Denise ([staff profile] denise) wrote in [site community profile] dw_biz 2012-04-11 06:02 pm

RFC: username squatting: how should we handle it?

So, one of the things that has come up repeatedly recently is the question of username hoarding and account trading/selling. We've been trying very hard to work out a policy to manage the problem (and how to handle it when it happens) that will be fair to everyone and will only affect people who are honestly abusing open account registration, not people who are using the site legitimately.

People have reported some of the most egregious squatting/hoarding and trading, and we've been holding off on taking any definite actions because we've been having trouble formulating a policy that's fair to everyone and working out what consequences there should be.

We have an idea of what we think we should do, but we also know that this has the potential to negatively affect people who are using the site in a performative/creative style (roleplay, fiction projects, collaborative performance art) instead of a personal journaling style. We don't want to interfere with that legitimate use, so we'd like to hear feedback. To keep the discussion away from "pick holes in a specific proposal", I'm not going to share the full range of what I'm thinking yet; instead I'm going to lay out the problem and let everybody brainstorm.

The goal here is:

* To formulate a policy regarding username squatting that prevents squatting, without placing undue restraint on the many and varied ways people use Dreamwidth for performative/creative work;

* To prevent rewarding people for bad behavior and encourage fair play and community responsibility;

* To prevent username trading and selling (which is not only a violation of the Terms of Service but is a very bad idea because a traded account will never and can never be secured);

* To take away the advantages of username squatting/hoarding with minimal administrative overhead and in a way that returns desirable squatted usernames to the pool of available usernames.

1. The Problem

Open account registration means that people can create accounts easily, which is great for activity and ease-of-use but has also led to multiple people creating hundreds of accounts in order to sit on usernames they think will be useful or valuable later.

This is a problem for multiple reasons:

* It leads to people trading or selling usernames that have some kind of value to the community. (A side note: Trading or selling an account is against the Terms of Service, because a traded account will never again be secure or securable. We have asked and asked and asked people to stop doing it, and it's still happening. We're likely going to start cracking down more on account trading and selling, whether it happens on or off Dreamwidth. If you have an account you don't want to use anymore, set its status to 'deleted', and the username will be available for renaming to after it's fully purged from the system; the rename process is deliberately set up to both move the old contents of the account out of the way and to prevent security problems in the future.)

* It leads to people registering accounts and usernames they have no intention of ever using, because those usernames have value and can be used in those trades. This prevents people who would actually use the account (and the username) from having access to those usernames, and encourages people who would not otherwise want to violate the Terms of Service to participate in account trading because they want those usernames.

* It rewards people who are behaving badly and penalizes people who are not behaving badly, encouraging a "land grab" mentality where people who would not otherwise behave badly feel that they have to act now or lose out. (In short, it's a textbook example of the tragedy of the commons.)

* It results in hundreds of accounts with usernames that are desirable to the community sitting around empty and unused.

* It requires us to spend dozens of person-hours adjudicating disputes, handling complaints, and researching situations of username hoarding and account trading, which is time that could best be spent elsewhere.

(One note I should also add: for all of this, I'm only discussing personal accounts -- not communities. Communities can be passed from admin to admin without the same security risk.)

2. Additional Considerations

Putting any kind of numbers on what constitutes "legitimate" use, and addressing any question of how many accounts one person can have, quickly runs into a problem. There are legitimate reasons to have and use multiple journals, and any time you try to quantify the question, you quickly run into the problem of separating abusive account registration from legitimate account registration. There is simply no easy way to put one set of numbers down and say "this is the limit", because Situation A can wind up being abusive account registration despite not hitting the numbers (if the person registering the accounts has no intention of ever using them, or is registering them because there's a very slim chance they might want to use them someday but it isn't likely) and Situation B can wind up being legitimate account registration despite exceeding the numbers (if the person is using those accounts, has used those accounts, or honestly intends to use those accounts relatively soon).

(Not to mention, someone with malicious or self-centered intent could always say that they do intend to use the accounts very soon, when in reality they don't intend to use the accounts for anything other than trading, selling, or hoarding.)

