The most charitable explanation for "Dr." Fred is that he's degenerated into the professional equivalent of those pathetic aging former chess masters who try to eke out a subsistence living by charging five bucks a game. People often play with them out of sympathy, or for the novelty of having lost to a past great. It's part of the chess culture, and it's basically harmless and sort of quaint. The difference, of course, is that it's almost impossible to have sympathy for Dr. Fred. His hustle is for a hell of a lot more than subsistence. He was also never actually a master of his field, a fact that becomes increasingly obvious as our exposure to him goes on. Now he's reduced himself to trying to collect someone else's winnings.
In article <199511010235.DAA00908@utopia.hacktic.nl>, Anonymous <anon-remailer@utopia.hacktic.nl> wrote:
The difference, of course, is that it's almost impossible to have sympathy for Dr. Fred. His hustle is for a hell of a lot more than subsistence. He was also never actually a master of his field, a fact that becomes increasingly obvious as our exposure to him goes on. Now he's reduced himself to trying to collect someone else's winnings.
So, what part of your analogy was valid? -- Shields.
The most charitable explanation for "Dr." Fred is that he's degenerated into the professional equivalent of those pathetic aging former chess masters who try to eke out a subsistence living by charging five bucks a game. People often play with them out of sympathy, or for the novelty of having lost to a past great. It's part of the chess culture, and it's basically harmless and sort of quaint.
Most of them could still beat your chess game.
The difference, of course, is that it's almost impossible to have sympathy for Dr. Fred. His hustle is for a hell of a lot more than subsistence. He was also never actually a master of his field, a fact that becomes increasingly obvious as our exposure to him goes on. Now he's reduced himself to trying to collect someone else's winnings.
Sour grapes, and from an anonymous poster too. Oooo - I'm insulted. I have been thinking about the issues of anonymity for some time, and I have been convinced for some time that you can't have both integrity and anonymity. I thought there might be ways to accomplish this, but the cypherpunks have convinced me it isn't true. Show some integrity and tell us who you are.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
My turn to rise to the bait... Dr. Frederick B. Cohen writes:
I have been thinking about the issues of anonymity for some time, and I have been convinced for some time that you can't have both integrity and anonymity.
What's your working definition of "integrity" in this context ? -Futplex <futplex@pseudonym.com> "Once anonymous, twice pseudonymous"
My turn to rise to the bait...
Dr. Frederick B. Cohen writes:
I have been thinking about the issues of anonymity for some time, and I have been convinced for some time that you can't have both integrity and anonymity.
What's your working definition of "integrity" in this context ?
Integrity:= 1) Steadfast adherence to a strict moral and ethical code. 2) A state of being unimpaired; soundness. 3) The quality or condition of being whole or undivided; soundness Also) soundness, completeness, Alternatively: 1) Strict personal honesty and independence... 2) Completeness; unity... 3) The state of being unimpaired; soundness...''
In this context, I might be misinterpreted as having meant that it is impossible to have both integrity and anonymity. That is not what I meant, although it is probably also true in a very strict sense.
To clarify, I don't think you can assure integrity when you have anonymity.
This follows from my earlier writings (circa 1984-89), which are fairly extensive, and in which I made the only marginally supported claim that you can't have (i.e., assure) both integrity and secrecy in a system with sharing. This came originally from the result that integrity + secrecy = no sharing (ala the combination of Biba and Bell-LaPadula) which was extended into a POset which characterizes the extent to which integrity and secrecy can be maintained based on transitive information flow.
The less mathematical reasoning is that in order to be able to verify integrity, you have to be able to examine the information that is secret, while having secrecy requires that you not be able to have independent verification. Thus the two limit each other.
Anonymity, in this context, can be thought of as secrecy.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
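The claim in the message above, that enforcing Biba and Bell-LaPadula together leaves no sharing and that what survives is a partial order of one-way flows, can be checked on a small lattice. This is an added example, not part of the original post and not Cohen's own formulation; the subject names, labels and numeric levels are constructed.

```python
# Added illustration: Bell-LaPadula and Biba enforced together.
# Every label is (secrecy, integrity); all names and levels are constructed.


def flow_allowed(src, dst):
    """True if information may move from src to dst under both models.

    Bell-LaPadula forbids a flow to a lower secrecy level.
    Biba forbids a flow to a higher integrity level.
    """
    (s_sec, s_int), (d_sec, d_int) = src, dst
    return s_sec <= d_sec and s_int >= d_int


def allowed_flows(labels):
    """All ordered pairs (a, b), a != b, where a -> b passes both checks."""
    return {
        (a, b)
        for a in labels
        for b in labels
        if a != b and flow_allowed(labels[a], labels[b])
    }


def transitive_closure(edges):
    """Every (source, sink) pair reachable by chaining flows."""
    closure = set(edges)
    changed = True
    while changed:
        changed = False
        for a, b in list(closure):
            for c, d in list(closure):
                if b == c and a != d and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure


def exposure(edges, node):
    """(who can learn from node, who can influence node), transitively."""
    closure = transitive_closure(edges)
    leaks_to = {b for a, b in closure if a == node}
    tainted_by = {a for a, b in closure if b == node}
    return leaks_to, tainted_by


def two_way_pairs(edges):
    """Pairs that can exchange information in both directions (sharing)."""
    closure = transitive_closure(edges)
    return {frozenset((a, b)) for a, b in closure if (b, a) in closure}


# One ordering used for both secrecy and integrity: distinct levels are isolated.
COUPLED = {"low": (0, 0), "mid": (1, 1), "high": (2, 2)}

# Secrecy and integrity assigned independently: flows exist, but only one way.
INDEPENDENT = {
    "public_trusted": (0, 2),
    "internal": (1, 1),
    "secret_trusted": (2, 2),
    "secret_untrusted": (2, 0),
}

if __name__ == "__main__":
    print("coupled flows:", sorted(allowed_flows(COUPLED)))
    flows = allowed_flows(INDEPENDENT)
    print("independent flows:", sorted(flows))
    print("two-way sharing:", two_way_pairs(flows))
    for name in INDEPENDENT:
        print(name, exposure(flows, name))
```

With independent labels, the secrecy a subject can be assured is bounded by the set its information can reach, and its integrity by the set that can reach it; two subjects can share in both directions only when their labels are identical.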
Dr. Frederick B. Cohen writes:
I have been convinced for some time that you can't have both integrity and anonymity. [and in a followup] I might be misinterpreted as having meant that it is impossible to have both integrity and anonymity. That is not what I meant, [...]
Er, thanks for the clarification....
Integrity:= 1) Steadfast adherence to a strict moral and ethical code. 2) A state of being unimpaired; soundness. 3) The quality or condition of being whole or undivided; soundness Also) soundness, completeness, Alternatively: 1) Strict personal honesty and independence... 2) Completeness; unity... 3) The state of being unimpaired; soundness...''
In this context, I might be misinterpreted as having meant that it is impossible to have both integrity and anonymity. That is not what I meant, although it is probably also true in a very strict sense.
All right, what makes you think that ? Lest we wave our hands too much and totally misunderstand each other, let me lay down a more concrete scenario. If you have a substantially different scenario in mind, let me know. Suppose that I send an anonymous message to a public forum such as this. I and the message seem to "have anonymity" by any standard I can presently imagine. Now, in what ways might I or the message lack integrity in this situation ? I haven't broken my personal ethical codes, although perhaps I've violated someone else's. I have been honest, at least as much as I am generally honest in anything I write. I am not lying by donning the cloak of anonymity; I have not misrepresented my identity, merely refused to reveal it. The content of the message can be considered sound as much as anything else can. The message is incomplete in the sense that it does not include the true identity of the author -- is this what you would claim as a failure of integrity ? All messages are incomplete in the sense that various important facts are absent from them.
To clarify, I don't think you can assure integrity when you have anonymity.
This follows from my earlier writings (circa 1984-89), which are fairly extensive, and in which I made the only marginally supported claim that you can't have (i.e., assure) both integrity and secrecy in a system with sharing. This came originally from the result that integrity + secrecy = no sharing (ala the combination of Biba and Bell-LaPadula) which was extended into a POset which characterizes the extent to which integrity and secrecy can be maintained based on transitive information flow.
The less mathematical reasoning is that in order to be able to verify integrity, you have to be able to examine the information that is secret, while having secrecy requires that you not be able to have independent verification. Thus the two limit each other.
Anonymity, in this context, can be thought of as secrecy.
I understand the nature of the information flow argument, but I don't see that it's applicable. You appear to contend that the assurance of the integrity of an anonymous message depends upon the examination of information that is "secret", that is, _not part of the message_. But no message is complete -- all messages have many such associated "secrets" not available as part of the messages. So the claim seems to be vacuous: we can assure the integrity of neither anonymous nor verinymous messages. Perhaps the rejoinder will be that anonymous messages have a _characteristic_ piece of missing "secret" information, namely the senders' True Names. But you have yet to offer any argument that only certain special "secrets" must be examined in order to verify integrity. -Futplex <futplex@pseudonym.com>
Dr. Frederick B. Cohen writes:
I have been convinced for some time that you can't have both integrity and anonymity. [and in a followup] I might be misinterpreted as having meant that it is impossible to have both integrity and anonymity. That is not what I meant, [...]
Er, thanks for the clarification....
A typical quotation taken out of context. You missed the part after "I meant" where I explained that I meant you couldn't assure ... - That is, you could have both or not have both, but you couldn't be certain that you had both.
Integrity:= 1) Steadfast adherence to a strict moral and ethical code. 2) A state of being unimpaired; soundness. 3) The quality or condition of being whole or undivided; soundness Also) soundness, completeness, Alternatively: 1) Strict personal honesty and independence... 2) Completeness; unity... 3) The state of being unimpaired; soundness...''
In this context, I might be misinterpreted as having meant that it is impossible to have both integrity and anonymity. That is not what I meant, although it is probably also true in a very strict sense.
All right, what makes you think that ? Lest we wave our hands too much and totally misunderstand each other, let me lay down a more concrete scenario. If you have a substantially different scenario in mind, let me know.
Suppose that I send an anonymous message to a public forum such as this. I and the message seem to "have anonymity" by any standard I can presently imagine. Now, in what ways might I or the message lack integrity in this situation ?
If the message was not of any particular import to anyone, integrity would not be a very big issue, but suppose you took quotes out of context and cleverly tried to construct a picture of the other person as not being reputable. People who read the message might believe that what you said was true, or at least had a grain of truth to it. That sort of message lacks integrity, and the reason it lacks integrity is because it has anonymity, not just because it's false and misleading. To clarify even further, I seem to recall a posting some months ago from an anonymous source declaring a new on-line for-sale forum called the Internet Security Newsletter (or some such thing). The anonymity of the poster in the context of asking for money and the fact that one of the people who was claimed to be on the board of editors was not, in fact, a participant, led to the question of who the person was. It turned out that this person had a substantial history of putting forth falsehoods as well as other related things that might have been very helpful in evaluating the credence of his statements. It turned out that the newsletter was, at least in some sense and without making value judgements, legitimate; but the anonymity of the person making the posts made it harder to assure the integrity of the statements made, which exacerbated the assurance issue.
I haven't broken my personal ethical codes, although perhaps I've violated someone else's. I have been honest, at least as much as I am generally honest in anything I write. I am not lying by donning the cloak of anonymity; I have not misrepresented my identity, merely refused to reveal it. The content of the message can be considered sound as much as anything else can. The message is incomplete in the sense that it does not include the true identity of the author -- is this what you would claim as a failure of integrity ? All messages are incomplete in the sense that various important facts are absent from them.
I don't know you, which also means that I don't know your motives. This brings up the problem that, even though your postings may be true and your motives honorable, they may not be, and there is no way to look into your background and evaluate your history in order to assess your statements. In many cases, I believe statements because of their source and my experience with that source. I understand that over time, reputations can be built up for pseudonyms (which are not necessarily anonyms) but then, with a pseudonym we might reasonably ask what the motive is for hiding the real identity. Is it for fun? Because it's there? In solidarity for those who have legitimate reasons for remaining anonymous? Or is it a means to influence others for personal or national gain? Is it a way of spreading disinformation? Is it a way to escape liability for slanderous statements? Is it a way to keep people from finding out that there is a personal grudge being played out? Without knowing the motive, how can we assess the statements? In fact, how can we know that the original pseudonym still applies? Someone could kill you and take over your pseudonym, and even though we might hear of your death, the pseudonym might continue based on your reputation but with another actual source. It's an interesting concept that each statement should/could be taken on its own and evaluated independently of the rest of a person's life context, but in my experience, that has serious problems.
To clarify, I don't think you can assure integrity when you have anonymity.
This follows from my earlier writings (circa 1984-89), which are fairly extensive, and in which I made the only marginally supported claim that you can't have (i.e., assure) both integrity and secrecy in a system with sharing. This came originally from the result that integrity + secrecy = no sharing (ala the combination of Biba and Bell-LaPadula) which was extended into a POset which characterizes the extent to which integrity and secrecy can be maintained based on transitive information flow.
The less mathematical reasoning is that in order to be able to verify integrity, you have to be able to examine the information that is secret, while having secrecy requires that you not be able to have independent verification. Thus the two limit each other.
Anonymity, in this context, can be thought of as secrecy.
I understand the nature of the information flow argument, but I don't see that it's applicable. You appear to contend that the assurance of the integrity of an anonymous message depends upon the examination of information that is "secret", that is, _not part of the message_. But no message is complete -- all messages have many such associated "secrets" not available as part of the messages. So the claim seems to be vacuous: we can assure the integrity of neither anonymous nor verinymous messages.
An important point. The more we know, the more certain we can be. With computer-based anonymity as it is practiced today, and ignoring the examples of the pseudonyms that were broken by legal warrant, we have very little knowledge about the originator of a message, and thus we have very little assurance of the integrity of their messages. The history built up over time for a given pseudonym certainly increases the assurance associated with it, but there are other problems with this. Example: I have two (N) pseudonyms that put forth different points of view specifically directed to create different kinds of credence to different audiences. If the audiences knew that both (several) of the pseudonyms were in fact the same person, they would have very different beliefs about the individual given the combined picture than they might get from any one of the pictures.
Perhaps the rejoinder will be that anonymous messages have a _characteristic_ piece of missing "secret" information, namely the senders' True Names. But you have yet to offer any argument that only certain special "secrets" must be examined in order to verify integrity.
It's not only the True Name that's at issue. It's the association of a set of messages and historical information with a source. For example, if we knew you were a KGB agent working in the disinformation and economic espionage branches, we might evaluate your postings differently than if we knew you were a high-school student from Duluth whose father taught her a lot about cryptography when she was young.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Dr. Frederick B. Cohen writes:
To clarify even further, I seem to recall a posting some months ago from an anonymous source declaring a new on-line for-sale forum called the Internet Security Newsletter (or some such thing). The anonymity of the poster in the context of asking for money and the fact that one of the people who was claimed to be on the board of editors was not, in fact, a participant, led to the question of who the person was.
The poster wasn't actually anonymous, but rather pseudonymous, in that case. (The pseudonym was the name of the publication, as I recall.)
It turned out that this person had a substantial history of putting forth falsehoods as well as other related things that might have been very helpful in evaluating the credence of his statements. It turned out that the newsletter was, at least in some sense and without making value judgements, legitimate; but the anonymity of the person making the posts made it harder to assure the integrity of the statements made, which exacerbated the assurance issue.
It seems to me that the integrity of the statements was rather easily verified based on the merits of the statements themselves. In particular, one or two participants in the forum denied the claims made that they were members of the editorial board. Granted, some people would have been more inclined to look askance at the messages if they had known the author's True Name. But as the saying goes, "past performance is not a guarantee of future results". You can choose to doubt or believe a message because of the author's past reputation. But reputation is not a reliable predictor of the integrity of future assertions. It's a nice psychological crutch, but reliance on a "rational expectation" is a long way from anything I would call "assurance" or "verification". It doesn't prove anything. The only acceptable method of assurance I can see is careful analysis of the propositions posited, and empirical verification of the facts presented. Leaning on past reputation is accepting an odd form of Proof by Authority. As it happened I had never heard of the True Name of the sender, so the knowledge wasn't useful to me.
I understand that over time, reputations can be built up for pseudonyms (which are not necessarily anonyms) but then, with a pseudonym we might reasonably ask what the motive is for hiding the real identity. [possible motives...] Without knowing the motive, how can we assess the statements?
By asking yourself if they seem to make sense, checking them against known facts and beliefs, etc. The same methods, IMHO, that are mainly appropriate to assess anyone's statements.
In fact, how can we know that the original pseudonym still applies? Someone could kill you and take over your pseudonym, and even though we might hear of your death, the pseudonym might continue based on your reputation but with another actual source.
Of course, the is-a-person problem has been discussed at great length. Digital signatures are as effective for pseudonyms as for anyone else. The messages we've seen "from Alice de `nonymous" might all have come from different senders. They exhibit a common tone and style, but that doesn't assure us of anything. In a sense that makes them more inviting, since there's always the chance that a third party is attempting a clever parody or a sly bit of character assassination. [...]
It's an interesting concept that each statement should/could be taken on its own and evaluated independently of the rest of a person's life context, but in my experience, that has serious problems.
In my experience, that's about all I can usually do in network communication. In principle I _could_ devote scads of time to background investigations of my correspondents, for all except strongly anonymous and strongly pseudonymous parties, but I don't find that approach realistic. -Futplex <futplex@pseudonym.com>
Futplex <futplex@pseudonym.com> opines: ... [example was here - saving bandwidth]...
It seems to me that the integrity of the statements was rather easily verified based on the merits of the statements themselves. In particular, one or two participants in the forum denied the claims made that they were members of the editorial board.
Granted, some people would have been more inclined to look askance at the messages if they had known the author's True Name. But as the saying goes, "past performance is not a guarantee of future results". You can choose to doubt or believe a message because of the author's past reputation. But reputation is not a reliable predictor of the integrity of future assertions. It's a nice psychological crutch, but reliance on a "rational expectation" is a long way from anything I would call "assurance" or "verification". It doesn't prove anything. The only acceptable method of assurance I can see is careful analysis of the propositions posited, and empirical verification of the facts presented. Leaning on past reputation is accepting an odd form of Proof by Authority.
You are correct in stating that it doesn't prove anything, but that, it seems to me, is universally true. Nothing you can ever do can prove absolute integrity. The issue then comes down to whether you get more integrity by knowing (or having access to) the full body of information about a source. I think you do.
As it happened I had never heard of the True Name of the sender, so the knowledge wasn't useful to me.
But with the name, if you had chosen to, you could have done a great deal to learn about the history of the individual - through his published works, the many fine and not so fine things he has done in his career, etc. It is the availability of this reference material that makes the identity that much more useful.
I understand that over time, reputations can be built up for pseudonyms (which are not necessarily anonyms) but then, with a pseudonym we might reasonably ask what the motive is for hiding the real identity. [possible motives...] Without knowing the motive, how can we assess the statements?
By asking yourself if they seem to make sense, checking them against known facts and beliefs, etc. The same methods, IMHO, that are mainly appropriate to assess anyone's statements.
It is interesting that you take this line, especially in a forum where so many people trust so much that is posted without verifying it. For example, who on the cypher punks list verified the posting made by the people from MIT regarding Java? Was it simply the trusted MIT name that caused you to take it on faith? One of the underlying assumptions of the scientific establishment, and in fact science itself, is that results be published and verifiable, but in reality, almost all results are not verified, and even the most startling results aren't verified before many people begin to place trust in them. Example of a relatively quick response to such an assertion was the Cold Fusion situation a few years ago. On the other hand, the professor at the University of Pittsburgh who published results based on faked data (this is a gross simplification, I know) was widely believed for many years. The fact is that, today, there are simply too many results to verify them all along with the underlying data they depend on, the software used to generate them, etc. As a result, we are increasingly left with trusting the people rather than the results. Another issue is that the resources required to reproduce "big science" are not available to most people. Has anyone reproduced Adleman's experiments on biological computation? I know of nobody that has, and would love to do it myself, but I don't have the necessary equipment. This is an Earthshaking result with enormous long-term consequences, and I'm certain it's right because I agree with the underlying theory and don't see any reason for anyone to lie about it, but if Nostragnia of the Crydon Republic had published it anonymously, I would be much more hesitant to accept it and so would you (all).
In fact, how can we know that the original pseudonym still applies? Someone could kill you and take over your pseudonym, and even though we might hear of your death, the pseudonym might continue based on your reputation but with another actual source.
Of course, the is-a-person problem has been discussed at great length. Digital signatures are as effective for pseudonyms as for anyone else. The messages we've seen "from Alice de `nonymous" might all have come from different senders. They exhibit a common tone and style, but that doesn't assure us of anything. In a sense that makes them more inviting, since there's always the chance that a third party is attempting a clever parody or a sly bit of character assassination.
The question is not whether the signature is right, but rather, are there other reasons to believe or not believe - trust or not trust - etc. the sender. The less anonymity, the better this is revealed.
[...]
It's an interesting concept that each statement should/could be taken on its own and evaluated independently of the rest of a person's life context, but in my experience, that has serious problems.
In my experience, that's about all I can usually do in network communication. In principle I _could_ devote scads of time to background investigations of my correspondents, for all except strongly anonymous and strongly pseudonymous parties, but I don't find that approach realistic.
The point of non-pseudonyms is that if you want to know you can try to find out. If others know additional relevant information and decide to reveal it, you can tell that much the better. It also reduces blatant character assassination (which brings some level of civility) and forces people to take personal responsibility for what they say and do. All of these things, in my opinion, increase integrity.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
My turn to rise to the bait...
Dr. Frederick B. Cohen writes:
I have been thinking about the issues of anonymity for some time, and I have been convinced for some time that you can't have both integrity and anonymity.
What's your working definition of "integrity" in this context ?
Come on.. we're never gonna get Dr. Fred to go away if we keep giving him attention. Christopher
participants (5)
- anon-remailer@utopia.hacktic.nl
- cjs@netcom.com
- fc@all.net
- futplex@pseudonym.com
- shields@tembel.org