Talk:Anti-Harassment Tools/CheckUser Improvements

• Seems neat but not too different from the existing Special:CentralAuth. When I want to look up multiple accounts I'm usually more interested in seeing if there's any overlap in technical data. I also generally only care about enwiki, since that's the only place I can take any action.

  What you have here seems better fit for a public-facing special page, maybe Special:CentralAuthMultiple, or something. Mostly of use to stewards, not local CUs. — MusikAnimal ^talk 19:47, 4 October 2019 (UTC)Reply

• I agree with what MusikAnimal said. -- zzuuzz ^(talk) 05:37, 8 October 2019 (UTC)Reply

• @MusikAnimal and Zzuuzz: , the idea here was to provide the information Special:CentralAuth provides but in one view for all of the linked accounts instead of the Checkuser having to do the lookup for each account separately. We can definitely restrict the information to a single wiki (the wiki where the check is being run) and offer an option to view information for all wikis (for global cases). With that in mind, do you think this could be useful? -- NKohli (WMF) (talk) 12:23, 8 October 2019 (UTC)Reply

• How does this compare with Special:MultiLock? Note that it might be restricted to stewards. – Ajraddatz (talk) 17:59, 8 October 2019 (UTC)Reply

• @Ajraddatz: I don't have access to that special page but my understanding is that that interface, though it provides a similar level of information, is for when you need to lock multiple accounts. We are trying to surface all that information in CheckUser so basic information about the accounts can be viewed before deciding whether a check is warranted. Do you think it would help to tie in Special:MultiLock with CheckUser? -- NKohli (WMF) (talk) 19:00, 8 October 2019 (UTC)Reply

• 100% yes. As it is, when I have a list of accounts to multilock I need to manually add their names into separate CU windows. Any improvement to that workflow would be amazing. (pic of multilock interface) – Ajraddatz (talk) 19:13, 8 October 2019 (UTC)Reply

• @Ajraddatz: The Get users interface in CheckUser has an option to select multiple accounts and block them all. Is that similar to what you are looking for? Do you use it much? -- NKohli (WMF) (talk) 06:04, 9 October 2019 (UTC)Reply

• Comparing edit counts and registration dates could be helpful, but in my workflow I usually already know what accounts I want to check (and that there's strong enough evidence to warrant those checks). The hard part is identifying any crossover in technical data. So in my case I'd probably go straight to the second screen that you have listed. — MusikAnimal ^talk 21:10, 8 October 2019 (UTC)Reply

• From what I read it might be helpful as a safety net to make sure that you are checking the right accounts. --Rschen7754 18:19, 8 October 2019 (UTC)Reply

• @Rschen7754: do you imagine this being an Are you sure you want to check the following users? kind of step? -- NKohli (WMF) (talk) 19:00, 8 October 2019 (UTC)Reply

• It could be, as I've heard stories of users accidentally being checked (and even though I rarely used CU when I had access, I managed to mistype an IP range). But I would hesitate to make it mandatory for everyone. --Rschen7754 04:42, 9 October 2019 (UTC)Reply

• The preliminary check page should be part of Special:CentralAuth (i.e. being allowed to supply multiple users) so that everyone can benefit from it. There is no sensitive information on the proposed mockup that justifies restricting it to checkusers. MER-C (talk) 13:00, 12 October 2019 (UTC)Reply
• I think this is a useful tool. But as on the other comments, it should be a public tool. That public tool should have a link to perform a check on the accounts, only visible for checkusers (like for checkusers there is a link to the checkuser tool on the contribution page). For the tool on a specific wiki it should only show that specific wiki, with a link to meta to do a crosswiki check. With that, the local tool should link to the local contributions, the crosswiki one should per wiki have a link to local contributions and have a link to guc. Regarding guc, I think that should then not be an 'external' tool anymore, but integrated as a special page on meta. Akoopal (talk) 16:13, 13 October 2019 (UTC)Reply

• @MER-C and Akoopal: I agree that it is all public information and could be made available to all users. Our foremost priority is to make improvements to CheckUser. Testing this feature with a small group of users will allow us to gather quick feedback and iterate faster. Regarding making guc a special page, that is definitely highly desirable but it would be a very big project in itself. We want to focus our efforts towards reducing the biggest pain points of using CheckUser first. -- NKohli (WMF) (talk) 05:44, 17 October 2019 (UTC)Reply

• @NKohli (WMF): Agreed to start testing small, but for the sake of separation, make it two separate pages I would say, this tool and the new CU tool. What about my comment having the crosswiki one on meta, and on the local wiki just offer it for that wiki, and link there to the normal local contributions instead? Akoopal (talk) 21:28, 17 October 2019 (UTC)Reply

• Display ASN and geolocation information next to IPs. (see also phab:T174553) Huji (talk) 00:50, 5 October 2019 (UTC)Reply

• @Huji: This is definitely something we have been thinking about. We would need to coordinate with the Operations and Security teams to fulfill that request. While we do that groundwork, we hope to meanwhile improve existing CheckUser data presentation. -- NKohli (WMF) (talk) 12:29, 8 October 2019 (UTC)Reply

• ...

• I assume this is a proposed makeover for the "Get IP addresses" view. This seems quite good; it would quickly tell me whether or not the the accounts might be related, and whether I need to check individual IPs or ranges. I don't need a separate tab for each account I look up. Good stuff!

  For "Anything else?", we should include all the same information we have currently, such as block/lock status and user groups. Preferably "Activity" would show a full date range of editing activity, as it does currently. While I know this isn't a proper wireframe, I don't think a tabular format would work well given the amount of information and links we'd need to display. I personally find the status-quo to be readable enough. Note also we customize the links with w:MediaWiki:Checkuser-toollinks.

  I don't think this UI could replace "get users" (and obviously not "get edits"). We need to see individual IP users in addition to accounts, and the option to see everyone's edits. This helps to further conclude if there is a connection and whether hard blocks are appropriate. There are use cases to "get edits" by a single account or IP, too. — MusikAnimal ^talk 23:00, 8 October 2019 (UTC)Reply

• Make accessible full HTTP headers. The WMF is automatically supplied that information, and it may be useful in addition to UA/location. MER-C (talk) 13:02, 12 October 2019 (UTC)Reply

• Thanks MER-C. I will be checking in with Legal about Ops about that exposing that information. -- NKohli (WMF) (talk) 05:44, 17 October 2019 (UTC)Reply

• In case the query was run for the last week, two weeks or last 30 days; instead of the maximum allowable period, the log message in the checkuser log could say so I think. —MarcoAurelio (talk) 09:34, 22 October 2019 (UTC)Reply

Note: We are not adding any new information to the tool, as a first step. We are looking to improve access to the information already being presented in the tool. We want to be able to deliver value quickly and iterate based on the feedback we receive.

• Making phab:T146837 a reality would be a dream come true. Even just doing exact matches (no wildcards) would be of great help. — MusikAnimal ^talk 19:50, 4 October 2019 (UTC)Reply
• As far as I can see, this is just replacing the initial steps - the 'preliminary check' is similar to the CentralAuth page, which is not usually important, and the 'Checkuser' section is just replacing the 'Get IP addresses' stage in the current tool. The latter is of course a very important starting point for looking at accounts, and I'm sure it can be improved, but is only ever part of the story. The all important bit is the 'Get edits' part, or 'ipcheck' as it's (perhaps) called here, which I don't see discussed at all. Maybe no changes, or something else is planned for it? That would be OK, but it's not clear from this page. The other important bit is the 'Get users' part of the current tool, which is indispensable for blocking large numbers of accounts - again not mentioned. The page does rather ominously mention 'showing all the necessary data in one interface', which I find difficult to imagine. So perhaps we are missing how this proposal fits into the rest of the picture? -- zzuuzz ^(talk) 05:37, 8 October 2019 (UTC)Reply

• I see the ipcheck refers to the ipcheck tool, which is sometimes useful but just one of many. What the 'Get edits' part currently does is add the context for what is being done at the time, and the precise timeline of events. I'm also having difficulty imagining what the proposed data will look like for a prolific multi-account socker using multiple addresses in a range at multiple times. These can be picked up relatively easily with the current 'get edits' tool. -- zzuuzz ^(talk) 13:43, 8 October 2019 (UTC)Reply

• @Zzuuzz: Thanks for the feedback. I'm curious to learn more about your workflow with CheckUser. In the several CheckUser interviews we did, we rarely saw Get edits being used. Get IP addresses and Get users were primarily used. When is it that you would use Get edits and what does it offer that the other views don't? The current view described on the page would list all the IPs used by all the accounts under question (and also identify other accounts using the same IPs). Could you give me a made up example of a case where you think the proposed views won't work? Thank you so much! :) -- NKohli (WMF) (talk) 16:14, 8 October 2019 (UTC)Reply

• OK, I can accept I might be a bit of an outlier. I hardly ever use 'Get users', except to block many accounts after having got the edits. I wonder if one difference might be that I am rarely looking to confirm whether one user is another, instead I am mainly looking for other sockpuppet accounts and especially the collateral for IP blocks. In the language of this page I will more often do most profiling after the checking. I'm also looking a lot at ranges with multiple people. You can't say that one user (that you've come across) is another just because they use the same IP and user agent - you need to look at what they're doing and the timeline of events (things like IP switching and browser changes are only really clear in this view). Additionally you see all the data in one view (filter hits, account creation, deleted edits, password resets, ...). So I think some of this might be lost. I also have to repeat though, being able to block 50 accounts from the CU results with a couple of clicks is a Great Thing. -- zzuuzz ^(talk) 20:28, 8 October 2019 (UTC)Reply

• I use "get edits" whenever I need a timeline. For example:

• 2019-10-09 00:10 GermanyFan edits History of Germany
• 2019-10-09 00:12 StarWarsFan01 edits Star Wars
• 2019-10-09 00:13 StarWarsFan02 edits Star Wars
• 2019-10-09 00:14 StarWarsFan03 edits Star Wars
• 2019-10-09 00:14 GermanyFan edits History of Germany
• 2019-10-09 00:15 StarWarsFan04 trips an edit filter on Star Wars

