Just passing through but ... why don't you take advantage of Movable Type's nifty IP Blocking tool?

Posted by: Aaron on October 17, 2002 11:11 PM

---

 

Aaron, that is a good point. However, why should I block a particular IP? Which IP? I would need a concrete mechanism to check an IP against a valid email account or user profile. Movable Type doesn't provide anything that, from what I can tell. Further, when someone complains, should I simply block an IP? My answer: Nope, especially since no one did anything truly offensive. Right now I am thinking I need a more robust content management system. (Grumble, grumble.)

One more comment. This is blog, not a major web site or corporate portal. How important is this issue? What is the true scope? Is this a tempest in a teapot? If yes, doesn't it at least get you thinking about identity theft in general?

Posted by: John S. Rhodes on October 17, 2002 11:20 PM

---

 

I am uncomfortable with my identity abuse being a point of whimsical discussion on a site you own and control instead of it being taken seriously. If you have to even ponder the issue, it's clear it's time to kill this persona. The next one I'll only use on responsible web sites with site owners willing to address improper conduct. Thanks, John.

Posted by: Jack on October 17, 2002 11:42 PM

---

 

"I am uncomfortable with my identity abuse being a point of whimsical discussion on a site you own and control instead of it being taken seriously."

Whimsical? Hardly. This is a very serious issue. And, I think it is fair to discuss openly how to address this issue. Socially, technically, and personally.

The problem is that I really don't know who is who. If I start removing postings, where does it end? If people post as each other, and if they use fake information, how will I know the truth? Seems like a slippery slope and I am not sure how to handle the situation. That is why I have not (yet?) removed the "fake" posting.

"If you have to even ponder the issue, it's clear it's time to kill this persona."

I'm sorry Jack, but I really do need to ponder the issue. It isn't because I am neglecting your request, or that I don't take it very seriously. I do take it seriously, which means I need to think about the next steps.

This issue forces me to think in drastic terms. I might need to stop all postings. I might need to install a more robust content management system. These kinds of actions will probably cost me time and money.

Taking the wrong action could also mean a loss of respect. If I act slowly, it looks like I don't care. If I act swiftly, it sends the message that I censor WebWord. None of this is trivial.

Posted by: John S. Rhodes on October 18, 2002 12:12 AM

---

 

Well done John. Like and SUPPORT your approach! Have always admired the way you facilitate webword. *Cringes as he says this* ... but perhaps a login/account is required on webword. Would this assist in terms of accuracy and validation of those posting?

Posted by: daniel szuc on October 18, 2002 12:25 AM

---

 

"...but perhaps a login/account is required on webword."

This raises a usability barrier, but it protects people. Certainly seems like the right thing to do. And yes, I definitely think it would help with getting a handle on the accuracy and validation of postings. I think the main issue is implementation; time, energy and money.

Posted by: John S. Rhodes on October 18, 2002 12:30 AM

---

 

Agree, there would be an initial barrier. If you can create a scenario where the site can keep the session alive without requiring a re-login everytime you boot up the PC ... that would be super! Appreciate the time and money factor. Guess the intial registration should also not be too scary *long and complex* Would people be willing to pay a small yearly subscription? *opens up can of worms* This may assist fund a small development effort? *rattles coin can*

Posted by: daniel szuc on October 18, 2002 12:38 AM

---

 

this is a hard issue. anybody who has ever moderated a blog, discussion board, or email list knows that making these kind of decisions is diffuclt, and most moderators i know take the issues very seriously. i see no indication of any difference here.

the complication, i believe, goes beyond the "who's telling the truth?" issue, although that's part of it. i think it goes to what makes any kind of online community interesting and dynamic; one component of that is the personality (read: identity) of active community members. frequent posters become known to others who are part of the community, and their reputation begins to have some value, based on their contributions.

it appears at first blush that the new poster is hitching onto the jack's reputation, and thus compromising the meaning and value. hence, jack's strong response: it's like something is being taken from him. not his identity exactly. i don't imagine anybody's entire identity is tied to a blog. but still, something.

on a gut level, this doesn't "feel" right. with a system like movable type, it doesn't seem too easy to avoid this (though i'm not mt expert). i think if it's possible to avoid through technology, that's a reasonable solution.

i certainly can't say what the "right" thing to do would be. i would be inclinded personally to use the email address from the post in question to get a verification of who it goes to, and maybe let folks know that if you use an invalid email address, your posts are subject to removal. i think that not using someone's name and email to post should be a no-brainer, and i wouldn't have any personal qualms about removing such a post...

