Misplaced Pages

Latest revision as of 03:59, 11 January 2025

• Table of contents
• First discussion
• End of page
• New post

• WP:VPM
• WP:VPMISC

Discussions are automatically archived after remaining inactive for a week.

• Refining the administrator elections process
• Blocks for promotional activity outside of mainspace
• Voluntary RfAs after resignation
• Proposed rewrite of WP:BITE
• LLM/chatbot comments in discussions

• view
• edit
• history
• watch
• archive
• talk
• purge

How to handle plagiarism from Misplaced Pages?

Hey all, hope everyone here is doing well. Today I woke up to discover that a podcaster I follow had plagiarised part of an article I wrote, as well as parts of some other articles (some of which I had contributed to, others not). The podcaster did not cite their sources, nor did they make it clear that they were pulling whole paragraphs from Misplaced Pages, but they ran advertisements and plugged their patreon anyway. This is not the first time an article I wrote for Misplaced Pages has been plagiarised and profited off (earlier this year I noticed a youtuber had plagiarised an entire article I had written; I've also noticed journalists ripping off bits and pieces of other articles). Nor is this limited to articles, as I often see original maps people make for Wikimedia Commons reused without credit.

Obviously I'm not against people reusing and adapting the work we do here, as it's freely licensed under creative commons. But it bugs me that no attribution is provided, especially when it is required by the license; attribution is literally the least that is required. I would like attribution of Misplaced Pages to become more common and normalised, but I don't know how to push for people off-wiki to be more considerate of this. In my own case, the 'content creators' in question don't provide contact details, so I have no way of privately getting in touch with them. Cases in which I have been able to contact an organisation about their unattributed use of Misplaced Pages/Wikimedia content often get ignored, and the unattributed use continues. But I also have no interest in publicly naming and shaming these people, as I don't think it's constructive.

Does anyone here have advice for how to handle plagiarism from Misplaced Pages? Is there something we can do to push for more attribution? --Grnrchst (talk) 13:59, 16 December 2024 (UTC)

Sadly there are plenty of lazy sods who think that copying directly from Misplaced Pages is "research". This has happened with some of the articles that I have been involved with. It's rude, but hard to stop.--♦IanMacM♦ 14:13, 16 December 2024 (UTC)

I would start by writing to the podcaster and politely explaining to them that they are welcome to use the material but are required to provide attribution. They may simply be unaware of this and might be willing to comply if properly educated. Failing that, I assume the podcast was being streamed from some content delivery service like YouTube. You might have better luck writing to the service provider demanding that the offending material be taken down.

Realistically, crap like this happens all the time, and there's probably not a whole bunch we can do to prevent it. RoySmith (talk) 14:37, 16 December 2024 (UTC)

To support RoySmith's point, for those who may not have seen it, here is a very long youtube video about youtube and plagiarism . (Works just having it on as background audio.) CMD (talk) 14:59, 16 December 2024 (UTC)

Funnily enough, plagiarism from Misplaced Pages comes up a couple times in that video. MJL also made a very good response video, which I think was a useful addition in the conversation of crediting Wikipedians. --Grnrchst (talk) 15:10, 16 December 2024 (UTC)

Thanks, I'll give that a listen. CMD (talk) 15:18, 16 December 2024 (UTC)

Aye, I figured it be an uphill battle trying to accomplish even minor changes on this front. As I can't find a way to contact the creator directly, sending an email to the hosting company may be the best I can do, but even then I doubt it'll lead to anything. Thanks for the advice, anyhow. --Grnrchst (talk) 15:12, 16 December 2024 (UTC)

If it's a copyright violation (e.g., exact wording), rather than plagiarism (stealing the ideas but using their own words), then you could look into a DMCA takedown notice. WhatamIdoing (talk) 03:25, 17 December 2024 (UTC)

@WhatamIdoing: It was more-or-less word for word, with a couple tweaks here and there. I don't want the episode pulled, I really just want Misplaced Pages cited, but I can't figure out any way to get in direct contact with any of the people involved. --Grnrchst (talk) 10:16, 17 December 2024 (UTC)

It's possible that the way to get in touch with them is a DMCA takedown notice. Having your platform take down the whole episode tends to attract attention. You could make it easy on them by suggesting a way to fix the problem (maybe they could add something like "This episode quotes Misplaced Pages in several places" to the end of the notes on the podcast?). WhatamIdoing (talk) 18:33, 17 December 2024 (UTC)

I'm curious as to what the plagiarized article in question is. Often there is no majority authorship of an article (in terms of bytes added), which might complicate DMCA claims. JayCubby 18:35, 17 December 2024 (UTC)

Anyone who contributed enough content to be copyrighted can issue a DMCA notice. The glaring problem with this approach is that the DMCA only applies if the copy is published in the United States. Phil Bridger (talk) 18:51, 17 December 2024 (UTC)

What about servers or companies based in the States (perhaps I've misremembered what little I know of copyright law)? JayCubby 18:56, 17 December 2024 (UTC)

@JayCubby: It's an article I wrote 99.9% of, minus minor copyedits by other users. I'm cautious about revealing which one as I think it would make it easy to figure out the podcast in question, and I'd still prefer to handle this privately rather than go full hbomberguy. Also, having now gone through more of the episode, it's not just that one article that got text lifted from it; text was also copied in whole or in part, without attribution, from other Misplaced Pages articles I have contributed to (but didn't author) and an article on another website that publishes under a CC BY-NC-ND license. I don't know how I would handle notifying the other parties that got plagiarised either. I haven't combed through the entire episode yet, but already a sizeable portion consists of unattributed text, either identical to the source or with minor alterations. --Grnrchst (talk) 19:29, 17 December 2024 (UTC)

One man deserves the credit, one man deserves the blame... JayCubby 00:42, 17 December 2024 (UTC)

Hmm... would Misplaced Pages:Standard CC BY-SA violation letter be of help? JayCubby 01:17, 30 December 2024 (UTC)

@JayCubby: I hadn't seen this until now, I think I assumed a while back that this thread had already been archived. Thanks for letting me know about this! I'll keep it on hand for future cases. --Grnrchst (talk) 13:56, 9 January 2025 (UTC)

Unfortunately, you're talking about a medium where many people's understanding of copyright law, even when they do demonstrate an awareness that it exists and is applicable, is largely demonstrated by videos posted on YouTube of clips from movies and TV shows with the note "Copyright infringement not intended". Which, I sometimes leave a comment pointing out to them, is akin to dashing out of a clothing store with an armful of unpaid-for merchandise while shouting "Shoplifting not intended". Largoplazo (talk) 14:10, 2 January 2025 (UTC)

I've found Misplaced Pages plagiarized in scientific journal articles. I have no tolerance for that and I contact the publishers directly. But little to nothing comes of it. In the one instance, I waited almost a year but nothing really happened. Upon pushing the matter, the publishers allowed the authors to make some trivial changes but there was no retraction. (See my banner notes at the top of Talk:Semi-empirical mass formula if you are interested in this example.) Fortunately, this kind of plagiarism may be common in less prestigious journals and by less prestigious authors from universities in countries that may not care about plagiarism of Western sources. Jason Quinn (talk) 08:39, 24 December 2024 (UTC)

@Jason Quinn Wrong section? You wanted to post below? _{Piotr Konieczny aka Prokonsul Piotrus| reply here} 17:03, 24 December 2024 (UTC)

Yes, it was. Sorry about that. I moved my comment (along with yours) to the proper spot. Jason Quinn (talk) 21:12, 24 December 2024 (UTC)

@Jason Quinn PS. Make sure to use PubPeer and comment on those articles! _{Piotr Konieczny aka Prokonsul Piotrus| reply here} 17:04, 24 December 2024 (UTC)

I'll check it out. Jason Quinn (talk) 21:12, 24 December 2024 (UTC)

Looks like the publisher has a ... somewhat questionable reputation to put it politely. Jo-Jo Eumerus (talk) 10:10, 26 December 2024 (UTC)

Some years ago, we found a source saying that the 20% of lowest-ranked journals had a higher risk of copyright violations. (They did tend to be journals from developing countries or otherwise with limited resources – think "Journal of the Tinyland Medical Society".) I have discouraged using journals from the lowest ranked quintile ever since. WhatamIdoing (talk) 04:42, 26 December 2024 (UTC)

As an aside, I'm pretty sure I've been the "benefactor" of scholarly citogenesis several times—uncited additions from a decade ago that I'm scouring for cites and pondering whether to rewrite from scratch, when I find a passage that pretty much has the same structure and specifics (uncontroversial stuff, mind) and I smile. I do wonder if I should be so happy, but I figure they're qualified to conduct original research and this isn't likely to introduce poor quality infomation. Remsense ‥ 论 04:48, 26 December 2024 (UTC)

When the plagiarism is substantial, please remember to tag the talk page with {{backwardscopy}}. WhatamIdoing (talk) 21:49, 27 December 2024 (UTC)

Copyright infringement of Misplaced Pages by other people is not immoral, so I don't believe it's in anyone's best interest to try to police it at all. We write this stuff with the hopes that it is accurate and that it will be shared. The podcaster in question shared it. Presumably, if you are proud of it, you also consider it accurate. Big Success. No Stress.

Additionally, it does not do to mix complaints about plagiarism and copyright infringement together. Copyright is law, and plagiarism is not law. Just like us, the podcaster is fully within their rights as the users of text to copy it without attribution when their use isn't a copyright violation. If it was enough text for you to notice this, I'll trust you that it was a lot of text. But, just FYI, if someone copies a little from an article (or even a little from several articles), they would not need a license to do that and their lack of compliance with the unneeded license would not constitute copyright infringement. lethargilistic (talk) 08:37, 2 January 2025 (UTC)

I disagree, plagiarism of Misplaced Pages content is immoral, as the plagiarizer is (at least implicitly) claiming authorship of someone else's work, and is also a violation of the licensing terms (attribution is required). As an editor who has seen their contributions to Misplaced Pages plagiarized, I do not expect widespread recognition of my work, but I do resent some else taking credit for it. Donald Albury 17:10, 2 January 2025 (UTC)

I wouldn't go so far as to call it immoral, which implies deliberate malfeasance. Copyright law is complicated. There are a myriad of permissive licenses in use, some of which require attribution, some of which don't. It's unrealistic to expect most people to understand anything beyond "Misplaced Pages is free".

What bothers me more is when you explain to somebody that it's OK that they're using your stuff but they need to add an attribution and they argue with you. That's when it crosses the line from ignorance to deliberate. RoySmith (talk) 17:22, 2 January 2025 (UTC)

On your first point Misplaced Pages is free, Help:Introduction to Misplaced Pages doesn't explain that Misplaced Pages's content is copyrighted (unless you go into one of the policy links), and the footer is the kind of thing I'd ignore on any other website. I wonder if it could be reworded to something likeYou are free to reuse text under the Creative Commons Attribution-ShareAlike 4.0 License; additional terms may apply.

Though with most of the instances of plagiarism there are no measures we could take to prevent plagiarists. JayCubby 18:07, 2 January 2025 (UTC)

enwiki gets about 400 million page views per day. Help:Introduction to Misplaced Pages gets about 4500 per day. So, to a reasonable approximation, nobody reads it. RoySmith (talk) 18:27, 2 January 2025 (UTC)

100% agree with Donald. --Grnrchst (talk) 13:53, 9 January 2025 (UTC)

I would call it immoral. It's not just wronging the people who put the labour into writing an article, who are having their hard work done for the commons repackaged for private profit without even the slightest acknowledgment, it is also wronging the people that read/watch/listen to the creator, as they are being intentionally deprived of the knowledge of where this information is coming from and where they can go to verify the information. I also disagree that what they did is "sharing"; they didn't link to this article or say they got their script from here, but instead took the credit for it and profited off it. That's not sharing, that's appropriation. Honestly I find the idea that I should be grateful that someone ripped off my work rather insulting. --Grnrchst (talk) 13:51, 9 January 2025 (UTC)

Moving another user's essay to project space

I'd had it in mind for quite some time to write an essay in project space about announcements. I've seen entire sections consisting of sentences with the word "announced" in them, giving the impression that the subject's history consists not of events and actions at all but only of announcements that such events or actions were planned, leaving the reader to wonder whether any of them ever actually happened. I wanted to exhort people who add to an article, in November 2024, "In November 2024 it was announced that X would be joining the series as a regular character in the new season" to return after the new season begins and replace the text about the announcement with "In April 2025, X joined the series as a regular character" or, if X didn't join the series after all, to remove the sentence as probably irrelevant, unless some mention is to be made of why X's addition to the series didn't come to pass.

So one day recently I sat down to begin such an essay, but first checked the status of the obvious shortcut, WP:ANNOUNCED—and found that it already existed as a redirect to a user-space essay belonging to User:HuffTheWeevil. That essay is quite thorough and covers most of the ground that I had had in mind, and I think it would be useful to have it in project space. So, while noting that that user hadn't edited in over two years but thinking the might see and respond to a ping if they even read Misplaced Pages while logged in, I went to their talk page to leave basically the same message that I've written here, to ask if they would be averse to having their essay moved to project space.

That was four weeks ago, and there've been no edits in that time by the user. I was wondering whether it would be reasonable, without express permission, either to move or copy the essay to project space and retarget WP:ANNOUNCED there. Also, if that were to happen, I'm seeking a good title. Floating around in my head:

• Misplaced Pages:Stuff finally happens
• Misplaced Pages:Prefer actions to announcements
• Misplaced Pages:Did the announcement ever come true?
• Misplaced Pages:Well, did it happen or not?

Largoplazo (talk) 17:35, 30 December 2024 (UTC)

What a good notion! That type of language in articles irks me too. Especially personal life sections that read "they announced they were engaged, they announced the wedding date, they got married, they announced they were expecting, they had a baby" and so on. (Sorry I don't have an answer to your questions, but I do like the idea.) Schazjmd (talk) 23:25, 30 December 2024 (UTC)

Articles about companies, particularly finance companies, drive me crazy in that way. You'd think from some of their articles that they're more noted for their announcements than for what they've actually done. "In October 2018, ABC announced that they were acquiring at 30% share in GHI. In February 2019, they announced the coming release of version 5 of their product." Did the GHI buy-in ever happen? Did they ever release version 5? Who knows??? The article doesn't say! Largoplazo (talk) 00:02, 31 December 2024 (UTC)

Even more annoying is when media happily passes on announcements, but fails to pay any attention when they actually happen, so we're left sourceless. Schazjmd (talk) 00:20, 31 December 2024 (UTC)

To go off a bit on a tangent, this is like when the media report someone's arrest (which goes on to be covered here) and then never follow up (leaving Misplaced Pages readers in the lurch). Largoplazo (talk) 00:39, 31 December 2024 (UTC)

I wouldn't mess with someone else's user space without asking them first (with the obvious exception of reverting vandalism), there might be a reason they didn't want it in project space. I do agree that this is an issue in articles though. Gnomingstuff (talk) 19:42, 2 January 2025 (UTC)

The question appears to be about whether it's okay, after you have asked them, waited a month, and still not gotten a response. WhatamIdoing (talk) 02:50, 8 January 2025 (UTC)

I would also suggest not moving people's userspace essays to mainspace. Looks like the shortcut did a good job here of directing you to the correct location. Hopefully that happens a lot in these types of situations. –Novem Linguae (talk) 22:39, 2 January 2025 (UTC)

I would agree that moving things out of someone’s userspace without their OK is bad form.

That said… no one “owns” the topic (whether that topic is for an essay or for an article). Consider writing your own essay/article on the topic (in your own userspace), and moving that to Mainspace. Then notify the other editor so they can amend your work if they want to (that is up to them). Blueboar (talk) 14:03, 3 January 2025 (UTC)

People have been trying to get me to move User:RoySmith/Three best sources to project space for years. I keep refusing because it's my own personal opinion and I don't want people editing my opinion (which they do anyway, but at least I feel justified reverting those in my userspace). I once had somebody hijack the WP:THREE redirect and point it to their own essay (quickly reverted). I once had somebody put the redirect up for deletion (quickly closed as keep). RoySmith (talk) 15:11, 3 January 2025 (UTC)

meh… Personally, I think personal essays should be marked as “User” and not “WP” (even for a shortcut) but whatever. Blueboar (talk) 20:35, 3 January 2025 (UTC)

You had a good idea that's been linked by lots of people, including me. Surely the Misplaced Pages way is to share it with the rest of us? Phil Bridger (talk) 20:59, 6 January 2025 (UTC)

I like the Stuff finally happens title. Either rewrite so you're not using the userspace version, or move it (I think since you've asked, this can count as being bold) Newystats (talk) 19:14, 6 January 2025 (UTC)

It usually is considered a bit rude to move something without receiving permission. At the same time since they haven't edited more than minimally in nine years that really is not that big a concern, and ultimately all pages belong to the community. Since content is licensed under CC BY-SA and the GFDL, you could also both move the page and then copy-back an archived version to the original location under WP:CWW that they would retain more control over this has been done before.

Unless you think updates are needed though it probably isn't necessary since the primary distinction between user and projectspace essays is the degree of control exerted over the contents of the essay by the original author. Granted, projectspace is a little more restrictive compared to userspace, but that distinction is not really important to this case. 184.152.68.190 (talk) 20:13, 6 January 2025 (UTC)

How do I make a separate "userpage"

Ive seen people make separate pages that are still attached to their user, like this one: User:Littleghostboo/Story and I never knew how to make pages like this. Can someone please tell me how?

Thanks, Tenebre_Rosso_Sangue, Editing with SSStyle! (talk) 16:46, 3 January 2025 (UTC)

Easy, peasy. Just type "User:Tenebre.Rosso.Sangue995320/whatever" into the search box and hit return. That'll take you to a page that says "Misplaced Pages does not have a user page with this exact name" with a "Start the User:Tenebre.Rosso.Sangue995320/Whatever page" link. Click the link and off you go. RoySmith (talk) 16:51, 3 January 2025 (UTC)

Thank you! Tenebre_Rosso_Sangue, Editing with SSStyle! (talk) 16:55, 3 January 2025 (UTC)

As an alternative, you could put a link on your user page that looks like ]. That'll show up as a redlink. Click it and you'll be in the same place you were before. RoySmith (talk) 16:57, 3 January 2025 (UTC)

Misplaced Pages 25th anniversary

As English WP is coming up to this in a few days - are preparations being made?

