Trust and Safety Product/Temporary Accounts/Updates/2025-05 Access to IP addresses on pilot wikis

Changes to the way some users are granted the right to see temporary account IP addresses

Hello! This is the Trust and Safety Product team. We would like to share that we have decided to change the requirements for access to temporary account IP addresses. The impact on your community will be minimal. We are planning on implementing the change in the week of May 26 (T393358 + T393360 + T390942). I will keep you updated about the details.

We are only changing the rules for users who do not have extended rights (e.g. admins, bureaucrats, checkusers – see the policy for more examples) but their account is a minimum of 6 months old, and who have made a minimum of 300 edits on this wiki. They will lose access to IP addresses (T393360), and to have it back, they will need to apply for the right. Admins or stewards will decide whether to grant it (T390942). This will entail human manual work, but this method will be safer than if we continued to grant the rights automatically. We want to emphasize that fewer than five users who don't have extended rights have ever revealed a temporary account's IP addresses on your wiki.

We made this decision based on what we heard from you, piloting wikis, particularly Romanian Wikipedians. We also consulted on options with Stewards, and had discussions on Meta-Wiki and about 20 Wikipedias with large communities. When we deploy temporary accounts to more wikis, we will evaluate the impact and may adjust our approach again.

In addition, we'd like you to know that requirements for access to the IP Info feature will be identical with the ones for access to the temporary accounts' IP addresses (a user will either have full information or none).

The rationale for the change

We chose the current numerical thresholds and automatic granting before deploying temporary accounts on any wiki. However, it’s become clear to us that these requirements are quite low and it is still too easy for bad-faith actors to gain access to temporary account IP addresses. We want temporary accounts to meaningfully improve editor privacy, so we need to be more restrictive. Our goal is to more consistently limit IP address access to only those who need it.

How will this work

When a user without extended rights needs to view temporary account IP addresses, they will need to file a request for being added to the Temporary account IP viewers group. They will file the request to admins (the local communities will be able to decide what that process will be) or stewards (for wikis without local admins).
The software will require that the user has at least 300 edits and the account since at least 6 months. Admins will not be able to grant temporary account IP access to accounts that do not meet that criteria; however, stewards can grant temporary account IP access to accounts that do not meet that criteria, though they should only do so if there is valid reason. This is a minimum, and we encourage you to enforce higher thresholds.
The user reviewing the request will check if the user applying for the right meets requirements and that they have provided a valid justification. The right itself will be granted through Special:UserRights.
Users who grant requests for the right will also handle removal of the right.

We would also like to clarify some details. For your convenience, we will also document some of it in the project FAQ.

Access to IP addresses

Separation of the new right (checkuser-temporary-account) out to a new group (Temporary account IP viewers), as opposed to technically attaching it to any existing group (like patroller). We have decided to do this for a few reasons:
- Having access to IP addresses carries risk. This right is similar to checkuser. IP addresses are considered personally identifiable information (a kind of personal data). Outside actors who want to access IP addresses will now need to interact with users who have this right. Users with this right should be aware of this, and alert to the possibility of suspicious access requests.
- Good practices for privacy protection. Giving access to users who are trusted but do not need access to carry on their work is not in line with good practices for processing personal data.
- Removal of right. Access to IPs will be logged (example). If any misuse of this right is detected, it can be taken away separately from any other permissions the user may hold. It would be difficult and sometimes also unreasonable to remove the rights unrelated to access to IP addresses.
- You may grant the new right to all users belonging to a certain existing group individually. These users must meet the criteria for Temporary account IP viewers, though.
- For clarity – all this does not affect administrators, bureaucrats, checkusers, stewards, and other groups mentioned in the global policy.
Activity requirement. With regards to users who would need to be granted access manually, the policy says that they "must edit or take a logged action to the local project at least once within a 365-day period". This requirement is not changing.

Process of granting the right

Formality of granting the right. There is no need for discussions or votes like Request for Adminship. It does suffice if a single admin makes a decision using their own judgement.
Additional requirements for the users applying for the right.
- You have autonomy over the process for granting the right. You can adopt thresholds higher than 300 edits, or disallow the "non-admin+" users to have the right. The granting process can be as basic or elaborate as you deem appropriate.
- Which criteria admins should take when deciding whether to grant the right – how to tell whether a user needs access to IP addresses? There are no mandatory requirements beyond a minimum of 300 edits and a 6 month old account. You may introduce additional criteria related to trust to the user (such as no prior blocks or copyright violations) or experience in patrolling activities.
Additional burden on administrators. We understand the toil of having to grant and remove an additional right. This is indeed a downside. We think that it will only have to be a one-time effort to grant this right to a larger number of people. We are curious if you can find ways to limit this burden.

Next steps on your side we would like to suggest

We are encouraging you to consider adopting a policy on granting and removing the right, if you think you need to add anything to the global policy.
We are encouraging you to start granting the right. Considering our data (up to a few non-functionaries have ever revealed temporary account IP addresses here), we believe you don't need to rush or spend a lot of time preparing for this before the change comes into force, though.
We would like to show you what level of wiki-bureaucracy seems sufficient from our point of view. In the sandbox, we have created a draft of what a page with requests for the flag could look like. Of course the final content of the page will depend on your community. We do not want to imply that we are instructing you on this matter.

Let us know if you have any questions. Thank you!