Problems of anonymous posts
-----BEGIN PGP SIGNED MESSAGE----- (This is from Hal; I still can't post from Portal.) After going to enormous efforts to create a network of anonymous remailers, we are hoist by our own petard, as our list receives strange, irrelevant, and argumentative posts through our own anonymous remailers. (Not all anonymous posts are like this, but there have been quite a few in the last few weeks which fall into these categories.) This should challenge us to reconsider the value of anonymity and remailers. Are we working only to make the net safe for the immature and incoherent? I would say not, but these posts should remind us of how incomplete is the infrastructure needed for successful use of anonymity. A brief recap of the benefits of anonymous mail: presently, on the net, all mail is tagged with the sender and destination. This means that not only the recipient, but any net snoopers and sysops at systems through which the mail passes, may be able to know that person A is sending mail to person B. This kind of information can be used to build up dossiers of who talks to whom. Worse, as we move into an era of electronic commerce, more and more of our lives may begin to take place on the net. We may shop, find entertainment, do business, even work for a living across the network. This will open up even more opportunities for collecting data about how we live our lives. In my opinion, the best way to preserve our privacy is to make it impossible to collect this data. Anonymous remailers, and their cousins, IP bouncers (which perform an analogous function for telnet-type connections), can prevent the collection of this kind of information by hiding exactly who is communicating with whom. These services can serve as the basis for the other privacy-protecting technologies we've been discussing, such as digital cash. There's not much point in using digital cash to prevent tieing customers to vendors if monitoring the net will provide that information anyway. This isn't just a futuristic concern, either. Already today the government is taking steps which could, under some not-so-far-fetched extrapolations, get people on the list in trouble. Many people on this list have communicated with Phil Zimmermann, for example. What if email logs were used to track all those people down, and they became suspects in this criminal investigation that the government seems to be pursuing? It's not even impossible that the government could someday try to paint the cypherpunks themselves as a subversive organization. Think how much more difficult any such diabolical attack would be if people subscribed to the list via remailers, under digital pseudonyms. These days, with the shaky legal status of cryptography, we of all people should be able to see the benefits of anonymous communication. The problem is, then, how to gain the benefits of anonymity, while avoiding the abuses. One solution which we have long discussed is reputations and pseudonyms; another is making people pay to use remailers. The way reputations work is that people would digitally sign their anonymous postings. This way someone could post anonymously and build up a reputation by means of a series of postings signed under the same name. As time went on, they would no more want to damage the reputation of their pseudonym than they would want to damage their reputation under non-anonymous posting. To make this work, people need to be able to easily filter their mail on the basis of the pseudonym it came from, rather than the (irrelevant) anonymous remailer which sent it. Then they can choose to accept and read mail from anonymous posters who have built up a good reputation while ignoring that from those who have ruined their good (pseudo) name. Karl Barrus has done some experiments along these lines. He described some time back a system he had for working with the elm mail reader, one of the most common Unix-based mail agents. The software will display the true originator of PGP-signed posts (anonymous or not). This allows readers to apply the same standards to signed anonymous mail as to regular mail. It raises anonymous posters to the same level, and holds them to the same standards, as other posters. This software could allow anonymous posters to build up their reputations, encouraging more responsibility on their part. The other solution, pay-for-use remailers, has also been pioneered by Karl. His idea is to make the remailer a little harder to use by forcing the user to include some digital postage (based, I think, on what Tim May called "poor man's postage stamps"). This could help reduce the volume of anonymous mail and make it less likely that joke or trivial messages would be posted. (We could even consider applying Karl's approach to the list as a whole; people would have to apply ahead of time for posting tokens in order to post. This might force people to take a little more care and time in their postings.) I don't think Karl's efforts have been sufficiently appreciated here. He is quietly working to create the tools needed to allow anonymity to be a useful and important part of the net architecture rather than the annoying sideshow that it sometimes seems to be becoming. We need to support Karl, work to bring his innovations into other remailers and other mail agents, if we want to gain the benefits from what we have done so far. Hal Finney hfinney@shell.portal.com -----BEGIN PGP SIGNATURE----- Version: 2.3a iQCVAgUBLMFf3qgTA69YIUw3AQEp9QP/UyEvuQgM6GKiKdkZtHJw4/NhMwQDihrs 2D8weSeUQpKHPpxEnXiDEG6qswI0B4auq+hK3EDYIzccA6c6/+0Xa7SzESsujtjs VDRY7BNphAQ8ix6vd4Ti2vuk8sWa7IHasuAF+UytJrUXPaMbJgH1u/84M9HstA4t kNQ3venrgh4= =CFWw -----END PGP SIGNATURE-----
Hfinney writes some excellent comments on anon remailers and how to deal with them. Possible low-tech solution: mail-list software where the moderator has the ability to screen messages from particular sites and/or accounts. In other words: IF account is in <list of jerks> THEN let_me_see_it_first ELSE IF site is in <list of anon sites> THEN IF account is NOT in <list of trusted anons> THEN let_me_see_it_first Question: how easy is it to use public information (ie: out of the phone book), PGP and an anon-remailer to create a "Fake ID"
H. Finney <hfinney@shell.portal.com>
After going to enormous efforts to create a network of anonymous remailers, we are hoist by our own petard, as our list receives strange, irrelevant, and argumentative posts through our own anonymous remailers. (Not all anonymous posts are like this, but there have been quite a few in the last few weeks which fall into these categories.)
