openstreetmap / openstreetmap-website

The Rails application that powers OpenStreetMap
https://www.openstreetmap.org/
GNU General Public License v2.0
2.2k stars 914 forks

User account self-deletion allows bad actors to delete and recreate the same account name to "lose" changeset discussion and block history #4018

Closed SomeoneElseOSM closed 11 months ago

SomeoneElseOSM commented 1 year ago

URL

https://github.com/openstreetmap/openstreetmap-website/pull/3398

How to reproduce the issue?

There have been a number of recent examples of the following sort of activity, but let's give a specific example:

A user account was created with a name "francisdouglas88614" to "force through" some changes that the local community decided were not correct. The UID was 19014237, and due to it being a problematic returning vandal they were reverted and blocked until they contacted the DWG with https://www.openstreetmap.org/user_blocks/7071 (see previous messages in that chain of blocks for the history).

They then delete that account, and create another one - francisdouglas88614 / 19021744, and try and force through their changes again. They were reverted and blocked with https://www.openstreetmap.org/user_blocks/7074.

They then delete that account, and create another one - francisdouglas88614 / 19031302, and try and force through their changes again. They were reverted and blocked with https://www.openstreetmap.org/user_blocks/7077.

This is just 1 username here; there are at least 9 or 10 others. I don't believe that it is unfair to "name and shame" this account as this user has been widely discussed elsewhere.

Basically, this is pretty much as predicted by https://github.com/openstreetmap/openstreetmap-website/issues/1853#issuecomment-387682751 .

In addition to previous problems noted such as https://github.com/openstreetmap/openstreetmap-website/issues/3585 .

To be clear, the idea behind https://github.com/openstreetmap/openstreetmap-website/pull/3398 absolutely makes sense; but we should prevent it from being used by bad actors as it currently is. There may of course be reasons why a long-term-blocked user should be able to delete their account, and they can always ask the admins to do that. What I'm suggesting is that a user shouldn't be able to engage in vandalism, get caught, delete their account and repeat the process ad infinitum.

Screenshot(s) or anything else?

n/a

natrius commented 1 year ago

I found an example for this issue: User #20535412: Karl535 and #20557454: Karl535. I cannot check the old edits and while the new account's edits don't look too bad, we have reason to believe this is a currently blocked user trying to circumvent his block.

And on a sidenote, I'm pretty sure it's AustrianMapper above who is accusing me of various somewhat serious stuff.

osmhomeblog commented 11 months ago

Only logged in users should be able to see bans

You become a public person in OpenStreetMap by walking around with a name tag at public OpenStreetMap events, like natrius Negreheb. Participation in the OpenStreetMap opinion-forming process requires that a mapper states his or her real identity. OpenStreetMap is currently posting blocks clearly visible to everyone on a user's user page. Anyone who has worked on OpenStreetMap for years and whose pseudonym is therefore known to many friends and acquaintances must expect that anyone who uses OpenStreetMap data in the future will come across this block. This also applies to contributions that are harmless in relation to the ban imposed and remain in the database. So OpenStreetMap operates a public pillory, which today is completely out of date; deleting a pseudonym and thereby eradicating such a public pillory is therefore a completely natural, understandable and healthy reaction. One solution would be to at least only show bans to registered contributors, but that is also technically questionable.

hungerburg commented 11 months ago

AustrianMapper points at issues the GDPR is rightfully concerned about. To fully understand, it should be known that a banned Austrian mapper created dozens of accounts to fly under the radar, at times using pseudonyms that match the names of real people who never edited OpenStreetMap at all, nor in a manner that would get them banned. A grace period should be enough to protect the innocent?

osmhomeblog commented 11 months ago

Hungerburg, stay on topic. Once again, by claiming pseudonyms with the same name as real people, you are spreading out-of-the-box claims and don't provide any practical example. However, there is another problem. Anyone who deletes their pseudonym must currently expect that their opponents will then take over this name, so Negreheb natrius himself operates the avatar https://wiki.openstreetmap.org/wiki/User:Adresshistoryorg which corresponds to the formerly known avatar https://wiki.openstreetmap.org/wiki/User:Beautifulplaces#Subavatars and is very similar to adresshistory_org. Why a name can currently be re-registered immediately after it has been deleted has no parallel in any project that I know of.

gravitystorm commented 11 months ago

A cooldown period has been implemented in #4313. It's a configurable delay, so the OSMF can adjust the period to find out what works best (striking a balance between vandals trying to cover their tracks, and people who are simply finished with their account).

I think there is further work that can be done here, so that even after the cooldown period expires, we can still tackle the problems listed at https://github.com/openstreetmap/openstreetmap-website/issues/4018#issuecomment-1780953601 . And of course the problems mentioned there that the cooldown doesn't resolve. But after 50+ comments in this thread, that would be better done in a fresh issue.
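The mitigation discussed in this thread (the opening post's request that a deleted name not be immediately re-registrable, and the configurable cooldown described in the comment above) can be illustrated with a small Ruby model. This is an added example written for this page; it is not code from openstreetmap-website or from #4313, and `NameReuseCooldown`, `DeletedAccount`, `sample_checker` and the in-memory list of deletions are assumptions standing in for whatever the real application stores. The check normalises display names (trim, case-fold) so that trivial variants of a reserved name are caught, reports when a reserved name will become free again, and treats the cooldown length as an operator-tunable value.

```ruby
require "time"

# Constructed stand-in for a persisted record of an account deletion
# (assumption: not the project's schema).
DeletedAccount = Struct.new(:display_name, :deleted_at)

class NameReuseCooldown
  # cooldown_seconds: how long a deleted display name stays reserved.
  # Passed in as a plain value so an operator can tune it, in the spirit of
  # the configurable delay discussed in the thread. The clock is injectable
  # so the behaviour can be tested deterministically.
  def initialize(cooldown_seconds:, deleted_accounts: [], clock: -> { Time.now })
    @cooldown = cooldown_seconds
    @deleted = deleted_accounts
    @clock = clock
  end

  # Display names are compared after trimming and case-folding, so that
  # "Karl535" and "karl535 " count as the same reserved name.
  def normalize(name)
    name.to_s.strip.downcase
  end

  # Returns the Time at which the name becomes available again, or nil when
  # no deleted account with that name is still inside the cooldown window.
  def reserved_until(name)
    key = normalize(name)
    latest = @deleted.select { |d| normalize(d.display_name) == key }
                     .map(&:deleted_at)
                     .max
    return nil unless latest

    release = latest + @cooldown
    release > @clock.call ? release : nil
  end

  # The single question a sign-up form needs to ask.
  def available?(name)
    reserved_until(name).nil?
  end

  # Record a self-deletion so the name enters the cooldown window.
  def record_deletion(name)
    @deleted << DeletedAccount.new(name, @clock.call)
  end
end

# Constructed scenario: one account named "example_mapper" was deleted two
# days before `now`, and the operator has set a seven-day cooldown.
def sample_checker(now)
  deleted = [DeletedAccount.new("example_mapper", now - 2 * 86_400)]
  NameReuseCooldown.new(cooldown_seconds: 7 * 86_400,
                        deleted_accounts: deleted,
                        clock: -> { now })
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 1, 10, 12, 0, 0)
  checker = sample_checker(now)
  puts "example_mapper available? #{checker.available?('example_mapper')}"
  puts "reserved until: #{checker.reserved_until('example_mapper').utc.iso8601}"
  puts "Example_Mapper  available? #{checker.available?('Example_Mapper ')}"
  puts "unrelated_name available? #{checker.available?('unrelated_name')}"
end
```

Because the reservation is keyed on the normalised name and the latest deletion timestamp, a second deletion of the same name restarts the window rather than shortening it, which is the property that stops the delete-and-recreate loop the opening post describes; lengthening the cooldown only requires changing the one value passed in.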