Jump to content

Talk:IP Editing: Privacy Enhancement and Abuse Mitigation/Archives/2020-12

From Meta, a Wikimedia project coordination wiki

How is this not the end of anonymous editing?

It seems to me that this is a highly technical and extremely overcomplicated way of putting an end to unregistered editing. There is no effective way to implement IP masking that doesn't cause one of the following two effects:

  1. Hamstring the ability of vandal-fighters to stop disruptive editing
  2. Continue to expose IP information to a sufficiently large group of vandal-fighting editors

Masking IPs will cause one of those two things to happen; there is no middle ground where we can continue to stop disruptive editing while simultaneously preventing IPs from being exposed to nearly all "experienced" editors who contribute to vandal-fighting (which, on en-wp alone is tens of thousands of users). You're fooling yourself if you think you can find that magical middle ground. Since the lawyers appear to be in charge, it's far more likely that it's going to be #1 than #2. And the moment that it becomes clear that our ability to stop vandalism has been removed, the next step will be an RfC to end unregistered editing permanently, and all of this work to mask IPs will have been a colossal waste of time because no one will even use it.

We're bending over backwards to come up with a complex way to name an unregistered user something like "AnonymousUser-99f0ba64", and to attempt to track their IPs behind the scenes (or using cookies or whatever) so that they are still "AnonymousUser-99f0ba64" even if their IP address changes. Well, guess what? That sounds a whole lot like we're auto-registering an account for unregistered users. The only difference is that we're auto-naming their account for them, not requiring them to assign a password to that account, and not encouraging them to even use that same account if they edit from a different device.

So, why go through all of this work? What is the benefit? Just end unregistered editing already and save everyone the trouble. Creating an account is such a small hurdle to overcome in order to edit Wikipedia; anyone who really wants to make an edit will go through the 4-second process to register an account. We don't even require that users connect their account to an email address, like every other website on the internet. A user could quickly and easily register a new account every day, if they wanted to. Both Wikipedia and the internet at large are a lot different than they were 20 years ago. Registering an account to use a website is so commonplace now that very few people will bat an eye at being required to register an account to edit. At the very least, we should conduct a trial (similar to en:WP:ACTRIAL) to understand the effects of requiring all users to register. Will the number of non-vandalism edits being made to Wikipedia plummet? Will the number of new users registered skyrocket? Who knows? But, let's find out before embarking on this convoluted IP masking quest that is destined to trigger the end of unregistered editing anyway. (Furthermore, if IP masking is forced upon projects and they reactively decide to end unregistered ending in response, there won't be time to conduct a trial to understand and mitigate the effects of ending unregistered editing.)

Otherwise, if we're going to continue to allow unregistered editing, then we should simply require unregistered users to explicitly consent to their IP address being publicly logged and forever connected to the edit they're about to make, and require them to explicitly waive all rights connected to the privacy of their IP address. I'm no lawyer, but surely if a user explicitly consents to their IP address being exposed, then WMF would not be exposed to any legal liability. Like, literally, before every edit that they make, a giant 45-page EULA pops up and they have to scroll to the bottom and hit the "I've read and accept this" button. I'm sure the lawyers would love that idea. Scottywong (talk) 23:45, 8 December 2020 (UTC)

