How effective is checkuser? Options

[Ather]

If I wanted to run several accounts how likely is checkuser to pick me up? If I changed my IP each time I logged on how would they trap me? How long to they log IP addresses for? Do they keep a permanent record of my account creation IP? Do they record me logging on but not editing? What other info do they store and for how long? All this info is needed purely for research purposes

[anthony]

If I wanted to run several accounts how likely is checkuser to pick me up? If I changed my IP each time I logged on how would they trap me? How long to they log IP addresses for? Do they keep a permanent record of my account creation IP? Do they record me logging on but not editing? What other info do they store and for how long? All this info is needed purely for research purposes

I wouldn't count on any information you receive here about checkuser to be accurate. The checkusers have lied in the past about what sorts of checks they have done, who they have checked, how long they were storing results, etc.

[Krimpet]

I wouldn't count on any information you receive here about checkuser to be accurate. The checkusers have lied in the past about what sorts of checks they have done, who they have checked, how long they were storing results, etc.

Well, the actual code running on the servers is open to inspection, so the actual capabilities are a matter of public record.

The changelogs to the CheckUser extension are an interesting read. For example, an enwiki checkuser (Voice of All (T-C-L-K-R-D) ) tried in mid-2008 to quietly increase the retention time from three months (what it is currently) to five months, only to be overridden later by the WMF's Tim Starling with the sharply worded:

Revert change to $wgCUDMaxAge. If you want such a policy change, have an open discussion about it, don't get together with some troll-hunting mates on a private mailing list and make your own rules.

Earlier that year, VoiceOfAll was also very eager to add a pen register for e-mails sent through the Special:Emailuser interface - his first attempt at the feature was overruled by Brion Vibber with the reasoning:

Disable email logging for now -- violates our present privacy policy by logging information that we currently say is kept private (email addresses) as well as information we don't mention but which feel very creepy to log for checkuser view (subject line of mails and times and targets of private mails)

The feature was eventually greenlighted only after it was modified to not record subject lines, and to hash usernames in a way only sysadmins with database access could decipher.

[Peter Damian]

If I wanted to run several accounts how likely is checkuser to pick me up? If I changed my IP each time I logged on how would they trap me? How long to they log IP addresses for? Do they keep a permanent record of my account creation IP? Do they record me logging on but not editing? What other info do they store and for how long? All this info is needed purely for research purposes

There was an anecdotal view when this was discussed here last year that only the IP when the account was created is stored. For this reason, it may be wise to wait for your IP to change before you create any second (or nth) account.

The other received view, which is definitely correct, is that checkusers look at behaviour rather than anything else. Thus if you create a second account to continue an argument, or an editing sequence begun by another account, particularly if it seems abusive or controversial, and you are very likely to get picked up.

Well, the actual code running on the servers is open to inspection, so the actual capabilities are a matter of public record.

I looked at some of this code and it is pretty impenetrable (being code). Could someone with more expertise be able to say what it is doing?

[dogbiscuit]

I looked at some of this code and it is pretty impenetrable (being code). Could someone with more expertise be able to say what it is doing?

A quick skim through it and it seems that it is not doing anything special.

In simple terms, the IP and user are stored in the Wikipedia DB. The check user finds:

User ids for IPs
IPs for user IDs
Edit counts for IPs and users
Block logs and other such info

and presents this. It is then up to the operator to ponder the data and see what conclusions to draw.

The screens appear to have some useful queries to help investigate deeper, but in simple terms, all that lives in behind the magic incantation Check User is the fact that Wikipedia stores the user id and IP address.

For some reason Wikipedians get hyper-excited about Wikipedia recording IPs when just about every web site in the world does it as part of its basic funtionality.

[Herschelkrustofsky]

Keep in mind that checkuser is frequently used to provide a fig leaf of credibility for bans that are done on the basis of suppressing an incorrect POV. It doesn't have to identify your IP number as identical to that of another user (although that would be a slam dunk,) it merely has to make a plausible connection, geographic or otherwise.

[Kelly Martin]

It's my understanding that checkuser now also captures your browser identification string, which can be pretty distinctive. However, interpreting the data that checkuser provides requires a good deal of knowledge about how the Internet is structured, and my experience is that very few of the holders of the checkuser privilege actually have that knowledge. It's my conclusion that they're making it up as they go along, and that means expectation bias plays a large role in the outcome of any investigation.

[dogbiscuit]

It's my understanding that checkuser now also captures your browser identification string, which can be pretty distinctive. However, interpreting the data that checkuser provides requires a good deal of knowledge about how the Internet is structured, and my experience is that very few of the holders of the checkuser privilege actually have that knowledge. It's my conclusion that they're making it up as they go along, and that means expectation bias plays a large role in the outcome of any investigation.

Or rather the Wikipedia database captures the browser string. The point to be rammed home is, as you say, that there is no black magic in the CheckUser tools - they simply present captured information (and as far as I am aware - which isn't very - there have been no significant database modifications to enable sooker-sekret-sloothing) and it is up to people to divine the entrails so presented.

There are certain divinations which are appropriate and obvious - others that are purely speculative. There is nothing better for discovering socks than a mistaken edit. The biggest hindrance to check users is the principle that it is either uncivil our outing to even request a check so half the time it relies on who you know to get a check.

[gomi]

This site shows you in a readable way what your browser string and other "checkuser" information looks like. It leaves out one string, "referrer", which is what page you came from, which CU also includes, and a few HTTP headers like XFF (forwarded-for, which identifies proxies). Here is one that shows all the headers, but doesn't break out the browser string pieces. There are a million of these around the web.

This page documents the interface adequately.

The only open question is whether they retain the user creation IP forever. I think they do, but don't have any proof in the code, because I can't be bothered to go look at it.

Note also that nothing in Wikipedia's checkuser data retention policy will help you if a CU wants to salt away results in a file on his or her computer for months or years. Other than that, it would appear that CU data on en.wp is retained for 90-120 days.

There are Firefox add-ons for changing your browser string and your referrer. If you're going to sock, then use them.

[Krimpet]

It's my understanding that checkuser now also captures your browser identification string, which can be pretty distinctive. However, interpreting the data that checkuser provides requires a good deal of knowledge about how the Internet is structured, and my experience is that very few of the holders of the checkuser privilege actually have that knowledge. It's my conclusion that they're making it up as they go along, and that means expectation bias plays a large role in the outcome of any investigation.

User-agent identification has been there for a pretty long time, at least since 2007. It is of course easily spoofable; some pranksters knowing they're going to be checked have left secret messages in their string for that reason.

I think the average competence of the checkusers has risen considerably since they started appointing or electing non-arbs to the position - it was much worse when all of the checkusers were arbs or former arbs, since the technical know-how to read and interpret the data doesn't exactly overlap with the mediation skills the arbs are selected for.

[gomi]

... since the technical know-how to read and interpret the data doesn't exactly overlap with the mediation skills the arbs are selected for.

[Krimpet]

... since the technical know-how to read and interpret the data doesn't exactly overlap with the mediation skills the arbs are selected for.

I'm talking in theoretical terms, here.

For some reason Wikipedians get hyper-excited about Wikipedia recording IPs when just about every web site in the world does it as part of its basic funtionality.

Funny thing is, just about every other wiki software package in wide use other than MediaWiki displays the hostname and IP address of logged-in users, including the UseModWiki software Wikipedia originally ran on. Apparently a conscious design decision was made in the development of what's now MediaWiki to start keeping hostnames private; kind of silly in my opinion.

This post has been edited by Krimpet: Thu 31st December 2009, 5:41pm

[John Limey]

If I wanted to run several accounts how likely is checkuser to pick me up? If I changed my IP each time I logged on how would they trap me? How long to they log IP addresses for? Do they keep a permanent record of my account creation IP? Do they record me logging on but not editing? What other info do they store and for how long? All this info is needed purely for research purposes

If you change IPs every time, you'll be fine, depending on what you mean by change. If that just means rebooting your router every time you log on such that you get a different IP out of the pool, then after long enough it won't take that great a jump to connect the accounts if they're subjected to scrutiny. It's important to remember that check user isn't like the justice system and "beyond a reasonable doubt" is not the standard of proof.

