Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Forbid anonymous comments for notes #1543

Closed
Zverik opened this issue May 16, 2017 · 73 comments

Comments

@Zverik
Copy link
Contributor

commented May 16, 2017

We in Russia have encountered a person that is leaving anonymous one-letter comments to all of the notes. That got me thinking, why do we do that, allowing anonymous comments? I understand anonymous reports: people can help improving the map without registering. But comments cannot add anything helpful: reporters who commit, register.

@HolgerJeromin

This comment has been minimized.

Copy link
Contributor

commented May 16, 2017

I had seen in the past anonymous comments like: "yes, shop xy is really closed".
This was useful data.
But on the other side there are many comments "oh, in the last comment i forgot got login. It was me."

@VladimirSlavik

This comment has been minimized.

Copy link

commented May 18, 2017

What happens if the anonymous reporter comes back to answer a question?

@TakutoRU

This comment has been minimized.

Copy link

commented May 19, 2017

Of hundreds closed by me notes I found maybe 5 when really anonymous reporter answered question. Others were OSM users who forget to login, or "hit and run" notes, which was never revisited again by author.
Maybe some captcha on comments help with mass bot spamming? False alarms from spam comments to my notes start to be annoyance.

@RicoElectrico

This comment has been minimized.

Copy link

commented Jul 9, 2017

While I've seen these single character comments in Gdańsk, in my experience legitimate anonymous comments are not that rare.

Still, the system is too loose indeed. We could require a captcha for more than a few comments from the same person.

@rory

This comment has been minimized.

Copy link

commented Jul 9, 2017

IME i haven't seen many anonymous comments, it's rare in Ireland. But I have seen cases where there has been follow up feedback provided in an anonymous comment.

@gravitystorm

This comment has been minimized.

Copy link
Collaborator

commented Jul 10, 2017

From the above comments it looks like there are both unwanted anonymous comments along with useful ones. So it's not clear to me that we should block them. Rather than basing it on the experiences of a few people it might be worth examining the wider situation.

We publish all the notes including comments at http://planet.openstreetmap.org/notes/ . Someone might be willing to run some analysis of these, to see how many anonymous comments vs regular comments, whether there's any correlation between types (or lengths) of comments vs how quickly they are resolved, and so on.

Alternatively, we can approach this a different way, and instead make it easier for users to flag unhelpful comments, whether anonymous or not, see e.g. #1576

I realise the originally reported problem is genuine, I just don't want us to throw the baby out with the bathwater.

@Zverik

This comment has been minimized.

Copy link
Contributor Author

commented Jul 17, 2017

Well, until you've all started receiving one-letter anonymous comments for every note you left, you won't get what we are experiencing here in Russia. In case of seemingly helpful answers, you cannot know if the comment was left by the same mapper, or just by a passing-by troll. Actually I can set up a bot that replies "Yes, I confirm that" to most of the notes, and 99% of mappers will consider that a legitimate comment.

Anonymous notes are okay, since they are annotated with "don't trust this blindly", but anonymous comments turn our notes system into a 4chan.

@simonpoole

This comment has been minimized.

Copy link
Contributor

commented Jul 17, 2017

While I believe it has been suggested before, just to re-iterate: we could copy Wikipedias pseudo-anonymous approach here and store and display the IPv4/v6 address in lieu of a user name. This might work as a bit of a deterrent to not all too clued up spammers that I suspect is what we are seeing.

The downside is that we would need to have specific ToU for the Notes subsystem and that it could legally be problematic from a privacy pov (naturally as deep pocketed WMF has a vested interest in the system it is likely that we would get support if it ever came to real trouble).

@tomhughes

This comment has been minimized.

Copy link
Member

commented Jul 17, 2017

We do store the IP address!

@Zverik

This comment has been minimized.

Copy link
Contributor Author

commented Jul 17, 2017

Instead of IP addresses we could display them hashed, essentially giving anonymous users temporary user names.

