Wikipedia talk:IP block exemption/Archive 1

Archive 1Archive 2Archive 3

This discussion is whether to enable IP Block exemption on the English Wikipedia. This proposal would allow CheckUsers (or some other process) to grant on a per user basis, the ability for that user to edit via a blocked proxy.

Prenotes

I have proposed this as an offshoot of Wikipedia talk:Blocking policy/Tor nodes. Please tell thoughts and mercilessly edit the project page. It is my hope that we can come to a middle ground that allows some trust metric to be established to allow editors to edit via tor. The associated bug is bugzilla:9862. I think once a process can be determined and a consensus to do this thing established, we can do this thing. M-ercury at 23:16, January 14, 2008

You mean bugzilla:9862?? --Solumeiras talk 23:23, 14 January 2008 (UTC)
Thank you :) M-ercury at 23:24, January 14, 2008

As a note, I have crossposted to VPT VPP V-proposal and the mailing lists. M-ercury at 23:27, January 14, 2008

Discussion

Given they are best placed to confirm need and monitor abuse, were this to be implemented I think it would need to be checkusers who granted/removed this permission. WjBscribe 23:29, 14 January 2008 (UTC)

Makes sense, no objections here. M-ercury at 23:29, January 14, 2008
I think limiting granting/removing to checkusers may be a bit much, as checkusers are necessarily limited to a small, trusted group of users due to the nonpublic data involved in checkuser requests, while the list of such requests is likely to become bigger than the small list of checkusers to handle - it may be best to make it an admin privilege like blocking/unblocking, but, like blocking, to require careful discretion and accountability by admins who twiddle the bit. Checkusers could still promptly remove the permission "per checkuser results" if checkuser data indicates someone is abusing the privilege, much like they block IPs being used to abuse. --krimpet 00:28, 15 January 2008 (UTC)
The IP exemption is an immunity to CheckUser - the editor will test positive for using the same IPs as banned users and vandals, or any other editor using proxies. If you know they're using proxies then you know the CheckUser results already. The point about CheckUsers being busy is a good one, but they are actually of no use at all in this process. I would suggest the editors would need community approval instead. The only real way to prevent abuse is to get them to lodge their real identity with the Foundation. -- zzuuzz (talk) 00:38, 15 January 2008 (UTC)
How is IP exemption an "immunity to CheckUser"? All it does is ignore blocks of IP addresses or ranges; the fact that the user has contributed through that IP addresss or range is still recorded. The reason CheckUsers are necessary is to confirm that a particular account is in fact editing through proxies and thus needs this exemption; it wouldn't be granted to users who don't need it, however trustworthy they may be, in order to keep things more manageable – Gurch 03:47, 15 January 2008 (UTC)
As I mentioned, all a CheckUser will be able to say is that anyone making use of the IP block exemption is using the same IP addresses as banned users and vandals. This will always be the case. You don't need a CheckUser to tell you that - they won't have any more information than the rest of us except the ability to match up the random cases where this has happened. Users on Tor don't stick to a single IP address, they are randomly assigned one from the same pool that vandals get one from. Existing vandals and sockpuppeteers use open proxies - anyone can use open proxies - this is a useless requirement for qualification for the exemption. -- zzuuzz (talk) 10:48, 15 January 2008 (UTC)
  • I would give myfull support to such a change in policy: I am one of the editor affected by the block in the People's Republic of China, as I spend a lot of time over there and will be moving back to Beijing in July this year for at least 12 months. I would hate not being able to edit Wikipedia. Poeloq (talk) 23:31, 14 January 2008 (UTC)
  • Having seen the introduction of rollback, well anyway... My first comment is that this will not be the great panacea it is intended to be or that some think it will be. It will not liberate all of China. We currently hardblock open proxies because they are used by sockpuppet vandals. We should therefore only be granting block exemptions to established editors (much much more so than rollback because only CheckUsers will be able to identify abuse), and hardly anyone from China will have any opportunity to become established. This proposal will however provide an excuse to systematically block open proxies, which will actually reduce the number of edits from Chinese users. -- zzuuzz (talk) 23:33, 14 January 2008 (UTC)
On second thoughts, not even CheckUsers will be able to identify abuse. All they will see is two or more established editors using the same IP address, and possibly a load of vandals and banned users using it too. I could have told you that. I'm not sure that they will even have any better insight than non-admins about who to give the bit to. -- zzuuzz (talk) 00:08, 15 January 2008 (UTC)
Users requesting exemption from anonymous blocks will in the first place have to have a good contribution history; this can trivially be checked by anyone via Special:Contributions. If an IP address is hard-blocked, vandals and banned users won't be able to edit through it. Only administrators and those with this permission can. Abuse of exemption will be easy to detect -- exemption only applies to indivdual user accounts, so the account can simply be blocked.
If a non-hard-blocked open proxy is checkusered, then one could concievably see a mixture of vandals and constructive contributors, and it is in such a situation that checkuser advice is required; while any administrator can identify and hard-block such a proxy, if it was being used legitimately as well, a checkuser could identify and grant exemption to any constructive contributors who were using the proxy but lacked exemption – Gurch 03:40, 15 January 2008 (UTC)
Open proxies are already systematically blocked despite many complaints. It would of course be nice to restrict proxy blocking to cases where actual abuse has occured, but it looks like that's not going to happen; and even if it did, this proposal would still improve the situation – Gurch 03:43, 15 January 2008 (UTC)
This proposal page followed a discussion about a new bot to enforce a total prohibition of Tor nodes editing. It would be relatively easy to make this bot. Currently a lot of Tor nodes do edit, many hundreds of them, and as a result we get a lot of good edits and a lot of good editors, including a lot from China. We currently have "free blocking" which reduces the abuse from Tor, systematic blocking is a whole other thing and one that this proposal encourages. -- zzuuzz (talk) 11:06, 15 January 2008 (UTC)
  • This won't solve all problems in all cases: it won't liberate China, stop Tor abuse, save the whales, etc., but I think it will be efficacious enough to the point that it's worth enabling on enwiki. It has my full support. GracenotesT § 02:52, 15 January 2008 (UTC)
  • Support 963% – Gurch 03:32, 15 January 2008 (UTC)
  • I also support this. It would be nice, as well, if the permission could be removed from admins at their request; I have no need for an ipblock-exempt permission, and being removed from that group would benefit me (I'd know if my IP was blocked, and would be able to do something about it, and it would also reduce the number of admin accounts that could be hacked into via open proxies). --ais523 13:54, 15 January 2008 (UTC)
That sounds good, if this proposal passes, then we can open a bug request on that, should not be a policy issue for self removal I don't think. Regards, M-ercury at 13:57, January 15, 2008
  • I've wanted this for ages now, so I support. --Deskana (talk) 18:07, 18 January 2008 (UTC)
  • I too have long thought this was a good idea. Support - granted! --Gwern (contribs) 21:03 20 January 2008 (GMT)
  • Support - I've spent some time weighing this up and, yes, we should do this. Regarding checkuser workload; yes, it's busy right now but the answer to that is to grant more checkuser privs rather than holding back on important policy. As checkuser, I'd be open to working this - Alison 21:10, 20 January 2008 (UTC)
  • Support - I thought this already existed but on second thought I realized it was an +admin can bypass all IP blocks thing. I see no reason why someone who isn't going to be an idiot cannot edit. Plenty of school IP's are shining examples of why user edit ability is a good thing -- Tawker (talk) 22:27, 20 January 2008 (UTC)
  • Oppose unless exemption privilege is given to admins (see "180 degree turnaround" below for rationale). Expanding privacy-invading CU rolls to accomodate something that can be dealt with reasonably by admins is bad policy (the same kind that is rapidly turning my beloved country into a land-of-the-no-longer-free police state). And I say this as both an admin and CU at English Wikiquote, who has fought those very clever vandals who would — will — take advantage of the lack of knowledge of admins. It's far too easy these days to succumb to the desire to swat all mosquitos with a tactical nuke just because a few of them are especially virulent. Let's try a more measured response first. ~ Jeff Q (talk) 00:33, 21 January 2008 (UTC)

Evidence that the world won't end, and a counter argument

All the major Wikipedias block open proxies (or things that look like them) such as Tor exits when they find them. But they are horribly ineffective at blocking tor exits. Users of tor can select particular exits to use, so we haven't blocked tor from dedicated bad guys unless we've blocked ALL exits. When I looked a few months ago (with User:Shadow1) we found there were thousands of unblocked tor exits. Yet, Wikipedia was not and is not overwhelmed with TOR abusing vandals. Given that, it would follow naturally that allowing an exemption for some named accounts should not cause the end of the world.

The best counter argument that I can muster is that so long as Wikimedia does not have robust SSL support, especially for login, and does not run its own TOR exit enclaves, we should be cautious in encouraging users to use TOR because they are far more vulnerable to password interception and other types of surveillance by unscrupulous exit node operators. If a user is only concerned with evading the Chinese firewall there are other more robust options, ... and tor itself is still highly vulnerable to blanket blocks by the Chinese government, they just haven't bothered yet.--Gmaxwell (talk) 23:43, 14 January 2008 (UTC)

Agree, perhaps when granting the right, we encourage them to use the SSL login, and make it robust. Regards, M-ercury at 23:45, January 14, 2008
Not sure if this technically possible, but I would allow only SSL login. Poeloq (talk) 00:10, 15 January 2008 (UTC)
Another counter to the argument that it should not cause the end of the world would be that a rubber-stamped certified ok-to-use untraceable sockpuppet system would be a far more attractive vector for abuse than common or garden TOR use. --bainer (talk) 01:21, 15 January 2008 (UTC)
Perhaps I misunderstand you, because I don't see that one: Since enwp has failed to block most tor exists anyone wanting such an account can just find an unblocked exit (picking one at random should work), and use that one to create an account. Then they can edit from it. Chances are they could continue that way for a long time without attracting any attention. If they happen to be the only user editing WP from that exit (not unlikely, Tor is painfully slow and at last count there were >>1000 unblocked exits) then a checkuser would look totally boring. Even with a couple of other users a checkuser wouldn't too different that checkusering a shared school IP. So in other worse it's pretty much always been possible in theory for a naughty user to use TOR to create an untraceable sockpuppet.
The 'certified ok-to-use' bit might still matter but if someone is going to break the rules do you think they care if part of their rule breaking is approved? --Gmaxwell (talk) 02:53, 15 January 2008 (UTC)
Just to clarify, editors are permitted to edit via a proxy, until that proxy is blocked. This would just grant a technical blocking exception on a per user basis. I don't see any "approved rule breaking" here. Please fix me if I misinterpret you. Best regards, M-ercury at 03:01, January 15, 2008
I think one of the main reasons that we haven't set up a bot to block every Tor node that can exit to Wikipedia is because of users in nations like China who rely on them to be able to edit. Once this is implemented, there's really no reason not to, and there is already some ongoing discussion on the best way to do it. This proposal has my support. Mr.Z-man 02:38, 15 January 2008 (UTC)
No, it's because the community won't let a bot run with admin rights. Open proxies are hard blocked on sight. Period. Mackensen (talk) 05:26, 15 January 2008 (UTC)
Mackensen is correct that they aren't blocked simply because the community won't let a bot run with admin rights (there have been two RFAs exactly for this, afair). China is not a good argument: Have you ever used Tor? It's SLOW. There are better proxies available. Tor is currently as vulnerable to blocking by China as Wikipedia. Although "open proxies are blocked on sight. Period." is perhaps somewhat misleading, since the majority of Tor, the highest profile open proxy network, is not blocked. More like "We claim to block open proxies, but we're not very effective at carrying it out". --Gmaxwell (talk) 20:17, 15 January 2008 (UTC)
What they said. I don't see any reason for this proposal. The only way someone could get access is if their connection info is already known (has to be an already trusted user, remember), which negates the whole point of the Tor access. SirFozzie (talk) 00:32, 16 January 2008 (UTC)
Regarding unblocked tor, you're right. There are presently about 650 tor nodes that allow wikipedia access, and, about 200 of those are presently blocked (right around 30%). SQLQuery me! 21:03, 15 January 2008 (UTC)
I'm not sure how you're generating TOR exits, but you're doing it wrong. ;) You should use the exitlist python script [1]. Against my current cached tor node directory I see 1800 exits that can reach one of the five WMF entrances (203.212.189.253:80, 91.198.174.2:80, 66.230.200.100:80, 66.230.200.219:80, 66.230.200.219:443). When I looked some months ago, there were a a few more exits and only about 10% blocked. Still, in either case.. as I said.. We don't actually block tor, at least not very well. --Gmaxwell (talk) 21:20, 15 January 2008 (UTC)
I do use the py script, then, I filter off the blocked ones, however, I don't check all WMF sites... Just 66.230.200.100, hadn't thought about any of the others :) SQLQuery me! 05:24, 16 January 2008 (UTC)
BTW, even checking ALL exits, 20% come up blocked. SQLQuery me! 05:25, 16 January 2008 (UTC)

Of course, hard-blocking all of tor would only be two lines in the configuration file, if anybody could be bothered to gather consensus for that... — Werdna talk 11:12, 24 January 2008 (UTC)

From your statement, I gather you don't know how Tor really works with discernible exit policy? How is two lines gonna be smart about what to block, and what not to block? Two lines, many ramifications. Think about it. Mercury (talk) 13:26, 24 January 2008 (UTC)
I know how tor works. I also know that there are dns blacklists which list all tor nodes, and that I have, myself, modified the DNS blacklist functionality in MediaWiki to accept arbitrary dns blacklists. — Werdna talk 23:37, 24 January 2008 (UTC)

Merge

Should this be accepted, it should be made part of Wikipedia:Open proxies instead of a separate policy page. —{admin} Pathoschild 00:14:08, 15 January 2008 (UTC)

If this were accepted Wikipedia:Open proxies could basically be cut down to "Open proxies may be blocked for any length of time to deal with abuse", since most of the policy page is about the problems it causes. I'd be inclined to turn both that and this into a single paragraph in the blocking policy – Gurch 03:31, 15 January 2008 (UTC)

Not just for proxies

A few years ago I found myself blocked for a month because someone living in my city and using my ISP (Earthlink via dialup) was constantly vandalizing, socking, and switching IPs. The blocking admin would exempt my IP but I would find myself reblocked the next time I connected to my ISP.

I would support such a policy as it would allow established editors to keep editing even if somebody else who just happens to use their ISP is being an idiot.--Ron Ritzman (talk) 01:53, 15 January 2008 (UTC)

Altered proposal accordingly – Gurch 03:27, 15 January 2008 (UTC)

Checkuser vs. Admin

There was some question on who should assign the right, here is what I think would serve. At first, we will have the checkuser group do it, and if the requests become many, we can propose the change to allow admins to do this thing. I think this compromise works, for know, with this especially new feature. M-ercury at 02:47, January 15, 2008

Are you anticipating a lot of requests? If this is implemented I would anticipate only a handful of requests over a period of many months. And as stated above, it is really necessary for checkusers to handle this in order that abuse can be detected and dealt with – Gurch 03:30, 15 January 2008 (UTC)
Not really anticipating a lot. I was only addressing the above question of who. I still agree CU would be best here. M-ercury at 03:46, January 15, 2008
CU does seem appropriate since CUs would presumably be checking for something... (but what? I may be a bit hazy on that part, what is a valid vs. an invalid request here?) I can see the load growing quite a bit which is not necessarily a bad thing. The usual trappings of clerks, process, formatted requests, templates, little symbols to express dismay, outrage, approval, confusion, etc. presumably would arise as well? ++Lar: t/c 04:32, 15 January 2008 (UTC)
Lets hope not. I think a {{done}} userright changed. ~~~~ Or {{not done}} ~~~~ would suffice. When it comes to checkuser information, not all need be explained. M-ercury at 04:48, January 15, 2008
The valid or invalid is really up to you. However, a check to see if the user has edited thru proxy computers to validate the request, or a check revealing strong technical evidence to support a finding of sockpuppetry to invalidate a request, might be suggested. Regards, M-ercury at 04:49, January 15, 2008
That is basically the reason. To keep things manageable, we would only want to grant this to people who have a genuine need for it, not just anyone who is trustworthy. If someone really wants to be exempt from such blocks despite not having a good reason to be, they'll have to become an administrator – Gurch 05:05, 15 January 2008 (UTC)
I'd want some idea of what should be checked for, this seems very nebulous and open ended to me. ++Lar: t/c 00:02, 16 January 2008 (UTC)
Open ended to allow for your judgment. If an editor can show you good cause, you can grant the right. "I edit from China and need to use Tor, here is my account with contributions" would be something you might be presented with. Absence of any pattern of abuse, and if you are convinced that the request is genuine then you grant the right. M-ercury at 00:17, January 16, 2008
Hmm... so basically just a feel good/not feel good call about the whole thing? That's more nebulous than ever. And subject to a LOT of second guessing and monday quarterbacking. ++Lar: t/c 00:35, 16 January 2008 (UTC)
This has far, far too much potential for abuse for all admins to be able to hand it out. If I want to establish a farm of 20 socks, I just have to convince 20 admins via email of my private sob story on how I am in fear for my life and want to edit Wikipedia privately yadda yadda yadda. All of a sudden, I have 20 socks that are block-proof and can never be tied to each other. This has got to be restricted to a small group that can verify stories. --B (talk) 05:36, 15 January 2008 (UTC)
"Block proof"? IP block exemption only allows users to edit through hard-blocked IP addresses. There's nothing to stop the account itself being blocked directly – Gurch 05:38, 15 January 2008 (UTC)
Yes, but you wouldn't know they are socks ... whereas right now, the socks get autoblocked because they are all on the same IP. --B (talk) 05:48, 15 January 2008 (UTC)
Bear in mind that certain people will no doubt be watching the contributions of IP block exempted users like a hawk, and even the slightest bit of misconduct is sure to lead to demands not only for a block but also for a checkuser, which would reveal any other accounts they may be using. Checkusers are run so frivolously these days that I would expect one would be standard practise in the event of abuse from an IP exempted user – Gurch 05:58, 15 January 2008 (UTC)
  • Remember that the exemption applies to all IP editing, not just proxies, and checkusers will be able to (and have in the past) detect users sockpuppeting from normal IP addresses. Such as a user who created vandal username accounts and committed petty vandalism and then logged back in under his own name to revert and report it. Checkusers are not entirely powerless when it comes to tor either; I was discussing a problem with a checkuser and he asked me to check the contributions of three named accounts, and it was clear from their behavior that they were the same person even though they used tor (and as a matter of fact had used the same exit node consecutively). Thatcher 11:56, 15 January 2008 (UTC)

Editors who could be admins

IP exemption sounds like a very nice thing to offer a limited number of highly trusted users. Admins get it automatically now. Is there a way, without creating a whole new RFA-like bureaucracy, to offer it only to highly trusted users, the sort of editors who would likely pass an RFA but for whatever reason do not want to be admins? We should include community discussion as well as having a checkuser rule out any obvious problems. Making it solely a checkuser problem does mean that editors with behavior problems might slip through if a quick check shows nothing obvious, as pointed out above. Thatcher 12:00, 15 January 2008 (UTC)

I don't think this is the right path. I would prefer a simple "May I have the bit for such and such reason". With a CU responding, Yes. or No. Regards, M-ercury at 13:10, January 15, 2008

Publication

Mercury mentioned that this has been mentioned at WP:VPT, WP:VPP, WP:VPR, and the mailing list. It is also currently posted at WP:CENT. A {{watchlist-notice}} was proposed but is currently holding off pending more time. (I see that as a good thing. In my experience, trying to get all of Wikipedia to comment at once overloads things.) Some other places this can be eventually mentioned include: WP:RFC/POLICY via {{RFCpolicy}}; Template:Announcements/Community bulletin board; The Signpost. • One other suggestion: If at all possible, avoid turning this into a vote. Voting/polling tends to turn discussions into a "me-too" fest which actually impedes discussion and determination of consensus. Instead, strive to turn the proposal page into an unbiased presentation of the idea, supposed benefits, and objections and potential pitfalls. Encourage any opposition to bring their objections to this talk page, and factor those into the proposal. In other words, apply WP:NPOV to the project page. If a vote must be called, it should be the last thing done, after all discussion has finished. —DragonHawk (talk|hist) 14:46, 15 January 2008 (UTC) --MZMcBride (talk) 20:26, 15 January 2008 (UTC)

I really don't think that this needs a huge amount of people to comment before implementation. For one, its a bit technical, and if the rollback discussion and the bot RFA's are any indication, trying to bring as many users as possible into a semi-technical discussion leads to unfounded paranoia about things that are extremely unlikely and often impossible to happen. Unlike rollback, this really has no impact whatsoever on the actual workings of the encyclopedia and if executed right, the only people who would notice are the users who need it and the checkusers granting it. Does anyone know if this was sent to the checkuser mailing list? (though I would bet most or all have seen it elsewhere if not) Mr.Z-man 02:24, 16 January 2008 (UTC)
I have asked Alison to forward my email to the mailing list, to checkuser-l. M-ercury at 02:30, January 16, 2008
Mr.Z-man: While I fully agree that "discussion overload" can be a problem, waiting until after implementation can be worse. One way to help allreviate the overload problem is by staggering notices over time. I'm certainly not suggesting everything happen at once. Time is good. There is no deadline. • In general, I find that dismissing objections as "unlikely", "impossible", etc., tends to inflame passions rather than clear the way (it's my belief that's part of the reason such controversy sprung up around RfR; many people were too quick to dismiss comments rather than accept them as earnestly held viewpoints). I suggest addressing any objections head-on: Note them in the proposal, along with counter-measures (and any potential pitfalls with those, and so on), taking care to remain objective. Anticipate discussion rather than trying to squelch it. Presumably, an uncontroversial, well-explained proposal will meet with little objection. If significant numbers of people don't understand it, arguably, the proposal is unclear. —DragonHawk (talk|hist) 03:49, 16 January 2008 (UTC)
I'm not trying to squelch discussion, I'm just suggesting scale. Do we really need 500 people to come and comment on a proposal, that if implemented, most won't notice or be affected by? By default, all admins are IP-block-exempt. I can only think of a couple of RFAs where it has ever come up as part of any discussion of admin rights; its more forgotten about than the unwatchedpages userright that admins have. I'm sure there would be dozens of reasons to oppose this, all of varying degrees of helpfulness/relevance to the proposal: checkusers are too busy, checkusers should not be granting user rights, I don't trust the checkusers, not an open enough process, its not broke so don't fix it, we have too many user rights already, too much bureaucracy, not enough bureaucracy, we don't need sub-admin levels, they should just apply to be admins, too easy to abuse, too strict, etc. Its posted to 3 Village Pumps, at least 2 mailing lists, and WP:CENT - its hardly hidden. Mr.Z-man 04:25, 16 January 2008 (UTC)
And Wikback, I posted to wikback also. :) M-ercury at 05:09, January 16, 2008

180 degree turnaround

There should be no reason to fuss over this, and no particular reason to involve checkusers. Suppose User:Joe Fakeman is a good-hand sockpuppet for the worst vandal ever, and he convinces someone to give him the exemption. He can still only edit from the named account, and if that account vandalizes, the exemption should be immediately revoked. As long as tor nodes are aggressively hard-blocked (bot please) there should be no problem exempting as many named users as we want, because as soon as they start acting up, they can get canned. And, if the nodes are hard blocked and account creation blocked, the only way this person could create new accounts is by logging in, so the creations would all be logged and easily traceable. Thatcher 00:51, 16 January 2008 (UTC)

I agree with Thatcher's point on this one. Admins can easily block misbehaving exempted usernames, and therefore might as well be able to grant and revoke these individual exemptions. Yes, clever vandals can come up with ways to mess with this system, as they can with any system we implement. But checkusers can still deal with these — unless this necessarily tiny community is too busy making decisions on exemptions. I think that we're more likely to allow the rare clever bad guys (as opposed to the common variety of persistent vandals) to overwhelm our system if we assign this task to the smaller community entrusted to fight those really devious folks, than if we give it to the much larger crew to handle a permission that is self-limiting. ~ Jeff Q (talk) 00:20, 21 January 2008 (UTC)

Inactivity Expiry

Just a quick thought, I wouldn't want to see a naughty person gather a number of accounts with ipblockexempt in order to create trouble on-wiki (as far fetched as this is) so perhaps we could have ipblockexempt expire after a period of in-activity, it would be simple enough to re-activate ipblockexempt upon a user returning, just a thought to try and stop a number of dormant accounts with ipblockexempt from building up. Nick (talk) 00:56, 16 January 2008 (UTC)

There's no current software mechanism to do such a thing, so you'd either have to find a developer to create one or use a bot. --MZMcBride (talk) 04:43, 16 January 2008 (UTC)
A bot would be the most sensible idea, I think. The developers wouldn't want to write and commit something like this, I don't think. Nick (talk) 10:13, 16 January 2008 (UTC)
Recently, a quite flexible mechanism was added to MediaWiki for automated usergroup promotion. Currently it can only key off edit count, registration time, and whether you have a validated e-mail address, but it would be very simple to expand it slightly to allow dependence on date of last edit. Then the appropriate autopromotion policy could be configured straightforwardly. —Simetrical (talk • contribs) 02:48, 22 January 2008 (UTC)
Couldn't they still be blocked directly? SQLQuery me! 06:41, 16 January 2008 (UTC)
Yes, they could. The only difference between regular sleeper accounts and ipblock-exempt sleeper account is that it might not be possible to equate the latter accounts by checkuser – but then again, if a sufficient amount of time has passed (CheckUser data expired), the former would not be possible as well. Now, Nick, what do you mean by "trouble on wiki": mass vandalism, or sockpuppetry? In the case of the former, most vandals would not have the patience for that. In the case of the latter, well, we do have some effective social mechanisms to find sockpuppetry. GracenotesT § 16:38, 16 January 2008 (UTC)
It would be just as possible to equate them by checkuser as it would be to equate any other users by checkuser. Ipblock-exempt doesn't hide IP addresses from checkusers, merely from the blocking system – Gurch 01:52, 17 January 2008 (UTC)
If one person was to build up a number of accounts with ipblockexempt, they could theoretically go on a short term vandalism spree or indulge in long term block/ban evasion or long term sockpuppetry. Ipblockexempt, permitting a "bad" user to edit through blocks on their own IP address or through proxy servers could be exceptionally difficult to spot through checkuser. The least we can do is make sure that once an account is given ipblockexempt, it doesn't stay with the permission when it's unused, and it forces users who wish to use accounts with ipblockexempt to have to keep keep editing if they want to keep the permission, which always gives a little more evidence, whether it's the areas of editing, language used or times of edits. Nick (talk) 19:39, 17 January 2008 (UTC)
Why would it be difficult to spot through checkuser? IP block exemption doesn't hide information from checkusers, only from the blocking system. If a known "bad" account is blocked for vandalism, or whatever, any other accounts that have edited through the same IP address(es) can be found by checkuser – Gurch 10:26, 19 January 2008 (UTC)
If a known bad account is blocked for vandalism, any other accounts using the same IP are likely to belong to other people, and any other accounts owned the same vandal are likely to be used on different IP addresses. Open proxy IPs can be switched in seconds, and Tor changes IP regularly anyway by default. CheckUsers will only be able to tell you that someone is using an open proxy, which is something we already know because they have been given block exemption. Precisely which open proxy they used is not relevant. -- zzuuzz (talk) 11:41, 19 January 2008 (UTC)

Question regarding Tor exit nodes' exit policies

Is it possible to determine the exit policy of an individual Tor exit node? With regards to blocking Tor nodes, it would be (in my opinion) unfortunate to block Tor exit nodes whose exit policies deny requests to Wikipedia - as the exit node operator would then be blocked from editing Wikipedia. --Iamunknown 06:09, 16 January 2008 (UTC)

It is, and, I do so regularly, using a simple python script. SQLQuery me! 06:31, 16 January 2008 (UTC)

Consensus?

This proposal strikes at the heart of long standing policy about the use of proxies. Recentish RFAs have failed simply because the community was not willing to grant the bit to users who were editing through TOR and open proxies. Serious concern was raised about the use of proxies to allow the creation of good hand accounts for the purpose of obtaining adminship. The recent fuss over the implementation of rollback shows that there is a sizeable chunk of our community who were uncomfortable with the way that ""consensus" was determined. In short I see lots of potential for drama, disruption and alienation of users with this proposal. My question from this is simple. Is this a solution in search of a problem or the other way round? How many users will be affected by this and how many will choose to apply for this. Does this number justify the drama that will ensue? Spartaz Humbug! 07:39, 16 January 2008 (UTC)

I can't give you a number of how many users will be affected by this, and I don't know how to relate rollback to this discussion. I'm not so much concerned with "zOMG dramaz!" as I am with the editors ability to edit. So I won't. But I can tell you that consensus has changed to how we deal with proxy editing, and how we block them. This is a technical solution to allow folks to use Tor, for editing over blocks. M-ercury at 13:15, January 16, 2008
I realise you are not concerned about this but we have recently seen that we cannot predict how the community will react to new catagories of user and we are basically setting up another group of "trusted" users beyond the usual editing community. I'm seriously concerned that this has the potential to create further strife. What steps are you proposing to ensure this doesn't happen? I'm thinking of wider community feedback as there doesn't seem to have been a particularly wide number of editors weighing into this proposal. Any suggestions? Spartaz Humbug! 19:28, 16 January 2008 (UTC)
We, as a community, made (or are making) a choice to block Tor nodes, so we should also be able to selectively allow certain users to bypass the block(s). This proposal is a fine-tuning of blocking mechanisms we already entrust to admins: we've come a long way since the only "option" available was hard-blocking IPs! User groups are not evil; having more of them is not evil. If the community reacts negatively, it is likely because they attach more weight to user groups than actually exists. If you don't have the time to read through the lengthy archives of WT:NOP (I doubt many people do), I can assure you as a participant in those discussions that the issue of open proxies editing Wikipedia is a problem in search of a solution, and that this is a reasonable solution. As with rollback, the devil is likely in the details (especially bikeshed-painting details), but we'll work it out. GracenotesT § 00:43, 17 January 2008 (UTC)

Consensus.

It appears discussion has died down, and in the discussion, overwhelming support in the form of arguments, counters, and comments were presented. I'm going to tag policy, and if that is stable for a while, I'll open a bug. Regards, Mercury at 19:53, 18 January 2008 (UTC)

It appears East would prefer more time. Mercury at 20:19, 18 January 2008 (UTC)
Yes, four days of discussion among a limited group is far too little to declare policy. east.718 at 20:21, January 18, 2008

This was posted at the Village Pump. What more do you want? I'm all for it. MB83 (talk) 09:55, 19 January 2008 (UTC)

Its been posted for a bit, I'm changing it again. Regards, Mercury at 19:20, 20 January 2008 (UTC)
Fine by me. --Deskana (talk) 19:34, 20 January 2008 (UTC)

Seems far too early to call consensus to me. I don't think any of the concerns I had were handled to my satisfaction. ++Lar: t/c 19:39, 20 January 2008 (UTC)

I looked at the history of the page and see that it's been moved to consensus more than once, and reverted. I don't really think consensus has been achieved so I've moved it back to "proposed". If someone else reverts me so be it but really, you don't have consensus yet and you're fooling yourself if you think you do. ++Lar: t/c 19:43, 20 January 2008 (UTC)
You have reverted because your concerns were not addressed? Could you please rephrase your concerns and I'll do my best to help. Consensus here is to promote, however, we can address your concerns. As an aside, will you strike the fooling yourself comment, it was not that nice. Best regards, Mercury at 19:47, 20 January 2008 (UTC)
Mercury - basically what Lar said. It's too early to call consensus and the checkuser community needs some time to weigh in on this one. We're currently in discussion on the matter and I'll get back here soon with my own comments - Alison 20:10, 20 January 2008 (UTC)

I reverted because I don't think this is a broad enough group of people to say that a policy as important as this one has consensus yet. It needs wider mentioning, (perhaps multiple times in multiple places, AN, AN/I, the signpost, VP multiple times, etc.) and a longer discussion period. What's the rush??? I think people who think that 4 days of discussion among a group this size means consensus was did [1] are indeed fooling themselves. That is not meant to be disparaging, it's just an honest assessment. After the rollback fiasco I'd be very very leery of calling consensus on policy matters hastily. I also commented on the bug, I think you were way premature there, I would suggest you wait a week after you think there's consensus before you tell a developer that there is, rather than a day or two. That way lies danger. ++Lar: t/c 19:56, 20 January 2008 (UTC)

I understand, an thank you for the clarification. I've rolled back (no pun intended) the bug to a resolved LATER status per your comments here and there. I will mention the discussion again at the venues and re enable the watch list notice editprotected.
Will you restate your concerns that were not clarified, I want to help answer them. Best regards, Mercury at 20:02, 20 January 2008 (UTC)
  • I have made another set of targeted announcements to three village pumps, AN, and the two mailing lists. The discussion remains spammed to T:CENT. Regards, Mercury at 21:01, 20 January 2008 (UTC)

Came here from the mailing list. I like the proposal and I also like limiting the ability to toggle this permission to checkusers. DurovaCharge! 22:12, 20 January 2008 (UTC)

To be clear, I like the general idea of the proposal. I also like the idea of this not being handed out by admins, it's sensitive. I'm just concerned that it isn't sufficiently fleshed out yet (more details, but without actually creating a labrinthyne process might be good) and that sufficient time hasn't gone by. Since M has indicated a repeated call for more input just went out, if after a week there still isn't much more input I'll set it to policy from proposed myself! :) ++Lar: t/c 22:52, 20 January 2008 (UTC)

I agree with Lar, but could we make this a hidden permission (or at least concealed in some way) so that we aren't clogging Special:Listusers? That would require a software change. Prodego talk 00:33, 21 January 2008 (UTC)

I like this proposal very much. ViridaeTalk 01:39, 21 January 2008 (UTC)

Consensus can change. If it has consensus now lets just make it policy, if consensus changes later then we can change it. If people here agree it is good to go I see no point in waiting for detractors when the discussion has all but stopped. It has been days since anyone talked here about anything except if it has consensus or not. The very worst that will happen is that a user in good standing will use a blocked IP to vandalize and get their account blocked, if someone is foolish enough to do this then they would have found a way without this policy. (1 == 2)Until 01:56, 21 January 2008 (UTC)
Until, I'm afraid you missed my objection and comments above, just posted a few hours ago. To make the point clearer, I will say here that I oppose both quick approval and using checkusers instead of admins for granting exemptions. The very worst that could happen is we unnecessarily add lots of work for checkusers, and/or add lots of checkusers to do stuff that admins can do, increasing the invasion of privacy without a compelling reason. Since my above posts may have been overlooked and likely to be missed, I'll post a detailed argument below that I recently sent to the CU maillist that addresses some of the concerns and rationalizations in the above discussions, and which I hope makes a good case for giving admins the exempting rights. ~ Jeff Q (talk) 03:27, 21 January 2008 (UTC)
I have addressed below. Mercury at 03:53, 21 January 2008 (UTC)
I did not mean to imply there was 100% agreement on the issue. I consider your concerns valid ones, I will look further into the section below. (1 == 2)Until 04:29, 21 January 2008 (UTC)

  1. ^ an old joke

Exemption by admin, revisited

A parallel discussion on this topic is going on on the Checkuser maillist. One of our esteemed CUs suggested giving the responsibility to checkusers instead of admins was no problem, as the Arbitration Committee had "plenty of people it can promote to checkuser should people find that the workload is too much". I responded with the following tract, which repeats some of what I've already said above but hopefully makes a more comprehensive case for the larger issue.


What scares me is how easily we fall into the idea that more and more privacy invasion is no big deal. The U.S. government's ability to tap anyone, anywhere, without court order or oversight, is also a very useful tool, authorized and implemented by people with good intentions. That doesn't guarantee it will necessarily be used appropriately even by honest public servants the public has explicitly trusted with these responsibilities. Some common laws of human behavior:

  • Anyone given the power to approve or reject people's activities will eventually abuse it, or worry that they may have done so.
  • The greater the workload, the less careful the workers will become, out of simple necessity.
  • The more who have power, the more often abuse of that power will occur.

