New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forbid anonymous comments for notes #1543
Comments
I had seen in the past anonymous comments like: "yes, shop xy is really closed". |
What happens if the anonymous reporter comes back to answer a question? |
Of hundreds closed by me notes I found maybe 5 when really anonymous reporter answered question. Others were OSM users who forget to login, or "hit and run" notes, which was never revisited again by author. |
While I've seen these single character comments in Gdańsk, in my experience legitimate anonymous comments are not that rare. Still, the system is too loose indeed. We could require a captcha for more than a few comments from the same person. |
IME i haven't seen many anonymous comments, it's rare in Ireland. But I have seen cases where there has been follow up feedback provided in an anonymous comment. |
From the above comments it looks like there are both unwanted anonymous comments along with useful ones. So it's not clear to me that we should block them. Rather than basing it on the experiences of a few people it might be worth examining the wider situation. We publish all the notes including comments at http://planet.openstreetmap.org/notes/ . Someone might be willing to run some analysis of these, to see how many anonymous comments vs regular comments, whether there's any correlation between types (or lengths) of comments vs how quickly they are resolved, and so on. Alternatively, we can approach this a different way, and instead make it easier for users to flag unhelpful comments, whether anonymous or not, see e.g. #1576 I realise the originally reported problem is genuine, I just don't want us to throw the baby out with the bathwater. |
Well, until you've all started receiving one-letter anonymous comments for every note you left, you won't get what we are experiencing here in Russia. In case of seemingly helpful answers, you cannot know if the comment was left by the same mapper, or just by a passing-by troll. Actually I can set up a bot that replies "Yes, I confirm that" to most of the notes, and 99% of mappers will consider that a legitimate comment. Anonymous notes are okay, since they are annotated with "don't trust this blindly", but anonymous comments turn our notes system into a 4chan. |
While I believe it has been suggested before, just to re-iterate: we could copy Wikipedias pseudo-anonymous approach here and store and display the IPv4/v6 address in lieu of a user name. This might work as a bit of a deterrent to not all too clued up spammers that I suspect is what we are seeing. The downside is that we would need to have specific ToU for the Notes subsystem and that it could legally be problematic from a privacy pov (naturally as deep pocketed WMF has a vested interest in the system it is likely that we would get support if it ever came to real trouble). |
We do store the IP address! |
Instead of IP addresses we could display them hashed, essentially giving anonymous users temporary user names. But the next question is, will that help banning anonymous users, and deleting all of their comments? |
How complicated it would be to enable captcha that would make spam more obnoxious also for our single letter spammer commenter? And yes, I can confirm that single letter comment spam on Russia is obnoxious. For now I set mail route that deletes all notifications that anonymous user commented on my note. |
How does one "enable captcha" for an api exactly? Not that we want to - captchas are hopeless. Plus the main source of captchas actively aids an OSM competitor. |
In 2016, there were 37687 comments by logged in users, and 16336 anonymous comments. In May to June of 2017, there was a normal amount of logged in comments, but 89.458 anonymous comments. From the conversation here, I guess they just stopped spamming in Russia? Since August of this year, anonymous comments are back to normal. |
I think anonymous comments should have to be treated the same as anonymous wiki edits. Editor known by IP adress so spammers have less obscurity and can be addressed by their actions. |
I have personally been fighting a very persistent vandal over the last year or so, who has created thousands of anonymous notes with bogus content. It is relatively easy to detect and remove them in a somewhat automated fashion. However, this user increasingly takes to vandalising existing notes (typical example: https://www.openstreetmap.org/note/799041), effectively making the notes system unusable in their area of interest. Policing these edits is difficult because there's no real-time feed of note comments and no way of deleting individual note comments. Hence the only remedy available is either hiding the note altogether (losing valuable information), or hiding it and creating a new, "cleansed", version, which also loses information about when and by whom the note was first created. I am therefore, once again, proposing that anonymous users should not be allowed to comment on notes. (I am ok with anonymous users creating new notes.) I realize that I am trying to introduce a general change to fight a very specific issue but I think that the abuse pattern we're seeing here could easily happen, and has apparently happened, elsewhere. |
2018-07-17 12:54 GMT+02:00 Frederik Ramm <notifications@github.com>:
I am therefore, once again, proposing that anonymous users should not be
allowed to comment on notes. (I am ok with anonymous users creating new
notes.)
