Анонимное редактирование: Повышение конфиденциальности и уменьшение злоупотреблений

This page is a translated version of the page IP Editing: Privacy Enhancement and Abuse Mitigation and the translation is 44% complete.

Что такое маскировка IP-адресов и почему Фонд Викимедиа маскирует IP-адреса?

Маскировка IP скрывает IP-адреса незарегистрированных редакторов проектов Викимедиа, полностью или частично, от всех, кроме тех, кому нужен доступ для борьбы со спамом, вандализмом, преследованиями и дезинформацией.

В настоящее время любой желающий может редактировать вики-страницы Викимедиа без учетной записи Викимедиа или без авторизации. Программное обеспечение MediaWiki, на котором работают проекты Викимедиа, запишет и опубликует ваш IP-адрес в своем общедоступном журнале. Любой, кто ищет ваш IP-адрес, найдет его.

У проектов Викимедиа есть веская причина для хранения и публикации IP-адресов: они играют решающую роль в предотвращении вандализма и преследований на наших вики-сайтах.

Однако ваш IP-адрес может указать, откуда вы редактируете, и может быть использован для идентификации вас или вашего устройства. Это вызывает особую озабоченность, если вы редактируете с территории, где наши вики-сайты считаются спорными. Публикация вашего IP-адреса может позволить другим лицам найти вас.

В связи с изменениями в законах и стандартах конфиденциальности (например, в Общих правилах защиты данных и начавшемся глобальном обсуждении вопросов конфиденциальности) юридическая команда Фонда Викимедиа решила защитить конфиденциальность пользователей, скрыв IP-адреса из общего доступа. Тем не менее, мы продолжим предоставлять доступ тем участникам, которым необходимо видеть эти адреса для защиты вики-проектов.

Мы осознаём, что это изменение повлияет на текущие рабочие процессы по борьбе со злоупотреблениями. Мы стремимся разрабатывать инструменты или поддерживать доступ к инструментам, которые после маскировки IP-адресов по-прежнему могли бы выявлять и блокировать вандалов, марионеточные учётные записи, редакторов с конфликтом интересов и других злоумышленников.

Заявления юридического отдела Фонда Викимедиа

март 2023

Hello! Please review the new Access to temporary account IP addresses page for details about how users can gain access to IP addresses. The section on using IP addresses will be updated with details about how and where to access the IP addresses, as well as what is logged when IP addresses are accessed. Please also review a new related page with frequently asked questions. You will notice that both pages use the term "temporary user accounts," which comes from the MVP—more information about the MVP will be shared directly on this page soon. If you have questions or concerns, please reach out on the talk page.


April 2023: План по введению маскировки IP-адресов

As promised, here's an update about how IP Masking would work.

It will cover the changes for both unregistered and registered editors. We want to acknowledge at the outset that we still have lots of open questions and things we have not decided upon. This is our initial plan and does not cover everything we aim to do during this project. As we are proceeding we are discovering new pieces of previously unforeseen work.

Your feedback will help us understand what more we can do to make IP Masking easier on our communities.

This update is an FAQ format as that makes the upcoming changes clear and understandable.

Что меняет маскировка IP-адреса с точки зрения редактора, работающего без входа на сайт?

Currently, before a non-logged-in user completes an edit, they are informed that their edits will be attributed to their IP address.

In the future, before a non-logged-in user completes an edit, they will be informed that their edits will be attributed to a temporary account. Its name will be a number, incrementing for each new account. The account will be tied to a cookie that lives in the user's browser. As long as that cookie exists, the user will keep the same temporary account, and all their edits will be attributed to that account. The IP addresses of the user may change, but the temporary account will not change as long as the cookie exists. A temporary account generated on one wiki will also work on other wikis that the user may contribute to.


Как будут выглядеть временные имена пользователей?

Это пока не известно. Our initial mockups considered using an asterisk as a prefix followed by an auto-incrementing number. (Example: *12345.) You will find these mockups below.

But as some volunteers pointed out, the asterisk is not a good choice because of an outstanding MediaWiki bug.

We are discussing different prefix options and will be conducting user tests with these.

Our current top candidates (in no particular order) are:

  • Caret (^) – User:^12345
  • Hyphen (-) – User:-12345
  • Tilde (~) – User:~12345
  • Exclamation mark (!) – User:!12345
  • Question mark (?)[1]User:?12345
  • Year prefix – User:2023-12345

Do any of these strike you as a great or a terrible choice? Please add your comments either on the talk page or Phabricator.

  1. (While the question mark is a great sign for something unknown and is widely understood, there are details we're still figuring out. For example, it'll need to be encoded into the URL using %3F. This URL encoding shouldn't be a problem, but would be a hiccup for users who are used to typing in URLs by hand.)

Как долго сохраняются временные имена пользователей?

Some time after the first edit (tentatively one year) or as a result of clearing the user's cache, the cookie will automatically expire.

Existing edits will still be attributed to it, though.

After the old username expires, if the user edits again in the future, they will be granted a new temporary account.

What does IP Masking change from the perspective of a patroller?

Limited IP address exposure

The biggest change is that IP addresses will no longer be visible to the general public.

Anyone who does not have an account or does not meet the required thresholds for IP address access (see Legal's update) will not be able to see IP addresses. To mitigate the impact on patrolling, we will be releasing improvements to IP Info Feature.

This will include data from the Spur service.

Obtaining access to IP addresses

Together with the Foundation's Legal department, we have developed new guidelines.

These define who will be able to access IP addresses and how. Users who meet the requirements will be able to opt-in to reveal IP addresses through Special:Preferences. See how the reveal functionality will work in detail.

This access and reveal will be logged and will be available to a limited group of users (CheckUsers, stewards, Trust & Safety).

Better communication channels with temporary editors

Temporary accounts will be linked to a browser cookie.

As long as the cookie persists, the user's edits will be attributed to the same temporary account. Temporary account holders will also be able to receive talk page notifications just like registered users. We hope this will allow for better communication with temporary users. It may also resolve some long-standing issues raised by the communities (see T278838).


Documenting IP addresses for vandals

It will be possible to document IP addresses for bad actors publicly through long-term abuse pages, as currently.

However, care should be taken to not expose IP addresses for other temporary users. When discussing possible bad actors, tools like suppression should be used if the user is not found to be a vandal as suspected.

More details about this can be found in the guidelines.

Tools available for patrolling

Like IP editors, temporary users can be checked and patrolled through Special:Block, Special:Checkuser and Special:Investigate.

Additionally, IP Info Feature can be used to access information about the underlying IP address for the given revision.

We are developing guidelines for Cloud tools and bots to access IPs for patrolling.

We will have an update for this soon.


What happens to existing IP addresses on our sites?

Existing IP addresses that are already recorded on our wikis will remain untouched.

Edits that come in after IP Masking will be attributed to temporary usernames.

Since we will roll out IP Masking gradually, this will mean that this change will happen on different wikis at different times.

How will the IP address reveal functionality work?

Users who can access IP addresses will be able to expose IP addresses for temporary accounts.

Mockups for how this functionality would work:


What will happen to tools and bots that rely on IP addresses to function?

We are working to understand the impact to volunteer-maintained tools.

This is a task for our team as well as the Research and Engineering teams. Next, we will work with Legal to understand which tools may continue to access IP addresses and the guidelines for how they can operate.

We will provide an update on this page once we have a plan of action.

Rollout plans

We plan to test IP Masking slowly, to include ample time for communities' feedback and testing.

We want our rollouts not to hinder communities' processes. Our another priority is to avoid undesirable outcomes for the health of the communities. We have implemented metrics that we plan to watch as we roll out the changes.

We are looking for communities that would be candidates for testing launch (piloting) of IP Masking. We are considering criteria such as number of IP edits the communities receive, urgency of anti-vandalism work, size of the project, and potential for disruption. We will have another update on this page about our chosen candidates closer to the launch of IP Masking. If you'd like your community to test the launch of IP Masking, please make a decision as a community and let us know on the talk page.

Данные о португальской Википедии, отключившей анонимные правки с IP-адресов

Показатели португальской Википедии после введения ограничений

Обновлено 30 августа 2021 года
Здравствуйте. Это краткое обновление показателей португальской Википедии с тех пор, как они начали требовать регистрацию для редактирования. У нас есть подробный отчёт на странице отчёта о воздействии. Этот отчёт включает показатели, полученные с помощью данных, а также результаты опроса, который был проведен среди активных участников португальской Википедии.

