Some notes on experience of tor, and IP block extension, and the use of
TorBlock on enwiki

TORBLOCK AND TOR USAGE:
Enwiki for some reason seems to get a lot of heavy duty sock usage and
editing abuse. Tor is highly abused, enough that tor has a "hard block on
sight" approach pretty much.
About a month ago, IP block extension was enabled on enwiki. This was rolled
out carefully on all sides, in view of past rollouts that had not gone
smoothly. It was a success. The developers did not enable it until there was
a clear communal consensus backed by a clear community policy. The community
created that policy and allowed it to stabilize. The issues were considered
carefully and a balanced approach created, which to date has worked very
well.
IP block exemption has, broadly, two main uses -- a good-faith editor who
wishes to use their native IP, which is range-blocked for abuse prevention,
and an editor who is firewalled and cannot access WMF IPs safely other than
via an anonymizing proxy system such as Tor. Unfortunately IP block
exemption is also gold dust for account abusers - we have on enwiki regular
cases of extremely skilful sock-puppet abusers, including at least two
sock-masters who went as far as to get +sysop on a new account, specifically
in order to modify blocking of tor proxies, to enable their other socks to
edit in a manner that would defeat checkuser.
We resolved this by instigating an IP block exemption policy that was very
strict, to ensure admins wouldn't abuse the grant of the right (and could be
verified to have done so wrongly if needed) - those whose native IPs are
blocked can request IP exemption /provided/ they don't use it to edit via a
proxy (which means they remain low risk and any admin can handle granting
it), and any user wanting to edit via an anonymizing proxy has their request
discussed first by the community, to prevent admins quietly giving it to
their socks and making excuses later. So far it's worked well, a dozen or so
users on vandal ranges, two Chinese editors, a number of bots, and a user
who after discussion was agreed to be trusted not to sock, have all been
given IP block exemption.
What is relevant in all this, for TorBlock, is the communal agreement that
Tor (and other anonymizing proxies) are a special case, and that we treat
them on enwiki as ideally /not/ to be used other than under exceptional
conditions such as hard anti-vandal range blocks (if confirmed) and the
Chinese or other firewalls (subject to communal consensus). We haven't
mass-blocked them before simply because of the technical problems of doing
so.
I cannot speak for other wikis, but with IP block exemption working out so
well, we probably have no real need to keep tor open at all. The ability to
defeat CheckUser is an admin right, permits easy socking, and requires a
degree of communal trust. If there is a genuine need, then we have it in
place, now, that the request will be considered communally and if agreed,
granted. The strictness of the process has meant that this right can be
given when genuinely helpful, without major concerns over abuse.
All wikis differ, but on enwiki, the option I would expect most sensible,
would be hard blocking of all tor nodes for a reasonable time, or until they
have ceased to be tor nodes for a while. (I understand that other wikis may
find autoconfirmed or other settings more useful instead.) Enwiki checkusers
almost unanimously have a view that tor and other proxies are a major source
of disruptive editing. We have IP block exemption in place; tor seems to be
a preferred route for problem editing, and if someone does need to edit via
tor for a legitimate reason we can easily accommodate it via IP block
exemption.

MARKING OF EDITS
A second issue, the marking of edits
(revisions/diffs/contribs/history/checkuser/oversight) as having been made
via a tor node, would be extremely helpful. For enwiki, one option might be
to show this to admins or wider users, as well as checkusers. I've summed up
the emails covering this, below.
Best,
FT2
----- cu-list email #1
(Response to comment that there are many wikis with different needs)
Nobody is disputing that different wikis have different needs. The enwiki
project (as pointed out) has IP block exemption enabled, and has checkusers
who strongly feel that project would benefit from hard blocking tor in this
extension's use. Other projects (as you and others rightly point out) may
have completely different needs and views.
What I guess this means is, the tor extension needs to be per-wiki
configured, but that's hardly a surprise. I.e., same as settings for other
features that vary between projects.
----- Email #2
(Response re concern that tor is fluid)
As I understand it, the extension updates its cache of tor nodes every hour,
and edits are marked as "tor" if they come from a node that's currently
stated to be tor, not just "was a tor node some time in the last 2 months".
It's apparently very specific that at or within a very few hours of the edit
it was actively indexed as a tor exit node, hence its usefulness. Werdna has
confirmed.
----- Email #3 & #4
(Response on WMF privacy policy)
From time to time, 1/ general information such as ISP/country is in fact
placed on-wiki during the course of a checkuser case, and 2/ this is
specifically endorsed by WMF guidance/help information for checkusers.
From [[Meta:Help:Checkuser]], the main WMF guidance page, the full quote:
June 2008:
"Wikimedia privacy policy:
[...] The following information is commonly permissible. This list is not
comprehensive, and cannot replace the checkuser's judgment...
[...] the ISP edited from, if it is large enough that the information is not
personally identifiable; the country, which is generally not personally
identifiable."
The first versions of the WMF guidance/help page from October 2005 stated
the same:
Oct 2005:
"If they're on a large ISP (e.g. AOL, NTL, BT, Telstra), they're one of
millions and it's not personally identifiable."
"Revealing the country is generally not personally identifiable (e.g.
"User:Querulous is coming in from the UK, User:Sockpuppet is coming in from
Canada")."
http://meta.wikimedia.org/w/index.php?title=Help:CheckUser&oldid=226259
To support the statement that this is followed in practice as well as "on
paper", a quick search gave some specific case examples:
[[RFCU/Case/Cplot]] - "I have pinpointed a couple of Illinois Comcast
addresses" ... "The IPs come from Sprint PCS"
[[User:MER-C/Blu_Aardvark_RFCU]] - "Usual group of AOL and CenturyTel IPs"
[[RFCU/Case/JB196]] - "he has resorted to using anonymous AOL Proxies"
[[RFCU/Case/Tajik]] - "Unrelated. Anoshirawan is in the US."
If naming a country or (large) ISP would not be considered a privacy issue,
then a flag indicating "this edit was made via tor" is not a privacy issue
either. It in no way is personally identifying to say "this edit was made
via an anonymizer".
What does matter is the potential it has, for drawing attention to a user
and encouraging speculative or bad faith conclusions (eg: "they use tor so
they must be a sock/hiding something/up to no good/etc"). I'd be tempted to
limit it primarily for the latter reason rather than for privacy reasons. In
general it may not be a bad thing to let admins see that info in contribs,
diffs and edit histories, as admins do a lot of the initial multiple account
spotting for the project. Not making it public to all, and limiting it to
admins, will cut most of the problematic usage.
As privacy policy doesn't seem to be an apparent issue, the core question
about "who is safe to know" is much more about avoidance of unhelpful,
unfair, and often tenuous speculation. I think admins are probably safe on
the whole, to trust with that level of information. Worth trialling anyway;
and agreeing it may vary by wiki.
----- Email #5
(Response to impact of auto-tor blocking)
Noted that since anon IPs don't get even autoconfirmed, and Werdna's new
extension would block tor edits unless at a minimum autoconfirmed (and
optionally may hard block them on some projects), then under what
circumstances will unlogged-in IPs be able to make edits to WMF projects via
tor in future? Is the information that an anon edit was made via tor, likely
to arise, or actually be meaningful, in future?
----- Email #6
(Comment on publicity of TorBlock settings)
In any event, can we perhaps agree to keep private the exact requirements
for TorBlock extension to allow tor editing on projects, much as we do the
length of time that checkuser data is kept, for the same reason -- if it's
apparently "large", and a specific limit is not well known, then it won't be
so readily gamed.
Best,
FT2
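
The time-of-edit check described in Email #2, as an added example that is not part of the original e-mail and is not the TorBlock extension's code: an edit is marked "tor" only if its address was on the exit list in force when the edit was made, and is left unmarked as "unknown" when no sufficiently fresh list covers that moment. The class name, the three-hour staleness limit and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Assumption: the list is refreshed hourly (per Email #2); a snapshot older
# than MAX_STALENESS is treated as too old to say anything about an edit.
MAX_STALENESS = timedelta(hours=3)


class ExitListHistory:
    """Timestamped snapshots of an exit-node list (hypothetical helper)."""
    def __init__(self, max_staleness=MAX_STALENESS):
        self._times = []   # fetch times, ascending
        self._sets = []    # frozenset of parsed addresses per snapshot
        self.max_staleness = max_staleness

    def add_snapshot(self, fetched_at, addresses):
        if self._times and fetched_at <= self._times[-1]:
            raise ValueError("snapshots must be added in time order")
        self._times.append(fetched_at)
        # Parse once so textual variants of the same address compare equal.
        self._sets.append(frozenset(ip_address(a) for a in addresses))

    def classify(self, edit_ip, edit_time):
        """Return 'tor', 'not-tor' or 'unknown' for one edit."""
        i = bisect_right(self._times, edit_time) - 1  # newest snapshot <= edit
        if i < 0 or edit_time - self._times[i] > self.max_staleness:
            return "unknown"  # no list covering that moment: do not guess
        return "tor" if ip_address(edit_ip) in self._sets[i] else "not-tor"


def demo():
    """Constructed sample data; addresses are documentation ranges."""
    t0 = datetime(2008, 6, 1, 10, 0, tzinfo=timezone.utc)
    hist = ExitListHistory()
    hist.add_snapshot(t0, ["192.0.2.10", "2001:db8::1"])
    hist.add_snapshot(t0 + timedelta(hours=1), ["2001:db8::1"])  # .10 left
    edits = [
        ("192.0.2.10", t0 + timedelta(minutes=30)),   # listed at edit time
        ("192.0.2.10", t0 + timedelta(minutes=90)),   # no longer listed
        ("2001:DB8:0:0:0:0:0:1", t0 + timedelta(minutes=90)),  # same as ::1
        ("192.0.2.10", t0 - timedelta(hours=1)),      # before first snapshot
        ("192.0.2.10", t0 + timedelta(hours=9)),      # list is stale
    ]
    return [hist.classify(ip, when) for ip, when in edits]


if __name__ == "__main__":
    print(demo())
```

Keeping the snapshots rather than only the latest list is what lets a flag be checked later against the list that was current at the time of the edit.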