Types of Anonymity
In this paper, the word "message" is used to designate any communication unit (e-mail, newsgroup article, web page, pamphlet, book, rumour, etc.).
Anonymity means that the real author of a message is not shown. Anonymity can be implemented to make it impossible or very difficult to find out the real author of a message.
A common variant of anonymity is pseudonymity, where a name other than the real author's is shown. The pseudonym is sometimes kept very secret; sometimes the real name behind a pseudonym is openly known, such as Mark Twain as a pseudonym for Samuel Clemens or Ed McBain as a pseudonym for Evan Hunter, whose original name was Salvatore A. Lombino. A person can even use multiple different pseudonyms for different kinds of communication.
An advantage of a pseudonym, compared with complete anonymity, is that it is possible to recognize that different messages are written by the same author. Sometimes, it is also possible to write a letter to a pseudonym (without knowing the real person behind it) and get replies back. It is even possible to have long discourses between two pseudonyms, neither of them knowing the real name behind the other's pseudonym. A disadvantage, for a person who wants to be anonymous, is that combining information in many messages from the same person may make it easier to find out who the real person is behind the pseudonym.
A variant of pseudonymity is deception [Donath 1996], where a person intentionally tries to give the impression of being someone else, or of having different authority or expertise.
Anonymity before the Internet
Anonymity is not something which was invented with the Internet. Anonymity and pseudonymity have occurred throughout history. For example, William Shakespeare is probably a pseudonym, and the real name of this famous author is not known and will probably never be known.
Anonymity has been used for many purposes.
A well-known person may use a pseudonym to write messages when that person does not want people's preconceptions of the real author to color their perception of the message.
Also other people may want to hide certain information about themselves in order to achieve a more unbiased evaluation of their messages. For example, in history it has been common that women used male pseudonyms, and for Jews to use pseudonyms in societies where their religion was persecuted.
Anonymity is often used to protect the privacy of people, for example when describing individual cases in reports of the results of a scientific study.
Many countries even have laws which protect anonymity in certain circumstances. Examples:
A person may, in many countries, consult a priest, doctor or lawyer and reveal personal information which is protected. In some cases, for example confession in Catholic churches, the confession booth is specially designed to allow people to consult a priest without seeing him face to face.
The anonymity in confessional situations is however not always 100 %. If a person tells a lawyer that he plans a serious crime, some countries allow or even require that the lawyer tell the police. The decision to do so is not easy, since people who tell a priest or a psychologist that they plan a serious crime, may often do this to express their feeling more than their real intention.
Many countries have laws protecting the anonymity of tip-offs to newspapers. It is regarded as important that people can give tips to newspapers about abuse, even though they are dependent on the organization they are criticizing and do not dare reveal their real name.
Advertisements in personal sections in newspapers are almost always signed by a pseudonym for obvious reasons.
Is Anonymity Good or Bad?
In summary, anonymity and pseudonymity can be used for good and bad purposes. And anonymity can in many cases be desirable for one person and not desirable for another person. A company may, for example, not like an employee to divulge information about improper practices within the company, but society as a whole may find it important that such improper practices are publicly exposed.
Good purposes of anonymity and pseudonymity:
+ People dependent on an organization, or afraid of revenge, may divulge serious misuse, which should be revealed. Anonymous tips can be used as an information source by newspapers, as well as by police departments, soliciting tips aimed at catching criminals. Not everyone will regard such anonymous communication as good. For example, message boards established outside companies, but for employees of such companies to vent their opinions on their employer, have sometimes been used in ways that at least the companies themselves were not happy about [Abelson 2001]. Police use of anonymity is a complex issue, since the police often will want to know the identity of the tipper in order to get more information, evaluate the reliability or get the tipper as a witness. Is it ethical for police to identify the tipper if they have opened up an anonymous tipping hotline?
+ People in a country with a repressive political regime may use anonymity (for example Internet-based anonymity servers in other countries) to avoid persecution for their political opinions. Note that even in democratic countries, some people claim, rightly or wrongly, that certain political opinions are persecuted. [Wallace 1999] gives an overview of uses of anonymity to protect political speech. Every country has a limit on which political opinions are allowed, and there are always people who want to express forbidden opinions, like racial agitation in most democratic countries.
+ People may openly discuss personal stuff which would be embarrassing to tell many people about, such as sexual problems. Research shows that anonymous participants disclose significantly more information about themselves [Joinson 2001].
+ People may get more objective evaluation of their messages, by not showing their real name.
+ People are more equal in anonymous discussions; factors like status, gender, etc., will not influence the evaluation of what they say.
+ Pseudonymity can be used to experiment with role playing, for example a man posing as a woman in order to understand the feelings of people of different gender.
+ Pseudonymity can be a tool for timid people to dare establish contacts which can be of value for them and others, e.g. through contact advertisements.
There has always, however, also been a dark side of anonymity:
– Anonymity can be used to protect a criminal performing many different crimes, for example slander, distribution of child pornography, illegal threats, racial agitation, fraud, intentional damage such as distribution of computer viruses, etc. The exact set of illegal acts varies from country to country, but most countries have many laws forbidding certain "informational" acts, everything from high treason to instigation of rebellion, etc., to swindling.
– Anonymity can be used to seek contacts for performing illegal acts, like a pedophile searching for children to abuse or a swindler searching for people to rip off.
– Even when the act is not illegal, anonymity can be used for offensive or disruptive communication. For example, some people use anonymity in order to say nasty things about other people.
The border between illegal and legal but offensive use is not very sharp, and varies depending on the law in each country.
Anonymity on the Internet
Even though anonymity and pseudonymity are not something new with the Internet, the net has increased the ease for a person to distribute anonymous and pseudonymous messages. Anonymity on the Internet is almost never 100 %; there is always a possibility to find the perpetrator, especially if the same person uses the same way to gain anonymity multiple times.
In the simplest case, a person sends an e-mail or writes a Usenet news article using a falsified name. Most mail and news software allows the users to specify whichever name they prefer, and makes no check of the correct identity. Using web-based mail systems like Hotmail, it is even possible to receive replies and conduct discussions using a pseudonym.
The security for the anonymous user is not very high in this case. The IP number (physical address) of the computer used is usually logged, and often also the host name (logical name). Many people connect to the Internet using a temporary IP number assigned to them for a single session. But such numbers are also logged by the ISP (Internet Service Provider), and it is possible to find out who used a certain IP number at a certain time, provided that the ISP assists in the identification. There are also other well-known methods for breaking anonymity; for example, elements can be included on a web page which communicate information without the knowledge of the person viewing the page. Some ISPs have a policy of always assisting such searches for anonymous users. In this way they avoid tricky decisions on when to assist and when not to assist such searches.
In the case of e-mail, the e-mail header itself contains a trace of the route of a message. This trace is not normally shown to recipients, but most mailers have a command named something like "full headers" to show this information. An example of such a trace list is shown in Figure 1.
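As an added illustration (not part of the original paper, and not its Figure 1), the Python sketch below reads the Received trace from a constructed message and lists the hops oldest first. The host names, addresses and the function names trace_route and origin_candidate are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: reserved example domains and documentation IP ranges.
RAW = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.net with ESMTP id C3; Mon, 06 Jan 2003 10:15:09 +0100
Received: from relay.example.com (relay.example.com [192.0.2.25])
\tby mx.example.org with ESMTP id B2; Mon, 06 Jan 2003 10:15:04 +0100
Received: from [203.0.113.44] (dialup-44.isp.example [203.0.113.44])
\tby relay.example.com with SMTP id A1; Mon, 06 Jan 2003 10:15:01 +0100
From: "A. Pseudonym" <someone@example.com>
To: reader@example.net
Subject: test

body
"""

# "from <name the sender claimed> (<reverse DNS> [<connecting IP>]) by <receiving host>"
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def trace_route(raw):
    """Return the hops oldest-first as dicts with helo, rdns, ip, by and time."""
    msg = message_from_string(raw)
    hops = []
    # Every relay prepends its own Received line, so the newest hop is on top.
    for value in reversed(msg.get_all("Received", [])):
        match = HOP.search(value)
        if not match:
            continue  # unfamiliar format: skip it rather than guess
        stamp = value.rsplit(";", 1)[-1].strip()
        hops.append({**match.groupdict(), "time": parsedate_to_datetime(stamp)})
    return hops

def origin_candidate(hops):
    """Connecting IP logged by the first relay: the address an ISP would be asked about."""
    return hops[0]["ip"] if hops else None

if __name__ == "__main__":
    for hop in trace_route(RAW):
        print(hop["time"].isoformat(), hop["ip"], "->", hop["by"])
```

Only the lines added by relays the recipient trusts are reliable; anything below them was supplied by the sending side and may be forged.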
The Internet: Anonymous Forever
This essay previously appeared in Information Security as the first half of a point-counterpoint with Marcus Ranum. Marcus's half is here.
Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we'll know who was responsible and take action accordingly.
The problem is that it won't work. Any design of the Internet must allow for anonymity. Universal identification is impossible. Even attribution -- knowing who is responsible for particular Internet packets -- is impossible. Attempting to build such a system is futile, and will only give criminals and hackers new ways to hide.
Imagine a magic world in which every Internet packet could be traced to its origin. Even in this world, our Internet security problems wouldn't be solved. There's a huge gap between proving that a packet came from a particular computer and that a packet was directed by a particular person. This is the exact problem we have with botnets, or pedophiles storing child porn on innocents' computers. In these cases, we know the origins of the DDoS packets and the spam; they're from legitimate machines that have been hacked. Attribution isn't as valuable as you might think.
Implementing an Internet without anonymity is very difficult, and causes its own problems. In order to have perfect attribution, we'd need agencies -- real-world organizations -- to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver's licenses, whatever. Sloppier identification systems, based on things such as credit cards, are simply too easy to subvert. We have nothing that comes close to this global identification infrastructure. Moreover, centralizing information like this actually hurts security because it makes identity theft that much more profitable a crime.
And realistically, any theoretical ideal Internet would need to allow people access even without their magic credentials. People would still use the Internet at public kiosks and at friends' houses. People would lose their magic Internet tokens just like they lose their driver's licenses and passports today. The legitimate bypass mechanisms would allow even more ways for criminals and hackers to subvert the system.
On top of all this, the magic attribution technology doesn't exist. Bits are bits; they don't come with identity information attached to them. Every software system we've ever invented has been successfully hacked, repeatedly. We simply don't have anywhere near the expertise to build an airtight attribution system.
Not that it really matters. Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server. If I wanted to send a packet anonymously to someone else, I'd just route it through that server. For even greater anonymity, I could route it through multiple servers. This is called onion routing and, with appropriate cryptography and enough users, it adds anonymity back to any communications system that prohibits it.
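The layering described above can be shown in a few lines of Python. This is an added example, not code from the essay: the relay names, keys and the functions seal, unseal, wrap and deliver are hypothetical, and the cipher is a toy stand-in for real cryptography.

```python
import hashlib
import json
import os

# Constructed setup: three hypothetical relays, each with its own secret key.
PATH = ["R1", "R2", "R3"]
KEYS = {name: os.urandom(32) for name in PATH}

def _xor_stream(key, nonce, data):
    # Toy cipher: XOR with a SHA-256 counter keystream. It stands in for the
    # authenticated encryption and per-hop key agreement a real system uses.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def unseal(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

def wrap(path, keys, dest, message):
    """Build the onion: innermost layer for the last relay, outermost for the first."""
    blob, nxt = message, dest
    for relay in reversed(path):
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob, nxt = seal(keys[relay], layer), relay
    return blob

def deliver(sender, path, keys, dest, message):
    """Simulate forwarding; return ({relay: (came_from, sent_to)}, delivered bytes)."""
    seen, prev, here = {}, sender, path[0]
    blob = wrap(path, keys, dest, message)
    while here in keys:
        layer = json.loads(unseal(keys[here], blob))
        seen[here] = (prev, layer["next"])
        prev, here, blob = here, layer["next"], bytes.fromhex(layer["data"])
    return seen, blob
```

Each relay can remove only its own layer, so its view is limited to the hop before it and the hop after it; no single relay sees both the sender and the destination.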
Attempts to banish anonymity from the Internet won't affect those savvy enough to bypass it, would cost billions, and would have only a negligible effect on security. What such attempts would do is affect the average user's access to free speech, including those who use the Internet's anonymity to survive: dissidents in Iran, China, and elsewhere.
Mandating universal identity and attribution is the wrong goal. Accept that there will always be anonymous speech on the Internet. Accept that you'll never truly know where a packet came from. Work on the problems you can solve: software that's secure in the face of whatever packet it receives, identification systems that are secure enough in the face of the risks. We can do far better at these things than we're doing, and they'll do more to improve security than trying to fix insoluble problems.
The whole attribution problem is very similar to the copy-protection/digital-rights-management problem. Just as it's impossible to make specific bits not copyable, it's impossible to know where specific bits came from. Bits are bits. They don't naturally come with restrictions on their use attached to them, and they don't naturally come with author information attached to them. Any attempts to circumvent this limitation will fail, and will increasingly need to be backed up by the sort of real-world police-state measures that the entertainment industry is demanding in order to make copy-protection work. That's how China does it: police, informants, and fear.
Just as the music industry needs to learn that the world of bits requires a different business model, law enforcement and others need to understand that the old ideas of identification don't work on the Internet. For good or for bad, whether you like it or not, there's always going to be anonymity on the Internet.