Login
Login

Wikipedia:Requests for comment/Temporary account IP-viewer#rfc 6E5B591

Background

: Discussion preceding this RfC and ongoing discussion about the intersection of TAIV and other user rights.

:See also this FAQ.

{{User:ClueBot III/DoNotArchiveUntil|1753657278}}

{{rfc|prop|rfcid=EA00C59}}

The WMF is removing public access to IP addresses and replacing them with temporary accounts. (This will not affect visibility of IP addresses or edits from before implementation.) Temporary accounts are tied to browser cookies, which are set to expire three months from the first edit. This means that they will be different across web browsers and devices. The WMF has determined that temporary accounts are necessary to protect user privacy and comply with legal requirements, while maintaining the ability to edit Wikimedia sites anonymously.

The WMF has also created a new user right for access to temporary account IP addresses, which has come to be known as temporary account IP-viewer (TAIV). The minimum criteria for editors (other than functionaries, 'crats, and admins) seeking the user right are:

  1. minimum account age of 6 months and 300 edits;
  2. specifically applying for access;
  3. opting in for access via Special:Preferences; and
  4. "[a]gree[ing] to use the IP addresses in accordance with these guidelines, solely for the investigation or prevention of vandalism, abuse, or other violations of Wikimedia Foundation or community policies, and understand[ing] the risks and responsibilities associated with this privilege".

Activation and use of the right will be logged.

Users who are site-blocked will lose the user right. Stewards may revoke the right upon request at :meta:Steward requests/Permissions#Removal of access "if the user is determined to have misused the temporary account IP addresses or local community consensus dictates removal."

What should the criteria for granting this right be?

17:01, 21 June 2025 (UTC)

Questions

Question 1: Should we adopt the minimum or heightened standards for TAIV? If the latter, please specify.

Question 2: Should we authorize any of the following actors to request removal of TAIV upon evidence of misuse of the right?

  • Option A: the Arbitration Committee or its delegates
  • Option B: a consensus of (i) functionaries, (ii) 'crats, or (iii) admins
  • Option C: individual (i) functionaries, (ii) 'crats, or (iii) admins

Survey (Question 1)

