[tor-dev] Fwd: [Wikitech-l] Can we help Tor users make legitimate edits?

Zack Weinberg zackw at panix.com
Fri Dec 28 23:26:25 UTC 2012

The author asked me to forward this message to tor-dev.  I can vouch
for their personal interest in making something happen here and their
being in a position of ability to do so from Wikimedia's end.  Replies
should go to wikitech-l and/or the author as well as here.  It looks
like there was quite a bit of a thread there already:
(note in particular that their primary concern seems to be
"sockpuppets" rather than spammers).

---- Begin forwarded message:
From: Sumana Harihareswara <sumanah at wikimedia.org>
To: wikitech-l at lists.wikimedia.org
Subject: [Wikitech-l] Can we help Tor users make legitimate edits?

TL;DR: A few ideas follow on how we could possibly help legit editors
contribute from behind Tor proxies.  I am just conversant enough with
the security problems to make unworkable suggestions ;-), so please
correct me, critique & suggest solutions, and perhaps volunteer to help.

The current situation:
We generally don't let anyone edit or upload from behind Tor; the
TorBlock extension stops them.  One exception: a person can create an
account, accumulate lots of good edits, and then ask for an IP block
exemption, and then use that account to edit from behind Tor.  This is
unappealing because then there's still a bunch of in-the-clear editing
that has to happen first, and because then site functionaries know that
the account is going to be making controversial edits (and could
possibly connect it to IPs in the future, right?).  And right now
there's no way to truly *anonymously* contribute from behind Tor
proxies; you have to log in.  However, since JavaScript delivery is hard
for Tor users, I'm not sure how much editing from Tor -- vandalism or
legit -- is actually happening.  (I hope for analytics on this and thus
added it to https://www.mediawiki.org/wiki/Analytics/Dreams .)  We know
at least that there are legitimate editors who would prefer to use Tor
and can't.

People have been talking about how to improve the situation for some
time -- see http://cryptome.info/wiki-no-tor.htm and
.  It'd be nice if it could actually move forward.

I've floated this problem past Tor and privacy people, and here are a
few ideas:

1) Just use the existing mechanisms more leniently.  Encourage the
communities (Wikimedia & Tor) to use
https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an
account from behind Tor) and to let more people get IP block exemptions
even before they've made any edits (< 30 people have gotten exemptions
on en.wp in 2012).  Add encouraging "get an exempt account" language to
the "you're blocked because you're using Tor" messaging.  Then if
there's an uptick in vandalism from Tor then they can just tighten up again.

2) Encourage people with closed proxies to re-vitalize
https://en.wikipedia.org/wiki/Wikipedia:WOCP .  Problem: using closed
proxies is okay for people with some threat models but not others.

3) Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing
and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php .  It would
allow Wikimedia to distance itself from knowing people's identities, but
still allow admins to revoke permissions if people acted up.  The user
shows a real identity, gets a token, and exchanges that token over tor
for an account.  If the user abuses the site, Wikimedia site admins can
blacklist the user without ever being able to learn who they were or
what other edits they did.  More: https://cs.uwaterloo.ca/~iang/ Ian
Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on
Nymble or its derivatives.  It's not ready for production yet, I bet,
but if someone wanted a Big Project....

3a) A token authorization system (perhaps a MediaWiki extension) where
the server blindly signs a token, and then the user can use that token
to bypass the Tor blocks.  (Tyler mentioned he saw this somewhere in a
Bugzilla suggestion; I haven't found it.)

4) Allow more users the IP block exemption, possibly even automatically
after a certain number of unreverted edits, but with some kind of
FlaggedRevs integration; Tor users can edit but their changes have to be
reviewed before going live.  We could combine this with (3); Nymble
administrators or token-issuers could pledge to review edits coming from
Tor. But that latter idea sounds like a lot of social infrastructure to
set up and maintain.

Thoughts? Are any of you interested in working on this problem?  #tor on
the OFTC IRC server is full of people who'd be interested in talking
about this.

Sumana Harihareswara
Engineering Community Manager
Wikimedia Foundation

More information about the tor-dev mailing list