Anonymity and Accountability

Last week I blogged Kevin Kelly's rant against anonymity. Today I wrote about it for Wired.com:

And that's precisely where Kelly makes his mistake. The problem isn't anonymity; it's accountability. If someone isn't accountable, then knowing his name doesn't help. If you have someone who is completely anonymous, yet just as completely accountable, then -- heck, just call him Fred.

History is filled with bandits and pirates who amass reputations without anyone knowing their real names.

EBay's feedback system doesn't work because there's a traceable identity behind that anonymous nickname. EBay's feedback system works because each anonymous nickname comes with a record of previous transactions attached, and if someone cheats someone else then everybody knows it.

Similarly, Wikipedia's veracity problems are not a result of anonymous authors adding fabrications to entries. They're an inherent property of an information system with distributed accountability. People think of Wikipedia as an encyclopedia, but it's not. We all trust Britannica entries to be correct because we know the reputation of that company, and by extension its editors and writers. On the other hand, we all should know that Wikipedia will contain a small amount of false information because no particular person is accountable for accuracy -- and that would be true even if you could mouse over each sentence and see the name of the person who wrote it.

Please read the whole thing before you comment.

Posted on January 12, 2006 at 4:36 AM • 69 Comments

Comments

JJanuary 12, 2006 6:42 AM

I had started to write something here about eBay and how it allows me to stay anonymous with respect to other nicknames inside the system, even though I am known to eBay "the company," but that that is ok, when I wen off on a tangent about the ratings system. This gave me a new train of thought.

EBay works because the community is self-regulating to a big degree. Anonymous nicknames/handles rate each other based on contact and interactions. The system becomes karma based. With eBay, it's necessary to have a 3rd party know both people's identities because things of recognized value, money, services, or goods, are involved. But you see similar phenomena on places like Slashdot, where users are rated based on their contributions to the community by other members. All information that goes into a user's registration on Slashdot can be fake, but they can still be considered a valued member of the community, with their karma ranking very high, rated "friend" by lots of people, because all that matters is the content they post (this lack of responsibility for a physical thing in the real world is why anonymity to the "3rd party" is ok here). Users who don't contribute to the health of the community are flagged with low comment rankings, their karma goes down, they are marked as "foe" by lots of other users, with the consequence that their low-value contributions are given less weight.

If the community is responsible for itself, then anonymity is not that big a problem, the community will figure out how to route around it in order to survive and survive.

Ian EiloartJanuary 12, 2006 6:56 AM

Hmm, That first comment is taking about "karma based" self regulation. Well, actually that is a form of accountability. I guess accountability lies wherever someone can be made to suffer for bad behaviour - even if that suffering is just in the form of bad publicity.

Now, the question is "what is anonymity?" Well, literally is means "having no name". So, what's a name? Does it have to be a name registered at birth? No, it's just a label that can be used to identify a person. And, identity is actually a fuzzy concept - in that cases of mistaken identity are common, even in the judicial system.

For example, my name doesn't uniquely identify me - there are exactly two of us in the world, I believe. However, if you me me, you'd have a pretty high degree of confidence that I wrote this - assuming I haven't lied about my name.

Anyway, my conclusion is that you can't say "anonymity is bad", or good. In each circumstance, you have to decide what degree of confidence you can have in a person. Knowing that person's real identity can help - but only if you have previous experience of that person's trustworthyness. You can get that in a pseudonymous system without knowing their real name. For example, on Wikipedia, it helps to know that the person who wrote article A also wrote article B. You're unlikely to be better informed by knowing their name and address.

JJanuary 12, 2006 7:11 AM

I was mostly agreeing that accountability is good, but does not discourage the ability to remain anonymous. In these cases, anonymity does not hurt the community because of accountability. EBay management can punish an abuser, but on Slashdot, the other users do it themselves, without the editors and managers having to mod down every troll.

In either case, abusers of the cloak of anonymity are punished, without having their real life identity (which is really all I care about, in this case) revealed to the other people they interact with directly (other anonymous users of the system).

I was agreeing with Bruce that accountability and anonymity are not the same. The Slashdot example is just an example where even the trusted "3rd party" he refers to in the article does not need to know your true identity, because what is being dealt with does not have the same level of value in the real world as what is dealt with in other places, like for example, what is traded on eBay.

Bill P. GodfreyJanuary 12, 2006 7:14 AM

There are several Bill Godfreys out there, so I added an extra 'P' initial to be unique. If I ever want to be anonymous I could just go back to being "Bill Godfrey" again.

Bill, technically "William".

(This isn't a very good comment. Sorry.)

IkesterJanuary 12, 2006 7:20 AM

"For example, on Wikipedia, it helps to know that the person who wrote article A also wrote article B. You're unlikely to be better informed by knowing their name and address"

Right on! In the cyber world, we exist as username "identities". So in a real sense we are not anonymous within the cyber communities we frequent. Call it "pseudo-anonymity" if you will but any cyber community that doesn't maintain it, will have anonymity problems.

Bill P. GodfreyJanuary 12, 2006 7:30 AM

A problem could come when an identity is "disposable". If I can create a sock-puppet alias for myself, I can become indistinguishable from a new user.

To prevent this, the third-party keeper-of-identities mentioned could perhaps charge for membership, or raise the bar for the real-identity checks. Both would have the effect of discouraging new users.

Membership has its advantages?

Ryan ErwinJanuary 12, 2006 7:38 AM

Your comment about having your name on your bank card is a particularly interesting one. I'm living in Shanghai and standard "debit" card doesn't have your name on it anywhere. If you want to use that debit card at a point of sale, the clerk hands you a keypad to enter your 6-digit PIN. Depending on the location and size of purchase, you may also be asked to sign the receipt. You are never asked for identification. Personally, I think the system works great. Accounts here also have the benefit of NOT being dollar denominated...

--Ryan Erwin
Shanghai, PRC

JJanuary 12, 2006 7:41 AM

I feel like I am not on the same wavelength as others here. If there is no way for the person I am dealing with to equate the nick I use on a site with my meat-space identity, then I consider that anonymity. On Slashdot, it is *very* easy to achieve that, since you can hide your identity from the third-party (Slashdot maintainers) as well as the other users. On eBay, the people you interact with in everyday transactions, the people behind other nicknames, cannot do this (at least, to the best of my admittedly limited eBay knowledge -- can user Foo call or write eBay and request the real name and addr of user Bar? I would guess not, but don't know for sure).

wkaJanuary 12, 2006 7:41 AM

From the essay: "For example, I have a credit card in another name from my credit-card company. It's tied to my account, but it allows me to remain anonymous to merchants I do business with."

I would be interested in learning more about his practice. Is this a totally fake name (or perhaps a relative's name)? Which credit-card companies allow this?

Ed T.January 12, 2006 7:48 AM

I am also interested in this "credit card in another name" -- when I present a card, often times I am asked to also show a photo ID, where they match my face to the photo to the name on the ID to the name on the card as an anti-fraud measure. Sounds like this system wouldn't work in your case, Bruce.

-EdT.

ChrisJanuary 12, 2006 9:20 AM

RE: Karma-ranking

Karma ranking only "works" when everyone doing the ranking uses the same criteria to determine the rank. It works on ebay because everyone is measuring the same things -- "did I get my stuff" and "was I paid promptly". There are (generally) no fuzzy human opinions to get in the way of the ranking.

In my opinion it is totally broken on slashdot because of the diverse criteria used to assign mod points. Some points are assigned on idiological grounds, political view points, and some just because the moderator didn't like an unrelated post by the same author. I have to browse at -1 and wade through all the worthless f1rst p0st! comments just to find the interesting tidbits that don't conform to /. groupthink.

As an accountability system, /. karma rankings just don't work.

Alun JonesJanuary 12, 2006 9:57 AM

In a system with no "trackback" from the pseudonym to the original person, karmic feedback can be foiled by simply creating a new pseudonym without any of the detrimental baggage of the pseudonym that has been used in the past to commit fraud.

eBay's system, if it has no trackback to the "meatspace identity", works only to identify those people that have consistently been wonderful. It cannot identify people that are consistently awful, because they can hit the reset button at any time, and will come in as fresh faces. Is that accountability?

pigletJanuary 12, 2006 10:00 AM

"We all trust Britannica entries to be correct because we know the reputation of that company, and by extension its editors and writers. On the other hand, we all should know that Wikipedia will contain a small amount of false information because no particular person is accountable for accuracy --" Now I'm puzzled by that example. Bruce, are you the last not to have heard of the Nature study showing that Wikipedia is about as reliable as Britannica?

I think the comparison is missing the point not only empirically but in principle. Both Wikipedia and Britannica are the result of collective and more or less anonymous work. In both cases, it doesn't matter to the reader who wrote the particular entry. Granted, in Britannica, the author can be traced back and his or her credentials checked but does anybody actually do this?

Both Wikipedia and Britannica are public persons, and in that sense Wikipedia is no more anonymous than Britannica. "Accountability" is attached not so much to a natural person who is held responsible and can be sued, but to the public person, the brand name. It's the reputation of the brand that is at stake, in both cases. Accountability on the level of the individual contributor hardly enters into the equation. What does enter is verification. Both use vastly different verification mechanisms to ensure quality (and thus defend their reputation) - here we have the real difference.

pigletJanuary 12, 2006 10:06 AM

I would add to point to scientific peer review as an example of anonymous verification. Of course, the editor knows both authors and reviewers, but authors and public don't know the reviewers and the reviewers shouldn't know the authors (it has been found that editors' decisions are biased by knowing the authors, or even their country of origin, so in principle, the whole process should be anonymized). The important aspect is not who is doing what, but the fact that it is verified. Similarly, Wikipedia's problem is how to ensure verification, not identification.

AGJanuary 12, 2006 10:29 AM

I have a problem with your whole line:

"completely anonymous, yet just as completely accountable"
"no particular person is accountable for accuracy "

The accuracy of information has nothing to do with who authored it.

raoufJanuary 12, 2006 10:31 AM

There is one main issue that is hinted but not explicitely mentioned in Bruce's article. Namely that anonymity in a digital world does not mean lack of identity but rather a separate identity with corresponding accountability requirements. There is no need for my identity as a library patron be linked to my identity as a grocery shoper or my identity as an Ebay trader or a bank customer.
Each of these are separate identities, which should remain separate.
Incidentally, the last two identities for instance could use better ways of accountability than is the common practise.

AlanJanuary 12, 2006 10:32 AM

Bruce, I agree with a lot of what you say in the Wired article and I'm glad you followed up on my earlier link (in the Kelly discussion) to the Marx articles. However, I'm not sure your quote in the Wired piece accurately reflects Marx's take on the issues. You write "But the benefits of anonymity -- extensively discussed in an excellent essay by Gary T. Marx -- far outweigh the risks." That's a little one sided isn't it? In a section that starts with the quote from a well-known song "...and look out for Mr. In-between" Marx writes, "Easier sung than done. The key issue for ethics and public policy is under what conditions is it right or wrong to favor anonymity or identifiability? As the examples above suggest there are many contexts in which most persons would agree that some form of anonymity or identifiability is desirable. But there are others where we encounter a thicket of moral ambiguity and competing rationales and where a balancing act may be called for." And at the end of the essay he writes: "As the competing rationales discussed above suggest, there are value conflicts (and conflicting needs and consequences) here which make it difficult to take a broad and consistent position in favor of or against anonymity." I'm not sure you get the "balance" any better than Kelly and you don't get Marx's sense that in some areas there are no easy positions for one or the other but just trade-offs of various gains and losses.

AnonymousJanuary 12, 2006 11:07 AM

A karmic accountability system for Wikipedia isn't terribly difficult to create. You'd have to track the number of edits a user has, and how often their edits were altered. The ratio of significantly altered edits to all edits would determine rank (not counting alterations that I make to my own edits). All that's required is a method for determining how significantly a string is altered, plus some arbitrary benchmarks to determine initial scores.

Of course, this only works if only logged users can edit.

CheburashkaJanuary 12, 2006 11:18 AM

If someone creates a wikipedia entry for me that claims I'm a child molester, I want to be able to sue them for libel.

I do not want to rely on the network of wikipedia fans to fix it.

I do not want to spend my time and energy fixing my wikipedia entry.

I do not think I lost my right to sue for libel with the invention of the Internet.

pigletJanuary 12, 2006 11:27 AM

Cheburashka,
if a big tabloid newspaper claims you're a child molester, you can of course sue them. That's really fun, you know, you only need to spend all your time, energy and money on your fight for your reputation and with a bit of luck, ten years later, they will have to retract their false claims. Of course, you then will have lost your job, your friends, your spouse, your reputation, but at least, they are not anonymous, they can be sued!

If the same happened with Wikipedia, you would have to log into the internet and correct the article yourself. Now that would really be a hassle! Let's all agree that libel courts are a much much better solution!!!

Kevin KellyJanuary 12, 2006 11:45 AM

All,

Kevin Kelly here.

I am heartened by the vigorous response to my brief essay for Brockman's "What is your dangerous idea?" question, both by Bruce as well as the many comments here and in the earlier blog post. I'll reply in this thread simply because it is the most current.

There was a severe misunderstanding in so many comments that I can only attribute that to my lack of making my point clear, so I will retry more forcefully.

I believe anonymity is essential. It is vital to a healthy society and market. Without the option of anonymity I believe a society would be less than optimal. Indeed I would fight vigorously to keep the option of being anonymous as an essential part of any society. It is both humane and wise. In this way I consider anonymity to be an essential and necessary element of society. (I thought that was clear from my essay, but gauging from Bruce's remarks and the comments of others, it was apparently not.)

At the same time I think there can be too much anonymity exercised. When it becomes a default option it posions the community. This is what I meant by saying it is like a rare-earth metal: essential in small doses but toxic in large doses. My argument was not against anonymity but against too much of it.

What do I mean by anonymity? An untraceable, unaccountable, undistinguishable agent. Someone who engages in an activity cloaked in the identity of the tag "anonymous." I do not mean a vendor in a vegetable market whose name you do not know, because that person is both distinguishable and potentially traceable. I mean people who post using anonymous.

