Please add below any points left aside when the policy went live.

The policy went live despite the problem pointed out in "The Log" section of the discussion. The removal (archival) of the discussion suggests there are no unresolved questions, all is settled and everybody's happy. It's not a good policy to wipe out valid concerns on the basis that "no one is motivated to fix the problem" - if the tool is not working right, don't pretend it is. There are more and more people complaining that things happen / are decided behind the community's back - this just adds to it. 130.225.58.4 09:47, 8 November 2005 (UTC)
Yup; BUT; the change of log requires developer input. And it seems no developer wants to take care of it. On the other hand, we have people screaming to have the status going live. So, either we delay until we have found funds and a developer to pay to do the changes to the log, or we let the policy go live for now, with the thought in mind that we need the log (I agree we do need this log). Do you have a source of funding ? Do you have a developper available ? Anthere 11:36, 8 November 2005 (UTC)
Let me say that it is not a theoretical problem. Right now in the Polish Wikipedia there's an outrage at what the community considers an abuse of bureaucrat powers. The action that caused the doubts of the community was discovered only thanks to the publicly available log. If the log hadn't been there to be viewed, the community would've been deprived of the right to be informed and react (I am not taking sides in this conflct here, I just defend the ordinary Wikipedians' right to know). Telling people to "shut up and trust me" is arrogant and, as the situation in PL shows, doesn't work well. Then, there is more to it. If the community repeatedly and explicity expresses their mistrust to user A and user B, giving A&B even more rights to exercise behind the back of the community is plainly wrong (again, it is not theoretical).
Now, on the technical question. If someone runs a bot adding interwiki, but as a side effect stripping accents off letters, would you be satisfied by the answer "I won't fix the bot, because there's no motivation and funding to do so, but I will continue to run it, because interwiki are important"? You wouldn't. How is this situation different? If the tool is not functional, but no one want to fix it, drop the tool.
tsca 12:22, 8 November 2005 (UTC)
We should not always rely on technical stuff to succeed to go through things.... A first solution here is not to limit yourself to one checkuser (currently, on pl.wiki, Taw), but to have at least 2 checkusers who can check each other. The second point is it seems to me that if there was a suspicion of problem, we might imagine that a group of editors is allowed to see the checkuser log (by receiving it by email ?) after individual agreement not to display data. An important point is that it should be possible to remove these powers in case of an abuse (which is in comparison so difficult to do for a sysop in most communities).
For the technical consideration.... I understand your view point. But then, do you suggest that the tool use is totally restricted again to developers only (done in the database, so with no log....), or ? What do you suggest doing while there is no log, if we decide that no log means no tool use. What to replace ? Anthere 14:05, 8 November 2005 (UTC)
1. The discussion is about the privacy policy of the Foundation; it's not about the Polish wiki which was merely used to illustrate the point that logs are important (and there are 2 ppl with checkuser permissions in PL anyway)
2. if there was a suspicion of problem - there's never going to be any suspicion, if there's no log. No abuse is ever going to be discovered if there is no log.
3. As for the technicalities: sorry to put it this way, but it's up to the people who push for this imperfect tool to find a solution and motivate developers. I understand your uncomfortable position: one side says "we want our toy NOW", the other one says "I can't be bothered to improve it". But this problem is not solved by making the policy official - this move only legitimises the current malpractice and sweeps the concerns out of sight. tsca 14:58, 8 November 2005 (UTC)
Full ack and thanks tsca, to rub it in, well written. I've got nothing to add. --:Bdk: 15:11, 8 November 2005 (UTC)
The user who pushed for that tool is as far as I know David Gerard. And possibly indirectly Taw ? Note that these are the two non stewards with access with the tool right now... They did not ask for a public log. Most of the current checks are done by David and the activity is not checked by anyone. Anthere 17:15, 8 November 2005 (UTC)
Incidently, I did not know pl had two check users .... Anthere
Because there aren't, unless you count people with all-wiki checkuser access. Taw 17:50, 8 November 2005 (UTC)
There are: you and Datrio, who granted himself CheckUser rights @ PL.wiki (see Bureaucrat log) (to be clear, I don't oppose any of you having the rights). It's beside the point here anyway. tsca 18:05, 8 November 2005 (UTC)
I removed my CheckUser permission a few days ago. I didn't use it at all, anyway. My main purpose was to check the logs, but it turned out I can do it just as good from Meta. And I still have them on Meta, mainly for checking the logs ;) Datrio 18:12, 8 November 2005 (UTC)
It's immaterial whether you have the rights this very moment as long as you can re-acquire them any time you wish. The fact is that PL.wiki has 2 CheckUser users. As to whether you used the rights or not - well, there's no log ;-P tsca 18:24, 8 November 2005 (UTC)

There is a log...

I made a quick check. The log starts end of june by a test by Taw. Till now, the following editors have been doing checks

  • Tim Starling : 1 (on himself)
  • Shizao : 2
  • Grin : 11
  • Anthere : 15
  • Waerth : 17
  • André : 18
  • Datrio : 34 (not all on pl....)
  • Oscar : 49
  • Taw : well over a hundred probably
  • David : well well over a thousand I'd say (just on the 8th of november, he did over a hundred checks)

A rather serious point I raised is that the log is currently logging ALL checks by all checkusers, all projects together. While this is good to monitor other editors activity, it seems quite obvious to me the log will very soon become absolutely impossible to use....due to the number of request. The biggest point to follow is check of a certain person activity. So, one change I would like to see in the current log (as well as in the public log) is the possibility to follow the activity of a unique checkuser (just as we can do so for any other type of activity).

I am not sure it is clear for everyone, so I add a precision. The log list ALL requests done. The checkuser status is given per project, but even if I am only checkuser on frwiki right now, I can see the activity of Taw on plwiki for example.

Anthere 09:37, 9 November 2005 (UTC)


How is such a "public" log going to look like ?

The log looks like that (with new data, just the format was preserved):

11:55, 6 November 2005 David Gerard got IPs for Januar
11:56, 6 November 2005 David Gerard got IPs for Februar
11:57, 6 November 2005 David Gerard got edits for 1.2.3.4
11:58, 6 November 2005 David Gerard got edits for 1.2.3.5
11:59, 6 November 2005 David Gerard got edits for 1.2.3.6

Looking at such a log, everyone can find out that the checkuserer suspected Januar and Februar of being the same person, and that that person's ips are 1.2.3.4, 1.2.3.5, 1.2.3.6. That reveales to the public almost everything that can be revealed.

Do you want to left it as:

11:55, 6 November 2005 David Gerard got IPs for some user
11:56, 6 November 2005 David Gerard got IPs for some user
11:57, 6 November 2005 David Gerard got edits for some ip
11:58, 6 November 2005 David Gerard got edits for some ip
11:59, 6 November 2005 David Gerard got edits for some ip

Or do you want some more data ? It's not just an implementation problem. If there was a log format, in which we could agree to publish, it would be possible to code it in one evening. But I don't see anything close to such an agreement. Taw 17:50, 8 November 2005 (UTC)

Looking at such a log, everyone can find out that the checkuserer suspected Januar and Februar of being the same person
Right, that should be made public.
and that that person's ips are 1.2.3.4, 1.2.3.5, 1.2.3.6.
That mustn't be made public, and should be logged literally as "an IP". tsca 18:05, 8 November 2005 (UTC)
Right, it sounds like a good solution. I totally agree, that having such a log, would be a real advance in respect of transparency and fairness. Taw, could you code this please? .. I'm just an observing IP ;) - 80.145.248.159 18:27, 8 November 2005 (UTC)

