Revision as of 03:26, 10 January 2016 by Elvey (→Query: EC) | Revision as of 03:28, 10 January 2016 by Vanjagenije (Reverted edits by Elvey (talk) to last version by Vanjagenije)
{{u|Vanjagenije}}, I see you reverted my comment. Where do you suggest I post it instead? It's not a new SPI, it's a comment that belongs in the most recent one. {{u|Mike V}} archived it on 23 December. Should it be unarchived? Pinging {{u|Elvey}} too. 19:43, 8 January 2016 (UTC)
:{{ping|SlimVirgin}} Thank you for trying to help here. It is not allowed to edit archives for obvious reasons, but you can comment here. I am aware of all the information you have written and am monitoring the situation. It seems to me that there is no ongoing disruption by this user. We will see how the situation develops. If you have any new information, feel free to post it here, or to open a new investigation on this user. 01:49, 10 January 2016 (UTC)
:A collegial question from a fellow admin. And FINALLY more than Crickets. Hi, {{u|SlimVirgin}}. I'm glad you asked. Very very fishy. I thrice tried to make a comment on the SPI that involved an edit to the archive. The first was considered acceptable. But the second and third provided meaningful information about this loved-in-some-quarters persistent sockpuppet and so were reverted <sic>. Selective wikilawyering, IMO. The third was me archiving a comment I'd placed on the SPI - yet even that was reverted. Vanjagenije refused to explain when I questioned him much as you do, above.--Elvey 03:26, 10 January 2016 (UTC)
Revision as of 03:28, 10 January 2016
RFC
I feel drawn to open an RFC to see if the community agrees with the close. 73.162.132.47 should be blocked, as it's clearly a sock of 169.230.155.123; clerks refuse to even allow an SPI to mention the IP. As far as I can tell, a checkuser is totally called for in this case. link to case (link edited to refer to editable copy since live copy has been disrupted), which includes detailed argument backed by policy and IIRC, common practice.
RFC: Is it reasonable to expect to be able to ask for and expect a clear response from a clerk with respect to each IP I've noted on this page: Sock? And to do so without being subject to the chilling effects of vague intimidating comments by admins? Should a CheckUser be run in this case? Why/Why not? (Struck; I'm told I can't request comments on that question.) Which of the reported IPs should be blocked? Why is this being quashed/covered up?
Summary: SPI reported socking and requested a checkuser because multiple IPs are editing the same articles and tells indicate the master is very experienced. It's confirmed that there's socking, but no checkuser is done; the close is:
"*Two sock IPs blocked for 3 days, master IP warned. Range-block is not possible, as the range is very large. CheckUser can't help here, it is used only to compare named accounts, not anonymous IPs. I'm closing the case. <sig of Vanjagenije>"
The fourth IP was not blocked; the involved Admin and CheckUser refuse to block it OR explain why. They refuse to check if other IPs are the same (not-logged-in) user, arguing nonsensically that the privacy policy doesn't allow it - while policy doesn't allow (logged-in) accounts to be publicly connected to IPs; connections between IPs are allowed.
--Elvey 17:41, 11 December 2015 (UTC)
- As the SPI page mentions, "Additionally, CheckUsers will not publicly connect an account with an IP address per the privacy policy except in extremely rare circumstances." To me, this isn't an exceptional case. Also, I agree with Vanjagenije's comments. Please note that checkuser requests are not subject to consensus. Checkusers are trusted to use the tool appropriately and won't run checks that conflict with our policies or procedures. We can certainly run checks against IPs privately, but we won't comment on it. In a SPI case it's best to determine the merits of a block on the behavior and known technical data of the IPs. (e.g. If they geolocate close or belong to the same range.) Mike V • Talk 22:32, 11 December 2015 (UTC)
- You say you could run checks against IPs privately, but the closing indicates Vanjagenije did NOT do that, so your point is cold comfort. It's obvious if you read even half of what I wrote on the case that I'm quite aware of your first point, so I don't know why you're making it. It's a distraction; I'm tempted to {{cot}} it. You say you agree with his comment (there's only one), yet you don't refer to any policies to back up your ILIKEIT and his comment doesn't refer to policies that back it up either. I'd prefer a reply that didn't bring up obvious points of agreement as if they're points of contention but did address the points I raised, to the reply you've left, User:Mike V. --Elvey 23:34, 11 December 2015 (UTC)
- Well, let's look at Vanjagenije's statement:
"Two sock IPs blocked for 3 days, master IP warned."
I agree with the action taken and the duration of the block.
"Range-block is not possible, as the range is very large."
This is correct. The IPv4 is a /16 range and the IPv6 is a /28 range. Unless there is significant disruption and minimal collateral damage, we won't block ranges this large. There's no policy saying we should or should not block the range. It's using proper discretion to achieve the desired results while impacting as few users as possible.
"CheckUser can't help here, it is used only to compare named accounts, not anonymous IPs. I'm closing the case."
As I mentioned, we won't use checkuser to connect IPs to accounts. If you were looking to connect the IPs together, that doesn't require the use of checkuser tools and a determination can be made via WHOIS, geolocation, and/or rDNS. Even if a private checkuser was run, we will not make a comment on the SPI page. In this specific instance, a private check will not be run because there is no evidence of account abuse, everything has occurred via IP addresses. Mike V • Talk 00:42, 12 December 2015 (UTC)
- Again, I don't know why you bring up irrelevant points of non-contention. I've collapsed/commented them out as they're an irrelevant distraction. If you insist on continuing the disruptive distraction, I guess you'll revert my commenting out and chastise me. Hopefully you won't do something so POINTY. Clearly you're not actually reading what I'm asking you and Vanjagenije, again and again, to read and address. Again: You say you agree with his comments, yet you STILL don't refer to any policies to back up your ILIKEIT and his comment doesn't refer to policies that back it up either.
- Instead you appeal to authority. AGAIN. Shame on you for that. STOP IT!
- AGAIN: I'd prefer a reply that didn't bring up obvious points of agreement as if they're points of contention but did address the points I raised, to the reply you've left.
- What part of do you not understand? I've proven it with examples and reference to policy; link to case (link edited to refer to editable copy since live copy has been disrupted), which includes detailed argument backed by policy and IIRC, common practice. Which trump your appeal to authority. --Elvey 03:50, 12 December 2015 (UTC)
- From the checkuser policy:
- The disclosure of actual checkuser data (such as IP addresses) is subject to the privacy policy, which requires that identifying information not be disclosed except under the following circumstances:
- With the permission of the affected user;
- Where the user has been vandalising articles or persistently behaving in a disruptive way, data may be released to non-checkusers to allow the making of IP blocks or rangeblocks, or to assist in the formulation of a complaint to relevant Internet Service Providers or network operators; and
- Where it could reasonably be thought necessary to protect the rights, property or safety of the Wikimedia Foundation, its users or the public. Mike V • Talk 16:33, 12 December 2015 (UTC)
- That in no way helps you. I understand and don't dispute that "CheckUsers will not publicly connect an account with an IP address per the privacy policy". It's clear you are simply not reading what I've written. I can't force you to. But it pisses me off that you totally ignore that I've proven it with examples and reference to policy; link to case (link edited to refer to editable copy since live copy has been disrupted), which includes detailed argument backed by policy and IIRC, common practice. --Elvey 00:29, 15 December 2015 (UTC)
In regards to this, it seems you missed my comment above where I said, "If you were looking to connect the IPs together, that doesn't require the use of checkuser tools and a determination can be made via WHOIS, geolocation, and/or rDNS". Mike V • Talk 01:17, 15 December 2015 (UTC)
- No. You're jumping to a mistaken conclusion. It does not follow from this that I missed your comment at all. Rather, it seems you my comment where I said, "Even if only to identify other IPs associated with these IPs, CheckUser can be used to help here." CheckUser User:DeltaQuad has admitted the info is available to do this. Your comment is not relevant because the connection between the IPs is firmly established, not through WHOIS, geolocation, and/or rDNS, but rather through the behavioral evidence - including the diff I labeled "SMOKING GUN" and have directed you to umpteen times now; You STILL haven't blocked 73.162.132.47, which I reported as part of this SPI ages ago. Why are you protecting sock 73.162.132.47? You could be using the CheckUser tools to identify other IPs associated with these IPs being used to sock, without publicly connecting an account with an IP address, without violating policy. WHY AREN'T YOU DOING IT? --Elvey 04:57, 15 December 2015 (UTC)
- Hi @Elvey:. So I've seen your ping here (and I don't know the context of what you're talking about with me), and I've tried to read what's going on. I'm not sure I fully understand, please bear with me. As I read it, you wish for us to connect IPs to other IPs without commenting publicly, but just blocking? If that's the case, I'll address that. It's not technically possible for us to be able to determine if an IPv4 and IPv6 address are related. IPv6 doesn't have any useful geolocation, and I'm not comfortable connecting an IP to another IP purely on a useragent, it's just not how CU works. If you're asking about between the two IPv6 connections, unless they are on the same range, I run into the exact same issue. I have removed your request for an RFC as it's up to a CU to determine if it is within the checkuser and privacy policies to run a check. If you wish to have an RFC on clerk procedures, please feel free to do so at WT:SPICLERK. -- Amanda (aka DQ) 05:49, 15 December 2015 (UTC)
- This issue was brought up in the #wikipedia-en IRC channel by Elvey, and I was going to write a longer comment, but User:DeltaQuad's comment here explains it perfectly. I consider this matter resolved. --(ʞɿɐʇ) ɐuɐʞsǝp 01:55, 18 December 2015 (UTC)
- (restored comment) DQ, I understand why you're not comfortable connecting an IP to another IP purely on a user agent - it's gotten you into trouble before. It was merely your mention of user agents when discussing that trouble, that prompted me to mention you. Thanks for piping up. However, this carefully retained capability to keep browser fingerprints made it rather hard for me to see how it could be true that "It's not technically possible for us to be able to determine if an IPv4 and IPv6 address are related." I've asked a CU about this on IRC. I was told that CU data DOES include fingerprint data, but the CU left without disclosing what data was included beyond the user agent string. Another CU implied the CU tool gives IP and user agent, but not whether more info was logged. In any case, it's my understanding that all the following are clearly true:
- We can see that the IPv4 and IPv6 addresses I reported are all confirmed related purely on behavioral evidence- including the diff I labeled "SMOKING GUN" and on admissions that I have directed your fellow investigators to review umpteen times now.
- I do wish for you to connect IPs to other IPs. No CU of any kind has been done on ANY of the 69 reported IPs, however.
- Why is Mike V STILL protecting sock 73.162.132.47 despite the SMOKING GUN evidence I keep pointing him to? I have no clue; the excuse that the data is old rings hollow.
- A CU could check to see if any logged in users have used any of the 69 listed IPs that this socking person (and it appears only this socking person) used while not logged in. That is WP:NOTFISHING; it would not be a policy violation to do so or <s>disclose any results</s> state (without disclosing any results) that this had been done. (Correction - swapped end of this line and the following.)
- A CU could check to see if any IPs in the range of the 69 listed IPs that this socking person (and it appears only this socking person) used while not logged in have edited in related areas. That is WP:NOTFISHING; it would not be a policy violation to do so or <s>state (without disclosing any results) that this had been done</s> disclose any results.
- Do you dispute any of them?--Elvey 05:08, 18 December 2015 (UTC)
- Also, DQ: Your removal of my RFC feels very heavy handed, and unnecessarily so. I would ask you to reconsider, and rather than being so heavy handed, express yourself in a comment, as it is after all a Request for Comments. The question was not merely whether it is within the checkuser and privacy policies to run a checkuser in this case; you misrepresented it, and closed it based on that clear misrepresentation. --Elvey 05:08, 18 December 2015 (UTC)
- I'm not 100% on what exactly is covered by Browser fingerprinting, so I'll tell you more directly. Available to us in Checkuser is only a useragent and IP attached to every single edit or logged action. No further information is available to us. 1 & 3 I don't have an opinion on, as I have been speaking generically, and not addressing this specific case. #2 I haven't looked at the CU logs, and as I have declined to do so before, I will decline again on identifying if an IP has been checked when it relates to an account. It's been subject of several discussions on WT:CheckUser, of which the majority if not all checkusers agree that we don't identify if something has been checked if it risks infringing privacy rights. The 2601:643:8100:8AF4:/64 IPs are very likely the same person by default. Individual users in IPv6 are assigned a subnet /64 to themselves. The other two IPv4 addresses we could give a result on, but if there is a smoking gun as you say...then it wouldn't be needed in the first place. When comparing IPv6 to IPv6 (in a different subnet) or to IPv4, we run into an issue. We rely on geolocation of IP addresses to connect them together. IPv6 has either no geolocation or really crappy geolocation (like wrong country). So until that is remedied, it's not possible to make that connection. #4/5 I would be able to check the IP for accounts, but I would not be able to say if I checked the IPs as it could hint to any blocked accounts (or relating edits) being connected to those IPs. So it's possible if that is satisfied. Re. the RfC, could you please then state the purpose of the RFC? If it has the whether or not a CU should be done part removed, I shouldn't have much objection to it. But also depending what it is, this is a horrible venue to hold an RFC at, and if you give the scope, I'd be willing to point you in the right direction. -- Amanda (aka DQ) 07:37, 18 December 2015 (UTC)
- DQ, thanks for the detailed reply. I notice that you have (in the Non-denial denial sense) NOT directly indicated whether you a) are aware of and b) know for a fact whether: more info useful for identifying socks is logged than just current login (if any), IP and user agent, however. I wouldn't press the existence of logs of "other information as well", if the supposed/implied lack of them wasn't being used as an excuse not to connect IPs to other IPs, or if the hostility some folks directed toward me about this for no apparent reason didn't make me feel like said folks were hiding something.
