Requests for comment/Poetlister and Cato

The following request for comments is closed. The request was successfully resolved.


Please leave all your comments and notes on the talk page. This page will be used only by the staff and those involved in the current situation

This page is to document the Poetlister/Cato matter that has recently become public.

FT2 (Talk email) 08:08, 6 September 2008 (UTC)[reply]

Initial statement

edit

This is a partial report, to give the "bare bones" to the communities. I will follow up more over the next few days.

Summary

edit
  • First off, I wish to state, for the record, that WMF Office personnel were kept abreast of the investigation . They were kept in the loop with our discussions and our findings. Other people (some listed below) were kept appropriately informed as this went down, and a log was kept for auditability.
  • I have also gone to great lengths to avoid needing to expose the persons real identity in order to conclusively close this sock case. I think that approach has general agreement. However, the matter is not completely closed or certain, as yet, and there are remaining ends to sort out.

Background to case

edit
  • In May 2007, enwiki arbcom determined that a number of accounts were a sock-puppet ring, of which the best known socks now are probably Runcorn and Poetlister. The identification was based upon strong Checkuser evidence from 2007, and behavioral evidence. The enwiki announcement did not say more than that a sock ring involving an admin account was identified and banned.
Examples of abuse include engineering bans for spurious reasons, stacking keep/delete debates for POV warring (pro judaism, pro BDSM), abuse of admin tools to soften blocks on hard-blocked open proxies for abusive sock-puppetry, and stacking appointment debates/votes. When caught, the user deceived, and deceived again.
(More recently in August 2008, as a demonstration that little has changed, Poetlister modified the wikipedia review forum to mildly attack Greg Kohs (User:Thekohser). He then imported that dispute onto enwiki by -unsuccessfully- stacking the DRV on the article on that user's website MyWikiBiz. The article was kept almost unanimously making this a pointless gesture.)
  • There was considerable disbelief, partly fueled by the decision to not publicize the evidence, which led to strong views in some quarters that Poetlister and related accounts were mis-accused. Poetlister's editing gained respect on en:wikiquote, and Poetlister was given admin, then bureaucrat access and (so far as I know) carried those tasks out to the community's satisfaction. Following on from this, Poetlister was given access to one account on enwiki in May 4 2008, since the editing record elsewhere showed a chance "she" had reformed. link. The other known socks remained blocked.
  • As with all rehabilitated sock-users, Poetlister was checked from time to time. Evidence came to light of renewed socking, but not of an obviously abusive kind, leading to a far closer check, checkuser, and cross-wiki checkuser. The results showed that Poetlister was very likely indeed to also be Cato, a checkuser and admin at Wikiquote, with some OTRS access, and known to be associated with Poetlister. Wikiquote checkuser Aphaia was informed, and is deeply thanked for her help and understanding, as is her colleague Jeff Q for his discretion.

Investigation

edit
  • A major investigation took place, in which to ensure privacy, I kept most things to myself and two others, letting extremely trusted others in only to the extent needed to verify the validity of evidence and findings. The user was identified, as was irrefutable evidence of the abuse, and the process of watching was allowed to continue until ready to act. The cross-wiki checkuser work was carried out by steward Spacebirdy to trace all known IPs and accounts on other wikis, except for Wikiquote where it would have been visible. Checkuser Jayvdb also assisted.
  • To protect the community during the investigation, Cato was placed under close scrutiny. His entire checkuser log was examined together with a wikiquote checkuser, and all actions except one (a test of an open proxy on his own sock-puppet Yehudi) appeared legitimate. On two other occasions he tried to questionably suggest a wiki matter did not need others' involvement but the checkuser tool was not abused. The conclusion was that as expected, abuse of high level access was very difficult, and his work was almost entirely "safe". He was therefore allowed to keep access, unaware, during the investigation. (In January, enwiki arbcom had undertaken as a project, a review of the realistic risks of, and potentials for, admin and other access abuse. This provided useful confirmation.)
  • I would like to skip over the detail here. It's relevant, of wide interest, but also needs weighing carefully before writing and other things need handling beforehand. I will come back to it. Suffice to say, I identified the following accounts as all confirmed to be Poetlister:
  • enwiki - Bedivere, Habashia, Poetlister, Yehudi and "others still under investigation". (I have deliberately held some back).
  • other WMF - Poetlister, Yehudi, Cato, Londoneye, Brownlee, Taxwoman, Newport.
  • off-site - Guy @ Wikipedia Review [I believe WR are missing the hard proof of "their" Guy - not the same as JzG. It was easily found, and since it is not privacy breaching nor increases the risk to the sock-user, it will be passed to that site's admins as a goodwill gesture and to reduce doubts.]
  • The evidence in this case was remarkable and extensive. It can be summed up as follows:
  1. We know beyond doubt who Poetlister is.
  2. I tracked down contact information for the identity he had claimed, borrowed, or used.
  3. We know beyond doubt a number of significant individuals he has held himself to be (impersonated and used their identity)
  4. We have tracked him through checkuser, to his familiar anon proxies, to a significant extent.
  5. We have hard, hard evidence (beyond checkuser) for multiple socks.
  6. There is a huge amount of behavioral evidence
  7. The use of different socks to edit different areas fails. Each sock's edits do still tie them together despite that effort.
Specifically related to Cato:
  1. Cato has been shown by cross-wiki checkuser to be enwiki Bedivere at the highest CU confidence levels.
  2. Enwiki Bedivere was already a suspected sock of Poetlister, and edited at least one relatively obscure article that other suspected sock Habashia edited.
  3. Cato geolocates when not using proxies (and sometimes with proxies), to the same country/city where Poetlister lives.
  4. Cato however skilled, kept many of Poetlister's socks' mannerisms.
  5. Cato had asked various users what the evidence was related to Runcorn. That is reasonable, since Cato is a checkuser in the same community that was considering Poetlister for enhanced access. What is less honest is that I asked round the others in the investigation, had they had at any time, an inquiry from an unknown user interested in the case. One had. Bedivere/Cato had approached one of the other users, pretending to be a 15 year old minor who was a "new user" and "some day interested in being an admin", and fantastically curious about how Runcorn was identified.. even though that was actually old, long before.
  6. Poetlister's real operator has a regular schedule that shows up in time analysis. I do not plan to give details. Suffice to say that when he is busy on this schedule, so has Cato been, on every single occasion in 2008. This is not unusual as both skip editing at times. However there was one sole exception up until end July, and on that occasion both Poetlister and Cato edited at a similar time: P-C-P-P.
  7. Poetlister's identity (known from the results of the investigation) has been passed to the WMF office with a request to compare to Cato's (which is known, like all CheckUsers) so it's clear what is what. The WMF office has not breached privacy, and therefore they have not commented back with a direct answer, but nor have they stated it was different from Cato's. I assume if it was, it is likely that they would have said so, given the seriousness of the case. So I take this to mean it is likely that they were similar or the same. In fact the response I received a while later was to remove the access as soon as possible, consistent with the need to fully investigate.

Investigation (II)

edit
  • The evidence presented us with a problem. The person themselves is not really notable and has a small web footprint. The evidence could cause serious problems to his real life - work, marriage, kids, religious activities, and really given that cost, there is no need to post this person's name all over the place. I shall not do so, and I hope others will follow suit. There is a way to handle this area that probably could remove most questions - although perhaps now the doubt is much reduced. It will take a few days to accomplish. I hope the community will be understanding.
  • I had expected 2-3 more weeks but events overtook this inquiry. I learned wikipedia review were on his trail independently, and by chance had also made very similar discoveries of fact. I have no confirmation if they are right or not, but I believe from hearsay that they very likely are. If so, then there was a risk: at any time, Poetlister might be "outed" and might switch from appropriate to inappropriate use of access. This was a very hard scenario to judge, since the last socks were still being investigated, and time was needed. Checkuser can be revoked by any steward, and is also very easy to watch. OTRS needs a special admin to revoke access, not just "any steward", and also if removed is not visible on the wiki (hence few questions). I therefore had Cato's OTRS access terminated (including all related access). It is arguable whether checkuser could have been removed at the same time. the difference is that since one is less visible, we could remove the risk that was harder to fix (on an emergency basis) if abused, and not raise the matter to public attention. It was important not to derail the investigation as the risk of other socks was high.
  • Over the past month, Poetlister's activities have become more and more exposed on wikipedia review, adding pressure and skepticism there. Today the matter became public, to the extent that Poetlister began seeking renames, un-SUL, deletions, and other methods of hiding himself. The risk was felt to be too high of abuse, and so I used the authorization given earlier to act when needed, and checkuser access was terminated. A check by a steward confirms that to the best of our knowledge there was no abuse. Wikiquote checkusers will surely review that for themselves. The de-checkuser is temporary pending wikiquote community discussion, and I have apologized in advance for it to Aphaia and through her, to the wikiquote community. My post can be found here. Aphaia has since emailed to say it is understood and that she has given it a nod.

