CheckUser IS magic pixie dust

[MysteriousStranger]

We all know the saying that CUs enjoy using: "Checkuser is not magic pixie dust." Yet, I've encountered CUs who clearly believe that it IS.

I am behind two accounts identified on en-wiki as sockmasters. One is from awhile back, and has an extensive SPI. The other is more recent, and has no SPI.

The older one has 70-some "confirmed" sockpuppets; two of them have nothing to do with me. I tried to tell that to admins on multiple occasions, only to be reverted, ignored, and occasionally told "well, talk to a Checkuser about it." Problem was, it was after the three-month data-holding period had passed, so there was nothing to be done anyway. Judging by when the accounts were blocked, I'd guess that they were created on two separate public networks I used (computer terminals at university libraries). One network I would call small-to-medium-sized; the other is quite large. Neither account had editing habits similar to my own. Yet, because they were on the same networks as mine, they were automatically mine.

The second, more-recent sockmaster's labeling has been even more problematic: 22 "confirmed" socks, out of which 4 are completely unrelated to the rest. In this case, it was mobile networks, and I know very little about these accounts---but their editing habits were drastically different from mine. In this case, Materialscientist was the only CU with any real involvement in tagging; apparently he knows nothing about the fallibilities of the CU tool. In CU guidelines, they're told to avoid using technical results as the only criterion for labeling a sock, especially if there is no behavioral similarity. Yet, in practice, what the tool turns up is all that matters. It ticks me off, because well-meaning users get blocked for using the wrong computer, basically.

[Larkin]

We all know the saying that CUs enjoy using: "Checkuser is not magic pixie dust." Yet, I've encountered CUs who clearly believe that it IS.

I am behind two accounts identified on en-wiki as sockmasters. One is from awhile back, and has an extensive SPI. The other is more recent, and has no SPI.

The older one has 70-some "confirmed" sockpuppets; two of them have nothing to do with me. I tried to tell that to admins on multiple occasions, only to be reverted, ignored, and occasionally told "well, talk to a Checkuser about it." Problem was, it was after the three-month data-holding period had passed, so there was nothing to be done anyway. Judging by when the accounts were blocked, I'd guess that they were created on two separate public networks I used (computer terminals at university libraries). One network I would call small-to-medium-sized; the other is quite large. Neither account had editing habits similar to my own. Yet, because they were on the same networks as mine, they were automatically mine.

The second, more-recent sockmaster's labeling has been even more problematic: 22 "confirmed" socks, out of which 4 are completely unrelated to the rest. In this case, it was mobile networks, and I know very little about these accounts---but their editing habits were drastically different from mine. In this case, Materialscientist was the only CU with any real involvement in tagging; apparently he knows nothing about the fallibilities of the CU tool. In CU guidelines, they're told to avoid using technical results as the only criterion for labeling a sock, especially if there is no behavioral similarity. Yet, in practice, what the tool turns up is all that matters. It ticks me off, because well-meaning users get blocked for using the wrong computer, basically.

What can CUs glean about a user's computer anyway? I understand IP address and browser. How much more? The name of the computer, the network group being used? I don't believe that for a minute about the three month rule. I mean that it's observed. I also believe they have access to recent traffic. I mean not edits, which obviously they can examine from the contributions log, but pages visited. I suspect they consider themselves an elite of the elite, above all criticism. Bit like the NSA really (or rather GCHQ my part of the woods).

Pointers to links discussing the issue?

[greybeard]

Here's an example of what most people's browser reveals to WP or any other site:

Code: Select all

Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Host: centralops.net
Referer: https://www.google.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Upgrade-Insecure-Requests: 1
DNT: 1

The User-Agent string, in particular, along with the IP address, is the source of most of the "pixie dust". It's far from a fingerprint, but if you use the same computer and browser ful different socks, someone will always have reason to say you're a sock, especially if the IP is similar or the same.

[Triptych]

What can CUs glean about a user's computer anyway? I understand IP address and browser. How much more? The name of the computer, the network group being used? I don't believe that for a minute about the three month rule. I mean that it's observed. I also believe they have access to recent traffic. I mean not edits, which obviously they can examine from the contributions log, but pages visited. I suspect they consider themselves an elite of the elite, above all criticism. Bit like the NSA really (or rather GCHQ my part of the woods).

Pointers to links discussing the issue?

I think that a checkuser can see a user's email address if he or she has entered one in Wikipedia's email function. And of course once the checkuser has the email address, it can be websearched for, which is potentially devastating to user privacy if the user entered an email address he or she has used for years.

The WMF doesn't warn users about this when they set up the email function. Bad admins like Dennis Brown and bad WMF employees like Philippe Beaudette will say it's a case of WP:BEANS, which is the metaphor they use to assert users should be kept in the dark (don't tell them about the beans) so Wikipedia's sick crew of creepy and stalkery anonymous "investigators" can be more effective.

Sorry I can't give you a link, but I base my belief on a page on Meta describing how Meta checkuser searches work, which I recall reading with surprise that they yield the email address. I am not prepared to go and hunt down that page right now.

[lilburne]

Don't people have different emails for every interaction?

[Poetlister]

@Greybeard: That reminds me of the IP that was banned as an open proxy because there were edits from it using several different browsers. In fact, it was an Internet cafe with a load of different machines.

@Triptych: No, they can see the IP from which an e-mail was sent, but not the address. A developer can extract the address, but that's rare.

[Triptych]

@Triptych: No, they can see the IP from which an e-mail was sent, but not the address. A developer can extract the address, but that's rare.

Here's the Meta page where I got the idea: https://meta.wikimedia.org/wiki/CheckUs ... ser_status.

Determine whether the user being checked has sent an email using MediaWiki interface to some other user. The time of the event is logged, the destination email address and user ID are obscured.

By saying particularly that the destination email is obscured, isn't the clear implication that the sender's is not?

[Poetlister]

By saying particularly that the destination email is obscured, isn't the clear implication that the sender's is not?

No, I think that's just sloppy wording.

[Triptych]

By saying particularly that the destination email is obscured, isn't the clear implication that the sender's is not?

No, I think that's just sloppy wording.

Perhaps a checkuser will chime in here in this thread to clear things up.

[tarantino]

By saying particularly that the destination email is obscured, isn't the clear implication that the sender's is not?

No, I think that's just sloppy wording.

Perhaps a checkuser will chime in here in this thread to clear things up. ;)

Poetlister was a checkuser.

[MysteriousStranger]

We all know the saying that CUs enjoy using: "Checkuser is not magic pixie dust." Yet, I've encountered CUs who clearly believe that it IS.

I am behind two accounts identified on en-wiki as sockmasters. One is from awhile back, and has an extensive SPI. The other is more recent, and has no SPI.

The older one has 70-some "confirmed" sockpuppets; two of them have nothing to do with me. I tried to tell that to admins on multiple occasions, only to be reverted, ignored, and occasionally told "well, talk to a Checkuser about it." Problem was, it was after the three-month data-holding period had passed, so there was nothing to be done anyway. Judging by when the accounts were blocked, I'd guess that they were created on two separate public networks I used (computer terminals at university libraries). One network I would call small-to-medium-sized; the other is quite large. Neither account had editing habits similar to my own. Yet, because they were on the same networks as mine, they were automatically mine.

The second, more-recent sockmaster's labeling has been even more problematic: 22 "confirmed" socks, out of which 4 are completely unrelated to the rest. In this case, it was mobile networks, and I know very little about these accounts---but their editing habits were drastically different from mine. In this case, Materialscientist was the only CU with any real involvement in tagging; apparently he knows nothing about the fallibilities of the CU tool. In CU guidelines, they're told to avoid using technical results as the only criterion for labeling a sock, especially if there is no behavioral similarity. Yet, in practice, what the tool turns up is all that matters. It ticks me off, because well-meaning users get blocked for using the wrong computer, basically.

What can CUs glean about a user's computer anyway? I understand IP address and browser. How much more? The name of the computer, the network group being used? I don't believe that for a minute about the three month rule. I mean that it's observed. I also believe they have access to recent traffic. I mean not edits, which obviously they can examine from the contributions log, but pages visited. I suspect they consider themselves an elite of the elite, above all criticism. Bit like the NSA really (or rather GCHQ my part of the woods).

Pointers to links discussing the issue?

What I've read seems to indicate that the server itself deletes the data after three months. I agree that they do seem rather NSA-like. I mean, very little accountability, and there's even that section in "Checkuser block" messages that says regular admins can be summarily desysopped for undoing a CU block. It just surprises me how little some of them seem to know. I mean, as for the most recent batch, I'm on a Windows Phone, which is rather uncommon. I'm sure that not all 4 of those wrongly associated with me were using the horrid, buggy IE Mobile.

[Vigilant]

We all know the saying that CUs enjoy using: "Checkuser is not magic pixie dust." Yet, I've encountered CUs who clearly believe that it IS.

I am behind two accounts identified on en-wiki as sockmasters. One is from awhile back, and has an extensive SPI. The other is more recent, and has no SPI.

The older one has 70-some "confirmed" sockpuppets; two of them have nothing to do with me. I tried to tell that to admins on multiple occasions, only to be reverted, ignored, and occasionally told "well, talk to a Checkuser about it." Problem was, it was after the three-month data-holding period had passed, so there was nothing to be done anyway. Judging by when the accounts were blocked, I'd guess that they were created on two separate public networks I used (computer terminals at university libraries). One network I would call small-to-medium-sized; the other is quite large. Neither account had editing habits similar to my own. Yet, because they were on the same networks as mine, they were automatically mine.

The second, more-recent sockmaster's labeling has been even more problematic: 22 "confirmed" socks, out of which 4 are completely unrelated to the rest. In this case, it was mobile networks, and I know very little about these accounts---but their editing habits were drastically different from mine. In this case, Materialscientist was the only CU with any real involvement in tagging; apparently he knows nothing about the fallibilities of the CU tool. In CU guidelines, they're told to avoid using technical results as the only criterion for labeling a sock, especially if there is no behavioral similarity. Yet, in practice, what the tool turns up is all that matters. It ticks me off, because well-meaning users get blocked for using the wrong computer, basically.

What can CUs glean about a user's computer anyway? I understand IP address and browser. How much more? The name of the computer, the network group being used? I don't believe that for a minute about the three month rule. I mean that it's observed. I also believe they have access to recent traffic. I mean not edits, which obviously they can examine from the contributions log, but pages visited. I suspect they consider themselves an elite of the elite, above all criticism. Bit like the NSA really (or rather GCHQ my part of the woods).

Pointers to links discussing the issue?

