Jump to content

Talk:IP Editing: Privacy Enhancement and Abuse Mitigation/Archives/2023-05

From Meta, a Wikimedia project coordination wiki

Change in the eyes of not-so-tech users

I've been an admin for quite some years now and I still dislike dealing with IPs in general. IP-range actions are clunky and include multiple innocents and conversation with IPs is even clunkier because you can't tag/notify them and the talkpages are shared with multiple random users which create confusion from both sides. IP masking looks like it adds another thin layer of complexity to this infrastructure but at least it adds the ability to tag/notify users. This may solve the IP privacy problem - which is what we're trying to address here - but the whole infrastructure still looks rather complex for not-so-tech users. "You have some edits attributed to some long strings of numbers (old IP edits), some edits attributed to short strings of numbers (new temporary masks), some pseudonyms, some names including the word "bot" in them and some what look like real life full names." It must be understood that many people still struggle to understand how bot usertalkpages work. (Many people don't even understand that Wikipedia hasn't got an editing staff for that matter.) We have only 1 kind of user(talk)page for all these cases. Communication in IP/IP-ranges/Temporary accounts is such a peculiar thing on its own: We are literally sending bottle-messages in the internet ocean and hoping that they get picked by that one person we randomly exchanged glances 2 days ago.

Keeping all that in mind, I'd wish for at least that whatever gets implemented it is accompanied with an UI that makes it easy to make sense of what's going on. Just adding plainly ?1234/Show IP into the mix, without any specific text formatting of any kind or tooltips just makes everything appear even more "Greek" to non-geek users.

So, to recap: I'd personally wish for a more adapted user(talk)page infrastructure that addresses my concerns above and makes it easier for non-tech savvy users to understand what is going on, communicate well and utilize the information at pages such as user contributions or page histories better. Considering that to be too a too gigantic change on its own (and mostly related to the Growth initiative than what this project is trying to address per se) I'd just wish that at least some steps are taken so that IP masking on its own doesn't contribute even more to such confusion. We should be aware that the new methodology will allow for a more dynamical system than the old IP way because more people in the internet world know how to clear cookies than they knew how to reset a dynamic IP. The way the text addressed the prefixes being chosen in IP Editing: Privacy Enhancement and Abuse Mitigation#What will temporary usernames look like? section scared me a bit as it made me think that this whole (important!) thing would be introduced by just adding a random character in front of the name (numbers) and be done with it. As mentioned, many users have no idea what is going on and who is writing Wikipedia currently and they would have even less idea if this happened. (Not to mention that real non-temporary accounts already exist with such symbols in front to make things even worse in that direction.)

For whatever is worth, I'd go on with the caret suggestion as it looks less likely to be confused with "normal speech" symbols and is less confusing than introducing longer number strings such as the year alternative. - Klein Muçi (talk) 05:10, 9 May 2023 (UTC)

I've become aware that in the practical sense we wouldn't have some edits attributed to some long strings of numbers (old IP edits), some edits attributed to short strings of numbers (new temporary masks) more than we'd have some edits attributed to some long strings of numbers (old IP edits), some edits attributed to other types of long strings of numbers (new temporary masks) because differently from what the current mockups may make you believe, the numbers would incorporate more than 5 ciphers in most practical scenarios. In this case, from non-tech-savvy eyes the change may be rather unnoticeable because we'd just switch one long string of numbers with another long string of numbers starting with a special symbol. This lowers a bit the level of concern I've talked about above. — Klein Muçi (talk) 06:01, 9 May 2023 (UTC)
I don’t think Communication in […] Temporary accounts is such a peculiar thing on its own: We are literally sending bottle-messages in the internet ocean is true, this is actually one thing temporary accounts will improve: while people can indeed easily delete cookies if they want to get a new identity, it’s less likely that they get a new identity in two days unintentionally. And unintentional new identities are much more important from a communication point of view – if one gets a new identity intentionally, they could just as well ignore messages sent to them intentionally. —Tacsipacsi (talk) 19:41, 10 May 2023 (UTC)
Tacsipacsi, you are right. Somehow I had created the impression that once the browser was closed the connection with the temporary account would be reset, completely forgetting the cookie's aim. That solves most of my supposed problems I believe. — Klein Muçi (talk) 00:59, 11 May 2023 (UTC)
Some web browsers are set to clear cookies when they're closed. This makes sense for shared computers in a school or library. But most people don't have their web browsers set that way. Whatamidoing (WMF) (talk) 03:20, 13 May 2023 (UTC)

Some comments about patrolling and IP information

There are some my patrolling experience with ip's editing which need IP info: If an article is associated with a specific region, and the IP address information shows that it corresponds to this region, and if is's edit is negative or obviously a vandalism, I can consider undo it directly, and know that the users in that place are trying to vandaling the article (may be to defend a specific point of view, or ridicule the characters, etc); If the IP address information does not belong to that place, or after I undo the edit, there will be a new IP address to repeat the edit soon, it may be necessary to determine the IP region or ISP information, and this could be specific to using proxies in different regions (where obviously no one will edit that article), or the two addresses belong to different subnets of the same ISP, or the ISP is a data center or hosting provider which is obviously used as a proxy.

Based on the above, for some non-administrator group like patrol, sometimes, detailed IP information is useful. I noticed that the permission to "Access a full view of the IP information" seems to be only intended for a limited group. Does this mean that this permission is no longer assigned to other groups, such as patrol? Should IP Masking a veil for anonymous users, but still transparent for patrollors?

On the other hand, the relationship between temporary usernames and IP addresses seems to be an M-N relationship, and there may be two situations:

  • The temporary username is switched between multiple IP addresses, which may be using a proxy to jump to different regions, or just different subnets under the same ISP. At least he doesn't know that cookies can be cleared to replace a new temporary username.
  • There are multiple temporary usernames under the same IP. It means that this address may be an exit of a NAT device, or a vandal has emptied cookies to try to forge many natural person users.

Based on the above two cases, is there some new tools or user interface to query these cases?

