Sockpuppet check via hashing

Cross-posted to en:Wikipedia talk:Sock puppet

How about revising the WikiMedia software so that along with each edit, a hashed version of the editor's IP address would be listed in the edit history? That way, it would be possible to determine if two users have the same IP address, without actually giving away their IP address. Joo-joo eyeball 15:23, 21 Jun 2005 (UTC)

Discussion is needed again

from CheckUser due to its former place; it is painful for me to edit the whole page! ;( Aphaia++

This is obviously not true anymore. I know other developers do it regularly per request of editors. Anthere 08:04, 31 July 2005 (UTC)
I think you mean something else - developers besides Tim do not use CheckUser - they have no need for it because they can look directly into the database with other tools. And as far as I know Tim is the only dev with "checkuser" permissions. -- Jeronim 04:06, 15 August 2005 (UTC)
I understand what you mean. You are correct, it is different. I had a look on the steward log and saw a couple of editors were checkusers (such as myself for testing), Shizao on ja at some point, Taw on pl.... it does not really matter who is, but the fact is we just can't say only David and Tim are. Anthere 06:26, 15 August 2005 (UTC)
I originally wrote that it was just Tim and David since I wasn't expecting so many stewards to go round just assigning themselves the permission with no prior discussion of it. Obviously I was wrong. Angela 23:04, 16 August 2005 (UTC)
Fact is, I wanted to test how the feature was working, and never succeeded to understand how it did. But since several stewards now have this permission, maybe we need to rediscuss this or make a more stringy policy ? Anthere
Maybe.
  • An up-to-date list of people who has this flag (if necessary, and perhaps so, or precisely, if such a list should be provided, and if so, where such a list is availabe - perhaps on meta).
  • How an editor can be granted this flag
would be needed to discuss in my humble opinion. Aphaia++ 06:10, 20 August 2005 (UTC)

Checkuser programming availability

I'm starting a site that uses MediaWiki, and I'm having trouble finding if there is a way I can locate a registered user's IP address on my wiki. Is checkuser some sort of mod I can add on to my wiki? For legal purposes it's important to be able to locate a users IP address if needed. --Amcordo 05:25, 5 October 2005 (UTC)

I would personally like to see this feature be made available to more communities than just the English Wikipedia, but I am concerned about potential misuse of it, and the violation of privacy for users who have not been disruptive. I would appreciate any comments about this feature, and answers to the questions below.
Please feel free to add new questions below. This is only a survey of opinion, not a vote. Other answers might be found on the mailing lists. See the related threads on foundation-l, wikipedia-l, and wikitech-l.
Thanks. Angela 03:43, 12 Apr 2005 (UTC)
A summary of the opinions given between 11 and 28 April is on the mailing list. Angela 15:17, 28 Apr 2005 (UTC)
So are you saying that as of right now, this feature is not available to any administrators using mediawiki for their personal, commericial, or educational entities? I run the mediawiki at our university and we would very much like to use Checkuser for various reasons, but through extensive research (including the mailing list links you linked to from what I can see) I could not find any definite information of how to get CheckUser. If it is not being public released due to the concern of misuse then I must say that I find that an absolutely rediculous reason. There are other, more complicated ways to get this information in some cases by people who run wikis/forums/etc but this doesn't leave us an easy way to deal with wiki spammers and various other issues that have arrisen on our wiki. --

Comment from someone with access to this feature

I should point out that I barely use it — its availability to the en: Arb Com directly is somewhat controversial, but I've some experience of net-abuse tracing and know what the results mean or don't, and I only use it when there's clearly some important issue. (Last use was to check on an apparent sock of Rienzo. Use before that was to check the zillion abusive socks in the Baku Ibne arb com case.)

I get a lot of people asking me to check something casually and I have to say "no". Although if people on en: think it's relevant to an arb com case, the "Requests for clarification" section on en:WP:RFAr is the right place to suggest. The edit evidence had better be there, though, I'm not going on fishing expeditions.

I think the issue is less "who should have access" than "what circumstances justify checking?" Spurious sock puppet allegations are almost routine in en: arb com cases. I think my own use of it could be expanded, but there are no guidelines in place and I'm not sure what makes obvious and elegant sense - David Gerard 12:29, 12 Apr 2005 (UTC)

How I'm currently using it

My current criterion for use of the function is "decently substantiated suspicion of sockpuppetry in current ArbCom case." Of late I've used it as well for "decently substantiated suspicion of sockpuppetry to violate ArbCom ban or restriction." This means I won't run checks until a case is active. If it's not noted elsewhere, I note it on en:Wikipedia:Requests for arbitration/Developer help needed.

I would find it useful to check on anyone who comes near the ArbCom, but that's probably not a good idea, especially judging from the opinions below — and people are scared enough to come near the ArbCom anyway. - David Gerard 15:30, 18 Apr 2005 (UTC)

Note that devs already do all this unchecked

I must point out the dev sysadmins do this already as they feel they need to, and no-one is told. So does any website — the admins look through the logs concerning suspected abuse as they see fit.

The question here is how to extend that to others so we don't need to bug the devs unnecesarily when they're trying to, e.g., run the site. Not to do anything that isn't happening already or that shouldn't be happening already. - David Gerard 20:39, 12 Apr 2005 (UTC)

Do you think this feature should be made more widely available?

  • Certainly, since this information would be very helpful not only in resolving accusations of sockpuppetry, but also in vandal-patrolling. Also developers are often too busy with other, more important tasks to be able to perform these checks on request. — Dan | Talk 03:54, 12 Apr 2005 (UTC)
  • Yes with a couple of buts:
    • Every large community should have 1 or 2 people only
    • Those people should only be able to check witnin their own community
    • Abuse (as in making peoples ip adres known publicly) should be severely punished. Think about a projectwide ban.

Waerth 04:37, 12 Apr 2005 (UTC)

  • Certainly, but penalties for misuse should be severe, e.g., de-sysopping with a long ban. jni 06:23, 12 Apr 2005 (UTC)
    • How do you define misuse ? Anthere 16:58, 17 Apr 2005 (UTC)
      • Speaking only for myself: Using it for personal reasons. Fishing expeditions, i.e. using it at all without prior cause. Publicly revealing a user's IP address or threatening same. Using the information discovered to make complaints, except to ISPs, or threatening same. There are probably other forms of abuse that I simply haven't thought of yet. —Charles P. 19:42, 17 Apr 2005 (UTC)
        • Those are definite abuses, yes. Though if there's strong suspicion someone is sockpuppeting as an IP, then whether there's a link is the actual question. Then there's whether the IP is static, quasi-static (e.g. a cable/DSL IP that's theoretically DHCP but in practice doesn't change very often) or dynamic - David Gerard 15:37, 18 Apr 2005 (UTC)
  • Yes. It should be made available to people who can be trusted to handle it responsibly. Unresponsible behaviour can both be using it too much and uncarefull handling of the information, such as making it public. Gebruiker:Danielm
  • Yes on a very limited basis. This involves access to confidential information, and anyone with this access should have a history of level-headed administration and respect for privacy. There are very few offenders that bring vandalism to the level where this tool is required, but their behaviour may be spread across several projects. Those with this access should be able to check other projects in pursuit of a problem individual. Eclecticology 07:37, 12 Apr 2005 (UTC)
  • yes, but on a limited basis. also, both use and abuse should be better defined first. oscar 10:31, 12 Apr 2005 (UTC)
  • Perhaps just a little. At present the problem is not who, it's when - David Gerard 12:29, 12 Apr 2005 (UTC)
  • Yes, but with caution. Eclecticology has expressed the reasons already. —Charles P. 22:37, 12 Apr 2005 (UTC)
  • No, it should even be restricted to those developers and or system administrators responsible for the continuity of the technical infrastructure. The feature being used by system administrators without any supervision right now - there might be a theoretical risk of abuse, but that itself is not a sufficient case to implement oversight right now. Dedalus 07:22, 13 Apr 2005 (UTC)
  • Yes, it should be available to more people. You can't depend on a little amount of people to come up with important info in time. Yesterday, I came across a vandal who kept changing his name. In cases like these an IP ban would be very useful and stop such people from giving admins too much junk to clean up. [[User:MacGyverMagic|MacGyverMagic|(talk)]] 08:13, Apr 14, 2005 (UTC)
  • I think it should be more widely available, or at least something like it. Currently, even if a sockpuppet is obvious to people familiar with the user in question, it's difficult to convince a third party unless you get a developer or find someone willing to sort through loads of circumstantial evidence. Isomorphic 21:40, 18 Apr 2005 (UTC)
  • No as long as the user whos IP you are requesting does not acquiesce -- Nichtich 21:28, 20 Apr 2005 (UTC)
  • NO. This is an extremely bad idea. There are a wide variety of people of different backgrounds on this network and allowing IP viewing is generally a bad idea and adds a severe chilling effect to Wikipedia in my opinion. I think this power should be very much limited. As well there should be an offical process to use it, such as an arbcom or other such venue or investigative body looking into the specific issue of sock puppets. Evidence should be presented then when the panel thinks that a person has been using sockpuppets a designated trustee can check and verify the IP addresses of the accussed accounts. --ShaunMacPherson 03:04, 6 May 2005 (UTC)
  • No. I do not believe even that editors should be privileged with the ability to use it. We already have a police, a court system (which uses its own precedents for law) and various sets of "investigators". Too many people enjoy all that stuff more than actually making an encyclopaedia. Revert vandals, ignore insults, don't feed the trolls. Do those three things and this wouldn't even be a problem. 203.103.60.206 06:38, 11 May 2005 (UTC) Sorry, forgot this is meta and I'm not a user here -- I'm user:Grace Note on WP.
  • Yes, and I see no reason that it cannot be a fairly widespread tool (a major subset of all sysops possibly). LiveJournal has always had the capability for individual users and community managers to see IP addresses of everyone posting or commenting in those places without any major (or minor that I am aware of) issues. There is a strong benefit for the capability to do quick checks on newly-registered usernames (just as some of us might sit on Special:Newpages and check everything below 100B) to see if there may be reasons to watch and/or welcome newcomers. All users leave their IP address everywhere else on the net and the "value" in knowing such a thing is generally low (if the user has a fixed IP) and negligible (if like most people their IP address is DHCP-allocated and changes regularly). The growth of puppets and in userids whose only activitity is to blatantly destroy WP content and value needs a suitable tool to assist the community in maintaining the quality of WP. The expectation that editors are not vandals was fine when the numbers and size of WP was small. Now, for en, de and more, the problem is increasing and the need for such tools follows our certain desire to maintain WP. One other thing; I'd probably remove the ability to block an IP address from someone authorised to view IP addresses (person chooses which power they have) as that would reduce any likelihood of abuse. --VampWillow 14:29, 17 May 2005 (UTC)
  • No I agree with 203.103.60.206. --Malathion 23:00, 3 Jul 2005 (UTC)

If so, who should be given access to it?

