Talk:IP Editing: Privacy Enhancement and Abuse Mitigation: Difference between revisions

From Meta, a Wikimedia project coordination wiki


{{green|All users with accounts over a year old and at least 500 edits will be able to access partially unmasked IPs without permission }} ... {{green|This will be accessible via a preference where they agree not to share it with others who don't have access to this information}}. Nonsense. Only administrators should be able to grant this permission to ensure the person has a track record of good edits, can understand the importance of respecting privacy, and actually gets involved in anti-vandalism. On the request page for this permission they can state they understand not to share this information, making a permanent and publicly accessible record. If anyone has concerns about that specific user getting the permission that also gives them the opportunity to state their reasoning for the awarding admin. [[User:Uses x|Uses x]] ([[User talk:Uses x|talk]]) 18:51, 10 June 2021 (UTC)

== 10 June 2021 update and its impact on enwiki's Sockpuppet Investigation (SPI) process ==

The SPI process now is carried on in publicly readable pages where incident reporters, SPI clerks, and checkusers all communicate with each other. It's one thing to say that appropriately privileged users will have access to the full IP addresses, but if we must agree not to disclose this information publicly, the entire SPI process will be unable to function. [[User:RoySmith|RoySmith]] ([[User talk:RoySmith|talk]]) 20:02, 10 June 2021 (UTC)

Revision as of 20:02, 10 June 2021


This page is to collect feedback for the privacy enhancement for unregistered users project.
Hoping to hear from you. You can leave a comment in your language if you can't write in English.
SpBot archives all sections tagged with {{Section resolved|1=~~~~}} after 14 days and sections whose most recent comment is older than 120 days.

Please remember that this page is used by people from a number of communities, with different native languages. If you avoid using acronyms from your home wiki, that will help them participate in the discussion.

How is this not the end of anonymous editing?

It seems to me that this is a highly technical and extremely overcomplicated way of putting an end to unregistered editing. There is no effective way to implement IP masking that doesn't cause one of the following two effects:

  1. Hamstring the ability of vandal-fighters to stop disruptive editing
  2. Continue to expose IP information to a sufficiently large group of vandal-fighting editors

Masking IPs will cause one of those two things to happen; there is no middle ground where we can continue to stop disruptive editing while simultaneously preventing IPs from being exposed to nearly all "experienced" editors who contribute to vandal-fighting (which, on en-wp alone is tens of thousands of users). You're fooling yourself if you think you can find that magical middle ground. Since the lawyers appear to be in charge, it's far more likely that it's going to be #1 than #2. And the moment that it becomes clear that our ability to stop vandalism has been removed, the next step will be an RfC to end unregistered editing permanently, and all of this work to mask IPs will have been a colossal waste of time because no one will even use it.

We're bending over backwards to come up with a complex way to name an unregistered user something like "AnonymousUser-99f0ba64", and to attempt to track their IPs behind the scenes (or using cookies or whatever) so that they are still "AnonymousUser-99f0ba64" even if their IP address changes. Well, guess what? That sounds a whole lot like we're auto-registering an account for unregistered users. The only difference is that we're auto-naming their account for them, not requiring them to assign a password to that account, and not encouraging them to even use that same account if they edit from a different device.

So, why go through all of this work? What is the benefit? Just end unregistered editing already and save everyone the trouble. Creating an account is such a small hurdle to overcome in order to edit Wikipedia; anyone who really wants to make an edit will go through the 4-second process to register an account. We don't even require that users connect their account to an email address, like every other website on the internet. A user could quickly and easily register a new account every day, if they wanted to. Both Wikipedia and the internet at large are a lot different than they were 20 years ago. Registering an account to use a website is so commonplace now that very few people will bat an eye at being required to register an account to edit. At the very least, we should conduct a trial (similar to en:WP:ACTRIAL) to understand the effects of requiring all users to register. Will the number of non-vandalism edits being made to Wikipedia plummet? Will the number of new users registered skyrocket? Who knows? But, let's find out before embarking on this convoluted IP masking quest that is destined to trigger the end of unregistered editing anyway. (Furthermore, if IP masking is forced upon projects and they reactively decide to end unregistered editing in response, there won't be time to conduct a trial to understand and mitigate the effects of ending unregistered editing.)

Otherwise, if we're going to continue to allow unregistered editing, then we should simply require unregistered users to explicitly consent to their IP address being publicly logged and forever connected to the edit they're about to make, and require them to explicitly waive all rights connected to the privacy of their IP address. I'm no lawyer, but surely if a user explicitly consents to their IP address being exposed, then WMF would not be exposed to any legal liability. Like, literally, before every edit that they make, a giant 45-page EULA pops up and they have to scroll to the bottom and hit the "I've read and accept this" button. I'm sure the lawyers would love that idea. Scottywong (talk) 23:45, 8 December 2020 (UTC)[reply]

