Talk:IP Editing: Privacy Enhancement and Abuse Mitigation

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search

Main project page (discuss)
Ideas for privacy enhancement (discuss)  · Improving anti-vandalism tools (discuss)


IP Editing: Privacy Enhancement and Abuse Mitigation Archive index
This page is to collect feedback for the privacy enhancement for unregistered users project.
Hoping to hear from you. You can leave a comment in your language if you can't write in English.
Filing cabinet icon.svg
SpBot archives all sections tagged with {{Section resolved|1=~~~~}} after 7 days and sections whose most recent comment is older than 90 days.

Feedback on tools[edit]

Hey folks, IP Editing: Privacy Enhancement and Abuse Mitigation/Improving tools has our current thinking around tools to mitigate issues IP masking will bring. We're looking for comments both on those and if there are other things you need us to build. Please do see Talk:IP Editing: Privacy Enhancement and Abuse Mitigation/Improving tools. /Johan (WMF) (talk) 13:23, 15 October 2020 (UTC)

Feedback on persistence[edit]

We're also looking into how to exactly create the IP masking. To avoid as many problems as possible, we need to know how persistence or lack of persistence (that is: how to connect the identities over time) is causing or could cause problems for you. Please see IP Editing: Privacy Enhancement and Abuse Mitigation/Persistence and tell us all the things that could go wrong on the talk page. /Johan (WMF) (talk) 13:23, 15 October 2020 (UTC)

Going forward: IP masking happening, where there's flexibility[edit]

Hey folks, I wanted to acknowledge that there’s been plenty of concerns raised about this, in the archived discussions and not least this list. Thank you for your concerns, everyone. We need to understand all issues around this.

There are some questions we’ve been unable to answer with the requested amount of detail. They have been where we can’t answer because of legal aspects; and where we weren’t able to describe our specific plans or implementations. We didn’t have answers to this second type of question, because if we have the hows ready for something like this before we talk to the communities we’d be asking for disaster. You need to be part of this if it’s going to work.

We’ve been talking internally to get a sense of understanding of what we can do and what we can’t, and the Legal department has clarified their guidance for the project and emphasized the importance of getting this done. If the Legal department tells us we have to do something for legal reasons – which they unfortunately can’t explain publicly in more detail without risk to the projects – we have to take this and do the best we can within the bounds we've been given: the status quo can't remain, and we have to do something about the ways we handle IPs for non-registered users.

But how we do this is yet to be determined. We have some flexibility, so we are trying to figure out how to best do it. We have a page specifically on this. Please do let us know: we’ll need as many use cases as possible. We also don’t have to throw the switch this month, or next month: we are committed to figuring out how to offset the issues this will cause by building new tools. We’re looking for your comments on them too. And please continue to let us know what your main concerns are, so that we can try to work around them as well as we can.

There are a lot of very valid concerns. We’re listening to these and adapting as well as we can. However, please understand that this is something we have to do one way or another, and there’s no available strategy here that is without risk. We do understand the potential this has to create problems for the wikis, though we’re optimistic that by learning from your experiences, we can build tools that will help you offset that and come out with no greater burden than you had a year ago. /Johan (WMF) (talk) 13:23, 15 October 2020 (UTC)

@Johan (WMF): Can we get an official statement from Legal on this? --Rschen7754 19:14, 15 October 2020 (UTC)
Rs7754: Yes, coming. /Johan (WMF) (talk) 03:40, 16 October 2020 (UTC)
@Johan (WMF): I don't mean to be a bother, but it's been days now. Do you have a ballpark idea on when we might hear from Legal - whom ordered this? SQLQuery me! 07:10, 21 October 2020 (UTC)
SQL: When I asked them towards the end of last week, they were aiming for some point this week. /Johan (WMF) (talk) 08:17, 21 October 2020 (UTC)
(But it could also be next week. /Johan (WMF) (talk) 08:32, 21 October 2020 (UTC))
Is the IP masking retroactive for all IP edits made on all projects so far, or is this only for edits made after the IP masking is implemented? Hemiauchenia (talk) 22:16, 17 October 2020 (UTC)
Hemiauchenia: Per current plans, only the ones after IP masking is implemented. /Johan (WMF) (talk) 05:54, 18 October 2020 (UTC)
@Johan (WMF): Could you please explain what is actually meant by "IP masking"? The term sounds rather vague. In particular, does that mean that won't be able to look up the contribution history for a particular IP editor? And to tell that two edits were made by the same IP editor? In the history log for a given page, would all the IP edits just by marked by something like "anonymous IP editor"? Or would you try to assign to them some sort of internal identifying numbers, e.g. "anonymous IP editor 3233", "anonymous IP editor 3234", etc? Thanks, Nsk92 (talk)
Nsk92: It means that we will somehow need to replace the IP with something else, but definitely individualise them, using some sort of alias: I don't see how we could work with non-registered edits if they were all treated as one user. We are looking for feedback on exactly how this would work. Please see this page. /Johan (WMF) (talk) 05:54, 18 October 2020 (UTC)
The first question I'd have here is whether an RFA or RFA-like process would be sufficient to access IP material. The tooling needed will differ dramatically based on that point. power~enwiki (talk) 04:20, 18 October 2020 (UTC)
power~enwiki: Important question. We will need to figure out what the potential legal aspects of this detail are before I can give you a good answer. /Johan (WMF) (talk) 05:54, 18 October 2020 (UTC)
So we have this alleged "directive" from legal that IP masking MUST!!! happen, but I am to understand that there has been absolutely no thought on how it would actually be implemented? I wish I could say that I was surprised. Anyone with +sysop must be able to see IP addresses and contributions for IP addresses and ranges, they must be able to review block logs and place blocks, in the same way that they can today. Not on some masked "anonymous user 2351/64", but on an IP address or range that can be run through WHOIS and proxy checkers and cross-wiki contributions checks. On the other hand, if you expect admins to continue to clean up vandalism and worse while breaking all of the tools that they rely on, the only possible conclusion is that whoever came up with this idea is dramatically out of touch with the day to day operations of the wikis. ST47 (talk) 16:06, 18 October 2020 (UTC)
ST47: IP masking is not going to happen tomorrow. We have specifically tried to talk to the communities long before we have the solutions because we need vandal fighters to be involved in the process. With that said, there's been plenty of thought on how it could be implemented, both internally and in the archives here. What I'm saying is that the team responsible for this are adapting to a new situation and there are some implications we're still figuring out, but we also don't want to keep important information like this from the communities. The only way we could have the solutions ready would have been if we had tried to solve this without involving the communities, which I think would not have ended up well.
Our goal is to have as much tool development as possible before we mask IPs. If we just wanted to mask IPs, we could do that in a couple of days. This is a long-term project because we're trying to fix as many of the issues as possible. Telling us what you see as the most prioritised issues are is helpful; the ones others see aren't necessarily the ones I concentrate on, for example. /Johan (WMF) (talk) 20:57, 18 October 2020 (UTC)
ST47: Also, by the way, since you're a member of the SWMT – are there any SWMT-specific concerns you think we should be aware of? Do they differ in any way from the problems you're seeing for English Wikipedia? /Johan (WMF) (talk) 21:17, 18 October 2020 (UTC)
  • Two points, @Johan (WMF): - one is that you note that Legal requires it, but "which they unfortunately can’t explain publicly in more detail without risk to the projects" - the WMF has always pushed for transparency, so why can't it be explained in more detail? If there's a legal argument for it based off public laws (as opposed to say, a contract) then transparency should be taking precedence - especially in the case of an action that is going to cause in-ordinate disruption to every (non-pt) community. In more implementation-oriented direction, the early discussions with NKolhi and team indicated that they'd been surprised but accepted how much activity in this field was carried out by non-admins. Unless the replacement can guarantee 100% of the same ability, in all circumstances, for non-admins, the information barrier needs a lower threshold than a passed-RfA, probably on a userright basis. Nosebagbear (talk) 19:07, 18 October 2020 (UTC)
Nosebagbear: I don't know what they'll be able to say, but Legal has promised a statement in addition to what I've written here, hopefully next week if nothing gets in the way. /Johan (WMF) (talk) 20:57, 18 October 2020 (UTC)
@Johan (WMF):, I'll keep my eyes out for that, are you in a position to reply to the second half of my comment (obviously it's a weekend atm)? Nosebagbear (talk) 22:37, 18 October 2020 (UTC)
Nosebagbear: Nothing beyond what I could give power~enwiki in Special:Diff/20547191, i.e. that I will have to get back to you on that, I'm afraid. /Johan (WMF) (talk) 06:30, 19 October 2020 (UTC)
    • My reading of the passage "for legal reasons – which they unfortunately can’t explain publicly in more detail without risk to the projects" in Johan's original post is that WMF wants to maintain plausible deniability here. They apparently think that they are already exposed to some substantial legal liability on this issue in some jurisdictions and explaining publicly could be used against WMF in some lawsuits later on. There may be some validity to that argument but on a larger scale it is basically BS. The fact that this thread even exists is already proof positive that WMF is aware of it current legal exposure on the issue, and I doubt that making the reasons public would make that much of a difference. As others noted above, transparency is a key basic principle of WMF and of all of its projects. I believe that in this situation WMF owes us a much fuller explanation of the reasons for its actions than what has been offered so far. That is especially the case in view of the overwhelming opposition that this proposal received here on Meta just a month ago, Talk:IP Editing: Privacy Enhancement and Abuse Mitigation/Archives/10-2020. If somehow it turns out that the potential legal liability to WMF created by the current practices with unmasked IP addresses is really extremely severe (and so far we have not been provided explanations to that effect), then the correct solution would probably be to just institute mandatory account registration across all WMF projects and disallow any IP editing at all. Masked IP editing creates too many problems that are too difficult to mitigate, not just with straightforward vandalism, but with other forms of disruption such as sockpuppetry, meatpuppetry, block evasion, etc. It's just not worth the trouble. Giving every IP an individualized alias is almost a form of registration anyway, except that they haven't chosen a password. We might as well make them do that. Nsk92 (talk) 20:33, 18 October 2020 (UTC)
