Talk:Trust and Safety Product/Temporary Accounts

The following Wikimedia Foundation staff monitor this page: SGrabarczuk (WMF) Timezone: UTC+1/+2 Language(s): pl, en NKohli (WMF) Timezone: UTC-7/-8 Language(s): hi, en In order to notify them, please link their username when posting a message.

Archives
Older archives on Meta January 2024 February 2024 March 2024

If an LTA from Chicago posts his rants on a small European wiki as an IP (easily switching to IPs from South America, Africa, South Asia), a good counter measure is to filter out IP edits on all his favorite topics, given that they're NOT coming from the wiki's +95% known IPs: our regular IP users can freely edit articles on stalin and rocky and...

If IPs will be discoverable only by clicking on each edit, there will be no way for me to analyze our usual IP ranges. He's smart enough to use private browsing, he can do all kinds of damage, so in this new scenario he wins. I have absolutely no idea how our abuse filters will work, given that most of them cover only IP (ab)users, who (luckily) represent the majority of our vandals. Is this being discussed? With emphasis on small(er)/nonglobal wikis? pon_or (talk) 17:21, 16 April 2024 (UTC)Reply

Hi. Apologies for the slower reply.

If you have the rights to see IP addresses for temporary accounts and also the rights to block users, you will be able to use Special:Block to see all the IP addresses used in the last 90 days by a specific temporary account.

Furthermore, we will be adding a special page that allows you to see the contributions made by all temporary accounts on an IP address in the last 90 days.

We are also updating AbuseFilter to add a variable for the IP address used by a temporary account. This variable will be restricted to filters that can only be viewed and edited by those with the ability to see temporary account IP addresses. This means that you will be able to continue to use filters that match edits made from ranges you identify as being nearly always problematic in specific topic areas.

Hopefully this helps, and if you still have unresolved questions please do ask. WBrown (WMF) (talk) 08:45, 28 May 2024 (UTC)Reply

I'm very discouraged when I found out that we will use temporary accounts. I'm a long-term IP editor also (tens of thousands IP edits on Commons, since late 2022, mostly file categorization). It is interesting for me to edit via various and unusual IPs, much more interesting than via dull unwanted temporary accounts. Will be a choice for an anonymous editor either use temporary account or continue to use IPs? I don't want to "protect" my "privacy". Юрий Д.К. (talk) 04:06, 18 April 2024 (UTC)Reply

@Юрий Д.К.: Hello, due the the legal reasons (the longer version explanation), it is impossible to have a choice for users continue to use IPs. Of course, they can still create an (permanent) account if they want. Thanks. SCP-2000 (talk) 04:32, 18 April 2024 (UTC)Reply

Publication of the following en:Legal opinion has been authorised by Юрий Д.К., a holder of advanced permissions on two Projects with a quarter of a million edits (who takes no responsibility for the contents):

Let's kill this canard that it is legally impossible to edit using IP addresses stone dead. It is claimed that there is "risk to users whose information is published in this way." That's like claiming that it is legally impossible for a stuntman to perform a stunt because of the risk to him personally. But he assumes the risk - to prevent him earning his living in a way he enjoys is to breach his human rights. You might as well ban boxing, cricket, football, golf, horseracing, motor racing and rugby, all of which have seen fatalities. This is why, if this ill-informed scheme ever comes to fruition, it will be challenged in the European Court on day one. It's cleverly constructed to breach consumers' human rights - there will be a little notice saying a temporary account will be created. It does not say that it will link together all the IP addresses used by the editor over the next year, which will typically run into the hundreds. Just look at the information provided when you click "account details" on your email account. That information is accessible only to you, but you have no control over who is getting the information stored in the cookie - Wikimedia couldn't tell you anyway, because they don't know! The Court has ruled the user must be given the opportunity to make "a clear and informed choice" about whether she wants a cookie or not - i.e. "yes" or "no". A dialogue box must be presented explaining EXACTLY what this cookie will do and EXACTLY WHO will be able to access the information. The user must be given the choice between accepting this privacy-invading scheme or using her IP, which will not be linked to any other IP the editor may use.

