Thursday, March 25, 2010

Anonymity at the source

One of the longer and more intricate threads on this blog has been anonymity. One of my early aha! moments in tracing that thread was realizing that being anonymous comes of having other people who could be you. Perhaps more precisely, saying that an anonymous person did something means saying that there are a number of people who could have done it. The more the better. Later, I learned that this concept has been formalized under the name of anonymity set.

I also learned that, since anonymity can have value, there are economic considerations involved.  If someone is going to willingly belong to an anonymity set which could be associated with some nefarious deed, they'll want to be compensated for that risk. Following this through, it would appear to be fairly difficult to get a robust and secure anonymous network set up.

These two insights gave me some confidence in understanding the broad outlines of anonymity in general, and some assurance that anonymity on the web has much in common with anonymity in the world at large. However, there's at least one case in the real world that doesn't seem to carry over well to the web: radio.

A radio receiver is passive. Absent fairly high-powered eavesdropping equipment, no one knows what station I'm listening to at any given time. Web browsing is active. If I'm listening to web radio, the server knows exactly what content it's sending where. If I want to listen anonymously, I have to associate myself with a set of other people who also might be listening to my particular station and then obscure my connection with the server so that any of us might be the one accessing that particular content.

With radio, even if I am the only person in the world listening to radio, I could still be listening to anything. The only way to know that people aren't listening to some particular content is to crack down on possession of receivers and to go after the broadcasters, who may be out of jurisdiction. Both of these are done, but not entirely successfully.

The only analog I can think of on the net would be to stream everything to everyone and leave it to the clients to filter out exactly what was of interest. This pushes anonymity back to the source. Instead of having a number of people who could be listening to a particular channel, the necessary confusion comes from not knowing which channel a particular listener might be listening to. As with radio, even if there were only one client in the world, there would be no way to tell just what that client was accessing. Keeping the source of the content anonymous is still an exercise in the familiar sort anonymity, but that much is the same in the real world.

Since this comes at the price of bandwidth, it will generally not be an attractive option. This is one place where the distinction between true broadcast (radio) and point-to-point (the net) really matters. The closest real-world example of radio-like anonymity I can think of -- and I may well be missing something -- would be Usenet news [If you're reading this now, there's a good chance you've never used or heard of Usenet.  Technically, Usenet still exists as of this writing.  Nonetheless, I've changed the verbs in the next paragraph to past tense -- D.H. Sep 2018].

Depending on the settings, the news server at your particular site might well have been grabbing the entire hierarchy, from sci.math to alt.you.really.dont.want.to.know. Anyone who trusted (or controlled) the news server could then read whatever they wanted. If your news server was owned by your academic department, you were probably on solid ground, but if you were using a web interface to access some public server, you were in the same spot as with anything else on the web.

I should say here that, as always, technical considerations are not the only ones that matter. In practice, the web seems to be a fairly open place with reasonable assurances of privacy. Likewise, in practice there is never a foolproof guarantee of anonymity, on the web or off.

No comments: