Effectiveness of checkuser Options

[Peter Damian]

I'm working on a document that is a detailed and point by point comment on WMUK's submission to the charity commission, July and September 2011. Note this is not public yet, as 'dogbiscuit' got access to a copy privately via FOI. The document (which I strongly believe was written by our friend 'Fae') contains many misleading or downright inaccurate claims.

Section 13.3.8 of the submission says ""There is also “CheckUser” software that enables a small number of selected and vetted volunteers to establish, in many cases, whether two editors are from the same ISP, and often where that ISP is located. This information is mostly used to detect blocked editors who try to return under a different account name. "

My experience of checkuser is that it is almost completely ineffective as a control over determined, intelligent users, and that evaders are usually caught out by stupidity or carelessness, rather than by the software itself. Examples are the easily availability of dynamic IPs (such as my own service provider, who kindly change my IP daily), the availability of 'hot spots' (public wifi networks), internet cafes, use of proxies.

Any other ideas to contribute to this section? I would be particularly interested in narratives or stories from experienced evaders.

As always, my email is edward at logicmuseum.com.

This post has been edited by Peter Damian:

[Kelly Martin]

Indeed, I would argue that checkuser is actually overused and misused more often than not. In fact, its main use (other than to identify and interdict serial vandals, a purpose that really cannot be argued as anything other than legitimate) is to identify and punish those who attempt to game its internal political system. This is of no concern to the UKCC; the UKCC is not particularly interested in, nor charged with resolving, internal political disputes within the charities it regulates. Only when such disputes are so endemically severe that they threaten the ability of the charity to effectively self-regulate does the UKCC have an interest.

[SB_Johnny]

Indeed, I would argue that checkuser is actually overused and misused more often than not. In fact, its main use (other than to identify and interdict serial vandals, a purpose that really cannot be argued as anything other than legitimate) is to identify and punish those who attempt to game its internal political system. This is of no concern to the UKCC; the UKCC is not particularly interested in, nor charged with resolving, internal political disputes within the charities it regulates. Only when such disputes are so endemically severe that they threaten the ability of the charity to effectively self-regulate does the UKCC have an interest.

Yup. I was a CU on 3 projects (a bit after Kelly's time), and this is right on the money, more or less. Aside from the WP CUs (who use it politically), most of the "other project" CUs are just trying to be helpful and chase down the grawpy types. Poet-horde-dude being the obvious exception, of course.

[No one of consequence]

Aside from the WP CUs (who use it politically), most of the "other project" CUs are just trying to be helpful and chase down the grawpy types. Poet-horde-dude being the obvious exception, of course.

For what it's worth, when I was active, I only found 2 (or maybe three) cases of WP checkusers using it "politically" and I came down pretty hard on both of them. One is no longer a CU, and I don't care enough any more to check the other one. (This was one of the things I was specifically concerned about when I wrote the essay that led to the audit committee. Of course, after two years, I expect the audit committee, if it even still exists, is as bogged down and useless as the rest of the bureaucracy.)

[TungstenCarbide]

Aside from the WP CUs (who use it politically), most of the "other project" CUs are just trying to be helpful and chase down the grawpy types. Poet-horde-dude being the obvious exception, of course.

For what it's worth, when I was active, I only found 2 (or maybe three) cases of WP checkusers using it "politically" and I came down pretty hard on both of them. One is no longer a CU, and I don't care enough any more to check the other one. (This was one of the things I was specifically concerned about when I wrote the essay that led to the audit committee. Of course, after two years, I expect the audit committee, if it even still exists, is as bogged down and useless as the rest of the bureaucracy.)

Does checkuser compare password hashes? (i'm assuming it does)

Here are the current checkusers; http://en.wikipedia.org/wiki/Special:ListUsers/checkuser

Jclemens and Versageek don't have a creation date for their account in this listing. wonder what's wrong with the database.

Most checkusers don't create content, they just engage in mmorpg.

For what it's worth, when I was active, I only found 2 (or maybe three) cases of WP checkusers using it "politically" and I came down pretty hard on both of them.

When checkuser is run on an established editor, that editor should get a banner, like the yellow talk page message. That would eliminate spurious uses, since the checkuser knows they'd have to answer for themselves.



This post has been edited by TungstenCarbide:

[Kelly Martin]

Does checkuser compare password hashes? (i'm assuming it does)

No, that requires database access.

Jclemens and Versageek don't have a creation date for their account in this listing. wonder what's wrong with the database.

That means their accounts were created before the modification that added creation date data to user records. Sometime in late 2004, if I recall correctly, although some accounts created after that date also lack creation dates, for reasons that I'm not clear about. In some cases, the creation date shown is actually the time of the account's first edit, not the time the account was actually created.

[TungstenCarbide]

Does checkuser compare password hashes? (i'm assuming it does)

No, that requires database access.

I've enjoyed probing cu's capability on occasion. In several cases the only 'technical' similarity between the accounts was the password, everything else was different - computer, browser, isp or tor, location ... but the checkuser report matched the accounts with a 'likely, based on technical evidence'. I'm starting to suspect they lied. The accounts were obviously the same user, based on behavior, I made sure it was obvious.

Interestingly, the list of my "suspected" sockpuppets is more accurate than the list of "confirmed" sockpuppets, with one error vs. two.

This post has been edited by TungstenCarbide:

[TungstenCarbide]

Interestingly, the list of my "suspected" sockpuppets is more accurate than the list of "confirmed" sockpuppets, with one error vs. two.

Considering that most of my accounts have "TungstenCarbide" in the name, and that I generally take no measures to mask my identity from cu (unless probing cu's capabilities), it's surprising the number of mistakes made. Wikipedia's sockpuppet identification machinery isn't very good. False positives probably drive away a lot of new editors who feel like they've been slapped in the face.