The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time, exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with the Wikimedia Foundation as steward of the software and servers, have a serious consultation about committing to fix this:
1) Eliminate IP address exposure for non-logged-in editors. Those editors should be either given a random, truly anonymous identifier, or required to create a pseudonym as a login.
2) Seriously think about how this will affect workflows tracking and fighting vandalism, and provide tools that do not depend on public exposure of network addresses.
3) Avoid public exposure or long-term logging of any other location-specific or network-specific information about anonymous users.
4) Consider stronger controls on storage of IP addresses in the databases and how they are secured, in the face of possible attacks through social engineering, security vulnerabilities, or state action. Think about what really needs to be stored and what types of data recovery are possible when storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation
Coincidentally, #4 has been discussed in the past few days on the Analytics mailing list, and some of the discussion there about how to semi-anonymize IPs in logs might also be relevant to publicly exposed IP addresses.
I would suggest that deep thought about IP address logging and exposure should wait until the ongoing Wikimedia account security problems are thoroughly addressed and investigated, as that is a more time-sensitive issue. Perhaps in the months ahead, we can have further discussions about IP address exposure and logging. (I'm most concerned about the latter, as it affects logged-in editors who can reasonably expect a fair amount of privacy about their IP addresses.)
Pine
On Sat, Nov 12, 2016 at 12:02 PM, Brion Vibber bvibber@wikimedia.org wrote:
The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time, exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with the Wikimedia Foundation as steward of the software and servers, have a serious consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required to create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public exposure of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous users.
- Consider stronger controls on storage of IP addresses in the databases
and how they are secured, in the face of possible attacks through social engineering, security vulnerabilities, or state action. Think about what really needs to be stored and what types of data recovery are possible when storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
A fully enumerated list of "cons" would be an important place to start. Wikimedians and WMF have long promoted the existence of stuff ike the "Congress edits" twitter account, which reports account-less edits from capitol hill. We often block high school IP addresses at certain times in the school year when lots of vandalism comes. Are these necessary? We would need to take a broad and careful look to form a coherent opinion about whether we can do without them. There would be substantial impacts on the production processes of the wikis.
-Pete [[User:Peteforsyth]]
On Sat, Nov 12, 2016 at 12:11 PM, Pine W wiki.pine@gmail.com wrote:
Coincidentally, #4 has been discussed in the past few days on the Analytics mailing list, and some of the discussion there about how to semi-anonymize IPs in logs might also be relevant to publicly exposed IP addresses.
I would suggest that deep thought about IP address logging and exposure should wait until the ongoing Wikimedia account security problems are thoroughly addressed and investigated, as that is a more time-sensitive issue. Perhaps in the months ahead, we can have further discussions about IP address exposure and logging. (I'm most concerned about the latter, as it affects logged-in editors who can reasonably expect a fair amount of privacy about their IP addresses.)
Pine
On Sat, Nov 12, 2016 at 12:02 PM, Brion Vibber bvibber@wikimedia.org wrote:
The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time, exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with
the
Wikimedia Foundation as steward of the software and servers, have a
serious
consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required
to
create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public
exposure
of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous users.
- Consider stronger controls on storage of IP addresses in the databases
and how they are secured, in the face of possible attacks through social engineering, security vulnerabilities, or state action. Think about what really needs to be stored and what types of data recovery are possible
when
storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Point #1, with current means, will simply imply the end of countervandalism with IPs.
Vito
2016-11-12 21:02 GMT+01:00 Brion Vibber bvibber@wikimedia.org:
The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time, exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with the Wikimedia Foundation as steward of the software and servers, have a serious consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required to create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public exposure of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous users.
- Consider stronger controls on storage of IP addresses in the databases
and how they are secured, in the face of possible attacks through social engineering, security vulnerabilities, or state action. Think about what really needs to be stored and what types of data recovery are possible when storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
While it is tempting to start with cons, I think for most of the community members, the question will be: 'what alternatives are there to accomplish more or less the same' with regards to fighting vandalism and sockpuppetry. And answering that question would start with describing how we actually do make use of this data. Sounds like a good process to go through, but this puts more emphasis on 2).
Lodewijk
2016-11-12 21:36 GMT+01:00 Vi to vituzzu.wiki@gmail.com:
Point #1, with current means, will simply imply the end of countervandalism with IPs.
Vito
2016-11-12 21:02 GMT+01:00 Brion Vibber bvibber@wikimedia.org:
The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time, exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with
the
Wikimedia Foundation as steward of the software and servers, have a
serious
consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required
to
create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public
exposure
of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous users.
- Consider stronger controls on storage of IP addresses in the databases
and how they are secured, in the face of possible attacks through social engineering, security vulnerabilities, or state action. Think about what really needs to be stored and what types of data recovery are possible
when
storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Honestly I cannot find pros since it's a free choice to edit without logging, so it's not up to me to find them :D if it would depend solely on me this thread would even exist ;)
Meanwhile I weight in the biggest con: the inability to use rangeblocks and an unacceptable weakening of our ability to investigate sockpuppetry and abuse.