- You and Vanjagenije direct me to WT:CheckUser. I find no discussion there showing consensus that checkusers cannot say if they checked IPs. Please link to the discussion(s) you refer to. Rather, I'm able to find many discussions, where checkusers have stated that they've checked IPs. a recent example. This supposedly applicable policy to refuse to use/disclose usage of the tool is shown by such examples to be a smokescreen.
- This part of your reply re. #2 is way off: "if there is a smoking gun as you say...then it wouldn't be needed in the first place". It's nonsense because the smoking gun connects some of the IPs I reported, but not all of them. This is obvious if you examine this specific case. I find your actions exceedingly frustrating, in that you thereby not only ARE addressing this specific case and yet refusing to properly examine this specific case, but at the same time you are claiming that you are "not addressing this specific case". I would like to tag the IPs for which there's a smoking gun or admission, but I feel I've been vaguely threatened with repercussions if I do so without independent confirmation that there's a smoking gun or admission.
- You say "The other two IPv4 addresses we could give a result on." Well, then I say, I hereby request you do so. There are now three. I've been given conflicting advice as to whether I can consider that the admissions or smoking guns result in proven socking for the IPs to which they apply. I think it's reasonable to expect to be able to ask for and expect a clear response from a clerk with respect to, each IP I've noted on this page: Sock? And to do so without being subject to the chilling effects of vague intimidating comments by admins. Isn't it?--Elvey 23:43, 18 December 2015 (UTC)
- First, let me apologize if I forget to answer any of your questions here or make any small mistakes, I'm very tired but wanted to be able to provide you a response.
- I do know for a fact that the information available to checkusers (as in the user right, not the interface) is solely the user agent and IP address of each edit. Active login details are not available to checkusers. That's all that I have additional access to as a checkuser, and I don't have any extra tools that you don't have to get more information.
- As for the policies, you're right that there is no consensus about it on that page. Only examples of declines are there. That is because as a Checkuser and oversighter, I have had to sign a legal agreement with the WMF to get access to checkuser. That agreement is the Access to nonpublic information policy. Under this section, point A, I must "community members with access to the CheckUser tool must comply with the global CheckUser Policy, and, unless they are performing a cross-wiki check, they must also comply with the more restrictive local policies applicable to the relevant site." So it's not consensus that determines what I can and can not do, it's a legal document. I am not willing to violate that agreement in any way and put myself in any legal jeopardy. You also link to Berean Hunter's comments. He is not a checkuser, and only used a tool linked in that text, which does not require any level of special access to use. So he did not have access to useragent data when he made the assessment, which is the only additional information I would have access to if I ran a check on an IP.
- I have not at all looked at the case except for reading the list of IP addresses to see what type of IPs we were comparing. If you would like me to look at your case, I'll need time to go through it and decide whether there is significant enough evidence to run a check, as I am not allowed to take your word for it, again by legal agreement. As for your bolded statement, I'll make response to that at a later time. Have a good night. -- Amanda (aka DQ) 06:25, 19 December 2015 (UTC)
FFS, @Elvey: cold stop. You are arguing for the wrong things in the first place. This editor is ONLY editing as an IP of one form or another and is not using an account so there's nothing that a checkuser can do for you. Browser fingerprinting does occur but you aren't getting that this info isn't lifted from the Apache logs and propagated forward to the database for checkuser purposes. This issue is not part of this case so it is only detracting from the matters at hand. No one is protecting anyone so you may owe Mike V an apology. Contrary to your postings here and my talk page, I have been working on the case. I guess you didn't get my ping the other day? That would be the one where I'm letting you know that I'm working on it. I have emailed a bureaucrat (on the same day) with a question concerning the case and I haven't heard back from them. That step is important here. I don't want to open the case on a now non-existent account. I haven't seen any actual disruption and your only claims are that they are avoiding scrutiny, I believe. You are assuming that they have an account but I don't believe so. That IP editor is actually making some good edits and probably a valuable contributor on the whole. They owned up to the other IPs being theirs and have not attempted to influence anything in terms of consensus. The one thing they have done is misused our courtesy vanishing because they came back...er, really never left. I know who this is and I'm not protecting them but I am seeking further guidance from the bureaucrat(s) before going forward. What you may get in this case is the identity of the user but I would be inclined to not block based solely on the violation of the vanishing guideline but rather encourage that editor to resume their account. Between family and very important matters, I will be busy most of the day and I don't see this as being something that requires urgent attention. 
Now, if you want to present evidence of illegitimate socking here then that might be helpful. Again, all that I've seen so far is that they didn't really vanish but I haven't delved fully into every thread they've been in so I'll let you digest the evidence in my sandbox for now.
— Berean Hunter (talk) 14:32, 20 December 2015 (UTC)
- You say, incorrectly, "Your only claims are that they are avoiding scrutiny." Search the SPI for 'scrutiny' for the others.
- You say "They owned up to the other IPs." They've owned up to a small fraction of the IPs we think are theirs being theirs, and only that after what seems like an unintentional slip left a smoking gun. Long after exhortations to stop socking. --Elvey 21:35, 20 December 2015 (UTC)
- Apologies?? Protection?? I don't see Mike V apologizing for anything - for his appeals to authority or for bringing up obvious points of agreement as if they're points of contention. I see no apology for my having to debunk the patently false claim that CheckUser is used only to compare named accounts. I don't see anyone apologizing for the false and defamatory claims that I've been pushing anyone to violate the checkuser or privacy policies. Good luck convincing me that no one is protecting this user while the bulk of the IP socks remain neither tagged nor blocked. You say 169.230.155.0/24 is all him, but there's no block?!
- Sorry, I did not see your ping. Good. Good. Good. Thank you. Better would be to see that the IPs were being tagged with IPsock.
- Edit: note: (ec; hadn't seen Hunter's comment above when I left this comment.) Thank you, DQ. I appreciate you calmly providing an answer that (to my eyes) cannot be seen as a Non-denial denial that you have access to browser fingerprint data beyond user-agent. What do you mean when you say "Active login details"?
- I just don't see how anything that I've asked for (except for what's struck and marked "Correction", above) is asking that the agreement be violated in any way. I don't see how doing anything I've asked for here would be doing what Berean Hunter has done - publicly connect an account and an IP. It's common for SPI's to be closed with tags indicating that a checkuser has been performed and that IPs connected to socking users had been blocked by a commenting admin. The first SPI I thought to check disclosed this. It clearly bears repeating: Valid Wikipedia:Sockpuppet_investigations/SPI/CheckUser_criteria include "Likely undetected or "sleeper" socks, getting an IP block (of a repeat sock-user)" - clearly in the latter case, CheckUser is necessarily used to compare named accounts and IPs. WELL?
- I get your point about Hunter not being a CU. I would like permission to post the case at this page to the normal place (this talk page's main page) so that the tools and process can work normally. As far as I can tell, doing so would be following the proper procedure for opening an SPI. If not, what's wrong and fixable or not fixable, per PAG?--Elvey 19:13, 20 December 2015 (UTC)
- I see that instead of discussing, Vanjagenije is "refusing to be responsive to good-faith questions", choosing instead to do that which is 'unconstructive and creates animosity between editors, making it harder to reach a consensus'. :-( (substantiation below) --Elvey 00:58, 25 December 2015 (UTC)
- The above comment was removed on the basis that it was unsubstantiated. It seems to me to be obvious what I'm referring to, but let me make it more clear that they are substantiated:
- Vanjagenije performed 6 edits, including 3 reverts on December 21, 2015; this is the first; the first 3 show what I am referring to as what Vanjagenije chose to do - to do that which is 'unconstructive and creates animosity between editors, making it harder to reach a consensus'. As far as "refusing to be responsive to good-faith questions", there were several questions I asked; some were implicit; here we see Vanjagenije not only "refusing to be responsive to good-faith questions" but also DELETING some of those questions. I stated,
"If it's not clear whether this user's behavior constitutes socking, I propose an RFC on that question."
And I claimed, "Posting from many different IPs on many different networks for months without disclosing, by a user who has had an account while violating our vanishing guideline is socking."
