Schneier on Security
A blog covering security and security technology.
« Data Mining and Amazon Wishlists |
| Friday Squid Blogging: Promachoteuthis Sloani »
January 5, 2006
Kevin Kelly on Anonymity
He's against it:
More anonymity is good: that's a dangerous idea.
Fancy algorithms and cool technology make true anonymity in mediated environments more possible today than ever before. At the same time this techno-combo makes true anonymity in physical life much harder. For every step that masks us, we move two steps toward totally transparent unmasking. We have caller ID, but also caller ID Block, and then caller ID-only filters. Coming up: biometric monitoring and little place to hide. A world where everything about a person can be found and archived is a world with no privacy, and therefore many technologists are eager to maintain the option of easy anonymity as a refuge for the private.
However in every system that I have seen where anonymity becomes common, the system fails. The recent taint in the honor of Wikipedia stems from the extreme ease which anonymous declarations can be put into a very visible public record. Communities infected with anonymity will either collapse, or shift the anonymous to pseudo-anonymous, as in eBay, where you have a traceable identity behind an invented nickname. Or voting, where you can authenticate an identity without tagging it to a vote.
Anonymity is like a rare earth metal. These elements are a necessary ingredient in keeping a cell alive, but the amount needed is a mere hard-to-measure trace. In larger does these heavy metals are some of the most toxic substances known to a life. They kill. Anonymity is the same. As a trace element in vanishingly small doses, it's good for the system by enabling the occasional whistleblower, or persecuted fringe. But if anonymity is present in any significant quantity, it will poison the system.
There's a dangerous idea circulating that the option of anonymity should always be at hand, and that it is a noble antidote to technologies of control. This is like pumping up the levels of heavy metals in your body into to make it stronger.
Privacy can only be won by trust, and trust requires persistent identity, if only pseudo-anonymously. In the end, the more trust, the better. Like all toxins, anonymity should be keep as close to zero as possible.
I don't even know where to begin. Anonymity is essential for free and fair elections. It's essential for democracy and, I think, liberty. It's essential to privacy in a large society, and so it is essential to protect the rights of the minority against the tyranny of the majority...and to protect individual self-respect.
Kelly makes the very valid point that reputation makes society work. But that doesn't mean that 1) reputation can't be anonymous, or 2) anonymity isn't also essential for society to work.
I'm writing an essay on this for Wired News. Comments and arguments, pro or con, are appreciated.
Posted on January 5, 2006 at 1:20 PM
• 121 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"The advantages of anonymity grow linearly with the population; the disadvantages grow with the square of the population." --Shirky's Law
You might point out how the argument about Wikipedia is totally bogus. It's not a failing of Wikipedia that allowed that bogus information onto that page. It's the failing of the people that took the information is reliable without checking into it. Everyone reading Wikipedia should know that it's (was) edited anonymously, and thus could contain any amount of false information.
I think it is a matter of semantics.
You say anonymity is essential for free and fair elections, but I have never had a truly anonymous vote in an election. It is, like Kelly says, pseudo-anonymous.
The officials have a record that I went to vote. They even wrote down what ticket I used to punch out the card with. That part of the election process is definitely not anonymous.
I cannot vote unless I prove my identity and eligibility to vote (not anonymous).
One can also argue that no two perforated cards will tear in the same way and so with careful (albeit tedious) examination a determined individual can find out what card I used to vote and therefore find out my vote after the fact.
I believe one of the points he is making is that what he calls pseudo-anonymity is "good enough" anonymity for most things.
Anonymity and privacy are not antonyms.
We speak of anonymity in the context of privacy because electronic anonymity is a method for advancing privacy by making electronic data collection more difficult.
Kelly's opinion of anonymity is correct. The solution is to limit electronic data collection and archiving - privacy - not anonymity.
Maybe one of the relevant questions is "anonymity in whose sight?"
Often anonymity debates present anonymity as nobody else knows. But, in day to day life, there are many situation where one is not seeking such total anonymity, where one may want one or a few people to know one's identity but that info goes no further.
Yes, I realise this getting into blurring anonymity, privacy, and confidentiality. Yet some of the force of the "anonymity" debates come from the hint that it's all or nothing. No surprise that the debates can get stormy as some perceive the vacuum of accountability while other see a fishbowl existence.
"Anonymity is essential for free and fair elections"
I don't know where you vote, but I always have to show a drivers license and sign a book next to my name. I'm never anonymous. My actual vote is unmonitored, however. In the context of this discussion, I'm not anonymous, but my actions within a specific set of parameters are free and unmonitored (i.e. I can select one of 2 or more candidates, write in a candidate, or select none. However, hitting the machine with a sledgehammer is not allowed, regardless of how I feel about the total lack of worthy candidates)
I don't know that I agree with Kelly, but I understand the context.
I can see where he's coming from. If I hand the girl at the hardware store my credit card, I want my identity confirmed, at least momentarily, and an acurate record of my bill transmitted to my credit card company.
What I don't want is a complete and undying record of my purchases going straight to the desk of some insane bureaucrat who is likely to decide that, since you need Trisodium Phosphate to make explosive X, we need to round up all the people who bought Trisodium Phosphate in the past few months and ship them off to Syria for an "interview".
Anonymity isn't just failing to give a name, it can be giving a false name. For example, I've had an alias on various BBS's that I've used since 1990. I used that as my login name on many unix systems since then. There are some people who only know me by my real name, others only by my alias, and some know both. My reputation in real life is tied to the experiences those people have with me, not with my name. Likewise, online my reputation is tied to interpretations of what I have to say. There are only a handful of people I regularly interact with online and in real life outside of work.
Case in point, how would anyone here know if this is my real name? I've met Bruce in person, but even if he were to remember my name or face, there is nothing that ties those to postings on this blog, since that was years ago.
The one point about Kevin's essay I find interesting is that I've never fully believed in anonymity being necessary. Being able to create a persona that does not readily tie back to me is good enough for me. Then again, I've heard of how people can figure out by sequence numbers on ballots correspond with which voters, so I don't believe that system is truly anonymous against a motivated and resourceful attacker.
I'm with Knowler on this one - anonymity is specifically a bad idea when it comes to free and fair elections, because it would mean that one person would have as many votes as he or she chose to exercise. Free and fair elections, on the one-man/one-vote principle absolutely require that there be a way to recognise whether one man has voted before.
The "dip your finger in the ink" solution used in many areas where literacy is relatively uncommon sounds great, but leads to an obvious denial of service attack (either by subterfuge or force, I paint your finger with ink on election day, and viola - I have disenfranchised you; there are similar attacks on identified voting - threaten to fire or hurt someone if you see them attend the polling station, for instance; one 'fix' is to mandate attendance on polling day)
The solution that has worked well for many countries, for many decades (centuries, perhaps) is to maintain a secured place in which votes are made and stored, and require as price of entry the identification of an individual with the right to vote. Thus there is no anonymity, but the vote is fair because a vote cannot be tied to a specific individual (except in some logically obvious cases - if only one person votes for you, you can be pretty sure that it was you, and you should be calling your 'friends' and 'supporters').
When you think of anonymity, picture someone parachuting out of a high-flying aircraft in loose-fitting clothes and a ski-mask. You don't know who that is, or where they come from, or even their gender. If that person votes, do you have free and fair elections? If hordes of such anonymous arrivals vote, is your election free and fair? How do you know it's not the same person, over and over?
I would also like to add that pseudo-anonymity is essential for fair elections.
If I were not required to prove my eligibility before voting, I could go to another country, bring a thousand visitors in and pay them to vote for my favorite candidate or issue. The indelible ink on the finger method can only prevent me voting multiple times. Only a verification of my identification then verification of my eligibility can prevent that kind of fraud.
Verification of identity also helps preventing the election fraud where political candidates recruit homeless people from the street, feed them, and pay them to vote for a specific candidate.
Two hundred years ago, most people in the USA were anonymous to the state and federal government level but were known at the county level.
Devils advocate here:
Anonymity is essential for free and fair elections.---> I've made unanswered arguments here before that anonymity guarantees that elections can never be validated. The right to anonymity should be exercisable just like the right to be silent or the right to a jury trial.
It's essential for democracy and, I think, liberty. --->Just not true, the arguments that anonymity is needed for democracy all revolve around the belief we live in a lawless land. What about this statement "It's essential for democracy that the police be able to pursue criminals.", but doesn't the criminal have a right to anonymity in your world view?
"It's essential for democracy that the medical health community be able to warn of a spreading plague." but doesn't the Aids patient have a right to anonymity in your world view?
It's essential to privacy in a large society, and so it is essential to protect the rights of the majority against the tyranny of the majority...and to protect individual self-respect.--->Individual self-respect has nothing to do with anonymity. If your cannot stand behind your words and action what sort of self respect do you really have?
"I don't even know where to begin."
Begin by explaining what anonymity is and isn't. People who agree with Kelly seem to have strange ideas about what anonymity is.
Game theory should play a role in the appropriate mix of privacy/anonymity that works well for society. If you lie, it is beneficial, if you are anonymous and remain so, but the rest of society is penalized.
The system of society becomes stronger connected but also more rigid the less the fudge factor of anonymity is applied. Similar to noise, an amount of anonymity is probably necessary for an operational society and it depends on the state of society on how much the optimum is. Privacy (to various degrees, on various levels of information flow) helps to channel information and should work similarly to structure the system.
Just food for thought.
Kelly is right: In a perfect society, whithout abuses of power, anonymity is not needed. It is not needed for voting, since no-one would blackmail you, or otherwise influence you unfairly. It would not be needed for whistleblowing, since there is nothing to blow your whistle about. It would not be needed to keep your interest in AIDS drugs secret, since nobody would abuse the power of having that piece of information about you.
We do not live in a perfect society. Information obtained about our (perfectly legal, and not even morally doubtful) activities can easily be turned against us.
Anonymity is an effective countermeasure against other people gaining information about ourselves. It protects us from other people abusing this information, by not letting them get it.
"Pseudoanonymity", as Kelly puts it, is a way of handing over your identity (and the data associated with it) to a trusted party, for example ebay. There's nothing wrong with doing that, and clearly this has a positive effect on your trustworthyness in the eyes of others dealing with you (for example, using the trusted platform as well). It also usually prevents other natural persons from obtaining your identity.
However, it does not prevent more powerful players from getting to you. Anonymity protects us from power abuses from the side of the government, while pseudoanonymity does not. Note that democratic, law-abiding governments are the exception, not the rule.
I'm getting really angry about this stupidly constructed biology analogy. Isn't it nice that whatever point you want to make, you can construct some arbitrary analogy in car manufacturing, sports or biology that fits your intended conclusion and use it to "illustrate" your point?
Well, I think anonymity is like oxygen, or maybe vitamin C for organism. Both are very necessary, and the more of them, the better an organism works, until you cross a (very high) threshold when it starts to become toxic, like everything else (including water). Now whose analogy is the right one? Back to square one please.
I think the voting anonymity Schneier is referring to is the right not to be associated with who you voted for, not the fact that you voted or have the right to vote. The idea is that a candidate's thugs shouldn't be able to pay a visit to all the people who didn't vote for him in the night for a kneecap workover, because they should never be able to get a list of who voted for whom. And it needs to be anonymous (as opposed to merely "confidential") because it is specifically the people who are likely to come into power, and thus most likely to be able to force access to "confidential" information, that should never have access to it.
With regard to the Wikipedia argument by Kelly, the problem has exactly zero to do with anonymity. If Wikipedia required people to identify themselves, that still wouldn't prevent a deluded individual with an axe to grind, or someone who makes an honest mistake about a topic, from entering bogus information into it. All it would do is attach a name to the bogus information, and unless you happen to know the individual, that does you no good in judging the validity of the contributed information.
(Indeed, one could argue that a massive collaborative project like Wikipedia would be HINDERED by requiring identification, since that would discourage a lot of people from contributing, and Wikipedia depends on massive participation.)
The bottom line with Wikipedia is that anyone using it knows (or should know) that it is the result of massive public collaboration, and take that into consideration as they peruse its content.
Anonymity from a different prospective;
Truly dangerous personal often do not realize or care they are dangerous till it is too late.
For instance, the drunk driver often doesn't realize they are not able to drive.
The US Congressman in the news recently who killed the motorcycle rider didn't realize how his low blood sugar affected his driving.
My own grandmother fell asleep and drove off the rode after driving 10 hours.
Now if anonymity was not a rule we would have a computerized traffic monitoring system that could watch for drunk drives, erratic drivers, and drivers that have been behind the wheel for too many hours and Force them to pull over or alert authorities.
I believe this could be applied to virtually any sphere. I use the car analogy this anyone can understand the situations described.
Kevin Kelly has a point if it concerns there that anonymity for many systems is a problem. This does not mean however that it is an insuperable problem. Personal I believe that anonymity a sounder under the Western society and democracy is. This does not want say all that anonymous must be, but for a heap matter is that nevertheless an essential requirement.
For much matter, if for example placing reported on these blog it is not relevant or someone is not anonymous or. The reader must self form an opinion builds on the messages he read.
Concerning Wikipedia I can be short; the point from pdf23ds is a good one.
Privacy and anonymity and trust are things, which are independently of each other, but relations have. In his text Kevin Kelly these sweep points on a hope. That is according to me too easy.
(sorry for my not too best English)
"Anonymity is essential for free and fair elections. It's essential for democracy and, I think, liberty."
I am not sure that is true. In some cases it has value. But voter fraud can only exist in such a world. In truth we can never know if any secret election has ever been a true representation of the voters wishes.
A price for everything.
My two cents go for three «classics» on this:
The Anonymous Fallacy
P.S. To the Anonymous Fallacy
Both generated this answer:
Response to the Anonymous Fallacy
Altought I believe the first two essays are correct (basically, to prove a point) as time passes and I see the uses of anonimity on the Internet I think the arguments on the third essay (the «Response» becames more valid as a general principle. There are exceptions, of course, as you said, for elections and other situations, but for example anonymity is prone to really bad communications (e.g. weblogs, boards, etc.) misunderstandings, trolling and others – all because of the lack of information on the «sender» that is, by default, a «feature» of anonymity.
I really support the conclusion:
"Conclusion: the idea that all statements should be considered in their own right and without the bias of knowing who has authored the statement does have merit, especially as a warning against extreme prejudice. However, removing context from any argument will make it less intelligeable, and knowing who has authored a statement may be part of that context. The main obstacle (which is a consequence of this essential role for contexts) is however a practical one: without the context, many selection mechanisms that are essential for efficiency (and that prevent the regresses mentioned above) will not work."
Wow, way too many things going on in my head in response to that.
The main thing that Mr. Kelly fails to see is that in a democracy such as ours where we have representatives to voice our opinions; it is useful if not essential that the people whose voices are being represented remain anonymous. Now, on the other hand the people responsible, namely the representatives, must not be anonymous. They should be held accountable so they can be scrutinized and trusted.
If we lose our ability to remain anonymous as individuals, by everything we do on the internet being tracked or phone calls being recorded or even our actual movements being tracked etc., how are we able to disagree with the ruling powers. Hell, the patriot act allows one to be detained indefinitely (I believe) on grounds that you may be a terrorist. So say you sympathize some with some of the beliefs of a group that may be a terrorist organization, but by no means condone the groups actions or even all their beliefs. Now if you don't remain anonymous you will be flagged as terrorist. Wow imagine if this happened to our founding fathers, where would we be today?
It's ridiculous, in a perfect world maybe you could get away with it, but not here. I'm sorry I just don't trust the government enough to say here are the keys to my private life do as you will. Am I doing anything wrong or against the law no, but who knows I may have said something at one time or went to some meeting somewhere that is deemed suspicious, now I'm screwed because I couldn't do it anonymously.
This is not Soviet Russia this is not China. If we lose our anonymity it will be worse than both. For who will be left to even be able to say anything against the powers that be, fearing if they do they will be punished?
I'd agree that people are confusing confirmation of identity with anonymity (or more accurately indiscernability) of the choice. People may be very happy to have their identity confirmed, but not correlated.
Perhaps it would be better if rather than providing people with a identifying token like a passport, providing them with a zero knowledge proof mechanism instead. This would essentially allow someone to prove their identity to a verifier, but not to allow that verifier to be trusted by anyone else. This would hopefully allow them to discern the difference between people but not correlate them with anyone else you happen to prove your identity to...
One final point I'd like to make is that blades are necessary. Preparing food, eating food, working with materials, constructing objects would be very difficult without blades. Blades can also be used to damage, destroy and kill. It is not an attribute of the blade as to how it is used. It is not the case that a certain number of blades in the world is ok, each and every instance of a blade has the potential to be used for good things (like whistleblowing) and bad things (like false accusation). The biological analogy just doesn't fit. I'm not sure the blade one does either, but at least it highlights a different perspective...
I have never read such a mismash of unfocused quasi-metaphoric non-arguments in my life as this essay by Kelly.
One extreme end of the privacy spectrum is anonymity. The other is full disclosure of personal information. There is nothing wrong with any position along the spectrum, as long as you are there by complete informed consent. The problem is that almost no one currently is completely informed, and therefore, almost no one can really consent.
Better, therefore, to err in the direction of caution, which is to say, anonymity.
In general I think that anonymity is not the best perspective. Privacy is. Problems arise when unauthorized people can correlate different kinds of information--e.g., for a whistleblower, correlating the complaint to a real name, or, for a voter, correlating the real name (known from the list of registered voters) to a vote. So what society needs is not the right to anonymity as such, but the right for each person to present different pseudo-identities and to control the ability of people to correlate between them. Examples of pseudo-identities are not just whistleblower and voter, but also patient, employee, consumer, etc. And when we receive information from a pseudo-identity, in the general case we need to be able to obtain as much information about that pseudo-identity as its owner permits, so that we can judge how seriously to take the information (thus for Wikipedia we need to know whether the information was contributed competely anonymously, or by somebody with some reputation at stake, though I have no good ideas as to how that could be presented in practice).