Is there a consensus that such a log, with only ips replaced by "some ip" (and as tsca proposes, with usernames left), should be published ? I'm not sure if it's such a great idea. Taw 21:01, 9 November 2005 (UTC)

Wouldn't it be possible to apply an algorithm to the IPs which transforms them into a unique ID, in a way that does not allow for easy reconversion from ID to IP? - This would 1) allow to see whether different user checks by different persons or at different points of time concern the same IP and 2) give the users the possibility to know whether their IP has been the object of checks. /krolik


And if we do publish that, there are certainly going to be users complaining about being checked. I think every user should be checked if the checkuserer has a reasonable suspicions, and the checkuserer shouldn't have to be kept back by being afraid of starting a flamewar. Taw 21:12, 9 November 2005 (UTC)

Checkuser certainly should be kept back by the prospect of possible reactions of the community and be prepared to justify his/her action - that's the point of the whole thing; and it's not enough to "have suspicions" - what you need is a valid reason to prove or disprove them. tsca 21:55, 9 November 2005 (UTC)

If we start giving away the checkuser access, there will be enough people with log access to find any possible abuses.

It would be much better if it was possible to add a short note with every check, like in the other logs, to ease the abuse checking (not that I'm expecting any). But such a log with notes should definitely not be made public, because they're certain to reveal some private information. Taw 21:12, 9 November 2005 (UTC)

grin's comments

Well, I see there is another policy again. :) Oh well, then some inputs for you. The policy basically okay. I only found one 'unacceptable sentence:

  • "The editor must be aware of the privacy policy. After gaining consensus (70%-80%) in his local community, with at least 25-30 editors approval, ..."

Now this is not right. There are wikis with much less total active editors, not to mention those who in any given time are interested in politics (eg. voting). Consensus is fine, and the vote should be well announced but apart from that I would not say any relevant minimal value (we use 10 for minimum in consensus votes which is approximately 10% of the active editors). This should be fixed.

it is precisely because some wikis are quite small that this limit has been set. CheckUser is an important stuff, it is important that the tool is not given by anyone asking for it and supported by his 3 buddies. Anthere 09:41, 9 November 2005 (UTC)
I strongly disagree with that phrasing. "Quite small" in this case means a wiki in the 10000+ artices group; in your phrasing all wikis are "small" which isn't en, de, fr and other 100000+ ones. Even 1000+ wikis can have sockpuppet and wandal problems, and it is not right to think that "I contribute in a large wiki, so 'small ones' aren't that important". I do know - from experience! - how hard it is to check someone through stewards, and while it is okay for a community of 10 to ask the stewards there are communities of 30-50 active and 50-100 semi-active editors where it is a real problem. You may or may not have checked what percentage of the people on enwiki (for example) votes. Do look. I would guess well below 10%, so requesting 40 votes suggests at least 400 active editors, which is appx. 5000 registered editors and 50000+ articles. I disagree in putting the limit this high. I understand your opinion (I hope you do understand mine), so let us hear other people as well. My suggestion is minimum 10 editors and 2/3 of the votes (>66%), it is well above the "3 buddies" you mentioned. --grin 10:06, 9 November 2005 (UTC)
Just to make it clear, I absolutely do not mean small projects aren't important Grin :-) I have contributed on simple at a time where there was only one edit per month; On a frwiki where sometimes there were no edits per day, and from time to time to a frwikinews (often anonymously :-)), which I believe is still in the small projects size. Now, let me see... the problem you are reflecting is the comparison between the number of articles and the number of active editors. Okay, we can discuss this. Can you pick a collection of wikis of various size and indicate for each, the number of active editors ? We can narrow the margin this way.
You just ask me the impossible. There is no stats anymore, and I am not active on smaller languages. Doing a wide query (for me) would require outrageous amount of time. I can only tell you about huwp since that's where I am active, and the numbers I have quoted are the real numbers: we have 18000+ articles, around 100 active editors and usually 10-20 votes in crucial votings like policies. Maybe people can quote relevant examples of their home wikis. I suggest minimum 10 based on the assumption that this limit is valid for 10.000+ article wikis and very active 1000+ ones. --grin 21:54, 10 November 2005 (UTC)
As for the 66%, no, sorry, I strongly disagree. On many projects, a % of 75% is required for sysop. Here, for steward, I remember the % is 80%. I believe the checkuser status is a "sensitive" issue enough so that it should not be granted with a lesser % than sysops... and probably should require a % similar to stewards. Otherwise, there is something pretty weird and not very consistant. So, I stick to my 75-80%. What do you think ? Anthere 13:52, 9 November 2005 (UTC)
This is not really a good question, since it has been already written: w:Wikipedia:Consensus. If it is usually accepted as 75-80% then I won't question that. Let it be. ;-) --grin 21:54, 10 November 2005 (UTC)

The "min. 2 checkusers" wasn't mentioned last time, but it's a good idea. When I created our policy I prevented this problem by creating a public log. I see that you're debating about just that. :) Our log looks like that, and have a variable data content: for successful checks the result is most often logged (no IP ever logged but matching accounts or successful checks), and for unsuccessful checks usually only the timestamp and the reason for the check is logged (but the reason may be missing if it was not public; it still has to be along with the below mentioned policy).

We have our request policy which is a bit more strict than this proposal; I already referenced it, so if people chose it to be ignored and not commented upon, then be it. Still feel free to read and comment it.

Btw I hereby allow anyone to check my checkuser logs and compare it to the public log. :-) One entry per logical search, not every checkuser request though. --grin 20:08, 8 November 2005 (UTC)

Question on removal of access

In "CheckUser Policy"

Any user account with checkuser status that is inactive for more than a year will see his checkuser access be removed.
In case of abusive use of the tool, the steward or the editor with CheckUser privilege will be immediately removed the access. This will in particular happen if checks are done routinely on editors without a serious motive to do so (links and proofs of bad behavior should be provided).
Who's watching them? Is someone going to routinely inspect the logs? Otherwise, how are we supposed to develop suspicion? I appreciate this is not the place to put this, officially, but it's a question no-one is yet willing to answer, so I'm putting it here. Rob Church Talk 01:43, 9 November 2005 (UTC)
It's a good question. Maybe they could have a "checkuser log" available to all admins that just shows the username/ip of the person they checked without the result so that uninvolved people can point out conflicts. WhiteNight T | @ | C 02:26, 9 November 2005 (UTC)

Not that easy as it sounds since mostly all checks are done like:

  • check userA
  • check userB
  • check IP / some IPs / all IPs of userA (depending on the result and the problem with the user)
  • check IP / some IPs / all IPs of userB (depending on the result and the problem with the user)

So you see, usually the log already "contains" the result. Maybe if the IPs would be blanked it could be used, but then again it may be way too broad to provide all admins with that information, since [basically] anybody can be an admin, and I was told many times that "the more the better". Some (hopefully rare) checks are not really useful to be broadcasted (like checking a sockpuppet and getting negative result; the check itself may offend the person which is often unnecessary and would be bad). But that is only an opinion. --grin 10:19, 9 November 2005 (UTC)

It's a great opinion though. What I would say is just in the case of the ips just say "checking against IPs" and don't actually show the ips. It could be broad to provide all admins with all admins with the info, but only a few admins are going to have the time to be actively checking the thing, plus - only the ones who the person with checkuser access are going to be to able to actually draw a conclusion that there is a conflict. The thing about offending people is a concern, however the whole point of the checkuser thing is to somewhat finagle around privacy in general anyway - so if anything if a certain person gets offended a lot then maybe there is a better solution then checkuser to the situation? (not taking into account run-of-the-mill vandals - which are just that, vandals - the whole point is that it should be used mostly for that and if a checkuser person is checking someone against vandals a lot then there is probably a bigger conflict problem there). WhiteNight T | @ | C 20:39, 9 November 2005 (UTC)