We definitely know there are multiple reasons to want to have multiple accounts, and on the surface, it is often impossible to separate abusive account registration from legitimate account registration. It's a spectrum, and it's wickedly hard to develop any kind of objective metric: there is an inherent amount of subjectivity, and intent plays a huge part. (And, of course, we can't know what someone's intent is, not for sure; all we can look at is behavior.)

We do need to do something, though, because there are a few definite cases of what we consider abusive account registration going on: not only is it unfair to the community as a whole, but if we don't do something about it soon, the problem will only get worse as others see that there is an advantage to behaving badly and no incentive to not behaving badly.

3. Some Examples

Using some examples from roleplaying that people bring up a lot whenever this sort of discussion arises, I'll give some examples, in order to properly calibrate what I'm talking about.

You'll note that in each of these, instead of giving numbers, I'm saying "a high number of accounts" or "an extremely high number of accounts" -- I don't want to get into giving numbers, because that makes people immediately focus on the numbers and start thinking of ways that they can imagine needing X number of accounts instead of thinking about the underlying questions. Whatever numbers we go with, if we do go with a number-based policy, will almost certainly be set by looking at the actual patterns of registration and use; instead of saying "500 accounts" or "1000 accounts", we will instead say "registration at one standard deviation" or "registration at the 99th percentile" or something like that. (We also won't ever go looking for instances. I'm talking, here, about what we should do when they're reported to us.)

I'm also not defining "activity" (or 'light activity', 'regularly used', yadda) based on concrete numbers -- number of posts, number of comments, etc -- because if we say something like "any account with fewer than 5 posts and 10 comments made by 2 weeks after creation" or whatever, then people who are looking to hoard usernames will create an account, make 5 posts and 10 comments within the first 2 weeks, and continue onward. (Not to mention, people who want to make trouble for other people will hover over accounts that have been created by people who already have a lot of accounts, and on that 14th day will report them to us and say "look, this is being squatted!")

With those caveats in mind, examples of what I would consider all the way over on the "this is probably abusive account registration" side:

* the person who registers an extremely high number of accounts within a very short period, with multiple usernames for every single character they can think of all at once, without any plans to start using those accounts in the near future but just to have the names;

* the person who registers every possible variant of every possible username that they can think of for a particular character in order to try to keep anyone else from being able to play that character without coming to them to trade/sell the account;

* the person who sees that a particular fandom is getting popular and goes to register every variant of every username they can think of for every character in that fandom so that they have a lock on the fandom;

* the person who registers every username they can think of for a character or fandom, then immediately lists them for sale/trade.

All the way over on the "this is probably legitimate account registration" side:

* the person who has a high number of accounts, but regularly logs into each account to make posts or comments with the account;

* the person who's been playing heavily on DW for a long time, so has a high number of inactive accounts that still have content in them (because each account was active once and was retired when the game ended/they dropped the character/etc) who wants to keep the old content for posterity's sake or in order to keep a game's archives preserved;

* the person who plays the same few characters in a number of different games that each require a unique journal, so they have multiple accounts/username variants for each character but each one is regularly (or semi-regularly) used;

* the person who has a high number of regularly-used (or previously-used-but-archived) accounts, but also has a handful of accounts that aren't being used yet, for characters they're developing.

In the middle, and not at all as clear-cut -- things that could be perfectly legitimate if done by Person A but, if done by Person B, could be an attempt to circumvent any policy we wrote by looking like legitimate account registration while really being a cover for abusive account registration:

* the person who has an extremely high number of accounts, a small number of which are heavily used, the larger part of which are very lightly used (one or two posts, the occasional comment), and a large part of which are being held in reserve (any/all of: a placeholder post, a filled-out profile, a lightly-customized style, but no real activity past the initial creation and placeholder setup);

* the person who has an extremely high number of accounts, each of which was very lightly used for a very short period of time and then allowed to fall inactive;

* the person who has an established pattern of registering a large number of accounts for characters they might want to play someday, but who has a pattern of not doing anything with those accounts for a very long time (if at all).