"People who agree with Kelly seem to have strange ideas about what anonymity is."
Bingo. I am tempted to call this trolling. Use some common sense. Nobody has advocated the absolute anonymity strawman some of you are building up just for the sake of contradictoriness. I always vote anonymously, in the sense that is relevant here. If you prefer, call it "pseudo-anonymity" but that is really beside the point for this discussion.
"Like all toxins, anonymity should be keep as close to zero as possible." Bullshit. The metaphor kills any meaningful discussion. What Kelly could have justifiably said is that there are situations when anonymity is not desirable. Still, I would maintain that the option to stay anonymous should always be available unless identification is required for compelling reasons, and in these cases, the intrusion must be limited to the minimum and privacy and confidentiality must be protected.
> However in every system that I have seen where
> anonymity becomes common, the system fails.
This is close to the classic management problem, "if everybody owns the problem, nobody owns the problem", but not quite the same. What he's talking about is being unable to determine who owns the problem.
I agree that a completely anonymous (ie, no identification, authentication, or authorization mechanisms) system is unworkable, and that a great many interpersonal relationships require trust.
But completely anonymous systems are really rare (wikipedia is one example, but how many others are there, really? Most systems require some sort of identification or authentication).
I can set up a yahoo! mail account anonymously, but once I start using that mail account, or tie it into accounts on some web site, etc.... I'm establishing an identity. And nobody can easily hijack my yahoo account, so at the very least people who know me as "firstname.lastname@example.org" can have some level of expectation that nobody *else* is "email@example.com".
> There's a dangerous idea circulating that the option of
> anonymity should always be at hand, and that it is a noble
> antidote to technologies of control.
This is an interesting point - in a sense easy anonymity is a dangerous thing. However, put it in the context of the beginning of his article:
> "At the same time this techno-combo makes true anonymity in
> physical life much harder."
Isn't this a much bigger problem right now? Messing with wikipedia or sending millions of spam messages is pretty minor compared to the massive invasions into the average citizen's *real life* privacy...
>>Kelly's opinion of anonymity is correct. The solution is to limit electronic data collection and archiving - privacy - not anonymity
But this is exactly the situation that can never be achieved. If information is there it WILL be archived regardless of legal restrictions. And there will be those who are convinced that it would be a waste to 'throw away' the archived data.
The ONLY way to protect privacy is at the user end, personally controlled anonymity being a powerful tool for that purpose.
Excuse my ignorance. But who the hell is this Kelly that his opinion about anonymity is relevant to me?! ;-)
By the way: an intellectual writing such nonsense ("gequirlte Scheisse" in German) would be intellectually dead in Europe. Rest in peas, Kevin! :-)
"to protect the rights of the majority against the tyranny of the majority..."
I think you meant "minority" there, but with either word it's a true statement. =)
"By the way: an intellectual writing such nonsense ("gequirlte Scheisse" in German) would be intellectually dead in Europe."
Schoen waers. Leider wird in old Europe genauso viel gequirlte Scheisse losgelassen. But you are right - who the hell is this Kelly? Bruce, was that necessary???
"I don't know where you vote, but I always have to show a drivers license and sign a book next to my name. I'm never anonymous."
You're confusing 2 different things. Is there any way that I can find out who you voted for? No. Therefore your vote was anonymous. This is completely different from showing ID before being *allowed* to vote. I don't think anyone here is against proving that you are eligible to vote, as long as no record of your actual vote is kept that could be linked to you.
Anonymous: you can't identify me later.
Confidential: you promise not to identify me later.
The problem with merely Confidential is that the information about identity exists, and so it can be abused, lost, etc. That is, the promise can be broken.
The strength of Anonymous is that the information simply doesn't exist, so there's no possibility of the promise of Confidentiality being violated.
If Pseudonymous (having a pseudonym) can bring the strength of Anonymous to bear on the problem of Confidential, then I'd say Pseudonymous wins. But if it can't, then Anonymous should win.
Privacy and anonymity are inseparable. If you cannot be anonymous in certain transactions then you cannot have privacy.
Choicepoint's Derek Smith is fond of contrasting today's society to the small town past, where every member of a community knew everyone else. He uses that to justify the immense store of information that Choicepoint holds on all of us.
One fallacy in that analogy is that in the small town past, the familiarity was reciprocal. How much do average people know about the people at Choicepoint who hold such extensive information about everyone else?
Consider also that there is no parallel in the small town past for the monopoly of information that Choicepoint possesses, nor for the extent of that information, nor for the capability to mine that information to gain an unjust advantage, or to suppress and control.
There is not much the average person can do to protect himself from this. Occasional anonymity may be of some value in this regard, but the occasional nature of it is a fatal flaw.
An interesting perspective on the purposes an anonymity can be gained from the Babylonian Talmud Kiddushin 40a 6 lines from the bottom, where it offers the opinion that someone who can't control themself from sinning should seek the cloak of anonmity.
I find it interesting that the author in an article arguing against the value of anonyminity also feels compelled to use the phrase "dangerous idea."
Anonymity is beneficial to assassins and voters. Lack of anonymity only works against a voter. Replace assassin and voter with any good/bad guy and the results are the same. Knowing that I am who I am is a lot different than knowing who I voted for, my favorite type of underwear, my choice in pr0n movies, religious affiliation, number of original teeth in my head, etc.
That's a good one, random. In fact, it is important to note that in cases when complete anonymity cannot be maintained, pseudonymity is often a second-best solutiion. Privacy isn't an "All or nothing"-question.
Rereading Kelly's "dangerous idea" essay, I started thinking about his concluding paragraph and its assertion: "Privacy can only be won by trust, and trust requires persistent identity, if only pseudo-anonymously."
Is that the "only" way privacy can be won? It leaves out the matter of context for privacy and with whom we earn trust. What kinds of "privacy"? (I run into examples of micro-communities -- such as the Amish and some Chasidic sects -- where the members have little privacy but the group has much larger privacy of a communal sort.)
One more thing. I just can't resist asking in jest about Kelly's reference to anonymity being a "toxin": Are there toxicological studies on anonymity? LD50s and other data?
"Egads! Half the rats in this cage are dead already and we used only .001mg/L anonymity!"
Wikipedia is not an anonymous system. I have an ID, and a password that I use to authenticate my changes. It is possible to make anonymous changes, but the change itself is marked clearly as an anonymous one. Trust in Wikipedia pages grows as more people spend more time improving them and validating their accuracy. Look at any "featured article" (there 846 of them according to http://en.wikipedia.org/wiki/Featured_article)
On the other hand, there is an ongoing Cleanup Taskforce seeking bad pages and fixing them. It's recent status:
"... there were 11328 articles tagged for cleanup as of 15:14, 03 December 2005 (UTC). This means that we are working on an astounding 1.336% of Wikipedia's articles".
The question of anonymity is closely tied to the notion of role, to get the discussion from encyclopedias back to computer security. When I go into the library to read a book, I should be expected to provide identity sufficient to justify the role I am playing. If my role is to read books and the library makes books available to the general public, I should only have to justify that I'm a person. If I want to take a book home and the library lends books only to individuals in my County, I should have to show that I'm a County resident, and present a library card differentiating me from everybody else in the County. The fact that Librarian is my neighbor and knows that I usually read the Science Fiction and Computer Security books is true, but there is no role where this level of information is needed.
The troubling privacy concerns, that drive the desire more widespread anonymity, is the case where some folks are looking to escalate my role into a new role without my knowledge. They are looking for folks in the "terrorist" role, without a sound definition of the role that can be externally determined. They have some flawed (actually dubious or silly) indicators for the terrorist role, like you are interested in explosive chemicals. They don't want to expose their indicators, by having a "terrorist only" section of the library, as this would lead to ridicule of their ineptitude. Rather, they would like to troll up a lot of data and see if anything interesting is collected. We once called this the "Crosstabs All" method of statistical research (read a 1970s SPSS manual if you don't get the ancient reference). You find nothing this way, but you use up a lot of CPU cycles and give every appearance of working hard. It's a classic case of "agenda" where they need to show action rather than improvement.
I prefer not to interact with such folks, as they cause a lot of confusion and I like a more calm life. So, I pay cash for items and avoid identifying myself where I can. I'm not a terrorist, just a libertarian.
The mathematics of the situation should appeal to a cryptographer. There are several steps of identity that it becomes important to prove:
1. Identity itself is a rather nebulous concept. I have several identities, some of which will later be possessed by someone else (those are frequently referred to as roles, and tied to my identity as a person, but are just as frequently assumed to be my identity). Revealing your identity, and tying it to something, is perhaps the greatest threat to privacy. This form of identity should not be required for voting.
2. Identity as a member of a group is important to prove - in the election scenario, that would mean that you are able to demonstrate that you have the right to vote.
3. Identity as a counted member of a group is the next step that is required for voting, to ensure that each person who has the right to vote is only voting once in each race.
4. Identity of vote - this is harder still to evaluate, but is necessary to ensure that ballot-stuffing and ballot-hiding cannot occur. It ought to be possible to determine that "the voice of the people" is the same as the numbers revealed as the ballot count.
