Monday, November 12, 2007

Anonymous three-card monte

Practically everything that happens on the net has an IP addresses attached to it. That's even a decent working definition of the net: anything that happens with an IP address attached.

You can find out a lot from an IP address (you can find out about yours here). IP addresses are typically tied at least to an ISP and a location near your actual address, typically in the same town or one nearby. In some cases they can be nailed down more exactly.

If The Man decides to subpoena your ISP, your ISP can generally provide your exact house address from their records. Even without cooperation from the ISP a dedicated snooper, working for The Man or otherwise, could compile a record of what sites your IP address connected to and, depending on the exact sites, find out all sorts of things about the person or persons using that address, possibly including their identities.

Naturally, not everyone is comfortable with that. Even someone with little to hide may still want to keep it hid, if only out of principle. As a result, there are several services available promising anonymity.

This approach is not without its pitfalls. The site I mentioned above has a pretty good rundown on this. Basically, if you are using an anonymizing service, you are investing a pretty high level of trust in it. Good anonymizers recognize this and take steps to ensure that not even they know what's going on ... an interesting business to be in, to say the least. But hey, Swiss banks seem to do OK.

Now when you visit a site through an anonymizer, that site still has to see some IP address. Otherwise the protocols just don't work. Since you're anonymous, it can't be your IP address, so whose is it? They can't just make one up. Someone else might already be using it, resulting in various havoc. One approach is to grab a block from some lightly-regulated area. Hmm ... this site sure is getting a lot of traffic from Elbonia these days ...

Another is to take the IP addresses of all the people using the service (and there had better be a bunch -- an anonymizer with only one user is not fooling anybody) and throw them in a big pot. When you go to visit a site, you get an address out of the pot [As Hal Finney points out below, this is somewhat oversimplified, but let's go with it.  See this followup for a more accurate picture --D.H. May 2016].

So you decide to use such a service to, well, it's not any of my business, is it? Someone else decides to use this service to visit a Very Bad Site because, well, they don't want anyone to find out, now do they? When they do this, the service happens to pick your IP address out of the pot.

Then The Man comes a-knocking. Your story is: No sir, I was not using that site. Someone else was using my IP address to visit that site. No, I don't know who. You see, I use an anonymizer that switches my IP with other people's. Why? With all due respect, that's none of your business, sir.

Best of luck with that. Bear in mind that The Man is not always known to appreciate the subtleties of such arguments.


Hal Finney said...

Hi, I recently started reading your blog and I find it quite thought provoking. I share many of the same interests although my perspective is very different and I often find myself disagreeing with you. I hope to find time in the future to make more comments.

Now everyone come to my online poker game! Just kidding, this is not blog spam although it may sound like it so far.

As far as IP addresses, from what I understand they are, as the name says, *addresses*. You can't just pick a new one to communicate with someone. If you send a packet with a "from" IP address in Albania, the return packet is going to go to Albania. It's not going to come to you. If you want to receive packets (and virtually all Internet protocols require two-way packet exchanges) you need to use your actual IP address.

There are a couple of different ways anonymizers work. One is that they can be a proxy, sitting in the middle between the end user and the Internet service they are accessing anonymously. That way the Internet server only sees the IP address(es) belonging to the anonymizer. This is how works for example, probably the oldest service of its kind.

The other way is that all the users form a peer to peer network and toss packets around amongst themselves before sending them out on the net. That is similar to what you describe, where your computer may end up sending out packets for someone else in the anonymizing network. Tor ( works this way, although most users are not set up to allow their systems to send out packets, only a few do that - partly for reasons like you describe, fear of liability and such, and partly because of bandwidth limitations.

David Hull said...

Hi Hal,

First, thanks for the kind words. If I'm able to provoke thought (and maybe provide a little light entertainment along the way), this whole exercise is more than worthwhile. And the beauty of "figuring out the web as I go along" is that I might be totally wrong anyway ...

I had a look at your (rather impressive) profile and saw you had a blog as well, which is great, although for some odd reason I couldn't get to any of the posts. One of the beauties of the blogosphere is being able to play out a conversation between (or among) different blogs.

That said, I'm not sure we're so much at odds. I don't think the ideas behind TC are themselves without merit, or that they're inherently at odds with open source. There are already partial solutions in that direction, such as md5 signatures on files to download and the use of certificates in update mechanisms.

I've mainly been taking aim at two targets: First, the full-blown TC everywhere scenario in which my computer is effectively under the control of the OS provider -- though they promise they'll use their awesome power wisely.

The second is the idea that we are necessarily headed down that path and that anything TC-ish is the thin end of the wedge.

To some extent these are both strawmen, but I think the larger point is this: There is a lot of fertile middle ground to explore between anarchy and totalitarianism, but also a lot of work to be done.

The goal is to have a system that can be trusted to do what it says it's doing, while still maintaining the flexibility to, say, completely start over and install a new OS configuration, or a whole new experimental OS, without the system as a whole violently rejecting the new tissue.

Which, as I understand it, is where you come in, fleshing out just how all of this is going to play together.

I've taken a couple of stabs at it, in talking about personal datastores and specialized trusted devices. I do think that trying to make computers tamper-proof in order to protect content is misguided, but that doesn't rule out other, more valid reasons for trying to introduce TC concepts into the mix.

Hope that clarifies things a bit.

David Hull said...

Um, apparently I was responding to something on Hal's web site, not his actual comment. The actual comment is on the money, as I understand it. In the original post, I was trying to skate over the technical details as best I could while still highlighting the very real dilemma involved.