  • Option 1A: (i) 500 edits/6 months and (ii) a demonstrated need for TAIV, as evidenced by counter-vandalism work, participation in NPP or AfC, sock hunting, etc. You should at least have extended confirmed to get this user right. The demonstrated need requirement is to ensure editors have a good track record and prevent abuse up front. I do not believe that we need to specify that editors should not be blocked or banned because I think that should usually be heavily weighed against an editor seeking any permission. voorts (talk/contributions) 17:01, 21 June 2025 (UTC)
  • :Note: If consensus for option 1A does not develop, I think that we should default to the WMF minimum. voorts (talk/contributions) 21:27, 22 June 2025 (UTC)
  • :I also think we can trust admins not to grant this right to editors who have had their extended confirmed revoked. voorts (talk/contributions) 22:12, 22 June 2025 (UTC)
  • Option 1A per voorts, but I think that logging every single instance of the usage of the right is overkill 𐩣𐩫𐩧𐩨 Abo Yemen (𓃵) 17:13, 21 June 2025 (UTC)
  • Option 1A, tho I would still prefer a explicit "not under any kind of sanctions for X months" rider attached, I think the current requirement are okay as a initial blueprint for the community to start with. Sohom (talk) 17:29, 21 June 2025 (UTC)
  • Option 1A Our Discussion already tells why. OPHYRIUS 17:48, 21 June 2025 (UTC)
  • Meh. One part of me wants to say "Of course we want this as strict as possible", but honestly, there's no practical difference between 6/300 and 6/500. The important thing is that you have to make a specific application; I think we can trust the folks at WP:PERM to exercise good judgement on who they give it to. RoySmith (talk) 18:24, 21 June 2025 (UTC)
  • What Voorts said. Seems like a good standard. Mrfoogles (talk) 22:32, 21 June 2025 (UTC)
  • What Voorts said but would tie it directly to EC. We already have set 6/500 as a standard here, and it makes sense to just say "must meet Extended Confirmed threshold" rather than create multiple standards. Dennis Brown - 00:06, 22 June 2025 (UTC)
  • :Extended confirmed is 30 days, not 6 months. voorts (talk/contributions) 00:17, 22 June 2025 (UTC)
  • I'd prefer the WMF minimum here, 300 edits/6 months. We're still going to have PERM admins reviewing each request and they can exercise their discretion. No need to tie their hands. This right is really no big deal. Toadspike [Talk] 06:57, 22 June 2025 (UTC)
  • Minimum. As with Toadspike, I trust that reviewing admins will grant the permission when appropriate. If they judge that an editor with 300 edits has need of, and can be trusted with, the permission then so be it. fifteen thousand two hundred twenty four (talk) 07:11, 22 June 2025 (UTC)
  • What Voorts said but with the replacement of "500 edits" with "must be extended-confirmed". For most editors this is equivalent but requiring EC automatically excludes editors who had EC revoked for gaming their edit count. Dan Leonard (talk • contribs) 20:21, 22 June 2025 (UTC)
  • :EC can be granted early, so this would have to be an additional requirement rather than a replacement. Jruderman (talk) 22:08, 22 June 2025 (UTC)
  • WMF minimum plus demonstrated use case at the discretion of the grantor. — rsjaffe 🗣️ 20:29, 22 June 2025 (UTC): amended to include that the request must have a reasonable use case attached to it (such as, but not restricted to, being on NPP). Just like rollbacker requests, want a reason attached to the request. — rsjaffe 🗣️ 22:13, 22 June 2025 (UTC)
  • :I agree with you here, but this is a basic part of the PERM process, so I'm not sure we need to specify it separately. For example, WP:PERM/R doesn't specifically say that users must explain why they want the right, even though they must. Toadspike [Talk] 09:08, 23 June 2025 (UTC)
  • Minimum. WMF's move is rather absurd — it's hardly a privacy issue when you refuse to log into your own account, or when you refuse to create one — but we're stuck with it. We shouldn't make the situation worse by making users jump through additional hoops. Nyttend (talk) 04:01, 23 June 2025 (UTC)

Discussion (Question 1)

