Wikipedia:Wikipedia Signpost/2010-08-16/Spam attacks
Large scale vandalism revealed to be "study" by university researcher
Two heavy spam attacks on the English Wikipedia last month have been traced back to a researcher at a U.S. university, in an affair that is likely to add to existing debates about the ethics of Wikipedia research.
The incidents
The first attack occurred on July 14, with several autoconfirmed accounts (example) inserting the message "Want to be inches larger?" in large letters on top of many different articles, linking to an online shop. In a blog post for computer security firm Sophos ("Wikipedia hacked - Footballers need help in bed?", a reference to the 2010 FIFA World Cup, one of the affected articles), Chester Wisniewski, a senior security advisor at the company, described the vandalism, noting that the advertised site had an unusual appearance: "Unlike the usual spam for penis pills and cheap Canadian drugs that uses a couple of 'medical professionals' to promote the site, this campaign uses a photo of a satisfied couple" (he included a screenshot, too). Wisniewski's observations were quoted in news reports about the attacks that appeared on Softpedia.com [2] and on Spamfighter.com [3].
Following the attacks, Versageek blocked a number of other accounts with the rationale "abusing multiple accounts for spamming - checkuser block" and posted the following on the talk page of an established user, under the heading "Misdirected Testing?":
- Checkuser results suggest that one of your linkspam related software tests may inadvertently be pointing to the English Wikipedia rather than test wiki. Please check your settings & adjust accordingly.
The account belongs to A. W., a doctoral student at the University of Pennsylvania's Department of Computer and Information Science. On his university home page, he states:
- Currently, I work on the Quantitative Trust Management (QTM) project under the advisement of [I.L.], [S.K.], and [O.S.]. My recent research has been on spam mitigation techniques, the prevention of vandalism on Wikipedia, and spatio-temporal reputation.
W. is known to Wikipedians as the developer of STiki, a vandalism detection tool released earlier this year which relies on a "spatio-temporal analysis" of revision metadata and machine learning techniques. It has received praise from several of its users and was the topic of W.'s presentations at several conferences (Eurosec, Wikisym, Wikimania).
W.'s edits during the following days do not show a reaction to Versageek's note. On July 20, another heavy spam attack occurred, inserting a message on top of many articles that read "Congratulations! Wikipedia's one-billionth user. Click to collect your prize!". (Example of one of the autoconfirmed accounts used for the attack.) Many readers of Wikipedia appear to have been troubled by the message, judging from the questions about it in web fora and on Wikipedia's help desk. Some suspected a PC virus infection ("My sister was searching on wikipedia and the following text came up in big red letters: ..." [4]).
On the following day, SirFozzie blocked a number of accounts for "Abusing multiple accounts" and left the following comment on the talk page of W.'s main account:
- I have blocked this account (amongst others) for the recent issues with regards to recent tests done on Wikipedia's articles. Please contact the Arbitration Committee via email [...] at your earliest timeframe, to discuss this. SirFozzie (talk) 16:37, 21 July 2010 (UTC)
The contributions of one of the accounts blocked by SirFozzie show a rapid succession of edits to the Sandbox with the edit summary "an exploration into rate-limiting".
The ArbCom later confirmed to the Signpost that W. had carried out both attacks.
Resolving the affair
On August 11, ArbCom member Risker posted the following statement on W.'s talk page:
- The Arbitration Committee has reviewed your block and the information you have submitted privately, and is prepared to unblock you conditionally. The conditions of your unblock are as follows: [...]
W. reacted to the unblock offer ten minutes later, stating:
“ | "I agree to these conditions, and offer a sincere apology to the community. | ” |
As clarified by ArbCom to The Signpost, condition 3 refers to the possibility that the English Wikipedia might develop a community process to oversee research, and to the Research Committee that the Wikimedia Foundation intends to form (see last week's Signpost coverage).
According to an RfC announcement about the introduction of the "Researcher" user rights group last June (see Signpost coverage), W. had requested to be granted this new right back then, but his application had been put on hold by the Foundation's Deputy Director Erik Möller, suggesting it should be handled by the community.
Interview
W. agreed to answer several questions about the affair to the Signpost:
- 1. What were your motives for carrying out these edits?
- An economic study of spamming behaviors on Wikipedia was conducted. That is, for a link addition (or group thereof), how many (1) see the link, (2) click the link (click-through), and (3) continue to make a purchase on the destination site (conversion). The net-profit of these sales can then be compared to the cost of making the link additions, and an economic argument made about such behaviors[1].
- The experiments allowed us to obtain data that convincingly demonstrates (1) that Wikipedia is vulnerable to major spam attacks, which can be highly profitable to the perpetrators, and (2) that current protection mechanisms are insufficient. Having shown this, it was our intention to collaborate with WP/WM/WMF on solutions to prevent truly malicious attacks of this nature.
- 2. Why did you choose these particular forms of vandalism for your test?
- To an end-user, we desired our experiments to appear consistent with what a truly malicious entity (i.e., a spammer) might attempt. In this manner, the click through and conversion rates we measured would be unbiased. Blatant link placement on popular articles permits many users to see the link -- even under the assumption it will be reverted seconds later. Vulnerabilities in Wikipedia make it trivial for users to obtain the privileges necessary to carry out such an attack.
- Internal to the experiment, protections were taken to ensure no harm to participants (e.g., Wikipedia users). Our external links took users to an online business under our control, a pharmacy. The payment functionality of this pharmacy was disabled, and therefore could only measure an “intent to purchase.” Further, the IP addresses of our visitors were not stored (our goal was to measure their quantity).
- 3. Was one of your advisors ([I.L.], [O.S.], or [S.K.]) aware of these actions, and if yes, did he approve them?
- [S.K.] was not aware of these experiments. [I.L.] and [O.S.] were aware of my motivations in these experiments, and support them.
- 4. Any other comments you would like to make on the issue?
- Our decision to engage in active measurement involved many considerations. Primarily, more passive strategies were believed to be inappropriate. For example, a proxy-based redirection of existing spam was considered. But, the nature of existing spam events is such that statistics would not speak to the economics of a blatant strategy that targets popular pages. Further, a large quantity of such redirection events (somewhat disruptive) would have been required to obtain meaningful statistics.
- Objective data could not be obtained without these experiments and their non-consenting participants. Attempting to have participants “opt in” or “de-briefing” them after their participation presents both technical and practical difficulties. Opt-in procedures would bias user behavior. Given the “pipeline” nature of experiments, ex-post facto “de-briefing” is difficult, and may have forced us to sacrifice user anonymity. Additionally, our pharmacy collected a minimal amount of data about visitors – a level consistent with what most major websites measure.
- Some users have speculated that these experiments were the result of a mis-configuration of my anti-vandalism tool, STiki. I would like to clarify that this is not the case. STiki remains a safe tool, which is still under active development, and working hard to locate acts of vandalism on Wikipedia.
- Finally, we apologize to the Wikipedia community for any disruption caused, and reinforce that our intentions were for the betterment of the community.
[Note: The names of the UPenn researchers have been redacted to initials for this article.]
Discuss this story
Has the university been contacted with ethics concerns? Has anyone verified that the supervisors have in fact supported this "research"? - David Gerard (talk) 08:52, 17 August 2010 (UTC)
Anyone who thinks that it's a "vulnerability" that Wikipedia can be edited freely should be banned forever, no matter how many college degrees they have. This is like someone stealing all the change from the charity jar to demonstrate how "weak" the honor system is. I see nothing but a fundamental lack of clue, along with demonstrated malicious behavior. Gigs (talk) 19:11, 17 August 2010 (UTC)
If the University of Pennsylvania institutional review board approved this, then I say we should let it go. If it is exempt from IRB jurisdiction then were at least the two faculty advisers who were “aware of [your] motivations in these experiments” briefed in detail on what you were planning to do before you did it, and did they approve of the actions themselves (rather than merely the motivations)? Bwrs (talk) 05:10, 20 August 2010 (UTC)
Redaction
Why redact the name of the guy who did this? It's easy enough to figure out from the links provided to diffs. Powers T 13:12, 17 August 2010 (UTC)
Wikipedia:WikiProject Vandalism studies
It may be useful to note that the author of the study was a member of Wikipedia:WikiProject Vandalism studies and that this project intends to determine the scope and type of vandalism that occurs on wikipedia. Remember (talk) 13:46, 17 August 2010 (UTC)
Re-inventing the wheel -- hubris or folly?
About 5 to 10 volunteers spend a lot of time dealing with spam problems here and on other Wikimedia projects. I may be wrong but I don't think A.W. communicated with any of us. It would have been helpful to us to have some input into A.W.'s research. We do not have the resources of an Ivy League university behind us and it might have been useful to point his research towards those particular challenges we've found especially vexing.
Conversely, A.W.'s research might have been more useful to him, his advisors and his university had he bothered to find out what these Wikipedia volunteers already know about spam. Collectively, we've spent 1000s of hours studying spammer patterns -- their motivations, their methods, etc. Some of us have spent time in black hat spammer forums --the spam world has its own little multinational ecosystem of players with various economic niches. Other volunteers have developed various tools and scripts for spotting, tracking and cleaning up spam. If nothing else, we're aware of many of our own vulnerabilities. For obvious reasons, we don't post everything we know online since we know some spammers read and disseminate stuff posted at WikiProject Spam, its very active talk page and Meta-wiki's Talk:Spam blacklist page.
Step One in academic research is to find out what's already been learned, then build on it rather than repeat it. Perhaps A.W.'s been communicating with others and I'm just not aware of it. Otherwise, he's wasted not just our time and resources but his own and that of his sponsors. The editors who involuntarily wasted their time on A.W.'s research probably don't appreciate it anymore than his school's faculty would enjoy one of us periodically knocking over their desks in the name of science.
This has to be embarrassing for his school's computer science department. As annoyed as I am, at some level I feel sorry for this guy; I'm sure he has talent and promise and I hope for his sake this doesn't damage his career too much. --A. B. (talk • contribs) 14:08, 17 August 2010 (UTC)
mike@enwiki:~$ 18:11, 17 August 2010 (UTC)
Perhaps slow down use of write API
I am not a developer, but perhaps we could put a limit on autoconfirmed-and-below's use of the write API, perhaps to only, say, 20 times per minute (one every three seconds) per IP or per user, rather than allowing just one of these users to post the same link to 172 articles in the space of 3 minutes (average of 57.3 posts per minute or one post every 1.05 seconds)? Clearly, we don't want to limit approved bots in this manner, but it would cut down significantly on vandalbots and spambots. Bk314159 (talk) 16:35, 17 August 2010 (UTC)
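The throttle proposed in this comment, modelled as an added illustration (this is not MediaWiki's rate-limiting code, nor anything the commenter wrote): a per-principal sliding-window counter using the comment's figure of 20 edits per minute, an exemption for approved bots, and constructed sample traffic in which one account posts 172 edits in 180 seconds, alongside a human editing at a normal pace. The class and function names, the sample account names and the edit sequences are all assumptions made for the example.

```python
"""Sliding-window edit throttle (added example, not MediaWiki code).

Assumes every edit arrives as (timestamp_seconds, principal, exempt), where
principal is a user name or an IP address and exempt marks approved bots.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_EDITS_PER_WINDOW = 20   # the "20 times per minute" figure from the comment


class EditRateLimiter:
    """Counts edits per principal inside a trailing window; rejects the
    (limit+1)th edit inside any window without consuming a slot."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_EDITS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)   # principal -> accepted timestamps

    def allow(self, principal, ts, exempt=False):
        """Return True if the edit may proceed at time ts (seconds)."""
        if exempt:                          # approved bots are not throttled
            return True
        q = self._events[principal]
        while q and ts - q[0] >= self.window:   # expire old accepted edits
            q.popleft()
        if len(q) >= self.limit:
            return False                    # rejected edits do not count
        q.append(ts)
        return True


def simulate(edits, limiter=None):
    """Run a sequence of (ts, principal, exempt) edits through the limiter.
    Returns {principal: (allowed, rejected)} so bursty principals stand out."""
    limiter = limiter or EditRateLimiter()
    counts = defaultdict(lambda: [0, 0])
    for ts, principal, exempt in sorted(edits, key=lambda e: e[0]):
        idx = 0 if limiter.allow(principal, ts, exempt) else 1
        counts[principal][idx] += 1
    return {p: tuple(c) for p, c in counts.items()}


# Constructed sample traffic (assumed names and timings):
#  - "spamacct": 172 edits evenly spread over 180 s, the rate quoted above
#  - "goodfaith": a person saving one edit every 45 s
#  - "ApprovedBot": a fast but exempt bot
BURST = [(i * 180 / 172, "spamacct", False) for i in range(172)]
HUMAN = [(i * 45.0, "goodfaith", False) for i in range(10)]
BOT = [(i * 0.5, "ApprovedBot", True) for i in range(200)]
SAMPLE_EDITS = BURST + HUMAN + BOT


if __name__ == "__main__":
    for principal, (ok, dropped) in simulate(SAMPLE_EDITS).items():
        print(f"{principal:12s} allowed={ok:3d} rejected={dropped:3d}")
```

With these inputs the burst account gets 20 edits through, is then refused until its oldest accepted edit ages out of the window, and is admitted in further batches of 20 as slots free up, so 60 of its 172 edits land and 112 are refused; the human and the exempt bot are untouched. That saw-tooth is a property of any sliding-window counter and is why a production limiter would usually pair the counter with a longer-window or escalating penalty. MediaWiki itself has a configurable throttle ($wgRateLimits) where a policy like the one proposed would actually be set; this block only models the policy.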
Researcher Response
Wikipedia community,
This is "A.W.", the researcher who led the aforementioned experiments. It is obvious this topic is the source of some controversy and for very good reasons. Since the publication of the Signpost article, I have been asked many questions; via (1) discussion pages, (2) my own talk page, and (3) privately via email.
I believe it to be in the best interest of all parties to not immediately address these queries. For the protection of WM/WP/WMF, the minutiae of my experiments should not be put into the public domain until the developers have protections ready. I'll note I have already provided my code to developers -- and asked ArbCom to put me in contact with a developer so I can cooperate with them beyond the terms of my unblocking.
Following this post, I will also contact ArbCom regarding what information I should share, with whom, and when. Pending that, I will in due time return to (1) engage those who have contacted me, (2) actively participate in discussions about what transpired, and (3) discuss how I plan to cooperate to create a more secure WP/WM. Until that time, please do not interpret my lack of communication as an act of bad faith. Thank you. -- A.W. 19:55, 17 August 2010 (UTC)
No harm to participants
I'm sorry that the "researcher" has such a limited view of harm to participants. Sure, he apparently didn't take money from people, but where do we go to get our time and energy back? It's like saying that a noisy, all-night party next door "didn't harm the neighborhood", because all it did was temporarily disrupt everyone's sleep.
I like to believe that I'm a reasonable person: I think that for every editor-hour we spent responding to and cleaning up his "harmless" vandalism, this "researcher" owes the community an equivalent number of hours patrolling Special:RecentChanges. WhatamIdoing (talk) 23:07, 23 August 2010 (UTC)
This is simply exploitation. A.W. surreptitiously creates a situation where a whole load of volunteers spend their time dealing with his disruption, so that he can get academic brownie points. What is disturbing is the way ArbCom seem OK about this. On a transactional level A.W. gains both a data set and some cred, then trades the dataset with ArbCom, in order to cash in on more cred with little more than a slap on the wrist. This is not good! Harrypotter (talk) 09:33, 24 August 2010 (UTC)
Epilogue