⚓ T307164 IP Info log access to staff, stewards, checkusers, ombudsmen

Niharika created this task.Apr 29 2022, 12:11 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 29 2022, 12:11 AM

• AGueyte set the point value for this task to 2.May 2 2022, 5:21 PM

Tchanders moved this task from Triage/To be Estimated to AHaT Sprint 7: The Tin Foil Hat on the Anti-Harassment board.May 3 2022, 3:48 PM

Tchanders edited projects, added Anti-Harassment (AHaT Sprint 7: The Tin Foil Hat); removed Anti-Harassment.

Tchanders claimed this task.May 3 2022, 5:58 PM

Tchanders moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to In Progress 💪 on the Anti-Harassment (AHaT Sprint 7: The Tin Foil Hat) board.

Checkusers can already access the IPInfo log: https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/6858ed934ff0127ca77926e7505a2e05f0bb0ff8/wmf-config/CommonSettings.php#4045

staff and steward group rights are managed on-wiki (T296499#7785816), and I suspect ombuds members are too, based on the conversation here: T295017#7899961

I think there's no more technical work to be done here.

Pinging @Niharika and @STei-WMF

ARamirez_WMF edited projects, added Anti-Harassment (AHaT Sprint 8: The Flat Cap); removed Anti-Harassment (AHaT Sprint 7: The Tin Foil Hat).May 17 2022, 3:22 PM

ARamirez_WMF moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Needs Design/Product 🎨 on the Anti-Harassment (AHaT Sprint 8: The Flat Cap) board.May 17 2022, 3:24 PM

ARamirez_WMF moved this task from Needs Design/Product 🎨 to Done Q4 2022 on the Anti-Harassment (AHaT Sprint 8: The Flat Cap) board.May 17 2022, 3:50 PM

ARamirez_WMF edited projects, added Anti-Harassment (AHaT Sprint 7: The Tin Foil Hat); removed Anti-Harassment (AHaT Sprint 8: The Flat Cap).

ARamirez_WMF moved this task from Needs Design/Product 🎨 to Done Q4 2022 on the Anti-Harassment (AHaT Sprint 7: The Tin Foil Hat) board.

TheresNoTime subscribed.May 17 2022, 3:57 PM

Tchanders mentioned this in T260597: Deploy IP Info extension to all wikis (as a beta feature).May 25 2022, 12:35 PM

TheresNoTime mentioned this in T309318: Can global sysops have ipinfo-view-full and ipinfo-view-log access?.May 26 2022, 2:26 PM

ipinfo-view-log granted to ombuds

access was granted to staff and steward in T296499#7962227

Thank you @AntiCompositeNumber!

Based on Legal team's feedback, we should keep IP Info log access consistent with checkuser log access.

This isn't being followed since sysops were granted log access in rOMWC9886463a1fba: Add IPInfo viewing rights for certain groups.

T309318: Can global sysops have ipinfo-view-full and ipinfo-view-log access? is also requesting expanded log access.

Thanks @JJMC89. ~~This task was not updated to reflect that sysops should also have this access. I have updated it now.~~ I take back my comment. I believe we never said sysops will have log access in the first place. I will need to consult with Legal about this.

Niharika renamed this task from IP Info log access to sysops, staff, stewards, checkusers, ombudsmen to IP Info log access to staff, stewards, checkusers, ombudsmen.May 27 2022, 6:47 PM

Niharika updated the task description. (Show Details)

@Niharika I've filed T309411: sysop access to ipinfo logs can leak IP addresses that sysops should not have access to with some concerns.

Ameisenigel subscribed.May 27 2022, 8:12 PM

Zabe subscribed.May 28 2022, 10:19 PM

TheresNoTime mentioned this in T309928: Remove `ipinfo-view-log` from sysops.Jun 4 2022, 8:30 PM

In T307164#7963866, @Niharika wrote:

Thanks @JJMC89. ~~This task was not updated to reflect that sysops should also have this access. I have updated it now.~~ I take back my comment. I believe we never said sysops will have log access in the first place. I will need to consult with Legal about this.

Just also noting that the IP Information tool guidelines specifically mentions "A log is kept of queries made using the IP Information tool and how the information was accessed. Access to this log is limited to Foundation staff and certain advanced user groups." — I have filed T309928: Remove `ipinfo-view-log` from sysops, and would strongly recommend we implement this while we wait for Legal's reply. Config changes are "cheap" 🙂

SQL subscribed.Jun 4 2022, 8:45 PM

Can someone add me to T309411 please? :-)

Johannnes89 subscribed.Jun 5 2022, 7:18 AM

In T307164#7981156, @Oshwah wrote:

Can someone add me to T309411 please? :-)

[FTR] Looks to be already done.

It is still dangerous if someone with IP Info log access is compromised (since we have no log on viewing IP Info log). See T310393: IP Info log can be used to deanonymize user

If someone with CU (or CU log, in the case of ombuds) access is compromised, we have much larger issues than the IP Info log.

At least CU data access is logged and if someone abuse it it may be easily detected. views of CU log is not logged (I am not sure whether this is a problem; and it seems there are no retention limit of private data inside) but such log includes primarily data of abusive users, not everyone.

What I concern is if a CU/steward/ombuds is compromised abuse can be made covertly without easy way to detect.

Niharika closed this task as Resolved.Jun 14 2022, 4:59 PM

FriedrickMILBarbarossa added a project: Stewards-and-global-tools.Jul 5 2022, 2:47 PM

FriedrickMILBarbarossa subscribed.Jul 5 2022, 2:59 PM

FriedrickMILBarbarossa awarded a token.Jul 5 2022, 3:16 PM

Niharika moved this task from Backlog to Closed on the IP Info board.Aug 8 2022, 7:58 PM

Tchanders mentioned this in T310393: IP Info log can be used to deanonymize user.Apr 20 2023, 11:21 PM

IP Info log access to staff, stewards, checkusers, ombudsmen
Closed, ResolvedPublic2 Estimated Story Points
Actions

Description

Motivation

Acceptance criteria

Related tasks:

Related Objects

Event Timeline

IP Info log access to staff, stewards, checkusers, ombudsmenClosed, ResolvedPublic2 Estimated Story PointsActions