpublic personal data policy or some version of it?

  1. If yes, then will I as a checkuser be able to discuss relationships between registered accounts and their IP addresses with holders of this new userright, as I currently do with other signatories?
  2. If no, then could someone try to explain why we are going to all this trouble for information that we don't consider nonpublic?
  3. In either case, will a checkuser be permitted to disclose connections between registered accounts and unregistered username masks?

Thanks for all the work you've been doing to make sure this monumental change is the right one. PEIsquirrel (talk) 19:01, 14 June 2021 (UTC)

Passing this on to Legal. /Johan (WMF) (talk) 19:16, 14 June 2021 (UTC)
I'd like to echo the thanks above. Although IP masking may cause some problems, having you listen to our comments is very reassuring and helpful. Hopefully once IP masking comes around, I will not miss the ability to see IP addresses on projects I am not active on and also for other users at enwiki to see IP addresses. I'd also like to echo the questions above and it would be useful to get a response to them. Dreamy Jazz talk to me | enwiki 20:35, 14 June 2021 (UTC)
Thanks. I can't promise we will solve everything – some things will be more cumbersome; we hope to offset this by building better tools that will make other parts of the patrolling and anti-vandal workflows easier – and some important questions are still left to be answered. There is a system in place for this and we have to replace it for other reasons than having found a better one. But I want to stress that we do share the concerns, care about the result and really do appreciate everyone listing their concerns, for what it's worth. /Johan (WMF) (talk) 23:07, 14 June 2021 (UTC)

Discussion on the English Wikipedia[edit]

Just an FYI, there is currently a discussion on the English Wikipedia regarding this topic: w:Wikipedia:Village pump (WMF)#IP Masking Update -FASTILY 22:12, 14 June 2021 (UTC)

Requirements[edit]

To continue interacting with anonymous contributors, whether in a collegiate way or fighting vandals, rank-and-file editors need these abilities:

  1. Communicate with an anonymous editor using a page similar to the existing User talk:123.45.67.89, presumably with an obfuscated replacement for the IP
  2. List contributions from adjacent IPs, especially within a v4 /24 or a v6 /64
  3. Determine whether two contributions are from the same IP, similar IPs or widely differing IPs
  4. Identify a contributor to other editors, especially in a form which an admin can turn into an IP block or range block if appropriate

Does the proposed solution address these needs? Does the WMF have any response yet to last year's questions on Crypto-PAn and IPv6 /64s? Certes (talk) 22:20, 14 June 2021 (UTC)

NKohli (WMF), I think you are better equipped to answer this question. /Johan (WMF) (talk) 23:08, 14 June 2021 (UTC)

Access Agreeement - Age[edit]

Johan, relating to a brief section back on the 26/27th October 2020, you concurred that a large number of our most active RCPers and counter-vandals were under-18. It is likely that a significant number of these would even be under 16. Would these groups still be fine to accept the agreement by ticking-in? Nosebagbear (talk) 23:41, 14 June 2021 (UTC)

Putting this on the list of questions I'm forwarding to Legal. /Johan (WMF) (talk) 23:48, 14 June 2021 (UTC)

Global contributions and other external tools[edit]

The rough plan satisfies my concerns as far as counter-vandalism. Thank you! My only concern now is with external tools that we rely on. Stewards in particular use GUC and/or XTools to check for collateral damage when blocking an IP or range on a global level. I assume with IPs hidden except from privileged users, you will not be relaying this data to the Toolforge replicas? If you give us some identifier for an IP (such as a temporary account), such that we can query against it, that will suffice for single IPs, but we still need to query for IP ranges. If we can't find a way to do this without replicating the IP data, then we need a MediaWiki solution for global contributions. Stewards cannot be expected to check every wiki before globally blocking.

