Anonymous Servers - Anonymity and Accountability


Author Anonymity and Accountability
Thomas J. Boschloo

2006-01-15, 5:46 pm

Source: <http://www.schneier.com/crypto-gram-0601.html#1>

In a recent essay, Kevin Kelly warns of the dangers of anonymity. It's
OK in small doses, he maintains, but too much of it is a problem: "(I)n
every system that I have seen where anonymity becomes common, the system
fails. The recent taint in the honor of Wikipedia stems from the extreme
ease which anonymous declarations can be put into a very visible public
record. Communities infected with anonymity will either collapse, or
shift the anonymous to pseudo-anonymous, as in eBay, where you have a
traceable identity behind an invented nickname."

Kelly has a point, but it comes out all wrong. Anonymous systems are
inherently easier to abuse and harder to secure, as his eBay example
illustrates. In an anonymous commerce system -- where the buyer does not
know who the seller is and vice versa -- it's easy for one to cheat the
other. This cheating, even if only a minority engaged in it, would
quickly erode confidence in the marketplace, and eBay would be out of
business. The auction site's solution was brilliant: a feedback system
that attached an ongoing "reputation" to those anonymous user names, and
made buyers and sellers accountable for their actions.

And that's precisely where Kelly makes his mistake. The problem isn't
anonymity; it's accountability. If someone isn't accountable, then
knowing his name doesn't help. If you have someone who is completely
anonymous, yet just as completely accountable, then -- heck, just call
him Fred.

History is filled with bandits and pirates who amass reputations without
anyone knowing their real names.

EBay's feedback system doesn't work because there's a traceable identity
behind that anonymous nickname. EBay's feedback system works because
each anonymous nickname comes with a record of previous transactions
attached, and if someone cheats someone else then everybody knows it.

Similarly, Wikipedia's veracity problems are not a result of anonymous
authors adding fabrications to entries. They're an inherent property of
an information system with distributed accountability. People think of
Wikipedia as an encyclopedia, but it's not. We all trust Britannica
entries to be correct because we know the reputation of that company,
and by extension its editors and writers. On the other hand, we all
should know that Wikipedia will contain a small amount of false
information because no particular person is accountable for accuracy --
and that would be true even if you could mouse over each sentence and
see the name of the person who wrote it.

Historically, accountability has been tied to identity, but there's no
reason why it has to be so. My name doesn't have to be on my credit
card. I could have an anonymous photo ID that proved I was of legal
drinking age. There's no reason for my e-mail address to be related to
my legal name.

This is what Kelly calls pseudo-anonymity. In these systems, you hand
your identity to a trusted third party that promises to respect your
anonymity to a limited degree. For example, I have a credit card in
another name from my credit-card company. It's tied to my account, but
it allows me to remain anonymous to merchants I do business with.

The security of pseudo-anonymity inherently depends on how trusted that
"trusted third party" is. Depending on both local laws and how much
they're respected, pseudo-anonymity can be broken by corporations, the
police or the government. It can be broken by the police collecting a
whole lot of information about you, or by ChoicePoint collecting
billions of tiny pieces of information about everyone and then making
correlations. Pseudo-anonymity is only limited anonymity. It's anonymity
from those without power, and not from those with power. Remember that
anon.penet.fi couldn't stay up in the face of government.

In a perfect world, we wouldn't need anonymity. It wouldn't be necessary
for commerce, since no one would ostracize or blackmail you based on
what you purchased. It wouldn't be necessary for internet activities,
because no one would blackmail or arrest you based on who you
corresponded with or what you read. It wouldn't be necessary for AIDS
patients, members of fringe political parties or people who call suicide
hotlines. Yes, criminals use anonymity, just like they use everything
else society has to offer. But the benefits of anonymity -- extensively
discussed in an excellent essay by Gary T. Marx -- far outweigh the risks.

In Kelly's world -- a perfect world -- limited anonymity is enough
because the only people who would harm you are individuals who cannot
learn your identity, and not those in power who can.

We do not live in a perfect world. We live in a world where information
about our activities -- even ones that are perfectly legal -- can easily
be turned against us. Recent news reports have described a student being
hounded by his college because he said uncomplimentary things in his
blog, corporations filing SLAPP lawsuits against people who criticize
them, and people being profiled based on their political speech.

We live in a world where the police and the government are made up of
less-than-perfect individuals who can use personal information about
people, together with their enormous power, for imperfect purposes.
Anonymity protects all of us from the powerful by the simple measure of
not letting them get our personal information in the first place.

This essay originally appeared in Wired:
<http://www.wired.com/news/columns/0,70000-0.html>

Kelly's original essay:
<http://www.edge.org/q2006/q06_4.html>

Gary T. Marx on anonymity:
<http://web.mit.edu/gtmarx/www/anon.html>
Thomas J. Boschloo

2006-01-15, 5:46 pm

-----BEGIN PGP SIGNED MESSAGE-----

Thomas J. Boschloo wrote:
> Source: <http://www.schneier.com/crypto-gram-0601.html#1>


It should be obvious from the link that this essay was written by Bruce
Schneier, I should have put that in the subject field.

Thomas
- --
Robert Heinlein: "When in danger or in doubt, run in circles, scream and
shout"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----
Anonymous

2006-01-15, 5:47 pm

On Sun, 15 Jan 2006 17:13:43 +0100, Thomas J. Boschloo wrote:

> Source: <http://www.schneier.com/crypto-gram-0601.html#1>
>
>
> And that's precisely where Kelly makes his mistake. The problem isn't
> anonymity; it's accountability. If someone isn't accountable, then
> knowing his name doesn't help. If you have someone who is completely
> anonymous, yet just as completely accountable, then -- heck, just call
> him Fred.


Good observation. Why can't this be used with remailers, where somebody
who wants to use a remailer sends his public key to remailer-central,
which distributes it to the existing remailers?

When he posts through a chain of remailers, he signs his message with the
key, and the exit remailer checks its database of keys. If the signature
matches, the post is sent on to the m2n gateway or nntp server; otherwise
it's dropped.

Each post will have a header with the key id in it, encrypted to the key
of the exit remailer.

If the poster is a louse, his key can be identified and yanked by the
operator of the exit remailer and the information sent to remailer-central
which will tell all of the remailers to yank that key.

He remains completely anonymous, but accountable.



> This essay originally appeared in Wired:
> <http://www.wired.com/news/columns/0,70000-0.html>
>
> Kelly's original essay:
> <http://www.edge.org/q2006/q06_4.html>
>
> Gary T. Marx on anonymity:
> <http://web.mit.edu/gtmarx/www/anon.html>


-=-
This message was sent via two or more anonymous remailing services.




Thomas Hühn

2006-01-15, 5:47 pm

On 15 Jan 2006 18:48:53 -0000, Anonymous wrote:

> On Sun, 15 Jan 2006 17:13:43 +0100, Thomas J. Boschloo wrote:
>
>
> Good observation. Why can't this be used with remailers, where somebody
> who wants to use a remailer sends his public key to remailer-central,
> which distributes it to the existing remailers?
>
> When he posts through a chain of remailers, he signs his message with the
> key, and the exit remailer checks its database of keys. If the signature
> matches, the post is sent on to the m2n gateway or nntp server; otherwise
> it's dropped.
>
> Each post will have a header with the key id in it, encrypted to the key
> of the exit remailer.
>
> If the poster is a louse, his key can be identified and yanked by the
> operator of the exit remailer and the information sent to remailer-central
> which will tell all of the remailers to yank that key.
>
> He remains completely anonymous, but accountable.


Doesn't change a thing. He can upload a new key to the central server
immediately. Or he can upload thousands of keys.

I've been playing with the idea of requiring hashcash, not per message, but
per "identity". Require a hashcash string that takes weeks (or even months)
to create. Then you have a totally anonymous "identity", but you cannot
get many of them in quick succession.

It's not perfect, though, for obvious reasons.

I've heard that Microsoft has a patented method, that isn't CPU-intensive,
but memory-subsystem-bandwidth-intensive, which makes the differences
between older and newer computers smaller.

Thomas
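
The per-identity hashcash idea from the post above, as an added example (not code from the thread or from any remailer software). The token format, SHA-256, the `ExitRemailer` class and the difficulty value are assumptions; the signature check from the original proposal is left out.

```python
import hashlib
from itertools import count

# Assumed token format (not from the thread): "<key fingerprint>:<nonce>".
# A token is valid when SHA-256(token) begins with at least `bits` zero bits.

def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the front of a digest."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n

def work_in(token: str) -> int:
    """Amount of work (in zero bits) that a token proves."""
    return leading_zero_bits(hashlib.sha256(token.encode()).digest())

def mint_identity(fingerprint: str, bits: int) -> str:
    """Brute-force a nonce; expected cost is about 2**bits hashes."""
    for nonce in count():
        token = f"{fingerprint}:{nonce}"
        if work_in(token) >= bits:
            return token

def sybil_cost(identities: int, bits: int) -> int:
    """Expected hashes to hold a pool of identities: linear in pool size."""
    return identities * 2 ** bits

class ExitRemailer:
    """Hypothetical exit node: one hash to verify, a set lookup to reject."""
    def __init__(self, required_bits: int):
        self.required_bits = required_bits
        self.revoked = set()  # fingerprints yanked for abuse

    def accept(self, token: str) -> bool:
        fingerprint, sep, nonce = token.partition(":")
        if not (fingerprint and sep and nonce.isdigit()):
            return False                      # malformed token
        if fingerprint in self.revoked:
            return False                      # identity was yanked
        return work_in(token) >= self.required_bits

    def revoke(self, token: str) -> None:
        self.revoked.add(token.partition(":")[0])

if __name__ == "__main__":
    BITS = 16  # demo difficulty; "weeks" of work would need far more bits
    # Constructed fingerprints standing in for two freshly generated keys.
    key_a = hashlib.sha1(b"constructed key A").hexdigest()
    key_b = hashlib.sha1(b"constructed key B").hexdigest()
    exit_node = ExitRemailer(BITS)
    token_a = mint_identity(key_a, BITS)
    print("accepted:", exit_node.accept(token_a))
    exit_node.revoke(token_a)
    print("after revocation:", exit_node.accept(token_a))
    # A new key gets back in only by paying the full minting cost again.
    print("new identity:", exit_node.accept(mint_identity(key_b, BITS)))
    print("expected hashes for 200 identities:", sybil_cost(200, BITS))
```
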
privacy.at Anonymous Remailer

2006-01-15, 5:47 pm


admin <admin@eelbash.org> wrote:

> Good observation. Why can't this be used with remailers, where somebody


SHUT UP EELBASH!
Zax

2006-01-15, 5:47 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 15 Jan 2006 18:48:53 -0000, Anonymous wrote in
Message-Id: <0E41ZU4638732.5756134259@anonymous>:

> Good observation. Why can't this be used with remailers, where somebody
> who wants to use a remailer sends his public key to remailer-central,
> which distributes it to the existing remailers?


http://en.wikipedia.org/wiki/User:Lunkwill/nym

This solution is currently being used by wikipedia to allow Tor users to
edit entries whilst being accountable for what they do. It's very
similar to what you are describing.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

-----END PGP SIGNATURE-----

--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>

Anonymous

2006-01-15, 8:46 pm

In article <0E41ZU4638732.5756134259@anonymous>
Anonymous <BigappleRemailer@bigapple.yi.org> wrote:
>
> Good observation. Why can't this be used with remailers, where somebody
> who wants to use a remailer sends his public key to remailer-central,
> which distributes it to the existing remailers?
>
> When he posts through a chain of remailers, he signs his message with the
> key, and the exit remailer checks its database of keys. If the signature
> matches, the post is sent on to the m2n gateway or nntp server; otherwise
> it's dropped.
>
> Each post will have a header with the key id in it, encrypted to the key
> of the exit remailer.
>
> If the poster is a louse, his key can be identified and yanked by the
> operator of the exit remailer and the information sent to remailer-central
> which will tell all of the remailers to yank that key.
>
> He remains completely anonymous, but accountable.


No, he doesn't remain anonymous because there is a key that identifies
all of his messages as from one person. Remailers provide anonymity,
which includes not being able to connect one post/email to another
post/email.

If you want an identifiable persona, use a nym server.









pink helicopters

2006-01-16, 5:48 pm

>I've heard that Microsoft has
>a patented method


Microsoft. Right...



Thrasher Remailer

2006-01-16, 5:48 pm

In <0E41ZU4638732.5756134259@anonymous>, BigappleRemailer@bigapple.yi.org wrote:
>On Sun, 15 Jan 2006 17:13:43 +0100, Thomas J. Boschloo wrote:
>
>
>Good observation. Why can't this be used with remailers, where somebody
>who wants to use a remailer sends his public key to remailer-central,
>which distributes it to the existing remailers?
>
>When he posts through a chain of remailers, he signs his message with the
>key, and the exit remailer checks its database of keys. If the signature
>matches, the post is sent on to the m2n gateway or nntp server; otherwise
>it's dropped.
>
>Each post will have a header with the key id in it, encrypted to the key
>of the exit remailer.
>
>If the poster is a louse, his key can be identified and yanked by the
>operator of the exit remailer and the information sent to remailer-central
>which will tell all of the remailers to yank that key.
>
>He remains completely anonymous, but accountable.
>



What's to keep me from creating a couple hundred keys and using them randomly from a pool?

... Nothing.

Stupid idea eelbash!



Thrasher Remailer

2006-01-16, 5:48 pm

In <0E41ZU4638732.5756134259@anonymous>, BigappleRemailer@bigapple.yi.org wrote:
>On Sun, 15 Jan 2006 17:13:43 +0100, Thomas J. Boschloo wrote:
>
>
>Good observation. Why can't this be used with remailers, where somebody
>who wants to use a remailer sends his public key to remailer-central,
>which distributes it to the existing remailers?
>
>When he posts through a chain of remailers, he signs his message with the
>key, and the exit remailer checks its database of keys. If the signature
>matches, the post is sent on to the m2n gateway or nntp server; otherwise
>it's dropped.
>
>Each post will have a header with the key id in it, encrypted to the key
>of the exit remailer.
>
>If the poster is a louse, his key can be identified and yanked by the
>operator of the exit remailer and the information sent to remailer-central
>which will tell all of the remailers to yank that key.
>
>He remains completely anonymous, but accountable.
>
>


Another stupid idea brought to you by Eelbash the Remailer-Hater


SHUT UP EELBASH!


A.Melon

2006-01-16, 5:48 pm

On Mon, 16 Jan 2006 16:04:31 +0000, Thrasher Remailer wrote:

> In <0E41ZU4638732.5756134259@anonymous>, BigappleRemailer@bigapple.yi.org
> wrote:
>
> What's to keep me from creating a couple hundred keys and using them
> randomly from a pool?
>
> .. Nothing.


Is it possible to create keys robotically? How about if a 4096 bit key was
required? Or what about the idea someone else just mentioned, of requiring
a hashcash that takes days or weeks to create, but is reusable
indefinitely?


Thrasher Remailer

2006-01-16, 5:48 pm

On Sun, 15 Jan 2006 22:22:05 +0000, TwistyCreek wrote:

> Anonymous wrote:
>
>
> Because such a system is pseudonymous not anonymous. There's a very real
> difference that, if you can't comprehend, makes the two appear to be
> identical. Anonymous systems by definition transmit none of the sender's
> identifying characteristics. A digital signature *IS* an identifying
> characteristic, with some major flaws.... it can out the would be
> anonymous sender by the mere fact that a corresponding private component
> to a key pair is in their possession,


Good point. It does increase the possibility of the sender's identity
being discovered, but by how much? And how should that risk be balanced
against whatever benefits such a scheme provides for remailers in general?

> and it does little or nothing to
> thwart abuse by people who share keys.


You mean insane people get together when they do their anonymous remailing?

> It would also pose additional risk
> to users that have their keys compromised, and their integrity impugned by
> attackers that might abuse that "identity".


I can't see how this would happen or how it could last for long. And you
are mistaking the idea: it's not so that someone can establish an identity
in his posts - all signature information would be removed by the remailer
before the post was sent out; the idea is to make the poster accountable
if he is a louse, so that his key can be removed and he can no longer use
it to post.

>
> Besides, we already have pseudonymous systems in place. They're called
> Nym Servers, and I understand with Mixminion they will be even more
> secure. If you want to build a "reputation" for an alleged identity, use
> that method. It's what it's there for.


Creating an 'identity' was not what was being suggested.


Borked Pseudo Mailed

2006-01-16, 5:48 pm

Thrasher Remailer wrote:

>
> Good point. It does increase the possibility of the sender's identity
> being discovered, but by how much?


Enough to make the difference between anonymous and pseudonymous. Enough
to redefine the entire function of the remailer network.

> And how should that risk be balanced
> against whatever benefits such a scheme provides for remailers in general?


It shouldn't be "balanced" at all. Only a complete incompetent can't grasp
the simple fact that anonymous MEANS anonymous. Only a meddling fool would
suggest compromising the core functionality of a system to address a
problem that isn't even successfully addressed by their meddling.

>
> You mean insane people get together when they do their anonymous remailing?


You tell us. DO you have contact with other insane people?

>
> I can't see how this would happen or how it could last for long. And you


The concepts you fail to be able to wrap your brain around are quite
apparent. They have been for a very long time now. That utter failure
manifests itself in your idiotic "solutions" and legendary instability.
Things even people with only a casual interest in remailers have no choice
but to see by virtue of their amusing frequency.

>
> Creating an 'identity' was not what was being suggested.


Yes, it is. The fact that you fail to be able to grasp that truth only
belies your unsuitability to offer any sort of solution to begin with, or
be involved in any way.


Borked Pseudo Mailed

2006-01-16, 8:46 pm

A.Melon wrote:

>
> Is it possible to create keys robotically? How about if a 4096 bit key was


Of course it is. PGP/GnuPG themselves might be forced into it, and there's
a considerable number of wrappers and libraries for almost any programming
language you can imagine that would make coding something to spit out new
keys unattended a trivial thing.


Thrasher Remailer

2006-01-17, 2:48 am

In <GQEESX3A38734.1972569444@reece.net.au>, thrasher@reece.net.au wrote:
>On Sun, 15 Jan 2006 22:22:05 +0000, TwistyCreek wrote:
>
>
>Good point. It does increase the possibility of the sender's identity
>being discovered, but by how much? And how should that risk be balanced
>against whatever benefits such a scheme provides for remailers in general?
>
>
>You mean insane people get together when they do their anonymous remailing?
>
>
>I can't see how this would happen or how it could last for long. And you
>are mistaking the idea: it's not so that someone can establish an identity
>in his posts - all signature information would be removed by the remailer
>before the post was sent out; the idea is to make the poster accountable
>if he is a louse, so that his key can be removed and he can no longer use
>it to post.
>
>
>Creating an 'identity' was not what was being suggested.


but you see, that is the effect. if a black hat gets access to msgs before signatures are removed.. say by operating an exit with good stats, then it becomes possible to tie groups of posts together as being by the same author. also, it gives them a public key to look for the private half of, when they find it, the owner is toast.

better by far to have true anonymity


Thrasher Remailer

2006-01-17, 2:48 am

In article <GQEESX3A38734.1972569444@reece.net.au>
Thrasher Remailer <thrasher@reece.net.au> wrote:
>
> Good point. It does increase the possibility of the sender's identity
> being discovered, but by how much? And how should that risk be balanced
> against whatever benefits such a scheme provides for remailers in general?


Anonymous is anonymous. There are no benefits to reducing that.
Get a new hobby eelbash.