But the next question is, will that help banning anonymous users, and deleting all of their comments?

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Jul 23, 2017

How complicated it would be to enable captcha that would make spam more obnoxious also for our single letter spammer commenter?

And yes, I can confirm that single letter comment spam on Russia is obnoxious. For now I set mail route that deletes all notifications that anonymous user commented on my note.

@tomhughes

This comment has been minimized.

Copy link
Member

commented Jul 23, 2017

How does one "enable captcha" for an api exactly?

Not that we want to - captchas are hopeless. Plus the main source of captchas actively aids an OSM competitor.

@joostschouppe

This comment has been minimized.

Copy link

commented Jan 2, 2018

In 2016, there were 37687 comments by logged in users, and 16336 anonymous comments. In May to June of 2017, there was a normal amount of logged in comments, but 89.458 anonymous comments. From the conversation here, I guess they just stopped spamming in Russia? Since August of this year, anonymous comments are back to normal.
Do you guys still think it's worth seeing if useful anonymous comments have real added value? I made the numbers above unrelated to this thread, see this diary post for some more stuff (with links to my scripts). If there's still interest related to this issue, I could give it a go.

@MaartenDeen

This comment has been minimized.

Copy link

commented Feb 10, 2018

I think anonymous comments should have to be treated the same as anonymous wiki edits. Editor known by IP adress so spammers have less obscurity and can be addressed by their actions.
So a comment should not come from "Anonymous", but from IP 1.2.3.4 (Anonymous)" or so.
We are all anonymous to some degree and having a name does not mean that you're that person, but this way you can attribute different comments to the same person. And I think that is a valuable tool.

@woodpeck

This comment has been minimized.

Copy link
Contributor

commented Jul 17, 2018

I have personally been fighting a very persistent vandal over the last year or so, who has created thousands of anonymous notes with bogus content. It is relatively easy to detect and remove them in a somewhat automated fashion. However, this user increasingly takes to vandalising existing notes (typical example: https://www.openstreetmap.org/note/799041), effectively making the notes system unusable in their area of interest. Policing these edits is difficult because there's no real-time feed of note comments and no way of deleting individual note comments. Hence the only remedy available is either hiding the note altogether (losing valuable information), or hiding it and creating a new, "cleansed", version, which also loses information about when and by whom the note was first created.

I am therefore, once again, proposing that anonymous users should not be allowed to comment on notes. (I am ok with anonymous users creating new notes.)

I realize that I am trying to introduce a general change to fight a very specific issue but I think that the abuse pattern we're seeing here could easily happen, and has apparently happened, elsewhere.

@dieterdreist

This comment has been minimized.

Copy link

commented Jul 17, 2018

@harry-wood

This comment has been minimized.

Copy link
Contributor

commented Jul 20, 2018

I noticed this today around Denver (not all of the notes there, but a lot of those have these junk single letter replies).

Is there an IP address we can block related to this vandal? That's a question only sysadmins can answer. @tomhughes said we are storing IP addresses of commenters, so my question is: did this vandal stick to a reasonably fixed IP address? and could we block it? Presumably we do do some general web server IP blocking already for heavy traffic abusers.

I appreciate that's a short-term fix, because they may just swap to a different IP address, and if they don't, other future vandals surely will begin a cat n mouse game that way, but... seems like a first thing to try if we didn't already.

(I think conventional web security wisdom is that you shouldn't play IP address blocking games, but if we're serious about allowing anonymous text contributions in the long run, then we may need to go down wikipedia's "soft security" route, and so maybe it does make sense to start doing some policing by IP address)

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Jul 20, 2018

conventional web security wisdom is that you shouldn't play IP address blocking games

Maybe it changed, but Wikipedia had some more or less successful IP-based blocks. It is not very helpful with dedicated vandals willing to pay for private VPNs, but it blocks at least bored teenagers.

@tomhughes

This comment has been minimized.

Copy link
Member

commented Jul 20, 2018

It's quite interesting - the address behind that note has opened about 500 notes, with sensible-ish descriptions (often one word) in Russian.

It has also commented 5000 times all them just a single character.

I have blocked the address and hidden all the one letter comments.

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Jul 20, 2018

I have blocked the address and hidden all the one letter comments.

Thanks!

@harry-wood

This comment has been minimized.

Copy link
Contributor

commented Jul 20, 2018

Cool. Let's if that works as a solution in this case at all.

More generally with the "Forbid anonymous comments" idea suggested here I think it's OK-ish, but I'm tempted to dream up a more subtle ramping up of restrictions. @RicoElectrico suggested "require a captcha for more than a few comments" which doesn't work because we can't put a captcha on an API. However the hybrid of these ideas would be....

Forbid anonymous users from making more than a few comments per day.

@MaartenDeen

This comment has been minimized.

Copy link

commented Jul 20, 2018

Can the anonymous user that posted the last 3 comments here also be blocked. It is bullying what he does.
And no doubt it is the same person as the one who made the other spam comments.

@Zverik

This comment has been minimized.

Copy link
Contributor Author

commented Jul 20, 2018

How much work would you put on admins to avoid blocking anonymous commenters? How many people would need to be affected by these malicious anonymous people? Does it need to be Tom or Harry? Are there examples of reliably useful comments that you would like to keep receiving?

@woodpeck

This comment has been minimized.

Copy link
Contributor

commented Jul 22, 2018

Side note: I wrote "there is no way of deleting individual note comments". While this is true, I noticed that the data model actually already supports the deletion (hiding) of individual note comments and there are even tests for ensuring they are indeed hidden, but there is neither an API nor a web user interface for this at the moment. I created a wishlist issue #1934 for that.

@ligfietser

This comment has been minimized.

Copy link

commented Nov 1, 2018

Can the anonymous user that posted the last 3 comments here also be blocked. It is bullying what he does.
And no doubt it is the same person as the one who made the other spam comments.

The same Troll is now commenting on notes he created himself or every other note in the area (Utrecht Province) with words like "how long does it take to put it on the map?" or even commanding "Mapper X, do something!" This is so frustrating that I dont use or look on the note reports anymore.

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Nov 1, 2018

"how long does it take to put it on the map?" or even commanding "Mapper X, do something!"

My approach in cases like this is to close note and recreate it (I skip recreation of original reporter was insulting and complained about minor unimportant missing things - like one unmapped shop among thousands of other unmapped).

@ligfietser

This comment has been minimized.

Copy link

commented Nov 1, 2018

That will trigger the Troll even more, and I will get all those spam in my email box, no thank you.

"how long does it take to put it on the map?" or even commanding "Mapper X, do something!"

My approach in cases like this is to close note and recreate it (I skip recreation of original reporter was insulting and complained about minor unimportant missing things - like one unmapped shop among thousands of other unmapped).

@Zverik

This comment has been minimized.

Copy link
Contributor Author

commented Nov 1, 2018

I wonder if forbidding anonymous edits back in 2009 was met with similar reluctance.

Repeating myself: while anonymous notes might have some value, anonymous comments absolutely do not. You do not know if a commenter is a note reporter, you do not have any continuity, absent security restrictions make it easy to spam, and absence of moderation turns it into a 4chan.

@harry-wood

This comment has been minimized.

Copy link
Contributor

commented Nov 1, 2018

It's too extreme to say anonymous comments have absolutely no value. Repeating VladimirSlavik's question "What happens if the anonymous reporter comes back to answer a question?" ...but maybe they're causing too much pain for the value they add.

Is the single character commenter back again? Does it look like the same person or a small number of people causing a problem? I'm wondering if my idea still looks like it would help:

Forbid anonymous users (identified by IP address) from making more than a few comments per day. It could show a message "Thanks contributing to OpenStreetMap via notes. If you wish to add more, please create an account to identify yourself"

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Nov 27, 2018

each anonymous user

You may give each IP a random ID, but not to each user (one user may use many IPs - in extreme separate for every action, many users may use one IP - school or in some cases entire country may use single IP)

@jaapdevries1

This comment has been minimized.

Copy link

commented Dec 3, 2018

Anoniem is nog steeds bezig met nieuwe opmerkingen en het geven van vervelende reactie. Zie een reactie
van hem https://www.openstreetmap.org/note/1542596#map=15/51.7054/5.3373&layers=N en https://www.openstreetmap.org/note/1578045#map=13/52.1294/5.3699&layers=N

Ik kan nog steeds geen opmerkingen of een reactie plaatsen. Ik betreur dat niemand mij kan helpen met mijn probleem. Zelfs de DWG helpt mij niet 👎 .
Mijn ip adres is: Netherlands 90.145.225.154

Jaap de Vries


Anonymous is still working on new comments and giving annoying reaction. See a comment
  from him https://www.openstreetmap.org/note/1542596#map=15/51.7054/5.3373&layers=N and https://www.openstreetmap.org/note/1578045#map=13/52.1294/5.3699&layers= N

I still can not comment a note or post comment. I regret that no one can help me with my problem. Even the DWG does not help me 👎.
My IP address is: Netherlands 90.145.225.154

@smaprs

This comment has been minimized.

Copy link

commented Jan 3, 2019

Hi, there's a flood of anonymous notes in Brazil too right now, most probably by one single user. I was thinking, a suggestion: it's not nice just forbiding, so what about limiting anonymous notes to 3, or 1, by day (detecting by IP)? If it's a spammer, it would be forced to halt; if it's really interested, will either register or resume next day. I dont know how, know very little about programming.

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Jan 3, 2019

One user may use many IPs and many users may use one IP. School or in some cases entire country may use a single IP.

@smaprs

This comment has been minimized.

Copy link

commented Jan 3, 2019

Ok, there will be always some pros and cons. The problem keeps standing. Any pro-active suggestion to effectively solve this problem?

@naoliv

This comment has been minimized.

Copy link

commented Jan 3, 2019

While there's no consensus on that, could we at least forbid anonymous users to close notes?

A note created or commented by an anonymous, while inconvenient/annoying, can be verified later (having only the disadvantage of spending time and energy on it; but does not generate damage to the information or OSM).

A note closed, however, can potentially lead to loss of information (for example, someone reported that there is a shop in a certain location and an anonymous user simply closes that note).

This applies mainly to anonymous users who end up closing each and every open note they find on the map.

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Jan 3, 2019

could we at least forbid anonymous users to close notes

Can you link to any note closed by anonymous user? AFAIK it is impossible to do as not logged in user.

@naoliv

This comment has been minimized.

Copy link

commented Jan 3, 2019

Can you link to any note closed by anonymous user? AFAIK it is impossible to do as not logged in user.

Why didn't I test it...

I am sorry.

@SomeoneElseOSM

This comment has been minimized.

Copy link

commented Jul 23, 2019

Ok, there will be always some pros and cons. The problem keeps standing. Any pro-active suggestion to effectively solve this problem?

As has been suggested many times previously, prevent anonymous users from commenting on existing notes. I would go further than that and also suggest that we prevent anonymous users from creating notes in the first place.

Any value that anonymous note comments and notes have is far outweighed by the problems that they cause - see the long thread above for evidence of this. The DWG also gets numerous reports of problem notes (often large numbers of notes in the same area at the same time). As @woodpeck mentions above there are a few things we can do on a note-by-note basis, but without a user account to hang the notes off there's no action that we can take against a note spammer that would prevent them from adding more.

@woodpeck

This comment has been minimized.

Copy link
Contributor

commented Aug 11, 2019

https://www.openstreetmap.org/note/808072 recent example of the kind of garbage we have to deal with from anonymous note commenters.

@Zverik

This comment has been minimized.

Copy link
Contributor Author

commented Aug 12, 2019

I see a kind of double standards regarding this website. When I suggested we give maps.me users a simpler access to the website by implementing the same oauth access as for google and microsoft, it was almost unanimously blocked, 'cause it might hurt the map (I guess — isn't that the only argument we can have?). When dozens of active members ask for closing anonymous comments that visibly hurt the mappers' experience, it is still blocked, because even a slightest contribution matters.

It can be either the first or the second. If a slightest contribution matters, then we should open to all, including the dreaded maps.me (although the moment is obviously lost). If mappers matter, then at least anonymous comments should be closed.

@simonpoole

This comment has been minimized.

Copy link
Contributor

commented Aug 12, 2019

Just so that everybody can read what the problem with @Zverik PR was at the time I offer #1433 (note no mention of 'cause it might hurt the map).

@Zverik

This comment has been minimized.

Copy link
Contributor Author

commented Aug 12, 2019

Yeah, there were very vague reasons which boiled down to "This issue is blocked because it requires a policy decision". Then I made the policy (openstreetmap/operations#162), and everyone basically ignored it, because accepting or rejecting the policy would mean people would need to do something.

But you're derailing the discussion. I know you're triggered with maps.me, but this is not about maps.me. This is about removing spam and not bothering mappers with info they cannot use.

Why #1926 which closes this issue has not been merged yet? Could people in power please give an answer people could act on? Do we need another policy?

@richlv

This comment has been minimized.

Copy link

commented Aug 13, 2019

All anonymous comments I recall are spam or people forgetting to log in.
As a community, we waste tons of time on these that is not offset by one-off useful anonymous comment.

@gravitystorm

This comment has been minimized.

Copy link
Collaborator

commented Aug 13, 2019

Why #1926 which closes this issue has not been merged yet? Could people in power please give an answer people could act on?

I don't think you'll like my answer, but here goes. I can't speak for anyone else and I don't know what the other maintainer thinks on this topic. But for me, it simply hasn't got to the top of my own priority list. There's only so many days in a week that I can spend on this project. I've even stepped down from OWG in order to spend more time here. But with so many open pull requests, so many open issues, my own priorities for the project (in particular, support for multiple API versions, and making it easier for new developers to get started) and all the other stuff, not everything gets done as fast as I would like, nor as fast as everyone else would like.

It doesn't help that, behind the scenes, notes are implemented in a decidedly sub-optimal fashion, so any time I go near them I want to ignore the topic and work on other things!

Do we need another policy?

Policies can help with certain things, but not e.g. making me work harder :-)

@Zverik

This comment has been minimized.

Copy link
Contributor Author

commented Aug 14, 2019

Andy, I appreciate you working on the website, and I'm happy to see quite a lot of progress in its internal implementation. I don't require you or anybody to do anything with the matter. All I want is a clear decision that this — restricting anonymous notes — needs to be done and will be done in near future. Maybe not by coding, but by commenting on the ready-made pull request. I'd prefer not to see more discussion topics like how do we identify anonymous users or should we improve moderation.

This issue is as of yesterday the most commented and the one with the most reactions on this issue tracker. If that doesn't mark it as the most important from a user side, I don't know what does.

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Aug 14, 2019

I don't require you or anybody to do anything with the matter. All I want is a clear decision that this — restricting anonymous notes

Reviewing PR and making decision is something that needs to be done. And especially with such policy decision - dealing with following complaints that are likely no matter what the decision will be made.

@richlv

This comment has been minimized.

Copy link

commented Aug 16, 2019

Here's a valid anonymous comment... no wait, another user who got logged out :)
https://www.openstreetmap.org/note/1729759

As for complaints, a few options:
a) Send them all to me. I'll try to reply to all with a polite, canned response.
b) Auto-suggest people complaining that they should survey and fix all anonymous notes first.

Anonymous notes seem to have been of low value from the very beginning - https://help.openstreetmap.org/questions/23106/removing-anonymous-notes-from-map .

@matkoniecz

This comment has been minimized.

Copy link
Contributor

commented Aug 16, 2019

Anonymous notes seem to have been of low value from the very beginning

Poland has many useful anonymous notes (with strong evidence that majority is really from people without accounts)

@tomhughes

This comment has been minimized.

Copy link
Member

commented Aug 16, 2019

We're not talking about anonymous notes here, only about additional anonymous comments on existing notes. So the first comment can still be anonymous, just not later ones.

@Adamant36

This comment has been minimized.

Copy link

commented Aug 17, 2019

I've gotten some useful anonymous responses before when asking what the name of some place is or if a road goes through. That said, I'm not sure it balances out the bad. Maybe a way to do it would be to limit anonymous responses to two messages or something. Then the person could leave the initial message, respond if need be, but not spam the note system.

@Igmu

This comment has been minimized.

Copy link

commented Aug 29, 2019

First, the irony of having to login and discuss whether the need to log in to make a comment.

Imagining for anonymous participation:
Political restriction to access current information.
"Open" should be open to all and errors should be reduced by population of contributors.
Save on storage? More contributors vs user info?

Against anonymous without a Turing Test nor logging with credentials:
Trolls.

@verdy-p

This comment has been minimized.

Copy link

commented Aug 30, 2019

classic bahesian spam detection can help: if the bahesian score is too low, discard it directly from anonymous users. If it's in a middle range (possibly frequent, but also in comments sent by logged in users), consider using a captcha to confirm it (and inform the user that he could avoid the captcha by creating an account and logging in).
If the comment is long enough (giving details, or a non intrusive link e.g. to a photo site where users must be logged in, or to wellknown peer-reviewed data sources, consider adding it reasonnably so that these details can be reevaluated, or explaining a situation like local changes not currently visible in the aerial, or recent works/damages, or a press article) it can be kept (as long as the link itself is not in a banned spamming domain)
Bahesian score filters work quite well for emails, why couldn't they be used for comments ? There are already good datasources for evaluating mail contents if we don't want to host out own local database for Bahesian evaluation (e.g. Wikimedia uses several parsers to autodetect and evaluate edits in articles, plus some whitelists and blacklists, and other sources like DNSBL providers)

@verdy-p

This comment has been minimized.

Copy link

commented Aug 30, 2019

Another way would also be to limit the frequency of comments by "anon" IP (e.g. 1 per hour, then a captcha will be presented). If the IP is known to be in an open proxy, the threshold could be adjusted to 1 per 4 hours before the captcha is presented). Open proxies are not always bad, they are sometimes the only way to connect (from shared internet accesses in developing countries) and to help preserving users's privacy (or avoid local political/social/religious troubles for some mapped topics), or when people are traveling abroad and cannot use their regular ISP without excessive costs.

There are also open wifi hotspots in hotels, restaurants, cafés, transportations, whose IP is always changing and reused by many unrelated users, sometimes from very different locations, and some mobile ISPs that never provide any stable IPv4 address but connect them with non routable temporary IPv4 that changes at each request, they are proxies by the ISP (not every mobile ISP provide IPv6 connectivity to allow unique and stable IPv6 instead of an unstable proxied IPv4). Let's not cut the route for the exploding number of mobile users.

@verdy-p

This comment has been minimized.

Copy link

commented Sep 8, 2019

Can you explain your "down votes" just above? What is wrong against mobile users, when mobile are in some countries the only way to connect in most areas and all rural areas? Isn't this change highly biased in favor users located in well developed countries that will only map from their chair based on aerial photography ? How can most local users then easily comment these remotely made mappings? The best tool they have if their smartphone or tablet, or shared PCs in cafes, with unstable connections and very short sessions. Well if we block them here, they will contribute to Facebook or Twitter, not to OSM...

@openstreetmap openstreetmap locked as resolved and limited conversation to collaborators Sep 8, 2019

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
You can’t perform that action at this time.