Again, I see no problem with posting anonymously as long as the overall incidents of it remain small in the larger system. But it is a problem of the commons, and this is my point in the essay.

Eveyone should have the right to being anon (or grazing on the lawn), but if everyone exercises that right the commons is diminished. Rather than regulation, I think the rememdy is a cultural ethic that declares that anonymity should be kept to a minimum because it is a claim against the commons. We all have a right to the commons, but we all have an obligation to minimize the exercise of that right.

I believe a healthy society keeps anonymity as low as it can, without removing the option.

I thought I said all this in my essay, but perhaps others can point to me where I misspoke.

ShuraJanuary 12, 2006 12:10 PM

Quoting anomyous:

"A karmic accountability system for Wikipedia isn't terribly difficult to create. You'd have to track the number of edits a user has, and how often their edits were altered. The ratio of significantly altered edits to all edits would determine rank (not counting alterations that I make to my own edits). All that's required is a method for determining how significantly a string is altered, plus some arbitrary benchmarks to determine initial scores. Of course, this only works if only logged users can edit."

The basic idea of a "karma" system for Wikipedia is not necessarily bad, I think, but this doesn't work for obvious reasons - it means that those who edit high-profile articles will get punished for it.

Your fundamental mistake is the implicit assumption that subsequent edits somehow "counter" previous edits - that there are two or more parties involved who all try to pull the article in their own direction, and that lots of edits mean that there's a lot of contestion. That may be true on occasion, but in reality, it's more like several parties building something together - cooperation rather than competition.

@piglet and @Cheburashka: I agree with piglet. You cannot have free speech without their being the possibility of it being abused - short of requiring government-issued photo ID licenses for things like buying a computer or connecting to the Internet, you won't be able to prevent someone from writing a libellous Wikipedia entry about you. Get used to it - we live in a world where bad things can happen; but I, at least, am happy to live with these risks if it means that I can live in a reasonably free world where I don't have to live in constant fear of the "Big Brother".

(Of course, cynics would argue that we already do live in an Orwellian dystopia, but I'm not that cynical. Yet.)

LygerJanuary 12, 2006 12:15 PM

@ Kevin Kelly

"I believe a healthy society keeps anonymity as low as it can, without removing the option."

This statement, taken by istelf, can be read to say that a healthy society ACTIVELY takes steps to suppress some arbitrarily-defined "too much" anonymity. Perhaps this could be phrased that: "While a healthy society recognizes a right of anonymity, it recognizes the damaging effects of reduced accountability, and therefore does not foster reliance on that right to maintain a balance of power between competing interests when other, more transparent options are available, and effective." Much wordier, of course, and therefore perhaps unsuitable for shorter essays, but maybe less seemingly anonymity-hostile.

pigletJanuary 12, 2006 12:21 PM

"What do I mean by anonymity? An untraceable, unaccountable, undistinguishable agent. Someone who engages in an activity cloaked in the identity of the tag "anonymous." I do not mean a vendor in a vegetable market whose name you do not know, because that person is both distinguishable and potentially traceable."
Absolute anonymity as in this definition exists almost exclusively only on the internet. I think most of us use a broader definition of anonymity. The fact that people can see my face in a public space does not make me less anonymous.

"I thought I said all this in my essay, but perhaps others can point to me where I misspoke." Your poison analogy is bad rhetorics. Apart from that, your conclusion that anonymity should be kept to the necessary minimum is not borne out by your arguments. Why shouldn't anonymity be the default option that should only be restricted where necessary? Let's looka at an analogous case: would you say that free speech is like a poison and should be restricted to the absolute necessary, or would you say that it should be restricted only if absolutely necessary?

AlanJanuary 12, 2006 12:26 PM

Following on from Kelly's response above, the debate here is where one strikes the balance. I don't think anyone is suggesting that either total anonymity or total identifiability are desirable. Anyone? If we accept that, I think the next thing one might point out is that where one strikes the balance isn't at all obvious.

Ed T.January 12, 2006 12:29 PM

@Kevin,

While I understand (and appreciate) the point you are making, there are several items that come to mind:

1) On the Internet, true anonymity is difficult -- not impossible, but difficult. Who did/said what can often be reconstructed using log files and tracing the path the communication took.

2) However, it is easy to mask your identity (for example, by posting as someone else) because too many people are lazy when it comes to tracking down the originator of a post/email/blog comment, thinking that "since it is written that Joe Blow said it, it must have been the Joe Blow that put those other entries/emails out. Or, that because that person in the chat room claims to be a 13 year-old girl, it must be true, which leads to a look of total shock on the perv's face when he shows up at "her" door to find a news crew there, and his face on the evening news.

3) While this does cause some problems (especially when people post insulting, slanderous, or other offensive things while hiding behind the "anonymous" moniker or the pseudoanonymity of a "handle"), there are mitigating controls (ignore the oafs, or track them down if they say illegal/slanderous things).

4) There are other places in society where "anonymity" (the inability to tie a specific person to a specific action) is essential -- for example, in the process of voting. Society has a right to know that I voted (more importantly, that those who voted were entitled to vote), and to know who received how many votes (to determine the winner of the election), but they have neither the need, nor the right, to know how I (or anyone else) voted in the election.

6) Another area where anonymity is not necessarily a bad thing is in the marketplace. A cash transaction is by its nature an anonymous transaction, with no record being maintained in many cases of who bought what. This is under attack, as more people (in the name of "combating money laundering") want to force records to be kept of each and every transaction, including who the purchaser was. This is leading down a slippery slope, where eventually a Big-Brotherish government could easily monitor all our purchases, and adjust benefits accordingly (for example, by denying certain medical care to those who bought too many fast food hamburgers during their life.)

The real danger with everything being traceable is that people then want to start tracing everything, and many times the end result of all that activity is something that was not foreseen.

-EdT.

LygerJanuary 12, 2006 1:25 PM

@ Ed T.

"This is leading down a slippery slope, where eventually a Big-Brotherish government could easily monitor all our purchases, and adjust benefits accordingly (for example, by denying certain medical care to those who bought too many fast food hamburgers during their life.)"

There's nothing wrong with this, except for the fact that common practice allows agencies to change the rules after the fact. I have no problem with understanding that doing unhealthy things will jeopardize my insurance coverage, as I am making myself a higher risk - but I want to know that up front. This is the REAL problem with a lot of the "Big Brother" scenarios - the idea that your actions will be tracked so that someone can punish you for something that you didn't realize was wrong, or was perfectly acceptable when you committed the act.

A number of people, however want to use privacy as a shield against things that technically signed up for, but the other party didn't have the means at the time to make stick. But the idea that just because some clause of a contract, freely entered into, was impossible to enforce when the contract was signed doesn't mean that it should never be enforceable. Using privacy as a means of ducking responsibilities that we freely chose to take on reduces our accountability - and we have no more or less right to be unaccountable than anyone else does.

Mike SherwoodJanuary 12, 2006 1:50 PM

@Lyger

Being able to collect a large amount of data that's currently unusable allows for changing the rules after the fact. If you have the data, you can wait to process it until it becomes cost effective.

