Hey all, hope everyone here is doing well. Today I woke up to discover that a podcaster I follow had plagiarised part of an article I wrote, as well as parts of some other articles (some of which I had contributed to, others not). The podcaster did not cite their sources, nor did they make it clear that they were pulling whole paragraphs from Wikipedia, but they ran advertisements and plugged their patreon anyway. This is not the first time an article I wrote for Wikipedia has been plagiarised and profited off (earlier this year I noticed a youtuber had plagiarised an entire article I had written; I've also noticed journalists ripping off bits and pieces of other articles). Nor is this limited to articles, as I often see original maps people make for Wikimedia Commons reused without credit.

Obviously I'm not against people reusing and adapting the work we do here, as it's freely licensed under creative commons. But it bugs me that no attribution is provided, especially when it is required by the license; attribution is literally the least that is required. I would like attribution of Wikipedia to become more common and normalised, but I don't know how to push for people off-wiki to be more considerate of this. In my own case, the 'content creators' in question don't provide contact details, so I have no way of privately getting in touch with them. Cases in which I have been able to contact an organisation about their unattributed use of Wikipedia/Wikimedia content often get ignored, and the unattributed use continues. But I also have no interest in publicly naming and shaming these people, as I don't think it's constructive.

Does anyone here have advice for how to handle plagiarism from Wikipedia? Is there something we can do to push for more attribution? --Grnrchst (talk) 13:59, 16 December 2024 (UTC)[reply]

Sadly there are plenty of lazy sods who think that copying directly from Wikipedia is "research". This has happened with some of the articles that I have been involved with. It's rude, but hard to stop.--♦IanMacM♦ ^{(talk to me)} 14:13, 16 December 2024 (UTC)[reply]

I would start by writing to the podcaster and politely explaining to them that they are welcome to use the material but are required to provide attribution. They may simply be unaware of this and might be willing to comply if properly educated. Failing that, I assume the podcast was being streamed from some content delivery service like YouTube. You might have better luck writing to the service provider demanding that the offending material be taken down.

Realistically, crap like this happens all the time, and there's probably not a whole bunch we can do to prevent it. RoySmith (talk) 14:37, 16 December 2024 (UTC)[reply]

To support RoySmith's point, for those who may not have seen it, here is a very long youtube video about youtube and plagiarism [1]. (Works just having it on as background audio.) CMD (talk) 14:59, 16 December 2024 (UTC)[reply]

Funnily enough, plagiarism from Wikipedia comes up a couple times in that video. MJL also made a very good response video, which I think was a useful addition in the conversation of crediting Wikipedians. --Grnrchst (talk) 15:10, 16 December 2024 (UTC)[reply]

Thanks, I'll give that a listen. CMD (talk) 15:18, 16 December 2024 (UTC)[reply]

Aye, I figured it be an uphill battle trying to accomplish even minor changes on this front. As I can't find a way to contact the creator directly, sending an email to the hosting company may be the best I can do, but even then I doubt it'll lead to anything. Thanks for the advice, anyhow. --Grnrchst (talk) 15:12, 16 December 2024 (UTC)[reply]

If it's a copyright violation (e.g., exact wording), rather than plagiarism (stealing the ideas but using their own words), then you could look into a DMCA takedown notice. WhatamIdoing (talk) 03:25, 17 December 2024 (UTC)[reply]

@WhatamIdoing: It was more-or-less word for word, with a couple tweaks here and there. I don't want the episode pulled, I really just want Wikipedia cited, but I can't figure out any way to get in direct contact with any of the people involved. --Grnrchst (talk) 10:16, 17 December 2024 (UTC)[reply]

It's possible that the way to get in touch with them is a DMCA takedown notice. Having your platform take down the whole episode tends to attract attention. You could make it easy on them by suggesting a way to fix the problem (maybe they could add something like "This episode quotes Wikipedia in several places" to the end of the notes on the podcast?). WhatamIdoing (talk) 18:33, 17 December 2024 (UTC)[reply]

I'm curious as to what the plagiarized article in question is. Often there is no majority authorship of an article (in terms of bytes added), which might complicate DMCA claims. JayCubby 18:35, 17 December 2024 (UTC)[reply]

Anyone who contributed enough content to be copyrighted can issue a DMCA notice. The glaring problem with this approach is that the DMCA only applies if the copy is published in the United States. Phil Bridger (talk) 18:51, 17 December 2024 (UTC)[reply]

What about servers or companies based in the States (perhaps I've misremembered what little I know of copyright law)? JayCubby 18:56, 17 December 2024 (UTC)[reply]

@JayCubby: It's an article I wrote 99.9% of, minus minor copyedits by other users. I'm cautious about revealing which one as I think it would make it easy to figure out the podcast in question, and I'd still prefer to handle this privately rather than go full hbomberguy. Also, having now gone through more of the episode, it's not just that one article that got text lifted from it; text was also copied in whole or in part, without attribution, from other Wikipedia articles I have contributed to (but didn't author) and an article on another website that publishes under a CC BY-NC-ND license. I don't know how I would handle notifying the other parties that got plagiarised either. I haven't combed through the entire episode yet, but already a sizeable portion consists of unattributed text, either identical to the source or with minor alterations. --Grnrchst (talk) 19:29, 17 December 2024 (UTC)[reply]

One man deserves the credit, one man deserves the blame... JayCubby 00:42, 17 December 2024 (UTC)[reply]

Hmm... would Wikipedia:Standard CC BY-SA violation letter be of help? JayCubby 01:17, 30 December 2024 (UTC)[reply]

@JayCubby: I hadn't seen this until now, I think I assumed a while back that this thread had already been archived. Thanks for letting me know about this! I'll keep it on hand for future cases. --Grnrchst (talk) 13:56, 9 January 2025 (UTC)[reply]

Unfortunately, you're talking about a medium where many people's understanding of copyright law, even when they do demonstrate an awareness that it exists and is applicable, is largely demonstrated by videos posted on YouTube of clips from movies and TV shows with the note "Copyright infringement not intended". Which, I sometimes leave a comment pointing out to them, is akin to dashing out of a clothing store with an armful of unpaid-for merchandise while shouting "Shoplifting not intended". Largoplazo (talk) 14:10, 2 January 2025 (UTC)[reply]

I've found Wikipedia plagiarized in scientific journal articles. I have no tolerance for that and I contact the publishers directly. But little to nothing comes of it. In the one instance, I waited almost a year but nothing really happened. Upon pushing the matter, the publishers allowed the authors to make some trivial changes but there was no retraction. (See my banner notes at the top of Talk:Semi-empirical mass formula if you are interested in this example.) Fortunately, this kind of plagiarism may be common in less prestigious journals and by less prestigious authors from universities in countries that may not care about plagiarism of Western sources. Jason Quinn (talk) 08:39, 24 December 2024 (UTC)[reply]

@Jason Quinn Wrong section? You wanted to post below? _{Piotr Konieczny aka Prokonsul Piotrus| reply here} 17:03, 24 December 2024 (UTC)[reply]

Yes, it was. Sorry about that. I moved my comment (along with yours) to the proper spot. Jason Quinn (talk) 21:12, 24 December 2024 (UTC)[reply]

@Jason Quinn PS. Make sure to use PubPeer and comment on those articles! _{Piotr Konieczny aka Prokonsul Piotrus| reply here} 17:04, 24 December 2024 (UTC)[reply]

I'll check it out. Jason Quinn (talk) 21:12, 24 December 2024 (UTC)[reply]

Looks like the publisher has a ... somewhat questionable reputation to put it politely. Jo-Jo Eumerus (talk) 10:10, 26 December 2024 (UTC)[reply]

Some years ago, we found a source saying that the 20% of lowest-ranked journals had a higher risk of copyright violations. (They did tend to be journals from developing countries or otherwise with limited resources – think "Journal of the Tinyland Medical Society".) I have discouraged using journals from the lowest ranked quintile ever since. WhatamIdoing (talk) 04:42, 26 December 2024 (UTC)[reply]

As an aside, I'm pretty sure I've been the "benefactor" of scholarly citogenesis several times—uncited additions from a decade ago that I'm scouring for cites and pondering whether to rewrite from scratch, when I find a passage that pretty much has the same structure and specifics (uncontroversial stuff, mind) and I smile. I do wonder if I should be so happy, but I figure they're qualified to conduct original research and this isn't likely to introduce poor quality infomation. Remsense ‥ 论 04:48, 26 December 2024 (UTC)[reply]

When the plagiarism is substantial, please remember to tag the talk page with {{backwardscopy}}. WhatamIdoing (talk) 21:49, 27 December 2024 (UTC)[reply]

Copyright infringement of Wikipedia by other people is not immoral, so I don't believe it's in anyone's best interest to try to police it at all. We write this stuff with the hopes that it is accurate and that it will be shared. The podcaster in question shared it. Presumably, if you are proud of it, you also consider it accurate. Big Success. No Stress.

Additionally, it does not do to mix complaints about plagiarism and copyright infringement together. Copyright is law, and plagiarism is not law. Just like us, the podcaster is fully within their rights as the users of text to copy it without attribution when their use isn't a copyright violation. If it was enough text for you to notice this, I'll trust you that it was a lot of text. But, just FYI, if someone copies a little from an article (or even a little from several articles), they would not need a license to do that and their lack of compliance with the unneeded license would not constitute copyright infringement. lethargilistic (talk) 08:37, 2 January 2025 (UTC)[reply]

I disagree, plagiarism of Wikipedia content is immoral, as the plagiarizer is (at least implicitly) claiming authorship of someone else's work, and is also a violation of the licensing terms (attribution is required). As an editor who has seen their contributions to Wikipedia plagiarized, I do not expect widespread recognition of my work, but I do resent some else taking credit for it. Donald Albury 17:10, 2 January 2025 (UTC)[reply]

I wouldn't go so far as to call it immoral, which implies deliberate malfeasance. Copyright law is complicated. There are a myriad of permissive licenses in use, some of which require attribution, some of which don't. It's unrealistic to expect most people to understand anything beyond "Wikipedia is free".

What bothers me more is when you explain to somebody that it's OK that they're using your stuff but they need to add an attribution and they argue with you. That's when it crosses the line from ignorance to deliberate. RoySmith (talk) 17:22, 2 January 2025 (UTC)[reply]

On your first point Wikipedia is free, Help:Introduction to Wikipedia doesn't explain that Wikipedia's content is copyrighted (unless you go into one of the policy links), and the footer is the kind of thing I'd ignore on any other website. I wonder if it could be reworded to something likeYou are free to reuse text under the Creative Commons Attribution-ShareAlike 4.0 License; additional terms may apply.

Though with most of the instances of plagiarism there are no measures we could take to prevent plagiarists. JayCubby 18:07, 2 January 2025 (UTC)[reply]

enwiki gets about 400 million page views per day. Help:Introduction to Wikipedia gets about 4500 per day. So, to a reasonable approximation, nobody reads it. RoySmith (talk) 18:27, 2 January 2025 (UTC)[reply]

100% agree with Donald. --Grnrchst (talk) 13:53, 9 January 2025 (UTC)[reply]

I would call it immoral. It's not just wronging the people who put the labour into writing an article, who are having their hard work done for the commons repackaged for private profit without even the slightest acknowledgment, it is also wronging the people that read/watch/listen to the creator, as they are being intentionally deprived of the knowledge of where this information is coming from and where they can go to verify the information. I also disagree that what they did is "sharing"; they didn't link to this article or say they got their script from here, but instead took the credit for it and profited off it. That's not sharing, that's appropriation. Honestly I find the idea that I should be grateful that someone ripped off my work rather insulting. --Grnrchst (talk) 13:51, 9 January 2025 (UTC)[reply]

Hello, before I added a category, this file was uncategorized on Commons, but was used on a page on the Greek language wikipedia. Maybe using Petscan?, is there a way of searching say all pages in the category Museums in Greece, and its subcategories, to list images used on those pages that are uncategorized in Commons? Thank you, Maculosae tegmine lyncis (talk) 08:06, 28 December 2024 (UTC)[reply]

@Maculosae tegmine lyncis: Something like this seems to already exist: commons:Category:Media needing category review by usage. MKFI (talk) 18:21, 1 January 2025 (UTC)[reply]

I'd had it in mind for quite some time to write an essay in project space about announcements. I've seen entire sections consisting of sentences with the word "announced" in them, giving the impression that the subject's history consists not of events and actions at all but only of announcements that such events or actions were planned, leaving the reader to wonder whether any of them ever actually happened. I wanted to exhort people who add to an article, in November 2024, "In November 2024 it was announced that X would be joining the series as a regular character in the new season" to return after the new season begins and replace the text about the announcement with "In April 2025, X joined the series as a regular character" or, if X didn't join the series after all, to remove the sentence as probably irrelevant, unless some mention is to be made of why X's addition to the series didn't come to pass.

So one day recently I sat down to begin such an essay, but first checked the status of the obvious shortcut, WP:ANNOUNCED—and found that it already existed as a redirect to a user-space essay belonging to User:HuffTheWeevil. That essay is quite thorough and covers most of the ground that I had had in mind, and I think it would be useful to have it in project space. So, while noting that that user hadn't edited in over two years but thinking the might see and respond to a ping if they even read Wikipedia while logged in, I went to their talk page to leave basically the same message that I've written here, to ask if they would be averse to having their essay moved to project space.

That was four weeks ago, and there've been no edits in that time by the user. I was wondering whether it would be reasonable, without express permission, either to move or copy the essay to project space and retarget WP:ANNOUNCED there. Also, if that were to happen, I'm seeking a good title. Floating around in my head:

• Wikipedia:Stuff finally happens
• Wikipedia:Prefer actions to announcements
• Wikipedia:Did the announcement ever come true?
• Wikipedia:Well, did it happen or not?

Largoplazo (talk) 17:35, 30 December 2024 (UTC)[reply]

What a good notion! That type of language in articles irks me too. Especially personal life sections that read "they announced they were engaged, they announced the wedding date, they got married, they announced they were expecting, they had a baby" and so on. (Sorry I don't have an answer to your questions, but I do like the idea.) Schazjmd (talk) 23:25, 30 December 2024 (UTC)[reply]

Articles about companies, particularly finance companies, drive me crazy in that way. You'd think from some of their articles that they're more noted for their announcements than for what they've actually done. "In October 2018, ABC announced that they were acquiring at 30% share in GHI. In February 2019, they announced the coming release of version 5 of their product." Did the GHI buy-in ever happen? Did they ever release version 5? Who knows??? The article doesn't say! Largoplazo (talk) 00:02, 31 December 2024 (UTC)[reply]

Even more annoying is when media happily passes on announcements, but fails to pay any attention when they actually happen, so we're left sourceless. Schazjmd (talk) 00:20, 31 December 2024 (UTC)[reply]

To go off a bit on a tangent, this is like when the media report someone's arrest (which goes on to be covered here) and then never follow up (leaving Wikipedia readers in the lurch). Largoplazo (talk) 00:39, 31 December 2024 (UTC)[reply]

I wouldn't mess with someone else's user space without asking them first (with the obvious exception of reverting vandalism), there might be a reason they didn't want it in project space. I do agree that this is an issue in articles though. Gnomingstuff (talk) 19:42, 2 January 2025 (UTC)[reply]

The question appears to be about whether it's okay, after you have asked them, waited a month, and still not gotten a response. WhatamIdoing (talk) 02:50, 8 January 2025 (UTC)[reply]

I would also suggest not moving people's userspace essays to mainspace. Looks like the shortcut did a good job here of directing you to the correct location. Hopefully that happens a lot in these types of situations. –Novem Linguae (talk) 22:39, 2 January 2025 (UTC)[reply]

I would agree that moving things out of someone’s userspace without their OK is bad form.

That said… no one “owns” the topic (whether that topic is for an essay or for an article). Consider writing your own essay/article on the topic (in your own userspace), and moving that to Mainspace. Then notify the other editor so they can amend your work if they want to (that is up to them). Blueboar (talk) 14:03, 3 January 2025 (UTC)[reply]

People have been trying to get me to move User:RoySmith/Three best sources to project space for years. I keep refusing because it's my own personal opinion and I don't want people editing my opinion (which they do anyway, but at least I feel justified reverting those in my userspace). I once had somebody hijack the WP:THREE redirect and point it to their own essay (quickly reverted). I once had somebody put the redirect up for deletion (quickly closed as keep). RoySmith (talk) 15:11, 3 January 2025 (UTC)[reply]

meh… Personally, I think personal essays should be marked as “User” and not “WP” (even for a shortcut) but whatever. Blueboar (talk) 20:35, 3 January 2025 (UTC)[reply]

You had a good idea that's been linked by lots of people, including me. Surely the Wikipedia way is to share it with the rest of us? Phil Bridger (talk) 20:59, 6 January 2025 (UTC)[reply]

I like the Stuff finally happens title. Either rewrite so you're not using the userspace version, or move it (I think since you've asked, this can count as being bold) Newystats (talk) 19:14, 6 January 2025 (UTC)[reply]

It usually is considered a bit rude to move something without receiving permission. At the same time since they haven't edited more than minimally in nine years that really is not that big a concern, and ultimately all pages belong to the community. Since content is licensed under CC BY-SA and the GFDL, you could also both move the page and then copy-back an archived version to the original location under WP:CWW that they would retain more control over this has been done before.

Unless you think updates are needed though it probably isn't necessary since the primary distinction between user and projectspace essays is the degree of control exerted over the contents of the essay by the original author. Granted, projectspace is a little more restrictive compared to userspace, but that distinction is not really important to this case. 184.152.68.190 (talk) 20:13, 6 January 2025 (UTC)[reply]

Ive seen people make separate pages that are still attached to their user, like this one: User:Littleghostboo/Story and I never knew how to make pages like this. Can someone please tell me how?

Thanks, Tenebre_Rosso_Sangue, Editing with SSStyle! (talk) 16:46, 3 January 2025 (UTC)[reply]

Easy, peasy. Just type "User:Tenebre.Rosso.Sangue995320/whatever" into the search box and hit return. That'll take you to a page that says "Wikipedia does not have a user page with this exact name" with a "Start the User:Tenebre.Rosso.Sangue995320/Whatever page" link. Click the link and off you go. RoySmith (talk) 16:51, 3 January 2025 (UTC)[reply]

Thank you! Tenebre_Rosso_Sangue, Editing with SSStyle! (talk) 16:55, 3 January 2025 (UTC)[reply]

As an alternative, you could put a link on your user page that looks like [[/whatever]]. That'll show up as a redlink. Click it and you'll be in the same place you were before. RoySmith (talk) 16:57, 3 January 2025 (UTC)[reply]

As English WP is coming up to this in a few days - are preparations being made?

Who are the longest serving Wikipedians (ie contributing regularly enough to be so considered)? A check shows there are presently 156 members of the Wikipedia:Twenty Year Society (and, I assume, some more who do not choose to join or are unaware of it), so the 25 year equivalent will be smaller still (and the various higher-year groups always will so be, and increase more slowly than the shorter timespan ones). Jackiespeel (talk) 13:31, 4 January 2025 (UTC)[reply]

With the caveat that the account creation info stored in the database may not be accurate for the oldest accounts (as I understand it, they may be even older if they transitioned from the pre-MediaWiki software, or the information might be blank), see Wikipedia:Database reports/Active editors with the longest-established accounts for a list of the oldest accounts who have made an edit in the last 30 days. isaacl (talk) 18:54, 4 January 2025 (UTC)[reply]

We're coming up to our 24th anniversary ... Graham87 (talk) 14:38, 5 January 2025 (UTC)[reply]

The 25th anniversary is in a year, Wikipedia was founded in 2001. QuicoleJR (talk) 16:58, 8 January 2025 (UTC)[reply]

Wikipedia was founded in 2001. It’s almost been around for 24 years. 1.158.154.238 (talk) 04:10, 9 January 2025 (UTC)[reply]

Even in a year's time I don't think we should be doing much to celebrate. Maybe do that if Wikipedia is still going strong when all of the people who were around at the beginning are dead. That would be after a lot more than 25 years, and would show that Wikipedia has life of its own apart from the people that make it up. Many institutions have been around for a lot more than 25 years. Phil Bridger (talk) 10:57, 9 January 2025 (UTC)[reply]

I'm trying to fill out a list of "year in review" publications and I'm finding it difficult. I wanted to reach out and see if anyone knows any sources that come out annually (whether discontinued or still in publication) that summarize the previous year in a given field. The list so far is at Wikipedia:WikiProject Years/Resources and I'd really appreciate any suggestions or additions so we can get more scholarly and high quality sources on articles about years. Thebiguglyalien (talk) 02:01, 5 January 2025 (UTC)[reply]

I wonder if Annual Reviews (publisher) covers what you want. WhatamIdoing (talk) 02:52, 8 January 2025 (UTC)[reply]

I checked a few and there are a lot of articles about different subjects like you'd expect in a journal, but it doesn't look like they have anything to the effect of "here are the main takeaways/developments from this year". Thebiguglyalien (talk) 18:14, 8 January 2025 (UTC)[reply]

There’s a French series of this I’ve encountered but I’m not sure how useful that would be. PARAKANYAA (talk) 17:30, 8 January 2025 (UTC)[reply]

Depends on what it covers. If it's comprehensive and covers a global scope, that would be incredibly useful. If it's specifically about France, I'm also interested in finding some that are country-specific for articles like 2010 in France. Thebiguglyalien (talk) 18:16, 8 January 2025 (UTC)[reply]

This user's contributions are very strange. He only adds references to food articles, always recipes from the same website. In fact, I think he writes the recipes himself, since both the recipes and the user are E. Joven. I don't want to accuse anyone, but it also seems suspicious to me. He sometimes replaces pre-existing references with his own. How do I know if this user uses Wikipedia for self-promotion? The user: Emjoven – El Mono 🐒 (es.wiki account) 05:54, 6 January 2025 (UTC)[reply]

Please provide links to examples. Thanks. PamD 07:03, 6 January 2025 (UTC)[reply]

The links are to a site which says it's run by Ed Joven. The wiki account name is Emjoven. This one's not hard to figure out. RoySmith (talk) 16:57, 6 January 2025 (UTC)[reply]

I've reverted the most recent additions (in places where there was already at least as good a ref) and replacements. Largoplazo (talk) 17:27, 6 January 2025 (UTC)[reply]

And where do I ask questions like this? Another Wiki User the 3rd (talk) 16:39, 7 January 2025 (UTC)[reply]

Hey there @Another Wiki User the 3rd. You can ask simple questions like this at the WP:TEAHOUSE if you want. As for the requirements to run as a candidate in the yearly arbcom elections, there's surely a list of official requirements somewhere on one of the WP:ACE pages. I'd highly recommend becoming an admin first though, and the practical minimum edit count for becoming an admin based on who has passed recently is around 8,000 edits. Hope this helps. –Novem Linguae (talk) 16:43, 7 January 2025 (UTC)[reply]

WP:HELPDESK and WP:TEAHOUSE are probably better venues for questions like that. Wikipedia:Arbitration Committee Election/Rules covers your question, Candidates: Registered account with 500 mainspace edits that is not prevented from submitting their candidacy by a block or ban, meets Foundation's Access to nonpublic personal data policy, and has disclosed alternate accounts (or disclosed legitimate accounts to Arbcom). Arbitrators may not serve as members of either the Ombuds Commission or the WMF Case Review Committee while serving as arbitrators. Withdrawn or disqualified candidates will be listed in their own section on the candidates page unless their candidate page can be deleted under WP:G7. ScottishFinnishRadish (talk) 16:43, 7 January 2025 (UTC)[reply]

Not sure where to post this, or whether I'm overreacting, but I find this recent article by The Forward very concerning. Scoop: Heritage Foundation plans to ‘identify and target’ Wikipedia editors. It outlines how the Heritage Foundation is going to (or is already) attempting to identify editors who are 'abusing their position' by publishing content the group believes to be antisemitic. Methods of identification include:

• facial recognition software (not sure how this would work, considering most don't post their faces here) and a database of hacked usernames and passwords
• creating fake accounts to lure editors into revealing personal information or clicking malicious tracking links
• checking for resuse of usernames/passwords in breached databases
• more found in their slideshow for this [2]

ARandomName123 (talk)^{Ping me!} 23:28, 7 January 2025 (UTC)[reply]

May I suggest only clicking those two external links if you have a VPN on. They are very clear in these documents that they plan to harvest Wikimedian IP addresses using bait links that they control. –Novem Linguae (talk) 23:57, 7 January 2025 (UTC)[reply]

Actually, I think those two links are to the newspaper that did the investigative reporting, rather than the Heritage Foundation. So not as risky as I thought. –Novem Linguae (talk) 00:10, 8 January 2025 (UTC)[reply]

Yes, those links point to the website of The Forward, a 127-year-old publication known in Yiddish as פֿאָרווערטס and formerly known in English as The Jewish Daily Forward. Definitely not a Heritage Foundation property! Largoplazo (talk) 03:09, 8 January 2025 (UTC)[reply]

True, but to be fair to the Heritage Foundation, The Forward also harvests "IP addresses using bait links that they control", the bait being interesting and informative articles by sensible reporters. Sean.hoyland (talk) 09:11, 8 January 2025 (UTC)[reply]

Suspected IP-grabber domains are eligible for the m:Spam blacklist (and the local one as well). Suspicious links can be opened with tools like https://urlscan.io/. Make sure your password is long, strong, and unique, and if you don't have access to two-factor authentication you can request it at m:SRGP. You should also use a Wikipedia-specific (or at least Wikipedia-identity-specific) email address. This advice also applies to other places where you talk about Wikipedia or use the same identity. If you see something suspicious, report it to an administrator/functionary/steward/arb/etc. AntiCompositeNumber (talk) 00:41, 8 January 2025 (UTC)[reply]

Maybe all this should also be noted in a more visible place like WP:AN? (I have now done so). Clovermoss🍀 (talk) 04:08, 8 January 2025 (UTC)[reply]

Here's the deal, they don't plan on throwing the malicious links in (only) contentious articles. They are going to identify "targets", and then edit other topics the "targets" are interested in. That is when the bad sources will enter pages with fewer watchers (to discern which GET to associate with the suspected user).

Potential targets should click links on one device with a vpn, and edit on a different device.

This isn't new, one of our CUs had to step down because they were doing the same to try to catch UPE a few years ago, and I assume other groups have been doing so for awhile. 166.205.97.61 (talk) 06:51, 8 January 2025 (UTC)[reply]

I was thinking that they were probably going to pose as editors on talk pages, and engage in debates where'd they post links, partially hidden like this: AP News, which looks like it goes to an AP News site, which would be common on these sort of talk pages, but actually goes to example.com. (replacable with a tracking link). Most editors wouldn't think to hover over it to check the address. ARandomName123 (talk)^{Ping me!} 16:39, 8 January 2025 (UTC)[reply]

• If they're going to be using domains they control for this, should we start adding Heritage Foundation domains to the spam blacklist? This might require going to WP:RSN to deprecate their website, which is currently used on 5000 pages and is probably deprecable on its (dis-)merits in the first place. A few of their other domains are listed on the library of congress page for them. That wouldn't prevent them from creating additional honeypot domains, of course, but I don't see how we can continue to link to their website if they're using it in this manner. --Aquillion (talk) 13:28, 8 January 2025 (UTC)[reply]

  It would be safe to assume that their main domains would also participate in the cookie tracking, especially seeing as it is so heavily linked. I agree that their known domains should be deprecated as likely malicious. 166.205.97.61 (talk) 15:52, 8 January 2025 (UTC)[reply]

  Deprecating and blacklisting the link globally will protect editors and readers from accidentally clicking the links. This is a serious privacy concern if the Heritage Foundation collects data from visitors. Ahri Boy (talk) 03:45, 9 January 2025 (UTC)[reply]

  Heritage Foundation seems to be making not only a threat against our WP:NOTCENSORED policy, but threatening retribution against wikipedia editors for building consensus on perrenial source reliability. I think blacklisting HF domains, and any subsequent honeypot domains is a sensible idea Bejakyo (talk) 17:10, 8 January 2025 (UTC)[reply]

Sigh. Nice work by Forward. Sean.hoyland (talk) 05:45, 8 January 2025 (UTC)[reply]

@AntiCompositeNumber that is a useful site, I revert a lot of spam 'cunningly disguised' as a genuine link.

I'm in the UK. Honestly, if they want my ip they can have it. I'm moving soon lol. Knitsey (talk) 08:02, 8 January 2025 (UTC)[reply]

I'm not familiar with US law, but is something like creating fake accounts to lure editors into revealing personal information or clicking malicious tracking links legal? Nobody (talk) 09:19, 8 January 2025 (UTC)[reply]

@1AmNobody24 I'm wondering if those companies, proudly displayed at the end of the document, are aware of their connection with this 'plan'? Knitsey (talk) 09:28, 8 January 2025 (UTC)[reply]

Yeah, I just had to re-read Phishing to make sure it's definition hadn't changed... Nobody (talk) 09:31, 8 January 2025 (UTC)[reply]

Honestly I don't want to wait on US law to (maybe) protect our editors. We should be proactively blocking Heritage Foundation domains from interacting with en.wp using whatever means are necessary. Simonm223 (talk) 14:31, 8 January 2025 (UTC)[reply]

All Wikimedia wikis too. We can't let everyone accidentally access that data-collecting nonsense. Ahri Boy (talk) 08:35, 9 January 2025 (UTC)[reply]

Considering they're the people behind Project 2025, and Trump is coming to power, I do not have too much trust in relying on US law. ARandomName123 (talk)^{Ping me!} 16:19, 8 January 2025 (UTC)[reply]

It's probably a misuse of computer systems (what Aaron Swartz was charged with) and violates the TOS. WMF can and should sue Heritage if they try to pull this kind of shit. voorts (talk/contributions) 21:00, 8 January 2025 (UTC)[reply]

I'm not worried for myself - I edit with my real name and am pretty sure I have freely given away enough information to enable anyone to distinguish me from anyone else who shares my name - but I'm worried for those who live under more repressive regimes. Some of those are in prison because of what they have said on Wikipedia, and many live under regimes that the Heritage Foundation would be vehemently opposed to. Phil Bridger (talk) 14:33, 8 January 2025 (UTC)[reply]

Yeah kind of the same situation here. While my username is not directly my personal name it's the same one I use on literally all platforms and is easily connected to my real-world identity. I don't consider myself as an anonymous editor. But we do need to protect anonymous editors. And not just in what we conventionally see as "repressive regimes" either. I'd say that there are considerable threats to the safety of anonymous editors in the United States from such a mass dox. Simonm223 (talk) 14:36, 8 January 2025 (UTC)[reply]

On the contrary, this doxxing campaign, apparently led by a former FBI agent and organized by a US-based organization, is specifically targeting editors in the Palestinian-Israeli conflict topic area, who are likely to face threats from the "democratic" regimes of the western world, namely those with expansive antisemitism definitions and where anti-Palestinian sentiment is rampant among the media, political and corporate class. It is the editors based there who everyone should be worried about. Makeandtoss (talk) 15:07, 8 January 2025 (UTC)[reply]

Sigh, take caution North American editors, you will need to arm up & watch your backs with these people. There's a clear agenda being pushed to shut down those who would combat disinformation / advocate fact checking, and that's either via ballot box or the ammo box. TheTechLich (talk) 15:28, 8 January 2025 (UTC)[reply]

Arming individual Wikipedians does not seem like a particularly effective response to what is being threatened here. _signed, Rosguill ^talk 16:35, 8 January 2025 (UTC)[reply]

Arming the community with information is more our schtick. "Be afraid!" may work for click media, but a check at RSNP is always a wiser place to start. BusterD (talk) 17:55, 8 January 2025 (UTC)[reply]

With regards to the facial recognition software, it is probably simple enough to run it through the many meetup photos we conveniently provide and categorize on Commons, sometimes even helpfully linking faces to usernames and perhaps even real names already. CMD (talk) 15:46, 8 January 2025 (UTC)[reply]

I'm sure these guys are not totally clueless, but probably best if we don't give them any ideas they hadn't allready thought of. RoySmith (talk) 15:52, 8 January 2025 (UTC)[reply]

I considered that, but this one seems obvious enough for them given facial recognition is already mentioned in their document, and yet also probably something worth making editors more aware of. CMD (talk) 15:58, 8 January 2025 (UTC)[reply]

Maybe it isn't a good idea to match those faces to usernames? QuicoleJR (talk) 16:56, 8 January 2025 (UTC)[reply]

I crossposted this to Commons although I don't know what action can realistically be taken. I don't think this is anything they haven't thought of already, the doc already mentions "cross-referencing usernames." Gnomingstuff (talk) 17:09, 9 January 2025 (UTC)[reply]

• My real name is Pat Sajak and I live in LA. GMG^talk 15:54, 8 January 2025 (UTC)[reply]

  Negative, I am a meat popsicle. ScottishFinnishRadish (talk) 15:57, 8 January 2025 (UTC)[reply]

  Easy there fuzzy little man-peach. Ever drunk Baileys from a shoe? TheTechLich (talk) 16:04, 8 January 2025 (UTC)[reply]

  I'm Old Gregg! Lewisguile (talk) 17:28, 8 January 2025 (UTC)[reply]

Facial recognition...

Maybe by the camera of ur devices？--Jason2016426 (talk) 14:45, 9 January 2025 (UTC)[reply]

A range block is in order, at the very least, lets be preventative. Slatersteven (talk) 15:57, 8 January 2025 (UTC)[reply]

• The report says that they're going to use a "database of hacked usernames and passwords". Do we know whether this is from other websites who have been hacked, or whether there's been a data breach at Wikipedia itself? ARandomName123 (talk)^{Ping me!} 16:21, 8 January 2025 (UTC)[reply]

  There is also a possibility they're making at least some shit up. Gråbergs Gråa Sång (talk) 16:23, 8 January 2025 (UTC)[reply]

  Yes, or it's sloppy reporting. As far as I can see it's the only place where passwords are mentioned. Phil Bridger (talk) 16:28, 8 January 2025 (UTC)[reply]

  The combination of malicious tracking links (fairly clever) and facial-recognition technology (rather useless for what they're trying to do here) suggests that they have some people who know what they're doing, but that their leadership (or at least their communications lead) is easily fooled by buzzwordy tech and has no idea what they're doing. _signed, Rosguill ^talk 16:32, 8 January 2025 (UTC)[reply]

  It's a pitch deck to potential donors who are presumably not super tech savvy, so things were probably kept simple and buzzy to both not overwhelm an be attractive. -- Patar knight - ^chat/_{contributions} 16:35, 8 January 2025 (UTC)[reply]

  Sure, but it seems like a red flag that facial recognition technology is anywhere near the slide deck. They may as well threaten us with "the blockchain". _signed, Rosguill ^talk 16:38, 8 January 2025 (UTC)[reply]

  I don't think that's right. If they can use facial recognition successfully to de-anonymize an editor they may be able to use various pressure tactics against that editor. I think their goal, whether through facial recognition and tracking links is to de-anonymize. They will meet with varying success but I definitely can imagine (with one way already listed above) ways facial recognition could be a threat to otherwise anonymous editors. Best, Barkeep49 (talk) 16:50, 8 January 2025 (UTC)[reply]

  My sense is that the overlap between editors that they are trying to de-anonymize and editors that can be meaningfully linked to images of themselves is near zero. _signed, Rosguill ^talk 16:53, 8 January 2025 (UTC)[reply]

  The plan is to learn enough about "targets" through web tracking and comparison to stolen user data to identify potential Facebook or Twitter accounts. They will then attempt to match personality profiles of editors with what they learn from these other sources - including pictures. 166.205.97.61 (talk) 17:07, 8 January 2025 (UTC)[reply]

  It would not be particularly difficult to see if someone's username is also their email, if an email is listed on their userpage, or to obtain an email if they reply to a Wikipedia email (IIRC your email is kept anonymous as long as you do not reply) and then comparing that to emails in publicized data breachs and trying any associated passwords. People should be checking https://haveibeenpwned.com/ and/or using any in-built tools for this in their password managers to see if this might apply to them and changing passwords as required. -- Patar knight - ^chat/_{contributions} 16:30, 8 January 2025 (UTC)[reply]

  Also, editors should not respond to Wikipedia emails that look like spam or nonsense out of politeness (e.g. "I think you have the wrong email?") if they want to be extra cautious. -- Patar knight - ^chat/_{contributions} 16:33, 8 January 2025 (UTC)[reply]

  Also, editors can choose to reply on someone's User talk page instead of replying by email. FactOrOpinion (talk) 18:21, 8 January 2025 (UTC)[reply]

  There were recent cyberattacks on the Internet Archive. Many editors here often use their book loaning service. I urge them to change their email address and password if it is similar to that of the archive. The AP (talk) 10:48, 9 January 2025 (UTC)[reply]

Are T&S aware of this? Ymblanter (talk) 16:30, 8 January 2025 (UTC)[reply]

Do they have an on-WP "place"? Gråbergs Gråa Sång (talk) 16:33, 8 January 2025 (UTC)[reply]

An email was sent by RoySmith a couple minutes ago, see the phab task. ARandomName123 (talk)^{Ping me!} 16:36, 8 January 2025 (UTC)[reply]

Yes, I've already informed them of it. GorillaWarfare (she/her • talk) 19:57, 8 January 2025 (UTC)[reply]

• Is there a way to poison link harvesting? Horse Eye's Back (talk) 16:47, 8 January 2025 (UTC)[reply]

  Click through using a different device on a vpn. Send various other IPs through to muddy the waters. Realistically, if they create a fake publisher with a fake book about an obscure topic that they think a "target" will argue about, only a few hits will exist to the link, and the IP of the editor will be exposed. Wikipedia really should provide a proxy that disables Javascript when clicking through to links. This would hide all editor IPs. 166.205.97.61 (talk) 17:10, 8 January 2025 (UTC)[reply]

  I like the idea of being able to open links through wikipedia so to speak. Horse Eye's Back (talk) 17:20, 8 January 2025 (UTC)[reply]

I think we should put a note about this on T:CENT to make more people aware. QuicoleJR (talk) 17:49, 8 January 2025 (UTC)[reply]

It's on Jimbo's talk, AN, ANI and VP(m). T:CENT seems way overboard at this point. BusterD (talk) 17:58, 8 January 2025 (UTC)[reply]

• As I think about this, I have concerns that range broadly. I realize that what I'm going to say may sound alarmist to some editors, but I sincerely and soberly think that this is a realistic reading of what Heritage and their allies are saying and demonstrating they intend to do. This really isn't about antisemitism. There are people in Project 2025 with white nationalist and Christian nationalist inclinations who are antisemitic themselves. This is about a much broader attempt in the US to transition from democracy to autocracy, and combating antisemitism is simply a convenient banner to slap onto this first broadside. In fact, the hostility to Wikipedia – the labeling of us as "Wokepedia" – comes from the same playbook as attacks on the mainstream press and universities. The sometimes-successful attempts to bring down some university presidents was likewise framed as their failure to speak out against Hamas, but it was really about wanting to diminish universities' credibility as authoritative sources of truthful information. Same thing now for us. For an authoritarian power, honest providers of unbiased truth are an existential threat. We aren't going to change our content to parrot an Orwellian POV about MAGA, so we are a target.

I want to push back against what some editors have said, about using one's real-life identity as a way of preventing outing. In a narrow sense, it's technically true that if you "out" yourself, there's no point in anyone else doing it. But once your identity is known, you become vulnerable to all of the kinds of real-life harassment that doxed people find themselves subjected to. It doesn't matter, in that regard, how they found out your identity. And it's not just if you've edited about Israel-Palestine. It could be if you've edited anything about climate and fossil fuels, gender, immigration, vaccines, and of course, American politics. I doubt that they have the bandwidth to actually identify and harass every editor who could possibly be seen as editing information that goes against a MAGA POV, but they will likely find some easily identified targets, whom they will use to "set an example", as a way of instilling fear in our editing community. I fully expect that, in the coming months, Jimbo Wales will be hauled before a hostile and performative Congressional hearing, much in the manner of university presidents. I hope very much that he will be better prepared than Claudine Gay was.

Yeah, I know this is grim. But I believe the first step in dealing with this is to go into it with our eyes open, to know what we are dealing with, what motivates it. And, more than harming individual editors, the real objective of Heritage et al. is to instill fear in the rest of us. If we become too fearful to revert POV edits, they win. In a very real sense, we have to keep doing what we have been doing, and continue to be a reliable resource for NPOV information. --Tryptofish (talk) 18:54, 9 January 2025 (UTC)[reply]

Is there any essay with tips to protect anonymity/privacy on wikipedia? I know about WP:OUTING but proactive tips could also be helpful. In general, don't think this heritage slide deck is that useful and unlikely to work, but after other similar issues (see the Asian_News_International#Wikimedia Foundation case), it would be nice if we have useful tips to make sure bad actors can't target folks who wanna keep their wikipedia lives separate from their other life. Bluethricecreamman (talk) 16:54, 8 January 2025 (UTC)[reply]

@Your Friendly Neighborhood Sociologist has a good section on her user page User:Your_Friendly_Neighborhood_Sociologist#OPSEC Meluiel (talk) 16:59, 8 January 2025 (UTC)[reply]

(edit conflict)The problem with that would be that bad actors could read it too to work out ways round it. Personally I work on the principle that anyone determined enough can find out who I am anyway so I don't even try to be anonymous, but I understand why that doesn't work for everyone. Phil Bridger (talk) 17:02, 8 January 2025 (UTC)[reply]

Same here, if they can be arsed they will manage it. Especially (referring back to the India crap) if you have a government on your side. Slatersteven (talk) 17:15, 8 January 2025 (UTC)[reply]

Yes, making it more difficult at an individual level to identify you makes it more difficult, and therefore costly, at a global level to identify editors. Best, — Jules* ^talk 19:13, 8 January 2025 (UTC)[reply]

I think an important thing to understand here is that the baseline risk of being outed, even if you do absolutely everything right, is higher than a lot of people realize. There are over 100 volunteers with the ability to view your IP, and an order of magnitude more who pose subtler but equally dangerous risks that I won't get in to. All of these people are vulnerable to bribery, coercion, threats, deceit, and violence, same as anyone else. Now, a difference here is that most of those attack vectors are actual felonies in the US. Heritage, despite its willingness to engage in mustache-twirling levels of evil scheming, probably does not want to have its people go to prison, and get its own corporate veil pierced. They do have that reference to cracking accounts, which is a crime, but it's not clear how serious they are about it; they could also mean it in the sense of not cracking but correlation attacks, e.g. matching a username to someone's Facebook URL. But most of what they're talking about is, essentially, the maximally invasive strategy that doesn't blatantly violate any criminal laws.

