[Foundation-l] New draft of privacy policy

[John Vandenberg]

On Mon, Jun 16, 2008 at 9:20 AM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Sun, Jun 15, 2008 at 6:55 PM, David Gerard <dgerard at gmail.com> wrote:
>> 2008/6/15 Gregory Maxwell <gmaxwell at gmail.com>:
>>> On Sun, Jun 15, 2008 at 10:31 AM, David Gerard <dgerard at gmail.com> wrote:
>>>> It's also entirely unclear how this proposal would actually cause a
>>>> better encyclopedia, dictionary, media archive, quote database etc. to
>>>> be written. You know, the stuff we're supposed to be here for. Project
>>>> first, then community.
>>
>>> By this logic we should grant access to Special:Checkuser to everyone.
>>> No?  Explain.
>>
>> You originally claimed something was in need of fixing; support it.
>
> I only asked why we give the equivalent checkuser on half our users to
> the general public.   So far only Anthony has provided a reasonable
> explanation.

There is a much more obvious answer: nobody has written the code to do
otherwise.  An IP is a fixed size which helps with storage, and the
properties of IP numbering and re-use are well-known, allowing people
to roughly guess when it is a different person on the same IP.

Any change to mediawiki to remove or obscure IPs needs to also give a
similar ability back to editors; we are human and we like to know how
many editors we are working with, even more so when editing behaviour
is suspicious.

> To make you happy I'll go ahead and make an argument for
> fixing something:
>
> I don't see any logical cause for the inconsistency in how we treat
> registered and unregistered users. There is no particular reason is
> has to be this way, it seems to be historical accident as Anthony
> suggested. Instead we could publish the IPs of all edits, we could use
> opaque identifiers for anons, or we could completely dissallow
> anonymous editing.  All of these would be consistent solutions.

It is very strange that we call IP edits "anonymous" yet they are
often more revealing than edits made when logged in.

> The current inconsistent situation generates a lot of problems:
> Careful COI pushers are rewarded for being smart enough to log in
> while at the same time normal users are harmed by accidentally getting
> logged out and having their IP surprisingly leaked.
>
> The edit histories of our articles are frequently sliced and diced to
> hide the IPs of established contributors and this sometimes makes the
> article history misleading. For example, see my edits on meta today (I
> swear I didn't do that intentionally to make a point, I have no clue
> how I ended up logged out) ... my IP edits couldn't be hidden without
> making the history misleading due to the timing of Cimon's edits.  ...
> and the service of IP edit oversighting is generally only available to
> the Wiki(p|m)edia elite, if for no other reason than few others know
> it is available.

The oversight tool desperately needs finer granularity.  If the IP is
the element that needs to be hidden, it shouldnt be necessary to
pretend that the edit didnt happen.  Anyone know when the new
oversight tool is going to land?

https://bugzilla.wikimedia.org/show_bug.cgi?id=3576

Also, many people are not aware that oversight needs to be done before
the next dump in order to be useful.  I often see admins removing six
months old IP talk contribs, for privacy reasons, and are a bit
surprised and annoyed when I show them the dumps.

> Unregistered users account for roughly half of the contributors on at
> least one of the largest projects (EnWP).  They make many valid and
> useful contributions (along with a bunch of junk...).  We often
> mislead them about their privacy by calling their contributions
> "anonymous" when they are far less anonymous than the edits made by
> many registered users.   Checkuser is by far one of the most highly
> regulated activities on all the projects. We keep a very tight fist
> over it. Yet, its equivalent is given freely over an enormous subset
> of the contributors.  This smacks of favoritism.
>
> I think our behavior should probably be changed to remove the
> inconsistency. By removing the inconsistency we will prevent
> unpleasant surprises. I think the ability to *know* and *understand*
> the privacy posture you have when editing Wikipedia is more important
> than what the posture is, so I don't care which path to consistency is
> taken.
>
> I would presume that of the three I suggested most users would prefer
> replacing IPs with unique identifiers.  The primary harm this path
> would cause is an increase in need for checkusers.

Rather than adding a layer on top of IP to hide the IP, it would be
less revealing to automatically assign each new IP session with a
cookie managed identifier, i.e. "Guest1234" (or a long random string
that does not repeat, such as a GUID ) and then allow the user to
rename this "guest account" when they finally learn how to.  Also when
a user has accidentally logged out, when they log back in from a guest
account to their main account, the system could allow the user to
merge those guest edit into their main account.

--
John