But received no reply; instead the comments were evidently ignored and quickly archived without comment. I see no good reason for censoring any discussion in which I ask for confirmation that the tools are giving inaccurate results and for information as to why. I did not have adequate time to provide more evidence; you said the user "misused our courtesy vanishing because they came back...er, really never left"; to me that, along with the blocks that were performed, are strong indicators of adequate evidence in the eyes of clerks and checkusers and I had been unable to figure out what was nonetheless inadequate in your eyes about the evidence that you were referring to or whether you had looked at or understood all the evidence I'd posted. --Elvey 20:13, 26 December 2015 (UTC)
- No response needed. Unless you feel like simply being responsive to my good-faith questions, please don't respond at all. I feel that I made no unsubstantiated allegations and I'm not sure if I'm expected or welcome to defend myself from the accusation or not at this point, given the differing views. Am I? It's frustrating when some of my edits that provide unique evidence further substantiating the allegations/issues are repeatedly reverted. --Elvey 20:25, 26 December 2015 (UTC)
- I take the lack of response as conceding the point - I made no unsubstantiated allegations.--Elvey 02:57, 3 January 2016 (UTC)
Intentional Disruption
Why do you insist on keeping your disruptive comments in the discussion? Seems very POINTY. I'd written, "I don't know why you bring up irrelevant points of non-contention. I've collapsed/commented them out as they're an irrelevant distraction. If you insist on continuing the disruptive distraction, I guess you'll revert my commenting out and chastise me. Hopefully you won't do something so POINTY." And yet you did the POINTY thing. (You seem to have missed that the policy that you should be familiar with - but don't seem to be - states (at WP:NOTFISHING): "it is not fishing to check an account where the alleged sockmaster is unknown, but there is reasonable suspicion of sock puppetry, and a suspected sock-puppet's operator is sometimes unknown until a CheckUser investigation is concluded.") --Elvey 00:29, 15 December 2015 (UTC)
Newly Discovered, More Damning Evidence
I'm here to provide some of the newly discovered evidence further substantiating the allegations I've made.
I'm being prevented from keeping - and threatened (by a blatantly unCIVIL admin) for placing - additional relevant info on the SPI page. I've identified more socks, but if I open a new SPI, I expect I'll get grief because they haven't edited recently, so I don't see clearly if/why I should do that. Why will no admin tag User talk:73.162.132.47? It's made hundreds of edits.
This person has claimed to be a retired PhD Medicinal Chemist and yet recently claimed working (per User_Talk:Vanjagenije) in pharmaceutical development as a medicinal chemist, but now at UCSF, from whose IP space he sometimes posts AND has claimed to have never been paid for editing AND have no COI with respect to pharmaceutical companies. I just discovered Formerly 98 has admitted to using multiple named accounts in the past (source). I've identified a couple of them that are not blocked. :-( Wonder if the folks involved in the SPI knew that. Well, folks? Did you? (Only one's been identified at the 'real' SPI and is now Renamed_user_51g7z61hz5af2azs6k6.) The statement, "I am curious as to the conditions that would pertain if I were to register." (diff) has become particularly blatant evidence of the worst of sockpuppetry, since my establishing that the user has quite certainly registered at least 3 accounts. It's a specifically listed violation of the WP:SOCK policy to deceive editors.
That, on top of all the other evidence, is most certainly abusive sockpuppetry. I'd open an SPI about it if I didn't think it would be closed with no action. The evidence is very strong; if an admin is willing to take decisive action to contain the sockpuppetry, even though the sock accounts I've found haven't been used recently, I'll lay it all out. Some off-wiki evidence will need to be disclosed to fully make the case. --Elvey 22:32, 6 January 2016 (UTC)
- @Elvey: What outcome do you expect from this? What action do you want us to take? Vanjagenije (talk) 02:19, 7 January 2016 (UTC)
- Already answered: "no action." Block the UCSF IPs only this user seems to have used, and the accounts. --Elvey 23:37, 7 January 2016 (UTC)
- @Elvey: Blocking IP ranges is a very sensitive issue. No administrator will block an IP range unless there is ongoing disruption (see: WP:RANGE, "use careful judgement and make them as brief as possible"). In this particular case, no edits were reported in the past few weeks. So, we will not block any of those IPs or IP ranges unless they become active again. Regarding registered accounts, you have to tell us their names if you want us to block them. Vanjagenije (talk) 00:25, 8 January 2016 (UTC)
- Elvey, I'm recently back from a several month break from my CU and SPI duties, so I'm not getting much of an understanding of the disagreement from the section above. I will say this, though: if dynamic IP addresses haven't been used recently, they will not be blocked because a) it is unlikely that the user will have that address again and b) some unrelated person may want to edit from that address. All of the IPv6 addresses listed in the case fall in this category, and the UCSF range is almost certainly shared by numerous faculty, staff, and/or students. If there are non-shared, static IP addresses being used, that's another story, but none of the IPs in the archived cases are actionable as far as I can see. The IP you mention above is a semi-static address, but it hasn't edited in almost a month. However, if you have evidence of multiple accounts being used, please let us know, because I don't see any of them listed (besides the renamed account, of course). —DoRD (talk) 03:29, 7 January 2016 (UTC)
- DoRD: Yes, I "have evidence of multiple accounts being used". They are not listed. Why should I let you know? In other words, what part of "The evidence is very strong; if an admin is willing to take decisive action to contain the sockpuppetry, even though the sock accounts I've found haven't been used recently, I'll lay it all out." do you not understand?