I've been thinking about this a lot lately. I think a large part of the problem as you indicate is associated with reputation. How does one build up a reputation and identity in cyberspace in general? Part of the problem IMHO is that this list software & the internet in general is extremely vulnerable to a lot of different kinds of spoofing. People are very sensitive to the perception of a `consensus' -- they are deeply influenced by what they perceive to be the `majority opinion'. What if that `opinion' was not an accurate representation of reality? what if a few people were creating the illusion that some different kind of consensus existed? what if that `agenda' were actually something inherently wicked like lawlessness or anarchy? what if a conspiracy created the impression that some project or progress was underway when it really wasn't? or that some person was loudly favored or condemned by the `group'? this could be especially problematic if any kind of intimidation were happening `behind the scenes' in email. who would ever know? unless the dissatisfaction reached the list, how would we find out? another problem is that, at the same time being strongly influenced by a lot of flames, people just delete them out of sheer distaste and they may not be around later for inspection. what really is our assurance that all these email addresses actually exist and represent *unique* people? there really is very little currently. I think newsgroups are far less vulnerable to this kind of spoofing, but unfortunately mailing lists are *extremely* vulnerable. (Keep in mind, there are a whole set of other benefits and detriments in *other* categories which I'm not talking about here.) In the former we have thousands of subscribers all checking on each other's honesty. If a suspicious address or opinion pops up, there is some probability someone will notice, and cases of spoofing would probably be noise drowned out in the representative opinion. Also, distribution is centralized, so that `message blocking' is not very feasible. In the latter case, i.e. mailing lists such as this one, there is a much closer knit community that is geographically isolated. Individuals on the list are far more susceptible to spoofing. People are more likely to see *every* message including the `spoofed' ones. There are far fewer people to `check up' and those that are there may not have the technical expertise. What's worse, the list is not `distributed' in a certain sense. If someone wants to get out the message that `something wrong is going on' it could be censored because of the centralization of the distribution. This wouldn't work with Usenet because the distribution of the messages (e.g. NNTP servers) is generally cleaved from the people with strong self-interests in the traffic (e.g. people who post to group [x]). This cyberspace stuff can be a *very* powerful influence on many. It is an electronic community, and peer pressure is *extremely* powerful. Many people do not have an extremely strong internal `moral compass' and could be influenced by this kind of corrupt magnetism associated with a `conspiracy of spoofing'. Note that reputations are crucial in not only persuading us to listen attentively to those we respect, but to `tune out' the lunatics and criminals. * * * Spoofing Regarding the what also gets my vote as `strangest posting of the year' by `S. Boxx', Philippe D. Nave, Jr. <pdn@dwroll.dw.att.com> (based on my email, a loyal cypherpunk and fellow Denverite!) wrote:
[...] it seems that the point of the message is that there is a lot of smoke coming from people who use aliases or anonymous remailer services to post to the cypherpunks list. Does this posting contribute to that problem, or have I missed something? [...] What the hell ?!? I've either missed something significant (and would appreciate enlightenment) or this is a candidate for 'strangest post of the year'. If 'S. Boxx' really exists and is the author of this posting, I apologize- if not, then come out from behind your damn remailer and quit contributing to the problem. As for monitoring the list for traitors, go ahead- I post under my own name, and I don't give a shit what you do with the text. If I was concerned about lurkers building 'traitor files', I'd encrypt my messages and happily watch you choke on them.
