Slashdot Mirror
Anonymity on the Internet
Enoch Root was the first to submit a new briefing paper on internet anonymity, published by the libertarian Cato Institute and written by Jonathan Wallace. Wallace cites Supreme Court cases and important historical precedents in favor of anonymity - "Given the importance of anonymity as a component of free speech, the cost of banning anonymous Internet speech would be enormous."
It sounds like his argument could apply to the earlier article about color copies as well. If I ever decide to hand out pamphlets that could be considered "subversive" by anyone in the gov't, I'll be sure to make them black and white. :)
Seriously, though, this seems to be completely the opposite view of the police and FBI. They use every means at their disposal to track down someone whom they consider to be a suspect. They will even do things that they know are illegal and would not stand up in court (i.e. wiretapping without a warrant) to gather information on the suspect so they can find out how to get legal evidence so that they can get a warrant/make an arrest.
These two viewpoints, while each has obvious merit and obvious failings when taken to extremes, need to be met with some kind of compromise. As it stands now, the only compromise is that the technically savvy can have anonymity and the technically ignorant masses get to have their privacy violated.
Anonymity *can* work. Check out Freedom for one example. Proxying is the way to go - non-logging proxies, that is. Does this impede law enforcement? Yes, but only if they're very stupid and don't know what a packet sniffer is.
Another thing about anonymity - I can run off 100 copies of a position I hold against our Governor, which in this case is Ventura (I live in MN) and post it up across the twin cities - anonymously. To do this on the internet, I can use a service like Freedom. There are plenty of alternatives with equal functionality (so don't think I'm plugging /just/ this product), however.
Anonymity isn't dead... the problem is that modern media has the collective intelligence of a lobotomized flatworm... *sigh* it's very easy to cover your tracks... if it wasn't so-called "hacking" (it's cracking, ppl!) would be impossible.
There are a few degrees/varieties of anonymity, though, and, in my mind, corresponding degrees of credibility:
- "Anonymous Coward" clearly says that you aren't willing to identify yourself. I don't know who you are, and I don't even know what other postings might be yours. AC postings have low credibility, in my view.
- A pseudonym that isn't obviously a pseudonym (e.g. posting as "Phil Jones" when that isn't your name) implies a real identity that isn't there. It may be a fictitious identity, or it may be someone else's stolen identity. Either way, the implicit deception leads me to question the credibility of such a person.
- An obviously pseudonymous account establishes an identity (the Mendax Veritas who posted this is presumably the same person or group who posted previous Mendax Veritas messages), but does not provide you with a link back to the real person. (One can be obtained by court order or corporate espionage, but the average citizen can't get it, which is good enough for most purposes.) Credibility can be determined by the poster's history; if I've made sense before, maybe I'm making sense now. This strikes me as more honest than a seemingly-real identity.
With this in mind, my answer is, yes, people should be able to say things without being too easily held accountable for them. Sometimes it just isn't safe to let your identity be known; the death squads, the political police, or your employer may not approve. Or you may find yourself getting sued not because your claims are false, but as an attempt to silence you.As the Cato article observes, auctorial anonymity has a long and distinguished history. It would be a shame to effectively lose it simply because public discourse moves from the print domain to the internet.
I was working on building a good anonymous remailer system a few years ago. The idea would be to distribute the anonymizing effect over as many systems as possible, while denying each system in the chain the ability to work out where the message was coming from or where it was going to. There are several variations on this theme, and a couple of implementations of things close to it.
I stopped working on it when it occurred to me that there were people in the world who would probably put up $50k or more to help me build such a system: terrorist organizations, people plotting to kill someone, street gangs, Hells Angels, etc.
I decided I would stop work on it until I figured out whether or not it was a good idea. I still haven't figured it out.
I'm a Cato sponsor. Depending on one's sponsorship level (read: donations), we receive these. Cato publishes these sorts of briefings all the time. Typically they try to cover issues of the day from a libertarian/free-market perspective. The Internet is a hotbed of both libertarian and statist/regulatory action. Recent relevant briefings cover important policy issues like the need for strong cryptography, non-American encryption products, and the negative effect of corporate welfare on Silicon Valley.
There's an awful lot in the world of regulation that has nothing to do with tech. Cato is at the forefront of exploring free-market alternatives to social security, term limits, welfare reform, and lots and lots of other important topics. As a person closely involved with technology, I'm not always up on these other issues. Cato briefings provide some intellectual ammunition when these non-tech things come up. Lots of people with a libertarian bent come at it from other perspectives - like, say, a pro-laissez-faire-business or a free trade focus. They might not have thought privacy and anonymity issues through. I'm not influential, but maybe some of the people I talk to are. At worst, Cato papers tend to be well thought out and researched; suitable for distribution to and consumption by people who need an alternate viewpoint. Like my congressman.Who really needs one.
