Page MenuHomePhabricator

Hide account creation/autocreation times
Open, Needs TriagePublic

Description

The exact timestamp of account creation might make it easy to identify a user via web traffic analysis in certain scenarios. (This is even more true for autocreation, see T21161: Don't autologin if local account doesn't exist (don't autocreate if user doesn't explicitly login).) There is no particular reason to disclose this information publicly and hiding it would improve user privacy. It is not tricky though:

  • We'd have to truncate timestamps on log / API pages. That part is easy enough.
  • We'd have to stagger how events appear in the logs (e.g. if the account creation time is truncated to the hour, then don't display log events which happened in the current hour) - still easy.
  • "Snap" internal things like APCOND_AGE so they align to the truncation.
  • Hide users from the list of all users if they are very new. Maybe a flag in the user table, removed periodically for old-enough accounts?
  • Filter out the log events from public feeds (IRC, EventStream) or delay and batch them somehow (which probably doesn't fit well into the current architecture - although maybe Kafka could be used for that?).

OTOH maybe there's not much use case for having public account creation logs in the first place and they should just be limited to users with private data access? (The new user log was added in rMWe8215b27e423: Add newuser log to core, before it seems we used Extension:Newuserlog; neither details the use cases. Needed for fighting spambots at least, but that's a pretty limited and trusted set of users.)

Event Timeline

Tgr created this task.Feb 17 2019, 5:07 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 17 2019, 5:07 AM

Note, this bug partially overlaps with a secret bug T184012