For example, if you're speeding and don't get caught, there's no penalty. I would venture to guess the majority of drivers speed on a daily basis. Now, what if it were possible to assess fines for every one who ever sped over their lifetime? That changes the rules substantially. Right now, the only penalty is if you get caught, which is pretty much when you're doing it. If you get nailed a few times, you might stop doing it. Of course, if you're only told many years later that you'll be fined for all of that, you have lost the choice in the interim.

There are those who would say the solution is "don't do that", but speeding is just an example of a currently unenforced law. We have thousands of laws on the books that are not enforced for any number of reasons. If those suddenly became enforceable, and a significant number of them had fines attached, it suddenly becomes very cost effective to go back and find out who should be fined.

pigletJanuary 12, 2006 1:51 PM

"There's nothing wrong with this... A number of people, however want to use privacy as a shield against things that technically signed up for, but the other party didn't have the means at the time to make stick."

And if they put a clause into the contract that they can monitor your sex habits, there's nothing wrong with that either, "in principle", as long as it's black and white? I wonder where you get that bullshit from. Privacy is a Right.

LygerJanuary 12, 2006 2:07 PM

@ Mike Sherwood

And...?

The idea that "you can't catch me in the act, so I have the right to get away with it" isn't enshrined anywhere. Not all crimes, you'll remember, have a statute of limitations. But, technically, we can change that. There's nothing keeping us from pressuring our political establishment from placing a SOL on minor traffic that makes them expire after one month. (Or, in places with binding initiatives, putting the rules on the books ourselves.) Then it no longer becomes cost effective for local authorities to keep the data on people's driving speeds. I would say that our own perceived helplessness in the face of institutions is a larger threat to us than the institutions themselves in any number of cases.

But I actually disagree that being able to punish someone using a previously unenforcable rule is the same as retroactively making something a punishable offense. The fact that an activity is hard to detect and sanction should not, in and of itself, grant it de facto legality.

Ed T.January 12, 2006 2:10 PM

@Mike,

The scenario you refer too isn't that far off. As more of the roads become toll roads, and as more of these require "EZ-Tag" auto-pay devices (essentially RFID tags on the windshield), and as traffic monitoring agencies use these tags to measure the speed, the day gets closer when the cities, becoming more cash-strapped, realize these data bases are a cash cow waiting to be milked. (Remember, speed can easily be measured if you know the distance between two points, and the time the object passed each point.)

The penalties for speeding (and red-light running, and other such nefarious activities) are calculated, in part, based on the probability of getting caught. When getting caught is pretty much automatic, the penalties no longer represent the same risk they did earlier, and in fact could quickly bankrupt the individual -- this is one of the reasons I oppose the use of red-light cameras. Besides, if the goal of traffic enforcement is to stop bad behavior, then being notified of the offense several weeks after the fact (when the ticket comes in the mail) is totally ludicrous -- after all, when you get stopped for a violation, you tend to be really, really careful -- at least for awhile (at least, I do.)

Ed T.January 12, 2006 2:19 PM

@Lyger,

"But the idea that just because some clause of a contract, freely entered into, was impossible to enforce when the contract was signed doesn't mean that it should never be enforceable."

Yeah -- however, in far too many cases the idea of "freely entering into" a contract is a sick joke. Try buying a house in the Houston TX area, built in the last 30 years, that doesn't come with a set of "deed restrictions" that resembles a small novel in size -- and includes such things as "you can't paint your house without getting a committee's approval of the color" -- I can tell you, you won't find one.

Also, the case about medical care I was referring to didn't necessarily mean "insurance company" -- there are folks advocating that people who engage in "risky lifestyles" (smoking, overweight, eat fast food, don't exercise) be denied certain types of medical care period -- even if they can afford to pay for it themselves. (I remember hearing that this was being proposed, somewhere in the UK.) In this instance, things we have no control over (if your parents said "we are eating at McDonald's", could you have stopped them when you were a kid?), we could end up being held 'accountable' for.

-EdT.

pigletJanuary 12, 2006 2:26 PM

The last few comments are way of the mark. Lyger is arguing that any privacy intrusion is acceptable if it is somehow justified by a law or contract. What he misses is that:

- Privacy is a right, there is a limit on how much it can be restricted, even if it were for a legitimate reason. Restrictions must be legitimate, necessary and proportional. In the example given, monitoring all purchases of an individual just to find out whether they eat hamburgers is obviously and ridiculously disproportionate.

- Businesses cannot be allowed to dictate contract conditions as they please. They must respect the basic rights of their customers. Don't say that you can refuse to sign. The client often doesn't have a choice, as is the case in the health insurance business, which is why there must be strict regulations.

LygerJanuary 12, 2006 2:27 PM

Say, Mr. Kelly...

Why talk about privacy at all? Why not: "I believe a healthy society keeps UNACCOUNTABILITY as low as it can, without removing the option." After all, celebrities escape punishment all the time for things that would send us peons to jail - often for a long time, and everone knows that they were guilty - but their fame accords them a certain level of unaccountability for their actions.

Piglet's analogy still holds - would you say that unaccountability is more poisonous to society and should be restricted to cases where it is absolutely necessary, or would you say that it is more nutritive, and therefore should be restricted only when absolutely necessary, given that we understand it to be both simultaneously? (Sorry that I elaborated your idea a bit, Piglet. Forgive me if I broke it.)

But more to the point of this weblog, however, since one of Mr. Schneier's common points is that "security through obscurity" isn't a particularly great idea, it seems that "unaccountability through anonymity" wouldn't be an ideal standard either, but rather a last resort.

pigletJanuary 12, 2006 2:37 PM

"unaccountability through anonymity"

Nobody has been advocating that. What you fail to grasp is that there isn't necessarily a connection between the two. You haven't even begun to discuss the question how accountability can be promoted, Lyger, and neither has Mr. Kelly. The next thing then would be to recognize that accountability implies standards to which the individual is subjected. One reason why we have free speech (to come back to my example) is the sheer difficulty of agreeing on those standards.

LygerJanuary 12, 2006 2:41 PM

@ piglet

But contracts of adhesion (one so imbalanced in favor of one party over the other that there is a strong implication it was not freely bargained) are already illegal - but the rules are not enforced. Taking steps to eliminate the factors (like lack of enforcement) that make such contracts legally and financially viable are better than allowing (or forcing) individuals to decide whether or not they should be allowed to break a contract.

But one thing... Your comment concerning health insurance implies that health coverage is so important and expensive that companies can't be allowed to bar people from coverage based on their own bad habits. That strikes me as more an issue with the health care system, rather than the insurance system. If acceptable, everyday activities can lead to problems so expensive that the average person can't be expected to be able to pay to mitigate them, we've got a HUGE problem on our hands... (and I think that we do... but that's outside the scope of this blog...)

LygerJanuary 12, 2006 3:05 PM

@ piglet

"What you fail to grasp is that there isn't necessarily a connection between the two."

