Requests for comment/Exposure of user IP addresses

This request for comments is regarding exposure of user IP addresses.

Previous discussions
[FIXME: there have been a million wikitech-l, mediawiki-l, Bugzilla, and wiki discussions about this; find and cross-reference here please. See candidates.]


 * T20981
 * T2556
 * T7486
 * T64979
 * mediawiki-l/2009-May/030979.html
 * m:Talk:Privacy policy/Archives/2013
 * m:Talk:Privacy policy/Archives/2013 (2)
 * m:Talk:Privacy policy/Archives/2013 (2)
 * wikimedia-l/2015-March/077341.html

Related discussions

 * EventLogging/UserAgentSanitization
 * Thread:Talk:Requests for comment/Structured logging/IP address and other personal identifying information
 * Logs

Background
Currently within MediaWiki, if a user chooses not to log in, MediaWiki uses their assigned IP address as the user identifier. If a user edits while logged out, the IP address is recorded and stored in perpetuity as a username would be.

If a user edits whiled logged in, the associated address is privately stored for 90 days and only accessible by system administrators, or in the case of Wikimedia wikis and other wikis using the CheckUser extension, a small group of trusted users. After 90 days, the information is purged from the system and no longer accessible.

Advantages to using IP addresses

 * Knowing whether an IP address belongs to a school or the U.S. Congress or whatever can be helpful information.
 * IP addresses are relatively difficult to change for an average user, helping prevent vandalism and other repetitive harm to the projects.
 * IP address ranges can be blocked.

Disadvantages to using IP addresses

 * Privacy concerns!
 * Users can be unknowingly and unwillingly identified when editing while logged out.
 * Information about underlying IP addresses used with user accounts can be subpoenaed by law enforcement during the retention period.

Proposals
Related to the previous discussion above. Usually some kind of salting, random name thing.