From: Stanton McCandlish <mech@eff.org>
To: ld231782@longs.lance.colostate.edu (L. Detweiler)
Message Hash: 5f77dd0025bfa1732e6e9a7305767f649d17964f2c271253def9f66a762af1b8
Message ID: <199310262026.AA14561@eff.org>
Reply To: <9310240835.AA08908@longs.lance.colostate.edu>
UTC Datetime: 1993-10-26 20:31:26 UTC
Raw Date: Tue, 26 Oct 93 13:31:26 PDT
From: Stanton McCandlish <mech@eff.org>
Date: Tue, 26 Oct 93 13:31:26 PDT
To: ld231782@longs.lance.colostate.edu (L. Detweiler)
Subject: Re: pseudospoofing survey
In-Reply-To: <9310240835.AA08908@longs.lance.colostate.edu>
Message-ID: <199310262026.AA14561@eff.org>
MIME-Version: 1.0
Content-Type: text/plain
> 1. `True Name' -- for our purposes let this be defined as the name on
> your birth certificate, your legal identity.
That's a bad definintion. The name on *my* b.c. is NOT my legal identity.
[2. name one goes by all the time on the net, 3. anonymous]
> 4. `pseudonymous' -- a variation of (3) where arbitrary identification
> is used to build up a reputation under a presumed name, but
> characteristics of the message make clear that the identity is an
> *alias* for someone's *unique* identities under (1) or (2). The
> nicknames associated with the Helsingius server ID's would be an example.
>
> 5. `pseudoanonymous' or `pseudospoofed' -- the message could either be
> someone's `true name' or an invented alias, but *no* characteristics of
> the message (including the message by the author) can discriminate
> exactly *which*.
I fail to see how, under this definition, it differs from category 2. If
I'd ALWAYS posted under the name George P. Schrader, then that is the
identity that would be ascribed to me. No one can tell if "Stanton
McCandlish" is my true name either. None of you actually know that. I
could be a persona of Shari Steele for all anyone really knows.
> Very serious abuses of (5) can lead to insideous deception and
> treachery, particularly in the interplay between public and private
> messages, and I'm absolutely aghast to see the capability for (5)
> championed as `privacy' here and in my mailbox by many people (or
> phantoms, I'm in total confusion) I used to respect. But this is all another essay.
I think you are missing a major point, namely that in the future world of
the net, ANYONE can do this. The entire meaning of "identity" is going to
change, and the meaning of "person" and "you" and "me", even as it is
ALREADY changing. Read up in Hackers Dictionary, as a small example, of
how Guy L. Steele still is known as gls (his login ID from 15 years ago)
EVEN BY HIS WIFE, in day to day conversation. People become their online
personae. If people happen to have more than one, SO WHAT? It is in
human nature to have multifaceted personalities, and I for one don't see
any real difference between wearing black and being glum one day while
wearing colours and being cheerful the next, and using 2 different online
pseudos. It may not be CONVENIENT for the reader, but is it really
anyone's business if I am who I say I am, and if someone else that they've
been conversing with is also me? It is unusual, but it's not evil. It's
really no more strange that halloween or a masquerade ball.
In the case of forged identities stolen from someone else, yes that could
be a problem, but the problem is not the technology that allows it, but
the ATTITUDE that allows it. Guns don't kill people, people do.
> In (3) and (4), the reciever *knows* that the message can be from
> *anyone*. In (5), the receiver does *not* know, and may even be
> *misled* into believing that a message is in categories (1) or (2) when
> it is in fact in fact `anonymous'. IMHO this is *very* dangerous.
This is patently false. I say this on the grounds that in ALL cases of
ALL email, people know that the message can be from anyone. Period. End
of story. If you do not authenticate the message w/a digital sig, and if
the recipient does not verify it, that is NOT the fault of the
technology that makes "pseudospoofing" possible, it is the fault of the
users, if they believe that mail that says it's from X must perforce
necessarily be from X. If people do NOT know this, it is again not the
fault of the net or of anonymous services, it is the fault of the
clueless. What you advocate seems strikingly like suggesting that we
eradicate emacs, because someone somewhere might not RTFM and might cry
and whine about not being able to use it right.