There may be other tools that are affected, but global contributions is the main one that comes to mind. And again, I think it's probably just IP ranges that are the main issue, as I assume we'll have an identifier for single IPs (whatever the non-privileged users see), and tools can be updated to use that. MusikAnimal talk 00:17, 15 June 2021 (UTC)

Thanks! I don't think we've looked into this yet. /Johan (WMF) (talk) 10:24, 15 June 2021 (UTC)

Will IP range block exemptions still be needed?[edit]

Right now an IP range block by default blocks both unregistered and registered users. I can understand disallowing account creation from a particular IP range, but I've never understood why existing users that happen to be logging in from the blocked range (for example a cell phone network, or via a proxy when a country blocks access) are also blocked, and need to request an exemption from admins (if they even know that such a thing is possible). Will the new system fix this issue? ArthurPSmith (talk) 12:50, 15 June 2021 (UTC)

I'm not seeing how it would - it's to shield IP addresses, but that wouldn't affect the underlying reasons for rangeblocks, hard blocks, and IPBE. To give an example reason for why a full hardblock (vs account creation block) can be used - it discourages creating gazillions of accounts and then going on a rage with them Nosebagbear (talk) 13:06, 15 June 2021 (UTC)

Losing access to view IP addresses[edit]

The page talks about being able to view IP addresses by opt-in, but traditionally we have a problem that rights are eternal. Perhaps this should get an auto expiry, where if you have NOT requested IP information for more than 6 months, you automatically lose the right. That's not something someone should run a bot for on each and every wiki if you ask me. —TheDJ (talkcontribs) 14:00, 15 June 2021 (UTC)

Good point, like how we already sometimes treat some rights which have specific and potentially damaging accesses (like checkusers, for example), or how some wikis tend to re-elect most of the people with accesses that could be potentially damaging (admins, 'crats, checkusers, oversighters and so on) on a regular basis. For the opt-in case, you could also just opt in again if you need it. /Johan (WMF) (talk) 14:51, 15 June 2021 (UTC)

500 edits one year[edit]

The criteria of 500 edits and one year in a similar process to adminship is unbalanced. At least on the English language Wikipedia one year's tenure is about the minimum requirement for adminship, though 15 months is probably more common a criteria, whereas 500 edits, especially for a vandalfighter is nowhere close. We have non admin vandalfighters who can clock up 500 edits in a day, or less if they have Huggle or Igloo installed. We have had admins pass with little more than three thousand edits, but those tend to be time consuming edits that build the pedia. My suggestion is that the criteria would need to be the same as for EN:WP:Rollback, once someone has shown they are active in fighting vandalism we will need to get them this right as vandalfighting without it will be greatly undermined. WereSpielChequers (talk) 16:12, 15 June 2021 (UTC)

WereSpielChequers: Thanks for the feedback. While there was some reasoning behind it (see my reply in Talk:IP Editing: Privacy Enhancement and Abuse Mitigation#Update: How masking could work, this was mainly to have a number to start the conversation – it's very much up for discussion. /Johan (WMF) (talk) 16:53, 15 June 2021 (UTC)
There is a lot of admin work required to allocate a new userright. Things will go much more smoothly if this was available from the outset for everyone with either the admin or rollbacker right - on EN Rollback is a very common right for vandalfighters, if slightly obsolete. Pending changes reviewer would be another one where there was a logical fit. If we know that all rollbackers will have this right from the outset then those people who want the change to go smoothly can appoint a bunch of rollbackers in advance. Especially if we can get a list of people who have recently filed AIV reports and are neither admins nor rollbackers. WereSpielChequers (talk) 21:04, 15 June 2021 (UTC)
There a couple of things I need to discuss with others to make sure I'm being honest with the communities when I reply to the various comments on this talk page about assigning these rights, just so you know why I'm replying to other things but not to them. /Johan (WMF) (talk) 20:48, 16 June 2021 (UTC)
@Johan (WMF) and WereSpielChequers: my interpretation of where Johan would like the line to be drawn is a bit hazy (because 1 year/500 edits seems so weird, at least to en-wiki eyes), but assuming the two limits approach each other (time down, edits up) I would be thinking that it'd be higher than the somewhat de facto levels we use for PCR and potentially RB. On the flipside, rollback has been somewhat limited in criticality for a while now, and if this shared criteria it might be viable to propose slightly higher RB criteria Nosebagbear (talk) 21:21, 16 June 2021 (UTC)
On further reflection, if anyone can see the warnings that a masked IP has received, and all the edits other than deleted ones, then I'm not sure if anyone other than admins and checkusers need know more. Admins can see any deleted edits they've made, and that might sometimes justify going to a block rather than a warning. The only reason I can see for wanting to know their real IP address is because an IP range block may be needed. But who gets involved in blocking or unblocking IP ranges? A minority of admins and I suspect checkusers. So is there anyone other than an admin who needs access to real IP? WereSpielChequers (talk) 09:22, 18 June 2021 (UTC)

