[PracticalSecurity] Anonymity - great technology but hardly used

Mon Oct 24 16:56:26 PDT 2005

--- begin forwarded text

 Date: Mon, 24 Oct 2005 23:31:34 +0200
 To: practicalsecurity at hbarel.com
 From: Hagai Bar-El <info at hbarel.com>
 Subject: [PracticalSecurity] Anonymity - great technology but hardly used
 Sender: PracticalSecurity-bounces at hbarel.com

 Hello,

 I wrote a short essay about anonymity and pseudonymity being
 technologies that are well advanced but seldom used.

 Following are excerpts from the essay that can be found at:
 http://www.hbarel.com/Blog/entry0006.html

 In spite of our having the ability to establish anonymous surfing,
 have untraceable digital cash tokens, and carry out anonymous
 payments, we don't really use these abilities, at large. If you are
 not in the security business you are not even likely to be aware of
 these technical abilities.

 If I may take a shot at guessing the reason for the gap between what
 we know how to do and what we do, I would say it's due to the overall
 lack of interest of the stakeholders. Fact probably is, most people
 don't care that much about anonymity, and most of the ones who do,
 are not security geeks who appreciate the technology and thus trust
 it. So, we use what does not require mass adoption and do not use what does.

 Anonymous browsing is easy, because it does not need an expensive
 infrastructure that requires a viable business model behind it;
 fortunately. A few anonymity supporters run TOR servers on their
 already-existent machines, anonymity-aware users run TOR clients and
 proxy their browsers through them, and the anonymity need is met. The
 onion routing technology that TOR is based on is used; not too often,
 but is used. The problem starts with systems that require a complex
 infrastructure to run, such as anonymous payment systems.

 As much as some of us don't like to admit it, most consumers do not
 care about the credit card company compiling a profile of their money
 spending habits. Furthermore, of the ones who do, most are not
 security engineers and thus have no reason to trust anonymity schemes
 they don't see or feel intuitively (as one feels when paying with
 cash). The anonymous payment systems are left to be used primarily by
 the security-savvy guys who care; they do not form a mass market.

 I believe that for anonymity and pseudonymity technologies to survive
 they have to be applied to applications that require them by design,
 rather than to mass-market applications that can also do (cheaper)
 without. If anonymity mechanisms are deployed just to fulfill the
 wish of particular users then it may fail, because most users don't
 have that wish strong enough to pay for fulfilling it. An example for
 such an application (that requires anonymity by design) could be
 E-Voting, which, unfortunately, suffers from other difficulties. I am
 sure there are others, though.

 Regards,
 Hagai.

 _______________________________________________
 PracticalSecurity mailing list
 PracticalSecurity at hbarel.com
 http://hbarel.com/mailman/listinfo/practicalsecurity_hbarel.com

--- end forwarded text

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'