Legal says "legal ethics and privilege" disable them from communicating a legal opinion of their intention to "mask IPs of non-logged-in editors from all visitors to the Wikimedia projects." There is nothing ethical about withholding a legal opinion from the people who will be affected by it. Why is the Foundation invoking "legal privilege" to hide the reasons for its decisions from the people who pay their salaries? If their claim is true, why does Trust and Safety Product/Global User Contributions even exist? It should be superfluous. And why does newly-minted Steward Johannnes89, who has said the information is freely available to "Global rollbackers", issue year-long blocks to people who raise privacy concerns?

It's because the truth is far, far worse. This is what the Foundation are hiding:

... On enwiki, I have no access to "Connection method," "Connection owner," "Real IP/Proxy," "Static/Dynamic," and "Number of devices on IP," but according to that page, all this information should be accessible by autoconfirmed users and above. - Mokadoshi 18:07, 6 March 2024

KGB agents will be queuing up to register Wikipedia accounts. If you're not prepared to dump the scheme entirely, I suggest the following:

"I have read the explanation of how the cookie will infringe my privacy. I * reject the cookie * accept the cookie"

If having clicked "accept" the editor then clicks "publish" the edit is recorded. If having clicked "reject" the editor then clicks "publish" the following dialogue box appears:

"Your IP address will be publicly recorded. Do you wish to continue? * Yes * No"

If the editor clicks "Yes" the edit is recorded. If she clicks "No" the edit is aborted. 80.5.88.70 11:02, 4 June 2024 (UTC)Reply

Hey everyone, this is another small update, I've just created a new page Trust and Safety Product/Global User Contributions about a tool we're working on, related to temporary accounts. Over time, we'll be adding new information and pictures to that page.

For clarification, if you're curious about the naming: the new tool's name will be the same as the current one's because the current GUC will stop working, and the new GUC will have all its features.

Thanks! SGrabarczuk (WMF) (talk) 16:36, 8 May 2024 (UTC)Reply

How are database dumps going to indicate temporary users? In particular wikidatawiki stub-meta-history.xml. Currently the contributor element has an ip= attribute for ip users. Bamyers99 (talk) 15:04, 21 May 2024 (UTC)Reply

Hello @Bamyers99. Thanks for reaching out. I wanted to make sure I fully understand the question. Are you asking specifically about the new attribute used for temporary accounts instead of ip=? SGrabarczuk (WMF) (talk) 16:53, 21 May 2024 (UTC)Reply

If there is a new attribute, then that is what I am asking about. Its name and value type. Bamyers99 (talk) 17:03, 21 May 2024 (UTC)Reply

Hey, I'm coming with an answer from our engineers. We aren't planning on adding a new attribute. Instead, the current assumption is that the existing attribute for logged-in users would be used, and the value would be the temporary account name.

What do you think about this? We're open to discussing the developer experience side on Phab.

Thanks! SGrabarczuk (WMF) (talk) 00:50, 22 May 2024 (UTC)Reply

That works for me. T345855 shows the pattern to look for in the account name to identify a temporary account. Bamyers99 (talk) 12:58, 22 May 2024 (UTC)Reply

Thanks for the question and comments, @Bamyers99. I filed T365693 with a proposal for setting an attribute in the dumps. Please comment there if you have opinions on that. KHarlan (WMF) (talk) 11:50, 23 May 2024 (UTC)Reply

Hi, I'm the maintainer of the WP 1.0 bot, and the corresponding website at https://wp1.openzim.org. We have multiple points at which we store user data, and are currently using OAuth as an authentication mechanism. Currently, I believe only users with accounts will be able to OAuth. This leads to a few questions:

• In the future, will temporary account holders also be able to grant OAuth permissions/sign in with OAuth?
• If so, would they lose their user data on our tool if their temporary account gets lost/deleted? (I assume yes).
• If that's the case, is there any way for the OAuth flow to return information about if the account is temporary, so we can display a warning message or deny access, as appropriate?

Thanks! Audiodude (talk) 18:06, 21 May 2024 (UTC)Reply

We haven't decided yet (see T344721) I think for the initial release of temporary accounts, we would probably not allow temporary accounts to sign in with OAuth, to simplify things. KHarlan (WMF) (talk) 07:37, 27 May 2024 (UTC)Reply