Talkpage for IP addresses[edit]

Currently every IP editor automatically has a talkpage that can be used to communicate with them, warning vandals but also other communication. It isn't clear from this proposal how those talkpages will exist in the future. The obvious way to do it is to have a table of IP addresses and anonymised talkpages, with only Devs, Admins, Rollbackers and Patrollers having the access to know the link between the anonymised talkpage and the IP address. Of course if each time the same IP returned they were linked to the same anonymised talkpage, then much of our vandalfighting systems would still work. As long as you can check an IP users other edits and know that if you block them for the half dozen edits they have been warned for in the last few hours there are only one or two borderline edits rather than hundreds or thousands of good edits that could in theory come from an IP address that represents a whole university or country; you don't need to know what that address is, any more than most of us need the addresses of registered accounts. But everyone, not just experienced editors, needs to be able to say these two edits were made by the same IP address but these three were made by three different ones. WereSpielChequers (talk) 16:26, 15 June 2021 (UTC)

The plan is to have a talk page connected to the masked ID that will be visible instead of how we show IPs today. I.e. not too different from today. /Johan (WMF) (talk) 16:55, 15 June 2021 (UTC)
Thanks. In the transition, will old talkpages be transposed to the new system, or will all IP vandals be given a cleansheet? If the latter you are creating a lot of work for volunteers. WereSpielChequers (talk) 16:59, 15 June 2021 (UTC)
We've talked about some sort of transition, to not wreak havoc, but how to best do this is one of the many questions we still have to figure out. I don't have a good answer for you yet (but we appreciate all feedback in this area, as well as other areas, of course). /Johan (WMF) (talk) 17:03, 15 June 2021 (UTC)
It would be interesting to run an RFC on this, but I suspect that most of the benefit would come from transposing warnings from the last month or two along with recent short term blocks. An IP that was last blocked two months ago for 31 hours and hasn't been warned since in my view doesn't have to have the history transitioned - IPs that have longer term blocks are another matter. One of the biggies that would help make this a better system than we have now would be a "recently reverted ratio" displayed for admin to see. So an IP that's had 10 out of 12 edits reverted in the last month is a completely different kettle of fish to an IP that's had 100 out of 600 edits reverted in the last month - that's the sort of IP that represents a huge institution and potentially a lot of good edits. The other issue is open proxies, but I might start a new thread on that. WereSpielChequers (talk) 21:17, 15 June 2021 (UTC)

Time to stop IP editing and require Login?[edit]

Wouldn't it be simpler and easier to just require that all editing be logged in? I appreciate that we'd lose lots of new editors, especially the unknown but allegedly large proprtion who start with some IP edits before they create an account. And if it is true that vandals do the minimum necessary to commit vandalism, whereas new editors start with an IP edit but are then lured onto more, blocking IP editing will lose us a disproprtionate number of good edits and make some vandalism a little harder to find. However, simply disabling IP editing is a technically simple exercise if we take that option we should free up some IT resource to tackle our biggest problem - making the mobile interface editor friendly. Or alternatively go for the halfway house of adding a tablet view to the mobile view so we can give a bit more functionality to tablet users. WereSpielChequers (talk) 16:38, 15 June 2021 (UTC)

