MediaWiki and OpenID Connect

classic Classic list List threaded Threaded
18 messages Options
Reply | Threaded
Open this post in threaded view
|

MediaWiki and OpenID Connect

Adam Sobieski
Wikitech-l,

Greetings. I would like to describe an exciting scenario possible with OpenID Connect.

In the scenario, after choosing to verify their name on their Wikipedia account, a user logs onto Wikipedia and uses OpenID Connect to link their Wikipedia account to multiple verified accounts, for example their Facebook and LinkedIn accounts. At the end of the process, we can envision the user obtaining a checkmark next to their full name on Wikipedia, their real name and a verification icon appearing next to their edits and on their user page. There might even be, per user settings, hyperlinks to their Facebook and LinkedIn pages on their Wikipedia user page. With such features, we can envision allowing groups of users or admins to determine that certain articles require a verified account to edit.

Presently, OpenID Connect functionality is available for MediaWiki as an extension. I would like to see the OpenID Connect functionality under discussion expanded to support scenarios including aforementioned and also integrated into MediaWiki.

Thank you. I hope that the above ideas are also interesting to you in the Wikitech-l community.


Best regards,
Adam Sobieski
http://www.phoster.com/contents/

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Chad
On Fri, May 4, 2018, 1:21 PM Adam Sobieski <[hidden email]> wrote:

> With such features, we can envision allowing groups of users or admins to
> determine that certain articles require a verified account to edit.
>

Why would this be desirable?

-Chad

>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
Chad,

I’m working on a new Wikipedia article, Account Verification (https://en.wikipedia.org/wiki/Account_verification).
Account verification can enhance the quality of online services, mitigating sockpuppetry, bots, trolls, spam, vandalism, fake news, disinformation and election interference.

Account verification was initially a feature for public figures and accounts of public interest, individuals in music, acting, fashion, government, politics, religion, journalism, media, sports, business and other key interest areas. Account verification was introduced to Twitter in June 2009, Google+ in August 2011, Facebook in February 2012, Instagram in December 2014, and Pinterest in June 2015.

In July 2016, Twitter announced that, beyond public figures, any individual could apply for account verification. In March 2018, during a live-stream on Periscope, Jack Dorsey, co-founder and CEO of Twitter, discussed the idea of allowing any individual to get a verified account (https://variety.com/2018/digital/news/twitter-verified-account-open-everyone-1202722587/).

In April 2018, Mark Zuckerberg, co-founder and CEO of Facebook, announced that purchasers of political or issue-based advertisements would be required to verify their identities and locations. He also indicated that Facebook would require individuals who manage large pages to be verified (https://www.facebook.com/zuck/posts/10104784125525891).

These events of March and April of 2018 occurred just recently. These issues are both important and contemporary.

I’m looking at administrative functions such as page protection and considering scenarios where one or more administrators would determine that a page requires a verified account to edit. “Verified users” would be another column in the table, Interaction of Wikipedia user groups and page protection levels, at: https://en.wikipedia.org/wiki/Wikipedia:Protection_policy#Overview_of_types_of_protection .

I would like to respond to your question both quickly and thoroughly. This is part one (quickly) and I will work on part two (thoroughly) over the weekend and respond early next week.


Best regards,
Adam

From: Chad<mailto:[hidden email]>
Sent: Friday, May 4, 2018 9:03 PM
To: Wikimedia developers<mailto:[hidden email]>
Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect

On Fri, May 4, 2018, 1:21 PM Adam Sobieski <[hidden email]> wrote:

> With such features, we can envision allowing groups of users or admins to
> determine that certain articles require a verified account to edit.
>

Why would this be desirable?

-Chad

>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Max Semenik
Have you tried discussing this with the community? Let me tell you what
their reaction will be: "we don't care who you are, we care what are your
sources". Everywhere online, exposing your real life identity means a
possibility of real life problems: stalking, harassment, attempts to get
someone you have a content dispute with fired. And I'm not even theorizing:
all the above things have happened on Wikipedia, multiple times. Social
networks want to have people's confirmed identities so that they could sell
them to the highest bidder. We at Wikimedia are different - we want to know
as little about our users as possible, and a bit less than that.

On Fri, May 4, 2018 at 7:14 PM, Adam Sobieski <[hidden email]>
wrote:

> Chad,
>
> I’m working on a new Wikipedia article, Account Verification (
> https://en.wikipedia.org/wiki/Account_verification).
> Account verification can enhance the quality of online services,
> mitigating sockpuppetry, bots, trolls, spam, vandalism, fake news,
> disinformation and election interference.
>
> Account verification was initially a feature for public figures and
> accounts of public interest, individuals in music, acting, fashion,
> government, politics, religion, journalism, media, sports, business and
> other key interest areas. Account verification was introduced to Twitter in
> June 2009, Google+ in August 2011, Facebook in February 2012, Instagram in
> December 2014, and Pinterest in June 2015.
>
> In July 2016, Twitter announced that, beyond public figures, any
> individual could apply for account verification. In March 2018, during a
> live-stream on Periscope, Jack Dorsey, co-founder and CEO of Twitter,
> discussed the idea of allowing any individual to get a verified account (
> https://variety.com/2018/digital/news/twitter-verified-
> account-open-everyone-1202722587/).
>
> In April 2018, Mark Zuckerberg, co-founder and CEO of Facebook, announced
> that purchasers of political or issue-based advertisements would be
> required to verify their identities and locations. He also indicated that
> Facebook would require individuals who manage large pages to be verified (
> https://www.facebook.com/zuck/posts/10104784125525891).
>
> These events of March and April of 2018 occurred just recently. These
> issues are both important and contemporary.
>
> I’m looking at administrative functions such as page protection and
> considering scenarios where one or more administrators would determine that
> a page requires a verified account to edit. “Verified users” would be
> another column in the table, Interaction of Wikipedia user groups and page
> protection levels, at: https://en.wikipedia.org/wiki/
> Wikipedia:Protection_policy#Overview_of_types_of_protection .
>
> I would like to respond to your question both quickly and thoroughly. This
> is part one (quickly) and I will work on part two (thoroughly) over the
> weekend and respond early next week.
>
>
> Best regards,
> Adam
>
> From: Chad<mailto:[hidden email]>
> Sent: Friday, May 4, 2018 9:03 PM
> To: Wikimedia developers<mailto:[hidden email]>
> Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect
>
> On Fri, May 4, 2018, 1:21 PM Adam Sobieski <[hidden email]>
> wrote:
>
> > With such features, we can envision allowing groups of users or admins to
> > determine that certain articles require a verified account to edit.
> >
>
> Why would this be desirable?
>
> -Chad
>
> >
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



--
Best regards,
Max Semenik ([[User:MaxSem]])
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Stas Malyshev
In reply to this post by Adam Sobieski
Hi!

> Account verification was initially a feature for public figures and
> accounts of public interest, individuals in music, acting, fashion,
> government, politics, religion, journalism, media, sports, business
> and other key interest areas. Account verification was introduced to
> Twitter in June 2009, Google+ in August 2011, Facebook in February
> 2012, Instagram in December 2014, and Pinterest in June 2015.

Given how much controversy and unhealthy dynamics surrounds verified
accounts on Twitter (not sure about Pinterest etc. - don't have any info
there) I do not think it is a good idea to copy it. If there's an
individual need to establish link between legal identity of somebody and
their Wiki credentials, there are easy ways to do it - e.g. publish a
signed message both on wiki user page under the account and on the
resource known to be controlled by the person, etc. But I don't think
special status like that would be very useful or very welcome.
Also note linking one's legal identity to Wiki edits may be very
dangerous in some countries. Requiring people to take that risk to edit
certain pages is not really a good thing.

--
Stas Malyshev
[hidden email]

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
In reply to this post by Max Semenik
Max,



Thank you. These ideals of which you speak are similar to those of argumentation. In the ideals of argumentation, reason should prevail. In this way, it doesn’t matter who makes an utterance, what matters is the utterance, its veracity, logical soundness, and so forth. The ideals of collaboration in argumentation are for reason to prevail, for the quality of the discussion, in software engineering, for the quality of the software, and in Wikipedia, for the quality of the encyclopedia article.



I will collect together all of the points raised over the weekend and respond to them early next week in a lengthy letter. Also, I think that after some discussion, we should have material for a Wikipedia article, Account Verification on Wikipedia which I would link to from a new section of Account Verification.



I think that we can untangle MediaWiki and Wikipedia. If it becomes possible for MediaWiki projects to utilize OpenID Connect to link accounts, as I am describing, then we would be able to say that every MediaWiki software user including Wikipedia could choose to activate and configure such MediaWiki features and the matter would be one of discussing whether the Wikipedia project should use the MediaWiki software features. I think that there are two points, whether MediaWiki could/should provide account verification features for its users and whether Wikipedia should make use of such features.





Best regards,

Adam



________________________________
From: Wikitech-l <[hidden email]> on behalf of Max Semenik <[hidden email]>
Sent: Friday, May 4, 2018 10:37:36 PM
To: Wikimedia developers
Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect

Have you tried discussing this with the community? Let me tell you what
their reaction will be: "we don't care who you are, we care what are your
sources". Everywhere online, exposing your real life identity means a
possibility of real life problems: stalking, harassment, attempts to get
someone you have a content dispute with fired. And I'm not even theorizing:
all the above things have happened on Wikipedia, multiple times. Social
networks want to have people's confirmed identities so that they could sell
them to the highest bidder. We at Wikimedia are different - we want to know
as little about our users as possible, and a bit less than that.

On Fri, May 4, 2018 at 7:14 PM, Adam Sobieski <[hidden email]>
wrote:

> Chad,
>
> I’m working on a new Wikipedia article, Account Verification (
> https://en.wikipedia.org/wiki/Account_verification).
> Account verification can enhance the quality of online services,
> mitigating sockpuppetry, bots, trolls, spam, vandalism, fake news,
> disinformation and election interference.
>
> Account verification was initially a feature for public figures and
> accounts of public interest, individuals in music, acting, fashion,
> government, politics, religion, journalism, media, sports, business and
> other key interest areas. Account verification was introduced to Twitter in
> June 2009, Google+ in August 2011, Facebook in February 2012, Instagram in
> December 2014, and Pinterest in June 2015.
>
> In July 2016, Twitter announced that, beyond public figures, any
> individual could apply for account verification. In March 2018, during a
> live-stream on Periscope, Jack Dorsey, co-founder and CEO of Twitter,
> discussed the idea of allowing any individual to get a verified account (
> https://variety.com/2018/digital/news/twitter-verified-
> account-open-everyone-1202722587/).
>
> In April 2018, Mark Zuckerberg, co-founder and CEO of Facebook, announced
> that purchasers of political or issue-based advertisements would be
> required to verify their identities and locations. He also indicated that
> Facebook would require individuals who manage large pages to be verified (
> https://www.facebook.com/zuck/posts/10104784125525891).
>
> These events of March and April of 2018 occurred just recently. These
> issues are both important and contemporary.
>
> I’m looking at administrative functions such as page protection and
> considering scenarios where one or more administrators would determine that
> a page requires a verified account to edit. “Verified users” would be
> another column in the table, Interaction of Wikipedia user groups and page
> protection levels, at: https://en.wikipedia.org/wiki/
> Wikipedia:Protection_policy#Overview_of_types_of_protection .
>
> I would like to respond to your question both quickly and thoroughly. This
> is part one (quickly) and I will work on part two (thoroughly) over the
> weekend and respond early next week.
>
>
> Best regards,
> Adam
>
> From: Chad<mailto:[hidden email]>
> Sent: Friday, May 4, 2018 9:03 PM
> To: Wikimedia developers<mailto:[hidden email]>
> Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect
>
> On Fri, May 4, 2018, 1:21 PM Adam Sobieski <[hidden email]>
> wrote:
>
> > With such features, we can envision allowing groups of users or admins to
> > determine that certain articles require a verified account to edit.
> >
>
> Why would this be desirable?
>
> -Chad
>
> >
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



--
Best regards,
Max Semenik ([[User:MaxSem]])
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
In reply to this post by Adam Sobieski
Thank you again for the concerns and comments responded to in the following letter.

INTRODUCTION

Two distinct topics are discussed: (1) MediaWiki should provide its software users with OpenID Connect functionality including to verify their names and accounts via account linking, and (2) Wikipedia should make use of such MediaWiki features.

On topic one, there are a large number of MediaWiki software users [1][2] and use case scenarios. On topic two, “MediaWiki's most famous use has been in Wikipedia” [3], thus it makes sense to carefully discuss MediaWiki software and Wikipedia simultaneously.

CONFIGURABILITY

Importantly, we can consider options for configuration for system administrators (users of MediaWiki software) and their end users. For example, a system administrative option could be whether to activate the account verification features. Account verification could then be either optional or required for their users. Allowing their users to verify their accounts, system administrative configuration can specify whether their verified users have a configuration setting with regard to whether to display their real names or their usernames.

Configuration options for MediaWiki system administrators and subsequently contingent configuration options for end users can maximize utility for all parties concerned across a large number of MediaWiki use case scenarios.

In this way, Wikipedia can choose whether and configurably how to utilize MediaWiki account verification features in a manner that exactly aligns with their policy.

SOCKPUPPETRY

“In 2012, Wikipedia launched one of its largest sockpuppet investigations, when editors reported suspicious activity suggesting 250 accounts had been used to engage in paid editing.” [4]

“On August 31, 2015, the English Wikipedia community discovered 381 sockpuppet accounts operating a secret paid editing ring.” [5]

PAGE PROTECTION OPTIONS AND ACCOUNT VERIFICATION

System administrators of MediaWiki could configure MediaWiki to allow administrative users the capability to protect content with a mode such that only verified accounts could edit that content.

“Why would this be desirable?”

Reasons include, but are not limited to: (1) per the rationale for semi-protection [6] and extended confirmed protection [7], (2) an administrator determines that one or multiple unverified accounts involved in an incident are sockpuppets, bots, trolls, spammers, vandals, etc, (3) detecting or preventing conflict of interest editing.

TWITTER ACCOUNT VERIFICATION CONTROVERSY

“Given how much controversy and unhealthy dynamics surrounds verified accounts on Twitter, I do not think it is a good idea to copy it.”

Some of the confusion around account verification on Twitter stems from misunderstanding. What is the checkmark? What does it mean? What does account verification mean when controversial figures’ accounts are verified? Some people, for example, misunderstood that it suggested endorsement by Twitter. “In July 2016, Twitter announced […] that verification ‘does not imply an endorsement.’” [8]

ACCOUNT VERIFICATION AND USER PAGES

“If there's an individual need to establish link between legal identity of somebody and their Wiki credentials, there are easy ways to do it – e.g. publish a signed message both on wiki user page under the account and on the resource known to be controlled by the person, etc.”

System administrators could also configure for users to have an option to select for their linked account pages to be hyperlinked to from their user pages. Collaboration on Wikipedia articles can be an opportunity to socialize and connect on other websites.

REAL NAMES AND SAFETY

“Everywhere online, exposing your real life identity means a possibility of real life problems: stalking, harassment, attempts to get someone you have a content dispute with fired. And I'm not even theorizing: all the above things have happened on Wikipedia, multiple times.”

“Requiring people to take that risk to edit certain pages is not really a good thing.”

As aforementioned, system administrative configuration options could include allowing verified users to choose whether to display their real names or to display their usernames.

Proponents of real-name policies include Mark Zuckerberg. “Facebook’s CEO and Founder Mark Zuckerberg defended [Facebook’s real-name policy], saying, ‘We know people are much less likely to try to act abusively towards other members of our community when they’re using their real names.’ A Pew Research study from 2014 supports Zuckerberg’s claim, proving that ‘half of those who have experienced online harassment did not know the person involved in their most recent incident.’” [9]

SOCIAL MEDIA EXECUTIVES

“Social networks want to have people's confirmed identities so that they could sell them to the highest bidder.”

Social networks are in a crisis, as evidenced by recent testimony before Congress. Their policies with regard to account verification are genuine attempts to solve problems, some described to them by Congress, not gambits to acquire more user data. Account verification mitigates sockpuppetry, bots, trolls, spam, vandalism, conflicts of interest, fake news, disinformation and election interference.

(https://www.c-span.org/video/?443543-1/facebook-ceo-mark-zuckerberg-testifies-data-protection , https://www.c-span.org/video/?443490-1/facebook-ceo-mark-zuckerberg-testifies-data-protection)

WIKISCANNER

“Internet experts, for the most part, have welcomed WikiScanner.” [10]

“Wikipedia co-founder Jimmy Wales spoke enthusiastically about WikiScanner, noting in one source that ‘It brings an additional level of transparency to what's going on at Wikipedia’ and stating in another that it was ‘fabulous and I strongly support it.’ The BBC quoted an unnamed Wikipedia spokesperson's praise for the tool in taking transparency ‘to another level’ and preventing ‘an organisation or individuals from editing articles that they're really not supposed to.’ In responding to the edits from the Canadian Ministry of Industry, spokesman for the Wikimedia Foundation Jay Walsh noted that neutrality of language and guarding against conflicts of interest are two of the central pillars of Wikipedia, adding that ‘The edits which should be trusted would come from people who don't possess a conflict of interest, in this case, it would be worthwhile saying that if someone is making edits from a computer within the government of Canada … if it was someone within that ministry, that would theoretically constitute a conflict of interest.’ Wales has speculated on a possible warning to anonymous editors: ‘When someone clicks on ‘edit,’ it would be interesting if we could say, ‘Hi, thank you for editing. We see you're logged in from The New York Times. Keep in mind that we know that, and it's public information’ … That might make them stop and think.’” [11]


[1] https://en.wikipedia.org/wiki/MediaWiki#Sites_using_MediaWiki
[2] https://en.wikipedia.org/wiki/Category:MediaWiki_websites
[3] https://en.wikipedia.org/wiki/MediaWiki
[4] https://en.wikipedia.org/wiki/Conflict-of-interest_editing_on_Wikipedia
[5] https://en.wikipedia.org/wiki/Orangemoody_editing_of_Wikipedia
[6] https://en.wikipedia.org/wiki/Wikipedia:Protection_policy#Semi-protection
[7] https://en.wikipedia.org/wiki/Wikipedia:Protection_policy#Extended_confirmed_protection
[8] https://en.wikipedia.org/wiki/Twitter#Verified_accounts
[9] https://www.csmonitor.com/Technology/2015/1101/Does-Facebook-s-real-name-policy-really-protect-its-users
[10] https://www.nytimes.com/2007/08/19/technology/19wikipedia.html
[11] https://en.wikipedia.org/wiki/WikiScanner#Wikipedia_reaction

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

David Barratt
"As aforementioned, system administrative configuration options could
include allowing verified users to choose whether to display their real
names or to display their usernames."

I think you might be missing the point, we don't even want to collect that
data in the first place, let alone allow non-marginalized users to display
their real name (thereby identifying the marginalized users who opted out).

It is clear that using your real name has real-world harm (
https://www.eff.org/deeplinks/2014/09/facebooks-real-name-policy-can-cause-real-world-harm-lgbtq-community)
and there is a coalition to stop Facebook from enforcing this policy (
https://act.eff.org/action/dear-facebook-authentic-names-are-authentically-dangerous-for-your-users
).

In fact, Wikipedia itself recommends against using your real name (
https://en.wikipedia.org/wiki/Wikipedia:Username_policy). I truly regret
using my real name in my personal user account (
https://en.wikipedia.org/wiki/User:Davidwbarratt), just from my
contributions (
https://en.wikipedia.org/wiki/Special:Contributions/Davidwbarratt) you can
very easily figure out the region where I live. Next, put my last name into
a public record search for my region (
http://www.ocpafl.org/searches/ParcelSearch.aspx) and you will have my
physical address and a nice picture of where I live.

Thankfully I am not in a marganziled group, but I hope you see how easy
that would be. Even if the identity is not displayed, if it's stored in our
database, there is a potential for that data to be exposed.

I will probably take a moment at some point to change my username to a
pseudonym (when I come up with a good one), but username changes are
public, so it would be pretty easy to search for my new username and find
the record of the name change.

The pew study you referenced (
http://www.pewinternet.org/2014/10/22/online-harassment/) does not suggest
that users were anonymized only that a plurality of the victims of
harassment "said a stranger was responsible for their most recent
incident." Also, correlation does not imply causation (
https://en.wikipedia.org/wiki/Correlation_does_not_imply_causation).

There are many things we could do to mitigate harassment on Wikipedia, but
a real name or account verification is not one of them. As an experiment, I
would recommend finding, and attempting to go through, all of the steps
required to report harassment. It's depressingly difficult. Another thing
we can do is implement granular blocks (
https://phabricator.wikimedia.org/T190350) to block accounts from specific
pages, categories, or namespaces rather than a whole site block.

There are probably many more ideas that can be implemented, but again, I
don't know of any evidence that a real name or account verification policy
actually works, but there's a growing consensus that the policy causes more
harm than good.

On Sat, May 5, 2018 at 7:50 AM Adam Sobieski <[hidden email]>
wrote:

> Thank you again for the concerns and comments responded to in the
> following letter.
>
> INTRODUCTION
>
> Two distinct topics are discussed: (1) MediaWiki should provide its
> software users with OpenID Connect functionality including to verify their
> names and accounts via account linking, and (2) Wikipedia should make use
> of such MediaWiki features.
>
> On topic one, there are a large number of MediaWiki software users [1][2]
> and use case scenarios. On topic two, “MediaWiki's most famous use has been
> in Wikipedia” [3], thus it makes sense to carefully discuss MediaWiki
> software and Wikipedia simultaneously.
>
> CONFIGURABILITY
>
> Importantly, we can consider options for configuration for system
> administrators (users of MediaWiki software) and their end users. For
> example, a system administrative option could be whether to activate the
> account verification features. Account verification could then be either
> optional or required for their users. Allowing their users to verify their
> accounts, system administrative configuration can specify whether their
> verified users have a configuration setting with regard to whether to
> display their real names or their usernames.
>
> Configuration options for MediaWiki system administrators and subsequently
> contingent configuration options for end users can maximize utility for all
> parties concerned across a large number of MediaWiki use case scenarios.
>
> In this way, Wikipedia can choose whether and configurably how to utilize
> MediaWiki account verification features in a manner that exactly aligns
> with their policy.
>
> SOCKPUPPETRY
>
> “In 2012, Wikipedia launched one of its largest sockpuppet investigations,
> when editors reported suspicious activity suggesting 250 accounts had been
> used to engage in paid editing.” [4]
>
> “On August 31, 2015, the English Wikipedia community discovered 381
> sockpuppet accounts operating a secret paid editing ring.” [5]
>
> PAGE PROTECTION OPTIONS AND ACCOUNT VERIFICATION
>
> System administrators of MediaWiki could configure MediaWiki to allow
> administrative users the capability to protect content with a mode such
> that only verified accounts could edit that content.
>
> “Why would this be desirable?”
>
> Reasons include, but are not limited to: (1) per the rationale for
> semi-protection [6] and extended confirmed protection [7], (2) an
> administrator determines that one or multiple unverified accounts involved
> in an incident are sockpuppets, bots, trolls, spammers, vandals, etc, (3)
> detecting or preventing conflict of interest editing.
>
> TWITTER ACCOUNT VERIFICATION CONTROVERSY
>
> “Given how much controversy and unhealthy dynamics surrounds verified
> accounts on Twitter, I do not think it is a good idea to copy it.”
>
> Some of the confusion around account verification on Twitter stems from
> misunderstanding. What is the checkmark? What does it mean? What does
> account verification mean when controversial figures’ accounts are
> verified? Some people, for example, misunderstood that it suggested
> endorsement by Twitter. “In July 2016, Twitter announced […] that
> verification ‘does not imply an endorsement.’” [8]
>
> ACCOUNT VERIFICATION AND USER PAGES
>
> “If there's an individual need to establish link between legal identity of
> somebody and their Wiki credentials, there are easy ways to do it – e.g.
> publish a signed message both on wiki user page under the account and on
> the resource known to be controlled by the person, etc.”
>
> System administrators could also configure for users to have an option to
> select for their linked account pages to be hyperlinked to from their user
> pages. Collaboration on Wikipedia articles can be an opportunity to
> socialize and connect on other websites.
>
> REAL NAMES AND SAFETY
>
> “Everywhere online, exposing your real life identity means a possibility
> of real life problems: stalking, harassment, attempts to get someone you
> have a content dispute with fired. And I'm not even theorizing: all the
> above things have happened on Wikipedia, multiple times.”
>
> “Requiring people to take that risk to edit certain pages is not really a
> good thing.”
>
> As aforementioned, system administrative configuration options could
> include allowing verified users to choose whether to display their real
> names or to display their usernames.
>
> Proponents of real-name policies include Mark Zuckerberg. “Facebook’s CEO
> and Founder Mark Zuckerberg defended [Facebook’s real-name policy], saying,
> ‘We know people are much less likely to try to act abusively towards other
> members of our community when they’re using their real names.’ A Pew
> Research study from 2014 supports Zuckerberg’s claim, proving that ‘half of
> those who have experienced online harassment did not know the person
> involved in their most recent incident.’” [9]
>
> SOCIAL MEDIA EXECUTIVES
>
> “Social networks want to have people's confirmed identities so that they
> could sell them to the highest bidder.”
>
> Social networks are in a crisis, as evidenced by recent testimony before
> Congress. Their policies with regard to account verification are genuine
> attempts to solve problems, some described to them by Congress, not gambits
> to acquire more user data. Account verification mitigates sockpuppetry,
> bots, trolls, spam, vandalism, conflicts of interest, fake news,
> disinformation and election interference.
>
> (
> https://www.c-span.org/video/?443543-1/facebook-ceo-mark-zuckerberg-testifies-data-protection
> ,
> https://www.c-span.org/video/?443490-1/facebook-ceo-mark-zuckerberg-testifies-data-protection
> )
>
> WIKISCANNER
>
> “Internet experts, for the most part, have welcomed WikiScanner.” [10]
>
> “Wikipedia co-founder Jimmy Wales spoke enthusiastically about
> WikiScanner, noting in one source that ‘It brings an additional level of
> transparency to what's going on at Wikipedia’ and stating in another that
> it was ‘fabulous and I strongly support it.’ The BBC quoted an unnamed
> Wikipedia spokesperson's praise for the tool in taking transparency ‘to
> another level’ and preventing ‘an organisation or individuals from editing
> articles that they're really not supposed to.’ In responding to the edits
> from the Canadian Ministry of Industry, spokesman for the Wikimedia
> Foundation Jay Walsh noted that neutrality of language and guarding against
> conflicts of interest are two of the central pillars of Wikipedia, adding
> that ‘The edits which should be trusted would come from people who don't
> possess a conflict of interest, in this case, it would be worthwhile saying
> that if someone is making edits from a computer within the government of
> Canada … if it was someone within that ministry, that would theoretically
> constitute a conflict of interest.’ Wales has speculated on a possible
> warning to anonymous editors: ‘When someone clicks on ‘edit,’ it would be
> interesting if we could say, ‘Hi, thank you for editing. We see you're
> logged in from The New York Times. Keep in mind that we know that, and it's
> public information’ … That might make them stop and think.’” [11]
>
>
> [1] https://en.wikipedia.org/wiki/MediaWiki#Sites_using_MediaWiki
> [2] https://en.wikipedia.org/wiki/Category:MediaWiki_websites
> [3] https://en.wikipedia.org/wiki/MediaWiki
> [4]
> https://en.wikipedia.org/wiki/Conflict-of-interest_editing_on_Wikipedia
> [5] https://en.wikipedia.org/wiki/Orangemoody_editing_of_Wikipedia
> [6]
> https://en.wikipedia.org/wiki/Wikipedia:Protection_policy#Semi-protection
> [7]
> https://en.wikipedia.org/wiki/Wikipedia:Protection_policy#Extended_confirmed_protection
> [8] https://en.wikipedia.org/wiki/Twitter#Verified_accounts
> [9]
> https://www.csmonitor.com/Technology/2015/1101/Does-Facebook-s-real-name-policy-really-protect-its-users
> [10] https://www.nytimes.com/2007/08/19/technology/19wikipedia.html
> [11] https://en.wikipedia.org/wiki/WikiScanner#Wikipedia_reaction
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

masti-2
In reply to this post by Adam Sobieski
Adam,
this is not technical but community problem. That should be first
discussed with the communities - all of them - not only en.wiki whether
there is any need for that solution. Which I doubt.

I do not see many positives coming from using it but a lot of negatives.
Enforcing that would mean having much less contributors.

Also as already stated it would force us into getting more information
about contributors which is not what the communities want. Especially in
the moment of upcoming GDPR regulation that affects whole commmunity.

masti

On 04.05.2018 22:21, Adam Sobieski wrote:

> Wikitech-l,
>
> Greetings. I would like to describe an exciting scenario possible with OpenID Connect.
>
> In the scenario, after choosing to verify their name on their Wikipedia account, a user logs onto Wikipedia and uses OpenID Connect to link their Wikipedia account to multiple verified accounts, for example their Facebook and LinkedIn accounts. At the end of the process, we can envision the user obtaining a checkmark next to their full name on Wikipedia, their real name and a verification icon appearing next to their edits and on their user page. There might even be, per user settings, hyperlinks to their Facebook and LinkedIn pages on their Wikipedia user page. With such features, we can envision allowing groups of users or admins to determine that certain articles require a verified account to edit.
>
> Presently, OpenID Connect functionality is available for MediaWiki as an extension. I would like to see the OpenID Connect functionality under discussion expanded to support scenarios including aforementioned and also integrated into MediaWiki.
>
> Thank you. I hope that the above ideas are also interesting to you in the Wikitech-l community.
>
>
> Best regards,
> Adam Sobieski
> http://www.phoster.com/contents/
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
Masti,



Technically speaking, OpenID Connect includes user information (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo , https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) and this data, possibly extending to include “name_verified”, “account_verified” and “account_verification_score”, facilitates the corroboration of user data across accounts and account linking.



As you indicate, these unfolding topics could be, instead of a technical discussion, a community discussion. It seems that the mitigation of sockpuppetry, bots, trolls, spam, vandalism, fake news, disinformation and election interference, on the one hand, is being weighed against optional data collection on the other hand (see also configurability discussed at: https://lists.wikimedia.org/pipermail/wikitech-l/2018-May/089922.html).



That is an excellent point about GDPR. I will read more about GDPR.





Best regards,

Adam



________________________________
From: Wikitech-l <[hidden email]> on behalf of masti <[hidden email]>
Sent: Monday, May 7, 2018 10:05:09 AM
To: [hidden email]
Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect

Adam,
this is not technical but community problem. That should be first
discussed with the communities - all of them - not only en.wiki whether
there is any need for that solution. Which I doubt.

I do not see many positives coming from using it but a lot of negatives.
Enforcing that would mean having much less contributors.

Also as already stated it would force us into getting more information
about contributors which is not what the communities want. Especially in
the moment of upcoming GDPR regulation that affects whole commmunity.

masti

On 04.05.2018 22:21, Adam Sobieski wrote:

> Wikitech-l,
>
> Greetings. I would like to describe an exciting scenario possible with OpenID Connect.
>
> In the scenario, after choosing to verify their name on their Wikipedia account, a user logs onto Wikipedia and uses OpenID Connect to link their Wikipedia account to multiple verified accounts, for example their Facebook and LinkedIn accounts. At the end of the process, we can envision the user obtaining a checkmark next to their full name on Wikipedia, their real name and a verification icon appearing next to their edits and on their user page. There might even be, per user settings, hyperlinks to their Facebook and LinkedIn pages on their Wikipedia user page. With such features, we can envision allowing groups of users or admins to determine that certain articles require a verified account to edit.
>
> Presently, OpenID Connect functionality is available for MediaWiki as an extension. I would like to see the OpenID Connect functionality under discussion expanded to support scenarios including aforementioned and also integrated into MediaWiki.
>
> Thank you. I hope that the above ideas are also interesting to you in the Wikitech-l community.
>
>
> Best regards,
> Adam Sobieski
> http://www.phoster.com/contents/
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
In reply to this post by David Barratt
David,



Pertinent data to our discussion includes the number of occurrences of sockpuppetry, bots, trolls, spam, vandalism, fake news, disinformation and election interference on Wikipedia. Are these not important problems to be solved?



Regarding online harassment, which I opine is also an important problem to be solved, there could be a number of categories of scenarios to consider: whether the harassing party is anonymous, pseudonymous or using their real name, and whether the harassed party is anonymous, pseudonymous or using their real-name. There appears to be a total of 9 categories of scenarios to consider and that could be a part of the complexity discussing the topic of mitigating online harassment. I can put some thought into innovations for Wikipedia in this regard.



You might be interested in: Jang, M., Foley, J., Dori-Hacohen, S., & Allan, J. (2016). Probabilistic Approaches to Controversy Detection. In Proceedings of the 25th ACM International on Conference on Information and Knowledge Management (pp. 2069–2072). New York, NY, USA: ACM. https://doi.org/10.1145/2983323.2983911 . As we can consider the detection of controversy, we might also be able to algorithmically detect occurrences of harassment in Wikipedia discussion areas.



Regarding whether real names promote safer or less safe communities, I observe from your hyperlink that those voicing concerns with respect to Facebook and real names, the Nameless Coalition, include: Access, ACLU, Center for Democracy and Technology, Digital Rights Foundation, Electronic Frontier Foundation, #forabetterFB, Global Voices Advocacy, Human Rights Watch, Internet Democracy Project, One World Platform, Point of View and Take Back the Tech.



Providing options for users to display a real name or pseudonym, including after optional account verification processes, seems to address the specific concerns raised by the Nameless Coalition.





Best regards,

Adam



________________________________
From: Wikitech-l <[hidden email]> on behalf of David Barratt <[hidden email]>
Sent: Monday, May 7, 2018 9:49:35 AM
To: Wikimedia developers
Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect

"As aforementioned, system administrative configuration options could
include allowing verified users to choose whether to display their real
names or to display their usernames."

I think you might be missing the point, we don't even want to collect that
data in the first place, let alone allow non-marginalized users to display
their real name (thereby identifying the marginalized users who opted out).

It is clear that using your real name has real-world harm (
https://www.eff.org/deeplinks/2014/09/facebooks-real-name-policy-can-cause-real-world-harm-lgbtq-community)
and there is a coalition to stop Facebook from enforcing this policy (
https://act.eff.org/action/dear-facebook-authentic-names-are-authentically-dangerous-for-your-users
).

In fact, Wikipedia itself recommends against using your real name (
https://en.wikipedia.org/wiki/Wikipedia:Username_policy). I truly regret
using my real name in my personal user account (
https://en.wikipedia.org/wiki/User:Davidwbarratt), just from my
contributions (
https://en.wikipedia.org/wiki/Special:Contributions/Davidwbarratt) you can
very easily figure out the region where I live. Next, put my last name into
a public record search for my region (
http://www.ocpafl.org/searches/ParcelSearch.aspx) and you will have my
physical address and a nice picture of where I live.

Thankfully I am not in a marganziled group, but I hope you see how easy
that would be. Even if the identity is not displayed, if it's stored in our
database, there is a potential for that data to be exposed.

I will probably take a moment at some point to change my username to a
pseudonym (when I come up with a good one), but username changes are
public, so it would be pretty easy to search for my new username and find
the record of the name change.

The pew study you referenced (
http://www.pewinternet.org/2014/10/22/online-harassment/) does not suggest
that users were anonymized only that a plurality of the victims of
harassment "said a stranger was responsible for their most recent
incident." Also, correlation does not imply causation (
https://en.wikipedia.org/wiki/Correlation_does_not_imply_causation).

There are many things we could do to mitigate harassment on Wikipedia, but
a real name or account verification is not one of them. As an experiment, I
would recommend finding, and attempting to go through, all of the steps
required to report harassment. It's depressingly difficult. Another thing
we can do is implement granular blocks (
https://phabricator.wikimedia.org/T190350) to block accounts from specific
pages, categories, or namespaces rather than a whole site block.

There are probably many more ideas that can be implemented, but again, I
don't know of any evidence that a real name or account verification policy
actually works, but there's a growing consensus that the policy causes more
harm than good.

On Sat, May 5, 2018 at 7:50 AM Adam Sobieski <[hidden email]>
wrote:

> Thank you again for the concerns and comments responded to in the
> following letter.
>
> INTRODUCTION
>
> Two distinct topics are discussed: (1) MediaWiki should provide its
> software users with OpenID Connect functionality including to verify their
> names and accounts via account linking, and (2) Wikipedia should make use
> of such MediaWiki features.
>
> On topic one, there are a large number of MediaWiki software users [1][2]
> and use case scenarios. On topic two, “MediaWiki's most famous use has been
> in Wikipedia” [3], thus it makes sense to carefully discuss MediaWiki
> software and Wikipedia simultaneously.
>
> CONFIGURABILITY
>
> Importantly, we can consider options for configuration for system
> administrators (users of MediaWiki software) and their end users. For
> example, a system administrative option could be whether to activate the
> account verification features. Account verification could then be either
> optional or required for their users. Allowing their users to verify their
> accounts, system administrative configuration can specify whether their
> verified users have a configuration setting with regard to whether to
> display their real names or their usernames.
>
> Configuration options for MediaWiki system administrators and subsequently
> contingent configuration options for end users can maximize utility for all
> parties concerned across a large number of MediaWiki use case scenarios.
>
> In this way, Wikipedia can choose whether and configurably how to utilize
> MediaWiki account verification features in a manner that exactly aligns
> with their policy.
>
> SOCKPUPPETRY
>
> “In 2012, Wikipedia launched one of its largest sockpuppet investigations,
> when editors reported suspicious activity suggesting 250 accounts had been
> used to engage in paid editing.” [4]
>
> “On August 31, 2015, the English Wikipedia community discovered 381
> sockpuppet accounts operating a secret paid editing ring.” [5]
>
> PAGE PROTECTION OPTIONS AND ACCOUNT VERIFICATION
>
> System administrators of MediaWiki could configure MediaWiki to allow
> administrative users the capability to protect content with a mode such
> that only verified accounts could edit that content.
>
> “Why would this be desirable?”
>
> Reasons include, but are not limited to: (1) per the rationale for
> semi-protection [6] and extended confirmed protection [7], (2) an
> administrator determines that one or multiple unverified accounts involved
> in an incident are sockpuppets, bots, trolls, spammers, vandals, etc, (3)
> detecting or preventing conflict of interest editing.
>
> TWITTER ACCOUNT VERIFICATION CONTROVERSY
>
> “Given how much controversy and unhealthy dynamics surrounds verified
> accounts on Twitter, I do not think it is a good idea to copy it.”
>
> Some of the confusion around account verification on Twitter stems from
> misunderstanding. What is the checkmark? What does it mean? What does
> account verification mean when controversial figures’ accounts are
> verified? Some people, for example, misunderstood that it suggested
> endorsement by Twitter. “In July 2016, Twitter announced […] that
> verification ‘does not imply an endorsement.’” [8]
>
> ACCOUNT VERIFICATION AND USER PAGES
>
> “If there's an individual need to establish link between legal identity of
> somebody and their Wiki credentials, there are easy ways to do it – e.g.
> publish a signed message both on wiki user page under the account and on
> the resource known to be controlled by the person, etc.”
>
> System administrators could also configure for users to have an option to
> select for their linked account pages to be hyperlinked to from their user
> pages. Collaboration on Wikipedia articles can be an opportunity to
> socialize and connect on other websites.
>
> REAL NAMES AND SAFETY
>
> “Everywhere online, exposing your real life identity means a possibility
> of real life problems: stalking, harassment, attempts to get someone you
> have a content dispute with fired. And I'm not even theorizing: all the
> above things have happened on Wikipedia, multiple times.”
>
> “Requiring people to take that risk to edit certain pages is not really a
> good thing.”
>
> As aforementioned, system administrative configuration options could
> include allowing verified users to choose whether to display their real
> names or to display their usernames.
>
> Proponents of real-name policies include Mark Zuckerberg. “Facebook’s CEO
> and Founder Mark Zuckerberg defended [Facebook’s real-name policy], saying,
> ‘We know people are much less likely to try to act abusively towards other
> members of our community when they’re using their real names.’ A Pew
> Research study from 2014 supports Zuckerberg’s claim, proving that ‘half of
> those who have experienced online harassment did not know the person
> involved in their most recent incident.’” [9]
>
> SOCIAL MEDIA EXECUTIVES
>
> “Social networks want to have people's confirmed identities so that they
> could sell them to the highest bidder.”
>
> Social networks are in a crisis, as evidenced by recent testimony before
> Congress. Their policies with regard to account verification are genuine
> attempts to solve problems, some described to them by Congress, not gambits
> to acquire more user data. Account verification mitigates sockpuppetry,
> bots, trolls, spam, vandalism, conflicts of interest, fake news,
> disinformation and election interference.
>
> (
> https://www.c-span.org/video/?443543-1/facebook-ceo-mark-zuckerberg-testifies-data-protection
> ,
> https://www.c-span.org/video/?443490-1/facebook-ceo-mark-zuckerberg-testifies-data-protection
> )
>
> WIKISCANNER
>
> “Internet experts, for the most part, have welcomed WikiScanner.” [10]
>
> “Wikipedia co-founder Jimmy Wales spoke enthusiastically about
> WikiScanner, noting in one source that ‘It brings an additional level of
> transparency to what's going on at Wikipedia’ and stating in another that
> it was ‘fabulous and I strongly support it.’ The BBC quoted an unnamed
> Wikipedia spokesperson's praise for the tool in taking transparency ‘to
> another level’ and preventing ‘an organisation or individuals from editing
> articles that they're really not supposed to.’ In responding to the edits
> from the Canadian Ministry of Industry, spokesman for the Wikimedia
> Foundation Jay Walsh noted that neutrality of language and guarding against
> conflicts of interest are two of the central pillars of Wikipedia, adding
> that ‘The edits which should be trusted would come from people who don't
> possess a conflict of interest, in this case, it would be worthwhile saying
> that if someone is making edits from a computer within the government of
> Canada … if it was someone within that ministry, that would theoretically
> constitute a conflict of interest.’ Wales has speculated on a possible
> warning to anonymous editors: ‘When someone clicks on ‘edit,’ it would be
> interesting if we could say, ‘Hi, thank you for editing. We see you're
> logged in from The New York Times. Keep in mind that we know that, and it's
> public information’ … That might make them stop and think.’” [11]
>
>
> [1] https://en.wikipedia.org/wiki/MediaWiki#Sites_using_MediaWiki
> [2] https://en.wikipedia.org/wiki/Category:MediaWiki_websites
> [3] https://en.wikipedia.org/wiki/MediaWiki
> [4]
> https://en.wikipedia.org/wiki/Conflict-of-interest_editing_on_Wikipedia
> [5] https://en.wikipedia.org/wiki/Orangemoody_editing_of_Wikipedia
> [6]
> https://en.wikipedia.org/wiki/Wikipedia:Protection_policy#Semi-protection
> [7]
> https://en.wikipedia.org/wiki/Wikipedia:Protection_policy#Extended_confirmed_protection
> [8] https://en.wikipedia.org/wiki/Twitter#Verified_accounts
> [9]
> https://www.csmonitor.com/Technology/2015/1101/Does-Facebook-s-real-name-policy-really-protect-its-users
> [10] https://www.nytimes.com/2007/08/19/technology/19wikipedia.html
> [11] https://en.wikipedia.org/wiki/WikiScanner#Wikipedia_reaction
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Gergo Tisza
In reply to this post by Adam Sobieski
On Fri, May 4, 2018 at 10:21 PM Adam Sobieski <[hidden email]>
wrote:

> In the scenario, after choosing to verify their name on their Wikipedia
> account, a user logs onto Wikipedia and uses OpenID Connect to link their
> Wikipedia account to multiple verified accounts, for example their Facebook
> and LinkedIn accounts. At the end of the process, we can envision the user
> obtaining a checkmark next to their full name on Wikipedia, their real name
> and a verification icon appearing next to their edits and on their user
> page. There might even be, per user settings, hyperlinks to their Facebook
> and LinkedIn pages on their Wikipedia user page. With such features, we can
> envision allowing groups of users or admins to determine that certain
> articles require a verified account to edit.
>

There has been a fair amount of discussion (mainly after the Essjay affair)
on verified expert accounts on English Wikipedia, but ultimately the idea
has been rejected. You can read about it at [1].
As others have noted, account linking is a fairly minor convenience for
having verified real-life identities; if there was any intent to make that
happen it would have happened regardless of software support.

Having non-public account linking (as an antispam measure that has better
user experience than captchas) is a more feasible idea IMO; I wrote some
thoughts on that at [2].

If you just want public links to verified accounts in MediaWiki (as opposed
to Wikipedia / other Wikimedia projects), there is nothing stopping you;
you should propose a patch to the OpenID Connect maintainer (all it takes
is probably just adding a hook such as GetPreferences to display the
information at the appropriate place) or write your own extension.

[1] https://en.wikipedia.org/wiki/Wikipedia:There_is_no_credential_policy
[2] https://www.mediawiki.org/wiki/User:Tgr_(WMF)/external_login
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
Gergo,



In response to some discussion, I now consider there to be two distinct topics: (1) MediaWiki software should provide configurable OpenID Connect features for account verification and account linking, (2) Wikipedia should utilize and configure such features at all, in a certain way or have a certain policy.



With respect to topic one, MediaWiki software, there are dozens of projects at and outside of the Wikimedia Foundation which utilize MediaWiki software. There is also an OpenID Connect extension: https://www.mediawiki.org/wiki/Extension:OpenID_Connect .



With respect to topic two, Wikipedia, account verification features and resultant options and tools for administrators mitigate a number of problems, including but not limited to: sockpuppetry [1][2][3], multiple accounts [4], conflict of interest editing [5][6], advocacy editing [7], propaganda [8], bots [9], griefing [10], trolling [11], spamming, vandalism [12], fake news [13][14], misinformation [13][14] / disinformation [14], political manipulation and election interference.



While data is scarce with regard to the number of occurrences of each on Wikipedia, we can see that the administrative processes of mitigating sockpuppetry, for instance, are costly and continual, investigations occurring daily [3].



To indicate the importance of the problems listed above, I am searching for more Wikimedia Foundation materials [14].



Thank you for the hyperlinks. Those interested in the future of credentials technology might find the W3C Credentials Community Group interesting (https://www.w3.org/community/credentials/).





Best regards,

Adam



[1] https://en.wikipedia.org/wiki/Wikipedia:Sock_puppetry

[2] https://en.wikipedia.org/wiki/Wikipedia:Signs_of_sock_puppetry

[3] https://en.wikipedia.org/wiki/Wikipedia:Sockpuppet_investigations

[4] https://en.wikipedia.org/wiki/Wikipedia:Username_policy#Using_multiple_accounts

[5] https://en.wikipedia.org/wiki/Wikipedia:Conflict_of_interest

[6] https://en.wikipedia.org/wiki/Conflict-of-interest_editing_on_Wikipedia

[7] https://en.wikipedia.org/wiki/Wikipedia:Advocacy

[8] https://en.wikipedia.org/wiki/Wikipedia:Propaganda

[9] https://en.wikipedia.org/wiki/Wikipedia:Bot_policy

[10] https://en.wikipedia.org/wiki/Wikipedia:Griefing

[11] https://meta.wikimedia.org/wiki/What_is_a_troll%3F

[12] https://en.wikipedia.org/wiki/Wikipedia:Vandalism

[13] https://blog.wikimedia.org/2017/07/17/misinformation-fake-news-censorship/

[14] https://meta.wikimedia.org/wiki/Strategy/Wikimedia_movement/2017/Sources/Considering_2030:_Misinformation,_verification,_and_propaganda



________________________________
From: Wikitech-l <[hidden email]> on behalf of Gergo Tisza <[hidden email]>
Sent: Tuesday, May 8, 2018 6:33:24 AM
To: Wikimedia developers
Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect

On Fri, May 4, 2018 at 10:21 PM Adam Sobieski <[hidden email]>
wrote:

> In the scenario, after choosing to verify their name on their Wikipedia
> account, a user logs onto Wikipedia and uses OpenID Connect to link their
> Wikipedia account to multiple verified accounts, for example their Facebook
> and LinkedIn accounts. At the end of the process, we can envision the user
> obtaining a checkmark next to their full name on Wikipedia, their real name
> and a verification icon appearing next to their edits and on their user
> page. There might even be, per user settings, hyperlinks to their Facebook
> and LinkedIn pages on their Wikipedia user page. With such features, we can
> envision allowing groups of users or admins to determine that certain
> articles require a verified account to edit.
>

There has been a fair amount of discussion (mainly after the Essjay affair)
on verified expert accounts on English Wikipedia, but ultimately the idea
has been rejected. You can read about it at [1].
As others have noted, account linking is a fairly minor convenience for
having verified real-life identities; if there was any intent to make that
happen it would have happened regardless of software support.

Having non-public account linking (as an antispam measure that has better
user experience than captchas) is a more feasible idea IMO; I wrote some
thoughts on that at [2].

If you just want public links to verified accounts in MediaWiki (as opposed
to Wikipedia / other Wikimedia projects), there is nothing stopping you;
you should propose a patch to the OpenID Connect maintainer (all it takes
is probably just adding a hook such as GetPreferences to display the
information at the appropriate place) or write your own extension.

[1] https://en.wikipedia.org/wiki/Wikipedia:There_is_no_credential_policy
[2] https://www.mediawiki.org/wiki/User:Tgr_(WMF)/external_login
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Kaartic Sivaraam
On Tuesday 08 May 2018 07:57 PM, Adam Sobieski wrote:
> In response to some discussion, I now consider there to be two distinct topics: (1) MediaWiki software should provide configurable OpenID Connect features for account verification and account linking, (2) Wikipedia should utilize and configure such features at all, in a certain way or have a certain policy.
>

I think Gergo has made a valid and strong point by pointing out a
decision that has already been made [0].

Regardless, you might be very interested in finding a conclusion to a
long-standing problem. Unfortunately, this doesn't seem to be the right
place to discuss this (as already noted by someone else on this thread).
Try discussing this in the "Wikimedia Forum" [1] or the "Village pump of
enwiki" [2] and similar pages on other projects. You would get a better
discussion there.

[0]: https://en.wikipedia.org/wiki/Wikipedia:There_is_no_credential_policy

[1]: https://meta.wikimedia.org/wiki/Wikimedia_Forum

[2]: https://en.wikipedia.org/wiki/Wikipedia:Village_pump


--
Sivaraam

QUOTE:

“The most valuable person on any team is the person who makes everyone
else on the team more valuable, not the person who knows the most.”

      - Joel Spolsky


Sivaraam?

You possibly might have noticed that my signature recently changed from
'Kaartic' to 'Sivaraam' both of which are parts of my name. I find the
new signature to be better for several reasons one of which is that the
former signature has a lot of ambiguities in the place I live as it is a
common name (NOTE: it's not a common spelling, just a common name). So,
I switched signatures before it's too late.

That said, I won't mind you calling me 'Kaartic' if you like it [of
course ;-)]. You can always call me using either of the names.


KIND NOTE TO THE NATIVE ENGLISH SPEAKER:

As I'm not a native English speaker myself, there might be mistaeks in
my usage of English. I apologise for any mistakes that I make.

It would be "helpful" if you take the time to point out the mistakes.

It would be "super helpful" if you could provide suggestions about how
to correct those mistakes.

Thanks in advance!


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
My thanks to all for an interesting discussion / debate. I hope that those who participated also enjoyed the exchange of ideas.

Those so interested are expressly welcomed to contribute on the encyclopedia article(s) Account Verification (https://en.wikipedia.org/wiki/Account_verification) and a potential Account Verification on Wikipedia section or article where I will collate and summarize our discussion and what I learned during it. I will be sure to reference content utilized in our discussion (e.g. [1]).


Best regards,
Adam

P.S.: My thanks again to Gergo. I may take Gergo up on petitioning the MediaWiki OpenID Connect team with regard to these highly configurable features or myself contributing to the MediaWiki codebase (https://www.mediawiki.org/wiki/Developer_hub). I do write software and know PHP.

[1] https://en.wikipedia.org/wiki/Wikipedia:There_is_no_credential_policy

From: Kaartic Sivaraam<mailto:[hidden email]>
Sent: Tuesday, May 8, 2018 1:26 PM
To: Wikimedia developers<mailto:[hidden email]>; Adam Sobieski<mailto:[hidden email]>
Subject: Re: [Wikitech-l] MediaWiki and OpenID Connect

On Tuesday 08 May 2018 07:57 PM, Adam Sobieski wrote:
> In response to some discussion, I now consider there to be two distinct topics: (1) MediaWiki software should provide configurable OpenID Connect features for account verification and account linking, (2) Wikipedia should utilize and configure such features at all, in a certain way or have a certain policy.
>

I think Gergo has made a valid and strong point by pointing out a
decision that has already been made [0].

Regardless, you might be very interested in finding a conclusion to a
long-standing problem. Unfortunately, this doesn't seem to be the right
place to discuss this (as already noted by someone else on this thread).
Try discussing this in the "Wikimedia Forum" [1] or the "Village pump of
enwiki" [2] and similar pages on other projects. You would get a better
discussion there.

[0]: https://en.wikipedia.org/wiki/Wikipedia:There_is_no_credential_policy

[1]: https://meta.wikimedia.org/wiki/Wikimedia_Forum

[2]: https://en.wikipedia.org/wiki/Wikipedia:Village_pump


--
Sivaraam

QUOTE:

“The most valuable person on any team is the person who makes everyone
else on the team more valuable, not the person who knows the most.”

      - Joel Spolsky


Sivaraam?

You possibly might have noticed that my signature recently changed from
'Kaartic' to 'Sivaraam' both of which are parts of my name. I find the
new signature to be better for several reasons one of which is that the
former signature has a lot of ambiguities in the place I live as it is a
common name (NOTE: it's not a common spelling, just a common name). So,
I switched signatures before it's too late.

That said, I won't mind you calling me 'Kaartic' if you like it [of
course ;-)]. You can always call me using either of the names.


KIND NOTE TO THE NATIVE ENGLISH SPEAKER:

As I'm not a native English speaker myself, there might be mistaeks in
my usage of English. I apologise for any mistakes that I make.

It would be "helpful" if you take the time to point out the mistakes.

It would be "super helpful" if you could provide suggestions about how
to correct those mistakes.

Thanks in advance!


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Andre Klapper-2
On Wed, 2018-05-09 at 00:12 +0000, Adam Sobieski wrote:
> My thanks to all for an interesting discussion / debate. I hope that
> those who participated also enjoyed the exchange of ideas.
>
> Those so interested are expressly welcomed to contribute on the
> encyclopedia article(s) Account Verification (https://en.wikipedia.or
> g/wiki/Account_verification) and a potential Account Verification on
> Wikipedia section or article where I will collate and summarize our
> discussion and what I learned during it. I will be sure to reference
> content utilized in our discussion (e.g. [1]).

A potential Account Verification on [English] Wikipedia article already
exists and you already linked to it:

> [1] https://en.wikipedia.org/wiki/Wikipedia:There_is_no_credential_policy

Cheers,
andre
--
Andre Klapper | Wikimedia Bugwrangler
https://blogs.gnome.org/aklapper/


_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

Adam Sobieski
A quick update: I moved a summary of our discussion from the encyclopedic content at the Account Verification article to an essay: https://en.wikipedia.org/wiki/Wikipedia:Account_Verification .


Best regards,
Adam Sobieski
http://www.phoster.com/contents/

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: MediaWiki and OpenID Connect

David Barratt
Although... while I don't think we should encourage private data
disclosure, if people want to discluse that data, I think it should be
structured.

Therefor, I think global users should be Wikibase items on Meta
https://phabricator.wikimedia.org/T173145

This would allow people to expose data they are already exposing on their
user page in a structured system.

On Thu, May 10, 2018 at 10:53 PM Adam Sobieski <[hidden email]>
wrote:

> A quick update: I moved a summary of our discussion from the encyclopedic
> content at the Account Verification article to an essay:
> https://en.wikipedia.org/wiki/Wikipedia:Account_Verification .
>
>
> Best regards,
> Adam Sobieski
> http://www.phoster.com/contents/
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l