[WG-InfoSharing] [Fwd: Anonymity from CRYPTO-GRAM, February 15, 2010]

Judi Clark coach at digitalIDcoach.com
Mon Feb 15 18:52:49 EST 2010


Anonymity is a topic of interest to our current meeting discussions.

Also fwiw, a following bit of news on Facebook employees and privacy,
and a brief, amusing video.

  judi

-------- Original Message --------
Subject: 	CRYPTO-GRAM, February 15, 2010
Date: 	Mon, 15 Feb 2010 00:55:12 -0600
From: 	Bruce Schneier <schneier at SCHNEIER.COM>
To: 	CRYPTO-GRAM-LIST at LISTSERV.MODWEST.COM


...

     Anonymity and the Internet

Universal identification is portrayed by some as the holy grail of 
Internet security. Anonymity is bad, the argument goes; and if we 
abolish it, we can ensure only the proper people have access to their 
own information. We'll know who is sending us spam and who is trying to 
hack into corporate networks. And when there are massive 
denial-of-service attacks, such as those against Estonia or Georgia or 
South Korea, we'll know who was responsible and take action accordingly.

The problem is that it won't work. Any design of the Internet must allow 
for anonymity. Universal identification is impossible. Even attribution 
-- knowing who is responsible for particular Internet packets -- is 
impossible. Attempting to build such a system is futile, and will only 
give criminals and hackers new ways to hide.

Imagine a magic world in which every Internet packet could be traced to 
its origin. Even in this world, our Internet security problems wouldn't 
be solved. There's a huge gap between proving that a packet came from a 
particular computer and that a packet was directed by a particular 
person. This is the exact problem we have with botnets, or pedophiles 
storing child porn on innocents' computers. In these cases, we know the 
origins of the DDoS packets and the spam; they're from legitimate 
machines that have been hacked. Attribution isn't as valuable as you 
might think.

Implementing an Internet without anonymity is very difficult, and causes 
its own problems. In order to have perfect attribution, we'd need 
agencies -- real-world organizations -- to provide Internet identity 
credentials based on other identification systems: passports, national 
identity cards, driver's licenses, whatever. Sloppier identification 
systems, based on things such as credit cards, are simply too easy to 
subvert. We have nothing that comes close to this global identification 
infrastructure. Moreover, centralizing information like this actually 
hurts security because it makes identity theft that much more profitable 
a crime.

And realistically, any theoretical ideal Internet would need to allow 
people access even without their magic credentials. People would still 
use the Internet at public kiosks and at friends' houses. People would 
lose their magic Internet tokens just like they lose their driver's 
licenses and passports today. The legitimate bypass mechanisms would 
allow even more ways for criminals and hackers to subvert the system.

On top of all this, the magic attribution technology doesn't exist. Bits 
are bits; they don't come with identity information attached to them. 
Every software system we've ever invented has been successfully hacked, 
repeatedly. We simply don't have anywhere near the expertise to build an 
airtight attribution system.

Not that it really matters. Even if everyone could trace all packets 
perfectly, to the person or origin and not just the computer, anonymity 
would still be possible. It would just take one person to set up an 
anonymity server. If I wanted to send a packet anonymously to someone 
else, I'd just route it through that server. For even greater anonymity, 
I could route it through multiple servers. This is called onion routing 
and, with appropriate cryptography and enough users, it adds anonymity 
back to any communications system that prohibits it.

Attempts to banish anonymity from the Internet won't affect those savvy 
enough to bypass it, would cost billions, and would have only a 
negligible effect on security. What such attempts would do is affect the 
average user's access to free speech, including those who use the 
Internet's anonymity to survive: dissidents in Iran, China, and elsewhere.

Mandating universal identity and attribution is the wrong goal. Accept 
that there will always be anonymous speech on the Internet. Accept that 
you'll never truly know where a packet came from. Work on the problems 
you can solve: software that's secure in the face of whatever packet it 
receives, identification systems that are secure enough in the face of 
the risks. We can do far better at these things than we're doing, and 
they'll do more to improve security than trying to fix insoluble problems.

The whole attribution problem is very similar to the 
copy-protection/digital-rights-management problem. Just as it's 
impossible to make specific bits not copyable, it's impossible to know 
where specific bits came from. Bits are bits. They don't naturally come 
with restrictions on their use attached to them, and they don't 
naturally come with author information attached to them. Any attempts to 
circumvent this limitation will fail, and will increasingly need to be 
backed up by the sort of real-world police-state measures that the 
entertainment industry is demanding in order to make copy-protection 
work. That's how China does it: police, informants, and fear.

Just as the music industry needs to learn that the world of bits 
requires a different business model, law enforcement and others need to 
understand that the old ideas of identification don't work on the 
Internet. For good or for bad, whether you like it or not, there's 
always going to be anonymity on the Internet.

This essay originally appeared in Information Security, as part of a 
point/counterpoint with Marcus Ranum.  You can read Marcus's response 
below my essay.
http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1380347,00.html 
or http://tinyurl.com/ydvm725

Comments that anonymity is bad:
http://www.theregister.co.uk/2009/10/16/kaspersky_rebukes_net_anonymity/ 
or http://tinyurl.com/yknbuh2
http://curiouscapitalist.blogs.time.com/2010/01/30/drivers-licenses-for-the-internet/ 
or http://tinyurl.com/yfjg7up

Storing child porn on innocents' computers:
http://www.huffingtonpost.com/2009/11/09/internet-virus-frames-use_n_350426.html 
or http://tinyurl.com/yg8jaka

Onion routing:
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci775657,00.html?int=off 
or http://tinyurl.com/y9onwrt


** *** ***** ******* *********** *************

     News

...
I don't know if this discussion of privacy violations by Facebook 
employees is real, but it seems perfectly reasonable that all of 
Facebook is stored in a huge database that someone with the proper 
permissions can access and modify.  And it also makes sense that 
developers and others would need the ability to assume anyone's identity.
http://therumpus.net/2010/01/conversations-about-the-internet-5-anonymous-facebook-employee/?full=yes 
or http://tinyurl.com/yaxu5j5


Finally:

Not relevant but funny:

Deconfliction: this is well worth watching.
http://www.youtube.com/watch?v=g39xIewgGaM


-- 
 Judi Clark, Digital ID Coach          coach at digitalIDcoach.com
 Helping you pull yourself together   http://digitalIDcoach.com
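
The onion routing mentioned in the forwarded essay, as an added example that is not part of the original message or the newsletter: the sender wraps a message in one encrypted layer per relay, and each relay can remove only its own layer and learn only the next hop. The relay names, the pre-shared per-relay keys and the toy SHA-256/HMAC cipher are assumptions made for illustration; a real system negotiates keys with each relay and uses a vetted AEAD.

```python
import hashlib, hmac, json, os

def keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream; a real relay would use a vetted AEAD.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC with separate subkeys derived from the hop key.
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer not addressed to this relay, or tampered with")
    return bytes(a ^ b for a, b in zip(ct, keystream(ek, nonce, len(ct))))

def wrap(message, destination, path):
    # Build the onion from the inside out: the last relay's layer is innermost.
    next_hop, payload = destination, message
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        next_hop, payload = name, seal(key, layer)
    return next_hop, payload  # first relay to contact, and the full onion

def peel(key, blob):
    # What one relay does: remove its own layer, learn only the next hop.
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(first_hop, onion, relay_keys):
    # Simulate the network; each entry in seen is all one relay learns about routing.
    hop, blob, seen = first_hop, onion, []
    while hop in relay_keys:
        nxt, blob = peel(relay_keys[hop], blob)
        seen.append((hop, nxt))
        hop = nxt
    return hop, blob, seen

# Constructed relay names and keys (hypothetical, for illustration only).
PATH = [(n, hashlib.sha256(n.encode()).digest()) for n in ("relay-a", "relay-b", "relay-c")]

if __name__ == "__main__":
    first, onion = wrap(b"hello", "recipient.example", PATH)
    print(route(first, onion, dict(PATH)))
```

Only the last relay sees the destination and only the first sees the sender, which is why tracing a packet to the machine that emitted it does not identify who wrote it.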