What I've read seems to indicate that the server itself deletes the data after three months. I agree that they do seem rather NSA-like. I mean, very little accountability, and there's even that section in "Checkuser block" messages that says regular admins can be summarily desysopped for undoing a CU block. It just surprises me how little some of them seem to know. I mean, as for the most recent batch, I'm on a Windows Phone, which is rather uncommon. I'm sure that not all 4 of those wrongly associated with me were using the horrid, buggy IE Mobile.

Anyone who imagines that the 3 month stale data deadline isn't routinely and ubiquitously violated by CU private storage is utterly fooling themselves.

[Ihatemyusername]

This reference to a prior finding by the Audit Subcommittee against Chase Me is pretty interesting. He was apparently warned for his use of checkuser tools 3 years before they were finally taken away from him. It led to me finding this page listing anonymised summaries of all AUSC cases.

There were apparently two cases, one somewhere between October 2010 and Jun 2011, and the other between July 2011 and February 2012, that ended with a "recommendation to the Arbitration Committee." I'm guessing these must have been recommendations to remove the tools, as the subcommittee could just warn someone themselves instead of getting Arbcom to do it. Does anyone know if Arbcom actually followed through with these recommendations, or if they were ignored?

[MysteriousStranger]

We all know the saying that CUs enjoy using: "Checkuser is not magic pixie dust." Yet, I've encountered CUs who clearly believe that it IS.

I am behind two accounts identified on en-wiki as sockmasters. One is from awhile back, and has an extensive SPI. The other is more recent, and has no SPI.

The older one has 70-some "confirmed" sockpuppets; two of them have nothing to do with me. I tried to tell that to admins on multiple occasions, only to be reverted, ignored, and occasionally told "well, talk to a Checkuser about it." Problem was, it was after the three-month data-holding period had passed, so there was nothing to be done anyway. Judging by when the accounts were blocked, I'd guess that they were created on two separate public networks I used (computer terminals at university libraries). One network I would call small-to-medium-sized; the other is quite large. Neither account had editing habits similar to my own. Yet, because they were on the same networks as mine, they were automatically mine.

The second, more-recent sockmaster's labeling has been even more problematic: 22 "confirmed" socks, out of which 4 are completely unrelated to the rest. In this case, it was mobile networks, and I know very little about these accounts---but their editing habits were drastically different from mine. In this case, Materialscientist was the only CU with any real involvement in tagging; apparently he knows nothing about the fallibilities of the CU tool. In CU guidelines, they're told to avoid using technical results as the only criterion for labeling a sock, especially if there is no behavioral similarity. Yet, in practice, what the tool turns up is all that matters. It ticks me off, because well-meaning users get blocked for using the wrong computer, basically.

What can CUs glean about a user's computer anyway? I understand IP address and browser. How much more? The name of the computer, the network group being used? I don't believe that for a minute about the three month rule. I mean that it's observed. I also believe they have access to recent traffic. I mean not edits, which obviously they can examine from the contributions log, but pages visited. I suspect they consider themselves an elite of the elite, above all criticism. Bit like the NSA really (or rather GCHQ my part of the woods).

Pointers to links discussing the issue?

What I've read seems to indicate that the server itself deletes the data after three months. I agree that they do seem rather NSA-like. I mean, very little accountability, and there's even that section in "Checkuser block" messages that says regular admins can be summarily desysopped for undoing a CU block. It just surprises me how little some of them seem to know. I mean, as for the most recent batch, I'm on a Windows Phone, which is rather uncommon. I'm sure that not all 4 of those wrongly associated with me were using the horrid, buggy IE Mobile.

Anyone who imagines that the 3 month stale data deadline isn't routinely and ubiquitously violated by CU private storage is utterly fooling themselves.

I'm sure some of them copy-paste those data into Word files.

[MysteriousStranger]

This reference to a prior finding by the Audit Subcommittee against Chase Me is pretty interesting. He was apparently warned for his use of checkuser tools 3 years before they were finally taken away from him. It led to me finding this page listing anonymised summaries of all AUSC cases.

There were apparently two cases, one somewhere between October 2010 and Jun 2011, and the other between July 2011 and February 2012, that ended with a "recommendation to the Arbitration Committee." I'm guessing these must have been recommendations to remove the tools, as the subcommittee could just warn someone themselves instead of getting Arbcom to do it. Does anyone know if Arbcom actually followed through with these recommendations, or if they were ignored?

That doesn't surprise me. Any other AUSC stuff regarding misuse of Checkuser? I feel like several other CUs are also the type who would totally do that.

[Alison]

I think that a checkuser can see a user's email address if he or she has entered one in Wikipedia's email function.

Nope!

[Triptych]

I think that a checkuser can see a user's email address if he or she has entered one in Wikipedia's email function.

Nope!

I stand corrected then, and hooray for Action Alison!

[The Joy]

I think that a checkuser can see a user's email address if he or she has entered one in Wikipedia's email function.

Nope!

I stand corrected then, and hooray for Action Alison!

Ah, but the paranoia and mystique that surrounds CheckUser may keep some ne'er-do-wells at bay. Someone will no doubt appear at Alison's WP talkpage and wag their finger at her for removing some of that mystique.

Then, Alison wags a finger of her own back...

[Larkin]

We all know the saying that CUs enjoy using: "Checkuser is not magic pixie dust." Yet, I've encountered CUs who clearly believe that it IS.

I am behind two accounts identified on en-wiki as sockmasters. One is from awhile back, and has an extensive SPI. The other is more recent, and has no SPI.

The older one has 70-some "confirmed" sockpuppets; two of them have nothing to do with me. I tried to tell that to admins on multiple occasions, only to be reverted, ignored, and occasionally told "well, talk to a Checkuser about it." Problem was, it was after the three-month data-holding period had passed, so there was nothing to be done anyway. Judging by when the accounts were blocked, I'd guess that they were created on two separate public networks I used (computer terminals at university libraries). One network I would call small-to-medium-sized; the other is quite large. Neither account had editing habits similar to my own. Yet, because they were on the same networks as mine, they were automatically mine.

The second, more-recent sockmaster's labeling has been even more problematic: 22 "confirmed" socks, out of which 4 are completely unrelated to the rest. In this case, it was mobile networks, and I know very little about these accounts---but their editing habits were drastically different from mine. In this case, Materialscientist was the only CU with any real involvement in tagging; apparently he knows nothing about the fallibilities of the CU tool. In CU guidelines, they're told to avoid using technical results as the only criterion for labeling a sock, especially if there is no behavioral similarity. Yet, in practice, what the tool turns up is all that matters. It ticks me off, because well-meaning users get blocked for using the wrong computer, basically.

What can CUs glean about a user's computer anyway? I understand IP address and browser. How much more? The name of the computer, the network group being used? I don't believe that for a minute about the three month rule. I mean that it's observed. I also believe they have access to recent traffic. I mean not edits, which obviously they can examine from the contributions log, but pages visited. I suspect they consider themselves an elite of the elite, above all criticism. Bit like the NSA really (or rather GCHQ my part of the woods).

Pointers to links discussing the issue?

What I've read seems to indicate that the server itself deletes the data after three months. I agree that they do seem rather NSA-like. I mean, very little accountability, and there's even that section in "Checkuser block" messages that says regular admins can be summarily desysopped for undoing a CU block. It just surprises me how little some of them seem to know. I mean, as for the most recent batch, I'm on a Windows Phone, which is rather uncommon. I'm sure that not all 4 of those wrongly associated with me were using the horrid, buggy IE Mobile.

Anyone who imagines that the 3 month stale data deadline isn't routinely and ubiquitously violated by CU private storage is utterly fooling themselves.

Yes, exactly. Thanks everyone for your responses. Helpful and appreciated.

Probably a silly question, but what about uploading a file? For example if I upload a file from my computer whose full path is something like C:\Larkin\Socks\Me.jpg can that be seen by CUs? Presumably it can be seen at developers' level? Or is that not so.?

[Wonderer]

If they wanted to, they could pin a lot more socks on you. It's not like a cop who plants a gun or drugs on a suspect, there at least has to be some kind of material evidence to be publicly examined by a jury in case the cop's misdeeds aren't just neatly explained away by Internal Affairs.

But with CheckUser evidence, can't they just make stuff up as it suits them? If a particular CheckUser wants to get rid of three or four different users he hates, can't he just conflate them all into one evil sockmaster? If there are any troublesome overlapping timestamps, can't he just tweak them by a few minutes so as to not overlap?

Presumably there is some sort of checks and balances for CheckUsers, which is why the 3-month deadline can be very handy: if CheckUser A has been hoarding "stale" CheckUser data, what are the odds CheckUser B has also hoarded the same data? It then becomes that much easier for CheckUser A to claim that the data says whatever he wants it to say.

[Parabola]

The real fuzzy bullshit w/r/t checkuser is two words: ~behavioral evidence~

Do you use the word "that" too often and end your sentences with periods? Seems identical to this sockmaster someone's obsessed with!

[Zoloft]

The real fuzzy bullshit w/r/t checkuser is two words: ~behavioral evidence~

Do you use the word "that" too often and end your sentences with periods? Seems identical to this sockmaster someone's obsessed with!

We all know there's a bitter group of people very suspicious of people with periods.

[auriental]

By saying particularly that the destination email is obscured, isn't the clear implication that the sender's is not?

No, I think that's just sloppy wording.

Perhaps a checkuser will chime in here in this thread to clear things up.

I am most certainly not a checkuser on any WMF project (but have been elsewhere.) Unless they have a private customised version of the CheckUser.php extension beyond the open source version (let your paranoia go wild) there is no slot available in the CU database tables for storing email details (in fact have a look at the structure here (seems up-to-date to me): https://phabricator.wikimedia.org/diffu ... hanges.sql.

Now all this proves is that the actual CheckUser interface does not reveal email addresses. Why bother? It says nothing whatsoever about someone with direct access to the database engine. Surely a simple:

Code: Select all

select user_name,user_email from user where user=...;

is not too taxing to understand?

[MysteriousStranger]

The real fuzzy bullshit w/r/t checkuser is two words: ~behavioral evidence~

Do you use the word "that" too often and end your sentences with periods? Seems identical to this sockmaster someone's obsessed with!

We all know there's a bitter group of people very suspicious of people with periods.

Zing!

[Poetlister]

But with CheckUser evidence, can't they just make stuff up as it suits them?

Yes, they can. It should be possible for another Checkuser to check it, but that doesn't always happen.