Because of these laws that even honorable people are subject to, Checkusers should only be doing things as CUs that cannot be done without the information they are permitted to retrieve. One the other hand:

  • IP-block exemptions accidentally given to even the cleverest vandals can be stopped by admins based on hard evidence of misbehavior by the exempted usernames.
  • Vandal sleeper sockpuppets that manage to get exempted can create new vandal usernames, but those new usernames won't be able to use that IP.
  • If vandals are going to create a username for other, unblocked IPs, they have access through those IPs and would them instead. Any vandal stupid enough to use an exempted username for sockpuppet creation would reveal the connection to admins without CU help.

The only reason to call in a CU would be if a large number of exempted usernames were vandalizing similarly or contemporanenously, but this is no different from calling in a CU for any large-scale vandalism. In both cases, the CU would then reveal the connection and/or block all relevant usernames (or request blocking if they aren't admins themselves). Therefore, there is no compelling reason to require CUs to grant the original exemptions.

B's suggestion above under "Checkuser vs. Admin" that there will be clever vandals who will lay out 20 sockpuppets and talk 20 admins into granting exemptions is quite possible. But that's a lot of effort for a vandal to go through, and doesn't change the fact that each sockpuppet is easily blocked by the vastly larger number of admins. And if even one of those 20 admins found the application suspicious, they could call on a CU who would then reveal the connections. Such situations will almost certainly be a small fraction of the exemption cases, just as vandals in general are a small fraction of the editors. (I'm sure it doesn't seem that way to some CUs, but remember that when you're a cop, you have a tendency to look at every unusual situation with suspicion. It's just an innocent instance of selection bias.)

In summary, the scale fits assigning the rights to admins much better than to CUs. Adding to the CU rolls just to manage this exciting new possibility is a frightening expansion of privacy invasion, following another law of human behavior:

  • In times of hardship (real or perceived), we sacrifice principles for immediate solutions, no matter the consequences.

Which reminds me of one of my favorite quotes, usually attributed to Benjamin Franklin:

  • Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.

Let's try letting the admins do this gatekeeping on the basis of demonstrated previous and subsequent good-faith editing, instead of assuming bad faith by expecting the CUs to vet each and every exemption applicant. We can always change this later if we discover a significant and otherwise unresolvable problem with this implementation.

I neglected in that rant to point out that what we decide here will also affect all other projects, many of which don't even have checkusers yet. Requiring a CU for exemptions would prevent those projects' admins from granting editing privileges to usernames with established good-faith histories that are being inadvertently blocked by IP and range blocks — often far larger and more common on smaller projects — and therefore adding to the burden at m:RFCU, all for the sake of perceived future problems with a very small subset of vandals.

I hope that we will consider these points carefully before we rush to declare a consensus of 32 out of millions of editors who may be affected by this policy. ~ Jeff Q (talk) 03:45, 21 January 2008 (UTC)


Most of your argument assumes here that CU work is a privacy invasion. It is not, and they work within the checkuser policy, and the privacy policy. You also seem to assume that if we limit the exemption granting the authority to the CU group, they will abuse it and be less careful with it. I'm not sure how to relate your argument here. This proposal exceeds neither policy. Perhaps why the argument was overlooked, is because it relates only loosely to the proposal. Mercury at 03:52, 21 January 2008 (UTC)
Um, what would the privacy invasion be? The people who will get this are people who need to edit through open proxies or who get autoblocked often so all checkuser will show are open proxies or ISP proxies. Whatever we decide here only affects this project. If other projects want to copy this verbatim they are more than welcome to, but AFAIK no other project is considering it. If they don't have checkusers, they probably don't have much abuse to deal with and could have admins grant it, or they could ask a steward. If a user asks an admin for IP-block-exemption, admins have no way of knowing if their IP address is even blocked. Mr.Z-man 04:14, 21 January 2008 (UTC)
Excellent point Z. If I were in the position to be requesting the permission to exempt a block on ip's for my username, I would feel much better telling a CU the information of why I would need one than anyone else. CU's are tooled better to handle my confidential information because of the work they do. This of course does not imply that any other usergroup (admin of otherwise) is less trustworthy. Mercury at 04:20, 21 January 2008 (UTC)
I don't see any privacy violation from the checkusers, their abilities are well within the privacy policy that Wikipedia advertises. IPs are commonly shown by default on many forums and we go above and beyond to allow our users to be anonymous. You claim that there is concern about abuse, but I don't think our checkusers have a reputation for abuse, nor would this tool be much use compared to their other ones if they chose to abuse it. (1 == 2)Until 04:33, 21 January 2008 (UTC)
[Edit conflict] Checkuser work is an invasion of privacy, authorized by the Foundation for a very, very small number of users highly trusted by their communities to help defeat widespread, persistent, technically advanced vandalism. It violates a basic principle of Wikimedia that people should be able to edit anonymously, and was done solely to defeat manifestly malicious editors who have learned to use WMF's privacy policy against the projects.
But just because something is policy doesn't mean it isn't open to unintentional abuse. Community trust, mature judgment, and even experience does not make people immune from error. The problem is not that people are bad, it's that exigency inevitably leads to questionable use of authority by even the most responsible people. Frankly, I don't believe such authority should be given to anyone who doesn't constantly worry that they might be tempted to use it too much or too broadly.
Because of this, our checkuser staff should be kept as small as possible, and what we ask of checkusers should be limited to those things that only checkusers can do. We should give the right to approve exemptions for IP blocks (which will include a growing number of people editing from China, a country supposedly with over 200 million Internet users) to the much larger set of editors who are already trusted to make judgments based on usernames' edit histories (including deleted contributions), with CUs stepping in only as requested or needed. This reduces the pressure to grow the ranks of authorized privacy invaders. As both an admin and a CU, I strongly feel this is the right approach.
If I'm wrong, and vandalism-by-exemptee overwhelms the admins (and the CUs by their indirect participation), exemption granting can later be shifted to CUs. But the opposite approach — giving it to CUs and shifting it down to admins if we change our minds — would be harder. Taking power away from the powerful (and CUs are surely among the most powerful users on their projects) is always politically difficult. It's best not to grant it until the need is clear and the goal is unachievable by other means. ~ Jeff Q (talk) 04:42, 21 January 2008 (UTC)
How many requests for exemption do you anticipate? I anticipate only but a handful. Should be plenty enough for our CU workgroup without encouraging them to take shortcuts and abuse the system, which I don't think the current group has. Mercury at 04:55, 21 January 2008 (UTC)
I'm going to take some time off from this discussion because every time I try to edit, someone else has already rendered my responses obsolete and incomplete. So take your best shots , but please try to read my concerns as based on general principles, and not accusing anyone of active abuse. ~ Jeff Q (talk) 05:11, 21 January 2008 (UTC)
The USA, UK, Australia, and New Zealand have millions of internet users as well and English is the first language in those countries, yet we only have about 5-7000 active users. The main problem I see with admins granting is "How do admins know?" If someone asks me for this privilege, I don't know if they are actually a Chinese user, a sleeper account who wants to avoid autoblocks, or a user who wants it "just because." Part of the reason for allowing only checkusers to grant it is to limit the usage. If admins grant it simply based on previous good behavior it will be given to lots of people who do not need it. If only CUs can grant it, it will only be given to people who actually have a need. Mr.Z-man 20:35, 21 January 2008 (UTC)
I disagree with your first point "Checkuser work is an invasion of privacy, authorized by the Foundation". The authorization comes from the users themselves. First the user willingly reveals their IP and the time they used it when they connect to any website. Second there is a clearly marked button at the bottom of every page that says "Privacy policy", this describes in detail how and when their personal information will be used. There is no invasion of privacy, no more than a store with a video camera and a sign informing you of such. If the concern is potential abuse then that same concern applies to any special tool. (1 == 2)Until 16:17, 21 January 2008 (UTC)

Based on Jeff Q's input here and on the CU list, I've changed my view. I now think that CUs should only be asked to give information about this if there is a need, (with the idea that sometimes there may not be) but that they should not be deciding on this themselves. Leave that to admins, and leave the CU role as a consultatative one... This seems better to me. ++Lar: t/c 16:48, 21 January 2008 (UTC)

What would be a situation where there is no need, if we only grant it to people who need it, rather than people who only want it? Mr.Z-man 20:35, 21 January 2008 (UTC)
Mr.Z-man, are you talking about the need of editors for exemption, or the need of exemptors to examine CheckUser data? Either way, I respectfully suggest that it isn't obvious how to determine if someone "needs" this information, at least without defining the scope of the situations in which people would make requests, and keeping in mind that there is no foolproof way (even with CheckUser) to ensure the applicant is requesting exemption in good faith. In fact, I'm greatly troubled by the faith that some here who aren't CUs seem to place in the clarity of CU data and the infallibility of the checkusers. (I'm not talking about irresponsibility — I'm confident that every one of our CUs is very responsible — but I can assure you that, as with any human enterprise, errors can and do happen.) ~ Jeff Q (talk) 21:13, 21 January 2008 (UTC)
I'm talking about the need to examine CU data. I know checkuser is not perfect, but its better than nothing. Checkuser can't search for good faith, but it can determine with a much better degree of certainty than an admin's guess whether or not a user needs an exemption. Mr.Z-man 21:56, 21 January 2008 (UTC)
I have faith in the system and the checkusers. There are systems in place to prevent abuse. They work. Mercury at 21:40, 21 January 2008 (UTC)
Mercury, your summary for the above edit said: "I am trobled [sic] by the lack of faith shown by one non-cu". I thought I was being obnoxious by saying this in several places, but apparently I still haven't been clear enough. I am a checkuser. I work with Aphaia on all enwikiquote CU actions, and discuss practices and cross-project situations — including enwiki ones — with other projects' CUs in private communications and through the CU maillist. I know the challenges and limitations of this responsibility from regular exercise of it.
For the record, of the active CUs I've seen post here thus far, Deskana seems to share your untroubled confidence in our practices and the opportunity to apply them here; Alison is also eager to tackle this but agrees that we need time for more discussion, especially on the CU maillist; Lar seems satisfied with the general plan but has apparently caught my concern about expecting CUs to be the gatekeepers; and I remain a voice of opposition, mainly to ensure that we don't act without careful consideration of all the consequences. (If I misrepresented anyone's position, I ask them to correct me.) That leaves 89% of the enwiki CUs and 99% of the remaining non-Steward CUs who have yet to comment on this responsibility you're so anxious to hand us. (It's naive to suggest, as Mr.Z-man does above, that English Wikipedia's decision on this does not affect all the other projects, as it is the 800-pound (400-kilogram) gorilla of Wikimedia when it comes to developer implementation of policy changes.) I'm fairly sure we'll see this policy implemented in some form in the imminent future. I just believe that yesterday is needlessly hasty.
I notice from your curious user-rights and other log history that you may have personal reasons for wanting to improve the mechanisms for sifting good-faith editors from imposters and other miscreants, so I can certainly understand your impatience to "git-r-done!", to quote Larry the Cable Guy. But to paraphrase William Congreve: ratify in haste, repent in leisure. ~ Jeff Q (talk) 04:02, 22 January 2008 (UTC)