Vito
2016-11-12 22:54 GMT+01:00 Lodewijk lodewijk@effeietsanders.org:
While it is tempting to start with cons, I think for most of the community members, the question will be: 'what alternatives are there to accomplish more or less the same' with regards to fighting vandalism and sockpuppetry. And answering that question would start with describing how we actually do make use of this data. Sounds like a good process to go through, but this puts more emphasis on 2).
Lodewijk
2016-11-12 21:36 GMT+01:00 Vi to vituzzu.wiki@gmail.com:
Point #1, with current means, will simply imply the end of
countervandalism
with IPs.
Vito
2016-11-12 21:02 GMT+01:00 Brion Vibber bvibber@wikimedia.org:
The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited
time,
exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with
the
Wikimedia Foundation as steward of the software and servers, have a
serious
consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those
editors
should be either given a random, truly anonymous identifier, or
required
to
create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public
exposure
of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous
users.
- Consider stronger controls on storage of IP addresses in the
databases
and how they are secured, in the face of possible attacks through
social
engineering, security vulnerabilities, or state action. Think about
what
really needs to be stored and what types of data recovery are possible
when
storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
That would require a precise prediction of how it would affect countervandalism. Sometimes a very good clue we have about a sockpuppeteer is the information we get from the IP. Not the number itself, but location and ISP. If that change can make this impossible to find out, that may be a bad idea.
We can also recognize a long term vandal by their IP range when they have dynamic IPs. Providing another kind of identification instead of the IP could also take out this ability.
The price for that could be lots of checkusers with headaches.
Teles
Em sáb, 12 de nov de 2016 às 19:00, Vi to vituzzu.wiki@gmail.com escreveu:
Honestly I cannot find pros since it's a free choice to edit without logging, so it's not up to me to find them :D if it would depend solely on me this thread would even exist ;)
Meanwhile I weight in the biggest con: the inability to use rangeblocks and an unacceptable weakening of our ability to investigate sockpuppetry and abuse.
Vito
2016-11-12 22:54 GMT+01:00 Lodewijk lodewijk@effeietsanders.org:
While it is tempting to start with cons, I think for most of the
community
members, the question will be: 'what alternatives are there to accomplish more or less the same' with regards to fighting vandalism and
sockpuppetry.
And answering that question would start with describing how we actually
do
make use of this data. Sounds like a good process to go through, but this puts more emphasis on 2).
Lodewijk
2016-11-12 21:36 GMT+01:00 Vi to vituzzu.wiki@gmail.com:
Point #1, with current means, will simply imply the end of
countervandalism
with IPs.
Vito
2016-11-12 21:02 GMT+01:00 Brion Vibber bvibber@wikimedia.org:
The biggest privacy problem in Wikipedia has always been the
permanent
public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited
time,
exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along
with
the
Wikimedia Foundation as steward of the software and servers, have a
serious
consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those
editors
should be either given a random, truly anonymous identifier, or
required
to
create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public
exposure
of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous
users.
- Consider stronger controls on storage of IP addresses in the
databases
and how they are secured, in the face of possible attacks through
social
engineering, security vulnerabilities, or state action. Think about
what
really needs to be stored and what types of data recovery are
possible
when
storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
In addition, we'd be making significantly more difficult the detection and mitigation of abusive anonymous editing. Currently, when someone edits as an IP, gets blocked, resets their router, and changes the last octet, we can easily tell they're socking around a block. And to mitigate that, we can then consider an appropriate range block, if they keep doing it.
With a "pseudo pseudonym" used instead of the IP, a checkuser would be required to do that in both those cases, rather than an admin just being able to. That would be a good deal more load on the checkusers, since they would then be responsible for running checks on anonymous editors as well as accounts. A plus there would be that checkusers could definitively link anonymous socking to accounts, which today they can't do for privacy reasons, but realistically, I'd be more in favor of just removing that restriction--if you're editing abusively, you shouldn't have the right to have us help you conceal it.
That doesn't necessarily make it a no go, but even today, anyone concerned about having their IP show up need only create an account, and we've got pretty clear warnings indicating that the IP will be left in the public history if you edit anonymously. If people don't take that simple step, see that warning, and save the edit anyway, I think we can pretty safely conclude that they do not mind if their IP is in the edit history.
Todd
On Sat, Nov 12, 2016 at 3:20 PM, Lucas Teles teleswiki@gmail.com wrote:
That would require a precise prediction of how it would affect countervandalism. Sometimes a very good clue we have about a sockpuppeteer is the information we get from the IP. Not the number itself, but location and ISP. If that change can make this impossible to find out, that may be a bad idea.
We can also recognize a long term vandal by their IP range when they have dynamic IPs. Providing another kind of identification instead of the IP could also take out this ability.
The price for that could be lots of checkusers with headaches.
Teles
Em sáb, 12 de nov de 2016 às 19:00, Vi to vituzzu.wiki@gmail.com escreveu:
Honestly I cannot find pros since it's a free choice to edit without logging, so it's not up to me to find them :D if it would depend solely
on
me this thread would even exist ;)
Meanwhile I weight in the biggest con: the inability to use rangeblocks
and
an unacceptable weakening of our ability to investigate sockpuppetry and abuse.