[auriental]

Presumably there is some sort of checks and balances for CheckUsers, which is why the 3-month deadline can be very handy

I am probably feeding the paranoia here but note the utility does not in any way enforce purging records after any specified period. A default installation of the CheckUser extension holds records forever and although it might be sensible to set up a periodic cron job to execute the canned flush procedure (purgeOldData.php) nothing explicitly even recommends this.

[Triptych]

Presumably there is some sort of checks and balances for CheckUsers, which is why the 3-month deadline can be very handy

I am probably feeding the paranoia here but note the utility does not in any way enforce purging records after any specified period. A default installation of the CheckUser extension holds records forever and although it might be sensible to set up a periodic cron job to execute the canned flush procedure (purgeOldData.php) nothing explicitly even recommends this.

The WMF says the data is purged, but in similar matters, the WMF is known to lie to its contributors:

"Only persons whose identity is known to the Wikimedia Foundation shall be permitted to have access to any nonpublic data or other nonpublic information produced, collected, or otherwise held by the Wikimedia Foundation, where that data or other information is restricted from public disclosure by the Wikimedia Privacy Policy."

[Wonderer]

A point from Parabola very much worth repeating (emphasis mine):

The real fuzzy bullshit w/r/t checkuser is two words: ~behavioral evidence~

This could easily be used to manufacture sockpuppets to pin on someone else. Let's say, hypothetically, I work for Monsanto PR. There are specific facts that have been reported in newspapers but which my client doesn't want repeated in Wikipedia. But this one pesky Wikipedia user keeps putting them in, complete with citations to said newspapers.

So I go to a public library (probably a good idea not to use Monsanto computers), create a few sockpuppets. I operate them in imitation of the pesky Wikipedia user, editing the same articles as him, and a few unrelated articles to give the impression I'm actually trying to hide my sockpuppetry. The technical data might not match up the pesky Wikipedia user, but the behavioral evidence, whoa, bam! Take that, m.f.er!

[Poetlister]

Most findings by Checkusers are not based solely on checkuser data; sometimes, they are not based on such data at all. Checkusers, like anyone else, can form their own conclusions based on publicly available information.

[Triptych]

Most findings by Checkusers are not based solely on checkuser data; sometimes, they are not based on such data at all. Checkusers, like anyone else, can form their own conclusions based on publicly available information.

You're saying that checkusers sometimes extend their investigations off Wikipedia, making use of websearch engines, but especially Google, and other Internet possibilities and tricks and so forth, to hunt down their (charitably) suspects or (less charitably) targets.

But their authority, such as it is, accorded to them by WMF and Arbcom and other administrative Wikipedia participants, can't reasonably be seen to extend beyond Wikipedia. So they're off on their own when they do this. Unless you listen to Fluffernutter, who argued that via writing this in policy (or perhaps just agreeing amongst themselves and on IRC and mailing list secret channels) the Wikipedia administrative set could extend to particular designees some sort of authorized hunting expeditions to get those they perceive as enemies of Wikipedia. She didn't say that in so many words, but that was what she advocated, I emphasize. I am not prepared to hunt down the link where she said that though.

Fluffernutter is Karen Ingraffea of upstate New York USA and arbitrator Courcelles is her husband Brad Ingraffea (unless he is a fiction) which I also gleaned from publicly available information.

[Zoloft]

I doubt that Courcelles is a fiction.

[Kelly Martin]

The User-Agent string, in particular, along with the IP address, is the source of most of the "pixie dust". It's far from a fingerprint, but if you use the same computer and browser ful different socks, someone will always have reason to say you're a sock, especially if the IP is similar or the same.

The problem with using user agents as a "fingerprint" is that there really aren't that many unique user agents, and lots of distinct people will have the same user agent.

Confirmation bias runs amok in the interpretation of checkuser data; typically the checkuser has already decided whether or not the person is a sock, and will find evidence in the actual checkuser data output that confirms their original decision, whether or not such evidence is actually there.

[Kelly Martin]

I think that a checkuser can see a user's email address if he or she has entered one in Wikipedia's email function. And of course once the checkuser has the email address, it can be websearched for, which is potentially devastating to user privacy if the user entered an email address he or she has used for years.

Checkusers do not have access to this information, unless they're also database administrators, and all of the latter category are WMF staff. I realize that some people persist in insisting that this data is available, but it is not. There have been times that people have figured out correlations, but they have involved people using webmail services that preserve the sender's IP in headers, allowing for cross-service correlation, or other means by which people have inadvertently disclosed their IP address, thus allowing a checkuser to then correlate their email address with their Wikipedia account.

[Kelly Martin]

Anyone who imagines that the 3 month stale data deadline isn't routinely and ubiquitously violated by CU private storage is utterly fooling themselves.

I have checkuser data that is approaching ten years old stashed away in various unsavory places, although probably not where I could find it now even if I wanted to.

[Kelly Martin]

Probably a silly question, but what about uploading a file? For example if I upload a file from my computer whose full path is something like C:\Larkin\Socks\Me.jpg can that be seen by CUs? Presumably it can be seen at developers' level? Or is that not so.?

The full path on your local device from which you upload is (generally) transmitted as part of the metadata on the upload attachment. MediaWiki strips path data when it parses this data and sanitizes it generally, in part because several browsers mispopulate this field and so its contents are highly unreliable. The raw data is not stored anywhere by MediaWiki, so the only way to capture it would be if a sysadmin set up a trap trace, something which Wikimedia has only done on very rare occasions.

