Anonymity and Accountability

Web Server Talk > WebserverTalk Community > Anonymous Servers > Anonymity and Accountability

Pages (2): [1] 2 »

Last Thread Next Thread Next

Anonymity and Accountability

Thomas J. Boschloo

01-15-06 10:46 PM

Source: <http://www.schneier.com/crypto-gram-0601.html#1>

In a recent essay, Kevin Kelly warns of the dangers of anonymity. It's
OK in small doses, he maintains, but too much of it is a problem: "(I)n
every system that I have seen where anonymity becomes common, the system
fails. The recent taint in the honor of Wikipedia stems from the extreme
ease which anonymous declarations can be put into a very visible public
record. Communities infected with anonymity will either collapse, or
shift the anonymous to pseudo-anonymous, as in eBay, where you have a
traceable identity behind an invented nickname."

Kelly has a point, but it comes out all wrong. Anonymous systems are
inherently easier to abuse and harder to secure, as his eBay example
illustrates. In an anonymous commerce system -- where the buyer does not
know who the seller is and vice versa -- it's easy for one to cheat the
other. This cheating, even if only a minority engaged in it, would
quickly erode confidence in the marketplace, and eBay would be out of
business. The auction site's solution was brilliant: a feedback system
that attached an ongoing "reputation" to those anonymous user names, and
made buyers and sellers accountable for their actions.

And that's precisely where Kelly makes his mistake. The problem isn't
anonymity; it's accountability. If someone isn't accountable, then
knowing his name doesn't help. If you have someone who is completely
anonymous, yet just as completely accountable, then -- heck, just call
him Fred.

History is filled with bandits and pirates who amass reputations without
anyone knowing their real names.

EBay's feedback system doesn't work because there's a traceable identity
behind that anonymous nickname. EBay's feedback system works because
each anonymous nickname comes with a record of previous transactions
attached, and if someone cheats someone else then everybody knows it.

Similarly, Wikipedia's veracity problems are not a result of anonymous
authors adding fabrications to entries. They're an inherent property of
an information system with distributed accountability. People think of
Wikipedia as an encyclopedia, but it's not. We all trust Britannica
entries to be correct because we know the reputation of that company,
and by extension its editors and writers. On the other hand, we all
should know that Wikipedia will contain a small amount of false
information because no particular person is accountable for accuracy --
and that would be true even if you could mouse over each sentence and
see the name of the person who wrote it.

Historically, accountability has been tied to identity, but there's no
reason why it has to be so. My name doesn't have to be on my credit
card. I could have an anonymous photo ID that proved I was of legal
drinking age. There's no reason for my e-mail address to be related to
my legal name.

This is what Kelly calls pseudo-anonymity. In these systems, you hand
your identity to a trusted third party that promises to respect your
anonymity to a limited degree. For example, I have a credit card in
another name from my credit-card company. It's tied to my account, but
it allows me to remain anonymous to merchants I do business with.

The security of pseudo-anonymity inherently depends on how trusted that
"trusted third party" is. Depending on both local laws and how much
they're respected, pseudo-anonymity can be broken by corporations, the
police or the government. It can be broken by the police collecting a
whole lot of information about you, or by ChoicePoint collecting
billions of tiny pieces of information about everyone and then making
correlations. Pseudo-anonymity is only limited anonymity. It's anonymity
from those without power, and not from those with power. Remember that
anon.penet.fi couldn't stay up in the face of government.

In a perfect world, we wouldn't need anonymity. It wouldn't be necessary
for commerce, since no one would ostracize or blackmail you based on
what you purchased. It wouldn't be necessary for internet activities,
because no one would blackmail or arrest you based on who you
corresponded with or what you read. It wouldn't be necessary for AIDS
patients, members of fringe political parties or people who call suicide
hotlines. Yes, criminals use anonymity, just like they use everything
else society has to offer. But the benefits of anonymity -- extensively
discussed in an excellent essay by Gary T. Marx -- far outweigh the risks.

In Kelly's world -- a perfect world -- limited anonymity is enough
because the only people who would harm you are individuals who cannot
learn your identity, and not those in power who can.

We do not live in a perfect world. We live in a world where information
about our activities -- even ones that are perfectly legal -- can easily
be turned against us. Recent news reports have described a student being
hounded by his college because he said uncomplimentary things in his
blog, corporations filing SLAPP lawsuits against people who criticize
them, and people being profiled based on their political speech.

We live in a world where the police and the government are made up of
less-than-perfect individuals who can use personal information about
people, together with their enormous power, for imperfect purposes.
Anonymity protects all of us from the powerful by the simple measure of
not letting them get our personal information in the first place.

This essay originally appeared in Wired:
<http://www.wired.com/news/columns/0,70000-0.html>

Kelly's original essay:
<http://www.edge.org/q2006/q06_4.html>

Gary T. Marx on anonymity:
<http://web.mit.edu/gtmarx/www/anon.html>

[ Post a follow-up to this message ]