New subject: [WikiEN-l] Rethinking vandalism

10 Mar 2004

We should set permanent cookies on every pageview except saves, require  
cookies for saving pages, assign random account names (anon2349bx29s) to  
anonymous editors, and use cookies to block most users.

We should do away with IP numbers in page histories, recent changes etc.  
completely.

We should retain the ability to block by IP in emergencies.

This would address several current problems and have several advantages.

1) Having users' IP numbers published all over the place is a quite  
serious privacy violation. It would be trivial to scan recent changes for  
hosts with open ports and security vulnerabilities. Furthermore, it  
reveals geographic information about anonymous editors which they may want  
to keep private (such information can be very specific, depending on the  
ISP).

2) Banning anonymous users by IP affects anyone who also uses the same IP.  
In case of proxies, this may be thousands of individuals. If the first  
message we send a new user - because they share a vandal IP - is "You are  
banned from editing for serious vandalism", that user is unlikely to  
become a regular contributor. Even regulars are frequently pissed off  
because they accidentally get blocked.

3) Banning users by IP is also ineffective, as for most users, it is  
trivial to get a new dynamic IP address.

4) For repeat vandals, we can set a very high or unlimited expiry without  
fear of blocking someone else.

5) Requiring cookies even for anons allows them to change their user  
preferences even without creating an account.

6) We can more easily attribute edits to users and easily change anon  
edits over to real accounts when people decide to create an account. This  
may also address some copyright issues.

Now, regarding some possible criticisms:

1) "They will just delete the cookie and edit away." Yes, some users will  
do that. For these users, we should retain the ability to block by IP  
(without revealing that IP address to sysops). However, doing so requires  
an understanding of how the blocking mechanism works, which most users  
don't have. They will have to know how to *remove* cookies, not just  
disable them. The user will have to keep deleting the cookie every time it  
is re-blocked. And sysops don't have to be hesitant about blocking them,  
because no other users can be affected by it. So we can in fact make this  
a single-click operation, making it costly for the average user, and cheap  
for us.

2) "I have cookies disabled for privacy reasons!" Then you can't be  
editing Wikipedia non-anonymously. We already require cookies for signed  
in users. Most modern browsers allow enabling cookies on a case-by-case  
basis. If a user tries to edit a page without having cookies enabled, we  
will let them know that they need to enable them. If you are concerned  
about privacy, you should be more concerned about having IP addresses  
publicized everywhere, even stored permanently in the page history.

3) "This won't help us to deal with the most egregious vandals." Maybe,  
maybe not. A vandal using a script would have to do the same thing as a  
malicious user -- get a fresh cookie from a regular pageview, use that  
cookie to submit an edit, then discard the cookie. This isn't hard to do,  
but I doubt the average kiddie will be able to figure it out. On the other  
hand, we can build more extreme anti-vandalism measures on top of this,  
like disabling edits by any completely new contributor (= not setting any  
new cookies) for a few hours.

All in all, I think this would greatly reduce the time spent on fighting  
vandalism, and allow us to focus on more important matters, like creating  
an encyclopedia.

Regards,

Erik