On Swedish Wiktionarys common.js, http://sv.wiktionary.org/wiki/MediaWiki:Common.js , is a script that takes the visitors IP-addresses and transforms it into a non-revertable number, and then sends it to an external private server that belongs to one if the administrators on Wiktionary. The script is used for statistics on visited articles.
To me it seems like this kind of script is a violation of the privacy policy, since it is possible to get the IP-numbers of all visitors, even though it is not done in this case. I should also mention that a discussion was held before this script was activated and that no one objected to it.
Are these kind of scripts allowed?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
StefanB wrote:
On Swedish Wiktionarys common.js, http://sv.wiktionary.org/wiki/MediaWiki:Common.js , is a script that takes the visitors IP-addresses and transforms it into a non-revertable number, and then sends it to an external private server that belongs to one if the administrators on Wiktionary. The script is used for statistics on visited articles.
To me it seems like this kind of script is a violation of the privacy policy, since it is possible to get the IP-numbers of all visitors, even though it is not done in this case. I should also mention that a discussion was held before this script was activated and that no one objected to it.
Are these kind of scripts allowed?
I would prefer we keep that sort of thing on the toolserver (thus to some degree 'in the family') until everyone's happy with the stats we can get out of the new logging framework Tim's put together (at which point they should be removed entirely).
Admin's own server is better than sending off to a third party, but still kinda uggy to my perspective.
- -- brion vibber (brion @ pobox.com / brion @ wikimedia.org)
On 04/02/07, StefanB steffe62@yahoo.com wrote:
On Swedish Wiktionarys common.js, http://sv.wiktionary.org/wiki/MediaWiki:Common.js , is a script that takes the visitors IP-addresses and transforms it into a non-revertable number, and then sends it to an external private server that belongs to one if the administrators on Wiktionary. The script is used for statistics on visited articles.
To me it seems like this kind of script is a violation of the privacy policy, since it is possible to get the IP-numbers of all visitors, even though it is not done in this case. I should also mention that a discussion was held before this script was activated and that no one objected to it.
Are these kind of scripts allowed?
Probably a grey area, since if it really is an irreversible hash (at least, as far as we know the hash function to be so, and we all know how crap some hashes have proven to be), then it's not supposedly possible to arbitrarily obtain IP addresses.
On the other hand, I would agree with Brion about keeping it "within the family", or under Wikimedia-affiliated control. Your community should probably jump on it quickly, since it sets a wobbly precedent.
Rob Church
On 2/4/07, Rob Church robchur@gmail.com wrote:
Probably a grey area, since if it really is an irreversible hash (at least, as far as we know the hash function to be so, and we all know how crap some hashes have proven to be), then it's not supposedly possible to arbitrarily obtain IP addresses.
Not really. If it's just a single MD5 application, say, then four billion applications to get a complete rainbow table would be simple. If it's something such that a single application is slow enough to take a couple of seconds on an average computer, you'd need to put a bit more effort into cracking it (distributed computing via a large botnet, say), but it would still be at least theoretically possible, and slow enough to be distinctly annoying for the end user to boot.
Rob Church wrote:
On 04/02/07, StefanB steffe62@yahoo.com wrote:
On Swedish Wiktionarys common.js, http://sv.wiktionary.org/wiki/MediaWiki:Common.js , is a script that takes the visitors IP-addresses and transforms it into a non-revertable number, and then sends it to an external private server that belongs to one if the administrators on Wiktionary. The script is used for statistics on visited articles.
To me it seems like this kind of script is a violation of the privacy policy, since it is possible to get the IP-numbers of all visitors, even though it is not done in this case.
'Is a violation since is possible but is not done' ?? I don't see where the violation is. Wikimedia servers *do* log the ip addresses of editors, and when we arrage how, will treat visitors data too.
I should also mention that a discussion was held before this script was activated and that no one objected to it.
If there were no objections, i don't have any objection either. You may want to comment on http://sv.wiktionary.org/wiki/Wiktionary:Integritetspolicy that visitors ips are logged.
Are these kind of scripts allowed?
As far as the community is happy with it...
On the other hand, I would agree with Brion about keeping it "within the family", or under Wikimedia-affiliated control. Your community should probably jump on it quickly, since it sets a wobbly precedent.
This is a matter of faith. If this admin is trustable, he won't do any harm with that 'power' the data could give him. If not, he could misuse it even if he were using the toolserver. Using a WMF [Germany] Server shows it nicer, just as signed ActiveX. But the risk is the same.[1]
Probably a grey area, since if it really is an irreversible hash (at least, as far as we know the hash function to be so, and we all know how crap some hashes have proven to be), then it's not supposedly possible to arbitrarily obtain IP addresses.
Reversing the hash for a IP number would be quite easy. But it is not neccesary to get the IP. Why transform it into a 'non-revertable number'? This only make a false sense of security.[2] The user is sending the hash to the external server. Thus, the external server is connecting with the visitor, and *can get their IP*.
I suggest moving http://internetvision.se/dan/projekt/wikt/stats/sv-wikt.js to a wiki page. It is simple javascript and doesn't need to be on the external server. Having it on the wiki will have to changes: internetvision.se will receive less queries (only for the real counts), and visitors won't ask it unless it is visiting a countable page (almost all anyway).
1-Note that if it weren 't a private server of the admin, other people could get this data apart of him. 2-As an example, everybody on this thread were taking the 'non-revertable IP' as granted.
On 2/4/07, Platonides Platonides@gmail.com wrote:
2-As an example, everybody on this thread were taking the 'non-revertable IP' as granted.
