CheckUser
Requests have recently been made to the Board asking for verification that a user is sockpuppeting on one of the larger Wikipedias. At least two of the developers felt this was a matter for the Board or for an arbitration committee (although that Wikipedia doesn't have an arbcom), and were therefore not happy to give out details about the IP address of this user. Checking IPs is no longer a developer-only task since a new feature allows sock puppet checks.
Special:CheckUser allows a user with "checkuser" permissions to find all the IP addresses used by a particular logged in user, and to show all the contributions from a given IP address, including those made by logged in users.
Currently the only people with the necessary permissions to use CheckUser are Tim Starling (who wrote the code for this) and David Gerard (who uses it on behalf of the English Wikipedia Arbitration Committee).
This data is only stored for one week, so edits made prior to that will not be shown via CheckUser. A log is kept of who has made which queries with the tool. This log is available to those with the checkuser permissions.
I would personally like to see this feature be made available to more communities than just the English Wikipedia, but I am concerned about potential misuse of it, and the violation of privacy for users who have not been disruptive. I would appreciate any comments about this feature, and answers to the questions below.
Please feel free to add new questions below. This is only a survey of opinion, not a vote. Other answers might be found on the mailing lists. See the related threads on foundation-l, wikipedia-l, and wikitech-l.
Thanks. Angela 03:43, 12 Apr 2005 (UTC)
- A summary of the opinions given between 11 and 28 April is on the mailing list. Angela 15:17, 28 Apr 2005 (UTC)
Comment from someone with access to this feature
I should point out that I barely use it — its availability to the en: Arb Com directly is somewhat controversial, but I've some experience of net-abuse tracing and know what the results mean or don't, and I only use it when there's clearly some important issue. (Last use was to check on an apparent sock of Rienzo. Use before that was to check the zillion abusive socks in the Baku Ibne arb com case.)
I get a lot of people asking me to check something casually and I have to say "no". Although if people on en: think it's relevant to an arb com case, the "Requests for clarification" section on en:WP:RFAr is the right place to suggest. The edit evidence had better be there, though, I'm not going on fishing expeditions.
I think the issue is less "who should have access" than "what circumstances justify checking?" Spurious sock puppet allegations are almost routine in en: arb com cases. I think my own use of it could be expanded, but there are no guidelines in place and I'm not sure what makes obvious and elegant sense - David Gerard 12:29, 12 Apr 2005 (UTC)
How I'm currently using it
My current criterion for use of the function is "decently substantiated suspicion of sockpuppetry in current ArbCom case." Of late I've used it as well for "decently substantiated suspicion of sockpuppetry to violate ArbCom ban or restriction." This means I won't run checks until a case is active. If it's not noted elsewhere, I note it on en:Wikipedia:Requests for arbitration/Developer help needed.
I would find it useful to check on anyone who comes near the ArbCom, but that's probably not a good idea, especially judging from the opinions below — and people are scared enough to come near the ArbCom anyway. - David Gerard 15:30, 18 Apr 2005 (UTC)
Note that devs already do all this unchecked
I must point out the dev sysadmins do this already as they feel they need to, and no-one is told. So does any website — the admins look through the logs concerning suspected abuse as they see fit.
The question here is how to extend that to others so we don't need to bug the devs unnecesarily when they're trying to, e.g., run the site. Not to do anything that isn't happening already or that shouldn't be happening already. - David Gerard 20:39, 12 Apr 2005 (UTC)
Do you think this feature should be made more widely available?
- Certainly, since this information would be very helpful not only in resolving accusations of sockpuppetry, but also in vandal-patrolling. Also developers are often too busy with other, more important tasks to be able to perform these checks on request. User:Rdsmith4/Sig 03:54, 12 Apr 2005 (UTC)
- Yes with a couple of buts:
- Every large community should have 1 or 2 people only
- Those people should only be able to check witnin their own community
- Abuse (as in making peoples ip adres known publicly) should be severely punished. Think about a projectwide ban.