The more different your IPs are, the better. If you use one account at home and another at a coffee shop down the block, that's much stronger. The CU will still reveal that you're operating in the same general area, and thus if there's enough suspicion (justified or not) that you're socking, you'll probably still get nailed. The further apart the IPs you use are, the better. For quite a while, I used one sock at my home in the suburbs and another at my office downtown (in a major American city). In such a situation, it becomes very difficult to argue that the accounts are the same on the basis of the CU evidence, but you know "living in England in a very similar way" still happens.

Thus, it's even better to use one account at home, and one on the road. I believe, based on my own experience, that the IP you create an account from is stored forever. So, if you're on vacation far from home and there's wifi, use the opportunity to create a new sock. If you're far enough away (e.g., different countries) then the CU evidence might even be sufficient to clear you of socking despite overwhelming similarities in edit patterns, etc. (but of course it might not). If you travel regularly to somewhere (back home to visit family, a frequent business trip) create an account that you only use there.

Proxies are also your friend. Wikipedia does a pretty job of blocking them, but if you work at it, you can stay ahead of them. Check to see if the proxy's blocked before using it, then go ahead. Depending on how much effort you're willing to put in, you can create several account completely unconnected to your socking purpose and use them through the proxy to provide yourself with some cover.

There are many other best practices: Use different browsers for different accounts (it's a small thing, but it can matter on the margins), try to be active at different times of day on different accounts (this is a double edged sword, but it can work for you), lie low if they start to come after you, come up with plausible explanations for strange behavior and put them forward before anyone comes asking questions, don't draw attention to yourself, etc.

At the end of the day, though, socks are caught on the basis of behavior not IP address data, etc. So just follow some basic common sense practices. First of all, it's important to create socks BEFORE you need them. If you create the account 3 months before the AfD, RfA, POV-dispute, etc. that you're trying to influence, and make 200 or 300 edits, then you won't attract scrutiny the way you would with an account started the day of the debate. The deeper the cover for each sock account the better. If they don't look at all like socks, you'll never suffer from a CU anyway, and two accounts that don't look like socks can get away with IP addresses in the same region, while two accounts that look like socks might not. In general, a sock is more valuable anyway if it has a longer editing history and more wiki friends.

Avoid dead giveaways of socking. Don't edit your monobook, show up at AfD (unless you write an article that gets nominated), show up at RfA, or show up at ANI (unless you're being discussed) for 200 edits. For the first 50-100 edits, don't use edit summaries and stay away from talk pages. If you do end up on a talk page, don't sign your first few posts. Make some mistakes with the markup in your first few edits, and don't use templates for at least 100 edits. Don't cite any policies for quite a while.

It's also important to make it look like you have a reason for where you're editing. If you want to eventually win an AfD, starting gradually involving your socks in AfD. It's often a good idea to have an account start an article that you know will end up at AfD, then you have an obvious reason for being there to begin with. If you want to win a POV-war, it'll often take a mix of socks and it can be helpful to have some that seem neutral, but it's suspicious if you create an account, fix 70 spelling mistakes, and then get involved in a full-on edit war.

In closing, as I've gone on for a while now, remember that the checkusers are pretty much just regular people with an average amount of common sense, and an above-average involvement in wiki-politics. When socking, just think to yourself, "if I were an outside observer, would I connect these two accounts?"

[anthony]

For some reason Wikipedians get hyper-excited about Wikipedia recording IPs when just about every web site in the world does it as part of its basic funtionality.

Funny thing is, just about every other wiki software package in wide use other than MediaWiki displays the hostname and IP address of logged-in users, including the UseModWiki software Wikipedia originally ran on. Apparently a conscious design decision was made in the development of what's now MediaWiki to start keeping hostnames private; kind of silly in my opinion.

Good point. I think anonymity was only a side-effect of the original wikis. The intended design principle was "we aren't going to put you through the hassle of signing up", not "we're going to let you sign up 100 times under 100 different pseudonyms". IIRC, the original software didn't even have logins. You were expected to sign your name, but the only guard against signing someone else's name was that the first three parts of your IP were in the history for everyone to see (e.g. 192.168.88.xxx). One funny thing is that nowadays you can't even edit this way without getting yelled at by a bunch of admins who want you to sign your posts with ~~~~ instead of with "- Your Name" (they've even got a bot which adds those stupid "unsigned post by #.#.#.#" messages).