[Larkin]

Probably a silly question, but what about uploading a file? For example if I upload a file from my computer whose full path is something like C:\Larkin\Socks\Me.jpg can that be seen by CUs? Presumably it can be seen at developers' level? Or is that not so.?

The full path on your local device from which you upload is (generally) transmitted as part of the metadata on the upload attachment. MediaWiki strips path data when it parses this data and sanitizes it generally, in part because several browsers mispopulate this field and so its contents are highly unreliable. The raw data is not stored anywhere by MediaWiki, so the only way to capture it would be if a sysadmin set up a trap trace, something which Wikimedia has only done on very rare occasions.

Thanks for that.

[thekohser]

The problem with using user agents as a "fingerprint" is that there really aren't that many unique user agents, and lots of distinct people will have the same user agent.

I thought it was actually very rare to have the exact same user agent as another random Internet user?

Anyway, this site doesn't seem to understand what market share means.

[Poetlister]

Most findings by Checkusers are not based solely on checkuser data; sometimes, they are not based on such data at all. Checkusers, like anyone else, can form their own conclusions based on publicly available information.

You're saying that checkusers sometimes extend their investigations off Wikipedia, making use of websearch engines, but especially Google, and other Internet possibilities and tricks and so forth, to hunt down their (charitably) suspects or (less charitably) targets.

I didn't actually say that, although even that is not unknown. I was thinking more of "tells" such as daily and weekly edit times, topics of interest and what someone (probably SlimVirgin) dubbed "sophisticated linguistic skills".

[thekohser]

...and what someone (probably SlimVirgin) dubbed "sophisticated linguistic skills".

Wasn't that Durova?

[Triptych]

I think that a checkuser can see a user's email address if he or she has entered one in Wikipedia's email function. And of course once the checkuser has the email address, it can be websearched for, which is potentially devastating to user privacy if the user entered an email address he or she has used for years.

Checkusers do not have access to this information, unless they're also database administrators, and all of the latter category are WMF staff. I realize that some people persist in insisting that this data is available, but it is not.

Perhaps part of the misunderstanding stems from this part of the checkuser info page on Meta (bold added):

CheckUser is an interface for users with the checkuser permission. A user with CheckUser status on a wiki can in particular check if a user is or isn't a sockpuppet of another user on that wiki (not on all wikis). By using it, users are able to:

Determine from which IPs a user has edited or done a logged action or password reset on the Wikimedia wiki;
Determine the edits, logged actions and password resets on the Wikimedia wiki of a specific IP (even when logged in);
Determine whether the user being checked has sent an email using MediaWiki interface to some other user. The time of the event is logged, the destination email address and user ID are obscured.

This information is only stored for a short period (currently 3 months), so edits made prior to that will not be shown via CheckUser. A log is kept of who has made which queries with the tool. This log is available to those with the checkuser-log permission:

20:08, 22 August 2015 CheckUser got IP addresses for Example (talk | contribs | block) (a very good reason for looking at their IPs)
20:08, 22 August 2015 CheckUser got users for 127.0.0.1 (another good reason)

See Help:CheckUser for the user manual.

So what is that about? Why have the feature at all if the destination email and user ID are obscured? Why doesn't it say that the sender's email is obscured, if it is? Should we assume that the checkuser implementation on Meta is configured differently with this bonus feature, and that English and the others don't have it?

Poetlister thinks the text may be sloppily worded, but it's clearly referring to *something*.

[MMAR]

Confirmation bias runs amok in the interpretation of checkuser data; typically the checkuser has already decided whether or not the person is a sock, and will find evidence in the actual checkuser data output that confirms their original decision, whether or not such evidence is actually there.

This sounds about right to me. Wikipediots are suckers for confirmation bias, that much is obvious after just a few days browsing on AN/I.

I think I already know the answer, but has there ever been any actual research, WMF sponsored or otherwise, into what the actual false positive rate of these people actually is. Factoring in of course that you're only going to know for sure that a mistake was made in a tiny number of cases - discerning the true rate will require an informed adjustment.

[Poetlister]

...and what someone (probably SlimVirgin) dubbed "sophisticated linguistic skills".

Wasn't that Durova?

I very much doubt it. Can anyone else recall the phrase? Is anyone on good enough terms with SV to ask her?

[MysteriousStranger]

Confirmation bias runs amok in the interpretation of checkuser data; typically the checkuser has already decided whether or not the person is a sock, and will find evidence in the actual checkuser data output that confirms their original decision, whether or not such evidence is actually there.

This sounds about right to me. Wikipediots are suckers for confirmation bias, that much is obvious after just a few days browsing on AN/I.

I think I already know the answer, but has there ever been any actual research, WMF sponsored or otherwise, into what the actual false positive rate of these people actually is. Factoring in of course that you're only going to know for sure that a mistake was made in a tiny number of cases - discerning the true rate will require an informed adjustment.

How would one define "false positive," anyway? I mean, in the case of mine, I'm sure the other accounts were using the same network and maybe even the same IP address, but they still weren't me. Would that be a false positive? Or are we just talking false technical data, like saying two addresses are related when they aren't? The workings of CU are so shrouded in secrecy by the WMF that I'm not really sure what's being discussed here.

[MMAR]

Confirmation bias runs amok in the interpretation of checkuser data; typically the checkuser has already decided whether or not the person is a sock, and will find evidence in the actual checkuser data output that confirms their original decision, whether or not such evidence is actually there.