  • {{u|Abo Yemen}} regarding {{tq|logging every single instance of the usage of the right is overkill}}, every time a checkuser views a user's IP address, the access is logged. Surely the same should apply to TAIP. RoySmith (talk) 17:18, 21 June 2025 (UTC)
  • : Moved from survey section. That is not something that we can change. I believe that the rationale behind logging is that, like CU, the user right provides access to private data. voorts (talk/contributions) 17:16, 21 June 2025 (UTC)
  • ::See :wmf:Policy:Wikimedia Access to Temporary Account IP Addresses Policy#Use of temporary account IP addresses:{{pb}}
  • :::The following actions are logged:
  • :::* When a user accepts the preference that enables or disables IP reveal for their account.
  • :::* Revealing an IP address of a temporary account.
  • :::* Listing the temporary accounts that are associated with an IP address.
  • :: voorts (talk/contributions) 17:24, 21 June 2025 (UTC)
  • :::so basically WP:XC users are going to be the new checkusers? Is there a way to oppose this temp acc proposal altogether? 𐩣𐩫𐩧𐩨 Abo Yemen (𓃵) 17:26, 21 June 2025 (UTC)
  • ::::No and no. voorts (talk/contributions) 17:31, 21 June 2025 (UTC)
  • ::::: ): 𐩣𐩫𐩧𐩨 Abo Yemen (𓃵) 17:35, 21 June 2025 (UTC)
  • ::::Not by default, only on request at WP:PERM. Sohom (talk) 17:31, 21 June 2025 (UTC)
  • ::::An RFC to disable editing without an account. ScottishFinnishRadish (talk) 19:47, 21 June 2025 (UTC)
  • :::::I would totally support that. I don't see what value IP editing adds. It certainly doesn't give the editor any additional privacy. If anything, an IP editor has less privacy because their IP address leaks information. With TAIP, the ability to correlate multiple IP addresses leaks a lot more information. And on our side, what we get is a lot more work to manage it, not to mention all the effort that has gone into developing the feature. RoySmith (talk) 21:31, 21 June 2025 (UTC)
  • ::::::With TAIP, the ability to see multiple IP addresses is still only given to those with special permission, so TAIP users have much less exposure than IP editors do. Remember that checkusers can already see the IPs of people with accounts. With TAIP only checkusers will be able to see the IPs of those without accounts. And the value that IP editing adds is allowing people to edit the encyclopedia with less friction -- less friction means more people working on it, which makes it overall better, ideally. Mrfoogles (talk) 22:30, 21 June 2025 (UTC)
  • :::::::Re: {{tq|With TAIP only checkusers will be able to see the IPs of those without accounts}} I suspect that's not what you intended to say. RoySmith (talk) 23:51, 21 June 2025 (UTC)
  • ::::Only real checkusers can look at these logs. JJPMaster (she/they) 04:34, 23 June 2025 (UTC)
  • :::::That's not true. The logs are publicly available, as with all logged actions. voorts (talk/contributions) 12:39, 23 June 2025 (UTC)
  • ::::::Special:Log/checkuser-temporary-account seems to be limited to CUs as of right now - will that change, or am I looking in the wrong place? WindTempos they (talkcontribs) 13:02, 23 June 2025 (UTC)
  • :{{outdent|5}} Nevermind; I was confusing this with the log of blocked IP addresses, which will still be available. See, for example [https://no.wikipedia.org/wiki/Spesial:Blokkeringsliste?wpTarget=&wpOptions%5B%5D=autoblocks&wpOptions%5B%5D=userblocks&wpOptions%5B%5D=tempuserblocks&blockType=&limit=50&wpFormIdentifier=blocklist]. voorts (talk/contributions) 13:24, 23 June 2025 (UTC)
  • There's 1 point, the user having TAIV, would about a half CU. WMF rolled out this policy only for privacy of the anonymous editors. It's one of the reasons extended confirmed is required as only trusted users should receive this right (Most of the users voting this are from the preceding discussion). This would also reduce chances of socks receiving TAIV as they would likely be caught before the get extended confirmed. OPHYRIUS 17:55, 23 June 2025 (UTC)

Survey (Question 2)

  • All of the above: Generally, admins can already revoke advanced permissions, and we trust them to do so without abusing that authority. But, since the WMF requires that stewards process removals of TAIV, we should make it our "local community consensus" that a good faith request from any of the above actors "dictates removal" of the user right. voorts (talk/contributions) 17:01, 21 June 2025 (UTC)
  • :Hey, I wanted to clarify that admins can also remove TAIV: "users authorized to grant such access are also authorized to terminate access" (the third paragraph in the Removing access section). SGrabarczuk (WMF) (talk) 10:03, 23 June 2025 (UTC)
  • All of the above. Allowing somebody to view private data means they have the ability to abuse that data (post it publicly, for example). If somebody has gone rogue, the first person (admin, etc) to observe this should be able to prevent further harm by revoking the right quickly. If it turns out they over-reacted, it's easy enough to restore it after some discussion. This is similar to the "tool of first resort" philosophy used by oversighters. RoySmith (talk) 17:24, 21 June 2025 (UTC)
  • AotA, What folks above me have said, we should have a zero tolerance policy for mucking around with private data, particularly one that could be used to deanonymize users. Sohom (talk) 17:34, 21 June 2025 (UTC)
  • All of Above per RoySmith & Sohom. OPHYRIUS 17:48, 21 June 2025 (UTC)
  • All of the above -- it should be easy for anyone admin or above to request removal of permissions like this. Mrfoogles (talk) 22:31, 21 June 2025 (UTC)
  • All of the above per the above. Dennis Brown - 00:07, 22 June 2025 (UTC)
  • All (aka Option C). Admins should be able to yoink TAIV on their own. But ArbCom may have more experience in assessing use/abuse of a tool like this. Toadspike [Talk] 07:01, 22 June 2025 (UTC)
  • All per voorts. fifteen thousand two hundred twenty four (talk) 07:17, 22 June 2025 (UTC)
  • All of course. Surprised there is a requirement for Stewards to process removals, but, as an optional advanced permission, quick removal is a good thing, so empowering all on that list is good. — rsjaffe 🗣️ 20:27, 22 June 2025 (UTC)
  • All of the above, plus the ability to be removed by community consensus at AN or AARV. JJPMaster (she/they) 04:36, 23 June 2025 (UTC)

Discussion (Question 2)

  • For those supporting options B and C: if one admin, bureaucrat, or functionary requests removal, can their request be overridden by a consensus of a group of admins, bureaucrats, or functionaries? Do they need to find consensus against removing the privilege, or does a lack of consensus to remove the privilege suffice? isaacl (talk) 16:46, 22 June 2025 (UTC)
  • :I assume that one could go to Wikipedia:Administrative action review. — rsjaffe 🗣️ 20:26, 22 June 2025 (UTC)
  • ::I agree. This would be the same as any other admin removing a right that they're authorized to. If reversal is necessary, it's easy enough to ask the stewards to give the right back. voorts (talk/contributions) 20:37, 22 June 2025 (UTC)
  • :::In this case, I think option B should be omitted from the actual written policy. The normal collaborative practice is that administrators can take an action on their own initiative, but if a consensus (in most cases, within the community) is determined, then it takes precedence. Option B only allows for a consensus to be established among administrators, bureaucrats, and functionaries. If review is to take place at the administrative action review venue, then the normal collaborative practice suffices. isaacl (talk) 21:43, 22 June 2025 (UTC)
  • ::::I think a consensus of functionaries (e.g., on the CU/OS email group if someone reports TAIV abuse concerns to them) should be allowed to authorize revocation of the right. Likewise, a consensus of admins on a user talk page deciding on unblock conditions should be allowed to agree to revoke TAIV. The community shouldn't be overriding functionary determinations (that's for ArbCom and the Ombuds), and they could review a consensus of admins via AN as always. voorts (talk/contributions) 21:51, 22 June 2025 (UTC)
  • :::::Sure, but that's a subset of option C, since any individual functionary or admin can implement the consensus from a group of functionaries or admins, just like a group of checkusers today can consult with each other to decide on implementing a block. I agree it make sense that functionary decisions to revoke the privilege, which could be based on private information, shouldn't be reviewable by the community. isaacl (talk) 02:12, 23 June 2025 (UTC)
  • Given @Szymon's comment above, I think this question is now a moot point. Any objections to closing it? voorts (talk/contributions) 12:37, 23 June 2025 (UTC)
  • :Although any admin may be technically capable of removing the privilege, the community still needs to establish a process of how to decide when it should be removed: can an individual admin decide on removal, or does it have to be a community consensus? Can checkusers and oversighters act unilaterally (with any review to be performed by the arbitration committee)? (I'm not sure if bureaucrats should be in a different category than admins for this process.) isaacl (talk) 16:44, 23 June 2025 (UTC)
  • ::Well the question was framed as "who can ask the stewards to remove it", but now that we know we don't need the stewards, the question being presented here is incorrect/inapt. Additionally, why do we need to decide on if admins can remove the right? Admins are already the ones who will be granting the right and can remove it. Why should this user right be different than other ones? voorts (talk/contributions) 16:51, 23 June 2025 (UTC)
  • :::To me, who pushes the buttons is a distinct issue from the decision-making process. So I think the idea that the user right should be handled the same as the current ones still applies even if a request had to be made to the stewards to actually remove the privilege. Question 2 seemed to me to be examining other decision-making processes, but I agree a version of it is not needed if no one wants to consider other processes. isaacl (talk) 17:34, 23 June 2025 (UTC)

General discussion

{{block indent|em=1.6|1=Notified: Wikipedia:Administrators' noticeboard, Wikipedia talk:Requests for permissions, Wikipedia talk:User groups, Wikipedia:Village pump (policy), Wikipedia:Village pump (proposals), Wikipedia:Village pump (WMF), Template:Centralized discussion. voorts (talk/contributions) 17:06, 21 June 2025 (UTC)}}