I can understand why they got rid of the feature of including the IP addresses in the history (since it generally reveals your location), but in hindsight at that point they probably should have instituted some sort of "one username per person" policy, and given themselves at least a rough method of enforcing it (like an email address which could be passively checked after-the-fact or something).

[Jon Awbrey]

The only thing you need to know about Checkuser is the only thing you need to know about everything else Wikipedian, to wit, or not —

Wikipediots do not give a Φlying Φuck about the truth.

Jon von Bonn

[MZMcBride]

I wrote a guide to socking, but it was deleted from Wikipedia. The text of it:

CODE

So you want to [[WP:SOCK|sock]] and not get caught? Well, it's not exactly easy, but there are definitely some things that can make it easier. The following are some tips for socking well.

== Become familiar with the tracking tools ==
Since you'll likely be socking on a MediaWiki wiki, all of the documentation and source code of the extensions used by the software is publicly available. Read the page about the [[mw:Extension:CheckUser|CheckUser extension]] and browse its [[svn:trunk/extensions/CheckUser|source code]] if you know PHP decently.

Also, it's important to understand Wikimedia's configuration of the extension. The data available to CheckUser is only stored for 90 days. After that, it gets deleted.

== Use different browsers ==
This is one of the easiest ways to sock. The greater the chance you can reduce human error, the better. Instead of having to remember to log in and log out, each browser stores your separate session. Protip: you can tint backgrounds of edit textareas to distinguish them (slight reddish color for alt account, slight blueish color for master account, e.g.).

== Use a shell account ==
Using [[SSH]] or a [[VPN]], use a shell account to proxy. This masks your actual IP address and instead assigns you whichever IP you're proxying through.

Shell accounts can be purchased (from a web hosting provider) or most schools and offices have publicly available VPNs.

However, be warned that some proxies retain XFF headers (see below for more) and others don't. You'll likely need to spoof your headers to be safe.

== Alter your headers ==
When a CheckUser checks your account, they can get header information that looks something like this:
<blockquote>
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_2; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
</blockquote>
You need to spoof this info if you'll be using the same computer or browser to sock.

=== XFF ===
[[X-Forwarded-For|XFF]] headers reveal information about your originating IP address. As mentioned above, your proxy may strip the XFF headers, however this isn't guaranteed. Generally speaking, spoofing XFF headers is pointless.

=== User agent ===
[[User agent]] headers are easily spoofed. These reveal the browser you're using. If you're using two separate browsers as suggested above, it's probably still a good idea to spoof the user agent string as it always includes operating system information.

== Alter your behavior ==
This is one of the most important steps to not get caught socking.

=== Time zones ===
It's trivial to map someone's contributions throughout the data. And sock trackers regularly use this tactic to spot patterns between accounts. Edit at different time zones with different accounts. Direct overlap between two accounts ''always'' looks suspicious.

=== Content areas ===
This is rather trivial to understand, yet many people get caught this way. To effectively sock, you have to edit in different areas than your master account. If your master account is involved in every bot discussion, your sock ''should not'' be. While it may be helpful to comment occasionally on bot discussions using your sock account to throw people off, you should avoid similar content areas.

It's equally important to avoid similar types of edits. If you're the master of fixing references, make your sock the master of writing content or the master of typo fixes. Don't have your two accounts making the same type of edits.

=== Edit summaries ===
This is another easy way to get caught. If you ''always'' edit using edit summaries, make sure your alt account does not. Also, make sure you use different types of edit summaries. For example, for a standard reply, many users use "+reply", "re", "r", or "reply". Some even copy and paste part of the message in the edit summary box. Whichever way you choose, be sure to not do the same thing on your alt account.

=== Writing style ===
This is very important if you make a lot of 'public' comments (comments on various noticeboards and talk pages). One obscure word used by both accounts and people could start to ask questions. If you're a poor speller, have one of your accounts use Firefox's spelling checker. If you always spell you as 'u,' well, you shouldn't do that for any reason. But if you do anyway, make sure your other account doesn't do the same thing. Writing style can quickly give away a user's true identity.

