On 9/19/07, Gregory Maxwell <gmaxwell(a)gmail.com> wrote:
On 9/19/07, SlimVirgin <slimvirgin(a)gmail.com> wrote:
[snip]
My understanding is that, with the information people are considering
releasing, it would be possible for someone to work out which editor
had which IP address, which would be a serious betrayal of trust.
Hopefully you can see from my prior posts on this thread that I favor
a conservative handling of private data and you won't mistake my point
below for an insensitivity to your concerns.
I agree that the log data must not be handled in a way that reduces
privacy, but I disagree with the implied claim that there is a high
level of privacy for *editors* to begin with.
If editors are betting on the privacy of their IP addresses to avoid
harassment or stalkers then they are making a bad bet. I do not want
people to be surprised when they discover the privacy they thought
they had did not really exist.
There are many ways a user's IP can be leaked. For example, whenever
you follow a link to an external site your address is leaked to that
site. Any administrator can inject CSS or JS into your personal or the
site wide files which could cause your browser to connect to another
site and give away your address. Your use of email along with your
account can reveal your address. We have a great many checkusers, and
while they are trustworthy their machines or accounts could become
compromised. Checkuser data is sent unencrypted to checkusers across
the Internet. ... it's very very very easy to accidentally edit while
logged out, especially when you cross over to one of our other wikis
like commons or meta.
Yes, I agree that protecting IP address is hard. Just as an example,
we have one stalker (and I'm using the word advisedly) who posts links
on people's talk pages to what appears to be Wikipedia articles,
purportedly asking for advice, but in fact diverting that user to the
stalker's own website, so he can pick up the IP. He's also sent
e-mails with disguised links that divert people to a blog he has
access to.
The concerns of people being harassed are partly to do with not
wanting people to know where we edit from, but also to do with fears
that the more determined stalkers could get into the user's computer
if they knew the exact IP, which is a more serious invasion than
knowing you live in New York or wherever.
The protections provided today are not bad. But they are not very good
because very good protection would be someplace between highly
inconvenient and impossible.
Only the most paranoid and inconvenience-tolerant people have a
fighting chance of keeping their totally secret during a long editing
career.
Most people simply lack the foresight (few expect stalkers the day
they make their first edit), technical expertise, and patience
required to strongly protect their anonymity while editing.
Providing privacy strong enough to stop a stalker for people who are
indirectly spewing out large amounts of information about themselves
in the form of edits is just a really hard problem which I don't have
a solution for...
I agree with you. It's very tricky.
The only workable solution I can see is to make it less likely that
stalkers will want to target particular admins. One way to do that
would be to set up anonymous admin accounts that multiple admins could
use. So for example, if a difficult user needs to be blocked, any
admin could access the joint admin account to make the block. The user
would only see that User:Admin1 had blocked him. Only trusted people
would have access to which admin had made a block with User:Admin1 at
time T.
I know it would complicate things, and it might make admin abuse a
little more likely. And we'd still have the problem of potential
leaks, so it wouldn't be foolproof by any means.
Sarah
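
The disguised talk-page links described in this thread (text that looks like a Wikipedia article but points off-site) can be screened for mechanically. The following is an added example, not part of the original thread: it scans wikitext for external links whose label or hostname imitates an on-wiki page while the real target is elsewhere. The trusted-domain list, the function names and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as on-site; adjust for the wiki being protected.
TRUSTED_SUFFIXES = ("wikipedia.org", "wikimedia.org")

# MediaWiki external link syntax: [URL optional label]
EXT_LINK = re.compile(r"\[((?:https?:)?//[^\s\]]+)(?:\s+([^\]]*))?\]")
# Labels that read like an on-wiki page: a wiki URL or a namespace-style title.
WIKI_LOOKING = re.compile(r"wikipedia|wikimedia|/wiki/|^(?:WP|User|Talk):", re.I)

def is_trusted(host):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_links(wikitext):
    """Return (url, label, reason) for off-site links dressed up as on-wiki ones."""
    findings = []
    for m in EXT_LINK.finditer(wikitext):
        url, label = m.group(1), (m.group(2) or "").strip()
        # Protocol-relative URLs (//host/path) need a scheme before parsing.
        host = urlsplit(url if "://" in url else "http:" + url).hostname or ""
        if is_trusted(host):
            continue
        if WIKI_LOOKING.search(label):
            findings.append((url, label, "label imitates a wiki page"))
        elif any(s in host.lower() for s in TRUSTED_SUFFIXES):
            findings.append((url, label, "hostname imitates a trusted domain"))
    return findings

# Constructed sample talk-page text (not taken from any real page).
SAMPLE = """Could you look at [http://en.wikipedia.org.example.net/wiki/Draft Wikipedia:Draft] for me?
See also [https://en.wikipedia.org/wiki/Help:Contents the help page] and [[Help:Contents]].
Source: [http://blog.example.com/post/12 a blog post]
Mirror: [//wikimedia.org.example.net/upload click here]"""

if __name__ == "__main__":
    for url, label, reason in suspicious_links(SAMPLE):
        print(f"{reason}: {label!r} -> {url}")
```

An ordinary off-site link with an honest label, such as the blog link in the sample, is not flagged; only links that borrow the look of an on-wiki page are.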