+1, it will also avoid that registered mappers leave anonymous comments by
accident because they haven't been noticing they weren't logged in (happens
occassionally to me).
If you remove this functionality I would expect your vandal to move to
creating new notes (if he is insistent).
An alternative idea could be to hide anonymous comments and/or notes from
people that are not logged in (any logged in user could moderate to either
delete them or make them visible). So vandals like this would not have the
"satisfaction" of seeing the results of their actions.
|
I noticed this today around Denver (not all of the notes there, but a lot of those have these junk single letter replies). Is there an IP address we can block related to this vandal? That's a question only sysadmins can answer. @tomhughes said we are storing IP addresses of commenters, so my question is: did this vandal stick to a reasonably fixed IP address? and could we block it? Presumably we do do some general web server IP blocking already for heavy traffic abusers. I appreciate that's a short-term fix, because they may just swap to a different IP address, and if they don't, other future vandals surely will begin a cat n mouse game that way, but... seems like a first thing to try if we didn't already. (I think conventional web security wisdom is that you shouldn't play IP address blocking games, but if we're serious about allowing anonymous text contributions in the long run, then we may need to go down wikipedia's "soft security" route, and so maybe it does make sense to start doing some policing by IP address) |
Maybe it changed, but Wikipedia had some more or less successful IP-based blocks. It is not very helpful with dedicated vandals willing to pay for private VPNs, but it blocks at least bored teenagers. |
It's quite interesting - the address behind that note has opened about 500 notes, with sensible-ish descriptions (often one word) in Russian. It has also commented 5000 times all them just a single character. I have blocked the address and hidden all the one letter comments. |
Thanks! |
Cool. Let's if that works as a solution in this case at all. More generally with the "Forbid anonymous comments" idea suggested here I think it's OK-ish, but I'm tempted to dream up a more subtle ramping up of restrictions. @RicoElectrico suggested "require a captcha for more than a few comments" which doesn't work because we can't put a captcha on an API. However the hybrid of these ideas would be.... Forbid anonymous users from making more than a few comments per day. |
Can the anonymous user that posted the last 3 comments here also be blocked. It is bullying what he does. |
How much work would you put on admins to avoid blocking anonymous commenters? How many people would need to be affected by these malicious anonymous people? Does it need to be Tom or Harry? Are there examples of reliably useful comments that you would like to keep receiving? |
Side note: I wrote "there is no way of deleting individual note comments". While this is true, I noticed that the data model actually already supports the deletion (hiding) of individual note comments and there are even tests for ensuring they are indeed hidden, but there is neither an API nor a web user interface for this at the moment. I created a wishlist issue #1934 for that. |
The same Troll is now commenting on notes he created himself or every other note in the area (Utrecht Province) with words like "how long does it take to put it on the map?" or even commanding "Mapper X, do something!" This is so frustrating that I dont use or look on the note reports anymore. |
My approach in cases like this is to close note and recreate it (I skip recreation of original reporter was insulting and complained about minor unimportant missing things - like one unmapped shop among thousands of other unmapped). |
That will trigger the Troll even more, and I will get all those spam in my email box, no thank you.
