Wikipedia talk:Quick and dirty Checkuser policy/proposal

Who gives the permission ?

>> The community can grant administrators the permission

How does the community grant permission ? Through a vote ? If it is a vote, I'll do a Boothy everytime. Tintin 15:09, 12 October 2005 (UTC)

Care to explain? --fvw* 15:15, 12 October 2005 (UTC)

Let me just say I am a little paranoid about my privacy. It's one thing to give access to the very small group of stewards, quite another to admins - even long term ones - whom, except for very few, I have only passing acquaintance with. Tintin 15:27, 12 October 2005 (UTC)

Admins can already get your IP address if they really want, it just takes a little more setting up. We have access to user javascript which we can use to get your IP, along with a million other ways. The only thing stopping us from doing so is that it's against policy; with this proposal there'd still be that limitation. --fvw* 15:31, 12 October 2005 (UTC)

If that's true (that admins have access to users IPs, even by roundabout means), it's a security hole which violates the Foundation's privacy policy. — Dan | Talk 15:55, 12 October 2005 (UTC)

Why? Developers for instance can do lots of things that violate the privacy policy, however as long as we stop them as soon as we find out that they are doing so having them have the ability to do so isn't a violation. Ditto for admins. --fvw* 16:09, 12 October 2005 (UTC)

Moreover, the devs closely guard who has access to the actual user database and restrict it to those they're reasonably confident they can trust all the way. A sysadmin who is charged with administering a website must have the ability to look at everything that might be vaguely relevant to that job; but (speaking as a professional sysadmin myself) they don't tell - David Gerard 13:18, 13 October 2005 (UTC)

I agree with this proposal. I suggested at the feature's inception (see m:CheckUser) and continue to believe that it be granted to a wider range of users than it is now for vandal-patrolling purposes. This attack has been a minor irritation at best, but a better-written bot could cause damage on a much larger scale. — Dan | Talk 15:55, 12 October 2005 (UTC)

Like Tintin, I'm a bit leary. I edited briefly under my real name before it dawned on me what a poor idea that was, and then for a somewhat longer time under another username, which I abandoned after letting who I used to be slip. I don't mind David Gerard being able to figure out who I am if he had reason to, nor any of the current bureaucrats. But Joe Random User who gets promoted to an admin because he's active on IRC, has been in no big fights yet, and has always used edit summaries in the two months he's been around... no confidence. —Cryptic (talk) 17:08, 12 October 2005 (UTC)

The proposal is not to give all admins checkuser, but only those approved by the community for it. And as I said, any account currently editing is already at the mercy of any admin who chooses to violate policy. Also, in your specific case you'd be safe as there's a pretty short time limit on the edits checkuser lists, two weeks I think? --fvw* 17:13, 12 October 2005 (UTC)

I understand that it's not to give it to all admins; I'm specifically leary of it being given out as a popularity contest, which these sort of community voting thingies inevitably turn into. I wasn't aware of a time limit on checkuser, though, which does make me feel a lot better about this. —Cryptic (talk) 17:17, 12 October 2005 (UTC)

Actually, it's only a one week window ("This data is only stored for one week, so edits made prior to that will not be shown via CheckUser"). A developer would need to check out edits over a longer period of time. Carbonite | Talk 17:17, 12 October 2005 (UTC)

The time varies. It's nominally one week, but it might be two or four or whatever the DB admins have it set to at present. (It's the length of time data is kept in the Recentchanges table.) This is fun when a malefactor thinks they're safe because their abuse is over a week old ;-D - David Gerard 13:18, 13 October 2005 (UTC)

I read somewhere it's either a one-week window or a two-week window, only that I don't remember where. However, if there are objections about giving it to regular admins, how about giving it to a few bureaucrats? They're fewer, and they have been scrutinized much more by the community (an RfB in addition to an RfA) Titoxd^(?!?) 17:24, 12 October 2005 (UTC)

m:CheckUser was out of date. The IPs are now stored for at least a month, not just a week as earlier stated. Angela. 18:04, 13 October 2005 (UTC)

Ah, that would be an improvement for the sockpuppet-checking side of things. Could it be what's causing the slowdown David mentioned though? --fvw* 18:08, 13 October 2005 (UTC)

The issue I have with simply giving CheckUser to all bureaucrats is that they were never intended to have this power. Until recently, the only difference between bureaucrats and admins was that bureaucrats could promote users. A few months ago, they gained the ability to change a user's name (I think this is inactive right now). This was a small change and completely uncontroversial.

