
Mailing List Archive: Wikipedia: Wikitech

Anonymous user id on wikipedia?

 

 



awight at wikimedia

Dec 18, 2012, 10:57 AM

Post #1 of 11 (1302 views)
Anonymous user id on wikipedia?

I've been digging around in our cookie jar, as part of my work with
Fundraising, and I have a few questions about the cookies we set on
anonymous users.

First, I am deeply impressed with the care we have taken to respond to
the community's privacy concerns, and after first-hand experience
negotiating with our lawyers to implement an additional cookie, I think
that WMF deserves its place as a model to the rest of the internet. I
would like to help clean up or at least explain the few oversights I
identify below, so that we can be fully confident that we are doing
everything we can to prevent abuse of our visitors' privacy.

1) Anonymous users are given a 1-year cookie which uniquely identifies
them. After logging out and clearing all cookies from my browser, I
visited en.wikipedia.org and received this cookie. Why would an
anonymous user be given an identifying token?
> mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18
> Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org

2) Anonymous users are enrolled in clicktracking. I was surprised
because the extension page at
http://www.mediawiki.org/wiki/Extension:ClickTracking specifies that it
affects "users", and I think it should very explicitly state that it
affects "logged-in users and anonymous visitors" if that is really the
intention.
> clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/;
> domain=en.wikipedia.org

3) Registered users' cookies are not cleared at logout. This seems like
a pretty basic fix.
> enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/;
> domain=en.wikipedia.org; Secure; HttpOnly

Ideally, an anonymous user, whether or not they have ever been logged in
as a registered user, will not transmit any personally identifying
information in their requests. All three of these cookies violate that
principle. I have not found any public debate on the issue; hopefully
others are interested in this topic.

Regards,
Adam Wight

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/wikitech-l


tylerromeo at gmail

Dec 18, 2012, 12:28 PM

Post #2 of 11 (1268 views)
Re: Anonymous user id on wikipedia?

1) This I have no idea about, but it's definitely not in the core, because
my test wiki doesn't set this cookie. It has to be an extension.

2) "users" does not imply "logged-in users". The extension page says it
tracks users' clicks, which is accurate as that is exactly what it does. If
it meant to say only logged in users, it would have said that. However, it
may be wise for a functionality to be introduced in that extension that
does actually restrict clicktracking to only logged in users if configured
that way. On the other hand, this isn't a privacy issue since it does not
associate the user's tracking with their identity in any way (even when
logged in, the clicktracking session is separate from their actual session).

3) That is done on purpose. It's a convenience feature. Notice how when you
logout and then go back to the login page that your username is already
filled in for you. AFAIK, it isn't used in any way by MediaWiki to identify
the user.

*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo [at] gmail





pleasestand at live

Dec 18, 2012, 1:41 PM

Post #3 of 11 (1281 views)
Re: Anonymous user id on wikipedia?

On 12/18/2012 03:28 PM, Tyler Romeo wrote:
> 1) This I have no idea about, but it's definitely not in the core, because
> my test wiki doesn't set this cookie. It has to be an extension.

Merely calling the mediaWiki.user.id() JavaScript function, which was
introduced into core MediaWiki in
https://www.mediawiki.org/wiki/Special:Code/MediaWiki/78539 , sets the
one-year cookie. Nothing in core MW (except for the corresponding QUnit
test) actually uses the function.

However, the following code in
extensions/E3Experiments/experiments/openTask.js does call that
function. I can confirm this code is executed merely by loading
Wikipedia's Main Page.

    // FIXME for anons, calling mw.user.id() simply ensures the
    // "mediaWiki.user.id" cookie is set, if it isn't already.
    if ( !$.cookie( 'mediaWiki.user.id' ) ) {
        if ( mw.user.id() === mw.user.getName() ) {
            $.cookie( 'mediaWiki.user.id', generateId(), { expires: 365, path: '/' } );
        }
    }

> 3) That is done on purpose. It's a convenience feature. Notice how when you
> logout and then go back to the login page that your username is already
> filled in for you. AFAIK, it isn't used in any way by MediaWiki to identify
> the user.

Even if you do not check "Remember my login on this browser", the
username is saved for 180 days (which, by the way, is four times the
duration set out in the WMF privacy policy). As far as I can tell, this
"feature" has existed at least since the phase3 reorg in 2003, if not
before then.

--
Wikipedia user PleaseStand
http://en.wikipedia.org/wiki/User:PleaseStand



ori at wikimedia

Dec 18, 2012, 3:46 PM

Post #4 of 11 (1280 views)
Re: Anonymous user id on wikipedia?

Dario attempted to respond but mailman is bouncing his message. Posting on his behalf.

From: Dario Taraborelli <dtaraborelli [at] wikimedia>
Subject: Re: [Wikitech-l] Anonymous user id on wikipedia?
Date: December 18, 2012 2:09:56 PM PST
To: Wikimedia developers <wikitech-l [at] lists>

To further clarify the use of this randomly assigned token, we use mediawiki.user.id to count client events that occur as part of a given funnel. For example: we count impressions, button clicks or submit events to measure whether an experimental version of a feature has a higher conversion rate than the default version. We rely on tokens to be able to deduplicate event counts and make sure that when users reload a form multiple times this doesn't affect conversion measurements. These measurements are being used to optimize feature design and to assess the impact of small experiments run by the Foundation's editor engagement teams.

As Kevin notes, the cookie is set by the mw.user.id() function – which you can call and test in your browser's JS console – and it persists across browser sessions. The function is currently called by a number of extensions that need to set a token and assign users to a bucket or test condition as part of testing.

Dario


--
Ori Livneh




bawolff+wn at gmail

Dec 18, 2012, 3:50 PM

Post #5 of 11 (1263 views)
Re: Anonymous user id on wikipedia?

On Tue, Dec 18, 2012 at 5:41 PM, Kevin Israel <pleasestand [at] live> wrote:

>
> Even if you do not check "Remember my login on this browser", the
> username is saved for 180 days (which, by the way, is four times the
> duration set out in the WMF privacy policy). As far as I can tell, this
> "feature" has existed at least since the phase3 reorg in 2003, if not
> before then.

Not really. The cookie expiration was bumped to 180 days back in
August of 2011. Before that we had a shorter expiry. See
https://www.mediawiki.org/wiki/Special:Code/MediaWiki/94430 . Given
that the user has to agree to the remember me function, I do not feel
this is a privacy concern.

> Ideally, an anonymous user, whether or not they have ever been logged in
> as a registered user, will not transmit any personally identifying
> information in their requests.

I'm not sure, but I thought I heard somewhere that we give logged out
users cookies to ensure that some local caching is invalidated.

-bawolff



tylerromeo at gmail

Dec 18, 2012, 6:12 PM

Post #6 of 11 (1267 views)
Re: Anonymous user id on wikipedia?

>
> I'm not sure, but I thought I heard somewhere that we give logged out
> users cookies to ensure that some local caching is invalidated.

This is true. I believe it has to do with Squid and how it uses cookies to
determine whether to serve a cached page or not.

I'm a little uneasy about this tracking, but I can understand the
reasoning behind it.

*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo [at] gmail





mflaschen at wikimedia

Dec 18, 2012, 8:07 PM

Post #7 of 11 (1264 views)
Re: Anonymous user id on wikipedia?

On 12/18/2012 06:50 PM, bawolff wrote:
> On Tue, Dec 18, 2012 at 5:41 PM, Kevin Israel <pleasestand [at] live> wrote:
>
>>
>> Even if you do not check "Remember my login on this browser", the
>> username is saved for 180 days (which, by the way, is four times the
>> duration set out in the WMF privacy policy). As far as I can tell, this
>> "feature" has existed at least since the phase3 reorg in 2003, if not
>> before then.
>
> Not really. The cookie expiration was bumped to 180 days back in
> August of 2011. Before that we had a shorter expiry. See
> https://www.mediawiki.org/wiki/Special:Code/MediaWiki/94430 . Given
> that the user has to agree to the remember me function, I do not feel
> this is a privacy concern.

No, I tested and Kevin is correct. The "remember me" controls whether
the user_token cookie is set:
https://www.mediawiki.org/wiki/Manual:User_table#user_token . In
practice, this means you will be logged in for 180 days.

But even if you don't check it, your username and user id (but not
password or "being logged in") will be cached in a cookie for 180 days.

I believe the relevant code starts at
https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes/User.php;h=28ff63004797bdf8c1bcb1696a7526f294b3a283;hb=refs/heads/master#l2845
.

I have reported the 30 v. 180 discrepancy to legal [at] wikimedia

Matt Flaschen



tylerromeo at gmail

Dec 18, 2012, 9:47 PM

Post #8 of 11 (1261 views)
Re: Anonymous user id on wikipedia?

Maybe I'm missing something, but where is the 180 days number coming from?
When User::setCookies() sets the cookies, it gives it no expiry, so in
reality the cookie persists until the browser removes it.

*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo [at] gmail





pleasestand at live

Dec 18, 2012, 10:03 PM

Post #9 of 11 (1264 views)
Re: Anonymous user id on wikipedia?

On 12/19/2012 12:47 AM, Tyler Romeo wrote:
> Maybe I'm missing something, but where is the 180 days number coming from?
> When User::setCookies() sets the cookies, it gives it no expiry, so in
> reality the cookie persists until the browser removes it.

From User::setCookies():

    foreach ( $cookies as $name => $value ) {
        if ( $value === false ) {
            $this->clearCookie( $name );
        } else {
            $this->setCookie( $name, $value, 0, $secure );
        }
    }

From the doc comment for User::setCookie():

    @param $exp Int Expiration time, as a UNIX time value; if 0 or not
    specified, use the default $wgCookieExpiration

From WebResponse::setcookie():

    if ( $expire == 0 ) {
        $expire = time() + $wgCookieExpiration;
    }

From DefaultSettings.php:

    $wgCookieExpiration = 180*86400;

--
Wikipedia user PleaseStand
http://en.wikipedia.org/wiki/User:PleaseStand



mflaschen at wikimedia

Dec 18, 2012, 10:07 PM

Post #10 of 11 (1263 views)
Re: Anonymous user id on wikipedia?

On 12/19/2012 12:47 AM, Tyler Romeo wrote:
> Maybe I'm missing something, but where is the 180 days number coming from?
> When User::setCookies() sets the cookies, it gives it no expiry, so in
> reality the cookie persists until the browser removes it.

Here
(https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes/User.php;h=28ff63004797bdf8c1bcb1696a7526f294b3a283;hb=refs/heads/master#l2864)
User::setCookies calls User::setCookie (singular) with expiration 0 for
UserID and UserName. I don't know where you see no expiration.

However, User::setCookie
(https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes/User.php;h=28ff63004797bdf8c1bcb1696a7526f294b3a283;hb=refs/heads/master#l2794)
itself says "if 0 or not specified, use the default $wgCookieExpiration"

It actually calls WebResponse::setcookie
(https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob;f=includes/WebResponse.php;h=e4677380f4d61a7b45fcdaa922c199499ac2a712;hb=refs/heads/master#l41).
Both User::setCookie and WebResponse::setcookie default the $exp if it
is not passed in, though it is in this case. setcookie does that
expiration logic.

0 corresponds to expire = time() + $wgCookieExpiration.

I don't see any way there can be an infinite cookie.

Matt Flaschen



tylerromeo at gmail

Dec 18, 2012, 11:21 PM

Post #11 of 11 (1263 views)
Re: Anonymous user id on wikipedia?

Ah, I see. Thanks for the explanation. It's a bit misleading, because in
PHP's actual setcookie function, using 0 as the expiry makes it expire at
the end of the session.

*--*
*Tyler Romeo*
Stevens Institute of Technology, Class of 2015
Major in Computer Science
www.whizkidztech.com | tylerromeo [at] gmail
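
Added example, not part of the thread and not MediaWiki code: a small audit of the three Set-Cookie headers quoted in the first post, together with the two meanings of an expiry of 0 discussed above (wrapper default versus PHP's native session cookie). The observation time, the 30-day limit (taken from the "30 v. 180" figure in the thread) and all function names are assumptions.

```javascript
// Added example, not MediaWiki code. Headers are the ones quoted in the first
// post; OBSERVED_AT and the 30-day limit are assumptions for illustration.
const DAY = 86400; // seconds

const SAMPLE_HEADERS = [
  'mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org',
  'clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org',
  'enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly',
];
// Assumed time the responses were received (UNIX seconds).
const OBSERVED_AT = Date.parse('Tue, 18 Dec 2012 18:25:38 GMT') / 1000;

// Model of the wrapper behaviour described in the thread: an expiry argument
// of 0 is replaced by now + default lifetime (180*86400 in DefaultSettings.php).
function wrapperExpiry(exp, now, defaultLifetime = 180 * DAY) {
  return exp === 0 ? now + defaultLifetime : exp;
}

// Model of PHP's native setcookie(): 0 means no expiry is sent, so the
// browser keeps the cookie only for the session. null = session cookie.
function nativeExpiry(exp) {
  return exp === 0 ? null : exp;
}

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts.length ? parts[0].indexOf('=') : -1;
  if (eq < 1) return null; // not a name=value pair
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : p.slice(i + 1);
  }
  return cookie;
}

// Lifetime in whole days relative to the observation time; null for session
// cookies. Max-Age takes precedence over Expires (RFC 6265).
function lifetimeDays(cookie, observedAt) {
  const maxAge = Number(cookie.attrs['max-age']);
  if (cookie.attrs['max-age'] !== undefined && Number.isFinite(maxAge)) {
    return Math.floor(maxAge / DAY);
  }
  if (cookie.attrs.expires === undefined) return null;
  const expires = Date.parse(cookie.attrs.expires) / 1000;
  return Number.isNaN(expires) ? null : Math.floor((expires - observedAt) / DAY);
}

// Report, per cookie, whether it outlives the session and the policy limit.
function audit(headers, observedAt, maxDays) {
  return headers.map(parseSetCookie).filter(Boolean).map((c) => {
    const days = lifetimeDays(c, observedAt);
    const persistent = days !== null;
    return { name: c.name, days, persistent, overLimit: persistent && days > maxDays };
  });
}

for (const row of audit(SAMPLE_HEADERS, OBSERVED_AT, 30)) {
  const life = row.persistent ? `${row.days} days` : 'session';
  console.log(`${row.name}: ${life}${row.overLimit ? ' (over limit)' : ''}`);
}
```

The clicktracking-session cookie carries no expires attribute, so it is reported as a session cookie rather than as a persistent one within the limit.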