There are a couple of conversations about this further up on this talk page, the latest one in Talk:IP Editing: Privacy Enhancement and Abuse Mitigation#This is incredibly shortsighted -- and not getting the attention it should get. I hope it can at least explain where we're coming from when we think that doing this the hard way is less disruptive in the long run. /Johan (WMF) (talk) 17:02, 15 June 2021 (UTC)
I used to work in Data Protection. I'm very rusty, but I know enough not to be surprised that we are looking to go down this route. My slightly different take on this is that we already have huge barriers for new editors to overcome if they are from the Smartphone generation, so if the concern is about maintaining our recruitment of new editors, the answer lies in our ratio of readers to editors among PC, tablet and smartphone users. And when you look at our ethnicity skew, finding ways to make Wikipedia editable for people in those African countries that are mainly smartphone internet users is more important than recruiting more PC users. Also this isn't 2014 anymore, we aren't in some sort of death spiral, and if we did see a gentle drop in editing it could take a while for editing to drop back to 2014 levels. Plus we no longer think of the community as like some sort of internet game that has to replace its community every two or three years. We have lots of people, including most of our admins, who have been here well over a decade. Of course there is another option, Wikimedia is based in the US which has notoriously business friendly privacy laws. We could just selectively ban IP editing in countries where the Data Commissioners are getting concerned about the privacy side of IP addresses, those countries plus ones where we don't trust the governments not to track our editors. WereSpielChequers (talk) 22:51, 15 June 2021 (UTC)
I'm not saying you're wrong – certainly mobile editing is crucial to us – but we don't think this is an either/or question. Our assumption is that this would also make it more difficult to recruit smartphone editors. But importantly, recruitment, trends and what role unregistered editing play differ a lot from wiki to wiki: as little as some like the idea of masked IPs, other Wikimedia communities would be incensed if we turned off IP editing. /Johan (WMF) (talk) 20:43, 16 June 2021 (UTC)

What happens to existing IP addresses on edit history and talkpages?[edit]

What happens to all the IP addresses logged in article history and talkpages? If we continue to have IP editing we need a bridge between the existing system and the replacement, otherwise all warning logs are reset to zero - creating a lot of work for vandalfighters. There's also an issue of attribution. We have hundreds of millions of edits where IP contributors have licensed their edits cc-BY-SA with their IP address as attribution. So if we are going to keep those edits and not revert them, we are obliged to keep the IP addresses in such a way as to give atribution. WereSpielChequers (talk) 16:46, 15 June 2021 (UTC)

Existing IPs will not be masked. /Johan (WMF) (talk) 17:36, 15 June 2021 (UTC)
That surprises me. If we have to treat IP addresses as personal data then we already have a lot of it, with a data retention poicy of keeping it all for ever. Are you sure the lawyers are cool with that? WereSpielChequers (talk) 22:55, 15 June 2021 (UTC)
We have talked about it, so I would be very surprised to be mistaken, but I'm sure Legal will correct me if I'm wrong. /Johan (WMF) (talk) 20:45, 16 June 2021 (UTC)

Handling attribution for future IP address edits[edit]

If we are going to keep IP editing, my preference is to have their future edits default to CC-SA - at least to the extent that attribution rights are waved by IP editors (if you want attribution of your edits create an account and log in). But if not, you have to create some alternative to an IP address, either that or some legal formula such as these edits are CC-BY-SA but the editor has not given an identity that needs to be attributed. It isn't clear to me how either the current procedures or the new proposal fit our copyright licencing WereSpielChequers (talk) 16:56, 15 June 2021 (UTC)

My understanding is that the mask would count as much as an identifier as e.g. a shared IP would for copyright reasons today, but I'm forwarding this to the Legal Department so they can confirm that this won't be an issue. /Johan (WMF) (talk) 17:08, 15 June 2021 (UTC)

One-page summary for non-English projects[edit]