4. The problems of putting that into policy

So: how do we write a policy that allows us to distinguish "almost certainly abusive account registration" from "almost certainly legitimate account registration", is sensitive to the grey areas in between, and can't be easily gamed by people who are trying to look like they're creating legitimate accounts but are really just abusing the system?

One thing that is not helpful in cases like this is looking purely at numbers of accounts registered. Whenever this comes up, some people immediately ask, "Well, what do you need all those accounts for?" There are perfectly legit reasons to have a large number of accounts, though: that is absolutely not in doubt and we don't ever want to get to a place where we put absolute hard limits on usage. People who are using the site heavily are awesome! People who are doing great creative things on Dreamwidth are awesome! We love seeing it!

We just don't want to reward the people who are trying to capitalize on open account registration, and we want to strongly encourage people against registering accounts "just in case". In an ideal world, people would only register an account when they're ready to start actively using it very, very soon. (Barring a margin of error for "I made this account and then my life exploded and I had to put everything on hold for a few months", of course, which is a major problem with any time-based guidelines.)

Another problem: given that there are all these grey areas and all these huge whopping questions of intent, any time something like this is reported to us, it requires a ton of research. We don't want to spend hours of our time looking into every single last case of "this person has a lot of usernames registered" that's reported to us in order to figure out where on the sliding scale of legit vs abusive that particular situation falls. We've got very limited resources for investigating that kind of thing: DW has two full-time employees, three part-time employees, and a bunch of volunteers, but most of those people are technical (and everybody who handles ToS stuff also does tons of other work) and we flat-out don't have the resources to spend much time on this kind of thing.

Any answer has to take all this into account.

5. Disincentives

There are a few disincentives we can apply to prevent username hoarding and trading/selling. There's advantages and disadvantages to each; I won't get too far into them, just list them off and hit the highlights.

The solution can also be a combination of some or all of these, and when we start talking about "eminent domain" type solutions of confiscating squatted usernames, I'm definitely not talking about unilaterally taking all the accounts away from somebody we think is username squatting without contacting them first and talking over each particular, unique situation, arriving at an agreement about what constitutes reasonable usage in that situation, and letting people decide which accounts they want to voluntarily relinquish. I'm also, again, not talking about us going out and actively looking for possible squatting scenarios: I'm talking about what to do when people report potential squatting to us, and we think there's a really good chance that at least some squatting is involved.

That having been said, here are some of the possibilities:

* We can manually rename accounts that have been squatted. We've done this before, in the early days when people were trying to "land grab" popular usernames: the account still belongs to the person who registered it, it just gets renamed from "username" to "ex_username123", just like a rename token does. Big advantage to this one is that it preserves anything that might have been in the account, just under a different username. This makes the system think "username" has never been registered, so it can be created from the account creation page as though it never existed in the first place. Disadvantage is that it is work: we have to write a custom script for each instance.

* We can scramble the password so it can't be logged into, force the account status to deleted, and purge it from the system. This preserves any comments that were made elsewhere (in communities and in other journals) -- they show up with the account username crossed out -- and frees the username up for being renamed to. It can't be registered from the account creation page, but it can be renamed to using a rename token. Disadvantage is that it doesn't preserve any content that was in the account itself, and (like the other option) it's a lot of work.

* We can put in some kind of technical restrictions on account creation, trying to limit how many accounts someone can register per week/month/whatever. (We already do this with communities, in order to prevent landgrabs there: the restriction is set at a level where few people ever run into it during the course of legit use, and those people who do run into it with legit use can just spread out their comm creation over time. Anything we did to similarly restrict personal account creation would be set at a point where we thought people wouldn't run into it regularly unless they were deliberately trying to namesquat, and then be adjustable over time if it gets tripped too often by legit use.) I'm really on the fence about this: I think it would be too likely to interfere with legit use. We could always implement this and then set the limit to something we think is really high, though.