I was with you the whole time in this last post of yours, until you mentioned my curious user rights and log entries. Lets stick to the subject at hand and not person type stuff like my logs. I'm here for the project.
What do you think about Lar's suggestion with administrators toggling the button, and CU's acting in a consultative role? Mercury at 04:49, 22 January 2008 (UTC)
Sorry about the odd comment; it did seem like a non-sequitur in retrospect. (Apology made on Mercury's talk page). As far as Lar's suggestion, that's what I've been arguing for, should we decide to implement this exemption system. For the latter decision, I'm too preoccupied offline to do this discussion justice right now, so I'll have to accept what everyone else decides. I'm hoping to review what's been going on down at "Example scenarios" for some illumination. ~ Jeff Q (talk) 04:58, 31 January 2008 (UTC)
From hot to cold: Would it not make sense to entrust this information (certain people must have really private reasons to edit via Tor) ability to those bound by the privacy policy - a user group who has to use discretion in CU activities all the time? Mercury at 05:09, 22 January 2008 (UTC)
I agree that the argument has merit, even though all editors (admins and CUs included) are bound by m:Privacy policy. I'm still hoping to hear more from the CUs themselves (assuming I just haven't caught up to their posts elsewhere yet; the checkuser-l discussion seems to have died off). ~ Jeff Q (talk) 04:58, 31 January 2008 (UTC)
I did not say that other projects would not implement this, but other projects are perfectly capable of forming their own policy. We should form ours to best suit us. Mr.Z-man 05:03, 22 January 2008 (UTC)
The English Wikipedia's decisions for its own configuration have no effect on other projects, unless those other projects individually decide to follow suit. There is no 800-pound gorilla of configuration changes. Global configuration changes are handled separately and discussed as such. —Simetrical (talk • contribs) 19:23, 22 January 2008 (UTC)
Eh? As much as those who primarily edit other projects may dislike it, what en:wp does or does not do... matters to the other projects. Not to the point of forcing any project, but at least as an influencer. ++Lar: t/c 01:31, 24 January 2008 (UTC)
Jeff Q stated:

what we decide here will also affect all other projects, many of which don't even have checkusers yet. Requiring a CU for exemptions would prevent those projects' admins from granting editing privileges to usernames with established good-faith histories that are being inadvertently blocked by IP and range blocks

That statement is simply incorrect. Regardless of what the English Wikipedia sets as its requirements for IP block exemptions (should it adopt them), it will not prevent other projects from doing whatever they decide, through on-project consensus, to do. What enwiki does may or may not influence the opinions of members on those projects, or inform them of options available to them, but that is not what the objection was against, and not what I was responding to. —Simetrical (talk • contribs) 23:55, 24 January 2008 (UTC)
Unless I'm missing something (and that's always a possibility!), if Wikipedia approves this policy with CUs directly controlling the exemption, the developers will implement it that way (if at all), and any project that does not have CUs will have to go to m:RfCU (or a similar and even less quickly serviced place) to get this work done. That's the point I'm trying to make about enwiki as the proverbial massive simian. (I must add the caveat that I haven't been to m:RfCU for a while, and maybe requests are being done in a much more timely fashion than they were was enwikiquote was anxiously awaiting responses. If so, my argument is less urgent, although it doesn't make me any happier having this added to my own plate of responsibilities.) ~ Jeff Q (talk) 04:45, 31 January 2008 (UTC)

Too many rules

I think this edit is encouraging instruction creep, and we should trust the checkuser to use judgment in these cases. I don't think we should over codify here. If there are no objections, I'm going to remove those "elements" Mercury at 06:32, 21 January 2008 (UTC)

Please define "instruction creep". I think the proposal as written fails to explain why it is needed and how it will be used. --JWSchmidt (talk) 06:37, 21 January 2008 (UTC)
I'll try to help if I can...
Why it is needed as written "Such exemptions are designed to allow established users, and on exception, unestablished users at the discretion of the checkuser to edit via a legitimate open anonymizing proxy, such as Tor, or to edit in other circumstances where it is necessary to fully block their IP address, range, or a part thereof."
How it is used as written "Contributors who are not administrators can request IP blocking exemption from a CheckUser on a per user basis if they can show good cause for such an action."

Best regards, Mercury at 06:39, 21 January 2008 (UTC)

Instruction creep is basically adding instructions where no more instructions are needed, desirable for a process. Regards, Mercury at 06:40, 21 January 2008 (UTC)
I think you imagine how this policy will work, but you need to explain how it will work. Other people will imagine it in different ways. You use terms such as "good cause" as if they can only mean one thing. I'm not willing to leave this to people's imaginations. I'd like to see a serious estimate of how many such exemptions will be required during the course of a year. I think there should be a public record of all requests for such exemptions and how the requests were acted upon. --JWSchmidt (talk) 06:54, 21 January 2008 (UTC)
I've edited a little. What are your thoughts? Mercury at 07:02, 21 January 2008 (UTC)
for reference. I'd like to comment on the legitimate proxy section, as it was me who introduced it. There has been some discussion at WT:PROXY about the ethics of using compromised machines without the owner's knowledge. I think we all agree we shouldn't be encouraging it, but we actually usually have no real way of telling the difference. It's an ideal that I thought should be mentioned in passing while this process was being constructed. We don't need specific rules about it - just a mention that if people are using proxies we would like them to be legitimate. We can neither determine nor enforce anything else. I'd also like to share some of the other concerns about who is to be granted this right. The way it is currently worded, absolutely anybody should expect to be granted this right, including a billion people in China, or anyone pretending to be in China. Mercury has anticipated only a handful of requests[2], but this is not what's codified. I agree with JWSchmidt that we need a clearer idea of the criteria for granting it, and I personally would like to see an element of community input considered. I also wonder if the CheckUser policy needs to be adjusted any, and a mention made of whether users requesting this right should expect to be CheckUsered (and if so, what for). Further, I think we need some rationale for why it is that CheckUsers are to be granting this right. There is currently no logical reason (again this is something I put in the proposal, partly because they are generally more sensible than other admins, and partly to prevent the rollback fiasco repeating itself). I also would like to know more about the record keeping, if this is to be a "hidden permission"[3]. I think these are all question which need to be answered before any consensus is declared. -- zzuuzz (talk) 13:50, 21 January 2008 (UTC)

As a "hidden permission" it would almost certainly still show up in the user rights log; just not "in your face" in Special:Listusers. As for the ethics, if we even _start_ to think about this, we need a very clear way to differentiate between the "compromised and/or misconfigured" kind of open proxy, and anonymizer services (not limited to tor). —Random832 15:28, 21 January 2008 (UTC)

I don't think we need to build a set of criteria for the checkusers, they are smart folks who know how to use sense. As for if it is the admins or checkusers that give it out, I think it matters little as there is very little potential for abuse of this tool, and the workload will be rather low. (1 == 2)Until 16:20, 21 January 2008 (UTC)

Example scenarios

We seem to be discussing how things might work without a clear picture of what it would look like to the various folks who might request exemptions, and to whomever would be assigned to grant them. I think we could use some example scenarios that would help us understand how this process would take place, how the load of requests might be managed, and what might go wrong.

I agree with JWSchmidt that we need some idea about what we're getting into before we approve this policy, instead of just approving it and dealing with problems on the fly (which is easier to say if you aren't the one dealing with them). So far, I haven't had much experience fielding requests to unblock IPs that were anonymizer-based and/or weren't manifestly in bad faith. Could someone add a few scenarios, either to the proposed policy page or to a subpage or topic here? I'm thinking along these lines:

  • General process
    • A person is blocked from editing, and the block notice describes how to request an exemption. (How do we permit the requestors to contact an appropriate grantor? Should they post to the IP talk page, with grantors monitoring a category, or should we give a list of grantors to contact by email? What information should we ask of requestors? If it's an IP-talk post, how do we keep the information private? If by email, how to we scale the requests, given tendencies to pick names at the top of a list? How do users who haven't yet edited "show they can contribute to the encyclopedia"?)
    • The contacted grantor reviews the IP or username edit history (based on how the person sent the request) and the claims from the requestor. If a CheckUser seems advisable, the grantor does it (or requests it if they aren't a CU). If they decline to grant, they advise the requestor. (How do we keep track of declined requests, so that someone doesn't just run through the list until they find a cooperative grantor? How does one appeal a refusal?)
    • If the grantor approves, they somehow grant a username the exemption. (Presumably this is easy if the username already exists, but how do we do this for users needing to create a new username? Do we need to log this decision somewhere, or will the rights or other log include enough info for later review in case of problems?)
  • Specific scenarios
    • An editor coming through a TOR or other known anonymizer service, through an exit previously used by vandals. (Do we expect all grantors to monitor Wikipedia:Open proxy detection and other such lists?)
    • A broadband-based (i.e., likely dynamic IP) editor who claims their wireless network was misused by a neighbor. (I'm actually dealing with this one on enwikiquote, and it will impact at least one significant enwiki contributor.)
    • An editor using an IP from a server farm, which generally implies either a compromised server or an unadvertised anonymizer. (A "good guy" may not know which, a "bad guy" is likely to lie, and we can't necessarily tell the difference.)

These are just my initial thoughts. Some of this has been discussed above and on other pages, but I'd like to see a specific map that we could refer to when discussing possible approaches, advantages, and problems. ~ Jeff Q (talk) 19:44, 21 January 2008 (UTC)

Some reciprocative ideas (using the same structure):

  • General process
    • An efficient way to do this would be with a mailing list of granters (this includes any and all admins who apply for the job). Mailing lists can be difficult to wade through/organize, but this approach seems to work for unblock-en-l. User:Armedblowfish suggested that, for Tor users to register, they should first submit a new or significantly developed article. See also {{2nd chance}}. If a mailing list were used, the article could be simply be submitted though that means. For users who have already contributed a lot who decide to or are forced to use an anonymizing proxy, this would be less of an issue.
    • A mailing list could be used to keep a permanent record -- one thread per request. To better ensure that someone does not repeatedly retry, we could not grant requests to those using freely available e-mail addresses: for example, Gmail or Yahoo. This may pose some other problems.
    • The normal procedure would be to create the account, set its e-mail address to that claimed by the account requester, and click the "E-mail new password" button. This situation is complicated by the fact that the new account should be in the ipblock-exempt user group, although falsification of e-mail addresses is less likely with the mailing list approach.
  • Specific scenarios
    • Granters should be familiar with technical details involved in a request, or ask someone who does know.
    • Was sockpuppetry involved? Vandalism? Both?
    • See if WHOIS lists an e-mail address/telephone number representing the server's admin(s), and contact them to see if there's a problem. (This approach is iffy at best, though.)

One disadvantage to mailing lists is that it may introduce more bureaucracy to granting exemption than it's worth. GracenotesT § 20:56, 21 January 2008 (UTC)

It's not necessary to require significant contributions (e.g. a whole new article) before granting someone permission to edit.
I suggest the following system, if technically possible:
  • People can create new accounts via tor nodes, but normally the accounts are not enabled for editing.
  • We maintain a list of account names which are enabled to edit via tor nodes.
  • Any admin can add names to the list at their discretion.
I see this working in practice as follows:
Someone with a working account (with or without significant edit history) contacts an admin and says "I have a thousand friends in China who would like to have their Wikipedia accounts enabled." The admin might reply, "Whoah, not all at once. Give me the usernames of three of them that you think are most likely to quickly become active and well-behaved users." Depending on how the first few work out, the admin might gradually add the rest of the names (perhaps in bunches of 50 at a time, or whatever the admin decides to do) over the next few weeks, monitoring how many of them get indef blocked etc. (It's fine if some of them vandalise and get indef blocked, as long as others are contributing positively. That's how Wikipedia normally works.) Or, the admin could simply say, "Sorry, I'm too busy. Ask somebody else." Each admin could have their own standards. If an admin adds huge numbers of accounts that are all vandals, they would get criticized. I don't think admins adding too many accounts would be much of a problem.
Requiring someone to submit a whole edited article before having one named account enabled would be totally contrary to Wikipedia's normal way of making itself easy to join and edit.
I also like Gracenote's idea of having the blocked user see a notice with information about how to request an unblock. One of the options that could be presented to them could be "find someone you know who already has a Wikipedia account and get them to ask an admin to enable your account." Perhaps as Gracenote suggests, an option via email could also be offered.
Perhaps autoconfirmed users could be granted the ability to enable one other account per day (with this privilege to be removed from particular users if they enable too high a rate of vandalism accounts). --Coppertwig (talk) 14:16, 22 January 2008 (UTC)
I personally like Gracenotes's idea of a mailing list. Unblock-en is not a high traffic list, it might not even be necessary to create a new one. The problem with the system directly above is that monitoring all those accounts could be really difficult. Often users will contribute for a few days/weeks and get bored. In this case though, there is also the possibility that all the accounts are owned by the same person and they are making a few good edits to get the rest of their accounts exempted. Requiring users to write a whole article isn't really necessary, I would suggest that they just have a 1 week period where their edits are monitored after the exemption is granted. Allowing autoconfirmed users to grant exemptions would not be a good idea. Mr.Z-man 16:48, 22 January 2008 (UTC)
It wouldn't be that hard to monitor the accounts, because it wouldn't be necessary to carefully monitor every account -- only to check a few of them to get a rough idea of what percentage of them are editing, apparently productively, and not getting vandalism warnings, blocks etc. Suppose the admin enables 50 accounts (on the strength of behaviour of previous accounts recommended by the same person) and then a few days later checks 6 of the accounts (selected at random) and sees that 4 of them are editing articles and not getting any vandalism warnings (and looks at a few of the edits and they look productive), and 1 has vandalised and has been indef blocked, and 1 has not edited at atll. Then that would be enough information, I would think, to go ahead and enable another 50 of the accounts.
Monitoring individual accounts for a week after creation won't do much good at all. Once an account has been created, recent-changes patrollers will spot vandalism and the account will get blocked if it's vandalising. The problem is if huge numbers of requests come in. A basis of trust has to be established before the account is opened. One way to do this is by having the accounts recommended by someone with some sort of record, e.g. who has recommended enabling of other accounts that have not worked out too badly. Another way might be by email address: i.e. a request comes in and you enable the account, but if 100 more requests come in from the same email address for 100 more accounts, maybe you don't.
Why do you think it would not be a good idea to allow autoconfirmed users to grant exemptions (e.g. one per day, as I suggested above)? --Coppertwig (talk) 17:25, 22 January 2008 (UTC)
I'm less concerned about vandalism than I am other forms of abuse. If 50 accounts are all created at once, 5 or 6 have the same editing patterns, and the other 45 aren't immediately used, I'd be a bit concerned as to whether or not those accounts are all owned by different people. As for autoconfirmed users being able to grant an exception, it might work if we raise the autoconfirm threshold, but otherwise, what's to stop someone from creating a bunch of accounts, letting them age for 4 days, and using them to grant exemptions to themselves? As long as they don't do it really obvious (User:A grants to B, who grants to C, to D...) and do it fairly randomly (A grants to D, E grants to C... and the granting account is then abandoned), people might not notice for a while. Besides, there isn't a huge use for this that we would need thousands of users to be able to grant exemptions. Its just people who need open proxies for security/political reasons or people who use a shared IP that gets autoblocked a lot, there's no reason (and possibly some disadvantages) to give it to anyone who is just "trusted" regardless of need. Mr.Z-man 17:00, 24 January 2008 (UTC)
On the regular system, if a bunch of accounts are causing trouble, then we block the IP address. Analogously, on the tor system, if a bunch of accounts (granted exemption by the same account) are causing trouble, then we take away exemption-granting from that account. If necessary, we could go a step further and take away exemption granting from the grandparent account (the one that granted exemption to the account that granted exemption to the account that caused trouble) etc, or even pre-emptively block accounts that have not yet been used and that have been granted exemption by a suspicious account. Basically, if a bunch of accounts related to each other are well-behaved, then it's fine, and if many of them are not, then we block and remove exemption privileges. That way, people in China who legitimately want to edit can get working accounts, and would be under social pressure to be well-behaved so as to avoid losing editing privileges for their friends.
OK, it could work like this: a vandal editing from a regular IP address creates 50 accounts for themself, waits 4 days, then grants themself a whole bunch of tor-exempt accounts over the next few days, at which point they have about 200 tor-exempt accounts. These accounts then start to cause trouble. Someone investigates the source of these accounts and traces them back to the IP address of the original account from which the original acounts were created. They then (given the right computer tools) quickly find and block all of those accounts. Perhaps blocking the IP address would just automatically block all accounts that were directly or indirectly granted exemption from an account at that IP address; unless some of the users had earned and been granted what could be called a level II exemption, based on demonstrated contributions. --Coppertwig (talk) 00:26, 25 January 2008 (UTC)

Two ideas...

Related bugzilla:9862 btw.

Admins now have access to special:userrights to add rollback to users, why not simply add the ipblockexempt group to that, or alternatively, make it a check-mark in the unblock form and a similar checkbox on the block form?

[_]Click here to make this user exempt from IP blocks.

~Kylu (u|t) 01:18, 29 January 2008 (UTC)

Because on-wiki consensus must be demonstrated before project-specific configuration changes are made. —Simetrical (talk • contribs) 02:46, 29 January 2008 (UTC)
Please show where I suggested that we not seek community consensus? Wouldn't that, in fact, be the purpose of my raising the idea here in the first place? Please explain your statement. ~Kylu (u|t) 02:54, 29 January 2008 (UTC)
Sorry, I'm stupid, I misunderstood. I was thinking of this page more as a developer than as someone interested in the policy issue, and probably didn't get enough sleep. Carry on.  :) —Simetrical (talk • contribs) 17:11, 29 January 2008 (UTC)
Ehe, I didn't make that sound too terribly civil myself! Sorry, Simetrical! ~Kylu (u|t) 03:48, 31 January 2008 (UTC)

I'll support Kylu's suggestions. I would very much like to grant/reccomend that several users access wikipedia via TOR (especially those on the stalking mailing list, somewhat ironically perhaps). I have been peskering poor Jimmy about this since last wikimania. :-) --Kim Bruning (talk) 00:54, 5 March 2008 (UTC)

Discussion has died down

Discussion has died down? I'd really like to see this implemented... there is a ticket on OTRS right now where it'd come in handy. --Deskana (talk) 15:17, 10 February 2008 (UTC)

Me too! I think this could open up access to Wikipedia to a lot of people.
However, I still don't much understand the technical issues. Is there a good explanation somewhere? For example, this page says that administrators are always exempt. Is that true now, or is it just a proposal? Is it technically possible to make administrators exempt without allowing non-admin vandals greater access than they have now? If so, then it must also be technically possible to grant such exemptions to other users, and if that is possible, then I think it certainly should be done; for example, admins could use their judgement in granting exemptions, just as they do for rollback. Being open to editing by just about anyone is one of Wikipedia's great strengths. --Coppertwig (talk) 16:04, 10 February 2008 (UTC)

Who is strongly opposed?

Who is strongly opposed? Speak now or forever hold your silence! :-) --Kim Bruning (talk) 00:58, 5 March 2008 (UTC)

going once --Kim Bruning (talk) 20:36, 5 March 2008 (UTC)

Going Twice!. Seriously, I'm about to declare this policy! --Kim Bruning (talk) 19:13, 6 March 2008 (UTC)
So, as currently proposed, administrators will hand out the exception? (I ask for clarification because, as I recall, it was formerly proposed that check users would hand out the excpetion.) --Iamunknown 05:04, 7 March 2008 (UTC)
Yup, I made the change because several people indicated on the talk page that they preferred it to be handed out by admins instead. It's also likely to be somewhat easier to implement. Any particular issue with the change? --Kim Bruning (talk) 22:35, 7 March 2008 (UTC)
I'd prefer it be check users, but I would also prefer that the proposal get implemented, so I am willing to concede on that point. So, I have no issue with the change. --Iamunknown 18:22, 8 March 2008 (UTC)
Ok! --Kim Bruning (talk) 18:34, 8 March 2008 (UTC)
Kim: This can have all the support in the world, however, there's been no indication from any of the sysadmins that en.wiki will be getting a new user group. So... whether this has {{policy}} or not isn't really relevant. --MZMcBride (talk) 05:10, 7 March 2008 (UTC)
And there won't ever be such an indication unless it is shown to have all the support in the world. :-) At least this is better than having massive controversy --Kim Bruning (talk) 22:35, 7 March 2008 (UTC). I'm "counting" this as a worry about the next step in implementation (which we're going to have to worry about in a minute), rather than an objection. I hope that's correct?

No further issues? No further issues. Gone once, gone twice (see above)... "sold to the man with the funny hat". Setting to policy NOW. This has been amply advertised at VPP for several days. If you had concerns, technically you're too late! :-P --Kim Bruning (talk) 18:34, 8 March 2008 (UTC) in reality, I'm well aware of WP:CCC and I know nothing will happen until I actually place the policy tag, as that's the wiki way. But at least it's totally impossible to say I didn't actually "give folks a chance to be heard", for those who do not support the wiki-way of forming policy. ;-)

I've left a comment on the bug indicating this. Mr.Z-man 00:14, 9 March 2008 (UTC)
Support. Yay! I'm glad it's policy. It still hasn't been explained to me which parts of this still require technical fixes and which parts were already true in the past, but as long as it goes through and opens up editing of Wikipedia by a bunch of people who couldn't previously, I'm all for it! Thanks for taking the initiative, Kim Bruning! --Coppertwig (talk) 17:51, 9 March 2008 (UTC)

Why is this separate?

Considering the very short length, rather than having yet-another-distinct-rule, why isn't this just made part of WP:BLOCK or WP:APPEAL? Just a thought. Vassyana (talk) 23:29, 8 March 2008 (UTC)

For now, it might be good to have it separate so that we have a page specifically linked to the bug request. Merge might be good, after the bug request has been answered. Does that sound good? --Kim Bruning (talk) 15:42, 9 March 2008 (UTC)

Exemption removal

  Resolved

I have added that administrators can also remove the exemption from any non-admin accounts. This will be useful for voluntary removals and other housekeeping. If the exemption is misused through abusive sockpuppetry or block evasion then the account should be blocked in line with the sockpuppetry and blocking policies. There will be no need to remove the exemption. There will be voluntary requests, but forced removal of the IP block exemption should be very rare, and in many situations positively discouraged. -- zzuuzz (talk) 22:00, 10 March 2008 (UTC)

  • Yes, important principle. The presumption should be against exemption, with removal of exemption appealed to ArbCom, and use of it subject to CheckUser. Guy (Help!) 14:29, 12 March 2008 (UTC)
Reading the intro, technically what is being done is exceptional - the right is granted exceptionally, for the purpose of helping established editors (and sometimes less commonly) unestablished ones edit in difficult circumstances. So the above can be addressed by saying so. Edited as follows:
Old - "Such exemptions are designed to allow established users..."
New - "Such exemptions are granted exceptionally, to allow established users..."
Since it is an exception to the norm, saying so is probably a good thing. Will tend to help limit its misuse I think. FT2 (Talk | email) 10:12, 21 March 2008 (UTC)

Who gets?

  Resolved

I'm a bit concerned that as it stands, this right may be handed out a little freely, to a point it may lead to WP:GHBH abuse. The requirement is in there to show hinderance by a firewall or other issue, but it's a little weak.

Especially, repeal should be fairly easy. These are users trusted to the level of admins not to abuse open proxies (for example by socking) - if there is abuse the norm would usually be removal.

May I suggest the following reword:

Who gets an exemption?

Examples of users likely to get an exemption include those users who show they can contribute to the encyclopedia, and (for existing users) with a history of valid non-disruptive contribution, but who are hindered by restrictive firewalls or IP blocks.

All exemptions must be logged and are subject to review and repeal. Exemption may be, and will usually be, withdrawn if there is credible evidence or concern of abuse.

Additions in green.

FT2 (Talk | email) 09:37, 21 March 2008 (UTC)

Follow-up question - should it be handed out to anyone who says "I want to edit Wikipedia but I want to use tor"? As worded its open to anyone "who show[s] they can contribute to the encyclopedia"... which is basically anyone who writes a one para stub, or asks for account creation, or says "Plz I Promise". WP:AGF will mean that's basically "anyone". Intentionally that easy? FT2 (Talk | email) 10:04, 21 March 2008 (UTC)
Seems like a good idea; support. dihydrogen monoxide (H2O) 09:39, 21 March 2008 (UTC)
For the record; [4]. dihydrogen monoxide (H2O) 09:49, 21 March 2008 (UTC)
—/+ Community and ArbCom banned users? Does that deserve an explicit wording? -- FayssalF - Wiki me up® 05:11, 22 March 2008 (UTC)
No need to say. Someone who's banned normally excludes "can contribute", much less "non disruptively". Its a taken for granted, I'd think? FT2 (Talk | email) 06:43, 22 March 2008 (UTC)
I don't know but since anyone can edit (ACE) is still the motto of the project I believe some explicit assertions should be used here. ACE is obviously featured at the main page but it is redirected to WP:INTRO where new users get the "See "edit this page" above? On Wikipedia, you can edit articles right now, even without logging in." as an intro. I would presume some readers (would-be new contributors) would stop reading and just start edit; just right there. The lack of being explicit there brings some troubles to Wiki because, in the advertising regulation lingo, we'd be producing a "false advertising". There's a kind of "non-existence of required information" or at least a perfect solution fallacy. In psychology that is a memory bias. Something like community and arbcom banned users... would definitely not hurt. -- FayssalF - Wiki me up® 07:33, 22 March 2008 (UTC)

Added. FT2 (Talk | email) 02:24, 24 March 2008 (UTC)

Legitimate proxies

I don't understand this bit. What difference does it make to us if an anonymized access is via an authorized or unauthorized route? How would we tell, anyway?