Personally, I would trust any of the current bureaucrats with access to CheckUser, but I would oppose granting it to the group en masse. We should grant access through an RfA-like request for CheckUser process. Carbonite | Talk 17:39, 12 October 2005 (UTC)

Don't give it to all of them, then. But that gives us a "candidate pool" from which to pick potential CheckUsers. Titoxd^(?!?) 23:42, 12 October 2005 (UTC)

not really becuase being able to use Checkuser effectively requires a certian level of technical skill.Geni 11:58, 13 October 2005 (UTC)

Note : the current policy does absolutely not give the power to the community to decide who should be given this access. The policy to change this is currently under discussion. Anthere

True, but only because there is no current policy. It also doesn't deny it. --fvw* 18:09, 13 October 2005 (UTC)

CheckUser use logs

The m:CheckUser description states that "A log is kept of who has made which queries with the tool. This log is available to those with the checkuser permissions."

To enhance transparency and reduce concerns about privacy, could we also have a log available to everyone that contains just the number of CheckUser queries performed by each user? Or perhaps just a timestamp and the user's name? With wider access to this function, there would be more oversight and abuses could be spotted and dealt with quickly. Carbonite | Talk 16:16, 12 October 2005 (UTC)

I agree that that would be a good idea, but could we not tie that to this proposal please? As I mentioned earlier, I'm trying to get this through as soon as possible. Something that requires new features to be coded wouldn't exactly help. --fvw* 16:19, 12 October 2005 (UTC)

I completely agree with this proposal and would like to see it go through ASAP. I'm just trying to allievate the concerns of users who may fear that their privacy would be in danger. There's already a log of CheckUser uses, so developing a log that shows less data shouldn't be too difficult or time-consuming. It's just a different view of the same data. Still, a log should not be a prerequisite for granting CheckUser access to more admins. Carbonite | Talk 16:26, 12 October 2005 (UTC)

Well, since this is an emergency proposal (as the "Quick and dirty" in the name suggests), we're going to have to make an official policy when everything is calmer. So, I'd say start thinking about it, but don't tie it to this lightning proposal. Titoxd^(?!?) 17:27, 12 October 2005 (UTC)

Sounds reasonable to me. Let's get this rolling and iron out the detail later. Carbonite | Talk 19:43, 12 October 2005 (UTC)

Sounds workable to me. Now code it ;-) - David Gerard 15:52, 14 October 2005 (UTC)

Moving things along

Right, are there any objections if we open this up to community endorsement/disendorsement tomorrow barring any new objections coming up (I wasn't kidding when I said I wanted to hurry this along)?

If you have any objections to this that can be solved by anything but "I don't want anybody else to get CheckUser", please post them now. --fvw* 19:33, 12 October 2005 (UTC)

If an admin is voted to become a 'vandal hunter', how long will he be one ? Is this going to be a permanent role like being an admin, or a temporary one like a bureaucrat ? There is no need to decide on this now, but when will we take such decisions (Sorry if such things are 'obvious' to experienced users. This is first time I am being part of a discussion like this) ? Tintin 19:42, 12 October 2005 (UTC)

Bureaucrat isn't a temporary position. Perhaps you're thinking of the ArbCom? Carbonite | Talk 19:44, 12 October 2005 (UTC)

Thanks, Arbcom was what I meant. Tintin 19:49, 12 October 2005 (UTC)

It's a good question, I was thinking indefinite, i.e. until the community or arbcom decides against it. Is there any reason why this should be different to the other privs? --fvw* 19:47, 12 October 2005 (UTC)

IMHO, indefinite would be fine. Tintin 20:05, 12 October 2005 (UTC)

I have no objection to granting bureaucrats access to Checkuser, nor would I object to the creation of some sort of specialised position meant explicitly for tracing down vandalism. Wikipedia is growing by leaps and bounds, and unfortunately this also means we need to be able to scale our abilities to perform these sort of anti-vandalism tasks. Hall Monitor 20:56, 12 October 2005 (UTC)

Why tomorrow? There's still blocks being handed out to the VandalBot as of when I wrote this edit. I suggest doing it now. Titoxd^(?!?) 23:43, 12 October 2005 (UTC)

I suppor the proposal and have no objection to granting permissions as stated above. As for still blocking vandalbot, I'm still doing it, have been for hours. An IP block would have been great. Going back to blocking. ∞Who?¿? 10:36, 13 October 2005 (UTC)

I've changed the word "Vote" to "Straw poll" on the page, 'cos it is - it's an attempt to ascertain consensus - David Gerard 09:01, 14 October 2005 (UTC)

Possible addition

I'm not sure if this has been suggested yet, but it might be a good idea to require anyone who is given this access to never openly connect an IP with a registered user (unless it's someone like Willy on Wheels). They might be able to discuss it through email with the user (such as if it is found out that the user had sockpuppets), or in private IRC chat, but not by posting in big letters on the user's talk page: "HEY ARE YOU WINSTON SMITH OF ALBUQUERQUE, NEW MEXICO WITH AN IP OF 127.0.0.1?!?" Anyways, I think I had a point somewhere in there... — BRIAN0918 • 2005-10-12 20:57

Sounds reasonable. Maybe an email with a copy sent to abuse@wikimedia.org or something like that. Titoxd^(?!?) 23:40, 12 October 2005 (UTC)

Depends. I may reveal the IP when they've been sockpuppeting the IP as a separate person to the logged-in name, because then their use of the IP is part of the abuse therefore not covered by the privacy policy. I have also revealed it in cases like a recent one (see WP:ANI) where a block caused collateral damage, and I'm revealing it to say this guy looks OK so far - David Gerard 13:21, 13 October 2005 (UTC)

Great caution is needed

I hate to sound patronising here, but I'd like to remind everyone that privacy is a real-world matter, not a Wiki matter. While it's unlikely, an checkuserer could use a user's IP to expose that user to consequences in the real world. (Think oppressive government. Think of an agent of an oppressive government who starts editing WP and gets promoted to checkuser. Of course, there are probably more common situations in which it could be trouble.) We can't trust someone with powers that have consequences in the real world just because they're a good Wikipedian.

Therefore, I oppose giving anyone checkuser permissions unless their real identity is public and proven true and, preferably, they are personally known to the Foundation. The Foundation should probably also have to approve all cases. It would help if checkuser logs were available to all users and there were a limit on how many times anyone could run checkuser per day. ~~ N (t/c) 20:57, 12 October 2005 (UTC)

So, maybe make it a requirement that anyone who is going to become one has been to a Wikipedia meetup, or that they have to scan their driver's license (blurring the usual numbers) and send it to someone at the Foundation. (or, for even more insanity, require that they take a screenshot of the scanned image while the "You are logged in as User:XYZ" Wikipedia window is in the background. Or require a digital photo of yourself next to the screen with the logged-in-window and driver's license pic opened. :) ) — BRIAN0918 • 2005-10-12 21:08

LOL... when you put it that way, actually my idea doesn't sound so useful. I still think the Foundation should at least have to approve all checkuserers. ~~ N (t/c) 22:28, 12 October 2005 (UTC)

It is an important privacy issue. But as noted below, devs already have this power - David Gerard 13:18, 13 October 2005 (UTC)

I already mentioned this above, but any admin can already do this by changing user javascript or one of the many raw HTML variables. The only ability this adds is is to look slightly into the past, and the only real change is that it entitles the user to retrieve that IP information. --fvw* 21:13, 12 October 2005 (UTC)

Then that should be changed posthaste. ~~ N (t/c) 22:28, 12 October 2005 (UTC)

can't be. However loseing your adminship and being banned from wikipedia for the rest of eternity by a bunch of pissed off admins can often offend.Geni 11:55, 13 October 2005 (UTC)

I don't see how it is wikipedia's job to protect those who are breaking the law by accessing the wiki (oppressive government as you put it.) However, those with this power should have logs of their use of it publically avalible, and getting the access removed should be much easiesr than it is for say, adminship. -Greg Asche (talk) 00:12, 13 October 2005 (UTC)

Agreed. However, that should be written at CheckUser policy when the emergency passes, not here. But does anyone want to make that a blue-link? Titoxd^(?!?) 00:22, 13 October 2005 (UTC)

The page is created, so we can discuss any policy whenever we're not busy with the vandal. Titoxd^(?!?) 00:29, 13 October 2005 (UTC)

Good, we need to push this through and get the ball rolling on actually stopping some vandalism here... -Greg Asche (talk) 00:48, 13 October 2005 (UTC)

Standards

Ok, I don't think there have been any new objections, so let's go for it shall we? How does 5 days, at least 40 participants and at least 80% support needed sound? It might take a little campaigning to get that many people to chime in, but I think that 5 days is the least we can get away with. --fvw* 12:06, 13 October 2005 (UTC)

• For a normal standard, I think 5 by 80 is good. No objection to that. I still think they should grant emergency status if they are going to be unable to assist atm. ∞Who?¿? 12:25, 13 October 2005 (UTC)
  • We may want to make it seven days to match with WP:RFA. And list it at the bottom of that page to have it get sufficient attention. Other than that, fine. We need more checkusers, preferably yesterday. I would also be ok with giving CheckUser rights to all Bureaucrats or all ArbCommers, but the ArbCom is already overloaded as it is so a simple vote would be easiest. Radiant_>|< 13:04, 13 October 2005 (UTC)
    • I meant for getting the policy official, not for appointing people under it. --fvw* 16:29, 13 October 2005 (UTC)
      • Oh. Well, in that case I should point out that 70% is the common bar for policy proposals, and one week is generally the minimum duration they stay up. Just FYI. Radiant_>|< 22:15, 13 October 2005 (UTC)
        • Oh, ok. But this is a pretty big change, and it is in a pretty big hurry, so let's leave it like this, ok? --fvw* 22:18, 13 October 2005 (UTC)

How about an additional: "In an emergency, the power may be assigned by the Arbitration Committee, a Foundation Board member or a developer who presently has the power"? The first two are me trying to pick sufficiently high oversight bodies; the third are the people who presently have the power and guard it closely. For instance, if Tim Starling thinks someone (a) can be trusted to guard the innermost secrets of the DB (b) is competent to understand the results, then they probably are, at least temporarily.

Don't forget that if someone starts spewing data when they shouldn't, their CheckUser bit can be revoked really quickly - David Gerard 15:21, 13 October 2005 (UTC)

I like the general emergency granting idea. "Foundation board member" is fine by me, as is having Jimbo do it. I'm not sure about the other two though; I hate to turn the ArbCom into a "higher level admin/bureaucrat" group. As for admins that seems like a very bad idea. This isn't just about giving people the access (which as I pointed out above, most admins already have something pretty close to), but more about giving them the permission to use it. I don't think that's something the devs should have say over. --fvw* 16:24, 13 October 2005 (UTC)

It might be more sensible to say stewards can assign it, since only they or developers actually can give out this right. All current members of the ArbCom and at least of two of the Board members are not able to set user rights. Angela. 18:12, 13 October 2005 (UTC)

