[Foundation-l] Release of squid log data
Gregory Maxwell
gmaxwell at gmail.com
Wed Sep 19 22:48:38 UTC 2007
On 9/19/07, SlimVirgin <slimvirgin at gmail.com> wrote:
[snip]
> My understanding is that, with the information people are considering
> releasing, it would be possible for someone to work out which editor
> had which IP address, which would be a serious betrayal of trust.
Hopefully you can see from my prior posts on this thread that I favor
a conservative handling of private data and you won't mistake my point
below for an insensitivity to your concerns.
I agree that the log data must not be handled in a way that reduces
privacy, but I disagree with the implied claim that there is a high
level of privacy for *editors* to begin with.
If editors are betting on the privacy of their IP addresses to avoid
harassment or stalkers then they are making a bad bet. I do not want
people to be surprised when they discover the privacy they thought
they had did not really exist.
There are many ways a users IP can be leaked. For example, whenever
you follow a link to an external site your address is leaked to that
site. Any administrator can inject CSS or JS into your personal or the
site wide files which could cause your browser to connect to another
site and give away your address. Your use of email along with your
account can reveal your address. We have a great many checkusers, and
while they are trustworthy their machines or accounts could become
compromised. Checkuser data is sent unencrypted to checkusers across
the Internet. ... it's very very very easy to accidentally edit while
logged out, especially when you cross over to one of our other wikis
like commons or meta.
The protections provided today are not bad. But they are not very good
because very good protection would be someplace between highly
inconvenient and impossible.
Only the most paranoid and inconvenience tolerant people have a
fighting chance of keeping their totally secret during a long editing
carrier.
Most people simply lack the foresight (few expect stalkers the day
they make their first edit), technical expertise, and patience
required to strongly protect their anonymity while editing.
Providing privacy strong enough to stop a stalker for people who are
indirectly spewing out large amounts of information about themselves
in the form of edits is just a really hard problem which I don't have
a solution for...
More information about the foundation-l
mailing list