[Mediawiki-l] Email approval before login

Rowan Collins rowan.collins at gmail.com
Mon Dec 5 18:19:32 UTC 2005 

On 05/12/05, Mischa Peters <mischa2023 at gmail.com> wrote:
> I am a little surprised that this is not default functionality. :)

First of all, can I point all those reading this thread to the
discussion of "bug 2065"
[http://bugzilla.wikimedia.org/show_bug.cgi?id=2065] about making
exactly this option available "not for Wikipedia use, but a
configurable option". It includes links to some of the discussions of
why this proposal has been shot down in the past with reference to
Wikipedia itself.



On 05/12/05, Kent S. Larsen II <kent at lusobraz.com> wrote:
> Rob, I don't think that restricting editing is the reason why so many users
> are looking for email verification. Its more to reduce fraud and slander
> and increase the ability to trace who is saying what.

The problem with this argument is that e-mail addresses are in general
no more traceable than the IP addresses that any website can already
log at will. Consider the ease with which someone can create a
hotmail, yahoo! mail, or similar account, not to mention the existence
of sites like mailinator.com, spambob.com, and the like, which offer
completely open and anonymous addresses.

Some previous proposals have been driven to suggest complex
blacklist/whitelist systems to rule out registering with such
"disposable" e-mail addresses, but I'm not convinced that this is even
technically feasible, and it would certainly result in far more people
being discouraged from editting, due to the hoops they'd have to jump
through to do so.

> You may have seen the following horror story:
 http://www.usatoday.com/news/opinion/editorials/2005-11-29-wikipedia-edit_x.htm

For those who haven't yet come upon it, a journalist discovered that
the entry about him on Wikipedia was inaccurate to the point of
libellous; he then decried the fact that he didn't know who to sue,
and blamed Wikipedia for not telling him (and the government for not
letting him sue Wikimedia as a publisher). Firstly, as someone on
Wikipedia-l pointed out, this is no different from just about the
whole of the Internet - a libellous comment on Geocities would be
equally untraceable, with the only difference being that Wikipedia is
more prominent and therefore potentially more damaging.

Now, imagine for a moment that instead of either an IP or a
meaningless screen-name, he was able to extract an e-mail address
attached to that edit (presumably after going through some due process
with the site's admins); would he have been better off? The e-mail
address might be foobar at yahoo.com, or bob at hotmail.com, or
yousuck at mailinator.com, or perhaps an ISP-based address that was no
longer valid. In the first 2 cases, he would have the option of
demanding information from Yahoo! or MSN - this would probably consist
of another IP address, plus some fake name and address details. In the
last case, he would need to find out at what date the account was
registered (meaning Wikipedia would need to have stored this
information), and demand that the ISP tell him who held the named
account at that time - which really amounts to little more than
demanding to know who was assigned a particular IP address at a
particular time.

Re-reading the article, it seems he even *had* the IP address
(presumably the user was not logged in, leaving this plain to see) and
therefore knows the ISP of the user. Since this is, realistically, the
most he'd get out of an e-mail address *anyway*, I don't see that
automated approval would leave anyone better off in such cases.

> Since it is already possible to restrict editing mediawiki to regisistered
> users, seems like a simple, useful thing to add authentication of the email
> address.

Restricting to registered users is itself, in some quarters,
controversial, but in as much as it has any benefit it is in acting as
a "speed bump" or "prickly hedge" - people have to be pretty
determined in order to go through the process of registering just to
vandalise a page. Of course, it also puts off people wanting to make
passing corrections or improvements to the page - I know I've clicked
"edit" on a number of wikis only to abandon when told I need to
register - but this is a trade-off that site administrators have to
consider.

If there is any value in having e-mail approval as part of the
registration process, it is that it raises the entry barrier still
higher - making the hedge even pricklier, in a sense - so that only
really dedicated would-be-users (both good and bad intentioned) will
get through. Maybe allowing site admins to play with this
configuration would be worthwhile, but I remain unconvinced that
actually flicking that switch would have a positive effect.

> I apologize if this is really off topic for this list -- but you kind of
> brought up the subject by assuming that Mischa was against 'open' editing.
> I don't know what his wiki is about or what his policies are, but I don't
> think enforcing a valid email address conflicts with 'open editing.'

Well, whatever the intentions behind it, such enforcement would
actively discourage users from editting pages, by making it harder for
them to do so. In as much as 'open editting' means encouraging as many
users as possible to edit, it is thus at the very least "a step away
from" that principle - for better or worse.

--
Rowan Collins BSc
[IMSoP]

More information about the MediaWiki-l mailing list