1993-03-01 - Future of anonymity (short-term vs. long-term)

Header Data

From: Marc.Ringuette@GS80.SP.CS.CMU.EDU
To: cypherpunks@toad.com
Message Hash: 2665eccf20c535d80d95d279992b06b8ad8e0b5d61b03fb1d7b0f8a263539845
Message ID: <9303010042.AA07783@toad.com>
Reply To: N/A
UTC Datetime: 1993-03-01 00:43:02 UTC
Raw Date: Sun, 28 Feb 93 16:43:02 PST

Raw message

From: Marc.Ringuette@GS80.SP.CS.CMU.EDU
Date: Sun, 28 Feb 93 16:43:02 PST
To: cypherpunks@toad.com
Subject: Future of anonymity (short-term vs. long-term)
Message-ID: <9303010042.AA07783@toad.com>
MIME-Version: 1.0
Content-Type: text/plain

Lance Detweiler lists some problems with freely available anonymity, and
suggests that those of us who are pushing for unrestricted anonymity are
unwise.  Many others on the list argue that unrestricted anonymity and
privacy are necessary and even inevitable.

First off, I should say that I think this is absolutely the most
critical issue that we cypherpunks must address:  how desirable
is anonymity, what restrictions should we accept and/or push for,
and what technological options can we offer as solutions?

Secondly, I think that some of us are talking past each other, by ignoring
the distinction between short-term and long-term solutions.  Lance, for
instance, concentrates on short-term problems with anonymity while ignoring
some easy-to-implement fixes for these problems in the medium to long term.
Tim May emphasizes the long-term inevitability of crypto anarchy while
skipping lightly over the practical problems of sysops trying to keep their
systems running in the short term.  Let's recognize the distinction between
short-term and long-term.  To help you out, I offer this handy diagram, which
I've filled in with my own opinions.

  Are restrictions
  on anonymity...           Desirable         Necessary         Feasible
  Short-term  (3yrs)   |       No                Some             Yes       |
  Medium-term (10yrs)  |       No                No               Partly    |
  Long-term   (20yrs)  |       No                No               Partly    |

More discussion of specific issues to follow in another message.  To sum
up, my opinions are that in the short term, remailers must try to be good
network citizens in order not to get kicked off the "one and only" network.
  In the long term, 

-- Marc Ringuette (mnr@cs.cmu.edu)

Subject: Future of anonymity (SHORT-TERM)

Lance Detweiler lists a few problems with freely available anonymity:
  -  newsgroup noise
  -  pornography GIFs
  -  email bombs / crashed computers
  -  Mafia & terrorist uses

He seems to believe that the best way to combat these problems is to
provide only limited anonymity, which is to be broken at the request
of the proper authorities.  [If I've misconstrued what you're saying,
Lance, I apologize.  Some cypherpunks are certainly saying this.]

I disagree that it is necessary for a remailer operator to reveal the sender
of a piece of mail under any circumstances, and I will not trust a remailer
which does not IMMEDIATELY THROW AWAY the correspondence between input and
output addresses.

I won't try to argue in detail that partial anonymity is not very useful.
I'll just say this:  if a remailer operator must be a moral arbiter of
when to release an anonymous address, then my assurance of anonymity
becomes much more tenuous and subjective, and the legal burdens on the
remailer operator become much greater.


I'd now like to deal with the practical objections to this suggestion
in the SHORT TERM.

First, let's postulate that anonymity is a desirable thing to have, if
we can limit its bad effects.  If we could solve the worst of the
practical problems, without keeping logs which allow tracing a message
to its source, wouldn't it be desirable to do so?

I would divide the problems into two types:  problems with volume and
problems with content.  The first three of Lance's objections were volume
problems; the last was a content problem.  My answer to the problems with
content:  tough.  It's a freedom of speech thing.

The only legitimate concern I see, in the short term, is anonymous
flooding.  This is going to be one of the toughest objections to
deal with in implementing an anonymous remailer, and one of the
biggest practical concerns, because there is the real possibility
of abuse of our poorly-controlled networks (for which the only
remedy to date has been to trace the problem to its source).

Here's my suggestion:  let's provide remailers which guarantee not to
flood the network with high volume, but keep no logs and are unable to
trace messages back to their source.  We can deal with the actual
mechanism of such volume control later; my point is that I'm suggesting
that the ONLY limitation we place on remailed messages is a volume limitation.
This restriction could of course go away once we have digital postage stamps,
but seems a reasonable one for remailers which don't charge money.

Remailer operators will have 

I propose the following solution:  that remailer operators voluntarily
compile aggregate "volume reports" 

I would predict that the primary means by which anonymity will be
restricted are:

    short-term:  crackdowns on anonymous remailing sites
    medium to long term:  by convincing most people to participate in 
        "real person only" newsgroups and to use "real person only" 
        email handlers.  These limitations could be implemented via 
        the PEM public key hierarchy, for instance.