Current situation and intention

edit

At present, the case surrounding Poetlister and Cato is in an interesting situation. The evidence collected has been kept to very few people indeed due to its potential for harm. Many of those asked to review are not enwiki arbcom, to relieve suspicion of narrow review or prior history. An indication of the users who have been made aware of this to some or other extent are as follows:

I also plan to email Poetlister/Cato himself. At present all suspension of access is temporary. Any enwiki socks will be blocked, and the matter will be passed to Office and the other Wikimedia communities for their own actions, posted here for discussion, and I will collate evidence for formal review over the next 48 hours (it's been a bit rushed).

We are still investigating a number of possible socks.

Impact assessment

edit

Poetlister/Runcorn gave his sock-puppets very detailed biographies and conducted each in a way which led many people to sincerely believe that they were real, and their ban for socking was gross injustice. Poetlister gained a reprieve on Wikiquote, a smaller WMF project (77k articles to Wikipedia's 2.6m, 45k users to its 8m) where by necessity trust plays a major role and is the main decider on high level access. Over time he acquired several admin sock-puppets including one with OTRS access, and checkuser access on the wikiquote project. I identified the issue shortly after that access was gained, but by then it was too late to annul the decision.

Curtailment - Instead his socks were kept very tightly supervised and checked, and any special permissions were restricted to very minor areas where little to no harm could be done during the investigation. All actions(except one sock-test) were apparently legitimate; it is very hard to abuse high level access due to the cross checking proccesses enforced by Office, and because he was never given other than minor access. As such, he could not easily abuse OTRS or CU and both were being monitored, and there was good cause to keep him unaware while investigating. He was unable to breach WMF privacy measures on a larger project, and was able only to gain access to privacy based matters on a smaller project where actions are far more easily watched. Even so, he was almost immediately identified.

Data - Cato did not have access to discussions by checkusers using the IRC channel, because none of the socks used IRC. Nor did Cato have access to the global checkuser log since this was disabled (I am told) in rev:29527, January 2008, prior to appointment in March, nor gained access to the full scope of OTRS (per Cary), and was not allowed to expand his scope within OTRS as other users might be allowed. The checkuser mailing list is mostly used for blatant vandalism related sock-farms, cross-wiki vandalism and the like. It has almost no traffic that would be exploitable in this context, and as a global list, it is only seldom used for site specific cases.

Proposals - I have made proposals and gather that measures are already in hand at Office to review the case for privacy security. However users should note that it is quite likely Cato identified honestly to WMF (or at worst someone in his household). It was not the identification that's the problem, but the past history of the same person as an abusive banned administrator, sock-user, edit warrior, and admin on a site which has unpleasant associations for many on the project, that was concealed. No identification process would have noticed those things. He gained his access by deception of his community. However, because his role required an exemplary record to achieve, and was scrutinized by others afterwards, the opportunities to use it wrongly were considerably lower than might at first seem the case, and carefully managed.

It is my hope that no abuse took place, and there is a good chance this is so. Given the situation at the point I first became aware, the only way evidence was sure to be gathered was by checking and watching, a calculated risk.

FT2 (Talk email) 08:08, 6 September 2008 (UTC)[reply]

Comments by others involved in the investigation

edit

(See talk page for further comments and discussion by users not involved in the investigation)

James F. - I have nothing substantive to add to the above. I still would like to believe that the above is all a mistake, and that Cato is in fact entirely separate from the other accounts. However, the evidence is compelling, and has built up over the past year or so until coming to a head just yesterday.
If nothing else, I hope that the lessons learnt from this include a fostering of greater trust and sharing of concerns between wikis.
James F. (talk) 09:04, 6 September 2008 (UTC)[reply]
Aphaia - I'd like to thank all the people involved to this investigation for their patience and efforts. Also I thank them for their understanding I myself has not yet hastily caught their conclusion on this identification, while I accept this emergent action in the course, as well as their understandings the final decision should be made by English Wikiquote community itself.
Me either substantive to add to the above. I still would like to believe it was just a mistake, and without reviwing the law data, I myself am equal to the conclusion the identification of two known accounts on English Wikiquote, or three whose achievements on Wikimedia project I greatly respect. At the same time I respect the conclusion of the people whom I trust and are deeply involved into this investigation. Having been informed, I think I understand their concerns. I particularly take it serious that they all reach a similar thought of possible account stacking through investigation from different aspects.
I don't talk if the evidence I haven't seen is compelling. I would like to have a counterpart statement from the investigated. But I agree the worst expected case, if happens, would be a big deal and de-checkuser is one of surest way to prevent that, and in this context I support this removal as far as it is temporal which FT2 and another involved WMF personnel have assured.
I welcome wholeheartedly two things: 1) investigating CU and office as well as FT2 who has led this investigation, and of course myself, all the involved party seems to agree Cato did no misuse checkuser power. 2) I deeply thank all the involved parties agree English Wikiquote has to decide about this issue. For sysop access of Cato, Poetlister and Yehudi, since all their actions are logged, we have not to discuss it here: it is completely the internal community issue. CU is a bit different since it is regulated by Foundation policy but as far as I understand it is still up to Wikiquote community if Cato gets back the access, since WMF office has no reason at this moment to revoke his access as the user who they think not to abuse this power.
To Wikiquote community: sorry for my long silence (I've been noticed it by the end of July), but then there was still a chance it was just a weak allegation and then we wouldn't need to expose even the fact it was alleged. I am sorry to see it public now, and our amiable admin(s) are now in a dispute but also welcome they as claimed or he as alleged would have a chance to give his own argument. I don't take it wrong this was initiated by Enwiki arbcom side, since CU abuse is a serious matter all Wikimedia project may be affected. I also deeply appreciate all the involved parties I've been interacted that they respect the autonomy of each project. Wikiquote is now informed and it is time of its own review and decision. I don't say investigation, since it is already on the above: as for Cato we haven't seen any abuse. It is therefore a matter of trust within the community. Give your feedback here or elsewhere - on the community. Wherever it is discussed, it is ultimately our own matter.
I concur with James: fostering of greater trust and sharing of concerns between wikis are significantly important, on our growing project. It helps in a hard situation like this. I hope this case is a good lesson for the greater Wikimedia community as well as for each particular wiki-community. --Aphaia 10:19, 6 September 2008 (UTC)[reply]
Sam Korn ("Smoddy") - A short note -- while I have not seen all the evidence, I have seen a good deal of it and much of it has been summarised to me. I am entirely confident in endorsing FT2's findings, both in their accuracy and in the degree of confidence with which they are presented. He has done sterling work, and I thank him and all the others who have contributed to the investigation. Sam Korn 11:11, 6 September 2008 (UTC)[reply]
Rlevse - I have not seen all the evidence either, but what I have seen is extremely compelling and solid. FT2 became so familiar with these accounts that in August he predicted a certain set of socks would behave a certain way during a certain timeframe--which was about 2 weeks into the future. He made another prediction for the month of September (this month) but that is now likely overtaken by events. I've now been involved with this for about 5-6 weeks. This is probably the most extensive socking case in wiki history--then there's the matter that the puppetmaster attained some very high level accesses. There is an extreme need for privacy here as innocent real world people who don't even use wiki have been affected. I have to echo Sam Korn in saying I am very confident in FT2's findings and FT2 did a superb piece of investigative work here. RlevseTalk 13:30, 6 September 2008 (UTC)[reply]
Jayvdb - I nominated Poetlister to sysop on English Wikisource, with a reasonable knowledge of the earlier issues on English Wikipedia, and crossed my fingers and watched carefully. I have been extremely impressed with this persons dedication to, and understanding of, both Wikisource and Wikiquote, and Wikipedia for that matter. However, there have been several strange occurrences on Wikisource, which I will let FT2 explain or I will provide more info after if necessary. I have carefully reviewed the contributions by the involved accounts, and all have been doing good work. Exceptional work even, at times. Despite my own concerns (AGF and all that), I strongly endorsed this person to regain the ability to edit on English Wikipedia because at the time there was insufficient evidence, and low risk of problems on English Wikipedia as all edits would be closely reviewed (and they have been).
Since then, I have watched this inquiry develop and have had a close-up of the evidence over several weeks. A lot more evidence has come to light; enough for me to both endorse temporary removal of access to sensitive data, and also that the only sensible conclusion is that these are all the same person. I would dearly like to say this wasnt so, as it is many separately valued accounts being considered here. But when these accounts are linked to a single person, the trust of all three communities has been broken, to varying degrees.
I look forward to any of these accounts meeting up with another Wikimedian to dispel the doubts.
I am of the opinion that CU access should not be given to anyone who is not willing to make the effort to confirm their identity in person if need be, and endorse that proposal if suggested. John Vandenberg 14:12, 6 September 2008 (UTC)[reply]
Jpgordon - I've also nothing of substance to add other than endorsing FT2's analysis. I never quite understood the why of the Poetlister game, but at this point it seems pretty pathetic, and the actual person involved should be allowed to slink silently away. --Jpgordon 14:44, 6 September 2008 (UTC)[reply]
Jimbo Wales - I also have nothing to add. This incident has affirmed my trust in the processes at en.wikipedia and I hope that we will see some strengthening of standards at en.wikiquote. This is not a criticism of en.wikiquote, to be sure. It is a small project and therefore more informal.--Jimbo Wales 23:01, 6 September 2008 (UTC)[reply]
Cary Bass - I have little more to add and agree with Jimbo above; this has demonstrated that our process does, in fact, work. While Cato may have had access to some *sensitive* information with regards to the email lists and the otrswiki, because of the number of users involved in these projects, especially otrs, this should only reinforce the fact to those other users not to list anything that you don't want getting public. I also recommend strongly anyone against hurling invective against any of the large number of people who supported Poetlister, Cato or any of the related personae. It is a central tenet of assuming good faith that we believe in the reformation of previous problem users, to turn these people's trusting nature into some kind of indictment is simply unfair. Cary Bass demandez 03:07, 7 September 2008 (UTC)[reply]
I meant to add that I think FT2 has done a fairly reasonable job in not rushing to judgment and presenting the facts in a manner that doesn't pillory anyone, and allows the individual to just go away. I believe a lot of people can learn a lesson in how real human beings should be treated, no matter who they are. Cary Bass demandez 03:10, 7 September 2008 (UTC)[reply]
Coren - I have examined during the investigation some of the information relating to Poetlister's real world identity and evidence that a number of accounts were under control of that single individual. This was at FT2's request, as a neutral observer, being neither part of the arbitration committee nor a checkuser but simply an arbcom clerk. I fully endorse FT2's appraisal of the matter and applaud the delicate handling of the matter given that it involved a fairly egregious breach of trust across many wikis, and might have very undesirable real-world repercutions. — Coren 02:22, 10 September 2008 (UTC)[reply]
Lar - A link to this page s:Wikisource:Scriptorium#Statement on use of socks was in an email sent to me by an account that has communicated with me before as Poetlister. I expect it's of some relevance, as it confirms quite a few things. ++Lar: t/c 01:22, 14 September 2008 (UTC)[reply]
Confirming this is the address I have been in correspondence with as Poetlister, and the edit in question was posted by Cato. FT2 (Talk email) 01:26, 14 September 2008 (UTC)[reply]

Follow up #1

edit

A lot has happened in the last week since I wrote this, briefly summed up as follows:

  1. A number of wikipedia review editors had operated a parallel investigation in August 2008. Their starting point was roughly: a partner of one of the girls whose photos were used by Poetlister, had in fact asked for photo removal via enwiki's volunteer helpdesk. They had not supplied evidence, and were suggested to speak to "Taxwoman" directly (the Poetlister account concerned). They did so, and did not come back to indicate any problem, so the matter went idle shortly afterwards. That was in 2006. By chance their email was still active two years later as of August 2008, and thus a number of the photos were able to be identified, along with the identity of the person operating the Runcorn/Poetlister socks. The person concerned has been contacted, appears highly likely legitimate, and knows we're working on it and where it's at.
  2. I wrote on September 13, an email to Poetlister. It summed up the steps I needed to conclude the matter from my own perspective, and the process that would be appropriate to follow if more forcible clearing up was needed. One of the matters referenced was confirmation of the sock ring. A few hours later, a number of socks that had been publicly identified, were confirmed by the "Cato" account at s:Wikisource:Scriptorium#Statement_on_use_of_socks (diff update #1), rendering analysis of the prior evidence on these, somewhat moot. Completeness is not yet confirmed, but a number of socks referenced above are confirmed, meaning that some aspects at least are now closed.
  3. A significant amount of off-wiki and real-world activity is still ongoing.

FT2 (Talk email) 22:08, 14 September 2008 (UTC)[reply]