A fully enumerated list of "cons" would be an important place to start. Wikimedians and WMF have long promoted the existence of stuff ike the "Congress edits" twitter account, which reports account-less edits from capitol hill. We often block high school IP addresses at certain times in the school year when lots of vandalism comes. Are these necessary? We would need to take a broad and careful look to form a coherent opinion about whether we can do without them. There would be substantial impacts on the production processes of the wikis.
-Pete [[User:Peteforsyth]]
On Sat, Nov 12, 2016 at 12:11 PM, Pine W wiki.pine@gmail.com wrote:
Coincidentally, #4 has been discussed in the past few days on the Analytics mailing list, and some of the discussion there about how to semi-anonymize IPs in logs might also be relevant to publicly exposed IP addresses.
I would suggest that deep thought about IP address logging and exposure should wait until the ongoing Wikimedia account security problems are thoroughly addressed and investigated, as that is a more time-sensitive issue. Perhaps in the months ahead, we can have further discussions about IP address exposure and logging. (I'm most concerned about the latter, as it affects logged-in editors who can reasonably expect a fair amount of privacy about their IP addresses.)
Pine
On Sat, Nov 12, 2016 at 12:02 PM, Brion Vibber bvibber@wikimedia.org wrote:
The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time, exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with
the
Wikimedia Foundation as steward of the software and servers, have a
serious
consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required
to
create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public
exposure
of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous users.
- Consider stronger controls on storage of IP addresses in the databases
and how they are secured, in the face of possible attacks through social engineering, security vulnerabilities, or state action. Think about what really needs to be stored and what types of data recovery are possible
when
storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe