The biggest privacy problem in Wikipedia has always been the permanent
public exposure of casual editors' IP addresses.
Secondarily, we store logged-in editors' IP addresses for a limited time,
exposing all editors' IP addresses to access by staff and volunteer
accounts which could be stolen or misused as well as to any potential
attacker who gains sufficient access to the database systems.
I would like to suggest that the Wikimedia editor community, along with the
Wikimedia Foundation as steward of the software and servers, have a serious
consultation about committing to fix this:
1) Eliminate IP address exposure for non-logged-in editors. Those editors
should be either given a random, truly anonymous identifier, or required to
create a pseudonym as a login.
2) Seriously think about how this will affect workflows tracking and
fighting vandalism, and provide tools that do not depend on public exposure
of network addresses.
3) Avoid public exposure or long-term logging of any other
location-specific or network-specific information about anonymous users.
4) Consider stronger controls on storage of IP addresses in the databases
and how they are secured, in the face of possible attacks through social
engineering, security vulnerabilities, or state action. Think about what
really needs to be stored and what types of data recovery are possible when
storing truly personal-private data in shared databases.
-- brion vibber (brion @
pobox.com / brion @
wikimedia.org)
Lead Software Architect, Wikimedia Foundation