You Can't Get Rid Of Anonymity Online, Even If You Wanted To
from the welcome-to-the-internet dept
While some politicians still think that it's possible to get rid of anonymity online, the truth is a lot more complicated. Bruce Schneier has an excellent new column where he breaks down why it's not really possible to end anonymity online, no matter how hard people try:
Imagine a magic world in which every Internet packet could be traced to its origin. Even in this world, our Internet security problems wouldn't be solved. There's a huge gap between proving that a packet came from a particular computer and that a packet was directed by a particular person. This is the exact problem we have with botnets, or pedophiles storing child porn on innocents' computers. In these cases, we know the origins of the DDoS packets and the spam; they're from legitimate machines that have been hacked. Attribution isn't as valuable as you might think.And of course, this doesn't even get into the question of why you'd want to remove anonymity. While there's always one or two people in our comments who claim that anonymity should be ditched to make people "responsible for what they say," that's ridiculous. Responsibility is separate from identity, and there are times when it's much more "responsible" for someone to be able to post something anonymously.
Implementing an Internet without anonymity is very difficult, and causes its own problems. In order to have perfect attribution, we'd need agencies -- real-world organizations -- to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver's licenses, whatever. Sloppier identification systems, based on things such as credit cards, are simply too easy to subvert. We have nothing that comes close to this global identification infrastructure. Moreover, centralizing information like this actually hurts security because it makes identity theft that much more profitable a crime.
And realistically, any theoretical ideal Internet would need to allow people access even without their magic credentials. People would still use the Internet at public kiosks and at friends' houses. People would lose their magic Internet tokens just like they lose their driver's licenses and passports today. The legitimate bypass mechanisms would allow even more ways for criminals and hackers to subvert the system.
On top of all this, the magic attribution technology doesn't exist. Bits are bits; they don't come with identity information attached to them. Every software system we've ever invented has been successfully hacked, repeatedly. We simply don't have anywhere near the expertise to build an airtight attribution system.