Anonymity and the Internet

Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we'll know who was responsible and take action accordingly.

The problem is that it won't work. Any design of the Internet must allow for anonymity. Universal identification is impossible. Even attribution -- knowing who is responsible for particular Internet packets -- is impossible. Attempting to build such a system is futile, and will only give criminals and hackers new ways to hide.

Imagine a magic world in which every Internet packet could be traced to its origin. Even in this world, our Internet security problems wouldn't be solved. There's a huge gap between proving that a packet came from a particular computer and that a packet was directed by a particular person. This is the exact problem we have with botnets, or pedophiles storing child porn on innocents' computers. In these cases, we know the origins of the DDoS packets and the spam; they're from legitimate machines that have been hacked. Attribution isn't as valuable as you might think.

Implementing an Internet without anonymity is very difficult, and causes its own problems. In order to have perfect attribution, we'd need agencies -- real-world organizations -- to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver's licenses, whatever. Sloppier identification systems, based on things such as credit cards, are simply too easy to subvert. We have nothing that comes close to this global identification infrastructure. Moreover, centralizing information like this actually hurts security because it makes identity theft that much more profitable a crime.

And realistically, any theoretical ideal Internet would need to allow people access even without their magic credentials. People would still use the Internet at public kiosks and at friends' houses. People would lose their magic Internet tokens just like they lose their driver's licenses and passports today. The legitimate bypass mechanisms would allow even more ways for criminals and hackers to subvert the system.

On top of all this, the magic attribution technology doesn't exist. Bits are bits; they don't come with identity information attached to them. Every software system we've ever invented has been successfully hacked, repeatedly. We simply don't have anywhere near the expertise to build an airtight attribution system.

Not that it really matters. Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server. If I wanted to send a packet anonymously to someone else, I'd just route it through that server. For even greater anonymity, I could route it through multiple servers. This is called onion routing and, with appropriate cryptography and enough users, it adds anonymity back to any communications system that prohibits it.

Attempts to banish anonymity from the Internet won't affect those savvy enough to bypass it, would cost billions, and would have only a negligible effect on security. What such attempts would do is affect the average user's access to free speech, including those who use the Internet's anonymity to survive: dissidents in Iran, China, and elsewhere.

Mandating universal identity and attribution is the wrong goal. Accept that there will always be anonymous speech on the Internet. Accept that you'll never truly know where a packet came from. Work on the problems you can solve: software that's secure in the face of whatever packet it receives, identification systems that are secure enough in the face of the risks. We can do far better at these things than we're doing, and they'll do more to improve security than trying to fix insoluble problems.

The whole attribution problem is very similar to the copy-protection/digital-rights-management problem. Just as it's impossible to make specific bits not copyable, it's impossible to know where specific bits came from. Bits are bits. They don't naturally come with restrictions on their use attached to them, and they don't naturally come with author information attached to them. Any attempts to circumvent this limitation will fail, and will increasingly need to be backed up by the sort of real-world police-state measures that the entertainment industry is demanding in order to make copy-protection work. That's how China does it: police, informants, and fear.

Just as the music industry needs to learn that the world of bits requires a different business model, law enforcement and others need to understand that the old ideas of identification don't work on the Internet. For good or for bad, whether you like it or not, there's always going to be anonymity on the Internet.

This essay originally appeared in Information Security, as part of a point/counterpoint with Marcus Ranum. You can read Marcus's response below my essay.

EDITED TO ADD (2/5): Microsoft's Craig Mundie wants to abolish anonymity as well.

What Mundie is proposing is to impose authentication. He draws an analogy to automobile use. If you want to drive a car, you have to have a license (not to mention an inspection, insurance, etc). If you do something bad with that car, like break a law, there is the chance that you will lose your license and be prevented from driving in the future. In other words, there is a legal and social process for imposing discipline. Mundie imagines three tiers of Internet ID: one for people, one for machines and one for programs (which often act as proxies for the other two).

Posted on February 3, 2010 at 6:16 AM • 62 Comments

Comments

MuffinFebruary 3, 2010 6:55 AM

Well said. To put it more succinctly: if you outlaw anonymity on the Internet, only outlaws will have anonymity on the Internet.

gregFebruary 3, 2010 7:17 AM

There is also legal issues to prevent anonymity. These legal issues cross more than 100 different countries all with different laws and even legal systems. It would take only one, and you have your anonymity back. Like money laundering.

Fire walling countries doesn't work that well either. Not that it doesn't stop some countries from tring.