> To further emphasize this distinction, in some sense categories (1) -
> (2) are *attributable* to *unique* identities. When I see messages in
> categories (1) or (2) on a mailing list, in my mailbox, or in Usenet
> postings, FTP articles, whatever, I can attribute them to unique people
> by definition. We also might call (1) `accountable', and if an online
> account under (2) can be traced to a legal identity, it would be also.
You most assuredly cannot confidently attribute any non-signed (and
unverified-by-you) message to any unique person, by the definition of what
email consists of and how it is produced. Simply the existence of
"pseudospoofing" makes this so.
> Categories (3) and (4) are *not* attributable to unique identities. A
> single person could post anonymously multiple times or pseudonymously
> under multiple identities. If a person has only one pseudonym, let's
> say that's `quasi- or semi- accountable'.
This also makes no sense to me. How can one be said to be
"quasi-accountable", particularly since there is no way for you to
acertain that they DO only have one pseudo? To be accountable, someone or
something must make you account.
> But not only is (5) *not* attributable to *identities*, it is not
> `attributable' to any of the previous *categories*! Hence, let's call
> messages in the categories (1) - (2) `attributable', (3) - (4)
> `nonattributable', (1) - (4) `uncamouflaged', `white', `open' or
> `unsurreptitious', and (5) `nonattributable' and `camouflaged',
> `black', or `surreptitious'. (I leave it to subsequent debate to
> stabilize on the most descriptive and memorable terms.)
Not to mention the rather stale (and, someone would say sooner or later,
racist) psychology at work here. I don't argue from the "PC" side of
things, but "black and white"? Come now. The real world, whether virtual
or otherwise is a very very grey place. This Tolkienism is simply
impractical.
> This *camouflage* that various cypherpunks promote, apparently up to
> the highest levels of `leadership', is IMHO inherently subversive.
> Because no one here seems to be afraid of subversion and anarchy, and
> even embraces it, let me go further and say it is *destructive* not
> only to societies but to *any* social interaction, even interpersonal.
> IMHO It is not just a recipe for anarchy, it is a recipe for chaos and
> barbarianism, *particularly* when associated with personal mail
> (including mailing lists).
How is this destructive? If I see a man on the street, and later that
night go out to a local concert, and am entertained by a "woman" singer that
is actually the man I passed that morning, in drag, what damage has been
done? Has my life suddenly been shattered, the fabric of society ripped
apart, because I've see the same physical person in 2 outfits, and was
none the wiser? If I "meet" 2 "individuals" virtually on the net, and
they are the same person, how have I, or the net, been harmed? Provided
no one is trying to defraud me, what have I lost? What have you lost?
And whoever it is behind the multiple idents may actually GAIN, if they
are the sort of person that cannot fully express themselves without
playing a role (which is a signifcant proportion of the people in the world).
Who are YOU to take that away from them?
This whole line of argument strongly reminds me of the the one that goes
like this: online communication is a bad thing, because people don't
behave like their true selves, and misrepresent themselves. We should ban
computer mediated communcation, because it is a heartless sham, a cold
fraudulent falsehood, and will be misused by the schizoprenic and the
sociopathic.
> In fact, apparently not only are `some' cypherpunks in favor of `black'
> postings, they are in favor of *concealing* the very existence of the
> capability, so as to potentially manipulate and brainwash others in an
> undetected concerted conspiracy! I think I will define this as `evil blackness'. <g>
Puh-leeeeze. I discard this conspiracy theory on the basis that you
accuse them of what you would yourself do: keep people from using the
capability [whether it's true or not is irrelevant].
> now, I just want to make the distinctions clear for the survey, which
> follows. The survey will help me determine the extent of `blackness'
> and `evil blackness'.
I take that back, this isn't Tolkienish, it's Lovecraftian. I would like
to remind you that "evil" is a term from "morals", which are baseless and
have no universality outside the closed group. If you wish to discuss
whether using pseudonymy in this manner is *ethical* or not, then by all
means please do so.
> 1. What is your `true name'?