* We can implement some kind of technical restriction on account creation that kicks in after you have a certain number of accounts registered somehow -- either a blanket "after you have X accounts registered, you can only make Y accounts per week/month/whatever", or something that we can enable for specific people who we think are abusing open account registration. The advantage to this (and to the previous bullet point) is that they're relatively hands-off and don't need much attention from us; the disadvantage is that it might start an "arms race" of people trying to work around the restrictions, and it doesn't do anything to handle cases where someone already has an extremely high number of accounts registered.

* We can say that we don't care at all about how many accounts people have registered or whether they're using them at all, but if/when any kind of account trading gets reported to us, we can "confiscate" the account (whether it's already changed hands or whether it's just been listed for trade). The advantage there is that it would keep us from having to do any kind of judgement call about squatting, and it would definitely address the trading/selling problem. Disadvantage is that it would just drive trading/selling even further underground than it already is, and we'd have more problems verifying whether the trade/sale offer was actually made by the person who controls the account -- it would tempt people to try to "frame" holders of popular usernames (post somewhere saying the account is for trade even though they don't control it, screenshot the post, report it to us) in order to get a popular username. It also wouldn't address the case of someone squatting on hundreds of usernames for the "ooh shiny" factor rather than future trading/selling.

* Or, of course, we can officially say that we don't care about any of this, let the situation stay exactly as it is, and not do anything if people are squatting on a ton of usernames. We're kind of on the fence. I mean, this is all a lot of work to handle what is, right now, not very many instances of truly egregious cases. The only thing that makes me a little nervous about picking this is that this sort of thing spirals: what's a relatively minor problem right now could become a major problem as people feel like they have to grab everything they might want someday as fast as they can, leading to squatting as defense against squatting. Still, we could always officially Not Care as a service, and leave it up to the community as a whole to enforce whatever social norms they felt were appropriate by methods of expressing disapproval, community shunning, etc.

I'm sure there are other possibilities I'm not thinking of, so that's why I'm posting -- to see what ideas y'all come up with!

There are a ton of other things I can think of, but this is long enough already and I don't want to make it too overwhelming. I'll turn the discussion over to the floor and see what everybody comes up with.

Parameters for discussion: you don't need to give more examples of legitimate use or reasons why people might want to have multiple accounts. Likewise, please don't offer up specific situations (either hypothetical or actual) and ask "is this squatting?" We know there's tons of reasons why people would want to have lots of accounts (and we want to encourage the creative use of DW and avoid having any kind of "chilling effect" as much as possible), and we're not ready to talk specifics yet.

As always in discussions such as these, please remember there are many different ways to use Dreamwidth, and a) any solution we put into place has to work for the benefit of the service as a whole; b) we're looking for solutions that will, at best, only slightly inconvenience legitimate good-faith usage, while stopping things that are negatively affecting the entire community; c) however, it may not be possible to completely avoid affecting legitimate good-faith usage completely and this is a trade we may have to make.

With that, I'll turn it over to the floor for discussion!

[personal profile] elf 2012-04-12 05:30 am (UTC)
It occurs to me that another reason people give away accounts is that they can be sure that their friend gets it--if it's deleted and purged (at some point a month or more in the future), it's then available for anyone to grab. There's currently no way to say, "I'm deleting this so [email address] can get it," so that's another disincentive for playing by the rules.

I'm not sure I see a way around this, because if you have "hand over username to someone else at cost of a rename token," you'll still have people handing them out for free to their friends, or selling them for half the price of a rename token. If they cost less than rename tokens, that's probably economically troublesome. (I have no idea why rename tokens cost $15, but I assume it's some balance of "it's a damned nuisance to code them" and "we don't want people doing it often." Presumably, if it took no resources & caused no hassles, it'd be as cheap as clearing out icons & reloading them.)

But even with the cost issues, it's possible that being able to "hand off" a username, instead of releasing it into the wild & hoping your friend is there to catch it when it becomes available, might cut down on some of the exchanges among friends.