I wasn't, but I didn't think of the "you're connecting anyway" angle, which makes the point even better.
The user is sending the hash to the external server. Thus, the external server is connecting with the visitor, and *can get their IP*.
Yes, it's this I'm objecting to, the notion that by visiting a Wikimedia-run website I am unknowingly sending requests to some guy's PC. I have no problem with toolserver-based setups, such as that used on the English Wikipedia.
-Gurch
On 2/4/07, Platonides Platonides@gmail.com wrote:
Rob Church wrote:
On the other hand, I would agree with Brion about keeping it "within the family", or under Wikimedia-affiliated control. Your community should probably jump on it quickly, since it sets a wobbly precedent.
This is a matter of faith. If this admin is trustable,
and if this admin runs a reliable secured computed. Which seems to me a much bigger issue than the 'not trustable' one. Remember AOL.
anyway, hashes are very easy to retrieve... Just have to run 256^4 times the script... matter of minutes.
Plyd
StefanB wrote:
On Swedish Wiktionarys common.js, http://sv.wiktionary.org/wiki/MediaWiki:Common.js , is a script that takes the visitors IP-addresses and transforms it into a non-revertable number, and then sends it to an external private server that belongs to one if the administrators on Wiktionary. The script is used for statistics on visited articles.
To me it seems like this kind of script is a violation of the privacy policy, since it is possible to get the IP-numbers of all visitors, even though it is not done in this case. I should also mention that a discussion was held before this script was activated and that no one objected to it.
Are these kind of scripts allowed?
Oh, great. I'm disabling Javascript for all Wikimedia sites. Are any of the other wikis using this?
-Gurch
On 04/02/07, Gurch matthew.britton@btinternet.com wrote:
Oh, great. I'm disabling Javascript for all Wikimedia sites. Are any of the other wikis using this?
Some, including, I believe, the English Wikipedia, are using a similar script, but the statistics get pushed to the toolserver.
Rob Church
On 2/4/07, Rob Church robchur@gmail.com wrote:
On 04/02/07, Gurch matthew.britton@btinternet.com wrote:
Oh, great. I'm disabling Javascript for all Wikimedia sites. Are any of the other wikis using this?
Some, including, I believe, the English Wikipedia, are using a similar script, but the statistics get pushed to the toolserver.
I don't think that the enwiki script sends IPs, though.
Simetrical wrote:
On 2/4/07, Rob Church robchur@gmail.com wrote:
On 04/02/07, Gurch matthew.britton@btinternet.com wrote:
Oh, great. I'm disabling Javascript for all Wikimedia sites. Are any of the other wikis using this?
Some, including, I believe, the English Wikipedia, are using a similar script, but the statistics get pushed to the toolserver.
I don't think that the enwiki script sends IPs, though.
Presumably the IP address is right there in the source address field of the IP packet. Kind of necessary if a script running on the client is going to send a message to a server. Adding the IP address to the message, hashed or unhashed, would be rather redundant.
-- Tim Starling
Hello, Am Sonntag, den 04.02.2007, 15:12 -0500 schrieb Simetrical:
I don't think that the enwiki script sends IPs, though.
The scripts sends the IP of corse, but the IP is not logged at the toolserver in any way (not clear and not hashed).
A logline looks like:
[05/Feb/2007:17:17:57 +0000] "GET /index.png?ns=0&title=Lima&factor=6000&wiki=enwiki HTTP/1.1"
Sincerly, DaB.
On Feb 4, 2007, at 1:40 PM, Gurch wrote:
StefanB wrote:
<snip/>
Oh, great. I'm disabling Javascript for all Wikimedia sites. Are any of the other wikis using this?
-Gurch
<snip/> maybe I'm insufficiently paranoid, and I know I'm technically naive, but what's the big deal? What's the vuln from the user pov?
Jim Hu
On 04/02/07, Jim Hu jimhu@tamu.edu wrote:
maybe I'm insufficiently paranoid, and I know I'm technically naive, but what's the big deal? What's the vuln from the user pov?
Ohnoes, JavaScript and IP addresses and statistics and recording and the sky is blue and fish in the sea and...<bang>
Probably none, but we're just a bit leery of it being out of our domain of control.
Rob Church
Rob Church schreef:
On 04/02/07, Jim Hu jimhu@tamu.edu wrote:
maybe I'm insufficiently paranoid, and I know I'm technically naive, but what's the big deal? What's the vuln from the user pov?
Ohnoes, JavaScript and IP addresses and statistics and recording and the sky is blue and fish in the sea and...<bang>
Probably none, but we're just a bit leery of it being out of our domain of control.
Rob Church
Hoi, God helps those that help themselves :) Thanks, GerardM
StefanB wrote:
On Swedish Wiktionarys common.js, http://sv.wiktionary.org/wiki/MediaWiki:Common.js , is a script that takes the visitors IP-addresses and transforms it into a non-revertable number, and then sends it to an external private server that belongs to one if the administrators on Wiktionary. The script is used for statistics on visited articles.
I wasn't aware that the client IP address was visible in Javascript, and I saw no such code in that file. It's not much different from having an external link in an article.
On 2/5/07, Alphax (Wikipedia email) alphasigmax@gmail.com wrote:
I wasn't aware that the client IP address was visible in Javascript, and I saw no such code in that file. It's not much different from having an external link in an article.
Except it's one that all contributors follow every time they go to the page. It's not much different from, say, the ads you see on most pages on the Internet, though. Or, for that matter, visiting an external site that you haven't already vetted, which I suppose is what you were getting at. This is the Internet, people, everyone knows your IP address.
wikitech-l@lists.wikimedia.org