Lance Detweiler lists some problems with freely available anonymity, and suggests that those of us who are pushing for unrestricted anonymity are unwise. Many others on the list argue that unrestricted anonymity and privacy are necessary and even inevitable. First off, I should say that I think this is absolutely the most critical issue that we cypherpunks must address: how desirable is anonymity, what restrictions should we accept and/or push for, and what technological options can we offer as solutions? Secondly, I think that some of us are talking past each other, by ignoring the distinction between short-term and long-term solutions. Lance, for instance, concentrates on short-term problems with anonymity while ignoring some easy-to-implement fixes for these problems in the medium to long term. Tim May emphasizes the long-term inevitability of crypto anarchy while skipping lightly over the practical problems of sysops trying to keep their systems running in the short term. Let's recognize the distinction between short-term and long-term. To help you out, I offer this handy diagram, which I've filled in with my own opinions. Are restrictions on anonymity... Desirable Necessary Feasible ---------------------------------------------------- Short-term (3yrs) | No Some Yes | Medium-term (10yrs) | No No Partly | Long-term (20yrs) | No No Partly | ---------------------------------------------------- More discussion of specific issues to follow in another message. To sum up, my opinions are that in the short term, remailers must try to be good network citizens in order not to get kicked off the "one and only" network. In the long term, -- Marc Ringuette (mnr@cs.cmu.edu) Subject: Future of anonymity (SHORT-TERM) Lance Detweiler lists a few problems with freely available anonymity: - newsgroup noise - pornography GIFs - email bombs / crashed computers - Mafia & terrorist uses He seems to believe that the best way to combat these problems is to provide only limited anonymity, which is to be broken at the request of the proper authorities. [If I've misconstrued what you're saying, Lance, I apologize. Some cypherpunks are certainly saying this.] I disagree that it is necessary for a remailer operator to reveal the sender of a piece of mail under any circumstances, and I will not trust a remailer which does not IMMEDIATELY THROW AWAY the correspondence between input and output addresses. I won't try to argue in detail that partial anonymity is not very useful. I'll just say this: if a remailer operator must be a moral arbiter of when to release an anonymous address, then my assurance of anonymity becomes much more tenuous and subjective, and the legal burdens on the remailer operator become much greater. --- I'd now like to deal with the practical objections to this suggestion in the SHORT TERM. First, let's postulate that anonymity is a desirable thing to have, if we can limit its bad effects. If we could solve the worst of the practical problems, without keeping logs which allow tracing a message to its source, wouldn't it be desirable to do so? I would divide the problems into two types: problems with volume and problems with content. The first three of Lance's objections were volume problems; the last was a content problem. My answer to the problems with content: tough. It's a freedom of speech thing. The only legitimate concern I see, in the short term, is anonymous flooding. This is going to be one of the toughest objections to deal with in implementing an anonymous remailer, and one of the biggest practical concerns, because there is the real possibility of abuse of our poorly-controlled networks (for which the only remedy to date has been to trace the problem to its source). Here's my suggestion: let's provide remailers which guarantee not to flood the network with high volume, but keep no logs and are unable to trace messages back to their source. We can deal with the actual mechanism of such volume control later; my point is that I'm suggesting that the ONLY limitation we place on remailed messages is a volume limitation. This restriction could of course go away once we have digital postage stamps, but seems a reasonable one for remailers which don't charge money. Remailer operators will have I propose the following solution: that remailer operators voluntarily compile aggregate "volume reports" I would predict that the primary means by which anonymity will be restricted are: short-term: crackdowns on anonymous remailing sites medium to long term: by convincing most people to participate in "real person only" newsgroups and to use "real person only" email handlers. These limitations could be implemented via the PEM public key hierarchy, for instance.