[Foundation-l] Release of squid log data

SlimVirgin slimvirgin at gmail.com
Wed Sep 19 23:52:08 UTC 2007


On 9/19/07, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On 9/19/07, SlimVirgin <slimvirgin at gmail.com> wrote:
> [snip]
> > My understanding is that, with the information people are considering
> > releasing, it would be possible for someone to work out which editor
> > had which IP address, which would be a serious betrayal of trust.
>
> Hopefully you can see from my prior posts on this thread that I favor
> a conservative handling of private data and you won't mistake my point
> below for an insensitivity to your concerns.
>
> I agree that the log data must not be handled in a way that reduces
> privacy, but I disagree with the implied claim that there is a high
> level of privacy for *editors* to begin with.
>
> If editors are betting on the privacy of their IP addresses to avoid
> harassment or stalkers then they are making a bad bet. I do not want
> people to be surprised when they discover the privacy they thought
> they had did not really exist.
>
> There are many ways a user's IP can be leaked. For example, whenever
> you follow a link to an external site your address is leaked to that
> site. Any administrator can inject CSS or JS into your personal or the
> site wide files which could cause your browser to connect to another
> site and give away your address. Your use of email along with your
> account can reveal your address. We have a great many checkusers, and
> while they are trustworthy their machines or accounts could become
> compromised. Checkuser data is sent unencrypted to checkusers across
> the Internet. ... it's very very very easy to accidentally edit while
> logged out, especially when you cross over to one of our other wikis
> like commons or meta.

Yes, I agree that protecting IP addresses is hard. Just as an example,
we have one stalker (and I'm using the word advisedly) who posts links
on people's talk pages to what appear to be Wikipedia articles,
purportedly asking for advice, but in fact diverting that user to the
stalker's own website, so he can pick up the IP. He's also sent
e-mails with disguised links that divert people to a blog he has
access to.

The concerns of people being harassed are partly to do with not
wanting people to know where we edit from, but also to do with fears
that the more determined stalkers could get into the user's computer
if they knew the exact IP, which is a more serious invasion than
knowing you live in New York or wherever.
>
> The protections provided today are not bad. But they are not very good
> because very good protection would be someplace between highly
> inconvenient and impossible.
>
> Only the most paranoid and inconvenience tolerant people have a
> fighting chance of keeping their totally secret during a long editing
> career.
>
> Most people simply lack the foresight (few expect stalkers the day
> they make their first edit), technical expertise, and patience
> required to strongly protect their anonymity while editing.
>
> Providing privacy strong enough to stop a stalker for people who are
> indirectly spewing out large amounts of information about themselves
> in the form of edits is just a really hard problem which I don't have
> a solution for...

I agree with you. It's very tricky.

The only workable solution I can see is to make it less likely that
stalkers will want to target particular admins. One way to do that
would be to set up anonymous admin accounts that multiple admins could
use. So for example, if a difficult user needs to be blocked, any
admin could access the joint admin account to make the block. The user
would only see that User:Admin1 had blocked him. Only trusted people
would have access to which admin had made a block with User:Admin1 at
time T.

I know it would complicate things, and it might make admin abuse a
little more likely. And we'd still have the problem of potential
leaks, so it wouldn't be foolproof by any means.

Sarah