NoodleFebruary 3, 2010 7:24 AM

I'm not sure I follow how Ranum mentions "Bruce neglected to mention: identity has a value" when Bruce is saying that losing anonymity will make the value of identity more valuable to a thief. I don't see how this system that (isn't really) described by Ranum is supposed to do more than charge someone for some kind of uniqueness which could be stolen and then used to hang the owner with (sort of like CC pin numbers do - anything fraudulent you're either lying or you gave it to someone)

Clive RobinsonFebruary 3, 2010 8:00 AM

@ Bruce,

You forgot to mention that it is impossible for some to prove who they say they are to a stranger.

One of the falacies about ID documents is that you could tie them to an individual via their bio-metrics. So what the document could be one of hundreds that point to the same bio-metrics

The problem is although in theory you could trace back everyones DNA to work out who the maternal relatives are it comes up against a problem.

Infidelity, there are a very very large number of people who are not actually related to their "fathers" in some parts of the UK it was found that a very high percentage.

Then there is adoption and a whole host of other issues such as badly kept records, parents who did not register the birth of their child and quite a few more other reasons.

Then there is the new generation of problems people who's DNA has changed (Bone Marrow etc).

I recently had multiple unit's of blood transfused into me so my blood DNA is a mixture of possibly six people. Over time my own blood DNA will (hopefuly) return.

Some establishing who you are is at some point in the chain a matter of trust.

And as we know trust can be abused in many ways.

It is part of the risk of living and it is important that it be there for us to live as humans. Contary to what people may tell you being able to learn "hinky" is part of growing up. We cannot be "molly coddled" all our lives.

Also without the risk we will quickly get to the point where those who can abuse the trust of the system with stelth will be able to frame anybody they chose with time.

That sort of power in any individuals hands is just unimaginable.

It is time our Politicos came to except the fact that there are new rules in the intangable "information world" and few if any of the constraints that hold the tangable world in check.

For instance,

1, No real distance vector constraints, thus everywhere is local.
2, No real force multiplier constraints, thus one person could be an army.
3, No real copy limits, it's just bits and bytes to be duplicated at will.

Untill people take these first three points on board then they will design systems wit hidden assumptions that will be exploitable in some way.

And "digital ID's" will be the first targets Cyber-naredowells will go for...

caseyFebruary 3, 2010 8:15 AM

Ranum is using a straw man tactic- Bruce did not say -

"just because something will always be there, it's right"

Also he did not address the idea that all systems will be cracked. He offers $1000 to be the only Marcus Ranum, but neglects the dire consequences if his scheme fails. He offers no way to remedy a stolen super-ID.

He does not argue to ban anonymity either. In his rebuttal, he suggests using an expensive phony ID.

Lastly, the sun will not collapse when it runs out of hydrogen, but fuse heavier elements for some time.

I am not swayed that we need to address anonymity on the Internet.

Another KevinFebruary 3, 2010 8:29 AM

uniqueness which could be stolen and then used to hang the owner

That's rather the point, if you think like a high-level politician:

Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre. -- Richelieu

(Give me six lines written in the hand of the most honest man, and I will find in them something to have him hanged.)

The GovernmentFebruary 3, 2010 8:59 AM

Seems we need to 'convince' this Bruce guy he is wrong, he somehow saw past the 'security' facade of our regulations and right to the true purpose.

jacobFebruary 3, 2010 9:00 AM

I agree. The more the powers that be or wanna be try to control or profit from information or identity the more people will slip through the "cracks". ie the Riaa tries to control music. People simply encrypt or exchange hard drives. What they should do is try to sell more value. The Ipod comes to mind. My wife has bought more then 1k of music because it's convenient and relatively inexpensive. She has bought 10-15$ per week for quite a while. And no I have never bought a single song from Apple. Although it did take me weeks to convert thousand CDs.

The example of Peds is a good one. Files either on a computer (Riaa) or Pron should not dismiss good police work. It is in some cases an excuse not to do a through job of studying the case.

There are examples of people be investigated who did not even own a computer. Try to figure that out.

IN todays world almost everyone has a computer. The desire to keep information private is not unreasonable, but all too often the argument is that noone should want to protect any information. The government (VA) or UK have lost information. I have told my son to assume that anyone can read what you do on the internet at any time. Protect what you can, limit info given out, encrypt, encrypt, encrypt. Do not assume that government or law enforcement is your friend. Sad but true.

HJohnFebruary 3, 2010 9:07 AM

I agree. A lot of times, identifying the source machine does not lead us to the perpetrator, it just leads us to another victim.

