On 28/12/12 18:29, Tilman Bayer wrote:
On Fri, Dec 28, 2012 at 1:26 AM, Sumana Harihareswara wrote:
I've floated this problem past Tor and privacy people, and here are a few ideas:
- Just use the existing mechanisms more leniently. Encourage the communities (Wikimedia & Tor) to use https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an account from behind Tor) and to let more people get IP block exemptions even before they've made any edits (< 30 people have gotten exemptions on en.wp in 2012). Add encouraging "get an exempt account" language to the "you're blocked because you're using Tor" messaging. Then if there's an uptick in vandalism from Tor then they can just tighten up again.
This seems the right approach.
- Encourage people with closed proxies to re-vitalize https://en.wikipedia.org/wiki/Wikipedia:WOCP . Problem: using closed proxies is okay for people with some threat models but not others.
I didn't know about it. This is an interesting concept. It would be possible to set up some 'public Wikipedia proxies' (e.g. by a European chapter) and encourage their use. It would still be possible to checkuser people going through that, but a 2-tier process would be needed (wiki checkuser + proxy admin), thus protecting from a “rogue checkuser” (Is that the primary concern of good editors wishing to use proxies?). We could use that setup for gaining information about usage (e.g. it was 90% spam).
- Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over Tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Goldberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project....
As Brad and Ariel point out, Nymble in the form described on the linked project page does not seem to allow long-term blocks, and cannot deal with dynamic IPs. In other words, it would only provide the analogue of autoblock functionality for Tor users. The linked paper by Henry and Goldberg is more realistic about these limitations, discussing IP addresses only as one of several possible "unique identifiers" (§V). From the concluding remarks to that chapter, it seems most likely that they would recommend "some form of PKI or government ID-based registration" for our purposes.
Requiring a government ID for connecting through tor would be even worse for privacy.
I completely agree that matching with the IP address used to request the nymble token is not enough. Maybe if the tokens were instead based on ISP+zone geolocation, that could be a way. Still, that would still miss linkability for vandals who use e.g. both their home and work connections.
3a) A token authorization system (perhaps a MediaWiki extension) where the server blindly signs a token, and then the user can use that token to bypass the Tor blocks. (Tyler mentioned he saw this somewhere in a Bugzilla suggestion; I haven't found it.)
Bug 3729 ?
Thoughts? Are any of you interested in working on this problem? #tor on the OFTC IRC server is full of people who'd be interested in talking about this.
This is a social problem. We have the tools to fix it (account creation + IP block exemption). If someone asked me for that (in a project where I can) because they are censored by their government I would gladly grant it. That also means that when they replaced 'Jimbo' with 'penis', 5 minutes after getting their account, I would notice and kick them out. In my experience, far more people are trying to use Tor in Wikipedia for vandalising than for doing constructive edits / due to local censorship. Although I concede that it's probably the opposite on ‘certain wikis’ I don't edit. The problem with global solutions is vandals abusing them.
"If I don't get caught on 10 edits I can edit through tor" is a candle for vandals. Note that "I don't get caught" is different than "doing a constructive edit".
An idea would be to force some recaptcha-style work before giving such tokens, so even though we know they will abuse the system, we are still using them as an improving force (although the following vandalism could still be worse than what we gained).
I also wonder if we are not aiming too high, trying to solve the anonymity and traceability problems on the internet, while we have for instance captchas forced on anons and newbies on a couple of wikis due to bot vandalism done years ago (bug 41745).