Nsk92: Not being a lawyer, I really can't comment on the legal aspects of this, but as a data point, my home wiki has specifically decided against turning off IP editing in the light of IP masking, for example. (: The role IP editing plays across the wikis varies a lot. Not trying to get into an argument about the best way forward here, merely trying to explain why we think it's worth investing a couple of years of work in trying to solve the problems instead. /Johan (WMF) (talk) 20:57, 18 October 2020 (UTC)
"Not being a lawyer, I really can't comment on the legal aspects of this." User:Johan (WMF), sorry, but once again, I call out BS on this point. The only thing that not being a lawyer prevents you from doing is arguing a case in court. You most certainly can comment on the legal aspects of the reasons behind this WMF move. We all got brains and the ability to use reason and rational arguments, at least I hope we do. We routinely have to delve into fairly complicated laws when we deal with copyright issues on various wikis. Similarly, we discuss various legal cases and court decisions at talk pages of Wikipedia articles about them, or about judges who wrote relevant opinions, and nobody asks to verify if an editor has a law degree in order to edit such an article. Of course, in real life we do the same too, when we deal with various legal matters, in our own lives or in politics and public life. We don't suddenly switch off our brains and say: "I am not a lawyer so I can't comment on the legal aspects of this issue." It's not rocket science. We all can comment on legal matters and so can you. Nsk92 (talk) 21:42, 18 October 2020 (UTC)
I would feel a lot more comfortable about Legal's "we can't speak publicly about it" statement IF anyone who has been elected "bureaucrat or higher" and is still in good standing, or others who has signed an NDA already for other reasons such as OTRS, had the opportunity to get the full details from the legal team, even if a separate, purpose-written NDA was required. Notice I said "opportunity" - what is heard cannot be un-heard, so it should be "on request" rather than "pushed out" to people who hold high privileges. If more than handful of "highly trusted users" on the English Wikipedia were to say "yeah, we got the full deal, yeah, they really can't talk about it, and yeah, it really is one of those things we have to do" I'd feel a lot more comfortable, especially if at least half of them were currently serving in an elected position or had gone through an RFB-like procedure. Those on other large projects deserve similar respect. Those on small projects may have to rely on the words of stewards and other cross-wiki highly-trusted editors. Davidwr/talk 21:17, 18 October 2020 (UTC)
It does seem likely that the "WMF is already subject to major non-compliance" would be the only reason to want to hide it that might hold up (Legal teams in general are reticent to provide unwarranted information, so I can see them desiring not to spread it even if that weren't the case, it would just have less justifiability to it), but if we're currently in major breach then logically an emergency shut-down of IP-editing for 6 months would be the action. If it's an impending risk (technically all risks are impending, but still), say, from upcoming US law, then there'd be no issues with stating that. Nosebagbear (talk) 22:37, 18 October 2020 (UTC)
Davidwr, I assume it depends a lot on why they can't speak publicly. While this is very far from my field, I assume if they're subject to some sort of gag order or similar, getting someone to sign any NDA is not going to be enough. They need to convince a court to allow them to disclose it under said conditions which may be difficult. Likewise, if they don't want to speak publicly because they don't want to give any ammunition to a legal opponent, then I suspect this also isn't going to work. Getting someone to sign an NDA probably won't affect that you've communicated it with some random person and therefore protections against enforced disclosure (attorney-client privilege etc) may go out the window. (As someone pointed out above, the very fact this has occurred poses a risk. Still I can imagine the risk may be lower if all you have is this and whatever limited carefully vetted statement they eventually put out compare to having the exact opinion of the legal team to show a judge or jury.) Nil Einne (talk) 07:24, 20 October 2020 (UTC)
  • I can't reconcile 'We also don’t have to throw the switch this month, or next month' with 'which they unfortunately can’t explain publicly in more detail without risk to the projects'. If the risk is indeed so material, I can't understand the delay - and if it isn't, I can't understand the non-disclosure. I would be keen to understand whether Legal has engaged external counsel on this, whether an impact assessment has been done, and whether the Board has endorsed the approach also. I do think Legal have missed a trick by not having a statement ready to go. Best, Darren-M (talk) 10:02, 20 October 2020 (UTC)
  • @Johan (WMF):, I realise "don’t have to throw the switch this month, or next month'" wasn't meant purely literally, but I do hope the timeline on this is not tight - getting CluebotNG (which has an easier mission that identifying similar-looking editors) into a form where the false positives weren't too high took a lengthy period of time. All the previous documentation states that the tools would be up and running before any switch-over (since we are apparently going ahead, despite the fact that I still can't see how we're going to get 100% equivalence even if tools all work as desired). Nosebagbear (talk) 10:50, 20 October 2020 (UTC)
It's not a tight timeline. I'll get back to you on more details when we have them. (I realise I'm saying this a lot, but we really wanted to involve the community as early in the process as possible, and that means not spending a lot of time first keeping silent on this while figuring out everything internally.) /Johan (WMF) (talk) 17:11, 20 October 2020 (UTC)
A lot doesn't make sense here. If this really is some sort of legal compliance issue, IP editing should at least be temporarily disabled while solutions are figured. I think we need that statement from Legal sooner rather than as later, and to at minimum at least know which jurisdiction's laws they think require such a step. Unless the answer is "the US", the answer there might be "Time to pull out of that jurisdiction." I work in tech, and I have never once heard of US-specific law demanding that IP addresses be kept secret. Seraphimblade (talk) 19:36, 21 October 2020 (UTC)
@Seraphimblade: - the USA or EU would both be rather too problematic to consider a withdrawal, at a bare minimum (if that is the issue) Nosebagbear (talk) 19:47, 21 October 2020 (UTC)
Quite honestly, if EU law is messing with us in that way, I think there's no better time than the present. But it would certainly be good to know which law it is—some of us in the relevant jurisdiction might be very interested in talking to our legislators about it and encouraging others to do the same. If it were US law, you better bet I'll be calling up my Senators and Congresscritter. Seraphimblade (talk) 19:57, 21 October 2020 (UTC)
  • Isn't this an indication that we should only allow registered users to edit WP? Just think - no more vandalism, a sharp reduction in backlogs at AfC and NPP because editors won't be wasting their time fighting vandals and can focus where their time is more productive, and we'll have a better shot at ensuring accuracy in our articles instead of worrying about drive-by kid games. I don't think the arguments for allowing IP editing are as convincing as they were in the earlier days of WP. It's not a big deal to register, or get an IP exemption. A grammar/spell check algorithm can be created by WMF to fix what some drive-by IPs do. IPs are already restricted in several ways, so why not just eliminate it all together? Atsme📞📧 14:50, 23 October 2020 (UTC)
A huge amount of vandalism is done by short-term accounts and if we canned IPs, obviously we'd see even more of them. So I wouldn't think we'd lose more than a tithe or so of vandalism. And getting an IP exception is quite hard if you don't have a pre-standing link with the site. The main reason is that even though individuals are more willing to create accounts than was in the case in 2001, we still get lots of new editors joining the site having initially experimented with some IP edits. Nosebagbear (talk) 14:54, 23 October 2020 (UTC)