I have been following this discussion with great interest, even if with moderate difficulties due to the level of technical English used both at the main page and the talkpage. Would it possible to provide a one-page executive summary of the latest development(s), written in plain English and fair to translate, for the sake of (obviously non-English) projects that will be greatly impacted by this proposal but is underrepresented throughout the consultation? dwadieff 17:36, 15 June 2021 (UTC)

Yes, absolutely. Thank you for the suggestion. /Johan (WMF) (talk) 17:54, 15 June 2021 (UTC)

Open Proxies[edit]

We currently block millions of IP addresses as "en:Wikipedia:Open proxies", at least we do on EN, I don't know about other projects. Will this continue in the new era, and how will it be affected by masking of IPs? WereSpielChequers (talk) 10:08, 16 June 2021 (UTC)

Thanks for the question. See #Regardless of masking we still need to be able to block IPs and have it stick – we're hoping to build proxy detection into tools we're developing. /Johan (WMF) (talk) 20:35, 16 June 2021 (UTC)
Johan (WMF), one important distinction for proxies and datacenter-type IPs is that we block those proactively rather than reactively, so in order to keep doing what we're doing we will need some way to block a specific IP or IP range, whether or not we can resolve that IP/range to anonymous IDs. I suspect that checkusers will have the same need. GeneralNotability (talk) 02:20, 17 June 2021 (UTC)
GeneralNotability: Ah, sorry, to be more clear: We are not intending to make changes to the possibility of blocking IPs. That would definitely cause a lot of unwanted disruption. /Johan (WMF) (talk) 03:17, 17 June 2021 (UTC)
Johan (WMF), all right, I wasn't certain one way or the other whether that would change - thank you for clarifying! GeneralNotability (talk) 12:51, 17 June 2021 (UTC)
Happy you're asking – that way we can clarify for everyone else too. /Johan (WMF) (talk) 14:50, 17 June 2021 (UTC)

Transparency[edit]

Lots of projects such as the CongressEdits project use IP addresses to check when powerful groups are editing wikipedia. If you need to have near - checkuser level privileges to view edits by IP, the transparency of edits is dramatically diminished! This proposal seems like it's great for all the political hacks and interns who want to puff up some article without needing to register for an account and become unambigously traceable there.

I for one, strongly oppose this proposal 69.172.145.94 21:10, 18 June 2021 (UTC)

IP editor, depending on exactly what gets exposed to the average user, you probably will not need "checkuser level privileges" - the en:WHOIS information for this Congressional IP, for example, specifically mentions that it's a Congressional IP in the fields that would normally have the name of the ISP. The mockup they presented for the "partial info" view contained the ISP. I concede that we would lose the nice tagging we get from filter 958 though. GeneralNotability (talk) 01:52, 19 June 2021 (UTC)
Speaking of AbuseFilter - NKohli (WMF), I don't see any mention of that on the main page; has any thought been put into how the technical details of IP-hiding will interact with the abuse filter? The ip_in_range function is used in a decent number of LTA-focused enwiki filters. Personally, I'd recommend keeping it and requiring that any filter dealing with IPs be private - for enwiki, at least, the rights that let you view private filters and their hits (edit filter helpers, edit filter managers, and admin) all involve a good deal of vetting, and EFH/EFM for non-admins in particular is quite rare and only given to very trusted editors. GeneralNotability (talk) 01:59, 19 June 2021 (UTC)

Enough is enough[edit]

Firstly, on this page, WMF have been manifestly unfair to their legal team. That may have been without intent, but it is still the case, since attorney-client privilege prohibits the legal team from being able to respond. (Alternatively, their legal team may have said "Hey, make us the bad guys!") So every time that we see a response like Putting this on the list of questions I'm forwarding to Legal. from Johan (WMF), this is essentially sending the question down a black hole. Legal cannot ethically respond; that could literally be a breach of confidentiality that could lead to them being disbarred.

