Denise ([staff profile] denise) wrote in [site community profile] dw_biz, 2012-04-11 06:02 pm

RFC: username squatting: how should we handle it?

So, one of the things that has come up repeatedly recently is the question of username hoarding and account trading/selling. We've been trying very hard to work out a policy to manage the problem (and how to handle it when it happens) that will be fair to everyone and will only affect people who are honestly abusing open account registration, not people who are using the site legitimately.

People have reported some of the most egregious squatting/hoarding and trading, and we've been holding off on taking any definite actions because we've been having trouble formulating a policy that's fair to everyone and working out what consequences there should be.

We have an idea of what we think we should do, but we also know that this has the potential to negatively affect people who are using the site in a performative/creative style (roleplay, fiction projects, collaborative performance art) instead of a personal journaling style. We don't want to interfere with that legitimate use, so we'd like to hear feedback. To keep the discussion away from "pick holes in a specific proposal", I'm not going to share the full range of what I'm thinking yet; instead I'm going to lay out the problem and let everybody brainstorm.

The goal here is:

* To formulate a policy regarding username squatting that prevents squatting, without placing undue restraint on the many and varied ways people use Dreamwidth for performative/creative work;

* To prevent rewarding people for bad behavior and encourage fair play and community responsibility;

* To prevent username trading and selling (which is not only a violation of the Terms of Service but is a very bad idea because a traded account will never and can never be secured);

* To take away the advantages of username squatting/hoarding with minimal administrative overhead and in a way that returns desirable squatted usernames to the pool of available usernames.

1. The Problem

Open account registration means that people can create accounts easily, which is great for activity and ease-of-use but has also led to multiple people creating hundreds of accounts in order to sit on usernames they think will be useful or valuable later.

This is a problem for multiple reasons:

* It leads to people trading or selling usernames that have some kind of value to the community. (A side note: Trading or selling an account is against the Terms of Service, because a traded account will never again be secure or securable. We have asked and asked and asked people to stop doing it, and it's still happening. We're likely going to start cracking down more on account trading and selling, whether it happens on or off Dreamwidth. If you have an account you don't want to use anymore, set its status to 'deleted', and the username will be available for renaming to after it's fully purged from the system; the rename process is deliberately set up to both move the old contents of the account out of the way and to prevent security problems in the future.)

* It leads to people registering accounts and usernames they have no intention of ever using, because those usernames have value and can be used in those trades. This prevents people who would actually use the account (and the username) from having access to those usernames, and encourages people who would not otherwise want to violate the Terms of Service to participate in account trading because they want those usernames.

* It rewards people who are behaving badly and penalizes people who are not behaving badly, encouraging a "land grab" mentality where people who would not otherwise behave badly feel that they have to act now or lose out. (In short, it's a textbook example of the tragedy of the commons.)

* It results in hundreds of accounts with usernames that are desirable to the community sitting around empty and unused.

* It requires us to spend dozens of person-hours adjudicating disputes, handling complaints, and researching situations of username hoarding and account trading, which is time that could best be spent elsewhere.

(One note I should also add: for all of this, I'm only discussing personal accounts -- not communities. Communities can be passed from admin to admin without the same security risk.)

2. Additional Considerations

Putting any kind of numbers on what constitutes "legitimate" use, and addressing any question of how many accounts one person can have, quickly runs into a problem. There are legitimate reasons to have and use multiple journals, and any time you try to quantify the question, you quickly run into the problem of separating abusive account registration from legitimate account registration. There is simply no easy way to put one set of numbers down and say "this is the limit", because Situation A can wind up being abusive account registration despite not hitting the numbers (if the person registering the accounts has no intention of ever using them, or is registering them because there's a very slim chance they might want to use them someday but it isn't likely) and Situation B can wind up being legitimate account registration despite exceeding the numbers (if the person is using those accounts, has used those accounts, or honestly intends to use those accounts relatively soon).

(Not to mention, someone with malicious or self-centered intent could always say that they do intend to use the accounts very soon, when in reality they don't intend to use the accounts for anything other than trading, selling, or hoarding.)

We definitely know there are multiple reasons to want to have multiple accounts, and on the surface, it is often impossible to separate abusive account registration from legitimate account registration. It's a spectrum, and it's wickedly hard to develop any kind of objective metric: there is an inherent amount of subjectivity, and intent plays a huge part. (And, of course, we can't know what someone's intent is, not for sure; all we can look at is behavior.)

We do need to do something, though, because there are few definite cases of what we consider abusive account registration going on: not only is it unfair to the community as a whole, but if we don't do something about it soon, the problem will only get worse as others see that there is an advantage to behaving badly and no incentive to not behaving badly.

3. Some Examples

Using some examples from roleplaying that people bring up a lot whenever this sort of discussion arises, I'll give some examples, in order to properly calibrate what I'm talking about.

You'll note that in each of these, instead of giving numbers, I'm saying "a high number of accounts" or "an extremely high number of accounts" -- I don't want to get into giving numbers, because that makes people immediately focus on the numbers and start thinking of ways that they can imagine needing X number of accounts instead of thinking about the underlying questions. Whatever numbers we go with, if we do go with a number-based policy, will almost certainly be set by looking at the actual patterns of registration and use; instead of saying "500 accounts" or "1000 accounts", we will instead say "registration at one standard deviation" or "registration at the 99th percentile" or something like that. (We also won't ever go looking for instances. I'm talking, here, about what we should do when they're reported to us.)

I'm also not defining "activity" (or 'light activity', 'regularly used', yadda) based on concrete numbers -- number of posts, number of comments, etc -- because if we say something like "any account with fewer than 5 posts and 10 comments made by 2 weeks after creation" or whatever, then people who are looking to hoard usernames will create an account, make 5 posts and 10 comments within the first 2 weeks, and continue onward. (Not to mention, people who want to make trouble for other people will hover over accounts that have been created by people who already have a lot of accounts, and on that 14th day will report them to us and say "look, this is being squatted!")

With those caveats in mind, examples of what I would consider all the way over on the "this is probably abusive account registration" side:

* the person who registers an extremely high number of accounts within a very short period, with multiple usernames for every single character they can think of all at once, without any plans to start using those accounts in the near future but just to have the names;

* the person who registers every possible variant of every possible username that they can think of for a particular character in order to try to keep anyone else from being able to play that character without coming to them to trade/sell the account;

* the person who sees that a particular fandom is getting popular and goes to register every variant of every username they can think of for every character in that fandom so that they have a lock on the fandom;

* the person who registers every username they can think of for a character or fandom, then immediately lists them for sale/trade.

All the way over on the "this is probably legitimate account registration" side:

* the person who has a high number of accounts, but regularly logs into each account to make posts or comments with the account;

* the person who's been playing heavily on DW for a long time, so has a high number of inactive accounts that still have content in them (because each account was active once and was retired when the game ended/they dropped the character/etc) who wants to keep the old content for posterity's sake or in order to keep a game's archives preserved;

* the person who plays the same few characters in a number of different games that each require a unique journal, so they have multiple accounts/username variants for each character but each one is regularly (or semi-regularly) used;

* the person who has a high number of regularly-used (or previously-used-but-archived) accounts, but also has a handful of accounts that aren't being used yet, for characters they're developing.

In the middle, and not at all as clear-cut -- things that could be perfectly legitimate if done by Person A but, if done by Person B, could be an attempt to circumvent any policy we wrote by looking like legitimate account registration while really being a cover for abusive account registration:

* the person who has an extremely high number of accounts, a small number of which are heavily used, the larger part of which are very lightly used (one or two posts, the occasional comment), and a large part of which are being held in reserve (any/all of: a placeholder post, a filled-out profile, a lightly-customized style, but no real activity past the initial creation and placeholder setup);

* the person who has an extremely high number of accounts, each of which was very lightly used for a very short period of time and then allowed to fall inactive;

* the person who has an established pattern of registering a large number of accounts for characters they might want to play someday, but who has a pattern of not doing anything with those accounts for a very long time (if at all).

4. The problems of putting that into policy

So: how do we write a policy that allows us to distinguish "almost certainly abusive account registration" from "almost certainly legitimate account registration", is sensitive to the grey areas in between, and can't be easily gamed by people who are trying to look like they're creating legitimate accounts but are really just abusing the system?

One thing that is not helpful in cases like this is looking purely at numbers of accounts registered. Whenever this comes up, some people immediately ask, "Well, what do you need all those accounts for?" There are perfectly legit reasons to have a large number of accounts, though: that is absolutely not in doubt and we don't ever want to get to a place where we put absolute hard limits on usage. People who are using the site heavily are awesome! People who are doing great creative things on Dreamwidth are awesome! We love seeing it!

We just don't want to reward the people who are trying to capitalize on open account registration, and we want to strongly encourage people against registering accounts "just in case". In an ideal world, people would only register an account when they're ready to start actively using it very, very soon. (Barring a margin of error for "I made this account and then my life exploded and I had to put everything on hold for a few months", of course, which is a major problem with any time-based guidelines.)

Another problem: given that there are all these grey areas and all these huge whopping questions of intent, any time something like this is reported to us, it requires a ton of research. We don't want to spend hours of our time looking into every single last case of "this person has a lot of usernames registered" that's reported to us in order to figure out where on the sliding scale of legit vs abusive that particular situation falls. We've got very limited resources for investigating that kind of thing: DW has two full-time employees, three part-time employees, and a bunch of volunteers, but most of those people are technical (and everybody who handles ToS stuff also does tons of other work) and we flat-out don't have the resources to spend much time on this kind of thing.

Any answer has to take all this into account.

5. Disincentives

There are a few disincentives we can apply to prevent username hoarding and trading/selling. There's advantages and disadvantages to each; I won't get too far into them, just list them off and hit the highlights.

The solution can also be a combination of some or all of these, and when we start talking about "eminent domain" type solutions of confiscating squatted usernames, I'm definitely not talking about unilaterally taking all the accounts away from somebody we think is username squatting without contacting them first and talking over each particular, unique situation, arriving at an agreement about what constitutes reasonable usage in that situation, and letting people decide which accounts they want to voluntarily relinquish. I'm also, again, not talking about us going out and actively looking for possible squatting scenarios: I'm talking about what to do when people report potential squatting to us, and we think there's a really good chance that at least some squatting is involved.

That having been said, here are some of the possibilities:

* We can manually rename accounts that have been squatted. We've done this before, in the early days when people were trying to "land grab" popular usernames: the account still belongs to the person who registered it, it just gets renamed from "username" to "ex_username123", just like a rename token does. Big advantage to this one is that it preserves anything that might have been in the account, just under a different username. This makes the system think "username" has never been registered, so it can be created from the account creation page as though it never existed in the first place. Disadvantage is that it is work: we have to write a custom script for each instance.

* We can scramble the password so it can't be logged into, force the account status to deleted, and purge it from the system. This preserves any comments that were made elsewhere (in communities and in other journals) -- they show up with the account username crossed out -- and frees the username up for being renamed to. It can't be registered from the account creation page, but it can be renamed to using a rename token. Disadvantage is that it doesn't preserve any content that was in the account itself, and (like the other option) it's a lot of work.

* We can put in some kind of technical restrictions on account creation, trying to limit how many accounts someone can register per week/month/whatever. (We already do this with communities, in order to prevent landgrabs there: the restriction is set at a level where few people ever run into it during the course of legit use, and those people who do run into it with legit use can just spread out their comm creation over time. Anything we did to similarly restrict personal account creation would be set at a point where we thought people wouldn't run into it regularly unless they were deliberately trying to namesquat, and then be adjustable over time if it gets tripped too often by legit use.) I'm really on the fence about this: I think it would be too likely to interfere with legit use. We could always implement this and then set the limit to something we think is really high, though.

* We can implement some kind of technical restriction on account creation that kicks in after you have a certain number of accounts registered somehow -- either a blanket "after you have X accounts registered, you can only make Y accounts per week/month/whatever", or something that we can enable for specific people who we think are abusing open account registration. The advantage to this (and to the previous bullet point) is that they're relatively hands-off and don't need much attention from us; the disadvantage is that it might start an "arms race" of people trying to work around the restrictions, and it doesn't do anything to handle cases where someone already has an extremely high number of accounts registered.