• Everyone is on the same IP address and is indistinguishable from each other. However, GermanyFan has no interest in Star Wars whatsoever, and the various Star Wars fans don't care about the history of Germany. "Get edits" is useful in highlighting the Star Wars fans as potential socks and differentiating GermanyFan from them. Otherwise, I have to spend a lot of time in the Editor Interaction Analyser. Like Zzuuzz, I like being able to see a timeline of everything that has happened on an IP address or IP range. NinjaRobotPirate (talk) 10:57, 9 October 2019 (UTC)Reply

• The workflow for another type of typical check looks something like this:
• Vandal A is an obvious LTA sockpuppet - instant block.
• We probably want to block their IP address because we've blocked a lot of their accounts recently (Vandal B), and also block (and revert!) the other 30 accounts they've probably created that we don't know about. Get IP addresses for User A - we find they are editing throughout a highly dynamic /39 IPv6 range.
• Get edits for the range (or users, it doesn't really matter here). Examine the contributions and timelines for the range, to identify the other accounts.
• This is a type of check that most CUs will have done and know how to do. But it's at this point I can't imagine what the proposed check or results will look like:

• Now what? Can we block this guy and his sockfarm or not? -- zzuuzz ^(talk) 14:40, 9 October 2019 (UTC)Reply

• @NinjaRobotPirate and Zzuuzz: This is extremely helpful, thank you! I understand the use case for Get edits much better now. Would it be helpful if the tool can generate the timeline for edits (similar to what NinjaRobotPirate made but with more info) based on the usernames and IPs that are input on the first screen? I understand right now the tool can only do it for one user/IP at a time. If that will be helpful, what kind of information would you expect from such a timeline? -- NKohli (WMF) (talk) 14:01, 11 October 2019 (UTC)Reply

• I didn't quite understand the usefulness of "get edits" at first, either. The tool provides much more information than what I posted, of course, but I was just trying to give an uncomplicated example (I wouldn't want it streamlined down to what I posted). If by "first screen" you mean the table you labeled "preliminary check", I don't really know. It sounds like it would be useful, but it's difficult for me to visualize exactly what the results would be. I'm used to the current way of doing things. I hated the CheckUser UI at first, but it's grown familiar. NinjaRobotPirate (talk) 15:43, 11 October 2019 (UTC)Reply

• @NinjaRobotPirate: No, the screen before that (don't have a mock yet), in step 1 where we take an input of all the usernames/IPs you want to look at. We can come up with a Get edits like interface for the edits by those users/IPs in the tool which can generate a timeline for you, similar to the one you posted. You wouldn't have to look up the Get edits for each user like you have to right now. What are the key things that you are looking for, when you use Get edits? I imagine if users are checking the same pages, that is something to make note of. What else do you do that can possibly be flagged by the tool automatically? (also @MusikAnimal: on this thread) -- NKohli (WMF) (talk) 17:04, 11 October 2019 (UTC)Reply

• "Get edits" can be used for both usernames and IP addresses/ranges. On usernames, it's occasionally useful to see all of someone's edits annotated with their system configuration. You can see this information elsewhere but not at a glance. "Get edits" can also be used on IP ranges to see all edits made by all accounts on that IP range. If you know someone uses a really generic system configuration, "get users" might not be as useful as "get edits". "Get users" can tell you who all the Firefox users are on a Verizon IP range, but sometimes you don't really care about that. You're more concerned with finding Verizon customers who edit Star Wars articles regardless of browser. "Get edits" will tell you that. It's also useful for finding edit summaries. For example, it's easy to find Verizon customers who habitually call people fascists in their edit summary in "get edits". "Get users" is great for finding sock puppets based on technical matches, and sometimes I use it to find behavioral matches, too. The problem is that I tend to open up a lot of tabs if I use it this way. For example, I'll sometimes open a new tab for each suspicious-looking editor and skim over their contributions. If I already know the sockmaster and I can skim over their edits fast enough, this can be substantially faster than "get edits". "Get edits" returns a lot of useless information, especially on busy IP ranges. If I want to see Firefox users on Windows 7 who edit Star Wars from Verizon IP ranges, "get edits" will list them. However, it also lists everybody else, and there's no way to filter out the millions of Chrome users, Windows 10 users, or MacOS users. At least with "get users" I don't have megabytes of useless information cluttering my screen, even if it doesn't tell me anything about who's editing Star Wars. I'm not really sure if any of this answers your questions... I can try to think more about this later. NinjaRobotPirate (talk) 02:27, 12 October 2019 (UTC)Reply

• I've always wanted some indication of the language, ie, the Accept-Language or perhaps Accept headers. And I also think not using the enwikiUserName (or equivalent) cookie is a totally missed opportunity. -- zzuuzz ^(talk) 05:37, 8 October 2019 (UTC)Reply
• I'm not sure I'm on the same page as my colleagues. I find I often do things differently. That said, I have some features I'd like to see in the current interface. They mainly consist of adding the ability to sort and to filter. I'll do the Get IP addresses first:
  • Sort by IP rather than chronologically, although it's fine to sort chronologically within IP.
  • Give me IP ranges without my having to copy them into the text box at the bottom.
• Get users:
  • Filter out blocked users.
  • Filter out unblocked users.
  • Filter out unregistered users.
  • Filter out no-edit users.
  • Filter out selected users.
  • Give me the ability to get date ranges for each user/IP, as opposed to just the overall date range for all their edits (this is sort of a blend of Get edits and Get users but without quite the business of Get edits).
  • Give me the ability to get log entries for the IPs (again something that is shown in Get edits but not in Get users.
  • Give me the ability to see if two or more registered users are not only using the same range but individual IPs.
• I may add more to this list. I'm going by memory, and checking may bring more to mind.--Bbb23 (talk) 00:38, 9 October 2019 (UTC)Reply
• ...

• I definitely want filters. NinjaRobotPirate (talk) 10:57, 9 October 2019 (UTC)Reply

• Long term, a graph representation of the relationships between IPs and accounts may be helpful, especially for complex investigations. MER-C (talk) 13:05, 12 October 2019 (UTC)Reply
• Finally took the time to look, in general this looks ok. What I am wondering, I see in the example the 'extra users' sessions for accounts found on the IP's. Will that be automatic or would that be a next step? There are cases where you check two accounts by just checking their ip, and if they don't match, also not range match, you don't need nor want to look up the ip's. What I would really like is for the 'get ip' case to already show the user agents, something you now need to check the ip's for. Further more, a handy way from the 'check ip' button to check the range instead is a must I think. When dealing with IPv6 you should always check the /64 (although there are use-cases for checking the ip itself). What might be nice would be a dynamic table that expands, for the complicated cases. I have had cases, where on the IP's you find new users, checking the users give new ip's again, and on those ip's you find again other users. So a button 'check this ip and add the users to the table' would be nice. Again, it should not be automatic as there might be users you don't want to check on dynamic ranges based on user agent. Akoopal (talk) 15:58, 13 October 2019 (UTC)Reply

• @Akoopal: Good point about making that check for other linked editors optional. We are still thinking about the UI for accepting an IP range in addition to an IP. Would you say the range should be automatically generated from the IP address? I will be sharing some design mockups early next week and would be really interested to hear your thoughts on that. -- NKohli (WMF) (talk) 05:44, 17 October 2019 (UTC)Reply

• @NKohli (WMF): For the range checks, I think there can be different approaches for IPv4 and IPv6. For IPv6 an dropdown where you can select the /128, /64, /56, 48 and then a field where you can specify a bigger range will probably do. For this one, the /64 might even be default. Of course it should zero the last 64 bits of the IP address to calculate the proper range. For IPv4, it will be much more difficult as there are so much different sizes used. At first just a field to fill in, defaulting to /32 (1 IP) to start with. Looking up the range with the IP registries might be a nice one, offer that via a dropdown, then /32 default, the discovered range as second and the fill in as the last one or something. Does that make sense a bit? Akoopal (talk) 21:19, 17 October 2019 (UTC)Reply

With the current checkuser tool, if a check is tried on a busy range it may exceed a maximum number for results and then only gives a list of IP addresses with the number of edits per address which is not very usable (failed check). It does not give proper results. A desired feature would be to paginate the results (Page 1, Page 2, etc. as necessary) for busy ranges.

One current way around the max number exceeded is to select a lower time frame from a pull down box but this shortens the 90 day period to either one month, two weeks or one week. That loss of data is sometimes undesirable depending on the case that you are working on. That is already built in as a feature of the current tool.

Another workaround to retain the full 90 day information involves splitting the network and running separate checks. For example (using Class B reserved range), if a /16 range (172.16.0.0/16) fails because it is too busy then you might could split the network in half and run a check on 172.16.0.0/17 and then run a check on 172.16.128.0/17. If those fail then you can run four separate checks on 172.16.0.0/18, 172.16.64.0/18, 172.16.128.0/18 and 172.16.192.0/18. If that fails then you can run eight separate checks and so on. Some checkusers acquired their cu bit by being elected to Arbcom and may not have a strong networking background so they aren't likely to try this second workaround. It would make it easier for all checkusers to have pagination on busy range results which would forego the need for workarounds.
⋙–Berean–Hunter—► ((⊕)) 21:41, 8 October 2019 (UTC)Reply

Would it be possible to put alerts on certain IP-ranges / UA data so certain editors get flagged? (I know, likely these are flags that only checkusers will see, maybe only to admins?)

The current situation on-wiki is now that we see an editor with a pattern (possibly through AbuseFilter) that is recognised and that editor gets reported to CheckUsers to see the data behind the editor. That is often a Always-Too-Late action, prolific sockers are already on another account, and you keep hunting. It must be possible to flag certain combinations so that if a sock performs an action on wiki they get matched against the pattern. Setting the filter should be at CheckUser discretion and only used on serial-violators (and not to pre-emptively 'catch' editors). --Dirk Beetstra ^{T C} (en: U, T) 13:11, 9 October 2019 (UTC)Reply

@MusikAnimal, Zzuuzz, and NinjaRobotPirate: and others - I tried to enlist the various features and use cases for the three Get options in CheckUser. Does the below seem accurate? What other use cases do you have for these views? I'd appreciate your help in teasing those out. Thank you. -- NKohli (WMF) (talk) 05:56, 12 October 2019 (UTC)Reply

This looks pretty good to me. It could probably be doubled in size after thinking for a week about every use case possible, but it's a good overview. NinjaRobotPirate (talk) 18:54, 13 October 2019 (UTC)Reply

Yes, this sums it up nicely. A few minor corrections: For "Get IP addresses", a date range should be shown for activity (from available data), not just the latest action. I also think all views show the block status, current or previous. Next, the number shown next to usernames/IPs I believe is a count of logged actions as well as edits (or at least it should be, if it isn't). Finally, "Get edits" can be used on accounts too. I think you've got all the primary use cases covered. Best, — MusikAnimal ^talk 21:39, 14 October 2019 (UTC)Reply

Get IP addresses[edit]

Features

• Shows the IP addresses associated with a user account.
• Shows the timestamp for the latest activity on each IP address
• Shows the number of edits made by the IP along with a number for total edits made by accounts operating on that IP address, indicated by something like: [2] (~5 by all users)
• Provides links for tools to run checks on an IP

Use cases

• Used to get a quick overview of a user account activity
• To immediately see if this might be a big sock farm if the number of edits from the same IP is high
• Run various checks for the listed IPs with the help of the tools linked under the IP address to find out the location information, if it is behind a Tor node or VPN etc.
• ...

Get Users[edit]

Features

• Shows the IP editors and user accounts editing from a given IP or IP range.
• For each record -
  • Shows activity time period (start - end) and number of edits (denoted by something like [20])
  • Offers an option to run a WHOIS check on an IP
  • Offers an option to look at talk/contribs for an account
  • Shows IPs and user agents associated with the editor
• Allows one to select IP editors and user accounts from the list and to block them (along with some block options)

Use cases

• Used to find sleeper accounts/other socks that are created from the same IP or IP range
• ...

Get Edits[edit]

Features

• For a given IP or IP range, it displays a timeline of edits and log actions by the user accounts or IP editors operating from that IP or IP range.
• Dates are in descending order (latest first).
• Records are grouped by date. Each record displays:
  • If it is a log record.
  • Links to diff and history if not a log action/record.
  • Timestamp of activity
  • Page (if edit action)
  • Editor
  • Info about editor privileges
  • Info about whether editor was previously blocked
  • Edit summary of the edit
  • IP address
  • User-agent string

Use cases

• Used to identify if two users are the same based on their activity pages, IPs, UAs
• Sometimes used to figure out if a single user is behaving suspiciously based on their activity
• Identify other accounts/editors from an IP range that might be behaving in a similar fashion as a known sock
• ...

MediaWiki:Checkuser-toollinks and MediaWiki:Checkuser-userlinks-ip often have to be customised locally due to either the default links provided not working or not being enough. Having Wikimedia overrides for those via the WikimediaMessages extension would help. I don't think we want to push, e.g. wmflabs tools on the CheckUser extension itself for all MediaWiki installs outside Wikimedia to use. Further local customisation will still be allowed of course, but at least those who have to do crosswiki checks such as stewards will actually have some tools that work. Thank you. —MarcoAurelio (talk) 09:32, 22 October 2019 (UTC)Reply

@MarcoAurelio: Right. I heard similar feedback from MusikAnimal so we will be keeping a way for those links to be overridden if desired. I hope at some point in the future we can have an integrated service in MediaWiki so we do not need users to go to external tools to look up the information they need. -- NKohli (WMF) (talk) 14:13, 28 October 2019 (UTC)Reply

@MusikAnimal, Zzuuzz, Ajraddatz, NinjaRobotPirate, MarcoAurelio, Huji, Akoopal, and Rschen7754: We have been working on preparing a set of mocks for a redesigned CheckUser experience that we will be sharing with this group soon. Meanwhile, we have a question about the blocking feature built into the Get users view. 1) How often do you use the blocking feature in CheckUser?
2) We are thinking about decoupling CheckUser functionality from blocking and instead providing a better, integrated experience with `Special:Block` instead. What do you think about this idea?
Thanks in advance! -- NKohli (WMF) (talk) 05:20, 31 October 2019 (UTC)Reply

1) I don't know exactly. I don't use it every day, but it's a lifesaver when I do use it. I would guess several times a week. There are a couple long-term vandals on English Wikipedia who create dozens of new accounts before we catch them. The cleanup is very frustrating, but having the CU/blocking process cleanly integrated like this makes it easier. 2) In general, I doubt non-checkusers need this functionality, though it might be useful for blocking a large, organized group of vandals who attack the same article. I can't promise that I won't complain if this slows down my workflow, but if it's easier for you to maintain the code by doing this, I'll take that into account before complaining. NinjaRobotPirate (talk) 05:49, 31 October 2019 (UTC)Reply

I'll echo what NinjaRobotPirate said. 1) I would say I use it less often, but when I do I usually block anywhere from 10 to 50 (or more) accounts. The convenience is amazing. The alternative is 50 browser tabs and many hundreds of mouse clicks, and that's really exhausting and time-consuming. 2) If you're actually going to provide a better experience with the same or better abilities elsewhere, then I'm sure that needs no comment. But I'll comment just in case. I can understand if you'll find it easier to remove it from the CU extension. I don't think this facility will be very useful to non-CUs - I'm sure some batch-block scripts have probably been written for admins on enwiki but they're not common. The practical alternative would be username exporting and either Javascript blocking or a new ability for multiple usernames at Special:Block. It's certainly not my preference to remove the integration of this feature, but I'm sure we could get by. -- zzuuzz ^(talk) 08:11, 31 October 2019 (UTC)Reply

I use the feature a lot, because via scripting we have it integrated with Special:MultiLock as well. Please keep the feature around. Thanks! —MarcoAurelio (talk) 11:05, 31 October 2019 (UTC)Reply

I use the block feature rarely, but I agree with Ninja that when we do need it, it is a life saver.

The decoupling idea is not necessarily bad. One option can be to allow a user to "select" (i.e. check the checkbox next to) a bunch of users in the CU interface, have a button that would allow copying those usernames to clipboard, and then have an interface in Special:Block (say, Special:MultiBlock) that would take a list of usernames and allows you to block them all at once.

Putting my MW developer hat on, from a code perspective it also makes sense to abstract out the multiuser block feature from CheckUser and make it a core feature (or its own extension, kind of like the Nuke extension). Huji (talk) 19:18, 31 October 2019 (UTC)Reply

@NinjaRobotPirate, Zzuuzz, MarcoAurelio, and Huji: Thanks for all the input! It is helpful to know that the feature is useful. After talking to the engineers, I will circle back with you all to discuss potential options and we can collectively decide what is most useful for you. Thank you. -- NKohli (WMF) (talk) 18:07, 5 November 2019 (UTC)Reply

@MusikAnimal, Zzuuzz, Ajraddatz, NinjaRobotPirate, MarcoAurelio, Huji, Akoopal, and Rschen7754: Hi all! I shared an update on the project page. It outlines some of the things we have learnt from this page so far that we have designed some mockups around. These are early-stage mockups and there are a lot of details to work out. My biggest question from you all is whether these make sense at a high-level and provide the information you seek from the tool. Looking forward to your feedback.
If you're interested in participating in a usability test for the mockups, please let me know below or over email. Thanks. -- NKohli (WMF) (talk) 21:56, 5 November 2019 (UTC)Reply

Happy to participate in a usability test. – Ajraddatz (talk) 22:34, 5 November 2019 (UTC)Reply

What's involved in usability tests? The mockups look OK to me. NinjaRobotPirate (talk) 23:55, 5 November 2019 (UTC)Reply

The mock-ups look good to me as a first step. Depending on the level of involvement for the usability test (the time it takes, does it have to be over Skype or something or can it be done through email, how near in the future is it planned for) I may be able to participate as well.

Some additional thoughts (for now or for later);

• I would really like the timeline to be also presented as a graph.
• Some of the features of DEWKIN (such as punch card) may also be good to have.
• I still think that the actual UA string should be exposed somehow. (It can be hidden by default)
• The aggregate data that is shown for IPs ("13 from all users") should also be shown for UAs.

Best, Huji (talk) 00:33, 6 November 2019 (UTC)Reply

Looking good! I concur with Huji that the full user agent should be accessible somehow. I really like that it infers the browser/OS for you, but this can't always be done as UAs can be completely arbitrary. Also ideally I could get directly to Compare/Timeline tabs, similar to how it is now with radio buttons for which view you want. I see the value in the CentralAuth-style view for stewards but I doubt I'd use it much. In my case I'm just trying to find accounts with technical overlaps and/or check for collateral damage. That said a lot may be missing with the "Include all users who are using the same IPs" option, unless you can somehow have it go by the ranges. I doubt you could without producing too much noise, so perhaps it could just compute ranges for me based on the surfaced IPs (same as copying pasting IPs into the range calculator), and have a link to check just those range(s). That'd be amazing! That'd shave off a lot of time copying/pasting IPs. Finally, I worry about the table format. What you have presented is super clean, but a lot of stuff is missing such as the user groups (positions of trust might tell me this user is likely unrelated), block/lock status (current and previous), the date range of activity (I see only a single date in each row), basic links like talk/block/contribs, and of course the community-maintained links -- all of this may not confine nicely into a table. Perhaps we could have a little expand/collapse link to reveal this? Otherwise I think the current "Get users" view could work well as it's already designed to show data for multiple users. The only difference would be that you could query for multiple users/IPs from the beginning, which is a great improvement! Kind regards — MusikAnimal ^talk 03:30, 6 November 2019 (UTC)Reply

Hmm. I share some views of MusikAnimal above, and I see some improvements from the previous proposal. I just have a few comments. 1) I think these examples could benefit from some real world data (anonymised obviously) of some real prolific sockpuppeteers, based on real CU activity. Users "Apples" and "Oranges" is one thing, but show me (and please practise on) a 20-account LTA on a /39 range with plenty of collateral, and preferably some other examples. 2) I agree the UA information should not always be permanently reduced from its current format. Some details are important. I'm of the opinion there should be more of this user-provided information available where it's useful (a tooltip might be an idea). 3) IP addresses are missing from the timeline view. Considering a CU operating on ranges, it can be useful to see IP sticky/switching behaviour - especially with IPv6. You could say that's now incorporated in the "Compare" view, but I'm not sure that's an improvement. And I hope one of the options for "Type of activity" is "All". Thanks. -- zzuuzz ^(talk) 19:38, 6 November 2019 (UTC)Reply

Thanks all! To summarize, I'm hearing these as feedback:

• Timeline as a graph
  • @Huji: Can you elaborate more on this? What kind of a graph are you envisioning? With the highlighting feature you would be able to highlight a set of pages for example and all those rows will be highlighted, showing all the users who have edited those pages.
• Aggregate data for UAs
  • I believe this should be doable but I will check with the engineers on this.
• Show the complete UA string
  • This will be the case. The first iteration of the tool will not have the parsed UA string. Once we build that, we will ensure there is still a way to access the complete UA string. As part of this, we hope we can also flag non-standard user-agent strings in the UI.
• Compute ranges automatically to check on
  • @MusikAnimal: This should be doable. My concern is how do we present the information usefully if there are too many results to show. If you search for a range and 1000 users turn up, is it useful to show all 1000 of them? Should we try to limit them and ask the user to try a smaller range? I'm also concerned about the technical limits we'll run into which will make loading results slow.
• Table format
  • I do want to make sure we show everything that is currently available in CU. I think the table can be changed to include everything in the same UI. I'll discuss more with Prateek (our designer) about this.
• Real world data
  • This is a good point and something we are considering doing. I will try to share an updated mock with some real world examples (anonymized) within the next week or two. If you have an example in mind (not a very extreme one as stress-testing will come later, this is for the mocks only) please let me know privately or on CU wiki.
• IP addresses on timeline view
  • Should be added, yes.
• IP sticky/switching behavior
  • If I understand you right, this should be achievable with the highlighting we are planning to build. You'll be able to highlight all rows in the timeline for a given user or IP or page edited etc.
• All as a type of activity
  • Yes, that will be one of the types.

Thanks. -- NKohli (WMF) (talk) 02:21, 7 November 2019 (UTC)Reply

@Ajraddatz, NinjaRobotPirate, and Huji: thank you for expressing interest in the usability tests! They shouldn't take more than 20 minutes, and can be done at your leisure - no explicit scheduled interview needed. These tests will involve recording your screen as well as audio, if you have a microphone enabled. Please email me, clo@wikimedia.org, for more details (and this goes for anyone else who might be interested in participating in the usability tests). —User:CLo (WMF) (talk) 18:40, 7 November 2019 (UTC)Reply

With regard to the timeline, what I am thinking is something like this:

In many cases, one of the first steps of running CU is to determine if the accounts are editing on similar days or not. As I pointed out, the Punch Card feature of DEWKIN can also be helpful (e.g. to see if the users edit during similar times of the day). Huji (talk) 20:18, 7 November 2019 (UTC)Reply

@MusikAnimal, Zzuuzz, Ajraddatz, Rschen7754, MER-C, Akoopal, Huji, MarcoAurelio, NinjaRobotPirate, Bbb23, Berean Hunter, and Beetstra: Pinging everyone who's chimed in on this page in the past. Hi all, I want to share some interactive mockups that our team has been using to do our series of user tests up until now. I want to share these with you to give you a sense of the direction we are going in for the new tool and get your feedback. You can find the mocks on this link. The mocks are along the tool outline we initially set out with.

Please keep in mind that because they are just mockups, not everything will work and you will probably find some bugs. Also, some things have changed since the last time this mockup was updated. This mostly involves design changes. There are also some features in the works that are not present in the mocks here. For example, we are working on incorporating MusikAnimal's feedback to allow looking up a range in the Checkuser interface (mock here).

With that said, I would like your feedback in the following categories. Thanks so much for your time. -- NKohli (WMF) (talk) 01:49, 8 May 2020 (UTC)Reply

• I am very grateful to see filters and colors implemented. This finally brings the user interface into the 1990s. The export thing looks useful, too, but I might want to post results in an email to a mailing list. NinjaRobotPirate (talk) 05:33, 8 May 2020 (UTC)Reply

  @NinjaRobotPirate: The export button would let you copy the text in a wikitext table format which could be copied over to an email easily. You could also select the table to copy but depending on big it is, it might not be easy. -- NKohli (WMF) (talk) 02:38, 12 May 2020 (UTC)Reply

• Abridged browser information (see phab:T175587) Huji (talk) 12:16, 8 May 2020 (UTC)Reply

  @Huji: While this feature is in the mocks, it is not present in the first version of the tool. That's because when we started delving into it we found a few technical challenges. So we decided to make basic improvements first (like looking up multiple users). We're hoping we can implement abridged browser information at some point. In the meantime though, there will be a feature to let you filter for the same user agent in the datset. -- NKohli (WMF) (talk) 02:38, 12 May 2020 (UTC)Reply

• The filters look very helpful for searching longer lists. Looks like it will save a lot of time. I also like the feature in the block interface that allows you to replace their userpages with sock tags.
  ⋙–Berean–Hunter—► ((⊕)) 20:41, 8 May 2020 (UTC)Reply

• The UI is pretty different. I like that all the users on an IP address highlight when you hover over that IP address, but this isn't so obvious unless you are hovering over an IP address. I wonder if there's a way to make it a bit more obvious at a glance, without having to hover over anything. It looks like we'll be able to sort by IP address. I suppose that will make it fairly obvious. NinjaRobotPirate (talk) 05:33, 8 May 2020 (UTC)Reply

  @NinjaRobotPirate: That's true, the highlighting feature isn't obvious until the user "discovers" it. Our hope is that it will become apparent to the users as they start looking through the data and after once or twice, that feature will become obvious to them. We will also add ample documentation for the feature in the help docs. As for sorting by IP addresses, seems like there are technical challenges to doing that. We might not be able to make it work for all use cases. The engineers are still talking about the technical possibilities for making it work. -- NKohli (WMF) (talk) 02:59, 12 May 2020 (UTC)Reply

• This design is also IP/user based and can make it even harder for us to ever achieve UA-based queries (see phab:T146837) Huji (talk) 12:16, 8 May 2020 (UTC)Reply

  @Huji: I don't think having the design be IP/user based makes the possibility of having UA-based search hard. It's possible that in the future there could be a button to expose all users using a given user-agent, much like the button we have to expose all users using a given IP address. -- NKohli (WMF) (talk) 02:59, 12 May 2020 (UTC)Reply

• The mock-up doesn't show how things will look when a user has more than one UA for the same IP (see phab:T26411 and phab:T170508) Huji (talk) 12:16, 8 May 2020 (UTC)Reply

  @Huji: Ah. There will a separate row in the table for each different IP, UA and activity time period. I think that got missed in the mocks. -- NKohli (WMF) (talk) 02:59, 12 May 2020 (UTC)Reply

• 1) The block interface, particularly for IP addresses. Half the time, we're probably going to be hard-blocking the IP. The default block length of one week seems arbitrary. And are we blocking all the IPs that have been used? All accounts found? It's difficult to tell how this works without a fully working dataset. A particular concern I have is about privacy. Checkusers will often (not always) try and obfuscate any connection between accounts and IP addresses, perhaps by staggering the blocks or using other smoke and mirrors. This interface, by blocking IPs and accounts at the same time, will make this connection obvious by default. I suspect I would be inclined to remove IP addresses from this interface. It's not often that we will want to mass-block multiple IP addresses (and we will not want to add the same tags). 2) I do hope for the "Dropdown with IP ranges" we can use custom ranges, like the /23 ranges used by BT IPv4, or the /40 ranges used by Verizon IPv6. -- zzuuzz ^(talk) 22:02, 8 May 2020 (UTC)Reply

  @Zzuuzz and Berean Hunter: . Thanks for pointing this out. The blocking interface will actually look different from the one in the mocks. As we were thinking about the best way to allow checkusers to block, we came to the conclusion that it's best if we offer checkusers the same UI as Special:Block but with the additional options that Checkuser blocking form has. There will be an option for the checkuser to select users/IPs they want to block and they will be taken to a special page called Special:InvestigateBlock, which is a modification of Special:Block in a way that allows blocking multiple users. This block form will be pre-filled with the users the checkuser selected. The checkuser can submit the form after checking the relevant options and setting the time period they want. It's not in the mocks. My apologies about that. You can find a couple screenshots and more detail in phab:T248530.

  Regarding your second question, @Zzuuzz: , in the initial version we were considering having a default list of ranges. We're also being cautious because the bigger ranges we allow, the longer it will take to fetch the data, especially given that multiple users are being looked up. If you were to make a default list of possible ranges, which ones would you include? Thanks. -- NKohli (WMF) (talk) 02:59, 12 May 2020 (UTC)Reply

  I can understand the need for caution, but I also understand the 5,000 record limit of the current tool is one of the most common complaints about it, and some of us very often deal with large busy ranges. To answer the question though, a compromise I would suggest is that if you can't make the IPv4 prefix multiples of 2, which I would strongly prefer, then at least make it multiples of 4. For IPv6, please double those numbers. We can probably get by with minimum range sizes (maximum prefixes) of /24 and /64 respectively (aside from /32 and /128). -- zzuuzz ^(talk) 06:15, 12 May 2020 (UTC)Reply

• Highlighting non-standard UAs (see phab:T234980) Huji (talk) 12:16, 8 May 2020 (UTC)Reply
• Essentially, go through phab:T237486 and bring as many of them into life in the mock-up as possible. Huji (talk) 12:16, 8 May 2020 (UTC)Reply
• I believe this may be covered by what Huji has linked above but, yes, having the pertinent whois and geolocation info display in one place would be great. Displaying which ones are proxies would be great too but if not done automatically then having a link to autofill and complete the proxy checking would be second best. It's better than cutting and pasting in a different tab which is what we do now. One of the big goals is to reduce the number of browser tabs that we have to have open.
  ⋙–Berean–Hunter—► ((⊕)) 20:59, 8 May 2020 (UTC)Reply

  @Berean Hunter: Good news, we are working on bringing the IP information into the user interface, not just for checkusers but more broadly on the project. You can read more about it here. I would love to hear your thoughts on the talk page discussion. It's a few months down the line. It involves vetting and contracting with external IP services to gather the data, ensure reliability etc. There's a few challenges to that work. I will be posting a project page for it within the next few days and I'll let you know when I do. -- NKohli (WMF) (talk) 03:04, 12 May 2020 (UTC)Reply