Unlisted Publishing And The Burner Account: Responses To Online Surveillance?
from the it's-a-post-snowden-world dept
One of the consolations of spending far too much time online is that you get to witness the birth of new ideas and new terms, along with new uses of existing ones. On Medium, Chris Messina points out two recent examples of creative re-purposing of older ideas and words. The first is the apparently trivial idea of “unlisted” content:
My first personal experience with “unlisted? content online was likely on YouTube. Making a video unlisted means that only people who have the link to the video can view it. It also means that the content won’t be broadcast to followers, or appear on the creator’s public profile. This is known as security through obscurity since the video isn’t secret, it’s just hard to find. An unlisted video can be viewed without requiring authentication.
Services seem to offer “unlisted” publishing to simplify sharing while providing more flexibility. It’s a pragmatic solution to address the challenge that what people think they want (i.e. 100% secrecy and control) isn’t in practice what they’re willing to put up with. It comes down to behavioral economics: if the value of keeping something secret is less than the frustration caused by maintaining its secrecy, people will route around the system designed to keep the thing secret.
As he points out, in addition to YouTube, “unlisted” services are now available from Flickr, Dropbox, Google Drive, Vimeo and Medium. His other cultural find is at a much earlier stage of its development: the “burner account.”
Like most people, “burner” connoted cheap, prepaid, disposable phones used by drug dealers to evade surveillance to me.
…
It’s not the phone that the drug dealers care about? — it’s the repudiability. A burner essentially makes fungible the association between an attribute (like a phone number) and an individual. This is important. Whereas a social security number is used as a lifelong attribute (and is therefore not fungible), a phone number is useful as an identifier only as long as the owner chooses to keep it. Once the number has served its owner’s purpose, it can be recycled back into the pool of available numbers without being traceable to the former owner.
As an example of its evolution, he cites a product called simply “Burner,” created by a friend of his:
Burner is your “other” number — a smart privacy layer for the smartphone era, giving users the power to take control of their communications and personal data.
Enabling users to obtain and manage additional phone numbers for voice, SMS, and MMS communications, Burner is fast, safe and private. Burner lets users get as many numbers as they want, use each as a private line on an iPhone or Android phone, and keep numbers indefinitely or ‘burn’ numbers they no longer need.
But Messina points out that the meme is beginning to spread beyond a single product:
I recently noticed that [Gawker Media’s] Kinja has adopted the “burner” nomenclature for anonymous commenting on its site — the first example I’ve seen of this language being used on the web
As well as their intrinsic value in extending the online ecosystem in novel ways, it’s interesting that both “unlisted” publishing and “burner” accounts are about giving people more control over who knows what they are doing on the Internet, including the ability to hide it in different ways. Maybe that desire for privacy is a response to Snowden’s revelations that we don’t actually have as much of it as we thought.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Comments on “Unlisted Publishing And The Burner Account: Responses To Online Surveillance?”
I was, and still am, blown back by the Snowden revelations. Yeah I thought the US gov was targeting some email addresses and listening to some people’s phone calls. I never expected they were doing it to everybody in the entire world. I never imagined they had to technical means of pulling such a feat off. I’m sure people like Angela Merkel were surprised as well. The NSA makes the Stasi look like a bunch of amateur chumps.
So would Techdirt’s ‘Anonymous Coward’ “account” be considered a Burner?
Re: Re:
I think of a burner account where you need a transient identity of limited duration. The ‘Anonymous Coward’ meme is more in line with the ancient (i.e., pre-2013) idea of Anon’s ‘the message is important, not the messenger’.
Re: Re:
no, not technically. ‘Anonymous Coward’ is a default account, containing none of the benefits of account creation (like monitoring replies).
A burner account is generally used for a single topic. they are used on Reddit all the time. For example, a woman might ask for advice on getting an abortion. If she posted this under her main account, anyone who knew here in real life would then be privy to that information, but by using a burner, she can respond to questions, suggestions, monitor the activity on the page, et cetera. Once the account has served it’s purpose, she can just walk away from it.
Re: Re: Re:
Isn’t the usual name for that a “throwaway account”?
Re: Re: Re: Re:
Yep, Reddit calls them “throwaway accounts”, but you could just as easily call them “burner accounts”. Same concept.
Great idea, but..
So, in theory, having a burner app etc is a great idea, and more privacy is nice for comments.