We're entering a period where mathematics looks like it might be up to the task of investigating these problems and finding solutions. I'm not quite smart enough to see the solutions myself, but I like to think that I'll be able to recognise them when they do appear.
At present, our voting system requires proof (or claim, in some precincts) of identity number 1 - who you are - in order to assert identity number 2 - that you have the right to cast a vote. A tally of primary identity is maintained in order to keep the third identity issue under check, to make sure you have not previously cast a vote (would elections change if votes could be recanted or recast later in the day?).
As for identity issue 4, the check that the numbers express the will of the people, that seems to be where most systems break down completely. The best systems to date appear to be the hand-written paper record, where it is incredibly difficult to produce forgeries in a quantity sufficient to throw the vote (except in close races) while still making the records look sufficiently different from one another to fool a dedicated observer.
Electronic voting systems that record only a count completely foil any assertion that an election can be monitored for accuracy, and fraud can only be detected when the will of the people is significantly overturned. A close election can be easily subverted using such a system without any chance of detection.
As a last note, many of the cryptographic solutions I've heard suggested to date fall down either by making it possible for an individual to manufacture several keys for themselves (thereby voting multiple times) or for an individual to verify in which way they voted (thereby offering the chance of fraud by bribery / coercion, which is currently protected against by keeping the ballot secret, so your briber / coercer cannot tell whether or not you followed their wishes)
The problem with anonymity, particularly online, is the potential for a single person to have unlimited identities. That removes responsibility because the consequences of any actions are directed not toward the user, but toward the user's identity. People think, "I can do what I want, because no matter what happens, I can always become someone else."
Think, for example, of voting or ebay. Both are anonymous, and both are SAFER because they're anonymous. However, both only work because each identity represents exactly one person.
I like the idea of anonymity. I consider myself a libertarian, and I'm fully aware of the value of anonymous speech in a free society.
However, I've worked in and around the internet antiabuse industry for going on seven years now, and as a practical matter, any truly anonymous system on the internet rapidly becomes a magnet for abuse. Behind every large-scale usenet troll is an anonymous remailer. Most email spam is sent from trojanned end-user machines that drop fully-anonymizing proxies that hide the spammers' origins. And as noble as the motivation behind the EFF's TOR project are, I'll eat my hat if child pornographers aren't using it to distribute some of the wrongest filth ever created.
Personally, I don't see a way for the internet to have both anonymity and some means of accountability. Ultimately, someone needs to be accountable if crimes, torts, harm to society, or even just harm to the net are taking place.
This was an old argument that had gone 'round and 'round a dozen times long before the first day I walked into a large internet provider ops room in 1999. If you've got an answer, I look forward to it.
From the article:
> "However in every system that I have seen where anonymity becomes common, the system fails."
I would like to see examples of such systems that have failed. Many systems do move toward pseudo-anonimity, but that is a far cry from being a complete failure.
> "Privacy can only be won by trust, and trust requires persistent identity, if only pseudo-anonymously."
True, trust does require identity. But that identity, by his own confession, does not have to be your full, real-life identity. I can trust something as long as I can identify something. It does not matter what goes on behind that identity, however, as that does not concern me. All I need is a front that I can recongize, the back can lead anywhere as it is of no concern to me *where* it leads to, but rather I am merely concerent *that* it does lead somewhere, where ever that may be. (This is not necessarily true for everyone, as some people have legitimate need to know your physical person. For example, the IRS probably isn't content just knowing your pseudo-name.)
> "In the end, the more trust, the better."
This statement requires qualification. As it stands, this is not true whatsoever. The correct statement would be: "The more *earned* trust, the better." This is not minor nit-picky word play, it is the basis of security.
More trust != good. Trust is useless, actually it is destructive, unless it is placed in the *correct* entity. If you cannot validate that the entity you are trusting is trustworthy, the more trust you bestow to them the worse off you actually are.
Thus, the issue at hand here is NOT about distributing trust, but rather about earning that trust. And that's where Kelly makes his biggest mistake, I believe. He concentrates on how much trust is being distributed, when in reality he should be focusing on what efforts are made to gain trust. Look at how to earn it, not distiribute it. I believe that when a given party has proved themselves worthy of receiving trust, the appropriate amount will fall naturally to them. They need not worry about how much trust they are receiving, but rather how trustworthy they are making themselves. When someone/thing is trustworthy enough, they will naturally recieve about as much trust as they are due. In other words, I believe that if you take care of the means, the ends will self-rectify.
Who is Kevin Kelly?
Kevin Kelly was an editor to the Whole Earth Review.
Kevin Kelly runs the cooltools mailing list. (http://www.kk.org/cooltools/)
Kevin Kelly appears to enjoy travelling and is involved with "the Long Now" if anyone is aware of that project.
Why does his opinion matter more than that of anyone else? It doesn't. But he probably has more readers than most of us. I find some of his ideas very interesting, even when I disagree with them. In this case I think both Kevin and Bruce have interesting points and would probably argue with both of them in some respects.
Yes, anonymity is important. Yes, anonymity is dangerous. Where the balance point should be is the real question. Where does anonymity start being more dangerous than useful, and is that where it should balance.
The argument against anonymous voting is that it is unverifiable. At no point can you guarantee that the outcome of the elction was not altered.
> We once called this the "Crosstabs All" method of statistical
> research. You find nothing this way, but you use up a lot of
> CPU cycles and give every appearance of working hard.
Ain't that the truth. Germane to the Data Mining thread as well.
Great. Then let's issue mandatory "Hello! My Name Is ..." badges.
The 'toxin level' analogy is flawed. We have resistant strains of bacteria, due in part to our growing use of antibacterial this-and-that; doctors have also considered a causal relationship between playing in a less-than-perfectly-sterile environment (i.e. dirt) and allergies/asthma in adulthood.
Even vaccinations work on exposure to denatured toxins. A zero-toxin approach renders a system ill-prepared for contact with an infectious agent.
In a democracy, we shouldn't have to earn trust. We should be trusted until we prove we don't deserve it.
The privacy/anonymity argument is tired and the two sides are fairly polarised in their views. Beating on it more and more isn't going to do much good. There needs to be a new angle in the discussion.
How about comparing and contrasting accountability and anonymity. The systems which are sited as failing failed because they needed some kind of accountability. The systems that privacy advocates usually use as examples of where privacy should be respected work because there is no need for accountability (in voting, the voters are not accountable to the vote takers).
@ Jennifer Granick
> In a democracy, we shouldn't have to earn trust. We should
> be trusted until we prove we don't deserve it.
Within reason. I hope you're not advocating trusting the general population with access to M-1 tanks or RPG's until they prove they don't deserve it :)
You can be private in your thoughts and stay anonymous to all, but when you start interacting with others, it's esssential that the "other" side know who are they dealing with.
They may choose not to care about your identity, but if they do, i can't see it your right to stay hidden.
Since I greatly respect both yourself and Kevin Kelly (whome I assume is the same KK that runs kk.org) I'd love to have the two of you debate this topic.
The worrying thing about Kelly's essay is the glib notion that "In the end, the more trust, the better".
No. No. No. No. No.
Trust is a dangerous thing. Always.
It is the stock in trade of the confidence trickster and the thief. It is an evil thing. The less, the better.
Remember the security definition of 'trusted'. A thing is trusted if it can cause you harm. Think of brakes, parachutes and safety catches: trust means risk and danger.
The more people you trust, the more con artists you will trust, and the more you will get ripped off.
The whole point of ID checks is to *avoid* trusting people.
> Like all toxins, anonymity should be keep as close to zero as possible.
If think this goes too far.
A minimal level of anonymity is needed (or pseudo-anonymity). Focusing on the Internet use case, when you hit a web site the minimal amount of information that you disclose about yourself is your IP (this can be hidden with anonimizers).
You shouldn't have to give up more information than that until you trust the person on the other end. You don't know what they could do with and you should have to worry about it. Once the other end earns some of your trust you could give more info about yourself (e-mail address, physical location) on the condition that the webmaster will not give out that information.
Anonimity is about not having to give out information (so you don't have to worry about the "wrong people" getting hold of it); privacy is about the information you gave away only being accessed by the "right" people.
With credit cards, you have privacy in that the CC company knows where and much you spent (so they know how the money should flow), but you have anonimity in that the CC company doesn't know what you purchased. Of course you have neither anonimity, nor privacy, with the store that you purchased the things.
With voting, you have anonimity in that the information you gave (the vote) can't (?!) be traced back to you, but you give up a little privacy in that you have to create a public (?) record that you showed up at the polling station.
Going back to web sites, you could be completely anonymous when posting an Anonymous Coward comment on Slashdot to most of the planet, but the fact that your IP is logged on their servers means you're only partially anonymous to the server operators.
Regarding anonymity and voting... I recently discovered that with a quick search on one of the 10-billion-or-so "private eye" sites out there, anyone on earth can find out my wife's name, daughter's name, and everywhere I've lived, down to the town, and in some cases, the street. And for a fee, they can get more.
How? Because I registered to vote, and that made my identity public information.