This sounds about right to me. Wikipediots are suckers for confirmation bias, that much is obvious after just a few days browsing on AN/I.

I think I already know the answer, but has there ever been any actual research, WMF sponsored or otherwise, into what the actual false positive rate of these people actually is. Factoring in of course that you're only going to know for sure that a mistake was made in a tiny number of cases - discerning the true rate will require an informed adjustment.

How would one define "false positive," anyway? I mean, in the case of mine, I'm sure the other accounts were using the same network and maybe even the same IP address, but they still weren't me. Would that be a false positive? Or are we just talking false technical data, like saying two addresses are related when they aren't? The workings of CU are so shrouded in secrecy by the WMF that I'm not really sure what's being discussed here.

Any failure. It hardly matters why they made the mistake, the issue is, is anyone tracking how often it happens....

[thekohser]

...and what someone (probably SlimVirgin) dubbed "sophisticated linguistic skills".

Wasn't that Durova?

I very much doubt it. Can anyone else recall the phrase? Is anyone on good enough terms with SV to ask her?

I was thinking of this from Durova's pen:

Wikisleuthing

It's kind of like solving detective mysteries, the sort of volunteer work I do. I'll speak candidly about some things I've learned while I've made over 19,000 edits at this site—things I've wanted to say to a lot of the people I've wound up blocking or banning. I've kept quiet until now because these words could get misinterpreted if I wrote them in the wrong context, so I'm setting this out in essay form.

If you're getting ideas to bend Wikipedia to your own purposes then you are almost certainly devising plots that I have read many times before. And if you follow through on those ideas you will leave a trail of mistakes that is very familiar to a wikisleuth. Plenty of users before you thought the same tricks would be foolproof. People like me foil those plots all the time. We even have our own slang for the tactics. Attempts to manipulate this site rarely stay in the live version very long, but those edits do get archived in site histories. That should make you stop and think. Some people who've tried to exploit this site have ended up very sorry that they acted rashly.

I may be confusing the "linguistic" aspect of her block of User:!! based in part on his use of the German language as "proof" that he was a "ripened sock".

Whatever. I'm sure Poetlister will find a way to belittle my clarification.

[Triptych]

I was thinking of this from Durova's pen:

Wikisleuthing

It's kind of like solving detective mysteries, the sort of volunteer work I do. I'll speak candidly about some things I've learned while I've made over 19,000 edits at this site—things I've wanted to say to a lot of the people I've wound up blocking or banning. I've kept quiet until now because these words could get misinterpreted if I wrote them in the wrong context, so I'm setting this out in essay form.

If you're getting ideas to bend Wikipedia to your own purposes then you are almost certainly devising plots that I have read many times before. And if you follow through on those ideas you will leave a trail of mistakes that is very familiar to a wikisleuth. Plenty of users before you thought the same tricks would be foolproof. People like me foil those plots all the time. We even have our own slang for the tactics. Attempts to manipulate this site rarely stay in the live version very long, but those edits do get archived in site histories. That should make you stop and think. Some people who've tried to exploit this site have ended up very sorry that they acted rashly.

I may be confusing the "linguistic" aspect of her block of User:!! based in part on his use of the German language as "proof" that he was a "ripened sock".

Whatever. I'm sure Poetlister will find a way to belittle my clarification.

Ah this is an old one in which Wikipedia Review peripherally factored. Durova's justifications were a more verbose version of SBJ's recent comment here that administrative action is reasonably taken based on the "gut feeling and good judgement" presumably possessed by each Wikipedia administrator. "Not the facts, Ma'am," as Joe Friday would always not say.

The Register did an okay writeup on it (http://www.theregister.co.uk/Print/2007 ... t_mailing/) ut I'll quote parts:

In banning this account, Durova described it as an "abusive sock puppet," insisting it was setup by someone dead set on destroying the encyclopedia. "This problem editor is a troublemaker whose username is two exclamation points with no letters," read the block. "He is a ripened sock with a padded history of redirects, minor edits, and some DYK work. He also indulges in obscene trolling in German, and free range sarcasm and troublemaking. If you find this user gloating, or spot his nasty side, hit him with the banhammer."

But a bunch of editors said !! (written by some as "Bang Bang") was actually a great editor. Durova had attempted to preempt any examination of whatever her reasoning was by saying only Arbcom was virtuous and intelligent enough to understand the deep analysis she claimed to have used:

"Due to the nature of this investigation, our normal open discussion isn't really feasible," she said. "Please take to arbitration if you disagree with this decision." "I am very confident my research will stand up to scrutiny," she said. "I am equally confident that anything I say here will be parsed rather closely by some disruptive banned sockpuppeteers. If I open the door a little bit it'll become a wedge issue as people ask for more information, and then some rather deep research techniques would be in jeopardy."

But then evidently (I haven't seen the email she sent on the until-then secret mailing list she and some other administrators were using, anyone?) came the big reveal: Durova had described her "deep analysis" on this mailing list and it was a big suspicion-filled big baloney sandwich that anyone with half a brain could quickly critique and take apart as no evidence at all. So the reason Durova sought to keep it in secretive channels is because she wanted a receptive audience of others that thought like her (and SBJ). In the email, says The Register, she alleged that Bang Bang's *good editing* was the telltale sign of sockpuppetry, that Bang Bang was thus clearly a mole sent by Wikipedia Review to gain influence and then destroy Wikipedia from within.