Hi Scottywong, I've tried addressing this in the discussions above, to give an understanding of why the Foundation thinks investing in a long process is worth the time and effort. In short, the research we have on wikis and compulsory registration does indicate there's a problem – if it's important enough for them they might register, but if it isn't? If they'd gradually start editing because the threshold was so very low? I see your home wiki is English Wikipedia; please remember that English Wikipedia is at the far end of the spectrum when it comes to already available content and number of editors. There's a balance between "protect what we have" and "get new content", in that it's difficult to make it more difficult for the editing we don't want without making it more difficult for the editing we want, and almost all our wikis are in greater need of more content (and thus people who can add it) than English Wikipedia is. Also, the importance of unregistered editing varies a lot from wiki to wiki both when it comes to how common it is and how much is reverted (i.e. deemed not suitable). For example, my home wiki specifically asked the question "if we do IP masking, do we want to turn unregistered editing off?" and came to the conclusion that it didn't. This is what I wrote when The Signpost asked for a comment:
Why do IP masking at all, some ask. Why not disable IP editing instead? We’re investing significant time and resources in trying to solve this because we’re convinced that turning off unregistered editing would severely harm the wikis. Benjamin Mako Hill has collected research on the subject. Another researcher told us that if we turn IP editing off, we’ll doomed the wikis to a slow death: not because the content added by the IP edits, but because of the increased threshold to start editing. We can’t do it without harming long-term recruitment. The role unregistered editing plays also varies a lot from wiki to wiki. Compare English and Japanese Wikipedia, for example. The latter wiki has a far higher percentage of IP edits, yet the revert rate for IP edits is a third of what it is on English Wikipedia: 9.5% compared to 27.4%, defined as reverted within 48 hours. And some smaller wikis might suffer greatly even in the shorter term.
I hope that at least explains where we're coming from.
(Anecdotally, I was almost exclusively unregistered editor for the first four years or so of my Wikipedia editing. This gave me years to form a habit. It wasn’t important to me when I started. I just fixed spelling errors because it required nothing of me, not even logging in. Then it gradually became the thing that eats most of my waking hours.)
With regards to the legal part, my understanding is that no, unfortunately, it’s not quite that simple. That's how it may have worked in the early days of Wikipedia; it no longer does. /Johan (WMF) (talk) 17:51, 13 December 2020 (UTC)
Well, you're right that different Wikipedias have different user counts, article counts, editing rates, and vandalism rates. Perhaps this suggests that a one-size-fits-all approach to IP masking for all Wikipedias is not a good idea.
Regarding the studies suggesting that requiring user registration would condemn all Wikipedias to a slow death, I'm not seeing it. The studies you linked to on that specific subject are mostly about how unregistered editing historically helped to get Wikipedia off the ground in the early days. I don't see any studies that suggest that requiring registration now (especially on the larger, more active projects) would cause a catastrophic collapse of Wikipedia. After all, there are some Wikipedias that already don't allow unregistered editing, and to my knowledge, they haven't imploded. En-wiki already doesn't allow unregistered users to create new articles, and there is a significant percentage of pages that are not editable by unregistered users (via page protection and other similar mechanisms). Wikipedia is not the same as it was 20 years ago. It's a mature project that people want to influence, and I'd be very surprised if a one-time 30-second registration process is going to discourage someone who wants to contribute, especially when nearly every other website on the modern internet requires registration. I think this deserves more serious consideration. While it's true that requiring registration might not be right for every project, I would be very surprised if IP masking doesn't eventually cause the largest projects (especially en-wiki) to ban IP editing. Scottywong (talk) 15:48, 14 December 2020 (UTC)
But alls this work is something we'd have to do anyway, in that scenario. (: We are also looking closely at what's happening on Portuguese Wikipedia, which is a major wiki where unregistered editing is currently not possible, so that's a research project that is ongoing to gather more data, specific for a mature Wikipedia. It's too early to say anything yet, but we – in the broad sense, of course – will know more about how Portuguese Wikipedia was affected before we do any actual masking. /Johan (WMF) (talk) 16:35, 14 December 2020 (UTC)
@Johan (WMF): while I can certainly accept the case that different projects would accept the concept of IP masking against that of blocking IPs, I would like to ask on additional focus on the options bit raised by OP.
To stop this having major effect (and I would note that my (and many respondents who made such comments in the original consultation) definition of success is "no net increase in "uptime" of problems, no net increase in false positives, no net increase in editor time taken to carry out tasks" will indeed require a) very broad access for most IP information. Probably not tens of thousands on en-wiki alone as IP said, but certainly above 5000 within a couple of years and b) broad access for all IP information - probably about 2000 on enwiki (1100 admins plus other key individuals)
That, by the way, assumes that people with partial information can indeed do functionally all of their work without needing to refer cases to someone with full vision. I'm still not quite sure how well that holds up, but I'll take it as granted for now.
I do share a concern that spreading it that broadly (factoring across all projects) rends the project somewhat moot, or Legal are going to want a tighter close, which is going to have a major effect. Nosebagbear (talk) 10:59, 8 March 2021 (UTC)