Posted by: dix on October 18, 2002 12:42 AM

---

 

Was that the real Jack or the fake Jack posting? :)

I find it mildly amusing that a person who has previously admitted that Jack Schonchin is not his real name is now cribbing about identity theft. What identity? If Jack Schonchin is a fake name, where is the question of the theft in the first place? (Hell, technically Jack's "Yahoo address" isn't even valid, and keeps changing all the time.)

Here are some issues:

1) IP banning works only if the person is using a fixed IP. Almost all dial-up accounts have randomly assigned IPs.

2) User registration is NOT supported by MT. John will have to hack the code to create his own system.

3) If Jack says he won't post any more comments on Webword, then we'll just assume that future "Jack" posts are not from him.

4) Delete posts only if they are offensive, porn, or defamatory. If it's on-topic, leave it. People post under all kinds of names here.

Posted by: MadMan on October 18, 2002 12:48 AM

---

 

Post comments based on your real identity and contact OR if you dont want to be identified post anonymously. Agree Madman, dont *winge* about a posting when you have been posting under a fake name anyways.

Posted by: daniel szuc on October 18, 2002 06:38 AM

---

 

I think identity theft is a very important issue - irrespective of the level of theft.

In this case it is not only Jacks persona but his reputation that are at stake. Fake postings can have the impact of damaging Jacks reputation not only on this blog, but in the wider industry. As you link to other sites, other link to you, and potentially Jacks comments.

As nasty as it may be, login maybe the way to go. you could run a general anyone can comment area and then a login area as well. See which gets the most interaction.

I for one don't mind the 10 second inconvenience to log in and I would think that the regulars here would be the same.

I’d be pissed if someone used my persona to post comments – admittedly they may be a positive to my reputation, but hat is not the point….I have a right to be as dumb as I want to be and can be ;-)

Remember - identify theft is about reputations.

Posted by: JB on October 18, 2002 11:15 AM

---

 

Oy, identity theft.

I had this problem at http://loveblender.com/ , a site I've been running as an open forum for romantic poetry for about 6 or 7 years now. It's all homebrew Perl.

For a long time it had a system a lot like the comments here, just enter your name. Eventually I had to set up a simple account system, where people had to enter a legitimate e-mail address to complete the registration process. (I took the time to add some side benefits to, like someone can click on an author's name and see all the works they've submitted to the site)

Another problem I then had...what I call "near identity theft", where someone takes a name confusingly similar to an existing name, and then pretends to be that person (e.g. "Just Some Guy" for an already existing "Just-Some-Guy" user.) These accounts I unceremoniously close as they come up...usually they're formed with some cheap disposable hotmail account, so the e-mail registration isn't perfect, but it is useful enough in eliminating truly trivial account creation...

I have no idea how any of this ties into movable type. And people will bitch about having to set up an account to post, but hey.

Posted by: Kirk on October 18, 2002 11:55 AM

---

 

Oh yeah...I don't think there's any need for a proper "login" with sessions for this. That's only needed if people post to a *lot* of discussions in a short time (as far as I can tell, that's not how WW is usually used.) or if you need to track what people are reading. I've found a simple "enter your username and password above the comment" works fine...in fact, that's one less text box than the current system (though I just noticed the "Remember your personal information" checkbox...with similar cookies, you could remember someone's username and even their password, trading some security for convenience, with the idea that the imposter doesn't have access to the "real user's" PC.)

Posted by: Kirk on October 18, 2002 12:01 PM

---

 

This is a difficult issue, and it is good to see John taking it seriously. Since WebWord is a community, it makes sense to ask everyone and get a well-rounded point of view. Ultimately, the decision is John's.

Login would be cool in that it would protect the identity someone has set up within WebWord by requiring a password in order to use the name. People could continue to use nicknames as desired, but they would be somewhat protected.

Until you have a system like that, you really can't ensure anyone's identity integrity, so MadMan's guidelines about what to delete seem the most straightforward. Unfortunately, that leaves Jack feeling like you haven't addressed his concerns, but there is only so much you can do.

Posted by: Lydia on October 18, 2002 01:46 PM

---

 

John, I'm for one glad that you've asked for community comments on the next move - not only does it respect the community nature of the blog (one of the reasons I frequent), but it allows us each to take a moment to consider the issues before we're facing a similar event (either in having an identity stolen or having sites we run effected).

As for recourse, I can only think of a few ideas (and am not sure which ones would be allowed by Movable Type) -

1) Use the IP block feature - as other posters have said, this really doesn't stop someone but rather inconveniences them slightly. Also, you may accidentally lock out valid participants by locking out a group firewall IP or a serious of rotated dynamic IP's.