- You say "and the UCSF range is almost certainly shared" - but do you have ANY evidence that the active IPs within the UCSF range are shared by IP editors? All the evidence points to them being used here only by this user.
- Do you have ANY evidence that the named IPs in the ranges below are shared among multiple IP editors? All the evidence points to them being used only by this user. And that's not just my opinion. In closing the SPI, User:Berean Hunter wrote,
169.230.155.0/24 <=== This whole range is him
2601:643:8100:8AF4::/64 <=== This whole range is him
- 73.162.132.47 was used from Oct to Dec.
- In contrast, with regard to another IPv6 range, he wrote, "There is a handful of distinct editors using this range anonymously..." so I get not blocking that range.
- I can also present lots of evidence that the user's claim (here) of "ignorance of the rules" is not credible. The user frequently cites the rules and has been here since at least 2011.
- All potential actors: Given all the socking, and even assuming y'all accept the evidence of multiple accounts, y'all still won't block even the IPs that thus far seem to have only been used by this one editor to edit wikipedia, even the ones that were used over a long period, because of DoRD's a) and b), above? It's clear to me that this editor is not going to stay away; based on past behavior, it's very likely he's resumed editing under accounts and/or IPs not yet linked to these.
- The only reason for that that I see is that y'all like the user's edits enough to want him to be able to edit, despite all the rule breaking. There was, after all, heavy stonewalling before even the limited action that has been taken was taken, given the evidence presented at the time. In most cases, clerks --Elvey 23:37, 7 January 2016 (UTC)
- Okay, let's try this again.
- I am not your adversary, here. I am an experienced sockpuppetry investigator who is trying to understand what you're asking for, so responses like,
Yes, I "have evidence of multiple accounts being used". They are not listed. Why should I let you know?
aren't going to further your goals. Why should you let me know? Because, how else am I to investigate your complaint? I can't do anything about accounts I'm not aware of.
- As for your specific points:
- The UCSF range, Special:Contributions/169.230.155.0/24: The latest edit was made on December 6.
- I'm frustrated. Your pointing out that obvious fact seems a continuation of your comments so far, which have been mostly mentioning hurdles that my comments thus far indicate I'm obviously already aware of, rather than something positive. And you are not answering my question. AGAIN: Do you have ANY evidence that the named IPs in the range are shared among multiple IP editors? All the evidence points to them being used only by this user. See longer comment below. --Elvey 23:38, 9 January 2016 (UTC)
- Special:Contributions/73.162.132.47: The latest edit was made on December 8.
- Ditto. AGAIN: Do you have ANY evidence that the named IPs in the range are shared among multiple IP editors? All the evidence points to them being used only by this user. --Elvey 23:38, 9 January 2016 (UTC)
- 2601:643:8100:8AF4::/64: Unfortunately, as far as I'm aware, there is no IPv6 range contribution tool, so I don't know when the last edit was. However, that range belongs to Verizon Wireless, and the range is much, much larger than just /64, and no user can be limited to just that range. Also, as a mobile data range, IP address changes are inevitable, frequent, and transparent to the end user.
- It's not so hard to click toggle all here. The latest edit was made on December 8. AGAIN: Do you have ANY evidence that the named IPs in the range are shared among multiple IP editors? All the evidence points to them being used only by this user. Also, technically you're wrong/misspoke: 2601:643:8100:8AF4::/64 is a /64. It's not larger than a /64. It's part of a larger range, 2600:1010:b060::/44. If you have any evidence that "no user can be limited to just that range" please offer it; that would surely be valuable not just to me, but generally, and to whomever ID'd it. Verizon certainly can break it up and do different things with different portions of the /44, just as they do with their IPv4 blocks; if you're saying otherwise, I'm very skeptical. --Elvey 23:38, 9 January 2016 (UTC)
- Since blocks are meant to prevent ongoing abuse or other disruptive behavior, the IPv4 address and range are stale for blocking purposes, and it would almost certainly cause too much collateral damage (preventing other users from editing) to block a wide swath of Verizon Wireless. Unless the user resumes editing from them, and unless the evidence of sockpuppetry is clear, no blocks will be issued. And again, there's nothing we can do about accounts we're not aware of.