Who are the longest serving Wikipedians (ie contributing regularly enough to be so considered)? A check shows there are presently 156 members of the Misplaced Pages:Twenty Year Society (and, I assume, some more who do not choose to join or are unaware of it), so the 25 year equivalent will be smaller still (and the various higher-year groups always will so be, and increase more slowly than the shorter timespan ones). Jackiespeel (talk) 13:31, 4 January 2025 (UTC)

With the caveat that the account creation info stored in the database may not be accurate for the oldest accounts (as I understand it, they may be even older if they transitioned from the pre-MediaWiki software, or the information might be blank), see Misplaced Pages:Database reports/Active editors with the longest-established accounts for a list of the oldest accounts who have made an edit in the last 30 days. isaacl (talk) 18:54, 4 January 2025 (UTC)

We're coming up to our 24th anniversary ... Graham87 (talk) 14:38, 5 January 2025 (UTC)

The 25th anniversary is in a year, Misplaced Pages was founded in 2001. QuicoleJR (talk) 16:58, 8 January 2025 (UTC)

Misplaced Pages was founded in 2001. It’s almost been around for 24 years. 1.158.154.238 (talk) 04:10, 9 January 2025 (UTC)

Even in a year's time I don't think we should be doing much to celebrate. Maybe do that if Misplaced Pages is still going strong when all of the people who were around at the beginning are dead. That would be after a lot more than 25 years, and would show that Misplaced Pages has life of its own apart from the people that make it up. Many institutions have been around for a lot more than 25 years. Phil Bridger (talk) 10:57, 9 January 2025 (UTC)

Year in review sources

I'm trying to fill out a list of "year in review" publications and I'm finding it difficult. I wanted to reach out and see if anyone knows any sources that come out annually (whether discontinued or still in publication) that summarize the previous year in a given field. The list so far is at Misplaced Pages:WikiProject Years/Resources and I'd really appreciate any suggestions or additions so we can get more scholarly and high quality sources on articles about years. Thebiguglyalien (talk) 02:01, 5 January 2025 (UTC)

I wonder if Annual Reviews (publisher) covers what you want. WhatamIdoing (talk) 02:52, 8 January 2025 (UTC)

I checked a few and there are a lot of articles about different subjects like you'd expect in a journal, but it doesn't look like they have anything to the effect of "here are the main takeaways/developments from this year". Thebiguglyalien (talk) 18:14, 8 January 2025 (UTC)

There’s a French series of this I’ve encountered but I’m not sure how useful that would be. PARAKANYAA (talk) 17:30, 8 January 2025 (UTC)

Depends on what it covers. If it's comprehensive and covers a global scope, that would be incredibly useful. If it's specifically about France, I'm also interested in finding some that are country-specific for articles like 2010 in France. Thebiguglyalien (talk) 18:16, 8 January 2025 (UTC)

Red flag?

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Special:Contributions/UserYak : red flag?

69.181.17.113 (talk) 07:32, 5 January 2025 (UTC)

What makes you think there is a "red flag"? Every edit they have made seems to be reverting blatant vandalism. 86.23.109.101 (talk) 09:34, 5 January 2025 (UTC)

69.181.17.113, I think anyone looking at this report will find it too cryptic to take any action. All I can see is that this user could use edit summaries more, but I've no idea if that's the red flag that you mention. Phil Bridger (talk) 09:55, 5 January 2025 (UTC)

How do I know if this user uses Misplaced Pages for self-promotion?

This user's contributions are very strange. He only adds references to food articles, always recipes from the same website. In fact, I think he writes the recipes himself, since both the recipes and the user are E. Joven. I don't want to accuse anyone, but it also seems suspicious to me. He sometimes replaces pre-existing references with his own. How do I know if this user uses Misplaced Pages for self-promotion? The user: Emjoven – El Mono 🐒 (es.wiki account) 05:54, 6 January 2025 (UTC)

Please provide links to examples. Thanks. PamD 07:03, 6 January 2025 (UTC)

The links are to a site which says it's run by Ed Joven. The wiki account name is Emjoven. This one's not hard to figure out. RoySmith (talk) 16:57, 6 January 2025 (UTC)

I've reverted the most recent additions (in places where there was already at least as good a ref) and replacements. Largoplazo (talk) 17:27, 6 January 2025 (UTC)

Is there a minimum edit count for ArbCom?

And where do I ask questions like this? Another Wiki User the 3rd (talk) 16:39, 7 January 2025 (UTC)

Hey there @Another Wiki User the 3rd. You can ask simple questions like this at the WP:TEAHOUSE if you want. As for the requirements to run as a candidate in the yearly arbcom elections, there's surely a list of official requirements somewhere on one of the WP:ACE pages. I'd highly recommend becoming an admin first though, and the practical minimum edit count for becoming an admin based on who has passed recently is around 8,000 edits. Hope this helps. –Novem Linguae (talk) 16:43, 7 January 2025 (UTC)

WP:HELPDESK and WP:TEAHOUSE are probably better venues for questions like that. Misplaced Pages:Arbitration Committee Election/Rules covers your question, Candidates: Registered account with 500 mainspace edits that is not prevented from submitting their candidacy by a block or ban, meets Foundation's Access to nonpublic personal data policy, and has disclosed alternate accounts (or disclosed legitimate accounts to Arbcom). Arbitrators may not serve as members of either the Ombuds Commission or the WMF Case Review Committee while serving as arbitrators. Withdrawn or disqualified candidates will be listed in their own section on the candidates page unless their candidate page can be deleted under WP:G7. ScottishFinnishRadish (talk) 16:43, 7 January 2025 (UTC)

Heritage Foundation intending to "identify and target" editors

Not sure where to post this, or whether I'm overreacting, but I find this recent article by The Forward very concerning. Scoop: Heritage Foundation plans to ‘identify and target’ Misplaced Pages editors. It outlines how the Heritage Foundation is going to (or is already) attempting to identify editors who are 'abusing their position' by publishing content the group believes to be antisemitic. Methods of identification include:

• facial recognition software (not sure how this would work, considering most don't post their faces here) and a database of hacked usernames and passwords
• creating fake accounts to lure editors into revealing personal information or clicking malicious tracking links
• checking for resuse of usernames/passwords in breached databases
• more found in their slideshow for this

ARandomName123 (talk) 23:28, 7 January 2025 (UTC)

May I suggest only clicking those two external links if you have a VPN on. They are very clear in these documents that they plan to harvest Wikimedian IP addresses using bait links that they control. –Novem Linguae (talk) 23:57, 7 January 2025 (UTC)

Actually, I think those two links are to the newspaper that did the investigative reporting, rather than the Heritage Foundation. So not as risky as I thought. –Novem Linguae (talk) 00:10, 8 January 2025 (UTC)

Yes, those links point to the website of The Forward, a 127-year-old publication known in Yiddish as פֿאָרווערטס and formerly known in English as The Jewish Daily Forward. Definitely not a Heritage Foundation property! Largoplazo (talk) 03:09, 8 January 2025 (UTC)

True, but to be fair to the Heritage Foundation, The Forward also harvests "IP addresses using bait links that they control", the bait being interesting and informative articles by sensible reporters. Sean.hoyland (talk) 09:11, 8 January 2025 (UTC)

Suspected IP-grabber domains are eligible for the m:Spam blacklist (and the local one as well). Suspicious links can be opened with tools like https://urlscan.io/. Make sure your password is long, strong, and unique, and if you don't have access to two-factor authentication you can request it at m:SRGP. You should also use a Misplaced Pages-specific (or at least Misplaced Pages-identity-specific) email address. This advice also applies to other places where you talk about Misplaced Pages or use the same identity. If you see something suspicious, report it to an administrator/functionary/steward/arb/etc. AntiCompositeNumber (talk) 00:41, 8 January 2025 (UTC)

Maybe all this should also be noted in a more visible place like WP:AN? (I have now done so). Clovermoss🍀 (talk) 04:08, 8 January 2025 (UTC)

Here's the deal, they don't plan on throwing the malicious links in (only) contentious articles. They are going to identify "targets", and then edit other topics the "targets" are interested in. That is when the bad sources will enter pages with fewer watchers (to discern which GET to associate with the suspected user).

Potential targets should click links on one device with a vpn, and edit on a different device.

This isn't new, one of our CUs had to step down because they were doing the same to try to catch UPE a few years ago, and I assume other groups have been doing so for awhile. 166.205.97.61 (talk) 06:51, 8 January 2025 (UTC)

I was thinking that they were probably going to pose as editors on talk pages, and engage in debates where'd they post links, partially hidden like this: AP News, which looks like it goes to an AP News site, which would be common on these sort of talk pages, but actually goes to example.com. (replacable with a tracking link). Most editors wouldn't think to hover over it to check the address. ARandomName123 (talk) 16:39, 8 January 2025 (UTC)

• If they're going to be using domains they control for this, should we start adding Heritage Foundation domains to the spam blacklist? This might require going to WP:RSN to deprecate their website, which is currently used on 5000 pages and is probably deprecable on its (dis-)merits in the first place. A few of their other domains are listed on the library of congress page for them. That wouldn't prevent them from creating additional honeypot domains, of course, but I don't see how we can continue to link to their website if they're using it in this manner. --Aquillion (talk) 13:28, 8 January 2025 (UTC)

  It would be safe to assume that their main domains would also participate in the cookie tracking, especially seeing as it is so heavily linked. I agree that their known domains should be deprecated as likely malicious. 166.205.97.61 (talk) 15:52, 8 January 2025 (UTC)

  Deprecating and blacklisting the link globally will protect editors and readers from accidentally clicking the links. This is a serious privacy concern if the Heritage Foundation collects data from visitors. Ahri Boy (talk) 03:45, 9 January 2025 (UTC)

  Heritage Foundation seems to be making not only a threat against our WP:NOTCENSORED policy, but threatening retribution against wikipedia editors for building consensus on perrenial source reliability. I think blacklisting HF domains, and any subsequent honeypot domains is a sensible idea Bejakyo (talk) 17:10, 8 January 2025 (UTC)

Sigh. Nice work by Forward. Sean.hoyland (talk) 05:45, 8 January 2025 (UTC)

@AntiCompositeNumber that is a useful site, I revert a lot of spam 'cunningly disguised' as a genuine link.

I'm in the UK. Honestly, if they want my ip they can have it. I'm moving soon lol. Knitsey (talk) 08:02, 8 January 2025 (UTC)

I'm not familiar with US law, but is something like creating fake accounts to lure editors into revealing personal information or clicking malicious tracking links legal? Nobody (talk) 09:19, 8 January 2025 (UTC)

@1AmNobody24 I'm wondering if those companies, proudly displayed at the end of the document, are aware of their connection with this 'plan'? Knitsey (talk) 09:28, 8 January 2025 (UTC)

Yeah, I just had to re-read Phishing to make sure it's definition hadn't changed... Nobody (talk) 09:31, 8 January 2025 (UTC)

Honestly I don't want to wait on US law to (maybe) protect our editors. We should be proactively blocking Heritage Foundation domains from interacting with en.wp using whatever means are necessary. Simonm223 (talk) 14:31, 8 January 2025 (UTC)

All Wikimedia wikis too. We can't let everyone accidentally access that data-collecting nonsense. Ahri Boy (talk) 08:35, 9 January 2025 (UTC)

Considering they're the people behind Project 2025, and Trump is coming to power, I do not have too much trust in relying on US law. ARandomName123 (talk) 16:19, 8 January 2025 (UTC)

It's probably a misuse of computer systems (what Aaron Swartz was charged with) and violates the TOS. WMF can and should sue Heritage if they try to pull this kind of shit. voorts (talk/contributions) 21:00, 8 January 2025 (UTC)

Can't speak for the US law, but I'd say it's an offence in the UK under the Computer Misuse Act 1990 which has extra territorial scope. It's also likely a privacy offence in the UK, EU and many US states. I agree that relying on the legal system is likely to be ineffective (it can't protect people from scams in general after all), but I can't imagine any legitimate organisation would want to be associated with an activity like this (including sharing the information such an exercise uncovered) as the risks of legal action against them would be higher. That is, if, say, a registered political party published material it gained from illegal activity it is far more likely to be prosecuted as they are easy to find compared to the actual hackers. MarcGarver (talk) 08:38, 10 January 2025 (UTC)

I'm not worried for myself - I edit with my real name and am pretty sure I have freely given away enough information to enable anyone to distinguish me from anyone else who shares my name - but I'm worried for those who live under more repressive regimes. Some of those are in prison because of what they have said on Misplaced Pages, and many live under regimes that the Heritage Foundation would be vehemently opposed to. Phil Bridger (talk) 14:33, 8 January 2025 (UTC)

Yeah kind of the same situation here. While my username is not directly my personal name it's the same one I use on literally all platforms and is easily connected to my real-world identity. I don't consider myself as an anonymous editor. But we do need to protect anonymous editors. And not just in what we conventionally see as "repressive regimes" either. I'd say that there are considerable threats to the safety of anonymous editors in the United States from such a mass dox. Simonm223 (talk) 14:36, 8 January 2025 (UTC)

On the contrary, this doxxing campaign, apparently led by a former FBI agent and organized by a US-based organization, is specifically targeting editors in the Palestinian-Israeli conflict topic area, who are likely to face threats from the "democratic" regimes of the western world, namely those with expansive antisemitism definitions and where anti-Palestinian sentiment is rampant among the media, political and corporate class. It is the editors based there who everyone should be worried about. Makeandtoss (talk) 15:07, 8 January 2025 (UTC)

Sigh, take caution North American editors, you will need to arm up & watch your backs with these people. There's a clear agenda being pushed to shut down those who would combat disinformation / advocate fact checking, and that's either via ballot box or the ammo box. TheTechLich (talk) 15:28, 8 January 2025 (UTC)

Arming individual Wikipedians does not seem like a particularly effective response to what is being threatened here. _signed, Rosguill 16:35, 8 January 2025 (UTC)

Arming the community with information is more our schtick. "Be afraid!" may work for click media, but a check at RSNP is always a wiser place to start. BusterD (talk) 17:55, 8 January 2025 (UTC)

With regards to the facial recognition software, it is probably simple enough to run it through the many meetup photos we conveniently provide and categorize on Commons, sometimes even helpfully linking faces to usernames and perhaps even real names already. CMD (talk) 15:46, 8 January 2025 (UTC)

I'm sure these guys are not totally clueless, but probably best if we don't give them any ideas they hadn't allready thought of. RoySmith (talk) 15:52, 8 January 2025 (UTC)

I considered that, but this one seems obvious enough for them given facial recognition is already mentioned in their document, and yet also probably something worth making editors more aware of. CMD (talk) 15:58, 8 January 2025 (UTC)

Maybe it isn't a good idea to match those faces to usernames? QuicoleJR (talk) 16:56, 8 January 2025 (UTC)

That horse left the barn years ago. Even removing such matches now wouldn't help, given how often Misplaced Pages is mirrored. — The Hand That Feeds You: 19:14, 10 January 2025 (UTC)

I crossposted this to Commons although I don't know what action can realistically be taken. I don't think this is anything they haven't thought of already, the doc already mentions "cross-referencing usernames." Gnomingstuff (talk) 17:09, 9 January 2025 (UTC)

• My real name is Pat Sajak and I live in LA. GMG 15:54, 8 January 2025 (UTC)

  Negative, I am a meat popsicle. ScottishFinnishRadish (talk) 15:57, 8 January 2025 (UTC)

  Easy there fuzzy little man-peach. Ever drunk Baileys from a shoe? TheTechLich (talk) 16:04, 8 January 2025 (UTC)

  I'm Old Gregg! Lewisguile (talk) 17:28, 8 January 2025 (UTC)

Facial recognition...

Maybe by the camera of ur devices？--Jason2016426 (talk) 14:45, 9 January 2025 (UTC)

This is concerning, I will make sure to stay safe. ~≈ Stumbleannnn! ≈~ Talk to me 17:53, 10 January 2025 (UTC)

Fun. Cremastra (u — c) 00:29, 11 January 2025 (UTC)

A range block is in order, at the very least, lets be preventative. Slatersteven (talk) 15:57, 8 January 2025 (UTC)

• The report says that they're going to use a "database of hacked usernames and passwords". Do we know whether this is from other websites who have been hacked, or whether there's been a data breach at Misplaced Pages itself? ARandomName123 (talk) 16:21, 8 January 2025 (UTC)

  There is also a possibility they're making at least some shit up. Gråbergs Gråa Sång (talk) 16:23, 8 January 2025 (UTC)

  Yes, or it's sloppy reporting. As far as I can see it's the only place where passwords are mentioned. Phil Bridger (talk) 16:28, 8 January 2025 (UTC)

  The combination of malicious tracking links (fairly clever) and facial-recognition technology (rather useless for what they're trying to do here) suggests that they have some people who know what they're doing, but that their leadership (or at least their communications lead) is easily fooled by buzzwordy tech and has no idea what they're doing. _signed, Rosguill 16:32, 8 January 2025 (UTC)

  It's a pitch deck to potential donors who are presumably not super tech savvy, so things were probably kept simple and buzzy to both not overwhelm an be attractive. -- Patar knight - /_{contributions} 16:35, 8 January 2025 (UTC)

  Sure, but it seems like a red flag that facial recognition technology is anywhere near the slide deck. They may as well threaten us with "the blockchain". _signed, Rosguill 16:38, 8 January 2025 (UTC)

  I don't think that's right. If they can use facial recognition successfully to de-anonymize an editor they may be able to use various pressure tactics against that editor. I think their goal, whether through facial recognition and tracking links is to de-anonymize. They will meet with varying success but I definitely can imagine (with one way already listed above) ways facial recognition could be a threat to otherwise anonymous editors. Best, Barkeep49 (talk) 16:50, 8 January 2025 (UTC)

  My sense is that the overlap between editors that they are trying to de-anonymize and editors that can be meaningfully linked to images of themselves is near zero. _signed, Rosguill 16:53, 8 January 2025 (UTC)

  The plan is to learn enough about "targets" through web tracking and comparison to stolen user data to identify potential Facebook or Twitter accounts. They will then attempt to match personality profiles of editors with what they learn from these other sources - including pictures. 166.205.97.61 (talk) 17:07, 8 January 2025 (UTC)

  I'd add that it's IMO foolish to assume that editors they're trying to de-anoymise and editors with images even on WMF sites is near zero. I haven't see anything to suggest they're going to highly target this. It seems likely to me they'll use a fairly broad brush and target any editors editing in the ABPIA area they don't like. Some editors might have protected their privacy from the getgo. But realistically, a lot of editor especially editors who have been around a while may have felt it doesn't matter if they protect their privacy much since there wasn't any reason why anyone would care. And they themselves might have felt it didn't matter. But editor priorities change, lives change and the world changes. What a 20 year old university student felt might not be what a 40 year old parent feels. How someone in Hungary pre Viktor Orbán (and although not relevant here Türkiye pre Recep Tayyip Erdoğan) felt might not be how they feel now. I mean putting Trump aside, even in the US recent Supreme Court decisions seem to demonstrate risk that editors might not have thought 10-20 years ago. And along with what the extremes of "cancel culture" which despite being something blamed on "liberals" is something those on the right are very happy to use and quite effectively (as shown for example when they target random teachers etc who said something remotely support of trans rights etc) mean that people can find themselves at strong risk. Especially given that a lot of jobs in the US are completely at will (so the employer is free to fire the person for any reason which doesn't violate the law), and history has shown even employers who might be willing to keep someone on often relent after enough pressure. And it's not particularly surprising, expecting staff to tolerate so much abuse directed at them just because the company employees an "unperson" isn't really fair. And Anti-BDS laws means that editors might find themselves at risk in some cases even legally. Note even if an editor has made attempts to scrub the info like pictures they revealed earlier, the nature of Misplaced Pages and even the modern internet means it's actually almost impossible once it's been a few months to prevent a dedicated party finding that. Heck even if they're now editing with a new account, if it's an open secret what their old account was, then you only need someone with that knowledge. BTW the wider stuff that's happened with India is IMo an obvious example. There was at least one random editor who's real name was findable and was reported to some government agency although all they did was either decline to remove a name or maybe at worse undo an edit which lacked consensus (can't remember which). There's also the famous case of Rémi Mathis. Nil Einne (talk) 11:04, 10 January 2025 (UTC)

  It would not be particularly difficult to see if someone's username is also their email, if an email is listed on their userpage, or to obtain an email if they reply to a Misplaced Pages email (IIRC your email is kept anonymous as long as you do not reply) and then comparing that to emails in publicized data breachs and trying any associated passwords. People should be checking https://haveibeenpwned.com/ and/or using any in-built tools for this in their password managers to see if this might apply to them and changing passwords as required. -- Patar knight - /_{contributions} 16:30, 8 January 2025 (UTC)

  Also, editors should not respond to Misplaced Pages emails that look like spam or nonsense out of politeness (e.g. "I think you have the wrong email?") if they want to be extra cautious. -- Patar knight - /_{contributions} 16:33, 8 January 2025 (UTC)

  Also, editors can choose to reply on someone's User talk page instead of replying by email. FactOrOpinion (talk) 18:21, 8 January 2025 (UTC)

  There were recent cyberattacks on the Internet Archive. Many editors here often use their book loaning service. I urge them to change their email address and password if it is similar to that of the archive. The AP (talk) 10:48, 9 January 2025 (UTC)

Are T&S aware of this? Ymblanter (talk) 16:30, 8 January 2025 (UTC)

Do they have an on-WP "place"? Gråbergs Gråa Sång (talk) 16:33, 8 January 2025 (UTC)

An email was sent by RoySmith a couple minutes ago, see the phab task. ARandomName123 (talk) 16:36, 8 January 2025 (UTC)

Yes, I've already informed them of it. GorillaWarfare (she/her • talk) 19:57, 8 January 2025 (UTC)

• Is there a way to poison link harvesting? Horse Eye's Back (talk) 16:47, 8 January 2025 (UTC)

  Click through using a different device on a vpn. Send various other IPs through to muddy the waters. Realistically, if they create a fake publisher with a fake book about an obscure topic that they think a "target" will argue about, only a few hits will exist to the link, and the IP of the editor will be exposed. Misplaced Pages really should provide a proxy that disables Javascript when clicking through to links. This would hide all editor IPs. 166.205.97.61 (talk) 17:10, 8 January 2025 (UTC)

  I like the idea of being able to open links through wikipedia so to speak. Horse Eye's Back (talk) 17:20, 8 January 2025 (UTC)

I think we should put a note about this on T:CENT to make more people aware. QuicoleJR (talk) 17:49, 8 January 2025 (UTC)

It's on Jimbo's talk, AN, ANI and VP(m). T:CENT seems way overboard at this point. BusterD (talk) 17:58, 8 January 2025 (UTC)

If anything, that's a good reason for putting it on T:CENT – most people don't check Jimbo's talk or every single village pump page, but an issue of that importance should be on, well, the centralized discussion where important issues are shown. Chaotic Enby (talk · contribs) 19:19, 9 January 2025 (UTC)

• As I think about this, I have concerns that range broadly. I realize that what I'm going to say may sound alarmist to some editors, but I sincerely and soberly think that this is a realistic reading of what Heritage and their allies are saying and demonstrating they intend to do. This really isn't about antisemitism. There are people in Project 2025 with white nationalist and Christian nationalist inclinations who are antisemitic themselves. This is about a much broader attempt in the US to transition from democracy to autocracy, and combating antisemitism is simply a convenient banner to slap onto this first broadside. In fact, the hostility to Misplaced Pages – the labeling of us as "Wokepedia" – comes from the same playbook as attacks on the mainstream press and universities. The sometimes-successful attempts to bring down some university presidents was likewise framed as their failure to speak out against Hamas, but it was really about wanting to diminish universities' credibility as authoritative sources of truthful information. Same thing now for us. For an authoritarian power, honest providers of unbiased truth are an existential threat. We aren't going to change our content to parrot an Orwellian POV about MAGA, so we are a target.

I want to push back against what some editors have said, about using one's real-life identity as a way of preventing outing. In a narrow sense, it's technically true that if you "out" yourself, there's no point in anyone else doing it. But once your identity is known, you become vulnerable to all of the kinds of real-life harassment that doxed people find themselves subjected to. It doesn't matter, in that regard, how they found out your identity. And it's not just if you've edited about Israel-Palestine. It could be if you've edited anything about climate and fossil fuels, gender, immigration, vaccines, and of course, American politics. I doubt that they have the bandwidth to actually identify and harass every editor who could possibly be seen as editing information that goes against a MAGA POV, but they will likely find some easily identified targets, whom they will use to "set an example", as a way of instilling fear in our editing community. I fully expect that, in the coming months, Jimbo Wales will be hauled before a hostile and performative Congressional hearing, much in the manner of university presidents. I hope very much that he will be better prepared than Claudine Gay was.

Yeah, I know this is grim. But I believe the first step in dealing with this is to go into it with our eyes open, to know what we are dealing with, what motivates it. And, more than harming individual editors, the real objective of Heritage et al. is to instill fear in the rest of us. If we become too fearful to revert POV edits, they win. In a very real sense, we have to keep doing what we have been doing, and continue to be a reliable resource for NPOV information. --Tryptofish (talk) 18:54, 9 January 2025 (UTC)

I don't think you sound alarmist at all. Just look at JD Vance's recent comments:

"The closest conservatives have ever gotten to successfully dealing with the left-wing domination of universities is Viktor Orban’s approach in Hungary. I think his way has to be the model for us — not to eliminate universities, but to give the choice between survival or taking a much less biased approach to teaching."

It should be clear we'll be dealing with a US administration that will be shifting from trying to ensure freedom of speech, to an administration trying to determine what speech is "biased" and how to leverage the government to "correct" that "bias". I don't know to what extant they will be successful, but we should be realistic about the threat that an actively hostile US federal government could pose. Photos of Japan (talk) 23:08, 9 January 2025 (UTC)

I think a lot of Wikipedians would do well to consider the most famous works of Pastor Martin Niemöller Simonm223 (talk) 17:04, 10 January 2025 (UTC)

Yes, that quote of his is something that all thinking persons need to take to heart. Thanks for reminding me of it. --Tryptofish (talk) 18:10, 10 January 2025 (UTC)

Niemoller is not someone to emulate. He only cared about Jews who converted to Christianity. — The Hand That Feeds You: 19:18, 10 January 2025 (UTC)

Thanks for pointing that out. But for our present purposes, his famous quote is what's relevant to the situation at hand. --Tryptofish (talk) 19:34, 10 January 2025 (UTC)

• For those wondering, doxxing is largely considered a form of harassment or stalking in ten U.S. states, although I'm not sure about DC where they are based. E_F 16:45, 10 January 2025 (UTC)

  It's an interesting question, about whether actions carrying out the Heritage threats would be unlawful. I suspect that if one lives in a "blue state", there may be a good likelihood that local authorities would provide legal protections. But sady, it's absolutely clear that what the January 6 insurrectionists did was also unlawful, and yet we have an incoming federal government that says it intends to pardon them. Laws only have force if they are honestly enforced. --Tryptofish (talk) 18:10, 10 January 2025 (UTC)

  I'm not exactly sure how prosecution of doxing-based harrasment charges are carried out (does the location of the victim or attacker grant legal protections, etc.), but at a state-level this is 100% enforcable. Say you live in California, which enforces a one-year imprisonment sentence for doxing, and as it is protected there I'd assume it to be a criminal offense on the state level. E_F 18:20, 10 January 2025 (UTC)

Maintaining anonymity on wikipedia

Is there any essay with tips to protect anonymity/privacy on wikipedia? I know about WP:OUTING but proactive tips could also be helpful. In general, don't think this heritage slide deck is that useful and unlikely to work, but after other similar issues (see the Asian_News_International#Wikimedia Foundation case), it would be nice if we have useful tips to make sure bad actors can't target folks who wanna keep their wikipedia lives separate from their other life. Bluethricecreamman (talk) 16:54, 8 January 2025 (UTC)

Here's some links collected in one place for easier reference. Some of these were mentioned by other people in the thread below, some are from an email T&S sent me recently. Feel free to add more:

• User:Your_Friendly_Neighborhood_Sociologist#OPSEC
• Misplaced Pages:Personal security practices
• meta:Harassment resources
• meta:Wikimedia Foundation/Legal/Community Resilience and Sustainability/Human Rights/Digital Security Resources
• meta:Digital Safety Considerations for Wikimedians
• https://app.learn.wiki/learning/course/course-v1:Wikimedia-Foundation+WMF_HUM001+2022/home
• (Diff) How can a username keep you safe?
• (Diff) Doxing: Have you tried doxing yourself?
• (Diff) Doxing: Why should you care?

@Your Friendly Neighborhood Sociologist has a good section on her user page User:Your_Friendly_Neighborhood_Sociologist#OPSEC Meluiel (talk) 16:59, 8 January 2025 (UTC)

(edit conflict)The problem with that would be that bad actors could read it too to work out ways round it. Personally I work on the principle that anyone determined enough can find out who I am anyway so I don't even try to be anonymous, but I understand why that doesn't work for everyone. Phil Bridger (talk) 17:02, 8 January 2025 (UTC)

Same here, if they can be arsed they will manage it. Especially (referring back to the India crap) if you have a government on your side. Slatersteven (talk) 17:15, 8 January 2025 (UTC)

Yes, but making it more difficult at an individual level to identify you makes it more difficult, and therefore costly, at a global level to identify editors. Best, — Jules* 19:13, 8 January 2025 (UTC)

I think an important thing to understand here is that the baseline risk of being outed, even if you do absolutely everything right, is higher than a lot of people realize. There are over 100 volunteers with the ability to view your IP, and an order of magnitude more who pose subtler but equally dangerous risks that I won't get in to. All of these people are vulnerable to bribery, coercion, threats, deceit, and violence, same as anyone else. Now, a difference here is that most of those attack vectors are actual felonies in the US. Heritage, despite its willingness to engage in mustache-twirling levels of evil scheming, probably does not want to have its people go to prison, and get its own corporate veil pierced. They do have that reference to cracking accounts, which is a crime, but it's not clear how serious they are about it; they could also mean it in the sense of not cracking but correlation attacks, e.g. matching a username to someone's Facebook URL. But most of what they're talking about is, essentially, the maximally invasive strategy that doesn't blatantly violate any criminal laws.There are people out there who don't give a fuck about violating criminal laws. Because they're ideologues, because they're unstable, because they're foreign agents, whichever. There is no way to mitigate that risk. Even completely abandoning the system of volunteer access to private information would just reduce the risk, not make it go away. So people who are reading this news and are really scared, who are thinking "My life would be over if I got outed like this", should understand that even if we came up with technical steps to mitigate every idea Heritage has, their IP is still no more secure than the weakest link in the entire cross-wiki system of privileged accounts, and that's not something we can fix, because vulnerability to money, lies, and violence is a bug in human.exe, not in MediaWiki. Remember that Misplaced Pages:How to not get outed on Misplaced Pages offers only two 100% effective strategies: Out yourself, or don't edit. Anything else is taking a gamble. -- Tamzin (they|xe|🤷) 17:59, 8 January 2025 (UTC)

@Tamzin, maybe the strategy all along, is to scare people into abandoning editing Misplaced Pages? All they need to do is produce a low quality PDF, throw in a bunch of scare quotes, link to their partners that will help them dox, and bobs your uncle. Job done. They could even open some throw away accounts and make it obvious they are trying to trap people, without actually doing any trapping. Knitsey (talk) 19:41, 8 January 2025 (UTC)

I completely agree with Tamzin here. As one of the reportedly top pro-Hamas editors who hijacked Misplaced Pages's narrative, or whatever it was, and someone with no expectation of online privacy, I think maintaining a "fuck those guys" stance towards these kinds of efforts to interfere with Misplaced Pages helps to keep your eye on the ball. If someone is afraid of being outed, don't edit in the PIA topic area. Anyone who follows policy and guidelines in the topic area and simply summarizes the contents of reliable sources etc. will be targeted by someone at some point, labelled pro-Palestinian, or pro-Hamas, or antisemitic etc. by easily manipulated credulous fools, racist ultranationalists, radicalized youth, sociopathic POS MFs who celebrate violence and destruction, offensively polite inauthentic extremists etc. It has always been like this. The volume has been turned up a bit recently, presumably to distract from all the death and destruction and/or monetize it via online attention or donations to ridiculous projects camouflaged as righteous missions. But I encourage people to edit in the topic area without being afraid. Where else are you going to encounter so many interesting people and have a chance to be casually defamed by the world's richest man? Sean.hoyland (talk) 04:25, 9 January 2025 (UTC)

Not being able to create a non-gambling scenario doesn't mean we shouldn't try to weigh the games in our favor. Let's not just say fuck those guys in a way that means we don't bother making them try a little. CMD (talk) 05:58, 9 January 2025 (UTC)

Oh absolutely. Make them work hard. They might come up with some good ideas. I would even say try to be understanding because for many of the people who support these kinds of efforts, I think this is their happy place where they can come together and think of themselves as good guy victims fighting the good fight against demons, play at being part of the intel community chasing Nazis etc. rather than having to look at and document reality. What's the phrase, mistaking an idea for the world or something. Sean.hoyland (talk) 08:13, 9 January 2025 (UTC)

There is definitely a risk of the chilling effect being a deliberate strategy the Heritage Foundation uses – if there are less active editors focusing on reliable sources in a certain topic area (not specifically having PIA in mind, but also other politically contentious areas they might target), it leaves more openings for Heritage folks to come and POV-push there. Chaotic Enby (talk · contribs) 18:20, 9 January 2025 (UTC)

This may be useful. Misplaced Pages:Personal security practices Ckoerner (talk) 19:31, 8 January 2025 (UTC)

Also see meta:Wikimedia Foundation/Legal/Community Resilience and Sustainability/Human Rights/Digital Security Resources. GorillaWarfare (she/her • talk) 19:58, 8 January 2025 (UTC)

The risk is not so much someone getting your IP, so much as someone piecing together bits of information about you and cross-referencing them with your other online presences.

Suppose you edit Israel/Palestine articles, but you also make some edits to the article for a local business near, say, Omaha, Nebraska, and you also edit some MLB pages. Now you are no longer just "some person editing in Israel/Palestine articles" but "some person editing Israel/Palestine articles who is likely to be located in the Omaha area and who is likely interested in baseball." Which describes a lot of people, obviously, but also a lot fewer than before. Add to that people's talk page comments, which might include offhand details about their life and definitely provide examples of their writing style.

Before anyone brings it up I am not revealing any secrets that someone hasn't thought of, this is basically how online doxing, private investigation, etc. works. Gnomingstuff (talk) 17:21, 9 January 2025 (UTC)

Some more media:

• Misplaced Pages Won't Let Elon Musk Fluff His Resume. Heritage Foundation Will Help By Terrorizing The Editors.
• The People Behind Project 2025 Want to Reveal the Identities of Misplaced Pages Editors Gråbergs Gråa Sång (talk) 19:29, 8 January 2025 (UTC)

One would think that reportedly soliciting donations to pay for a project that would violate the WMF's TOU in multiple ways (and maybe the law), would be the kind of thing that would put a 501(c)(3)'s nonprofit exemption at risk. Levivich (talk) 23:20, 8 January 2025 (UTC)

It would if the IRS wanted to go after them (they won't). voorts (talk/contributions) 23:31, 8 January 2025 (UTC)

The easiest way to out editors isn't logging their IP, but Medium.com blogs where some fairly high-level journalism gets posted, and require a login to view more than the first paragraph typically. The easiest way to log in is with a Google OAuth2 dialog, presumably to allow the blog author to create a mailing list of their readers. That's a very easy way to accidentally give your primary gmail to someone with whom you are having an "innocent" discussion. I am too new to know where to put this warning so I ask someone else do so please. Sita Bose (talk) 05:38, 10 January 2025 (UTC)

For those interested in such things, Jimbo made a comment. Gråbergs Gråa Sång (talk) 14:21, 10 January 2025 (UTC)

Spam blacklist?

A section was created at WP:RSN (Misplaced Pages:Reliable sources/Noticeboard#Heritage Foundation planning to dox Misplaced Pages editors) suggesting that the Heritage Foundation website be deprecated and blacklisted, but it was closed with a message that that was the wrong board. Let's figure out if we want to do this and what the right board is. I think the right board might be an RFC at WP:VPPR. The text of the RFC could be something like Due to credible threats of attempting to dox Misplaced Pages editors and harvest their IP addresses, should all known Heritage Foundation URLs, including https://heritage.org/, be added to the local spam blacklist? This section can serve as the WP:RFCBEFORE. Thoughts? –Novem Linguae (talk) 08:53, 9 January 2025 (UTC)

• Yes, but perhaps the wording should be broadened to include any other domains which might reasonably be believed to serve as part of the Heritage IP-harvesting plan. Johnuniq (talk) 09:08, 9 January 2025 (UTC)

Misplaced Pages:Reliable_sources/Noticeboard#The_Heritage_Foundation is ongoing. Gråbergs Gråa Sång (talk) 09:15, 9 January 2025 (UTC)

That discussion appears to be purely about reliability. I was thinking we might need a discussion somewhere approaching the blacklist / editor safety angle of having hyperlinks to their website. –Novem Linguae (talk) 10:57, 9 January 2025 (UTC)

Please describe the potential danger from the links which are currently on Misplaced Pages and which would ostensibly be removed following blacklisting—is it connected to the "controlled links" and "redirects" discussed in the pdf?