Imagine a criminal stealing license plates off someone elses car, committing a crime, then putting the license plates back on the original car.

RyanFebruary 3, 2010 9:25 AM

We would be able to eliminate (or at least hugely reduce) spam if everyone had to have a valid email certificate verified by a CA. Email clients could reject all email that's unsigned, so spammers couldn't quickly set up junk email accounts to send spam from.

It's pretty common practice in spam to not have a valid reply address at all. You can put anything you want in the "from" field, whether the address exists or not. By forcing all email to be signed, spam would be virtually eliminated.

Mark S.February 3, 2010 9:27 AM

Let's not forget the new kerfluffle in Australia where the Attorney General got a law passed banning anonymous comments on blogs. He was motivated because of a comment on the AdelaideNow website from a person he claimed was fictitious and created to attack him.

He backed down after it was pointed out that it was unconstitutional and the fictitious person was real and lived 500 meters from the AG's electorate office.

http://www.adelaidenow.com.au/...

PaulFebruary 3, 2010 9:30 AM

Anonymity is a key ingredient to creating freedom and security. The point about dissidents in Iran, China and elsewhere is an repeating theme in such struggles. Think back a little over two centuries ago: The USA was a series of colonies under British rule. Many of our founding fathers used anonymous writings and publications (e.g. the Federalist Papers) to help win support for the cause of independence. Without anonymity, they would have easily been identified, captured and probably executed for treason.

Also, consider another example: An car maker designs a vehicle that has a flaw that could lead to fatal crashes if not fixed. Profit margins are very good for this vehicle, so management proceeds to sell many thousands of units. An employee, wanting to prevent the loss of life resulting from these vehicles, sends an anonymous tip to a news agency. Said agency then does an investigation and expose on the vehicle, causing public outcry and forcing the manufacturer to recall the vehicle and repair the flaw.

Whether the employee is ever named is irrelevant...The shield of anonymity gave the person the ability to overcome fear of reprisal and make the tip.

JanFebruary 3, 2010 9:37 AM

Sometimes the internet is less anonymous than people want it to be. I think this is quite an interesting attempt to spy on the average user. Although the technique is not new, the results are quite nice. Clearly you might not want to be identified the next time you visit your favorite porn, torrent or whatever side. As the authors point out, this gives the bad guys a variety of new potential phishing attacks to play with.

http://www.iseclab.org/papers/sonda-TR.pdf

TexasDexFebruary 3, 2010 9:42 AM

Ranum's first mistake in his counterpoint is that he assumes that Bruce is saying that crime on the internet is 'right'. Bruce's point, as I read it, is that a small amount of crime is preferable to the idea of governments having draconian capabilities to unmask dissent, or just squash it.

Ranum happily admits he pulled the 99.9999% number out of his ass, but uses it to argue his point anyways. He makes no credible argument that removing anonymity is even technically possible. My favorite part is where he argues that if their identity is valuable people will take measures to protect it. Does he not read the news? Valuable things--bank account info, passports--get stolen all the time, partly because the public is dumb but mostly just because they're valuable, and there's lots of incentive to steal them.

My favorite part though is where he advocates paying outrageous amounts of money for what is essentially an email certificate, and assumes that everybody else will want to do the same so that they only get email from other people with $1000 bucks on hand. This answers only a small subset of anonymous activity on the internet, and people haven't been willing to pay for personal email certificates in the past, why will they in the future?

::sigh:: where's that Slasdot spam solution debunking form when you need it?

HJohnFebruary 3, 2010 9:42 AM

@Ryan: "We would be able to eliminate (or at least hugely reduce) spam if everyone had to have a valid email certificate verified by a CA. Email clients could reject all email that's unsigned, so spammers couldn't quickly set up junk email accounts to send spam from."
__________

It's a trade off. We could reduce spam your way, it would also reduce if free accounts were eliminated.

The spammers would then resort to attacking valid accounts and certificates more. They already do this in order to abuse the trust of the person they hijack, but they would just do it more without access to free accounts or certificate-less accounts.

For almost everything, there is an upside and a downside. The downside of anonymity is obviously abuse. However, the downside of identity is diminished privacy and being framed through impersonation.

Bill NyeFebruary 3, 2010 9:50 AM

@TexasDex: Here it is.
your post advocates a

( ) technical
( ) legislative
(x) market-based
( ) vigilante

approach to fighting spam. your idea will not work. here is why it won't work. (one or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) spammers can easily use it to harvest email addresses
( ) mailing lists and other legitimate email uses would be affected
( ) no one will be able to find the guy or collect the money
( ) it is defenseless against brute force attacks
( ) it will stop spam for two weeks and then we'll be stuck with it
(x) users of email will not put up with it
( ) microsoft will not put up with it
( ) the police will not put up with it
( ) requires too much cooperation from spammers
(x) requires immediate total cooperation from everybody at once
(x) many email users cannot afford to lose business or alienate potential employers
( ) spammers don't care about invalid addresses in their lists
( ) anyone could anonymously destroy anyone else's career or business

specifically, your plan fails to account for

( ) laws expressly prohibiting it
( ) lack of centrally controlling authority for email
( ) open relays in foreign countries
( ) ease of searching tiny alphanumeric address space of all email addresses
( ) asshats
( ) jurisdictional problems
(x) unpopularity of weird new taxes
( ) public reluctance to accept weird new forms of money
( ) huge existing software investment in smtp
( ) susceptibility of protocols other than smtp to attack
(x) willingness of users to install os patches received by email
( ) armies of worm riddled broadband-connected windows boxes
( ) eternal arms race involved in all filtering approaches
( ) extreme profitability of spam
(x) joe jobs and/or identity theft
( ) technically illiterate politicians
( ) extreme stupidity on the part of people who do business with spammers
( ) dishonesty on the part of spammers themselves
( ) bandwidth costs that are unaffected by client filtering
( ) outlook

and the following philosophical objections may also apply:

( ) ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) any scheme based on opt-out is unacceptable
( ) smtp headers should not be the subject of legislation
( ) blacklists suck
( ) whitelists suck
( ) we should be able to talk about viagra without being censored
( ) countermeasures should not involve wire fraud or credit card fraud
( ) countermeasures should not involve sabotage of public networks
(x) countermeasures must work if phased in gradually
(x) sending email should be free
( ) why should we have to trust you and your servers?
( ) incompatiblity with open source or open source licenses
( ) feel-good measures do nothing to solve the problem
( ) temporary/one-time email addresses are cumbersome
( ) i don't want the government reading my email
( ) killing them that way is not slow and painful enough

furthermore, this is what i think about you:

(x) sorry dude, but i don't think it would work.
( ) this is a stupid idea, and you're a stupid person for suggesting it.
( ) nice try, assh0le! i'm going to find out where you live and burn your house down!

ObijanFebruary 3, 2010 9:57 AM

"somehow prevent others from posting or sending messages with my identity"

Just use message boards that use OpenID then. That gives everybody a working standard implementation to verify the "identity" of a URL. Solved.

Marcus, pay up!

Richard SchneemanFebruary 3, 2010 9:57 AM

Data is money, and you shouldn't give up your privacy unless you're getting paid for it. I got so sick of people selling my information I wrote a spam tracking application http://www.whyspam.me so I could see exactly who was making off of my personal data.

Be safe.

TexasDexFebruary 3, 2010 10:05 AM

@Bill Nye:

You forgot this one:

(x) it will stop spam for two weeks and then we'll be stuck with it

Once you've gone to a certificate-only email system, it's not really feasible to go back, BUT spam will still happen anyways.

HamptonJFebruary 3, 2010 10:27 AM

+


" Anonymity is bad..."

__________

Ironic that the entire basis of American government is the 'secret ballot' -- personally anonymous voting.


Why should the government permit cowardly citizens to hide their choices in such serious public matters ??

{..sarcasm}

Voting is a such a scared & patriotic duty that the government should maintain a public web database of all formal votes ever cast by specific citizens, clearly identifying individuals with their detailed voting records. Anonymity is bad !

Honest citizens should cheer the public display of their votes. There is no downside to "public" voting.

Marcus RanumFebruary 3, 2010 10:35 AM

From the "I paid $20,000 Dollars and all I got was this lousy ID" department:
Marcus typically makes a good counter point, but lost out on this one. I'm a bit disappointed in him (or is it myself?). He usually shows a bit more acumen when dealing with security and creative thinking. Try harder next time Marcus! You can do it!
-me

RHFebruary 3, 2010 10:50 AM

"Every software system we've ever invented has been successfully hacked, repeatedly."

Not L4 =)
(or is that too small to be considered a "system?")

CharlesFebruary 3, 2010 10:52 AM

Dear Bruce,

though I very much agree with your point: Universal Id is bad, I think you are missing a point:

Universal Id is bad because it is stated as a principle and not linked with actual uses.

In many western country having an id when you want to do some specific things is necessary (e.g. have a drink when you look young), but you dont have to display your id in the streets when you are walking.