Hi Scottywong, I've tried addressing this in the discussions above, to give an understanding of why the Foundation thinks investing in a long process is worth the time and effort. In short, the research we have on wikis and compulsory registration does indicate there's a problem – if it's important enough for them they might register, but if it isn't? If they'd gradually start editing because the threshold was so very low? I see your home wiki is English Wikipedia; please remember that English Wikipedia is at the far end of the spectrum when it comes to already available content and number of editors. There's a balance between "protect what we have" and "get new content", in that it's difficult to make it more difficult for the editing we don't want without making it more difficult for the editing we want, and almost all our wikis are in greater need of more content (and thus people who can add it) than English Wikipedia is. Also, the importance of unregistered editing varies a lot from wiki to wiki both when it comes to how common it is and how much is reverted (i.e. deemed not suitable). For example, my home wiki specifically asked the question "if we do IP masking, do we want to turn unregistered editing off?" and came to the conclusion that it didn't. This is what I wrote when The Signpost asked for a comment:
Why do IP masking at all, some ask. Why not disable IP editing instead? We’re investing significant time and resources in trying to solve this because we’re convinced that turning off unregistered editing would severely harm the wikis. Benjamin Mako Hill has collected research on the subject. Another researcher told us that if we turn IP editing off, we’ll doom the wikis to a slow death: not because of the content added by the IP edits, but because of the increased threshold to start editing. We can’t do it without harming long-term recruitment. The role unregistered editing plays also varies a lot from wiki to wiki. Compare English and Japanese Wikipedia, for example. The latter wiki has a far higher percentage of IP edits, yet the revert rate for IP edits is a third of what it is on English Wikipedia: 9.5% compared to 27.4%, defined as reverted within 48 hours. And some smaller wikis might suffer greatly even in the shorter term.
I hope that at least explains where we're coming from.
(Anecdotally, I was almost exclusively an unregistered editor for the first four years or so of my Wikipedia editing. This gave me years to form a habit. It wasn’t important to me when I started. I just fixed spelling errors because it required nothing of me, not even logging in. Then it gradually became the thing that eats most of my waking hours.)
With regards to the legal part, my understanding is that no, unfortunately, it’s not quite that simple. That's how it may have worked in the early days of Wikipedia; it no longer does. /Johan (WMF) (talk) 17:51, 13 December 2020 (UTC)[reply]
Well, you're right that different Wikipedias have different user counts, article counts, editing rates, and vandalism rates. Perhaps this suggests that a one-size-fits-all approach to IP masking for all Wikipedias is not a good idea.
Regarding the studies suggesting that requiring user registration would condemn all Wikipedias to a slow death, I'm not seeing it. The studies you linked to on that specific subject are mostly about how unregistered editing historically helped to get Wikipedia off the ground in the early days. I don't see any studies that suggest that requiring registration now (especially on the larger, more active projects) would cause a catastrophic collapse of Wikipedia. After all, there are some Wikipedias that already don't allow unregistered editing, and to my knowledge, they haven't imploded. En-wiki already doesn't allow unregistered users to create new articles, and there is a significant percentage of pages that are not editable by unregistered users (via page protection and other similar mechanisms). Wikipedia is not the same as it was 20 years ago. It's a mature project that people want to influence, and I'd be very surprised if a one-time 30-second registration process is going to discourage someone who wants to contribute, especially when nearly every other website on the modern internet requires registration. I think this deserves more serious consideration. While it's true that requiring registration might not be right for every project, I would be very surprised if IP masking doesn't eventually cause the largest projects (especially en-wiki) to ban IP editing. Scottywong (talk) 15:48, 14 December 2020 (UTC)[reply]
But all this work is something we'd have to do anyway, in that scenario. (: We are also looking closely at what's happening on Portuguese Wikipedia, which is a major wiki where unregistered editing is currently not possible, so that's a research project that is ongoing to gather more data, specific for a mature Wikipedia. It's too early to say anything yet, but we – in the broad sense, of course – will know more about how Portuguese Wikipedia was affected before we do any actual masking. /Johan (WMF) (talk) 16:35, 14 December 2020 (UTC)[reply]
@Johan (WMF): while I can certainly accept the case that different projects would accept the concept of IP masking against that of blocking IPs, I would like to ask for additional focus on the options bit raised by OP.
To stop this having major effect (and I would note that my (and many respondents who made such comments in the original consultation) definition of success is "no net increase in "uptime" of problems, no net increase in false positives, no net increase in editor time taken to carry out tasks") will indeed require a) very broad access for most IP information. Probably not tens of thousands on en-wiki alone as IP said, but certainly above 5000 within a couple of years and b) broad access for all IP information - probably about 2000 on enwiki (1100 admins plus other key individuals).
That, by the way, assumes that people with partial information can indeed do functionally all of their work without needing to refer cases to someone with full vision. I'm still not quite sure how well that holds up, but I'll take it as granted for now.
I do share a concern that spreading it that broadly (factoring across all projects) renders the project somewhat moot, or Legal are going to want a tighter close, which is going to have a major effect. Nosebagbear (talk) 10:59, 8 March 2021 (UTC)[reply]

I am not certain if I am allowed to comment here, but I certainly welcome the end to (or at least the limiting of) IP editing. Not having to contend with well meaning anonymous editors and the steady stream of vandals will free up a lot of time to add content. And, with limits on anonymous editing, we will be able to communicate with new editors instead of them floating around and never realizing that there are IP talk pages. Of course, it would be nice if this was happening more publicly, instead of here, "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'" Mr.choppers (talk) 01:51, 23 March 2021 (UTC)[reply]