Waerth 04:37, 12 Apr 2005 (UTC)
- Certainly, but penalties for misuse should be severe, e.g., de-sysopping with a long ban. jni 06:23, 12 Apr 2005 (UTC)
- How do you define misuse ? Anthere 16:58, 17 Apr 2005 (UTC)
- Speaking only for myself: Using it for personal reasons. Fishing expeditions, i.e. using it at all without prior cause. Publicly revealing a user's IP address or threatening same. Using the information discovered to make complaints, except to ISPs, or threatening same. There are probably other forms of abuse that I simply haven't thought of yet. —Charles P. 19:42, 17 Apr 2005 (UTC)
- Those are definite abuses, yes. Though if there's strong suspicion someone is sockpuppeting as an IP, then whether there's a link is the actual question. Then there's whether the IP is static, quasi-static (e.g. a cable/DSL IP that's theoretically DHCP but in practice doesn't change very often) or dynamic - David Gerard 15:37, 18 Apr 2005 (UTC)
- Speaking only for myself: Using it for personal reasons. Fishing expeditions, i.e. using it at all without prior cause. Publicly revealing a user's IP address or threatening same. Using the information discovered to make complaints, except to ISPs, or threatening same. There are probably other forms of abuse that I simply haven't thought of yet. —Charles P. 19:42, 17 Apr 2005 (UTC)
- How do you define misuse ? Anthere 16:58, 17 Apr 2005 (UTC)
- Yes. It should be made available to people who can be trusted to handle it responsibly. Unresponsible behaviour can both be using it too much and uncarefull handling of the information, such as making it public. Gebruiker:Danielm
- Yes on a very limited basis. This involves access to confidential information, and anyone with this access should have a history of level-headed administration and respect for privacy. There are very few offenders that bring vandalism to the level where this tool is required, but their behaviour may be spread across several projects. Those with this access should be able to check other projects in pursuit of a problem individual. Eclecticology 07:37, 12 Apr 2005 (UTC)
- yes, but on a limited basis. also, both use and abuse should be better defined first. oscar 10:31, 12 Apr 2005 (UTC)
- Perhaps just a little. At present the problem is not who, it's when - David Gerard 12:29, 12 Apr 2005 (UTC)
- Yes, but with caution. Eclecticology has expressed the reasons already. —Charles P. 22:37, 12 Apr 2005 (UTC)
- No, it should even be restricted to those developers and or system administrators responsible for the continuity of the technical infrastructure. The feature being used by system administrators without any supervision right now - there might be a theoretical risk of abuse, but that itself is not a sufficient case to implement oversight right now. Dedalus 07:22, 13 Apr 2005 (UTC)
- Yes, it should be available to more people. You can't depend on a little amount of people to come up with important info in time. Yesterday, I came across a vandal who kept changing his name. In cases like these an IP ban would be very useful and stop such people from giving admins too much junk to clean up. [[User:MacGyverMagic|MacGyverMagic|(talk)]] 08:13, Apr 14, 2005 (UTC)
- I think it should be more widely available, or at least something like it. Currently, even if a sockpuppet is obvious to people familiar with the user in question, it's difficult to convince a third party unless you get a developer or find someone willing to sort through loads of circumstantial evidence. Isomorphic 21:40, 18 Apr 2005 (UTC)
- No as long as the user whos IP you are requesting does not acquiesce -- Nichtich 21:28, 20 Apr 2005 (UTC)
If so, who should be given access to it?
- I think sysops can be trusted with this access (I myself would find it quite useful in combatting vandalism). User:Rdsmith4/Sig 03:59, 12 Apr 2005 (UTC)
- Something above sysops (we don't need that many Big Brothers). The feature's access log should be visible to all users, just like the other logs. -- Netoholic @ 04:37, 12 Apr 2005 (UTC)
- One or two people per project only Waerth 04:38, 12 Apr 2005 (UTC)
- As long as there is some check on this power (user notification, see below) then I think all admins should have it for vandalism fighting. --Duk 04:42, 12 Apr 2005 (UTC)
- Give the access to all bureaucrats. Something for them to do while not promoting sysops. Access logs should be public. jni 06:20, 12 Apr 2005 (UTC)
- To determine this we would need to determine the privacy sensitiveness of an ip-address. It is certainly less sensitive than i.e. a credit card number, but likely more sensitive than a bank account number. It might perhaps be best compared to a postal address or phone number, which means it is not secret, but should be handled with care. So, people who are able to handle it with care should get access to it. Certainly these are stewards. Bureaucrats are also highly trusted people within a project. While sysops/moderators certainly are able to make carefull decisions (they do that everytime when dealing with vandals) their number makes improper usage more likely. So IMHO, giving stewards and bureaucrats access will result in a minimal amount of abuse. Giving sysops/moderators access will likely give some incidents, which communities would need to deal with. Gebruiker:Danielm 07:01, 12 Apr 2005 (UTC)
- Stewards should certainly have access, as should bureaucrats for well-established projects. In some of the smaller projects the opportunity to see if a bureaucrat can be trusted is very limited. The only reason they don't get into arguments is that they don't have anyone to arguewith. Admins who make a crusade out of chasing vandals would not be good candidates. Access logs should probably not be public; it would be difficult to make them public without releasing confidential information. This would be especially unfair in situations where the accused turns out to be innocent. Eclecticology 07:52, 12 Apr 2005 (UTC)
