On Mon, Dec 30, 2013 at 6:10 PM, Tyler Romeo <tylerro...@gmail.com> wrote:
> On Mon, Dec 30, 2013 at 7:34 PM, Chris Steipp <cste...@wikimedia.org> wrote:
>
>> I was talking with Tom Lowenthal, who is a tor developer. He was trying to
>> convince Tilman and me that IPs were just a form of collateral that we
>> implicitly hold for anonymous editors. If they edit badly, we take away the
>> right of that IP to edit, so they have to expend some effort to get a new
>> one. Tor makes that impossible for us, so one of his ideas is that we shift
>> to some other form of collateral-- an email address, mobile phone number,
>> etc. Tilman wasn't convinced, but I think I'm mostly there.
>>
>
> This is a viable idea. Email addresses are a viable option considering they
> take just as much (if not a little bit more) effort to change over as IP
> addresses. We can take it even a step further and only allow email
> addresses from specific domains, i.e., we can restrict providers of
> so-called "throwaway emails".

Email is pretty shallow collateral, especially if you actually allow email
providers which are materially useful to people who are trying to
protect their privacy.  Allowing only email providers which
require SMS binding, for example, would be pretty terrible... This is
doubly so because the relationship is discoverable: you only
really wanted to use the email to provide scarcity, but because it was
provided it could be used to deanonymize the users. (Even if you
intentionally didn't log the email-user mapping, it would end up being
deanonymized-by-time in database backups, or could be secretly logged
at any time, e.g. via compromised staff.)

FAR better than this can be done without much more work.

Digging up an old proposal of mine…

A proposal for more equitable access to ipblock-exempt.

In the "Jake requests enabling access and edit access to Wikipedia via TOR"
thread on 
wikitech-l[http://lists.wikimedia.org/pipermail/wikitech-l/2013-December/073764.html]
the issue of being able to edit Wikipedia via TOR was highlighted.

Some people appear to have mistaken this thread as being specifically about
Jake. This isn't so— Jake is technologically sophisticated and has access to
many technical and social resources. Jake-the-person can edit Wikipedia, with
suitable effort. But Jake-as-a-proxy-for-other-tor-users has a much harder time.

Ipblock-exempt as implemented today doesn't— as demonstrated
[http://lists.wikimedia.org/pipermail/wikitech-l/2013-December/073773.html]
—even work for Jake. It certainly doesn't work for more typical users.

Many people believe that Wikipedia has become so socially important that being
able to edit it— even if just to leave talk page comments— is an essential
part of participating in worldwide society. Unfortunately, not all people
are equally free and some can only access Wikipedia via anti-censorship
technology or can only speak without fear of retaliation via anonymity
technology.

Wikipedia must balance the interests of preventing abuse and enabling
the sharing of knowledge. Only so much can be accomplished by prohibiting
access to tor entirely: Miscreants can and do use paid VPNs and compromised
hosts to evade blocks on a constant basis. Ironically, abusive users who
are unconcerned about breaking the law have an easier time editing Wikipedia
than people simply concerned with unlawful surveillance. That isn't a
balance.

In order to better balance these interests, I propose the following
technical improvement:

A new special page should be added with a form which takes an unblocked
username and which accepts a base64 encoded message containing a random
serial number and an RSA digital signature made with a well known Wikimedia
controlled private key; we'll call this message an exemption token. If the
signature passes and the serial number has never been seen before, the
serial number is saved, and Ipblock-exempt is set on the account.

Additionally, the online donation process is updated with some client-side JS so
that for every $10 donated the client picks a random value,
cryptographically blinds the random value
[https://en.wikipedia.org/wiki/Blind_signature#Blind_RSA_signatures.5B2.5D:235],
and submits the blinded values along with the donation. When the donation is
successful, the donation server signs the blinded values and returns them,
and the clients unblind them and present the messages to the users.

[RSA blinding is no more complicated to implement than RSA signing in
general. It requires a modular exponentiation and multiply and a modular
inversion]

The donor is free to save the messages, give them out to friends, or press
some button to give them to the tor project. Each message entitles one
account to be exempted, and Wikimedia is unable to associate donations with
accounts due to the blinding.

Finally, the block notice should direct people to a page with instructions
on obtaining exemption tokens.

This process would provide a guaranteed bound on the amount of abusive
use of ipblock-exempt. If an account is abused it can simply be blocked,
the abuser may obtain another exemption token, but only at the cost of
making another $10 donation.

Non-donation-based exceptions would continue to be available as they are
now, to anyone who can figure out how to get one.

This would be a strict improvement over not allowing the access at all, or only
handing out exemptions to people with political connections and the time to figure
out how to get it activated. Right now the cost of access is basically
hours of work figuring out how to do it, getting to know the right people,
and begging for a flag— all with no guarantee of success. Or the cost is
the cost of illegally using a compromised host, etc.

This isn't perfect— it creates a bias towards people in wealthier nations
which can afford the tokens, but most people don't need their tokens and
so it would be reasonable to expect substantial token charity to exist. The
existence of IP blocking at all creates a bias towards editors with an
agenda or copious free time to blow which probably dwarfs any biases created by
any particular exemption process.

A key point here is that the idea is fully general— I suggest the
donation mechanism as one I hope would be appealing to
vandal-fighters: Every time a "bad guy" gets through and you waste
your time banning them at least you get the warm-glow of knowing you
induced another donation if they want to try again.  But some people
immediately freak out at "paying for accounts"— I think the argument
is bogus because any requirement is a "payment"— but, whatever, if you
don't like that one you can use _any_ scarce process to issue
exemption tokens...

If you like— you could also support multiple issuers of blinded tokens
instead of just the wikimedia ones simply by adding public keys to the
set of allowable keys, perhaps configurable as just a mediawiki space
message.  Then instead of donations-to-wikimedia being the scarce
resource, other parties (e.g. the tor project, EFF, or otherwise)
could issue blinded tokens... and then you could just have a community
decision over if any particular scarce token source was scarce enough
to be acceptable.

If the exemption process logged which token authority was used, you
could retroactively revoke all the tokens from a particular issuer if
it turned out to be issuing too many trouble making ones... though I
expect simply no longer accepting that issuer for new exceptions would
be sufficient.

Even if you only bothered supporting a single issuer who issued one
token per email address— basically getting you the email address
functionality that I'm responding to— the blinding process has the
advantage of making it infeasible to use this process to deanonymize
users... so all you would really learn is that an email address
(meeting whatever criteria the issuer demands) got expended to get the
exemption, and nothing more. And even if someone compromised the
infrastructure and started secretly logging things they couldn't learn
anything more than timestamp correlations (which might be pretty fuzzy
if there is a long delay between the token getting issued and the
account using it, esp if the issuer is a third party).

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
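The token flow described in the proposal above (blinded issuance, unblinding by the client, a base64 token carrying a random serial plus RSA signature, and a redemption page that rejects reused serials and accepts several issuer keys), as an added worked example. This is illustration code written for this page, not anything from the proposal, MediaWiki or Wikimedia; the key is a constructed toy pair built from two Mersenne primes, the hash-to-integer step is a simplified stand-in for a proper full-domain hash, and the issuer names and return strings are invented for the demo.

```python
"""Blind-RSA exemption tokens: issuer side, client side and redemption service.

Toy parameters for illustration only: real deployments would use full-size
RSA keys from a vetted library and a proper full-domain hash (e.g. RSA-PSS
style encoding) rather than the truncated SHA-256 used below.
"""
import base64
import hashlib
import secrets
from math import gcd

# Constructed toy issuer key: two Mersenne primes (NOT any real Wikimedia key).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the issuer

SERIAL_LEN = 16                          # random bytes of serial per token
SIG_LEN = (N.bit_length() + 7) // 8      # bytes needed to carry a signature


def hash_serial(serial: bytes) -> int:
    """Map a serial to an integer below N (simplified hash-to-group)."""
    digest = hashlib.sha256(b"ipblock-exempt-token:" + serial).digest()
    return int.from_bytes(digest[:8], "big")  # 64-bit value, always < N


def client_blind(serial: bytes):
    """Client side (the donation-page JS in the proposal): pick r, blind H(serial).

    Returns (blinded value to send to the issuer, blinding factor kept secret)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:                # r must be invertible mod N
            break
    blinded = (hash_serial(serial) * pow(r, E, N)) % N
    return blinded, r


def issuer_sign_blinded(blinded: int) -> int:
    """Issuer side: signs whatever blinded value arrived with the donation.

    The issuer never sees the serial or the final signature, so it cannot
    later link a donation to the account that redeems the token."""
    return pow(blinded, D, N)


def client_unblind(blinded_sig: int, r: int) -> int:
    """Client side: strip the blinding factor to get a plain RSA signature."""
    return (blinded_sig * pow(r, -1, N)) % N


def encode_token(serial: bytes, sig: int) -> str:
    """The base64 exemption token the donor saves or hands to a friend."""
    return base64.b64encode(serial + sig.to_bytes(SIG_LEN, "big")).decode()


def decode_token(token: str):
    raw = base64.b64decode(token)
    if len(raw) != SERIAL_LEN + SIG_LEN:
        raise ValueError("wrong token length")
    return raw[:SERIAL_LEN], int.from_bytes(raw[SERIAL_LEN:], "big")


class ExemptionService:
    """The special page: verify against any trusted issuer key, refuse replayed
    serials, record which issuer vouched so an issuer can be revoked later."""

    def __init__(self, issuers):
        self.issuers = dict(issuers)      # issuer name -> (e, n) public key
        self.seen_serials = set()         # serials already spent
        self.exempt_accounts = {}         # username -> vouching issuer

    def redeem(self, username: str, token: str) -> str:
        try:
            serial, sig = decode_token(token)
        except ValueError:                # covers binascii.Error too
            return "malformed token"
        h = hash_serial(serial)
        issuer = next((name for name, (e, n) in self.issuers.items()
                       if pow(sig, e, n) == h), None)
        if issuer is None:
            return "bad signature"
        if serial in self.seen_serials:
            return "token already used"
        self.seen_serials.add(serial)
        self.exempt_accounts[username] = issuer
        return "ipblock-exempt granted"

    def revoke_issuer(self, name: str):
        """Stop trusting an issuer and drop every exemption it vouched for."""
        self.issuers.pop(name, None)
        revoked = [u for u, i in self.exempt_accounts.items() if i == name]
        for u in revoked:
            del self.exempt_accounts[u]
        return revoked


def full_flow(username: str = "demo-account"):
    """Run one issuance and redemption end to end; returns the service state."""
    serial = secrets.token_bytes(SERIAL_LEN)
    blinded, r = client_blind(serial)                 # client
    sig = client_unblind(issuer_sign_blinded(blinded), r)  # issuer, then client
    svc = ExemptionService({"toy-issuer": (E, N)})
    result = svc.redeem(username, encode_token(serial, sig))
    return result, svc
```

The redemption step only ever learns that some trusted issuer signed the serial; the blinded value the issuer saw during the donation is unrelated to the serial or signature it later receives, which is the property the message above relies on for unlinkability. The `revoke_issuer` method is the "retroactively revoke all the tokens from a particular issuer" option mentioned at the end of the proposal.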