I’ll note too that even absent Heritage Foundation threats, this can be useful to spur development of the project (i.e. for people who don’t want a permanent account but don’t feel comfortable having their IP permanently, publicly attached to edits). Probably the reason it hasn’t been done in the past is it’s almost certainly going to make it easier for bad actors to fly under the radar. Before, you either had to show your IP address (which can reveal your location and will usually uniquely identify who edited something for at least a little bit; you also can’t use a VPN without special permission) or you had to register a single account (where if you created multiple, a sockpuppet investigation would often find out).
So there’s an inherent trade-off, but I think right-wing threats of stochastic terrorism really tipped the scales.
Well you say you can use a VPN, but you may often see that you’re not able to edit using a VPN IP if that IP block has been used for vandalism in the past. So then you’d have to potentially revert to a coffee shop or library which would still identify your location.
I was surprised I was blocked from editing even after logging in. They do hate some IP blocks.
Point of clarification: I said that you can’t use a VPN, and that’s because those IPs are blocked. As noted, you need to ask for a special exception, which for most people isn’t navigable and may not even be granted without a good stated reason and/or trust built up through good edits.
Oh whoops, my bad I must have been reading too quickly. Thanks for clarifying!
I might have to go look up their implementation. I feel like a good way of addressing your concern would be a secure hash of the IP address combined with a persistent random number.
The same IP would always map to the same output and you wouldn’t be able to just pre-compute it and bypass everything.
What’s the persisted random number? Sounds like a salt, but usually each user has their own salt, right? I assume we are not talking about logged in users here? Or are we?
Since the goal is to create a correlation ID that maintains privacy, you need the result to be consistent. Hashing four billion IPs might take a minute, but it’s fundamentally doable in a reasonable time.
By using some much larger value that you keep secret, you’re basically padding the input to make the search space large enough that it’s not realistically able to be enumerated.
Normally each user would have their own salt so that if two users have the same password, they hash to different values. In this case, you would want two users with the same IP to map to the same value, and simply for that value to not lead to an actual IP address.
So you just use one salt for all IP addresses, but you keep it secret.
Essentially.
I’m sure there are other ways to accomplish the goal but that’s the first one that came to mind.
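
The scheme discussed in this thread (one secret value shared across all IP addresses, so the same IP always yields the same identifier), as an added example that is not any commenter's code and not Wikipedia's implementation. It uses HMAC-SHA256 as the "hash combined with a secret" construction; the function names, key handling and sample address are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed demo key. A real deployment would load one long-lived key from
# protected storage so identifiers stay stable across restarts.
SECRET_KEY = secrets.token_bytes(32)

def canonical(ip: str) -> bytes:
    """Normalise textual variants so one address always hashes identically."""
    addr = ipaddress.ip_address(ip.strip())
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the underlying IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr).packed

def plain_id(ip: str) -> str:
    """Unkeyed hash: stable, but anyone can recompute it for every address."""
    return hashlib.sha256(canonical(ip)).hexdigest()[:16]

def keyed_id(ip: str, key: bytes = SECRET_KEY) -> str:
    """Keyed hash: stable, and not recomputable without the secret key."""
    return hmac.new(key, canonical(ip), hashlib.sha256).hexdigest()[:16]

def enumerate_block(target_id: str, cidr: str, id_func):
    """Privacy check: hash every address in a block and return the one whose
    identifier equals target_id, or None if the identifier does not resolve."""
    for addr in ipaddress.ip_network(cidr):
        if id_func(str(addr)) == target_id:
            return str(addr)
    return None

def without_key(ip: str) -> str:
    """What an outsider can compute: the same function under a guessed key."""
    return keyed_id(ip, key=b"\x00" * 32)

if __name__ == "__main__":
    editor_ip = "198.51.100.77"   # constructed sample (documentation range)
    block = "198.51.100.0/24"
    # Same IP, same identifier: correlation of edits still works.
    print("stable:", keyed_id(editor_ip) == keyed_id("::ffff:198.51.100.77"))
    # The unkeyed identifier resolves back to the address by trying the block.
    print("plain resolves to:", enumerate_block(plain_id(editor_ip), block, plain_id))
    # The keyed identifier does not resolve for anyone who lacks the key.
    print("keyed resolves to:",
          enumerate_block(keyed_id(editor_ip), block, without_key))
```

Rotating the key changes every identifier, which breaks correlation with earlier edits; whoever holds the key can still map identifiers back to addresses.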