However, having the app on the phone makes me nervous. Having a burner phone, you can just get rid of it physically. Having an app means that there would likely be a nice little database on the phone of which numbers you have (and possibly which ones you used to have to give you an undelete or similar issues). And then there is the whole business records of the company providing the app, which could come back to haunt you, if they are not secure enough, etc. The joy of the phsyical phone was that you alone controlled it, there was no outside source that could be used against you.
And using it for comments doesn’t really make sense to me,in connotation, unless you are setting up an account (just posting as anonymous means there isn’t anything that needs to be burned per se, if you aren’t logged in, etc). And if it is an account, well, back to business records again. And it’s not like someone can’t make up an email for registration (and that brings us back to why burners are good in that you control the info, you can burn that email just like you toss that phone, without them assisting you).
The key is this: we all want more privacy, but we all know big brother is watching. And how many companies do you trust to have perfect security, or not have enough business records to help find you? To really have any modicum of feeling safe (you likely still arent), you need to be the one in control of it. The more you give that up to others, no matter how much easier that makes your life, the more likely you are to be found. So, great concepts here, but anyone who really wants some real security won’t use them.
Re: Know Your Enemy
It is important to know what adversaries you are protecting against. The Burner phone app is not about protecting you from the government, it is about protecting you from individuals and Big Data. Phone numbers are one of the primary keys in Big Data databases because they have historically been ‘sticky’ — people might move to a new residence, but they’ll keep the same cell phone number.
Don’t let the perfect be the enemy of the good.
As an aside, I recently made a similar analysis and started using a privacy enhancing service that lets me buy virtual prepaid debit cards that can use any name and any address. So now I can make purchases using the name of a former tenant at my current address. His name is already in Big Data so it doesn’t stand out as a possible alias for myself. This won’t stand up to government inspection, they can subpoena or NSL the records if they want to. But for everybody else the obfuscation is good enough to keep me off the radar.
Pleading the Fifth
Well, sometimes having a burner account or publish anonymously is beneficial for another reason — that if you are a party to a legal case or suspected of crime you can sometimes invoke the Fifth Amendment privilege against self incrimination.
Suppose that you are the regular user of a forum, and someone utters something bad bordering on illegality.
If you post under your real name or otherwise identify yourself, you can be subpoenaed to testify, and you can’t plead the Fifth Amendment if it’s a foregone conclusion that you are poster XXX YYY, or may have information leading to incriminating evidence.
But if it isn’t a foregone conclusion that you have an account at that forum, and revealing the information may be incriminating, you can plead the Fifth Amendment and refuse to testify.
Burner account are therefore not just necessary to preserve privacy but are increasingly important for safeguarding the Fifth Amendment.
Great idea, but..
Companies are only required to retain certain records related to the conduct of their business.
If the burner account has been paid for anonymously or in bulk, the investigative trail is cold.
Also I don’t think that a provider of messenging or communication services is required by law to preserve the contents or metadata related to each conversation.
What does it help if the police can prove that I may have paid for an account if all the data necessary to reconstruct what was said and who listened is gone.
If I upload something to Dropbox and encrypt with the recipient’s public key, anonymity is not even necessary if the other party has purged his secret key.
Re: Great idea, but..
“Companies are only required to retain certain records related to the conduct of their business.”
And when it comes to things like customer metadata, only certain companies are so required.
“If the burner account has been paid for anonymously or in bulk, the investigative trail is cold”
That’s not a “but”. That’s a feature.
“If I upload something to Dropbox and encrypt with the recipient’s public key, anonymity is not even necessary if the other party has purged his secret key.”
Anonymity remains very important even when the contents of your communications can’t be read. Metadata is often just as (or more) sensitive than the actual contents.
I’ve always considered temporary email services (like 10 Minute Mail) to be “burner” email addresses.
Good to see
It’s good to see that the old tried-and-true techniques are making a comeback. All of the services I run on my personal servers (except for my email server) are unlisted in this way. Not as a replacement for real security, but in addition to it. It also cuts way down on malicious probing.
The problem with a true burner phone
Is that the burner phone is going to have a high degree of positional overlap with your personal phone, making it more difficult to deny ownership should authorities start looking at you (e.g. it was in the triangle of three cell towers from 8pm to 6am, the same triangle that your house is in and the same triangle that your own phone was in – then the burner and your phone both took the 7:15 train to Charlotte, then spent the next 4 hours next to each other in your office, etc.). One presumes that you could share burners with friends, but that has different complexities and outcomes of course.
Re: The problem with a true burner phone
Well yeah, if you decide to carry two phones, both on… you’re an idiot.
