Certain MediaWiki: pages will reveal that a (blocked) user has been using that IP address, to any third party using the same IP.
In particular:
- MediaWiki:Autoblocker
- MediaWiki:Cantcreateaccount-text
As far as WMF projects are concerned the information relating a user to an IP should only be available to designated WMF staff and checkusers.
Worse the current text of
- MediaWiki:Autoblockedtext
encourages the third party to publish the IP and account name on the Internet, unsing the {{unblock-auto}} template, which will remain publicly available in history, and archives, effectively for perpetuity.
Therefore the following steps should be taken:
0. A list of affected MediaWiki: pages should be created.
- On all WMF projects the pages should be re-written with a more neutral message, excluding any identifying information.
- The mechanism that passes the identifying information to the pages should be removed.
- Each project, with support where necessary, should perform an audit/oversight on uses (including uses in history) of the following templates (or their equivalents)
- Template:Unblock-auto
- Template:Unblock-auto reviewed
- Template:Unblock-auto on hold
You can see where this has been done correctly, though possibly the private data is still visible to administrators, by viewing the history of wp:en:User talk:Leodj1992.
Version: 1.22.0
Severity: normal
URL: https://meta.wikimedia.org/w/index.php?title=Wikimedia_Forum&oldid=5729964#Privacy_violation
See Also:
T44345: Blocks from AbuseFilter show up as performed from the target's IP address in Checkuser
T58227: Provide original user name as "intended blockee" in case of autoblock
T15131: Allow admins to correlate autoblocks to originating block (currently admin cannot see IF in fact the IP is autoblocked)