Links

Ben Laurie blathering


Physical Onion Routing

One of the recurring themes in my musings about identity management is my desire for unlinkability – if every transaction (in the broadest sense of that word) is independent of every other then it makes it difficult (I’d like to say impossible, but I’m a cynic) for anyone to build up a picture about you (for whatever value of “you” you’d like to choose).

But the thing that drives a coach and horses through this worthy goal is physical goods. All too often you end up wanting something delivered – a book, a CD, beer – and it has to go to somewhere linkable to you.

So, it occurred to me that you could arrange the physical equivalent of onion routing. Choose a friend, encrypt your address with his public key. Then choose another and encrypt friend one’s address and your encrypted address with his key, and a third and encrypt the second’s address, friend one’s encrypted address and your doubly-encrypted address to him. Give your provider of goods the third’s address and the encrypted package.

The provider then wraps your parcel up three times. On the outside of the third wrapper he puts the address of the third friend and the encrypted package. When it arrives at friend three, he decrypts the package, getting friend two’s address and a new encrypted package, which he then applies to the outside of the parcel and sends it on. Friends two and one repeat the process, the parcel arrives at your house, no-one knows where it came from and who it went to. Yes, friend one knows you got something, but has no idea where it came from. Friend three knows where it came from but not who it went to, and friend two separates them.

Any volunteers?
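The layering and peeling described above, as an added example that is not part of the original post. `seal` and `unseal` are a toy ElGamal-style stand-in for a real public-key sealed box (unauthenticated, not for real use), and the addresses and function names are constructed for illustration.

```python
import hashlib, json, secrets

# Toy public-key sealed box: ephemeral Diffie-Hellman plus a SHAKE-256 keystream.
# Assumption: stands in for a real primitive; no authentication, illustration only.
P, G = 2**255 - 19, 2

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _xor(shared, data):
    pad = hashlib.shake_256(shared.to_bytes(32, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(pk, plaintext):
    eph = secrets.randbelow(P - 2) + 1
    return {"eph": pow(G, eph, P), "ct": _xor(pow(pk, eph, P), plaintext).hex()}

def unseal(sk, box):
    return _xor(pow(box["eph"], sk, P), bytes.fromhex(box["ct"]))

def build_onion(my_addr, friends):
    """friends: [(address, public key)], friend one (last hop) to friend three (first hop)."""
    next_addr, inner = my_addr, None
    for addr, pk in friends:
        # Each layer holds only the next address and the still-encrypted remainder.
        inner = seal(pk, json.dumps({"next": next_addr, "inner": inner}).encode())
        next_addr = addr
    return next_addr, inner  # what the provider is given

def peel(sk, package):
    layer = json.loads(unseal(sk, package))
    return layer["next"], layer["inner"]

def demo():
    # Constructed sample addresses and freshly generated toy keys.
    me = "Me, 4 Example Road"
    addrs = [f"Friend {n}, {i} Example Road" for i, n in enumerate(("One", "Two", "Three"), 1)]
    keys = {a: keygen() for a in addrs}
    first, package = build_onion(me, [(a, keys[a][1]) for a in addrs])
    seen, addr = [], first
    while package is not None:  # each hop learns only where to forward
        nxt, package = peel(keys[addr][0], package)
        seen.append((addr, nxt))
        addr = nxt
    return first, seen

if __name__ == "__main__":
    for hop, nxt in demo()[1]:
        print(f"{hop!r} forwards to {nxt!r}")
```

Each tuple in `seen` is everything one hop learns from the package: its own address and the single address it forwards to.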

3 Comments

  1. […] Secondly, people seem to think that privacy is an adequate substitute for anonymity. I don’t believe this: privacy is all about voluntarily not linking stuff you could link. Anonymity is about making such linking impossible. Microsoft’s Cardspace claims to provide anonymity where, in fact, it is providing privacy. Stefan Brands comes close with his selective disclosure certificates, but they are still linkable, sadly. These systems only provide privacy if people agree to not make the links they could make. Anonymity provides privacy regardless of people’s attempts to undermine it. That’s why you need to have anonymity as your bottom layer, on which you build whatever level of privacy you can sustain; remember that until physical onion routing becomes commonplace you give the game away as soon as you order physical goods online, and there are many other ways to make yourself linkable. […]

    Pingback by Links » Identity Isn’t Just Identity Management, Anonymity Isn’t Privacy — 15 Aug 2006 @ 12:32

  2. […] My first answer would be: no. In some cases (actually, in a lot of cases) I would prefer a level of anonymity that is stronger compared to what I would normally get in the real world. I believe we can achieve this with the right technology. But keep in mind that it will not be easy, as explained by Ben Laurie: That’s why you need to have anonymity as your bottom layer, on which you build whatever level of privacy you can sustain; remember that until physical onion routing becomes commonplace you give the game away as soon as you order physical goods online, and there are many other ways to make yourself linkable. […]

    Pingback by Ruminations on Identity » Do you really think you are anonymous? — 19 Aug 2006 @ 12:31

  3. Physical Onion Routing, and A Great Blog

    Onion Routing is particularly well suited to the internet because strong cryptography can prevent the nodes from reading the content of your messages, and they are set up as automated servers. But just as some of the nuances are lost in the analogy fro…

    Trackback by UtterNoncesense — 21 Aug 2006 @ 16:51
