On 13 June 2012 15:06, Nathan nawrich@gmail.com wrote:
On Wed, Jun 13, 2012 at 2:42 PM, Risker risker.wp@gmail.com wrote:
I think perhaps I was not clear in what I meant by "nefarious" purposes. The IP addresses in our contribution logs have been used by others to locate editors, to make allegations against individuals and organizations because their IP address showed up in those logs, and so on. It is a key reason why "accidentally editing logged out" is one of the top reasons
for
suppression requests, because it can provide a non-negligible amount of information about the user.
I think I understood what you meant by nefarious, but regardless of the definition, the point remains: unless you restrict any IP-related data to administrators and/or CUs, the type of masking FT2 described is ineffective at improving privacy.
I would put to you that, actually, our publishing of full IP addresses of
our logged-out contributors is a very significant privacy issue. There is no other top-10 website that publishes this information; in fact, the number of websites that attributes contributions to specific (often traceable) IP addresses is minuscule. The only rationale that has ever been given for publishing of IP addresses is for the purpose of edit attribution. That can be done any number of other ways.
Risker
I have to disagree for several reasons. First, while you are correct that no other top 10 website publishes IP information of users, that is in no small part a byproduct of how different Wikipedia is from the other 9. Without belaboring the point too much, search engines and passive viewing sites don't publish user information at all in any format, and commercial social networks have a wholly different set of interests than do Wikimedia projects. Second, more complete anonymity is and has always been available to any editor; while the primary and original purpose of an IP address in edit history is attribution, it has long been put to many other beneficial uses. Given that we've had a stable approach to IP addresses for 10 years, and no rush of demand to change the paradigm, it makes sense to balance the public benefit nature of the projects against the reasonable privacy needs (on which we all generally agree). We should discuss that balance rather than just assume that more perfect privacy is worth significantly less transparency.
The original Wikipedia platform (lo those long years ago) published only partial IP addresses. Today, "significantly less transparency" seems to mean "create an acccount" to many people. However, that is antithetical to the "anyone can edit" principle on which our projects are based. "Anyone can edit, as long as they don't mind that everyone in the world will know where they're from, what ISP they use, and possibly even the physical location from which they are editing and what equipment they're using to do so, unless they create an account" is what it has become.
We want the edits. We don't need to know the rest, and never have. If we needed to know that information, we would have decided not to permit account-based editing in the first place. There's no template at the bottom of the talk pages of editors with accounts that allows identification and geolocation of their IP. If it's useful for logged-out editors, it is just as useful for logged-in ones, according to the "transparency" logic.
One of the reasons that many of us were taken by surprise with the sudden appearance of the IPv6 change was that this very discussion could have taken place beforehand, and would have guided the Engineering team in their progress. I for one have long been concerned about the use of IP addresses to attribute edits, but that may be because I'm one of the few people who winds up suppressing those that happen accidentally to account holders. It's a discussion we need to have, though.
Risker