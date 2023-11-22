Background:
There are many reasons for wishing to post as Anonymous Coward (AC). Almost all of them can be divided into 1 of 2 groups: those wishing to protect their identity so that they are not leaving a searchable trail of their views or personal data on the internet, or those not wishing to be held responsible for their actions. The problem that SoylentNews faces is that they are all treated the same by the site software. This has meant that the majority of ACs are now having to suffer an exclusion ban preventing them from participating in the full site because of the actions and behaviour of a small but significant minority.
This proposal is intended to outline a method by which ACs could regain access to all areas of the site while maintaining their anonymity.
The ban was imposed reluctantly and I have been seeking a solution to the problem. I believe that I may have identified such a solution but if it is not acceptable to our community (including ACs) then it can go no further. I wish to outline my proposal here and leave it open to comments to see if it can be at least part of the solution.
There is nothing inherently wrong in anonymity but it does cause problems for sites such as ours. The site can only treat individual ACs differently if it can identify them as different entities. This does not require any personal information but there has to be something that makes AC[0] different from AC[1]...AC[n]. Whereas IP hashes were once a practical solution they are no longer as effective as they were in 2014 for various reasons, including the increasing adoption of IPv6 and the widespread use of TOR and VPNs. The only other 'personal' information that the site held was an optional email contact address. This too is no longer valid because ACs fear that they will be identified by someone or some organisation and held to account for their views sometime in the future. As things stand, ACs have to be treated as a single account.
There has to be a token of some kind which is provided by the AC to the site. There is no avoiding this fact. The token must not be relatable to any real person or account because there will always be a fear that it could be used against them. Therefore the token must be generated by the ACs themselves so that they have complete trust in it and know that it contains nothing that will provide a link to them.
In the outline below, specific formats or time periods are simply examples. They can be changed to suit as circumstances dictate.
Assumptions:
ACs will continue to have full and free access to journals. Some of those ACs may also want to participate in the discussions on the main site as fully as possible, including perhaps the ability to moderate other comments and receive karma.
Theoretical outline:
The AC will create their own token in a specific format (I suggest a SHA256 hash) using any method they wish. They will then know how that token was generated and can be assured that it contains no other information. The SHA256 hash has been chosen to ensure that it has a reasonable chance of being unique and to make it impractical for an attacker to mount a brute force attack.
If an AC wishes to participate in main site stories he must register the token that he has generated with the site. This will be done through a web page and the only information that will be required is the token. The web page would also provide a randomly generated token if the AC does not know how to create one themself, but this will only be created if a button requesting one is pressed. The web page will acknowledge receipt of the token, display it on the screen and allow the AC to copy/paste it, or verify that it is the same that he intended to input, and record it in a safe place. The only information that the site will hold is the token. If the token is lost or corrupted by the AC then the site can do nothing to help recover it as it does not know to which AC it belongs. The AC alone is responsible for the security of the token.
There will then be a waiting period of a predetermined duration before the token will be activated on the site. Perhaps several days or even a week or two. This is to prevent 'drive-by' abuse of the front page stories. There has to be an 'implied' cost to help combat the requests for repeated tokens, although the delay alone cannot prevent such an occurrence by itself.
Once the waiting period has elapsed, the AC can attempt to comment on main page stories. The first time that they do this the site will prompt the AC for their token and, if accepted, they will receive a cookie which will permit them to comment on stories. The cookie will have a set life - let us assume for the moment that this is 6 hours. Once the cookie has lapsed the procedure will begin again when the AC next attempts to make a comment.
While the cookie is valid the AC can continue to use the site in exactly the same manner as any logged in user. The only information that the site will have is that the token is currently active and what remains of the cookie's period of validity. It will not know any other information. The AC comments will appear exactly as they always have. It will not display any additional information regarding the AC, indeed there is no additional information to display.
Tokens that are not used over an extended period of time (e,g 3 months) will be deleted from the database. This is to prevent a potential bad actor from building up a list of valid tokens that could be subsequently used for a combined attack on the site.
If an AC account is used in any way that contravenes the normal running of the site, including but not limited to excessive Spam posting, personal attacks, threats, intimidation or moderation abuse, then the token can be revoked immediately by the site and to prevent it from being used again.
