Alternative to IP address logging (identicons)

[azurelunatic]

Title:
Alternative to IP address logging (identicons)

Area:
comments, anonymous comments

Summary:
Offer identicons (or an equivalent method, for non-visual site users) as an alternative to IP addresses to attempt to distinguish Little Thing One from Little Thing Two, when both are commenting anonymously in someone's journal.

Description:
This suggestion is inspired by fiddlingfrog's suggestion on LiveJournal, and I thank him very much for bringing it up there. http://suggestions.livejournal.com/1085295.html #Dreamwidth IRC was also helpful in sorting out quite a bit of this.


Add identicons as another option for journals that allow anonymous comments, but don't necessarily want completely anonymous comments. This could be instead of, or in addition to, directly logging IP addresses for the journal owner to access. For visual users, an icon can sometimes also be more immediately recognized than an IP address.

Completely anonymous comments would still be available for places that require them, such as anonymous games (fic memes, anonymemes, love memes) and journals who wish to allow the totally anonymous comment experience.

For users who would like to attempt to tell anonymous commenters apart to the extent offered by IP address logging, but without actually logging IP addresses of all anonymous commenters, using an identicon could be a useful compromise.

The use of identicons in a journal should be disclosed to potential commenters similar to the way that IP address logging is disclosed, so a commenter may make their own decision prior to commenting.

Identicons on otherwise completely anonymous comments could be displayed to all visitors to that entry.

Identicons on comments that had their IP address logged could have the identicon displayed to all visitors, and continue to have the IP address displayed to only the journal owner.

The same identicon could be used all over the site for the same IP address; fiddlingfrog suggests that to provide a little more anonymity for anonymous users in different contexts, that the identicon could also use journal information (same identicon for same IP all through a single journal, but different in each journal) or even by entry (same identicon in one entry but different in the next, even in the same journal).

When "named anonymous" commenting is implemented, identicons could be created based on name, email address, or external journal location, to add visual interest to the comment space. Named anonymous commenters might be able to choose for themselves whether to use an identicon.


Should journals that use identicons log the IP address in a place where it could be accessed by appropriate site administrators (staff, Terms of Service team), but not the journal owner?

Identicons, or lack thereof, would make no difference to the anti-spam team.



What are identicons?

Identicons are little pictures based indirectly on identifying information. The identifying information (IP address, email address, etc.) has been passed through a process that mangles it non-reversibly while still keeping it most likely unique. If the same data is presented to the process a second time, it should come out in the same mangled format as the first.

Once the identifying information has been mangled into something equally unique, but no longer identifying (for example, an IP address that has been mangled can't be used to locate someone's Internet Service Provider or rough geographical location) it can be used to create an image, or maybe a sound file, or maybe just served up raw if there's no better way to get the information to a user in a form that's accessible to them.

Wikipedia article on identicons: https://secure.wikimedia.org/wikipedia/en/wiki/Identicon


Possible confusion:

Identicons do not provide any more continuity of identity than the source they are derived from. An identicon that is derived from an email address is likely to be the same person, so long as that person does not share their email address with anyone else, and so long as they keep the same email address.

Identicons derived from IP addresses have the same problems with matching comments to their actual human author as IP addresses, but without the additional helpful information that can be obtained from an IP address. Three anonymous comments coming from three different IP addresses that belong to the same internet service provider and are assigned to the same local area might actually be the same person. Since identicons cannot be reverse-engineered to reveal the originating IP address, the same three comments would have different identicons and might not be suspected to be the same person.

An identicon that is based on an IP address would only indicate a single person so long as the same person had one IP address and no other, and did not share it with anyone else commenting. If multiple anonymous users (say, from the same household at the same time, or same general geographic area and internet service provider at different times) commented and had the same IP address when commenting, they would be issued the same identicon and might be mistaken for each other. A single person might comment from home, comment from work, comment again from home after rebooting their cable-modem, and have three different IP addresses and therefore three different identicons.


Specific implementation suggestions

The "Vash" (visual hash) identicon generation engine is free to open source projects with a GPL-compatible license. Dreamwidth's code is licensed under the GPL + Artistic license. This particular implementation of the concept is aware of quite a few accessibility needs and is willing to work with projects if there are additional needs that their product does not currently support. If identicons are different for each journal space, the journal owner could conceivably provide settings to make identicons in their own space best suited to their own needs. http://www.thevash.com/index.html http://www.thevash.com/docs.html#faqs

Poll #7853 Alternative to IP address logging (identicons)

Open to: Registered Users, detailed results viewable to: All, participants: 52

View Respondents

This suggestion:

View Answers

Should be implemented as-is.
11 (21.2%)

Should be implemented with changes. (please comment)
4 (7.7%)

Shouldn't be implemented.
12 (23.1%)

(I have no opinion)
25 (48.1%)

(Other: please comment)
0 (0.0%)

Comments

[jeshyr]

Would this cause any significant server load?

[azurelunatic]

Let's see.

It'll have to generate the icon at posting time. Then it'll likely store the icon ... somewhere. Then it'll have to serve up the icons when someone loads the page.

Huh. Anonymous commenters suddenly with icons. How's *that* going to get shoved into the architecture?

Would generating the icons at page load time be more or less expensive than storing and serving?

[denise]

Storing and serving would almost certainly be less expensive than generating at loadtime, especially if icons were persistent across journals; they'd be able to be served out of memcache.

[pseudomonas]

There's a complication that if based on IP address alone it would co-identify people posting from, say, the same university network if they use a single web proxy. I'd be happier with this if based on cookies rather than IP address.

[denise]

There is a fairly trivial way, in the existing codebase, to identify people without the use of IP addresses and with a good chance of distinguishing people using the same network/the same proxy. It doesn't cover two people sharing a computer, nor does it cover one person using multiple computers, but the code-as-is does provide a rough browser footprint method that could be used as the key for a system like this.

[deborah]

so browser cookie, or browser footprint? Because yeah, university networks would break the system, as would a lot of corporate networks.

I like the idea, as long as it is treated as something different from IP logging. IP logging as a secret thing that only the original poster sees, versus identifiers as a way to make conversations with anonymous posters slightly more reasonable. Also as long as people understand that it's not a perfect system: people switch from browser to browser, computer to computer, computer to mobile phone -- and people share computers, even these days.

[denise]

Browser cookie, yeah.

[susanreads]

This is a brill idea but I don't think using IP address as the seed will work, for the reasons given in the post ("Possible confusion"). pseudomonas' suggestion of cookies would work for my computer which has a different dynamic IP address from yesterday, but not for someone who posts from different computers at different times, and if you're on a public network the cookies will disappear at the end of your session, or it might be nobbled so as not to accept cookies. I'd like to see identicons as part of the named anonymous option, so people could put in an email address which wouldn't be shown to anyone but would generate an identicon, or get a cookie-based version otherwise.

[noracharles]

Identicons would be great for named anonymous, if they were based on something the user voluntarily entered, like the email address. That way it's not difficult to change if the picture generated is really ugly.

For other anonymous uses, I can see how the identicon would make the conversation easier to follow in those conversations where the commenters would sign their name anyway, but I'm concerned that it would be a barrier to commenting for most anonymous discussions, especially if the identicon would be the same across journals and comms. So it might not be a very used feature.

[deborah]

but what if it's not the same across journals and communities? That is, instead of using a gravatar-type system, it just uniquely identifies the first anonymous with a red icon, the second anonymous with the yellow icon, etc.?

[noracharles]

In that case it probably would not discourage me from commenting. However I do have a Dreamwidth, so when I choose to comments anonymously it's usually for one of the reasons mentioned above where identicons would be against the spirit of the thing.

When I comment on other blogs where I don't have a username it's usually as named anonymous.

I'm not saying I'm against having the option, I just have a hard time imagining when it would be useful outside of named anonymous situations. I would not enable it in my own journal.

[pauamma]

If you use IP address (or cookie content as someone suggested)+userid of journal/comm as input for the hash, it would be consistent within the journal or comm, but not across journals or comms.

[feathertail]

This is basically what WP does with Gravatars, right? Sounds cool, and seems like a very thorough suggestion. ^.^ Especially the suggesting an alternate method for non-sighted users!

The "named anonymous" level would probably do that, but I'm not sure what else could be used in the interim ...

[daweaver]

So, to create the impression that anon-comment-1 might be from the same person as anon-comment-2, each comment gets some sort of visual hash based on its apparent source? It's liable to misinterpretation, it's almost certainly going to lull people into drawing conclusions not supported by the evidence, and will create a small but noticeable extra server load. In short, it seems about as utterly useless as OPENID, which makes similarly trivial and unreliable assertions about identity.

If Dreamwidth absolutely must go down this road, a few points to make the implementation less bad. Audio idents would be a singularly bad idea, a huge load of computer-generated gibberish delaying and distracting from the substantive comment. It may be advisible to code an extra option "Don't show identicons on anonymous comments", so that those with poor vision can concentrate on the message and not the packaging. (Indeed, this may be an excuse to code the option "don't show icons at all", but that's Scope Creep.)

From a privacy point of view, I would strongly encourage the generation routine to include as much information as possible, at least IP or sessionID + journal + entry. Possibly add in time, in such a way that comments from the same IP on the same entry in a short period look very similar, but not necessarily the same. (UNIX epoch shorn of last 10 bits?)

I'm not familiar with the "named anonymous" proposal for commenters; these could be converted into a display that does preserve across entries, analagous to a default usericon.

I see absolutely no reason why the raw IP addresses should be stored in additional places: this is personal information, and I still think Dreamwidth exposes it more widely than is prudent.