Wikipedia:Village pump (proposals)/suspend sysop rights of inactive admins

Source: Wikipedia, the free encyclopedia.
The following discussion is closed. Please do not modify it. Subsequent comments should be made in a new section. A summary of the conclusions reached follows.
I have closed this RFC as successful. As such, I have added this paragraph to WP:ADMIN. Wording tweaks can be performed as necessary, but the underlying principle has been soundly approved. NW (Talk) 03:52, 2 July 2011 (UTC)[reply]

See also: Wikipedia:Village pump (proposals)/Account security

The issue of Inactive Admins has reared its ugly head again after one admin account was hijacked by White supremacist editors. Arbcom made an emergency De-sysop of Spencer195 (talk · contribs · blocks · protections · deletions · page moves · rights · RfA), whose last edit was in 2005, to prevent possible damage to the community. Given Spencer195 was off Wikipedia for six years before being compromised, there seems no assurance that dormant accounts are as safe as assumed.

It's been three years since the last major proposal on this was made. In that time Wikipedia's prominence has grown and I think the language on that proposal is right on with what needs to happen now.

Proposed language to be Added at Wikipedia:Administrators#Review and removal of adminship
  • Admin accounts which have been completely inactive for at least one calendar year (with no edits or administrative actions in that time) will be automatically desysopped. This is not to be considered binding, or a reflection on the user's use of, or rights to, the admin tools; if an inactive admin returns to Wikipedia, they may be resysopped by a bureaucrat without further discussion, providing they left Wikipedia in good standing and not in controversial circumstances, and that their identity is not in dispute. The admin will be contacted one month prior to the expiry of the one-year timeframe on their user talk page, and again a few days before the limit. If the account has a valid e-mail address, the user will also be contacted via that medium. The summary in the user rights log will make it clear that the desysopping is purely administrative.

This proposal allows a dignified desysopping and the ability to Re-Sysop if they choose to return to Wikipedia. The Resident Anthropologist (talk)•(contribs) 22:33, 31 May 2011 (UTC)[reply]

Endorsement/Opposition

On the last line of the proposed clause, rather than "purely administrative" (which will introduce another potential ambiguity), perhaps "purely while account is inactive"? Ncmvocalist (talk) 13:15, 2 June 2011 (UTC)[reply]
I support this, but y'know... "good luck" Choyoołʼįįhí:Seb az86556 > haneʼ 22:43, 31 May 2011 (UTC)[reply]
I certainly wouldn't object if I disappeared for a year and came back to find that the tools had been removed - in fact, I'd expect it. I'd go further and say that an admin who comes back after over one year's absence needs to agree to read up on all the policy changes before the bureaucrat hands the mop back. Elen of the Roads (talk) 22:48, 31 May 2011 (UTC)[reply]
I Support this though I might like to push it to two years of inactivity, but nevertheless I support the principles behind this and would not object to a one year time frame. Seddon talk|WikimediaUK 22:50, 31 May 2011 (UTC)[reply]
Support based on the security concerns of having high-privilege accounts which aren't being used. A year seems about right. -- Eraserhead1 <talk> 22:52, 31 May 2011 (UTC)[reply]

Support very reasonable proposal Murray Langton (talk) 09:29, 1 June 2011 (UTC)[reply]

I Support this. It makes sense. But, there would have to be no strings attached; readminship would have to be automatic upon request, and any outstanding issues would have to then go through normal processes. Maybe 18-24 months is a better timeframe. Ocaasi c 23:05, 31 May 2011 (UTC)[reply]
  • Oppose per
    isn't supposed to be a big deal and anything done with the admin bit can be undone, so there is really no emergency here. --Tothwolf (talk) 23:15, 31 May 2011 (UTC)[reply]
That would be helpful I feel. Sorry if I set folks off on the wrong track above - I was just intending to expound how I would react if it were me. Elen of the Roads (talk) 23:18, 31 May 2011 (UTC)[reply]

Question: what guarantees are there that the putative resysopping procedure would not be a point of security vulnerability, by having imposters come along and try to claim the account ("oh and the old email address is history, pls help")? Rd232 talk 23:20, 31 May 2011 (UTC)[reply]

I would say a Crat's judgement. The Crats I know would be suspicious of such a request and probably discuss it with other crats before doing it. Personally it's better than simply having it to begin with. The Resident Anthropologist (talk)•(contribs) 23:23, 31 May 2011 (UTC)[reply]
I would think any admin coming back after 6 years of inactivity and asking for rights reinstated right away would be suspicious anyway. And at least at that point, they are being noticed. As it is, nobody is watching their (lack of) activity. ▫ JohnnyMrNinja 23:31, 31 May 2011 (UTC)[reply]
This would be better if another little group, of crat's trusted users because crats already have lots to do. But still, I support. Also, what happens if an account like his gets hijacked or hacked into before 1 year? ArbCom cannot come fast enough. ~~EBE123~~ talkContribs 20:35, 1 June 2011 (UTC)[reply]
The reasoning doesn't stand up if they are active on other WM projects, especially if they have SUL. I don't think a WP admin who is busy at Commons should be considered inactive in this context. ▫ JohnnyMrNinja 00:49, 1 June 2011 (UTC)[reply]
The most common measurement of inactivity uses Special:Contributions, and therefore sees nothing more than whether the person made any edits to undeleted pages specifically on the English Wikipedia within the specified time. IMO such a measurement is inadequate for this purpose, but it's the most likely to be used. WhatamIdoing (talk) 01:34, 1 June 2011 (UTC)[reply]
In that case all they have to do is make a couple of edits somewhere when they get the warning. Is that so much to ask? Johnbod (talk) 02:45, 1 June 2011 (UTC)[reply]
Actually, policy states in pretty clear language that Wikipedia is not compulsory, so yes, I think it is a little unrealistic. --Tothwolf (talk) 04:26, 1 June 2011 (UTC)[reply]
Hardly "unrealistic". If you think it is "unreasonable" I'd have to disagree strongly. Johnbod (talk) 11:48, 1 June 2011 (UTC)[reply]
So, because it's "only" happened twice so far, we should continue to memorialize the accounts of long-departed – and quite possibly deceased – editors by keeping all of their advanced rights on their account in perpetuity? On the off-chance they rise from the dead and decide to resume editing, is it really an onerous requirement that they stop by the bureaucrats' desk on the way back in and say "hey, before I start blocking people and deleting pages, has anything changed since 2004 that I should be aware of?" The idea that these accounts hold no interest whatsoever for people with malicious intent (because it's "only" happened twice so far that we know of) is naive, frankly. 28bytes (talk) 03:39, 1 June 2011 (UTC)[reply]
The problem is partly with inactive accounts, because the best person to detect hijacking is the person whose account it is. Removing the bit from such accounts has a variety of small benefits, including reduced security risk and better admin stats, and less risk of admins returning and not being up to speed (the act of having to ask for the bit back underlines that they have a need for seeing what changes they might have missed). If the benefit is small and the cost is very small, it's worth doing. Rd232 talk 16:45, 1 June 2011 (UTC)[reply]
  • Support We'll have to do this some time, or our admin list will slowly become a phantom army. Johnbod (talk) 02:45, 1 June 2011 (UTC)[reply]
    And why is that a bad thing? Ajraddatz (Talk) 02:47, 1 June 2011 (UTC)[reply]
    • Er, because! Does that really need answering? If we have a list of admins, it's rather more useful if they actually are admins rather than ex-admins. Even if Rip van Admin does decide to return eventually, things change round here, & after a few years they may be seriously out of touch. If they can't be bothered to do a couple of edits when they get the warning, they should be de-activated. It isn't much about security as far as I'm concerned. Johnbod (talk) 02:56, 1 June 2011 (UTC)[reply]
  • Fetchcomms stole the words from my mouth. This change isn't needed - active admins are more likely to be compromised, and the problem is people using bad passwords, not keeping rights when they go inactive. Plus, while it happens once in a blue moon, this shouldn't be so much of a concern that we need to take this pointless action to "prevent" it. Ajraddatz (Talk) 02:47, 1 June 2011 (UTC)[reply]
  • It would be useful to know how many 1yr, 2yr, 3yr etc inactive admins there actually are. Ah yes, here at Wikipedia:List of administrators/Inactive. We already have more inactive than active admins (on the different "30 or more edits in the last 2 months" criterion), and there are 2 who have not edited at all since 2002. Opposers might like to produce arguments for keeping them live. There are 75 who have not edited since 2007 or earlier, and 246 who last edited before June 1 2010. Johnbod (talk) 03:02, 1 June 2011 (UTC)[reply]
    How about "why remove"? You are trying to fix a system which isn't broken. Ajraddatz (Talk) 03:16, 1 June 2011 (UTC)[reply]
What "system" applies to someone who hasn't edited in over 9 years, a time when WP was utterly different in so many ways? I believe the Pakistani phone directories only used to add new entries, never removing the old ones. That didn't work either. Most non-historical databases need housekeeping to remain useful, passports need renewing, and so on. Do you really want to keep people on the list "to infinity and beyond"? Johnbod (talk) 03:27, 1 June 2011 (UTC)[reply]
  • Support. In the real world, when you leave your job or a volunteer position, you turn in your keys to the building. It's absolutely bizarre that accounts that have not even logged in since 2004 (!) or earlier still maintain advanced rights. 28bytes (talk) 03:25, 1 June 2011 (UTC)[reply]
Agree absolutely, but to be picky, logging on, and edits on deleted articles, are not counted in the figures here - just recorded edits on live articles. Johnbod (talk) 03:30, 1 June 2011 (UTC)[reply]
There's two flaws with that analogy: one, Wikipedia is not the real world; and two, inactive does not mean a user has left. They're taking a break—maybe extended, but you don't know when they're returning, right? In the "real world", you would get to keep your keys if you were going on a vacation, and if something happened and you weren't able to return them, the boss isn't going to hunt you down to get them back. /ƒETCHCOMMS/ 03:40, 1 June 2011 (UTC)[reply]
If you mean a metal key on a chain, you're right, they're probably not going to send a bounty hunter after you to retrieve it. If you mean a plastic RFID badge that lets you into the building (which is much closer to the situation here): you'd better believe they'd deactivate that if you went on a short vacation and never came back. Any IT head that had a policy otherwise would justifiably be fired. 28bytes (talk) 03:53, 1 June 2011 (UTC)[reply]
One of the best points so far. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)[reply]
28bytes, your analogy is closer to a proposal to automatically change people's passwords after a year of inactivity. The RFID badge is like a password—the sysop tools are like a pair of scissors. Following your logic, it would make sense to automatically disable logins from user names that haven't edited/made a logged action in over a year, and then have some sort of system to restore the login when requested. Because a spambot running under a non-admin account is just as destructive as a rogue admin account (which is not very destructive in the end), and given that there are millions more non-admin accounts than admin accounts, it would make sense to think about those, first. /ƒETCHCOMMS/ 13:13, 1 June 2011 (UTC)[reply]
That's a bit of a red herring. Anyone can register an account instantly and start wreaking havoc with a spambot (or indeed, not register an account and wreak havoc with a spambot). Whatever incentive there might be to compromise an inactive non-admin account (instead of just registering an account) is minuscule in comparison to compromising an admin account. 28bytes (talk) 14:24, 1 June 2011 (UTC)[reply]
Not necessarily. If someone's IP(s) is/are rangeblocked, then they would go for hacking others' accounts. Given that rangeblocks are often applied to stop frequent sockmasters, it's not unlikely that someone will try to take over another account rather than create one from scratch. There's also the "established" bit—anyone who would try to use the Clifford Adams (talk · contribs) account for deceptive purposes would be quickly found out, while someone who chooses a non-admin account would probably not be noticed that much. Being an admin makes the account stick out much more. And again: the amount of damage a compromised admin account could wreak before being stopped is very little. Or even a compromised crat account. If necessary, a dev could simply remove the ability for crats to change userrights until the whole thing was sorted out. So there's almost no chance that someone would succeed in creating an army of rogue admin or steward accounts. /ƒETCHCOMMS/ 18:54, 1 June 2011 (UTC)[reply]
Without getting too far into bean territory, I can think of plenty of ways a malicious person or group could cause a lot of damage with the sysop flag. That the damage could be stopped and the mess cleaned up is rather beside the point... why would we want to make it easier for people to do so much damage in the first place? Not everyone who gains access to an admin account is going to be as stupid and obvious about it as our most recent (known) example. 28bytes (talk) 19:08, 1 June 2011 (UTC)[reply]

Suspend sysop rights after 1 year of inactivity - arbitrary break 1

  • I note also this failed proposal from 2004 to de-activate 5 admins who had already been inactive for over a year. The amazing thing is that none of them had over 1,000 edits in total. Yet they are still on the books, except for one who died in 2009 without editing again. Johnbod (talk) 03:46, 1 June 2011 (UTC)[reply]
    • And out of that list, how many of those accounts have been compromised? I find it interesting that of that short list, two of those editors, Khendon and Sugarfish are not "inactive". --Tothwolf (talk) 04:16, 1 June 2011 (UTC)[reply]
      • Neither Khendon nor Sugarfish were actually inactive for a full year and would not be affected by the current proposal. I am still looking for any admin who returned after more than a full year. Yoenit (talk) 11:39, 1 June 2011 (UTC)[reply]
      • (ec) Taking Khendon for example, the first screen of his edits (150 is that?) takes you back over 5 years to January 2006, & from a scan of the edit summaries he has done no admin actions in them. Yet he counts as an active admin. Aren't we kidding ourselves here? As I say above, this isn't about security for me, just realistic figures and normal database housekeeping. Johnbod (talk) 11:44, 1 June 2011 (UTC)[reply]
  • Password security About the only "prevention" for the problem of poor passwords would be to enforce the use of strong passwords with something like cracklib which is based on
    unrealistic. The truth is, non-admin accounts are much more commonly compromised and are more commonly sought after by people wishing to use them as sockpuppets. Accounts with the admin bit are less of a target because they tend to be too high profile for such abuse. --Tothwolf (talk) 04:01, 1 June 2011 (UTC)[reply]

Also, is there any way for a bot or some other automated process to notify Bureaucrats of an admin that has not logged in to any WMF project in a year, or will we be forced to go by WP edits? ▫ JohnnyMrNinja 04:50, 1 June 2011 (UTC)[reply]
    • These are good questions. The "abroad at University" argument doesn't hold much weight to me, when every country in the world has internet access. The "busy at work" argument is reasonable, but for a whole year without a single edit or admin action on any Wikimedia project? This seems a little far fetched. -- Eraserhead1 <talk> 07:40, 1 June 2011 (UTC)[reply]
      • More like "no life at university" :). Although, I guess if a user was in China or something, editing would be much more difficult. JohnnyMrNinja, I don't think even CU can detect logins. Edits, we can track, but not when someone logs in. /ƒETCHCOMMS/ 13:16, 1 June 2011 (UTC)[reply]
  • Oppose. This would not reduce the already-small risk of compromised admin accounts or improve admin quality. On the first point, WP:PEREN#Demote inactive admins mentions that developers say an inactive account is less likely to be hacked than an active one (and, as Tothwolf mentions above, non-admin accounts get hacked even more often). On the second point, I'm not convinced that someone who could be trusted with the tools one, two, or even five years ago can't be trusted with them now. Yes, policy and consensus change. However, two things have not changed: (1) our mission to create a neutral, verifiable free encyclopedia, and (2) the fundamental roles and responsibilities of admins. I'd like someone to point out an instance where an admin came back from a long break and proved themselves no longer worthy of the mop and bucket. A returning admin may have to get used to things like new blocking capabilities and minor changes in usual practice, but these are not such earth-shattering changes that they can no longer be trusted to use the tools properly. szyslak (t) 05:46, 1 June 2011 (UTC)[reply]
    What counts in security is the probability multiplied by the damage, the damage for hacking a non-admin account is trivial. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)[reply]
    I agree that an admin account in the wrong hands is a very bad thing. However, inactive admin accounts are no less secure than active ones, and appear to be even less likely to be compromised per above. What is needed is better password security per Tothwolf above, not removal of access based on a factor that doesn't even make the accounts less secure. (Even when an admin rampage does happen, the damage is temporary, reversible, and necessarily limited. Come to think of it, someone could do even more damage without an admin/crat account...) szyslak (t) 08:43, 1 June 2011 (UTC)[reply]
    How would you propose to increase the password security of inactive accounts? Only thing I can think of is emailing them a randomly generated password, but many of them don't have email enabled and for those that do there is no guarantee the mail account is not inactive as well. Yoenit (talk) 09:41, 1 June 2011 (UTC)[reply]
  • An account with the admin bit cannot really create any more damage than a "regular" account. Most anything done with either account can be undone without too much difficulty.

    Where something becomes much harder to deal with is when someone has obtained non-admin accounts and uses them as sockpuppets to influence discussions, XfD, etc. Such actions are much more harmful to Wikipedia than the very occasional event of an account with the admin bit being compromised. Such sockpuppetry is yet something else we can link to the editor retention issue. [1] [2] As I mentioned above, "admin accounts" are not really suitable for this type of abuse because actions done by accounts with the admin bit draw more attention. (Those who are truly paranoid should be pushing for the locking of infrequently used accounts which have high edit counts ;P ...and yes, that is sarcasm.) --Tothwolf (talk) 15:29, 1 June 2011 (UTC)[reply]

  • Support But why wait a whole year? Bring it down to 3-6 months. Lugnuts (talk) 06:30, 1 June 2011 (UTC)[reply]
    • Anything less than a year is probably too short, life does interfere sometimes. -- Eraserhead1 <talk> 07:52, 1 June 2011 (UTC)[reply]
  • Question Are there any cases where an administrator returned who would have been desysopped under the current proposal (so no edits at all for more than a year)? Yoenit (talk) 07:58, 1 June 2011 (UTC)[reply]
  • Support. All good reasons stated already. In addition I like it cause it can be confusing for people who don't know of any admins by name to find an active one. I see noobs leave messages for admins who haven't been active for a long time cause they don't know any better, then wait frustrated for a response. I would indeed cut down the time to 6 months, or at least add as a matter of policy that if you're inactive that long you may expect a warning to be placed on your user page by a third party, if you don't put one there yourself, that users shouldn't expect a reply or action from you until further notice. Desysopping is preferred though, as the bit is easier to track than user page content, the database would remove you from any admin lists etc. Equazcion (talk) 08:36, 1 Jun 2011 (UTC)
  • Support (I know it's not a vote, but I just want to be clear to anyone perusing) - I like 1 year but I think 2 might be less offensive to some (on the off chance they get really distracted), and I'd be more comfortable if there were a way to determine login activity vs WP editing activity. The arguments about active accounts being more vulnerable may well be valid, but those editors will notice, whereas inactive editors won't. Non-admin accounts may get hacked more often, but there are many-times more non-admins, and their passwords are probably easier on-the-whole. Someone specifically targeting an admin account knows something about what they are doing, and they may not make any waves once they have the account, maybe even having the name changed. Maybe they just log in to see admin-only pages and logs? Just because nobody is spreading racist propaganda doesn't mean their accounts weren't compromised. Also, if they have been logging in and not editing, they will notice the talk page message they will get, and hopefully respond. If they don't respond, for whatever reason, then it is highly unlikely they would even notice their privileges are gone, much less care. Another good is that our active admins are highlighted. Can anyone actually envision any admin who passed an RfA, then left for several years, and is upset that they need to let someone know they are back before they start deleting and blocking again? They would see the politely-worded notice on their talk page and scream "This is what I get for serving my country!?!?!" and then go on a rampage through their hometown? What is the possible bad that can come from this proposal? I've had email websites deleted for less inactivity. People gone for that long probably would want to ease back into regular editing, let alone settling 3rr disputes, for the day or so it would take a Bureaucrat to reinstate them. ▫ JohnnyMrNinja 09:07, 1 June 2011 (UTC)[reply]
    • ...and, if they did turn out to be so unreasonable in their expectations upon returning after so long, they wouldn't make very good admins. Equazcion (talk) 09:16, 1 Jun 2011 (UTC)

I have no doubt I will find more if I go through the history of Wikipedia:List of administrators/Inactive. None of them did serious damage after being compromised, but this is definitely a vulnerability. Yoenit (talk) 11:55, 1 June 2011 (UTC)[reply]

    • There have been many others (Wikipedia:Former administrators lists some; see also Wikipedia:Wikipedia Signpost/2007-05-07/Admins desysopped). Many of these were active admin accounts that were compromised, however. And due to weak passwords. The problem is weak passwords. You don't guess a user's password if it's strong. If we look at the percentage of inactive compromised admin accounts out of all total admins ever, we'll all find that it is very small. /ƒETCHCOMMS/ 19:03, 1 June 2011 (UTC)[reply]
      • Which amounts to saying, "I'm hungry, but this sandwich isn't going to solve my impending bankruptcy problem, so I won't eat it." Rd232 talk 20:44, 1 June 2011 (UTC)[reply]
  • Support. I would only consider it normal that I would no longer automatically be a sysop after a year of inactivity. I wouldn't oppose a period of two weeks to a month of regular editing required before getting the rights back either, to decrease the chance of someone coming along and claiming to be me. While this suspension of rights may have few advantages, I believe they still outweigh the very small disadvantages. Fram (talk) 12:16, 1 June 2011 (UTC)[reply]
  • Support. This has been standard policy at the other two projects I edit at, Wikibooks and Commons. The former uses a year and the latter six months. Both require notification of an inactive admin via email/talk page and allow for 30 days to respond. I see nothing wrong with reducing risk. While both inactive and active admins are targets, active admins will notice if they're locked out of their account or are performing bad actions. Inactive admins can be taken over without their original owner noticing. Additionally, having the list of admins actually reflect people that can assist is helpful to users and allows for use of tools like http://toolserver.org/~vvv/adminstats.php without errors due to too many admins. Adminship is "no big deal" as stated above, so there's really no need for consternation that it could be taken away if not used. Objections to the contrary make me wonder if it really is seen as a badge of honor. – Adrignola talk 13:02, 1 June 2011 (UTC)[reply]
    • Commons' policy is actually much harsher than this one and not exactly comparable. They only count admin actions, not edits. So it is more of a "if you aren't using the tools you don't need them even if you're editing". Killiondude (talk) 16:27, 1 June 2011 (UTC)[reply]
  • Support — Nev1 (talk · contribs)
Add on the hacking of active vs. inactive admin accounts; the obvious difference is that if an active admin account gets hacked, that person is likely to notice, inform the necessary parties, and the problem can quickly be nipped in the butt. But if an inactive admin account gets hacked it might take a long time before the activity (even if it's disruptive and damaging to the project) is noticed and hence there's much more of a possibility of a major snafu. Volunteer Marek (talk) 17:26, 1 June 2011 (UTC)[reply]
  • Support. Common sense. bd2412 T 17:52, 1 June 2011 (UTC)[reply]
  • Support (but for different reasons). Verifying account integrity is a basic function and shouldn't require consensus, just do what needs to be done. But why is there a presumption that administrators are appointed for life or that the proverbial mop is an entitlement that need not be returned to the bucket? Frankly, the presence of a contingent of former Wikipedians who may or may not return with administrative powers, unfamiliar with recent happenings, is kinda creepy. Any administrator who takes leave of the project ought to check back in when they return. I'm not saying they should have to re-up as a nominee, just tell everyone they're back and mean to be active again. - Wikidemon (talk) 10:07, 2 June 2011 (UTC)[reply]
  • Analysis and suggestion.
  1. Although disconcerting and very undesirable, hijacked admin accounts can't do much harm that isn't obvious and won't get a block in a reasonable time.
  2. The problem is to be sure that a long-term inactive account of an established user that resumes activity, is under the same control it was before. That's so whether or not the account was desysopped in between.
  3. Desysopping in the interim has a "feel-good" factor but doesn't actually achieve much. If reactivated user X asks for a resysop the issue is still "how do we know this is the correct account holder". But if they resumed editing after a long break as an admin the same question would be asked.
  4. The problem will get worse over time, as long-standing users take breaks or resume editing after several years.
  5. The solution is to encourage admins to provide some way they can verify they are the correct owners of the account if needed, even if only to Arbcom or WMF. It must not rely on the email address which can be changed by the hijacker.
  6. A trivially simple example would be to ask all new admins to email Arbcom with a word, string, or textual sentence, which is harmless in itself and simply kept on the Arbcom records. If the account is hacked, the text will be known to the true account owner but probably not to a hijacker. Another way would be to provide a standard toolserver page for committed identity, making it very easy to use for verification.
  7. The policy could then be simply, "Users resuming activity as an admin after a break of more than a year, may be asked by any users to verify to Arbcom that they are the correct account holder. Administrators are advised to use one of the following methods in advance, to ensure they can do so if needed: <list>"
FT2 (Talk | email) 17:52, 1 June 2011 (UTC)[reply]
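
The committed-identity idea in point 6 above, sketched as an added example that is not part of the original discussion or of any Wikipedia tool: the account owner publishes only a hash of a secret sentence and later proves ownership by revealing the sentence, with no reliance on the account's e-mail address. SHA-512, the function and class names, the 30-character floor and the sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumption for this sketch: the published hash is public, so a short or
# guessable secret can be brute-forced offline. Enforce a minimum length.
MIN_SECRET_CHARS = 30


def canonical(secret: str) -> str:
    """Normalise the secret so retyping it years later hashes identically."""
    text = unicodedata.normalize("NFC", secret)  # same accents, same bytes
    return " ".join(text.split())                # collapse stray whitespace


def new_secret(sentence: str) -> str:
    """Append 128 random bits so the secret is not guessable from the sentence."""
    return f"{canonical(sentence)} {secrets.token_hex(16)}"


def make_commitment(secret: str) -> str:
    """Return the value that is safe to publish (hex SHA-512 of the secret)."""
    text = canonical(secret)
    if len(text) < MIN_SECRET_CHARS:
        raise ValueError("secret too short to resist offline guessing")
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def verify_claim(revealed: str, published_commitment: str) -> bool:
    """Check a revealed secret against the published hash in constant time."""
    digest = hashlib.sha512(canonical(revealed).encode("utf-8")).hexdigest()
    published = published_commitment.strip().lower()
    return hmac.compare_digest(digest.encode("utf-8"), published.encode("utf-8"))


class IdentityRecord:
    """One account's commitment as kept by the verifying party.

    A secret is single-use: once it has been revealed to a verifier it is no
    longer secret, so a successful check marks the commitment as spent and a
    fresh commitment has to be published before the next verification.
    """

    def __init__(self, account: str, commitment: str):
        self.account = account
        self.commitment = commitment
        self.spent = False

    def check(self, revealed: str) -> bool:
        if self.spent:
            return False
        ok = verify_claim(revealed, self.commitment)
        if ok:
            self.spent = True
        return ok

    def replace(self, new_commitment: str) -> None:
        self.commitment = new_commitment
        self.spent = False


if __name__ == "__main__":
    # Constructed sample values, not taken from the discussion.
    secret = new_secret("Constructed sentence known only to ExampleAdmin")
    record = IdentityRecord("ExampleAdmin", make_commitment(secret))
    print("published:", record.commitment[:32], "...")
    print("hijacker guess accepted:", record.check("I forgot my e-mail, please help"))
    print("owner reveal accepted:  ", record.check(secret))
    print("replay accepted:        ", record.check(secret))
```

The secret has to be stored offline by the owner; a hijacker who controls the account can change the e-mail address but cannot produce the preimage of a hash published before the compromise.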
FT2, that's completely missing the point. The main issue isn't the
iridescent 18:04, 1 June 2011 (UTC)[reply]
Can't be. Desysopping after a year's absence would not address that problem - if you stopped now and came back in a year nobody would claim you only knew the 2005 way of working (or equivalent). When would an admin be "out of date"? Consistent long term absence or low use for say 3 years or more could be a reason. So could 5+ years since their RFA. But a "one year inactivity = desysop" is not targeting "out of date knowledge". Also the header to this section makes clear it's about compromised accounts. FT2 (Talk | email) 18:11, 1 June 2011 (UTC)[reply]
Have a look at my support comment above: I suggested giving bureaucrats the discretion, at a resysopping request, to require reconfirmation RFA if activity is sufficiently low over a sufficiently long time period. Plus, re your point 5, see my remark below about email address changes triggering a notification to the old address. Rd232 talk 18:14, 1 June 2011 (UTC)[reply]
I'd like a pint of whatever it is you're having FT2; the section title I see is "Suspend sysop rights after 1 Year of inactivity", nothing to do with compromised accounts. Fatuorum 18:23, 1 June 2011 (UTC)[reply]
Mine's a pint of spring water, then, Malleus :) Immediately after the section title: "The issue [is]... Inactive Admins... admin account was hijacked... emergency De-sysop [] to prevent possible damage... there seems no assurance that dormant account are as safe as assumed.... three years since the [] last major proposal on this was made..." FT2 (Talk | email) 18:47, 1 June 2011 (UTC)[reply]
"[...] it's admins with knowledge of the policies of 2005, trying to enforce the policies of 2011"... can you point to cases where this has previously been a problem? I'm not a fan of hypothetical scenarios being used to push for "solutions in search of problems". --Tothwolf (talk) 19:55, 1 June 2011 (UTC)[reply]
Off the top of my head, it has recently been an issue at ITN with old admins adding hooks to the main page without consensus and without adhering to ITN guidelines. I'm sure there are much more compelling cases (and I would hope others will provide them) than that out there, but I just thought I'd say that it is an issue. Jenks24 (talk) 06:39, 8 June 2011 (UTC)[reply]

Suspend sysop rights after 1 year of inactivity - arbitrary break 2

  • Support -- I don't see any particular downside to this. I agree that it should be almost-automatic to get the tools back, subject to bureaucrats' discretion. --SarekOfVulcan (talk) 18:25, 1 June 2011 (UTC)[reply]
  • Oppose. Per Tothwolf. This also seems to be another solution in search of a problem. Ruslik_Zero 18:35, 1 June 2011 (UTC)[reply]
  • Question: "Desysopping" has naturally come to assume a pejorative connotation; is there some short euphemism, similar to, but better than, "suspension" or "mop-lifting", that anyone can think of? The administrator's done absolutely nothing wrong, any more than any other editor who takes a wikibreak; he or she hasn't attacked the Project, broken any rules, abused the rights of others or deserted Wikipedia. In fact some break from Wikipedia, even a long one if more important matters intervene, can be a healthy thing for those who get too deeply involved. —— Shakescene (talk) 18:50, 1 June 2011 (UTC)[reply]
    • Good point about the language. Perhaps rights could be "put on hold"? Or perhaps "expired", which would reflect the time-based element; and then the term for restoring the rights could be "refreshing". Rd232 talk 19:10, 1 June 2011 (UTC)[reply]
  • Support, especially since "if an inactive admin returns to Wikipedia, they may be resysopped by a bureaucrat without further discussion." It's not quite like what Bus stop said above, that this policy "will incentivize a minimum amount of edits in a given period of time." Guoguo12 (Talk)  20:01, 1 June 2011 (UTC)[reply]
If the worst thing about the proposal is that it creates an incentive for sysops to return to Wikipedia at least once a year I don't think we have much to worry about. ▫ JohnnyMrNinja 20:14, 1 June 2011 (UTC)[reply]
  • Comment: People might be interested in Jimbo's previously expressed strong opinion on this topic [3] Not intended as Argumentum ad Jimbonem as I'm not sure I agree with him, just thought it was worth pointing out. the wub "?!" 20:08, 1 June 2011 (UTC)[reply]
  • I suggest that the crat sends an email to say that. With a link to reactivate the sysop bundle. ~~EBE123~~ talkContribs 20:54, 1 June 2011 (UTC)[reply]
  • Support, I think it will also be okay to push it to 2 years of inactivity. One question: in the Spanish wiki, to be an admin you have to have an email account; in here you don't need to? (I said it because it said "It will also be contacted through mail if he has a valid one".) --Lcsrns (Talk) 21:06, 1 June 2011 (UTC)[reply]
  • Support per my long-standing view that admin accounts may and have been compromised and gamed, as seen in the very recent User:Spencer195 fiasco. Moreover, there is a social aspect to it, as it seems that lately some admins who return after several years of relative dormancy are sorely inadequate in current guidelines, policy, and practices, which can and has frustrated the community quite a bit. I would also propose a "graduated" approach to asking for the bit back given the following conditions: those inactive over a year may ask a bureaucrat for the bit back with no problems, while those inactive for two or more years would need to go through another RFA to get it back. –MuZemike 21:40, 1 June 2011 (UTC)[reply]
  • Comment with regards to damage, with a normal account it's been suggested that you can push an XfD in one direction or another. The issue with that is that actually lots of people get involved in those kinds of discussions, and so while you might be able to push a discussion from no-consensus to delete or from delete to no-consensus you aren't going to be able to do more than that - and you have to make different arguments with each different account, and use a different writing style, both of which are hard to do effectively.
  • You might be more able to influence a discussion on a single talk page with multiple accounts, but that is very small scale, and you risk getting caught if the user asks for any mediation of the dispute, and even there you have to keep your arguments different and your writing styles different - it would be really obvious if you left any tells due to the small numbers in the discussion. If hypothetically there were two people in this discussion who were actually the same person it would be pretty hard as you'd have to check every pair on the same "side", even if you knew one of them it would be pretty hard, whereas in a talk page discussion if two out of the three people on one side of the discussion started making the same tell then it would be obvious they were the same person.
  • With an admin account sure if you start being really unsubtle you're going to get caught, as the person has here, but actually it's pretty clear that as an admin you get quite a bit of discretion - especially when you aren't interacting with a regular. Even more so if you were prepared to withdraw your disruptive admin decisions when they got to your talk page (or even when it got to ANI) it's certainly my experience that the possibility exists that you could get away with quite a lot without anyone realising. -- Eraserhead1 <talk> 21:52, 1 June 2011 (UTC)[reply]
    • With any anonymous open-to-all internet group like we have at Wikipedia, it would be unreasonable to assume that none of our current accounts are compromised. Surely, at least some of our accounts are not the editors who originally started them, as accounts can be passed on or shared without the community's knowledge. If someone were smart and unscrupulous, they could make a business of starting and selling off admin accounts to PR firms and corporations. Study RfAs, become an admin, and then advise the buyer on how to remain unnoticed. I don't think it is likely, but it is certainly possible. ▫ JohnnyMrNinja 22:06, 1 June 2011 (UTC)[reply]
      • ...and why would people not do the same with non-admin accounts? Create a new account, vandal fight using automated tools such as a modified version of AWB disguised as twinkle (perhaps even creating the vandalism with throw-away socks), rack up several thousand edits or more and sell the account off to a similar buyer. This is done all the time with in-game currency and other non-tangible items of value, and you can't say that this hasn't or isn't occurring here. --Tothwolf (talk) 02:18, 2 June 2011 (UTC)[reply]
        • Sorry that wasn't clear, I meant that it's likely it happens across the board, and possibly with admin accounts. The anonymous nature of the site means that we will never know how many accounts are being run by someone other than the person who started the account. I meant this more as a comment on the comment before, and it doesn't actually have much bearing on the conversation at hand. If a regular account is compromised and starts making slightly different edits, but not making waves, it doesn't really matter in the long run. It's not worse than the 500 edits a day adding the word "poo" in amusing places. ▫ JohnnyMrNinja 03:06, 2 June 2011 (UTC)[reply]
          • Ah, ok, I guess I misunderstood you then. "The anonymous nature of the site means that we will never know how many accounts are being run by someone other than the person who started the account." That I do agree with. I guess the way I could sum up what I was saying above, is anytime you have something such as a user account which could have any sort of monetary value, you will also have people interested in the buying/selling/trading of such "goods". Even low-userid accounts on Slashdot have not been immune to this.

            "If a regular account is compromised and starts making slightly different edits, but not making waves, it doesn't really matter in the long run." Just to play devil's advocate for a moment, but would the same not be true for an admin account? ;P In the old days, admin functions were handled with a single shared account which lots of people had access to. Perhaps over time we've gone too far in other direction in restricting the admin bit too much and have in effect made the admin bit more "valuable" than it should be, both to those who might buy/sell/trade accounts and as a status symbol for those who have it but don't actually use the tools it provides access to? --Tothwolf (talk) 18:02, 4 June 2011 (UTC)[reply]

    • Clearly you aren't familiar with how such people operate then. If someone manages to gain access to an admin account, they are going to use the tools and that gets noticed. Abuse of non-admin accounts can go on for much longer periods of time and results in much more long term harm to Wikipedia and editor morale. --Tothwolf (talk) 02:16, 2 June 2011 (UTC)[reply]
  • Support the general principle. I'm not crazy about notifying the admin one month in advance. If their e-mail account had been compromised, sending an e-mail to them is an invitation for impostors. A Quest For Knowledge (talk) 22:03, 1 June 2011 (UTC)[reply]
  • Oppose, but not strongly so. My line of thinking is pretty much the same as fetchcomm's above. We haven't had any problem de-sysoping compromised accounts, and I think anyone that's managed to be an admin for any length of time would have the sense to look around to see what's changed. (at least I'd hope so). — ? 01:18, 2 June 2011 (UTC)[reply]
  • Support. Don't think it'll be that big a win in terms of protection from compromise, but I don't perceive any tangible disadvantage; and while I'm a respecter of tradition, I don't think this one has anything but inertia behind it. Choess (talk) 03:39, 2 June 2011 (UTC)[reply]
  • Support—It's surprising this procedure doesn't exist already; important for the protection of the project and us as editors. Tony (talk) 03:48, 2 June 2011 (UTC)[reply]
  • Oppose, further discussion on both issues is necessary (account security, and the problem of inactive admins). This proposal in its current form doesn't solve either problem. --Chris 06:24, 2 June 2011 (UTC)[reply]
  • Support -- industry best practice to prevent identity theft should be regarded as an essential precaution for the protection of both readers and editors, and not a right for the duration of the account. --Ohconfucius ¡digame! 08:05, 2 June 2011 (UTC)[reply]
  • Support - Admin tools never expire? Why? Lightmouse (talk) 09:53, 2 June 2011 (UTC)[reply]
  • Support, deactivating inactive accounts is generally a good practice in terms of securing computer systems. In regard to the security issues, I would suggest that there is also a danger from a hacker who does not make their presence known, since admins have access to places normal editors do not. I do not think we should assume that we can spot a bad actor by their bad actions. There's no emergency here, but if we notify inactive admins and create a low bar for an automatic bit flip, I see little down side. --Nuujinn (talk) 10:09, 2 June 2011 (UTC)[reply]
  • Oppose - We've only had 2 cases where former admins had their accounts hijacked, one being
    Talk • Contribs)10:10pm • 12:10, 2 June 2011 (UTC)[reply]
    I don't know if there is a list somewhere, and these aren't easy to research, but User:RickK, User:Spencer195, User:Vancouverguy, User:Zoe (best quote ever). These are the ones that I saw before I got tired of cross-referencing. There don't appear to be a ton of admins that were banned for being compromised after a period of inactivity. These are the ones that made it obvious enough that they got banned instead of de-sysoped or going unnoticed. It's not like there is a noticeboard that admins post to when they come back from a 3 year furlough and now have different interests. ▫ JohnnyMrNinja 14:09, 2 June 2011 (UTC)[reply]
    "The threat lies purely with current admins" is an odd thing to say given that this proposal was sparked in part by a 6-year-inactive admin account being recently compromised. 28bytes (talk) 15:20, 2 June 2011 (UTC)[reply]
If there is a problem with current admins being hijacked, that suggests we should also improve security for them. That might include requiring secure login, committed identity and minimum password length. But that should be a separate proposal, and it doesn't argue against the current proposal.--agr (talk) 16:26, 2 June 2011 (UTC)[reply]
  • Support The fact that we continue to use the default of keeping permissions in place indefinitely just because there is no policy stating otherwise is foolish and contributes to the perception of admin as a rank, status, or award. I do not find any of the opposes to be convincing in any way as this proposal does no harm to the project, and may have the ability to protect it. Even if the occasion of a compromised account is rare, there is no good reason to leave the temptation out there as a juicy target for those who seek to do damage. Suspension of admin rights on inactive accounts is easily reversible, and should be subject to the discretion of Crats to ensure that returning admins are up to date on policy changes. This can be as simple as the word of the returning admin if a crat is satisfied with that. Jim Miller See me | Touch me 13:45, 2 June 2011 (UTC)[reply]
  • Support - this seems like a reasonable step to give some protection against hacked accounts and folks with out-of-date knowledge. Is it perfect? Of course not, but it would be a step better than leaving these accounts on the books, and the opposers have not convinced me of any actual harm in doing it. Slight positive with no negative yields a net positive for the project. LadyofShalott 14:16, 2 June 2011 (UTC)[reply]
  • Support I take the point that inactive accounts are no more likely to be compromised than active ones. However, active ones are doing good, while inactive ones are not - so there's no loss to suspending rights. Further, we will eventually get to the point where inactive accounts outweigh actives ones - so removing the inactive ones will significantly lower the total number of accounts, which can't but improve security. Note, I am supporting this only on the basis that it is a no-fuss easily reversed suspension. The gain is not sufficient to justify the bureaucracy involved in any process for retrieval of rights. Bureaucrats should by default restore on request (always allowing for an exercise of common sense in exceptional circumstances).--Scott Mac 17:11, 2 June 2011 (UTC)[reply]
  • Support I endorse the concept of not having dangling privileges out there for any holder of advanced privileges beyond a specific date of inactivity. We don't want people who successfully got autopatrolled to go on an extended holiday and come back writing new articles of very questionable conformity to standards. Equally, if an admin is inactive for over a year and a half, I want them to do some editing first to demonstrate that they understand policies before we hand the keys to the janitorial supply closet back. Yes it means a fractional increase in the amount of work the Bureaucrats will do, but in the long run it reduces the possibility of actions not in conformity with the community's consensus. Hasteur (talk) 20:46, 2 June 2011 (UTC)[reply]

Suspend sysop rights after 1 year of inactivity - arbitrary break 3

Comment: I'm amazed people are still questioning the benefits of this (obviously people may have differing opinions on whether the benefits are worth the costs). Let's clarify the logic. The risk we're trying to mitigate is that to Wikipedia, i.e. the risk of any admin account being breached.

Define: A = number of active admin accounts, I = number of inactive admin accounts (definition of inactivity doesn't matter for the logic, but let's say no edits for 1 year, as per proposal)

Define: S1 = insecurity of active accounts (0-1 variable: 0=perfect security, 1=complete insecurity), S2 = insecurity of inactive accounts. Then

Risk of any admin account being breached = (A * S1) + (I * S2)

For there to be zero benefit from the proposal, either I needs to be zero (no inactive admin accounts), or S2 needs to be zero (i.e. inactive accounts have perfect security). Clearly neither is true, and therefore the proposal has security benefits, by reducing I to zero.

Quod erat demonstrandum. Rd232 talk 09:46, 9 June 2011 (UTC)[reply]

I'm not sure that an equation is the best way to look at this. The only way this proposal could have benefit is if it decreases S2 – and I, along with several others by the look of it, don't see that it does. The other point is that initiating a major change must have not just some benefit beyond zero, but a significant benefit. And as I've pointed out just above, there is no greater risk of an inactive account actually being compromised than an active account; no greater potential for disruption; and no decreased possibility of it being spotted simply due to its inactive status. I agree that compromised admin accounts in general are a problem, but this proposal seems to only focus on one arbitrary part of that problem. ╟─TreasuryTagwithout portfolio─╢ 10:00, 9 June 2011 (UTC)[reply]
"I'm not sure that an equation is the best way to look at this." - it is, it makes it clear and simple. I'm sorry you still don't get it. Rd232 talk 10:31, 9 June 2011 (UTC)[reply]
Or perhaps I (and the other opposers) do get it but simply disagree with you? ╟─TreasuryTagtortfeasor─╢ 10:35, 9 June 2011 (UTC)[reply]
I'm not talking about all opposition, I'm talking about people denying that the proposal has any security benefit. The equation proves this is untrue. Rd232 talk 11:02, 9 June 2011 (UTC)[reply]
In short, I feel that the proposal is vaguely like the police saying, "In order to fight crime, we're going to randomly select ten ordinary houses and station officers outside them round the clock." Yes there is obviously a benefit above zero, because those ten houses will be safe from burglary, but they were no more likely to be burgled than any others to begin with. Concentrating security efforts on an arbitrary group of potential targets is a bad approach for all sorts of reasons. ╟─TreasuryTaghigh seas─╢ 10:04, 9 June 2011 (UTC)[reply]
What part of deactivating unused accounts with high privileges is random? It's nothing like your analogy, it's more like deactivating keycards from employees who haven't been seen or heard from in a year. Rd232 talk 10:31, 9 June 2011 (UTC)[reply]
"What part of deactivating unused accounts with high privileges is random?" It's not random but arbitrary: a subtle distinction. Is there anything about an inactive account which makes it easier to compromise? Yes or no? ╟─TreasuryTagtortfeasor─╢ 10:35, 9 June 2011 (UTC)[reply]
Your question demonstrates that you have not understood the equation. It is irrelevant whether S2 is greater than S1 (which it obviously is, the discussion at the security RFC indicates why), the only thing that matters is that the total security risk from inactive accounts is simply I*S2. That total risk can be reduced to zero by the proposal ("yes or no?"). PS how is targeting inactive accounts arbitrary? "Yes I don't work here any more but deactivating my keycard is arbitrary, what about the people who still do?" Rd232 talk 11:02, 9 June 2011 (UTC)[reply]
People no longer working for a specific employer traditionally go through a slightly more formalised process than people who simply don't use a particular online login for x months. ╟─TreasuryTagAlþingi─╢ 11:04, 9 June 2011 (UTC)[reply]
So? You're nitpicking about the analogy, which is funny given the extraordinary weakness of your police officer analogy above. Bottom line: deactivating unused high-privilege logins is standard security practice. Rd232 talk 11:28, 9 June 2011 (UTC)[reply]
"...given the extraordinary weakness of your police officer analogy above." Since you seem not to be behaving with the politeness and open-ness to others' points of view which I generally see from you, I'll withdraw from this line of discussion. ╟─TreasuryTagconstablewick─╢ 11:51, 9 June 2011 (UTC)[reply]
There are clearly at least some security benefits of doing this (given it's standard IT policy, I'd say some was probably an understatement), and given that only one inactive for longer than a year admin has come back, the price of doing it seems pretty minor. -- Eraserhead1 <talk> 23:36, 9 June 2011 (UTC)[reply]
To give a better analogy, why does no operating system (since XP) allow users to run as root by default? Giving users extra privileges makes it easier to run their computers, but it also introduces security risks, so that's why you don't give people root access by default, and have sudo or UAC. -- Eraserhead1 <talk> 23:41, 9 June 2011 (UTC)[reply]
Any supposed security benefit is based on the assumption that desysopping an account inherently makes it safe. As I've said above, allowing users to simply get the rights back with a post to a noticeboard means that that assumption has little basis in reality. If someone can figure out how to hack an account, I imagine they're capable of manipulating a trivial process. I'd rather have a known security issue than a false sense of security. Mr.Z-man 01:58, 10 June 2011 (UTC)[reply]
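
The risk expression Rd232 gives at the top of this exchange, carried one step further as an added derivation that is not part of the original discussion. Assumptions added here: S1 and S2 are read as per-account breach probabilities over some fixed period, accounts are breached independently of one another, and an account whose rights are suspended contributes no admin-level risk (the assumption Mr.Z-man questions).

    Expected number of breached admin accounts:
        E  = (A * S1) + (I * S2)

    Probability that at least one admin account is breached:
        P  = 1 - (1 - S1)^A * (1 - S2)^I

    With the rights of all inactive accounts suspended (I = 0):
        P' = 1 - (1 - S1)^A

    Reduction obtained:
        P - P' = (1 - S1)^A * (1 - (1 - S2)^I)

The reduction is positive whenever I > 0, S2 > 0 and S1 < 1, whether or not S2 exceeds S1; how large it is depends on I and S2.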
  • Support; personally, what worries me is access to deleted pages and revisions. A compromised account that deletes the main page is not going to last long anyways, but it's entirely possible that a stolen admin account be used for this indefinitely. — Coren (talk) 11:11, 9 June 2011 (UTC)[reply]
  • Support; This policy should be implemented as soon as possible. My76Strat talk 16:34, 9 June 2011 (UTC)[reply]
  • Support. An obvious prophylactic. Any highly experienced user could think of some very nasty things to do with admin rights. I can think of some doozies that are far beyond anything any vandal has ever done, though obviously I'm not going into any specifics. If four accounts have been compromised, that makes a fifth not very unlikely and next time we could get a much smarter vandal.--Fuhghettaboutit (talk) 22:55, 9 June 2011 (UTC)[reply]
  • Oppose lots of reasons, but SoWhy puts it very well. --Dweller (talk) 10:34, 14 June 2011 (UTC)[reply]
  • Support - Per WP:USEITORLOSEIT. I additionally think it would be beneficial to have more accurate information as to exactly how many ACTIVE administrators there are at any moment. Regularized desysopping of inactive people would help get the count right. Carrite (talk) 15:27, 14 June 2011 (UTC)[reply]
  • Oppose - if return of rights is automatic then this is just extra process that will require more time from bureaucrats and stewards without any appreciable security gain. WJBscribe (talk) 17:21, 14 June 2011 (UTC)[reply]
    • It isn't clear that it will be automatic. That depends on how the closing admin closes the proposal. -- Eraserhead1 <talk> 17:58, 14 June 2011 (UTC)[reply]
  • Support - Desysoping inactive accounts is sensible, and is done on other projects without any major issues. Even if benefits relating to security and having an accurate list of admins are minor, it is still worth doing. CT Cooper · talk 22:46, 14 June 2011 (UTC)[reply]


Suspend sysop rights after 1 year of inactivity - arbitrary break 4

  • Support. Can't see any downside to this. It increases security and any admin who is inactive for over a year and wants their admin rights back can regain them extremely easily. Jenks24 (talk) 08:15, 18 June 2011 (UTC)[reply]
  • Support. This is reasonable. Moray An Par (talk) 12:47, 19 June 2011 (UTC)[reply]
  • Support. Something like this is way overdue. Now that WP is middle-aged (as Internet sites go) it needs to deal with problems such as this, and this seems reasonable and in no way an over-reaction. I perhaps would have preferred a shorter time period (6 months?), but this will do. Beyond My Ken (talk) 22:15, 20 June 2011 (UTC)[reply]
  • Support (unless I've !voted previously?) - No real reason not to. Eagles 24/7 (C) 23:29, 20 June 2011 (UTC)[reply]
  • Support. Overdue. Jd2718 (talk) 02:31, 21 June 2011 (UTC)[reply]
  • Support. Jenks24 nailed it above. Kcowolf (talk) 03:58, 21 June 2011 (UTC)[reply]
  • Support as a minimum measure.--Cube lurker (talk) 12:47, 21 June 2011 (UTC)[reply]
  • Support - This has been needed for ages and ages. LONG overdue. Those arguing that active admin accounts are at higher risk of being compromised ignore the fact that the more admin accounts we have, the greater chance that ONE or more of them can be compromised. Simple statistics. The ones not being used can be desysopped to lessen the total, not to mention keep the categories accurate and help people in need of help find an admin who is actually around and able to help them. There is no downside to this that I can see and arguments for the status quo just because "that's the way it's always been" aren't very convincing to me. - Burpelson AFB 13:05, 21 June 2011 (UTC)[reply]
  • Support - Overdue and a proven security issue. See also WP:AN#Inactivity and security for another view on the issue. Mjroots (talk) 14:12, 21 June 2011 (UTC)[reply]
  • Support - it's just good sense. J. Spencer (talk) 17:35, 21 June 2011 (UTC)[reply]
  • Support not for security reasons but just to keep our list of active admins accurate and up-to-date. ElKevbo (talk) 17:47, 21 June 2011 (UTC)[reply]
  • Weak Oppose Per others' analysis. This isn't a big problem requiring a big solution, and rogue admin accounts are not a substantial enough threat. But the way the proposal is crafted it is unlikely to do much harm except WP:CREEP and a little bit more work for Bureaucrats. --causa sui (talk) 19:56, 21 June 2011 (UTC)[reply]
  • Support I thought I supported already, but it appears I didn't. This proposal has several real advantages and no noteworthy disadvantages as far as I can see. Yoenit (talk) 21:48, 21 June 2011 (UTC)[reply]
  • Support I do not see the issue with asking the people that the community displayed their trust in to at least make one edit within every 365 days. As far as I can tell there is not even a restriction that says that it has to be a mainspace edit. They could just log in and make a comment on their own talk page, or if they know they're going to be away longer than the year there could be some way that before they leave that they could indicate this to prior to leaving so that they do not lose their status. This seems like something that should be done, though I'm not as concerned with the security issues, but just seems like common sense that those with power that are not around anymore should lose that power. I think that even when they come back they should have to go through some re-approval process by the community to gain back the rights, which assuming they left on good terms shouldn't be that much to ask and quick, maybe not a full RfA but maybe something similar because to not make a single edit on the site in a year makes me think that they no longer believe in the project. I know since I'm not a very experienced editor my opinion won't mean much but that is it. Jnorton7558 (talk) 06:21, 22 June 2011 (UTC)[reply]
  • Support. Adminship is not a big deal. --Conti| 00:20, 23 June 2011 (UTC)[reply]
  • Support for security and tidiness of knowing who is an admin. Would support much lower time also. Some other active websites do this in two weeks (subject to an exception of the admin saying they are going to be away/holiday in advance.) Regards, talk) 02:12, 23 June 2011 (UTC)[reply]
  • Support Security hazard, evolving policies, etc. True, all admin actions are reversible... but not easily. I know you can't do it anymore, but for example, it used to be possible for admins to delete pages such as United States that have a lot of revisions. The servers aren't happy when you delete something like that and restore it again. I'm sure there's other examples on MediaWiki of actions that would be quite difficult to reverse. --Rschen7754 07:13, 23 June 2011 (UTC)[reply]
  • Weak support I don't find the limited evidence for compromised sysop accounts very compelling. Specifically there is absolutely no evidence suggesting that an inactive account is any more or less at risk than a semi active account or an account kept active in a perfunctory manner. However the downsides are limited and it is reasonable best practice to remove advanced permissions from people after they depart an organization. Protonk (talk) 15:07, 23 June 2011 (UTC)[reply]
  • Support the concept strongly. But have some reservations about implementation. The phrasing "The admin will be contacted one month prior to the expiry of the one-year timeframe" has enough holes to drive a truck through. Contacted by whom? Exactly one month? Is more than a month OK? What if more than eleven months elapses before the email notification, is enforcement estopped? I'd prefer that notice be given at some time after a specified period, say eleven months (or twelve, to follow Rd232's suggestion), then after another 30 days, the bit can be removed.--SPhilbrickT 17:41, 23 June 2011 (UTC)[reply]
    • I would imagine the clock starts after editing stops. So 11 months after the last edit, the system can leave a talk page message and an email (if available) and if the admin logs in at any point in that 11 months or in the last month after the notice the clock resets to another 11 months. Protonk (talk) 22:23, 23 June 2011 (UTC)[reply]
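
The clock that SPhilbrick and Protonk describe in the exchange above, as an added example that is not part of the original discussion and is not Wikipedia's own tooling. The account names, dates and status labels are constructed; the 11-month notice point, the one-year limit and the 30-day gap after notice are the figures quoted in the thread, and a late notice delays removal rather than cancelling it.

```python
"""Inactivity clock for privileged accounts (added example, constructed data)."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

NOTICE_AFTER_MONTHS = 11   # Protonk: notice 11 months after the last edit
SUSPEND_AFTER_MONTHS = 12  # proposal: one year of complete inactivity
MIN_NOTICE_DAYS = 30       # SPhilbrick: removal only 30 days after the notice


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to month end (31 Jan + 1 month -> 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class AdminAccount:
    name: str
    last_activity: date                 # last edit or logged admin action
    notice_sent: Optional[date] = None  # when the talk-page / e-mail notice went out


def evaluate(acct: AdminAccount, today: date) -> str:
    """Return 'active', 'send_notice', 'notice_pending' or 'suspend'."""
    # Any activity after the notice resets the clock, so the old notice is void.
    notice = acct.notice_sent
    if notice is not None and notice < acct.last_activity:
        notice = None

    if today < add_months(acct.last_activity, NOTICE_AFTER_MONTHS):
        return "active"
    if notice is None:
        return "send_notice"

    # Removal needs BOTH a full year of inactivity and a full notice period.
    # A notice that went out late pushes the removal date back.
    earliest_removal = max(
        add_months(acct.last_activity, SUSPEND_AFTER_MONTHS),
        notice + timedelta(days=MIN_NOTICE_DAYS),
    )
    return "suspend" if today >= earliest_removal else "notice_pending"


def audit(accounts: List[AdminAccount], today: date) -> Dict[str, str]:
    """Map each account name to the action due today."""
    return {a.name: evaluate(a, today) for a in accounts}


# Constructed sample data; none of these are real accounts.
TODAY = date(2011, 7, 1)
SAMPLE = [
    AdminAccount("ExampleAdminA", date(2011, 5, 20)),                     # recently active
    AdminAccount("ExampleAdminB", date(2010, 7, 31)),                     # 11 months up, no notice yet
    AdminAccount("ExampleAdminC", date(2010, 6, 1), date(2011, 5, 2)),    # notified on time, year elapsed
    AdminAccount("ExampleAdminD", date(2005, 9, 15), date(2011, 6, 20)),  # long dormant, notified late
    AdminAccount("ExampleAdminE", date(2011, 6, 10), date(2011, 5, 1)),   # came back after the notice
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE, TODAY).items():
        print(f"{name:15} {status}")
```
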
  • Support This seems like common sense. Virtually every other website of any significance removes administrative permissions from people who vanish or simply stop logging in for an extended period of time. Like others, I would also support a shorter timeframe, but a year is ok too. My primary concern is not one of someone going on a vandalism spree, in fact that would be easy to detect and not too hard to revert and deal with. What scares me is the administrator access to deleted pages and revisions, some of which are deleted for critical privacy reasons. I can very easily imagine someone with malicious intent compromising a dormant admin account and rather than editing, using it to view personal information that was specifically deleted so as not to be available to the public. Administratorship is a privilege given to people the community has trust in. Decreasing the number of accounts overall by desysopping long-dormant ones will in my eyes significantly reduce the overall number, resulting in fewer being available for people to try and compromise. And if someone comes back and wants their tools back, then asking a trusted bureaucrat and (theoretically) being checked out a bit by said 'crat is not too much to ask, nor is simply logging in and making an edit once a year. My guess is that most of the current admin accounts who have not edited in many years have no intention of using them again. Night Ranger (talk) 22:44, 23 June 2011 (UTC)[reply]
  • (Conditional) Support So long as there are enough 'crats about that any requests made on 'crat chat are handled quickly, this seems like an eminently reasonable common sense proposal. If there are problems, we change it back to the status quo and reinstate any admins who are no longer active. Commons has similar activity requirements although they require admins perform an admin action - delete or block, say - to keep the admin bit, whereas this proposal just requires them to edit once in a while. There is only one slight point of contention though: a sensible solution would have to be found for people with higher user rights, namely 'crats, Checkusers, Oversighters. If a CU or OSer goes AFK for a year, it might be a bit strange for them to lose their sysop rights but still maintain the higher rights. —Tom Morris (talk) 15:55, 26 June 2011 (UTC)[reply]
  • Support. On balance, the risk of injury to the project seems greater from allowing a group of dormant, privileged accounts to linger unsupervised than from requiring minimal scrutiny over reactivation of those accounts. I would hope that the process for suspending admin status is open, transparent, and public. Hullaballoo Wolfowitz (talk) 18:57, 26 June 2011 (UTC)
  • Support. It seems like a common sense thing, Sadads (talk) 21:22, 26 June 2011 (UTC)
  • Support on condition that the admin is informed of whether or not he may face difficulties in regaining his status due to the circumstances under which he left.--Wehwalt (talk) 14:15, 27 June 2011 (UTC)
  • Support. This goes without saying for me. It boggles the mind that we could, in the next few years, be coming across administrators who have not edited for a decade. The Cavalry (Message me) 15:02, 27 June 2011 (UTC)
  • Support this proposal after I've had a chance to analyze the situation. There are three main reasons why this should be adopted practice:
  1. Inactive administrators may not be up-to-date on current policies and how to handle situations, as especially seen with the cases on the administrator account Nabla as evidenced by this discussion and the administrator account Asterion as evidenced by this discussion.
  2. The security standpoint:
    1. The higher amount of administrator accounts there are, the higher the probability that a hacked account will also have sysop privileges, even when we ignore the fact that some of those administrators may still be active, as evidenced by the Spencer195 fiasco.
    2. There is also the possibility that an account with sysop privileges will have "silent abuse" with the view-deleted userright.
    3. Administrators did not know/worry about password strength and account security back then as much as the administrators of today do now.
  3. Newbies looking through Special:ListAdmins and trying to find an administrator to help them with something important that may require sysop privileges will be disappointed when they find many of the admins they are trying to contact are dead/retired/inactive.
  • In my opinion drawn from these conclusions, there are far more benefits to removing advanced privileges from administrator accounts than there is harm to doing so. To the opposers, even if you argue that 2) there are higher chances of an active sysop account being hacked than an inactive one and 3) newbies should know already by looking at the retired template above inactive accounts, you cannot ignore 1. There is already evidence as seen by two different incidents on the administrators' noticeboard showing lack of knowledge or adherence to current policies and practices coming from inactive sysops. TeleComNasSprVen (talk · contribs) 20:06, 27 June 2011 (UTC)
  • Support It's standard practice in many realms to remove privileges from those who no longer use them, whether for good reasons or for bad; simply abandoning the tools should be sufficient for no-fault de-sysopping, as long as it's made abundantly clear that these admins became former admins because of nothing that they did wrongly. Moreover, TeleComNasSprVen's final point is good: it doesn't help to have inactive people listed in places where others might request help. Building on ElKevbo's point, it's good to do a little house cleaning sometimes. Finally I do disagree with this proposal in one way: I would prefer to see a Commons style of inactivity de-adminship — policy there requires that someone who loses the rights due to inactivity must go through a new RFA. I'm happy to see someone re-adminned without an RFA if they lost the rights at their own uncontroversial request, but in many such cases, the users remain active and thus not likely to be compromised without us knowing it: since inactivity is the reason that these admins will be de-sysopped, we don't have as solid of a reason to believe that they're the same people as they originally were. Nyttend (talk) 04:53, 28 June 2011 (UTC)
  • Support - as others have said, I find this to be uncontroversial, mainly for the security reasons. Logan Talk Contributions 05:13, 28 June 2011 (UTC)
  • Support. Cla68 (talk) 13:13, 30 June 2011 (UTC)
  • Support - This is a no-brainer as long as the admin can get their tools back just by asking for them. However, I'd go even farther and say that if an admin is inactive for a longer period of time (like 2 or 3 years), then the tools should be taken away permanently and they should be required to go through another RfA to get them back. After an admin is away for 2-3 years, it's reasonable to want to ensure that the admin is still familiar with the policies/guidelines, and is up to date on what has changed since they left. converse 17:22, 30 June 2011 (UTC)

Discussion

Moved to talk page
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.