- firstly: stewards, on all projects. second: bureaucrats of the larger wikis, with access to "their" wiki only. oscar 10:32, 12 Apr 2005 (UTC)
- Steward or bureaucrat level - David Gerard 12:29, 12 Apr 2005 (UTC)
- I should add: IP numbers are a POWERFULLY contentious thing to have floating around. Think of the sort of malignant user who would harass other users who disagree with them if only they could find them, or their employer - David Gerard 20:47, 12 Apr 2005 (UTC)
- Both, Steward and bureaucrat level. -- Get It 13:04, 12 Apr 2005 (UTC)
- for stewards yes. But I'd rather have each community which needs this feature elect two or three people who should have access to this feature than automatically giving it to the buerocrats. First: it requires technical knowledge to interprete the results correctly (and not announce publically that someone is a sockpuppet just because he shared a proxy with a troll). buerocrats are not elected in regard to this. Second: on some (smaller) wikis buerocrats are not elected at all, but the first person who does quite some work on the wiki gets buerocrat status. Often they are not known very well by the rest of the international community. distribute power, checks and balances and so... last thing: all sysops should definitely not have access to this feature. abuse potential too high (see above about interpreting the data). Require realname and an explicit agreement to a policy of use for this feature. --Elian 16:10, 12 Apr 2005 (UTC)
- Being elected as a bureaucrat is no guarantee of trustworthiness. Perhaps the stewards as a group could decide which bureaucrats should have this access, or in some cases even grant the privilege to some other persons. (Would that mean finding a new name for a person with this capability, perhaps prætor :-)) Eclecticology 19:38, 12 Apr 2005 (UTC)
- What about frumentarius? :-) —Charles P. 22:01, 12 Apr 2005 (UTC)
- Being elected as a bureaucrat is no guarantee of trustworthiness. Perhaps the stewards as a group could decide which bureaucrats should have this access, or in some cases even grant the privilege to some other persons. (Would that mean finding a new name for a person with this capability, perhaps prætor :-)) Eclecticology 19:38, 12 Apr 2005 (UTC)
- Stewards only. 119 19:47, 12 Apr 2005 (UTC)
- Stewards only, for those wikis of which they can read the language. TeunSpaans 20:07, 12 Apr 2005 (UTC)
- Stewards, plus at least two users (think of the consuls) on each of the larger projects. The users should be selected anew, publicly, not granted the ability based on some previously-held status. —Charles P. 22:40, 12 Apr 2005 (UTC)
- David Gerard and Tim Starling are doing a responsible job and showing an enormous restraint in using it. That amount of restraint has not been displayed by all expansion advocates. The case for restricting is probably stronger than the case for expansion. Dedalus 07:25, 13 Apr 2005 (UTC)
- I understand your against expanding it. You created 2 sockpuppets that tried to upset a vote. Today another 2 of your sockpuppets where found out. With the rate you make sockpuppets I would give this reaction as well. Waerth 20:34, 13 Apr 2005 (UTC)
- It should be available to a select number of people chosen through a vote. Perhaps bureaucrats so they have something else to do than just promoting admins. [[User:MacGyverMagic|MacGyverMagic|(talk)]] 08:13, Apr 14, 2005 (UTC)
- Correctly interpreting the results of a sockpuppet check is more than just a matter of comparing IP addresses. The person doing the check also needs to check to see if the address is an open proxy, a transparent proxy run by an ISP, a round-robin proxy like AOL uses, a dialup account, a NAT box used by a school, and a number of other things. It's not something that the average Joe Bureaucrat knows how to do. --Carnildo 19:58, 14 Apr 2005 (UTC)
- Generally I feel this task should be given to the bureaucrats, not the sysops. Inter\Echo 17:50, 15 Apr 2005 (UTC)
- Certainly not all admins, but I'm not sure who should have it. Admittedly, I would love to have this for myself, even if I wouldn't use it much. Sockpuppets annoy me mightily. Isomorphic 21:46, 18 Apr 2005 (UTC)
- This isn't just a matter of access and trustworthiness. You also have to know what the data means, what it indicates and the strength of that indication. The bar for access should be "high," but should also include some appreciation of both the ethical privacy considerations and technical issues with IP address investigation. I don't know how we would select those users in a Wiki environment. Demi 07:34, 19 Apr 2005 (UTC)
- A handfull of Admins and all stewards should this acces be granted. -- MichaelDiederich 15:26, 25 Apr 2005 (UTC)
- An a bureaucrat on en who makes many of the promotions, I'm not going to self-promote myself as trustworthy, but I will comment that it would be highly useful if bureaucrats on large projects who have become trusted in promoting should either be able to check IP addresses or have quick access to Stewards who would do it for them.
- It would enable bureaucrats to judge sockpuppetry in deciding close nominations
- It would discourage such sockpuppetry in the first place if the SPs realize they can be easily found out -- Cecropia 21:18, 1 May 2005 (UTC)
- two users per project of significant size (say 10,000 articles plus) and stewards (this may mean we need more stewards). Leave it up to each comunity to decide who.Geni 00:16, 2 May 2005 (UTC)
Should it be limited to stewards, or to wikis with arbitration committees?
- Stewards only might be a good start. -- Netoholic @ 04:38, 12 Apr 2005 (UTC)
- I feel all big projects should have one or two people who are able to do it. Waerth 04:39, 12 Apr 2005 (UTC)
- It is important that someone has access to this function who speaks the language of the project and can make a judgement about the issues that require the IP-address verification. A few people per project fullfills this requirement. Gebruiker:Danielm
- no, i think each larger project should have at least one (rather active) person with access. oscar 10:34, 12 Apr 2005 (UTC)
- Every wiki should have one or two (so that the one is not the only one relied upon) - David Gerard 12:29, 12 Apr 2005 (UTC)
- At least two. Perhaps a few more with access to the logs only, if they're not to be made public. —Charles P. 14:36, 12 Apr 2005 (UTC)
- To Stewards and a particularly trusted member of the recognised Arbitration Committees (2 users can't just club together and declare themselves the Arbitration Committee for their wiki). Certainly, not to bureaucrats, which is a very general position. James F. (talk) 17:30, 12 Apr 2005 (UTC)
- If there is so much work using this tool in a project that it overwhelms the time of a single person, it is probably being overused. If only one project-specific person has this right it is probably enough; the stewards are still there to investigate any possible abuse of nthe right. Eclecticology 19:29, 12 Apr 2005 (UTC)
- Not quite - it's simple enough to enter a username and get IPs that have used it, or enter an IP and get usernames that have used it. It can take time to do a check properly, though, do a whois and nslookup on all IPs, understand what those mean, etc. Two per project also means you're not depending on a single person - David Gerard 20:36, 12 Apr 2005 (UTC)
- No, I think bureaucrats can be trusted with the feature too. [[User:MacGyverMagic|MacGyverMagic|(talk)]] 08:13, Apr 14, 2005 (UTC)
- The Stewards could need some support by some trusted admins or so -- MichaelDiederich 15:28, 25 Apr 2005 (UTC)
Does the privacy policy need be adjusted to allow the use of this feature?
- It should note the CheckUser feature. And [1] should be updated accordingly.--Duk 04:05, 12 Apr 2005 (UTC)
- Yes. Gebruiker:Danielm
- yes. oscar 10:35, 12 Apr 2005 (UTC)
- Actually, I think it's already covered in investigating things for the security of the wiki - David Gerard 12:29, 12 Apr 2005 (UTC)
- can't harm to mention it. --Elian 16:11, 12 Apr 2005 (UTC)
- Already covered; I checked for this a month or so ago. James F. (talk) 17:29, 12 Apr 2005 (UTC)
- Absolutely -- Nichtich 21:28, 20 Apr 2005 (UTC)
Should the user be notified when CheckUser is run on them?
- Absolutely, people deserve to know when they are being investigated. It could be a notice that is only visible to the user, similiar to the message notice. Duk 04:00, 12 Apr 2005 (UTC)
- No, because nine out of ten investigations would be false alarms anyway. It would create a false unrest and maybe even huge arguments. It is better to keep accusations silent untill you have gathered the evidence. No need to rock a boat otherwise. Waerth 04:43, 12 Apr 2005 (UTC)
- Yes, it might create
hugeoccasional arguments, exactly the type of check that would keep it from being abused.--Duk 09:04, 12 Apr 2005 (UTC) - If nine out of ten users checked are innocent, then I have to question the reasoning that led to them being checked. --Duk 17:38, 12 Apr 2005 (UTC)
- Let's say I'm editing from a high-school computer lab. I might be one of thirty or so people editing from that school. Say one of the thirty is a vandal. An IP check on that vandal will bring up the school's IP address, and the user check on that IP to see who might be a sockpuppet will bring up all thirty of us. But 29 are innocent.
- Or let's say I'm vandalizing from an AOL account. An IP check on me will bring up the AOL proxies I'm editing through, and a sockpuppet check on those IP addresses will bring up thousands of users -- everyone who's ever edited through AOL.
- A sockpuppet check, by its very nature, will frequently bring up a lot of false positives. --Carnildo 00:27, 13 Apr 2005 (UTC)
- You've misread the question; notification would go the the account that was checked, not all the resulting possible matches. This would alert a user they were being specifically targeted and checked out, and they would have cause for complaint if there was no reason to run it. Although, now that you mention it, I can see some people wanting to be alerted that their ip information was viewed in the course of a sockpuppet investigation (not myself though). --Duk 20:56, 13 Apr 2005 (UTC)
- Yes, it might create
- No, in an investigations multiple users will be queried, the majority will be innocent. It will make people think they are suspect, while in a lot of situation it won't be the case. Gebruiker:Danielm
- Precisely - David Gerard 12:29, 12 Apr 2005 (UTC)
- No, doing do would cause more problems than it solves. Eclecticology 07:57, 12 Apr 2005 (UTC)
- not just the user. either all users be able to check the log, or only those who have access to the feature. once CheckUser has become a more widely accepted procedure, there will hopefully be less arguments about it. oscar 10:41, 12 Apr 2005 (UTC)
- Not necessarily - David Gerard 12:29, 12 Apr 2005 (UTC)
- Absolutely. We don't want a Big Brother feature, do we? -- de.Carbidfischer 12:36, 12 Apr 2005 (UTC)
- Notify the user and keep the logs as public as possible. No §213 please. —Charles P. 14:34, 12 Apr 2005 (UTC)
- Can I call Godwin's on that? James F. (talk) 17:32, 12 Apr 2005 (UTC)
- No. —Charles P. 21:56, 12 Apr 2005 (UTC)
- I'll suggest it then. This is not an experiment in Internet democracy, it's a project to write an encyclopedia. As I note above, on any website the sysadmins will look through logs at will. Our devs already have the power to look through the logs at will, and do so. And no-one is told. And I wouldn't stop them, either. This is about extending a small portion of that ability to others, so as not to bug the devs while they're trying to run the site - David Gerard 21:59, 12 Apr 2005 (UTC)
- And I'll suggest that now that we have the opportunity to change a bad practice, we should take advantage of it. The accumulation of unaccountable, uncheckable power in the hands of a select clique of informers has the potential to do far more harm than any number of sockpuppets and trolls. —Charles P. 22:10, 12 Apr 2005 (UTC)
- I certainly hope you'll email wikitech-l about this problem, so that they understand the depth of your concerns. Or we could just run a top-100 site without any sysadmins, since you think they inherently can't be trusted - David Gerard 23:09, 12 Apr 2005 (UTC)
- I certainly hope you'll familiarize yourself with the concept of necessary evils, and realize that transparency and accountability are the best checks on abuse. —Charles P. 23:38, 12 Apr 2005 (UTC)
- I talked about the sysadmins who run the site, you responded saying "And I'll suggest that now that we have the opportunity to change a bad practice, we should take advantage of it. The accumulation of unaccountable, uncheckable power in the hands of a select clique of informers ..." I mean, WTF? You do realise that the process of administering a website involves complete access to this stuff all day every day? That's what sysadmins do - David Gerard 23:41, 12 Apr 2005 (UTC)
- I can do nothing about what the developers do or don't do with their access to this information, even when they blatantly abuse it. I can do something about what non-developers do with it—or I could, if the sole non-developer with the ability to cross-check IPs weren't so strenuously resisting efforts to make sure he is kept accountable. Why is that, by the way? —Charles P. 03:03, 13 Apr 2005 (UTC)
- I don't think I am, hence encouraging discussion here. However, I wish you luck in your campaign to impeach Tim Starling - David Gerard 11:29, 13 Apr 2005 (UTC)
- You're just arguing vociferously against someone who wants you held accountable. But perhaps we're in Wiki:HeatedAgreement. I know I want this tool available to non-developers, and perhaps you do want to be held accountable. —Charles P. 13:33, 14 Apr 2005 (UTC)
- I don't think I am, hence encouraging discussion here. However, I wish you luck in your campaign to impeach Tim Starling - David Gerard 11:29, 13 Apr 2005 (UTC)
- I can do nothing about what the developers do or don't do with their access to this information, even when they blatantly abuse it. I can do something about what non-developers do with it—or I could, if the sole non-developer with the ability to cross-check IPs weren't so strenuously resisting efforts to make sure he is kept accountable. Why is that, by the way? —Charles P. 03:03, 13 Apr 2005 (UTC)
- I talked about the sysadmins who run the site, you responded saying "And I'll suggest that now that we have the opportunity to change a bad practice, we should take advantage of it. The accumulation of unaccountable, uncheckable power in the hands of a select clique of informers ..." I mean, WTF? You do realise that the process of administering a website involves complete access to this stuff all day every day? That's what sysadmins do - David Gerard 23:41, 12 Apr 2005 (UTC)
- I certainly hope you'll familiarize yourself with the concept of necessary evils, and realize that transparency and accountability are the best checks on abuse. —Charles P. 23:38, 12 Apr 2005 (UTC)
- I certainly hope you'll email wikitech-l about this problem, so that they understand the depth of your concerns. Or we could just run a top-100 site without any sysadmins, since you think they inherently can't be trusted - David Gerard 23:09, 12 Apr 2005 (UTC)
- And I'll suggest that now that we have the opportunity to change a bad practice, we should take advantage of it. The accumulation of unaccountable, uncheckable power in the hands of a select clique of informers has the potential to do far more harm than any number of sockpuppets and trolls. —Charles P. 22:10, 12 Apr 2005 (UTC)
- I'll suggest it then. This is not an experiment in Internet democracy, it's a project to write an encyclopedia. As I note above, on any website the sysadmins will look through logs at will. Our devs already have the power to look through the logs at will, and do so. And no-one is told. And I wouldn't stop them, either. This is about extending a small portion of that ability to others, so as not to bug the devs while they're trying to run the site - David Gerard 21:59, 12 Apr 2005 (UTC)
- No. —Charles P. 21:56, 12 Apr 2005 (UTC)
- Yes, sorry, we seem to be. My apologies for escalation on my part. I have no objection to accountability; my main difficulty at present is that there aren't any rules. Though I'll probably end up writing the first draft ;-) I find this discussion very important to get a handle on what makes sense. It's just as well I'm of superlative moral purity and utterly incorruptible, really, otherwise we'd have had trouble by now - David Gerard
- Can I call Godwin's on that? James F. (talk) 17:32, 12 Apr 2005 (UTC)
- No. If they are accused based on that information, they should be informed, but there's no reason to alarm people who have been falsely fingered by users that they've done anything wrong. James F. (talk) 17:32, 12 Apr 2005 (UTC)
- Yes. You are invading someone's privacy by doing this, and they have a right to a notification and explanation. I do not think this reluctance to "alarm" people is reasonable; if you cannot explain to the user being investigated why you have seen fit to investigate their access history, then it would appear the tool has been used frivolously. 119 19:30, 12 Apr 2005 (UTC)
- I must point out the dev sysadmins do this already as they feel they need to, and no-one is told. So does any website - the admins look through the logs concerning suspected abuse as they see fit. The question here is how to extend that to others so we don't need to bug the devs unnecesarily when they're trying to, e.g., run the site - David Gerard 20:39, 12 Apr 2005 (UTC)
- I administer many sites so I understand where you are coming from here. However I'd like specific examples involving Wikipedia where an admin has had to find a correlation between usernames and ip addresses (outside of the cases that this tool was deisgned for obviously). I would argue that finding such a correlation is not necessary outside these isolated cases. Also, it's considerably harder to become a system admin (admin meaning someone with developer access in this case) than to become a Wikipedia admin. So should the criteria for getting access to this sensitive information be that you must be a wikipedia developer simply because they already have access to sensitive information? Just because a sysadmin can access sensitive information doesn't mean they should. For instance, someone with root access can snoop on anyone, but does this mean they should. I'd say no. I think the same applies here. { MB | マイカル } 23:58, 12 Apr 2005 (UTC)
- Of course. Ultimately, though, we do have to trust them. The tool logs all uses - David Gerard 01:10, 13 Apr 2005 (UTC)
- I administer many sites so I understand where you are coming from here. However I'd like specific examples involving Wikipedia where an admin has had to find a correlation between usernames and ip addresses (outside of the cases that this tool was deisgned for obviously). I would argue that finding such a correlation is not necessary outside these isolated cases. Also, it's considerably harder to become a system admin (admin meaning someone with developer access in this case) than to become a Wikipedia admin. So should the criteria for getting access to this sensitive information be that you must be a wikipedia developer simply because they already have access to sensitive information? Just because a sysadmin can access sensitive information doesn't mean they should. For instance, someone with root access can snoop on anyone, but does this mean they should. I'd say no. I think the same applies here. { MB | マイカル } 23:58, 12 Apr 2005 (UTC)
- I must point out the dev sysadmins do this already as they feel they need to, and no-one is told. So does any website - the admins look through the logs concerning suspected abuse as they see fit. The question here is how to extend that to others so we don't need to bug the devs unnecesarily when they're trying to, e.g., run the site - David Gerard 20:39, 12 Apr 2005 (UTC)
- Yes, agree with 119. TeunSpaans 20:05, 12 Apr 2005 (UTC)
- Just a comment, it *is* privacy sensitive information, and should be cared for, but know that you reveal your IP-adress constantly to people you don't know as you access the internet. The only way to keep it secret is to not use your internet connection. For example, it is in any e-mail you send. If you reply to someones e-mail, you reveal your ip-address. It's like a postal address, it is privacy sensitive information, but is used in any of your communication and a lot of people know it. Gebruiker:Danielm
- I am shocked by David Gerard's and Tim Starling's attitude concerning privacy in general and especially concerning the CheckUser feature. If you want to check a user, why don't you want to tell him oder her about that?! Is this a free encyclopedia or a 1984-like place with a Scientology-like style of leadership? I'm really shocked. Perhaps it would be better to leave the Wikimedia projects, like the German Ulrich Fuchs did with Wikiweise. -- de.Carbidfischer 13:51, 13 Apr 2005 (UTC)
- and I'm shocked by this statement. Tim and David show enormous restraint in using this feature and do queries only in cases of abuse. In fact everyone who has the ability to check for sock puppets does so in a responsible way at the moment AFAIK. --Elian 02:10, 14 Apr 2005 (UTC)
- ?! I've used this feature much less than I've ever wanted to, and only in very clear cases of its applicability. I'm sure Xenu would fully approve of my uses of this tool. One thing I really want to come out of this discussion is some idea of what uses would be reasonable and what wouldn't - David Gerard 23:55, 14 Apr 2005 (UTC)
- Perhaps I misread your intentions. But looking at what you said to those who wanted a notification and how you said it, I thought that your intentions weren't that user-friendly. If I was completely wrong, I'll apologize. But I'm still not entirely convinced. -- de.Carbidfischer 17:05, 15 Apr 2005 (UTC)
- Absolutely, in every case. -- Nichtich 21:28, 20 Apr 2005 (UTC)
- No, the person who will do the check is a trusted person and will know what to do and what not to do -- MichaelDiederich 15:29, 25 Apr 2005 (UTC)
- Can I exclude abuse just by trusting the one who uses the feature? Of course not. -- 84.146.163.166 13:37, 29 Apr 2005 (UTC)
- No, as same the police has no duty to inform those who they investigate. If necessary, the editors who will be granted this power could make reports to the board, trusted users' group, an trusted third party like ombusman (elected or appointed by the board) or any other appropriate trusted people for preventing to abuse their preveledges. --Aphaia | Translate Election | ++ 17:13, 25 Apr 2005 (UTC)
- Yes. ugen64 21:08, 2 May 2005 (UTC)
What circumstances merit checking?
(I'm asking this one because I have this ability and I'm not entirely sure myself. I'm looking for the obviously elegant principle for an answer. - David Gerard 17:49, 12 Apr 2005 (UTC))
- Perhaps a parallel to search warrants can be drawn. Before a judge will grant such a warrant the person seeking it must show reasonable cause. Eclecticology 19:17, 12 Apr 2005 (UTC)
- I feel that this tool should be rarely if ever used to find sock puppets. If this tool simply tells you which accounts have been used from which ip address this is not enough evidence to prove the use of "sock puppet" accounts. I for instance access Wikipedia via a machine which has no real ip address but rather shares a real ip address with several hundred machines. I know for a fact that other people on my network use Wikipedia, and I have no doubts that some of them will be browsing similar pages as me. So, while this tool might be helpful, I feel that it provides far too much opportunity for abuse if it were to be allowed to be used by the general population. Admins already block IPs in similar ranges when fighting "vandals" often blocking legitimate users. Also, this tool could and would provide a huge invasion of privacy by potentially removing anonymity from the use of Wikipedia. Please let this tool be a last resort in serious cases. { MB | マイカル } 18:05, 12 Apr 2005 (UTC)
- Well, yeah. There's no substitute for clue on the part of the checker. If stewards or bureaucrats get this tool, they'll very much need a quick course on subjects such as spamtracing - David Gerard 20:47, 12 Apr 2005 (UTC)
- Simply from a technical point of view, the wide use of this tool as it is currently implemented would probably involve synchronization issues resulting in the corruption of the log (I had a similar experience with the paypal donations script I've worked on). { MB | マイカル } 18:05, 12 Apr 2005 (UTC)
- I assume Tim will test that ;-) - David Gerard 20:47, 12 Apr 2005 (UTC)
- Reasonable cause and the request of some other user (no using this to snoop on personal enemies), which should be made and recorded publicly: on the wiki or mailing list, not in private e-mail or IRC. —Charles P. 22:44, 12 Apr 2005 (UTC)
- I agree, with some reservation: the arbcom list should count, go-ahead from $MONARCH (currently Jimbo) should count - David Gerard 23:55, 14 Apr 2005 (UTC)
- I can think of two valid uses, the already mentioned sock puppet identification and tracing vandals with user accounts. Sock puppet identification is only necessary if there is a suspection of abuse (i.e. voting multiple times), vandal identification is only necessary if a block doesn't stop him from vandalising. In certain circumstances, it might be used to complain to a vandal's ISP. Gebruiker:Danielm
- Use of multiple accounts isn't the same as sockpuppeteering. It seems sometimes some people do confuse the two. This page and the Wikipedia-l mailing list do show a lot of fall out of the Waerth versus Wikix case on the Dutch Wikipedia (where health is rapidly deteriorating), while mediation (though not by a formal arbitration committee) is going on. Elegant positive principles are hard to state. There might be some negative ones. Someone start his request with "I want to know if X is the same as Y"? This is a case for clear denial on IP-address check. The answer should be: "Go ask X, go ask Y, don't ask me." Another negative one is that it might be a means of last resort. Reasonable cause is not sufficient. Have other means been tried? Did they work? Voting is on several projects only allowed by users who created an account at least one month ago, and have made at least one hundred edits. The voter - suspected of sockpuppeteering - might just have casted an illegal vote. Illegal votes get striken through - there is no need to check IP-adresses. Checking IP-adresses in that case is imho totally unnecessary and seriously abusive. There is no need to solve a case that has already been resolved. That would be a waste of time, energy and other resources. The Wikipedia project for example consumes time, energy and other resources to create an encyclopedia and is not a project to reduce the uncertainty of some people wondering if X is the same as Y. If people can't live with that uncertainty, they probably need a Wiki-break. Relax, cool down, stop hunting, don't feed trolls, revertly slowly, exercise control over your emotions. The standard reply to any checking request might be: "I understand you do have a problem serious enough to report to me. I noted it. You can probably fix the problem yourself by other means (without checking IP-adresses). Come back after 72 hours if the problem has not been fixed I show me what you've done to solve it in another way" That sounds like a procedural solution. Dedalus 08:22, 13 Apr 2005 (UTC)
