Links

Ben Laurie blathering


Identity Isn’t Just Identity Management, Anonymity Isn’t Privacy

There’s been more comment on identity management and anonymity. It seems there are two points that are commonly being overlooked or ignored.

Firstly, when I say anonymity should be the substrate I am not just talking about the behaviour of identity management systems, I also mean that the network itself must support anonymity. For example, currently, wherever you go you reveal your IP address. Any information you give away can be correlated via that address. People sometimes argue that this isn’t true where you have a dynamic address, but in practice that isn’t the case: most dynamic addresses change rarely, if ever – certainly they tend not to change unless you go offline, and the rise of always-on broadband makes this increasingly unusual. Even if the address does change occasionally, you only need to reveal enough information in the two sessions to link them together and then you are back to being correlated again.

Secondly, people seem to think that privacy is an adequate substitute for anonymity. I don’t believe this: privacy is all about voluntarily not linking stuff you could link. Anonymity is about making such linking impossible. Microsoft’s Cardspace claims to provide anonymity where, in fact, it is providing privacy. Stefan Brands comes close with his selective disclosure certificates, but they are still linkable, sadly. These systems only provide privacy if people agree to not make the links they could make. Anonymity provides privacy regardless of people’s attempts to undermine it. That’s why you need to have anonymity as your bottom layer, on which you build whatever level of privacy you can sustain; remember that until physical onion routing becomes commonplace you give the game away as soon as you order physical goods online, and there are many other ways to make yourself linkable.
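The correlation argument in the two paragraphs above (an address shared by two sessions links them; an address change only helps until some other revealed datum bridges the gap) is small enough to show as working code. The example below is added here and is not code from this blog or its author; the session records are constructed sample data using RFC 5737 documentation addresses, and the field names (`pseudonym`, `ip`, `email`) are assumptions for the illustration. An observer who sees a shared identifier in two sessions unions them, and because the links are transitive, one reused e-mail address is enough to fold a fresh pseudonym into an existing cluster. Running the same linking with the `ip` field removed models the network-layer anonymity the post asks for: the IP-based bridges disappear, but the e-mail reuse still collapses two pseudonyms into one actor.

```python
"""Linking pseudonymous sessions through shared identifiers.

Added example for the post above, not code from Ben Laurie or his blog.
All session records here are constructed sample data.  Each record holds
the pseudonym the user chose plus what the network and the application
revealed: the source IP address, and sometimes an e-mail address.  A
correlating observer needs no real name: any identifier shared by two
sessions links them, and links are transitive, so a single reused value
bridges two otherwise separate clusters.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed sample sessions (RFC 5737 documentation addresses, not real traffic).
SESSIONS: List[Dict[str, str]] = [
    {"id": "s1", "pseudonym": "alice42", "ip": "198.51.100.7"},
    {"id": "s2", "pseudonym": "bookworm", "ip": "198.51.100.7"},   # same address as s1
    {"id": "s3", "pseudonym": "bookworm", "ip": "203.0.113.9"},    # address changed, pseudonym kept
    {"id": "s4", "pseudonym": "quietone", "ip": "203.0.113.9", "email": "q@example.org"},
    {"id": "s5", "pseudonym": "ghost", "ip": "192.0.2.44", "email": "q@example.org"},  # new address, e-mail reused
    {"id": "s6", "pseudonym": "other", "ip": "192.0.2.45"},
]

# Fields an observer can match on.  "ip" is what the network leaks; the rest
# is what the user chose to reveal inside the session.  (Assumed field names.)
ALL_FIELDS: Tuple[str, ...] = ("pseudonym", "ip", "email")
FIELDS_WITH_ANONYMOUS_NETWORK: Tuple[str, ...] = ("pseudonym", "email")


class UnionFind:
    """Minimal disjoint-set structure; union makes linking transitive."""

    def __init__(self, items: Iterable[str]) -> None:
        self.parent = {x: x for x in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_sessions(sessions: Sequence[Dict[str, str]],
                  fields: Sequence[str] = ALL_FIELDS) -> List[Set[str]]:
    """Group session ids that share a value in any of `fields`, transitively.

    Groups are sorted by their smallest session id so the output is stable.
    """
    uf = UnionFind(s["id"] for s in sessions)
    first_seen: Dict[Tuple[str, str], str] = {}   # (field, value) -> session id
    for s in sessions:
        for field in fields:
            value = s.get(field)
            if value is None:
                continue
            key = (field, value)
            if key in first_seen:
                uf.union(first_seen[key], s["id"])   # shared identifier => same actor
            else:
                first_seen[key] = s["id"]
    groups: Dict[str, Set[str]] = defaultdict(set)
    for s in sessions:
        groups[uf.find(s["id"])].add(s["id"])
    return sorted(groups.values(), key=min)


def collapsed_pseudonyms(sessions: Sequence[Dict[str, str]],
                         fields: Sequence[str] = ALL_FIELDS) -> List[Set[str]]:
    """Pseudonyms an observer can attribute to one actor (groups holding more than one)."""
    by_id = {s["id"]: s for s in sessions}
    result: List[Set[str]] = []
    for group in link_sessions(sessions, fields):
        names = {by_id[sid]["pseudonym"] for sid in group}
        if len(names) > 1:
            result.append(names)
    return result


if __name__ == "__main__":
    print("IP visible:       ", link_sessions(SESSIONS))
    print("  pseudonyms tied: ", collapsed_pseudonyms(SESSIONS))
    print("IP hidden:        ", link_sessions(SESSIONS, FIELDS_WITH_ANONYMOUS_NETWORK))
    print("  pseudonyms tied: ", collapsed_pseudonyms(SESSIONS, FIELDS_WITH_ANONYMOUS_NETWORK))
```

With the address visible, sessions s1 through s5 fall into one cluster even though s1 and s5 share nothing directly: s1 and s2 share an address, s2 and s3 a pseudonym, s3 and s4 an address, s4 and s5 an e-mail. Hiding the address breaks the two IP bridges, leaving four clusters, but the reused e-mail still ties "quietone" to "ghost", which is the post's point that an anonymous network is the necessary bottom layer rather than the whole answer.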

6 Comments

  1. [...] Much is being written around the thread of conversation that David Weinberger started and I responded to. I resolved long ago never to speak publicly about "privacy," as the conversation seems to immediately dive into a black-hole of nothingness. However, at the risk of falling into the same hole around "anonymity," I will try to say something intelligent about this subject. Please note, I’ve tried this in the past (the date on that article is 2002), but here I am trying again. [...]

    Pingback by » Should the online world reflect the "real" world? | Digital ID World | ZDNet.com — 15 Aug 2006 @ 16:51

  2. [...] There is some debating going on in the Identity community about anonymity. See here, here, here and here. Today I came across this post from Eric Norlin which I found very enlightening for me. More specifically this paragraph really got my attention: Every transaction in the real-world involves not only explicit identification (ATM cards, credit cards, driver’s licenses, or the proxy of cash), but also implicit identification. By implicit identification, I mean the subtle body language and sociological clues that all persons engaged in transactions use (both consciously and subconsciously.) There is not a waitress or convenience store clerk on the planet that will not begin “identifying” the ability of a customer to live up the implicit social contract of commerce based upon their attributes (appearance, cleanliness, socially accepted standards of behavior, etc). This is not the real-world as we’d like it to be. This is the real-world as it is. [...]

    Pingback by Ruminations on Identity » Do you really think you are anonymous? — 15 Aug 2006 @ 18:45

  3. > Anonymity is about making such linking impossible. … Stefan
    > Brands comes close with his selective disclosure certificates,
    > but they are still linkable, sadly.

    Come on Ben, you should know better!

MULTIPLE credentials that have been issued to the same user (whether known to the issuer or identifiable by tracing the user’s IP address or such at issuing time) are not just UNTRACEABLE but also UNLINKABLE. On the other hand, and I suspect this is creating the confusion, the SAME credential of a user that is REUSED _is_ linkable – by design. Namely, a single “multi-show unlinkable” credential would be COMPLETELY insecure in all settings with only one exception. That one exception is the case where credentials must always be shown with respect to unlinkable pseudonyms that have previously been established and hooked up with different verifiers; in this setting, it is still highly preferable to use our digital credentials as opposed to the few academic proposals for “multi-show unlinkable credentials” that are out there, which are highly impractical. (Specifically, it is more efficient to withdraw hundreds of unlinkable “copies” of the same credential than to use a single “multi-show unlinkable” credential hundreds of times.)

    > These systems only provide privacy if people agree to
    > not make the links they could make.

That is NOT true for our technology, Ben. We’ve gone through extreme lengths to design our credentials technology and our SDK such that the user (=client software) is in 100% control of the correlation powers that others will have (or will not have:-) – both with regard to untraceability AND unlinkability. There is NO product out there that comes close to our privacy guarantee, which is: the untraceability and unlinkability of a user’s actions are UNCONDITIONALLY guaranteed EVEN IF: (1) the issuer and ALL verifiers collude, have infinite computing power and infinite computing resources, and attempt to build in backdoors (perhaps as yet unknown) in the issuer’s cryptographic system set-up, and (2) the issuer and all verifiers deviate from the credential protocols they engage in in an attempt to learn correlation information. No amount of encryption power, collusion, or data analysis can lead to EVEN A SINGLE BIT of correlation information being learned.

    > Microsoft’s Cardspace claims to provide anonymity
    > where, in fact, it is providing privacy.

While Cardspace may provide “privacy” in the “policy” sense (as does Liberty), it certainly does NOT provide “privacy by design” by any cryptographer’s stretch of the imagination. (Self-asserted information aside, but ANY system can easily avoid linkability for the disclosure of such identity data.) For third-party asserted identity claims, InfoCard does not provide untraceability NOR unlinkability, for reasons that you have explained yourself in an earlier blog entry of yours. Using multiple PKI identity or attribute certs (or something similar) for different verifiers does NOT give one unlinkability or untraceability any more than the “aliases” in Liberty Alliance give the user “pseudonymity” – all linking and tracing powers are out there. Compare with cookies that are used across sites – here things are much worse, however, because the “cookies” are typically strongly bound to their retriever’s identity at issuing time, universally unique, signed by their issuer, and typically used in such a way that every “cookie” leaves behind a digital signature of its user.

    In any case, Ben, keep up the great blogging on the importance of privacy.

    – Stefan

    PS I unsubscribed over the weekend from the idworkshop mailing list, however I will keep following your blog :-)

    PPS The final preview version release date of our SDK package is in the first week of September, marking the end of close to three years of dedicated SDK design and implementation effort of our team. We’ll send one your way, if you’re interested.

    Comment by Stefan Brands — 16 Aug 2006 @ 3:02

  4. Hi Ben. Regarding Stefan’s technology, although multiple showings of the same Digital Credential are linkable (the same public key and Issuer’s signature are seen by the recipients), the efficient issuance of multiple unlinkable DCs in parallel makes it quite practical to get true unlinkability by simply selecting a different DC for each showing. Since their use can never be traced back to their issuance, it’s quite simple to use Digital Credentials such that their use is fully unlinkable.

    Comment by Greg — 16 Aug 2006 @ 14:05

  5. [...] I was musing the other day about identity management and anonymity. One of the problems with anonymity is it implies that anyone can create a new “identity” for themselves at any time. Of course, these identities tend to rapidly become pseudonymous rather than anonymous, because of the limitations of current technology, but that hardly matters since you can create new ones whenever you need. [...]

    Pingback by Links » Identity, Anonymity, Reputation, eCash and the Sybil Attack — 3 Sep 2006 @ 15:00

  6. [...] I often get the impression that people think I believe I can fix the world by providing cunning crypto. As they say above, it’s not the whole answer, but I do believe it’s vital to start from a position of anonymity or you can’t choose what you do reveal about yourself. [...]

    Pingback by Links » A Surveillance Society — 4 Dec 2006 @ 13:21