Although the foundation tries to introduce some third-party services to identify possible proxies, I don't think these measures are comprehensive. Intuition and past experience based on original and detailed IP information are useful tools for patrollors. Read it. --Cwek (talk) 07:55, 9 May 2023 (UTC)

@Cwek, most patrollers will be able to get the IP addresses at their home wiki. For example, unless these wikis choose more stringent requirements, you will be able to see full IP addresses at zhwiki, Wikidata, Commons, Meta-Wiki, and MediaWiki.org. At other wikis, you should be able to see the country that the temporary editor geolocates to.
In the first situation (one name + many IP addresses), I believe that the normal, everyday tools should work. A username-based block will block the temporary editor, and the IP addresses can be revealed so that an admin can calculate a range block.
In the second situation, the AHT team has been talking about a new tool, or improvements to existing tools, to deal with this. I believe (but I might be wrong, and it's early days, so it might change) that the CheckUser tools will be able to find all the usernames using an IP address (just like it works for registered editors like you and me), and they might try to build a tool that will help authorized non-CheckUsers find related accounts (e.g., all the students editing from the same school). But I have heard no firm promises about this. Whatamidoing (WMF) (talk) 03:34, 13 May 2023 (UTC)

Tools that use IPs

I am working in a tool that will show all contributions in a IP range, that would help administrators and stewards to take decisions about range blocks and also to investigate if an specific IP is in a range frequently used for vandalism. Now what should I do? Should I give up that idea or make that tool available only for administrators and stewards? Will IPs continue to be seen in the xxwiki_p.actor.actor_name column in the db replicas? I also have other ideas for IPs analysis, but with this restriction maybe I will have to abandon them. Danilo.mac talk 16:10, 9 May 2023 (UTC)

@Danilo.mac, I think we need to talk to the Wikimedia Foundation Legal department about this project. I'm sure that @MMoss (WMF) will be interested in hearing more about what is (and isn't) shown in your tool. Do you have a page that describes it? Or can you post more details here? As an example, I understand that there is a difference between saying "User:Example and User:Exemplo both use the same IP address" vs saying "User:Example and User:Exemplo both use the IP address 127.0.0.1".
I don't know the answer to your question about the xxwiki_p.actor.actor_name column in the db replicas. I'm not even sure if they've decided that yet. I'll pass your question along, and if the answer is known, someone will probably post it here. Whatamidoing (WMF) (talk) 03:40, 13 May 2023 (UTC)
@Whatamidoing (WMF) and MMoss (WMF): The tool is still in initial development, it is a natural language query tool that will show different types of data, one of the data I was planning to show is the IP range contributions. The idea is that when you query something like "123.456.789.0/24 contributions" the tool would list something like "123.456.789.004 -> 10 edits in eswiki; 123.456.789.147 -> 56 edits in enwiki, 4 in commons; etc..." with links to the IPs contributions pages in each wiki. There is no way to link the IPs to accounts, that info is restricted to checkusers and people that have access to private data, the great majority of tools don't have that access, my plan is only create an easy way to search and organize public data. Danilo.mac talk 16:42, 13 May 2023 (UTC)
Just to be sure it is clear, when I say "IPs contributions" I am talking about anonymous contributions. "IP" and anonymous user are treated as synonymous for the majority of volunteers. Danilo.mac talk 17:03, 13 May 2023 (UTC)
You might be interested in the new mw:User account types page, which compares the three types.
Will the "10 edits in eswiki" link to those edits? I could see a non-linking tool being useful to admins even if it didn't associate the IP address with any usernames (temporary or registered). I am imagining an admin wondering "If I block this /22, which is about a thousand IP addresses, how many edits would this interfere with?" Whatamidoing (WMF) (talk) 03:03, 16 May 2023 (UTC)
If the tool was working today, that would link to "[[:es:Special:Contributions/123.456.789.4|10 edits in eswiki]]", but with the IP mask enabled it won't be possible to link to any edit. And yeah, that is the idea, to help admins see the impact of their IP range blocks. Danilo.mac talk 15:24, 16 May 2023 (UTC)
BTW, it sounds like the IP addresses won't be in the actor_name column. They'll be stored the same way (or very similar?) that the IP addresses are stored for logged-in editors like you and me. But hopefully someone with a stronger grasp of the details will be along with the information you need. Whatamidoing (WMF) (talk) 05:07, 16 May 2023 (UTC)
@Danilo.mac The purpose of the IP Masking project is to remove IPs from public access, which will include the IPs currently stored in actor_name. In the future, all IPs will be handled by the CheckUser extension, which will store IPs for registered users and temp users for up to 90 days. Access to CheckUser and its data is currently only be available to users with specific user rights. This is the latest ticket we have referencing this change, but you can find other tickets and discussions under the main MVP epic, especially under the "Update features" epic where you can see more details about these changes. Please, feel free to add comments or tasks on those epics and subtasks, and I'm also happy to answer here any questions you might have about these changes. JCNunez (WMF) (talk) 10:33, 16 May 2023 (UTC)
Thanks both for the information. Without access to the IPs the tool can not work as I was planning. Maybe I can make the tool work for a short period of time before the IP mask be enabled. If possible, it would be great if an "anonymous IPs dump" would be created for each wiki, with all IPs that edited the wiki logged-out and the total edits for each IP, that would allow my tool to continue to work without link the IPs to the edits they made. Danilo.mac talk 15:24, 16 May 2023 (UTC)

Vandals/sockpuppets

As of right now, I largely disagree with this proposal. I think it's going to make it much easier for persistent vandals and sockpuppets of banned/blocked users to cause disruption by constantly creating new temporary accounts by clearing cookies or using Incognito. Not to mention that it would make it harder for people to file sockpuppet investigations for IP socks of banned users as geographical evidence is often used for determining if a given IP is a sock or not. And, if the number of new temporary accounts sharply increase, this can also potentially increase backlogs in sockpuppet investigations.