  • Something above sysops (we don't need that many Big Brothers). The feature's access log should be visible to all users, just like the other logs. -- Netoholic @ 04:37, 12 Apr 2005 (UTC)
  • One or two people per project only Waerth 04:38, 12 Apr 2005 (UTC)
  • As long as there is some check on this power (user notification, see below) then I think all admins should have it for vandalism fighting. --Duk 04:42, 12 Apr 2005 (UTC)
  • Give the access to all bureaucrats. Something for them to do while not promoting sysops. Access logs should be public. jni 06:20, 12 Apr 2005 (UTC)
  • To determine this we would need to determine the privacy sensitiveness of an ip-address. It is certainly less sensitive than i.e. a credit card number, but likely more sensitive than a bank account number. It might perhaps be best compared to a postal address or phone number, which means it is not secret, but should be handled with care. So, people who are able to handle it with care should get access to it. Certainly these are stewards. Bureaucrats are also highly trusted people within a project. While sysops/moderators certainly are able to make carefull decisions (they do that everytime when dealing with vandals) their number makes improper usage more likely. So IMHO, giving stewards and bureaucrats access will result in a minimal amount of abuse. Giving sysops/moderators access will likely give some incidents, which communities would need to deal with. Gebruiker:Danielm 07:01, 12 Apr 2005 (UTC)
  • Stewards should certainly have access, as should bureaucrats for well-established projects. In some of the smaller projects the opportunity to see if a bureaucrat can be trusted is very limited. The only reason they don't get into arguments is that they don't have anyone to arguewith. Admins who make a crusade out of chasing vandals would not be good candidates. Access logs should probably not be public; it would be difficult to make them public without releasing confidential information. This would be especially unfair in situations where the accused turns out to be innocent. Eclecticology 07:52, 12 Apr 2005 (UTC)
  • firstly: stewards, on all projects. second: bureaucrats of the larger wikis, with access to "their" wiki only. oscar 10:32, 12 Apr 2005 (UTC)
  • Steward or bureaucrat level - David Gerard 12:29, 12 Apr 2005 (UTC)
    • I should add: IP numbers are a POWERFULLY contentious thing to have floating around. Think of the sort of malignant user who would harass other users who disagree with them if only they could find them, or their employer - David Gerard 20:47, 12 Apr 2005 (UTC)
  • Both, Steward and bureaucrat level. -- Get_It 13:04, 12 Apr 2005 (UTC)
  • for stewards yes. But I'd rather have each community which needs this feature elect two or three people who should have access to this feature than automatically giving it to the buerocrats. First: it requires technical knowledge to interprete the results correctly (and not announce publically that someone is a sockpuppet just because he shared a proxy with a troll). buerocrats are not elected in regard to this. Second: on some (smaller) wikis buerocrats are not elected at all, but the first person who does quite some work on the wiki gets buerocrat status. Often they are not known very well by the rest of the international community. distribute power, checks and balances and so... last thing: all sysops should definitely not have access to this feature. abuse potential too high (see above about interpreting the data). Require realname and an explicit agreement to a policy of use for this feature. --Elian 16:10, 12 Apr 2005 (UTC)
    • Being elected as a bureaucrat is no guarantee of trustworthiness. Perhaps the stewards as a group could decide which bureaucrats should have this access, or in some cases even grant the privilege to some other persons. (Would that mean finding a new name for a person with this capability, perhaps prætor :-)) Eclecticology 19:38, 12 Apr 2005 (UTC)
  • Stewards only. 119 19:47, 12 Apr 2005 (UTC)
  • Stewards only, for those wikis of which they can read the language. TeunSpaans 20:07, 12 Apr 2005 (UTC)
  • Stewards, plus at least two users (think of the consuls) on each of the larger projects. The users should be selected anew, publicly, not granted the ability based on some previously-held status. —Charles P. 22:40, 12 Apr 2005 (UTC)
  • David Gerard and Tim Starling are doing a responsible job and showing an enormous restraint in using it. That amount of restraint has not been displayed by all expansion advocates. The case for restricting is probably stronger than the case for expansion. Dedalus 07:25, 13 Apr 2005 (UTC)
    • I understand your against expanding it. You created 2 sockpuppets that tried to upset a vote. Today another 2 of your sockpuppets where found out. With the rate you make sockpuppets I would give this reaction as well. Waerth 20:34, 13 Apr 2005 (UTC)
  • It should be available to a select number of people chosen through a vote. Perhaps bureaucrats so they have something else to do than just promoting admins. [[User:MacGyverMagic|MacGyverMagic|(talk)]] 08:13, Apr 14, 2005 (UTC)
  • Correctly interpreting the results of a sockpuppet check is more than just a matter of comparing IP addresses. The person doing the check also needs to check to see if the address is an open proxy, a transparent proxy run by an ISP, a round-robin proxy like AOL uses, a dialup account, a NAT box used by a school, and a number of other things. It's not something that the average Joe Bureaucrat knows how to do. --Carnildo 19:58, 14 Apr 2005 (UTC)
  • Generally I feel this task should be given to the bureaucrats, not the sysops. Inter\Echo 17:50, 15 Apr 2005 (UTC)
  • Certainly not all admins, but I'm not sure who should have it. Admittedly, I would love to have this for myself, even if I wouldn't use it much. Sockpuppets annoy me mightily. Isomorphic 21:46, 18 Apr 2005 (UTC)
  • This isn't just a matter of access and trustworthiness. You also have to know what the data means, what it indicates and the strength of that indication. The bar for access should be "high," but should also include some appreciation of both the ethical privacy considerations and technical issues with IP address investigation. I don't know how we would select those users in a Wiki environment. Demi 07:34, 19 Apr 2005 (UTC)
  • A handfull of Admins and all stewards should this acces be granted. -- MichaelDiederich 15:26, 25 Apr 2005 (UTC)
  • An a bureaucrat on en who makes many of the promotions, I'm not going to self-promote myself as trustworthy, but I will comment that it would be highly useful if bureaucrats on large projects who have become trusted in promoting should either be able to check IP addresses or have quick access to Stewards who would do it for them.
  1. It would enable bureaucrats to judge sockpuppetry in deciding close nominations
  2. It would discourage such sockpuppetry in the first place if the SPs realize they can be easily found out -- Cecropia 21:18, 1 May 2005 (UTC)
  • two users per project of significant size (say 10,000 articles plus) and stewards (this may mean we need more stewards). Leave it up to each comunity to decide who.Geni 00:16, 2 May 2005 (UTC)
  • As needed. Any trusted user who can make a case for needing this ability should be apply on Requests for permissions–perhaps with the minimum requirement that the user is already an admin. Their intent to apply should be posted publicly on their local wiki(s) and discussed to determine community opinion on their need and suitability for having this ability; stewards then decide whether it is appropriate to grant them, as with any other request for permissions. I'd imagine that currently there are few enough who need CheckUser that this is feasible; there should be only few who have it, and most likely those who do will be bureaucrats, stewards, or arbitrators. Mindspillage (spill yours?) 14:47, 21 August 2005 (UTC)
  • either two persons per large project ( the top twelve?), or stewards only, again only for large projects. Absolutely no bureaucrats or administators. Whoever is given the capability should also have some prior knowledge, or get some training, on tracking IPs before getting the capability. I can see it being way too easily abused if it was given to a larger group of editors. BlankVerse 15:30, 12 October 2005 (UTC)

