On Mon, Jan 13, 2014 at 9:10 AM, Chris Steipp csteipp@wikimedia.org wrote:
To satisfy Applebaum's request, there needs to be a mechanism whereby someone can edit even if *all of their communications with Wikipedia, including the initial contact* are coming over Tor or equivalent. Blinded, costly-to-create handles (minted by Wikipedia itself) are one possible way to achieve that; if there are concrete reasons why that will not work for Wikipedia, the people designing these schemes would like to know about them.
This should be possible, according to https://meta.wikimedia.org/wiki/NOP, which Nemo also posted. The user sends an email to the stewards (using tor to access email service of their choice). Account is created, and user can edit Wikimedia wikis. Or is there still a step that is missing?
I tested the existing process by creating a new riseup.net email account via Tor, then requesting account creation and a global exemption via stewards@wikimedia.org. My account creation request was granted, but for exemption purposes, I was requested to go through the process for any specific wiki I want to edit. In fact, the account was created on Meta, but not exempted there.
The reason I gave is as follows:
"My reason for editing through Tor is that I would like to write about sensitive issues (e.g. government surveillance practices) and prefer not to be identified when doing so. I have some prior editing experience, but would rather not disclose further information about it to avoid any correlation of identities."
This seems like a valid reason for a global exemption to me, so I'm not sure the current global policy is sufficient.
Erik
On Fri, Jan 17, 2014 at 1:21 PM, Erik Moeller erik@wikimedia.org wrote:
I tested the existing process by creating a new riseup.net email account via Tor, then requesting account creation and a global exemption via stewards@wikimedia.org. My account creation request was granted, but for exemption purposes, I was requested to go through the process for any specific wiki I want to edit. In fact, the account was created on Meta, but not exempted there.
Thanks for taking the initiative to check that out. Now maybe the stewards will be paranoid that any further Tor requests might be from you, and act accordingly. It kinda reminds me of the Rosenhan Experiment (https://en.wikipedia.org/wiki/Rosenhan_experiment). Just the known possibility that there might be a mystery customer keeps the service providers on their toes, and they are much more likely to mistake an ordinary customer for the mystery customer than vice versa, as demonstrated by the non-existent impostor experiment (https://en.wikipedia.org/wiki/Rosenhan_experiment#The_non-existent_impostor_experiment).
On Fri, Jan 17, 2014 at 1:21 PM, Erik Moeller erik@wikimedia.org wrote:
On Mon, Jan 13, 2014 at 9:10 AM, Chris Steipp csteipp@wikimedia.org wrote:
To satisfy Applebaum's request, there needs to be a mechanism whereby someone can edit even if *all of their communications with Wikipedia, including the initial contact* are coming over Tor or equivalent. Blinded, costly-to-create handles (minted by Wikipedia itself) are one possible way to achieve that; if there are concrete reasons why that will not work for Wikipedia, the people designing these schemes would like to know about them.
This should be possible, according to https://meta.wikimedia.org/wiki/NOP, which Nemo also posted. The user sends an email to the stewards (using tor to access email service of their choice). Account is created, and user can edit Wikimedia wikis. Or is there still a step that is missing?
I tested the existing process by creating a new riseup.net email account via Tor, then requesting account creation and a global exemption via stewards@wikimedia.org. My account creation request was granted, but for exemption purposes, I was requested to go through the process for any specific wiki I want to edit. In fact, the account was created on Meta, but not exempted there.
The reason I gave is as follows:
"My reason for editing through Tor is that I would like to write about sensitive issues (e.g. government surveillance practices) and prefer not to be identified when doing so. I have some prior editing experience, but would rather not disclose further information about it to avoid any correlation of identities."
This seems like a valid reason for a global exemption to me, so I'm not sure the current global policy is sufficient.
I use an anonymous encrypted VPN when accessing the Internet from home, and found myself unable to edit on en.wp. I requested IPBE https://en.wikipedia.org/w/index.php?title=User_talk:Nathan&diff=572887054&oldid=568388651 and was initially denied because I was able to turn off the VPN to edit. Exemption was only granted because an administrator familiar with me was watching my talkpage and stepped in.
On Fri, Jan 17, 2014 at 1:21 PM, Erik Moeller erik@wikimedia.org wrote:
I tested the existing process by creating a new riseup.net email account via Tor, then requesting account creation and a global exemption via stewards@wikimedia.org. My account creation request was granted, but for exemption purposes, I was requested to go through the process for any specific wiki I want to edit. In fact, the account was created on Meta, but not exempted there.
I feel like a much better experiment would be to:
1) Do what you just did
2) Request Tor access on a specific wiki
3) Edit for a while and become an established editor
4) Then ask for a global exemption
If anything it is good for stewards to not randomly grant global exemptions to anybody who walks in off the street.
If anything I would try testing out the enwiki-specific exemption process and see how that works out for you.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science
On 01/17/2014 01:21 PM, Erik Moeller wrote:
This seems like a valid reason for a global exemption to me, so I'm not sure the current global policy is sufficient.
To be fair, Erik, I don't think it's fair to expect that one would be granted IPBE (especially globally) simply by just remembering to not add "and vandalize" in the request.
On English Wikipedia, at least, IPBE is normally only granted to someone who has some positive history and has an actual /need/ for the bit. The reason for this is simple: It's been abused over and over again historically. The number of times I personally caught someone misusing a proxy for socking that happened to have a "good hand" account with IPBE also on that proxy is much higher than the number of IPBE I've seen used legitimately.
The problem isn't straight up vandalism (IPBE is no help there -- the account'd get swiftly blocked) but socking. POV warriors know how to misuse proxies and anonymity to multiply "their" consensus, and having IPBE and editing through any sort of anonymizing proxy (including TOR) defeats what little means checkuser have to curb socking.
-- Marc
On 17.01.2014 20:08, Marc A. Pelletier wrote:
The problem isn't straight up vandalism (IPBE is no help there -- the account'd get swiftly blocked) but socking. POV warriors know how to misuse proxies and anonymity to multiply "their" consensus, and having IPBE and editing through any sort of anonymizing proxy (including TOR) defeats what little means checkuser have to curb socking.
There are (may be) solutions for this and related issues, see:
(book) Peter Wayner "Disappearing Cryptography" Third edition pages 225-227, 2009. ISBN 978-0-12-374479-1 Chapter 10.7.3 "Stopping Bad user":
"bad users of the onion routing network can ruin the reputation of other users. The Wikipedia, for instance, often blocks TOR exit nodes complete because some people have used the network to hide their identities while defacing the wiki's entries..."
In the further passages Peter Wayner explains a "one straight-forward solution is to use some form of certificates with a *blind signature*, a technique that borrows from some of the early solutions for building anonymous digital cash" (A typical example with "Alice" follows - must read this).
and
http://dx.doi.org/10.1109/TDSC.2009.38
(article) Tsang, P.P.; Kapadia, A.; Cornelius, C.; Smith, S.W., "Nymble: Blocking Misbehaving Users in Anonymizing Networks." IEEE Transactions on Dependable and Secure Computing, vol.8, no.2, pp.256-269, March-April 2011.
I mentioned both in https://bugzilla.wikimedia.org/show_bug.cgi?id=59146 .
On 01/17/2014 02:15 PM, Thomas Gries wrote:
In the further passages Peter Wayner explains a "one straight-forward solution is to use some form of certificates with a *blind signature*, a technique that borrows from some of the early solutions for building anonymous digital cash" (A typical example with "Alice" follows - must read this).
That's no help; because it'd be trivial for any person to get any number of those certificates and we're back to one editor holding multiple identities in a way that cannot be collated by checkusers.
Unless you're willing to add a price tag to this that has value to the socker (and no, "time" or "effort" aren't it -- POV warriors have plenty of both when they have a Truth to Defend™) then it offers no solution.
-- Marc
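As an added illustration (not part of the thread, and not Wikimedia's or Wayner's code), the sketch below shows the blind-signature handle idea Thomas cites together with Marc's objection: the signature only makes the handle unlinkable to the request, while the limit on how many handles one person can collect comes entirely from the issuer's quota on whatever approved request gates issuance. The `Issuer`, `Client` and `Wiki` classes, the request ids and the toy RSA key are assumptions made for the example.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key from two Mersenne primes so the example runs offline.
# Constructed for illustration only: textbook RSA without padding and
# special-form primes are not safe for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent


def digest(serial: bytes) -> int:
    """Map a handle's serial number to the integer that gets signed."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")


class Issuer:
    """Hypothetical mint: signs blinded values, one per approved request."""

    def __init__(self, quota: int = 1):
        self.quota = quota
        self.issued = {}   # approved request id -> handles signed so far
        self.seen = []     # every value the issuer ever observes

    def sign_blinded(self, request_id: str, blinded: int) -> int:
        if self.issued.get(request_id, 0) >= self.quota:
            raise PermissionError("quota exhausted for " + request_id)
        self.issued[request_id] = self.issued.get(request_id, 0) + 1
        self.seen.append(blinded)
        return pow(blinded, D, N)


class Client:
    """Editor side: picks a random serial and hides it from the issuer."""

    def __init__(self):
        self.serial = secrets.token_bytes(32)
        self.r = secrets.randbelow(N - 2) + 2      # blinding factor
        while gcd(self.r, N) != 1:
            self.r = secrets.randbelow(N - 2) + 2

    def blind(self) -> int:
        return digest(self.serial) * pow(self.r, E, N) % N

    def unblind(self, blind_sig: int) -> int:
        return blind_sig * pow(self.r, -1, N) % N


class Wiki:
    """Hypothetical verifier reached over Tor; sees only (serial, sig)."""

    def __init__(self):
        self.accounts = {}   # serial -> account name
        self.revoked = set()

    def register(self, serial: bytes, sig: int, account: str) -> str:
        if pow(sig, E, N) != digest(serial):
            return "invalid"
        if serial in self.revoked:
            return "blocked"
        if self.accounts.setdefault(serial, account) != account:
            return "already-used"
        return "accepted"

    def ban(self, account: str) -> None:
        # Blocking the account also burns the handle it was created with.
        self.revoked.update(s for s, a in self.accounts.items() if a == account)


if __name__ == "__main__":
    issuer, wiki, editor = Issuer(), Wiki(), Client()
    sig = editor.unblind(issuer.sign_blinded("approved-request-1", editor.blind()))
    print(wiki.register(editor.serial, sig, "EditorA"))
    wiki.ban("EditorA")
    print(wiki.register(editor.serial, sig, "EditorB"))
```

With `quota` raised or the request ids free to obtain, the same code hands out unlimited unlinkable handles, which is the failure Marc describes.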
On 17 January 2014 14:08, Marc A. Pelletier marc@uberbox.org wrote:
On 01/17/2014 01:21 PM, Erik Moeller wrote:
This seems like a valid reason for a global exemption to me, so I'm not sure the current global policy is sufficient.
To be fair, Erik, I don't think it's fair to expect that one would be granted IPBE (especially globally) simply by just remembering to not add "and vandalize" in the request.
On English Wikipedia, at least, IPBE is normally only granted to someone who has some positive history and has an actual /need/ for the bit. The reason for this is simple: It's been abused over and over again historically. The number of times I personally caught someone misusing a proxy for socking that happened to have a "good hand" account with IPBE also on that proxy is much higher than the number of IPBE I've seen used legitimately.
The problem isn't straight up vandalism (IPBE is no help there -- the account'd get swiftly blocked) but socking. POV warriors know how to misuse proxies and anonymity to multiply "their" consensus, and having IPBE and editing through any sort of anonymizing proxy (including TOR) defeats what little means checkuser have to curb socking.
I agree with Marc on this, and further would say that the "reason" given by Erik in his application for IPBE is pretty much a red flag that a user is going to be editing in a controversial and non-neutral manner. It's also a red flag that the user's probably been blocked for doing it before, and thinks this will be a workaround that will prevent him/her from being blocked this time.
Risker/Anne
On Fri, Jan 17, 2014 at 11:08 AM, Marc A. Pelletier marc@uberbox.org wrote:
The problem isn't straight up vandalism (IPBE is no help there -- the account'd get swiftly blocked) but socking. POV warriors know how to misuse proxies and anonymity to multiply "their" consensus, and having IPBE and editing through any sort of anonymizing proxy (including TOR) defeats what little means checkuser have to curb socking.
I understand. Wikimedia's current abuse prevention strategies rely on limits to user privacy being maintained, and any technical solution that attempts to broaden access for Tor users is unlikely to be successful at any significant scale unless this changes, no matter how clever a solution it is.
The Board or global community could decide that protecting users' right to anonymity is more important than having abuse prevention tools relying on IP disclosure, but in the absence of such a Board-level decision or community-wide vote, I don't think the situation relative to Tor users will change. My personal view is that we should transition away from tools relying on IP disclosure, given the global state of Internet surveillance and censorship which makes tools like Tor necessary.
Erik
On 17 January 2014 16:26, Erik Moeller erik@wikimedia.org wrote:
On Fri, Jan 17, 2014 at 11:08 AM, Marc A. Pelletier marc@uberbox.org wrote:
The problem isn't straight up vandalism (IPBE is no help there -- the account'd get swiftly blocked) but socking. POV warriors know how to misuse proxies and anonymity to multiply "their" consensus, and having IPBE and editing through any sort of anonymizing proxy (including TOR) defeats what little means checkuser have to curb socking.
I understand. Wikimedia's current abuse prevention strategies rely on limits to user privacy being maintained, and any technical solution that attempts to broaden access for Tor users is unlikely to be successful at any significant scale unless this changes, no matter how clever a solution it is.
The Board or global community could decide that protecting users' right to anonymity is more important than having abuse prevention tools relying on IP disclosure, but in the absence of such a Board-level decision or community-wide vote, I don't think the situation relative to Tor users will change. My personal view is that we should transition away from tools relying on IP disclosure, given the global state of Internet surveillance and censorship which makes tools like Tor necessary.
Well, Erik, the vast majority of socks are blocked without checkuser evidence, and always have been, on all projects; the evidence is often in the edits, and doesn't need any privacy-invading tools to confirm. I get the notion of reducing or eliminating the public visibility of IP addresses and am quite supportive of it; IPv6 addresses in particular can often disclose far too much personal information.
End of the day, though, absent blocking problematic IP addresses and ranges (which really can't be done unless the person blocking actually knows the IP address or range), the socks and spammers just keep coming. This problem isn't unique to WMF projects, and I don't believe anyone has come up with a solution that allows open/unregistered editing without also using IP information for blocking or limiting access.
Risker
On Fri, Jan 17, 2014 at 1:38 PM, Risker risker.wp@gmail.com wrote:
End of the day, though, absent blocking problematic IP addresses and ranges (which really can't be done unless the person blocking actually knows the IP address or range), the socks and spammers just keep coming. This problem isn't unique to WMF projects, and I don't believe anyone has come up with a solution that allows open/unregistered editing without also using IP information for blocking or limiting access.
I'm not arguing for open editing from Tor. I do think it would be nice if global exemptions could in fact be obtained reasonably easily by emailing stewards@wikimedia.org. While it's true that such requests could be misused, the following are also true:
- We regulate the influx of requests and the exemptions we grant. This means that we can use wait periods, interview questions, and other mechanisms to avoid it turning into a free-for-all. This is effectively the same mechanism riseup.net uses to grant anonymous email addresses.
- We know all the accounts that we have granted global exemptions to and therefore can investigate behavior _across the group_ of Tor users fairly easily, or even subsets of that group such as exemptions granted in a certain time window, by a certain user, etc.
It would allow a motivated person to reset their identity and go undetected provided they avoid the kind of articles and behaviors they got in trouble over in the first place. It's not clear to me that the consequences would be particularly severe or unmanageable beyond that.
Erik
On Fri, Jan 17, 2014 at 6:33 PM, Erik Moeller erik@wikimedia.org wrote:
It would allow a motivated person to reset their identity and go undetected provided they avoid the kind of articles and behaviors they got in trouble over in the first place. It's not clear to me that the consequences would be particularly severe or unmanageable beyond that.
People get banned from Wikimedia projects for off-wiki conduct too that has nothing to do with Wikimedia projects.
On 01/18/2014 12:33 AM, Erik Moeller wrote:
I'm not arguing for open editing from Tor. I do think it would be nice if global exemptions could in fact be obtained reasonably easily by emailing stewards@wikimedia.org. While it's true that such requests could be misused, the following are also true:
What would be involved for someone to misuse _without_ Tor?:
1) Find a free WiFi spot you haven't used before.
2) Create account (no need to enter any Email).
3) Abuse and repeat if you get banned.
I tried 1 and 2, obviously not doing 3. It worked on my first try. I wouldn't have thought it would be that easy.
To summarize: It is currently easier for someone to abuse without Tor than with it. An abuser doesn't need that strong anonymity. For someone who wants to do good face editing and needs the stronger anonymity provided by Tor it is currently much more work than for an abuser.
Why should account creation be harder for Tor users than for free WiFi users?
On Sat, Feb 1, 2014 at 12:12 PM, Jan Zerebecki jan.wikimedia@zerebecki.de wrote:
What would be involved for someone to misuse _without_ Tor?:
- Find a free WiFi spot you haven't used before.
- Create account (no need to enter any Email).
- Abuse and repeat if you get banned.
I tried 1 and 2, obviously not doing 3. It worked on my first try. I wouldn't have thought it would be that easy.
Your scenario is based on the premise that Wikipedia vandals care enough about vandalizing Wikipedia that they would get in their car (assuming they're old enough to have a license), drive to the nearest Starbucks, vandalize Wikipedia, and then drive somewhere else when they are blocked.
Most vandals don't put that much effort into it. I would argue that abusing free WiFi hotspots is actually harder than abusing Tor, because it involves physically moving from location to location, as opposed to pressing a button and resetting my identity. Keep in mind we are not trying to permanently block vandals, because that's impossible. We're just trying to make vandalism difficult enough so it is no longer worthwhile.
-- Tyler Romeo, Stevens Institute of Technology, Class of 2016, Major in Computer Science
On Sat, Feb 1, 2014 at 2:20 PM, Tyler Romeo tylerromeo@gmail.com wrote:
Your scenario is based on the premise that Wikipedia vandals care enough about vandalizing Wikipedia that they would get in their car (assuming they're old enough to have a license), drive to the nearest Starbucks, vandalize Wikipedia, and then drive somewhere else when they are blocked.
Also, a lot of wifi hotspots such as restaurants already have had their Wikipedia editing access blocked.
On 1 February 2014 09:12, Jan Zerebecki jan.wikimedia@zerebecki.de wrote:
- Find a free WiFi spot you haven't used before.
- Create account (no need to enter any Email).
- Abuse and repeat if you get banned.
That doesn't always work. Many open access points like this are blocked such that it's not possible to create a new account, but it is possible to edit through an existing one. Libraries and schools are the primary example of this.
To summarize: It is currently easier for someone to abuse without Tor than with it.
The same is true of blocks. It is currently easier to vandalise when your IP is not blocked than when it is. Should we remove blocking altogether? No. Once you put in place measures to stop abuse through one avenue, people can do that same abuse through another avenue. That's not a reason not to attempt to stop the abuse.
Why should account creation be harder for Tor users than for free WiFi users?
Aside from the fact that this is not always true (see my first point), it's simply because we got much more abuse from users of Tor than we did from users of free wifi. And the abuse from Tor was much more critical, such as uploading illegal content, as opposed to the simple block evasion that we typically see from free wifi.
In an ideal world, we wouldn't need to block Tor. Then again, in an ideal world, we wouldn't need blocks at all.
Dan
On 01/02/2014 20:39, Dan Garry wrote:
On 1 February 2014 09:12, Jan Zerebecki jan.wikimedia@zerebecki.de wrote:
- Find a free WiFi spot you haven't used before.
- Create account (no need to enter any Email).
- Abuse and repeat if you get banned.
That doesn't always work. Many open access points like this are blocked such that it's not possible to create a new account, but it is possible to edit through an existing one. Libraries and schools are the primary example of this.
To summarize: It is currently easier for someone to abuse without Tor than with it.
The same is true of blocks. It is currently easier to vandalise when your IP is not blocked than when it is. Should we remove blocking altogether? No. Once you put in place measures to stop abuse through one avenue, people can do that same abuse through another avenue. That's not a reason not to attempt to stop the abuse.
Why should account creation be harder for Tor users than for free WiFi users?
Aside from the fact that this is not always true (see my first point), it's simply because we got much more abuse from users of Tor than we did from users of free wifi. And the abuse from Tor was much more critical, such as uploading illegal content, as opposed to the simple block evasion that we typically see from free wifi.
In an ideal world, we wouldn't need to block Tor. Then again, in an ideal world, we wouldn't need blocks at all.
Dan
Furthermore this kind of issue is more a community affair rather than technical.
Anyway, those who need to use TOR have been granted an exemption for years.
Vito
On 01/17/2014 04:26 PM, Erik Moeller wrote:
I understand. Wikimedia's current abuse prevention strategies rely on limits to user privacy being maintained, and any technical solution that attempts to broaden access for Tor users is unlikely to be successful at any significant scale unless this changes, no matter how clever a solution it is.
Not necessarily. Abuse prevention requires, fundamentally, only one thing: being able to tell that edit X has been done by the same person as edit Y with N% probability. That's the fundamental decision done by administrators and checkusers when deciding whether to block a user or source of edits.
User IP and UA is one of the datapoints that is used for that determination (both by checkusers and, indirectly, by administrators via autoblocks or range blocks); but any other method by which that determination can be made would serve just as well.
That we are not currently able to satisfactorily find a method by which we can attribute online actions to an individual without (currently) placing some limits on their privacy does not mean we never will be able to -- or at least that we'll be able to tip the balance towards more privacy than less.
It's a Hard Problem. Businesses tend to fix it by tying online identities to some physical (and finite) token of existence (like a Credit Card); something which we emphatically would never want to do because that vastly /reduces/ privacy. We don't care to know who someone *is*, just whether they are the same one as before.
IMO, efforts should be directed towards that more fundamental goal; everything else will fall into place from there.
-- Marc
On Fri, Jan 17, 2014 at 01:26:04PM -0800, Erik Moeller wrote:
The Board or global community could decide that protecting users' right to anonymity is more important than having abuse prevention tools relying on IP disclosure, but in the absence of such a Board-level decision or community-wide vote, I don't think the situation relative to Tor users will change. My personal view is that we should transition away from tools relying on IP disclosure, given the global state of Internet surveillance and censorship which makes tools like Tor necessary.
Hear, hear. I couldn't agree more.
My own view:
This matter isn't about dissidents in oppressive regimes or suspected criminals. It never was, but it has become especially apparent to everyone this summer.
The whole world -literally everyone- is being constantly surveilled and our communications recorded for decades to come. Everyone is a suspect and everyone has a file. We'll never be sure again, for example, that actions that we perform today, as innocent as they are now -like a Wikipedia edit- won't be used against us in 5 or 10 years to link us with a crime or group.
All access & edits to Wikipedia being monitored isn't some paranoid theory anymore, we can be more than sure of it. Tor is one of the very few ways to resist this pervasive surveillance and work around the panopticon of modern states. We *must* find a way to support it as a first-class citizen, for exactly the same reasons Wikipedia has been protective of users' privacy and has a stringent privacy policy.
(I was at 30C3; I got a bazillion complaints from numerous people about this every time I mentioned my affiliation, even before Jake's talk)
Regards, Faidon
wikitech-l@lists.wikimedia.org