Given these concerns I have, are there any ways as of now to address them? Again, I just don't want vandalism to increase any more on Wikipedia as a Recent Changes Patroller myself. -- Shadow of the Starlit Sky (talk) 13:14, 1 May 2023 (UTC)

Welcome, @Shadow of the Starlit Sky. I see you've been editing for almost two months now. I'm really happy to hear from you, because it's unusual for a new user to find out about "back end" projects like this. If you don't mind, please tell me how you found out about this, so I can make sure that it gets updates in the future. I'd love to hear from more people like you.
On to the main point: Under the legal policy, you wouldn't have full access to other people's IP addresses for another four months. (And it will be more than four months before this is seen at any wiki, so you should expect to have access to IP addresses, unless the English Wikipedia decides to set a higher limit.) However, even without that access, you would be able to use tools that provide the name of the country that a logged-out user was editing from.
I'd also be interested in hearing about the tools and methods you are currently using, if you want to tell me more about how you contribute. Whatamidoing (WMF) (talk) 00:57, 2 May 2023 (UTC)
@Whatamidoing (WMF) I'm pretty sure I found this "IP masking" thing after seeing it first in a Meta page then getting curious on what exactly it might mean. And furthermore, I actually know a lot of the "back end" Wikimedia stuff as I have been a longtime lurker (~6 months) before creating an account and actively editing. Actually, I found out about all of this back end stuff in the first place after being curious as to why Wikipedia isn't breaking down if "anyone could edit it", which led me in a rabbit hole where I looked over old SPI's, LTA cases and ANI archives. At that time, it was very much fascinating indeed to see these places on Wikipedia as I had never thought about the "back end" of Wikipedia before.
As of right now, most of my counter vandalism work is done by using Twinkle and RedWarn (mostly the latter). As for catching block evasion/sockpuppets, I usually try to compare the behavioral evidence between the different accounts first then report to SPI and/or AIV as needed. If said socks appear to be IP's, I usually geolocate the IPs to see if they locate to the same place and run a proxy check on them to obtain further information on whether socking/proxying was occuring or not. Shadow of the Starlit Sky (talk) 02:52, 2 May 2023 (UTC)
Thanks.
I'm not sure whether this will affect RedWarn/Ultraviolet, but User:Asartea, User:Prompt0259, or User:Chlod may have a clearer idea, and they'll want to know about this even if it doesn't require any updates. User:SD0001 and User:Novem Linguae know how to coordinate things with the Twinkle crew. (Quick reminder: This is at least five months away. Don't panic today. But do please get this on your calendar.) Whatamidoing (WMF) (talk) 03:48, 2 May 2023 (UTC)
Petrb probably wants to know about this for Huggle, too. Whatamidoing (WMF) (talk) 05:23, 20 May 2023 (UTC)
Thanks for the ping, @Whatamidoing (WMF)! For reference, our plans on integrating IP masking can be found on phab:T335084. It's not fully fleshed out yet, but that's mostly because we're waiting on other documentation and planning to mature first, lest we get ahead of ourselves and have to refactor existing code.
@Shadow of the Starlit Sky: The team behind Ultraviolet is definitely going to add support for IP masking when it eventually rolls around. From what I can read here, the workflow affected is mostly outside what we can do as tool developers. I'm still unsure of the specifics of the "name of the country that a logged-out user was editing from" feature/tool that Whatamidoing mentioned, but speaking as a counter-vandalism editor, this seems to be enough for the work you plan to do on the English Wikipedia. At least on enwiki, blocking IPs is not only based on geographical evidence but also behavioral patterns, as you mentioned. We'll be sure to gather feedback from editors to gauge how well future changes to UV perform once IP masking is enabled. Chlod (say hi!) 04:10, 2 May 2023 (UTC)
It looks like the "IP info" feature/tool is the last item on the page in Special:GlobalPreferences#mw-prefsection-betafeatures, if you'd like to try it out. I understand that the geolocation is better outside of Asia, but that it's not bad, and often sufficient for routine purposes. There is more information in IP Editing: Privacy Enhancement and Abuse Mitigation/IP Info feature. Whatamidoing (WMF) (talk) 21:30, 2 May 2023 (UTC)
Thanks for the ping. We can certainly get Twinkle updated if that is needed. I've created a tracking ticket here. Couple questions. 1) What WMF team is working on the coding of the IP masking software? 2) Will the masked usernames correspond 1:1 with IPs? If they do not correspond and are randomly scrambled, that could make anti-vandalism a real headache. 3) Is there a migration guide somewhere for developers that states what is changing from a technical standpoint? Sounds like mw.util.isIPAddress() is changing, anything else? Thanks. –Novem Linguae (talk) 08:55, 2 May 2023 (UTC)
@Novem Linguae:
  1. AHT (the Anti-Harassment team)
  2. Masked usernames will correspond to web browsers, so User:12345 at school will be the same as User:12345 at home. User:12345 will always be unique, so (unlike IP addresses) no matter where you see that username, it will be the same person (or at least the same web browser; there's no way to know who's on the other side of the keyboard).
  3. The migration guide is not finished, because they still have open questions. IP Editing: Privacy Enhancement and Abuse Mitigation/Updates#April 2023: The Plan for IP Masking is the most up-to-date information (but not super technical). However, there will be more information provided, once it's something the team feels like you can rely on.
Whatamidoing (WMF) (talk) 21:34, 2 May 2023 (UTC)
2) Ah, interesting approach. Will they generate a unique username based on IP address + useragent? That's actually a pretty decent idea, although could still lead to false positives, for example, a school computer lab full of identical versions of Google Chrome.
4) Do you know if this will this be implemented in core or via an extension? –Novem Linguae (talk) 22:42, 2 May 2023 (UTC)
2) Oh, sorry, @Novem Linguae, I was unclear. It's cookie-based, so it's set per individual browser. The numbers will be sequential (except there will be some gaps, e.g., due to lost connections in between the user starting to publish an edit and it actually getting published). They're talking about the format for the usernames, and I'd love to have your advice in the section above. The key point is that if there's some special character that you really don't want to see at the start of the usernames, like * or -, now's the time to speak up.
4) All of the above. This work touches everything. For third-party MediaWiki installations, it will still be possible to have IP editors. That option just (after the transition) won't be available on WMF-hosted wikis. Whatamidoing (WMF) (talk) 23:12, 2 May 2023 (UTC)
Do we know how long before the cookies expire? Will cookie expiration dates be extended with every site visit? Regarding "core vs extension", my question is, will it be implemented as extension such as mw:Extension:IP Masking, or will the code be added to core via a settings variable such as $wgMaskIPs? Thanks for your answers, will help me wrap my head around this :) –Novem Linguae (talk) 23:19, 2 May 2023 (UTC)
This is an open question. At the moment, as @NKohli (WMF) says below, AHT is planning a 12-month expiration date. This matches the login time for registered accounts. It is not likely to be longer than that, and it won't be automatically extended. But it could be shorter (six months? 90 days?), if there were a good reason for that.
There has also been some discussion about supporting manual extension. I don't think that's likely to be available (or relevant) in the first months, and it might never happen. Whatamidoing (WMF) (talk) 04:49, 5 May 2023 (UTC)
I can add some nuance to what @Whatamidoing (WMF) said above.
2) Masked usernames (which we call temporary accounts) will be tied to all the IPs that are associated with that account. So if a user obtains an IP address when editing at their home and then commute to work and edit from a different IP address - they will both be tied to the same temporary account and stored as such in the database. This is very similar to how things work for registered accounts. If you look at our most recent update, you can see how the "Reveal" feature would work for patrollers.
4) The basic work in implementing IP Masking is in MW Core. There will be a config variable to turn it on. Third-party wikis can decide if this is something they want but we won't be forcing this on anyone. Internally, we are utilizing Checkuser to store the relationship between usernames and IP addresses (again, very similar to what happens for registered accounts). Checkuser extension will also host the API to surface this information. This is purely because it keeps things easy and consistent on a technical front.
5) A cookie for a temporary account will expire 1 year from the creation of that account. It will not be extended with every visit. We want the temporary account experience to feel ephemeral rather than something the users get attached to. We are taking this as an opportunity to nudge people to create accounts where possible. For the same reason we won't be giving temporary accounts extra features or benefits that are associated with fully registered accounts. The only difference there is that temporary users will be able to receive notifications when they get mentioned because this will facilitate better communication and has been long requested by the communities.
These are great questions! Please keep them coming. We are putting together a technical guide but we still have some things we want to figure out - especially about how we can support volunteer tools. We'll publish a draft version as soon as we can. Thanks! NKohli (WMF) (talk) 19:20, 3 May 2023 (UTC)
@Chlod @Novem Linguae @Whatamidoing (WMF) Oh, and I forgot to say one thing; how will this impact cross wiki abuse mitigation efforts? As of right now, I check global contribs (for IP's) and CentralAuth (for registered accounts) to catch cross wiki abuse/vandalism. Also, how will this impact the global block procedures for IP addresses? -- Shadow of the Starlit Sky (talk) 13:28, 2 May 2023 (UTC)
Tools like https://guc.toolforge.org/ are expected to work (or to working after some updates) for all three mw:User account types. I don't know whether Special:CentralAuth will recognize temporary usernames.
I think there will be some slight differences in the global block procedures, but for the most part, I think it's going to amount to an extra click (to reveal the IP address, which you then handle just like you did before).
The team has been talking about some inconvenient aspects of the current setup (e.g., there's no global checkuser), and it's possible that some of these things will be improved. Overall, I expect it to be a mixed bag: this gets easier, that gets harder. Whatamidoing (WMF) (talk) 23:06, 2 May 2023 (UTC)
I was an administrator in ruwiki and if I would have time, I will again.
So, there would be vandal in this mask you would provide him. I will ban him, he will return. Would I understand it? His new name name would be similar to his old name if ip is similar?
How would I find IP-range that I need to block to get rid of him? Carn (talk) 05:50, 9 May 2023 (UTC)
Let's assume vandal is not an idiot and don't use cookies.
I don't understand how we should fight against proxies with this "upgrade" our wiki was not ask for and really we don't need it...
I don't really like people who take all the steps of the Foundation with hostility. But. You are imposing a new mechanism on us, and as usual, we ourselves will have to find ways to adapt to them if we want to preserve what we have. At the same time, you are on a salary, and we are volunteers.
Can we vote in our wiki not to turn on this mechanism? Carn (talk) 06:01, 9 May 2023 (UTC)
Hi @Carn. Sysops and patrollers will still have access to IP, so it should not be a problem to fight vandalism and to detect open proxies. (In fact, we even get access to more information for basic vandals, as their edits will be grouped by a cookie and not by their IP adress.) Best regards, Jules** (talk) 10:34, 9 May 2023 (UTC)
Tnx! Sorry for emotions Carn (talk) 10:36, 9 May 2023 (UTC)
@Carn, it's okay. It appears that we don't have any choice about this. It's going to require some extra work from everybody, and I don't know anyone who is completely happy about it. MediaWiki has to be changed, bots need to be updated, messages need to be re-written, and everyone has to figure out how to use the new system. This will be a lot of work. If we all work together, it may be a bumpy trip, but I think we'll get through this.
I know that ruwiki has some awesome technical contributors like @Jack who built the house, so ruwiki will probably fare better than average, even if it's not 100% smooth sailing. Whatamidoing (WMF) (talk) 03:14, 13 May 2023 (UTC)