There are people out there who don't give a fuck about violating criminal laws. Because they're ideologues, because they're unstable, because they're foreign agents, whichever. There is no way to mitigate that risk. Even completely abandoning the system of volunteer access to private information would just reduce the risk, not make it go away. So people who are reading this news and are really scared, who are thinking "My life would be over if I got outed like this", should understand that even if we came up with technical steps to mitigate every idea Heritage has, their IP is still no more secure than the weakest link in the entire cross-wiki system of privileged accounts, and that's not something we can fix, because vulnerability to money, lies, and violence is a bug in human.exe, not in MediaWiki. Remember that Wikipedia:How to not get outed on Wikipedia offers only two 100% effective strategies: Out yourself, or don't edit. Anything else is taking a gamble. -- Tamzin^{[cetacean needed]} (they|xe|🤷) 17:59, 8 January 2025 (UTC)[reply]

@Tamzin, maybe the strategy all along, is to scare people into abandoning editing Wikipedia? All they need to do is produce a low quality PDF, throw in a bunch of scare quotes, link to their partners that will help them dox, and bobs your uncle. Job done. They could even open some throw away accounts and make it obvious they are trying to trap people, without actually doing any trapping. Knitsey (talk) 19:41, 8 January 2025 (UTC)[reply]

I completely agree with Tamzin here. As one of the reportedly top pro-Hamas editors who hijacked Wikipedia's narrative, or whatever it was, and someone with no expectation of online privacy, I think maintaining a "fuck those guys" stance towards these kinds of efforts to interfere with Wikipedia helps to keep your eye on the ball. If someone is afraid of being outed, don't edit in the PIA topic area. Anyone who follows policy and guidelines in the topic area and simply summarizes the contents of reliable sources etc. will be targeted by someone at some point, labelled pro-Palestinian, or pro-Hamas, or antisemitic etc. by easily manipulated credulous fools, racist ultranationalists, radicalized youth, sociopathic POS MFs who celebrate violence and destruction, offensively polite inauthentic extremists etc. It has always been like this. The volume has been turned up a bit recently, presumably to distract from all the death and destruction and/or monetize it via online attention or donations to ridiculous projects camouflaged as righteous missions. But I encourage people to edit in the topic area without being afraid. Where else are you going to encounter so many interesting people and have a chance to be casually defamed by the world's richest man? Sean.hoyland (talk) 04:25, 9 January 2025 (UTC)[reply]

Not being able to create a non-gambling scenario doesn't mean we shouldn't try to weigh the games in our favor. Let's not just say fuck those guys in a way that means we don't bother making them try a little. CMD (talk) 05:58, 9 January 2025 (UTC)[reply]

Oh absolutely. Make them work hard. They might come up with some good ideas. I would even say try to be understanding because for many of the people who support these kinds of efforts, I think this is their happy place where they can come together and think of themselves as good guy victims fighting the good fight against demons, play at being part of the intel community chasing Nazis etc. rather than having to look at and document reality. What's the phrase, mistaking an idea for the world or something. Sean.hoyland (talk) 08:13, 9 January 2025 (UTC)[reply]

There is definitely a risk of the chilling effect being a deliberate strategy the Heritage Foundation uses – if there are less active editors focusing on reliable sources in a certain topic area (not specifically having PIA in mind, but also other politically contentious areas they might target), it leaves more openings for Heritage folks to come and POV-push there. Chaotic Enby (talk · contribs) 18:20, 9 January 2025 (UTC)[reply]

This may be useful. Wikipedia:Personal security practices Ckoerner (talk) 19:31, 8 January 2025 (UTC)[reply]

Also see meta:Wikimedia Foundation/Legal/Community Resilience and Sustainability/Human Rights/Digital Security Resources. GorillaWarfare (she/her • talk) 19:58, 8 January 2025 (UTC)[reply]

The risk is not so much someone getting your IP, so much as someone piecing together bits of information about you and cross-referencing them with your other online presences.

Suppose you edit Israel/Palestine articles, but you also make some edits to the article for a local business near, say, Omaha, Nebraska, and you also edit some MLB pages. Now you are no longer just "some person editing in Israel/Palestine articles" but "some person editing Israel/Palestine articles who is likely to be located in the Omaha area and who is likely interested in baseball." Which describes a lot of people, obviously, but also a lot fewer than before. Add to that people's talk page comments, which might include offhand details about their life and definitely provide examples of their writing style.

Before anyone brings it up I am not revealing any secrets that someone hasn't thought of, this is basically how online doxing, private investigation, etc. works. Gnomingstuff (talk) 17:21, 9 January 2025 (UTC)[reply]

Some more media:

• Wikipedia Won't Let Elon Musk Fluff His Resume. Heritage Foundation Will Help By Terrorizing The Editors.
• The People Behind Project 2025 Want to Reveal the Identities of Wikipedia Editors Gråbergs Gråa Sång (talk) 19:29, 8 January 2025 (UTC)[reply]

One would think that reportedly soliciting donations to pay for a project that would violate the WMF's TOU in multiple ways (and maybe the law), would be the kind of thing that would put a 501(c)(3)'s nonprofit exemption at risk. Levivich (talk) 23:20, 8 January 2025 (UTC)[reply]

It would if the IRS wanted to go after them (they won't). voorts (talk/contributions) 23:31, 8 January 2025 (UTC)[reply]

A section was created at WP:RSN (Wikipedia:Reliable sources/Noticeboard#Heritage Foundation planning to dox Wikipedia editors) suggesting that the Heritage Foundation website be deprecated and blacklisted, but it was closed with a message that that was the wrong board. Let's figure out if we want to do this and what the right board is. I think the right board might be an RFC at WP:VPPR. The text of the RFC could be something like Due to credible threats of attempting to dox Wikipedia editors and harvest their IP addresses, should all known Heritage Foundation URLs, including https://heritage.org/, be added to the local spam blacklist? This section can serve as the WP:RFCBEFORE. Thoughts? –Novem Linguae (talk) 08:53, 9 January 2025 (UTC)[reply]

• Yes, but perhaps the wording should be broadened to include any other domains which might reasonably be believed to serve as part of the Heritage IP-harvesting plan. Johnuniq (talk) 09:08, 9 January 2025 (UTC)[reply]

Wikipedia:Reliable_sources/Noticeboard#The_Heritage_Foundation is ongoing. Gråbergs Gråa Sång (talk) 09:15, 9 January 2025 (UTC)[reply]

That discussion appears to be purely about reliability. I was thinking we might need a discussion somewhere approaching the blacklist / editor safety angle of having hyperlinks to their website. –Novem Linguae (talk) 10:57, 9 January 2025 (UTC)[reply]

Please describe the potential danger from the links which are currently on Wikipedia and which would ostensibly be removed following blacklisting—is it connected to the "controlled links" and "redirects" discussed in the pdf?

