[WikiEN-l] Arbitration Committee members granted checkuser tool

[David Gerard]

M. Creidieki Crouch wrote:
>David Gerard wrote:

>> 2.  it would be utterly poisonous to the community. Merely being
>> checked on would be seen as a black mark (c.f. geni's attacks on Kelly
>> Martin's character in this thread).

>I think that this danger would be minimized if the admin explained the
>reason for the check, ideally with a link to something that would be
>considered "reasonable evidence".


Even then, it's much easier to not violate it and not cause trouble in
the community by not making the log public. It's hard to run afoul of
the privacy policy by doing your very best imitation of a [[Magic
8-ball]].

This is not ideal. I recently misidentified [[User:TheChief]] as
[[User:Agriculture]]. It was highly questioned but I couldn't answer
most of the questions people were asking so as to substantiate the
match as I simply wasn't allowed to do so. Eventually someone else
spotted that they had close-together edits at widely disparate
geographical locations. (I'd done a time-IP chart myself, but
evidently missed that one.) Which is not hard (if I wanted I could
show an IP record of me flitting from Australia to Wisconsin to London
in five minutes, all through legitimate accounts), but is very far
from common, so I called it "not a match."

It's all a tricky one. Saying "'cos I say so" really doesn't go down
well, but it's often the only answer I can give. Getting second
opinions from other checkers can help, though that certainly isn't
going to become routine. (I'm sure *requests* for it will ...)


>> 3. It's a sysadmin level function, allowing certain people to assist
>> the devs so they can get on with running the actual servers. No-one
>> using a website can seriously expect the sysadmins will *not* check
>> their IP, usage patterns, etc. as is necessary for good functioning of
>> the site.

>I'm worried about "you should have expected it" as a rationale for
>revealing personal information, but perhaps.


It's not *revealing* the personal information - that's what's *not*
happening. It's *having someone look at it at all*. No-one can
reasonably expect the people running a site will never look at the
usage in as close detail as is needed.

What they *can* expect is that the data will be confidential per the
privacy policy. At present, all those on en: with it are arbitrators.
(I also asked for Linuxbeak and Fvw to get it, but the board is
presently happier with just the AC having it. That's fine, 'cos
Linuxbeak and Fvw know they need only ask if they have some heavy-duty
vandals that need tracking. In the last few weeks I ran a pile of
checks for Linuxbeak tracking Jarlaxle and MARMOT, for instance, and
some time tracking [[User:SuperTroll]].)

I got the power at all because the devs didn't have time to give the
AC the checks it needed (they're busy running the site and writing the
software) and I was on the AC and knew my way around a network. The AC
are people trusted not to fuck up Wikimedia's policies, ways of doing
things and internal and external image and so forth, so were
considered suitable for the confidential information. They also know
how good and bad editors work, and the social structure of the wiki.
So we picked some of them that can find their way around a network
(the technical consideration). You'd typically find the technical
skills in a sysadmin, for example (there's lots on Wikipedia). I
picked up mine tracking Usenet and email spammers for my own amusement
;-)

(And just to cross-thread: this is a good example of something that
people shouldn't even be thinking of voting on, any more than you'd
vote for root or MediaWiki lead. [[m:Voting is evil (and stupid)]] )


>> 4. There's a log the other checkuser users can see and keep an eye on
>> each other. If you react "ZOMG CABAL!!!", you can say that to the devs
>> next, because they can check this stuff too, and do as they see fit.
>> With no logs at all.

>Does this log contain explanations or comments on why a specific check
>was done?  This certainly would prevent an admin from doing a check on
>everyone they came in contact with.  But if you see one or two checks
>a week on users you've never heard of, are you going to track down the
>admin and ask about it?


It just has lines like:

* 15:54, 10 July 2005 David Gerard got IPs for David Gerard
* 15:55, 10 July 2005 David Gerard got edits for 82.153.102.255

(that's me looking up my own name and then one of the IPs.)

Note that it's not "admins". It's not every admin having access to
this. It's a (deliberately) very small pool of people.


>I'm sorry to be contributing to the already-long discussion against
>this.  I'm not at all convinced that checkuser is a bad idea.  But I
>want to make sure that we've thought about the best way of
>implementing it.


It gives sensitive information, but it doesn't actually give a huge amount.

* I'll typically be found on two static IPs and one that's dynamic but
changes slowly.
* Someone else might be on dialup and have their IP for any given
session be anywhere in a /12, which is 1,048,576 possible addresses,
in which case you have to understand social aspects of the wiki (usage
patterns and what sort of things sockpuppeteers tend to do) to declare
a "possible match" or "likely match" or whatever.
* Someone else might be on AOL, where each *page view* might use a
different AOL proxy, in which case you can stop the check right there
because you can't say anything other than "is on AOL" (which is 22% of
the US internet, so generally wouldn'tt really count as revealing
personal information).
* Someone else might have their username using IPs from all over the
world in close succession ... in which case it's a good guess that the
IPs are open proxies and the user is hopping about on them to evade
detection.

This sort of thing is why a software version that just gives "MATCH",
"NEAR MATCH" or "NO MATCH" or whatever is not possible (and again, if
someone thinks it is, show us the code and show us it works well
enough). It takes a human who knows the little ways of the Internet
and the little ways of good and bad editors to make sense of the
little information you get from knowing what IP a given user made a
given edit from.

Any more questions, anyone?


- d.