I am not certain if I am allowed to comment here, but I certainly welcome the end to (or at least the limiting of) IP editing. Not having to contend with well meaning anonymous editors and the steady stream of vandals will free up a lot of time to add content. And, with limits on anonymous editing, we will be able to communicate with new editors instead of them floating around and never realizing that there are IP talk pages. Of course, it would be nice if this was happening more publicly, instead of here, "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'" Mr.choppers (talk) 01:51, 23 March 2021 (UTC)

Mr.choppers: Is there anything in particular you'd want us to do information-wise? We're planning on letting on all admins across the wikis know by posting on their talk pages, but we want to re-assess and figure out where we are in the process first, so we don't give them old information.
To get an idea of how what we've done so far: I see you're active on Commons and English Wikipedia; I wrote w:en:Wikipedia:Wikipedia Signpost/2020-11-01/Op-Ed in an attempt to explain it on the latter wiki. We've repeatedly included in Tech/News, which is sent to both commons:Commons:Village pump/Technical and w:en:Wikipedia:Village pump (technical) and a hundred other community pages across wikis, and is transcluded on the English Wikipedia community portal (w:en:Wikipedia:Community portal#Technical news), we've posted to wikimedia-l, the international Wikimedia mailing list, and some groups on social media where Wikipedians discuss internationally, we've had some local conversations to see if we'd get different feedback in other languages (i.e. are there workflows we're missing on other wikis if we just talk about this in English) and are planning another round, we ran some discussions about the plans at the last Wikimania that was able to take place, and reached out specifically to checkusers and stewards. /Johan (WMF) (talk) 08:02, 23 March 2021 (UTC)
I believe that I, as most editors, do not ever visit to those places. We edit the pages that are of interest to us and we do not generally visit any sort of meta-pages whatsoever. I am here as a result of an admin mentioning this policy to me by happenstance. These changes will be hugely disruptive (I think, it is very unclear what may actually happen) and would, in my eyes, merit a direct notice to all users before such change is decided on. Mr.choppers (talk) 11:21, 23 March 2021 (UTC)
To be clear, the Legal team has declared that this is something they need to happen, and asked the Wikimedia Foundation Product department to figure out how (which we're trying to do here). So let's be honest here: this was not a decision they made with community input, since legal decisions are not matters of consensus. This doesn't mean that we shouldn't make sure the communities are aware: we want to develop this together with patrollers and others from the Wikimedia communities, and we desperately need a lot of feedback and criticism and suggestions along each step for this to work properly. But it hasn't been hidden to have a decision made without anyone noticing and then say "hey, this was something we decided together!", because it wasn’t a collaborative decision or a proposal as much as an investigation.
It's just difficult to find the right level of shouting loud enough so enough people hear but not so loud it comes in the way of their editing. /Johan (WMF) (talk) 17:50, 23 March 2021 (UTC)

Some thoughts

First, a procedural note: In my opinion, this entire affair has been completely mishandled when it comes to communication. If this is a legal issue, don't give us an FAQ and "motivation" statement that implies that it isn't, only to then reverse and give us a statement from legal that has about as much meaningful content as this template. I know and appreciate that everyone involved has the project's best interests in mind, but this really, really, really should have been handled better.

Persistence: I think cookies are a bad idea, because they are relatively easy to circumvent and get rid of. Using them would also mean that someone could establish multiple distinct identities by just running different browsers. Stick with IPs to establish identities.

User right: If you don't want communities abandoning IP editing as soon as this is passed, there will have to be a user right and it will have to be granted to a substantial number of users; people who regularly deal with vandalism, sockpuppetry, long-term abuse[note 1] and undisclosed paid editing[note 2] will need continued access to full IPs. Partially for proxy detection, partially for informed examination of IP ranges and WHOIS data. If this would be an acceptable compromise, we could consider requiring users to sign an NDA, which may alleviate some of the (legal) concerns involved here. I for one would be happy to do that if it means continued access to unmasked IPs.

Ranges: Consider allowing range queries like Anonymous123/16 for everyone, and to consider providing the size of the involved subnets[note 3] and displaying them on IP Contribution pages, which would allow users without special access to look at ranges without any substantial privacy impact.