Mr.choppers: Is there anything in particular you'd want us to do information-wise? We're planning on letting all admins across the wikis know by posting on their talk pages, but we want to re-assess and figure out where we are in the process first, so we don't give them old information.
To get an idea of what we've done so far: I see you're active on Commons and English Wikipedia; I wrote w:en:Wikipedia:Wikipedia Signpost/2020-11-01/Op-Ed in an attempt to explain it on the latter wiki. We've repeatedly included it in Tech/News, which is sent to both commons:Commons:Village pump/Technical and w:en:Wikipedia:Village pump (technical) and a hundred other community pages across wikis, and is transcluded on the English Wikipedia community portal (w:en:Wikipedia:Community portal#Technical news), we've posted to wikimedia-l, the international Wikimedia mailing list, and some groups on social media where Wikipedians discuss internationally, we've had some local conversations to see if we'd get different feedback in other languages (i.e. are there workflows we're missing on other wikis if we just talk about this in English) and are planning another round, we ran some discussions about the plans at the last Wikimania that was able to take place, and reached out specifically to checkusers and stewards. /Johan (WMF) (talk) 08:02, 23 March 2021 (UTC)[reply]
I believe that I, as most editors, do not ever visit those places. We edit the pages that are of interest to us and we do not generally visit any sort of meta-pages whatsoever. I am here as a result of an admin mentioning this policy to me by happenstance. These changes will be hugely disruptive (I think, it is very unclear what may actually happen) and would, in my eyes, merit a direct notice to all users before such change is decided on. Mr.choppers (talk) 11:21, 23 March 2021 (UTC)[reply]
To be clear, the Legal team has declared that this is something they need to happen, and given it to the Wikimedia Foundation Product department to figure out how (which we're trying to do here). So let's be honest here: this was not a decision they made with community input, since legal decisions are not matters of consensus. This doesn't mean that we shouldn't make sure the communities are aware: we want to develop this together with patrollers and others from the Wikimedia communities, and we desperately need a lot of feedback and criticism and suggestions along each step for this to work properly. But it hasn't been hidden to have a decision made without anyone noticing and then say "hey, this was something we decided together!", because it wasn’t a collaborative decision or a proposal as much as an investigation.
It's just difficult to find the right level of shouting loud enough so enough people hear but not so loud it comes in the way of their editing. /Johan (WMF) (talk) 17:50, 23 March 2021 (UTC)[reply]

Some thoughts

First, a procedural note: In my opinion, this entire affair has been completely mishandled when it comes to communication. If this is a legal issue, don't give us an FAQ and "motivation" statement that implies that it isn't, only to then reverse and give us a statement from legal that has about as much meaningful content as this template. I know and appreciate that everyone involved has the project's best interests in mind, but this really, really, really should have been handled better.

Persistence: I think cookies are a bad idea, because they are relatively easy to circumvent and get rid of. Using them would also mean that someone could establish multiple distinct identities by just running different browsers. Stick with IPs to establish identities.

User right: If you don't want communities abandoning IP editing as soon as this is passed, there will have to be a user right and it will have to be granted to a substantial number of users; people who regularly deal with vandalism, sockpuppetry, long-term abuse[note 1] and undisclosed paid editing[note 2] will need continued access to full IPs. Partially for proxy detection, partially for informed examination of IP ranges and WHOIS data. If this would be an acceptable compromise, we could consider requiring users to sign an NDA, which may alleviate some of the (legal) concerns involved here. I for one would be happy to do that if it means continued access to unmasked IPs.

Ranges: Consider allowing range queries like Anonymous123/16 for everyone, and to consider providing the size of the involved subnets[note 3] and displaying them on IP Contribution pages, which would allow users without special access to look at ranges without any substantial privacy impact.

Proxies: I don't see that much use in providing yes/no VPN and TOR indicators; known VPN ranges and TOR nodes are already globally blocked. The more problematic proxies are webhosts and open proxies, which will be hard to detect without manual review.

Implementation: We need to get this right on first try. The risk of communities abandoning IP editing is significantly higher if this doesn't work from day one.

All in all, I am still convinced that this will create more problems than it solves, no matter how good the implementation; but alas, what's decided is decided. I urge everyone involved to work towards a solution that restricts and disrupts existing community processes as little as possible. Best, Blablubbs (talk) 14:20, 13 December 2020 (UTC)[reply]