Four faces of anonymity, at least:
Our system of jurisprudence -- in theory -- relies on the threat of a jury of twelve agreeing that, Fella, you done wrong. The prior anonymity of those twelve -- even if they are later identified -- means if you want to do wrong you'll have to take your chances with the random selection you get.
Another use of anonymity is anonymous tips. Personally, I quit giving any because I know my identity can be traced, at least partially if not completely. The only avenue I would use is a mailing adress I could send a finger-print-free postcard to, but nobody offers them anymore, it's all websites and phone numbers -- or walkins to an 'ombudsperson'. I simply do not trust the authorities not to barter with my identity as their coin to get something they want from somebody.
Anonymity would be proper in the application of the law, since everyone is supposed to be equal under the law. However, as we all know, socio-economic class can be guessed at by visual inspection, so when a cop stops somebody he will know whether (1) the arrest will be off the books and never be reported and (2) the arrest will make the book and the law will be laid down on the poor bastard. If an officer has to see me and know who I am and where I live before he will know what body of law applies to me, he's a bent copper, no question, but he is also run-of-the-mill.
Anonymity generally works out to the bad when the FBI does background checks and everyone interviewed gets a scot-free shot at character assassination, slander, and innuendo.
Why cite Kelly on this issue? There are many, much more sophisticated discussions of this issue elsewhere. The trouble with geeks is they spend too much time writing code and eating pizza out of boxes in college! For crying out loud, the issues here are fundamental sociological concerns, you could turn to just about any of the major social theorists from the Enlightenment period onwards for significant discussion of these issues.
Total anonymity is a non-starter. It means no accountability, no trust, no reciprocity, and a complete breakdown of social organization. But there are situations where anonymity is important so the trick is in the balance. Suggest you read some of the essays here, where many of the issues are laid out:
One quote to get you started:
"A consideration of contexts and rationales where anonymity is permitted or required must be balanced by a consideration of the opposite. When is identifiability required, expected or permitted? The rationales here seem simpler, clearer and less disputed. While there are buffers and degrees of identification, the majority of interactions of any significance or duration tilt toward identification of at least some form. As Scottish moral philosophers such as David Hume argued, human sentiments and social needs favor it. It is more difficult to do ill to others when we know who they are and must face the possibility of confronting them. Mutual revelation is a sign of good faith which makes it easier to trust (not unlike the handshake whose origin reportedly was to show that one was not carrying a weapon). It is a kind of sampling of one's inner-worth or an early showing of part of one's hand. It also makes possible reciprocity, perhaps the most significant of social processes.
The latter is from from Gary T. Marx "What's in a Name? Some Reflections on the Sociology of Anonymity", The Information Society, vol. 15, no. 2, pp. 99-112, 1999 but also see what appears to be a later version: Gary T. Marx "Identity and Anonymity: Some Conceptual Distinctions and Issues for Research", In J. Caplan and J. Torpey, Documenting Individual Identity. Princeton University Press, 200. Also other essays at the URL above.
And speaking of Hume, isn't the larger concern here one of tyranny, that not having anonymity will make some of us vulnerable to a faction, a group lacking in accountability to the whole? Maybe this is a real concern, as it isn't clear that Hume's, and by extension and Madison's, checks against factionalism still hold. If that's the case concerns about not having anonymity aren't the problem; they are the symptom.
From the court case Doe v. 2TheMart.com:
The right to speak anonymously was of fundamental importance to the establishment of our Constitution. Throughout the revolutionary and early federal period in American history, anonymous speech and the use of pseudonyms were powerful tools of political debate. The Federalist Papers (authored by Madison, Hamilton, and Jay) were written anonymously under the name "Publius." The anti-federalists responded with anonymous articles of their own, authored by "Cato" and "Brutus," among others. See generally McIntyre, 514 U.S. 341-42, 115 S.Ct. 1511. Anonymous speech is a great tradition that is woven into the fabric of this nation's history.
The right to speak anonymously extends to speech via the Internet. Internet anonymity facilitates the rich, diverse, and far ranging exchange of ideas. The "ability to speak one's mind" on the Internet "without the burden of the other party knowing all the facts about one's identity can foster open communication and robust debate." Columbia Ins. Co. v. Seescandy.Com, 185 F.R.D. 573, 578 (N.D.Cal.1999). People who have committed no wrongdoing should be free to participate in online forums without fear that their identity will be exposed under the authority of the court. Id.
"But that doesn't mean that 1) reputation can't be anonymous ...". I am not so sure about that one. Any reputation system must keep track of histories of transactions and therefore it can at best be 'pseudoanonymous'. The number of agents who need to know this history can be reduced if there are some agents who are trusted by many. And for any given reputation system I can trade off between reputation and anonymity by choosing the number of pseudonyms I use. But I can't see how we can have both reputation and true anonymity.
Anonymity removes responsibility?
The inference being those who are identified can be held accountable - but this often isn't true. Nor is every anonymous person irresponsible. Anonymity can be a vital defence against facism (personal, community & state) but opportunity to escape responsibility can reveal poor character.
I personally would like to maintain the freedom to negotiate trust with whom I choose.
Seems discussions like this sometimes need many alternative viewpoints to get the whole story. Anonymity has a large tie-in with comfort through protection. If we wish no harm on ourselves, or wish to take no responsibility, anonymity is the path we choose. But now we want comfort through protection by other means, through local, state, government, and supra-national authorities. As humans have become more modern, we have become more dependant on unseen external entites for our existence. Almost no one is a true individual anymore. So to maintain their ever increasing comfort level, people give more control to external entites. They currently can not increase their comfort level through anonymity through reasonable means for most people. So long as easy to use tools for anonymity are lacking, people will give up more control to external entities, and thus fall victim to a police state that is all knowing. Sousveilance may provide an avenue to mitigate the negative societal changes brought on by full disclosure, but as the majority acquiesce to external control, society will change. Whether that change is good or not is a separate discussion.
But those who cling to anonymity now, for good or ill, appear to be relics of the past. A past where there was more violence, and less comfort. Anonymity requires an acceptance of extremes. My ability to be anonymous provides those with harmful intent to thrive. If I am willing to accept the risk that my daughter will be used in child pornography if I support anonymity, and that I have no real recourse against those who would exploit her, than I am willing to live in what appears to be a lawless land. Ultimately a supporter of anonymity is a survivalist, and one who accepts that any harm can befall them.
The often overused quote of Benjamin Franklin is somewhat appropriate, but should be modified.
"Those who give up some essential liberty for comfort, deserve no privacy."
As many posters noted the problem with true digital anonymity (which *is* at least temporarily pseudonimous anyway, and one has to trust the anonymizer not to record the mapping between the identity and the alias) is that it is too easy to create a lot of fake identities.
The solution to this problem is quite simple and obvious - the mere fact of existence of an identity shouldn't be a basis for trusting the holder of this identity with anything. No matter how benign the use of some resources, it should not be permitted to identities carrying no recommendations and/or track record.
The second-order problem is use of an established identity as a guarantor of reputation of fake identities is similarly easily fixed by using some form of feedback of the new identity's reputation score to its guarantors's scores. Properly designed, such back-propagating reputation scoring makes generating false identities simply useless.
Note that the process of giving recommendations between real people *or* identities can be effectively blinded, so the guarantor/guarantee couldn't recover mapping between the real name and the digital identity.
I claim that people who insist that total anonymity equals total irresponsibility are failing to consider the implications of the practical irreversibility of trapdoor functions. It is certainly just as possible to maintain reputatuions for a "population" of digital identities as between real people; and it is possible to make crossings (for purposes such as providing recommendations and guarantees) between the "real" and "digital" identity domains without exposing the mapping (at least to the operators of untrusted systems).
The security of general voting (which, on the face, would require trusting identities just because they exist) is a non-issue, simply because democracy is a fraud. First of all, the claim that someone can "represent" voters is totally bogus: if groups A and B having different opinions compete for "representation" by choosing a representative, after the elections the opinion of losing group is simply ignored, not "represented", assuming that the representative is a honest man, and does what he promised (which real politicans universally fail to do unless there's correspondence with their personal interests).
The second fundamental problem with democracy is that the agenda is framed by few people, and not by the general voters. It makes any subsequent voting completely useless - all of us are familiar with the common situation when all offered "choices" are bad or unacceptable to us. This means that the democratic voting is a coerced choice, not a free election. The fact that the coercion is not absolute (as in case of dictature) does not change the fraudulent nature of the claim that the choice is free. It is about as free as the choice between life and money offered toi the victim by a mugger.
It does not make any sense to discuss security or anonymity of the inconsequential part of the democratic decision-making process (i.e. tallying votes) when the process itself is fundamentally and irrepairably broken.
To make Wikipedia an example of how anonymity is bad, you have to implicitly admit that Wikipedia has had anonymity up till now, and Wikipedia is on the whole a tremendous success story. Apart from the Wikipedia anecdote KK does not disclose any evidence for his position, it is generalizations and questionable analogies from there.
I think you've got to ask yourself, where would Wikipedia be without anonymity? What would have happened if, from the outset, Wikipedia had said "all transactions will be logged with your real name, phone number, and home address"? How many contributions would they have gotten?