Well, I think that even for emergency use we could have separate people to grant the permission and others (stewards, devs) to enable the access. But though I don't think it need necessarily be them, I have no objection to adding them to the list. --fvw* 18:19, 13 October 2005 (UTC)

Notes from a current CheckUser checker

As the guy who uses it now on en: (mostly so Tim Starling can get on with development and sysadmin matters), a few notes:

• I've added a proviso that the CheckUser checker should look things up when the AC asks. I'm presuming this would include things like checking on antisocial users who've been kicked off by the AC to see if they've returned, which I do a lot of.
• Access by all bureaucrats is good IMO. They're highly trusted people. If people aren't sure about this one, we can reconfirm all current bureaucrats one by one.
• You have to pick people you can trust, and then trust them all the way. Various people are going to ask to have this logged seven ways to Sunday to protect against possible abuses. But adding red tape is just going to be a massive PITA and not actually affect whether the CheckUser checker can be trusted to act with confidence. Basically, we have to pick people we trust not to use the power for evil. Like admins and bureaucrats but more so.
• Remember that a small number of the developers (those who have access to the database) already have this power and use it. They control the horizontal, they control the vertical, they see all and know all — because they have to have complete control in order to administer a top-50 website. But they respect the privacy policy, because that's what you do as a sysadmin. The proposal is to extend access to just one power, so as to avoid a bottleneck of too few people for the job.
• It helps if the person understands various network foo. If not I am most happy to help and show how to interpret stuff. It's an art, not a science.
• Coders with a good grasp of MediaWiki data structures might want to look at the code for Special:CheckUser to see if there's ways to speed it up and/or make it less of a load on the database.
• I really need to write up a Help: page for CheckUser checkers.
• taw on pl: has CheckUser for pl:, I think — worth asking for ideas?

- David Gerard 13:18, 13 October 2005 (UTC)

Note from a current checkuser checker and a board member

This tool is potentially problematic with our privacy policy. Did you read the latter ?

The current policy does not give access to editors, just because they are bureaucrats or because their community decided it. There is a reform ongoing to change the current policy and I will oppose to any editor being made a checkuser until a new policy is adopted, because it is important that a clear policy is agreed before we give access to this tool. Amongst changes, there is need to agree on who will be granted the access and how, about rules of use, and about transparency of the activity (in short, publishing the log). Currently, none of this is agreed upon. It should first be agreed on and this should be done on meta. See m:CheckUser Thanks Anthere

I don't see the problem:

Log data may be examined by developers in the course of solving technical problems, in tracking down badly-behaved web spiders that overwhelm the site, or very rarely to correlate usernames and network addresses of edits in investigating abuse of the wiki.

We just shouldn't read that developers as "the mediawiki developers" but as "those developing the website". If you don't do that we're already in violation of the policy. Also (once again) as noted above, administrators can already get access to IP data, it just takes a little more effort. --fvw* 17:31, 13 October 2005 (UTC)

Can you explain to me exactly how you can get access to IP data with a bit of effort as a sysop ? Anthere

Insert web bugs into the plain-HTML mediawiki variables, retrieve an URL from user javascript, ... --fvw* 17:44, 13 October 2005 (UTC)

I fully agree with fvw's interpretation of existing privacy policy, there is no need to make any changes in order to delegate these CheckUser permissions to a select and trusted few. Hall Monitor 17:52, 13 October 2005 (UTC)

Yeah. This is a system administrator (as distinct from Wiki "sysop"; that's an unfortunate bit of jargon) tool, for keeping the website running - David Gerard 09:01, 14 October 2005 (UTC)

Help:CheckUser

You can see how CheckUser works at meta:Help:CheckUser. I'll add screen shots some time or other - David Gerard 13:01, 14 October 2005 (UTC)

Comments accumulating in Straw Poll

I'm considering migrating the comments from the Straw Poll on the main page to this page and cross-referencing, but I wanted to drop this note here before touching that to provide the opportunity for opposition to this and/or self-movement of items that people have posted as commentary. My thinking is to x-ref on vote-# in both directions. Courtland 23:40, 14 October 2005 (UTC)

It's not making it unreadable, I'd say leave it for now - David Gerard 12:08, 17 October 2005 (UTC)

40 votes

Just noting that 55 votes have been cast now, and there's barely 80% support of the policy. Three hours left on the vote, and we got a result. Titoxd^(?!?) 20:27, 18 October 2005 (UTC)

• I'm glad to see this passed. I should point out that generally, the minimum support for a policy proposal is 70%, so 80.4% clears that with a wide margin. I believe that some of the people who opposed it thought that this proposal was to give checkuser rights to all admins. That is not the case - the intent is to allow users to enter a Requests For Checkuser process, which is similar to a Request For Adminship or Request For Bureaucratship.
• I propose that nominations be added to a new section on the WP:RFA page. I also propose that someone suitable be nominated by tomorrow, because that is ultimately the only way to see how it will work out. Radiant_>|< 22:32, 18 October 2005 (UTC)

• It is unfortunate that this will likely be implemented without any consideration for implementing the checks and balances that were put forth as proposals by the Neutrals or Opposed. This is an assumption, perhaps an incorrect one, but one based on the eagerness and alacrity with which the supporters intend to move forward. Courtland 00:58, 19 October 2005 (UTC)
• Perhaps I was confused, but this was a straw poll, doesn't that imply that it has no bearing on actual policy, that it is more of just a survey/poll to gauge how people feel about it? -- BMIComp (talk, HOWS MY DRIVING) 01:08, 20 October 2005 (UTC)
  • It might have been called a "straw poll", but it was taken to allow green-lighting for action in the absence of policy statements, per the introduction to the poll. That is my understanding, which is consistent with the move to start nominating people to receive the authority discussed. Courtland 03:15, 20 October 2005 (UTC)

A straw poll does not automatically make this policy, no matter how much support there was. There are far too many variables to be worked out. Rob Church ^{Talk | FAHD} 15:49, 29 October 2005 (UTC)

I've just revised the outcome based on the TIME at which this straw poll closed ... determining that it failed to pass (73% vs. 80%). Do not merely revert this by reflex, but discuss why this interpretation is incorrect if you believe it to be so. Courtland 23:07, 24 October 2005 (UTC)

• I've reverted myself and the (expected) reflex reversion invoked by User:Carbonite (it is NOT a MOOT POINT) as I failed to take into account the late-breaking vote changes ... better to get the count right, yes. Courtland 23:14, 24 October 2005 (UTC)

Absolute Disgust

Please see Wikipedia:Administrators%27_noticeboard#Absolutely_Disgusted for the full rant. I am not at all happy with the way things have gone over this matter. Rob Church ^{Talk | FAHD} 17:05, 22 October 2005 (UTC)

• I agree with your comments linked from your note here. However, what mechanism is there to put brakes on the process. It doesn't seem (from a user's point of view) that anything short of locking pages and blocking people (like FVW) would come close to providing a slowdown to the implementation of the proposed matter. Thoughts? Courtland 19:39, 22 October 2005 (UTC)
  • Depends on how far we want to go. From the data protection standpoint in many countries; only the Board of Trustees would be legally able to grant this power. From a practical point of view, an open letter to the Board would be a good start; and we could begin highlighting the problems that this policy proposal has - a straw poll does not immediately ratify it, for instance. Rob Church ^{Talk | FAHD} 21:19, 24 October 2005 (UTC)

Moot point

I'd like User:Carbonite to explain why the outcome of the straw poll is a moot point. Does that mean that privileges have already been granted to people based on the outcome of this poll? Courtland 23:15, 24 October 2005 (UTC)

If that is the case, then some Stewards are going to have some serious explaining to do. Rob Church ^{Talk | FAHD} 15:48, 29 October 2005 (UTC)