Talk:IP Editing: Privacy Enhancement and Abuse Mitigation

This page is to collect feedback for the privacy enhancement for unregistered users project.
Hoping to hear from you. You can leave a comment in your language if you can't write in English.
SpBot archives all sections tagged with {{Section resolved|1=~~~~}} after 7 days and sections whose most recent comment is older than 90 days.

Please remember that this page is used by people from a number of communities, with different native languages. If you avoid using acronyms from your home wiki, that will help them participate in the discussion.

Make separate user right for "unmasking" IPs

A danger I fear: If only checkusers can unmask IPs, wikis will need to increase the checkuser count by an order of magnitude, just to keep up. That's an order of magnitude more accounts that could be compromised. So the unintended consequence will be to decrease privacy for registered users. Instead there should be a separate right, given out more freely than checkuser. Suffusion of Yellow (talk) 20:40, 19 October 2020 (UTC)

It will need to be a user right - more than admins (let alone CUs!) will need access. A discussion should be had with Johan as to what, presumably fairly stringent, set of criteria will be needed, whether it will be globally/locally provided, etc. Nosebagbear (talk) 21:03, 19 October 2020 (UTC)
We're talking about what we can do, internally – it's been suggested before – and will get back to you as soon as I can with our thoughts around this. /Johan (WMF) (talk) 17:05, 20 October 2020 (UTC)

Who can access the IP of an unregistered editor?

OK, so this is what we're thinking right now: We could create a new user right, which would give access to the full IP. We could look into making it an opt-in function, dependent on yet undefined criteria. This could simplify bureaucracy but make access less flexible. The important part here is that we need to know who has access at any given point. I want to stress that we haven’t tried to answer all questions here, as we’re trying to solve this together with you.

An idea could be to create three tiers.

  1. The vast majority of people who access our wikis would see the IPs fully masked.
  2. All admins could see them partially masked (the first three parts of an IP being visible; see the sketch after this list). This could be helpful to see patterns even if they don’t have the new user right. Partially masking them reduces the privacy risk for the unregistered user.
  3. The new user right – in addition to checkusers and stewards – would have access to the entire IP.
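
A minimal sketch, purely to make the tier-2 idea concrete for IPv4 (this is an illustration, not a spec; how to mask an equivalent amount of an IPv6 address is discussed just below):

  import ipaddress

  def partially_mask_ipv4(ip_string):
      """Tier-2 view: keep the first three octets, hide the last.
      Illustrative only; not a spec."""
      ip = ipaddress.IPv4Address(ip_string)   # validates the input
      a, b, c, _ = ip.exploded.split(".")
      return f"{a}.{b}.{c}.xxx"

  # partially_mask_ipv4("203.0.113.42") -> "203.0.113.xxx"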

Thoughts? /Johan (WMF) (talk) 17:02, 21 October 2020 (UTC)

First three parts – does that apply to IPv6 too? In addition, since it's privacy-related, why not give oversighters full access as well? We already oversight logged-out users' IPs. And the new user right sounds a lot like interface admin: there are wikis where IA is given more or less on request, while others are very strict. Will communities get to decide, or will the WMF mandate the process (or rather, the proportion of holders of the new user right relative to admins, etc.)? And will 2FA be needed for this right? Camouflaged Mirage (talk) 17:05, 21 October 2020 (UTC)
Camouflaged Mirage: Masking the equivalent information value of IPv6 addresses, to be clear. (:
I want to stress that this is a conversation starter to figure out what the different communities' needs are, rather than trying to define exactly how this would work – my examples are not exhaustive. There will be some sort of requirement from the Foundation, since this has to do with handling user data, but really, tell us what you think would work best? My personal best guess – not speaking for the team, just for myself – is that an automatic opt-in process would probably make requirements more similar across the wikis than if it was a user right that was manually assigned.
The 2FA question is a very good one. /Johan (WMF) (talk) 17:27, 21 October 2020 (UTC)
How would the automatic opt-in process work and what kind of requirements would it have? A certain number of edits? kyykaarme (talk) 19:37, 8 November 2020 (UTC)
kyykaarme: That's one of the things we'd have to figure out together, if we decide to go down that road instead of a user right whose assignment the communities control. Consider this more a discussion starter than a proposal. Would we need a certain period of time? How do we handle previous blocks? Do we see them as a sign of users who can't handle the norms of the wiki? What's the process for those who were unfairly blocked and immediately unblocked, or blocked themselves for some reason? And so on. /Johan (WMF) (talk) 04:00, 9 November 2020 (UTC)
It's difficult to give suggestions when I don't know what the WMF requires from the users who can see IP addresses in the future. I first thought from your three-tier plan that the user right would be between admin and CU, but then you said that it would be easier to get the user right than it is to become an admin in enwiki. Does that mean that the WMF is willing to give all one thousand+ admins in enwiki the new user right, if they want it? And then how many more users, a few hundred "trusted" vandal fighters, or a few thousand? From your comments I also understand that the users probably have to be adults and possibly sign the confidentiality agreement (with their username). Checkusers often have a long history and are trusted by the community, but in the opt-in version this new user right will be given to pretty much anyone, it seems, as long as they contribute long enough and maybe haven't gotten blocked. And are you going to communicate to the unregistered editors that there are X number of users who can see their IP addresses? kyykaarme (talk) 17:59, 18 November 2020 (UTC)
kyykaarme: Understandably. This is sort of a friendly tug-of-war between the privacy requirements and legal necessities on the one hand, and our ability to defend the wikis on the other. A lot of people have expressed concern, in the comments here and elsewhere, that they wouldn't be able to handle spam and vandalism, and we don't want to risk that, so we are talking about giving more people access than we would have if it were based on e.g. my needs as a vandal fighter on my home wiki (which isn't terribly concerned) and on what would have been preferable from a privacy perspective. We're still in the process of trying to find the right balance. I assume we'd want to keep some sort of warning that not logging in will lead to being more exposed, as well as not having access to most preferences or a reliably permanent identity – like today, but not quite the same. /Johan (WMF) (talk) 05:17, 19 November 2020 (UTC)
And I get that some of you will feel that it should be easier to get this user right than adminship, and look askance at why this would be necessary, but remember that while this talk page is currently dominated by users from English Wikipedia, the English Wikipedia Request for Adminship process is an outlier and we need something that works for all wikis.
If you’ve been around for nine months, have a thousand edits, been active in discussions in the Wikipedia namespace to show that you’re aware of what the community is, and been somewhat active in patrolling, there’s a fair chance you’ll be completely unopposed in a request for adminship on my home wiki. On some small wikis, you’ll get a time-limited adminship when you request it and the two other users who turn up say sure, why not. The global minimum for permanent adminship on Wikimedia content wikis is five editors supporting you.
The process and requirements to gain adminship vary a lot. We figure that the level of trust needed to handle sensitive information here is below what’s currently required in e.g. the English Wikipedia Request for Adminship process, but above what the global minimum can mean in practice. /Johan (WMF) (talk) 17:27, 21 October 2020 (UTC)
I would suggest a MassMessage to the village pumps of every wiki to solicit what each community thinks, if that is what you are hoping for. Thanks for the replies, appreciate it. Camouflaged Mirage (talk) 17:32, 21 October 2020 (UTC)
Yes, we're planning on some sort of MassMessage, to make sure vandal fighters on all wikis are aware of what's happening and how they can participate in the process. /Johan (WMF) (talk) 17:35, 21 October 2020 (UTC)
Thanks. One more: if we are speaking about global issues, how will wikis without local communities work? They are now patrolled by the SWMT, and global rollbackers, global sysops and stewards handle the issues. Will these groups be granted access to the new user right on those wikis? I understand the different rights systems, as I edit wikis ranging from large ones (with local crats) to small ones (I was once a permanent sysop on a small content wiki). If we are saying the bar can be lower than an enwp RfA but higher than permanent adminship on some other wikis, then enwp sysops should be given the right to view the full IP. Take a user in the middle range, say a permanent sysop on a small wiki who is also an enwp rollbacker: they could see the IP address on their home wiki but not on enwp, yet if we trust them on one, why not on all? The same IP user will be seen by the same person anyway. I know it's hard to define exactly where the bar lies. I agree a MassMessage would be proper, and I think we might even benefit from a global RfC for the new user right, similar to how global sysops were conceived. This would be beneficial IMO. Camouflaged Mirage (talk) 17:41, 21 October 2020 (UTC)
Hmm, @Johan (WMF):, this is at least a good discussion benchmark. I thank you for the second half of your reply - I was absolutely going to step in and make the point that it should be lower, but of course you are right as regards variable levels for adminship. Hmm. I will have to have a think, please excuse the whirring hamster noises. I realise it continues the user-right proliferation, but would it make sense to actually have two user rights (akin to edit filter helper and edit filter manager), the lower of which (partial visibility) would be given to all admins but could also be given to others under one set of criteria - while the other (full visibility) would be granted under a higher set? I'm not set on that, but would like to hear your and others' feedback. Nosebagbear (talk) 19:19, 21 October 2020 (UTC)
I think it would be logistically easier, if you go that route, to decide what global and local permissions the foundation considers this access equivalent to. If it's equivalent to the 'trust' for rollbacker, for example, then projects like enwiki might as well bundle the permission into the rollback user right. I'm not sure it should be a separate user right, imo that increases the burden/workload for all projects to have to start assigning that to people. ProcrastinatingReader (talk) 22:17, 30 December 2020 (UTC)
I think this proposal still lacks crucial details in that it says nothing about what exactly the regular users will see instead of an IP address. That is, 'how' will an IP address be masked? If you plan to assign the IPs individualized aliases, then how exactly will that work? That's not a side question. E.g. will it be possible to tell that two individualized IP aliases for IP addresses from the same geographical area do come from a common geographical area? Or will the aliases be assigned randomly? Or perhaps in the same linear order as the IPs come online and make their first WP edits? Or using some other scheme? This question matters a great deal for anti-vandalism and SPI considerations, and the matter can't just be omitted from the above discussion. Nsk92 (talk) 23:12, 22 October 2020 (UTC)
Nsk92: Just to be clear, this isn't a proposal as much as it is a conversation starter. In order to solve these questions, we're trying to bring the communities into the process as early as possible, instead of trying to figure out everything on our own and risk missing crucial things. We're sort of taking the kind of conversation that normally lives in Phabricator and having it on the wikis where it's more accessible for more Wikimedians. Do you have use cases we should be aware of here? A preferred solution? /Johan (WMF) (talk) 23:54, 22 October 2020 (UTC)
From the perspective of anti-vandalism and SPI work, the least harmful version of IP masking would be some system of assigning internal IP aliases that effectively serves the same purposes that the current public IP address system does. That is, an alias system where, say, two IP editors with "similar" (in whichever way the term is precisely quantified) public IP addresses are assigned "similar" internal aliases. That might still allow for some modified form of range-blocking; in cases of sock puppetry and block evasion it would also make it easier (as the current system does) to infer that the same editor is engaged in IP hopping. I have no idea if such a system of IP aliases is technologically feasible (plus, I suppose, you'd have to make sure that one can't actually de-scramble it), but in terms of preserving the functionality of the current system, that'd be most useful, IMO. Nsk92 (talk) 10:11, 23 October 2020 (UTC)
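For illustration, a rough sketch of one way such a "similarity-preserving" alias scheme could work – the secret key, the "Anon-" naming and the per-prefix keyed hash are assumptions, not anything that has been proposed, and (per the de-scrambling concern above) a real design would need more care, since a short per-octet hash can be brute-forced once part of the range is known:

  import hmac, hashlib, ipaddress

  SECRET_KEY = b"server-side secret, never published"  # hypothetical

  def alias_for(ipv4_string):
      """Hash each successive prefix (/8, /16, /24, /32) separately,
      so two addresses in the same range share a common alias prefix
      while the real address stays hidden. Illustrative only."""
      octets = ipaddress.IPv4Address(ipv4_string).exploded.split(".")
      parts = []
      for i in range(1, 5):
          prefix = ".".join(octets[:i])
          digest = hmac.new(SECRET_KEY, prefix.encode(), hashlib.sha256)
          parts.append(digest.hexdigest()[:4])
      return "Anon-" + "-".join(parts)

  # 198.51.100.7 and 198.51.100.200 share everything up to the last
  # segment, mirroring their /24 relationship; 203.0.113.9 shares nothing.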
As a note, this discussion is clearly critical (certainly we need something far better than mere cookies), but it's not inherently related to this specific conversation topic (it warrants its own section), which is who will have access to the information - whether that be the default (whatever that turns out to be), partial, or full. The discussion will logically expand into "and what are going to be the levels needed for those access rights". Nosebagbear (talk) 10:25, 23 October 2020 (UTC)

Statement from the Wikimedia Foundation Legal department

This is a statement from the Wikimedia Foundation Legal department. They are reading the conversation, but there will unfortunately be limits to what answers they can give, or we'd have told you all the details from the beginning, of course. /Johan (WMF) (talk) 16:19, 28 October 2020 (UTC)

Statement

Hello All. This is a note from the Legal Affairs team. First, we’d like to thank everyone for their thoughtful comments. Please understand that sometimes, as lawyers, we can’t publicly share all of the details of our thinking; but we read your comments and perspectives, and they’re very helpful for us in advising the Foundation.

On some occasions, we need to keep specifics of our work or our advice to the organization confidential, due to the rules of legal ethics and legal privilege that control how lawyers must handle information about the work they do. We realize that our inability to spell out precisely what we’re thinking and why we might or might not do something can be frustrating in some instances, including this one. Although we can’t always disclose the details, we can confirm that our overall goals are to do the best we can to protect the projects and the communities at the same time as we ensure that the Foundation follows applicable law.

Within the Legal Affairs team, the privacy group focuses on ensuring that the Foundation-hosted sites and our data collection and handling practices are in line with relevant law, with our own privacy-related policies, and with our privacy values. We believe that individual privacy for contributors and readers is necessary to enable the creation, sharing, and consumption of free knowledge worldwide. As part of that work, we look first at applicable law, further informed by a mosaic of user questions, concerns, and requests, public policy concerns, organizational policies, and industry best practices to help steer privacy-related work at the Foundation. We take these inputs, and we design a legal strategy for the Foundation that guides our approach to privacy and related issues. In this particular case, careful consideration of these factors has led us to this effort to mask IPs of non-logged-in editors from exposure to all visitors to the Wikimedia projects. We can’t spell out the precise details of our deliberations, or the internal discussions and analyses that lay behind this decision, for the reasons discussed above regarding legal ethics and privilege.

We want to emphasize that the specifics of how we do this are flexible; we are looking for the best way to achieve this goal in line with supporting community needs. There are several potential options on the table, and we want to make sure that we find the implementation in partnership with you. We realize that you may have more questions, and we want to be clear upfront that in this dialogue we may not be able to answer the ones that have legal aspects. Thank you to everyone who has taken the time to consider this work and provide your opinions, concerns, and ideas.

Comments

  • I'm going to have to say that I'm not sure how much I believe that any of "user questions, concerns, and requests, public policy concerns, organizational policies, and industry best practices" could have applied here; otherwise it would be grossly poor form for Legal not to have run a proper notification to the community, to provide notice that such a consideration was underway and to gather information on the first three. It definitely reads, in very vague terms, as if it's got to be law-generated. I also find "several potential options on the table" rather irksome, since that would suggest that the options provided thus far meet all the community's needs (that is, no loss of any functionality in countering vandalism & sock-puppetry, no increase in false positives, no increase in time taken to carry out those two tasks). While Johan has certainly engaged, I would say we have neither progressed to the "options" stage yet, nor to the provision of solutions that fully "support community needs". Nosebagbear (talk) 16:29, 28 October 2020 (UTC)
  • The issue is that why we need this hasn't been revealed by the legal team. Yes, if we say which law this might contravene, people might sue straight away, but at least we could have a hint of which countries' laws this might contravene. Regards, Camouflaged Mirage (talk) 16:42, 28 October 2020 (UTC)
  • Sadly, I can't tell if Legal invoking privacy/legal concerns is just "smoke and mirrors" or if there are really legal concerns here. After all, they refused to tell us anything in WP:FRAM and it did just turn out to be interpretation and WMF-created constructs rather than a black-and-white violation of the law or TOS. The answer to the question Is this project the result of a particular law being passed? makes me think that this is the WMF's own deliberation and subjective opinion rather than a black-and-white violation of a particular law. Community trust is low at this point, and condescending political drivel like this that ignores the consensus and objections from the community doesn't help. --Rschen7754 00:44, 30 October 2020 (UTC)
    Also: can we know who wrote the statement? --Rschen7754 00:45, 30 October 2020 (UTC)
    This is probably not that useful - I imagine that several people will have helped write it, and it was probably reviewed by at least the vice-GC. Nosebagbear (talk) 13:36, 30 October 2020 (UTC)
Yes, they collectively reviewed it. /Johan (WMF) (talk) 05:58, 16 November 2020 (UTC)
  • It's not clear if this proposed change has any legal compulsion behind it. It's written to read that way, but a careful perusal shows that the content doesn't actually say so. The Statement seems to say that the privacy subgroup of the legal team recommends IP masking, but it also says that the privacy group makes decisions that "are in line with relevant law, with our own privacy-related policies, and with our privacy values." Adding IP masking is clearly within relevant law. What's clearly more interesting is whether not having IP masking is within relevant law, especially considering that our Privacy Policy explicitly states that your IP address will be visible if you edit Wikipedia without an account. It's completely consistent with the statement that the privacy group just decided that since IP masking increases privacy, it's a good thing and more in line with their "privacy values", and therefore they made a recommendation it be implemented. In other words, under just the wording of the Statement, it's possible this is not a necessary legal change but one intended to protect the editing community. I think it's really important that the legal team distinguish between the two here. If there's actual legal compulsion, we have two easy options: 1) add IP masking at least where needed, or 2) deny anonymous editing where needed. On the other hand, if there's no legal compulsion, it focuses the discussion on whether the benefits of this increase in privacy outweigh the cost to the project in terms of implementing IP masking. Those are totally different discussions. Jason Quinn (talk) 06:13, 30 October 2020 (UTC)
  • This is a frustrating statement, and I think the use of legal privilege as a cloak is unhelpful and misrepresents what that tool is meant to achieve. As others have said, it's not clear whether there is a legal basis for the change at all, or whether it has been driven by Legal or by other groups. I cannot see how the community can support the change or give meaningful input if we don't understand the reasoning. I asked previously, but haven't had a response, whether the Board has supported this approach. Best, Darren-M (talk) 11:27, 30 October 2020 (UTC)
  • TLDR: Hi, this is us, trust us, we can't or won't say anything. Not that I think we shouldn't be hiding IP addresses, but these kinds of statements are kinda useless of course, and when you put so many words of window dressing on top, the only expectation should be that people will be annoyed. —TheDJ (talkcontribs) 12:09, 30 October 2020 (UTC)
  • I feel like I have just read a press release from Trump's White House. The Statement even invoked "privilege" to refuse to discuss the specific reasons for the Legal's decision. I suppose next thing we'll hear that some NDA prevents them from speaking more openly. Or perhaps somebody is being audited by the IRS and they have to wait for the results first. Nsk92 (talk) 11:02, 31 October 2020 (UTC)
  • Legal said: We can’t spell out the precise details of our deliberations, or the internal discussions and analyses that lay behind this decision, for the reasons discussed above regarding legal ethics and privilege. In other words, this tells us nothing except that Legal thought it was a "good idea", and doesn't explain the legal threat or lack thereof, or whether this is merely a best-practice rubber stamp. So much for community involvement in a potentially devastating decision. --Mrjulesd (talk) 13:58, 31 October 2020 (UTC)
It is much worse than that, and Legal's Statement is unethical and dishonest on several levels. First, nobody is asking them to disclose the "precise details of our deliberations, or the internal discussions and analyses that lay behind this decision"; that's complete BS. They can still explain what their summary conclusions were, at least in broad terms, or even in more specific terms, if there are particular countries/jurisdictions and local privacy laws where our current practices with using unmasked IP addresses may be problematic. Nobody is asking for a detailed legal brief here or an explanation of how exactly this brief was produced. Second, the Statement above is so obfuscating and obtuse in its language that after reading it I understand less than I did before the Statement was issued here. Originally I assumed that our current practices with unmasked IP addresses place the WMF in legal jeopardy in some jurisdictions because of some local privacy laws somewhere. But the Statement above uses much more obscure language on this point, as Jason Quinn notes above. So now I don't know what to think, exactly. Third, whatever professional ethical legal "privilege" conundrum the fine folks from Legal think they find themselves in, the WMF officials above them are not limited by such considerations. They can, and in my opinion certainly should, explain to us in their own layman's terms what the substance of the issue compelling this change is. In fact, I'd rather hear this explanation from somebody at the WMF than read another tortuous exemplar of verbal obfuscation and evasiveness prepared by Legal. Nsk92 (talk) 14:57, 31 October 2020 (UTC)
What I know about legal privilege in the US wouldn’t fill a thimble, which I was reminded of when I first tried to answer this request and it was gently pointed out to me that I was mistaken about how it works.
I could do not just the WMF, but the movement, damage by blindly speculating about things far beyond my area of expertise while publicly representing the Foundation. It's certainly frustrating to be bound by legal aspects in communication from this side, too. If I had things to share that I could share, I would: Not just for the communities, for transparency and so on, but also for purely selfish reasons – it would make my life so much easier. But not only am I not equipped to analyse the legal situation: If privileged information is shared with me in my professional role, I'm legally bound not to spread it. (Otherwise it'd be a very thin paper shield – if lawyers wanted to share something they weren't allowed to, they could just share it with a non-lawyer colleague, who could then tell everyone.)
I know it’s not just one single jurisdiction that worries them, and that they consider our publication of IP addresses out of sync with where modern privacy law in general has moved and is moving, but I know precious little more than that. I’m very much here from the product side of things. /Johan (WMF) (talk) 06:02, 16 November 2020 (UTC)
  • As an attorney who specialises in IT and data protection law, I have very much supported this project since the beginning. I am confident that this change can be implemented in a way that protects the privacy of unregistered users and gives the community the necessary tools to keep vandals at bay. However, it bugs me whenever I read a statement from the legal team that says they can't disclose something for professional reasons. Their client, the Wikimedia Foundation, could simply choose to allow them to disclose whatever they know or think. So the real reason that they're not saying something is that WMF management has consciously decided to keep it a secret, and probably for good reasons – we don't want to make it easy for people to attack us. When that is the case, we should say it that way. Leave out the legal jargon, it just makes the community angry and doesn't help anybody. --Gnom (talk) 22:13, 22 November 2020 (UTC)
  • More questions than answers.
Reading the statement from Legal has left me feeling even more unsure about what is going on. Here is my attempt to interpret the language of the Statement. I don't mean to pick it to shreds for the sake of disparagement; I imagine the words were carefully chosen, so I'm trying to see what we can understand from them and what is still obscure.
we can’t publicly share all of the details of our thinking
We don't want all the details, but some clarity of where the goalposts (and out-of-bounds areas) lie might help.
We believe that individual privacy for contributors and readers is necessary
Of course, but it's debatable whether IP addresses are PII in the same way that residential addresses or phone numbers are. [1]
applicable law, further informed by a mosaic ... guides our approach
So, is it a legal imperative, or just a guide?
this effort to mask IPs of non-logged-in editors
Is it sufficient to have made an effort? If the outcome is "we made some improvements but other changes were found to be impractical", if our eventual position is that we "have made reasonable efforts to protect users' privacy", would that work in a legal sense?
from exposure to all visitors to the Wikimedia projects.
From whom should addresses be masked? Does "visitors" include registered users? Does "all" mean everyone, non-negotiable?
the specifics of how we do this are flexible; we are looking for the best way to achieve this goal ... make sure that we find the implementation
This sounds like you've already decided on the what, per above you can't/won't tell us the why, you just want to consult on the how, right?
we may not be able to answer the ones that have legal aspects.
Everything has some legal aspect. Does that mean Legal can answer nothing publicly? If you can't discuss "applicable law", can you discuss the non-legal "own privacy-related policies, ... our privacy values", "public policy concerns, organizational policies, and industry best practices"?
[Apologies if DT-DL isn't desirable formatting above, feel free to adjust that.]
[1] To match my IP address to my real-life identity, you would have to compel my ISP, or operate a service where you have already made that connection in your own logs. If you call my utility supply company and give them my name, address, and phone number, you'd be a fair step towards impersonating me, but my IP address won't work for you there. On the other hand, addressing information can be used more directly in non-personal-identification ways: if you know my phone number then you can call me and harass me; if you know my IP then you can DoS my connection or crack into my network; if you know where I live then you can throw a Molotov cocktail through the window. So though "privacy" laws may generally be about reputational harm and freedom from unnecessary surveillance, there are other potential harms. There are also things that are legal and required in jurisdictions where Wikimedia operates, but still harmful to the users and to the mission, e.g. assisting local authorities to track down and seize users into custody for being involved in "subversive" Wikimedia activities or for disrespecting the Grand Leader, etc. It's one thing to say you want to protect users' privacy, but if we are not clear on what we're protecting against, then how can we assess how effective are those protections?
I hope everyone is getting a holiday break if it's a festive season in your part of the world. For some of us, being away from the day job means more time to engage in Wikimedia. For those whose job is Wikimedia, then we'll hear from you in good time. Best wishes, Pelagic (talk) 05:15, 29 December 2020 (UTC).
Regarding the [1]: social engineering is very much a thing. More importantly, the DPAs consider "IP addresses" to be PII [1][2] ProcrastinatingReader (talk) 22:08, 30 December 2020 (UTC)
Sure, but one can choose to make their PII public. If people see the big yellow box that says "Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits." and decide to not log in or create an account, I don't see a compelling privacy issue. If they want to not have their IP public, there's a very simple solution. —‍Mdaniels5757 (talk • contribs) 22:58, 30 December 2020 (UTC)
I think the idea is that most people don't know what an IP means. Most people don't know basic password security either, hence some sites need to enforce password strength and 2FA requirements. ProcrastinatingReader (talk) 19:50, 31 December 2020 (UTC)
Pelagic: Thank you for your patience, and yes, we're coming back from the holidays now. I can't answer everything, as I'm not from Legal, but to briefly comment on the "all visitors" part: no, it doesn't mean hiding the IPs from everyone – stewards, checkusers and so on would still have access, and, as discussed elsewhere on this page (e.g. the discussions about a potential new user right), we're talking about how to give more people access to this to combat vandalism. /Johan (WMF) (talk) 22:48, 6 January 2021 (UTC)

Limit it to only certain jurisdictions?

When I hear "legal", I suspect this might be driven by the European GDPR and other similar laws in a few countries/regions. Why not use IP address block issuance data and publicly-available geocoding to only apply it in regions where those laws are in effect? 69.89.100.135 20:35, 6 November 2020 (UTC)

Hi, sorry for the late reply – we needed to take a proper look and consider this before we could reply. We’ve checked with Legal, and (as noted above on this talk page) the considerations that led to this project aren’t limited to one single jurisdiction. It’s also a gradual process where more and more of the world is moving in a certain direction with regards to online privacy. If we tried to limit it this way, for some international communities this would be gradual, in that over time more and more users would be affected. But periodically we’d also have some communities where a huge shift would happen. Trying to implement this piecemeal would offer patchy and unbalanced privacy protection, and would also bring the complications of a constantly changing landscape to adapt to, both technically and for the communities, instead of letting us solve the problems as well as we can from the beginning.
(Thank you for being part of wanting to solve this. Appreciated.) /Johan (WMF) (talk) 07:26, 23 November 2020 (UTC)
It is possible that Wikimedia risks being out of line with some interpretations of recent and future legislation. However, my impression is that these interpretations are still being felt out - and I'm worried the wording above suggests an assumption of a single direction of travel, that cannot be halted or reversed by the actions of groups or individuals, but rather must be accepted and accommodated. WMF is not powerless here; it can go only as far as it needs to, and indeed push back on demands where it believes it has a case, while there's still hope that limits may be curtailed - in line with Wikimedia's vision for everyone to know everything.
At the same time, I appreciate rolling back GDPR/CCPA is not our purpose, and there are practical concerns: court actions or fines may disrupt Wikimedia's operations. But I think we'll still end up running into the issue of "one size does not fit all" - some editing communities will want different levels of privacy to others. What WMF does may both vastly exceed legal requirements in one place, yet be insufficient elsewhere; and creating tools makes it harder to justify not using them. Delegating to editing communities the decision on who has access (if this is actually in the offing) may only be a partial solution. GreenReaper (talk) 05:37, 3 December 2020 (UTC)

How is this not the end of anonymous editing?

It seems to me that this is a highly technical and extremely overcomplicated way of putting an end to unregistered editing. There is no effective way to implement IP masking that doesn't cause one of the following two effects:

  1. Hamstring the ability of vandal-fighters to stop disruptive editing
  2. Continue to expose IP information to a sufficiently large group of vandal-fighting editors

Masking IPs will cause one of those two things to happen; there is no middle ground where we can continue to stop disruptive editing while simultaneously preventing IPs from being exposed to nearly all "experienced" editors who contribute to vandal-fighting (which, on en-wp alone is tens of thousands of users). You're fooling yourself if you think you can find that magical middle ground. Since the lawyers appear to be in charge, it's far more likely that it's going to be #1 than #2. And the moment that it becomes clear that our ability to stop vandalism has been removed, the next step will be an RfC to end unregistered editing permanently, and all of this work to mask IPs will have been a colossal waste of time because no one will even use it.

We're bending over backwards to come up with a complex way to name an unregistered user something like "AnonymousUser-99f0ba64", and to attempt to track their IPs behind the scenes (or using cookies or whatever) so that they are still "AnonymousUser-99f0ba64" even if their IP address changes. Well, guess what? That sounds a whole lot like we're auto-registering an account for unregistered users. The only difference is that we're auto-naming their account for them, not requiring them to assign a password to that account, and not encouraging them to even use that same account if they edit from a different device.
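
(For illustration only: a tiny sketch of the kind of cookie-based persistence being described here. The cookie name, the "AnonymousUser-" prefix and the token length are assumptions, not anything that has been specified.)

  import secrets

  def masked_identity(request_cookies):
      """If the browser already carries an anonymous-identity cookie,
      reuse it; otherwise mint a random one. The resulting name stays
      the same even if the underlying IP address changes."""
      token = request_cookies.get("anon_id")
      if token is None:
          token = secrets.token_hex(4)   # e.g. "99f0ba64"
          # a real implementation would also send Set-Cookie here
      return f"AnonymousUser-{token}"

  # masked_identity({}) might return "AnonymousUser-3f7c21aa"
  # masked_identity({"anon_id": "99f0ba64"}) returns "AnonymousUser-99f0ba64"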

So, why go through all of this work? What is the benefit? Just end unregistered editing already and save everyone the trouble. Creating an account is such a small hurdle to overcome in order to edit Wikipedia; anyone who really wants to make an edit will go through the 4-second process to register an account. We don't even require that users connect their account to an email address, like every other website on the internet. A user could quickly and easily register a new account every day, if they wanted to. Both Wikipedia and the internet at large are a lot different than they were 20 years ago. Registering an account to use a website is so commonplace now that very few people will bat an eye at being required to register an account to edit. At the very least, we should conduct a trial (similar to en:WP:ACTRIAL) to understand the effects of requiring all users to register. Will the number of non-vandalism edits being made to Wikipedia plummet? Will the number of new users registered skyrocket? Who knows? But, let's find out before embarking on this convoluted IP masking quest that is destined to trigger the end of unregistered editing anyway. (Furthermore, if IP masking is forced upon projects and they reactively decide to end unregistered editing in response, there won't be time to conduct a trial to understand and mitigate the effects of ending unregistered editing.)

Otherwise, if we're going to continue to allow unregistered editing, then we should simply require unregistered users to explicitly consent to their IP address being publicly logged and forever connected to the edit they're about to make, and require them to explicitly waive all rights connected to the privacy of their IP address. I'm no lawyer, but surely if a user explicitly consents to their IP address being exposed, then WMF would not be exposed to any legal liability. Like, literally, before every edit that they make, a giant 45-page EULA pops up and they have to scroll to the bottom and hit the "I've read and accept this" button. I'm sure the lawyers would love that idea. Scottywong (talk) 23:45, 8 December 2020 (UTC)

Hi Scottywong, I've tried addressing this in the discussions above, to give an understanding of why the Foundation thinks investing in a long process is worth the time and effort. In short, the research we have on wikis and compulsory registration does indicate there's a problem – if it's important enough for them they might register, but if it isn't? If they'd gradually start editing because the threshold was so very low? I see your home wiki is English Wikipedia; please remember that English Wikipedia is at the far end of the spectrum when it comes to already available content and number of editors. There's a balance between "protect what we have" and "get new content", in that it's difficult to make it more difficult for the editing we don't want without making it more difficult for the editing we want, and almost all our wikis are in greater need of more content (and thus people who can add it) than English Wikipedia is. Also, the importance of unregistered editing varies a lot from wiki to wiki both when it comes to how common it is and how much is reverted (i.e. deemed not suitable). For example, my home wiki specifically asked the question "if we do IP masking, do we want to turn unregistered editing off?" and came to the conclusion that it didn't. This is what I wrote when The Signpost asked for a comment:
Why do IP masking at all, some ask. Why not disable IP editing instead? We’re investing significant time and resources in trying to solve this because we’re convinced that turning off unregistered editing would severely harm the wikis. Benjamin Mako Hill has collected research on the subject. Another researcher told us that if we turn IP editing off, we’ll doom the wikis to a slow death: not because of the content added by the IP edits, but because of the increased threshold to start editing. We can’t do it without harming long-term recruitment. The role unregistered editing plays also varies a lot from wiki to wiki. Compare English and Japanese Wikipedia, for example. The latter wiki has a far higher percentage of IP edits, yet the revert rate for IP edits is a third of what it is on English Wikipedia: 9.5% compared to 27.4%, defined as reverted within 48 hours. And some smaller wikis might suffer greatly even in the shorter term.
I hope that at least explains where we're coming from.
(Anecdotally, I was almost exclusively an unregistered editor for the first four years or so of my Wikipedia editing. This gave me years to form a habit. It wasn’t important to me when I started. I just fixed spelling errors because it required nothing of me, not even logging in. Then it gradually became the thing that eats most of my waking hours.)
With regards to the legal part, my understanding is that no, unfortunately, it’s not quite that simple. That's how it may have worked in the early days of Wikipedia; it no longer does. /Johan (WMF) (talk) 17:51, 13 December 2020 (UTC)
Well, you're right that different Wikipedias have different user counts, article counts, editing rates, and vandalism rates. Perhaps this suggests that a one-size-fits-all approach to IP masking for all Wikipedias is not a good idea.
Regarding the studies suggesting that requiring user registration would condemn all Wikipedias to a slow death, I'm not seeing it. The studies you linked to on that specific subject are mostly about how unregistered editing historically helped to get Wikipedia off the ground in the early days. I don't see any studies that suggest that requiring registration now (especially on the larger, more active projects) would cause a catastrophic collapse of Wikipedia. After all, there are some Wikipedias that already don't allow unregistered editing, and to my knowledge, they haven't imploded. En-wiki already doesn't allow unregistered users to create new articles, and there is a significant percentage of pages that are not editable by unregistered users (via page protection and other similar mechanisms). Wikipedia is not the same as it was 20 years ago. It's a mature project that people want to influence, and I'd be very surprised if a one-time 30-second registration process is going to discourage someone who wants to contribute, especially when nearly every other website on the modern internet requires registration. I think this deserves more serious consideration. While it's true that requiring registration might not be right for every project, I would be very surprised if IP masking doesn't eventually cause the largest projects (especially en-wiki) to ban IP editing. Scottywong (talk) 15:48, 14 December 2020 (UTC)
But all this work is something we'd have to do anyway, in that scenario. (: We are also looking closely at what's happening on Portuguese Wikipedia, which is a major wiki where unregistered editing is currently not possible, so there's an ongoing research project to gather more data, specific to a mature Wikipedia. It's too early to say anything yet, but we – in the broad sense, of course – will know more about how Portuguese Wikipedia was affected before we do any actual masking. /Johan (WMF) (talk) 16:35, 14 December 2020 (UTC)

Some thoughts

First, a procedural note: In my opinion, this entire affair has been completely mishandled when it comes to communication. If this is a legal issue, don't give us an FAQ and "motivation" statement that implies that it isn't, only to then reverse and give us a statement from legal that has about as much meaningful content as this template. I know and appreciate that everyone involved has the project's best interests in mind, but this really, really, really should have been handled better.

Persistence: I think cookies are a bad idea, because they are relatively easy to circumvent and get rid of. Using them would also mean that someone could establish multiple distinct identities by just running different browsers. Stick with IPs to establish identities.

User right: If you don't want communities abandoning IP editing as soon as this is passed, there will have to be a user right and it will have to be granted to a substantial number of users; people who regularly deal with vandalism, sockpuppetry, long-term abuse[note 1] and undisclosed paid editing[note 2] will need continued access to full IPs. Partially for proxy detection, partially for informed examination of IP ranges and WHOIS data. If this would be an acceptable compromise, we could consider requiring users to sign an NDA, which may alleviate some of the (legal) concerns involved here. I for one would be happy to do that if it means continued access to unmasked IPs.

Ranges: Consider allowing range queries like Anonymous123/16 for everyone, providing the size of the involved subnets[note 3], and displaying them on IP contribution pages, which would allow users without special access to look at ranges without any substantial privacy impact.
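
A rough sketch of how such a range query might be resolved server-side, assuming a hypothetical internal table mapping masked names to their hidden IPs (the names and the table are invented for illustration; no address would ever be sent to the client):

  import ipaddress

  # Hypothetical server-side mapping; never exposed to readers.
  MASKED_IPS = {
      "Anonymous123": "203.0.113.42",
      "Anonymous456": "203.0.77.9",
      "Anonymous789": "198.51.100.7",
  }

  def expand_range_query(query):
      """Resolve e.g. 'Anonymous123/16' to every masked identity whose
      hidden address falls in the same /16, without revealing any IP."""
      name, prefix = query.split("/")
      net = ipaddress.ip_network(f"{MASKED_IPS[name]}/{prefix}", strict=False)
      return sorted(n for n, ip in MASKED_IPS.items()
                    if ipaddress.ip_address(ip) in net)

  # expand_range_query("Anonymous123/16") -> ["Anonymous123", "Anonymous456"]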

Proxies: I don't see that much use in providing yes/no VPN and TOR indicators; known VPN ranges and TOR nodes are already globally blocked. The more problematic proxies are webhosts and open proxies, which will be hard to detect without manual review.

Implementation: We need to get this right on first try. The risk of communities abandoning IP editing is significantly higher if this doesn't work from day one.

All in all, I am still convinced that this will create more problems than it solves, no matter how good the implementation; but alas, what's decided is decided. I urge everyone involved to work towards a solution that restricts and disrupts existing community processes as little as possible. Best, Blablubbs (talk) 14:20, 13 December 2020 (UTC)

  1. Consider for example that confirmation that one is dealing with this individual is made significantly easier if one can check whether the IP geolocates to London
  2. Which the WMF appears to have largely ignored and kicked to the community, sometimes with devastating results
  3. E.g. /22 and /24 for this IP
Blablubbs: Thanks for the feedback, it's much appreciated. About us saying "sorry, Legal says so, we have to do this": that was not our assumption when we started. Legal was involved earlier too, and there was a statement about their support for this project on the talk page early on, but while I understand that the change in motivation – and in what can and can't be done – is confusing, it reflects an actual change in understanding for the team behind the project, not just in how we communicate. /Johan (WMF) (talk) 16:10, 13 December 2020 (UTC)
And to be clear, this is not about one specific law or one specific jurisdiction, as stated above. /Johan (WMF) (talk) 16:13, 13 December 2020 (UTC)
Hi Johan, thanks for the response. I had an off-wiki chat with Darren-M, trying to figure out why legal cannot be more clear. So in the hopes of obtaining at least a modicum of clarity, I'll try to ask some direct questions, mostly related to this statement: We can’t spell out the precise details of our deliberations, or the internal discussions and analyses that lay behind this decision, for the reasons discussed above regarding legal ethics and privilege.
  • While legal cannot unilaterally disclose the reasoning because of attorney-client privilege, the WMF – being the client – absolutely can. So if privilege is the argument for being obscure, why doesn't the WMF at least partially waive it or provide a statement itself?
  • Does legal believe that we may currently be open to litigation because of existing laws?
  • If not, why are we citing no specific legislation while also citing privilege to avoid disclosing anything?
  • Is there any current or pending litigation regarding privacy of IPs on Wikimedia projects?
  • Is this being done to avoid future liability because WMF legal believes that laws that might make public disclosure of IPs illegal will be passed?
  • If so, why is the feature not just developed and shelved until such laws potentially come into effect, given the strong opposition by the community?
  • If so, why can we not be more open about what those future liabilities are, given that they are not currently a threat?
  • Has the Board endorsed this decision? If not, what is the most senior level it has been endorsed at?
I'm aware I won't be able to get full responses to all of those questions, but I'd appreciate an attempt at giving the community more than what are arguably non-answers. I am not asking for details about specific liabilities, or for specifics about internal discussions; I merely want to know on a meta-level what the nature of the cited threat is: Given that it's used to override community consensus, it seems like a good idea to be as transparent as possible – and I don't believe legal's statement meets that standard. Thanks and best, Blablubbs (talk) 23:14, 13 December 2020 (UTC)
Blablubbs: Just wanted to acknowledge that I've read this and that I'm passing it on to the Legal department. /Johan (WMF) (talk) 23:37, 13 December 2020 (UTC)
@Johan (WMF): Thank you for passing that on. I'm going to also somewhat tactlessly ask: did Legal change their minds between their initial discussions and more recently with you/your team about it being a necessity, or did they just insufficiently make it clear it was a necessity (perhaps because they felt that if it was going to be introduced, stating it as a legal requirement seemed unneeded to them)? Nosebagbear (talk) 16:23, 14 December 2020 (UTC)
To be honest, I think this is a question more about the difference in how you understand a legal position if you're a lawyer or a non-lawyer, though of course a lot of things have happened in a year and things keep changing. Legal is working even closer with us now. /Johan (WMF) (talk) 17:07, 22 December 2020 (UTC)
Regarding ranges: this seems like a privacy issue. This would make it quite trivial to determine what country someone lives in, for example, and depending on the CIDR sizes permitted you could even get an ISP. Whilst you might not think this is the biggest deal, currently if someone has a registered account it's not possible for anyone to know that, and the same applies on any site with registration, so this is a fair change in the norm.
Regarding NDAs: a lot of active editors are not comfortable with doing so. Indeed, only a fraction of users are functionaries or have access to non-public information. I think requiring editors to enter into legal agreements to continue doing the work they're doing is not a good outcome. ProcrastinatingReader (talk) 22:26, 30 December 2020 (UTC)
Thanks for the feedback, ProcrastinatingReader. Just wanted to acknowledge we're reading and taking into account. /Johan (WMF) (talk) 22:41, 6 January 2021 (UTC)
@Johan (WMF): - just a reminder that Legal have yet to respond to the questions posed by @Blablubbs: and myself. I wouldn't have thought these questions were particularly onerous or complex to draft responses for, so I trust we can look forward to a full reply from Legal shortly? Best, Darren-M (talk) 21:51, 20 January 2021 (UTC)
Ping acknowledged. /Johan (WMF) (talk) 05:01, 26 January 2021 (UTC)
@Johan (WMF), I know it isn't your call if and when legal responds, but it's been another month and if we're not going to get a reply, I'd appreciate it if we could just get a statement that says so outright – though, as outlined above, I'm still not entirely clear why it isn't possible to make a statement that is at least marginally less vague. Best, Blablubbs (talk) 15:17, 21 February 2021 (UTC)
Blablubbs: Noted, and I'll pass it along. I can assure you that they read this page, so anything being pointed out here is seen, not just by me. /Johan (WMF) (talk) 11:52, 22 February 2021 (UTC)

Just give me what I need to find and fight troublemakers

Normal users/non-logged-in users probably don't need to see anything more than "this user was not logged in; click on the username to see RECENT posts by this same IP address." "Recent" may be 1-30 days for highly dynamic addresses, several months to a year or more for "long-term dynamic" ones, and a lot longer for static ones.

Experienced users should be able to see all past posts by the registered net-block so they can make sensible decisions about whether to report vandalism or not. This may not be feasible for "large" blocks like /16 and larger or the IPv6 equivalent. Typically, the net-block size would be pulled from internet registry information, but there will always be case-by-case exceptions: a known static IP address might be given a size of "1 address", or an ISP that was "registered" as a /14 but which was known to sub-divide blocks might have its ranges "carved up" for our purposes.

On request, experienced users should be able to ask for and routinely get the rights to "drill down" to some reasonably small net-block, probably not smaller than a /24 (unless it was already smaller, see above). In other words, if ACME ISP had a /17 block and I knew or suspected it sub-divided its block into /24 blocks, but the WMF didn't know that and so presented it to me as a /17, I could ask for a view of a /24 block's edits.
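
A small sketch of that drill-down step (the function, the example ISP block and the addresses are hypothetical; looking the registered block up in registry data is out of scope here):

  import ipaddress

  def drill_down(registered_block, requested_prefix, editor_ip):
      """Given the registry-sized block (say ACME's /17) and a requested
      finer granularity (say /24), return the sub-block an editor's
      hidden address falls in. The viewer sees only the sub-block."""
      block = ipaddress.ip_network(registered_block)
      prefix = max(requested_prefix, block.prefixlen)  # never coarser than the registered block
      return ipaddress.ip_network(f"{editor_ip}/{prefix}", strict=False)

  # drill_down("198.51.0.0/17", 24, "198.51.100.7") -> IPv4Network('198.51.100.0/24')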

Except for known static addresses and known very small blocks, e.g. /25 and smaller, the ability to "drill down" further should be restricted to those who go through an approval process more serious than "oh, you are an experienced user with no recent history of trouble, here you go, you now have this user right."

The ability to see actual complete addresses should be further restricted, but on en-wiki at least, it will need to be routinely open to administrators who request the permission, upon an approval process at least as strict as the one needed to "drill down" past a /24. It might not be much stricter than that, or it might be a lot stricter; this is probably where Legal will need to step in and advise.

Bottom line: Show me the information I need to make Wikipedia better. I have no problem if other things are hidden, just don't get in the way of me trying to help. Davidwr/talk 15:21, 7 January 2021 (UTC)

Davidwr: Thanks. Yes, the reason this is a long-term project is that we want to work to achieve exactly that. /Johan (WMF) (talk) 15:23, 7 January 2021 (UTC)
And everyone telling us exactly what they need is very helpful. /Johan (WMF) (talk) 15:23, 7 January 2021 (UTC)
Self-reply: Experienced users also need a way to correlate people who, while they are in a different IP address range, are either on the same ISP or in the same geography. Case #1 would be a cell phone company that has several distinct IP address ranges it uses "randomly" across an entire nation. Case #2 would be a troublemaker who shifts from his home ISP to his cell phone to the public library to the local coffee shop to ... and so on. I'm not sure what "level of trust" is needed for that, but it's going to have to be "not too hard to get when requested" to be useful. It might need to be "harder to get" than the "routinely granted" access I mentioned in the second paragraph above (msg. dated 15:21, 7 January 2021 (UTC)). Just as important, maybe more so, is the ability to get a "confirmed NEGATIVE correlation." If two seemingly similar editors from different net-blocks are on different sides of the planet, that would be VERY helpful to know - either they are unrelated, or one or both addresses may need to be checked to see if it is a known or unknown proxy. Speaking of proxies and the like, it would help if "geographically indistinct" addresses like proxies and enterprise NAT addresses were flagged as such when known, and if there was a way to ask for a check to be done on an address that "seemed like" it might be "geographically indistinct." Davidwr/talk 15:36, 7 January 2021 (UTC)

Public-interest location info

Here is an example of where knowing at least the city had value beyond direct vandal-fighting; it was used in a wider discussion of improper influence. From w:en:Wikipedia:Wikipedia Signpost/2020-12-28/Opinion "How to make your factory's safety and labor issues disappear": "Mqsobhan was not gone for good. On December 3, an anonymous editor with an IP address from Dhaka, Bangladesh deleted most of the article, but was immediately reverted." If IP addresses are no longer openly published, will a rough location still be? Pelagic from Sydney (talk) 01:39, 12 January 2021 (UTC)