Should it be limited to stewards, or to wikis with arbitration committees?

  • Stewards only might be a good start. -- Netoholic @ 04:38, 12 Apr 2005 (UTC)
  • I feel all big projects should have one or two people who are able to do it. Waerth 04:39, 12 Apr 2005 (UTC)
  • It is important that someone has access to this function who speaks the language of the project and can make a judgement about the issues that require the IP-address verification. A few people per project fullfills this requirement. Gebruiker:Danielm
  • no, i think each larger project should have at least one (rather active) person with access. oscar 10:34, 12 Apr 2005 (UTC)
  • Every wiki should have one or two (so that the one is not the only one relied upon) - David Gerard 12:29, 12 Apr 2005 (UTC)
  • At least two. Perhaps a few more with access to the logs only, if they're not to be made public. —Charles P. 14:36, 12 Apr 2005 (UTC)
  • To Stewards and a particularly trusted member of the recognised Arbitration Committees (2 users can't just club together and declare themselves the Arbitration Committee for their wiki). Certainly, not to bureaucrats, which is a very general position. James F. (talk) 17:30, 12 Apr 2005 (UTC)
  • If there is so much work using this tool in a project that it overwhelms the time of a single person, it is probably being overused. If only one project-specific person has this right it is probably enough; the stewards are still there to investigate any possible abuse of nthe right. Eclecticology 19:29, 12 Apr 2005 (UTC)
    • Not quite - it's simple enough to enter a username and get IPs that have used it, or enter an IP and get usernames that have used it. It can take time to do a check properly, though, do a whois and nslookup on all IPs, understand what those mean, etc. Two per project also means you're not depending on a single person - David Gerard 20:36, 12 Apr 2005 (UTC)
  • No, I think bureaucrats can be trusted with the feature too. [[User:MacGyverMagic|MacGyverMagic|(talk)]] 08:13, Apr 14, 2005 (UTC)
  • The Stewards could need some support by some trusted admins or so -- MichaelDiederich 15:28, 25 Apr 2005 (UTC)
  • I think this power should be very much limited to arbcom or stewarts or one beaurocrat at most, and the person who gets this power should be elected in someway and it should be for only a limited amount of time. As well there should be an offical process to use it, such as an arbcom or other such venue or investigative body looking into the specific issue of sock puppets. Evidence should be presented then when the panel thinks that a person has been using sockpuppets a designated trustee can check and verify the IP addresses of the acussed accounts. People need the freedom to advocate (and play devil's advocate) on issues without the spector of being revealed and harassed. --ShaunMacPherson 03:04, 6 May 2005 (UTC)
  • Exactly. There is nothing actually wrong with using a sockpuppet. It's only using one for nefarious purposes that's frowned on. Give this power to sysops and it will promptly be abused. User:Grace Note.203.103.60.206 06:43, 11 May 2005 (UTC)
  • No. HuWiki is still a small Wikipedia, but we already see sockpuppets abusing policies (3RR, evading blocks etc.) Right now if we need a check we have to go and ask a developer with enough time on their hands to do it for us. We don't have an ArbCom, but I'd like to see our one bureocrat get this permission, so when there is serious concern that a problem user uses sockpoppetry in violation of our policy he can check upon request. (Of course in HuWiki only.) -- Nyenyec 19:27, 23 September 2005 (UTC)

Does the privacy policy need be adjusted to allow the use of this feature?

  • It should note the CheckUser feature. And [1] should be updated accordingly.--Duk 04:05, 12 Apr 2005 (UTC)
  • Yes. Gebruiker:Danielm
  • yes. oscar 10:35, 12 Apr 2005 (UTC)
  • Actually, I think it's already covered in investigating things for the security of the wiki - David Gerard 12:29, 12 Apr 2005 (UTC)
  • can't harm to mention it. --Elian 16:11, 12 Apr 2005 (UTC)
  • Already covered; I checked for this a month or so ago. James F. (talk) 17:29, 12 Apr 2005 (UTC)
  • Absolutely -- Nichtich 21:28, 20 Apr 2005 (UTC)

Should the user be notified when CheckUser is run on them?