* We can say that we don't care at all about how many accounts people have registered or whether they're using them at all, but if/when any kind of account trading gets reported to us, we can "confiscate" the account (whether it's already changed hands or whether it's just been listed for trade). The advantage there is that it would keep us from having to do any kind of judgement call about squatting, and it would definitely address the trading/selling problem. Disadvantage is that it would just drive trading/selling even further underground than it already is, and we'd have more problems verifying whether the trade/sale offer was actually made by the person who controls the account -- it would tempt people to try to "frame" holders of popular usernames (post somewhere saying the account is for trade even though they don't control it, screenshot the post, report it to us) in order to get a popular username. It also wouldn't address the case of someone squatting on hundreds of usernames for the "ooh shiny" factor rather than future trading/selling.

* Or, of course, we can officially say that we don't care about any of this, let the situation stay exactly as it is, and not do anything if people are squatting on a ton of usernames. We're kind of on the fence. I mean, this is all a lot of work to handle what is, right now, not very many instances of truly egregious cases. The only thing that makes me a little nervous about picking this is that this sort of thing spirals: what's a relatively minor problem right now could become a major problem as people feel like they have to grab everything they might want someday as fast as they can, leading to squatting as defense against squatting. Still, we could always officially Not Care as a service, and leave it up to the community as a whole to enforce whatever social norms they felt were appropriate by methods of expressing disapproval, community shunning, etc.

I'm sure there are other possibilities I'm not thinking of, so that's why I'm posting -- to see what ideas y'all come up with!

There are a ton of other things I can think of, but this is long enough already and I don't want to make it too overwhelming. I'll turn the discussion over to the floor and see what everybody comes up with.

Parameters for discussion: you don't need to give more examples of legitimate use or reasons why people might want to have multiple accounts. Likewise, please don't offer up specific situations (either hypothetical or actual) and ask "is this squatting?" We know there's tons of reasons why people would want to have lots of accounts (and we want to encourage the creative use of DW and avoid having any kind of "chilling effect" as much as possible), and we're not ready to talk specifics yet.

As always in discussions such as these, please remember there are many different ways to use Dreamwidth, and a) any solution we put into place has to work for the benefit of the service as a whole; b) we're looking for solutions that will, at best, only slightly inconvenience legitimate good-faith usage, while stopping things that are negatively affecting the entire community; c) however, it may not be possible to completely avoid affecting legitimate good-faith usage completely and this is a trade we may have to make.

With that, I'll turn it over to the floor for discussion!

[personal profile] lollobrigida 2012-04-11 11:24 pm (UTC)
While I do appreciate that you are looking into it, and I do agree that there are certain individuals that I'm sure have far too many names - this is all coming up after all the other comments that have been made about how DW would never revoke an account.

Granted, I'm sure notifications would be put into place so someone wouldn't have a username snaked out from under them, but it still seems like an issue that is far too complex to just set a standard rule down.

Requesting that people trim their username lists down, possibly approaching those with large lists and asking them to set some accounts to delete so that you can purge those, with their permission, and open up the names to others without a fee, or even limiting people after a certain # of accounts are created seems a far better option than trying to figure out who is using what for what and how often.

I know that there are accounts that don't seem active that don't even have validated email addresses, since I have tried to PM the owner of some of them asking if they would be willing to delete the account so that I could rename one of mine, but you can't PM anyone without a validated email.

I also know that for a lot of RPers your username is what identifies you. There are cases where you can have your username and then someone takes the same name but places an underscore into it. It's a very tricky situation and our usernames and ownership of them is something a lot of us really pride ourselves on. Creating a name and then creating the variation with the underscore could also be seen as "hoarding" but for us, it's a matter of not wanting to be mis-identified as someone else.

I have created back-ups for archiving and for claiming OpenID accounts so that imported comments match up. I have taken names that I had wanted but were too long for LJ standards, and I try to utilize what I have before I make more, but there is always going to be an instance - especially in RP circles - where you're just going to want to play someone new.

Putting limits on how long an account is active, how active it is - that's where the trouble comes in.

Considering how supportive DW is of the RP community and how much we all talk about how great you guys are and how much we appreciate all you do, I would have thought just asking those people with lots of accounts if they could stop making them or to delete X number of them or something -- that they wouldn't deceive you and try to claim they plan on using them. That's possibly wishful thinking, too, but it still stands that we ask you guys all the time for things - so why not ask those users to help you guys out?

[personal profile] lollobrigida 2012-04-12 12:32 am (UTC)
I just know that a major concern of users is that if the "magical username they are pining for" becomes released that there is a cost associated with renaming an account. While some of us are willing to do that, if we can get in touch with said user, and they are willing to set the account to delete - but if it is a grand action thing or a choice DW makes on a whole - that cost doesn't penalize the person that held onto the name, but the end user that wanted it for valid reasons.

I'm pretty sure that if an account doesn't have a confirmed email address it does make it easier for trade/sell. Because, correct me if I'm wrong, but that means the end user can take the account, set-up their email and then confirm it and have that be the originating email. It would be as if you had typed in the wrong email address to open the account. Your notification never comes, so you verify your email or correct it and resend it. Your account isn't tied to the typo-inclusive email address, is it?

[personal profile] cloudsinvenice 2012-04-13 09:34 am (UTC)
I think the issue of cost is a really good point. Over on LJ I set up an alert for a username I coveted on a never-used account, and when it got purged recently I got an email letting me know. But I found I couldn't register the account name, only rename my existing account to that name, which I chose not to do because I preferred not to support the site financially in light of various issues. Now, that's my choice, but it bothers me to think of people generally running into this kind of issue in relation to a username that has been squatted.

[personal profile] fracturedsoul 2012-04-12 07:19 am (UTC)
Maybe a "if you haven't confirmed your email address in X days from account creation, the account will be unregistered" type thing should be part of the solution.

Jumping in to say that I think this would be a great idea. I totally understand that it's possible for someone to leave an account lying around for a while, and that sometimes there's trouble with an email account so maybe it'll take a few days, but if someone hasn't confirmed their email address six months, a year after registering, they probably weren't that invested in the account to begin with.

[personal profile] lollobrigida 2012-04-12 02:38 pm (UTC)
This is especially true since you can't do much of anything until you have confirmed your email address.

[personal profile] lady_ganesh 2012-04-14 12:18 am (UTC)
And if they were, they can probably come up with another username.

[personal profile] archangelbeth 2012-04-12 10:34 pm (UTC)
"if you haven't confirmed your email address in X days from account creation, the account will be unregistered"

That sounds fair. Heck, give 'em a whole month, even. You may want to add that if the email address bounces when someone tries to contact them (this would be something that would be reported by other users, not investigated otherwise?), you reserve the right to make a judgment call about whether a journal appears to be being squatted on. (Or if someone got their email changed out from under them; I had to fix nearly 20 years worth of accounts when that happened to me!)

[personal profile] vlion 2012-04-14 02:18 am (UTC)
"if you haven't confirmed your email address in X days from account creation, the account will be unregistered"

That doesn't sound hard to do in an automated fashion: have a mailbox, a script that creates an account, then checks the mailbox 24 hours later and follows the confirm link.

[personal profile] stealthily 2012-04-27 12:22 am (UTC)
True, but like it was said above, it would make it more difficult to trade accounts because at the moment if you don't confirm the email, it's safer for the person buying to set their new email and confirm and the account creator can't take it from them because the old email was never confirmed. That would put people off buying accounts, although some people might still try if they didn't know that traded accounts are insecure. And if people used bots or scripts, would DW know because they were doing things too quickly? Plus it's against TOS to do those things so DW would have a legit reason to kick them: using automated tools.

Admittedly I don't know anything about what exactly one can do with bots and scripts, so please correct me if I'm wrong.

[personal profile] lollobrigida 2013-09-04 09:39 pm (UTC)
I'm just coming back to this after over a year to see if anything else had been discussed. Mostly, because I just went to PM someone with an "empty" account (no icons, no entries, no comments) that was registered in 2010 and it still doesn't have a confirmed email account attached to it.

+ This message can't be sent to [personal profile] screamer because the recipient's email address hasn't been confirmed.

I know that I'm not the only one that is frustrated with this sort of thing. Is there anything that can be done with these accounts? Even if it's allowing PMs to go to an unconfirmed email account?

Sometimes these people don't even remember registering the account in the first place.

[personal profile] lollobrigida 2013-09-05 03:43 pm (UTC)
I have been able to message people and have them delete their account so that it would be purged when they get purged. Just for clarification.

And the only reason I had recommented to this was because in your reply to me a year ago you had been talking about those accounts with unconfirmed emails. I was just curious if anything had come of it, but seeing your reply I can see there hasn't been.