Stanton McCandlish
>
> 2. Do you have a unique online identity other than your true name?
Yes.
> 3. How long have you been on the internet?
a few years (depends on how you wish to define "the internet".
> 4. How many mailing lists are you on?
At my peak, which I am reaching again, about 25 or more; counting
newsgroups, Fido echos, and the like, I follow several 100 online
conferences, again at peak.
> 5. Are `black' / `camouflaged' identities feasible or possible on the
> internet today? If so, how in particular? Comment on public access and
> UUCP sites if possible.
Certainly. Sign up with Netcom as "John Bigboote" and presto.
With UUCP, Fido <-> UUCP gating, or pure Fido or QWK mail, I can generate
as many personae as I wish.
> 6. To what extent do you think `camouflaged' identities exist on the
> internet currently?
To a large extent, and growing, though probably less than 1% of personae
on the net are fake.
> Where are they used?
Where are they NOT used?
>What mailing lists or
> newsgroups are particularly dense with `black' postings?
soc.culture.african, soc.culture.african.american, bit.tech.africana,
rec.music.afro-latin.
> Have you ever
> received any in email?
To be serious again, who knows? I think it highly likely.
> 7. Have you ever posted under a `camouflaged' identity? if so, where? How often?
Certainly. Not that often, but it comes in handy.
> 8. Are you aware of any potential `abuses' of `black' messages? Has it
> turned into a big problem anywhere? Do you have any horror stories? Are
> there any `cabals' or `silent conspiracies'? have any debates or
> projects been `poisoned' or `sabotaged'?
No this is silly. For one thing, all it takes to veryify in the case of
fraudulent use of another's name or reputation (i.e. posing a non-existent
big-wig at IBM) is a phone call.
> 9. Are you neutral on the capability of `black'/`camouflaged' messages,
> or do you strongly promote/support or condemn it? Is it harmless or dangerous?
I am neutral on it, just as I am neutral on the issue of what anyone does
with any tool or capablility. When it is attacked however, I am in
support if of (the tool, not the attack).
> 10. Is society aware of `black messages'? if not, what would `they'
> think in general? if so, what is the consensus on the practice?
I think so. I think it is immediately apparent to anyone that uses this
medium more than casually and for a short time that all is not as it seems
and that forgery of postings is not particularly surprising.
> 11. Is it fundamentally technically impossible to prevent *widespread*
> black messages if there was an incentive or consensus to do so? Or is
> it feasible with technology?
Anything is feasible. The question is what price will you pay to remove
this capability from the system? (incl. human costs, not just monetary ones.)
No one needs you to protect us from ourselves or eachother.
> 12. What are internet policies in general on `black' messages? What
> should they be? Should they be restricted and prevented? allowed? Keep
> in mind the distinctions of posts to mailing lists, Usenet posts, and personal mail.
What is an "internet policy in general"? I have yet to see such a thing.
There would appear to be no RFCs on the subject if that is what you mean,
and netiquette doesn't seem to mind, it THAT's what you mean. I'm not
sure the next questions under section 12 have any relevancy to anything.
Please define "should". Who get's to decide what "should" be done? It
might be better to ask "what is feasible" and "is there any reason NOT to
allow psuedonymity in whatever form it takes, provided one does not step
on the rights of others?" Thing is I don't think you could stop it,
unless you completely restructured the net, at all levels from the
mail software to the societal structure.
> 13. Please list any resources on this subject: email addresses of
> specialists, pointers to papers, etc.
Have none for you, probably because it's a non-issue.
Sorry to seem like I'm going off on you, but I just don't see the reason
in this entire line of rambling and fingerpointing. There are certainly
more important things to get excited and active about.
--
-=> mech@eff.org <=-
Stanton McCandlish Electronic Frontier Foundation Online Activist & SysOp
"A nation that is afraid to let its people judge the truth and falsehood of
ideas in an open market is a nation that is afraid of its people." -JFK
NitV-DC BBS 202-232-2715, Fido 1:109/? IndraNet 369:111/1, 14.4V32b 16.8ZyX
Return to October 1993
Return to “Stanton McCandlish <mech@eff.org>”