Anonymity Won't Kill the Internet
By Bruce Schneier
January 12, 2006
In a recent essay, Kevin Kelly warns of the dangers of anonymity. It's OK in small doses, he maintains, but too much of it is a problem: "(I)n every system that I have seen where anonymity becomes common, the system fails. The recent taint in the honor of Wikipedia stems from the extreme ease which anonymous declarations can be put into a very visible public record. Communities infected with anonymity will either collapse, or shift the anonymous to pseudo-anonymous, as in eBay, where you have a traceable identity behind an invented nickname."
Kelly has a point, but it comes out all wrong. Anonymous systems are inherently easier to abuse and harder to secure, as his eBay example illustrates. In an anonymous commerce system -- where the buyer does not know who the seller is and vice versa -- it's easy for one to cheat the other. This cheating, even if only a minority engaged in it, would quickly erode confidence in the marketplace, and eBay would be out of business. The auction site's solution was brilliant: a feedback system that attached an ongoing "reputation" to those anonymous user names, and made buyers and sellers accountable for their actions.
And that's precisely where Kelly makes his mistake. The problem isn't anonymity; it's accountability. If someone isn't accountable, then knowing his name doesn't help. If you have someone who is completely anonymous, yet just as completely accountable, then -- heck, just call him Fred.
History is filled with bandits and pirates who amass reputations without anyone knowing their real names.
EBay's feedback system doesn't work because there's a traceable identity behind that anonymous nickname. EBay's feedback system works because each anonymous nickname comes with a record of previous transactions attached, and if someone cheats someone else then everybody knows it.
Similarly, Wikipedia's veracity problems are not a result of anonymous authors adding fabrications to entries. They're an inherent property of an information system with distributed accountability. People think of Wikipedia as an encyclopedia, but it's not. We all trust Britannica entries to be correct because we know the reputation of that company, and by extension its editors and writers. On the other hand, we all should know that Wikipedia will contain a small amount of false information because no particular person is accountable for accuracy -- and that would be true even if you could mouse over each sentence and see the name of the person who wrote it.
Historically, accountability has been tied to identity, but there's no reason why it has to be so. My name doesn't have to be on my credit card. I could have an anonymous photo ID that proved I was of legal drinking age. There's no reason for my e-mail address to be related to my legal name.
This is what Kelly calls pseudo-anonymity. In these systems, you hand your identity to a trusted third party that promises to respect your anonymity to a limited degree. For example, I have a credit card in another name from my credit-card company. It's tied to my account, but it allows me to remain anonymous to merchants I do business with.
The security of pseudo-anonymity inherently depends on how trusted that "trusted third party" is. Depending on both local laws and how much they're respected, pseudo-anonymity can be broken by corporations, the police or the government. It can be broken by the police collecting a whole lot of information about you, or by ChoicePoint collecting billions of tiny pieces of information about everyone and then making correlations. Pseudo-anonymity is only limited anonymity. It's anonymity from those without power, and not from those with power. Remember that anon.penet.fi couldn't say up in the face of government.
In a perfect world, we wouldn't need anonymity. It wouldn't be necessary for commerce, since no one would ostracize or blackmail you based on what you purchased. It wouldn't be necessary for internet activities, because no one would blackmail or arrest you based on who you corresponded with or what you read. It wouldn't be necessary for AIDS patients, members of fringe political parties or people who call suicide hotlines. Yes, criminals use anonymity, just like they use everything else society has to offer. But the benefits of anonymity -- extensively discussed in an excellent essay by Gary T. Marx -- far outweigh the risks.
In Kelly's world -- a perfect world -- limited anonymity is enough because the only people who would harm you are individuals who cannot learn your identity, and not those in power who can.
We do not live in a perfect world. We live in a world where information about our activities -- even ones that are perfectly legal -- can easily be turned against us. Recent news reports have described a student being hounded by his college because he said uncomplimentary things in his blog, corporations filing SLAPP lawsuits against people who criticize them, and people being profiled based on their political speech.
We live in a world where the police and the government are made up of less-than-perfect individuals who can use personal information about people, together with their enormous power, for imperfect purposes. Anonymity protects all of us from the powerful by the simple measure of not letting them get our personal information in the first place.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..