Archiving[edit]

Hey everyone, this page has been regularly archived, but there were still some sections here. I've archived those too, in accordance with the existing system. I've been rather undecided on the best way to go about this, because we really don't want to hide away the fact that there's been a lot of concern and resistance (see the list here, for example), but my reasoning is as follows: a) We did a major update to the main page. The old talk page discussion doesn't really discuss the same page as earlier, which could be confusing. b) The old talk page belonged to a project which we hoped to be able to do, but were not entirely certain would happen. Now that the Legal department has clarified that we'll need to do this one way or another, getting people stuck in patterns of an old discussion and risk missing being clear about where there's flexibility would make it more difficult for them to actually influence what happens. /Johan (WMF) (talk) 13:23, 15 October 2020 (UTC)

Communication plans[edit]

We're planning to communicate this more widely soon – there's a lot of things happening right now, and we don't want to overwhelm the communities with so many things at the same time they've got no chance to react, but we also didn't want to sit on major updates and not tell you. /Johan (WMF) (talk) 13:27, 15 October 2020 (UTC)

Well...[edit]

If you want to mask IPs, I'd rather take the plea of ptwiki and require signup to contribute. (Permalink)

IPs protected (from the public), and the ptwiki community got their wishes fulfilled. Two problems solved once. (BTW, if you are going to use "Legal told us so", why all the "consultations"?) — regards, Revi 20:58, 16 October 2020 (UTC)

