Some notes on experience of tor, and IP block extension, and the use of TorBlock on enwiki
TORBLOCK AND TOR USAGE:
Enwiki for some reason seems to get a lot of heavy duty sock usage and editing abuse. Tor is highly abused, enough that tor has a "hard block on sight" approach pretty much.
About a month ago, IP block extension was enabled on enwiki. This was rolled out carefully on all sides, in view of past rollouts that had not gone smoothly. It was a success. The developers did not enable it until there was a clear communal consensus backed by a clear community policy. The community created that policy and allowed it to stabilize. The issues were considered carefully and a balanced approach created, which to date has worked very well.
IP block exemption has broadly, two main uses -- a good-faith editor who wishes to use their native IP, which is range-blocked for abuse prevention, and an editor who is firewalled and cannot access WMF IP's safely other than via an anonymizing proxy system such as Tor. Unfortunately IP block exemption is also gold dust for account abusers - we have on enwiki regular cases of extremely skilful sock-puppet abusers, including at least two sock-masters who went as far as to get +sysop on a new account, specifically in order to modify blocking of tor proxies, to enable their other socks to edit in a manner that would defeated checkuser.
We resolved this by instigating an IP block exemption policy that was very strict, to ensure admins wouldn't abuse the grant of the right (and could be verified to have done so wrongly if needed) - those whose native IPs are blocked can request IP exemption /provided/ they don't use it to edit via a proxy (which means they remain low risk and any admin can handle granting it), and any user wanting to edit via an anonymizing proxy has their request discussed first by the community, to prevent admins quietly giving it to their socks and making excuses later. So far it's worked well, a dozen or so users on vandal ranges, two Chinese editors, a number of bots, and a user who after discussion was agreed to be trusted not to sock, have all been given IP block exemption.
What is relevant in all this, for TorBlock, is the communal agreement that Tor (and other anonymizing proxies) are a special case, and that we treat them on enwiki as ideally /not/ to be used other than under exceptional conditions such as hard anti-vandal range blocks (if confirmed) and the Chinese or other firewalls (subject to communal consensus). We haven't mass-blocked them before simply because of the technical problems of doing so.
I cannot speak for other wikis, but with IP block exemption working out so well, we probably have no real need to keep tor open at all. The ability to defeat CheckUser is an admin right, permits easy socking, and requires a degree of communal trust. If there is a genuine need, then we have it in place, now, that the request will be considered communally and if agreed, granted. The strictness of the process has meant that this right can be given when genuinely helpful, without major concerns over abuse.
All wikis differ, but on enwiki, the option I would expect most sensible, would be hard blocking of all tor nodes for a reasonable time, or until they have ceased to be tor nodes for a while. (I understand that other wikis may find autoconfirmed or other settings more useful instead.) Enwiki checkusers almost unanimously have a view that tor and other proxies are a major source of disruptive editing. We have IP block exemption in place; tor seems to be a preferred route for problem editing, and if someone does need to edit via tor for a legitimate reason we can easily accommodate it via IP block exemption.
MARKING OF EDITS
A second issue, the marking of edits (revisions/diffs/contribs/history/checkuser/oversight) as having been made via a tor node, would be extremely helpful. For enwiki, one option might be to show this to admins or wider users, as well as checkusers. I've summed up the emails covering this, below.
Best,
FT2
----- cu-list email #1
(Response to comment that there are many wikis with different needs)
Nobody is disputing that different wikis have different needs. The enwiki project (as pointed out) has IP block exemption enabled, and has checkusers who strongly feel that project would benefit from hard blocking tor in this extension's use. Other projects (as you and others rightly point out) may have completely different needs and views.
What I guess this means is, the tor extension needs to be per-wiki configured, but that's hardly a surprise. Ie, same as settings for other features that vary between projects.
----- Email #2
(Response re concern that tor is fluid)
As I understand it, the extension updates its cache of tor nodes every hour, and edits are marked as "tor" if they come from a node that's currently stated to be tor, not just "was a tor node some time in the last 2 months".
It's apparently very specific that at or within a very few hours of the edit it was actively indexed as a tor exit node, hence its usefulness. Werdna has confirmed.
----- Email #3 & #4
(Response on WMF privacy policy)
From time to time, 1/ general information such as ISP/country are in fact
placed on-wiki during the course of a checkuser case, and 2/ this is specifically endorsed by WMF guidance/help information for checkusers.
From [[Meta:Help:Checkuser]], the main WMF guidance page, the full quote:
June 2008:
"Wikimedia privacy policy: [...] The following information is commonly permissible. This list is not comprehensive, and cannot replace the checkuser's judgment... [...] the ISP edited from, if it is large enough that the information is not personally identifiable; the country, which is generally not personally identifiable."
The first versions of the WMF guidance/help page from October 2005 stated the same:
Oct 2005:
"If they're on a large ISP (e.g. AOL, NTL, BT, Telstra), they're one of millions and it's not personally identifiable." "Revealing the country is generally not personally identifiable (e.g. "User:Querulous is coming in from the UK, User:Sockpuppet is coming in from Canada")."
http://meta.wikimedia.org/w/index.php?title=Help:CheckUser&oldid=226259
To support the statement that this is followed in practice as well as "on paper", a quick search gave some specific case examples:
[[RFCU/Case/Cplot]] - "I have pinpointed a couple of Illinois Comcast addresses" ... "The IPs come from Sprint PCS" [[User:MER-C/Blu_Aardvark_RFCU]] - "Usual group of AOL and CenturyTel IPs" [[RFCU/Case/JB196]] - "he has resorted to using anonymous AOL Proxies" [[RFCU/Case/Tajik]] - "Unrelated. Anoshirawan is in the US."
If naming a country or (large) ISP would not be considered a privacy issue, then a flag indicating "this edit was made via tor" is not a privacy issue either. It in no way is personally identifying to say "this edit was made via an anonymizer".
What does matter is the potential it has, for drawing attention to a user and encouraging speculative or bad faith conclusions (eg: "they use tor so they must be a sock/hiding something/up to no good/etc"). I'd be tempted to limit it primarily for the latter reason rather than for privacy reasons. In general it may not be a bad thing to let admins see that info in contribs, diffs and edit histories, as admins do a lot of the initial multiple account spotting for the project. Not making it public to all, and limiting it to admins, will cut most of the problematic usage.
As privacy policy doesn't seem to be an apparent issue, the core question about "who is safe to know" is much more about avoidance of unhelpful, unfair, and often tenuous speculation. I think admins are probably safe on the whole, to trust with that level of information. Worth trialling anyway; and agreeing it may vary by wiki.
----- Email #5
(Response to impact of auto-tor blocking)
Noted that since anon IPs don't get even autoconfirmed, and Werdna's new extension would block tor edits unless at a minimum autoconfirmed (and optionally may hard block them on some projects), then under what circumstances will unlogged-in IPs be able to make edits to WMF projects via tor in future? Is the information that an anon edit was made via tor, likely to arise, or actually be meaningful, in future?
----- Email #6
(Comment on publicity of TorBlock settings)
In any event, can we perhaps agree to keep private the exact requirements for TorBlock extension to allow tor editing on projects, much as we do the length of time that checkuser data is kept, for the same reason -- if it's apparently "large", and a specific limit is not well known, then it won't be so readily gamed.
Best,
FT2