|
I wonder if forbidding anonymous edits back in 2009 was met with similar reluctance. Repeating myself: while anonymous notes might have some value, anonymous comments absolutely do not. You do not know if a commenter is a note reporter, you do not have any continuity, absent security restrictions make it easy to spam, and absence of moderation turns it into a 4chan. |
It's too extreme to say anonymous comments have absolutely no value. Repeating VladimirSlavik's question "What happens if the anonymous reporter comes back to answer a question?" ...but maybe they're causing too much pain for the value they add. Is the single character commenter back again? Does it look like the same person or a small number of people causing a problem? I'm wondering if my idea still looks like it would help: Forbid anonymous users (identified by IP address) from making more than a few comments per day. It could show a message "Thanks contributing to OpenStreetMap via notes. If you wish to add more, please create an account to identify yourself" |
You may give each IP a random ID, but not to each user (one user may use many IPs - in extreme separate for every action, many users may use one IP - school or in some cases entire country may use single IP) |
Anoniem is nog steeds bezig met nieuwe opmerkingen en het geven van vervelende reactie. Zie een reactie Ik kan nog steeds geen opmerkingen of een reactie plaatsen. Ik betreur dat niemand mij kan helpen met mijn probleem. Zelfs de DWG helpt mij niet 👎 . Jaap de Vries Anonymous is still working on new comments and giving annoying reaction. See a comment I still can not comment a note or post comment. I regret that no one can help me with my problem. Even the DWG does not help me 👎. |
Hi, there's a flood of anonymous notes in Brazil too right now, most probably by one single user. I was thinking, a suggestion: it's not nice just forbiding, so what about limiting anonymous notes to 3, or 1, by day (detecting by IP)? If it's a spammer, it would be forced to halt; if it's really interested, will either register or resume next day. I dont know how, know very little about programming. |
One user may use many IPs and many users may use one IP. School or in some cases entire country may use a single IP. |
Ok, there will be always some pros and cons. The problem keeps standing. Any pro-active suggestion to effectively solve this problem? |
While there's no consensus on that, could we at least forbid anonymous users to close notes? A note created or commented by an anonymous, while inconvenient/annoying, can be verified later (having only the disadvantage of spending time and energy on it; but does not generate damage to the information or OSM). A note closed, however, can potentially lead to loss of information (for example, someone reported that there is a shop in a certain location and an anonymous user simply closes that note). This applies mainly to anonymous users who end up closing each and every open note they find on the map. |
Can you link to any note closed by anonymous user? AFAIK it is impossible to do as not logged in user. |
As has been suggested many times previously, prevent anonymous users from commenting on existing notes. I would go further than that and also suggest that we prevent anonymous users from creating notes in the first place. Any value that anonymous note comments and notes have is far outweighed by the problems that they cause - see the long thread above for evidence of this. The DWG also gets numerous reports of problem notes (often large numbers of notes in the same area at the same time). As @woodpeck mentions above there are a few things we can do on a note-by-note basis, but without a user account to hang the notes off there's no action that we can take against a note spammer that would prevent them from adding more. |
https://www.openstreetmap.org/note/808072 recent example of the kind of garbage we have to deal with from anonymous note commenters. |
I see a kind of double standards regarding this website. When I suggested we give maps.me users a simpler access to the website by implementing the same oauth access as for google and microsoft, it was almost unanimously blocked, 'cause it might hurt the map (I guess — isn't that the only argument we can have?). When dozens of active members ask for closing anonymous comments that visibly hurt the mappers' experience, it is still blocked, because even a slightest contribution matters. It can be either the first or the second. If a slightest contribution matters, then we should open to all, including the dreaded maps.me (although the moment is obviously lost). If mappers matter, then at least anonymous comments should be closed. |
Yeah, there were very vague reasons which boiled down to "This issue is blocked because it requires a policy decision". Then I made the policy (openstreetmap/operations#162), and everyone basically ignored it, because accepting or rejecting the policy would mean people would need to do something. But you're derailing the discussion. I know you're triggered with maps.me, but this is not about maps.me. This is about removing spam and not bothering mappers with info they cannot use. Why #1926 which closes this issue has not been merged yet? Could people in power please give an answer people could act on? Do we need another policy? |
All anonymous comments I recall are spam or people forgetting to log in. |
I don't think you'll like my answer, but here goes. I can't speak for anyone else and I don't know what the other maintainer thinks on this topic. But for me, it simply hasn't got to the top of my own priority list. There's only so many days in a week that I can spend on this project. I've even stepped down from OWG in order to spend more time here. But with so many open pull requests, so many open issues, my own priorities for the project (in particular, support for multiple API versions, and making it easier for new developers to get started) and all the other stuff, not everything gets done as fast as I would like, nor as fast as everyone else would like. It doesn't help that, behind the scenes, notes are implemented in a decidedly sub-optimal fashion, so any time I go near them I want to ignore the topic and work on other things!