  1. Consider for example that confirmation that one is dealing with this individual is made significantly easier if one can check whether the IP geolocates to London
  2. Which the WMF appears to have largely ignored and kicked to the community, sometimes with devastating results
  3. E.g. /22 and /24 for this IP
Blablubbs: Thanks for the feedback, it's much appreciated. About us saying "sorry, Legal says so, we have to do this", that was not our assumption when we started. Legal was involved earlier too, and there was a statement about their support for this project on the talk page early on, but while I understand the change in motivation and what can be done and can't is confusing, it reflects an actual change in understanding for the team behind the project, not just in how we communicate. /Johan (WMF) (talk) 16:10, 13 December 2020 (UTC)[reply]
And to be clear, this is not about one specific law or one specific jurisdiction, as stated above. /Johan (WMF) (talk) 16:13, 13 December 2020 (UTC)[reply]
Hi Johan, thanks for the response. I had an off-wiki chat with Darren-M, trying to figure out why legal cannot be more clear. So in the hopes of obtaining at least a modicum of clarity, I'll try to ask some direct questions, mostly related to this statement: We can’t spell out the precise details of our deliberations, or the internal discussions and analyses that lay behind this decision, for the reasons discussed above regarding legal ethics and privilege.
  • While legal cannot unilaterally disclose the reasoning because of attorney-client privilege, the WMF – being the client – absolutely can. So if privilege is the argument for being obscure, why doesn't the WMF at least partially waive it or provide a statement itself?
  • Does legal believe that we may currently be open to litigation because of existing laws?
  • If not, why are we citing no specific legislation while also citing privilege to avoid disclosing anything?
  • Is there any current or pending litigation regarding privacy of IPs on Wikimedia projects?
  • Is this being done to avoid future liability because WMF legal believes that laws that might make public disclosure of IPs illegal will be passed?
  • If so, why is the feature not just developed and shelved until such laws potentially come into effect, given the strong opposition by the community?
  • If so, why can we not be more open about what those future liabilities are, given that they are not currently a threat?
  • Has the Board endorsed this decision? If not, what is the most senior level it has been endorsed at?
I'm aware I won't be able to get full responses to all of those questions, but I'd appreciate an attempt at giving the community more than what are arguably non-answers. I am not asking for details about specific liabilities, or for specifics about internal discussions; I merely want to know on a meta-level what the nature of the cited threat is: Given that it's used to override community consensus, it seems like a good idea to be as transparent as possible – and I don't believe legal's statement meets that standard. Thanks and best, Blablubbs (talk) 23:14, 13 December 2020 (UTC)[reply]
Blablubbs: Just wanted to acknowledge that I've read this and that I'm passing it on to the Legal department. /Johan (WMF) (talk) 23:37, 13 December 2020 (UTC)[reply]
@Johan (WMF): Thank you for passing that on. I'm going to also somewhat tactlessly ask: did Legal change their minds between their initial discussions and more recently with you/your team about it being a necessity, or did they just insufficiently make it clear it was a necessity (perhaps because they felt that if it was going to be introduced, stating it as a legal requirement seemed unneeded to them)? Nosebagbear (talk) 16:23, 14 December 2020 (UTC)[reply]
To be honest, I think this is a question more about the difference in how you understand a legal position if you're a lawyer or a non-lawyer, though of course a lot of things have happened in a year and things keep changing. Legal is working even closer with us now. /Johan (WMF) (talk) 17:07, 22 December 2020 (UTC)[reply]
Regarding ranges: this seems like a privacy issue. This would make it quite trivial to determine what country someone lives in, for example, and depending on the CIDR sizes permitted you could even get an ISP. Whilst you might not think this is the biggest deal, currently if someone has a registered account it's not possible for anyone to know that, and the same applies on any site with registration, so this is a fair change in the norm.
Regarding NDAs: a lot of active editors are not comfortable with doing so. Indeed, only a fraction of users are functionaries or have access to non-public information. I think requiring editors enter into legal agreements to continue doing the work they're doing is not a good outcome. ProcrastinatingReader (talk) 22:26, 30 December 2020 (UTC)[reply]
Thanks for the feedback, ProcrastinatingReader. Just wanted to acknowledge we're reading and taking into account. /Johan (WMF) (talk) 22:41, 6 January 2021 (UTC)[reply]
@Johan (WMF): - just a reminder that Legal have yet to respond to the questions posed by @Blablubbs: and myself. I wouldn't have thought these questions were particularly onerous or complex to draft responses for, so I trust we can look forward to a full reply from Legal shortly? Best, Darren-M (talk) 21:51, 20 January 2021 (UTC)[reply]
Ping acknowledged. /Johan (WMF) (talk) 05:01, 26 January 2021 (UTC)[reply]
@Johan (WMF), I know it isn't your call if and when legal responds, but it's been another month and if we're not going to get a reply, I'd appreciate it if we could just get a statement that says so outright – though, as outlined above, I'm still not entirely clear why it isn't possible to make a statement that is at least marginally less vague. Best, Blablubbs (talk) 15:17, 21 February 2021 (UTC)[reply]
Blablubbs: Noted, and I'll pass it along. I can assure you that they read this page, so anything being pointed out here is seen, not just by me. /Johan (WMF) (talk) 11:52, 22 February 2021 (UTC)[reply]
Pinging both anyone from Legal watching and @Johan (WMF):, who has the misfortune of being significantly more visible and takes flak for (in)actions outside his control. I'd like to echo Blablubbs' point (another) 3 weeks on - if Legal aren't going to reply to queries and concerns about their opening statement then they need to actually say so openly.
In a distinct point, because I don't want to ping Johan three times in 4 minutes, I'd just like to push ProcrastinatingReader's comment that NDA signing is likely to cause major issues due both to reticence but also to effort. The whole reasoning for retaining IP masking rather than mandatory accounts is because of barrier to entry, but there are barriers to entry to lots of tasks, not just joining wikipedia. People might sign to avoid disrupting their task flow that's already active, but why would anyone new go into handling IP-heavy CVU if the barriers get high. The trade-off needs to be considering not just who we might lose immediately, but who we might fail to recruit into that backend work going forwards Nosebagbear (talk) 11:16, 8 March 2021 (UTC)[reply]
I do work on this project, so it's completely natural and fine to let me know any and all issues and concerns! Passing this on, too. /Johan (WMF) (talk) 12:08, 8 March 2021 (UTC)[reply]
What is "CVU"? kyykaarme (talk) 05:51, 10 March 2021 (UTC)[reply]
@Kyykaarme: Counter-vandalism unit, en.wiki's wikiproject on counter-vandalism, but also used as a bit of a catch-all term for all the different counter-vandalism activities and individuals even if they aren't technically part of the project Nosebagbear (talk) 10:59, 23 March 2021 (UTC)[reply]
Well, another 3 weeks later, we're more than 3 months in and at this point I think it's pretty clear I won't be getting a reply or even an acknowledgement that I won't get one. I don't think my specific questions urgently need an answer (though I do still think they're relevant), and I know everyone involved has the best of intentions, but I do think this is a great example for the chronic communication and community relations issue the WMF has as an institution: If you're going to try your hand at playing government and unilaterally impose a vision on the community (who you're supposed to be working for and not against) against its explicit wishes, you're also going to have to acknowledge what makes governance work: Responsiveness, responsibility and accountability. And I'm really not seeing a lot of that, here or elsewhere. Blablubbs (talk) 13:13, 1 April 2021 (UTC)[reply]
Whilst I do personally think some form of IP masking is a good idea and support this change, I agree the communication is lacklustre. At the same time, the FAQ says there's no rocket on this plan and this isn't a "proposal" yet, so possibly WMF resources are stretched between the board stuff and the UCOC and whatever else is going on currently. ProcrastinatingReader (talk) 14:24, 3 April 2021 (UTC)[reply]

Public-interest location info

Here is an example of where knowing at least the city had value to more than just direct vandal-fighting, it was used in wider discussion of improper influence. w:en:Wikipedia:Wikipedia Signpost/2020-12-28/Opinion "How to make your factory's safety and labor issues disappear" Mqsobhan was not gone for good. On December 3, an anonymous editor with an IP address from Dhaka, Bangladesh deleted most of the article, but was immediately reverted. If IP addresses are no longer openly published, rough location be? Pelagic from Sydney (talk) 01:39, 12 January 2021 (UTC)[reply]

Just wanted to acknowledge that this has been seen and is not ignored. /Johan (WMF) (talk) 12:02, 10 March 2021 (UTC)[reply]

Anti-abuse tools

Once the WMF implements IP masking, our efforts to block VPNs and open proxies (en:WP:WPOP) will be effectively dead. I think it does not matter how many users get the new user rights, we will not be able to cope. Does the WMF plan to implement any new anti-abuse tools?

I would like to make a concrete proposal: the WMF could license the spur.us feed, which includes most IPs associated with VPNs and open proxies and actively block all of them globally. It is not a solution to every problem, but proxy blocking would be handled even more efficiently than today. Also, the cost of licensing such a database is peanuts for the WMF, and I think it makes sense to do it in-house.

I mention spur.us because it is currently giving us very good results on enwiki, but there may be other options. Best, --MarioGom (talk) 23:15, 9 March 2021 (UTC)[reply]

Thanks for the feedback! We'll investigate. /Johan (WMF) (talk) 12:01, 10 March 2021 (UTC)[reply]

Pending queries

Hi Johan,

Sort of a mixed bag here, since it includes questions from at least three sections that are now somewhat buried by other comments.

1) Do you have any thoughts on the issue that to get close to current standards is going to require a very broad "most-IP info" and broad "all IP-info" sharing, which is presumably not desired by Legal, and couldn't happen if NDAs were required for full IP-info? (That's two distinct issues I realise)

2) I'm going to assume Legal haven't got back to you with regard to Blablubbs' questions. Could it be added to something like the next set of Wikimedia Clinic hours as a topic (where I believe there's a Legal rep)?

3) On the userright discussion, which has somewhat petered out, I'm going to copy one comment I made in regard to your correct statement that tying it to admin may be tricky due to the different standards. "this is at least a good discussion benchmark. I thank you for your bottom half - I was absolutely going to step in and make a point that it should be lower, but of course you are right as regards variable levels for adminship. Hmm. I will have to have a think, please excuse the whirring hamster noises. I realise it continues the userright proliferation, but would it make sense to actually have two userrights (akin to edit filter helper and edit filter manager), the lower (partial vision) of which would be the "given to all admins", but would also be given to others under one criteria set - while the other (full vision) would be under a higher set [which might be all admins plus others on some projects, but only a subset of admins on others]". It was just a discussion starter, but would be good to consider it, and several other proposals made in the thread, in more detail. Nosebagbear (talk) 11:08, 23 March 2021 (UTC)[reply]

Nosebagbear: Good questions, which I think we should address as a team rather than me alone, so I'm going to bring this up internally rather than replying to it right now. Responding here just to acknowledge that it has been seen and is not ignored. /Johan (WMF) (talk) 17:48, 23 March 2021 (UTC)[reply]
Nosebagbear: I just had a conversation with NKohli (WMF), and issues 1) and 3) sort of need to be solved together, in a way. We'll put something together so there's something tangible to talk about, and then we can spread the word more broadly. /Johan (WMF) (talk) 17:49, 25 March 2021 (UTC)[reply]
An update on this: We're in meetings, but it's work across several teams in different parts of the organisation, and we have to make sure that everything is technically and legally realistic. Sorry this is taking so long: we really don't want to show you what we have in mind, have everyone think about it, leave feedback, come up with plans and so on, and then come back and tell you that, no, sorry, apparently this didn't work, let's start over. /Johan (WMF) (talk) 15:52, 14 April 2021 (UTC)[reply]

dissenting voice from the outside

I see references to previous discussions on Meta and a current request for feedback on Wikidata, but nothing yet on the Wikipedias, by far the biggest communities being affected by this.

And then I read a line like:

"Please understand that sometimes, as lawyers, we can’t publicly share all of the details of our thinking; but we read your comments and perspectives, and they’re very helpful for us in advising the Foundation."

Which is frankly speaking legalese bullshit, suggesting again a rather intransparent process (from the community's perspective) and it is again a recipe to piss off large parts of Wikipedia communities.--Kmhkmh (talk) 03:59, 11 May 2021 (UTC)[reply]

Yes. The legal team is correct in saying that this must happen, but they need to stop making incorrect statements like, "as lawyers, we can’t publicly share all of the details of our thinking". What they should be saying is, "We don't want to share all of the details of our thinking because it would damage the WMF", which is correct. --Gnom (talk) 09:48, 11 May 2021 (UTC)[reply]
I agree with your statement with regard to "can't" and "don't want to".
However at least at first glance I disagree with the rest.
Why exactly is it correct that it must (rather should) be done? Which law is requiring that? And if so why did it take the legal team 20 years to figure that out? Which laws have been ignored for 20 years or have changed in the meantime?
The damage to WMF or WP is impossible to assess without knowing the exact reasoning and what type of damage is to be considered here. As far as the often difficult and contentious relationship with the community is concerned, I'd probably argue that repeated intransparency and potentially not clearly/openly stated (aka hidden) agendas are doing the most damage.--Kmhkmh (talk) 10:48, 11 May 2021 (UTC)[reply]
I am a lawyer specialising in data protection laws, and I have been asking myself about the lack of privacy compliance at Wikipedia for a number of years. From my own professional experience, I am confident that this can be implemented in a way that protects logged-out users and at the same time does not hinder our anti-vandalism efforts. Happy to talk about this in more detail. --Gnom (talk) 11:20, 11 May 2021 (UTC)[reply]
I have no issue with hiding IP (in particular since IP6) assuming it is done right and support it. My issue is with the process, information policy and intransparency of arguments surrounding this feature.--Kmhkmh (talk) 15:51, 12 May 2021 (UTC)[reply]
Kmhkmh: Just to explain how we've reasoned around where to start conversations, this page on Meta has been our main conversation (and we've flagged it in various ways, including on a lot of Wikipedias), but in order to make sure we hear from various communities (e.g. not just Wikipedias, not just in English and so on), we've started conversations on various wikis to get different local perspectives. A number of those have been Wikipedias. You can find the links to (and summaries of) the conversations on French, Chinese, Swedish and Arabic Wikipedia here. I wrote a piece for the Signpost in English at w:en:Wikipedia:Wikipedia_Signpost/2020-11-01/Op-Ed with conversation below. This is of course not exhaustive. We will have something tangible to present in how we plan to give access to IPs for people who need them soon, at which point we hope to invite more people who haven't seen this yet to comment. /Johan (WMF) (talk) 20:33, 28 May 2021 (UTC)[reply]

Quite frankly I don't see the point of this initiative. Seemingly it has already been decided that action needs to be taken while we still haven't read about one single valid reason to even consider it.

I'm very happy with the status quo of users who can either log in, contribute via IP or abstain from editing. In Germany we have some very nice twitter-bots alerting us about edits from IP-nets owned by various federal authorities and that is a watchdog-function I'd dearly miss, and that's just one minor example. --Eloquenzministerium (talk) 22:46, 16 May 2021 (UTC)[reply]

