Page MenuHomePhabricator
Create Task
Maniphest T283177

Anonymous Contributors IP Masking
Closed, InvalidPublic
Actions

Description

Decision Statement Overview: https://docs.google.com/document/d/1YWfvBBYYCdN2sEM3snfrPXEAUYdyg6BgQThXjMs09EY/edit

What is the problem or opportunity?

Currently, anonymous users who make edits to Wikimedia projects are able to do so without creating an account. The problem is that for those edits made, their public IP address is used in place of a username, thus exposing some PII with this given user.

For admins patrolling and protecting projects from vandalism have relied on tools that leverage the exposure of these IP addresses. So the challenge here is to provide privacy to anonymous users while empowering admins to continue to fend off vandalism.

Requirements

IP addresses are no longer viewable to public users
As an anonymous user making an edit, I want my IP address hidden from public, non-authorized users, so that my identity remains private.

IP Data Retention
Remove IP addresses from the database after 90 days.

Create a temporary account for anonymous users
As an anonymous user, I want a temporary account, so that I have privacy and my IP address isn’t available publicly

  • Acceptance Criteria
    • A unique temporary account is reserved. The account is not officially created until an edit is submitted by that anonymous user.
    • The temporary account is associated with the user’s session

What does the future look like if this is achieved?

The privacy of users is protected with no PII being publicly exposed. We also want to continue to encourage contributors who have made anonymous edits.

The role of anti-vandalism is unimpacted by this change and can continue to identify and prevent bad actors from vandalizing projects.

What happens if we do nothing?

User privacy remains at risk for publicly exposing PII such as IP addresses.

Any additional background or context to provide?

IP addresses need to be purged after 90 days in accordance with data retention policy. Likewise, the masking or removing of IP addresses from public exposure are only those anonymous edits moving forward. This does not need to mask or remove the past IP addresses that have been made publicly available.

Why are you bringing this decision to the technical forum?

For contributors feel safe contributing to the movement which aligns to our objective

Our platform and our contributors will be better protected with improved movement management & curation tools (software and practices)

Additional resources

Related Objects
Search...

Event Timeline

sdkim created this task.May 19 2021, 4:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 19 2021, 4:18 PM
WMDE-leszek subscribed.May 19 2021, 5:08 PM
Reedy updated the task description. (Show Details)May 19 2021, 5:40 PM
DannyS712 subscribed.May 20 2021, 2:42 AM
Ladsgroup subscribed.May 20 2021, 5:52 AM
awight subscribed.May 21 2021, 8:56 AM

I'm starting to think, the right framework for this task is given by this clue from the statement of consequences:

WMF could be in violation of GDPR and other data privacy regulations...

Until we can mask IP addresses, we are failing to protect the users' human rights and privacy, causing individuals harm, and biasing who can safely participate in the project.

Can we call this a "High" priority?

awight awarded a token.May 21 2021, 9:08 AM
Izno subscribed.May 21 2021, 4:27 PM

https://meta.wikimedia.org/wiki/IP_Editing:_Privacy_Enhancement_and_Abuse_Mitigation should be linked here.

Jenlenfantwright moved this task from Inbox to Problem Statement Review on the tech-decision-forum board.May 24 2021, 5:16 PM
kostajh subscribed.Jun 2 2021, 7:54 PM
daniel subscribed.Jun 3 2021, 8:46 AM

I made a document comparing the implications of different solutions from a technical perspective: https://docs.google.com/document/d/1uHCZHt4OMY5U2gBMOPL-BHcvMsOPPGGYhcQVNRaGmNk/edit#

Jenlenfantwright claimed this task.Jun 3 2021, 12:17 PM
awight added a comment.Jun 4 2021, 8:57 AM

It's great to see these proposals, thank you for the work put into this so far! I had a few questions,

  • For the "IP masking" suggestion, encryption would have to be performed with a salt, most likely one derived from the session ID. Otherwise, multiple editors coming from the same IP would have the same masked IP which I believe is undesirable. Without a salt, there might also be attacks allowing you to unmask an IP by running the encryption routine directly. This doesn't change the proposal, but is a security detail worth mentioning.
  • The three alternatives suggested so far seem to be very similar: user session is mapped to some form of quasi-permanent identity. Have you also considered a wider range of alternatives, such as anonymous editors having *no* on-wiki identity, being truly anonymous? Short-term records would still be kept for privileged auditing of course. Flagged vandalism could still be correlated with a group of edits, by checkusers.
  • Since the masking is dependent on session, what happens when the user's browser does not establish a session, for example when cookies are disabled? Are we creating a new "temporary" user for every edit? Is that helpful or not? How common is this use case?
daniel added a comment.EditedJun 4 2021, 2:40 PM

For reference, the three options that @awight is referring to from the doc I put together are:

  • "IP Masking": Keep using the user’s IP address as their name, but show a masked (encrypted) version of that name.
  • "Anon Actor": Keep using the “anonymous user” concept in MediaWiki as before, but use a randomly generated name instead of an IP address to represent anonymous users.
  • "Temp Account": Instead of modeling “anonymous” users, always create a user account when a user edits, initially using a randomly generated name.

Note that these are a summary of my own understanding of different options I have heard discussed. These may not necessarily be the options that the team driving this proposal has in mind. I am not part of that team. I summarized my understanding here to see in how far it matches other people's thoughts on the matter.

sdkim renamed this task from Temporary Account Creation for Anonymous Users (IP Masking) to Anonymous Users (IP Masking).Jun 9 2021, 3:05 PM
sdkim updated the task description. (Show Details)
Tgr subscribed.Jun 20 2021, 8:51 PM
sbassett subscribed.Jun 24 2021, 9:01 PM
sbassett added a comment.EditedJun 25 2021, 6:49 PM

IP addresses need to be purged after 90 days in accordance with data retention policy.

Would this include Checkuser data? There's been some (currently private) discussion around that topic recently: T170148.

Tgr added a comment.Jun 28 2021, 4:09 PM

Additional resources

I assume this was meant to be public.

RHo subscribed.Jun 29 2021, 9:21 AM
Prtksxna subscribed.Jun 30 2021, 5:18 PM
Mholloway subscribed.Jul 1 2021, 1:21 PM
Jenlenfantwright renamed this task from Anonymous Users (IP Masking) to Anonymous Contributors IP Masking.Jul 12 2021, 7:48 PM
Jenlenfantwright updated the task description. (Show Details)
Jenlenfantwright moved this task from Problem Statement Review to Research and Prototyping on the tech-decision-forum board.Jul 16 2021, 5:14 PM
sguebo_WMF mentioned this in T284948: Raw IPs of logged-out users disclosed in wiki-replicas.Aug 6 2021, 5:44 PM
STei-WMF subscribed.Sep 23 2021, 12:12 PM
Jenlenfantwright reassigned this task from Jenlenfantwright to sdkim.Oct 5 2021, 3:09 PM
Jenlenfantwright subscribed.
Jenlenfantwright added a comment.Oct 5 2021, 3:12 PM

Withdrawn from technical decision forum as decision on how to proceed wasn't needed in the end, received feedback needed on impact on software/departments which is what was desired.

Jenlenfantwright moved this task from Research and Prototyping to Withdrawn from Process on the tech-decision-forum board.Oct 5 2021, 3:13 PM
Mholloway unsubscribed.Oct 5 2021, 3:37 PM
Tgr added a comment.Oct 6 2021, 5:12 AM

@Jenlenfantwright can you clarify how/when the decision between the implementation options mentioned in T283177#7134490 if not in the current process?

Jenlenfantwright added a comment.Oct 6 2021, 6:21 PM

@Tgr Please consult with @sdkim on your question directly as he can provide more insight into how this will proceed moving forward if at all. Thanks!

Tgr mentioned this in T58828: Provide access to Notifications for anonymous users.Oct 19 2021, 4:20 AM
Ltrlg subscribed.Oct 19 2021, 7:27 AM
Aklapper added a subtask: T58828: Provide access to Notifications for anonymous users.Oct 19 2021, 7:39 AM
AntiCompositeNumber added a parent task: T284948: Raw IPs of logged-out users disclosed in wiki-replicas.Oct 28 2021, 12:32 AM
Aklapper removed sdkim as the assignee of this task.Feb 6 2022, 8:01 PM

Removing inactive task assignee.

Lens0021 subscribed.Feb 18 2022, 2:33 AM
kostajh added a comment.Jan 18 2023, 9:56 AM

Should this be declined in favor of T324492: Temporary accounts - MVP?

Jdforrester-WMF closed this task as Invalid.Jan 18 2023, 3:41 PM
Jdforrester-WMF subscribed.
In T283177#8533999, @kostajh wrote:

Should this be declined in favor of T324492: Temporary accounts - MVP?

I'd say Invalid, given the TDMP process was abandoned. The work (as opposed to TDMP about the work) continues over there, as you say.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL