How about limit new accounts?

I’m not quite convinced here. Are 1000 or 5000 bad changes / objects significantly better than 9000? I.e. is it really worth the effort? If the limit is 1000 or 5000 objects, then using multiple accounts will still allow making 9000 bad edits very easily.

Unless there is also a limit regarding account creation. Creating multiple OSM accounts is not forbidden but maybe we can limit the account creation to 1 per day per email address.

1 Like

this limit exists already

you already can create a single account for given email address, ever (though it is easy to get piles of disposable mails anyway)

Still 9 times more effort to set up accounts. Not a big barrier but always something.

And there were also annoying-to-revert broken imports adding broken stuff on an even larger scale (original motivation for Limit number of edits per user and day · Issue #2342 · openstreetmap/openstreetmap-website · GitHub).

1 Like

There seems to be nothing left by that account, so thanks everyone for reverting!

1 Like

A couple more that there are still objects last modified by, though, are SdfN5h5163 and dfn5h54563. Those accounts’ edits might need checking because in a couple of cases they seem to have edited the same object sequentially.

1 Like

Love the discussion, thanks to all for the great replies.

I think the intent I had seems to be mirrored nicely; normal beginning editors will be able to do mapping without noticing the limits. Growing in permissions as their work progresses. Only the rare addicted-to-this person should hit ceilings.

What is important to me is the social part. The current group of mappers, and everyone commenting here, are self selected as people that are Ok figuring stuff out on their own. Finding that wiki, possibly even joining this forum or some chat. All without the UI giving any indication that this is possible or even useful.

This means we have ignored a large chunk of the population that is not so brave with their mapping efforts. We have a ‘I would like to get someone to review my edit’ checkbox which has no real-life effect of someone actually coming to review it in most cases.

The social part is underdeveloped and we self-selected our community to be filled with people that are Ok with that. The Dutch community is quite busy and has various social channels, which is awesome and I wish I found out about them earlier than I did. For instance.

So the numbers should be picked based much less on how much damage they can do, but much more about how much the edit should be team-approved. I see someone talking about editing a forest. Or mapping houses. These are great examples of things that people would appreciate help with. A quick review, a simple pointer to examples. ANY human interaction, really.
So, sure, you can increase the limits to allow the brave to add loads of stuff, and that may work in various cases. But it may also dramatically backfire with the work needing loads of love afterwards and some mappers will just leave instead of doing that.

The point is that the bigger the changes (area, points etc), the greater the risk of the person going in a different direction as the rest of the community is going.
And that is the reason for limiting their rights, not because of them being destructive but because it works better if we share the knowledge with new people. Propagate the culture, as it were.
The good part is, the vandalism is solved with the same approach without us explicitly aiming for that.

Someone mentioned StreetComplete, which has a great way of rewarding people by giving them some tokens of appreciation based on the work they did. It has no value or effect, but the social concept is known to the StreetComplete people.
I’m sure that the guys behind that project would be willing to join the conversation on combining their stuff into some ‘levels’ design we can make for the OSM database.

In that light, the limits should not be too high, it’s not about vandalism per se, it is about triggering a social and inclusive direction for the OSM teams.
And that means that this would not be a change in isolation. It would trigger more ways that make the mapping experience less about doing something in total isolation, which frankly is what it is today.
These limits on accounts would in my view be a trigger where the rest becomes something that fits and makes sense. Thus leading to a system of building community and onboarding to our culture.

1 Like

No it doesn’t. There’s no attempt to limit the number of OSM accounts per single email account. As an example, I’ve just signed up again here with exactly the same gmail address that I use for normal OSM access but with a “+” modifier on it. I can do that again, and again, and again, and the process would be pretty simple to automate (in fact I’d be surprised if the very large numbers of accounts created by this nefarious user weren’t created automatically).

The idea that any one person could sit on 10s, 100s or even 1000s of dormant, valid, OSM accounts is frankly ridiculous. This shouldn’t be a discussion about “how many edits can new accounts make” before they have to stop, it should be “how do we stop one person accumulating 100s or 1000s of valid accounts” that they can then perform vandalism with.

There’s a board meeting tomorrow. I would very much expect this issue to pop up in “Any other business” or “Guest comments or questions”. You’re on the board - make something happen to prevent this sort of thing occurring again.

– Andy (writing in a personal capacity and without consulting any DWG colleagues).

1 Like

I think that thinking is perfectly in line with the idea that a fresh account is nearly useless for vandalism purposes, as this thread suggests.

Naturally, to limit new accounts being created on the same email does look like a sane thing to do too. But certainly orthogonal to the value proposition of limiting accounts.

1 Like

these email aliases are treated as separate email accounts, similarly someone with catchall redirect and own domain can register multitude of accounts using single real mail.

And fundamentally we cannot really restrict to single OSM account per single real mail account. At least not without allowing signups only from some limited pool of email providers and banning all unknown ones - which has own issues.

Maybe there should be a special custom logic to defang that Gmail + aliases, given Gmail popularity

is this feature being used by vandals? is there already open issue for that on OSM website repository?

Main problem here is that typical solutions (require verification using SMS code, require payment, pile annoying CAPTCHA, manual account activation, heavily restrict signup eligibility, require government issued id card, require Google/Microsoft/Steam/FB/etc account, require vouching by existing user, verification using credit card but without charging user etc) have own problems that are very likely even worse.

Though more general problem, “osm website development could be going better” to phrase it diplomatically is something that board is trying to solve/improve/help/not make worse. Sadly without big successes at least for now.

I will be trying to do something, but right now I have no obvious idea what can be done and is not already being attempted (at least for collecting unreasonable number of user accounts).

Limiting how much single user account can do can be more tractable, but still will not help much if someone can create thousands of user accounts.

(writing in a personal capacity and without consulting with anyone, that is not an official announcement).

3 Likes
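The post above notes that Gmail "+" aliases and catch-all domains let one real mailbox back many accounts. As an added example (not code from the OSM website or from any poster), here is one way a reviewer could group sign-ups by probable owner for manual inspection; the provider list, the threshold, all function names and the sample data are assumptions.

```python
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # both reach the same mailbox
# Assumption: shared public providers where many unrelated users are normal.
PUBLIC_PROVIDERS = GMAIL_DOMAINS | {"outlook.com", "yahoo.com"}


def canonical_mailbox(address: str) -> str:
    """Collapse alias spellings that deliver to the same mailbox."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots and anything after "+" in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def grouping_key(address: str) -> str:
    """Key under which sign-ups are counted as 'probably one person'."""
    mailbox = canonical_mailbox(address)
    domain = mailbox.rsplit("@", 1)[1]
    # A private domain may be a catch-all, so every address on it shares a key.
    return mailbox if domain in PUBLIC_PROVIDERS else f"*@{domain}"


def suspicious_clusters(signups, threshold=3):
    """Return {key: [usernames]} for keys holding at least `threshold` accounts."""
    groups = defaultdict(list)
    for username, address in signups:
        groups[grouping_key(address)].append(username)
    return {k: v for k, v in groups.items() if len(v) >= threshold}


# Constructed sample data: usernames and addresses are invented.
SAMPLE_SIGNUPS = [
    ("mapper_a", "jane.doe@gmail.com"),
    ("mapper_b", "janedoe+osm1@gmail.com"),
    ("mapper_c", "Jane.Doe+osm2@googlemail.com"),
    ("mapper_d", "x1@catchall.example"),
    ("mapper_e", "x2@catchall.example"),
    ("mapper_f", "x3@catchall.example"),
    ("mapper_g", "someone@outlook.com"),
    ("mapper_h", "other@family.example"),
]

if __name__ == "__main__":
    for key, users in suspicious_clusters(SAMPLE_SIGNUPS).items():
        print(key, users)
```

Grouping by domain will also catch legitimate shared domains (a family, a small company), so the output is a review queue, not a block list.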

That’s only possible because we let them. There is absolutely no technical reason that says that it has to be the case.

I’m not suggesting that. I am suggesting that someone should not be able to sign up for thousands of dormant accounts. As I said above, I’m sure that any restrictions can be brought in at a high enough level to not inconvenience any normal users.

Most of that list is simply FUD - we’re not talking about implementing a full KYC system here; just putting enough in place to ensure that one individual cannot create potentially thousands of dormant accounts to use later for nefarious purposes.

Yes.

No. A public issue tracker doesn’t seem the ideal place to discuss how people might exploit OSM’s sign-up process.

If I was on OSMF’s board, I’d have two items at the top of my list following this incident:

  1. Talk to the admins to understand exactly what happened here, and understanding what needs to be done to prevent it from happening again. For example - over what period of time were the (now deleted) dormant accounts created? How might we recognise that happening in future?
  2. Saying a heartfelt “thank you” to everyone who helped tidy up the mess. Mostly these weren’t people on working groups or admins but ordinary OSM mappers who detected issues as they arose and made sure that the problem changes were reverted.
7 Likes

Did you also try the part with the

?

No. :innocent:
Didn’t receive an email. Guess my provider doesn’t allow it.

Exactly, all these discussions in the open of how to fix/prevent will wise these guys up too, in fact I think a recent thread could have been a fishing expedition to find out how to by a ‘concerned citizen’.

1 Like

Absolutely wonderful discussion here, everybody. I still don’t know how I feel about all this (limiting initial user contributions, with a “ramp up” to “full” over time seems on the “more wise” side), as we are talking about making fundamental changes to the “openness” of OSM. A major cultural shift, in other words.

And in the spirit of “constructive criticism,” I’ll offer a minor correction / clarification to the initial post: all users do not (quite) have the ability of “every account can do anything and everything.” Not quite, as the DWG’s (most powerful) tools of blocking and banning (effectively shutting down an account) are not available to everyone (and that’s a good thing). The difficulty is in managing the vandalism, even knowing there is a fair amount of “user-level users” (without DWG privileges) who are doing some, maybe even much (I don’t think quite “most”) of the cleanup of “bad edits.” Some of these are vandalism, some are more simply, more innocently “ignorance” or “laziness” (like not reading wiki when needed). Still, “it takes a village” (to be stewards of good map data) and this is a gigantic effort: our “garden of global data” has weeds and even pests, but we pluck out the nasty and sometimes give a lethal zap to those who are so pesky they deserve to be shown the exit door.

As I hear (loud and clear) DWG members (like @SomeoneElse) asking for “any takers?” in his requests for additional assistance to “keep the garden weeded,” is there something we could do to better formalize these sorts of tasks? A kind of “Deputy DWG” role (without block or ban powers, but who merely are offered a basket of potential cleanup tasks)? The vetting of volunteers / contributors who would become members of this “squadron” should likely reside with DWG itself, but then there is the cost of organizing the “baskets.” That could be a “win-win,” that could be a “break even,” I’m not sure.

1 Like

I add that a DWG member with a small squadron (or three, or more) of “helpers” (who don’t have block or ban power, but are given specific tasks to unravel back to sanity) communicating via a more-secure (one-to-one) channel, like encrypted email, goes a distance to thwart this. We won’t put this on an issue tracker.

“Wise guys” (the bad guys) watch. There is much to like about being security aware like this. Squashing these like the bugs they are one-by-one with a stealthy approach where bad guys can only guess what we (the good, the mighty, OSM) might next do is correct. Or at least part of correct.

Wisdom ahead, everyone. There are approaches to doing this, doing this well, and doing this well into the future. We are on our way there now.

Sure, but the original discussion on limits like that related to 25 changes per changeset & 250 changes per day, so 5 of your example buildings = 25 changes = 1 CS = 1/10th of their initial allowance.

How many brand new mappers set out to map a forest on their first day? :thinking:

& how many “normal mappers”, especially newbies, will ever need to create multiple accounts? Sure, a few DWG members have separate revert accounts, other people have Import accounts. How many multiples are there throughout OSM? Maybe 100 out of 10000000 users?

You raise a very valid point, although OT to vandalism as such.

Those “please review my changes” should report somewhere, in the same way as Pascal has his Notes pages https://resultmaps.neis-one.org/osm-notes.

I don’t know if we would then need a Review Team working on them, or just leave them for anybody to look at as they feel like it?

See, what happens with “squadrons” helping out DWG is that (at least at first), you can “tune” these teams so they ask the DWG member (frequently, at first) whether an edge is being probed. As these emerge, the squads “know what to do.”

This is an effective technique. Only the “questionable, now” bubbles up to the DWG member at the leadership of the squadron. At some point, it might make sense to appoint a “squad leader” (major or colonel or so, if I were to get military with the hierarchy). The captains who fly “know what to do.”

Go with this. If / as you are overwhelmed as a DWG “general,” it can only help. It seems about right.

Postscript: I’m a conscientious objector to war, but I do understand military hierarchy as being effective against “enemy combatants,” which is what vandals are. Act accordingly.

1 Like

The war situation is only temporary.

there is a simple filter in OSMCha for this. It’s fairly easy for anybody willing to set a bbox around their desired area and set the filter to the “review requested” flag

1 Like

There is a tool for this by Pascal too, the “Find Suspicious OpenStreetMap Changesets”-Tool.
However, as you can see, it was not made specifically for review requested changesets, but rather needs some filters to be set first. So a dedicated tool for review requested changesets would still be great.

I myself sometimes review these changesets (in Germany) if I have time and feel like it. However, it is very time consuming to really review these changesets in detail. And sometimes it is actually horrifying to see what changes new users try to make (unintentionally of course) that would stay in the live database probably for a long time if I hadn’t checked some of the changesets.

2 Likes