Unmasking Policy Draft

NOTICE:

This is a sandbox page.

It is not approved or active policy. It is a draft, and as such, may be incomplete.

This policy is based on English Wikipedia's CheckUser policy.

In the course of managing sockpuppetry cases, certain classes of permanent ban, and Persistently-Abusive Individuals, site staff have needed to access IP addresses of users as part of investigations and to implement IP bans. For any large site, the ability to enact this kind of measure is typical. In our case, Wikidot has the capability to ban both individual IP addresses as well as address ranges, but unlike typical websites, site staff actually have no capability to view normal visitor information (including IP addresses) to be able to retrieve this information.

Of course, this information should not be exposed publicly, nor used inappropriately, as this is private information. But it is still necessary for site staff to make limited use of this information for legitimate disciplinary purposes. As such, we can look at how a larger, reputable site such as English Wikipedia treats this information.

Wikipedia CheckUser Policy

Within MediaWiki (its host wiki software), a select group of trusted users have the capability to retrieve the IP address(es) associated with a user account, or to see other technical information associated with an account or IP address.

Wikipedia's policy says that:

CheckUser data may be used to investigate, prevent, or respond to:

  1. Vandalism;
  2. Sockpuppetry;
  3. Disruption (or potential disruption) of any Wikimedia project; and
  4. Legitimate concerns about bad-faith editing.

The tool may never be used to:

  1. Exert political or social control;
  2. Apply pressure on an editor; or
  3. Threaten another editor into compliance in a content dispute.

Regarding Wikipedia's policy regarding logging, they say the following:

Checkusers are permitted, but not required, to inform an editor that their account has been checked. The result of a check may be disclosed to the community (on a community process page like Wikipedia:Sockpuppet investigations).

Additionally, there is an automatic log of all checks done using the tool. Such a tool would not be produced automatically for us, so we must be rigorous in logging it properly.

All trusted users with this capability have signed a Wikimedia Foundation confidentiality agreement regarding nonpublic information. When such a lookup is performed as part of a legitimate investigation, such as a sockpuppet case, they may only reveal the relevant details of the information, leaning towards less information than more, especially when revealed publicly.

To quote their policy again:

Checkusers may state that different named accounts are operated from the same IP or range, so long as the actual IP address(es) are not specified, or if only non-specific details are given (such as the name of the country, region, or large ISP associated with the IP address). If the checkuser's statement could not lead to another person divining the personal identity of the user accounts in question, such disclosure would be permissible. However, on the English Wikipedia, checkusers are discouraged from making a public statement that connects one or more IP addresses to one or more named accounts, since an IP address is often much more tightly linked to a specific person. (In the case of larger IP ranges, this discouragement is not as great because larger ranges mean a less specific connection can be drawn.) When announcing the results of their checks, checkusers will employ a variety of means to avoid connecting a user to an IP address, but in some cases it is hard to avoid doing so. This policy encourages English Wikipedia checkusers not to allow such connections to be made from their results, but the global privacy policy allows them to do so in the case of serious disruption, and this policy allows checkusers to prioritise compliance with Wikipedia policy over the personal privacy of a user who has abusively edited the encyclopedia.

To go into more detail:

Revealing Information

For instance, in comparing banned user account "Alice" with potentially-innocent user account "Bob", it would be inappropriate to say:

Alice is connecting from 1.2.3.4 and 1.2.3.5, Bob is connecting from 127.127.127.0.

Because Bob may be an unrelated bystander here, exposing his IP information publicly without his consent is not acceptable. Likewise Alice, despite being banned, is entitled to basic levels of privacy.

Instead, such a case should report something like:

Alice and Bob do not have any IP addresses in common.

or

Alice and Bob are likely not the same user.

This reveals nothing about their specifics, and gets to the core of the issue. Of course, it's possible that they are sockpuppets, the nature of IP checks is that it can only really tell give you answers of "yes" and "unsure".