  • Absolutely, people deserve to know when they are being investigated. It could be a notice that is only visible to the user, similiar to the message notice. Duk 04:00, 12 Apr 2005 (UTC)
  • No, because nine out of ten investigations would be false alarms anyway. It would create a false unrest and maybe even huge arguments. It is better to keep accusations silent untill you have gathered the evidence. No need to rock a boat otherwise. Waerth 04:43, 12 Apr 2005 (UTC)
  • Yes, it might create huge occasional arguments, exactly the type of check that would keep it from being abused.--Duk 09:04, 12 Apr 2005 (UTC)
  • If nine out of ten users checked are innocent, then I have to question the reasoning that led to them being checked. --Duk 17:38, 12 Apr 2005 (UTC)
    • Let's say I'm editing from a high-school computer lab. I might be one of thirty or so people editing from that school. Say one of the thirty is a vandal. An IP check on that vandal will bring up the school's IP address, and the user check on that IP to see who might be a sockpuppet will bring up all thirty of us. But 29 are innocent.
    • Or let's say I'm vandalizing from an AOL account. An IP check on me will bring up the AOL proxies I'm editing through, and a sockpuppet check on those IP addresses will bring up thousands of users -- everyone who's ever edited through AOL.
    • A sockpuppet check, by its very nature, will frequently bring up a lot of false positives. --Carnildo 00:27, 13 Apr 2005 (UTC)
      • You've misread the question; notification would go the the account that was checked, not all the resulting possible matches. This would alert a user they were being specifically targeted and checked out, and they would have cause for complaint if there was no reason to run it. Although, now that you mention it, I can see some people wanting to be alerted that their ip information was viewed in the course of a sockpuppet investigation (not myself though). --Duk 20:56, 13 Apr 2005 (UTC)
  • No, in an investigations multiple users will be queried, the majority will be innocent. It will make people think they are suspect, while in a lot of situation it won't be the case. Gebruiker:Danielm
  • No, doing do would cause more problems than it solves. Eclecticology 07:57, 12 Apr 2005 (UTC)
  • not just the user. either all users be able to check the log, or only those who have access to the feature. once CheckUser has become a more widely accepted procedure, there will hopefully be less arguments about it. oscar 10:41, 12 Apr 2005 (UTC)
  • Not necessarily - David Gerard 12:29, 12 Apr 2005 (UTC)
  • Absolutely. We don't want a Big Brother feature, do we? -- de.Carbidfischer 12:36, 12 Apr 2005 (UTC)
  • Notify the user and keep the logs as public as possible. No §213 please. —Charles P. 14:34, 12 Apr 2005 (UTC)
    • Can I call Godwin's on that? James F. (talk) 17:32, 12 Apr 2005 (UTC)
      • No. —Charles P. 21:56, 12 Apr 2005 (UTC)
        • I'll suggest it then. This is not an experiment in Internet democracy, it's a project to write an encyclopedia. As I note above, on any website the sysadmins will look through logs at will. Our devs already have the power to look through the logs at will, and do so. And no-one is told. And I wouldn't stop them, either. This is about extending a small portion of that ability to others, so as not to bug the devs while they're trying to run the site - David Gerard 21:59, 12 Apr 2005 (UTC)
          • And I'll suggest that now that we have the opportunity to change a bad practice, we should take advantage of it. The accumulation of unaccountable, uncheckable power in the hands of a select clique of informers has the potential to do far more harm than any number of sockpuppets and trolls. —Charles P. 22:10, 12 Apr 2005 (UTC)
            • I certainly hope you'll email wikitech-l about this problem, so that they understand the depth of your concerns. Or we could just run a top-100 site without any sysadmins, since you think they inherently can't be trusted - David Gerard 23:09, 12 Apr 2005 (UTC)
              • I certainly hope you'll familiarize yourself with the concept of necessary evils, and realize that transparency and accountability are the best checks on abuse. —Charles P. 23:38, 12 Apr 2005 (UTC)
                • I talked about the sysadmins who run the site, you responded saying "And I'll suggest that now that we have the opportunity to change a bad practice, we should take advantage of it. The accumulation of unaccountable, uncheckable power in the hands of a select clique of informers ..." I mean, WTF? You do realise that the process of administering a website involves complete access to this stuff all day every day? That's what sysadmins do - David Gerard 23:41, 12 Apr 2005 (UTC)
                  • I can do nothing about what the developers do or don't do with their access to this information, even when they blatantly abuse it. I can do something about what non-developers do with it—or I could, if the sole non-developer with the ability to cross-check IPs weren't so strenuously resisting efforts to make sure he is kept accountable. Why is that, by the way? —Charles P. 03:03, 13 Apr 2005 (UTC)