I assume Cato sends these to relevant policymakers too; I don't know. Cato staffmembers show up all the time on the political talk show circuit, op-ed columns, etc.
I am unaware of any current law or proposed law forbidding anonymity on the Internet. Their case seems largely built on an obviously unconstitutional (and technologically illiterate) law in Georgia which was immediately struck down by courts, an article in Communication Daily about some cops' wish list for the 'Net and by a quote, taken heavily out of context, from a justice department official.
/. handle. Most cops also want the Miranda decision overturned, and probably would mind some weaker protections regarding the rights of prisoners, probationers and juveniles - that doesn't mean it's going to happen.
(BTW, here is the quote in it's entirety. I found it in the endnotes:
"I think we are perilously close to a lose-lose situation in which citizens have lost their privacy to commercial interests and criminals have easy access to absolute anonymity." -- Justice Dept prosecutor Phillip Reitinger
This is hardly the statist plea to end anonymity that the author makes it out to be - the concern is legitimate. Reitinger is lamenting the loss of anonymity as much as deploring its drawbacks.)
I have difficulty seeing what kind of law could ban anonymity. As the author points out, "Laws requiring the disclosure of identity in cyberspace would require far-reaching changes in Internet technology." The current political climate makes that unlikely, nor are the courts in the US likely to put up with it.
Conceivably, a law could ban IP spoofing (probably not a bad idea) and anonymous remailers (probably a bad idea, but not the end of the world.) The people who would most suffer would not be those with controvertial ideas to disseminate.
Yes, police tend to be paranoid about anything they can't control and some cops have stupid ideas about how the 'Net ought to work, but that doesn't mean the government is about to come swoop down and take away your
This is like the constant rumours that the FCC wants to regulate the Internet - juicy right-wing government conspiracy theories.
ISP's don't let you sign up anonymously for accounts - not if they want to get paid - and if police trace you back to your ISP they will bend over backwards to tell the cops who you are. ISP's have an interest in rooting out spam, and often try to trace anonymous messages back to their source. If you have lost your anonymity on the 'Net these days, it's not the government that did it to you.
I would think the Cato Institute would fight to the death for companies' freedom to deprive you of anonymity. Perhaps the Cato Institute is taking the distinctly anti-libertarian stance that ISP's should be required to provide you with anonymity, or perhaps they are trying to defend the right of spammers to use communication lines without permission of the owners.
Don';t let this strawman argument get you riled up against a problem that doesn't really exist.
Take any public web service, for example. How anonymous are you? Really?
Answer: Depends on what you call anonymous. If you mean "will another casual reader be able to see where I am", the answer is probably no, so in that sense, I suppose you are anonymous.
On the other hand, the web logs are available to the web master, along with any person who knows what vulnerabilities exist and how to exploit them.
Then, of course, there are packet sniffers, that can monitor everything that passes through a given segment of the Internet.
Many language labs have software for analysing text, to look for similarities in style. In the hands of a wannabe-PI, these could be used to track all the boards you write on, your views and the times you typically write. This can give someone a VERY good profile of you, and a likely line of longitude.
Anonymous remailers get busted weekly, so those don't protect anyone. Even the "better" ones have either been shut down, raided or both.
Proxies only shed the IP, and are only effective if they block traceroutes and pings (including TCP pings). Even then, time-frame analysis, content analysis and correlation between boards can give a good idea as to where you are.
Of course, proxies are useless if they don't protect the packet. Even if encrypted, when going into the proxy, the stream going in and the stream going out only need to be correlated ONCE for your identity to be revealed.
You also have to secure the network between you and the proxy, decently. Someone only has to do a man-in-the-middle attack, by DNS spoofing & telling the Internet that their computer is the proxy, rather than the real one, and all the IP-laden packets will float straight to them.
Of course, none of this is really necessary, if you haven't secured your computer. A portscan of every computer in the US isn't going to take long, on a decent machine. If it was a serious corporate or Government move, you can assume they'd have high-power machines in each State, making it possible to waltz into any computer, ANYWHERE in the US, in a very short span of time.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
-------------------------------------------------- --------------- --------------
I mean, if ACs are being censored, God knows what else they're censoring.
-------------------------------------------------
Long live ACs on Slashdot!
Actually, there's very little new in this paper, although the presentation is very snappy, and the PR blitz is impressive, verging on excessive (I've seen this announcement about 15 times on various lists today).
For a much more detailed, and perhaps more tedious, look at law and anonymity issues, see my paper Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases (1996), which discusses the cryptographic foundations of anonymity, and the legal issues it raises. You may also be interested in my 1996 paper on the Clipper Chip, which discusses whether a legal restrictions on crypto use would be consitutional.
Hmmm. Maybe next time I write a paper I should issue a press release? (No, I know, I should write shorter papers....)
A. Michael Froomkin,
U. Miami School of Law,POB 248087
Coral Gables, FL 33124,USA
I have a blog.