In a comment on an earlier post Stephen Engberg says:

Ben, I think you are missing the main issue here. The clue to online security is not anonymity but the ability to isolate a context. Within the context, you can achieve convenience without adding substantially to linkability.

“Freedom with accountability” means that it is ok to be accountable in a context, but not to have all contexts linked. It is a one-way street from context to person without the link from person to context.

In other words, we need to break the illusion that privacy is about non-accountability. It is true in some instances such as the protection of certain rights of minorities. But not in the general term when it comes to commercial or government transactions.

I don’t really understand where this is coming from at all. Firstly, “online security” is way too general for me to have any idea what he really means.

Secondly, I didn’t say that anonymity was required in all circumstances, but unless you have anonymity you cannot achieve unlinkability, so it’s a requirement that the underlying system supports anonymity. Anonymity is the TCP/IP of Identity Management.

Of course, there are contexts in which transactions are inherently linkable – for example, if I get stuff physically delivered to me, then different deliveries are linkable, at least to my address, if not necessarily to just me. But, if I want any chance of separating contexts, then I have to have access to resources anonymously.

Anonymity, of course, provides non-accountability. So, rather than “need[ing] to break the illusion that privacy is about non-accountability”, we need to do exactly the opposite – make everyone understand that in order to have any privacy at all, we must accept the side-effect of non-accountability.


  1. Thought you might be interested in this if you’ve not seen it already. Bruce Schneier has been touching on this subject off and on lately in his blog. Today he has a piece in Wired as well on the subject.

    Comment by Matt — 12 Jan 2006 @ 18:10

  2. Yeah, I saw Bruce’s post and his essay in Wired. The post is handy because it lets you see the general opinion of the peanut gallery to his comments. Thankfully, it’s a little easier to point out flaws in logic on a blog than it is with an article in a magazine. As for the actual content of what Bruce said, I think Shirky has a much, much better point (his opinion quoted in the first comment on Bruce’s post, originally from his Many2Many post on Kuro5hin).

    I think Bruce’s biggest weakness has always been that he only cares about one side of the argument. I think this was most tellingly exhibited awhile back with regards to a particular court case where it was claimed that the presence of encryption software (in this case, PGP) was evidence of intent to conceal wrongdoing. Bruce’s response was simply, “I am speechless.” Or in other words, “What the heck? How dare they conclude that since very few people use PGP, and since it can be used to conceal wrongdoing, and since the accused certainly has a lot of evidence against him suggesting that he did do the crimes he was accused of, then perhaps the encryption software he had on his computer might be further evidence supporting the case that he knowingly committed the crimes and might have wanted to conceal it?” In this particular case, the man was apparently doing the whole pedophilia thing. Bruce never bothers to mention this of course, because siding with the pedophiles is never a good move, politically. But really, the main problem is that Bruce was so blinded by his cause that he never considered (or at least never publicly considered) that perhaps the courts had decided to do the obvious thing, and take context into account. The post was followed by hundreds of posts by other bloggers commenting on the subject, most of which bore titles like, “Use GPG, Go To Jail!”

    And in this issue, again, he comes down hard on the side of privacy and anonymity, without even so much as lip-service to the far greater advantages of identifiability. Ironically, the argument that Bruce linked to in the Wired essay was quite clear that the benefits to identifiability were much more numerous than the benefits to non-identifiability in most circumstances.

    Of course, it’s also perfectly possible that Bruce is well aware of the issues, but chooses not to talk about the other side, simply because it doesn’t make for sufficiently sensational copy. But somehow I don’t think that possibility puts Bruce’s opinions in a better light.

    Comment by Bob Aman — 17 Jan 2006 @ 23:21

  3. Sure, you are right. Anonymity is the essence of non-linkability and we most always take offset in anonymity when building Identity models and implementations across infrastructure. But there isn’t much you can do anonymously so this is hardly the interesting aspect.

    The main challenge is how to preserve non-linkability even when you pass a point where you become a risk to others and a need for accountability emerges. Otherwise you end up in these hopeless scenarios, where you have anonymity in all transactions that don’t really matter, but no control and full linkability in all that do. The real challenge thus lies in enabling security in commercial and government transactions. If you solve these value-related areas, you take away by far the most security threats.

    Notice that just because there is a way to establish linkability it does not mean that it is easy, undetectable, free of charge, forever, easily linkable with other accountable transactions etc. Naturally not trusting “trusted” parties. We know a range of security primitives never put in use. What makes you think that you cannot have physical delivery non-linkable? You can always use a drop-point model.

    Comment by Stephan Engberg — 29 Apr 2006 @ 2:00