Proxies: I don't see that much use in providing yes/no VPN and TOR indicators; known VPN ranges and TOR nodes are already globally blocked. The more problematic proxies are webhosts and open proxies, which will be hard to detect without manual review.

Implementation: We need to get this right on first try. The risk of communities abandoning IP editing is significantly higher if this doesn't work from day one.

All in all, I am still convinced that this will create more problems than it solves, no matter how good the implementation; but alas, what's decided is decided. I urge everyone involved to work towards a solution that restricts and disrupts existing community processes as little as possible. Best, Blablubbs (talk) 14:20, 13 December 2020 (UTC)

  1. Consider for example that confirmation that one is dealing with this individual is made significantly easier if one can check whether the IP geolocates to London
  2. Which the WMF appears to have largely ignored and kicked to the community, sometimes with devastating results
  3. E.g. /22 and /24 for this IP
Blablubbs: Thanks for the feedback, it's much appreciated. About us saying "sorry, Legal says so, we have to do this", that was not our assumption when we started. Legal was involved earlier too, and there was a statement about their support for this project on the talk page early on, but while I understand the change in motivation and what can be done and can't is confusing, it reflects an actual change in understanding for the team behind the project, not just in how we communicate. /Johan (WMF) (talk) 16:10, 13 December 2020 (UTC)
And to be clear, this is not about one specific law or one specific jurisdiction, as stated above. /Johan (WMF) (talk) 16:13, 13 December 2020 (UTC)
Hi Johan, thanks for the response. I had an off-wiki chat with Darren-M, trying to figure out why legal cannot be more clear. So in the hopes of obtaining at least a modicum of clarity, I'll try to ask some direct questions, mostly related to this statement: We can’t spell out the precise details of our deliberations, or the internal discussions and analyses that lay behind this decision, for the reasons discussed above regarding legal ethics and privilege.
  • While legal cannot unilaterally disclose the reasoning because of attorney-client privilege, the WMF – being the client – absolutely can. So if privilege is the argument for being obscure, why doesn't the WMF at least partially waive it or provide a statement itself?
  • Does legal believe that we may currently be open to litigation because of existing laws?
  • If not, why are we citing no specific legislation while also citing privilege to avoid disclosing anything?
  • Is there any current or pending litigation regarding privacy of IPs on Wikimedia projects?
  • Is this being done to avoid future liability because WMF legal believes that laws that might make public disclosure of IPs illegal will be passed?
  • If so, why is the feature not just developed and shelved until such laws potentially come into effect, given the strong opposition by the community?
  • If so, why can we not be more open about what those future liabilities are, given that they are not currently a threat?
  • Has the Board endorsed this decision? If not, what is the most senior level it has been endorsed at?
I'm aware I won't be able to get full responses to all of those questions, but I'd appreciate an attempt at giving the community more than what are arguably non-answers. I am not asking for details about specific liabilities, or for specifics about internal discussions; I merely want to know on a meta-level what the nature of the cited threat is: Given that it's used to override community consensus, it seems like a good idea to be as transparent as possible – and I don't believe legal's statement meets that standard. Thanks and best, Blablubbs (talk) 23:14, 13 December 2020 (UTC)
Blablubbs: Just wanted to acknowledge that I've read this and that I'm passing it on to the Legal department. /Johan (WMF) (talk) 23:37, 13 December 2020 (UTC)
@Johan (WMF): Thank you for passing that on. I'm going to also somewhat tactlessly ask: did Legal change their minds between their initial discussions and more recently with you/your team about it being a necessity, or did they just insufficiently make it clear it was a necessity (perhaps because they felt that if it was going to be introduced, stating it as a legal requirement seemed unneeded to them)? Nosebagbear (talk) 16:23, 14 December 2020 (UTC)
To be honest, I think this is a question more about the difference in how you understand a legal position if you're a lawyer or a non-lawyer, though of course a lot of things have happened in a year and things keep changing. Legal is working even closer with us now. /Johan (WMF) (talk) 17:07, 22 December 2020 (UTC)