                    • I don't think I am, hence encouraging discussion here. However, I wish you luck in your campaign to impeach Tim Starling - David Gerard 11:29, 13 Apr 2005 (UTC)
                      • You're just arguing vociferously against someone who wants you held accountable. But perhaps we're in Wiki:HeatedAgreement. I know I want this tool available to non-developers, and perhaps you do want to be held accountable. —Charles P. 13:33, 14 Apr 2005 (UTC)
    • Yes, sorry, we seem to be. My apologies for escalation on my part. I have no objection to accountability; my main difficulty at present is that there aren't any rules. Though I'll probably end up writing the first draft ;-) I find this discussion very important to get a handle on what makes sense. It's just as well I'm of superlative moral purity and utterly incorruptible, really, otherwise we'd have had trouble by now - David Gerard
  • No. If they are accused based on that information, they should be informed, but there's no reason to alarm people who have been falsely fingered by users that they've done anything wrong. James F. (talk) 17:32, 12 Apr 2005 (UTC)
  • Yes. You are invading someone's privacy by doing this, and they have a right to a notification and explanation. I do not think this reluctance to "alarm" people is reasonable; if you cannot explain to the user being investigated why you have seen fit to investigate their access history, then it would appear the tool has been used frivolously. 119 19:30, 12 Apr 2005 (UTC)
    • I must point out the dev sysadmins do this already as they feel they need to, and no-one is told. So does any website - the admins look through the logs concerning suspected abuse as they see fit. The question here is how to extend that to others so we don't need to bug the devs unnecesarily when they're trying to, e.g., run the site - David Gerard 20:39, 12 Apr 2005 (UTC)
      • I administer many sites so I understand where you are coming from here. However I'd like specific examples involving Wikipedia where an admin has had to find a correlation between usernames and ip addresses (outside of the cases that this tool was deisgned for obviously). I would argue that finding such a correlation is not necessary outside these isolated cases. Also, it's considerably harder to become a system admin (admin meaning someone with developer access in this case) than to become a Wikipedia admin. So should the criteria for getting access to this sensitive information be that you must be a wikipedia developer simply because they already have access to sensitive information? Just because a sysadmin can access sensitive information doesn't mean they should. For instance, someone with root access can snoop on anyone, but does this mean they should. I'd say no. I think the same applies here. { MB | マイカル } 23:58, 12 Apr 2005 (UTC)
        • Of course. Ultimately, though, we do have to trust them. The tool logs all uses - David Gerard 01:10, 13 Apr 2005 (UTC)
  • Yes, agree with 119. TeunSpaans 20:05, 12 Apr 2005 (UTC)
  • Just a comment, it *is* privacy sensitive information, and should be cared for, but know that you reveal your IP-adress constantly to people you don't know as you access the internet. The only way to keep it secret is to not use your internet connection. For example, it is in any e-mail you send. If you reply to someones e-mail, you reveal your ip-address. It's like a postal address, it is privacy sensitive information, but is used in any of your communication and a lot of people know it. Gebruiker:Danielm
  • I am shocked by David Gerard's and Tim Starling's attitude concerning privacy in general and especially concerning the CheckUser feature. If you want to check a user, why don't you want to tell him oder her about that?! Is this a free encyclopedia or a 1984-like place with a Scientology-like style of leadership? I'm really shocked. Perhaps it would be better to leave the Wikimedia projects, like the German Ulrich Fuchs did with Wikiweise. -- de.Carbidfischer 13:51, 13 Apr 2005 (UTC)
    • and I'm shocked by this statement. Tim and David show enormous restraint in using this feature and do queries only in cases of abuse. In fact everyone who has the ability to check for sock puppets does so in a responsible way at the moment AFAIK. --Elian 02:10, 14 Apr 2005 (UTC)
    • ?! I've used this feature much less than I've ever wanted to, and only in very clear cases of its applicability. I'm sure Xenu would fully approve of my uses of this tool. One thing I really want to come out of this discussion is some idea of what uses would be reasonable and what wouldn't - David Gerard 23:55, 14 Apr 2005 (UTC)
      • Perhaps I misread your intentions. But looking at what you said to those who wanted a notification and how you said it, I thought that your intentions weren't that user-friendly. If I was completely wrong, I'll apologize. But I'm still not entirely convinced. -- de.Carbidfischer 17:05, 15 Apr 2005 (UTC)
  • Absolutely, in every case. -- Nichtich 21:28, 20 Apr 2005 (UTC)
  • No, the person who will do the check is a trusted person and will know what to do and what not to do -- MichaelDiederich 15:29, 25 Apr 2005 (UTC)
Can I exclude abuse just by trusting the one who uses the feature? Of course not. -- 84.146.163.166 13:37, 29 Apr 2005 (UTC)

