[Foundation-l] New draft of privacy policy

Gregory Maxwell gmaxwell at gmail.com
Sun Jun 15 22:37:46 UTC 2008


On Sun, Jun 15, 2008 at 10:15 AM, geni <geniice at gmail.com> wrote:
> 2008/6/15 Anthony <wikimail at inbox.org>:
>> Someone should answer Gregory's question first: "Why do we grant the
>> equivalent of checkuser rights over a majority of our contributors to
>> every person on the planet?"
>>
>> "Historical accident" was the only thing I could come up with.
>
> It's hard not to. If we were to say assign a random number to every IP
> then by now someone would have published a partial list of number to
> IP relationships.

How?   I can't see how they could do this except by even more limited
means than they can use to currently publish User name->IP
connections.

The only means I can see someone connecting an opaque ID with an IP is:

1. Actually editing from that IP and recording the result.
2. Tricking a user on that IP into following an external link.
3. Checkuser
4. Compromise of the foundation servers.

...

All of those are a much higher hurdle than the casual leaks users
perform on their own all the time.  For example, today, just minutes
after complaining about it I was somehow logged out on meta and
managed to accidentally disclose my IP.   It's a constant problem.

We could also do blocked encryption for partial addresses:  Encrypt
the first 24 bits, then the whole 32 bits.  This would leak a lot more
information, but it would preserve the ability for everyone to quickly
tell if two unregistered users are on the same /24.

> If the number assigns keep changing well we know the
> problems that we had with AOL back in the day.

I don't see a huge need to make the numbers change.. but we could
address this if we wanted to.

We could provide a two part identifier for unregistered users:

Enc(Secret[n-1], IP), Enc(Secret[n], IP)   and increment n every 3
months, so if a particular IP goes 6 months between edits the
connection will be broken.  Given the rate of IP reassignment in the
internet doing this would be reasonable.. but I don't see why it would
be necessary.

For example, on day one an unregistered user would look like

User:.AY3BXQM,B4WVJAM

Three months later:

User:.B4WVJAM,W93GI2A

Three months later:

User:.W93GI2A,CT7WLMA

If the user didn't make the middle edit the unregistered identities
would become disconnected except for checkusers. ::shrugs:: As I said,
I don't see the need of anything that complex.
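
The two-part rotating identifier and the /24 partial-address variant described in the message above, as an added sketch that is not part of the original post or of any Wikimedia code. Assumptions: a keyed HMAC-SHA256 truncated to 7 base32 characters stands in for the post's Enc(), the per-period secrets are constructed demo values, and the names token, two_part_id, linkable and prefix_id are hypothetical.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed per-period secrets (assumption: the server holds one random key
# per 3-month period and never publishes it; these demo keys are derived from
# fixed strings only so the example is reproducible).
SECRETS = {n: hashlib.sha256(b"constructed-demo-secret-%d" % n).digest()
           for n in range(0, 4)}


def token(secret: bytes, data: bytes) -> str:
    """Keyed 7-character opaque token; HMAC stands in for the post's Enc()."""
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode("ascii")[:7]


def two_part_id(ip: str, n: int) -> str:
    """Identifier for period n: token under Secret[n-1], then under Secret[n]."""
    packed = ipaddress.IPv4Address(ip).packed
    return "User:.%s,%s" % (token(SECRETS[n - 1], packed),
                            token(SECRETS[n], packed))


def linkable(id_a: str, id_b: str) -> bool:
    """Two identifiers can be tied together publicly if they share a token."""
    parts_a = set(id_a.split(".", 1)[1].split(","))
    parts_b = set(id_b.split(".", 1)[1].split(","))
    return bool(parts_a & parts_b)


def prefix_id(ip: str, secret: bytes) -> str:
    """Partial-address variant: token of the /24, then token of the full /32."""
    packed = ipaddress.IPv4Address(ip).packed
    # Domain-separate the two inputs so a /24 token never equals a /32 token.
    return "%s-%s" % (token(secret, b"/24" + packed[:3]),
                      token(secret, b"/32" + packed))


if __name__ == "__main__":
    ip = "192.0.2.17"  # constructed sample address (documentation range)
    for period in (1, 2, 3):
        print(period, two_part_id(ip, period))
    print(prefix_id("192.0.2.17", SECRETS[1]),
          prefix_id("192.0.2.200", SECRETS[1]))
```

Because IPv4 has only 2^32 possible inputs, the tokens stay opaque only while the per-period secrets remain private; anyone holding a secret can enumerate the whole address space and rebuild the mapping.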


