
http://www.wired.com/news/technology/story/4375.html

Covering Your Tracks via a Helping Hand
by Michael Stutz
6:02pm 10.Jun.97.PDT

Ironically, when it comes to privacy on the Net, you often have to turn to middlemen for help.

In the latest in a long string of software and services that act as intermediaries for two parties when at least one of the parties wants anonymity, a technology demonstration was announced by Lucent Technologies on Tuesday. The Lucent Personalized Web Assistant enables users to maintain Web anonymity even on sites that require email registration.

The LPWA acts as an anonymous proxy server, handling HTTP requests between a user and a Web site so that the user remains anonymous, said Alain Mayer, one of LPWA's developers. LPWA also filters the HTTP protocol so that no unwanted information goes out from the user, he said.

Unlike the Anonymizer, a popular anonymous Web browsing service, it cannot perform temporary, nonproxy, anonymous Web sessions, but it does allow for anonymous accounts on Web sites that require it.

"It computes on your behalf all kinds of username and passwords you'll need at different Web sites, in such a way that they will appear completely unrelated. On top of that, it will assign you a different email address" for each site that is visited.

The problem, Mayer says, is that many commercial Web sites require online registration before you can access their information. Besides the fact that many people do not like this - and choose not to visit those sites - this poses a number of logistical problems.

"One problem is that you have to remember all the username and passwords that you give out the next time you come back," said Mayer. "And if you always use the same set of username and passwords, these sites can potentially get together and see wherever you're going and trace you down."

The goal in designing LPWA was to address "where convenience and privacy can go hand-in-hand," Mayer said.
"If you design privacy in software, it entails that you have to give on the convenience side. Our main goal was to combine these two possibly antagonistic goals."

Currently, Lucent stores no information about LPWA users, since the anonymous usernames and passwords are generated by a cryptographic function. When a user connects to a site that requires a login, "\U" is entered for a username and "\P" for a password; LPWA then interprets this and supplies the cryptographically generated username and password to the site.

Unlike some anonymous remailers, which store translations of users on hard disks, nothing would be retrieved from an LPWA should it be compromised by a government or other entity.

But could commercial sites ban LPWA access by their own means? Mayer doesn't think so.

"Potentially, a Web site can always refuse email from certain domains," he said, "but we can always find different domains, not just lpwa.com. What we hope is that commercial Web sites don't see us as an enemy but as a friend, because if users feel more secure in having certain things protected that they feel strongly about, then they also hopefully will feel better about giving certain other demographic information that the Web site can use. If this system gets popular, both sides will gain."

While LPWA is now online, it should just be considered a demo; future versions may evolve into a commercial product that corporations could use with their firewalls, or ISPs could provide as an added benefit. LPWA is built on top of the popular Apache server software and runs on Unix - so it is plausible that in the future, individuals will run it on their own machines.

"It's technically feasible to have this run on your laptop," said Mayer, "and if you're willing to live with the performance degradation you can even have it connect to another one and another one, so you don't have to trust anybody."

Justin Boyan, author of the Anonymizer, imagines that schemes like chains of proxies are conceivable, but you'll always have to trust the community you are connected with.

"It is a matter of trust. It's an issue of, 'Do you trust the people or the organization behind the middleman?' [LPWA] does require you to trust Lucent if you use it, and it requires you to trust anonymizer.com if you want to use us."

But why trust Lucent? Mayer thinks that's a very good question.

"You shouldn't," he said. "This is only a demonstration, and hopefully will generate enough interest that this will be put in places that are not in our hands. We don't even want to have this responsibility - it's not our business. Do you trust your ISP? That's a question you have to ask yourself anyway."

Copyright © 1993-97 Wired Ventures, Inc. and affiliated companies. All rights reserved.
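
The stateless scheme the article describes (per-site usernames, passwords and email addresses computed by a cryptographic function, with "\U" and "\P" typed as placeholders) can be illustrated as follows. This is an added example, not LPWA's code: the article does not name the function, so HMAC-SHA256, the user-held secret, the names `derive_identity` and `fill_form`, and the mail domain `alias.example` are all assumptions.

```python
import base64
import hashlib
import hmac

ALIAS_DOMAIN = "alias.example"  # placeholder mail domain (assumption)


def _prf(secret: bytes, site: str, label: str) -> bytes:
    """Keyed PRF over (label, site); HMAC-SHA256 is this example's choice."""
    msg = label.encode() + b"\x00" + site.lower().encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def _token(raw: bytes, length: int) -> str:
    """Lowercase base32 text, usable in usernames and mail local parts."""
    return base64.b32encode(raw).decode().lower().rstrip("=")[:length]


def derive_identity(secret: bytes, site: str) -> dict:
    """Recompute the alias for one site on demand; no mapping is stored."""
    return {
        "username": "u" + _token(_prf(secret, site, "user"), 11),
        "password": _token(_prf(secret, site, "pass"), 20),
        "email": _token(_prf(secret, site, "mail"), 12) + "@" + ALIAS_DOMAIN,
    }


def fill_form(fields: dict, secret: bytes, site: str) -> dict:
    """Swap the literal escapes \\U and \\P for the derived credentials."""
    ident = derive_identity(secret, site)
    escapes = {"\\U": ident["username"], "\\P": ident["password"]}
    return {name: escapes.get(value, value) for name, value in fields.items()}


if __name__ == "__main__":
    # Constructed sample secret and sites, for demonstration only.
    secret = hashlib.sha256(b"constructed-user-secret").digest()
    form = {"login": "\\U", "pw": "\\P", "lang": "en"}
    for site in ("news.example", "shop.example"):
        print(site, fill_form(form, secret, site))
```

Because each value is recomputed from the secret and the site name, the proxy holds no translation table that could be seized, and without the secret the aliases presented to two sites cannot be linked to each other.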