What if Alice made the Bob sockpuppet but was very careful to only visit that account from a public library computer? Or we see that two users connected from the same address, but it was a cellular / mobile network, meaning they could just, by happenstance, be living nearby each other with no actual malicious involvement?

Sometimes additional information may be provided, in cases where it may be pertinent. Such information should tend towards being nonspecific, especially when posted publicly:

Alice and Bob do not share any IP addresses in common, but their main addresses are in nearby cities.

Policy Proposal

Given the above, the proposed policy for unmasking users on the SCP Wiki, which, if approved, is to be created at unmasking-policy.

Unmasking Policy

In the course of managing sockpuppetry cases, certain classes of permanent ban, and Persistently-Abusive Individuals, site staff have needed to access IP addresses of users as part of investigations and to implement IP bans. Wikidot has the capability to ban both individual IP addresses as well as address ranges, but unlike typical websites, site staff actually have no capability to retrieve visitor information (including IP addresses) from the platform.

Note that the SkipIRC network is run independently from the site, so the SkipIRC Privacy Policy is separate from this document.

  • Unmasking should only be done to fight vandalism, spam, sockpuppetry, to effectuate site discipline (such as bans), or as a response to threats against the site or users.
  • Unmasking may never be done to exert political or social pressure, or to threaten, harm, doxx, or out people, users or staff (including banned users).
  • Unmasking is not part of a disciplinary route. Even for users exhibiting strongly problematic behavior, unless there is evidence that unmasking would be necessary (e.g. stated intentions or a history of ban evasion), then it cannot be used.
  • Staff are encouraged to regularly challenge use of unmasking in chat, and ensure there is substantial reason for any use of it. Information can always be collected later if it turns out it is actually needed.

Unmasking may only be done by a member of the Disciplinary Team, an Administrator, or any specially designated individual decided by a consensus of staff members on O5. The list of users currently able to unmask are:

  • [maintained bullet list of users here]

Only the above users may perform an unmasking. Any users outside of this list performing this action on an emergency basis should be combined with an invocation of administrative fiat authorizing them to do it.

The mechanism to unmask is decided within sensitive staff chat and maintained by the Disciplinary Team in coordination with the Technical Team. Because Wikidot does not provide IP retrieval functionality natively, in order to be effective, information about the method to retrieve IP information is limited to staff only.

Only approved mechanisms for unmasking may be used, even if by an otherwise authorized user. Ad hoc or unapproved unmasking of users, whether by site users or staff, is considered a serious disciplinary offense. For instance, a user posting links on the site which have the purpose of harvesting user data, or a staff member using unmasking without informing other staff or for personal reasons.

Performance of this action may only occur after a consensus of staff at large or the Disciplinary Team, either on O5 or within staff chat, discuss and decide that unmasking is necessary for a particular case. The approval must specify the specific users to be checked and the reason they are being checked. Based on this information, they should report a minimal but necessary portion of the information.

They must avoid sharing specific details with any users not needed; for instance to institute an IP ban the checking user may only need to contact one administrator to input that information into the admin panel. Or, if comparing two users to determine if they are sockpuppets, they should give a response indicating their relation, rather than unnecessary private details.

All uses of unmasking must be logged on the Unmasking Records page.

In short, all unmasking of users must meet the following criteria:

  • It must be performed for a legitimate purpose, as illustrated above.
  • It must be approved by staff at the time, and carried out within a reasonable timeframe. Approval by staff is one-time and contemporaneous, old unmasking requests are invalid in the present, new approval must be received.
  • It must be using approved methods by staff.
  • It must be carried out by an approved staff member.
  • The unmasking must be logged on the Unmasking Records page.
  • The unmasking must also be logged on O5, unless this is a PAI case or staff decides that such logging would not be in the interests of site security. Logging on O5 does not need to include any details about the results of the check.
  • The results of the unmasking must only be transmitted in the most minimal fashion possible, to protect user privacy.
  • If any variations from established protocol occur, even by accident, it must be promptly reported to staff. Except for PAI cases, such variations should also be logged on O5.

[timer]

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License