Technical Fingerprinting (Controlled Domain Redirects):

• Controlled Links: Use redirects to capture IP addresses, browser fingerprints, and device data through a combination of in-browser fingerprinting scripts and HTML5 canvas techniques
• Technical Data Collection: Track geolocation, ISP, and network details from clicked links
• Cross-Session Tracking: Follow device or browser sessions through repeated visits by setting cookies.
• User is only on domain for < 2 seconds prior to redirection

Online Human Intelligence (HUMINT):

• Persona Engagement: Engage curated sock puppet accounts to reveal patterns and provoke reactions, information disclosure
• Behavioral Manipulation: Push specific topics to expose more identity related details
• Cross-Community Targeting: Interact across platforms to gather intelligence from other sources.

—Alalch E. 11:56, 9 January 2025 (UTC)

Yes. Most websites won't do anything with our IP information when we visit. It'll go in a log somewhere and never be looked at again. But a bad actor such as these guys might look at the http_referer, see that it's from wikipedia, maybe even see the exact page you were on before you clicked the link, then do bad things with that info. For example they could cross reference timestamps of edits to a wiki page to their IP server logs and make some educated guesses about whose username that ip is. Then they could do geolocation on the IP to determine a city. Then maybe they already have some information on you in their database from one of the other techniques mentioned in that slide. So now they can use all that together to confirm exactly who you are and harass you. –Novem Linguae (talk) 12:33, 9 January 2025 (UTC)

Noting that links on Misplaced Pages have the noreferrer attribute set. Modern browsers tend to respect this attribute and do not set the Referrer header for subsequent requests. Sohom (talk) 12:48, 9 January 2025 (UTC)

Do they? Checking just now, I see the pages set referrer=origin but there's no noreferrer in sight. This means sites will get https://en.wikipedia.org/ as the referrer, but no information on the specific page. OTOH, if the attacker placed the specific link on only one page, they could use that as a signal. Anomie⚔ 13:11, 9 January 2025 (UTC)

I am concerned that would require quite a lot of scrutiny to prevent if a referrer can be set within a specific link. This is definitely, in my eyes, a point in the yes blacklist column. Simonm223 (talk) 13:30, 9 January 2025 (UTC)

@Anomie The noreferrer attribute It is set on a individual link level and should be set for all external links generated through wikitext on Misplaced Pages. You can kinda verify this by setting up a netcat server nc -lvp 1337 and then clicking on this link to see what headers your browser sends.

@Simonm223 Custom referrers cannot be set for a specific link, you can disable referrers for specific links (which is already done for all external links by our MediaWiki installations) or set a per-page directive to influence how much information is sent by the browser to other websites (Misplaced Pages chooses to only send origin information, which is the industry standard since it doesn't leak too much PII, however, we could probably raise a ticket on phabricator to set the per-page directive to same-origin to prevent third-party sites from getting any information at all). Sohom (talk) 14:06, 9 January 2025 (UTC)

Would there be any negative impact to the project for us setting the per-page directive to same-origin? Simonm223 (talk) 14:14, 9 January 2025 (UTC)

I don't think so, but there might be tooling that depends on the presence of the referrer header that I am unaware of. The best approach would be to file a phabricator ticket to find out. Sohom (talk) 14:39, 9 January 2025 (UTC)

The last time this came up, the WMF was sort of opposed because they felt letting sources know Misplaced Pages was directing readers to them had benefits Misplaced Pages:Village pump (policy)/RfC: Wikimedia referrer policy. I suspect this hasn't changed. Nil Einne (talk) 10:42, 10 January 2025 (UTC)

Still not seeing it. Are you confusing noreferrer with nofollow, which is present on each link? Anomie⚔ 02:03, 10 January 2025 (UTC)

I'm not confusing it, I do legitimately see a noreferrer attribute, I wonder if it because of a misconfigured userscript of some kind? I had assumed it was there by default, but it appear that safemode removes it. Sohom (talk) 03:00, 10 January 2025 (UTC)

Aah, MediaWiki:Gadget-exlinks.js is the culprit/savior :) Sohom (talk) 03:03, 10 January 2025 (UTC)

According to Misplaced Pages:Spam blacklist, there is precedent for "some sites which have been added after independent consensus" (which I read as sites added for sui generis non-spam reasons), and all four linked discussions are from RS/N so it might not be a bad location per se. Whatever the case, if there is an RfC, I think it should authorise a braoder scope as Johnuniq states, to allow the addition of further dox harvesting urls without needing to hold another RfC or similar. CMD (talk) 09:19, 9 January 2025 (UTC)

All those discussions started with the question of whether the source is unreliable and the answer was that it is not just unreliable, it is spam. Basically normal RS/N discussions. The discussion I closed started with the question of computer security. And if and when heritage.org and possible other domains are blacklisted it will not be because of simply "spam". —Alalch E. 10:24, 9 January 2025 (UTC)

What happened to Mediawiki talk:Spam-blacklist? —Alalch E. 10:16, 9 January 2025 (UTC)

I don’t care one way or the other on this (as I avoid political articles like the plague). But to play “devil’s advocate”, it strike me that blocking them is exactly what they want… it just feeds their narrative. And it won’t stop them from doxing our editors in response. So it’s kind of pointless, and may cause more harm than good. Have fun storming the castle! Blueboar (talk) 15:14, 9 January 2025 (UTC)

How does banning bad actors, who chose to be bad actors, harm the project?--3family6 (Talk to me | See what I have done) 17:23, 9 January 2025 (UTC)

Their narrative already has enough food to last a long time. It's not like if we don't block them they'll say "actually, we changed our mind, wikipedia is OK now." Gnomingstuff (talk) 17:40, 9 January 2025 (UTC)

I don't really see the merit in the "it just feeds their narrative" narrative, to be honest. We're dealing with people who "lie for Jesus". Whether or not we do a thing doesn't matter; they'll say what they like about us regardless. XOR'easter (talk) 02:33, 10 January 2025 (UTC)

Given the threat to Dox, and use of links to phish for data, yes all links to them might be spam (or in fact malware). Yes, this might well go someway to prevent abuse. Slatersteven (talk) 15:07, 9 January 2025 (UTC)

If we were to set the noreferrer attribute and also have the per-page directive set to same-origin, I really wouldn't see a need to send it to the spam blacklist. There are going to be times where this website might be useful (for example, as a supplementary source when writing about historical policy proposals). The technical solution seems superior here, lest we have to start whitelisting a bunch of urls/pages (the website is used on over over 5000 pages).

The technical solution of setting the noreferrer attribute or making a per-page directive to same-originwould also provide much broader protection than just for problems with one url; we'd be stuck playing whack-a-mole otherwise, and a robust solution is better if we want to protect privacy. Think of, for example, the state-owned media sites that we permit linking to; they could easily be doing the same thing here. And there's good reason to believe that certain governments have been trying to unmask and harass Misplaced Pages editors—using URLs to phish for IPs is not hard to do, and it's really not hard for a well-capitalized group to have one-off domains for this exact purpose. — Red-tailed hawk _(nest) 17:26, 9 January 2025 (UTC)

if that's a possible solution, i might have started RFC too early... would prefer a compromise to protect users than jumping to plain blacklisting. Bluethricecreamman (talk) 17:55, 9 January 2025 (UTC)

Probably worth it to also lump The Daily Signal into the list of websites that are owned by the Heritage Foundation. Sohom (talk) 20:39, 9 January 2025 (UTC)

Didn't they fork off to be their own project at some point? — Red-tailed hawk _(nest) 21:41, 9 January 2025 (UTC)

3 June 2024. -- Cdjp1 (talk) 22:24, 9 January 2025 (UTC)

noreferrer is probably insufficient to prevent the attack being described (Normally for this style of attack you would include some sort of code in the url to indicate where the link is coming from and where it is expected to be going). Its also unlikely (Unless they were absolute idiots) for them to use their own domain to perpetuate this attack. Bawolff (talk) 23:28, 9 January 2025 (UTC)

I have to agree I don't see what setting the noreferer hopes to achieve. It seems likely that the plan is to use URIs that have not been posted anywhere except to some highly specific wikipedia pages where they're trying to induce a Wikipedian to click on them perhaps also co-relating it when this editor is active etc. They don't need the referer to know this visitor came from Misplaced Pages. They know because that's the only realistic way someone is visiting that URI. 11:12, 10 January 2025 (UTC) Nil Einne (talk) 11:12, 10 January 2025 (UTC)

The most efficient way to capture metadata on a particular user would be to put the fake link on that user's talk page. "Hey, look at this diff." will work most of the time. Zero 12:18, 10 January 2025 (UTC)