2) Login for each participant - certainly an option which we've seen elsewhere, but would inconvenience people when implemented

3) Institute some kind of editorial validation process - not sure how this might work technically, but I could imagine a process where the site sends out a copy of the post to the email provided, allowing the participant to go online and validate their entry. This wouldn't cover confusion of nicknames, but it would ensure that the email given is truly the correct email - "un"validated posts would not appear to the public

4) Most drastically, stop having people comment on articles in the blog. I'm assuming that this is probably too drastic for all of us, but it does remove the issue entirely.

I'd probably opt for instituting a login if I were choosing - while it might institute some initial inconvenience, I think it's a convention users would recognize and accept. Everything else seems to be either too bulky to implement or too restrictive.

Posted by: Jeff on October 18, 2002 02:59 PM

---

 

I reckon the best solution would be to have an optional registration process, so that regular commenters can protect their identity while casual visitors aren't put off commenting occasionally. Posts made by registered users would have slightly different formatting (perhaps put the name in bold with an icon signifying they're registered?), and I don't think it would seem too elitist/cliquey.

Posted by: Matt Round on October 18, 2002 04:47 PM

---

 

All fine suggestions, but remember that John is no programmer, and I'm not sure if he can hack MT to set up a registration system. He has to work within the confines of what he's got. Maybe someone should suggest user registration as a feature for the next version of MT.

If you stop comments on the site, you might as well kiss the community goodbye. I come here more to read what others have to say than for the articles.

JB says: "Fake postings can have the impact of damaging Jacks reputation not only on this blog, but in the wider industry."

I don't think it can affect his reputation in the industry, unless he continues to use the pseudonym in his real workplace too. I use a nickname as well but it's linked to my site, from where you can see my real name. Jack does no such thing.

Posted by: MadMan on October 18, 2002 08:09 PM

---

 

Ya, who cares about write or wrong. If it can't hold up in court, it must be OK.

Posted by: on October 18, 2002 09:09 PM

---

 

I think it is great that Movable Type captures IP addresses! Oh wait, why on Earth would I made that comment? ;-)

Posted by: John S. Rhodes on October 18, 2002 09:26 PM

---

 

Is there a way to keep up with postings without having to *pogo stick* into each separate article log?

Posted by: daniel szuc on October 18, 2002 09:39 PM

---

 

Daniel,

If you poke around here, you might find some good stuff. However, there really isn't an easy way to see what you have and have not read. At least not without a registration system.

Posted by: John S. Rhodes on October 18, 2002 10:08 PM

---

 

Thanks John. Bring on registration, user profiles, login & subscriptions (i.e. receive postings via email) ;)

Posted by: daniel szuc on October 18, 2002 10:21 PM

---

 

As I recall my (over)reaction to the "Austin Powers" takeover-by-proxy of my website back in July, I can certainly understand Jack's concern. At the same time, if Jack freely admits he's using a persona, that doesn't seem to be identity theft at all. I gather that there is more than one person in the world who's named "Jack," anyway.

If you do manage to overcome the technical hurdles and instigate a password system, I think it would probably be useful to permit anonymous posting.

Posted by: Dennis G. Jerz on October 18, 2002 11:55 PM

---

 

I don't think it was so much the name 'Jack,' but that the faker also reproduced his e-mail address.

Posted by: Pez on October 19, 2002 10:13 AM

---

 

Actually, from the standpoint, it doesn't matter whether the real Jack is really named Jack. Someone other than the owner of a certain e-mail address is impersonating the owner of that address. It should be really easy to verify by contacting the owner of the e-mail address. Why is this a gray issue?

Posted by: Pez on October 19, 2002 10:35 AM

---

 

Pez - what if the email details are also fake?

Posted by: daniel szuc on October 19, 2002 10:40 AM

---

 

I guess without too much work you could make the email address a mandatory field and send a copy of the posting to the email address with a note to contact you if they didn't actually make the posting?

Posted by: David Sim on October 20, 2002 05:27 AM

---

 

MovableType has a Trackback feature, which allows users who have their MT blogs to comment on another blog and have that comment appear as a link. This would bypass the issue of identity theft, since users who may be concerned about it could post on their own blog and thus protect their own reputation.

The other alternative would be to make passwords optional. This is very common in IRC, where identity theft can be an issue. This approach allows a user to optionally associate a password with a username.

eg.

Post your comment.
Name [ ] Password (Optional) [ ]
Email Address [ ]
URL [ ]

Posted by: Chui Tey on October 21, 2002 04:09 PM

---

 

I'm not sure Jack had a reputation capable of being damaged, in all honesty.

Given his curmudgeonly persona (displayed above, or else imitated by a note-perfect mimic), I can only imagine that any words written by an imposter would shed a more attractive light on the name.

Posted by: Adam Greenfield on October 23, 2002 06:41 AM

---