В целом, отчёт представляет изменения в положительном свете. Мы не увидели никаких значительных сбоев в работе за тот период времени, в течение которого фиксировались эти показатели. В свете этого нам теперь предлагается провести эксперимент еще на двух проектах, чтобы посмотреть, будет ли наблюдаться подобное воздействие. Все проекты уникальны по-своему, и то, что верно для португальской Википедии, может не подойти для другого проекта. Мы хотим провести ограниченный по времени эксперимент на двух проектах, где для редактирования потребуется регистрация. По нашим оценкам, нам потребуется около 8 месяцев, чтобы собрать достаточно данных и увидеть значительные изменения. По истечении этого срока мы вернемся к отсутствию регистрации для редактирования, пока будем анализировать данные. После публикации данных сообщество сможет самостоятельно решить, хотят ли они и дальше запрещать анонимное редактирование в проекте.

Мы называем это Экспериментом требования входа на сайт (Login Required Experiment). На этой странице вы найдете более подробную информацию, а также график. Эту страницу и ее страницу обсуждения можно использовать для дальнейшего обсуждения этой темы.

Ограничение на редактирование IP-адресов в португальской Википедии

Португальская Википедия в прошлом году запретила незарегистрированным редакторам вносить правки в проект. В течение последних нескольких месяцев наша команда собирала данные о последствиях этого шага для общего состояния проекта. Мы также поговорили с несколькими участниками сообщества об их опыте. Мы работаем над заключительными этапами, чтобы собрать все данные, которые дают точную картину состояния проекта. Мы надеемся вскоре получить обновлённую информацию по этому вопросу.


Разработка инструмента

Обновление 02

As you might already know, we are working on building some new tools, partly to soften the impact of IP Masking, but also just to build better anti-vandalism tools for everyone. It is not a secret that the state of moderation tools on our projects doesn’t give the communities the tools they deserve. There is a lot of scope for improvement. We want to build tools that make it easier for anti-vandalism fighters to work effectively. We also want to reduce the barrier to entry into these roles for non-technical contributors.

We have talked about ideas for these tools before and I will provide a brief update on these below. Note that progress on these tools has been slow in the last few months as our team is working on overhauling SecurePoll to meet the needs of the upcoming WMF Board elections.

Функция получения информации об IP-адресе

Макет для получения информации об IP-адресе

We are building a tool that will display important information about an IP address which is commonly sought in investigations. Typically patrollers, admins and checkusers rely on external websites to provide this information. We hope to make this process easier for them by integrating information from reliable IP-vendors within our websites. We recently built a prototype and conducted a round of user testing to validate our approach. We found that a majority of the editors in the interview set found the tool helpful and indicated they would like to use it in the future. There is an update on the project page that I would like to draw your attention to.

Key questions that we would like to have your feedback on the project talk page:

  • When investigating an IP what kinds of information do you look for? Which page are you likely on when looking for this information?
  • What kinds of IP information do you find most useful?
  • What kinds of IP information, when shared, do you think could put our anonymous editors at risk?

Функция сопоставления редакторов

This project has also been referred to as "Nearby editors" and "Sockpuppet detection" in earlier conversations. We are trying to find a suitable name for it that is understandable even to people who don't understand the word sockpuppetry.

We are in the early stages of this project. Wikimedia Foundation Research has a project that could assist in detecting when two editors exhibit similar editing behaviors. This will help connect different unregistered editors when they edit under different auto-generated account usernames. We heard a lot of support for this project when we started talking about it a year ago. We also heard about the risks of developing such a feature. We are planning to build a prototype in the near term and share it with the community. There is a malnourished project page for this project. We hope to have an update for it soon. Your thoughts on this project are very welcome on the project talk page.

Обновление 01

Like mentioned previously, our foremost goal is to provide better anti-vandalism tools for our communities which will provide a better moderation experience for our vandal fighters while also working towards making the IP address string less valuable for them. Another important reason to do this is that IP addresses are hard to understand and are really very useful only to tech-savvy users. This creates a barrier for new users without any technical background to enter into functionary roles as there is a higher learning curve for them to work with IP addresses. We hope to get to a place where we can have moderation tools that anyone can use without much prior knowledge.

The first thing we decided to focus on was to make the CheckUser tool more flexible, powerful and easy to use. It is an important tool that services the need to detect and block bad actors (especially long-term abusers) on a lot of our projects. The CheckUser tool was not very well maintained for many years and as a result it appeared quite dated and lacked necessary features.

We also anticipated an uptick in the number of users who opt-in to the role of becoming a CheckUser on our projects once IP Masking goes into effect. This reinforced the need for a better, easier CheckUser experience for our users. With that in mind, the Anti-Harassment Tools team spent the past year working on improving the CheckUser tool – making it much more efficient and user-friendly. This work has also taken into account a lot of outstanding feature requests by the community. We have continually consulted with CheckUsers and stewards over the course of this project and have tried our best to deliver on their expectations. The new feature is set to go live on all projects in October 2020.

The next feature that we are working on is IP info. We decided on this project after a round of consultation on six wikis which helped us narrow down the use cases for IP addresses on our projects. It became apparent early on that there are some critical pieces of information that IP addresses provide which need to be made available for patrollers to be able to do their roles effectively. The goal for IP Info, thus, is to quickly and easily surface significant information about an IP address. IP addresses provide important information such as location, organization, possibility of being a Tor/VPN node, rDNS, listed range, to mention a few examples. By being able to show this, quickly and easily without the need for external tools everyone can’t use, we hope to be able to make it easier for patrollers to do their job. The information provided is high-level enough that we can show it without endangering the anonymous user. At the same time, it is enough information for patrollers to be able to make quality judgements about an IP address.

After IP Info we will be focusing on a finding similar editors feature. We’ll be using a machine learning model, built in collaboration with CheckUsers and trained on historical CheckUser data to compare user behavior and flag when two or more users appear to be behaving very similarly. The model will take into account which pages users are active on, their writing styles, editing times etc. to make predictions about how similar two users are. We are doing our due diligence in making sure the model is as accurate as possible.

Once it’s ready, there is a lot of scope for what such a model can do. As a first step we will be launching it to help CheckUsers detect socks easily without having to perform a lot of manual labor. In the future, we can think about how we can expose this tool to more people and apply it to detect malicious sockpuppeting rings and disinformation campaigns.

You can read more and leave comments on our project page for tools.


Отчёт о воздействии IP-маскировки

IP addresses are valuable as a semi-reliable partial identifier, which is not easily manipulated by their associated user. Depending on provider and device configuration, IP address information is not always accurate or precise, and deep technical knowledge and fluency is needed to make best use of IP address information, though administrators are not currently required to demonstrate such fluency to have access. This technical information is used to support additional information (referred to as “behavioural knowledge”) where possible, and the information taken from IP addresses significantly impact the course of administrative action taken.

A Wikimedia Foundation-supported report on the impact that IP masking will have on our community.

On the social side, the issue of whether to allow unregistered users to edit has been a subject of extensive debate. So far, it has erred on the side of allowing unregistered users to edit. The debate is generally framed around a desire to halt vandalism, versus preserving the ability for pseudo-anonymous editing and lowering the barrier to edit. There is a perception of bias against unregistered users because of their association with vandalism, which also appears as algorithmic bias in tools such as ORES. Additionally, there are major communications issues when trying to talk to unregistered users, largely due to lack of notifications, and because there is no guarantee that the same person will be reading the messages sent to that IP talk page.

In terms of the potential impact of IP masking, it will significantly impact administrator workflows and may increase the burden on CheckUsers in the short term. If or when IP addresses are masked, we should expect our administrators' ability to manage vandalism to be greatly hindered. This can be mitigated by providing tools with equivalent or greater functionality, but we should expect a transitional period marked by reduced administrator efficacy. In order to provide proper tool support for our administrators’ work, we must be careful to preserve or provide alternatives to the following functions currently fulfilled by IP information:

  • Эффективность блокировок и оценка сопутствующих эффектов
  • Some way of surfacing similarities or patterns among unregistered users, such as geographic similarity, certain institutions (e.g. if edits are coming from a high school or university)
  • The ability to target specific groups of unregistered users, such as vandals jumping IPs within a specific range
  • Location or institution-specific actions (not necessarily blocks); for example, the ability to determine if edits are made from an open proxy, or public location like a school or public library.

Depending on how we handle temporary accounts or identifiers for unregistered users, we may be able to improve communication to unregistered users. Underlying discussions and concerns around unregistered editing, anonymous vandalism, and bias against unregistered users are unlikely to significantly change if we mask IPs, provided we maintain the ability to edit projects while logged out.