revi: There's a section in the FAQ, but in short, here are some of the main reasons why we're doing a long-term project on this, attempting to come up with new tools and spending significant time and resources instead of merely turning off unregistered editing across the projects:
IP editing is important for editor recruitment and we're afraid we'll harm the wikis if we just turn off IP editing. For example Swedish Wikipedia has explicitly discussed turning off IP editing in the light of IP masking and decided not to, since they don't seem to consider IP masking to be much of a problem. And IP Editing: Privacy Enhancement and Abuse Mitigation/Research shows there are significant differences in how important IP editing is for wikis, with some wikis depending on IPs to a considerable degree for their content even when you ignore the role it plays in editor recruitment. Personally I worry it would almost completely kill some small wikis, like Faroese Wikipedia.
With regards to the "Legal told us this has to be done", I want to stress that we didn't know we'd end up with this when we started this project. We haven't been hiding it: we learned it recently which is why we're telling you now. It did come from Legal, but it wasn't clear that we'd end up with "and the status quo can't remain". Second, our main goal was never to present an idea and get a yes or no: we didn't have a clear suggestion for what to do. We needed to talk to the communities to understand their concerns and technical wishes, so we can do our best to find solutions to these – involve the communities early in the process. We're still looking for feedback on tools and collecting use cases so we can avoid creating unnecessary problems. /Johan (WMF) (talk) 06:27, 17 October 2020 (UTC)
I'm still confused on a pretty major point. The FAQ says: We think that deciding for all wikis that they can’t have IP editing is a destructive solution. However, here it seems you are refuting the idea that a wiki (in this case ptwiki) itself cannot decide whether turning off IP editing is appropriate for their own community. I mean, maybe Portuguese Wikipedia doesn't want to prioritise editor recruitment, so shouldn't they be allowed to make that decision? –MJLTalk 07:00, 17 October 2020 (UTC)
MJL: Sorry, I probably took revi's comment to be more generalised than it was meant to. The Portuguese Wikipedia case has been addressed to the board, which is quite beyond what this team can act on. You're quite right it has implications for both what we've said previously – we've talked about helping a wiki pilot limiting IP contributions to get more data if they wanted to go that way – and this conversation, and I'm not trying to ignore that, nor refute anything. It's just grown into a process we're also trying to figure out before we can give a good answer. /Johan (WMF) (talk) 08:39, 17 October 2020 (UTC)
(The TL;DR of the comment above is "will have to get back to you on that, which might take a while". The rest is just trying to be transparent about why. /Johan (WMF) (talk) 10:12, 17 October 2020 (UTC))
@Johan (WMF): No, that's fair. -revi was being pretty sardonic in that comment, so it's not unreasonable to just imagine it as sarcasm. If you need a wiki to work with in the future to implement a ip pilot program, Scots Wikipedia would certainly be interested in discussing that to say the least. –MJLTalk 21:56, 17 October 2020 (UTC)
  • This entire proposal remains an awful idea. Vandal-fighters and admins rely on IP addresses in order to identify and block vandals and abusers. The persistence and subnettability of IP addresses is essential to this work. If IP masking goes into effect, it will be impossible to place a range block without being a checkuser, as you need access to the complete WHOIS information in order to calculate the correct range, and access to the complete contributions in order to check collateral. Even regular users need to be able to view the contributions, block log, and talk page history of an IP address in order to determine how to respond to various types of disruptive editing. Forcing IP masking on the communities will result in more wikis taking the route of disabling anonymous editing, in all namespaces, so you might as well just acknowledge that that is the decision that you're making here, and update $wgGroupPermissions['*']['edit'] = false. Once the communities see that their anti-vandalism and anti-abuse workflows have been completely upended, they will make the same decision. ST47 (talk) 15:53, 18 October 2020 (UTC)
ST47: I've replied to the point about turning off IP editing above, but honest question, if you've got time (and totally understandable if you've got something else to do, of course): Why do you think regular users wouldn't have access to the contributions, block log, and talk page history?
Also, are there any particular situations with regards to persistence you think we should be aware of? /Johan (WMF) (talk) 21:07, 18 October 2020 (UTC)
@Johan (WMF): This masking cannot stand. Disabling unregistered editing is better in every way. Everyone else has already explained why. If transparency is the goal here, why is this not being acknowledged? Naleksuh (talk) 22:04, 19 October 2020 (UTC)
Hi, Naleksuh, we’re hearing you (and the others). And we are taking it seriously. Let me reiterate why we think that investing a lot of time in trying to solve the problems involved – we know we haven't, by the way. We're talking to the communities to figure out this together, not to present you with a solution that we've tried to come up with on our own, without community input. I completely understand looking at the situation today, imagining what it would look like if we turned on IP masking, nothing else changes, and think it'll be really bad on some wikis (but not necessary all – IP editing and spam patterns vary a lot across the wikis).
This page, and its archives, is not the total sum of Wikimedia community discussion on this subject, because Meta conversations are vey dominated by English which shuts out a lot Wikimedians. Here, for example is a community discussion on the subject asking the question "in the light of IP masking, do we want to turn IP editing off?" with other perspectives. Or the very varied results when Arabic Wikipedia discussed it.
The researchers who have been trying to look at what the effects would be are really afraid of the long-term effects it would have. But, as I wrote above, we’ve said we’re open to take a closer look together with a suitable community. For example, w:en:User:Benjamin Mako Hill wrote up IP Editing: Privacy Enhancement and Abuse Mitigation/Research. /Johan (WMF) (talk) 17:30, 20 October 2020 (UTC)

