Dr. Frederick B. Cohen writes:
I have been convinced for some time that you can't have both integrity and anonymity. [and in a followup] I might be misinterpreted as having meant that it is impossible to have both integrity and anonymity. That is not what I meant, [...]
Er, thanks for the clarification....
A typical quotation taken out of context. You missed the part after "I meant" where I explained that I meant you couldn't assure ... - That is, you could have both or not have both, but you couldn't be certain that you had both.
Integrity:= 1) Steadfast adherence to a strict moral and ethical code. 2) A state of being unimpaired; soundness. 3) The quality or condition of being whole or undivided; soundness Also) soundness, completeness, Alternatively: 1) Strict personal honesty and independence... 2) Completeness; unity... 3) The state of being unimpaired; soundness...''
In this context, I might be misinterpreted as having meant that it is impossible to have both integrity and anonymity. That is not what I meant, although it is probably also true in a very strict sense.
All right, what makes you think that ? Lest we wave our hands too much and totally misunderstand each other, let me lay down a more concrete scenario. If you have a substantially different scenario in mind, let me know.
Suppose that I send an anonymous message to a public forum such as this. I and the message seem to "have anonymity" by any standard I can presently imagine. Now, in what ways might I or the message lack integrity in this situation ?
If the message was not of any particular import to anyone, integrity would not be a very big issue, but suppose you took quotes out of context and cleverly tried to construct a picture of the other person as not being reputable. People who read the message might believe that what you said was true, or at least had a grain of truth to it. That sort of message lacks integrity, and the reason it lacks integrity is because it has anonymity, not just because it's false and misleading. To clarify even further, I seem to recall a posting some months ago from an anonymous source declaring a new on-line for-sale forum called the Internet Security Newsletter (or some such thing). The anonymity of the poster in the context of asking for money and the fact that one of the people who was claimed to be on the board of editors was not, in fact, a participant, led to the question of who the person was. It turned out that this person had a substantial history of putting forth falsehoods as well as other related things that might have been very helpful in evaluating the credence of his statements. It turned out that the newsletter was, at least in some sense and without making value judgements, legitimate; but the anonymity of the person making the posts made it harder to assure the integrity of the statements made, which exacerbated the assurance issue.
I haven't broken my personal ethical codes, although perhaps I've violated someone else's. I have been honest, at least as much as I am generally honest in anything I write. I am not lying by donning the cloak of anonymity; I have not misrepresented my identity, merely refused to reveal it. The content of the message can be considered sound as much as anything else can. The message is incomplete in the sense that it does not include the true identity of the author -- is this what you would claim as a failure of integrity ? All messages are incomplete in the sense that various important facts are absent from them.
I don't know you, which also means that I don't know your motives. This brings up the problem that, even though your postings may be true and your motives honorable, they may not be, and there is no way to look into your background and evaluate your history in order to assess your statements. In many cases, I believe statements because of their source and my experience with that source. I understand that over time, reputations can be built up for pseudonyms (which are not necessarily anonyms) but then, with a pseudonym we might reasonably ask what the motive is for hiding the real identity. Is it for fun? Because it's there? In solidarity for those who have legitimate reasons for remaining anonymous? Or is it a means to influence others for personal or national gain? Is it a way of spreading disinformation? Is it a way to escape liability for slanderous statements? Is it a way to keep people from finding out that there is a personal grudge being played out? Without knowing the motive, how can we assess the statements? In fact, how can we know that the original pseudonym still applies? Someone could kill you and take over your pseudonym, and even though we might hear of your death, the pseudonym might continue based on your reputation but with another actual source. It's an interesting concept that each statement should/could be taken on its own and evaluated independently of the rest of a person's life context, but in my experience, that has serious problems.
To clarify, I don't think you can assure integrity when you have anonymity.
This follows from my earlier writings (circa 1984-89), which are fairly extensive, and in which I made the only marginally supported claim that you can't have (i.e., assure) both integrity and secrecy in a system with sharing. This came originally from the result that integrity + secrecy = no sharing (ala the combination of Biba and Bell-LaPadula) which was extended into a POset which characterizes the extent to which integrity and secrecy can be maintained based on transitive information flow.
The less mathematical reasoning is that in order to be able to verify integrity, you have to be able to examine the information that is secret, while having secrecy requires that you not be able to have independent verification. Thus the two limit each other.
Anonymity, in this copntext, can be thought of as secrecy.
I understand the nature of the information flow argument, but I don't see that it's applicable. You appear to contend that the assurance of the integrity of an anonymous message depends upon the examination of information that is "secret", that is, _not part of the message_. But no message is complete -- all messages have many such associated "secrets" not available as part of the messages. So the claim seems to be vacuous: we can assure the integrity of neither anonymous nor verinymous messages.
An important point. The more we know, the more certain we can be. With computer-based anonymity as it is practiced today, and ignoring the examples of the pseudonyms that were broken by legal warrant, we have very little knowledge about the originator of a message, and thus we have very little assurance of the integrity of their messages. The history built up over time for a given pseudonym certainly increases the assurance associated with it, but there are other problems with this. Example: I have two (N) pseudonyms that put forth different points of view specifically directed to create different kinds of credence to different audiences. If the audiences knew that both (several) of the pseudonyms were in fact the same person, they would have very different beliefs about the individual given the combined picture than they might get from any one of the pictures.
Perhaps the rejoinder will be that anonymous messages have a _characteristic_ piece of missing "secret" information, namely the senders' True Names. But you have yet to offer any argument that only certain special "secrets" must be examined in order to verify integrity.
It's not only the True Name that's at issue. It's the association of a set of messages and historical information with a source. For example, if we knew you were a KGB agent working in the disinformation and economic espionage branches, we might evaluate your postings differently than if we knew you were a high-school student from Deluth whose father taught her a lot about cryptography when she was young. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236