I get the impression this is an ethics point put in, but it has absolutely no practical basis that I can determine. Proxies can be blocked at will, legitimate or otherwise, and if we trust a user account on one anonimized IP then we have identical trust on another.

Unless there's a good rationale, that has a practical viable function, I think this can be removed. FT2 (Talk | email) 02:24, 24 March 2008 (UTC)

It doesn't really have much practical application, and is an ethics point. However consider a user who is using a school IP proxy which has been unintentionally left open and is being used in an unauthorised manner. The user may be asked to stop using that IP, and their exemption should be removed if they fail to stop using it. It's not very practical, but not irrelevant either. -- zzuuzz (talk) 02:33, 24 March 2008 (UTC)
Who would ask them, in this scenario? And why? If the school asks them, then that's them and the school - the school is unlikely to ask us to stop their access when the school can do so far more directly. What is more useful would be that we can ask them not to use a specific proxy. But even then, an owner of a machine being used as a proxy is unlikely to ask us to forbid editing through it, when they can themselves so much more directly control who can use it or proxy through it if they wish. If we trust the user enough to allow proxied editing, then which proxy they use is fairly immaterial. This seems rather impractical. We'll never know 99% of the time, if a proxy is "allowed" by its owner or not, and a user who is using a proxy that someone here has asked them not to will be risking their exemption if they continue anyhow. Remove this redundant item? FT2 (Talk | email) 15:50, 24 March 2008 (UTC)
Like I said, not very practical, but a nice thought. As the explanation now takes up half the policy page I have no problem with removing it completely. -- zzuuzz (talk) 16:04, 24 March 2008 (UTC)
Removed. FT2 (Talk | email) 17:25, 24 March 2008 (UTC)
Sorry I am late to the discussion. I would prefer the "legitimate proxies" sentence not be removed. One example of "legitimate proxies" are the efforts undertaken at Wikipedia:WikiProject on closed proxies. --Iamunknown 05:47, 25 March 2008 (UTC)
I can see how knowing certain closed proxies exist and are handled well, is beneficial. But unless all proxy users will be obligated to use these, can you consider the points above and comment? I don't see how the existence of proxies that we have involvement in will affect our knowledge of proxies we are not involved in. Can you comment on the points above? FT2 (Talk | email) 06:30, 25 March 2008 (UTC)
To be honest, I'm having trouble parsing the above comments. Upon re-reading my own comment, however, I realised that Wikipedia:WikiProject on closed proxies is largely superseded by the ability to assign the ipblock-exempt flag. So, upon second thought, I do not have a problem with the removal of the text. --Iamunknown 05:10, 26 March 2008 (UTC)


Requesting exemption

I've been considering how users would request this. I'd like to suggest that requests for proxy access should only be done on a mailing list. Rationale:

There are two issues: 1/ the request will often be one that should not be publicized on-wiki, and 2/ some degree of control and wider review is desirable, to allow more eyeballs when a user is requesting a right that will mostly defeat technical sock detection measures.

  1. A mailing list keeps it off-wiki as required.
  2. It means a user seeking the right doesn't need to have access to wiki-mail (if they could they usually wouldn't need exemption), find a random admin, and email them, or ask on their talk page.
  3. It allows extra eyeballs on requests, which is important for a request of this nature.
  4. It draws a clear line on exemption "on the quiet", a possible source of abuse. It means that any admin can grant the right, but it ensures others are guaranteed to have been aware too, even if only in passing.
    (If the right may only be given following an email request, then an admin who wishes to try what User:Archtransit tried and covertly enable socking, is greatly inhibited -- the requests by email will have other eyeballs, and the loophole of "I had a private request" whereby the right is given without list-eyeballs will be evident as a breach of IP exemption policy.)
  5. We already have mailing lists for quite closely related functions such as account creation requests and unblocking. One user on the "create an account" list suggested the unblock list since it's almost entirely admins anyway, and may have more experience. Also, one more active list is better than two less active (cuts down list sprawl/keeps it simple).

Thoughts?

I have approached the request an account list to see how they feel; one user there also suggested the unblock list (more admins, more experience). A final option is that granting initially would be limited to checkuser-l, with checkuser inspection a part of the initial granting process, after which any admin can remove/re-add. I'm not sure if anyone wants to go that far though.

FT2 (Talk | email) 15:50, 24 March 2008 (UTC)

Sounds fine to me. --Coppertwig (talk) 20:38, 24 March 2008 (UTC)
Had a chat about this policy, with user:Prodego, who is heavily involved in the unblock-list. He says he's fine with exemption requests being added to that lists work, and sees the point of it.
Thoughts? FT2 (Talk | email) 01:46, 25 March 2008 (UTC)
I originally supported giving only check users the technical ability to add the ipblock-exempt flag - they are considered a trusted group, whereas the entire corp of admins is too large too manage. Others, however, objected, and I conceded (in the interest of generating consensus with regards to this proposal, even if not with my preferred wording). In that spirit, recommending that the ipblock-exempt flag be added only after discussion (or simply no objection without discussion) on the unblock mailing list seems reasonable, at least to me.
I would, however, prefer that it not be so rigid - hence my choice of the word "recommending" - and that this document actively encourage that the addition and (especially) the removal of the flag be taken slowly and with consideration. Also, we should probably get some more voices here. --Iamunknown 05:47, 25 March 2008 (UTC)
I agree about "with consideration", my main thought is, this is a right that defeats checkuser, and whilst it shouldn't be over-rigid, it does need awareness of its effects. It should be granted in some way that it will always have had the chance for consideration by multiple eyeballs before giving, and not in ways that allow avoidance of any other eyeballs.
A mailing list is a commonsense way to suggest requesting it and saying "all requests by email to..." is pretty common for such requests. For example, both account creation and oversight exclusively use the identical way to request action, and aren't at all "rigid" for it. FT2 (Talk | email) 06:42, 25 March 2008 (UTC)
I was about to respond that I agreed with your reasoning that this account flag defeats checkuser. However, I am now not sure; Does it? How does it defeat checkuser? In my mind, to "defeat checkuser" would be the act of editing abusively and somehow hiding your IP address from checkusers - however, checkusers can still determine from which IP addresses an account with the ipblock-exempt flag is editing - though, without removing the flag, any non-anon-only IP blocks would have no effect.
Regarding a mailing list, which I agree would be appropriate in the interest of allowing multiple eyeballs, would it be possible or sensible to ask that requests go to an existing mailing list (the account creation mailing list?) in the interest of not maintaining mailing list upon mailing list? I understand that the current name and functionality ("account creation") does not entirely fit the new task ("requests for ipblock-exempt") - however, I am interested in reducing administrative bloat, and that mailing list (I presume) is already well-trafficked by administrators. --Iamunknown 05:19, 26 March 2008 (UTC)
In short, the unblock-en-l list could pretty easily take up this task, though there are a few points that I would bring up related to ipblock-exempt in general. It would pretty much have to be public on Special:Listusers, hopefully rare, and every user would probably have a well explained reason. It would be no threat to checkusers, simply running a checkuser would uncover the user. I am not sure however that we need a group for this, since it would be so rare. It seems to be unnecessary clutter. Prodego talk 00:23, 27 March 2008 (UTC)
Correction of above: "checkusers can still determine from which IP addresses an account with the ipblock-exempt flag is editing" and "simply running a checkuser would uncover the user".
Unfortunately it wouldn't. A user with IPEXEMPT has been given the ability to edit via any blocked IP or IP range, including any blocked anonymizing proxies such as tor, thus masking their source IP completely in many cases. They might have socks too, or even second accounts on the same or a different proxy, and there would be no way checkuser could advize if they were the same person or half a planet away. So this really would defeat checkuser, and would need care and eyeballs in assigning. FT2 (Talk | email) 11:15, 28 March 2008 (UTC)

Section break - proposed wording

Does anyone have any objection to adding a section as follows. Two fairly similar versions:

== Requesting exemption ==

IP exemption requests are handled by the unblock email list (unblock-en-l@lists.wikimedia.org). Please email this address if requesting exemption.

For reasons of communal scrutiny, administrators are otherwise prohibited from assigning IP exemption to any user without this list being made fully aware, or (exceptionally) following discussion on checkuser-l, otrs-en-l or arbcom-l. It is advisable to discuss first if in doubt, since a poorly-founded exemption will be quickly withdrawn. Granting or reinstating exemption without notifying at least one of these lists for scrutiny purposes, would usually be considered a serious misuse of administrative tools.

=== Unrequested exemption ===

IP exemption may also exceptionally be granted unrequested by administrators (typically checkusers), to aid good-faith users who will be, or have been, affected by a necessary full IP block. As with long-term IP blocks, this should not become a norm, however in some cases, such as a range with heavy persistent vandalism requiring full blocking and one or two well-behaved users, it may be necessary or the best answer.

In such circumstances, the editing history of the user and the abusive range concerned should be carefully reviewed, as should the block itself, before making a decision. The administrator should themself email details of the exemption as soon as practical afterwards, and may wish to send this to checkuser-l rather than unblock-l for privacy purposes. It may sometimes be desirable to inform the user that in order to prevent vandalism, a block has been applied to their IP range, and they have been exempted from it.

If the IP block or block exemption ceases to be needed then IP exemption can also be removed.


2nd version:

== Requesting and granting exemption ==
To request exemption, please email unblock-en-l@lists.wikimedia.org.

For reasons of communal scrutiny, administrators are prohibited from assigning IP exemption to any user without notifying an appropriate administrative mailing list. Granting or reinstating exemption without notifying at least one of these lists for scrutiny purposes, would usually be considered a serious misuse of administrative tools.

=== User requests for exemption ===

IP exemption requests are handled by the unblock email list (unblock-en-l@lists.wikimedia.org). Please email this address if requesting exemption.

Administrators are prohibited from assigning IP exemption to any user without this list being made fully aware, or (exceptionally) checkuser-l, otrs-en-l or arbcom-l. It is advisable to discuss first if in doubt, since a poorly-founded exemption will be quickly withdrawn.

=== Unrequested exemption ===

IP exemption may also exceptionally be granted unrequested by administrators (typically checkusers), to aid good-faith users who will be, or have been, affected by a necessary full IP block. As with long-term IP blocks, this should not become a norm, however in some cases, such as a range with heavy persistent vandalism requiring full blocking and one or two well-behaved users, it may be necessary or the best answer.

In such circumstances, the editing history of the user and the abusive range concerned should be carefully reviewed, as should the block itself, before making a decision. The administrator should themself email details of the exemption as soon as practical afterwards, and may wish to send this to checkuser-l rather than unblock-l for privacy purposes. It may sometimes be desirable to inform the user that in order to prevent vandalism, a block has been applied to their IP range, and they have been exempted from it.

If the IP block or block exemption ceases to be needed then IP exemption can also be removed.

The main difference is that the latter moves the important bit to the top.

FT2 (Talk | email) 12:20, 28 March 2008 (UTC)

Just BE BOLD and {{sofixit}} already. That way I can at least see the automated diffs, rather than do annoying manual vdiff. Thanks. :-) --Kim Bruning (talk) 14:17, 28 March 2008 (UTC)
Done... and there's me seeking consensus like a good editor!! FT2 (Talk | email) 17:44, 28 March 2008 (UTC)

Routinely removing the flag might not be a good idea

I saw someone mention elsewhere (at an RFA question) that an admin might remove the flag when blocking a user. This should obviously not be routine. Removing the flag has a similar effect to:

  • Setting an indefinite ban
  • removing access to user and user talk pages.