I found some of your arguments a bit unsatisfactory: "Bits are bits; they don't come with identity information attached to them." Well, words are words, but shooting abuse at your neighbour is illegal and punishable by law any way, when you can write the same abuse and keep it in your private locker all you want without any legal issues. Context is everything IMO

spaceman spiffFebruary 3, 2010 11:24 AM

@Charles
"In many western country having an id when you want to do some specific things is necessary (e.g. have a drink when you look young), but you dont have to display your id in the streets when you are walking."

Just say that to any number of young men in the USA who have been arrested for WWB (Walking While Black) because they didn't have their ID, or objected to something the "peace" officer said or did.

Bryan FeirFebruary 3, 2010 12:08 PM

@Bruce:
Bits are bits; they don't come with identity information attached to them.

I know Matthew Skala has posted here in the past, but his 'What Colour are your bits' essay discusses this, and the culture clashes that result between computer professionals who are 'colour-blind' and legal professionals who are highly colour-aware, both by profession.

http://ansuz.sooke.bc.ca/lawpoli/colour/...

AnyfishFebruary 3, 2010 12:29 PM

@RH Feb 3, 2010 10:52: Not to mention KeyKos (an old successfull Timesharing Os), Eros (KeyKos descendant) and Capros (Eros descendant).

Identity Based Access Control doesnt work when any process one fires up has one's full authority to do what ever to your files and or resources.(One resource: printing, is expensive as shown by price comparation cart between ink and human blood)

Authorization Based Access Control as avocated by object capabilities and other such systems might make computing more secure and relieable than todays systems.

-Anyfish

http://capros.org/
http://wiki.eros.org/
http://www.cap-lore.com/

JimFiveFebruary 3, 2010 12:54 PM

@Anyfish
Authorization based Access Control might work in a business setting but I don't think it is going to cut it for home users. You end up with something like that Windows Security thing (What is it called?) that is constantly asking "Deny or Allow?"
--
JimFive

DCFebruary 3, 2010 12:59 PM

"those who use the Internet's anonymity to survive: dissidents in Iran, China, and USA".

There, fixed that for you.
@Bill Nye,
are you the guy who originated that nice checkbox list on Slashdot? If so, kudos, if not, well, it was worth broader attention anyway.

Doug

Stephan EFebruary 3, 2010 1:36 PM

This position on banning anonymity is basically a fundamental threat to both democracy and free markets.

Free markets work because consumers have barganning power vs. suppliers. The assymetry of transparant consumers vs. increasingly more powerfull providers make market processes funcitoning increasingly worse - it will make us poor.

Democracy is not about centralised control of citizens - the second you get it, democracy fails. Look to the socialist countries.

But the real clue here is that it is not so much about anonymity as about eliminating linkability across non-related transactions.

edFebruary 3, 2010 2:16 PM

@Ryan: "We would be able to eliminate (or at least hugely reduce) spam if everyone had to have a valid email certificate verified by a CA. Email clients could reject all email that's unsigned, so spammers couldn't quickly set up junk email accounts to send spam from."

What if the spammers set up their own CA? What if they corrupt a small CA? And they keep doing this over and over. Now the problem is how to certify CA's as not issuing certs to spammers. Then you have to certify the certifiers of CA's. Infinite regress ensues.

What if a cert's private key is stolen by malware? The cert is revoked, costing the innocent user a re-issue fee, but the malware isn't removed before recalculating the key, so the new cert is compromised again. Boon times for CA's, costly times for innocent users.

CressFebruary 3, 2010 3:10 PM

I'm sure it's been said in the comments and the rest of the article, but I don't have a lot of time to read today... Miscreants would just impersonate or compromise other individuals anyway so this system is even more flawed.

Remember that case with the malware on the substitue teachers computer that made pop-up ads of adult images appear? Hell, there wasn't even proof that she did anything but she was still assualted in the court room. Make all users 'universally identifiable' and how well the system holds up.

DanFebruary 3, 2010 3:27 PM

"Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server." Good point, and I think these two sentences could save a lot of people a lot of money trying to eliminate anonymity.

There are times, however, when we'd like to keep from being bothered by people who are anonymous. To that end, we can set up our firewalls to eliminate traffic from sources we do not trust. For example, people talk about using a CA to qualify email. This is probably not necessary; all we need to do is set up a system where each email recipient only receives email from sources that have either A) properly identified themselves through a bounce-back mechanism, or B) are on a local list of qualified email senders. There is already software that will implement that strategy. And I'm sure there are other strategies equally as effective.

Bottom line is, I believe, Internet anonymity is an unobtainable fantasy. But that doesn't mean that we cannot protect ourselves from anonymous troublemakers.

