1995-10-18 - Anonymity: A Modest Proposal

Header Data

From: Modemac <modemac@netcom.com>
To: cypherpunks@toad.com
Message Hash: be42472561b069df2da6442bc783579e2f8dbfdeb057adb4d8defbbf503e0e1d
Message ID: <Pine.3.89.9510180431.A22347-0100000@netcom4>
Reply To: N/A
UTC Datetime: 1995-10-18 11:59:35 UTC
Raw Date: Wed, 18 Oct 95 04:59:35 PDT

Raw message

From: Modemac <modemac@netcom.com>
Date: Wed, 18 Oct 95 04:59:35 PDT
To: cypherpunks@toad.com
Subject: Anonymity: A Modest Proposal
Message-ID: <Pine.3.89.9510180431.A22347-0100000@netcom4>
MIME-Version: 1.0
Content-Type: text/plain

Several weeks back, I posted a message stating the need (in my opinion)
for a system of anonymity on the Internet that would be more secure than
the anonymous remailers.  Despite the valuable service provided by the
remailers, I am troubled by their vulnerability.  It seems likely that
at some point in the near future, a remailer is going to be silenced,
and possibly (though not inevitably) the contents of its database made
public.  This may possibly lead to criminal charges being filed against
someone, based on alleged criminal acts in which the remailer plays a
(I am not going to state what these "criminal acts" may be, because I
don't know which ones will be involed.  I don't know when this blow to
the remailer system will come, or who it will happen to.  I simply
believe that, given the growing trend towards censorship and 
anti-privacy in government and business circles, the blow will come
sooner or later.)
The vulnerability of the remailer system, in my opinion, rests in the
fact that a remailer is physically located in a certain place.  This
makes the remailer a target for attacks, as shown by the futile
efforts (so far) of the so-called "church" of Scientology to silence
the remailers at anon.penet.fi and xs4all.nl.  (The original demand
of Scientology in the Penet affair was for the entire contents of
Julf's database to be revealed, but fortunately Julf was able to limit
the exposure to a single user.  When Scientology attempted to raid
xs4all, their original seizure order was against the remailer itself
- -- but fortunately (again) the remailer itself had been closed two
months before.  The representative of Scientology had to re-phrase the
seizure order on the spot, declaring instead that the reason for the
seizure was the existence of the infamous "Fishman Affivavit" on
an xs4all Web page.)
I believe a system of anonymity is needed that can withstand attacks
of this sort.  The current remailer system may be able to weather the
oncoming storm, but it will suffer damage in the process.  A system
to reduce the effect of pro-censorship forces on sources of online
anonymity is needed.
But what shall this system be?
Since the prime vulnerability of the remailers rests in their physical
locations, we have the possibility of physically hiding their
locations.  This is impossible in the long run, and it hampers the
ability to set up a remailer on a short-term basis.  How hard is it to
set up a node that is hidden from efforts to discover its location?
If setting up a remailer requires you to go into hiding, many 
would-be privacy activists will be dissuaded from giving it a try.
Rather, I wonder if it would be possible to devise a system that
introduced a random element into the picture, one that lessens the
possibility of blame being placed on any one individual, or any one
site.  The Netherlands responded to Scientology's attack on xs4all
by spreading the Fishman Affivavit far and wide.  At the time of this
writing, this document now exists on more than eighty Web pages in
Holland, and this makes it far more difficult for Scientology to stop
the spread of information.  (They are still trying, however.  The
latest word from Europe is that a member of Scientology's "Office of
Special Affairs" has flown to Europe, and is now calling service
providers and individual users.  A lawyer for Scientology is there as 
well.  See alt.religion.scientology for more details of this case.)
Using Scientology as an example once again (this will be my last
mention of it, I promise), note the failure of the "church" to shut
down alt.religion.scientology.  They have tried every possible means
to prevent the newsgroup from spreading information to the world, and
every attempt to stop this "leak" has failed.  If it was possible to
effectively eradicate a newsgroup, Scientology would certainly have
done so by now.  Alt.religion.scientology cannot be shut up because it
is distributed to thousands of sites around the world, thus making it
impossible to shut them all down.
That's why I believe a newsgroup for anonymous messages would be able
to withstand attacks by would-be censors.
Previously, I had suggested the possibility of a "moderated" anonymous
newsgroup that would forward all postings to the address of the
"moderator," where they might then be randomly distributed to
remailers before being posted to the anonymous newsgroup.  However,
that idea had several inherent weaknesses, including attacks on the
"moderation" site and newgroup messages designed to compromise the
newsgroup and send postings to other places.  The way to prevent a
newsgroup from being compromised in this manner, then, would use a
different method -- one that is immune to control messages.
In the course discussion with a group of cyberpunks on IRC a couple of
days ago, another possible system for anonymity was devised.  This
system can reply on a unmoderated newsgroup as a source for messages.
Instead of forwarding messages to an address in order to hide the ID
of an anonymous poster, it was suggested that PGP be used to protect
the messages themselves.  
The basic idea for this system goes like this:
     1) A person writes a message and encrypts it with PGP.
     2) That person then posts his message to the "anonymous messages"
     3) A remailer scanning the newsgroup picks up the message,
        decrypts it, strips the headers and makes it anonymous, and
        sends it to its destination.
Because the anonymous messages come to the remailer by scanning a
newsgroup, tracking a remailer's incoming-mail logs would be useless.
To offer further protection for the remailers, a random system could
be devised to ensure that no one knows exactly which remailer scans a
particular message at a particular time.
I am not a programmer, and some of the technical details in this
proposal go over my head.  Hopefully you can clairfy some of the
points presented here and see if this system is possible or not.
The actual remailer code, involving scanning the newsgroup for
PGP-encrypted messages and stripping headers, could be written with
PERL scripts.  This would keep it portable, and it would be easy for 
a person to tell if it has been tampered with.  This code would be
distributed widely.
A series of remailers would be used to decrypt anonymous messages.
A "token" (like the token ring of IBM fame) would be passed back and
forth between all of the Cryptoclients in the remailer network, so
that only one remailer would be "active" at any given time.  This
token would be passed back and forth at random, so no one would know
exactly which remailer is being used to anonymize a message.
The "token" is the key to this remailing system.  This token would
include necessary information such as the last message scanned, and
to coordinate timing among the remailers.  This will work to avoid
duplication of messages.  (Of course, the remailers should also hold
messages for a random amount of time -- say, up to two hours -- in
order to prevent someone from being traced, based on the time he
posted his encrypted message to the newsgroup.)
The decryption key for the anonymous messages would be created using a
2047-bit PGP key.  To prevent this key from falling into the wrong
hands, a "web of trust" could be used to pass pieces of the key among
each other.  If enough sites trust remailers trust a site, that site
will receive enough pieces of the group key to be able to respond and
"accept" the token.
The public key for this PGP key would be sent to the keyservers.
People would encrypt their messages using this key.
The mental image I have is that of a virtual "anon demon," zipping
back and forth among the network of remailer sites, stopping at each
site to scan messages from the newsgroup and send them to their
destinations.  If a large network of remailers is connected in this
fashion, it becomes impossible to prevent stop anonymous messages
from reaching their destination simply by attacking one site, or even
a series of sites.  The "anon demon" would simply bypass the
compromised sites and use other points in the network.
Comments are welcome concerning the vulnerability of this system, its
complexity, its ability to withstand attacks, and any other
constructive criticism.
Version: 2.6.2