What circumstances merit checking?

(I'm asking this one because I have this ability and I'm not entirely sure myself. I'm looking for the obviously elegant principle for an answer. - David Gerard 17:49, 12 Apr 2005 (UTC))

  • Perhaps a parallel to search warrants can be drawn. Before a judge will grant such a warrant the person seeking it must show reasonable cause. Eclecticology 19:17, 12 Apr 2005 (UTC)
  1. I feel that this tool should be rarely if ever used to find sock puppets. If this tool simply tells you which accounts have been used from which ip address this is not enough evidence to prove the use of "sock puppet" accounts. I for instance access Wikipedia via a machine which has no real ip address but rather shares a real ip address with several hundred machines. I know for a fact that other people on my network use Wikipedia, and I have no doubts that some of them will be browsing similar pages as me. So, while this tool might be helpful, I feel that it provides far too much opportunity for abuse if it were to be allowed to be used by the general population. Admins already block IPs in similar ranges when fighting "vandals" often blocking legitimate users. Also, this tool could and would provide a huge invasion of privacy by potentially removing anonymity from the use of Wikipedia. Please let this tool be a last resort in serious cases. { MB | マイカル } 18:05, 12 Apr 2005 (UTC)
    Well, yeah. There's no substitute for clue on the part of the checker. If stewards or bureaucrats get this tool, they'll very much need a quick course on subjects such as spamtracing - David Gerard 20:47, 12 Apr 2005 (UTC)
  2. Simply from a technical point of view, the wide use of this tool as it is currently implemented would probably involve synchronization issues resulting in the corruption of the log (I had a similar experience with the paypal donations script I've worked on). { MB | マイカル } 18:05, 12 Apr 2005 (UTC)
    I assume Tim will test that ;-) - David Gerard 20:47, 12 Apr 2005 (UTC)
  • Reasonable cause and the request of some other user (no using this to snoop on personal enemies), which should be made and recorded publicly: on the wiki or mailing list, not in private e-mail or IRC. —Charles P. 22:44, 12 Apr 2005 (UTC)
    • I agree, with some reservation: the arbcom list should count, go-ahead from $MONARCH (currently Jimbo) should count - David Gerard 23:55, 14 Apr 2005 (UTC)
  • I can think of two valid uses, the already mentioned sock puppet identification and tracing vandals with user accounts. Sock puppet identification is only necessary if there is a suspection of abuse (i.e. voting multiple times), vandal identification is only necessary if a block doesn't stop him from vandalising. In certain circumstances, it might be used to complain to a vandal's ISP. Gebruiker:Danielm
  • Use of multiple accounts isn't the same as sockpuppeteering. It seems sometimes some people do confuse the two. This page and the Wikipedia-l mailing list do show a lot of fall out of the Waerth versus Wikix case on the Dutch Wikipedia (where health is rapidly deteriorating), while mediation (though not by a formal arbitration committee) is going on. Elegant positive principles are hard to state. There might be some negative ones. Someone start his request with "I want to know if X is the same as Y"? This is a case for clear denial on IP-address check. The answer should be: "Go ask X, go ask Y, don't ask me." Another negative one is that it might be a means of last resort. Reasonable cause is not sufficient. Have other means been tried? Did they work? Voting is on several projects only allowed by users who created an account at least one month ago, and have made at least one hundred edits. The voter - suspected of sockpuppeteering - might just have casted an illegal vote. Illegal votes get striken through - there is no need to check IP-adresses. Checking IP-adresses in that case is imho totally unnecessary and seriously abusive. There is no need to solve a case that has already been resolved. That would be a waste of time, energy and other resources. The Wikipedia project for example consumes time, energy and other resources to create an encyclopedia and is not a project to reduce the uncertainty of some people wondering if X is the same as Y. If people can't live with that uncertainty, they probably need a Wiki-break. Relax, cool down, stop hunting, don't feed trolls, revertly slowly, exercise control over your emotions. The standard reply to any checking request might be: "I understand you do have a problem serious enough to report to me. I noted it. You can probably fix the problem yourself by other means (without checking IP-adresses). Come back after 72 hours if the problem has not been fixed I show me what you've done to solve it in another way" That sounds like a procedural solution. Dedalus 08:22, 13 Apr 2005 (UTC)
    • As you are sock pupetteer yourself who has been identified of serious abuse I understand your desire to limit IP-address checking as much as possible. Gebruiker:Danielm
      • I second DanielM we found another 2 of them today. Stop it dedalus. You can use sockpuppets as long as they are not upsetting. Keep them out of talkpages and votes, it is extremely frustrating that by now with every new user coming along that starts voting I have to think is this one of Dedalus puppets? Simply striking them doesn't work. You shouldn't do it in the first place. Waerth 20:39, 13 Apr 2005 (UTC)
  • The user that is checked has to approve -- Nichtich 21:28, 20 Apr 2005 (UTC)
I think you have something misunderstood here. This feature is for investigating abuse. Do you require the police in a country to seek permission from a thief before starting investigations? --Elian 15:52, 21 Apr 2005 (UTC)
  • I think that there can be a way to limit the power of this tool. It could simply spit out a hash of the IP addresses, and then HASHES can be compared to see if they are the same (Both MD5/SHA1/etc. hashes of 124.1.13.4 and 124.1.13.4 would be identical). If they are then a higherup can confirm. Thus there can be comparison with people's privacy (esp. innocent people) being maintained.

Let everyone use it

The only reason to limit access is that it might violate users' privacy if other users could see their IP addresses. But so long as the CheckUser function doesn't report actual IP addresses, there's no privacy problem. Have it report something like the md5sum of the real IP address, and then salt that by adding a secret number known only to the CheckUser author (to prevent hypothetical attacks by an obsessive compulsive takes the md5sum of every possible 256^4 IP address.) Not that IP addresses are that secret anyway; you already display those of any non-logged in user. Here's mine: 24.125.116.65 11:11, 13 Apr 2005 (UTC)

  • A hash of the IP address would not be useful. My wikitech-l post gives some reasons for this [2]:
I went to your link and I do not see anything about hashes. Both MD5/SHA1/etc. hashes of 124.1.13.4 and 124.1.13.4 would be identical, and would be useful.
It could simply spit out a hash of the IP addresses, and then HASHES can be compared to see if they are the same . If they are then a higherup can confirm. Thus there can be comparison with people's privacy (esp. innocent people) being maintained.--ShaunMacPherson 03:04, 6 May 2005 (UTC)
How would it preserve privacy? There are only four billion possible IP addresses. A computer could generate a lookup table of hashes in a few hours, and anyone with sufficient technical knowlege to do sockpuppet checks has the knowlege to generate the table. Further, hashes would make sockpuppet checks harder: 124.1.13.4 and 124.1.13.5 are similar IP addresses, but the MD5 checksum of the first is ed29444e307a3f7f9f8ccd1bd6e8dbcc, while the MD5 sum of the second is 7fd7badab276fc24a52db4b9a516b619 -- no resemblance. If someone was using sockpuppets on a dial-up account with those two addresses, using hashes would prevent the sockpuppets from being detected. --Carnildo 17:58, 6 May 2005 (UTC)
Ben Brockert wrote:
> YA-feature request: how about making it more private for the users?
> Instead of the utility taking one username and giving IP addresses, have
> it take two usernames and have it say whether or not they are the same
> IP? Or the same /24, to catch the dialup users. I don't think all sysops
> should have access to all user's IPs (I say that as a sysop, not as a
> tinfoil'd user), but I also think kicking sockpuppets should occur well
> before arbitration.