Will temporary account created when being warned or disallowed by abuse filter?

Hello, I am wondering if a temporary account will be created when the edits triggered the abuse filter by being warned or disallowed (or blocked) by abuse filter. I had looked through the page but I cannot find anything about edits triggering the abuse filter before a temporary account created. 132.234.229.107 00:55, 17 May 2023 (UTC)

This is still an open question for the engineers. I think we will need to create a temporary account for them but I will confirm this once I find out the answer. Thanks. -- NKohli (WMF) (talk) 11:50, 19 May 2023 (UTC)
I believe that the key point is that they don't really want IP addresses to appear in any public logs for Special:AbuseFilter. Whatamidoing (WMF) (talk) 05:00, 20 May 2023 (UTC)

Privacy concern of accessing temporary account all used IP address

Based on the current plan, users who meet the requirements will be able to reveal all IP addresses. Revealing all IP address used by that temporary account is similar to how Checkuser currently work. The temporary account only belongs to one person, rather than an IP address could be used by many people. The requirement of accessing temporary account IP addresses is also quite low compared to Checkuser requirement. It could lead to privacy concerns, as we can easily know what someone used IP addresses in those 90 days. Even if they are not Checkuser and cannot meet the Checkuser requirements, they could do the same thing as Checkuser. This does not make sense.