Third Party MediaWiki installs.[edit]

Hi, Could this at least be opt-in for third party installs? or at least a config flag to disable it? RhinosF1 (talk) 21:08, 16 October 2020 (UTC)

Looking into this, RhinosF1. /Johan (WMF) (talk) 08:46, 17 October 2020 (UTC)
RhinosF1: I'd really recommend going with some sort of masking for the same reason we're doing it, but it won't be forced on third-party installations. /Johan (WMF) (talk) 20:40, 19 October 2020 (UTC)
Of course we'll consider any meausres you put in place on the legal and community approval sides but I just wanted to make sure it would be optional. RhinosF1 (talk) 08:43, 20 October 2020 (UTC)

Range information[edit]

It is absolutely necessary that recent changes patrollers and administrators have access to IP range information. The ideas in IP Editing: Privacy Enhancement and Abuse Mitigation/Persistence are wholly inadequate in that regard. As Hemiauchenia wrote on the talk page there, using a persistent range-preserving mapping such as Crypto-PAn is necessary. Furthermore administrators need to be able to access WHOIS-Information so they can make informed decisions about blocking parameters. It is something quite different to block a range of a company compared to a range of dynamic IP addresses of a local service provider. --Count Count (talk) 08:01, 19 October 2020 (UTC)

Hey Count Count, thanks for the feedback, much appreciated.
As a general comment, just want to point out that a lot of folks seem worried that we have presented implementation specifics that we feel prepared to put into reality, unless they protest. I just want to be clear this is not the case: because we know how complicated this is, we have no ambition to suggest how to move forward until we have heard the concerns. We figured that we needed to involve the communities very early in the planning process, rather than coming up with a plan before talking to you. It might be helpful to understand this more as a technical investigation than a proposal for how to move forward.
We're working on tools to serve key WHOIS info such as owner (company or ISP?) to everyone who needs it, not just admins. See IP Editing: Privacy Enhancement and Abuse Mitigation/Improving tools#1. IP info feature and feel free to comment on those plans. /Johan (WMF) (talk) 08:34, 19 October 2020 (UTC)
Is that cleared with legal? Giving everyone access to personal information such as GEO location, organization, etc. might be just as problematic as the IP address at least under the GDPR. --Count Count (talk) 08:54, 19 October 2020 (UTC)
@Count Count: We don't plan on giving everyone access to personal information. In the series of interviews we did with checkusers and patrollers it became very apparent that their jobs are really hard and not having access to IP Information readily available is part of the complication. They rely on external websites that are broken or misleading quite often. Also different editors rely on different websites creating inconsistencies in data. The feature we are building is focused on making it easier for patrollers (including checkusers) easier to detect where an IP is coming from and get some basic information available at their fingertips. We are yet to decide which group of users will have access to this information but rest assured it will not be handed out to everyone. I'd love to hear your thoughts about this. Thanks much. -- NKohli (WMF) (talk) 04:21, 20 October 2020 (UTC)
(Just to clarify: by "everyone who needs it" I didn't mean "everyone", I meant "everyone who needs it from our perspective of vandal fighting". /Johan (WMF) (talk) 17:07, 20 October 2020 (UTC))
On dewiki we have quite few recent changes patrollers who are able to check the edits of an IP, find out if it is dynamic or static, check the WHOIS information and the block log as well as the same for ranges including that IP. They often remember if they saw similar unconstructive edits from IPs in the same /x range recently. They are then able to include valuable insight in their vandalism reports. If at all possible knowledgable recent changes patrollers (non-administrators) and administrators should have access to information about anonymous editors including WHOIS, geolocation, range information, edits of those ranges, etc. --Count Count (talk) 17:40, 20 October 2020 (UTC)

Crypto-PAn[edit]

Has anyone looked into Crypto-PAn? This would mask IPs while preserving range information. As originally specified, it only works for IPv4 addresses, but it might be possible to modify it to support IPv6 as well. Suffusion of Yellow (talk) 20:23, 19 October 2020 (UTC)

Treat all users on a /64 as one[edit]

Idea: Before masking, throw away the 64 low-order bits of IPv6 addresses. That is, everyone on a single /64 range is considered to be one user. This is the most common case where an unprivileged user benefits from knowing range information. This might cause trouble where one user on a home network gets lumped in with the "little brother" on another device, but that would have happened anyway if they had been using IPv4. And there might be some issues with weird ISPs (e.g. AT&T) where unrelated users can share /64 ranges. But I don't think there will be major problenms. In fact, I'd support this even if IP masking doesn't happen. (Pinging @TonyBallioni: for a second opinion here). Suffusion of Yellow (talk) 20:34, 19 October 2020 (UTC)