Oh, come on now, really. Just because I can articulate a concept of "unaccountability through anonymity" doesn't mean I think that there's ALWAYS a connection. Just like items can be obscure without being secure and vice versa, people can be unaccountable witout being anonymous - I said as much in the comment you were replying to. Just because we don't see eye to eye on this (or sometimes, have simple semantic differences) doesn't make either of us stupid, you know.

And to the degree that PRIVACY can be defined as "being able to do something in public, without risk of sanction, because nobody knows exactly who did it," then it does entail an element of "unaccountability through anonymity." And there are any number of privacy advocates who post here.

geesh...

By the way... universal accountability is not the answer... just because someone performs some given action, doesn't mean anyone should care. One shouldn't be called upon to justify every little thing they do.

Marc A. PelletierJanuary 12, 2006 3:17 PM

"If acceptable, everyday activities can lead to problems so expensive that the average person can't be expected to be able to pay to mitigate them, we've got a HUGE problem on our hands"

The problem is insurers *claiming* you present additional risk by doing X. The interest of insurers is to _not_ pay claims. The problem is if they can go into your past to find some nit to pick to avoid paying you, they will.

You're presuming that insurers would forbid a list of "bad things" and just look backwards to enforce that list-- what will happen is that they will look backwards and construct the list from what they see.

That's always the danger with data collection. Someone *will* find a use for that data you hadn't anticipated, and wouldn't have agreed to at the time. What if some future governement decides that readers of "Beyond Fear" are subversive elements and decide to go back in time and see who ever bought that book?

Likely? Maybe not. But having the data lying around makes it possible, and increasingly likely as time passes.

No putative gain in statistical correctness for insurers can possibly be worth that risk. Except for the insurers, of course.

RvnPhnxJanuary 12, 2006 4:11 PM

@Lyger
"But I actually disagree that being able to punish someone using a previously unenforcable rule is the same as retroactively making something a punishable offense. The fact that an activity is hard to detect and sanction should not, in and of itself, grant it de facto legality."

So we should have to explicitly declare things legal for them to be so? Or do you want to stick with the currently common system of something being legal until it is declared otherwise? While you can't technically seem to have it both ways only a very few areas of ones life are truly affected by any prohibition on "ex post facto" determinations of correctness.
The fact of the matter is that while something may not be legal many systems of law require that evidence be available a priori to the determination of actual guilt, and that the law under which that guilt shall be determined be in place prior to the gathering of such evidence. This is not a limitation with applies to the civil sphere however (as opposed to the system of crimial courts and such).
So, what are we left with in the end? Would you not agree that we are better off under system where activities are legal until declared otherwise (without requiring an explicit sanction from the powers that be)?
Remember, I am not saying that just because you didn't get caught means that you didn't do something wrong--I am drawing a very fine line here. The problem here is that in most systems of law actions are legal in a de-facto manner--unless agreed upon otherwise, and without respect for how one may get caught.
Do you really think that legality of an action should hinge on the ability of a third party to monitor that action? (I doubt it, but I hope you can see why I ask.)

CheburashkaJanuary 12, 2006 4:15 PM


if a big tabloid newspaper claims you're a child molester, you can of course sue them. That's really fun, you know, you only need to spend all your time, energy and money on your fight for your reputation and with a bit of luck, ten years later, they will have to retract their false claims. Of course, you then will have lost your job, your friends, your spouse, your reputation, but at least, they are not anonymous, they can be sued!

If the same happened with Wikipedia, you would have to log into the internet and correct the article yourself. Now that would really be a hassle! Let's all agree that libel courts are a much much better solution!!!

At what point in time did we decide to give up being a democracy and let computer programmers decide what rights people have and what relief they're entitled to?

You have your opinion of the court system and I have mine (yours is naive and, frankly, just wrong), but one thing you do NOT have is the right to take away my right to make such decisions for myself.

pigletJanuary 12, 2006 4:49 PM

Lyger: "Your comment concerning health insurance implies that health coverage is so important and expensive that companies can't be allowed to bar people from coverage based on their own bad habits."

I didn't say this, and I'm not discussing health insurance any further because it has nothing to do with the subject of this discussion. What I am certainly saying is that companies can't be allowed to monitor the purchases of their clients, whether it be to track hamburgers or whatever.

pigletJanuary 12, 2006 4:54 PM

Lyger: "And there are any number of privacy advocates who post here."

Thank goodness there aren't only trolls in this thread.

Jack C LiptonJanuary 12, 2006 5:01 PM

Note that I'm posting this under my "assumed identity" to provide a disconnect between my "real life" and "virtual life".

Some of the people who have tended to want to manage a level of anonymity are those who write adult/erotic stories in order to provide a level of "plausible deniability".

Granted, if the authorities decide to unmask everyone (as has happened to penet.fi some years back to deny the ability to anonymously redirect mail for reasons that aren't clear at the moment) then that ALONE provides a level of intimidation.

If we all have to wear a placard that provides full identification with a list of all of our predilections and peccadillos that everyone we pass on the street can see, right there we have an example of a means to "enforce conformity" and weed out those who choose to exceed any narrow standards established via "consensus" (even if projected by a small minority).

We, as a people, tend to advance when non-conformists are *not* shunned or otherwise punished for thinking new thoughts. (Granted, a lot of the "popular culture" seems to stigmatize an ability to think and create.)

LygerJanuary 12, 2006 6:51 PM

@ RvnPhnx

I agree with you completely. So, let's change what I wrote to read thusly: "The fact that an otherwise illegal activity is hard to detect and sanction should not, in and of itself, grant it de facto de-criminalization."

BusybodyJanuary 12, 2006 6:56 PM

piglet "Thank goodness there aren't only trolls in this thread."

Pot. Kettle. Black.

LygerJanuary 12, 2006 7:56 PM

@Marc A. Pelletier

'What if some future governement decides that readers of "Beyond Fear" are subversive elements and decide to go back in time and see who ever bought that book?'

Piglet's going to start screaming "Troll!" again, but he/she can kiss my ass.

My point is this. I never want to be in a situation where the only way that I can protect my own security is for no-one but me to know what I'm doing. I have no problem with a right to privacy. But HAVING that right and ENFORCING that right are two very different things, and just because something is illegal doesn't mean that people don't do it - even in broad daylight. Therefore, I don't want to have to RELY on that right to be secure. If the majority of the population decides that everyone who's ever read "Beyond Fear" is going to be taken out and shot, those readers are screwed, no matter WHAT laws are in place, if they're detected. I don't want to be in a position where I have to be suspicious of everyone I speak with, who can actually tell someone else about me. Jack C Lipton is right to note that we're much better off "when non-conformists are *not* shunned or otherwise punished for thinking new thoughts." And I perfectly understand that until that day comes about, we're better off - in the here and now - with more privacy than less.

But we shouldn't entrust our security to our ability to be sneaky, or other people's ability to keep secrets. Yep - sometimes it's the only option you've got. That doesn't make it a GOOD option, so I prefer to work for better ones - even if it costs me something.

What keeps everyone who reads "Beyond Fear" safe from everyone else is their apathy. I would rather that everyone know I read the book, and nobody care, than everyone care that I read the book and nobody know. So, I will advocate the former over the latter, because the former is more secure. Yes, what people don't care about today could be the trigger for mass hysteria tomorrow. But I could get hit by a car tomorrow (and, driving on 405 every morning makes that a very real possibility) and no longer be in any position to care.