Anonymity may be necessary only if other people have it. If one has the ability to hide things, but another doesn't, the one who does has an advantage. But if no one has the ability to hide anything - then perhaps no one needs to.
In political terms, I don't think being able to be anonymous makes anyone safer. When confronted with bad rules, anonymously violating them is the chicken's way out.
If one who disagrees with a bad law can use anonymity to avoid it, one loses not only the incentive to have the law fixed, but also the integrity to influence it.
Schneier's writing would have little impact if he was writing anonymously.
I think for every 1 good thing that happens in politics by way of anonymity, 10 bad things happen because corrupt politicians, too, can act anonymously.
I'ld like to quote (paraphrase?) Joichi Ito, keynote speaker at the CCC Congres:
"Those in power like to work in secret, but have their subjects fully transparant."
Anonymity is a weapon in the fight against those that have showed to abuse their power. The pen is mightier than the sword and such.
Uh, shouldn't we be going Beyond Fear? :-) The only rational way to resolve these things is a risk-management approach on a case-by-case basis. Vapid generalisations like "anonymity is bad" and "privacy is good" are not sufficient for wise actions.
And what actions? None of you have suggested how to change the system that we live in! But I think a legistlative approach is needed because no company is going to design an information security system in which their customers don't trust them. (or can disavow at any time.) Security is built in the interests of primarily the builder.
"Within reason. I hope you're not advocating trusting the general population with access to M-1 tanks or RPG's until they prove they don't deserve it :)"
Our founding fathers pretty much allowed this. At least what was available in their day. A cannon or two was not unresonable on a private ship or for the militia. In general a citizen is no more and no less likley to misue anything than a government employee.
When voting I don't want to be anonymous to the poll workers. What I want is privacy in the both. To the tax collector I want to be known and my transaction visable, that is I want to be able to prove that _I_ paid my _taxes_.
In the private sector a transaction can provide anonymous access and privacy. One of the advantage of a generic currency (dollar bills) is that the seller is safe in the value of the payment without having to trust the buyer.
MathFox: "Those in power like to work in secret, but have their subjects fully transparent."
Precisely. That's I would be in favor of transparency for everyone. Those in power especially.
The right arguments for anonymity have to do with cases like whistleblowers and battered and raped women.
Pseudonymity is generally enough when privacy advocates say they want anonymity - if it takes a court order to link a pseudonym to a real person, that's usually 'anonymous enough'.
"My ability to be anonymous provides those with harmful intent to thrive. If I am willing to accept the risk that my daughter will be used in child pornography if I support anonymity, and that I have no real recourse against those who would exploit her, than I am willing to live in what appears to be a lawless land. Ultimately a supporter of anonymity is a survivalist, and one who accepts that any harm can befall them."
This comment was made anonymously... does the poster really believe that nonsense?
"The right to speak anonymously was of fundamental importance to the establishment of our Constitution. Throughout the revolutionary and early federal period in American history, anonymous speech and the use of pseudonyms were powerful tools of political debate. The Federalist Papers ..."
Yes, I agree. However, lots of people who argue for anonymity now cite the Federalist Papers and early American political history and it is not obvious the argument applies as they rarely make the case. There is some merit in the argument but it's blanket extension to any situation without any contextualization or justification is spurious. There were good reasons for writing anonymously then. For one, some of the anonymous writers of the time (e.g. Westchester Farmer) who were identified were attacked and imprisoned. There weren't the speech protections we take for granted today; this was the pre-constitutional period. Anonymous political writing of the time should rather be seen in the context of such writing in Britain in the 18th and 17th Cs where expression of certain political or religious views could result in all manner of nasty things. I'm fairly sure I don't want the leading political figures of today writing anonymously. An Iraqi politician maybe--they'd have some cause.
I would say that he does. After all, they make perfect sense.
The value of anonymity rests on a simple principle - that the best way to protect one's interests is a certain level of opacity in one's dealings. For all that people speak of transparancy as being the ultimate goal of any free and civilized society, the fact remains that in practice, we don't often reward transparency, and use our collective power to reward those who make the institutions around us more transparent. If being a whistleblower made one a public hero, and retaliation against whistleblowing a punishable offense (not necessarily legally - if AT&T, for instance, found its customers fleeing to the competition after being caught targeting a whistleblower), there would be no need to protect the anonymity of whistleblowers. (You could, of course, argue that in such a situation would likely reduce the need for whistleblowng in the first place, but that's a different issue.)
To this degree, Kevin Kelly is absolutely correct. Using anonymity to protect against potential abuse tends to merely obviate the need to reduce those abuses. (Or it can be seen as a capitulation to the inevitability of such abuses.) Of course, I understand that perfect transparency is about as obtainable as perfect anonymity. But I think that it must be understood that opacity is more conducive to abuse than transparency - which is why the common model is to push for transparency in others, while trying to retain opacity for oneself - either out of an idea that one is less like to be abusive than others, or out of deliberate bad faith.
Lyger: excellent thoughts.
I think though that perfect transparency is much easier to obtain than perfect anonymity. Anonymity is about interacting with the environment yet not leaving tracks. That's a paradox. Transparency is about interacting with the environment and leaving tracks. That's much, much easier. If, of course, one wants it.
Ouroboros: ""My ability to be anonymous provides those with harmful intent to thrive. If I am willing to accept the risk that my daughter will be used in child pornography if I support anonymity..."
piglet: "This comment was made anonymously... does the poster really believe that nonsense?"
Lyger: "I would say that he does. After all, they make perfect sense."
I now request that Lyger, Ouroboros and the other cranks here give up their anonymity and state name, address and political affiliation. Or shut up.
Anonymity is like a tool, neither good nor bad.
The question is, where is that tool needed? What is the problem to be solved?
One problem anonymity (perhaps) addresses is privacy. If *everything* about a person is collected in one place, that information could be mined by an adversary (think of an oppressive government, a burglar, a blackmailer, a political opponent, an employer...) to harm the individual. Anonymity in certain transactions may reduce the information that can be collected.
Another problem anonymity addresses is accountability. There are situations where society benefits by NOT holding individuals accountable (for example, who you voted for in the last election; who is writing a blog critical of government; who is that person asking questions about AIDS on a forum).
The ability to scan faces in a crowd, identify each, and select those with the largest bank accounts / most expensive homes could be extraordinarily dangerous.
We need a way to partition information to prevent threatening combinations from being brought together. For most of us today, it might be too late. But perhaps our children can be spared this threatening invasion of privacy. Anonymity is one tool that might help.
Just a terminological heads-up: the proper term is "pseudonymity," which means using false names, or "pseudonyms". "Pseudo-anonymity" isn't a technical term at all, but if it were, it would mean something like "false anonymity." If you use it, it's a sure sign you don't know the field.
I'd suggest that people try to avoid "pseudo-anonymity" even if that's what you actually mean, since people will wonder whether you're just screwing up "psedonymity". For instance, when Kelly says "pseudo-anonymity," I can't tell whether he's advocating a pseudonymous system where actions by a single identity are linkable to each other, but not traceable to the user; or whether he's avocating a fake anonymous system where the anonymity you get is fake since the system knows who you are.
"pseudo-anonymous, as in eBay, where you have a traceable identity behind an invented nickname"...I've always understood pseudonymity to be a persistent identity, but not necessarily traceable to me.
With pseudonymity, you can have the best of both worlds....reputations, plus immunity from getting your physical self thrown in prison for expressing the wrong opinions.
Anyone interested in anonymity versus pseudonymity could not do better than to read the novel Earthweb by Marc Stiegler.
I do not use Wikipedia because of the trust and reliability issues. If something is incorrect in an area I know something about, than how could I consider trusting it about something I am uncertain about. This is the reason I completely quit reading Stephen Jay Gould after his bogus "review" of The Bell Curve. His attack had nothing to do with what I had actually read in the book, so how could I trust his information about things I did not know something about already.
"I now request that Lyger, Ouroboros and the other cranks here give up their anonymity and state name, address and political affiliation. Or shut up."
You realize, of course, that you're making the point that you hope to refute. By requesting a one-way transfer of information, while retaining your own anonynimity, you hope to use the threat of exposure to people who would still be hidden from us to silence those who you disagree with.
Anonymity comes with costs. Part of the price of being able to post comments in an anonymous forum like this one is that you must occasionally suffer the snide comments of people who don't have the desire to be associated with them.
If the police had the ability to enter our homes and search them without restraint, the possibility exists that they would catch people who were involved in crimes, or hiding ill-gotten goods (or people) in their homes. But, without the ability to sanction the police if officers use that power simply for their own ends, one expects that abuses would be rampant.
Lacking a belief in the inevitabilty of the abuse of universal transparency, it seems worth a shot. But uneven transparency does little to mitigate the risks to the early adoptors.
"This is the reason I completely quit reading Stephen Jay Gould after his bogus "review" of The Bell Curve. His attack had nothing to do with what I had actually read in the book, so how could I trust his information about things I did not know something about already."