In short, it would lock the user out entirely.

This might not be what you want. --Kim Bruning (talk) 14:20, 28 March 2008 (UTC)

If an account is blocked they have no use for the exemption, and there is no point in removing it. What should not be done is to remove the exemption instead of a block, keeping it removed where the account is not blocked, or in particular removing it to a lower standard than a block. The sentence I originally added ("but should normally block the account in the event of misuse.") was changed to "should normally also block the account in the event of misuse", which I think has lost some of this meaning. The exemption should generally not be removed except in the case of (strongly suspected or confirmed) abuse of the exemption, which can only occur through a breach of the sockpuppetry policy. In the event of sockpuppetry the account should be blocked; the exemption should not be removed where there is no misuse of the exemption. As I said above, forced removal of the exemption should be extremely rare, and might never happen at all. -- zzuuzz (talk) 15:48, 28 March 2008 (UTC)
Excellent. :-) --Kim Bruning (talk) 16:18, 28 March 2008 (UTC)

Update

As Kim suggested to be bold, I added the section he commented on. I also rounded out the page with the usual sections - a nutshell at the top, and a "see also" at the bottom, and added a section on "removal". We'll get removals and summing it up may help prevent pointless disputes. It's a fair size update, so it may benefit from review.

I haven't changed any of the existing wording; its requests/removal only, and nutshell/"see also". FT2 (Talk | email) 18:11, 28 March 2008 (UTC)

must notify mailing list?

This rubs me the wrong way. Isn't that a huge bureaucratic boondoggle? Also, I would want to review all discussion on any off-wiki list that has on-wiki consequences. (as derived from WP:WIARM)

But the clincher is that logging is already required (and is already supported by the software, so that'd be automatic).

So I'm removing that text for now, as per WP:BRD, and because it is redundant, and because it violates a basic tenet that all actions should be reviewable on wiki (so I wouldn't make it even a recommendation). Adding a redundant off-wiki aspect to the thing seems bad. Finally the additions are prescriptive, normative, and not based in practice. These are things that are prohibited on policy pages.

So I'm removing those aspects. --Kim Bruning (talk) 14:39, 28 April 2008 (UTC) struck through, as this was worded rather harshly

Okay, I've now actually edited. The thing to remember is that the IPblock exempt flag does not blow up the wiki when used. It's also not some untested new functionality. It's already automatically issued to all > 1000 admins, and nothing untoward has happened so far. :-)

All it does is allow you to log in, in the corner case where your account is not banned and your IP is banned.

So I've basically uncramped some of the cramped language that was added after initial approval, as well as made things a bit more in line with policy being descriptive and advisory. Some of the page is inevitably just making a guess at what the best practice is at the moment, that will likely improve over time as we actually start using it.  :-) --Kim Bruning (talk) 14:54, 28 April 2008 (UTC)

+ Ah, I see now. No, IPBlock-exempt does not immediately allow editing from blocked ip's. Strictly speaking, it only allows access to the log-in screen from a blocked ip.

This is kind of nice, because then if you're an editor in good standing, you can log in, (and only then can you edit).

This could almost be the default behavior, but that's how things grew, I guess. (I said almost, there's some fun things you catch by not having it be default).

I don't think I'm missing anything, am I?

--Kim Bruning (talk) 15:25, 28 April 2008 (UTC)


We might need to check this. I spend a while talking to someone on the wikimedia tech channel, and they pointed me to the updates to the core code which are annotated "Exempt from all types of IP-block" [5]. Apparently it doesn't just allow access to the login screen. (That would actually be illogical since it couldn't check if you had that right unless you were logged in, in which case access to the login screen is unnecessary.) It's a flag which allows a user to edit through any IP block, as initially stated. Through tor blocks, schoolblocks, hard IP blocks, all of them, except a specific block of their username. As stated, sysops already have it, the technology is already indeed tested. FT2 (Talk | email) 16:11, 28 April 2008 (UTC)


Or, to put it inversely, it allows them to edit if their ip is blocked, but their username is not. --Kim Bruning (talk) 16:21, 28 April 2008 (UTC)
I've reverted to 10:36, March 29, 2008, because the edits since then seem provisionally to be based on a misunderstanding of the flag, and of why the policy was therefore written as it was. I've pinged a developer to confirm the effects of the flag for us, in case that's the problem. Once that's cleared up we can discuss the wording here if it's still relevant. But not revert until then? Thanks. FT2 (Talk | email) 16:17, 28 April 2008 (UTC)
I rather wish you had edited and/or reviewed the diverse revisions rather than reverted outright. That's rather unhelpful. There were many other issues with that text, I just toned myself down to the one point to make it easier to reach consensus there first. --Kim Bruning (talk) 16:21, 28 April 2008 (UTC)
Yes to your summary, and now we seem to have agreed, lets look at the wording and effects and such. A moment... FT2 (Talk | email) 16:24, 28 April 2008 (UTC)
Alright, I think your changes are still extremely inelegant, but I haven't actually thought of a more elegant way yet... <makes note to sleep on it> --Kim Bruning (talk) 17:01, 28 April 2008 (UTC)
(Now discussed somewhat, and we have some tentative thoughts, to write up here in a bit) FT2 (Talk | email) 17:08, 28 April 2008 (UTC)

As the developer of this flag (about 18 months ago), I can confirm that having the ipblock-exempt right will exempt you from any blocks which are not placed directly on your username. — Werdna talk 13:01, 29 April 2008 (UTC)

Analysis and draft following discussion

As noted Kim and I discussed this, and reached some tentative conclusions. It suggested to us a way to streamline the use of the function in most cases where anonymity is an avoidable issue.

There are two kinds of use for IPEXEMPT.
  • In most cases, it will probably be used simply to avoid a normal (non proxy) hard blocked IP, such as a vandal range, or to allow a rangeblock to be executed without collateral damage. In this case, the user their need for IPEXEMPT is simply so we can block the range and yet allow a reputable user to edit. They won't be seeking checkuser/IP anonymity, and we can make it conditional on no proxy use.
  • The less common use will be anonymity reasons, the user doesn't have a Wikipedia block on their native IP range/s, but for some good provable reason has a need to to edit via an anonymous proxy system. This might be to avoid censorship/firewalls, or stalking, or some other reason. It is this use - which should be much rarer - that is of serious concern due to abuse.
So the tentative conclusion was that this users seeking IPEXEMPT can be split into two distinct flavors:
  • Users who are given it for the purpose of editing through a rangeblock on a normal non-proxied ISP. The user agrees not to use the IPEXEMPT right to edit via anon proxies, and that they may be checked if needed on this. In this case, they are low risk and any admin can probably grant it if their regular IP range/s are prone to blocking. The control over abuse is that they have agreed not to use anonymizing proxies regardless (which is checkable and a bright line that's easily tested if a dispute arises on their editing). The right may be removed by any admin as/when the range ceases to be blocked.
  • Users who want it to edit anonymously. In this case there is serious potential for abuse, or for admins to grant the right to socks/meats/abusers, so this is the sole case really needing wider eyeballs such as a mailing list before granting. It is also likely, that this will be the less common purpose. (I'd be strongly against agreeing "everyone needs it" without really good evidence, trust, and eyeballs.)

This simplifies things by separating the majority of cases where anonymity and abuse may not be an issue, and where granting is therefore easy, from the minority of requests where anonymity is involved and it is of much more concern.

Draft based on this:

== Use and granting of IP block exemption ==

IP block exemption can be used to allow editing despite a IP block that would normally prevent editing from their IP, and to allow editing via a blocked anonymizing proxy.

=== Using IP block exemption to bypass an IP range block ===

Hard IP range blocks are a form of block used to prevent persistent disruption from temporary and sock-puppet accounts within an IP range. A user with a credible editing record who would be affected by this measure, may be exempted from the block at administrative discretion, to allow them to edit uninterrupted through the IP range block. The conditions for such an exemption are that:

  • the user will be disrupted by an IP block that is placed through no fault of theirs. (This may be confirmed via autoblock or checkuser)
  • the user agrees never to mis-use the exemption to edit through a blocked anonymizing proxy (this may be checked), and,
  • when the block is no longer needed, the exemption will be removed by any administrator.
=== Using IP block exemption for anonymous or proxied editing ===

Editing via an anonymous proxy, can be easily abused, so it is only very exceptionally granted. Examples of users who may reasonably request an exemption include users who show they can contribute to the encyclopedia, and (for existing users) with a history of valid non-disruptive contribution, but are either being hindered by restrictive firewalls, or for exceptional reasons must edit via anonymous proxies.

Note that avoidance of checkuser, or specific checkusers, is not usually considered a sufficient reason - concerns over checkusers should be discussed with the Arbitration Committee or Ombudsman.

There are strict requirements if the user is to be allowed to use IP block exemption to edit anonymously. Granting or reinstating exemption without following these would usually be considered a serious misuse of administrative tools:

  • Exemptions are not given without clear need, and user credibility.
  • All exemptions must be discussed at a reputable administrative mailing list or wiki-page. Typical venues include the unblock, checkuser, and arbcom mailing lists (contact details below), and WP:ANI. Administrators are prohibited from assigning IP exemption with permission to edit anonymously, to any user, without such a list being made fully aware and a reasonable opportunity for review.
  • All exemptions are subject to review and repeal. Exemption may be, and will usually be, withdrawn if there is credible evidence or concern of abuse, or the exemption is no longer necessary.

FT2 (Talk | email) 15:41, 8 May 2008 (UTC)

Adding new unsupervised bureaucracy is too high a price to pay for allowing anonymous access, we'll need to think of something else.

Ok, since we already have the flag now, and don't have suitable mechanisms in place for granting anonymous access, I guess we simply don't grant that for now. We'll likely need extra software mechanisms (like auto-mailer or so) for that particular situation.

For the other cases, we can proceed as agreed. :-)

--Kim Bruning (talk) 00:09, 9 May 2008 (UTC)

  • Concur, and will edit accordingly. We need to consider how to handle anonymity best, but editors who dont want anonymity but just want to edit through a protective range block that covers their school or home etc, we can handle now. I'll sort out the text. FT2 (Talk | email) 00:15, 9 May 2008 (UTC)
  • Not to get sidetracked, but it sounds like the "anonymous" version should only be given out by those with oversight (not admins in general). This is something, as stated, which should be rare, and definitely within the purview of oversight. Though I'm wondering if having oversight means you also have checkuser. If not, that should also be a requirement of having the ability to grant the anonymous version. Perhaps this way we can avoid bureaucracy, and yet keep this out of the way of the typical on-wiki drama : ) - jc37 00:38, 9 May 2008 (UTC)

It's important to note that, as part of our duties, the Arbitration Committee will no doubt be assigning flags where the information behind it would not be publically available. Obviously we'll do our best to give out information, but it will no doubt be the case that we will be assigning flags that any normal administrator should not remove without our permission. This should be added onto the page. --Deskana (talk) 01:04, 9 May 2008 (UTC)

This really is a side-topic, but I wonder why arbitrators don't automatically receive oversight while arbitrators. Elected, trust, and all that. It would at least simplify policy wording : ) - jc37 01:08, 9 May 2008 (UTC)
We do, provided that they are aged 18 or over and willing to identify themselves to the Foundation. --Deskana (talk) 01:12, 9 May 2008 (UTC)
Oh, I thought it was determined for last year's election, that that (18 and personal ID) was required of all arbitrators. Or are you just referencing those who may be "grandfathered" in? - jc37 01:16, 9 May 2008 (UTC)
I forgot that. The essence of what I said is still true. Although it's not policy or anything, it is standard practice that all Arbitrators be granted Oversight and Checkuser rights, if they wish to have them, and are identified. I'm not sure what that has to do with this, though? --Deskana (talk) 01:21, 9 May 2008 (UTC)
As I said, it's slightly off topic. Though I'll note that it makes your request and mine merge nicely. (That those with oversight/checkuser be those who may grant the anonymous version.) - jc37 01:25, 9 May 2008 (UTC)

Heads up

Flag added by Brion Vibber. dihydrogen monoxide (H2O) 23:50, 8 May 2008 (UTC)