After banning the same person more than a dozen times from the Drudge Retort, I decided to experiment with a new site feature this afternoon that turned into a failure of epic proportions. I'm documenting it here so that other people who run online communities will avoid making the same mistake.
Throughout its history, the Retort has attracted a small number of users who delight in creating a large amount of trouble. They want to prove that no moderation system has ever been devised that can hold them. I am not questioning their decision or their singleminded pursuit of this goal. It is important to have hobbies.
When I see a new user show up who acts like somebody I've kicked off, I have written code that determines whether other users have connected to the server with the same IP address. Nine times out of 10, this reveals the user's real identity and I drop the account.
Since Retort users are conscientious about flagging offensive comments, I thought it would be a good idea to let users check whether a user has shared an IP address with others on the site. No IP addresses were revealed. My site checked the addresses associated with a user and posted a report like this:
ToniTennille has used the same IP address as the following users:
- TheCaptain, user level user
- MuskratLove, user level user
Within an hour, it became clear that this was a terrible idea. So terrible, in fact, that I must downplay my own poor judgment by using the passive voice.
Mistake was made.
If an Internet service provider, employer or school assigns IP addresses to its users from a small pool of addresses, people who don't know each other will share the same IP. I thought the Retort wasn't particularly large -- the site has 18,900 users, 1,700 of whom have logged in the past 90 days -- so the chances were slim that users who don't know each other at all would have ever shared an IP address.
Inaccurate conclusion reached.
As it turns out, there are a lot of people who share IP addresses for entirely innocent reasons completely without their knowledge. This was particularly true on my site of people using BlackBerries. Before I took the new feature offline, there were a dozen false positives. The flaw in my thinking is that I only was looking at shared-IP information when I already had reason to suspect that a user was bogus. So I could tell pretty quickly whether I had caught a troublemaker or not. When I wasn't sure, I ignored the information.
Retort users, on the other hand, gleefully checked out everybody and reported back the results, whether or not they made any sense.
I have a good track record with user privacy on my sites. As a general rule, I don't provide any personal information about my users to people who ask, no matter what the reason. As I've told a few lawyers and one police agency, I only would reveal a user's IP address or similar identifying information in response to a court order.
The new feature never revealed any IP addresses. But it was still staggeringly stupid and misleading, and all I can say in my defense is that I recognized the error and killed the experiment 1 hour and 43 minutes after it began.