This is not workable. Verizon Wireless and its millions of customers are not allocated their own /64. They bounce around on a /40. This is true of a very large number of ISPs that have similar numbers of customers. NinjaRobotPirate (talk) 06:01, 22 October 2020 (UTC)
To be clear, I wasn't suggesting that merging /64s would be the magic pixie dust that would make masking IPs anything other than a disaster. But it might make it a slightly smaller disaster. On Verizon and similar ISPs, merging /64s would be pointless, but also harmless. It's only on AT&T-like ISPs that it could be harmful, and from my understanding those aren't all that common. Suffusion of Yellow (talk) 01:59, 26 October 2020 (UTC)

Make separate user right for "unmasking" IPs[edit]

A danger I fear: If only checkusers can unmask IPs, wikis will need to increase the checkuser count by an order of magnitude, just to keep up. That's an order of magnitude more accounts that could be compromised. So the unintended consequence will be to decrease privacy for registered users. Instead there should be a separate right, given out more freely than checkuser. Suffusion of Yellow (talk) 20:40, 19 October 2020 (UTC)

It will need to be a userright - more than admins (let alone CUs!) will need access. A discussion should be had with Johan as to what, presumably fairly strenuous, set of criteria will be needed, whether it will be globally/locally provided, etc. Nosebagbear (talk) 21:03, 19 October 2020 (UTC)
We're talking about what we can do, internally – it's been suggested before – and will get back to you as soon as I can with our thoughts around this. /Johan (WMF) (talk) 17:05, 20 October 2020 (UTC)

Who can access the IP of an unregistered editor?[edit]

OK, so this is what we're thinking right now: We could create a new user right, which would give access to the full IP. We could look into making it an opt-in function, dependent on yet undefined criteria. This could simplify bureaucracy but make access less flexible. The important part here is that we need to know who has access at any given point. I want to stress that we haven’t tried to answer all questions here, as we’re trying to solve this together with you.

An idea could be to create three tiers.

  1. The vast majority of people who access our wikis would see the IPs fully masked.
  2. All admins could see them partially masked (the first three parts of an IP being visible). This could be helpful to see patterns even if they don’t have the new user right. Partially masking them reduces the privacy risk for the unregistered user.
  3. The new user right – in addition to checkusers and stewards – would have access to the entire IP.

Thoughts? /Johan (WMF) (talk) 17:02, 21 October 2020 (UTC)

First 3 parts, does it applies to ipv6 too? In addition, since it's privacy related, why not oversighters also have the full access? As we now OS logged out user IPs too. And the new userright seems so like interface admin, there are wikis which IAs are given like per request, while others are very strict. Will communities get to decide or WMF will mandate the process (or rather % of the new userright / admins etc). And will 2FA be needed for this right? Camouflaged Mirage (talk) 17:05, 21 October 2020 (UTC)
Camouflaged Mirage: Masking the equivalent information value of IPv6 addresses, to be clear. (:
I want to stress that this is a conversation starter to figure out what the different communities' needs are, rather than trying to define exactly how this would work – my examples are not exhaustive. There will be some sort of requirement from the Foundation, since this has to do with handling user data, but really, tell us what you think would work best? My personal best guess – not speaking for the team, just for myself – is that an automatic opt-in process would probably make requirements more similar across the wikis than if it was a user right that was manually assigned.
The 2FA question is a very good one. /Johan (WMF) (talk) 17:27, 21 October 2020 (UTC)
And I get that some of you will feel that it should be easier to get this user right than adminship, and look askance at why this would be necessary, but remember that while this talk page is currently dominated by users from English Wikipedia, the English Wikipedia Request for Adminship process is an outlier and we need something that works for all wikis.
If you’ve been around for nine months, have a thousand edits, been active in discussions in the Wikipedia namespace to show that you’re aware what the community is, and been somewhat active in patrolling, there’s a fair chance you’ll be completely unopposed in a request for adminship on my home wiki. On some small wikis, you’ll get a time-limited adminship when you request it and the two other users who turn up say sure, why not. The global minimum for permanent adminship on Wikimedia content wikis is five editors supporting you.
The process and requirements to gain adminship vary a lot. We figure that the ability to handle sensitive information here is below what’s currently required in e.g. the English Wikipedia Request for Adminship process, but above what the global minimum can mean in practice. /Johan (WMF) (talk) 17:27, 21 October 2020 (UTC)
I will suggest a mass message to village pumps in every wiki to solicit what every community thinks if this is what you hoped for. Thanks for the replies, appreciate it.Camouflaged Mirage (talk) 17:32, 21 October 2020 (UTC)
Yes, we're planning on some sort of MassMessage, to make sure vandal fighters on all wikis are aware of what's happening and how they can participate in the process. /Johan (WMF) (talk) 17:35, 21 October 2020 (UTC)
Thanks. One more, if we are speaking about global issues, how will wikis without local communities work, they are now patrolled by SWMT and global rollbackers, sysops, stewards handle the issues. Will these groups be granted access to the new userrights on these wikis? I understand the different rights systems as I edit wikis ranging from large ones (with local crats) and small ones (which I was once a perm sysop on a small content wiki). If we are saying we can accept users lower than enwp RFA bar and higher than perm sysop other wikis bar, then for enwp, sysops should be given the right to view full. One user in the middle range, let say a small wiki perm sysop + enwp rollbacker, he can see the IP address in homewiki, but not on enwp, if we trust them on one, why not all? Anyway the same IP user will be seen by the same person. I know it's hard to define what exactly is, I agree a massmessage will be proper, I think we might even benefit from a global RFC similiar to how global sysops is conceived for the new userrights. This will be benefical IMO. Camouflaged Mirage (talk) 17:41, 21 October 2020 (UTC)
Hmm, @Johan (WMF):, this is at least a good discussion benchmark. I thank you for your bottom half - I was absolutely going to step in and make a point that it should be lower, but of course you are right as regards variable levels for adminship. Hmm. I will have to have a think, please excuse the whirring hamster noises. I realise it continues the userright proliferation, but would it make sense to actually have two userrights (akin to edit filter helper and edit filter manager), the lower (partial vision) of which would be the "given to all admins", but could also be given to others under one criteria set - while the other (full vision) would be under a higher set? I'm not set on that, but would like to hear your and others' feedback. Nosebagbear (talk) 19:19, 21 October 2020 (UTC)
I think this proposal still lacks crucial details in that it says nothing about what exactly the regular users will see instead of an IP address. That is, 'how' will an IP address be masked? If you plan to assign the IPs individualized aliases, then how exactly will that work? That's not an aside question. E.g. will it be possible to tell that two individualized IP aliases for IP addresses from the same geographical area do come from a common geographical area? Or will the aliases be assigned randomly? Or perhaps in the same linear order as the IPs come online and make their first WP edits? Or using some other scheme? This question matters a great deal for anti-vandalism and SPI considerations, and the matter can't just be omitted from the above discussion. Nsk92 (talk) 23:12, 22 October 2020 (UTC)
Nsk92: Just to be clear, this isn't a proposal as much as it is a conversation starter. In order to solve these questions, we're trying to bring the communities into the process as early as possible, instead of trying to figure out everything on our own and risk missing crucial things. We're sort of taking the kind of conversation that normally lives in Phabricator and having it on the wikis where it's more accessible for more Wikimedians. Do you have use cases we should be aware of here? A preferred solution? /Johan (WMF) (talk) 23:54, 22 October 2020 (UTC)
From the prospective of anti-vandalism and SPI work, the least harmful solution version of IP masking would be some system of assigning internal IP aliases that effectively serves the same purposes that the current public IP address system does. That is an alias system where, say, two IP editors with "similar" (in whichever ways the term is precisely quantified) public IP addresses are assigned "similar" internal aliases. That might still allow for some modified form of range-blocking; in cases of sock puppetry and block evasion it would also make it easier (as the current system does) to infer that the same editor is engaged in IP hopping. I have no idea if such a way IP aliases is technologically feasible (plus, I suppose, you'd have to make sure that one can't actually de-scramble it), but in terms of preserving the functionalities of the current system, that'd be most useful, IMO. Nsk92 (talk) 10:11, 23 October 2020 (UTC)
As a note, this discussion is clearly critical, (certainly we need something far better than mere cookies) but it's not inherently related to this specific conversation topic (they warrant their own section), which is who will have access to the information (whether that be the default - whatever that turns out to be), partial, or full. The discussion will logically expand into "and what are going to be the levels needed for those access rights" Nosebagbear (talk) 10:25, 23 October 2020 (UTC)

Minors[edit]

I often get the vibe that some of our most enthusiastic recent changes patrollers are a long way from 18. Will younger editors be eligible for the new user right, even though they aren't eligible for CheckUser access? Suffusion of Yellow (talk) 02:04, 26 October 2020 (UTC)

Rangeblocks[edit]

How will rangeblocks be handled? Will admins be able to block ranges larger than a /24? Will more privileged users be able to block smaller ranges? In each case, how will the block be displayed in the public log? For example suppose an user will "full IP" access blocks 1.2.3.192/22? Then, an "ordinary" admin considers blocking 1.2.3.0/24. Will they even know that that a block already covers 1/4 of the range? Suffusion of Yellow (talk) 02:10, 26 October 2020 (UTC)

Old blocks[edit]

What happens to all the blocks from before the masking? If they carry over, then it will be trivial to connect the masked IP with the real IP, from the timestamp, blocking admin's name, etc. If they don't, then how will we deal with the gigantic flood of vandalism when everyone gets unblocked all at once? Suffusion of Yellow (talk) 02:13, 26 October 2020 (UTC)