I think I speak for many here in saying that I weigh anonymous postings very little, but don't consider the capability a serious problem. They have very significant purposes in e.g. `whistleblowing' `within the system' that I've always been attracted to. On the other hand, I think there is an implicit assumption by virtually everyone here that addresses on public posts and private email that are not specifically anonymous represent *unique* people. That is, if some people were taking advantage of the loose, free, and open atmosphere here to influence opinion or perception of reputations by posting messages under different presumably `real' identities (defined as anything that is not obviously tagged as anonymous), I and probably everyone else would feel very `upset' in the least and `violated' at the most. It would seem like a very serious breach of community trust, and might even have the effect of derailing positive contributions to the `cypherpunk cause' (whether algorithmic or political, the two chief schools of thought). I recall discussions of this related to the Extropians list, which specifically bars this practice. * * * List suggestions The fact that this `uniqueness of real identities' has always been something of an implicit assumption here bothers me. I think anything this delicate and important should be made formal and explicit. We should not simply assume that `everone is honest and no one would be depraved enough to do this.' I think the following guidelines are very reasonable, and might be part of a list charter agreed to by new members: 1) list members are allowed *one* anonymous identity if any. They are required to associate some name with all anonymous posts via that identity. 2) *no one* is allowed multiple `real' identities and in fact any violation of this is considered an extremely serious breach of netiquette & honesty. 3) completely anonymous posts from `outside' the list are allowed; if no pseudoidentity is given they are assumed to come from `outside'. and if anyone has been posting under multiple `real' identies, I think they owe it to everyone here to `come clean'. I don't see why anyone would go to the trouble but if someone was just unstable or obsessive enough to equate reputation with posting traffic, s/he might go off the deep end. The practice amounts to `spoofing' and any patriotic cypherpunk with some integrity ought to recognize that immediately and condemn it, technical capabilities regardless. I would equate this practice with `lying to one's colleagues'. spoofing is probably the #1 crime against cypherpunk ideology. * * * Reputations As for reputations, what can we do about this? I think that there are a lot of solutions to be experimented with in software. One of the best is just to have archives that are searchable by ID. But archives are very disk-consuming. I have some various other ideas that wouldn't require much beyond the current database maintenance of email addresses. Suppose that along with everyone's name, the following statistics were presented: 1) how long they have been on the list in days, 0 if none at all 2) how many postings they have posted here 3) maybe a posting/age ratio -- some people seem to be very sensitive or tune out people with a high one. 4) another idea: tracking the number of responses a given poster has, average, per original post, measured by `re: [x]' subject tracking. now, look what we get with all these. They are all simple to implement. They all can tremendously help us weigh the various opinions that are out there. They can set up a positive feedback system whereby `good' posters potentially really are quantitatively identified. Regarding (4), one way to `punish' a poster for irrelevant postings is to simply not respond, and they will not get any `credit' in this statistic. The problem with this is that from my experience, sometimes my most authoritative and finely-crafted postings generate the least response. But note the point of all these things: they don't necessarily require any digital signatures to implement. Authentication of postings `allowed' to the group really seems like a separate problem to me. Another simple idea is to have a voting system in response to postings. People's `credit' associated with their postings could be listed in headers too. This of course is far more ambitious, and the generally complex problem of authentication rears its ugly head. In addition to all this, I would like to see protocols that guarantee honesty on the part of the list maintainer. When databases like this are maintained, a little unilateral tweaking here and there can be extremely deleterious to community integrity, honesty, and reputations.
I think the following guidelines are very reasonable, and might be part of a list charter agreed to by new members:
1) list members are allowed *one* anonymous identity if any. [etc. ...] [...] spoofing is probably the #1 crime against cypherpunk ideology.
That which can never be enforced should not be prohibited. The claim that a person should have only one pseudonym per forum indicates profound misunderstanding. If someone wants to have multiple cryptographically protected pseudonyms, they will be able to; that is one of the main goals of cypherpunks software. The situations you despise will occur. This is reality. Change your own psychology or change your own software. You will not be able to change the other person. Eric
From: "L. Detweiler" <ld231782@longs.lance.colostate.edu> On the other hand, I think there is an implicit assumption by virtually everyone here that addresses on public posts and private email that are not specifically anonymous represent *unique* people. [...] 1) list members are allowed *one* anonymous identity if any. They are required to associate some name with all anonymous posts via that identity. 2) *no one* is allowed multiple `real' identities and in fact any violation of this is considered an extremely serious breach of netiquette & honesty. [...] deep end. The practice amounts to `spoofing' and any patriotic cypherpunk with some integrity ought to recognize that immediately and [...] crime against cypherpunk ideology. [...]
It's interesting to see the different mental models that people hold of the net. To me, this equation that one truename means one persona is not realistic or reasonable. People spawn personas (-ae?) for many reasons, including psychological exploration, sociological experiments, sexual thrills, or just for practice at maintaining personas. I know of several instances in which one person patted himself on the back circularly, or took half a dozen sides in a discussion -- and can surmise about others. This sort of thing may well happen routinely, particularly in the low-rent areas of Altnet, where participation is a kind of game. What's more, the privacy technology `we' espouse can only promote this. There is no way to maintain this one-to-one equation when working with pseudonyms, when the human "dongle on the keyboard" is no longer a viable identifier. I think the Usenet motto, "Live with it", applies. Eli ebrandt@jarthur.claremont.edu
participants (5)
-
Eli Brandt -
hughes@ah.com -
L. Detweiler -
nobody@soda.berkeley.edu -
Robert J. Woodhead