Home Updates Messages SandBox

Should IP Addresses be Published?

Once in a while an user will pop up on #wiki or some other wiki-related channel, and complain (or even rant) that his IP address was published on a wiki (in the RecentChanges log) and how that's a crime against privacy and anonymity in Internet. Most of those people don't really know what an IP address is and what can be done with it – they are unable to point to any threat that publishing their IP exposes them to – but they feel it's not right. Well, feelings are important, so I decided to try and look at it a little bit closer.

The first step is of course looking for existing materials and past discussions on the topic. Surprisingly, I couldn't find a lot of it. There is some discussion at Meatball:PostAnonymously and some single comments scattered over all of the Meatball:SoftSecurity category, but nothing really meaty. Attempts to search the original C2 wiki failed – couldn't find anything relevant, too much to search. If you remember any such discussions, please let me know.

The second step is looking at the situation and trying to formulate the problem (or problems). "General privacy concerns" doesn't sound too well. I'll try to list the concerns how I understood them – there may be more or they may be different.

I'll try to analyze these potential threats. Some of them are real, some seem to stem from urban legends about how the Internet works, they can still be partially true. Note that you are invited to edit and add your thoughts.

Somebody knows my IP

Well, technically you did tell your IP. You have to do it in order to have a two-way communication – otherwise it wouldn't be possible to send data back to you (for example, page content). Whatever you do on the Internet, your IP address is known not only to you, your ISP and the admins of the site you're connecting with – it's also known to everyone along the path of your data packets and in their close network vicinity. So, you are telling them your IP just by using your network.

My IP was published

But now everyone can see my IP, not only some technicians and site admins who I have no choice but to trust. My IP is revealed publicly. Last time I did so with my e-mail address I received tons of spam. Now I'll be targeted by spammers, viruses, worms and all sorts of hackers.

That's not entirely true. You see, the hackers already knew your IP address. Along with other 4228250624 addresses. It's not like they are secret or something. Ok, they now know that this particular address is being used by someone – this probably strips a zero or two from that number. Still nothing terribly specific. They could have picked that number at random as well.

As a side note, it is possible to get to know your IP address without being the site's admin (or an admin along the way of your data packets) even when it's not published so openly. For example, I can upload an image on my own web server, and put that image on some wiki page. Your browser will obediently try to download the image in order to show it to you, so it will connect with by web server. At this point I have your IP address, together with the exact time you requested the page and some more information about your operating system, browser, etc.

They can correlate my IP with my name or nick

This seems to be a real issue, at least in some situations. If your opinions are controversial and you are famous online, you might have some enemies or stalkers. They can use the information you published about you to stalk you, either online or in the real life. The @IP@ address is part of this information – it can be used to find your activity online, to attack your computer (with DOS attacks or by trying to hack it) or to find your physical location (without access to your ISP data this is very inaccurate).

Then again, this kind of threats are not unique to the Internet – you can as well be attacked after a public speech or even punched in the face by an angry interlocutor. It's the job of the Police and other such services to protect you against it.

Many wiki users will reveal detailed information about them anyways – this is part of building trust in the community. Of course, it's optional. If you are afraid to reveal your IP address, don't post on a wiki or use some form of an anonymizer.

Database of names and addresses

The data can be obtained without it being published on RecentChanges, as I already explained, but it requires some effort and must be done at the time of posting (or before). So it needs to be targeted. Publishing it in bulk makes it possible to mine the wikis for data about their posters – and to create a database with names and addresses. And you can do it after the fact of posting, as the data is available online and in various web caches. Then the database can be used to do evil.

How can the database be used to do evil? This is not clear to me. Here are some possibilities that I've heard:

Advertisers: They don't care who I am (name and such), but they care about my profile and habits and the like. And they do harvest it. Google has build a huge infrastructure only for that. They have a search engine, Google Ads, but they also offer to collect statistics about your web sites, and many web sites do have their code on them – this means they already collect your IP address and there is hardly anything you can do about it.

RIAA/MPAA: they will just go directly to your ISP and demand the logs. Much more detailed than anything you could harvest from a wiki.

Every website: I suppose it's the "catchall" case. But I fail to see what they would need to know who I am and how it could be used against me. But I suppose this point should be broken up into more detailed discussion. It surely brings up the memory of a scene from the "Minority Report" movie.