If a police officer comes to my door, and says that they're looking for evidence of a crime that I didn't commit, if I trust them, they get to come in. Hell, I'll even offer them a drink. And I don't want some privacy-rights activist in my face later that day screaming about how I should be acting like I never trust anyone. Because if the police can't act openly in doing the job we demand of them, they'll act in secret. Because even if we tell them they can't be secretive - if they're better at it than we are - we'll never know. And I'd rather know what they're up to, than always have to be looking under the houseplants for microphones.

peachpuffJanuary 12, 2006 8:27 PM

@Kevin Kelly
"I thought I said all this in my essay, but perhaps others can point to me where I misspoke."

That blank space at the end, where you didn't mention any of this new stuff about cultural remedies and unaccountable, indistinguishable, agents.

None of that was obvious, partly because it's wrong. Bruce has now written an article about how anonymity is not the same as unaccountability, and most people consider obviously fake names to be anonymous even when they are distinguishable.

Besides, you started your rant with a reference to technological tools and how they affect privacy and anonymity. Then you said that anonymity should exist in "vanishingly small doses" because it's needed by "the occasional whistleblower, or persecuted fringe." Put together, that's a pretty clear call to write anonymity out of the system and let people who don't like the system eke by outside it.

Anonymous DaveJanuary 12, 2006 8:41 PM

Ther was an incident on ask mefi that started back in November that should be absolutely fascinating to anyone interested in online identity, anonymity and ebay fraud:

http://ask.metafilter.com/mefi/27155

Short version: poster asks a question claiming to be victim of fraud. Observant community members get suspicious and realize the poster actually IS the scammer. Members do some amateur detective work to expose his identity and alerted his victim to the thread.

pigletJanuary 13, 2006 8:02 AM

"If a police officer comes to my door, and says that they're looking for evidence of a crime that I didn't commit, if I trust them, they get to come in."
You might consider putting a sticker on your door "police always welcome". Oh, wait. "If I trust them". You think it's up to you to decide what the police may or may not do? You're funny, guy.

"And I don't want some privacy-rights activist in my face later that day screaming about how I should be acting like I never trust anyone." Yeah, those screaming activists. How annoying they can be. Especially if they exist only in your fantasy.

"Because if the police can't act openly in doing the job we demand of them, they'll act in secret." The "job we demand of them" is to get a search warrant if they want to search your home. That's it. It's the law. Not too complicated to understand, and no connection whatsoever to our discussion of "anonymity". Just trolling, and that's why I'm leaving it here.

Bruce SchneierJanuary 14, 2006 2:35 PM

"I would be interested in learning more about his practice. Is this a totally fake name (or perhaps a relative's name)? Which credit-card companies allow this?"

It's actually easy to get a credit card in another name. I learned this some years ago, when my stepdaughter went on a trip to Mexico. I wanted to give my wife a copy of my credit card. I called my credit card company, they asked me for her name, and they sent me a credit card in her name with my number. That's it.

In another life, I write restaurant reviews. So I keep another copy of my credit card, with my credit card number, in a random name.

So my advice is to call your credit card company and ask that they send you a card in whatever name you like.

Bruce SchneierJanuary 14, 2006 2:39 PM

"Bruce, I agree with a lot of what you say in the Wired article and I'm glad you followed up on my earlier link (in the Kelly discussion) to the Marx articles. However, I'm not sure your quote in the Wired piece accurately reflects Marx's take on the issues."

My intention wasn't to paint Marx as 100% pro privacy. I tried to use his essay as a reference for the various benefits of privacy, and not to imply that he makes the same trade-off as I do. I admit that my sentence "But the benefits of anonymity -- extensively discussed in an excellent essay by Gary T. Marx -- far outweigh the risks" could have been better phrased. Maybe I should have said "But the justifications for anonymity...."

Bruce SchneierJanuary 14, 2006 2:41 PM

@ Kevin Kelly

Glad to have you here.

"I believe a healthy society keeps anonymity as low as it can, without removing the option."

I see your point, but I think I disagree. But I'm not sure. It all hinges on the definition of "as low as it can." My guess is that you put that line far lower than I do.

Scott GoodwinJanuary 15, 2006 12:40 PM

Your argument is spot-on; unfortunately people blur these two together and make assumptions about causation that are fallacious. Another argument that highlights this issue: your credit rating. The only reason a creditor needs to know your identity is so they can look up the credit history associated with that identity. The identity itself doesn't matter, and if they could look up the credit history associated with you as an anonymous person, it would serve the same purpose of accountability. The fact that identity thieves, who obviously aren't you, can steal your identity shows the fallacy that knowing your real identity is needed: they aren't you, yet you are made accountable for their actions in your name. So even when identity _is_ known, it doesn't actually serve as a means of accurate accountability.

/s.

Stephan EngbergJanuary 15, 2006 2:40 PM

Hi Bruce,

As often, an excellent article. only see the need to comment on one point. But this is a critical issue.

When you make accountable annonymity, you assume that you have to use a "trusted third party" !?

Even though, I clearly agree that third parties needs to be involved, the question is how to avoid or minimize the need for trust !!!

Microsoft Passport and other gatekeepers are the model problem. If these entities are the only ones with knowledge to link transaction, they accumulate real and unimaginable power.

But since I dont the necesity of such third parties to be designed in such a way, why not merely ensure accountable anonymity for normal value-creating transactions as the default to build trust.

As Bart Preneel often say: If you dont have to trust it, you can.

Back in 2002, I made a presentation addressing these issues at the EU IST Conference in Copenhagen. Its online here.
http://www.obivision.com/Papers/...

There are plenty of challenges, but surely we want to leave our children a better world.

Randy FischerJanuary 15, 2006 3:12 PM

Here's a quote from the Boston Globe,
http://www.boston.com/news/globe/ideas/articles/...
which is an article previewing the forthcoming book, ''Who Controls the Internet?"

I enclose it because the quote contradicts Bruce's claims of eBay's reputation system being enough to ensure the safety of its buyer and sellers. Can't wait for the publication of the book.


- quote starts -

For example, what do you think protects eBay customers from fraud? Is it the much-lauded ''feedback" system that lets buyers and sellers rate one another's trustworthiness-the feature the columnist and globalization guru Thomas Friedman says has made eBay a ''self-governed nation-state." Or can you shop on eBay safely for the same reason Friedman can walk New York streets without getting mugged: American laws and American cops?

In fact, Goldsmith and Wu observe, eBay's ''level of integration with and dependence on law enforcement is remarkable." The company employs hundreds of internal security experts, who mine data for suspicious patterns of activity and alert US officials when they detect scams. Indeed, eBay has found it can't operate in countries-like Russia-without strong legal systems.

pigletJanuary 16, 2006 8:16 AM

"The company (ebay) employs hundreds of internal security experts, who mine data for suspicious patterns of activity and alert US officials when they detect scams."

Very interesting. Once again, the important thing is verification, not identification. Observe that this costs a lot of money, but ebay can't afford not to pay it - its business model depends on its reputation. Wikipedia doesn't make money and can't afford to hire factcheckers, so it has to rely on verification by community effort, which works reasonably well but of course not 100%.

Andrew PhillipsJanuary 16, 2006 8:53 AM

Another issue here, I think, is the extent to which the interactions of users
are influenced by their reputation. In a community where the ability to conduct
profitable transactions depends strongly on trust, a positive "public image" is
of immense value, and the consequences of a tarnished image suitably adverse as
to provide a strong disincentive to carrying out unacceptable actions. As you
note, as long as this reputation is linked to the "trading identity", it is
essentially irrelevant whether this be an artist's pseudonym, an eBay users
handle or one's real name.
However, in most communities there are certain scenarios in which the punishment
of ostracism is insufficient: the payoff from one "bad" action - a bank heist, a
massive fraud - may be sufficient for you to risk the loss of your reputation;
certain acts may be regarded as so "morally" unacceptable that additional
punitive measures are deemed necessary etc.
It is in these cases that anonymity becomes a means of evading punishment, and
in which a link to the "real" identity, on which the punishment is usually to
be inflicted, seems to be necessary.

As regards the discussion of Wikis in this context, the key difference, to my
mind, is that, in contrast to the examples of eBay or the "real world", a
contributor's reputation is of minimal value. Apart from the fact that the
reliability of the author is not readily apparent to the reader of an article,
developing and maintaining an image of trustworthiness is of little benefit as
the author does not stand to gain from having his or her articles believed or
cited. The main, perhaps the only disincentive to those with the time and
inclination to lie is that mendacity carries a considerable social stigma:
being branded a liar is not "good for business".
However, having the image of a "throwaway" identity tarnished is not a problem
if, in the absence of a history and, hence, a trail of accountability, it is
easily replaced with another. Here, then, one might argue that the risk of
social stigma would be a more effective deterrent if linked to a "real"
identity. Given the likelihood of ever coming into contact with a fellow
contributor to a system as large as Wikipedia, though, I personally would
regard that as debatable...

pigletJanuary 16, 2006 9:35 AM

"Here, then, one might argue that the risk of social stigma would be a more effective deterrent if linked to a "real" identity. Given the likelihood of ever coming into contact with a fellow contributor to a system as large as Wikipedia, though, I personally would regard that as debatable..."

Social stigma is a very effective deterrent in a tribal society. In the modern society, its effectivty is very limited and this was true long before the internet. However, one gets the impression that many posters (not least Kevin Kelly) who insist on the adverse effects of anonymity still have a tribal society in mind. The tradeoff between anonymity and accountability simply isn't as you believe. Disclosure of identity has almost no value to the average member of the internet "tribe". Only powerful impersonal entities, i.e. governments and corporations, can effectively leverage it as an instrument of control.

DavidJanuary 18, 2006 11:02 AM

"More anonymity is good," is a dangerous idea [Kevin]
and, although
"Anonymity will not kill the Internet" [Bruce]
I believe
"The price may be too high" [David]


Bruce, I agree with you when you say that the real issue is not anonymity, but accountability. You also make the point that accountability has historically been tied to identity, even though what name a person uses generally does not matter. However, you then claim that while the pseudo-anonymity offered by a pseudonym may provide protection from other individuals, it cannot protect you from those -such as the government or big business- who have the resources and power to uncover your true identity. Consequently, you see (true untraceable) anonymity as the only option we have.

I beg to differ. I believe that the price of allowing truly anonymous communications on the Internet may be too high. Why? Well, for one thing, those in positions of power could also avail themselves of anonymity, effectively making them unaccountable for (at least some of) their actions. More importantly though, because accountability is so fundamental to the well-being of society, we must not sacrifice it, lest we risk our individual freedom and even survival. My article, "Anonymity on the Internet: Why the Price May Be Too High" (http://portal.acm.org/citation.cfm?doid=505248.505267) argues this in more detail.

We need accountability precisely because we live in a less than perfect world, and this means we must not allow truly anonymous communications. In today's (western-style) societies, privacy is also important for the very same reason, though it is clearly not a necessity for societies in general.

pigletJanuary 18, 2006 12:20 PM

"The price may be too high"
Definitely: your article must be purchased. Why don't you just tell us why "the fabric of our society is at risk" from anonymous internet communication, and what you suggest to save the civilization?

pigletJanuary 20, 2006 12:12 PM

Here's an ironic twist to our anonymity discussion: Wikipedia Germany was temporarily shut down by a court order because in an article about the hacker Tron, who died mysteriously in 1998, they reveal his true name. His parents sued to protect his, and their, right to remain anonymous. So is this a victory for anonymity, against anonymity? What would Kevin Kelly have to say? ;-)

http://www.theregister.co.uk/2006/01/20/...

John David GaltJanuary 21, 2006 12:57 PM

[I've ignored previous comments because I receive Bruce's material on the mailing list rather than the blog, and wrote this as an e-mail reply.]

Bruce Schneier wrote:
_EBay's feedback system doesn't work because there's a traceable identity behind that anonymous nickname. EBay's feedback system works because each anonymous nickname comes with a record of previous transactions attached, and if someone cheats someone else then everybody knows it._

I beg to differ. Without that traceable identity behind each nickname, the accountability would disappear, because anyone who wanted to engage in cheating on Ebay would simply use a throwaway Hotmail or Yahoo account to create an Ebay account for that transaction. This is why both Ebay and Paypal require all sellers to register a bank account with them -- and insist on verifying it -- before allowing them to act as sellers.

And of course, Ebay or any other commerce site could similarly cheat and get away with it if the site owner's own identity were successfully kept hidden.

Ultimately, all e-commerce requires that it be possible, in principle, for police to drag any participant into court and make him answer to the law. (Or at least, some equivalent mechanism of accountability such as depositing a bond with an escrow agent who himself IS police-accessible is an absolute necessity.)

The proof of this, on several levels, can be seen in what kinds of commerce already work on the net and what kinds don't. Many businesses that have tried to operate on the net, including perfectly legal ones such as tobacco sellers, have been successfully shut down merely by the government persuading a few big names in the banking industry to stop providing those businesses with needed services. Meanwhile, the "crypto anarchy" people have uniformly failed to successfully create any kind of anonymous e-currency or anonymous marketplace, precisely because the would-be "trusted third parties" who would operate them have all made themselves unaccountable (either through anonymity or by making their potential customers sign away the right to use the law to enforce obligations against them) -- and he who is unaccountable is inherently untrustworthy.

_Similarly, Wikipedia's veracity problems are not a result of anonymous authors adding fabrications to entries. They're an inherent property of an information system with distributed accountability._

They are living proof of the fact that the democratic voting process is not reliable as a source of truth. The Wikipedia controversy has nothing to do with anonymity, except that anonymity may be what's protecting the author of the contested material from being sued for defamation.

_Historically, accountability has been tied to identity, but there's no reason why it has to be so. My name doesn't have to be on my credit card. I could have an anonymous photo ID that proved I was of legal drinking age. There's no reason for my e-mail address to be related to my legal name.