Maybe this is because you don't understand the basics. Gould's criticism focused among other issues on the statistical theory behind The Bell Curve, which isn't discussed within the book, and on the fact that the authors did not disclose the confidence intervals and p-values in their plots.
Back to the topic, what has your complaint to do with anonymity? As to wikipedia, those who don't trust it had better understand that Encyclopedia Britannica can't be trusted either (http://www.nature.com/news/2005/051212/full/438900a.html) This is the result of a scientific comparison, but you may choose not to trust Nature either. I think this is but a variation on the old internet-bashing routine: every idiot can post something on the internet, and they can't even be held accountable, etc. This is completely beside the point:
The pre-Internet information distribution was no more trustworthy than that. Whether anonymous or not, a large part of what the traditional media, politicians and "experts" are telling us is bullshit. The internet is different, not in that it is more or less accurate but in that it makes it much easier to verify any given information - but this requires a certain maturity and a healthy dose of sceptics on the user side.
Identity may or may not be necessary for trust, but it certainly makes trust easier.
Anonymity may or may not be necessary for privacy, but it certainly makes privacy concerns easier to address.
Security does rely upon authorization.
Authorization doesn't necessarily require identification and authentication, unless there are levels of privilidge attached to each identity.
Assuming you agree with those points, then, the obvious problem is not "anonymity" vs "identity", but instead the association of independent identities (aka, "privacy").
In other words, I don't particularly care if Amazon tracks my purchases. I don't particularly care if Citibank tracks my credit card usage. In both individual instances, I can gain a benefit and the merchant can gain a benefit. I do strongly object, however, to Citibank and Amazon sharing information with each other. In this case, regardless of the advantage to the merchant, I gain no benefit. Moreover, their sharing of the information can lead to a detriment to me, their customer.
So the real issue isn't precisely anonymity (both Amazon and Citibank need to know who I am to do business with me), but instead privacy (what right to Amazon and Citibank have to talk about me behind my back?)
I remember an earlier thread somewhere on this blog where I pointed out that it's perfectly reasonable for a merchant to track my purchasing in the same manner that the old Mom and Pop grocery store used to track my purchases way back before computers were around.
However, back in those "good old days" if Pop started talking to other people in town about what I was buying, I could find Pop outside the pub and offer to bust his nose for him. In other words, Mom and Pop had escalated privilidge in their knowledge about part of my identity (my purchasing trends), but back then I had a relationship of immediacy with Mom and Pop -> if they started blabbing around town about how I was buying a lot of booze, I would immediately know about it, and immediately be able to take steps.
This certainly isn't the case now. Merchants can tell other merchants whatever they like about me and my purchasing trends, and I have no recourse to protect my privacy... other than to resort to anonymity (ie, use cash and not use a club card, for example)
This is a detriment to me, as a consumer (primarily in convenience but also monetarily as those club cards affect price) but it's also a detriment to the merchant, because now they LOSE the benefits that they were getting out of associating an identity with the purchases being made.
This is the issue I think that is currently evading the merchant community -> if they cannot offer privacy to their customer base in return for identity information, eventually their customer base will demand anonymity as the only method of obtaining privacy.
If you don't want your customers to be anonymous, you need to offer them privacy.
"You realize, of course, that you're making the point that you hope to refute. By requesting a one-way transfer of information, while retaining your own anonynimity, you hope to use the threat of exposure to people who would still be hidden from us to silence those who you disagree with."
Could it be that sarcasm is lost on you, lyger? I just ask you to be consistent. You are saying anonymity is bad so walk the talk.
"You are saying anonymity is bad so walk the talk."
I said nothing of the sort. The point was that anonymity has CONSEQUENCES - just like transparency has consequences. If you can't tell the difference, it's little wonder that your sarcasm falls flat. :)
Lyger, you said you agree with this:
"But those who cling to anonymity now, for good or ill, appear to be relics of the past. A past where there was more violence, and less comfort. Anonymity requires an acceptance of extremes. My ability to be anonymous provides those with harmful intent to thrive... the risk that my daughter will be used in child pornography if I support anonymity... a lawless land... a supporter of anonymity is a survivalist" bla bla bla ;-)
"THE CASE of John Siegenthaler’s entry in Wikipedia is a perfect rerun of about a dozen recurring net.wars of the last ten to fifteen years: *anonymity versus accountability; scalability of social spaces; old media versus new; trust; and so on.*
The way some of the mainstream press gleefully went after Wikipedia, you’d think none of them had ever made a mistake. That part of the story was reminiscent of the case that made Matt Drudge’s name, his publication of a rumor about then White House aide Sydney Blumenthal. Drudge was accused of giving journalism a bad name (as if the tabloids hadn’t done that already) and lowering standards (Rupert Murdoch, anyone?). In fact, in the Nature study comparing Wikipedia to Encyclopedia Britannica Wikipedia didn’t come off badly, at least in the science areas the study looked at. What’s really startling about that study, though, is how many errors are in Britannica. ..."
And? I see nothing in that quote that states that anonymity is a bad thing - just that it has some consequences that we understand to be bad things. You could just as easily make the point that my acceptance of photographic technology requires that I accept the risk of someone taking dirty pictures of children - that's a far cry from saying that all cameras are bad, and that they should be banned. To me, the point of that quote was that people who say that the answer to any possible issues around information abuse is ALWAYS more privacy aren't owning up the fact that privacy has its own downsides as well. Or that they always feel that those donwsides are better than the alternatives no matter what. Given that interpretation (which I suspect differs from yours), I agree with the quote.
There are ways to give new electronic identities in a way that makes them have some value.
The simplest case would be allowing an anonymous person to get a public key signed for a specific cash value by a reputable organization. Then when people are dealing with this identity, they know what the cost to the person would be to acquire a comparable new identity would be. This could provide guidance when dealing with an identity that otherwise doesn't have a reputation as yet.
More complicated schemes could be developed where the person effectively puts up an anonymous bond by giving more to the reputable organization who then assumes an aggregate liability on behalf of the identity for the amount of the bond.
While at first glance Kelly does give the impression of being "against" anonymity, actually he is only against "too much" of it.
There is no way to disagree with that, as an abstract statement. For example, no one would support anonymous marriage or anonymous candidates for President. Both are clear cases where anonymity makes no sense whatsoever.
Then again, being against "too much" privacy is quite meaningless as long as you don't address exactly where you want to draw the line.
In the Internet context, the vital question is if people should be allowed to use the Internet anonymously (as they are right now), or if everyone logging on needs to get a number plate registered with the government (like with cars) first.
The only concrete statement is his opinion that Wikipedia is a "failed system" because of excessive anonymity. I don't share the opinion that Wikipedia has failed in any way and therefore don't see any necessity to have number plates for Wikipedia editors.
I'll give you one major argument for anonymity.
Next time you interview someone for a job, try Googling/Yahooing them. You might be surprised at some of the stupid things people post under their real names.
I'll give you one major argument for anonymity.
Next time you interview someone for a job, try Googling/Yahooing them. You might be surprised at some of the stupid things people post under their real names.
If people had to use their real names online, the internet would never have taken off. In our society, where so many entities practice data mining and the person with the biggest dB wins, you're a fool if you use your real name online or in newspaper/magazine letters to the editor. All your information IS collected somewhere and MAY eventually be used against you. It might be the government, a corporation, your insurance company or one of so many other possibilities. Remember, everything you write or post online or in any media outlet is saved and indexed somewhere forever.
I do believe I was just called a fool.
"You might point out how the argument about Wikipedia is totally bogus. It's not a failing of Wikipedia that allowed that bogus information onto that page. It's the failing of the people that took the information is reliable without checking into it. Everyone reading Wikipedia should know that it's (was) edited anonymously, and thus could contain any amount of false information."
Right. It's not a failure of anonymity. It's a failure of process.
"You say anonymity is essential for free and fair elections, but I have never had a truly anonymous vote in an election. It is, like Kelly says, pseudo-anonymous.
"The officials have a record that I went to vote. They even wrote down what ticket I used to punch out the card with. That part of the election process is definitely not anonymous.
"I cannot vote unless I prove my identity and eligibility to vote (not anonymous)."
Elections might be a bad example, because there are two very separate systems at work. There's the system that determines if someone is eligible to vote. That system is most certainly not anonymous. Then, there is the separate system of voting and vote counting. That system needs to be anonymous.
The two systems, of course, need to be decoupled from one another so that the identification procedures of the first do not contaminate the anonymity of the second.
"Anonymity and privacy are not antonyms.
"We speak of anonymity in the context of privacy because electronic anonymity is a method for advancing privacy by making electronic data collection more difficult.
"Kelly's opinion of anonymity is correct. The solution is to limit electronic data collection and archiving - privacy - not anonymity."
I agree that there are serious nomenclature problems out there, as people use words like "anonymity" and "privacy" and "confidentiality" more-or-less interchangably.
To me, anonymity equals "privacy of identity." If I walk around in public, but no one knows who I am, I am anonymous.
"Maybe one of the relevant questions is 'anonymity in whose sight?'
"Often anonymity debates present anonymity as nobody else knows. But, in day to day life, there are many situation where one is not seeking such total anonymity, where one may want one or a few people to know one's identity but that info goes no further."
