
Investigate some open questions related to global autoblocks
Closed, Resolved | Public | 1 Estimated Story Points

Description

Background

See the parent task for what global autoblocks are and why we are implementing them: T368949: [Epic] Implement global autoblocks from global user blocks

We want to ensure the best balance between preventing abuse (we don't want to under-block) and preventing good faith contributions as collateral damage (we don't want to over-block).

Open questions
  • Should we only block account creation, so unblocked, logged-in temporary accounts can still edit?
  • Should we allow global autoblocks for all global user blocks, or just temporary account blocks?
  • Should the global autoblock be against the last IP used across all wikis, or the last IP from each wiki?
  • Should we only look up IP addresses that were used for edits, or for all actions?
  • Should we implement global cookie blocks at the same time? (Note T345245: Mitigate phase-out of third-party cookies in Wikimedia production)

Event Timeline

  • Should we only block account creation, so unblocked, logged-in temporary accounts can still edit?

They should prevent the same actions as local autoblocks.

  • Should we allow global autoblocks for all global user blocks, or just temporary account blocks?

All global account blocks

  • Should we only look up IP addresses that were used for edits, or for all actions?

Match what is used for local autoblocks.

Should we only look up IP addresses that were used for edits

Note: when blocking an account, an autoblock may be placed on one most recent IP of the account based on rc_ip column.

  • Should we only block account creation, so unblocked, logged-in temporary accounts can still edit?

JJMC89 said we should emulate local autoblocks on this, and I will defer to a steward's point of view on this. If necessary, the global autoblock should be modifiable if there is too much collateral.

  • Should the global autoblock be against the last IP used across all wikis, or the last IP from each wiki?

I would argue that for the time being we should go with the last used IP across all wikis, because:

  • A user may have made an edit a few weeks ago on one wiki and therefore the autoblocked IP is unlikely to actually be their IP address
  • It will be easier to manage one autoblock (i.e. one instance of an autoblock that affects one IP) than trying to manage multiple autoblocks. In a worst case, it could be 800 different IPs we are blocking if we do per-wiki.

We can always change this behaviour if necessary.

  • Should we allow global autoblocks for all global user blocks, or just temporary account blocks?

I agree with JJMC89 that we should allow autoblocks for all global account blocks. Stewards can choose if they wish to autoblock, so we can leave it up to a per-block basis as to whether they are applied.

  • Should we only look up IP addresses that were used for edits, or for all actions?

The way we have configured the cuci_user table (which will provide the IP address to autoblock) is to use all actions. Therefore, this question is answered by that database design choice.

We could, but I think doing that should be a separate piece of work that is tagged under T355286: [Epic] Globally blocking a temporary account should prevent further account creations. AFAIK that has not been identified as a pilot wiki blocker, so working on that through this project could delay the completion of this (which we want to avoid).

Should we only look up IP addresses that were used for edits

Note: when blocking an account, an autoblock may be placed on one most recent IP of the account based on rc_ip column.

Thanks for the note.

In CheckUser we recently added the ability for more than one IP address to be autoblocked, which can be controlled by configuration. I intend to make it possible to customise the number of IPs that are autoblocked in the same manner using a different config (in case a wiki wishes to use fewer autoblocks for global blocks).

Dreamy_Jazz set the point value for this task to 1.

Any thoughts on my answers are welcome. If I get no responses in the next few days, I'll close this task.

We could, but I think doing that should be a separate piece of work that is tagged under T355286: [Epic] Globally blocking a temporary account should prevent further account creations. AFAIK that has not been identified as a pilot wiki blocker, so working on that through this project could delay the completion of this (which we want to avoid).

I have filed T374734: Apply cookie blocks for global blocks.

Any thoughts on my answers are welcome. If I get no responses in the next few days, I'll close this task.

Resolving per this comment, and notes above. Thanks!