The point is that this is something we have to do as norms and regulations around internet privacy have changed quite a lot in the last twenty years. See Gnom's comments above, too. I do realise the statement at IP Editing: Privacy Enhancement and Abuse Mitigation#Statement from the Wikimedia Foundation Legal department has very little actual content at the moment.
The conversations have been important to guide the technical development, not to form a yes/no decision – legal decisions have never been a matter of community consensus. In order to not cause significant harm, we need to a) be careful about how we do masking and b) make sure that people who need access to IPs for vandal fighting still have that, even if we hide them from the rest of the world. We're not going to just take the situation as it is today and then remove visible IPs and do nothing else to balance that, which I think is how a lot of editors visualise this change. We'll be presenting our ideas (based on previous conversations here) on what to hide and from whom within a few weeks. These conversations have been core in guiding our work. /Johan (WMF) (talk) 20:33, 28 May 2021 (UTC)[reply]
@Johan (WMF): I actually agree with hiding IPs (assuming it is done right) and probably agree that this is not suited for a yes/no by the community and that the WMF has to push it independent of that for legal reasons. However imho if the latter is the case the WMF needs to communicate those legal reasons clearly and transparently, pseudo explanations like the one I quoted at the beginning of this section should be a no-go and vague references to privacy and changed laws are not enough. Note this is not just about a lack of content with regard to implementation specifics, but this is about intransparency and a lack of content with regard to the legal reasoning, that is which laws and changes in law in what countries force the WMF legally to hide the IPs. Or is the whole thing more a voluntary service to protect the privacy of anonymous contributors (which can be seen as a good thing on its own)? All of this is rather unclear to me at the moment (and I suspect for the communities at large) and that is my issue with the process. The legal argument/requirements (and what they are based on) should be communicated openly from the start.--Kmhkmh (talk) 07:02, 29 May 2021 (UTC)[reply]
@Kmhkmh: Given that they have failed, for now closing in on 3 months, to even provide the "meta" reasons for not providing their reasons, I doubt Legal are going to give us anything approaching answers any time soon. Given this timeline, it's gone beyond the traditional slow legal turnaround time and Covid-19 and entered culpable rudeness. Something that would actually be viewed as bitey on most projects.
@Johan (WMF):, in terms of a discussion that doesn't involve Legal *directly* (but may), you said you were going to talk to your team a while back about the point I raised that while proximate info will be enough for some, the numbers needing full details was going to be fairly large (on en-wiki, much larger than the admin corps, for example) and the number needing some of that info even larger, have you had any further thoughts on that?
Finally, in the most recent update on interim IP-masking steps, there have been various questions and concerns raised by a couple with far more SPI/proxy knowledge than I, could we (they) get answers to that as soon as, please? Nosebagbear (talk) 22:35, 29 May 2021 (UTC)[reply]
Yes, we are working on getting all the last details down for how we envision this and the process and the requirements; we should get that here in a couple of weeks. Regarding the proxy questions, they are important; unfortunately, this is something we haven't had time to look into yet, partly because the team had to urgently work on SecurePoll to make sure the board elections can finally take place. I have hope Legal will be able to comment soon, too, although not as soon as we can present ideas on who and how will have access. /Johan (WMF) (talk) 02:43, 31 May 2021 (UTC)[reply]

Heads up: Massive update to the IP Info subpage in March 2021

Seems like interesting information regarding progress of development/policy drafting is available there. --Count Count (talk) 13:56, 17 May 2021 (UTC)[reply]

Jeez, that would have been good to have posted here at the time. Thanks for raising it, Count. Nosebagbear (talk) 00:45, 19 May 2021 (UTC)[reply]

Update: How masking could work

Hey folks, a pretty important update: IP Editing: Privacy Enhancement and Abuse Mitigation#Updates ("10 June 2021") now has a section on how the actual masking and unmasking could work. We look forward to your comments.

I'll include this in Tech News soon, and from there we'll add more channels to let people know it exists. /Johan (WMF) (talk) 10:06, 10 June 2021 (UTC)[reply]

The major comment I have about this is that the threshold for partial access/the threshold for granting the user right seems really weird. 1y/500 is a massive mismatch between time and edits (500 edits within a month is entirely reasonable, and within 2 to 3 basically every active editor will have reached it). I think having something like 90d/500 for partial access, and 6m/1000 for the new userrights seems like more logical thresholds.
Then a few questions: A) how will logging/access be implemented exactly? Will users with the new user right for full access have the same preference opt in as others? If this opt is toggled, does the editor then automatically see the IP address, or will it require some kind of button click per time/IP Address you see? Will the log log every time an editor sees a full IP address? Asartea Talk (Enwiki Talk (preferred)) 13:33, 10 June 2021 (UTC)[reply]
Thank you for your feedback, Asartea! This is not to dig in and try to defend the current thresholds, which are definitely open for discussion, but just to explain the reasoning behind them: we've tried to make it difficult to create new accounts for the purpose of accessing IPs, but not put them so high that we'd take the IP as a tool away from people who use them today. This way, you can't make 500 edits by say digging into categorisation (which you can easily do in a day) and just wait a couple of months.
As for your questions, this is not yet entirely decided. NKohli (WMF), when you're back, do you have any technical comments here? /Johan (WMF) (talk) 17:25, 10 June 2021 (UTC)[reply]
Asartea's thresholds sound reasonable to me, if they're going to be global standards. Johan, we certainly have people who work in the field before a year. To give a human example who is active on this discussion, @Blablubbs: while they created their account in 2014, actually started editing exactly a year ago (so imagine an example if they had registered then). They became a full SPI clerk before that year was up, something I assume you're aware that en-wiki doesn't hand out lightly. I think the Community could accept higher standards on the editing side - which might involve good edit counts in different namespaces if you want to go complex, in return for reducing the time. Nosebagbear (talk) 18:29, 10 June 2021 (UTC)[reply]
This plan seems reasonable to me. The lower edit count requirement will be good for projects with 'less to do' than enwiki. Presumably the access will be global, i.e. having 500 edits on any wiki should allow access to info on all wikis. A broad interpretation of "community process" to grant access seems advisable, for example for enwiki it would be better if this is just a request at WP:PERM left open for a few days and allowing comments, rather than having it be an RfA-like process and requiring the input of ~100-200 editors. ProcrastinatingReader (talk) 16:05, 10 June 2021 (UTC)[reply]
I think we envisioned the default as being per wiki, sort of like how almost all other user rights are also assigned per wiki, but with awareness that there needs to be global access for people active in cross-wiki vandalism. /Johan (WMF) (talk) 17:25, 10 June 2021 (UTC)[reply]
I concur with ProcrastinatingReader, the overall solution sounds reasonable to me, but thresholds should probably be defined per wiki. --Vituzzu (talk) 17:40, 10 June 2021 (UTC)[reply]
So how will people with full access be able to discuss and report IPs to each other? Will there be a private namespace that is invisible to people without IP access for things like anti-vandalism? Is it fair to accuse people in places they can't see? Kusma (talk) 18:13, 10 June 2021 (UTC)[reply]
And evidence also needs to be provided to the person on their user talk page if they're blocked, otherwise it becomes impossible for them to appeal in an informed fashion, and, as appealing is so tough, they will often need to see it before being blocked. Nosebagbear (talk) 18:23, 10 June 2021 (UTC)[reply]
Is the full IP address information still ephemeral? That would be a deal breaker. MER-C (talk) 18:15, 10 June 2021 (UTC)[reply]

Regardless of masking we still need to be able to block IPs and have it stick

I don't particularly care who is editing through Tor exit nodes and the like but they still need blocking. This is the case even if we outright ban IP editing. Indeed since we will no longer get the hint that there is a bunch of vandalism coming from some random IP the foundation may need to look into providing proxy tracking services. Geni (talk) 15:16, 10 June 2021 (UTC)[reply]

This is on our to-do list! We have a couple of things we're looking into here. /Johan (WMF) (talk) 17:25, 10 June 2021 (UTC)[reply]

"IP address access will be logged so that due scrutiny can be performed if and when needed"

Does this mean even users who have the ability to view full IP addresses will be forced to unmask every IP separately, by doing some action on every masked IP on a page's history? Does this mean all these users, when they open page history, will not see all IPs, like now? It's a catastrophe for many in-wiki activities, not even anti-vandalism. MBH (talk) 17:44, 10 June 2021 (UTC)[reply]

I imagine that every unmasking would have to be logged, or otherwise it would be easy to create a public website that contains all the masks. Kusma (talk) 18:17, 10 June 2021 (UTC)[reply]
I'm going to double down on MBH's comment - I had some issues when I saw that. Even if it's just "click/hover" it's going to significantly slow the speed of just looking at a full view history log. It would make it non-workable - this has to be done without any functionality loss and this would be a significant loss. Nosebagbear (talk) 18:20, 10 June 2021 (UTC)[reply]

Suggestion by 'Uses x'

First I want to say that the general idea is very good and this change needs to be done, but as always with these discussions I'm going to have to focus on the negatives (what could be improved).

Exemption

First, if the consensus ends up being to implement this, the absolute minimum that needs to be done for privacy is that users with any kind of added permission (administrator, IP-block-exempt, pending changes reviewer, etc) should be automatically exempt from all kinds of IP lookups except by checkusers.

Users with these permissions have a track record of good edits, requiring a minimum of 500 edits (in practice 1000+), as well as vetting by the awarding admin (talk page checks, checks on their contributions to date, etc). These editors are more likely to be involved in wikipolitics as well as being more likely to edit controversial areas, so allowing their city and country to be looked up (which can be done with the first 3 groups in an IP address) by literally anyone with 500+ edits would just be a blatant violation of privacy and would drive these editors away from contributing. I know I wouldn't edit anymore.

If the person decides to put in those tens of hours to make a few vandalism edits in the future, at a minimum they deserve the time of a checkuser who can see and understand what's going on before making sockpuppetry accusations.

Notification

Additionally:

1. a notice should be sent to the user when their IP is looked up

2. a reason must be given for the lookup (e.g. just a text box near the button to access the IP)

3. a log on the lookup should be made (possibly accessible by admins only as they can enforce against abuse)

Every major service, whether it's run by Microsoft, Google, etc, notifies users of when government requests are made (so more weight than some editor's hunch) unless they "are legally prohibited from doing so", so it's only right to inform users that someone has been given access to their city, country, and could possibly track when they have their computer on (set up a ping request against your own IP and you'll see this can be done - as long as the ping works your computer is on). With the current system, notification of a checkuser investigation serves this role of notification. This would:

1. discourage people from wandering around Wikipedia looking up everyone's IPs out of curiosity (or worse)

2. it means a user who is being harassed can appeal and take steps to protect their privacy

3. it makes this an absolute last resort.

Access

"All users with accounts over a year old and at least 500 edits will be able to access partially unmasked IPs without permission" ... "This will be accessible via a preference where they agree not to share it with others who don't have access to this information". Nonsense. Only administrators should be able to grant this permission to ensure the person has a track record of good edits, can understand the importance of respecting privacy, and actually gets involved in anti-vandalism. On the request page for this permission they can state they understand not to share this information, making a permanent and publicly accessible record. If anyone has concerns about that specific user getting the permission that also gives them the opportunity to state their reasoning for the awarding admin. Uses x (talk) 18:51, 10 June 2021 (UTC)[reply]

10 June 2021 update and its impact on enwiki's Sockpuppet Investigation (SPI) process

The SPI process now is carried on in publicly readable pages where incident reporters, SPI clerks, and checkusers all communicate with each other. It's one thing to say that appropriately privileged users will have access to the full IP addresses, but if we must agree not to disclose this information publicly, the entire SPI process will be unable to function. RoySmith (talk) 20:02, 10 June 2021 (UTC)[reply]