However, attorney-client privilege does not apply to the client, in this case the WMF. They can either permit Legal to respond to things, or do so themselves. So these questions are explicitly and absolutely not intended for a "we forwarded these to Legal" response, as that is by definition a black hole. Rather, I would like a direct response from the current head of the WMF (in the absence of an ED) to each and every one, since they can if they wish answer them, as the client in the attorney-client relationship. I would of course prefer a direct answer to each one (and to a "yes" or "no" question, that would at least start with "yes" or "no"), but at the very minimum, if the answer is "We aren't going to tell you", I would like them to give that response directly and own that. In that instance, they could, as the client, respond, and are choosing not to do so. In no instance should the response be "We can't tell you". You are not bound by professional ethics not to, so yes, you could. If you are choosing not to, say "We won't tell you", not "We can't tell you". You could if you chose to.

For clarity's sake, if the individual reading these questions does not have the authority to answer them, please bump them up to any individual in the WMF who does have the authority to directly address them up to and including the acting ED rather than giving any blowoff yourself.

Questions are as follows:

  1. If not showing IP addresses to the general public was a legal requirement, why was this only stated as such after the community clearly opposed this proposal?
  2. Does showing IP addresses to the general public violate the black-letter law in any jurisdiction in which the WMF is subject to the laws of?
    1. If so, which jurisdiction?
    2. If so, which law(s)?
    3. If so, why hasn't IP editing been disabled while this is in process?
    4. If so, why can we still show old IPs?
  3. Does showing IP addresses to the general public violate the interpretation of law in any jurisdiction in which the WMF is subject to the laws of?
    1. If so, which jurisdiction?
    2. If so, which law(s) (has|have) been interpreted that way?
    3. If so, where can that interpretation be found?
    4. If so, is that interpretation final or still subject to appeal?
    5. If so above, why isn't the WMF appealing?
    6. If so, why hasn't IP editing been disabled while this is in process?
  4. Does showing IP addresses to the general public violate the potential interpretation of law in any jurisdiction in which the WMF is subject to the laws of?
    1. If so, which jurisdiction?
    2. If so, which law(s) could be interpreted that way?
    3. If so, how likely is such an interpretation?
    4. If so, why hasn't IP editing been disabled while this is in process?
  5. Does showing IP addresses to the general public violate the WMF's internal policies or requirements?
    1. If so, why are changes to those internal policies or requirements not being considered as a valid response to community consensus against the masking proposal?
  6. Does showing IP addresses to the general public only violate "general expectations" of Internet users?
    1. If so, why is this being treated as a legal requirement?

Enough is enough. It is time to be clear about exactly what these "legal" requirements are here, because to be quite honest, it at this point seems to be a fig leaf over yet one more instance of "We're doing this whether you like it or not." The community opposed this proposal, and all of a sudden got "Oh it's a LEGAL requirement! But it doesn't break any laws..." (see Q: Is this project the result of a particular law being passed? A: No. Data privacy standards are evolving in many countries and regions around the world, along with user expectations., which leads back to the core question: Is this actually legally REQUIRED, or are there internal standards WMF could amend? It's past time we got an actual answer to that, because I strongly suspect the answer is the second, and you know we'll ask you to do it if that's possible. So time to actually give us the details. Seraphimblade (talk) 05:58, 19 June 2021 (UTC)