DavidFebruary 3, 2010 4:32 PM

In general, I wholeheartedly agree.

In particular, tracing attacks back to members of a botnet, if detection and communication is reliable, could be valuable as you could inform the owners of those computers that they should fix them.

pfoggFebruary 3, 2010 4:51 PM

@Ranum Here's the part Bruce neglected to mention: identity has a value. ... I'd be happy to pay $1,000 to be the only mjr@ranum.com on the Internet and be able to somehow prevent others from posting or sending messages with my identity.

Here's the part Ranum neglected to mention (and probably is unaware of): to an introvert, anonymity has value. It allows an introvert to constrain a non-social interaction (e.g. buying something at a store) to remain non-social (once it's done, it's done -- no ongoing connections or contacts). It also allows social interaction (e.g. commenting on a blog) to be compartmentalized (responses can occur only on the blog).

These things have value to an introvert because to an introvert any random or ongoing social interaction represents a noticeable cost, and the possibility of such issues functions as a 'chilling effect': if a persistent, accessible identity is required, these people will tend to remain silent in the absence of specific need or exceptional circumstances.

It's easy to count anonymity abuses, but how does one count neutral uses? Ranum more or less ignores the possibility that anonymity might serve neutral, personal, non-criminal intent. On the other hand, however many introverts there are (25% of the population is often quoted, but never substantiated), I would suggest that most or all would choose to constrain and compartmentalize ordinary internet activities, given the choice.

anonymous (ha!)February 3, 2010 8:20 PM

@Marcus Ranum

You don't have to shell out $1,000: it's free and it's called public key cryptography. If you want to pay $1,000 dollars for an alias, I know a Nigerian banker who can help you with that. However, if you just want to make sure that when Voltaire posts it is the real Voltaire, whoever that is, that is already completely doable.

Unless you ban the very technology, the very source code that currently allows me use onion routing to access this website anonymously, you cannot force spammers to reveal their identity. Grow up and deal with it.

fjpoblamFebruary 3, 2010 9:38 PM

@HamptonJ *Voters* are anonymous (In fact, there is some flap always going on in our area about requiring some sort of photo identification for voters).

It is their *VOTES* that are anonymous, and the fact that their votes are not associated with their identities during the counting of the votes.

bonelyfishFebruary 3, 2010 10:17 PM

Universal identity may be security expert's holy grail, a silver bullet security expert wished for but will not deliver.

Firstly, do you want to wear a name badge wherever you go? Showing credit card to whoever you meet? Sometimes you just want to keep being anonymous.

Personally I have several email accounts so I can be anonymous in forum, shielded from spamming, keep contact with friends, keep business transactions separated.

When we open a bank account, you got to be identified. If doing serious transaction you have to get identified. But you can go into a pub and call yourself whatever you like.

Secondly, will universal identity stops spamming or crimes? NO. In countries with ID card issued to citizens, there are many (homeless) people eager to sell their identities or bank accounts.

AnonymousFebruary 4, 2010 3:25 AM

I wish that more people understood that this is a technical solution to a social problem that we haven't been able to solve in all of human history.

Also, I wish they understood the lesson of prohibition: black markets are subject to the network effect. In other words, the more people willing to join it, the more powerful and influential it is. I really don't want to see the market for identity theft (or identity farming) expand. It's bad enough as is.

PseudonymousFebruary 4, 2010 3:45 AM

I wish that more people understood that this is a technical solution to a social problem that we haven't been able to solve in all of human history.

Also, I wish they understood the lesson of prohibition: black markets are subject to the network effect. In other words, the more people willing to join it, the more powerful and influential it is. I really don't want to see the market for identity theft (or identity farming) expand. It's bad enough as is.

I have to admit, though, it's odd to read this and then realize that your comment here gets blocked if you choose the name 'Anonymous', even for irony's sake.

Maik TippsFebruary 4, 2010 7:13 AM

It´s very difficult to give the right answer for this problem. On the one hand i don´t want that someone knows exactly what i do in the internet but to catch criminals it is good to have not so much anonymity....

sooth sayerFebruary 4, 2010 8:07 AM

I agree with the analysis and some of the comments - though argument about licensing weapons and not having "illegal weapons" with citizens is EXACTLY the same - I am sure Bruce is on the other side of the gun control :-)

LucianFebruary 4, 2010 8:45 AM

Look at facebook, myspace, linked in, people share personal information to other people, to the public. I think in the future, some websites will be able to make something to have "verified IDS" on the web or something like this. For example for IP's, i verify my IP and all websites where i go with my IP know that in that interval i was on their websites.

