Overview
The Nuke extension enables administrators to delete all pages created in the last 30 days* by a specified user or IP address.
With the move to IP Masking, a straight transition of functionality in the Nuke extension would simply replace 'IP address' with 'temporary account'. This may, however, be a substantial downgrade in functionality, if users expect to be able to mass-delete pages created from an IP address across multiple temporary accounts. There are a number of open questions about whether a straight transition to temporary accounts is sufficient, or if additional work is required here to maintain expected functionality.
The core question we need to answer is: Do we need to implement a feature in Nuke whereby administrators can delete pages created by multiple temporary accounts which used the same IP address?
*30 days is the Wikimedia production default length of time that revisions are stored in the recentchanges table, which this extension uses.
Temporary accounts
When a temporary account is created for a user, a one-year cookie is created, during which time their contributions will be associated with this temporary account. Clearing the cookie will give the user a new temporary account on their next edit. Changing IP address will not change the user's temporary account. As such, a temporary account can be associated with multiple IP addresses over its lifespan (T325456).
Can Nuke identify and delete pages when the target unregistered user is ...
| Currently | Future | |
|---|---|---|
| Switching IP address | No | Yes |
| Clearing cookies | Yes | No** |
| Both | No | No |
It's worth noting that with IP masking and the introduction of per-user cookies, tools like Nuke will actually be more effective against users who do not delete their cookies.
**This is the case which could be addressed by this ticket - a user clears their cookies but does not change IP address.
Data
- What percentage of Nuke actions are currently taken on unregistered vs registered users?
- 33% of Nuke deletions target an unregistered user. On some wikis this is as high as 40-50%.
Questions
- Editors will be able to reveal the IP address of individual temporary accounts, but will they be able to link an IP address to multiple temporary accounts, or is this a CheckUser-level feature as it is for registered accounts?
- This is currently unclear - no feature is planned to enable admins to link an IP address to multiple temporary accounts, and Legal review will be required if that feature, or our proposed change to Nuke, is to go ahead.
- How much riskier is it that an individual can cycle temporary accounts on the same IP address by deleting cookies (future behaviour), as compared to cycling IP addresses (current behaviour)?
- Clearing cookies is much easier for a bad actor than cycling IP addresses quickly, though the latter is already being done by some vandals. It remains unclear how many vandals would clear their cookies but not also cycle IP address, but this does open up an easier attack avenue.
- Disabling cookies for a website in Chrome is as simple as adding the URL to the list of sites which can never use cookies. With this setting enabled, each edit is linked to a new temporary account:
- To what degree would administrators see a straight equivalence of IP address to temporary account as a downgrade in functionality?
- We spoke to some English Wikipedia and Commons admins who use Nuke. They were concerned that this is a downgrade in functionality, though it may not have much impact on en.wiki since page creation vandalism by IPs is negligible. As such we want to speak to more admins from other communities.