Certainly that's true. Like everything else in security, there are degrees. When I am enjoying a dinner out with friends, I want to be known to my companions but anonymous to everyone else. Much of the debate about when the police can ask to see your ID centers around the circumstances in which the police can break your wall of anonymity. And so on.
So you're right; most of the time it only makes sense to talk about who you are anonymous from. I contend that it is important for society, in many instances, to be about to be anonymous from the police and from the government. If we are not, then we open up the possibility -- and the probability -- of police and government abuse.
"The one point about Kevin's essay I find interesting is that I've never fully believed in anonymity being necessary. Being able to create a persona that does not readily tie back to me is good enough for me."
If it's a persona that doesn't to tie back to you, then it's anonymity. (If you go to AA meetings and give the same fictitous name each time, you are anonymous.)
"Begin by explaining what anonymity is and isn't. People who agree with Kelly seem to have strange ideas about what anonymity is."
That's an essay in itself.
(I'm in the middle of writing my Wired piece on this, and I'm focusing on another aspect of the essay. But a coherent statement about what anonymity is and isn't would be a useful contribution to the debate.)
@ Dig: "Kelly is right..."
This is good. I am going to use some of it in my essay.
"a coherent statement about what anonymity is and isn't would be a useful contribution to the debate"
Anonymity could be defined as the absence of identifying information.
The less uniquely identifiable you are the more anonymous you will be at the time. However, since identities are not constants, for anonymity to be functional it must be coupled with an absense of obligation to identify oneself. The less you have to reveal about yourself over time the more anonymous you will remain.
Just a guess...
"If you go to AA meetings and give the same fictitous name each time, you are anonymous."
Ah, but your anonymity is tied to all forms of identity information (starting with the three factors - you have, you know, you are), not just a name. Sherlock Holmes (and other classic detective novels) have many fine examples of this, where the suspect is identified by a unique tatoo, hat, hair, gait, etc..
"The main thing that Mr. Kelly fails to see is that in a democracy such as ours where we have representatives to voice our opinions; it is useful if not essential that the people whose voices are being represented remain anonymous."
I agree; his misses the power imbalance. But that's what I thnk all the everything-in-public-all-the-time people miss. Read David Brin's _The _Transparent_Society_ and you see the same problem.
"I think you meant "minority" there, but with either word it's a true statement. =)"
"An interesting perspective on the purposes an anonymity can be gained from the Babylonian Talmud Kiddushin 40a 6 lines from the bottom, where it offers the opinion that someone who can't control themself from sinning should seek the cloak of anonmity."
Anyone care to provide an English translation of the relevent passage?
"True, trust does require identity. But that identity, by his own confession, does not have to be your full, real-life identity. I can trust something as long as I can identify something. It does not matter what goes on behind that identity, however, as that does not concern me."
Exactly. Trust requires accountability, and that accountabiilty may or may not be tied to an flesh-and-blood identity.
"The argument against anonymous voting is that it is unverifiable. At no point can you guarantee that the outcome of the elction was not altered."
Not true. There are some simply beautiful cryptographic election protocols that provide both auditability and anonymity.
"In a democracy, we shouldn't have to earn trust. We should be trusted until we prove we don't deserve it."
That's certainly 100% true, and it's what separates a real democracy from a police state.
"You can be private in your thoughts and stay anonymous to all, but when you start interacting with others, it's esssential that the 'other' side know who are they dealing with."
Absolute hogwash. There are times when I go through quite a bit of my day having no idea who I am dealing with. (In paticular, I remember walking around a market in Equador, buying food and dry goods. I had no idea who I was dealing with, and neither did they. As long as my government-issued pieces of paper were accepted as money, and the stalls didn't look like places where I could get food poisioning, everyone was happy.)
"As long as my government-issued pieces of paper were accepted as money, and the stalls didn't look like places where I could get food poisioning, everyone was happy."
That's degrees of anonymity. If you were unable to see the stalls and they were unable to see the paper, you would probably both ask for more information, which lessens the anonymity.
Your paper made you more trusworthy than someone who was carrying money from another country that could not be identified. Their stalls had some degree of cleanliness, or maybe you assessed the behavior and body-language of the sellers, to determine the safety of their goods. That's not total anonymity.
"There are times when I go through quite a bit of my day having no idea who I am dealing with."
Actually, I think it would be more accurate to say there are times when we go through life where we don't care about who we are dealing with.
Information is available to us that would establish all kinds of uniqueness for those we interact with, as anthropologists are keen to point out.
In fact, the very idea of voting implies that you are authorized by whatever group holding the election to cast your ballot, which means you are already more unique from those who are not authorized and therefore a degree less anonymous than if you were indistinguisable.
I just posted a lengthy essay about how identity was the key to moving forward to new areas on the web, albeit this can be done with anonymous accountability rather than true identity. If anyone is interested, it is posted on my website (the essay with Digital Identity in the title). It mainly focuses on blogging, but there are some interesting ideas in there on a number of things, if you can get past the first few paragraphs of boring introduction for non-technical folks.
"buying food and dry goods. I had no idea who I was dealing with, and neither did they"
I'll go a bit further on this, based on some of the discussion from a presentation in the Nevada desert a few years ago by a guy who had spent years trying to erase his data from the public. Whenever possible, his dealings with others were via proxy, never direct, and he disseminated white noise and mixed signals to help throw people off of his true identity when he had to be in public. For example during the presentation he repeatedly changed the name of the place he called "home". At the start he would say "in London, where I live" and then a few minutes later say "since my home is in LA" and then later "but living in Baltimore has had its challenges, etc..
Of course someone asked him if he still voted, and his answer was "only by mail".
Approximate translation of Babylonian Talmud Kiddushin 40a
Rabbi Ilayi the elder says: If one sees that their inclinations are overpowering their normal behavior, they should go to a location where nobody knows them, wear black and be covered in black and do as their heart desires, so as to not defile the name of heaven in public.
Whether someone is anonymous or not often makes no difference to how much you should trust the information given -- that can often be determined by analyzing solely the substance of what is said.
Often when issue is analysed in the public sphere, many arguments emphasize who has brought the issue to the public's attention, or who is commenting on it, rather than the substance of the comments. Those facts are not always unimportant, but solely focusing on them is an easy, and lazy way of arguing things.
Sometimes this matters, but a lot of times, it shouldn't, and is just used as a means of obfuscation.
like fine automobiles, anonymity and privacy are personally driven by people who appreciate them, rarely imposed externally. because i appreciate these things, i routinely switch digits in my social security number, carry supermarket club cards in fake names and occasionally flame somebody under a pseudonym.
along comes some pundit who says too much anonymity is bad, and i must sacrifice some of mine for the common good. this argument is doomed to failure due to the inability to objectively determine "common good", the difficulty in identifying what, if anything, we have left over as a "commons" and most of all, my unwillingness to sacrifice outlook/habits/philosophy which work for me in return for such a nebulous payback.
kevin kelly wasn't really talking to us as individuals because he's hopefully smart enough to realize this. he was talking to any government policymakers out there who were reading his farts, essentially, persuading them to take away from us some of our anonymity and privacy. i get an evil grin when people like this use the word "trust".
Great. I was reading through that saying to myself, "Sounds just like conventional socilogical analyses of things like the rise of money transaction, privacy, anonymity..." and lo, there's Gary Marx at the end.
For the life of me, the security world really need to draw on more sociology. I know. I know. We're all commie pinko reds. :)
Anonymity has an immense spiritual significance. What is the immense spiritual significance?
The concept of keeping principles above personalities.
Tradition Twelve is all about humility. Nameless, Un recognized, Unconditional, without praise.
Labels are worldly and use for one reason, one reason only, Identification/ recognition of People places and things
Through individual anonymity, is similar to the Christian principle of the flesh is much weaker than the spirit., How does the flesh or personality take over?
A new comer comes in wants to stop and believes in the spirit (God) yet he can’t stop drinking. A.A. message is no mater what he can stop Job no job wife no wife on and on.
All he has to do is discover within how to clean house and trust in God.
Our book also states that People , Places and Things can easily divert us these are of the flesh.
The new come is then dragged into the flesh by a certain group of people telling him he has to get a sponsor or he won’t make it. As if the meeting he or she is at on their own is not enough!
Then out of fear the sponsor tries to administer there message believing it will keep them sober when the message of A.A. is clear and precise That no human power could relive another but God could and would if sought. The monkey comes off the newcomers back just for not drinking, the monkey may be gone but the circus will be still there.
The number one killer in A.A. is personalities and the personalities come from a outside label that is not even in the Big Book, Steps or Traditions. In Fact the traditions talk against people that believe “they��? have a way. The newcomer gets sicker as the personality of the sponsor gets stronger especially if he or she is right! which causes the newcomer to drift further away from the spirit that can intuitive handle situations that use to baffle them. This is the downfall of A.A. as BillW warned us in the Traditions.
If you have trouble understanding a Tradition go back to the first one until you understand. For it is better to understand than to be understood.
Some want to live – others live to want.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.