AnonymousFebruary 4, 2010 9:07 AM

@Pseudonymous -

"I have to admit, though, it's odd to read this and then realize that your comment here gets blocked if you choose the name 'Anonymous', even for irony's sake."

It is?

sidelobeFebruary 4, 2010 12:56 PM

Cell phone networks do an excellent job of carrying universal identity. It's not perfect, but it's good enough to entrust to be a system of payments and currency in a number of parts of the world. The networks are very well protected, and it's difficult to use an anonymous device.

You can argue that the networks identify the device but not the holder of the device. But the association of device to holder is good enough to use for the aforementioned payment systems.

The only people who can send me Facebook messages are people I've identified and authorized. I've yet to receive a spam message. I can't say the same for my plain-old anonymous e-mail account, which would be useless without spam filters.

I don't advocate perfect identity for everything. It would be pointless or detrimental for a discussion group such as this. But it sure would be nice to be better able to take advantage of good identity management for more Internet applications.

mooFebruary 4, 2010 1:22 PM

Related to this quote from the essay:

"Just as it's impossible to make specific bits not copyable, it's impossible to know where specific bits came from. Bits are bits."

There is an interesting thing written a few years ago called "What color are your bits?"
http://ansuz.sooke.bc.ca/lawpoli/colour/...
[WARNING: may contain ads which are somewhat NSFW.]

It explores the programmer angle, which is that bits don't really support the attachment of identifiable, tamperproof metadata such as origin info, because any such metadata is also just bits (Bruce summarizes this viewpoint succinctly when he says "bits are bits"). But it also explores the *lawyer* angle, where bizarre metamystical ideas (such as derivative-work-ness according to copyright laws) can be imagined to propagate with a piece of information when the bits themselves are propagated.

Its important for techies to recognize that lawyers and courts routinely can and do reason about intangible "meta" properties that our legal and social systems attempt to apply to information (in whatever forms), even if in general there is no robust technical way of representing this meta info in a way that would carry these meta properties around tangibly and keep them bundled with the works of information (i.e. piles of bits) that they are about. So even if "bits are just bits", they can also have a "color" (or "smell"?) from that point of view. A property that is not capturable in any robust tangible form, but is nonetheless relied on heavily by things like copyright law.

DRM, digital watermarking, etc. can be seen in part, as attempts to solve a part of this impossible problem, of attaching trackable tamper-resistant metadata to bits, or attempt to prevent certain uses of those bits which are undesired by the controller of the DRM.

Anyway, its an interesting world we live in!

HavaCuppaJoeFebruary 4, 2010 4:47 PM

@sidelobe - "Cell phone networks do an excellent job of carrying universal identity."

This is only true to the extent that people agree to behave nicely. I can call you 5 different times in 5 minutes from the same phone with an entirely different identity. All I have to do is switch the SIM card and toss the old one in between calls.

So, inherently, this is no different than internet anonymity. We don't have to police the people that are behaving good do we? But it's these exact good-behaving people are the ones who inevitabley shoulder the burden that Ranum seems to be advocating.

HavaCuppaJoeFebruary 4, 2010 4:57 PM

@Marc Ranum - 'Indeed, it's suspiciously close to blaming the victim, since we're implicitly telling the music industry that they have no recourse and society washes its hands of their problem: "figure out how to survive" is not the advice anyone in a precarious position is going to appreciate.'

From what planet do you come?

"figure out how to survive" is EXACTLY the basis upon which normal US businesses operate. Just try to open up a donut shop in Topeka and you'll find out for yourself how true this is.

The RIAA and its members do NOT have an entitlement to exist, even though this seems to be their fundamental position.

Peter da SilvaFebruary 4, 2010 5:52 PM

The article at http://ansuz.sooke.bc.ca/lawpoli/colour/... that has been twice referenced in this thread is intersting, and contains the germ of truth, but the way it presents itself is misleading and muddies teh water. The "color" in that article is metadata, in the literal sense. It's meta data. It's data ABOUT the data.

It's not inline, as part of the file, but most metadata isn't inline. The name of a file, possibly the most fundamental piece of metadata about it, is rarely stored inside it (and if it is it's often wrong). If I have an encrypted file, the key to decrypt it and the decryption algorithm are metadata. The file has no meaning without that information. If I have an MP3 file, it isn't a piece of music without an MP3 player to play it. The description of the file, the interpreter for the program, the drivers for hardware, these are all metadata.