Well I speak from experience: there are people who like to get offended, and not unlikely get the suspiction to be a puppeteer. Most often the check is positive and they get the well deserved kick in the backside, but sometimes the check is negative and it is much better to prevent another wave of "this administrator is a fascist, let's vote again to kick him from wikipedia" kind of problems. I do not see this as something I cannot live with (we always get the flames anyway), but my logging intentionally does not contain neither usernames nor IPs when the check was not requested publicly and the result was negative to prevent checked troublemakers to scream even more loud. [So far we have pretty low false negative rate, though.] --grin 22:03, 10 November 2005 (UTC)

What is an arbitration committee?

On a wiki with an arbitration committee only editors approved by arbitrators may have CheckUser status.

Following recent events on the English Wikinews, this policy needs to address what an arbitration committee is. See [1] and [2]. Who decides who an arbitrator is? On the English Wikipedia, this is clearly Jimbo's decision, but the status is much less clear elsewhere, and it's dangerous for this policy to assume that all "arbitrators" are trusted people. Sorry for bringing this up only after the policy went live, but this issue on Wikinews only arose today. Angela 02:46, 9 November 2005 (UTC)

Maybe just make it (the definition of an arbitrator) limited to people sanctioned by Jimbo (speaking of which I don't know if you can say that they are "trusted by the community" if they are directly appointed by THE MAN. Not trying to "stick it to THE MAN" though :)). WhiteNight T | @ | C 20:10, 9 November 2005 (UTC)

Consequenses for abuse?

What are the consequences for abuse of the CheckUser tool? Indefinite ban? - Kookykman|(t)(c)

What kind of abuse? It may vary from warning to ban, probably averaging on revoking special rights. --grin 11:11, 11 November 2005 (UTC)

Clarification on Abuse

The policy states, "This will in particular happen if checks are done routinely on editors without a serious motive to do so (links and proofs of bad behavior should be provided)."

Does this 'links and proofs' requirement apply to each user id to be subjected to checkuser or may any number of users be checked based on any suspicion that they might be sockpuppets of a single person with provably bad behaviour? I have seen the latter done several times already. For example, if a vote is being taken and a few long-standing editors with no history of trouble are siding with one who has previously made trouble is it appropriate to check all of these editors to determine whether they are sock-puppets of the person they are agreeing with? --12.42.50.51 15:40, 2 December 2005 (UTC)

Just as a sidenote - and risking not really answering your question: what possible harm would it cause these users to be checked? I can only see two outcome: either they are sockpuppets of the given troublemaker (and in this case the check seems to be justified) or they are (most probably) not, in this case nothing really happened, the admin mentally registers that they are not puppets, and life goes on. If there is a consensus (I've learned this nice english phrase for significant majority :)) that the checkuser admin does not enjoy the trust of the community anymore and it is backed with some evidence, then it can be acted upon.
In my opinion "abuse" would be something when someone starts looking up others without an (at least) plausible reason. Ot not even that; as real abuse is to reveal (or to use unrelated to wikipedia abuse resolution) this knowledge. As I mentioned: we may call "abuse" different things; I would warn (nicely) people when they clearly look up more than required, and I would kick in the balls [kick, ban, bury] if they violate privacy guidelines (which does not equal to revealing something, which may or may not violate the guidelines). --grin 09:37, 13 December 2005 (UTC)

Worst-case of Abuse

I'm trying to see what the consequences of serious abuse of a tool like this would be? Assuming the absolute worst-case situation, where there is a personal beef between somebody with CheckUser privileges and another registered user (no particular special status for that user), what really is going to be revealed? The IP address that the user had to access a Wikimedia server? Yes, I know that could in turn with a very tech-savvy and net-savvy individual be used for other abuses like stalking and directed IP attacks by virus writers. That should land an abuser in prison... not just being deadmined or have this status removed.