One more bit from The Register's story:

Wales and the Wikimedia Foudation came down hard on the editor who leaked Durova's email. After it was posted to the public forum, the email was promptly "oversighted" - i.e. permanently removed. Then this rogue editor posted it to his personal talk page, and a Wikimedia Foundation member not only oversighted the email again, but temporarily banned the editor.

Then Jimbo swooped in with a personal rebuke. "You have caused too much harm to justify us putting up with this kind of behavior much longer," he told the editor.

[Wonderer]

How would one define "false positive," anyway? I mean, in the case of mine, I'm sure the other accounts were using the same network and maybe even the same IP address, but they still weren't me. Would that be a false positive? Or are we just talking false technical data, like saying two addresses are related when they aren't? The workings of CU are so shrouded in secrecy by the WMF that I'm not really sure what's being discussed here.

A normal person would define a false positive more or less like what you have described. But for most CheckUsers on Wikipedia, the definition of false positive probably changes as is convenient.

For example, suppose CheckUser A and CheckUser B are great friends who always back each other up in any dispute that arises. Then a case comes up that threatens to reveal that CheckUser A has a massive sock army. CheckUser B now understands how he was able to win so many arguments. Now CheckUser B is torn between a moral duty to expose CheckUser A's fraud and a desire to retain a powerful ally. In the end, CheckUser B will probably declare all of CheckUser A's socks to be false positives.

Here's another hypothetical for you to chew on: suppose that at Texas A & M, every single computer on the campus network has been used to access Wikipedia. But most of these accesses are students uncritically accepting what Wikipedia says, even when it contradicts their textbooks, their professors and their own class notes.

Once in a while, a student edits just to see whether Wikipedia really is editable by anyone. His vandalism is quickly reverted and soon forgotten. There is also the occasional professor who tries to correct one thing Wikipedia gets wrong in his area of expertise but soon learns the lesson that his expertise is not wanted on Wikipedia.

Suppose there are only three students at Texas A & M who use Texas A & M computers for actively editing Wikipedia on a regular basis, and further suppose that each of these three have socks with Texas A & M in common but each of them also has socks that they operate from other networks, careful to keep them separate (e.g., Hank Jr. uses different socks from Texas A & M than he does on the off-campus Starbucks WiFi).

To bring this hypothetical scenario to a rousing conclusion, Hank gets into a big argument with a Wikipedia admin who considers Star Trek: Enterprise to be apocryphal (or whatever other issue you like that's unlikely to have real life impact on anyone). Guess what, the Wikipedia admin has CheckUser power. Next thing you know, Hank has lost all his Texas A & M sockpuppets.

But the two other students who actively edit Wikipedia, whom Hank has probably seen on campus, unaware of their commonality with him, have now also lost their Texas A & M sockpuppets. Are those false positives according to a normal person? Meanwhile, Hank can still use his Starbucks sockpuppets, provided he resists the temptation to use them in the big Enterprise canon-or-not brouhaha.

[Poetlister]

Certainly, Piperdown referred to linguistic analysis skills on 11th September 2007. The context looks as if he's joking about SV, though it's not conclusive.

"Crum375 is 99.9% likely not SlimVirgin (although they are tied at the watch page hip by batsignal) based on my keen linguistic analysis skilz."

http://wikipediareview.com/index.php?sh ... entry49415

Then there's this post from Daniel Brandt on 17th October 2007:

"Any "linguistic analysis" experts may find the 59,002-line edit summary file I compiled a couple months ago useful. ... With all that tidying, you'd think that SlimVirgin would be all washed up by now."

http://wikipediareview.com/index.php?sh ... entry54934

And finally, here's Piperdown again on 2nd November 2007:

"i did some cunning linguistic analysis (after paying homage to the Slim Virgin by facing my prayer rug towards Bumfuck, Canada and chanting "The Jimbo, the jayjg, and the slim virgin" 3 times."

http://wikipediareview.com/index.php?sh ... entry57781

[Zoloft]

Certainly, Piperdown referred to linguistic analysis skills on 11th September 2007. The context looks as if he's joking about SV, though it's not conclusive.

"Crum375 is 99.9% likely not SlimVirgin (although they are tied at the watch page hip by batsignal) based on my keen linguistic analysis skilz."

http://wikipediareview.com/index.php?sh ... entry49415

Then there's this post from Daniel Brandt on 17th October 2007:

"Any "linguistic analysis" experts may find the 59,002-line edit summary file I compiled a couple months ago useful. ... With all that tidying, you'd think that SlimVirgin would be all washed up by now."

http://wikipediareview.com/index.php?sh ... entry54934

And finally, here's Piperdown again on 2nd November 2007:

"i did some cunning linguistic analysis (after paying homage to the Slim Virgin by facing my prayer rug towards Bumfuck, Canada and chanting "The Jimbo, the jayjg, and the slim virgin" 3 times."

http://wikipediareview.com/index.php?sh ... entry57781

... cunning linguistic analysis ...

I'd say that's conclusive, really.

[Poetlister]

Yes, two people seem to be using the phrase "linguistic analysis" in a way that links it to SV. Durova uses neither word in the quoted essay, let alone that phrase.

https://en.wikipedia.org/wiki/User:Durova/The_dark_side