If you want to use the contents of a file as evidence in court, then you need metadata about how the file got to the courtroom. That's not something magic, it's not "color", it's nothing real computer scientists have any problem with... it's simply out-of-band metadata.

Any1288February 5, 2010 10:19 AM

Ironic that this post cannot be done anonymously.

Animosity is a form of free speech. If animosity becomes illegal, and only the criminals have it, then I will choose to become a criminal.

Bill NyeFebruary 5, 2010 10:25 AM

@DC

I'm definitely not the inventor. It's been around a lot longer than I've been online. Whoever invented it must have been a genius though, because I've seen it used, without additions, to debunk an awful lot of purported solutions to spam.

anon12February 5, 2010 10:29 AM

If animosity is outlawed and prevented by hardware/software means, then most of us will be subjegated under it, but those with the money and resources will have the means to remain anonymous.

Much like the telemarketers that call you up with fake phone numbers. But most individuals can't do that.

Tom BarryFebruary 7, 2010 7:50 AM

I personally believe we have a right to be anonymous on the Internet. However when doing so we should make it obvious we are anonymous.

If we are anonymous that means we are just obviously anonymous. We are not pretending to be someone else. Pretending to be someone else is fraud, illegal, and should be strongly discouraged. We should regularly prosecute all impostors for fraud.

Likewise I believe there is obvious value in optionally being able to prove who we are and authenticate an identity. Since that identity has a value thieves will have an incentive to steal it. But we just have to deal with that.

Just my own opinions.

- Tom

cathygFebruary 8, 2010 8:28 AM

To : Posted by: Charles at February 3, 2010 10:52 AM

You actually MAY be asked to show an ID while you are walking on the street. If you live on a military base - you are OFTEN asked to show your military ID whilst walking in the street.

Americans complain that that their 'rights have been violated' - but actually we should be comfortable with pulling out an ID that shows who we are whenever and by whomever. IMHO: This is not infiltration of my privacy...this means that I am living above reproach, I have the credentials I have EARNED as a citizen of this country and I carry with me proof of this. just like my insurance card (auto insurance is changing exactly how this is determined right now!) I am not saying we should 'chip' everyone...but people should be 'alright' with anyone asking for their identification...as long as it just identifies that person and no other information is on that ID. Even tying your DR LIC to your address is a bit shoddy in forethought isn't it? The system is not perfect, but we should never mind showing an ID.

It would surely slow up the web, adding a lot of non-certifiable data, however to add a universal ID - just nonsense because your identity on the web may be counterfeited very easily.

Rick KellerFebruary 8, 2010 10:44 AM

Not being anonymous means those with the resources will have the ability to do more with the knowledge of my ID. This post here is with my name, but if it was not liked by political powers, or private ones, who knows who might be showing up at my door in the middle of the night and what their intentions are. I would not feel very safe, and that is one of my RIGHTS. To feel safe in my person.

Knowledge is power
Power corrupts
Absolute power corrupts absolutely
.

AnyfishFebruary 9, 2010 9:23 AM

@JimFive at February 3, 2010 12:54 PM:

You mean the incessant "May I?" popups?
That is because designation has been divorced from authorization in Windows, various *NIXes and MacOS (both Classic and X)

In object-capability based systems (like those I linked to) names that name things are kernel/supervisor/programming-lingustically protected entities. In short, if an process (the running instance of an program) cannot name an object then it(program) cant affect the object. Of course objects can be implemented by programs and the name of objects be passed along to other objects.

A Google Tech talk serie that explains it better than I can: http://erights.org/talks/index.html#google-abac

Michael HagertyFebruary 17, 2010 6:03 PM

Dyson has written on the need for pseudonymity, particularly persistent pseudonymity, as a requirement for the development of online communities, especially those in which disclosure of identity might jeopardize an individual's family, job or well-being. I recognize governments are eager to strip away any barriers to instant recognition of identity, but a very real need for a degree of anonymity does exist, without which many online communities would cease to function. To require proof of identity to participate in online communities would present a formidable barrier to many individuals, but pure anonymity would preclude the development of the implicit trust necessary to maintain such communities over time. AA and other organizations, and most certainly their Internet equivalents could not function without at least pseudonymity and the benefit such organizations provide society would be lost.

Jennifer @ Vergent T1 ServiceJuly 27, 2010 5:43 PM

@JimFive--I think it's called User Access Control, and it is the most annoying little piece of code Windows has ever implemented in an OS. I also am going to agree with the previous poster. Maintaining anonymity on the web is a safety issue. There are fraudsters everywhere.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..