Regarding ranges: this seems like a privacy issue. This would make it quite trivial to determine what country someone lives in, for example, and depending on the CIDR sizes permitted you could even get an ISP. Whilst you might not think this is the biggest deal, currently if someone has a registered account it's not possible for anyone to know that, and the same applies on any site with registration, so this is a fair change in the norm.
Regarding NDAs: a lot of active editors are not comfortable with doing so. Indeed, only a fraction of users are functionaries or have access to non-public information. I think requiring editors enter into legal agreements to continue doing the work they're doing is not a good outcome. ProcrastinatingReader (talk) 22:26, 30 December 2020 (UTC)
Thanks for the feedback, ProcrastinatingReader. Just wanted to acknowledge we're reading and taking into account. /Johan (WMF) (talk) 22:41, 6 January 2021 (UTC)
@Johan (WMF): - just a reminder that Legal have yet to respond to the questions posed by @Blablubbs: and myself. I wouldn't have thought these questions were particularly onerous or complex to draft responses for, so I trust we can look forward to a full reply from Legal shortly? Best, Darren-M (talk) 21:51, 20 January 2021 (UTC)
Ping acknowledged. /Johan (WMF) (talk) 05:01, 26 January 2021 (UTC)
@Johan (WMF), I know it isn't your call if and when legal responds, but it's been another month and if we're not going to get a reply, I'd appreciate it if we could just get a statement that says so outright – though, as outlined above, I'm still not entirely clear why it isn't possible to make a statement that is at least marginally less vague. Best, Blablubbs (talk) 15:17, 21 February 2021 (UTC)
Blablubbs: Noted, and I'll pass it along. I can assure you that they read this page, so anything being pointed out here is seen, not just by me. /Johan (WMF) (talk) 11:52, 22 February 2021 (UTC)
Pinging both anyone from Legal watching at @Johan (WMF):, who has the misfortune of being significantly more visible and takes flak for (in)actions outside his control. I'd like to echo Blablubbs' point (another) 3 weeks on - if Legal aren't going to reply to queries and concerns about their opening statement then they need to actually say so openly.
In a distinct point, because I don't want to ping Johan three times in 4 minutes, I'd just like to push ProcrastinatingReader's comment that NDA signing is likely to cause major issues due both to reticence but also to effort. The whole reasoning for retaining IP masking rather than mandatory accounts is because of barrier to entry, but there are barriers to entry to lots of tasks, not just joining wikipedia. People might sign to avoid disrupting their task flow that's already active, but why would anyone new go into handling IP-heavy CVU if the barriers get high. The trade-off needs to be considering not just who we might lose immediately, but who we might fail to recruit into that backend work going forwards Nosebagbear (talk) 11:16, 8 March 2021 (UTC)
I do work on this project, so it's completely natural and fine to let me know any and all issues and concerns! Passing this on, too. /Johan (WMF) (talk) 12:08, 8 March 2021 (UTC)
What is "CVU"? kyykaarme (talk) 05:51, 10 March 2021 (UTC)
@Kyykaarme: Counter-vandalism unit, en.wiki's wikiproject on counter-vandalism, but also used as a bit of a catch-all term for all the different counter-vandalism activities and individuals even if they aren't technically part of the project Nosebagbear (talk) 10:59, 23 March 2021 (UTC)
Well, another 3 weeks later, we're more than 3 months in and at this point I think it's pretty clear I won't be getting a reply or even an acknowledgement that I won't get one. I don't think my specific questions urgently need an answer (though I do still think they're relevant), and I know everyone involved has the best of intentions, but I do think this is a great example for the chronic communication and community relations issue the WMF has as an institution: If you're going to try your hand at playing government and unilaterally impose a vision on the community (who you're supposed to be working for and not against) against its explicit wishes, you're also going to have to acknowledge what makes governance work: Responsiveness, responsibility and accountability. And I'm really not seeing a lot of that, here or elsewhere. Blablubbs (talk) 13:13, 1 April 2021 (UTC)
Whilst I do personally think some form of IP masking is a good idea and support this change, I agree the communication is lacklustre. At the same time, the FAQ says there's no rocket on this plan and this isn't a "proposal" yet, so possibly WMF resources are stretched between the board stuff and the UCOC and whatever else is going on currently. ProcrastinatingReader (talk) 14:24, 3 April 2021 (UTC)