We should set permanent cookies on every pageview except saves, require cookies for saving pages, assign random account names (anon2349bx29s) to anonymous editors, and use cookies to block most users.

We should do away with IP numbers in page histories, recent changes etc. completely.

We should retain the ability to block by IP in emergencies.

This would address several current problems and have several advantages.

1) Having users' IP numbers published all over the place is a quite serious privacy violation. It would be trivial to scan recent changes for hosts with open ports and security vulnerabilities. Furthermore, it reveals geographic information about anonymous editors which they may want to keep private (such information can be very specific, depending on the ISP).

2) Banning anonymous users by IP affects anyone who also uses the same IP. In case of proxies, this may be thousands of individuals. If the first message we send a new user - because they share a vandal IP - is "You are banned from editing for serious vandalism", that user is unlikely to become a regular contributor. Even regulars are frequently pissed off because they accidentally get blocked.

3) Banning users by IP is also ineffective, as for most users, it is trivial to get a new dynamic IP address.

4) For repeat vandals, we can set a very high or unlimited expiry without fear of blocking someone else.

5) Requiring cookies even for anons allows them to change their user preferences even without creating an account.

6) We can more easily attribute edits to users and easily change anon edits over to real accounts when people decide to create an account. This may also address some copyright issues.

Now, regarding some possible criticisms:

1) "They will just delete the cookie and edit away." Yes, some users will do that. For these users, we should retain the ability to block by IP (without revealing that IP address to sysops). However, doing so requires an understanding of how the blocking mechanism works, which most users don't have. They will have to know how to *remove* cookies, not just disable them. The user will have to keep deleting the cookie every time it is re-blocked. And sysops don't have to be hesitant about blocking them, because no other users can be affected by it. So we can in fact make this a single-click operation, making it costly for the average user, and cheap for us.

2) "I have cookies disabled for privacy reasons!" Then you can't be editing Wikipedia non-anonymously. We already require cookies for signed in users. Most modern browsers allow enabling cookies on a case-by-case basis. If a user tries to edit a page without having cookies enabled, we will let them know that they need to enable them. If you are concerned about privacy, you should be more concerned about having IP addresses publicized everywhere, even stored permanently in the page history.

3) "This won't help us to deal with the most egregious vandals." Maybe, maybe not. A vandal using a script would have to do the same thing as a malicious user -- get a fresh cookie from a regular pageview, use that cookie to submit an edit, then discard the cookie. This isn't hard to do, but I doubt the average kiddie will be able to figure it out. On the other hand, we can build more extreme anti-vandalism measures on top of this, like disabling edits by any completely new contributor (= not setting any new cookies) for a few hours.

All in all, I think this would greatly reduce the time spent on fighting vandalism, and allow us to focus on more important matters, like creating an encyclopedia.

Regards,

Erik