I guess the absolute worst-case would be somebody with CheckUser privileges going down in flames and posting on an external website (harder to delete or revert) all of the IP addresses of every user on the project from their last access. Even so, IP addresses are not personally identifying pieces of information like a national identity number (Social Security numbers anybody?). Far more damaging information can be gleaned from User pages directly and through discussions without even having this sort of tool. I don't think this option should be available to every registered editor/user, but I fail to see why this needs a substantial higher standard than becomming an admin or bureaucrat, or why bureaucrats on smaller projects can't be trusted to intelligently grant this privilege. --Roberth 13:49, 16 December 2005 (UTC)

Translation of the policy

Since not everyone is so good at English, I would like to be able to show my local community at svwiki a translation of this policy. Where should I place such a translation - at svwiki or here at meta? If this is the wrong place for this question, a pointer to the right one will be recieved with gratitude. / Habj 08:02, 30 December 2005 (UTC)

I think having a local translation is perfectly okay :-) Anthere 09:04, 30 December 2005 (UTC)
Done sv:Wikipedia:Checkuser policy. / --Habj 10:07, 2 January 2006 (UTC)

Possible to have CheckUser NOT display IP addresses directly?

copied from Talk:CheckUser by Theo F 08:18, 4 March 2006 (UTC) Seems to me that the main reason for needing to display the IP address is to answer the question "is it the same as used by another user?". For this a one-way function of the IP address could be used. This could be expanded to show mappings within (e.g.) the same /24 IP block, without the admin interface actually revealing what the underlying address is.

If further investigation into what the actual address is needed, then is it necessary for the same person to know the User to Hash(IP) mapping and the Hash(IP) to IP mapping at the same time, or could the roles be separated without compromising the quality of the investigation?

Categories such as "dial-up modem pool with dynamic IP", "ADSL with static IP", "NAT for an organisation <100 people" could be applied to an IP block or individual address by the persons that can see Hash(IP) to IP info, and viewable by ANYONE. Any user might be able to see the IPs that they themselves have used together with comments relating to those IPs or blocks.

Whois information is public and verifiable, so the "IP address to generic comment" mapping might be something that a large portion (or even the whole) of the community could contribute to without knowing how this relates to individual users. This is already done to an extent on a partial ad-hoc basis with varying degrees of anonymity - e.g. en:Template:Cambridge IP, en:Template:PublicIP, en:Template:SharedIP, and various non-templated comments.

This would be further facilitated if visibility is given to a logged-in user of all of their own recently used IP addresses... although care may need to be taken to avoid revealing ones own IP address by virtue of which IP information pages one tags. - (comment by User:Malathion)

So who compiles the list, based on what? We're talking about data with no central source of information at all. You're still going to need a human with trusted judgement in the loop. You can't Taylorise a social problem - David Gerard 23:55, 15 July 2005 (UTC)
I swear I don't remember leaving this comment. I'm pretty sure it wasn't me. --malathion talk 01:29, 23 July 2005 (UTC)
It was User:62.173.111.114 [3]. I haven't looked to see who decided to put my name on it. --malathion talk 01:34, 23 July 2005 (UTC)
"Who compiles the list, based on what" isn't the data being collected already? I don't understand why admins/stewards/some other category can't be trusted with a function that takes two user names and returns a True/False for shared IP (or common IP block) of origin, for edits in the last X days. 68.148.40.121 05:18, 5 November 2005 (UTC)

This could be an good idea, but if used in another way, currently (probably for privacy reasons) instead of the IP address for autoblocks in the IP block list a number (i.e. #999999) is shown. What about if the log showed the info like this:

  • #999999 is shared by:
    • username1
    • username2

This way we would have less problems with privacy policies.
Cheers, Get_It 03:12, 6 November 2005 (UTC)

Return to "CheckUser policy/Archive 2" page.