[Foundation-l] New draft of privacy policy

Gregory Maxwell gmaxwell at gmail.com
Mon Jun 16 07:21:47 UTC 2008


On Mon, Jun 16, 2008 at 1:21 AM, John Vandenberg <jayvdb at gmail.com> wrote:
> There is a much more obvious answer: nobody has written the code to do
> otherwise.  An IP is a fixed size which helps with storage, and the
> properties of IP numbering and re-use are well-known, allowing people
> to roughly guess when it is a different person on the same IP.
>
> Any change to MediaWiki to remove or obscure IPs needs to also give a
> similar ability back to editors; we are human and we like to know how
> many editors we are working with, even more so when editing behaviour
> is suspicious.

It would be nearly trivial to feed the IP through a 32-bit block
cipher, convert that to base 36 (or just an integer), and use that as
the user_text.  I'm pretty confident that a reasonably clean solution
wouldn't be hard.  ::shrugs::  But does anyone anywhere want that
behavior in MediaWiki?

> It is very strange that we call IP edits "anonymous" yet they are
> often more revealing than edits made when logged in.

Indeed.

> The oversight tool desperately needs finer granularity.  If the IP is
> the element that needs to be hidden, it shouldn't be necessary to
> pretend that the edit didn't happen.  Anyone know when the new
> oversight tool is going to land?
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=3576

Note my comment at the bottom of that ticket. :)

> Also, many people are not aware that oversight needs to be done before
> the next dump in order to be useful.  I often see admins removing six
> months old IP talk contribs, for privacy reasons, and are a bit
> surprised and annoyed when I show them the dumps.

People are also surprised when deletion fails to successfully hide information.

Considering how trivial it is to run a script that saves every change
as it is made... all we can really hope to do is minimize the bleeding.

> Rather than adding a layer on top of IP to hide the IP, it would be
> less revealing to automatically assign each new IP session with a
> cookie managed identifier, i.e. "Guest1234" (or a long random string
> that does not repeat, such as a GUID ) and then allow the user to
> rename this "guest account" when they finally learn how to.  Also when
> a user has accidentally logged out, when they log back in from a guest
> account to their main account, the system could allow the user to
> merge those guest edits into their main account.

It would be less revealing but it would greatly amplify the ability to
hide because it would be far more anonymous.  Depending on the
implementation it could be used as a force multiplier with a single
user on a single IP churning out dozens of guest ids by flushing their
cookies.

Obscuring the IP would convert the IPs into effective pseudonymous
names, similar to real account names. The above would create something
much closer to actual anonymous edits.  I doubt most Wikimedia Wikis
would support a proposal like that. (though, personally, I suspect
life would go on if it were done).
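
The 32-bit block cipher idea from the message above, as an added example that is not part of the original post or of MediaWiki: a keyed Feistel permutation over IPv4 addresses, rendered in base 36. The Feistel/HMAC construction, the round count, the key and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress

ROUNDS = 8  # assumption: round count picked for this illustration
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _f(key: bytes, rnd: int, half: int) -> int:
    """Round function: 16 bits of HMAC-SHA256 over (round number, half-block)."""
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")

def encrypt32(key: bytes, block: int) -> int:
    """Balanced Feistel network: a keyed permutation of 0 .. 2**32 - 1."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 16) | right

def decrypt32(key: bytes, block: int) -> int:
    """Undo encrypt32 by running the rounds in reverse order."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 16) | right

def to_base36(n: int, width: int = 7) -> str:
    """Fixed-width base 36; 7 digits cover every 32-bit value."""
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.rjust(width, "0")

def ip_to_user_text(key: bytes, ip: str) -> str:
    return to_base36(encrypt32(key, int(ipaddress.IPv4Address(ip))))

def user_text_to_ip(key: bytes, text: str) -> str:
    block = int(text, 36)
    if block >= 2**32:
        raise ValueError("not a valid 32-bit label")
    return str(ipaddress.IPv4Address(decrypt32(key, block)))

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key would be random and secret
    for ip in ("192.0.2.1", "192.0.2.2", "198.51.100.7"):  # constructed sample IPs
        label = ip_to_user_text(key, ip)
        print(ip, "->", label, "->", user_text_to_ip(key, label))
```

Because the mapping is a keyed permutation, the same IP always yields the same label and anyone holding the key can invert it. The 32-bit input space is small enough to enumerate, so the label hides the address only while the key stays secret.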