This is what Kelly calls pseudo-anonymity. In these systems, you hand your identity to a trusted third party that promises to respect your anonymity to a limited degree._

I agree that pseudo-anonymity does not make one untrustworthy, precisely because traceability is preserved. Of course, any such system carries with it "moral hazard" on the part of the trusted third party. Ultimately no "pseudo-anonymous" person can be more accountable than the TTP who holds the secret of his identity, since any legal process which attempts to hold the "pseudo-anonymous" person accountable requires either getting the TTP's cooperation or having the police compel the TTP to divulge the information.

_In a perfect world, we wouldn't need anonymity. It wouldn't be necessary for commerce, since no one would ostracize or blackmail you based on what you purchased. It wouldn't be necessary for internet activities, because no one would blackmail or arrest you based on who you corresponded with or what you read. It wouldn't be necessary for AIDS patients, members of fringe political parties or people who call suicide hotlines. Yes, criminals use anonymity, just like they use everything else society has to offer. But the benefits of anonymity -- extensively discussed in an excellent essay by Gary T. Marx -- far outweigh the risks._

I am convinced that technology is headed -- permanently -- in the direction of making it easier to find things out and harder to hide them. Even the privacy of the contents of one's brain will soon fall, as scientists unlock the chemical information-storage code of the brain. Thus ultimately, any effort to preserve anonymity is doomed to failure. So I suggest, instead, that we start enacting laws to deal with the hazards which make anonymity useful for rightful purposes. For instance, it needs to be illegal for an employer or landlord to discriminate against you based on your sexual practices or whom you associate with or what political party you belong to, because it will soon be impossible to prevent those people from learning those things about you.

_In Kelly's world -- a perfect world -- limited anonymity is enough because the only people who would harm you are individuals who cannot learn your identity, and not those in power who can.

We do not live in a perfect world. We live in a world where information about our activities -- even ones that are perfectly legal -- can easily be turned against us. Recent news reports have described a student being hounded by his college because he said uncomplimentary things in his blog, corporations filing SLAPP lawsuits against people who criticize them, and people being profiled based on their political speech.

We live in a world where the police and the government are made up of less-than-perfect individuals who can use personal information about people, together with their enormous power, for imperfect purposes._

That is certainly true, and governments have shown time and again that they are not to be trusted. The only solution -- if it can be done -- is for enough people to insist on minimizing the scope of government that it can finally be done. (I have in mind something along the lines of the "Common Economic Protocol" in Stephenson's "The Diamond Age".)

_Anonymity protects all of us from the powerful by the simple measure of not letting them get our personal information in the first place._

And if that kind of anonymity were ever going to be possible again -- which I believe is unlikely -- it would be a very mixed blessing, both for the anonymous individual and for those who might want to do business with him. Certainly I would want to be paid in advance if I sold him/her anything.

John David GaltJanuary 21, 2006 1:04 PM

Some paragraphs of the preceding item were quotes from the original article, but your blog software seems to have silently eaten my HTML "italics" directives. Please fix.

rodmarJanuary 19, 2011 1:21 PM

"The problem isn't anonymity; it's accountability."

"EBay's feedback system doesn't work because there's a traceable identity behind that anonymous nickname. "

"Historically, accountability has been tied to identity, but there's no reason why it has to be so."

"The security of pseudo-anonymity inherently depends on how trusted that "trusted third party" is.
Pseudo-anonymity is only limited anonymity."

"Anonymity protects all of us from the powerful by the simple measure of not letting them get our personal information in the first place."

I belief that anonymity is the best mechanism to achieve privacy in the online world, protect against repression, and achieve freedom of speech.
But I also belief that individuals should be held accountable for any misbehavior that they perform online, although I don't agree with the argument that the only way to achieve this is by completely removing online anonymity.

At some point I was confused by your position in this post. Do you belief that we should have unconditional anonymity on the network? Or do you think that we should also be held accountable for any misbehaving action that we perform online? And if so do you think that it is possible to have accountability without any kind of traceable identity system?

Because in my opinion if you want accountability you will always have to rely on a trusted third party, which can ultimately be coerced by government or other entities into revealing a given identity, completely undermining the purpose of the anonymity system.

Clive RobinsonJanuary 20, 2011 12:32 AM

@ rodmar,

"I belief that anonymity is the best mechanism to... ...achieve freedom of speech."

It is one way to allow for freedom of speach, another is to have freedom of speach enshrined in law (1st Amendment etc)

"But I also belief that individuals should be held accountable for any misbehavior that they
perform online"

For an individual to be held to account they must be identifiable in some way, thus it would appear you are arguing for freedom of speach enshrined in law.

However you go on to say,

"although I don't agree with the argument that the only way to achieve this is by completely removing online anonymity."

If an individual has full anonymity then they are free to act in anyway they chose within the limits of the communications channel they use. That is they can behave in a way others regard as irresponsible and the only way to sensure them is by putting up counter argument and alowing others to make their own judgment.

If however you wish to take action against the person because they have commited some kind of offense to "society" that is covered by statute, then you have to be able to identify them to the degree required by the statute.

It used to be the case that under criminal law the "burden of proof" was "beyond reasonable doubt", and civil law worked to the much lower standards of "reasonable probability". Now post 9/11 in many cases the level for criminal prosecution has dropped to at best "reasonable probability" and in civil cases the assumption is now the "accused" is guilty be default and has to prove their inocence beyond any doubt.

The original levels of "burden of proof" where set for the very reasonable reason that there was a massive imbalance between the power exercisable by the state and the individual.

However the change has alowed the state to excercise "whim" not "justice" that is they can now look at your "free speach" and say it has "terroristic intent", they can look at your legaly owned possessions and say your possession of them indicates "terroristic intent", they can look at where you have been and say your choice of journy indicates "terroristic intent", they can look at your places of edducation and say they indicate "terroristic intent", they can look at your hobbies and social interests and say they show "terroristic intent", even the choice of what you read can be said to indicate "terroristic intent".

In effect they can look at your entire life and any where you have excercised andy choice they can construe the choice you have made as indicating "terroristic intent". Even if you try to show that you had no such intent they will bring in "experts" to show you are "in their opinion" lying. And because these experts are supposadly impartial your only defense is to bring in your own experts at your own expense, whilst also (through your taxes) also pay for the prosecution against you.

This procedure is known as "Stripping of Rights" and we see it being employed more and more not just by state actors but those with commercial interests based on deciving the public (see various cases brought before Justice Eady in the UK, or google "simon singh" and "British chiropractic Association").

Thus the only two defences an individual of limited resources has against this is either to "do and say nothing" or to "do and say things anonymously".

Even the right's people thought they had (1st amedment) have been chipped away (see "shouting fire" in a crowded place and later cases).

It is either "full anonymity" or no "free speach".

And sadly as we are finding there is no anonymity in the modern world where you with your own imperfect records have to be able to demonstrate against the might than vastly superior resources obtains which says it has "found patterns" that "positively identify you" according to their "expert".

And even if you do keep perfect records they will still be able in those things that when presented a certain way will make you look guilty.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..