Monday, March 06, 2006

The Futility of Anonymity

As a people, we place great value on our personal privacy. Very few of us would gladly accede to State scrutiny of our every move. This sentiment is captured by one of our revered Founders, on the eve of war with Britain:

Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God! I know not what course others may take; but as for me, give me liberty or give me death!

Closely related to privacy, many of us (myself included) are fascinated with anonymity and motivated to enable it. Though distinct, both rely on the ability to hide or obscure some information. Anonymity, like privacy, played an instrumental role in our nation's founding. But is anonymity real, or is it illusion? Is anonymity even possible? In particular, can anonymity exist on the Internet?

Whether anonymity might possibly be brought about, I cannot say. I would argue, though, that it has never really existed in the past. I doubt greatly that it will exist in the near future, either.

Why do I claim that anonymity has never existed? We will ignore, for this discussion, the variety of anonymity that results from an author's identity becoming lost through time. Nobody who wishes to benefit from anonymity has this in mind. What I claim is that true anonymity from our contemporaries is an illusion, because no work of authorship exists in a total vacuum. The authorship of The Federalist Papers is not known through the claims of its authors, but through their prominence as proponents of the Constitution and samples of their other writings. Even absent these, the articles were published in newspapers, and must have somehow been delivered. Even if under cover of darkness, the odds of avoiding all observation over the course of 85 articles are remote.

That aside, a letter might be printed anonymously by a newspaper, but that does not mean that it was received anonymously. The Washington Post, for instance, requires a name, address, and telephone number for letters, though names may be withheld on publication. Even unsolved murders have suspects: someone had motive; reputations abound; nobody knows the drifter's name, but they remember him and would recognize him. There is always speculation, whether or not there is proof.

In a society bound by the rule of law, and possessing rules and standards of evidence, a functional sort of anonymity might arise. If you cover your tracks well enough, you might escape official punishment. Social punishment, however, is another issue, and suspicion of wrong-doing is often enough to have a severe impact on an individual. If a crime or indiscretion is committed, and some individual "seems like the kind to do that," little else might be needed for community sanctions to be put into place.

Because there are people who are interested in anonymity, the problem has inevitably entered the electronic world, where it presents a special challenge that has attracted a great deal of technological interest. The fundamental difficulty with the network is that it carries data, which must be able to get from one location to another. This means that the intended recipient must somehow be specified, or the data sent in effect to every potential receiver in the world. An observation of this data reveals some or all of the path it takes, and over a large number of data transmissions, a determined adversary can learn a great deal about the data's origin. We can add to this the fact that our current network includes the origin of the data as a part of the transmission, though this can be forged without much difficulty, as long as a response is not required.

The exact origin of specific data can be obscured through various techniques. These generally involve the accumulation of a number of messages and their delayed transmission in random order, often with random "noise" data and simultaneous transmissions of data to receivers who have no interest in them but are participants in the "anonymizing" system. At best, these provide what is termed 1-out-of-n anonymity. That is, the sender (or receiver) of the data can be determined no better than belonging to a set of n individuals.

These systems rely on the honesty of the intermediaries (servers or other participants) storing and forwarding the data. While dishonest intermediaries can be accommodated, there is always an assumption about the maximum number that might be dishonest. This is unavoidable, and not necessarily a problem, so long as the assumption that is designed into the system holds. Because the assumption might be violated, we cannot say with certainty that the system is anonymous.

Setting aside the issue of honest participants, to what extent does such a system provide practical anonymity? The situation is very similar to whistle-blower hotlines. Calls to whistle-blower hotlines will show up in phone company logs; it is through law and convention that these calls maintain "anonymity." A warrant can negate this protection, however, and the existence of a whistle-blower is still only 1-out-of-n protection, since the set of people who could blow the whistle is limited. Thus there will be a set of suspects, and the difficulty of narrowing this down to a much smaller set will depend greatly on the circumstances.
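The three preceding paragraphs make claims that can be checked in a toy model: that batching and random reordering yield at best 1-out-of-n anonymity, that the guarantee depends on an assumption about how many intermediaries are honest, and that the set of n shrinks with circumstance, here the circumstance of who actually sends in each round. The simulation below is an added illustration, not part of the original essay or of any real anonymity system; the participant names, batch contents and the observer model (an observer who sees every link and knows the shuffle of each compromised mix) are constructed for it. It goes slightly beyond the text by contrasting a design with cover traffic against one without.

```python
"""
Toy model of a batching mix cascade: how large is the "1-out-of-n" set really?
All names, batches and the observer model below are constructed for this example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    dummy: bool = False  # cover traffic: a participant with nothing to say still sends


def push_through_cascade(batch, n_mixes, compromised, rng):
    """Send one batch through n_mixes mixes in series and return, for each message
    in its final output position, the set of senders a global observer cannot
    rule out. The observer watches every link and learns the shuffle of every
    mix whose id is in `compromised`; an honest mix's shuffle stays hidden."""
    current = list(batch)
    candidates = [{m.sender} for m in current]  # one candidate set per slot
    for mix_id in range(n_mixes):
        perm = list(range(len(current)))
        rng.shuffle(perm)  # the mix re-emits the batch in random order
        current = [current[j] for j in perm]
        if mix_id in compromised:
            candidates = [candidates[j] for j in perm]  # observer follows the shuffle
        else:
            everyone = set().union(*candidates)
            candidates = [set(everyone) for _ in perm]  # link broken: back to 1-of-n
    return {msg: cands for msg, cands in zip(current, candidates)}


def anonymity_set_size(batch, n_mixes, compromised, seed=0):
    """Size of the candidate set for the first message of `batch` after the cascade.
    It is n while at least one mix is honest and collapses to 1 when none is."""
    rng = random.Random(seed)
    return len(push_through_cascade(batch, n_mixes, compromised, rng)[batch[0]])


def senders_across_rounds(batches, rounds_of_interest):
    """Intersect the sender sets of the batches in which a message of interest
    travelled. Dummies are indistinguishable from real traffic on the wire, so
    every sender in a batch is a candidate; the set shrinks only when some
    participants sent nothing at all in some round."""
    sets = [{m.sender for m in batches[r]} for r in rounds_of_interest]
    return set.intersection(*sets)


PARTICIPANTS = ["alice", "bob", "carol", "dave", "eve"]  # constructed


def make_rounds(real_senders_per_round, cover_traffic):
    """Build one batch per round. With cover traffic every participant sends each
    round (a dummy if they have nothing real); without it only real senders do."""
    batches = []
    for real in real_senders_per_round:
        if cover_traffic:
            batch = [Message(p, dummy=p not in real) for p in PARTICIPANTS]
        else:
            batch = [Message(p) for p in PARTICIPANTS if p in real]
        batches.append(batch)
    return batches


# Constructed scenario: alice has something real to send in rounds 0, 1 and 2,
# and the observer has linked those three deliveries to one another.
REAL = [{"alice", "bob", "carol"}, {"alice", "carol", "dave"}, {"alice", "bob", "eve"}]

if __name__ == "__main__":
    batch = make_rounds(REAL, cover_traffic=True)[0]
    print("all mixes honest:     ", anonymity_set_size(batch, 3, set()))
    print("one honest mix left:  ", anonymity_set_size(batch, 3, {0, 2}))
    print("every mix dishonest:  ", anonymity_set_size(batch, 3, {0, 1, 2}))
    print("no cover traffic:     ", senders_across_rounds(make_rounds(REAL, False), [0, 1, 2]))
    print("with cover traffic:   ", senders_across_rounds(make_rounds(REAL, True), [0, 1, 2]))
```

The cascade half shows the honesty assumption as the essay states it: a single honest mix in the chain keeps the set at n, and only when the assumed bound on dishonest intermediaries is exceeded does the set collapse to one. The rounds half shows why n is a ceiling rather than a guarantee: without cover traffic, the n of each round is only the people who happened to send, and whoever is present in every linked round is the whole candidate set, which is the whistle-blower situation in miniature.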

1-out-of-n anonymity is a particularly dangerous illusion when the standards of proof are much different from those in this country. To a repressive government, mere participation in a computer system providing this "protection" might be taken as evidence of guilt. Those taking a principled stand by using such a system, despite using it exclusively for activities that are already permitted, will nonetheless be viewed as subversives.

This leads to an issue that applies to privacy as well, and has more thoroughly been studied in that context. Encrypted communications are very useful for hiding the contents of messages from prying eyes, but again might in and of themselves be viewed as evidence of misdeeds. There is a term of art: rubber-hose cryptography. This relates to the fact that it is often not necessary to spend hundreds of thousands of hours of computer time to break an encryption key when an equally successful result can be obtained if you spend ten minutes to break a kneecap to learn that same key. The same approach can, in many circumstances, be used to "revoke" someone's anonymity. Technological measures, like all measures, have their weakest points, and these points are not necessarily (in fact, rarely) technological.

Where does this leave us? The technological approaches to anonymity have led to a considerable amount of very interesting research, both theoretical and practical. Viewing this research as a way to restore anonymity in an environment hostile to anonymity is, however, misleading. Anonymity, in its truest sense, has never existed. What appears to us as anonymity arises more from social convention and good will than from any real obscuration of identity.