Possibly but I would expected they'd planned to be a little more secretive since that will giveaway the game very fast as well as make tracking and some attempt at mitigation easier. Notably, I would have expected they'd planned this without thinking we'd been having this discussion or know about it, even if it isn't that surprising their plans leaked so a reason to think they might not have wanted to be obvious. Anyway this is largely an aside I guess, the point remains that precisely where, why and how they plan to put their URIs it seems unlikely the referer is that important to them as they expect to be confident the visit is from Misplaced Pages. Nil Einne (talk) 14:46, 10 January 2025 (UTC)

RFC Notification

Folks were already doing bolded votes before a proper RFC was placed at RSN, so appetite seemed high. Made an RFC at Misplaced Pages:Reliable_sources/Noticeboard#RFC:_The_Heritage_Foundation, notifying here Bluethricecreamman (talk) 15:39, 9 January 2025 (UTC)

Preemptive blocking

Given the Heritage Foundation's declared war on Misplaced Pages, I propose that Heritage Foundation domains should be preemptively blocked, so that editors arriving from those domains cannot edit Misplaced Pages. Note that this is completely different from blacklisting or deprecation. My preference would be to go even further and also preemptively block every username that ever edits from Heritage Foundation domains. This is simple self-defence. Zero 10:24, 10 January 2025 (UTC)

While I'm not opposed to this, I think we need to be clear this is much more of a symbolic move than anything likely to be useful. There is almost no chance that Heritage Foundation will use domains that can be associated with them in any way with what they're planning to do since it simply makes no sense. The modern internet means it's trivial for them to register domains which will be almost impossible to associate with them without breaches of info from their internal systems. I mean depending on how long they've been planning this, these domains might even have been associated with some apparently innocuous organisation with aims completely the opposite of the Heritage Foundation. Nil Einne (talk) 11:08, 10 January 2025 (UTC)

Yeah. Gråbergs Gråa Sång (talk) 11:20, 10 January 2025 (UTC)

Maybe, but I go back to "but it does take a bit of effort", and that might be enough (it all depends on how important this is to them). So yes, preemptive (range) block. Slatersteven (talk) 11:57, 10 January 2025 (UTC)

"Misplaced Pages defends anti-semites with cyber-wall!" writes itself. Oh well, what can you do. Gråbergs Gråa Sång (talk) 12:09, 10 January 2025 (UTC)

There are very alternative ways that story could be framed if Misplaced Pages, as a community, has the will to call the Heritage Foundation the WP:DUCK it is. Simonm223 (talk) 12:16, 10 January 2025 (UTC)

Yeah, but HF and Elon wouldn't frame it very alternatively. I'm not saying it's a reason not to block HF domains, but per above I'm not sure how much good it would do. Not that symbolic gestures don't have their use. Gråbergs Gråa Sång (talk) 12:47, 10 January 2025 (UTC)

They already do. Slatersteven (talk) 13:51, 10 January 2025 (UTC)

HF and Elon already frame that story very alternatively? That's very quick of them, the story being less than 4h old. Gråbergs Gråa Sång (talk) 14:10, 10 January 2025 (UTC)

Although I'm not sure about the technical effectiveness of a range block, I hope that no editors will be worried that we should hesitate to take action because those who wish us harm might take the opportunity to frame the story in a way that misrepresents us. The solution to misrepresentation is to get the truth out, fearlessly. Acting out of fear of Heritage and their allies being mean to us just empowers them to keep on doing it. --Tryptofish (talk) 18:01, 10 January 2025 (UTC)

The story (as in The Forward original in this case) will be framed depending of framer, that much is clear:

• Group Behind Project 2025 to Target Rogue Misplaced Pages Editors, Hold Them Accountable: Report
• Heritage Foundation antisemitism effort recycles conspiracy theories

Gråbergs Gråa Sång (talk) 20:16, 10 January 2025 (UTC)

@Slatersteven: no it doesn't take any appreciable amount more effort to register domains with no connection to the Heritage foundation. To do more complicated things and make it seem like it's connected to someone else sure. Nil Einne (talk) 13:53, 10 January 2025 (UTC)

It takes some effort, and it may be that effort is enough to make them re-think, also it makes it easier for us to act. A simple rule of "no posting by the Heritage Foundation" (for example) means we can block without discussion. Slatersteven (talk) 13:57, 10 January 2025 (UTC)

You're mistaken. The effort is considerably less than anything else they plan to do. If I wanted to, I could register a domain in about 3 minutes and you will have no idea who I am. This means I've spent more time discussing this than it would take me to register 10 domains which no external party could connect to me or even to each other. It is absolutely ridiculous to suggest they won't do it. I will strongly oppose this measure if it's being presented as anything other than what it is a symbolic measure because doing so strongly risks misleading editors into thinking we've achieve something we haven't as well as making Misplaced Pages looking completely stupid. Nil Einne (talk) 14:03, 10 January 2025 (UTC)

(edit conflict) I should clarify that attach webhosting to those domains is a bit more effort. Still if it's just basic hosting not that much. The more domains you register, the more likely you are to fall into patterns which will make connecting them to each other more likely. However we're talking about a separate thing here as even if you connect the domains to each other, you still don't know they're connected to the Heritage Foundation. If you need some more sophisticated hosting to do more complicated things it will take more effort. But frankly in the days of AWS etc still not that much. More significantly, the more sophisticated your plans, the more complex the work you have to do anyway. The most it might mean is you're less likely to make a lot of domains completely separated from each other. There's still zero reason to think anyone planning anything will have planned to do it with domains or servers connected to the Heritage Foundation. If we present that idea, we're getting into the extremely dumb TV shows/movies field where everyone find the premise completely ridiculous because someone has come up with this fancy plan but somehow either missed or didn't feel it worth taking the tiny amount of extreme time to fix the obvious flaw in there plan. Nil Einne (talk) 14:31, 10 January 2025 (UTC)

BTW, just to be clear there's a reasonable chance that the process of setting up an account (which will probably mean more than just registering it), and doing whatever they need to do to target even one individual will take considerable more effort than it will be to set up the unconnected domain including all the hosting etc they will use for that attack. Nil Einne (talk) 14:39, 10 January 2025 (UTC)

So give them the Scientology treatment? JJP_Master (she/they) 13:49, 10 January 2025 (UTC)

That's one route, but that problem was a bit different though it's probable HF has done some WP-editing. But if it's framed in a way Arbcom can deal with, sure. Gråbergs Gråa Sång (talk) 14:15, 10 January 2025 (UTC)

I don't think preemptive blocking is the answer. Anyone making disruptive edits can be blocked as usual, but we just don't do preemptive blocking, and I don't think that we should make a special case of the Heritage Foundation. There is nothing special about them. Phil Bridger (talk) 13:54, 10 January 2025 (UTC)

What's special is that they've actively declared they're going to identify and harass Misplaced Pages users. That's enough for me. — The Hand That Feeds You: 19:22, 10 January 2025 (UTC)

Me too. ~≈ Stumbleannnn! ≈~ Talk to me 21:06, 10 January 2025 (UTC)

Assuming this isn’t just a big troll, Blocking/deprecating won’t stop Heritage from acting maliciously against our editors. If anything, it would have the opposite effect - making it more likely that they would act maliciously. Blueboar (talk) 21:46, 10 January 2025 (UTC)

I don't see the point of this. The stuff in The Forward article was about their plans to out/dox people, not edit articles. Editing articles might help push a POV but it won't help dox people. Gnomingstuff (talk) 21:59, 10 January 2025 (UTC)

I believe the main concern is them editing talk pages and interacting with editors. For example, they could just post a message like: "Please see this AP News source", replacing example.com with a unique tracking link that redirects afterwards to the correct webpage. Most editors wouldn't notice before they clicked on it. ARandomName123 (talk) 22:11, 10 January 2025 (UTC)

So like what grabify does? ~≈ Stumbleannnn! ≈~ Talk to me 22:25, 10 January 2025 (UTC)

Not really familiar with it, but sounds like it. ARandomName123 (talk) 22:35, 10 January 2025 (UTC)

They could even have someone post a message on the village pump asking whether Heritage should be banned, and add their malicious links to that discussion! Oh no… They could be everywhere or be anyone. Blueboar (talk) 01:11, 11 January 2025 (UTC)

I propose that Heritage Foundation domains should be preemptively blocked. What's the exact technical proposal here? WP:SPAMBLACKLIST of heritage.org, or something else? preemptively block every username that ever edits from Heritage Foundation domains. If you're talking about pressing the block editing button for the IP addresses of the Heritage Foundation offices, we'd need to find out what those are. Their web server IPs are likely to be different from their office IPs. –Novem Linguae (talk) 22:34, 10 January 2025 (UTC)

The spam blacklist stops us linking to some domains. It doesn't stop editing from those domains. It's completely different. If I announced that I planned to make edits on Misplaced Pages designed to trick other editors into revealing their identities, I would be indeffed immediately. All I'm suggesting is that the threats made by the Heritage Foundation should be treated with the same degree of seriousness. Yes, there are technical difficulties such as identifying the IPs, but that's not an excuse for doing nothing. Zero 03:06, 11 January 2025 (UTC)

We do have an archive page with multiple past conflict of interest edit requests directly from the Heritage Foundation, so it's possible that check users may already be able to surmise the organisation's IP if the employees were editing from the office. Iskandar323 (talk) 03:59, 11 January 2025 (UTC)

Xavi Simons

Can somebody answer me at Talk:Xavi Simons. Thanks Like the windows (talk) 22:45, 8 January 2025 (UTC)

• Misplaced Pages village pump