Possible Weaknesses:
Theoretically there is nothing to prevent an AC from creating multiple tokens. However, experience has shown that there is nothing to gain by doing this unless the tokens are used to abuse the system. Mod bombing, coordinated moderation abuse etc could (and occasionally does) take place with logged in accounts as well. There are procedures and software in place to assist with the detection of such activity. Tokens that remain dormant for an extended period of time will be deleted to help prevent multiple token generation.
The site will know nothing about the identity of the AC so, other than by revoking a token to remove access to the front page, the AC cannot face a permanent ban that would prevent them from accessing some parts of the site. This is exactly the situation we are in today.
Any widespread abuse of the system can be countered by switching the token/cookie authorisation off, thus resulting in ALL ACs being restricted to journals only: this again is the position that they are in today. The main site will always be protected in preference to supporting AC posting.
Additional Advantages:
The proposal ensures that ACs can continue to use TOR or VPNs to further protect their security and anonymity.
ACs who have a valid token could theoretically also create journals, and have moderation rights in journals too if this was thought to be desirable.
As individual ACs will have an internal (but meaningless) identity they can also have moderation points, karma etc. I realise that this is not considered to be of any worth by most ACs but the fact remains that it is a possibility.
What Is Now Required?
I am trying to identify an acceptable solution to a major problem. This is a discussion, and with current resources there is as yet no estimate of when such a system could be introduced to our site. We are not going to invest significant effort if the proposal is unacceptable to our community which includes ACs.
I am not an expert on cryptography, nor will I be the one writing the code if the if this option is eventually implemented. I need people who have more experience than I have in these areas to help solve any problems that exist in this proposal. By all means tell me it will not work if that is the case, but a potential solution is much more valuable to me.
I therefore welcome any comments on the practical aspects of this initiative and, just as importantly, on whether it receives the approval of our AC community. I would hope to see a clear statement indicating how many ACs would use this system if it was to be implemented. Staying silent will have to count as a 'No' vote, I will post this as a Meta and as a Journal entry to gather as many comments as I can. I cannot foresee the site ever returning the the position that existed earlier on this year without some major changes in the way we protect and control access to the discussions on the main pages. This may not be a perfect solution but it is, in my opinion, a practical one at least worth considering and possibly trialling if the software changes required are not too onerous.
(Score: -1, Offtopic) by Anonymous Coward on Saturday November 26, @03:43PM
(Score: 3, Insightful) by MIRV888 on Saturday November 26, @04:15PM (7 children)
Why I personally don't mind if I am identifiable on this page. I appreciate the lengths you go to to allow people to participate anonymously. I do not envy trying to offer anonymity vs trolls & jackasses that ruin a good (and rare) thing.
(Score: 2) by janrinok on Saturday November 26, @04:41PM (5 children)
If the system is abused by a small number of individuals then we can manage that with the software that we already have. If it is more widespread then I wouldn't hesitate to switch the token system off, if it was only my decision to make.
Extensive abuse is very labour intensive to manage and control. We simply haven't got the staff, which was part of the reasoning for simply stopping all AC participation from the main stories. There were other alternatives suggested but nobody stepped forward to make them viable. I would hope that the AC community would also be keen to stop any abusers who might deny them of their desire to participate.
(Score: 4, Interesting) by JoeMerchant on Saturday November 26, @05:00PM (4 children)
If it were my system, I would track the token used to post each AC comment, internally no exposure to the published pages, and if a token is used abusively have the admin option to censor some or all of that token's historical postings from future searchability and publication with an easy to use setting.
This might also be used as a warning system: token user could see their censored material but nobody else does, and the censorship explanation can state that there is a simple start and end setting for the censor control. This is your warning, any further abuse will result in a token censor end date of 2047....
Україна досі не є частиною Росії.
(Score: 2) by janrinok on Saturday November 26, @06:19PM (3 children)
If we think that someone is abusing the system then the token will be revoked. We cannot tell them why - they are anonymous aren't they?
(Score: 2) by JoeMerchant on Saturday November 26, @06:49PM (2 children)
Well, the "tell them why" could be a reply to the censored message which (message and reply) are now only viewable by the holder of the token that posted it. This is my point about limited anonymity: posts would be distinguishable by poster's token to the admins, allowing retroactive censorship based on that token.
