CS 1023 Cultural Implications of the Information Society


Anonymity

Copyright 2000 by Neal R. Wagner.

... I do not believe we have the appropriate technology to make an anonymous service work on the net. Furthermore, I remain completely unconvinced that there is a legitimate need, nor is the level of maturity in the user population sufficiently level where it can be effectively used. It may only be a small percentage of people who cause the problems, but that is true of nearly everything in history.

I am a firm believer in privacy, but that is not the same thing as anonymity. Anonymity can be used to violate another's privacy. For instance, in recent years, I have had harassing anonymous notes and phone calls threatening XXX because of things I have said on the net. ... I have seen neighbors and friends come under great suspicion and hardship because of anonymous notes claiming they used drugs or abused children. I have seen too many historical accounts of witch-hunts, secret tribunals, and pogroms -- all based on anonymous accusations. I am in favor of defeating the reasons people need anonymity, not giving the wrong-doers another mechanism to use to harass others.

... any such service is a case of willingness to sacrifice some amount of privacy of the recipients to support the privacy of the posters. You will not find the recipients of anonymous mail being the supporters of such a proposal.

SOMEBODY (an anonymous internet user), from ``Anonymity on the Internet,'' compiled by L. Detweiler, 1992.

Society has long seen anonymity in such forms as suggestion boxes and anonymous letters. During the American Revolution, Madison, Hamilton, and Jay originally published The Federalist Papers in New York newspapers using the name ``Publius'' as the anonymous author. Anonymity has assumed more importance with recent attention to whistle-blowers, who may suffer in many ways, often with their careers destroyed, if they do not report anonymously or if they lose their anonymity. One young anti-nuclear power activist even died under mysterious circumstances (Karen Silkwood, in 1974). Other recent important examples are anonymous leaks from government agencies in the U.S. Such leaks have become a common method for these agencies to further their agendas, as well as serving as an outlet for frustrated employees. If media agents can verify the leaked information, then this at least serves the goal of more open access to information. I myself once called a newspaper to give an anonymous report of what I regarded as wrongdoing. I found that a reporter was already working on the story and that I was at least the sixth caller. I had no information to provide that the reporter did not already know.

Traditional anonymity is prone to technical flaws that might reveal the anonymous source. One has the cartoon image of an under-sized boss sitting inside his own suggestion box, watching employees drop off suggestions. Paper forms for employees to fill out anonymously are subject to a variety of identification techniques. In fact, fingerprinting, surveillance, and other such technologies attempt to detect and uncover anonymity, though in most cases the data supplied by the technology would only be accessed in case of an actual crime. At the same time computer technologies also provide better implementations of anonymity, with emerging methods that even suspicious employees could trust.

Privacy and anonymity are similar, intertwined issues, with anonymity often helping individuals maintain their privacy. Thus a person making a truly anonymous health query is better assured of privacy than if he had to rely for his privacy on the discretion of those answering the query.

Anonymity as a service is another way to support free speech, since without the service speech may be inhibited. As the quote at the start of this writeup makes clear, there are also disadvantages to anonymity, giving a tension between advantages and disadvantages. Unlike the anonymous author of the quote, I contend that appropriate technology and structuring of anonymous services will alleviate the disadvantages and make the anonymous services work well.

However, anonymity makes it easy to violate other people's privacy, to reveal information about them without fear of reprisals or consequences, and such information, once released into the world, cannot be taken back. This applies to the new electronic world as much as to the old one. The anonymous identity of the Houston ``bubble baby'' (a child with no immune system to protect against disease) remained confidential, though many people knew it. Release of the identity would have been an irreversible transformation.

Individuals are losing anonymity in a global sense as they are transformed into numbers to allow manipulation, to entice them to purchase consumer goods, to convince them to agree with a stand they would oppose on their own, or to exploit them, as journalists sometimes do after a tragedy. Individuals are subjected to private and public surveillance and to identity searches; companies gather customers' buying and renting preferences to store and resell. At the same time, anonymity is increasing locally, as homeowners no longer know their next door neighbors and fear every stranger who walks past their house -- a trend destroying the sense of family and community.

Both the global loss and the local increase of anonymity are detrimental to humanity, and society must reverse these trends. Technology, especially computer technology, is both a contributor to the problems and a provider of partial solutions. Society should limit the accumulation of data about individuals' private lives, especially by businesses. Admittedly, certain surveillance methods would lead individuals to lose the anonymity they have enjoyed as they went about their public activities. However, this anonymity in public was present only because no government or corporation bothered to violate it. Properly used, computers will foster a sense of community for those who have lost it. Isolated individuals will contact others with similar interests anywhere in the world.

The computer revolution brings new possibilities for anonymous services -- to improve lives and to create new problems. Good anonymous services will allow an individual to reclaim the sense of anonymity lost to computer monitoring.

Traditional Anonymity

Standard types of anonymity include suggestion boxes, unsigned letters, whistle-blowers, newspaper reports from unnamed sources, anonymous refereeing of scholarly articles, anonymous dating services, leaks from government agencies, and reporting of statistics about individuals without identifying them. From the nuclear power industry to tobacco companies to the medical establishment, insiders have played decisive roles in reform by contacting authorities or the media -- sometimes anonymously. These traditional forms of anonymity are welcome and beneficial, or irritating and destructive, depending on the perspective. Most traditional anonymous services suffer from a lack of control over the service and from imperfections which can compromise the anonymity.

New ``Caller ID'' services from U.S. phone companies provide the phone number of the caller (and other information) to the person called. There are bewildering possibilities for preventing the phone number from being sent, or for blocking out calls that do not provide the calling number. Understanding the implications of this new technology will take time, since most phone users are accustomed to anonymous phone calls. In the old days, if the party called did not recognize the voice, one could insult them in any way, with the expectation that tracing the call would require prior arrangements and extra time during the call. Now the norm for calls is changing to attribution all the time, so that one could only get anonymity by calling from a pay phone. Anonymity would be better as an unusual special case that is tightly controlled. Thus phones should allow anonymous calls, but should also allow recipients to block anonymous calls and should require that users of pay phones identify themselves. The phone company has a profit motive here: they want to provide a service and extra income to businesses, who could save phone numbers of people who called the business and profit from these numbers. These businesses may make extra money, and may even provide welcome services to users, perhaps through solicitations targeted at the users' interests, but the benefits to society of extensive logged data are mostly missing. One needs, for example, coordination of logged data about purchases of dangerous objects.

Agencies that report statistics try to keep from reporting information about individuals. For example, the U.S. Census Bureau does an excellent job of releasing only summary statistics, so that individuals remain anonymous. For an extreme instance of statistical data leaking individual data, I once taught at a school that revealed my salary even though their policy was not to do so. The school generated a report giving average salaries by category, with no identities listed. My category was ``Associate Professors of Computer Science,'' and the report said there was only one individual in the category; the ``average'' salary listed was my actual salary. Whenever a large amount of statistical data is reported, and especially if a system supports statistical queries, clever methods may break the system's anonymity and allow deduction of data about individuals.
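The single-member category above, and the query-based deduction the paragraph warns about, can be shown with a small release check. This is an added example, not part of the original essay; the rows, the minimum cell size of 3 and the names report and QueryAuditor are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample payroll rows (rank, department, salary); not real data.
ROWS = [
    ("Associate", "CS", 61000),
    ("Associate", "Math", 58000), ("Associate", "Math", 60000),
    ("Associate", "Math", 62000),
    ("Full", "CS", 80000), ("Full", "CS", 84000), ("Full", "CS", 88000),
]

def report(rows, min_cell=1):
    """Average salary per (rank, dept); cells below min_cell are withheld."""
    cells = defaultdict(list)
    for rank, dept, salary in rows:
        cells[(rank, dept)].append(salary)
    return {key: (mean(v) if len(v) >= min_cell else None)
            for key, v in cells.items()}

class QueryAuditor:
    """Answers average-salary queries, refusing ones that isolate a few rows."""

    def __init__(self, rows, min_cell=3):
        self.rows = rows
        self.min_cell = min_cell
        self.answered = []  # sets of row indexes already released

    def average(self, predicate):
        selected = frozenset(i for i, r in enumerate(self.rows) if predicate(r))
        if len(selected) < self.min_cell:
            return None  # small cell: the "average" is close to one person's value
        for prior in self.answered:
            if 0 < len(selected ^ prior) < self.min_cell:
                # Subtracting this answer from an earlier one would expose
                # the few rows in which the two query sets differ.
                return None
        self.answered.append(selected)
        return mean(self.rows[i][2] for i in selected)

if __name__ == "__main__":
    print(report(ROWS))              # the one-person cell shows a real salary
    print(report(ROWS, min_cell=3))  # the same cell is withheld
    auditor = QueryAuditor(ROWS)
    print(auditor.average(lambda r: r[0] == "Associate"))
    print(auditor.average(lambda r: r[0] == "Associate" and r[1] == "Math"))
```

With a minimum cell size of 1 the report reproduces the leak described above; the auditor also refuses the second query because, combined with the first, it would isolate the lone Computer Science associate.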

Most people see partial benefit from each anonymous service listed at the head of this section. There are other less common services that illustrate benefits. Anonymous AIDS queries provide one example. Anyone worried about AIDS is usually also concerned that a query or test they initiate remain confidential. This is especially troubling in smaller cities. Even the knowledge that an employee has been tested can lead to problems, including loss of a job and of friends. This particular issue is crucial because those infected with AIDS might put off a test for fear of repercussions. Recent trial programs have handled AIDS questions and AIDS testing by mail, using unobtrusive packaging and mailing addresses. It is expected that a number of people will use this service who might be afraid of a normal clinic setting.

There are still pitfalls in the processing of anonymous services. In one current AIDS information system, users in the U.S. dial an 800 number to access the system. Many of these users do not realize that even with the blocking of Caller ID services, the user's number is transmitted in case of an 800 call. More serious pitfalls are illustrated by a recent murder in San Antonio, Texas. The victim had been hiding from her boyfriend, but he located her through Caller ID at a mutual friend's house.

Young people seeking answers about sex provide another example of the benefits of anonymity. This particularly applies to gays of high-school age, who often have nowhere to obtain information -- not from peers in school, or from teachers, counselors, or anyone else. Anonymous and confidential contacts, especially over the Internet, can be a big help.

Anonymity on the Net

Anonymity and anonymous services are part of the larger picture of Internet services for users. In fact, many Internet users do not realize the extent of their loss of anonymity -- when they browse the web they unknowingly leave their Internet address. And the browsed site can leave information on the user's machine in the form of a ``cookie'': an entry recording the use, one that other sites can access as well.

At present, the Internet is conducting a vast experiment with anonymous services, in which dozens of individual sites volunteer to function as free anonymizing remailers, that is, as sites that take an input message, strip off identifying header information, and forward the message (mail or news) with an anonymous identifier. They may also add a ``handle,'' known formally as an anonymous net identity, to the message. In this way readers or recipients of messages will know when several such messages come from the same source. Individuals can also send a message to this anonymous source, without knowing the recipient's identity in the ``real'' world. For additional protection of anonymity, users will go through more than one stage of remailer, or go through several telephone or telnet connections. Several proposals add new ways to provide Internet anonymity.

One widely-used remailing site was the Finnish ``anon.penet.fi,'' which until recently processed 6000 messages per day. This site and others periodically shut down when someone uses them to send a particularly loathsome message, such as a death threat to the U.S. President, racial or ethnic slurs, or a posting to a dog-lovers group about how to cook dogs. Complaints to a remailer will seldom elicit anyone's identity, but may result in loss of remailing privileges. This Finnish site was less vulnerable to pressure from U.S. agencies than were sites in the U.S.

An infamous anonymous posting to the ``sci.astro'' newsgroup gave a purported transcript of last desperate crew dialog during the U.S. Space Shuttle Challenger disaster. This posting went through the Finnish site, and there were outraged cries for the system administrator to reveal the poster's identity. This was never done, and his identity remains a secret. Recently, however, the Finnish site was involved in a court battle asking them to reveal another anonymous identity and has temporarily closed. Dozens of other anonymizing sites are available, and one can even use a free e-mail service, giving a false name, for modest security.

More recently, companies have emerged that supply anonymous services for a fee. One of the largest of these provides free anonymous e-mail, anonymous browsing for a fee, and soon will allow telephone connections to their service that are protected by 128-bit cryptographic keys for considerable security. However, this particular company provides its service from the U.S. and so could be ordered by a U.S. court to reveal anonymous identities. With this service, a person browsing the web would only reveal the anonymous service's address to the visited web site and would not provide any cookies to reveal personal preferences.

Another company now allows participants in anonymous chat rooms to switch from typed discourse to an automatically connected voice connection, one that remains anonymous. Thus two or more parties can continue their discussion more conveniently on the phone and yet remain anonymous.

Uses of anonymity have evolved that are similar to the occasional anonymous letters published by advice columnists. The writers' usual motive is that revealing their identity would embarrass them or others. Such unsigned letters are the newspaper equivalent of a moderated Net newsgroup willing to post unsigned contributions. More serious uses include electronic discussion groups and support groups where the subject area is sensitive, such as sexual abuse. Groups like these may function better than traditional ones because there are no face-to-face encounters and no identities to get in the way. Without anonymity it is hard for an important person, say, an army general, to get psychotherapy, let alone group therapy.

The Internet is just now entering the era of split identities. Human society has always had individuals with secret identities or secret lives. Now just at the time when proposals for tracking in public would make a traditional form of secret life harder to conceal, Internet anonymity services will make secret electronic identities feasible. Imagine the benefit when well-known individuals can contribute to a discussion group anonymously -- without appearing to make official comments on matters of public policy.

Future Anonymous Services on the Net

This section presents a collection of related proposals for new and enhanced services which, taken together, would make anonymity work better on the Net. However, further experimentation would be needed to design and implement such a system. Similar proposals apply to the U.S. Caller ID systems.

First, one should require that any anonymous message be identifiable as such from header information. This is currently the case with many remailers, but is not ``required.'' With such a guaranteed addition, automated software systems would recognize anonymous messages and could deal with them as the user, or newsgroup, or other human agent might dictate. A user or newsgroup could decide not to receive anonymous messages.

Second, provide two kinds of official anonymous remailers: one with logging of user identity information and one without logging. In extreme cases, the identity of a sender of a message to the logging remailer would be revealed -- perhaps for certain crimes. The sender's identity for the unlogged remailer would not even be available for retrieval. Both versions would identify the message as anonymous and would identify in the header which type of remailer was used. In this way a user or newsgroup might elect to receive messages for which the identity of the originator was logged and not to receive the other type of message. In case of abuse, the logged remailer would terminate the service. If termination were globally coordinated, it would be a serious sanction, though coordination across cultural boundaries might be difficult. Rules determining abuses must be unambiguously formulated and widely disseminated; rules for revealing logged information would also be needed. Termination would not be possible with the unlogged remailer.

These anonymous remailers would work well in conjunction with authentication services. Cryptographic techniques combined with identity verification allow authentication of a message. Because senders of messages attach digital signatures to verify their identities, the recipient can be certain of the sender and can be certain that the message arrives unaltered. Such a system allows only two kinds of messages: authenticated and anonymous. A recipient of a message or reader of news would know either that the message was formally anonymous or that the identity of the sender had been verified. Users should keep in mind that authentication also protects against fake messages mailed in their own names.

Any non-authenticated message should be regarded as anonymous, even if it says ``Your loving Grandmother Thora'' at the bottom. Traditionally, confidence in the origin of a letter has been based on clues like handwriting and personal references, as well as postmarks and return addresses. All such clues can be forged with effort. In the new electronic world there are (usually) no handwriting clues, but the other clues, though present, can be faked as easily as before. The new electronic signature bears a resemblance to the old-fashioned signature scrawled across the sealed flap of an envelope, but the electronic version is much more secure. Signatures would prevent poison pen letters -- not anonymous, but falsely attributed -- that can have a devastating effect. In the U.S., if the President receives a non-anonymous threatening letter, the purported sender will at the least spend a bothersome time explaining that he did not originate the letter.

Authentication is important for new filters attached to mail and news software. In this context a filter is software that eliminates selected portions of the data. A given newsgroup or individual could elect to receive only authenticated messages. One could remain unaware even of attempts to send anonymous messages. Any message received would have a clearly indicated sender identity. On the other hand, a given newsgroup or user could elect to receive logged anonymous messages or even unlogged ones. If a newsgroup posted such messages, each user could elect to filter them out while reading news. (In the current system, some newsgroups are also moderated, meaning that an individual moderator receives all prospective postings and decides whether, and in what edited form, they will be posted to the actual newsgroup. Currently, such newsgroups are bothered with bogus, anonymous postings.) The same filters on mail and news can sift through, looking for messages that seem objectionable, uninteresting, or otherwise undesirable. As time passes filters will arise with higher ``intelligence'' -- better able to decide what a user wants to see and what the user is not interested in.
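One way a mail or news filter could apply the rules proposed above, as an added example that is not part of the original essay. The header names X-Anonymous and X-Auth-Tag, the addresses and the keys are hypothetical, and an HMAC with a per-sender key stands in for a real digital signature.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Hypothetical header names for the essay's proposal; not an existing standard.
ANON_HEADER = "X-Anonymous"   # "logged" or "unlogged", added by the remailer
AUTH_HEADER = "X-Auth-Tag"    # hex authentication tag over the body

# Constructed keys. HMAC with a per-sender key stands in here for a digital
# signature verified against the sender's public key.
KEYS = {
    "thora@example.org": b"constructed-key-1",
    "logged@remailer.example": b"constructed-key-2",
}
LOGGED_REMAILERS = {"logged@remailer.example"}

def tag_for(key, body):
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()

def make_message(sender, body, key=None, anon=None):
    """Build a constructed sample message, tagged only if a key is given."""
    lines = [f"From: {sender}"]
    if anon:
        lines.append(f"{ANON_HEADER}: {anon}")
    if key:
        lines.append(f"{AUTH_HEADER}: {tag_for(key, body)}")
    return "\n".join(lines) + "\n\n" + body

def verified_sender(msg):
    """Return the From address if its tag checks out, else None."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    key = KEYS.get(sender)
    tag = (msg.get(AUTH_HEADER) or "").strip()
    if key is None or not tag:
        return None
    expected = tag_for(key, msg.get_payload())
    ok = hmac.compare_digest(expected.encode(), tag.encode())
    return sender if ok else None

def classify(raw):
    """Return 'authenticated', 'anonymous-logged' or 'anonymous-unlogged'."""
    msg = message_from_string(raw)
    sender = verified_sender(msg)
    declared = (msg.get(ANON_HEADER) or "").strip().lower()
    if sender in LOGGED_REMAILERS and declared == "logged":
        return "anonymous-logged"
    if sender is not None and sender not in LOGGED_REMAILERS and not declared:
        return "authenticated"
    # Unverified, or anonymous without a logging remailer's tag: worst case.
    return "anonymous-unlogged"

def accept(raw, policy):
    """policy is the set of classes this reader or newsgroup will receive."""
    return classify(raw) in policy

if __name__ == "__main__":
    forged = make_message("thora@example.org", "Your loving Grandmother Thora")
    print(classify(forged))  # no valid tag, so treated as anonymous
```

A message that merely claims to be logged, without a logging remailer's valid tag, falls into the unlogged class, so the header alone cannot be used to slip past a policy that admits only logged anonymous mail.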

There are clever tricks from cryptography that implement more complicated anonymous activities. For example, there are methods whereby anonymous senders can identify themselves unfailingly as members of a certain group -- any group at all, like say, female company employees. A company official receiving an anonymous message about female employee grievances would know with certainty that the message originated with a member of the affected group. It would also be easy to authenticate that a message was signed by a certain specific number of members of the group, while revealing nothing about the identities of the particular senders. Anonymous messages from a group can be implemented using secret-sharing schemes. As the name implies, these methods allow several individuals to share a secret. Using schemes like these, one could be sure that access to any object, such as a safe or a computer or a contract, depends on cooperation and agreement of a fixed number of individuals from a larger group.

There are other trickier uses of cryptography, too complicated to explain fully here. For example, David Chaum has proposed methods for using anonymous identifiers to support anonymous credit reporting, similar to the current credit bureaus but without the names attached.

Summary

Anonymous services are important -- worth undergoing the effort to provide, worth enduring the problems with abuses. In the end, the improved freedom of speech is reason enough to retain anonymity, and specific applications mentioned here give further reasons. Online service providers can prevent most abuses by using firm control over the anonymous service itself. Authentication of messages will allow such service providers and their users to regard each unauthenticated message as anonymous. In this way a user can ignore attempts at anonymous communications and need not even be aware of them.


Revision date: 10/28/99