Monday, February 04, 2008


Anonymity, and levels thereof

In a recent edition of his Wired column Security Matters, well-known computer security expert Bruce Schneier comments on what he calls a “false dichotomy” between “security” and “privacy”. He rejects the notion that you have to give up some of one to get more of the other.

It’s not a long essay; go read it. When you do, note this part in particular:

The debate isn’t security versus privacy. It’s liberty versus control.

You can see it in comments by government officials: “Privacy no longer can mean anonymity,” says Donald Kerr, principal deputy director of national intelligence. “Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Did you catch that? You’re expected to give up control of your privacy to others, who — presumably — get to decide how much of it you deserve. That’s what loss of liberty looks like.

That has reminded me that I’ve been meaning, for some time, to write about anonymity on the Internet.

Before we look specifically at the Internet, I’ll point out that anonymity in general — in real life, as well — can work both for and against your safety and security.

Suppose you interrupt a drug dealer as he’s about to kill someone, and the victim gets away. So do you. People saw you and the dealer, but no one knows who you are. The fact that you’re anonymous works in favour of your safety, because the drug dealer can’t come find you and take revenge.

Suppose, though, that he manages to follow you home. The fact that you’re anonymous can now work against you, because no one else who saw you knows who you are or where you live. The dealer might feel freer to attack you, thinking he’ll get away with it.

And so, there are times you want to be anonymous, and times when you don’t... and there are various reasons for making the choice one way or the other.

So, too, is it on the Internet. I choose to blog with no anonymity: I use my real name and point at my personal web page, and it’s pretty easy to search around and find out lots of stuff about me. When I started this blog I made that choice, because I knew I’d be talking about things I believe in, things that are important to me, and I wanted to stand clearly behind them. Not all bloggers do it that way, and other choices are certainly valid. Reasons to blog anonymously, or semi-anonymously, can include concerns about one’s personal safety, about one’s job, about harassment of one’s family, and so on. And maybe one just wants to.

But, wait: I said “semi-anonymously”. Isn’t being semi-anonymous rather like being semi-pregnant, or semi-unique?

Well, no. There are different levels of anonymity. They have different uses, and you might choose to mix them, and use different levels for different situations. I can think of at least four levels; perhaps readers can think of more:

  1. Full disclosure, as I use on this blog.
  2. Not personally identified, but everything is connected, as with a common pseudonym. I’d get this if I didn’t identify myself on this blog, and then used the name “staringatemptypages” to post to mailing lists and other discussion groups, to post comments to others’ blogs, to identify myself on social networking sites... maybe even to buy and sell on eBay.
  3. Compartmentalized, where activity here is not connected to activity there, as with a set of pseudonyms. I might use “staringatemptypages” for most things, but have another pseudonym for my eBay transactions, and another for certain online discussions that I’d like to keep separate.
  4. Fully anonymous... no use is connected to any other use.
You can see where it might be useful for people not to know who you are, really, but to know when you comment today that you’re the same guy who commented last week. That’s the “semi-anonymous” state I was talking about.

Of course, since much of this isn’t really authenticated, I can post a blog comment as “weirdsnarkydude” today, and you can post one as “weirdsnarkydude” tomorrow. Some systems, of course, have some checks, so it varies. With some systems, for example, you can’t just snag a random pseudonym; you either log in, or you’re anonymous, and that prevents someone else from using my pseudonym.

There’s been some debate, as we’ve developed anti-spoofing standards for email, about what to do about anonymity there. The rough consensus — though, clearly, not everyone agrees — is that there are good reasons to be able to send anonymous email, and that will never go away. On the other hand, there’s probably a limited number of recipients for anonymous email. If a standard for digitally signing all email messages should ever pick up enough momentum that it were actually used widely enough, I’d probably be happy to reject all mail that wasn’t so identified, because I have no reason to get anonymous email. My congressman, on the other hand, probably should allow anonymous mail (but probably wouldn’t, because there’d be too much spam in the mix).

Anyway, that makes the point that while there are good reasons to support anonymity, not every application needs to allow it in all cases.

But even when we’re anonymous, are we really anonymous? Are our identities really hidden?

Back to the physical world for a moment: People engage in all manner of rude and illegal behaviour in their cars — behaviour they’d never do if they were face to face with someone. We do this because we perceive a sort of anonymity in our cars that we don’t have when we’re face to face. Yet we’re certainly not truly anonymous there: my car’s license plate makes me traceable (and if you think that only the police can trace that, maybe you’ll also believe my friend in Nigeria when he offers to send you millions of dollars).

That brings up a distinction between being identified or being anonymous... and being traceable or not. And most of what we do on the Internet is traceable.

If I should post a blog comment as “weirdsnarkydude”, no one would know who that was — at least before now — and no one would connect it to me. As far as you or I are concerned, it would be anonymous. But if, say, my comment made a threat (like, oh, say, Brent Caflisch did) and someone considered it sufficiently credible, the authorities could go to the host of the target blog and get the Internet address that the comment was posted from (probably with a court order for it). The address would tell them who was providing weirdsnarkydude’s Internet service, and a check with them — again, with a court order to help — should uncover weirdsnarkydude’s identity.

That information isn’t readily available to everyone, so we say that in my guise as weirdsnarkydude I’m anonymous. But because it’s available through this sort of search, we say that my activity as weirdsnarkydude is traceable.

It’s possible to be untraceable, or to make tracing arbitrarily difficult. One can engage an Internet Service Provider that doesn’t keep records — records that don’t exist can’t be demanded by the police or a court. Of course, a law could be written requiring all ISPs to keep those records. But then I could use an ISP in another country, which could flout that law. And so on — it becomes a sort of arms race.

There are also anonymizing services that reduce traceability as well. You can, for example, route your web browsing through a proxy service that can do a number of things, such as hiding your IP address (all proxies do that; the web server only sees the address of the proxy, not the address of the user of the browser), removing referrer information, and lying about browser-version information. If the service does a good job — and, as above, does not keep records linking your Internet address to your activity — what you do will not be readily traced, even by motivated officials with court orders.

There are drawbacks to using an anonymizing proxy. Many web sites won’t work without browser “cookies” and those cookies can hold the information needed to identify and/or trace you anyway. And some web sites won’t work if you’re using a proxy at all (in my opinion, such web sites are broken, since there are perfectly sensible reasons to use proxies, quite apart from this discussion).

How much of this you do depends upon how much you want to hide, and how much you care about staying hidden.


lidija said...

I just went on a tirade about internet privacy last night and got a bit excited (miffed) about some trends. Whether or not one has a need/want to hide, I wish there still were an option of privacy, which, as you point out, there isn't all the time.

Michael Froomkin said...

You might be interested in my paper on anonymity, which sets out a slightly different 4-part typology: Anonymity and its Enmities.

(a shorter, updated version, with less on the typology is here)

-Michael Froomkin

voytek said...

There are so many issues regarding email. Sometimes you want to send an email anonymously so the recipient cannot tell who you are. Sometimes you want the recipient to know who you are but do not want anyone else to know you sent him an email. Other times you may not care who knows who you are talking to as long as they do not know what you are saying.

There is a whole website devoted to this topic at They even offer a free service for sending anonymous emails that are (nearly) untraceable.