The Case for a User Registration System

There are many reasons to have a localized comment user registration system for Weblogs. The hottest topic at present is to have registration to keep lazy spammers out by raising the barrier to commenting from minimal to slight. I think that advocating comment registration primarily as a spam-stopping solution gives the whole idea short shrift.

I think there are a variety of reasons for having a comment user registration system. I think that they involve security for the commentor user, the ability to edit comments after posting [eliminating double-posted comments as well as grievous mistakes], the ability to have follow-ups to your comment flagged to you for your attention via email, as well as comment-spam stopping. Let me take these ideas on one-by-one.

Commentor User Security

This seems a bit silly, I guess, but let me give a good hypothetical situation:

Say I post comments on Alex King’s Weblog. I submit a name of “Geof”, an email of “gfmorris AT gfmorris DOT com”, and an url of “” with my comments. Alex comes to expect, after a time, that comments with that data triple are mine.

Say someone decides that they hate me and starts posting comments in my name. They haven’t hijacked my computer at all; they’re just posing as me. They appear to be me, and there’s nothing to verify that the comment is from me. Maybe the impostor makes a comment such as, “Hey Alex, I hate you and your assface. Your wife is dog ugly, Tasks sucks, and you should have never been born!”

Alex has three possible choices in his decision tree:

  1. “Geof has lost his frickin’ mind.” Net result: I lose respect in Alex’s eyes. This is a decidedly Bad Thing™.
  2. “Geof was clearly drunk when he posted this. What have I done to piss him off so that he’d get drunk and post on my site?” Net result: Alex spends needless time soul-searching for ways he could have injured me, and there’s a loss of trust in the relationship.
  3. “This has to be some clown pretending to be Geof.” Net result: Alex thinks nothing of it, but starts to worry about comment-spoofing.

In all situations, there’d be an email from Alex to me going, “What the hell, over?” There’d be confusion on my end, and I’d wonder if he was pulling my leg. We’d probably sort it out—Alex is a reasonable guy—but it would be a snookering that would really drive me nuts until we resolved it.

I think it makes sense, in this world where Weblog comments often end up having as much value as the posts themselves, to place the same worth on the comments as you do on the posts. From a logware perspective, you do this by allowing registration for comments. With a user/pass scenario, Alex clearly knows which comments are from me. If someone tries to spoof a comment user-reg-optional system, well, Alex will know that it wasn’t from me. In fact, one could design the comment user-reg-optional system to not allow data triples that are identical to—or similar to, which would be harder, given that you’d have to spend a chunk of time thinking up some regexps to do that for you—registered users.
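One way to screen unregistered comments against registered users' data triples, going past exact matches to near-copies. This is an added example, not code from this post or from any logware it names; the sample users, the lookalike table, the 0.85 threshold and the rule that a collision on any one field counts are all assumptions.

```python
import difflib
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample data: registered (name, email, url) triples.
REGISTERED = [
    ("Geof", "geof@example.com", "http://example.com/"),
    ("Alex King", "alex@example.org", "http://example.org/blog"),
]
# Assumed lookalike table: digits often swapped in for letters.
LOOKALIKES = str.maketrans("013457", "oleast")


def fold_name(name):
    """Reduce a display name to a skeleton so near-copies compare equal."""
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.translate(LOOKALIKES))


def fold_url(url):
    """Compare URLs by host (minus www.) and path (minus trailing slash)."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = re.sub(r"^www\.", "", parts.hostname or "")
    return host + parts.path.rstrip("/")


def impersonates(name, email, url, threshold=0.85):
    """Return the registered name an unregistered triple collides with, or None."""
    n, e, u = fold_name(name), email.strip().casefold(), fold_url(url)
    for reg_name, reg_email, reg_url in REGISTERED:
        ratio = difflib.SequenceMatcher(None, n, fold_name(reg_name)).ratio()
        same_url = bool(u) and u == fold_url(reg_url)
        if ratio >= threshold or e == reg_email.casefold() or same_url:
            return reg_name
    return None
```

A comment that collides would be held for moderation or refused unless the poster logs in as that user.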

I think this is a net benefit to the Weblogger and the commentor user, and since net.kooks have long gotten their rocks off of posing as others, well, it’s to be expected.

A brief aside: when Cliff Young, one of the members of Caedmon’s Call, started posting on our forum, we didn’t think it was him. We were convinced that it was someone posing as him–because we’d had someone try that once. The long-time denizens of alt.books.tom-clancy know the name “Adam Yoshida” to be synonymous with “that ass-clown kid who posed as Clancy that one time and trolled a bunch of folks who should know better with a bunch of text about a supposed new book”. Now, I don’t claim to be famous, but if someone decided to slander me—or anyone else—it wouldn’t be hard!

Comment Editing

I’m sure that you’ve posted a comment on a site and wanted to edit it an oh-no-second later. We all have. We either see the typo, or we think of something more to say–or a less inflammatory way to say it, once we’ve realized that we’re being a punk.

How do you solve this? In first generation commenting systems, you have to post a second comment amending the first, which means that you have two comments where you needed only one. If you’re working with a second-generation commenting system—one with the ability for the Weblogger to edit comments, as well as to delete them due to comment spam considerations—your second comment has a “[Weblogger], if you’ll edit the first comment and delete the second, that’d be great” feel to it. Then [Weblogger] gets to edit it for you—doing your bidding, which takes time—and then posts a comment of their own to note that they’ve made the change.

That’s inefficient to me.

Now, there are some reasonable limits here; you don’t want someone being a clown and then retracting it in a later edit. [I hear some people screaming, “Oh, like Dave Winer would if he could?”] It makes sense to have the comment-reg system note how many times an entry’s been edited, and the time of the last edit. This allows folks who come along later to know that there has been an edit. In a database, this is pretty simple; the logware_usercomments table would have a column that increments on every edit, and you timestamp the last bit. Heck, if you wanted, you could store every version of a comment so that people could roll back the versioning; that’s anal-retentive, but some folks are that way, and we love them for it.
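The edit counter, last-edit timestamp and optional version history described above, sketched with SQLite so it runs as-is. This is an added example, not code from any logware mentioned here; only the logware_usercomments table name comes from the post, and the column names, the comment_versions table and the helper functions are assumptions.

```python
import sqlite3

# Table name from the post; column names and the history table are assumed.
SCHEMA = """
CREATE TABLE logware_usercomments (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL,
    edit_count INTEGER NOT NULL DEFAULT 0, last_edited TEXT);
CREATE TABLE comment_versions (
    comment_id INTEGER NOT NULL, version INTEGER NOT NULL,
    body TEXT NOT NULL, replaced_at TEXT NOT NULL);
-- The database itself bumps the counter and archives the old text.
CREATE TRIGGER keep_history AFTER UPDATE OF body ON logware_usercomments
WHEN OLD.body <> NEW.body
BEGIN
    INSERT INTO comment_versions
        VALUES (OLD.id, OLD.edit_count, OLD.body, datetime('now'));
    UPDATE logware_usercomments SET edit_count = OLD.edit_count + 1,
        last_edited = datetime('now') WHERE id = OLD.id;
END;
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def post_comment(db, user_id, body):
    sql = "INSERT INTO logware_usercomments (user_id, body) VALUES (?, ?)"
    return db.execute(sql, (user_id, body)).lastrowid


def edit_comment(db, comment_id, user_id, new_body):
    """Apply an edit only when user_id owns the comment; return True if applied."""
    sql = "SELECT user_id FROM logware_usercomments WHERE id = ?"
    row = db.execute(sql, (comment_id,)).fetchone()
    if row is None or row[0] != user_id:
        return False
    db.execute("UPDATE logware_usercomments SET body = ? WHERE id = ?", (new_body, comment_id))
    return True


def comment_state(db, cid):
    """Return (current body, edit count, earlier versions oldest first)."""
    now = db.execute("SELECT body, edit_count FROM logware_usercomments WHERE id = ?", (cid,)).fetchone()
    old = db.execute("SELECT body FROM comment_versions WHERE comment_id = ? ORDER BY version", (cid,))
    return now[0], now[1], [r[0] for r in old]
```

Because the trigger does the bookkeeping, an edit path that forgets to update the counter still leaves a visible trail.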

I think this provides another service to the commentor user, and it saves work for the Weblogger.

Comment Followups

I don’t know about you, but I find it hard to keep up with all the comments I make on Weblogs. Perhaps this is because I’m a compulsive commentor who thinks that you get to hear my opinion since you’re not asking me to pay to give it. Now that I use a syndication feed aggregator to read a ton more sites, I don’t follow-up on a few sites multiple times a day to see if I’ve gotten a reply to something I’ve written.

An example: just now, I made a comment on a post my friend Christiana wrote. When I made the comment, the logware she uses sent her an email, notifying her of the comment. [This is common to first- and second-generation commenting systems.] If she replies to my comment with one of her own, who gets the email? She does. That’s … perverse.

Now, she could reply to the email that the logware sent her when I commented and say, “Hey, I replied,” but who wants to do that for every comment? Plus, that only works for one-off comments; if one commentor user replies to another commentor user—rather than to the original post itself—the only person who gets any notice is the Weblogger.

I don’t know about you, but I consider that to be poor software behavior. If good software design is that which allows a user to efficiently use his/her time, then the current generation of comment systems is not well-designed in this regard.

Stemming the Tide of Comment Spam

I think that a comment-reg system has been discussed to death in terms of stopping spam, but let me state some clear objectives:

  • Comment|user-reg needn’t be mandatory. Only really anal Webloggers—potentially including me, heh—will completely close comments to non-registered users. In cases where you leave commenting open to non-registered users, it’s easy to stop comment spam with current techniques–blacklists, disallowing HTML, etc. I think this would keep the bar low enough for non-clowns who don’t see the benefit of [or have privacy concerns about] registration systems.
  • A decentralized system means downtime of the system is localized only to your server, so you’re not doing centralized authorization with a TypeKey-like system [or YACCS, or any of the Blogger comment platforms].
  • A decentralized system also can allow you to do FOAF-ish applications, if you wish. Someone more familiar with FOAF than I would need to address that better.
  • Known spammers are easily culled from the system with one click. You keep the data, and that makes it easier to spot punks.

Known Objections

The objection to comment user registration seems to be, “Why bother? That’s an awful lot of work.” I don’t see it like that. Most commenting systems already do authorization by cookie. How do you handle a comment-reg system? User/pass stored in a hash in a cookie. What’s the net difference? Not much. What’s the net expense to the commentor user? They have to expend some effort at one time to register, and I hope that I’ve shown that the commentor user would get a lot of benefit from that effort.

Comment User Registration in Use

If you’re interested in what a system like this would look like, you should consider perusing Amy’s Domesticat, whose logware, Quarto, has comment user-reg out-of-the box. [No, Quarto isn’t available publicly. I don’t know if it ever will be. Please do not pester my friend for the code. She’ll hammer me for even mentioning it, and then I’ll track you down.]

I would be very interested in comments to my thoughts here. I’ll send you an email to any replies I make. 😉

Nota Bene

Please note that this post has changed names. It was originally entitled The Case for a Comment Registration System. I realized that this was a bad name for two reasons:

  1. It’s semantically incorrect: we’re registering commentors, not their comments.
  2. It lumps me in with the TypeKey solutions of the world, people who think that comment_reg is the savior of the world in comment spam salvation terms–which it’s not.

I also then further considered that what I’m hoping to improve is user behavior. Logware writers have long sought to improve the experience for their *loggers, but past some nice things in the default templates—which the *logger is free to change at their whim!—not much has been done for the end-user–that is, the poor sap reading the log. I think this is worth doing.

Unfortunately, because I don’t want to break permalinks, I can’t change the title. Such is the issue at hand when you use titles to eliminate crufty URLs.

That said, please pretend that it says “user” and not “comment” in both the happy title and your browser’s location bar. I will if you will.

Since I have upgraded to WordPress 1.2, this is no longer a problem, because WP 1.2 uses a post slug to create a cruft-free URL, rather than sanitizing the post title. It’s a better process, and this entry is now appropriately named.

24 thoughts on “The Case for a User Registration System”

  1. I think you make some very good points, I particularly like the idea of being able to put a little [verified] note next to registered comments. This doesn’t hurt occasional users, gives extra weight to registered commenters and gives you a good place to start changing settings if things get out of hand on your site.

  2. Yeah, I think that a gradually-increasing system is the way to go [if this isn’t clear in the text]. I think that the design of such a system isn’t too bad. Execution probably has headaches that I’ve not considered yet, but to be honest, a lot of the ground has been plowed between logware and WebBBS’s.

  3. heheheheheh. Thanks for the props, dearie.

    You know, I’ve heard the incrementing suggestion several times, and I have to admit that I wish I’d written it into Quarto. For, it’s really not that necessary, because I personally know about 90% of the people who comment there. For other sites [include very long disclaimer about how I’m about 98% likely never to release Quarto] where the possibility of retractions-for-evil-purposes is higher, it WOULD be useful.

    Come to think of it, it wouldn’t be THAT hard. Just one little auto-increment field in the db, and an extra variable in the comment-display function.

    You know, if it weren’t for my friends, I don’t think I’d ever write any code.

    …Whether or not that is a compliment is up for debate. 😀

  4. Excellent analysis of many problems. Thanks! I hadn’t thought about how perverse it was that I get an email when I comment on my blog. It is very annoying, but I’ve been ignoring it.

    I REALLY want to be able to block users with the name Prilosec, Viagra, etc. Just blocking by name alone would be a good start.

    Another thought, hide email address and then authorize the post using the email address as a unique identifier. Anyway, I’ll be stopping back to see what else you have to say.

  5. One of the problems with per-user comment notification is that most blogs don’t support threaded comments (ie: commenting on a comment); instead all comments belong to the top-level post. As such, notifying the poster is appropriate. If commenters want to monitor the thread of the conversation, I think RSS syndication is the tool they should be exploring.

    I think any robust blog package should provide a selection of registration options for people. One that I would strongly advocate (and contribute to the development of) is an email-based authentication system, as is used in the phpBB registration process. If a user supplied an email address with their comment, the blog emails that address with a time-limited authorization URL. If the commenter receives the email and follows the link, the blog immediately releases that comment from the moderation queue. If the time lapses without the commenter following their specific authorization link, then the blog owner can moderate the post as they see fit, as normal.

    This could be extended in various ways to monitor the IP address(es) used by commenters. If the name, email address and URI (or some server-supplied cookie, perhaps) all jibe with the values on record in the database and the IP address has been used before with those same credentials, moderation is bypassed.

    I think a modest barrier to entry for new commenters is okay, provided it’s nothing onerous like “signing up” to a site that lacks a clearly defined privacy policy. Once a commenter has “proven” that they’re reliable, the system ought to get the hell out of their way and let them comment.

    Another option would be PGP or GPG keys for “signing” comments. This would ensure that the poster is who they claim to be, because the PGP signature is the hash of the content encrypted by the poster’s private key (I think — public key cryptography still confuses me a bit). I’ve seen a few musings from Phil Ringnalda about this, and I think it has some real value for those savvy enough to be using PGP to begin with.

    Perhaps PGP-signed comments could be edited by the key holder, even.

  6. PGP-signing is certainly an option for many things, certainly. PGP’s never gotten traction in the marketplace, though, despite many folks’ best efforts. We’ll see on that front.

    As for email auth: that’s probably the best system.
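The time-limited authorization link proposed in comment 5 and the login cookie from the “Known Objections” section can share one mechanism: a server-signed token that names its purpose, its subject and its expiry, and contains nothing derived from the password. This is an added example, not code from the post, its commenters or any logware named here; SECRET, the purpose labels and the token layout are assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: random and server-side in real use


def _sign(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue(purpose, subject, ttl, now=None):
    """Return 'payload.signature' binding a purpose, a subject and an expiry."""
    expires = int(time.time() if now is None else now) + ttl
    raw = f"{purpose}|{subject}|{expires}".encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    return f"{payload}.{_sign(payload)}"


def verify(token, purpose, now=None):
    """Return the subject if the token is authentic, unexpired and for this purpose."""
    now = int(time.time() if now is None else now)
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None  # forged or altered
        fields = base64.urlsafe_b64decode(payload).decode().split("|")
        got_purpose, subject, expires = fields
        expires = int(expires)
    except ValueError:
        return None  # malformed token
    if got_purpose != purpose or now > expires:
        return None  # issued for a different use, or stale
    return subject
```

A confirmation link would carry the token in its query string and the cookie would carry it as its value; making a link single-use needs a server-side record, which this sketch leaves out.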