It's clear to me that this editor is not going to stay away; based on past behavior, it's very likely he's resumed editing under accounts and/or IPs not yet linked to these.
Alright, if this is the case, if these accounts or IP addresses are discovered, then come back and make a report that we can investigate.
- Well, of course I will, but the purpose of SPIs is SUPPOSED to be for tracking, but my (and now SlimVirgin's) efforts at using it for that are being - well - frequently interfered with in a way that some might call sabotage. --Elvey 23:38, 9 January 2016 (UTC)
- Look, I don't know anything about this user's editing. I gather that they are editing pharmaceutical-related articles, but other than that, I wouldn't know one of their edits if I tripped over it, so your claims of bias toward the user are insulting. I know that I am trying to follow policy here, and if that gives you the impression that I'm protecting someone, then it's doubtful that we're ever going to see eye-to-eye in this case. If you understand that I'm (we are) trying to follow policy, and trying to do my (our) job the best I (we) can, then we can work together to prevent damage to the project. —DoRD (talk) 14:07, 8 January 2016 (UTC)
- You respond as if you have a guilty conscience, DoRD. Anything critical of behavior in my comment was addressed specifically NOT to you, but rather to y'all. Look, I had what reason to think you were here to investigate impartially and had what reason to think that you intend to do a better job than the other investigators who have participated so far? For all I know, y'all are coordinating your responses on one of those infamous cabal listservs like wpinvestigations-l or some private IRC channel. I've got more than one editor hounding me. So your little lecture is a bit much. But because I AGF, I made sure that anything critical in my comment was addressed specifically NOT to you, but rather to y'all. Give me some credit for that, willya? And when y'all say the IPs are stale for blocking purposes, that rightfully pisses me off, because when I raised the issue of this sock, the IPs were not stale AT ALL. They had just ******* been used. And I see no definition of 'stale' other than the 90 day definition, written into policy, which hasn't come close to being reached, so calling 'em stale seems arbitrary. Do you wish y'all's actions to seem arbitrary; shouldn't stale be defined? You claim that WP:BLOCK says such IPs are stale for blocking purposes, but it says no such thing! If they're stale, it's cuz y'all didn't act in a timely manner. --Elvey 23:38, 9 January 2016 (UTC)
- You say. "I am an experienced sockpuppetry investigator who is trying to understand what you're asking for." What portions of the presented evidence have you read in order to do that? What you have NOT done is said that you're what I'm seeking/looking/waiting for - "an admin willing to take decisive action to contain the sockpuppetry, even though the sock accounts I've found haven't been used recently," if the evidence is not weaker than I say it is. --Elvey 23:38, 9 January 2016 (UTC)
- Elvey, I pinged you when I left a comment on the SPI page and again below. I don't know whether the pings aren't working.
- Re: IP addresses, we're not supposed to block IPs for a long period in case they're not static. Even when they are static, the blocks tend to be short because people can easily change IPs and the new people using those IPs would find themselves unable to edit.
- I do agree that this is a case of avoiding scrutiny. The same user has twice been challenged because of inaccurate or poorly presented material made with an account; subsequently abandoned those accounts; then returned to the same articles with IPs. See my post to the SPI page. SarahSV 23:56, 9 January 2016 (UTC)
- @Elvey: I now officially ask you to stop participating in WP:SPI. You are not welcome here any more. Your comments are full of insults towards other users who just wanted to understand you and to help. This is a huge waste of time. Vanjagenije (talk) 01:42, 10 January 2016 (UTC)
Query
Vanjagenije, I see you reverted my comment. Where do you suggest I post it instead? It's not a new SPI, it's a comment that belongs in the most recent one. Mike V archived it on 23 December. Should it be unarchived? Pinging Elvey too. SarahSV 19:43, 8 January 2016 (UTC)
- @SlimVirgin: Thank you for trying to help here. It is not allowed to edit archives for obvious reasons, but you can comment here. I am aware of all the information you have written and am monitoring the situation. It seems to me that there is no ongoing disruption by this user. We will see how the situation develops. If you have any new information, feel free to post it here, or to open a new investigation on this user. Vanjagenije (talk) 01:49, 10 January 2016 (UTC)