1997-06-11 - LPWA

Header Data

From: Michael Stutz <stutz@dsl.org>
To: cypherpunks@toad.com
Message Hash: 231ec108f4b0cbe18a0a47cf0df3f02b29194509537104ab6f52f40b1d8f4783
Message ID: <Pine.LNX.3.94.970610223456.6818L-100000@seka.nacs.net>
Reply To: N/A
UTC Datetime: 1997-06-11 02:53:46 UTC
Raw Date: Wed, 11 Jun 1997 10:53:46 +0800

Raw message

From: Michael Stutz <stutz@dsl.org>
Date: Wed, 11 Jun 1997 10:53:46 +0800
To: cypherpunks@toad.com
Subject: LPWA
Message-ID: <Pine.LNX.3.94.970610223456.6818L-100000@seka.nacs.net>
MIME-Version: 1.0
Content-Type: text/plain



http://www.wired.com/news/technology/story/4375.html

Covering Your Tracks via a Helping Hand
by Michael Stutz

6:02pm  10.Jun.97.PDT Ironically, when it comes to privacy on the
Net, you often have to turn to middlemen for help.

In the latest in a long string of software and services that act
as intermediaries for two parties when at least one of the
parties wants anonymity, a technology demonstration was announced
by Lucent Technologies on Tuesday. The Lucent Personalized Web
Assistant enables users to maintain Web anonymity even on sites
that require email registration. The LPWA acts as an anonymous
proxy server, handling HTTP requests between a user and a Web
site so that the user remains anonymous, said Alain Mayer, one of
LPWA's developers. LPWA also filters the HTTP protocol so that no
unwanted information goes out from the user, he said.

Unlike the Anonymizer, a popular anonymous Web browsing service,
it cannot perform temporary, nonproxy, anonymous Web sessions,
but it does allow for anonymous accounts on Web sites that
require it. "It computes on your behalf all kinds of username and
passwords you'll need at different Web sites, in such a way that
they will appear completely unrelated. On top of that, it will
assign you a different email address" for each site that is
visited.

The problem, Mayer says, is that many commercial Web sites
require online registration before you can access their
information. Besides the fact that many people do not like this -
and choose not to visit those sites - this poses a number of
logistical problems. "One problem is that you have to remember
all the username and passwords that you give out the next time
you come back," said Mayer. "And if you always use the same set
of username and passwords, these sites can potentially can get
together and see wherever you're going and trace you down."

The goal in designing LPWA was to address "where convenience and
privacy can go hand-in-hand," Mayer said. "If you design privacy
in software, it entails that you have to give on the convenience
side. Our main goal was to combine these two possibly
antagonistic goals."

Currently, Lucent stores no information about LPWA users, since
the anonymous usernames and passwords are generated by a
cryptographic function. When a user connects to a site that
requires a login, "\U" is entered for a username and "\P" for a
password; LPWA then interprets this and supplies the
cryptographically generated username and password to the site.
Unlike some anonymous remailers, which store translations
of users on hard disks, nothing would be retrieved from an LPWA
should it be compromised by a government or other entity.

But could commercial sites ban LPWA access by their own means?
Mayer doesn't think so. "Potentially, a Web site can always
refuse email from certain domains," he said, "but we can always
find different domains, not just lpwa.com. What we hope is that
commercial Web sites don't see us as an enemy but as a friend,
because if users feel more secure in having certain things
protected that they feel strongly about, then they also hopefully
will feel better about giving certain other demographic
information that the Web site can use. If this system gets
popular, both sides will gain."

While LPWA is now online, it should just be considered a demo;
future versions may evolve into a commercial product that
corporations could use with their firewalls, or ISPs could
provide as an added benefit. LPWA is built on top of the popular
Apache server software and runs on Unix - so it is plausible that
in the future, individuals will run it on their own machines.
"It's technically feasible to have this run on your laptop," said
Mayer, "and if you're willing to live with the performance
degradation you can even have it connect to another one and
another one, so you don't have to trust anybody."

Justin Boyan, author of the Anonymizer, imagines that schemes
like chains of proxies are conceivable, but you'll always have to
trust the community you are connected with. "It is a matter of
trust. It's an issue of, 'Do you trust the people or the
organization behind the middleman?' [LPWA] does require you to
trust Lucent if you use it, and it requires you to trust
anonymizer.com if you want to use us."

But why trust Lucent? Mayer thinks that's a very good question.
"You shouldn't," he said. "This is only a demonstration, and
hopefully will generate enough interest that this will be put in
places that are not in our hands. We don't even want to have this
responsibility - it's not our business. Do you trust your ISP?
That's a question you have to ask yourself anyway."

Copyright (c) 1993-97 Wired Ventures, Inc. and affiliated companies.
All rights reserved.






Thread