It seems like the WMF already did answer it (in the FAQ you quote); the stance seems to be that it doesn't violate any law, but user expectations are changing, and publicly showing entire IPs isn't tenable. (I agree.) Ensuring editor privacy is a reasonable responsibility for the Foundation. Perhaps you'd never get consensus for people to change their workflows voluntarily, so the change would never happen any other way, but that doesn't mean the change isn't the right thing to do. ProcrastinatingReader (talk) 22:10, 20 June 2021 (UTC)
While that may hold up Proc, it doesn't explain the abysmal level of communications and clarity from WMF Legal in the process, with currently just shy of 4 months since a number of questions, including meta-oriented questions that wouldn't be tied to a need to potentially admit liability to anything, were asked. That includes even failing to state specific questions they would not be answering.
We have two primary WMF stakeholders, and the tech team, as indicated by the major improvements in the June 10th update, are engaging nicely. Legal, however, are giving an example of how it's not done. Nosebagbear (talk) 00:58, 21 June 2021 (UTC)
ProcrastinatingReader, well, that's the reason for these questions. If your conjecture is true, this is not actually a legal requirement, and quite frankly if that is so we are being lied to. If we don't want the change, and it is not literally legally mandated, the WMF shouldn't be cramming it down our throats. If it is legally mandated, then the question remains—by what law? If it's only required because of WMF internal policies, and we don't want the change, the answer is "Amend those policies". We already set expectations clearly by displaying to anonymous editors a prominent notice that their contributions will be associated with their IP, and that they may create an account to avoid that, so for them to say "I didn't expect exactly what it told me would happen to actually happen!" would be more than a bit ludicrous. Seraphimblade (talk) 13:46, 21 June 2021 (UTC)
We're aiming for an update from the Wikimedia Foundation Legal department next week. I'm sure there are will still be things they won't be able to address, but it should contain more information than what's available on the page now. /Johan (WMF) (talk) 00:09, 22 June 2021 (UTC)

How is this being proposed unilaterally?[edit]

Is the WMF completely disconnected from the community? Blocking IPs is listed as a perennial failed proposal, for good reasons. As for this particular proposal, dealing with vandals and disruptive IPs is already hard enough when the IP is immediately visible. Given the absolute dearth of convincing legal arguments, I fail to see what this is achieving, beyond further alienating the WMF from a significant proportion of its community. The most important persons on Wikipedia and related projects are not the WMF or administrators or functionaries. The most important persons are editors.

Given that a significant proportion of IP edits seem legitimate, given that this will have absolutely no effect beyond making dealing with dedicated vandals more difficult, given that a significant proportion of the community seems opposed to this, given that the WMF has no legitimate authority or reason to impose top-down on the community which is responsible for its success, the only response I would expect from the WMF, in light of the opposition on this talk page, is to shed this proposal into the garbage bin of history, and not come back to it. RandomCanadian (talk) 19:15, 21 June 2021 (UTC)

RandomCanadian: Of course the Wikimedia projects are run by the editors, and we really do not want to cause more issues for them, which is why this is long-term project, why we're trying to build tools to offset the issues this will cause and so on. But this isn't something we're working on because the Foundation one day decided that, ah, this probably is a good idea, or because we decided that we know better how to handle unregistered editing. We knew it would cause problems. We knew it would be impopular. We knew it would interfere with one of the processes we really do not want to interfere with.
But we're doing it because the Legal department looked at what's been happening with privacy norms and regulations and came to the conclusion that this is something we have to do. While I absolutely do not want to tell the communities how to run vandal fighting, which they are far better equipped than anyone else, the Foundation has legal responsibilities towards the information we're collecting. And legal decisions have not been decided by consensus even in the Wikimedia movement. The status quo – doing what we've been doing and the external world treating it like it has for the past twenty years or so – isn't an option we have been given. /Johan (WMF) (talk) 19:43, 21 June 2021 (UTC)
@Johan (WMF): Thanks for your reply. I don't see any definitive arguments being given in response to the detailed interrogations in #Enough_is_enough. Is the status quo currently breaching any laws, or not? If yes, please state it so clearly. If not, I understand that we don't want to be reactive, but if there's no evidence of a problem, and if there's no evidence that there will be a problem in the short-to-moderate-term future, don't I don't see what exactly is the point of all of this. RandomCanadian (talk) 19:57, 21 June 2021 (UTC)
Thanks, RandomCanadian. The legal team will post an update soon, which should contain a bit more information than what's currently available. In the meanwhile, we appreciate everyone who is pointing out the issues they foresee, so that we can do our best to mitigate said problems. /Johan (WMF) (talk) 20:23, 21 June 2021 (UTC)