Technical Fingerprinting (Controlled Domain Redirects):

• Controlled Links: Use redirects to capture IP addresses, browser fingerprints, and device data through a combination of in-browser fingerprinting scripts and HTML5 canvas techniques
• Technical Data Collection: Track geolocation, ISP, and network details from clicked links
• Cross-Session Tracking: Follow device or browser sessions through repeated visits by setting cookies.
• User is only on domain for < 2 seconds prior to redirection

Online Human Intelligence (HUMINT):

• Persona Engagement: Engage curated sock puppet accounts to reveal patterns and provoke reactions, information disclosure
• Behavioral Manipulation: Push specific topics to expose more identity related details
• Cross-Community Targeting: Interact across platforms to gather intelligence from other sources.

—Alalch E. 11:56, 9 January 2025 (UTC)[reply]

Yes. Most websites won't do anything with our IP information when we visit. It'll go in a log somewhere and never be looked at again. But a bad actor such as these guys might look at the http_referer, see that it's from wikipedia, maybe even see the exact page you were on before you clicked the link, then do bad things with that info. For example they could cross reference timestamps of edits to a wiki page to their IP server logs and make some educated guesses about whose username that ip is. Then they could do geolocation on the IP to determine a city. Then maybe they already have some information on you in their database from one of the other techniques mentioned in that slide. So now they can use all that together to confirm exactly who you are and harass you. –Novem Linguae (talk) 12:33, 9 January 2025 (UTC)[reply]

Noting that links on Wikipedia have the noreferrer attribute set. Modern browsers tend to respect this attribute and do not set the Referrer header for subsequent requests. Sohom (talk) 12:48, 9 January 2025 (UTC)[reply]

Do they? Checking just now, I see the pages set referrer=origin but there's no noreferrer in sight. This means sites will get https://en.wikipedia.org/ as the referrer, but no information on the specific page. OTOH, if the attacker placed the specific link on only one page, they could use that as a signal. Anomie⚔ 13:11, 9 January 2025 (UTC)[reply]

I am concerned that would require quite a lot of scrutiny to prevent if a referrer can be set within a specific link. This is definitely, in my eyes, a point in the yes blacklist column. Simonm223 (talk) 13:30, 9 January 2025 (UTC)[reply]

@Anomie The noreferrer attribute It is set on a individual link level and should be set for all external links generated through wikitext on Wikipedia. You can kinda verify this by setting up a netcat server nc -lvp 1337 and then clicking on this link to see what headers your browser sends.

@Simonm223 Custom referrers cannot be set for a specific link, you can disable referrers for specific links (which is already done for all external links by our MediaWiki installations) or set a per-page directive to influence how much information is sent by the browser to other websites (Wikipedia chooses to only send origin information, which is the industry standard since it doesn't leak too much PII, however, we could probably raise a ticket on phabricator to set the per-page directive to same-origin to prevent third-party sites from getting any information at all). Sohom (talk) 14:06, 9 January 2025 (UTC)[reply]

Would there be any negative impact to the project for us setting the per-page directive to same-origin? Simonm223 (talk) 14:14, 9 January 2025 (UTC)[reply]

I don't think so, but there might be tooling that depends on the presence of the referrer header that I am unaware of. The best approach would be to file a phabricator ticket to find out. Sohom (talk) 14:39, 9 January 2025 (UTC)[reply]

According to Wikipedia:Spam blacklist, there is precedent for "some sites which have been added after independent consensus" (which I read as sites added for sui generis non-spam reasons), and all four linked discussions are from RS/N so it might not be a bad location per se. Whatever the case, if there is an RfC, I think it should authorise a braoder scope as Johnuniq states, to allow the addition of further dox harvesting urls without needing to hold another RfC or similar. CMD (talk) 09:19, 9 January 2025 (UTC)[reply]

All those discussions started with the question of whether the source is unreliable and the answer was that it is not just unreliable, it is spam. Basically normal RS/N discussions. The discussion I closed started with the question of computer security. And if and when heritage.org and possible other domains are blacklisted it will not be because of simply "spam". —Alalch E. 10:24, 9 January 2025 (UTC)[reply]

What happened to Mediawiki talk:Spam-blacklist? —Alalch E. 10:16, 9 January 2025 (UTC)[reply]

I don’t care one way or the other on this (as I avoid political articles like the plague). But to play “devil’s advocate”, it strike me that blocking them is exactly what they want… it just feeds their narrative. And it won’t stop them from doxing our editors in response. So it’s kind of pointless, and may cause more harm than good. Have fun storming the castle! Blueboar (talk) 15:14, 9 January 2025 (UTC)[reply]

How does banning bad actors, who chose to be bad actors, harm the project?--3family6 (Talk to me | See what I have done) 17:23, 9 January 2025 (UTC)[reply]

Their narrative already has enough food to last a long time. It's not like if we don't block them they'll say "actually, we changed our mind, wikipedia is OK now." Gnomingstuff (talk) 17:40, 9 January 2025 (UTC)[reply]

Given the threat to Dox, and use of links to phish for data, yes all links to them might be spam (or in fact malware). Yes, this might well go someway to prevent abuse. Slatersteven (talk) 15:07, 9 January 2025 (UTC)[reply]

If we were to set the noreferrer attribute and also have the per-page directive set to same-origin, I really wouldn't see a need to send it to the spam blacklist. There are going to be times where this website might be useful (for example, as a supplementary source when writing about historical policy proposals). The technical solution seems superior here, lest we have to start whitelisting a bunch of urls/pages (the website is used on over over 5000 pages).

The technical solution of setting the noreferrer attribute or making a per-page directive to same-originwould also provide much broader protection than just for problems with one url; we'd be stuck playing whack-a-mole otherwise, and a robust solution is better if we want to protect privacy. Think of, for example, the state-owned media sites that we permit linking to; they could easily be doing the same thing here. And there's good reason to believe that certain governments have been trying to unmask and harass Wikipedia editors—using URLs to phish for IPs is not hard to do, and it's really not hard for a well-capitalized group to have one-off domains for this exact purpose. — Red-tailed hawk _(nest) 17:26, 9 January 2025 (UTC)[reply]

if that's a possible solution, i might have started RFC too early... would prefer a compromise to protect users than jumping to plain blacklisting. Bluethricecreamman (talk) 17:55, 9 January 2025 (UTC)[reply]

Folks were already doing bolded votes before a proper RFC was placed at RSN, so appetite seemed high. Made an RFC at Wikipedia:Reliable_sources/Noticeboard#RFC:_The_Heritage_Foundation, notifying here Bluethricecreamman (talk) 15:39, 9 January 2025 (UTC)[reply]

Can somebody answer me at Talk:Xavi Simons. Thanks Like the windows (talk) 22:45, 8 January 2025 (UTC)[reply]