--- begin forwarded text Date: Mon, 24 Oct 2005 23:31:34 +0200 To: practicalsecurity@hbarel.com From: Hagai Bar-El <info@hbarel.com> Subject: [PracticalSecurity] Anonymity - great technology but hardly used Sender: PracticalSecurity-bounces@hbarel.com Hello, I wrote a short essay about anonymity and pseudonymity being technologies that are well advanced but seldom used. Following are excerpts from the essay that can be found at: http://www.hbarel.com/Blog/entry0006.html In spite of our having the ability to establish anonymous surfing, have untraceable digital cash tokens, and carry out anonymous payments, we don't really use these abilities, at large. If you are not in the security business you are not even likely to be aware of these technical abilities. If I may take a shot at guessing the reason for the gap between what we know how to do and what we do, I would say it's due to the overall lack of interest of the stakeholders. Fact probably is, most people don't care that much about anonymity, and most of the ones who do, are not security geeks who appreciate the technology and thus trust it. So, we use what does not require mass adoption and do not use what does. Anonymous browsing is easy, because it does not need an expensive infrastructure that requires a viable business model behind it; fortunately. A few anonymity supporters run TOR servers on their already-existent machines, anonymity-aware users run TOR clients and proxy their browsers through them, and the anonymity need is met. The onion routing technology that TOR is based on is used; not too often, but is used. The problem starts with systems that require a complex infrastructure to run, such as anonymous payment systems. As much as some of us don't like to admit it, most consumers do not care about the credit card company compiling a profile of their money spending habits. Furthermore, of the ones who do, most are not security engineers and thus have no reason to trust anonymity schemes they don't see or feel intuitively (as one feels when paying with cash). The anonymous payment systems are left to be used primarily by the security-savvy guys who care; they do not form a mass market. I believe that for anonymity and pseudonymity technologies to survive they have to be applied to applications that require them by design, rather than to mass-market applications that can also do (cheaper) without. If anonymity mechanisms are deployed just to fulfill the wish of particular users then it may fail, because most users don't have that wish strong enough to pay for fulfilling it. An example for such an application (that requires anonymity by design) could be E-Voting, which, unfortunately, suffers from other difficulties. I am sure there are others, though. Regards, Hagai. _______________________________________________ PracticalSecurity mailing list PracticalSecurity@hbarel.com http://hbarel.com/mailman/listinfo/practicalsecurity_hbarel.com --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'