Thus, it is suggested that even if users meet the requirements of access to temporary account IP addresses, they still cannot access all IP addresses and can only access recently used IP addresses (e.g. 7 days or 3~5 IP addresses, etc). If they need to access all IP addresses, they could ask for help from Checkusers (of course in line with Access to nonpublic personal data policy), and maybe we could create a new role called Temporary Account Checkuser for only checking temporary account 's IP addresses. Just my two cents. Thanks. SCP-2000 07:39, 12 May 2023 (UTC)

cc @Cwek: who shared this concern in zhwiki local discussion. SCP-2000 07:43, 12 May 2023 (UTC)
I don't understand the concern? Currently all users can see all IP addresses from logged-out editors. We can easily determine someones IP addresses for the last couple of years by looking at IP-Ranges and their edit behaviour (that's how many LTA IP addresses & ranges are identified). IP-Masking making those IP addresses available to just some users is already a huge privacy improvement.
Limiting view access to only a couple of days / IP addresses would make it much harder to determine IP ranges of vandals/LTA which is not only needed for blocking but also for many abuse filters.
One might consider raising the WMF requirements for getting IP access (e.g. 1000 edits and at least 12 months account age), but limiting access for non-Checkusers the way you suggested is a bad idea. Johannnes89 (talk) 08:49, 12 May 2023 (UTC)
Sorry for the confusion. My personal thought is that the temporary account actually should be treated as "account". Both of them belong to individual, but the difference between a temporary account and a registered account is the expiration time. A temporary account is set to expire after a year, while a registered account never expires. To clarify, it is not a masked IP address, instead it is an account.
I am worrying that users can easily access "account" IP addresses (compare to Checkusers), especially they can access all used IP addresses in those 90 days. It would be great if we can raising the requirements for getting IP access etc, to protect users privacy. Thanks. SCP-2000 14:46, 12 May 2023 (UTC)
Temporary accounts are nowhere near an actual account, with the most obvious example being the definition of sockpuppetry. A user must use only one single account even when on multiple devices, while anonymous users using temporary accounts can never use the very same temporary account when on multiple devices. Temporary accounts belong to devices, or strictly speaking, cookies, and not an individual, and thus should never be treated like a regular registered account. Privacy-wise, not allowing everyone to see anonymous user IP addresses is already protecting user privacy, adding that local communities can impose stricter requirements to IP info access. If temporary accounts are to be treated like regular accounts, why not just disable anonymous editing and require an account for editing then. LuciferianThomas 20:28, 12 May 2023 (UTC)
The sockpuppetry rules are not quite so strict as that. (After all, I use two accounts – one for work and one for fun – and nobody objects to that.)
You are correct that temporary accounts cannot be shared across browsers. If I were editing under the temporary account system, instead of being logged into two regular accounts ("work-me" and "volunteer-me"), I would have three: "Safari-me", "Chrome-me", and "Firefox-me". Right now, under the current IP system, if I weren't logged in, I would have "home-IP", "library-IP", "iPhone-IP", "visiting-someone-IP", and who knows how many others. Whatamidoing (WMF) (talk) 03:53, 13 May 2023 (UTC)
Well, obviously, the "must" is a generalization. For regulars who don't know the specific rules of sockpuppetry, using only one account is the only option since they couldn't have done the proper secondary account declarations. LuciferianThomas 07:28, 14 May 2023 (UTC)
About "all" IP addresses:
This is one of those details that is not 100% settled. The plan that I heard (as of early May 2023, and it might change!) is that if you see a temporary username – let's call our pretend editor User:~1234-5678-2023 – then you could click the button and see the IP address (let's pretend it is 127.0.0.1). But once you know the IP address, a normal, non-CheckUser editor could not click a button to show you all of the other temporary editors who also use 127.0.0.1. You would have to click on all the temporary usernames to find all of the IP addresses separately, just on the chance that one of them is also using 127.0.0.1.
So:
  • You see User:~1234-5678-2023 (public information).
  • You reveal 127.0.0.1 (only because you are a trusted editor).
  • But you can't reveal that 127.0.0.1 was also used by User:~3508-2039-2024 and User:~2409-3489-2023. Only a Checkuser could do that.
As I said, this might change. There are two obvious ways that it could change:
  1. A built-in button, perhaps on Special:Contributions, that can find related temporary accounts.
  2. A separate tool (e.g., at http://tools.wmflabs.org) that can produce a list of related accounts.
In both of these cases, it would be possible to give access only to some people (e.g., admins, because they might want to block all of the accounts using similar the IP addresses) or to anyone who can reveal the IP addresses.
If experienced patrollers have recommendations, I'm certain that the AHT team would like to hear them. Whatamidoing (WMF) (talk) 04:03, 13 May 2023 (UTC)
The privacy concern is that you will be able to reveal as a trusted editor that User:~1234-5678-2023 used IP addresses 1.1.1.1, 123.45.67.89, 8.8.8.8 and A::1 – one of which may be their home IP address (revealing where they live and which landline/cable internet provider they have), the other one their cellphone address (revealing their mobile provider), the third one a free WiFi on the train (revealing what train they commute with) and the fourth one their work IP (revealing what company they work at). These four addresses cannot be connected right now (unless one’s logged in, in which case check users can connect them, but others can’t), but they will be connectable without signing any NDA. —Tacsipacsi (talk) 11:03, 14 May 2023 (UTC)
Hey.

A built-in button, perhaps on Special:Contributions, that can find related temporary accounts.

It seems to me that it would definitely be needed to fight some LTA or non-trivial cases, and it should handle CIDR ranges. Otherwise abuse mitigation would be harder with IP Masking than it is now… — Jules* talk 13:25, 16 May 2023 (UTC)
That sounds similar to what User:Danilo.mac is suggesting above.
I wonder: Would you want any "related accounts" button to include registered editors? Whatamidoing (WMF) (talk) 16:55, 16 May 2023 (UTC)
No, I was thinking only to temporary accounts: a button that gives all temporary accounts who used a given IP (or IP range) during the last 90 days. So we can find temporary accounts using the same IP to make vandalisms, as we do today by checking the IP contribs.
(Accessing registered editors is currently a CU restricted tool and I see no reason to change that.) — Jules* talk 17:57, 16 May 2023 (UTC)
This reminds me: I need to ask the team about IP Editing: Privacy Enhancement and Abuse Mitigation/Similar Editors. I don't know enough about that idea yet. Whatamidoing (WMF) (talk) 05:07, 20 May 2023 (UTC)
I hear that this idea (finding other temp accounts that used the same IP) came up at the Wikimedia Hackathon 2023 last weekend. Whatamidoing (WMF) (talk) 17:57, 23 May 2023 (UTC)
Thanks for the info, @Whatamidoing (WMF). FYI, we launched a poll on fr-wp about being a pilote wiki. We also created an information page. On this occasion, I talked on IRC with several patrollers and two sysops: they strongly agree on the fact that we really need a tool (for users with IP reveal right) that can find temporary accounts related to an IP adress, and that for when IP Masking will be deployed. Best, — Jules* talk 18:00, 24 May 2023 (UTC)
Hi. I definitely agree with Jules* above: a tool that could list all the temporary accounts or the contributions of an IP address would be extremely useful. I have no doubt that some LTA vandals will know that they only have to delete cookies in order to change their temporary account, thus making it even easier for them to disappear than changing their IP address.
The tool could be similar to the one we have today when looking for all contributions of an IP range: instead of having all the contributions of all the IPs in that range, we would have all the contributions of all the temporary accounts using this IP. Antimuonium (talk) 18:04, 24 May 2023 (UTC)

Be a pilote wiki

Hi,

On fr-wp, we are considering to propose the fr-wp community to be a test wiki for IP Masking. Before submitting this proposal to our community, we have some questions:

  • How will the test take place?
  • How long will it be? permanent or not?
  • If not, will the temporary accounts stay that way, or will they be replaced by old IP?
  • Should the community decide before the test the criterias to get access to the IP reveal right?
  • How to be prepared for the test, how to make sure there is no major disturbance?
  • If there is a major bug/disturbance, is that possible to stop or pause the test?