Vito
2016-11-12 22:54 GMT+01:00 Lodewijk lodewijk@effeietsanders.org:
While it is tempting to start with cons, I think for most of the
community
members, the question will be: 'what alternatives are there to
accomplish
more or less the same' with regards to fighting vandalism and
sockpuppetry.
And answering that question would start with describing how we actually
do
make use of this data. Sounds like a good process to go through, but
this
puts more emphasis on 2).
Lodewijk
2016-11-12 21:36 GMT+01:00 Vi to vituzzu.wiki@gmail.com:
Point #1, with current means, will simply imply the end of
countervandalism
with IPs.
Vito
2016-11-12 21:02 GMT+01:00 Brion Vibber bvibber@wikimedia.org:
The biggest privacy problem in Wikipedia has always been the
permanent
public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited
time,
exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any
potential
attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along
with
the
Wikimedia Foundation as steward of the software and servers, have a
serious
consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those
editors
should be either given a random, truly anonymous identifier, or
required
to
create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking
and
fighting vandalism, and provide tools that do not depend on public
exposure
of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous
users.
- Consider stronger controls on storage of IP addresses in the
databases
and how they are secured, in the face of possible attacks through
social
engineering, security vulnerabilities, or state action. Think about
what
really needs to be stored and what types of data recovery are
possible
when
storing truly personal-private data in shared databases.
-- brion vibber (brion @ pobox.com / brion @ wikimedia.org) Lead Software Architect, Wikimedia Foundation _______________________________________________ Wikimedia-l mailing list, guidelines at:
wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe:
https://lists.wikimedia.org/mailman/listinfo/wikimedia-l,
<mailto:wikimedia-l-request@lists.wikimedia.org?subject=
unsubscribe>
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/
mailman/listinfo/wikimedia-l,
mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
-- Steward for Wikimedia Foundation. Administrator at Portuguese Wikipedia and Wikimedia Commons. Sent from mobile. Please, excuse my brevity. +55 (71) 99707 6409 _______________________________________________ Wikimedia-l mailing list, guidelines at: https://meta.wikimedia.org/ wiki/Mailing_lists/Guidelines New messages to: Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Brion Vibber wrote:
The biggest privacy problem in Wikipedia has always been the permanent public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time, exposing all editors' IP addresses to access by staff and volunteer accounts which could be stolen or misused as well as to any potential attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with the Wikimedia Foundation as steward of the software and servers, have a serious consultation about committing to fix this:
- Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required to create a pseudonym as a login.
- Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public exposure of network addresses.
- Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous users.
There are some notes here: https://www.mediawiki.org/wiki/?curid=428113. Any effort to expand these notes would be welcome.
MZMcBride
On Sat, Nov 12, 2016 at 12:02 PM, Brion Vibber bvibber@wikimedia.org wrote:
- Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required to create a pseudonym as a login.
I filed https://phabricator.wikimedia.org/T133452 for that a while ago (but then never got around to expand it). It would be technically challenging but would unlock many interesting possibilities, such as proper targeting of welcome messages / warning templates / thanks, blocking anonymous editors without blocking the (possibly shared) IP they use, or the ability to claim recent anonymous edits when you register.
On Thu, Nov 17, 2016 at 11:09 PM, Gergo Tisza gtisza@wikimedia.org wrote:
the ability to claim recent anonymous edits when you register.
Here, here. I'm sure my IP address is lying around in lots of places in the wikidump because I forgot to log in or my cookie expired and I never noticed. Automating the task of claiming those edits once you log in would go far toward preventing accidental IP exposure.
I might also suggest thinking of this in terms of architectural change. We have been too casual about IP information inside mediawiki. What if we took as a first step factoring out all IP-related code from the core db and pushing it into a separate db. So instead of "IP edits" we have some sort of automatically-generated pseudonym *but also recorded the IP address associated with this pseudonym in a separate database* -- perhaps this function is actually in an extension, not in core mediawiki. Now we preserve all our abilities to track down sock puppets or do IP blocks, but at the cost of one indirection.
We can then take steps to further protect/limit/purge this IP address database independent of the core mediawiki database, and we don't have "hidden gotchas" in the core code because the core code doesn't manipulate IPs any more. And folks who do routine tasks like processing archive dumps of the core db don't stumble across IPs. --scott
On Nov 18, 2016 05:09, "Gergo Tisza" gtisza@wikimedia.org wrote:
On Sat, Nov 12, 2016 at 12:02 PM, Brion Vibber bvibber@wikimedia.org wrote:
- Eliminate IP address exposure for non-logged-in editors. Those
editors
should be either given a random, truly anonymous identifier, or
required to
create a pseudonym as a login.
I filed https://phabricator.wikimedia.org/T133452 for that a while ago
(but
then never got around to expand it). It >
I am thrilled about this proposal thank you brion and get-go.
Rupert
wikimedia-l@lists.wikimedia.org