[Foundation-l] New draft of privacy policy
Gregory Maxwell
gmaxwell at gmail.com
Sun Jun 15 22:37:46 UTC 2008

On Sun, Jun 15, 2008 at 10:15 AM, geni <geniice at gmail.com> wrote:
> 2008/6/15 Anthony <wikimail at inbox.org>:
>> Someone should answer Gregory's question first: "Why do we grant the
>> equivalent of checkuser rights over a majority of our contributors to
>> every person on the planet?"
>>
>> "Historical accident" was the only thing I could come up with.
>
> It's hard not to. If we were to say assign a random number to every IP
> then by now someone would have published a partial list of number to
> IP relationships.

How? I can't see how they could do this except by even more limited
means than they can use to currently publish User name->IP
connections.

The only means I can see someone connecting an opaque ID with an IP is:

1. Actually editing from that IP and recording the result.
2. Tricking a user on that IP into following an external link.
3. Checkuser
4. Compromise of the foundation servers.
...

All of those are a much higher hurdle than the casual leaks users
perform on their own all the time. For example, today, just minutes
after complaining about it I was somehow logged out on meta and
managed to accidentally disclose my IP. It's a constant problem.

We could also do blocked encryption for partial addresses: Encrypt
the first 24 bits, then the whole 32 bits. This would leak a lot more
information, but it would preserve the ability for everyone to quickly
tell if two unregistered users are on the same /24.

> If the number assigns keep changing well we know the
> problems that we had with AOL back in the day.

I don't see a huge need to make the numbers change.. but we could
address this if we wanted to.

We could provide a two part identifier for unregistered users:
Enc(Secret[n-1], IP), Enc(Secret[n], IP) and increment N every 3
months, so if a particular IP goes 6 months between edits the
connection will be broken. Given the rate of IP reassignment in the
internet doing this would be reasonable.. but I don't see why it would
be necessary.

For example, on day one an unregistered user would look like

User:.AY3BXQM,B4WVJAM

Three months later:

User:.B4WVJAM,W93GI2A

Three months later:

User:.W93GI2A,CT7WLMA

If the user didn't make the middle edit the unregistered identities
would become disconnected except for checkusers. ::shrugs:: As I said,
I don't see the need of anything that complex.
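
The two identifier schemes described in the message above, sketched as an added example that is not part of the original post or of any MediaWiki code. It assumes a truncated HMAC-SHA256 in place of the message's Enc (so tags are one-way and are recomputed from the secret rather than decrypted), a per-epoch secret derived from a server-side master key, and hypothetical function names; the key and addresses are constructed.

```python
import base64
import hashlib
import hmac
import ipaddress

def tag(secret: bytes, data: bytes, length: int = 7) -> str:
    """Keyed pseudonym: truncated, base32-encoded HMAC-SHA256 (stand-in for Enc)."""
    digest = hmac.new(secret, data, hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii")[:length]

def epoch_secret(master: bytes, n: int) -> bytes:
    """Secret[n], derived from a master key (assumed derivation, not from the post)."""
    return hmac.new(master, b"epoch:%d" % n, hashlib.sha256).digest()

def two_part_id(master: bytes, n: int, ip: str) -> str:
    """Public name for an unregistered edit made in epoch n: tag[n-1],tag[n]."""
    packed = ipaddress.ip_address(ip).packed
    older = tag(epoch_secret(master, n - 1), packed)
    newer = tag(epoch_secret(master, n), packed)
    return "User:.%s,%s" % (older, newer)

def prefix_id(secret: bytes, ip: str) -> str:
    """Partial-address variant: tag of the first 24 bits, then of all 32 bits."""
    packed = ipaddress.IPv4Address(ip).packed
    # Distinct labels keep a /24 tag from ever colliding with a full-address tag.
    return "%s-%s" % (tag(secret, b"/24:" + packed[:3]),
                      tag(secret, b"/32:" + packed))

def linkable(id_a: str, id_b: str) -> bool:
    """True when two public names share a tag, i.e. edits in adjacent epochs."""
    tags_a = set(id_a.split(".", 1)[1].split(","))
    tags_b = set(id_b.split(".", 1)[1].split(","))
    return bool(tags_a & tags_b)

if __name__ == "__main__":
    master = b"constructed-demo-key"      # constructed; a real key stays server-side
    for n in (5, 6, 7):                   # three consecutive 3-month epochs
        print(n, two_part_id(master, n, "192.0.2.10"))
    # Same /24 shares the first tag; a different network shares nothing.
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.5"):
        print(ip, prefix_id(master, ip))
```

Without the secret an observer can link only names from adjacent epochs; a holder of the secret can recompute the tags for any candidate address, which is the checkuser case in the message.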