Unfortunately the situation is more complex than that. Many users are
behind proxies, either mandated by their ISP or by choice. Occasionally
two legitimate users may use the same public or school computer. Partial
IP matches, such as someone using the same regional ISP, are very useful
despite not being certain. Two users using regional ISPs from different
regions is an excellent indication that they are not the same person.
Dialup pools and DHCP pools for DSL users are usually larger than /24.
If we could make a magic script that somehow compared two IP addresses
and produced a percentage likelihood that they were the same person,
then maybe we could avoid releasing IP addresses. But at present,
allowing competent humans to compare hostnames and traceroutes, check
for open ports, request whois information, visit ISP webpages, etc. is
the only way to produce useful information.

-- Tim Starling
Proof that there is no connection between two users is just as valuable socially as proof that two users are the same. The widespread use of DHCP pools for DSL users makes exact IP matches easily avoidable by a technically capable user. Some ISPs use proxies, causing a large number of users to come from the same IP address. Some users use open proxies, which is suspicious behaviour and useful information. This feature was carefully designed based on my experience with sockpuppet investigation, to give useful information in response to a typical request. -- Tim Starling 12:11, 13 Apr 2005 (UTC)
    • Yep. IP matching is an art, not a technical procedure susceptible to Taylorism - David Gerard 23:55, 14 Apr 2005 (UTC)

At discretion of arbcom, subject to veto

All the gubbins seems to me to be a symptom of our understandable suspicion about abuse of this feature. The best solution to me seems to be to place this feature at the discretion of the arbitration apparatus of each individual Wiki, subject to veto, separately, by the board and Jimbo. Power to flip the appropriate bits to grant or revoke the ability to use this feature should continue to reside with whoever has it now, who as de facto custodian of user privacy would have an absolute veto. Arbcom should also be responsible for ensuring that the feature is used only according to its instructions. The log of all accesses of this feature (when used and by whom) should be public if possible. Further information should not be made available but should be available by a report run by the developers on request of arbcom. User:Tony Sidaway 15:30, 28 Apr 2005 (UTC)

There are only 2 or 3 wikis with an arbcom. So basically you are teling other wiki ... you cannot use it! Waerth 09:45, 29 Apr 2005 (UTC)

Delete; replace with neutral feature; make public

The topic of sock is highly charged, in a political sense. Use of sock, or the application of the label of sock, affects larger issues. I don't want a human making these judgement calls in isolation.

Nobody, with or without m:CheckUser, is able to state definitely that two edits were made by the same human or even from the same machine, except in highly unusual cases. Nor is it easy to rule out socks; in some cases, it appears conclusive, but it rarely is. There are all kinds of ways I might create a sock and nobody with CheckUser access would be able to prove it; all kinds of ways that two innocent (and distinct) humans might make edits -- even edits relating to the same issue -- appearing from the same IP and even appearing to human eyes like socks of one another.

  • Note that there is no way at all to label a given user "a sock". Even if I watch a human with my eyes log in with one account each on two netbar screens, how can I say which is "real" and which the "sock"? By convention, we might say that whichever account was created last is the sock -- but I can bitch that up, too. Sock is a class of relationship between two accounts.

On the other hand, it's pretty easy to draw a mechanical line and say that certain objective measures indicate or suggest socks. Given total access to everything, I could easily build a gizmo that, when handed two users (anon or named), spit out a sock score indicating the degree of connection between them.

Not only are similarities in IP significant; there are several metrics to take into account. The entire process can be objective and automated, and that's the way it should be. Then, let anyone with idle time on his hands enter two users into the interface, push the button, and get the current sock score. No privacy is invaded. Nobody knows the dirty details.

To round out my proposal, let the engine assign arbitrary user names to anon bare-IP users (User:anon-ABC-1234; use a mix of letters and digits, you'll be glad you did). I'm not closing the door on anon editing; such anon accounts would be locked open, so the next tourist editing from the same netbar and IP would be free to use it -- one could not password-protect an anon account. (Don't forget to forbid user creation of accounts that conflict with the anon-account range).

This is needed because IPs tell too much. Nobody at all should have access to this information, least of all should it be splashed on every history, for any browsing cop to see.

Anon user names; automatic sock score generated on the fly by anyone. Done.Xiongtalk* 00:34, 2005 May 9 (UTC)

That's a description of a highly desirable feature, but not one that's actually implementable. You just can't tell this stuff that deterministically from knowing a user's IP. Is the IP highly dynamic, somewhat dynamic, not at all dynamic? Does the ISP run everyone through a fixed proxy, so that 100,000 people all use the same address? Does the ISP run everyone through random proxies, so that two successive edits from the same user might have different IPs? Did the ISP change their configuration two days ago, so data from before is different to data from after? What does a given editing pattern say? What does it actually mean? Etc., etc., etc.
This sort of thing is why checking for sockpuppets is an art, not a science. If you disagree, I urge you to write up an algorithm that implements what you are describing, because it certainly won't be included in MediaWiki until someone codes it - David Gerard 17:38, 11 May 2005 (UTC)
Return to "CheckUser policy/Archive 1" page.