It may not meet some ideas of anonymity, but use of the token is pretty much over that line already.
Україна досі не є частиною Росії.
(Score: 2) by janrinok on Saturday November 26, @07:12PM
The token is completely anonymous. It is made by the AC. Only they know how it was made.
(Score: 2) by janrinok on Saturday November 26, @07:53PM
You are getting into the management and control aspects of this proposal. First lets find out if the entire community will accept it. This is just the user side of the proposal. How we manage it is a staff issue.
Essentially, the proposal means that we can create dummy accounts based upon the token and thus manage all accounts the same way while at the same time we are able to react differently to different AC actions - something that we cannot currently do.
All accounts are distinguishable to the admins. Retrospective action has always been possible but the current view is that, unless there are compelling reasons to remove something (assuming that it is possible to remove it which it isn't in many cases), posts should be left in place rather than the site being accused of censorship.
(Score: 4, Insightful) by aafcac on Saturday November 26, @05:56PM
I had stopped posting under a name previously because weeding out the troll responses to anything I posted was too much work. If most of the time the only responses are being flooded out by a bunch of trolling, then there's not much point in having a name attached as it's very hard to have any sort of conversation.
(Score: 4, Interesting) by Anonymous Coward on Saturday November 26, @05:08PM (1 child)
This is exactly what will happen. Trolls will create sock puppet entries each day then sit on them until they "mature", then abuse them to hell and gone. The current system right now seems to be better than it was eight months ago, but this would be a step in the wrong direction.
The current moderation system is broken because there are not enough active users moderating in good faith to make it work. The system only works if there are sufficient people moderating such that bad actors can't easily overwhelm it. We aren't there yet and this change will not encourage more people to join and/or participate.
My personal opinion is that the hash idea could have some utility. Every logged in user could have a hash associated with their account, and moderations made to comments apply to the account, regardless of whether the comment was posted as AC or not. I fail to understand why someone gets to be an asshat without repercussions just because they posted as an AC.
The only other option is a meta-moderation system where bad moderations are identified and the offender's moderation privileges are revoked. Given the state of the site though, the odds of implementing any sort of new feature are slim to none.
The final thing that is clear is that based on the story submissions over the past year, the community has little interest in active participation. The only people submitting stories are the staff and a couple of trolls. People will complain about the stories that are submitted and/or chosen for the front page, but those same people will never have submitted a story themselves. If you just want to passively read the headlines then find a good RSS reader.
(Score: 2) by janrinok on Saturday November 26, @08:02PM
This proposal would ensure that this will not happen. At the moment there is only 1 AC account. Every AC shares that account. If we ban one, then we ban them all. That is why we have the current situation. The proposal is intended to enable us to penalise those ACs who abuse the system while allowing the others to continue.
However, if the level of abuse and false token generation is too high then we can always revert to what we have today. I happen to think that most ACs would like to make a genuine contribution to discussions. It is up to us to find a way of allowing that to happen without returning to the situation that we had a few months ago. It is for the ACs to demonstrate that they are sincere when they say that they want to participate fully in the site.
(Score: 2) by JoeMerchant on Saturday November 26, @05:28PM (1 child)
If Chrome would remember my AC token as a password, then I would use such a system, particularly if there were some easy way on my end to switch into "real anonymous" mode and back out again.
If I had to store the key and copy paste it periodically into the system, me, personally, I wouldn't bother, but then I am not terribly concerned about masking my identity (and I have some personal views about "hiding in plain sight" being more effective than going to efforts like VPN and TOR...)
Україна досі не є частиною Росії.
(Score: 2) by fab23 on Saturday November 26, @07:06PM
Independently I came up with a similar idea. This would make life easier for AC users and probably also reduce the amount of adjustments needed in the code elsewhere.
On the "Create Account" page give the option to create a real user or an AC user, then:
So in general the login system is the same for all (real users and AC), and features like karma and moderation points does not need any adjustments. Journal may not be possible, see below.
As I see it only adjustments are needed in all the parts where the Nickname, UID and other stuff is displayed. So instead of displaying 'SNAC<random-string-with-variable-length> (<UID>)' with a link behind, it must only display "Anonymous Coward" without any link. To recognize the AC for that a flag in the database is needed. Probably all the options available in /my/info should not be available to an AC account, as this else has to be removed again where it else would be displayed. Also on top of a comment from an AC the link to the journal should not be displayed. Maybe journals will be tricky anyway, as with this the AC at least could be identified with the generated Nickname, as it is used in the link. So maybe it could be easier to not allow an AC user to create journal entries.