Best, — Jules* talk 15:10, 13 May 2023 (UTC)

Hello, @Jules*. I am always happy to hear from you. Here are my initial answers:
  1. How will the test take place?
    • This is not yet certain. It might be a type of A/B test (=you would see some old-style IP editors and some new-style temporary users throughout the whole test). There is also a possibility of it being run as a cycle (turn on for 100% of logged-out editors for one hour, and then turn it back off; fix whatever was broken; repeat until most broken things have been found and fixed).
    • Also: The French Wikipedia cannot be the first wiki. The AHT team has agreed to start with a smaller wiki first, so that if there are major problems on the first day, it will affect only a few people. So perhaps by the time such a large wiki can be contemplated, some things will have already been fixed, and there will not be a major disturbance.
  2. How long will it be?
    • This is not officially decided, but it might be permanent. This is because it could be confusing to logged-out editors to be a temporary user one day but an IP user the next time. They would need a few weeks to collect data, so that is probably the minimum length.
  3. If not, will the temporary accounts stay that way, or will they be replaced by old IP?
    • Even if it has to be turned off, the temporary usernames will remain in the page history. The old/existing IP addresses will remain, too. I understand that neither the devs nor the lawyers want anyone to change the names that are recorded in the page history.
  4. Should the community decide before the test the criterias to get access to the IP reveal right?
    • Yes, please! There is some information at Access to temporary account IP addresses FAQ/fr. I think that all of the large wikis should have a discussion about whether the minimum criteria are high enough to suit their local communities. I would be very interested in hearing about the community's decision, and I think several editors watching this page would also be interested.
  5. How to be prepared for the test, how to make sure there is no major disturbance?
    • Here are my ideas, and perhaps other people will have ideas for you, too.
    • Technical: Scripts like NAVPOPS and Twinkle may need to be updated. I believe there is a local editing toolbar that is popular at the French Wikipedia because of its customizable buttons (e.g., for posting template messages), and some editors may find that they want to update their buttons (e.g., to stop posting "Welcome, IP user" and instead post "Welcome, temporary user"). (@Tacsipacsi and @Patrik L., do your home wikis also use custom toolbars for patrollers?) It might be useful for patrollers and other editors to make a list of all the tools they use, so you know which ones to check.
    • Help pages and other written messages: Pages that talk about "IP editors" should be updated. You might want to write a new rule about when (if?) it is fair to post the IP address of a temporary editor on wiki. For example, it might be fair to post "I've blocked 127.0.0.1 because this is the long-term abuser", but if someone posts "User:~2023-1234-1234, whose IP address 127.0.0.1, did a good job improving this article", then that is not fair and should be oversighted to protect the good user's privacy.
    • Communication: Telling people that this change will happen is helpful. It is best if people are not surprised. At such a large wiki, it is helpful to post messages on different pages, and also to post multiple times on the central pages. You might want to create a local project page, to track information. (Smaller wikis will probably not want to do this.)
    • Testing: It was available at https://de.wikipedia.beta.wmflabs.org/ and will eventually become available at the other mw:Beta Cluster instances.
  6. If there is a major bug/disturbance, is that possible to stop or pause the test?
    • Yes, it should be, although it might be a bit more difficult than usual. Most tests can be stopped about 15–30 minutes after the decision is made. There is a small chance that stopping this test would require a little longer than usual (hours, not weeks), or to block logged-out editors for little while during the transition.
I appreciate your interesting questions. What else do you need to know? Whatamidoing (WMF) (talk) 03:47, 16 May 2023 (UTC)
Thank you very much for your answers, @Whatamidoing (WMF). I will report them to the community and we will definitely create a project page for coordination, as IP Masking is a huge change and there is a lot to do. I have an additional question: considering that first wikis to test IP Masking will be small wikis, do you have a rough idea of when fr-wp would be testing IP Masking? It would help us to get organized. Best regards, — Jules* talk 10:53, 16 May 2023 (UTC)
Another question: are the change for Abusefilter rules anticipated? On fr-wp for example, Abusefilter is a tool extensively used to fight vandalisms and other abuses. — Jules* talk 11:20, 16 May 2023 (UTC)
@Jules*, now I have to confess to my pessimism about schedules. The official timeline says that IP masking will not be on any wiki (except test wikis) until at least 1 October 2023. They hope to get it out on the first small wiki(s) sometime in October–November–December.
But... December is filled with holidays, and late November is a busy time for Fundraising (=a bad time to break the wikis). So if it doesn't get deployed by mid-November, it might be postponed until after the holidays and fundraising season.
And these things always take longer than I think they will, so I would not be completely surprised if it didn't reach the first small wiki(s) until January. So I see two possible timelines:
  • Somewhat optimistic schedule: First small wikis in November, first mid-sized wikis in January, maybe French (or another large wiki) in February or March.
  • Somewhat pessimistic schedule: First small wikis in January, first mid-sized wikis in March, first large wiki in June.
I leave the decision about which schedule is most likely to you. ;-) Whatamidoing (WMF) (talk) 17:18, 16 May 2023 (UTC)
I haven't heard anything specific about AbuseFilter. Since temporary accounts are a new/third kind of account, the rules about "if the editor is an IP" might need to be updated. However, I don't have any specific information about it. I'll see what I can find out. Whatamidoing (WMF) (talk) 17:20, 16 May 2023 (UTC)
It looks like there are some Phab tasks about AbuseFilter. The two most central-sounding ones are phab:T331653 and phab:T307060. Whatamidoing (WMF) (talk) 17:24, 16 May 2023 (UTC)

Results of the poll are positive: fr-wp community is overall OK to be a pilote wiki. — Jules* talk 10:48, 6 June 2023 (UTC)

Thank you, Jules*. I'm glad to hear that your home community is willing to help us this way in the future. Thank you for starting that conversation and for bringing the results here. Whatamidoing (WMF) (talk) 23:09, 6 June 2023 (UTC)

Wouldn't it be easier to just make registration mandatory?