- As you are sock pupetteer yourself who has been identified of serious abuse I understand your desire to limit IP-address checking as much as possible. Gebruiker:Danielm
- I second DanielM we found another 2 of them today. Stop it dedalus. You can use sockpuppets as long as they are not upsetting. Keep them out of talkpages and votes, it is extremely frustrating that by now with every new user coming along that starts voting I have to think is this one of Dedalus puppets? Simply striking them doesn't work. You shouldn't do it in the first place. Waerth 20:39, 13 Apr 2005 (UTC)
- As you are sock pupetteer yourself who has been identified of serious abuse I understand your desire to limit IP-address checking as much as possible. Gebruiker:Danielm
- The user that is checked has to approve -- Nichtich 21:28, 20 Apr 2005 (UTC)
- I think you have something misunderstood here. This feature is for investigating abuse. Do you require the police in a country to seek permission from a thief before starting investigations? --Elian 15:52, 21 Apr 2005 (UTC)
Let everyone use it
The only reason to limit access is that it might violate users' privacy if other users could see their IP addresses. But so long as the CheckUser function doesn't report actual IP addresses, there's no privacy problem. Have it report something like the md5sum of the real IP address, and then salt that by adding a secret number known only to the CheckUser author (to prevent hypothetical attacks by an obsessive compulsive takes the md5sum of every possible 256^4 IP address.) Not that IP addresses are that secret anyway; you already display those of any non-logged in user. Here's mine: 24.125.116.65 11:11, 13 Apr 2005 (UTC)
- A hash of the IP address would not be useful. My wikitech-l post gives some reasons for this [2]:
Ben Brockert wrote: > YA-feature request: how about making it more private for the users? > Instead of the utility taking one username and giving IP addresses, have > it take two usernames and have it say whether or not they are the same > IP? Or the same /24, to catch the dialup users. I don't think all sysops > should have access to all user's IPs (I say that as a sysop, not as a > tinfoil'd user), but I also think kicking sockpuppets should occur well > before arbitration. Unfortunately the situation is more complex than that. Many users are behind proxies, either mandated by their ISP or by choice. Occasionally two legitimate users may use the same public or school computer. Partial IP matches, such as someone using the same regional ISP, are very useful despite not being certain. Two users using regional ISPs from different regions is an excellent indication that they are not the same person. Dialup pools and DHCP pools for DSL users are usually larger than /24. If we could make a magic script that somehow compared two IP addresses and produced a percentage likelihood that they were the same person, then maybe we could avoid releasing IP addresses. But at present, allowing competent humans to compare hostnames and traceroutes, check for open ports, request whois information, visit ISP webpages, etc. is the only way to produce useful information. -- Tim Starling
- Proof that there is no connection between two users is just as valuable socially as proof that two users are the same. The widespread use of DHCP pools for DSL users makes exact IP matches easily avoidable by a technically capable user. Some ISPs use proxies, causing a large number of users to come from the same IP address. Some users use open proxies, which is suspicious behaviour and useful information. This feature was carefully designed based on my experience with sockpuppet investigation, to give useful information in response to a typical request. -- Tim Starling 12:11, 13 Apr 2005 (UTC)
- Yep. IP matching is an art, not a technical procedure susceptible to Taylorism - David Gerard 23:55, 14 Apr 2005 (UTC)
At discretion of arbcom, subject to veto
All the gubbins seems to me to be a symptom of our understandable suspicion about abuse of this feature. The best solution to me seems to be to place this feature at the discretion of the arbitration apparatus of each individual Wiki, subject to veto, separately, by the board and Jimbo. Power to flip the appropriate bits to grant or revoke the ability to use this feature should continue to reside with whoever has it now, who as de facto custodian of user privacy would have an absolute veto. Arbcom should also be responsible for ensuring that the feature is used only according to its instructions. The log of all accesses of this feature (when used and by whom) should be public if possible. Further information should not be made available but should be available by a report run by the developers on request of arbcom. User:Tony Sidaway 15:30, 28 Apr 2005 (UTC)
- There are only 2 or 3 wikis with an arbcom. So basically you are teling other wiki ... you cannot use it! Waerth 09:45, 29 Apr 2005 (UTC)