The things mention from janrinok, like 'waiting period' or 'not used over an extended period of time' can still be implemented.
This is just an idea to think about, maybe I missed something important.
(Score: 3, Insightful) by NotSanguine on Saturday November 26, @06:15PM (1 child)
If you don't want to be identified as your real life identity, that's easy to do without all this rigamarole:
1. Connect via TOR [torproject.org] to an anonymity focused email service (Proton Mail [proton.me] comes to mind) and create an account;
2. Connect to Soylent News (again, via TOR) and register as a user using the email address created in (1), then confirm that address, then (optionally) don't access that email account and/or disable/delete the email account created;
3. Always connect to Soylent News (SN) via TOR, log in, then post everywhere as an AC.
SN can then allow AC posting for logged in users only without users potentially being threatened by motivated opponents and/or state actors.
That removes issues with SN (or anyone else) being able to identify your real life identity.
What that doesn't do is allow ACs to shitpost, harass and spam the site, as they will actually have accounts which can be tied to their AC posts, allowing the admins to block access to accounts which engage in destructive behavior.
There can even be some transparency there, with admins providing a list of comments that caused suspensions/bans to accounts without revealing the account names/UIDs themselves.
It seems to me that in the above scenario anyone who comes to post in good faith can do so as AC without being concerned about being tracked/doxxed. What's more, this protects everyone involved.
It's not SN's responsibility to keep you anonymous if that's required for you. That's your responsibility. SN's responsibility (IIUC) is to provide a place for open discussion of a variety of topics. Full stop.
I appreciate Janrinok's suggestion, but I believe it's both unnecessary (see above) and would be a big drain on admin and developer resources -- resources that are in short supply here.
tl;dr: If you don't want to be identified anywhere as your real-life identity, you should do the above everywhere. IMHO, that's not too much to ask of those who want to participate in good faith, especially as it allows the site to address those who want to act in bad faith.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by NotSanguine on Saturday November 26, @06:19PM
I'd also point out that in the scenario I suggest, the "hash" is the UID/account created. No additional dev or admin resources required.
To put a really fine point on it, if you want to participate in good faith, but are concerned about your IRL safety, my suggestion will work just fine.
Those who don't wish to participate in good faith will just be banned/suspended and nothing of value will be lost.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 5, Insightful) by bloodnok on Saturday November 26, @06:15PM (3 children)
Apologies if I'm being dense, but I don't see what this would achieve that couldn't be done more easily with a simple cookie.
This system can establish that a posting AC is the same AC as posted another time. So can a cookie.
This system requires the hash to be generated up front as a demonstration of intent to play by the rules by the particular AC. A post-enabling cookie could be generated by visiting a page that exists solely for that purpose and that asks the AC to play nicely.
This system can be spoofed by creating multiple hashes. This would be like deleting a cookie or otherwise manually managing cookies.
The AC might be concerned that a cookie generated by SN contains identifying information but since they don't really provide any other than spoofable IP, or spoofable browser identifiers that seems like a non-problem.
Could someone please explain what I'm missing?
__
Majorly baffled
(Score: 3, Insightful) by NotSanguine on Saturday November 26, @06:22PM (1 child)
I can't speak for anyone else, but I use a cookie auto-delete add on which clears all cookies set in a tab ten seconds after I close that tab.
And so for me, such a cookie would disappear (and a new AC "identity"created for me) every time I close an SN tab or restart my browser. Those who want to operate in bad faith can easily do the same.
As I suggested, why not just use the existing account system for this? Is there some reason why that's not viable?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by janrinok on Saturday November 26, @06:46PM
The account system only works with accounts. ACs do not have individual accounts. They all share the same account. That is why they are either all banned or all allowed under the current system.
This proposal means that, within SN, we can create a dummy account for each token and then we CAN manage them using the accounts system.
(Score: 2) by janrinok on Saturday November 26, @06:42PM
People can delete cookies. I delete cookies every time I switch of my browser. How to do you relate a comment on day one with another comment on day two if they delete the cookie in between? Moderation abuse and cooperative abuse take place over a period of time and not just with a single comment or moderation. For example, if an account consistently and repeatedly down moderates based on a user ID rather than comment content that is abuse. It is an attempt to prevent somebody from expressing themselves based purely on who they are. It happens now with both named and AC accounts. The system can usually detect that.
There has to be an exchange of a token from the AC to the site. The site then has a token that is meaningless but can exist over a period of time without anyone deleting it. Without a valid cookie for that specific token the AC cannot log in, furthermore the cookie is renewed after a period of time anyway. The proposal suggests 6 hours but that is a figure currently plucked out of the air.
The system can be spoofed by having multiple accounts too - and that is also detected. Multiple hashes will be an abuse of the system.
The only information that we have is the token - and they gave that to us. There is no other identifying information.
However, if you can explain to me how your proposal can solve that problem then I will gladly consider it.
(Score: 3, Interesting) by wisnoskij on Saturday November 26, @06:45PM (3 children)
This sounds like a more complicated user name/password combo. Just generate a random username and password, the browser will remember this for you and you click a checkbox to post as AC if you want. Their is no more information in a hash than a random password and username, it is just harder to use.
(Score: 2) by janrinok on Saturday November 26, @07:10PM (2 children)
That would work but has its own problems. The advantage of a hash is that it is very easy to validate (set length, defined character set, is acceptable for the existing software, for displaying using html, and for use in mysql).
Not all usernames are acceptable. For example, the following have been used to create accounts over recent weeks: (NSFW) Ghost of Jan's Wife, Janrinok Is A Faggot, Khallow Is A Faggot, Fuck You Fags, LOL Janrinok's Wife Is Dead , ROFL at Janrinok's Dead Wife, Fuck You Niggers, Azuma Hazuki 3.0, Pedobear1956, Kill Yourself Dalek, Unban Aristarchus NOW, Aristarchus Will Win, Niggers, Fuck You Wetbacks, Fuck You Kikes etc. There are several hundred such user names. All of those accounts have been disabled and banned.
Some days we have up to 120 fake accounts being created, some with character strings that appear to be designed to try to crash the software and/or database.
(Score: 0) by Anonymous Coward on Saturday November 26, @07:59PM
Little Bobby Tables rears his ugly head again.
(Score: 2) by wisnoskij on Saturday November 26, @08:14PM
Yes, but this is an old common problem presumably with decent solutions that exist. Also I did no think you were not allowing any new named accounts? But at the end of the day, you have to allow users to post something without vetting it. You can vet all the usernames to prevent people from seeing bad users names, but you cannot vet all the posts. So who cares if steve posts troll messages vs n****r posts troll messages? I would argue allowing n****r to post messages is better, because sometimes trolls are not always that obvious.
But if you want to go this way, then just generate the username yourself like modern multiplayer games do.
Also if the user is generating their own hash themselves, can they not just create a legitimate hash with those words in it? I guess you can force him to submit the hash and the original data for you to verify.
(Score: 2) by acid andy on Saturday November 26, @07:51PM (1 child)
I reckon unfortunately the real tinfoil hat wearers in the first group simply won't want anything that can tie many of their posts together. If an authoritarian seized the database, hacked it or it was leaked to them, they could build a profile on each AC based on their collection of posts. The AC can try not to leak personal information in their posts but across multiple posts things like writing style, political and religious views, interests, skills, etc. could be ascertained.
Of course there's no way around this because linking multiple AC posts together to identify them as one person is precisely the control you feel is needed.
Yes I can see this is essential but I expect you've already considered you may need additional hurdles to discourage many registrations being attempted in parallel or in short succession. How about once more than a certain number of AC registrations are pending, any additional applicants have to submit an article to the site and have it accepted to proceed?
Master of the science of the art of the science of art.
(Score: 2) by janrinok on Saturday November 26, @08:11PM
I have considered some of the security aspects of the site management. However, it would be foolish of me to discuss in public what security measures we take now or in the future to protect the site. They do directly affect the use of the site (unless somebody is trying to abuse the system) and are more of a management problem.
If people are that interested they can step forward and ask to join the team. :)
How would we know that the submission came from the same AC requesting the token? I have to admit though that I like the way that you are thinking!