Policies can help with certain things, but not e.g. making me work harder :-) |
Andy, I appreciate you working on the website, and I'm happy to see quite a lot of progress in its internal implementation. I don't require you or anybody to do anything with the matter. All I want is a clear decision that this — restricting anonymous notes — needs to be done and will be done in near future. Maybe not by coding, but by commenting on the ready-made pull request. I'd prefer not to see more discussion topics like how do we identify anonymous users or should we improve moderation. This issue is as of yesterday the most commented and the one with the most reactions on this issue tracker. If that doesn't mark it as the most important from a user side, I don't know what does. |
Reviewing PR and making decision is something that needs to be done. And especially with such policy decision - dealing with following complaints that are likely no matter what the decision will be made. |
Here's a valid anonymous comment... no wait, another user who got logged out :) As for complaints, a few options: Anonymous notes seem to have been of low value from the very beginning - https://help.openstreetmap.org/questions/23106/removing-anonymous-notes-from-map . |
Poland has many useful anonymous notes (with strong evidence that majority is really from people without accounts) |
We're not talking about anonymous notes here, only about additional anonymous comments on existing notes. So the first comment can still be anonymous, just not later ones. |
I've gotten some useful anonymous responses before when asking what the name of some place is or if a road goes through. That said, I'm not sure it balances out the bad. Maybe a way to do it would be to limit anonymous responses to two messages or something. Then the person could leave the initial message, respond if need be, but not spam the note system. |
First, the irony of having to login and discuss whether the need to log in to make a comment. Imagining for anonymous participation: Against anonymous without a Turing Test nor logging with credentials: |
classic bahesian spam detection can help: if the bahesian score is too low, discard it directly from anonymous users. If it's in a middle range (possibly frequent, but also in comments sent by logged in users), consider using a captcha to confirm it (and inform the user that he could avoid the captcha by creating an account and logging in). |
Another way would also be to limit the frequency of comments by "anon" IP (e.g. 1 per hour, then a captcha will be presented). If the IP is known to be in an open proxy, the threshold could be adjusted to 1 per 4 hours before the captcha is presented). Open proxies are not always bad, they are sometimes the only way to connect (from shared internet accesses in developing countries) and to help preserving users's privacy (or avoid local political/social/religious troubles for some mapped topics), or when people are traveling abroad and cannot use their regular ISP without excessive costs. There are also open wifi hotspots in hotels, restaurants, cafés, transportations, whose IP is always changing and reused by many unrelated users, sometimes from very different locations, and some mobile ISPs that never provide any stable IPv4 address but connect them with non routable temporary IPv4 that changes at each request, they are proxies by the ISP (not every mobile ISP provide IPv6 connectivity to allow unique and stable IPv6 instead of an unstable proxied IPv4). Let's not cut the route for the exploding number of mobile users. |
Can you explain your "down votes" just above? What is wrong against mobile users, when mobile are in some countries the only way to connect in most areas and all rural areas? Isn't this change highly biased in favor users located in well developed countries that will only map from their chair based on aerial photography ? How can most local users then easily comment these remotely made mappings? The best tool they have if their smartphone or tablet, or shared PCs in cafes, with unstable connections and very short sessions. Well if we block them here, they will contribute to Facebook or Twitter, not to OSM... |
We in Russia have encountered a person that is leaving anonymous one-letter comments to all of the notes. That got me thinking, why do we do that, allowing anonymous comments? I understand anonymous reports: people can help improving the map without registering. But comments cannot add anything helpful: reporters who commit, register.
The text was updated successfully, but these errors were encountered: