Anonymity by Design versus by Policy

by phobos | September 17, 2009

There have been some recent stories in the news about various "anonymous" bloggers and commenters being unmasked by court order. A business promises not to give up your identity unless forced to do so via court order. This is anonymity by policy. If a business doesn't have your identity, then there is nothing to divulge. This is anonymity by design.

Advocates for anonymous comments understand the value of being able to speak freely. However, if you're simply connecting from your home or office, parts of your identity are leaked to the site on which you commented. As shown above, you can be unmasked fairly easily. Some sites simply respond to a subpoena, others legal threats, and still others simply don't care; giving away your identity with any request. There are plenty of valid reasons to want to protect your identity in a blog, comment, or feedback form.

I've participated in "anonymous reviews" being conducted in a company where employees get to give their opinion on anything in the company: strategy, management, branding, etc. Human Resources rolls out the "anonymous survey" with great fanfare as a chance for the line employees to get their voice heard. At the same time, upper management asks IT to ascertain which IP address maps to which employee, whether connecting internally or not. Employees quickly figure out what's going on and feel undervalued and coerced into toeing the company line. And management lacks the feedback they probably should hear. In this case, anonymity by policy doesn't help anyone actually improve the company.

Another example is the Iraqi Rewards Program run by the CIA. It's designed such that concerned Iraqi's can report illegal activities and get a reward for verified intelligence. Essentially, an anonymous tip line. The issue is an Iraqi citizen will go into an Internet cafe and have an encrypted conversation with cia.gov. This is bad for the people who want to report something. An observer on the network only sees someone talking to cia.gov with encryption. A truly anonymous tip line should protect the identity of the tipster, and provide the tipster with the ability to divulge as much of their identity as comfortable.

The examples and news stories above show you the difference between anonymity by policy and anonymity by design. We encourage the courts to keep raising the requirements before forcing a provider to divulge your identity. We encourage companies to learn how privacy can enhance their relationship with their customers. We designed Tor such that relying on court tests and company policies isn't your only protection. Tor users and relay operators don't have the data to divulge. This is anonymity and privacy by design.

Comments

Please note that the comment area below has been archived.

September 18, 2009

Permalink

The Ontario Privacy Commissioner has ads about Privacy by Design. Perhaps there is something in common.

September 18, 2009

Permalink

I recently dropped a comment on a blog, and they responded mentioning that tor isn't all its cracked up to be. The conversation had nothing to do with tor, they just saw I was using it based on their logs, I guess. They mentioned that it has exit nodes leakage issues or some such. I don't profess to understand all that, so what I'm wondering is if that means they can see more specific information about me, or if its just showing tha I use tor. Mind shedding some light?

We make it easy for sites to detect if you exit from Tor. Unless you give more information, all someone will see is you are coming from Tor.

There's lots of misinformation out there about Tor. People either don't understand it or purposely choose to not try.

September 21, 2009

In reply to phobos

Permalink

I am Expert i cant connect with tor in 3 days ago
the governmental telecommunication company in Iran close any port in internet traffic excluding 80
please help us !!!

hi.i noticed my download software,one line has 443 port number.then in the next line it says connection close.and retry.i couldn't run my TOR in the last two days,even with many bridges,with different port number.please,do not let them to close these few holes to the free world.this is exactly they want.and also any kind of address,such as gmail which starts with HTTPS is not reachable still.
thanks

September 19, 2009

Permalink

I was not aware that people could detect that you were using Tor??? Yes any more info here would be much appreciated.

it is easy to detect that a web comment was made via tor, because the list of tor exit node ip addresses is public. however, your system may still leak information to blog and comment websites due to various weaknesses in browser design and implementation. torbutton (and some other software) is designed to address the latter sorts of issues.

I suppose that makes it easy compared to detection of some other security measures, but it wouldn't seem to be effortless. Unless I am missing something, there would still need to be a dynamic process to harvest the current exit nodes (I'm assuming that exit nodes change over time, not just relays), and an automated or manual process to compare the IP address source for comments to that list. I wouldn't think that most blog publishers would have an incentive to make that effort.

September 19, 2009

Permalink

hi.i noticed my download software,one line has 443 port number.then in the next line it says connection close.and retry.i couldnt run my TOR in the last two days,even with many bridges,with different port number.please,do not let them to close these few holes to the free world.this is exactly they want.and also any kind of address,such as gmail which starts with HTTPS is not reachable still.
thanks

September 19, 2009

Permalink

I agree with using Tor to protect your privacy. But as I have seen a rise of a new type of spammer. I disagree with abuse some names users have decided to use Tor for. As is I just started running a website to have a few users of Tor abuse my contact form to spam up my email box. So now I have all IP addresses banned server-side.

You I use Tor myself once in a while, but I my opinion it users like these that make Tor have a bad name. As is I'm think of disallow the use of proxies on my site.
Other then that go Tor.

No one that I know likes receiving spam. But an important and elemental point of information privacy is that it be without exception. As soon as you begin making it conditional (your definition of spam or mine? - your definition of freedom fighter vs terrorist or mine?) you have started your toboggan down a very steep and slippery slope inevitably leading to massive compromises of privacy from all kinds of motivations for all manner of beneficiaries (few of them good or even benign).

I am also not too clear on how Tor facilitates this. I could drop a comment on your web form using any number of anonymous email addresses (assuming that there is even a script that checks for valid addresses). I can tell you from professional experience that ISPs that are eager to go after UCE abusers, even when furnished with a complaint and email headers, are in a very small minority. Since a web form could be filled in by someone in a public library, at an internet hotspot, or from a computer at their workplace, I would think that ISPs would be even more reluctant to go after this kind of abuser. In short, I see not reason why Tor would be necessary or even very useful for this (although it may have been used).

Tor lets you decide how much information to give to the site/person on the other end of your connection. In your examples, sure someone could do that, but then the IP address is logged on the remote site, any ISP along the path could see the traffic and connection, and in most locations, there are observers who could place you at the computer (observers could be other patrons or cameras).

ISPs go after all sorts of abusers, they don't care where the connection originates. It depends upon your ISP.

September 25, 2009

Permalink

i can not connect to Tor since yesterday. i tried every Bridges but it dosen't work out.

the port doesn't work. please help us.

October 02, 2009

Permalink

Is Tor a transparent or disguised proxy?

October 05, 2009

Permalink

Torcheck at Xenobite.eu seems to have expired June 2009. Is there a new current torcheck site available to verify valid Tor page

October 26, 2010

Permalink

anyone know how I can make tor shows an IP address specified, an IP address from which I got the number previously, is for business proposal (I want tor shows I am in the office)