== Talk with yourself ==
This is an incredibly tricky tactic that can easily backfire, but if done effectively, it can make it seem very, very implausible that the two accounts are connected. This should be done rarely, if at all. The occasional talk page comment to your alt account or point something out to them. Do not give them awards or constantly praise their work. That quickly raises suspicions, especially after a recent incident on the English Wikipedia.

== Avoid double voting in major elections ==
Every user who votes for Board officials or for stewards is CheckUsered. Don't double vote in major elections unless you're sure that your IP information and XFF headers won't reveal a direct similarity.

== Act your age ==
New accounts don't know about noticeboards. They don't usually even know about namespaces. Remember that when someone is examining your contributions history, a normal account always shows a predictable evolution. Be sure to keep this in mind when using your alt account. Sure, you can try to excuse your behavior with claims that you edited anonymously for years or whatever, but it's a whole lot easier to simply edit linearly (using edit summaries more often as time passes, exploring other namespaces, getting involved with the administrative side of things, etc.).

However, as a caveat, do not try to act like a completely new user. Blatant mistakes and downright stupidity will just get more attention focused on you. Play it cool and you'll have no issues.

[Peter Damian]

The only open question is whether they retain the user creation IP forever. I think they do, but don't have any proof in the code, because I can't be bothered to go look at it.

This is the question, which has been raised a number of times in this thread.

[anthony]

The only open question is whether they retain the user creation IP forever. I think they do, but don't have any proof in the code, because I can't be bothered to go look at it.

This is the question, which has been raised a number of times in this thread.

Really? Where's the database schema? I'm pretty sure there's a field there for exactly that piece of information (*).

There are plenty of other open questions, though. For one thing, checkuser isn't the the only place IP addresses are stored. They're also in the server logs, and last time I checked the privacy policy was ambiguous about how long those are kept (and, in fact, a request to clarify it was met with something to the effect of "we don't want to help miscreants by releasing that information").

Also, even if they don't retain IP addresses automatically, checkusers still have the ability to retain them privately.

In the end, I think it's safer to just assume that your IP address is known.

(*) Hmm, it doesn't look like it is. Now that I think about it I thought it was in the logs somewhere, but I don't see it there either. I guess it's stored in cu_changes. Not sure when it's deleted from there.

This post has been edited by anthony: Thu 31st December 2009, 8:45pm

[Ather]

Hey guys, thanks for all the good advice. Some of it is common sense, such as evolving the experience levels of your sock accounts, using differing writing styles on Talk pages and so on, but there's some stuff been suggested that is definitely best practice and that I hadn't thought too much about - talking to yourself, for example (being very careful with this one). I always take the opportunity to create a new sock (I currently have quite a substantial portfolio of sleepers) when I'm away from home using a different IP provider, but I do tend to use the same laptop, so I'll have to watch that one. I would have thought they do retain the creation IP address, but I guess it's pretty much useless information, expecially when dealing with accomplished sockers. Thanks again.

Another quick thought - might a long lag time between sock creation and first edit raise any suspicions?

[MZMcBride]

Really? Where's the database schema? I'm pretty sure there's a field there for exactly that piece of information.

The database schema is here, I think. "cu_log.sql" (the other .sql file) is for "Special:CheckUser/Log", the log of CheckUser actions.

There are plenty of other open questions, though. For one thing, checkuser isn't the the only place IP addresses are stored. They're also in the server logs, and last time I checked the privacy policy was ambiguous about how long those are kept (and, in fact, a request to clarify it was met with something to the effect of "we don't want to help miscreants by releasing that information").

Wikimedia gets about 100,000 requests a second. And something like 99% are views, not edits. Needles and haystacks come to mind. And I think even if they wanted to retain all of that information, they wouldn't have sufficient space. I also think some of this is addressed in the privacy policy directly. Too lazy to look, though.

Also, even if they don't retain IP addresses automatically, checkusers still have the ability to retain them privately.

In the end, I think it's safer to just assume that your IP address is known.

Yes.