We should set permanent cookies on every pageview except saves, require cookies for saving pages, assign random account names (anon2349bx29s) to anonymous editors, and use cookies to block most users.
We should do away with IP numbers in page histories, recent changes etc. completely.
We should retain the ability to block by IP in emergencies.
This would address several current problems and have several advantages.
1) Having users' IP numbers published all over the place is a quite serious privacy violation. It would be trivial to scan recent changes for hosts with open ports and security vulnerabilities. Furthermore, it reveals geographic information about anonymous editors which they may want to keep private (such information can be very specific, depending on the ISP).
2) Banning anonymous users by IP affects anyone who also uses the same IP. In case of proxies, this may be thousands of individuals. If the first message we send a new user - because they share a vandal IP - is "You are banned from editing for serious vandalism", that user is unlikely to become a regular contributor. Even regulars are frequently pissed off because they accidentally get blocked.
3) Banning users by IP is also ineffective, as for most users, it is trivial to get a new dynamic IP address.
4) For repeat vandals, we can set a very high or unlimited expiry without fear of blocking someone else.
5) Requiring cookies even for anons allows them to change their user preferences even without creating an account.
6) We can more easily attribute edits to users and easily change anon edits over to real accounts when people decide to create an account. This may also address some copyright issues.
Now, regarding some possible criticisms:
1) "They will just delete the cookie and edit away." Yes, some users will do that. For these users, we should retain the ability to block by IP (without revealing that IP address to sysops). However, doing so requires an understanding of how the blocking mechanism works, which most users don't have. They will have to know how to *remove* cookies, not just disable them. The user will have to keep deleting the cookie every time it is re-blocked. And sysops don't have to be hesitant about blocking them, because no other users can be affected by it. So we can in fact make this a single-click operation, making it costly for the average user, and cheap for us.
2) "I have cookies disabled for privacy reasons!" Then you can't be editing Wikipedia non-anonymously. We already require cookies for signed in users. Most modern browsers allow enabling cookies on a case-by-case basis. If a user tries to edit a page without having cookies enabled, we will let them know that they need to enable them. If you are concerned about privacy, you should be more concerned about having IP addresses publicized everywhere, even stored permanently in the page history.
3) "This won't help us to deal with the most egregious vandals." Maybe, maybe not. A vandal using a script would have to do the same thing as a malicious user -- get a fresh cookie from a regular pageview, use that cookie to submit an edit, then discard the cookie. This isn't hard to do, but I doubt the average kiddie will be able to figure it out. On the other hand, we can build more extreme anti-vandalism measures on top of this, like disabling edits by any completely new contributor (= not setting any new cookies) for a few hours.
All in all, I think this would greatly reduce the time spent on fighting vandalism, and allow us to focus on more important matters, like creating an encyclopedia.
Regards,
Erik
"EM" == Erik Moeller erik_moeller@gmx.de writes:
EM> We should set permanent cookies on every pageview except EM> saves, require cookies for saving pages, assign random account EM> names (anon2349bx29s) to anonymous editors, and use cookies to EM> block most users.
Although I think anti-vandalism paranoia is the path to doom, I think the anon cookie is a good idea. It would allow, in addition, setting preferences when not logged in. Also, we could offer to optionally give new users credit for the work they've done anonymously so far.
EM> All in all, I think this would greatly reduce the time spent EM> on fighting vandalism, and allow us to focus on more important EM> matters, like creating an encyclopedia.
Or, y'know, fostering the community that's needed to create an encyclopedia.
~ESP
Evan Prodromou wrote:
EM> All in all, I think this would greatly reduce the time spent EM> on fighting vandalism, and allow us to focus on more important EM> matters, like creating an encyclopedia.
Or, y'know, fostering the community that's needed to create an encyclopedia.
Absolutely. One of my biggest concerns is that problem users exhaust good contributors and make them snap at each other. Problem users cause us to suspect the motives of good people too often.
Some people have a strong internal compass to guide their behavior in a good way. Others, many many others, are basically good people but who will conform to whatever a culture has as norms. A culture in which vandals are allowed to pester people is a culture which will cause more good people to dabble in vandalism and pranks.
One of the brilliant insights of the Wikipedia community is that soft security can work, that most people are basically good. So I'm always in favor of anything that meets my "strict scrutiny" test of being costly to bad behavior while not costing much for good behavior.
--Jimbo
On Wed, 10 Mar 2004, Erik Moeller wrote:
This would address several current problems and have several advantages.
- Having users' IP numbers published all over the place is a quite
serious privacy violation. It would be trivial to scan recent changes for hosts with open ports and security vulnerabilities. Furthermore, it reveals geographic information about anonymous editors which they may want to keep private (such information can be very specific, depending on the ISP).
If people want to hide their IP address they can do so by logging in, all your system would do is force users to login (even if it is under an assigned name). Also IP address are useful in identifying specific vandals with dynamic IPs and also in copyvio/NPOV discussion where the users contribution may relate to their IP address (for example a company IP editing an article about that compant.).
- "They will just delete the cookie and edit away." Yes, some users will
do that. For these users, we should retain the ability to block by IP (without revealing that IP address to sysops). However, doing so requires an understanding of how the blocking mechanism works, which most users don't have.
