Page MenuHomePhabricator
Create Task
Maniphest T213875

Explore alternatives to browser fingerprinting for anti-abuse efforts
Closed, ResolvedPublic
Actions

Description

Currently, MediaWiki software allows permissioned users to stop a person from performing actions (e.g. editing, creating pages, messaging other users) by blocking their username, IP address, or IP range. Block evasions are simple on Wikimedia wikis.

The Anti-Harassment Tools team at the Wikimedia Foundation has been tasked with looking to modernize our blocking tools to make blocks more effective and less easy to evade. The impetus is for Long-Term-Abuse but this project may be further reaching. There will be no silver bullet but it is the responsibility of the WMF to install safeguards for our users, our staff, and the content that we host.

Browser fingerprints are being investigated in T213351 but there are alternatives that we should explore. Please use this task to discuss alternatives.

Related Objects

Event Timeline

TBolliger created this task.Jan 15 2019, 11:12 PM
Restricted Application added subscribers: MGChecker, Aklapper. · View Herald TranscriptJan 15 2019, 11:12 PM
TBolliger triaged this task as High priority.Jan 15 2019, 11:12 PM
TBolliger mentioned this in T213351: Timeboxed investigation into browser fingerprinting for anti-abuse report to WMF Board.
TBolliger moved this task from Backlog to User blocking on the MediaWiki-User-management board.
Nuria subscribed.Jan 16 2019, 12:14 AM

Rather than focusing on the bad actor why not focus in the target giving them tools to protect interactions? For example: they can protect their talk pages such to post you need to know the "secret" word (similar to a captcha), this way interactions are "whitelisted"

MGChecker added a comment.Jan 16 2019, 12:20 AM
In T213875#4883103, @Nuria wrote:

Rather than focusing on the bad actor why not focus in the target giving them tools to protect interactions? For example: they can protect their talk pages such to post you need to know the "secret" word (similar to a captcha), this way interactions are "whitelisted"

I don't think whitelisting can work in a Wiki, as working there is heavily dependant on communicating with each other.

dbarratt subscribed.Jan 16 2019, 12:24 AM

What about a blacklist? We do that for email & echo notifications and the feedback has been positive.

BU_Rob13 subscribed.EditedJan 16 2019, 4:11 AM

Something as simple as a user-enabled time-limited semi-protection of their own talk page would certainly throttle some amount of abuse. A blacklist doesn't really work with LTAs, since they're using multiple accounts.

Bawolff subscribed.Jan 16 2019, 6:49 AM

I think any conversation that starts from a place of "Lets stop all abuse" is not going to go anywhere. There's lots of different types of abuse on the wiki, involving different methods, motives and sophistication. Solutions are not going to be one size fits all and it will probably be a poor solution if it doesn't start from a place of usecases.

Krenair subscribed.Jan 16 2019, 3:37 PM
Peachey88 subscribed.Jan 19 2019, 12:19 AM
MER-C subscribed.EditedJan 24 2019, 2:36 PM

Anti-abuse will always require a defence in depth approach - to limit the scope to just the stickiness of the banhammer is mistaken. The flip side is making abuse easier to find, investigate and take action against. Reverting and blocking faster, as well as detecting all of it also has a deterrent effect. Making blocks stickier will run into privacy problems, but making detecting and dealing with abuse easier involves only code and UI design. Here are some thoughts:

  • Patching obvious shortcomings e.g. T196575
  • Workflow improvements e.g. T176867, T189391
  • Capability improvements e.g. T146837
  • Machine readability to help volunteer tool development and detection algorithms e.g. T56328
  • Transitioning the existence of harassment vectors (email in particular) to privileged information
  • Penetration testing of anti-abuse measures
  • User-managed blacklists as mentioned above
TBolliger moved this task from Untriaged to Product/Tech backlog on the Anti-Harassment board.Jan 24 2019, 5:51 PM
TBolliger added a comment.Jan 24 2019, 11:15 PM

Thank you @MER-C. I completely forgot about T196575 — what an obvious first step!

TBolliger closed this task as Resolved.Mar 1 2019, 5:43 PM

Our team has published our recommendations here: https://meta.wikimedia.org/wiki/Community_health_initiative/Blocking_tools_and_improvements#March_1,_2019

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits