Trust and Safety Product/IP Info

Our goal is to make it easier for admins and patrollers to access information about IP addresses.

A lot of on-wiki anti-abuse workflows heavily rely on information revealed by IP addresses. This information may affect the way an editor interacts with an unregistered user. At the moment, retrieving and understanding this information is not an easy task.

This project is a step towards improving support for the anti-abuse task forces. We hope it will be very useful as we move forward on the Temporary accounts project.

There is a legal policy regulating how this tool may be used. As a condition of access, users must agree to the that policy.

What the feature looks like and who has access to it

This information doesn't reflect the current settings but will soon be correct (T375086).

IP Info is available for some logged-in users. It is displayed in a box on the Special:Contributions page of unregistered editors. An abridged version is accessible via a popup on log, history, and recent changes pages.

For detailed information on who has access, see Access to Temporary Account IP Addresses Policy.

IP reveal log

A log is kept of queries made using the IP Information tool and how the information was accessed. Access to this log is limited to Foundation staff and certain advanced user groups. The following is an example of what is logged:

  • 10 May 2022 User:A viewed limited IP Information popup for 1.1.1.1
  • 10 May 2022 User:B viewed full IP Information popup for 2.2.2.2
  • 10 May 2022 User:C viewed limited IP Information infobox for 3.3.3.3
  • 10 May 2022 User:D viewed full IP Information infobox for 4.4.4.4

Information available

Please note that IP information is not guaranteed to be correct. It is for the most part based on the relevant IP information provider's own good faith efforts to identify and classify activity (from these IP addresses / IP address ranges) which it has observed across the wider Internet.

Field Source Description Where accessible
Location Maxmind The geographic location associated with the IP address. Popup and Special:Contributions
ISP Maxmind The Internet Service Provider associated with the IP address. Popup and Special:Contributions
ASN Maxmind The autonomous system number associated with the IP address. Special:Contributions
Organization Maxmind The organization operating this IP address (may differ from ISP). Special:Contributions
Version Parsed by MediaWiki IP address version v4 or v6. Special:Contributions
Behaviors Spur - client.behaviors Specific types of activity which devices have engaged in or have been previously affiliated with, using this IP address. Special:Contributions
Risks Spur - risks Risks that Spur has determined based on their collection of data. These risks vary and will matter differently based on specific use-cases of Spur Context data. Special:Contributions
Connection type Spur - client.types The different types of client devices that have been observed using this IP address. Special:Contributions
Tunnel operator Spur-tunnels.operator The provider or operator of the VPN service that this IP address has been associated with. Special:Contributions
Proxies Spur - client.proxies Proxies that have been observed using this IP address. This does not mean that all traffic from this IP address is associated with this proxy network, since the IP address may be in use by both proxied and non-proxied traffic. Special:Contributions
Users on this IP Spur - client.count The average number of clients that have been observed on this IP address. It takes into account all activity from this IP address. This is calculated over a 24 hour period. Special:Contributions
Active blocks On-wiki data The number of active blocks against this IP address. Popup and Special:Contributions
Contributions On-wiki data The number of wiki edits made from this IP address. Popup and Special:Contributions

Updates

: Functionality changes and graduating the feature out of beta

IP info became available on all wikis as a beta feature in 2022. Since then, it has gone through a lot of changes:

  • Spur as an additional data source. Initially, data about IP addresses was mostly coming from Maxmind, and was supplemented by our own on-wiki data. In the previous update from May 2022, we mentioned that we were contacting Spur, another source of information about IP addresses. Since then, we have integrated their data into IP Info, and currently, our feature uses Maxmind, Spur, and on-wiki information. For a detailed description on what data comes from which source, see T341395.
  • A lot of development was part of our broader work on temporary accounts (T340895). Here is an overview of the most important changes:
    • Full or no information. There have been two levels of access to the IP Info data: Basic and Advanced. We have decided to align this with the settings making it possible for experienced users to see IP addresses of temporary accounts. Everyone meeting the requirements defined in the Access to Temporary Account IP Addresses Policy will have full access to the IP Info data, and those not meeting the requirements will simply not have access to IP info. (T375086)
    • Special:IPInfo. Many IP addresses may be associated with a given temporary account. We are building a new special page to address this. It will show tabulated IP data for a temporary user where each row will display information for an IP address. This page will be linked from the the Contributions page. (T349534)
    • IP Info on Special:Contributions for temporary accounts. When viewing Special:Contributions for a temporary account, users with access to IP Info data will have information about the IP address used most recently by the temporary account. (T349715)
    • The IP Info popup is displayed next to IP addresses. On wikis with temporary accounts enabled, the IP Info popup will be displayed also next to temporary account names. (T349716) In the popup, a help link will be displayed to help users understand better what the feature is and what it offers exactly. Most likely, the project page will be linked there. (T375090)
  • Graduating out of beta. We no longer need to keep IP Info as a beta feature and have decided to make it a regular part of the interface. It will be useful for all logged-in users checking IP address data to moderate and maintain the wiki. (T356660)

Background

Problem and solution

Before IP Info, when editors wanted to learn about an IP address, they would sometimes need to refer to external, proprietary websites. They would often consult more than one website to cross-check the data or to get all the different pieces of information they needed to do their work. Often an editor would spend a lot of time and energy looking up the data they want to see. We heard about these issues when we asked users about their workflows.

The idea was to provide this data on the Wikimedia wikis, so that editors wouldn't need to go to external websites. This includes surfacing information like:

  • High-level location information about an IP address
  • Owner of the IP address
  • Whether the IP address is known to be behind a proxy or Tor node
  • Whether the IP address is considered malicious by other websites

Benefits and risks

Expand to read 

Benefits

  • Easier patrolling: Patrollers don't need to copy-paste IP addresses to external tools. They also don't need to extract the information. This means lesser manual work.
  • Faster patrolling: It saves patrollers' time by giving them the information they need readily in the interface.
  • Higher reliability: The Foundation can have contracts with providers of reliable datasets, which are translated and updated regularly. This feature may be more reliable than some websites users were dependent on.
  • Lower technical barriers: It is useful for new admins and checkusers. Now, they don't need to have a very good understanding of how to extract information from IP addresses.

Risks

  • Privacy risk: Not everyone is aware of what an IP address string reveals. Many people don't know that unregistered editing leaves a fingerprint which can be used to track them. A lot of registered editors do not know this either. This leads to unintentional privacy for unregistered users (Security through obscurity). Depending on who gets to see the information exposed by this feature, there is a risk of more users seeing the data than before.

How do the communities use IP address information?

Expand to read 

Anti-vandalism

See also: Research:Patrolling on Wikipedia/Report

Single-address blocks bar a single IP address from editing. Administrators can also block IP ranges. This is helpful for dynamic IPs or covering a small range often used for vandalism. To assess collateral damage, administrators should check the coverage of ranges they intend to block.

How administrators handle certain IP blocks depends on the type of address. For example, they handle an edit from an IP address coming from a residential area differently to an edit from an IP registered to a government. If an IP address is registered to a school or a university, administrators apply dedicated templates. If the institution was blocked before, they instruct how to contact them. Then, they help the institution get around the block. These templates can also be used pre-emptively. The goal may be to clear up potential confusion at receiving messages not meant for the user. Another goal may be to point to features only available to registered users.

The IP blocking workflow relies on some IP information. This usually is the registered organization, geographic location, and autonomous system number. This information comes from third-party IP information providers, with no standard service. There are different degrees of accuracy and reliability.

IP addresses are also used in AbuseFilter to make very specific blocks. The goal is highlight some abuse without disrupting the experience of regular users.

IP information is also used by CheckUsers. In particular, they use it whe they deal with alternate account abuse (sockpuppeting). Their tools allow access to potentially-identifying information tied to accounts. These usually do not have their IP addresses exposed.

Anonymity and anonymous editing

Researchers have attempted to determine the effects of unregistered editing on the projects. They have focused on links between anonymity and vandalism. In principle, unregistered users make large portions of constructive edits. A 2013 study noted that about 100,000 anonymous editors made roughly a third of the edits counted in that month. A 2016 study showed that unregistered users "contribute substantially to overall productivity".

No project has disallowed all unregistered user edits. But unregistered users are restricted in what types of contributions they can make. For example, they cannot start new articles or upload files on most of our projects. What's more, there is no guarantee that the person behind a given IP address will be the same every time. This makes it difficult for unregistered users to communicate. It also prevents them from joining their wikis' communities.

Research

Researchers sometimes use IP addresses to learn about the editing practices of users in a given geographic area. Researchers generally only use aggregate information from IPs.

Get in touch