That kind of vandal isn't really a serious problem we spend more time dealing with persistent vandal with some basic skills then we do with casual vandals.
While I don't disagree that cookies can be used to better deal with vandalism, I don't see why they should replace the current methods. I think the best solution would be a hybrid one allowing for a user to be blocked either on the basis of IP or of cookie.
Incidently on the proxy issue, one way we could identify users who use proxies is to deliver a graphic via ftp or https, as most web browsers will simply bypass the proxy and download the image directly giving away their IP address.
Imran
While I don't disagree that cookies can be used to better deal with vandalism, I don't see why they should replace the current methods. I think the best solution would be a hybrid one allowing for a user to be blocked either on the basis of IP or of cookie.
Erik doesn't say that he wants to replace the IP-method by the coockie-method. In fact he spoke of the hybrid method!?
He just wants to hide the ip-adresses, but in case we need it, the admins can get it and block it.
--Ivo Köthnig
As usual, Erik has great insight. I'm sure that there are some drawbacks to be considered that he hasn't mentioned, but he makes a very persuasive case.
I should point out that I personally regard cookie paranoia as media-driven ignorance, and so while it's my job to be sympathetic to the concerns of everyone, I find it hard to step into the shoes of those who are anti-cookie, as I find their objections to be mostly incoherent and ill-informed. :-)
Cookies provide a great mechanism for increasing anonymity *and* accountability, two issues that are often in tension against each other.
Erik Moeller wrote:
We should set permanent cookies on every pageview except saves, require cookies for saving pages, assign random account names (anon2349bx29s) to anonymous editors, and use cookies to block most users.
We should do away with IP numbers in page histories, recent changes etc. completely.
We should retain the ability to block by IP in emergencies.
This would address several current problems and have several advantages.
- Having users' IP numbers published all over the place is a quite
serious privacy violation. It would be trivial to scan recent changes for hosts with open ports and security vulnerabilities. Furthermore, it reveals geographic information about anonymous editors which they may want to keep private (such information can be very specific, depending on the ISP).
- Banning anonymous users by IP affects anyone who also uses the same IP.
In case of proxies, this may be thousands of individuals. If the first message we send a new user - because they share a vandal IP - is "You are banned from editing for serious vandalism", that user is unlikely to become a regular contributor. Even regulars are frequently pissed off because they accidentally get blocked.
- Banning users by IP is also ineffective, as for most users, it is
trivial to get a new dynamic IP address.
- For repeat vandals, we can set a very high or unlimited expiry without
fear of blocking someone else.
- Requiring cookies even for anons allows them to change their user
preferences even without creating an account.
- We can more easily attribute edits to users and easily change anon
edits over to real accounts when people decide to create an account. This may also address some copyright issues.
Now, regarding some possible criticisms:
- "They will just delete the cookie and edit away." Yes, some users will
do that. For these users, we should retain the ability to block by IP (without revealing that IP address to sysops). However, doing so requires an understanding of how the blocking mechanism works, which most users don't have. They will have to know how to *remove* cookies, not just disable them. The user will have to keep deleting the cookie every time it is re-blocked. And sysops don't have to be hesitant about blocking them, because no other users can be affected by it. So we can in fact make this a single-click operation, making it costly for the average user, and cheap for us.
- "I have cookies disabled for privacy reasons!" Then you can't be
editing Wikipedia non-anonymously. We already require cookies for signed in users. Most modern browsers allow enabling cookies on a case-by-case basis. If a user tries to edit a page without having cookies enabled, we will let them know that they need to enable them. If you are concerned about privacy, you should be more concerned about having IP addresses publicized everywhere, even stored permanently in the page history.
- "This won't help us to deal with the most egregious vandals." Maybe,
maybe not. A vandal using a script would have to do the same thing as a malicious user -- get a fresh cookie from a regular pageview, use that cookie to submit an edit, then discard the cookie. This isn't hard to do, but I doubt the average kiddie will be able to figure it out. On the other hand, we can build more extreme anti-vandalism measures on top of this, like disabling edits by any completely new contributor (= not setting any new cookies) for a few hours.
All in all, I think this would greatly reduce the time spent on fighting vandalism, and allow us to focus on more important matters, like creating an encyclopedia.
Regards,
Erik _______________________________________________ Wikitech-l mailing list Wikitech-l@Wikipedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
On Fri, 12 Mar 2004 09:36:09 -0800, Jimmy Wales wrote:
Cookies provide a great mechanism for increasing anonymity *and* accountability, two issues that are often in tension against each other.
Persistent, non-deletable cookies might be a problem in internet cafes and other shared computers though. If you log in with your user name from that machine and the cookie isn't deleted on logout, the next user would edit with your user name.
In my opinion the concept of username and password has the big advantage of being bound to a person, not to a (potentially shared) computer. If a user has done many good edits (measured in 'trust metrics', number of edits vs. reverts, whatever), he has more rights (sysops for example).
A more flexible version display similar to the one described at http://meta.wikipedia.org/wiki/Anti-vandalism_ideas could take more advantage of this accountability and might also make vandalism less attractive as it wouldn't immediately appear in the 'stable' version shown to new visitors.
wikitech-l@lists.wikimedia.org