Set IP Logging to 'Opt-In' Rather than 'Opt-Out'

[boundbooks]

Title:
Set IP Logging to 'Opt-In' Rather than 'Opt-Out'

Area:
Entries and Commenting

Summary:
Currently, all newly created DW journals and communities have IP logging turned on by default. My suggestion is that IP logging should be turned off by default, with the ability to turn it on by 'opting-in' and enabling it.

Description:
While IP logging has it uses – namely, preventing sockpuppeting, discouraging trolling and ID-ing spam – it also comes with a high privacy cost. When making a comment on an IP logging post, one makes a wish: 'I will give this post my current location and hope that this information will never be used that against me.'

For the majority of DW journals and communities, default IP logging is over-kill. Most journals and communities are not experiencing continual sockpuppeting or trolling or other situations in which moderators would need to be able to pinpoint the address of a commentor in order to unravel what's occurring. Yet because IP logging is opt-out rather than opt-in, most DW journals and communities take this personal location information without thought and record it for as long as they exist.

I do not argue that IP logging should be removed as a service, but rather that it should be not be enabled as part of the default settings. Journal owners and communities should have that debate about privacy and moderation on their own and potentially with their community members. The removal of the privacy of their members and commentors should be a conscious, thoughtful decision, rather than simply one made by the default settings.

I am well aware that IP logging/IP address information is already being taken by Dreamwidth itself. However, I feel that there is a tremendous difference between these two states: 1) information existing on Dreamwidth's servers and accessible to Dreamwidth's employees/code volunteers 2) IP addresses being handed by default to all original posters, journal owners and community administrators.

The argument that 'one should never need to conceal an IP address, because one should know that IP addresses are always logged' fails to make a distinction between theoretical perfect privacy and practical privacy. It presumes that one is engaged in criminal activities that are pursued by the FBI rather than concerned about the kind of personally damaging information that participating in fandom activity or a complaint about a job situation can become in the hands of a malicious fellow-user. Making IP logging no longer enabled by default in created journals/communities is measurable progress towards practical, every-day privacy.

IP logging reveals sensitive information for all users, but the cost is even higher for rural users. If one's IP address simply reveals 'Chicago, Illinois, USA', it is unlikely that the contents of one's journal could be used to find a specific user. On the other hand, if one is a commenting from a small town, personal details as well as IP logging make it remarkably easy to whittle down and discover an identity. I myself live in a relatively rural area, and as such my cost of remaining anonymous is far higher than a fellow metropolitan-living friend. Information such as the name of my college, when combined with the name of my town, would whittle me down to a list of less than ten possible people in that town. Combined with gender and a rough age range, and the list becomes a list of one. As such, I am extremely cautious about anything I post. My city-dwelling friend, who actively gives college, gender and age range information, remains on a possible list of thousands of fellow alumni in their city.

My suggestion is intended to improve the privacy of Dreamwidth users, which I feel is in line with the goals of the Dreamwidth community. Since IP logging would remain as an 'opt-in' option for users or communities who needed this tool, the only problems I can think of would possible be things on the 'back end' of Dreamwidth, possibly if successful site-wide spam-reporting requires the majority of journals/communities to IP-log.

Poll #7707 Set IP Logging to 'Opt-In' Rather than 'Opt-Out'

Open to: Registered Users, detailed results viewable to: All, participants: 62

View Respondents

This suggestion:

View Answers

Should be implemented as-is.
16 (25.8%)

Should be implemented with changes. (please comment)
0 (0.0%)

Shouldn't be implemented.
35 (56.5%)

(I have no opinion)
10 (16.1%)

(Other: please comment)
1 (1.6%)

Comments

[ninetydegrees]

Dear People-Who-Know do you think this would make the Antispam and Abuse teams' work harder?

[boundbooks]

+1, because I would really love to know the answer to this question. I really didn't have a way of finding out before I submitted my suggestion, but I hope that someone in this community can provide this information. :)

[azurelunatic]

I don't think that it would necessarily make antispam work harder.

[denise]

Yes, it would. If IP logging isn't on at the time a comment was made, it's not possible to retrieve that information without direct database access, and the people who have direct db access (and know how to tickle the information out of the db; it's not obvious) don't have a lot of time to do lookups like this. It wouldn't be a problem for antispam, since when an anon comment is deleted as spam the IP address information is then shown in the antispam system, but it would make things difficult for the ToS team; IP address information is never used as a sole proof of identity (nor should it be since it's so easy to work around) but it can be indicative.

More relevantly, though, the default setting for newly-created DW accounts (anon commenting off, IP logging on) was chosen because we thought it was better for the default to be more protective, rather than less protective, and we thought it was better to allow people to choose to be less protective if they wanted to, rather than having to choose to be more protective if they wanted to. That keeps people from being vulnerable because they didn't know enough to change the settings, while allows people who want to preserve more of their commenter's (perceived, see below) privacy can do so if they want. It also can help to eliminate at least one go-round with the Terms of Service team in the event of harassing comments; the first thing the ToS team will say is "turn off anonymous commenting, turn on comment IP logging" and having them set from the beginning can help.

Another thing that having comment IP logging enabled by default (and anon commenting off by default) helps with is the issue of abandoned accounts. It's pretty common on any service to see a drop-off of people creating accounts and then wandering away because they decided the service isn't for them, and on LJ it was (and still is) pretty common for those abandoned accounts to become nothing more than spam graveyards. Comment IP logging is less of a spam deterrant than no-anon-comments-allowed, but it can still help. We were trying to make our initial settings be protective enough to make abandoned accounts less of an "attractive nuisance", so we set them as restrictive as we thought we could reasonably justify while still not going over-the-top and restricting commenting entirely.

Also, since obtaining the IP address of visitors to your journal is trivially easy, turning off IP logging can give people a false sense of security; IMO it's better to explicitly have the "this account is set to log the IP address of everyone who comments" notice than to not have it there and people think they're 'safe' while the account owner has a custom mood theme that logs all accesses, etc.

All of these are, I think, very good reasons to keep comment IP logging the default behavior (and, of course, continue to let people turn it off if they wish) -- especially the last one, since I am very firm that sites shouldn't give their users a false sense of security -- and I almost, almost rejected this suggestion based on that (which is why it took so long for the suggestion to make it out of the queue, heh). It will take some very strong arguments to convince me otherwise. But eventually I decided it was worthwhile to give people a chance to make those arguments, and to give them a chance to convince me.

[denise]

Replying-to-myself: as a reference for my last point (the false sense of security), here's an essay I wrote about the common myths of IP addresses, and how trivially easy it is to obtain someone's IP address without their even commenting on your journal.

[boundbooks]

I'm glad that this conversation is happening on DW, and honestly the points about the effect on the spam team is a good enough argument as to why not to implement this, as I mentioned in my original post: "the only problems I can think of would possible be things on the 'back end' of Dreamwidth, possibly if successful site-wide spam-reporting requires the majority of journals/communities to IP-log."

The thing that makes me sad about this kind of discussion, though, is when it descends into 'Didn't you know that someone can get your IP anyway through an image/file/etc' rather than addressing the specific issue at hand. In summation, I did know about the image/file/etc, I do know about proxies, and I did read that essay back when it was posted.

I'm going to copy and paste my comment to someone else below: "My thought was not that one is inherently 'safe' on a journal that opts out of IP logging, but rather that getting the IPs via a file on a server that one controls is a far higher level of difficulty for the average user that I think most people involved in the technical aspect of Dreamwidth/IT understand. Heck, even having ever had control of a server bumps you in a stratosphere of technical competency that most people will never reach.

I know that it is really, really easy to get IPs with files, but your point involves a ramping up of my original argument that I think is unfair as well as greatly overestimating average technical knowledge. There's a difference between 'it could be done by someone with a fair degree of technical knowledge' and 'let's give out this information anyway.' There's always a way to get this information, but there's a difference between having to do something to get it and being handed it automatically. =/

Most people do not have the ability to get their own server, or even know how to upload a file onto it. However, everyone can see the IPs if they're auto-included in a comment. I'm glad that DW is having this discussion, but it makes me sad when this discussion is taken to 'well in X scenario' rather than really looking at the specifics of the question at hand."

In summation, I'm happy to see this suggestion not implemented for reasons of spam and abuse-team work load. That is a good and fine reason for me. However, I wish that discussions about this issue did not come in two flavors of retorts: "Everyone is a very technically competent person and could logging your IP through files anyhow" or "Clearly, the person requires a 101 discussion about how the internet works."

There's an inherent paradox in that kind answer which assumes that people 1) don't understand how IPs work and 2) that the majority of people are running their own servers with secret files embedded on their journals. That kind of answer, which relies on a paradox where users are both super competent and super clueless, leaves me very unsatisfied.

[matgb]

Most people do not have the ability to get their own server, or even know how to upload a file onto it

Everyone has the ability--I got one, cheap, specifically so that I could learn the rest of it, you don't need a full server, just access to logs on one and basic file hosting, and you can get that for less than $20 per year.

In addition, there are multiple services out there that can embed stuff and give you the info--LJtoys used to provide it as a service here and on LJ, Statcounter and similar do similar.

Until I got my server, I didn't know how to upload a file, I got one in order to learn. Now, I no longer need it and have ceased paying.

There is no paradox though. Many people don't understand how IPs work, but some of us do (I taught myself while blogging as it interested me). There are clueless people, som eof whom get paranoid about things they needn't be about or that they need to learn about, and there are others that really really aren't.

If I wanted to I could grab your IP from you replying to me here. I'm not going to. It's not the majority that matters, it's that a) a big enough minority, especially on blogging sites like DW can and b) the people you need to worry about abuse stuff definitely can as learning it is really really easy.

You only need one person logging your IP to then publish it, one abusive friend. You don't need the majority, just one person (people doing "First post" stuff on comms and embedding images? some of them could easily be tracking the IP of every reader of the post, how would you know?)

[ninetydegrees]

Thanks for such a thorough answer!

[azurelunatic]

I am deeply grateful that the default is to turn off anonymous commenting, incidentally. There are excellent reasons for anonymous commenting to exist, but a good 95%+ of our spam volume is anonymous.

[matgb]

we thought it was better for the default to be more protective, rather than less protective, and we thought it was better to allow people to choose to be less protective if they wanted to

I believe that was the correct choice. I would've turned IP logging on on signup anyway, but most wouldn't know what it was until it happened.

I've had abusive comments, and more recently I've had cause to confirm a comment was from someone in an area of London they claimed to be--people that care can turn it off, people that don't understand get a degree of safety that's useful.

It's pretty common on any service to see a drop-off of people creating accounts and then wandering away because they decided the service isn't for them, and on LJ it was (and still is) pretty common for those abandoned accounts to become nothing more than spam graveyards

Does IP logging help for that though? Spam team have access to full logs, but can't see IP address of an abandoned account.

I've been thinking of some other ideas for that problem anyway, poke me to submit some suggestions soon (preferably when my capital city isn't on fire, but, y'know).

[denise]

IP logging doesn't help much for automated abuse of abandoned accounts (and if you reread the comment you'll see I mention that :P) but it can serve as a deterrant for non-automated abuses. Someone who finds the abandoned account of someone they think is so-and-so, with whom they have an ongoing internet slapfight, might think twice before commenting with the latest round of abuse if they're confronted with the "your IP address is being logged" message. (Those messages are, IMO, like the little sticker advertising the home-security system homeowners stick in their window/put up on a stick in their garden/etc.)

(also: *sends you buckets of flame-stopping goop*)

[azurelunatic]

Anonymous-off by default helps enormously for abandoned accounts, as such a high volume of the spam is anonymous.

[musyc]

Wow. Thank you for such a thorough explanation, Denise. A good many things there to consider.

[deborah]

I agree on all counts, and I agree that it is trivially easy to do hidden IP logging ("invisible.gif" will do it in a heartbeat). That being said, the original poster's point that IP's have different amounts of invasive information depending on where and who you are is an important one. I'm not sure there's anything we can do about it, but we should take it seriously and see if there IS.

The one thing I never want dreamwidth to be is the Zuckerburg family, proudly declaring that other people's security anonymity concerns are nonsense and irrelevant. Which is not what I think anyone here is doing! But I do think these concerns are important and we should think about whether or not there are ways our site security could address them.

(In this case, I don't think there is. But I am not a privacy expert by any stretch of the imagination.)

[denise]

Yeah, I've thought about this a lot recently (the problem of some people's IP geolocation information being/feeling more invasive due to population density, accuracy of geolocation data, etc) and I honestly haven't been able to come up with much, except to encourage education about what IP address information can do/contain/identify and reinforcing to people that if it's a privacy/safety issue they should never browse the internet unproxied. (and this is probably something that should go into a FAQ, but docs in general are totally sliding way down my priority list lately.) Because anything other than that really is a false sense of security, and I think catering to a false sense of security is worse than active dismissal of privacy concerns -- because at least with active dismissal, you're at least having the conversation, you know?

Too many conflicting issues :/

[azurelunatic]

One of the things for the FAQ when (heh) it's written (why do I have a feeling this is what I'll be starting on after Lunch) -- images-turned-off browsing.

[stealthily]

There're also things like the Ghostery add-on, which detects and blocks web bugs, ad beacons and tracking pixels. Although I have found that it doesn't automatically block every one, it just tells you they're there. And if course it wouldn't work if the bug was set up by someone on their own server, or was a small provider like LjToys that ghostery is not aware of. I was quite surprised by how many there were- some web pages have them in double digits- that's over 10 different ad companies following you about at any 1 time.

[azurelunatic]

I must say, I especially appreciate the way your username goes with your comment here.

[daweaver]

the default setting for newly-created DW accounts (anon commenting off, IP logging on) was chosen

Was there a community discussion about this?

I almost, almost rejected this suggestion based on that

I'm glad this didn't happen, robust discussion about policy can only improve it. When the gatekeeper sweeps the prospect of change under the carpet, nothing can get better.

I stand by my earlier argument: the consensus interpretation is that EU law protects a citizen's IP address as personal information, and Dreamwidth must meet some entirely reasonable safeguards. One of them is that Dreamwidth must explicitly declare why it's collecting personal information (which it does in the Privacy Policy), and not use it for other purposes. So long as Dreamwidth continues to meet its legal obligations, I have no further comment on the original Suggestion.

[denise]

There was no community discussion, no, for two reasons: one, it was before we had a community, and two, certain anti-abuse and site management decisions do get made without discussion, either because a decision needs to be made quickly or because providing enough information for uninvolved people to make an educated decision would reveal information detrimental to the service. (I love you guys and I love community discussion, because many brains working in concert are better than a few of us making decisions, but we don't publicise all of our anti-abuse tools and we never will.)

When the gatekeeper sweeps the prospect of change under the carpet, nothing can get better.

Yes, but conversely, if I can see no argument being advanced that would make us change our policy, allowing it through for discussion would be irresponsible (and frustrating) of me. For instance, I generally reject suggestions involving "make this particular feature that's a heavy motivator for people to buy paid accounts available to free accounts" (the recent discussion re: expanding comments is an exception, since I was of two minds about it), or suggestions involving giving free accounts more icon slots, because of course people are going to want to get more features on a free account, but doing so would be detrimental to the service. There are times when the effort necessary to get everybody up to speed to make intelligent decisions wouldn't be worth the time it took, or situations where the motivation for the individual conflicts with the motivation for the service as a whole, when I just don't think that discussion would go anywhere useful.

(It's fairly rare. Most of what gets bounced out of the suggestions queue are duplicates of existing suggestions or things we already have bugs open for. But there are times when I bounce stuff because i just don't see discussion going anywhere useful.)

[deborah]

indeed. I have a custom mood theme, which makes tracking everyone who sees my posts trivial, as the images are hosted on my home server. I never look at the logs, but I could.

[boundbooks]

My thought was not that one is inherently 'safe' on a journal that opts out of IP logging, but rather that getting the IPs via a file on a server that one controls is a far higher level of difficulty for the average user that I think most people involved in the technical aspect of Dreamwidth/IT understand. Heck, even having ever had control of a server bumps you in a stratosphere of technical competency that most people will never reach.

I know that it is really, really easy to get IPs with files, but your point involves a ramping up of my original argument that I think is unfair as well as greatly overestimating average technical knowledge. There's a difference between 'it could be done by someone with a fair degree of technical knowledge' and 'let's give out this information anyway.' There's always a way to get this information, but there's a difference between having to do something to get it and being handed it automatically. =/

Most people do not have the ability to get their own server, or even know how to upload a file onto it. However, everyone can see the IPs if they're auto-included in a comment. I'm glad that DW is having this discussion, but it makes me sad when this discussion is taken to 'well in X scenario' rather than really looking at the specifics of the question at hand.

[denise]

Just to be accurate, not everyone can see an IP address if an account is logging IP addresses. The logged IP addresses are only visible to:

* the owner of the account
* the admin of the community (if a community)
* the poster of the entry (if a community)

I couldn't come into your journal, where you're logging IP addresses, and see the IP address of your commenters.

[boundbooks]

I did know, but thank you for reiterating. :)

Also, I woke up today and realized that I'd been more than a little shirty yesterday. My apologies for being testy and taking it out in the comments.

[denise]

I think we've all had days like that! Thanks for the apology :)