I was reading the comments in this talk page and some Phabricator tasks related to IP masking, and I see a lot of developers work, new concepts being created and possible problems that the change can cause. Wouldn't it be easier to just make registration mandatory? The account registration only require an username and a password, the e-mail is optional, it can be done in few seconds, and the experience in ptwiki (my home wiki) showed positive results. Temporary accounts will be similar to regular accounts in some aspects, but it is more complex to deal with, and all that increase in the work of developers and patrollers is just because we can not require the editors to fill a very simple and fast registration? What is the real problem in require registration? I would like to see a comparison of the advantages and disadvantages of create the IP masking feature and just make registration mandatory, and then make a global request for comment to the global community choose what they prefer. I belive the mandatory registration would win. Danilo.mac talk 22:48, 17 May 2023 (UTC)

Hi @Danilo.mac. It is a fair point, but a lot of communities, including mine (fr-wp), are hostile to requesting registration, even knowing it is "a very simple and fast registration"; they want people to be able to edit wikis without registration. Kind regards, — Jules* talk 11:20, 18 May 2023 (UTC)
I often find myself not editing wiki sites (e.g. IMDb) if they require a “very simple and fast registration”. (Yes, IMDb does require an email address, but not the email address is the issue for me.) Registering an account requires a level of commitment which IP editing and temporary accounts don’t. I don’t know how you measured success on ptwiki, but I’m sure you did lose some editors even if the overall results were considered positive. —Tacsipacsi (talk) 19:27, 18 May 2023 (UTC)
There is this study made by WMF that showed positive impacts, see graphs of "Number of active user editors", "Number of reverts" and "Impacts on administration". Danilo.mac talk 21:43, 23 May 2023 (UTC)
I worry about the long-term consequences. My first edit was fixing a typo as an IP; I might not have made that edit if I first had to register. Would requiring registration narrow the pipeline for future generations of editors? I don't know. I worry that it might.
One thing I've long been curious about is: How much of the core community began editing before registering their accounts? I don't think anyone has ever done any research on this. Whatamidoing (WMF) (talk) 18:07, 23 May 2023 (UTC)
It would be an interesting research, but I don't know if there are data that can be used to identify that with precision. However, I recently made a tool to analyze user retention that can help visualize some tendencies, we can see in the ptwiki graph that the number of registered users had a spike when the registration become mandatory (oct 2020), and after the spike the user retention appears to have stabilized above the level it was when the registration was optional, the interactive diagonal line in the tool helps to visualize that. Danilo.mac talk 21:43, 23 May 2023 (UTC)
That's an interesting visualization. It looks like the "early days" were over by 2006, and 2013 is the trough, when few new accounts are being created. If memory serves, this is also when the Portuguese Wikipedia had unusually aggressive use of CAPTCHAs. There's a sudden spike in newcomers in 2020.
It looks like there's a substantial shift, such that in (e.g.,) 2015, if you saw a registered editor's name in RecentChanges, it had a significant change of being a long-time editor. This is no longer as true. I wonder whether that change changes how people evaluate changes. For example, are they more suspicious of all registered editors? Less suspicious of all editors? Whatamidoing (WMF) (talk) 20:22, 28 May 2023 (UTC)
What I perceived is that users are less tense, I see less conflict between users, I think that is probably because the reduce in vandalism (reverted edits reduced by half). We were overburdened by the vandalism for years, and we tried many things to reduce it before take the decision of the mandatory registration, we probably have the best collection of antivandalism filters in all wikis, patrollers use tools like huggle, but nothing get close to the reduce in vandalism we had with the mandatory registration. Danilo.mac talk 00:32, 29 May 2023 (UTC)
Does ptwiki have anti-vandalism and anti-spam bots, like w:en:User:ClueBot NG and w:en:User:XLinkBot? When those bots came online, a lot of bad edits still happened, but they were immediately reverted by the bots. The net result is that we lost a lot of editors whose primary activity was reverting vandalism. This led to about six or eight years of people worrying about the decline in the number of editors (it's since flattened out). I think that content metrics would be more appropriate: How long is the median article? Is there a picture? Are people learning what they want to know? Whatamidoing (WMF) (talk) 04:09, 6 June 2023 (UTC)

Where's the privacy enhancement

Currently everyone can see the IP addresses, and while from privacy standpoint that is not good, at least it's transparent. By that I mean that anyone can see that anyone can see the IP addresses. (I know that many people don't even know what an IP address is.) In the future IPs will be hidden from the general public, but it will still be possible for pretty much anyone to see them: they just need to wait 6 months and do some editing and then they'll either get the IP access automatically or they can apply for it. How is that enhancing the privacy of the unregistered users? And how is it going to be communicated to the unregistered users in a way that there is any chance of them understanding what a temporary account actually is? And understanding that their browser will store a cookie that records all the IP addresses that they have used with their temporary account, be it at home or at work/school etc.

I've been following this project from the beginning and waiting for the moment when I'll understand how this is better for the unregistered editors, and I still don't get it. kyykaarme (talk) 17:03, 3 May 2023 (UTC)