Рабочий процесс Проверяющих (CheckUser)

We interviewed CheckUsers on multiple projects throughout our process for designing the new Special:Investigate tool. Based on interviews and walkthroughs of real-life cases, we broke down the general CheckUser workflow into five sections:

  • Triaging: assessing cases for feasibility and complexity.
  • Profiling: creating a pattern of behaviour which will identify the user behind multiple accounts.
  • Checking: examining IPs and useragents using the CheckUser tool.
  • Judgement: matching this technical information against the behavioural information established in the Profiling step, in order to make a final decision about what kind of administrative action to take.
  • Closing: reporting the outcome of the investigation on public and private platforms where necessary, and appropriately archiving information for future use.

We also worked with staff from Trust and Safety to get a sense for how the CheckUser tool factors into Wikimedia Foundation investigations and cases that are escalated to T&S.

The most common and obvious pain points all revolved around the CheckUser tool's unintuitive information presentation, and the need to open up every single link in a new tab. This caused massive confusion as tab proliferation quickly got out of hand. To make matters worse, the information that CheckUser surfaces is highly technical and not easy to understand at first glance, making the tabs difficult to track. All of our interviewees said that they resorted to separate software or physical pen and paper in order to keep track of information.

We also ran some basic analyses of English Wikipedia's Sockpuppet Investigations page to get some baseline metrics on how many cases they process, how many are rejected, and how many sockpuppets a given report contains.

Использование IP-адресов патрулирующим

Previous research on patrolling on our projects has generally focused on the workload or workflow of patrollers. Most recently, the Patrolling on Wikipedia study focuses on the workflows of patrollers and identifying potential threats to current anti-vandal practices. Older studies, such as the New Page Patrol survey and the Patroller work load study, focused on English Wikipedia. They also look solely at the workload of patrollers, and more specifically on how bot patrolling tools have affected patroller workloads.

Our study tried to recruit from five target wikis, which were

  • Japanese Wikipedia
  • Dutch Wikipedia
  • German Wikipedia
  • Chinese Wikipedia
  • English Wikiquote

They were selected for known attitudes towards IP edits, percentage of monthly edits made by IPs, and any other unique or unusual circumstances faced by IP editors (namely, use of the Pending Changes feature and widespread use of proxies). Participants were recruited via open calls on Village Pumps or the local equivalent. Where possible, we also posted on Wiki Embassy pages. Unfortunately, while we had interpretation support for the interviews themselves, we did not extend translation support to the messages, which may have accounted for low response rates. All interviews were conducted via Zoom, with a note-taker in attendance.

Supporting the findings from previous studies, we did not find a systematic or unified use of IP information. Additionally, this information was only sought out after a certain threshold of suspicion. Most further investigation of suspicious user activity begins with publicly available on-wiki information, such as checking previous local edits, Global Contributions, or looking for previous bans.

Precision and accuracy were less important qualities for IP information: upon seeing that one chosen IP information site returned three different results for the geographical location of the same IP address, one of our interviewees mentioned that precision in location was not as important as consistency. That is to say, so long as an IP address was consistently exposed as being from one country, it mattered less if it was correct or precise. This fits with our understanding of how IP address information is used: as a semi-unique piece of information associated with a single device or person, that is relatively hard to spoof for the average person. The accuracy or precision of the information attached to the user is less important than the fact that it is attached and difficult to change.

Our findings highlight a few key design aspects for the IP info tool:

  • Provide at-a-glance conclusions over raw data
  • Cover key aspects of IP information:
    • Geolocation (to a city or district level where possible)
    • Registered organization
    • Connection type (high-traffic, such as data center or mobile network versus low-traffic, such as residential broadband)
    • Proxy status as binary yes or no

As an ethical point, it will be important to be able to explain how any conclusions are reached, and the inaccuracy or imprecisions inherent in pulling IP information. While this was not a major concern for the patrollers we talked to, if we are to create a tool that will be used to provide justifications for administrative action, we should be careful to make it clear what the limitations of our tools are.

С наилучшими пожеланиями,
Команда разработки инструментов по борьбе с домогательствами (Anti-Harassment Tools Team)

Для обсуждения этого вопроса предлагаем использовать страницу обсуждения. С любыми вопросами, касающимися этого релиза, можно смело обращаться к Niharika Kohli, менеджеру по продуктам – niharika wikimedia.org, с копией Whatamidoing, специалисту по связям с сообществом – $mail2; или можете просто оставить сообщение на странице обсуждения.

Дополнительные сведения или документацию по редактированию IP, маскированию и обзору того, что было сделано до сих пор, включая обсуждения в сообществе, можно найти по приведённым ниже ссылкам.