1993-09-08 - the Pitfalls and the Pendulum of Anonymity

Header Data

From: “L. Detweiler” <ld231782@longs.lance.colostate.edu>
To: cypherpunks@toad.com
Message Hash: 8bd7e939189042305d18191d23820cc5bbfa5899125de558cdd4b3f58e0ef0d0
Message ID: <9309080324.AA21869@longs.lance.colostate.edu>
Reply To: <9309072304.AA10914@octopus.chp.atmel.com>
UTC Datetime: 1993-09-08 03:31:47 UTC
Raw Date: Tue, 7 Sep 93 20:31:47 PDT

Raw message

From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Tue, 7 Sep 93 20:31:47 PDT
To: cypherpunks@toad.com
Subject: the Pitfalls and the Pendulum of Anonymity
In-Reply-To: <9309072304.AA10914@octopus.chp.atmel.com>
Message-ID: <9309080324.AA21869@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain

baumbach@atmel.com (Peter Baumbach) raise the problem with the
anon.penet.fi remailer: he sends email to someone who does not have an
ID on the server. They reply, causing the server to automatically
allocate them an ID. He now knows their anonymous ID. This can also
happen if somebody `accidentally' responds to a message directed to
their `cleartext identity' (not sent through the server) anonymously
through the server.

Since no one else has posted on this yet I will.  The short answer is
that you can tell them to use your address `na[x]' and their anonymous
identity won't be revealed, and if they are using the server they might
know that (is it stated in the introduction material? it sure should be).

The collective list psyche realized this was a problem in an epiphany
about 6 months ago (due credit, I recall it was Deadbeat who brought it
to everyone's attention). It was a very lively exchange because J.
Helsingius was also involved simultaneously. (In fact, I'd call it one
of the few great testaments to cypherpunk prowess.) The problem is
rooted in two circumstances:

(1) the server was mainly intended for posting to newsgroups at its
origination, where the automated anonymizing (J. Helsingius' term:
`automated double blinding') makes sense. If someone posts to a
newsgroup anonymously, it is harmless and perhaps beneficial for
replies to that posting to be automatically anonymized.

(2) however, a major use of the server is email-to-email mail, so to
speak. in this case the scenario raised by Deadbeat in the past &
Baumbach recently reveals the pitfalls in the `feature'.

the automated anonymizing feature, implemented with the best of
intentions, has come back to haunt J. Helsingius rather rudely--it is
perhaps the greatest weakness of the server, other than the corrected
`forge-without-passwords' aspect (where someone can forge an email
message from: address and possibly determine anonymous-to-identity
mappings through trial and error if no passwords are used).

J. Helsingius has announced grand visions for the amazing, spectacular,
and impending Mark II server that will incorporate full encryption
(user keys mappings and a server key), along with a new default in
which replies to anonymous email will not be automatically anonymized.
Arriving `sometime in the fall'. If anyone wants it sooner, donate a
hard drive or something to this great living cypherpatriot, who has
personally monitored contributed to the list for suggestions and
maintenance over many months span.

There are multitudes of treacherous pitfalls to anonymity, far more
complex than the mere simplicity of keeping a password secret, and it
requires almost superhuman attention, precision, and cleverness to
avoid them all. It is like juggling multiple identities. In fact, the
studies on multiple personality disorder are very fascinating in this
light. Under an anonymous identity, one must respond as if certain
knowledge is known and other aspects are *not* known. This reminds me
of cases of MPD in which one personality can drive a car, and the other
cannot, for example. Analogously, if I revealed in some anonymous
message that I knew some secret or private aspect of one of my other
identities, `the jig is up'.

In fact, it would be very useful to try to enumerate all the various
pitfalls of maintaining an anonymous identity. One trick might go like
this: carry on a conversation with a person anonymously. Then, suppose
one has a pretty good guess of the person's identity. Send the next
snippet in the dialogue to the cleartext identity of your suspect. If
s/he responds as if nothing was different in the conversation, carrying
it on further, using the anonymous ID or even the regular one, you have
it nailed. If you get the response `what are you talking about?' the
test was inconclusive. This shows the absolute importance of looking to
*whom* a message you received was addressed to! was it to *you* or to
*you* or to ...

Ah--anonymity is such a delicate facade, and it is an apt symbolism on
multiple levels when the only difference between silent secrecy and
horrifying exposure teeters precariously [as if] on the order of the
two typed keystrokes `na'!

p.s. I would like to know if there is a way to (1) automatically get
traffic statuses from anon.penet.fi, and (2) get a list of supported newsgroups.