Hello, @Kyykaarme, I am happy to see your name here.
Currently, everyone can see the IP addresses. In the future, only a small fraction of people will be able to see the IP addresses. It is true that, with sufficient patience and effort, any individual could (probably) become part of that small fraction of people (more than registered editors, but still only a small percentage of users). It is also true that with sufficient patience and effort, a determined individual could become a CheckUser. In the end, "visible to some" is still improved privacy than "visible to all", even if it might not be as much of an improvement as would be ideal.
The messages in all the editing interfaces will have to change. To give an example, phab:T335590 outlines some of the proposed changes for talk pages. We are probably going to add a link to mw:Help:Temporary accounts as well.
(I believe that the IP address will be recorded on the server, just like yours and mine are now, and not in the cookie itself. The cookie records the automatic username.) Whatamidoing (WMF) (talk) 05:02, 5 May 2023 (UTC)
Hey, @Whatamidoing (WMF), thanks for the reply. It seems that IP masking is being treated as if the logic is the same as when the interface admin group was created to make it less likely that someone uses certain admin tools maliciously. With IP masking we should instead think about the issue from the point of view of the unregistered users. It's irrelevant to them that their IP was previously visible to everyone (maybe they have never even edited before), and instead what matters to them is who can access their IP now and if that's something that the user understands. If we care about people's privacy we should make sure that they understand what happens with their personal information (like an IP address). Also, since there's going to be a cookie that lives in the user's browser, I assume that there has to be a cookie notification that the user will have to agree to? (In the EU at least.) And yes, there's also a group of volunteers who can access almost anyone's IP, and IMO that should also be communicated to the (registered) users, so that they can decide if they agree to it or not. kyykaarme (talk) 18:28, 21 May 2023 (UTC)
I'm sure that Legal will update foundation:Privacy policy and foundation:Cookie statement between now and then, and these are linked on every page.  
The in-software messages are also being updated. The most relevant ones (e.g., the note at the top of the editing window that says you're logged out) will link to Help:Temporary accounts. Whatamidoing (WMF) (talk) 00:59, 23 May 2023 (UTC)
Updating disclaimers or policy pages is not the same thing as giving users the choice of consenting to the cookie that will be placed in their device for 12 months. Under GDPR rules the website can place cookies into the user's device without consent only in certain circumstances. Log-in cookies don't necessarily need a cookie notification, but the pseudo-account users aren't actively choosing to log in, they are just trying to edit and the pseudo-account is created for them automatically. They are then "logged in" for up to a year in a pseudo-account without an easy way to "log out". And all the while the cookie will collect personal information (regardless of where the information is actually stored) of that person and giving possibly dozens or hundreds of people access to that information.
Even if that's legal (and I have my doubts), I think it's unethical if the users are duped into believing that their personal information is much more private than it actually is, and they are not told in advance and therefore given the option to choose if they want to edit under these circumstances or if they'd rather create an actual user account or just not edit at all. kyykaarme (talk) 18:10, 6 June 2023 (UTC)
@Kyykaarme, I don't understand "the cookie will collect personal information". What do you mean?
For example, right now, if I go to the Finnish Wikipedia, I get a cookie called "fiwikiUserName" that has a value of "Whatamidoing%20%28WMF%29". The domain is fi.wikipedia.org (naturally enough). It has an expiration date of next year, and aside from a couple of settings, like whether it's for https: use, that's it. The cookie's contents aren't going to change. How does the cookie "collect personal information"? Whatamidoing (WMF) (talk) 22:57, 6 June 2023 (UTC)
The cookie will enable the aggregation of the edits the user made within a year, and everyone with the IP viewer user right will be able to access all the IPs the user has used. That is the personal information that the cookie collects. kyykaarme (talk) 17:47, 17 June 2023 (UTC)
@Kyykaarme, are you saying that Special:Contributions/WhatamIdoing is "collecting personal information" that is using a cookie to "enable the aggregation" of my edits? Whatamidoing (WMF) (talk) 23:01, 22 August 2023 (UTC)
Special:Contributions/WhatamIdoing doesn’t list the IP addresses you’ve used in the past years. Special:Contributions for a temp user would, for anyone with IP viewer right, thus allowing those users to link edits to IP addresses (which is what we want to avoid) as well as linking IP addresses to each other (which is today not possible at all – unless guessable from the edit pattern –, so it’s a step backwards privacy-wise). – Tacsipacsi (talk) 23:19, 23 August 2023 (UTC)
I think it's a mixed situation. Right now, anyone with access to the internet (=several billion people) can see the IP for an unregistered editor, forever.
In the future, only a small percentage of registered editors (probably less than 1% of all registered accounts; about 0.5% at enwiki, assuming they don't impose tighter restrictions locally [and they might]) will be able to see the IP address for unregistered users, for 90 days.
So far, this is obviously an improvement in privacy. Then we add:
The 0.5% of editors who can see the IP address can see all the IP addresses (but still only for 90 days).
Overall, I think that trading "a few people can temporarily see all of them" for "everyone can see each of them separately forever" is a privacy improvement. But if the communities think this is an unreasonable tradeoff, and they would prefer that only checkusers be able to see all of the IPs, then I believe it's technically feasible to restrict access to just the most recent one. Whatamidoing (WMF) (talk) 06:56, 24 August 2023 (UTC)
That still does not address the fact that said cookie (used to create and later identify the pseudoaccount) will allow aggregation of edits done from the same device, even if the user IP address changes. Nowadays, only checkusers are able to see that kind of aggregated data, but after IP Masking goes live, at least in its current design, the number of users that would be able to see (and link) IP addresses with pseudoregistered users (aggregated data based on non-public PII) will increase. This makes temporary accounts second-class accounts with regards to privacy. As for the cookie used to create the pseudoaccount and allow MediaWiki to attribute edits done by that device up to 12 months, it is my understanding that these types of cookies require an active and informed consent according to EU Law (See ECJ Judgement of 1 October 2019, Planet49 GmbH, C‑673/17, ECLI:EU:C:2019:801, § 82 (1)). As such, you need to clearly inform the user and allow him to consent in a manner that can be proven afterwards (premarked checkboxes or no checkboxes at all are not okay). Thanks, —MarcoAurelio (talk) 11:36, 24 August 2023 (UTC)
Yes, exactly. Currently IP users are in a hotel with no locks on the doors. In the new system there will be locks on the doors, but many, many people will have a master key. The IP users deserve to know that fact so that they can make an informed decision on whether they want to subject themselves and their private information (IP address) to this situation. I consider that to be a moral right of the users, but people from different parts of the world also have different expectations and actual legal rights when it comes to cookies and other privacy issues. How often do non-EU citizens see cookie notices? I see them daily and yes, I actually take the time to read them, and every now and then I hit the backspace because I don't want to visit a website where it takes too much effort to control the cookies that are inserted into my device. kyykaarme (talk) 17:52, 24 August 2023 (UTC)
MarcoAurelio, would you prefer to have the account name to change every time the IP changes?
(Kyykaarme, I see cookie notices every day. Personally, I don't need a checkbox to control cookies in my web browsers, but perhaps someone benefits from it.) Whatamidoing (WMF) (talk) 06:12, 28 August 2023 (UTC)