On Fri, Sep 27, 2013 at 7:40 PM, Sumana Harihareswara <sumanah(a)wikimedia.org> wrote:
> From talking to Eleanor Saitta: could we do FlaggedRevs by IP space,
> and/or by the intersection of IPs and topic space? Basically, let people
> edit from Tor IPs (and/or whitelist or blacklist categories) as long as
> those go through a FlaggedRevs-type process? And we could also do
> FlaggedRevs on specific IP ranges, like blocks that are known to be
> certain government office buildings.

Unfortunately this would not solve the inherent problem with users editing
from Tor. The reason Tor editors are blocked is not just because of
vandalism. If that were the case, we'd just block anonymous editors and
allow logged in users to edit over Tor.

In other words, cleaning up vandalism from regular users vs. Tor users is
the same amount of work: you revert the vandalism and possibly block the
user. Like somebody else mentioned, FlaggedRevs is not related to the
editors as much as it is to the content. Vandalism still has to be removed
regardless of whether the page has FlaggedRevs. The only difference is that
other users won't see the vandalism because it will be hidden from them.

The reason Tor users are really blocked is because Tor allows users to hide
their actual IP address, which makes it difficult to IP-ban people from
editing and creating accounts, which is sometimes done for severe vandals.
Vandals can continue to switch IP addresses at will, create new accounts,
and continue vandalizing. The only way to avoid this issue is to force
users to associate themselves with a "real" IP address before anonymously
editing, but that kind of defeats the point of being anonymous in the first
place.

Ideas were thrown around of issuing an anonymous token. The idea is that
you generate a secret token, perform some crypto on that token to mask and
hide it, and then have Wikipedia sign the masked and hidden token. Because
of the nature of RSA, you can have Wikipedia sign the hidden token and then
later extract a signature for the real token. Then, when you switch to Tor,
you give the real signed token back to Wikipedia. This allows the site to
know that it previously authenticated the user without being able to link
it with the original IP address. Then, you do major rate-limiting, i.e.,
allowing a given IP address to request a signature once every week or
something. Now rather than blocking an IP address, you block the token, and
since the user can only get a token once a week, they're yet again limited
to using their real IP address.

However, as pointed out, this suffers from a number of issues: 1) a week is
a long time, and on a shared IP address it could be impossible to use; 2)
it requires a lot of client-side crypto, which has to be done in either
JavaScript or a custom client; 3) since the rate-limiting is the equivalent
of IP blocks, vandal IP addresses can never be blocked for more than a
week, which means the problem isn't truly solved. In the end, it comes down
to trying to balance the rate-limiting between usability and blocking
capability. I attempted an implementation of this a while ago, but
abandoned it due to lack of interest. If somebody thinks these goals are
surmountable, I'm sure we can resume discussion on it and maybe I can
resume implementation.

--
Tyler Romeo
Stevens Institute of Technology, Class of 2016
Major in Computer Science
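
The anonymous-token flow described in the message above, as an added example that is not part of the original post and is not the implementation its author mentions. It assumes textbook RSA blinding over a SHA-256 hash of the token; the key is a constructed toy key, and `Server`, `blind`, `unblind`, the sample IP address and the `WEEK` constant are illustrative names and values.

```python
import hashlib, math, secrets

# Constructed toy key from two Mersenne primes: fine for a demo, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # server's private exponent
WEEK = 7 * 24 * 3600                     # assumed issuance interval, seconds

def h(token: bytes) -> int:
    """Hash the secret token to an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big")

class Server:
    def __init__(self):
        self.last_issue = {}             # real IP -> time of last signature
        self.blocked = set()             # tokens banned in place of IPs

    def sign_blinded(self, ip, blinded, now):
        """Sign a blinded value, at most once per WEEK per real IP."""
        last = self.last_issue.get(ip)
        if last is not None and now - last < WEEK:
            return None                  # rate limit hit
        self.last_issue[ip] = now
        return pow(blinded, D, N)

    def accept(self, token, sig):
        """Check a token presented over Tor: valid signature, not blocked."""
        return pow(sig, E, N) == h(token) and token not in self.blocked

def blind(token):
    """Client: mask h(token) with a random factor r before sending it."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def unblind(blind_sig, r):
    """Client: strip r to obtain the signature on the real token."""
    return (blind_sig * pow(r, -1, N)) % N

def demo():
    srv, token = Server(), secrets.token_bytes(32)
    blinded, r = blind(token)
    blind_sig = srv.sign_blinded("203.0.113.7", blinded, now=0)   # from real IP
    sig = unblind(blind_sig, r)
    out = {"second_request": srv.sign_blinded("203.0.113.7", blinded, now=3600),
           "server_saw_different_values": blinded != h(token) and blind_sig != sig,
           "accepted": srv.accept(token, sig)}                    # later, over Tor
    srv.blocked.add(token)                                        # ban the token
    out["after_block"] = srv.accept(token, sig)
    return out
```

The server only ever signs the blinded value, so the token and signature it later sees over Tor do not match anything it recorded against the real IP address.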