Re: The problem with a true burner phone
This is why burners not only need to be, er, “burned” at the end of their lives, they should also be rotated through a network of users occupying disjoint social environments during their lives. The rate of the cycle of exchange, the size of the group, and physical proximity of group members can all be varied to balance obscurity with usability.
As you said, if you let a burner mirror other records of your activities, then it’s not acting like a pair of gloves. It’s acting like a fingerprint.
We’ve long referred to our home phone number as the burner. It’s only used when signing up for things online or at stores, etc. where they want your phone #. So all the subsequent telemarketing calls go there and we don’t bother to answer it at all.
I also have multiple burner email addresses, not directly tied to me, for use in querying sketchy businesses, etc.
None of them are temporary, but the word “burner” immediately gets the point across.
Re: Re:
“It’s only used when signing up for things online or at stores, etc. where they want your phone #.”
In the few cases where I’m willing to sign up for something that unnecessarily asks for my phone #, I just make one up. By the same token, if they want my SSN without a legal reason for needing it, I give them Richard Nixon’s: 567-68-0515
I, too, have multiple email addresses, but I don’t really consider them burners since I don’t discard them after use. For my “burner” email addresses, I use mailinator.com.
Re: Re: Re:
Heh, I use the name “Hugh Dontneedthis” when I have to supply a name for something. Most everything I log into welcomes me with a “Welcome, Hugh” message.
Re: Re: Re: Re:
When a coffee shop or somesuch wants my name so they can call it out when my order is ready, I tell them “Zeus.”
Re: Re: Re:2 Re:
When a coffee shop or somesuch wants my name so they can call it out when my order is ready, I tell them “Zeus.”
I use “Jetson.” They say, “Jenson?” “No, Jetson.” “Johnson?” Then I get to act like I’ve had a lifetime of dealing with this, and slightly exasperated say, “JETSON … like the cartoon.” And by then they think I’m serious. Gotta maintain deadpan though.
Re: Re: Re:2 Re:
Great idea, but around here, it would get pronounced as “Zee-Us”.
Re: Re: Re:3 Re:
I used to use “Thor”. Perhaps that would go down easier on the pronunciation front.
Sometimes I donate a dollar for some charity or another at the grocery store and they put a little sign up on the wall indicating so. For those, I use the name “Eris”. If I get to write the name on the sign myself, I write it out in full: “Eris, Goddess of Discord”.
Re: Re: Re:
Using your home phone in this way is a great example of a situation where you want to maintain an identity endpoint but firewall people from getting to you (in this case, by ignoring or turning off the ringer).
One problem with using your actual landline phone number this way, however, is that it still enables marketers to append your records via the data cloud. This is why, for example, you wouldn’t want to use your home phone on a supermarket loyalty card — they may not telemarket to you ever, but you have instantly appended your home address and all the specific records tied to you at that address, and all general demographics of your zip code, etc., with your unique purchase history.
Re: Re: Re: Re:
Except … my “home” burn phone is the original landline home number now piggy-backed on my biz VoIP acct, and we moved since then, so the number is tied to an old address, if at all, but not the biz address.
Re: Re: Re: Re:
“This is why, for example, you wouldn’t want to use your home phone on a supermarket loyalty card”
In all fairness, if you have any concern whatsoever about privacy and security then you wouldn’t sign up for a loyalty card in the first place.
Re: Re: Re:2 Re:
Or, use a totally fake identity, with a fake, but real sounding address, using an out-of-town area code for the exchange on the phone number, putting in tomorrow’s date (that’s never noticed), etc. I like to even fill in the blank and sign the form, where it says “I affirm that this data is true and correct”, with the wrong hand, for extra flair…and pay with cash, of course. They’ll never figure out who’s really buying these lousy groceries.
Re: Re: Re:3 Re:
I forgot another trick I’ve used, find a decently long street in your town, with a lot of empty lots. Google Map the street and deduce what number the post office would assign to an added residence, and use that. For example, if two consecutive houses, with an empty lot between, have numbers 102 & 106, use 104, voila!
Re: Re: Re:3 Re:
None of that actually helps very much unless you get a new card every time you buy something at the store. Those cards serve the same function as browser cookies. They don’t have to know your real name or address to perform their tracking function.
Also, if you use a loyalty card and pay with a debit or credit card, then those two things become linked in the database — so they know who you are no matter what you filled out on the application.
Re: Re: Re:
Telephone company test numbers are good to give out as fakes. Something like an ANAC will make autodialing telemarketers waste some time, while a ringback is fun if you expect a person to be dialing.
Re: Re: Re:
That’s dishonest. Stop acting like a dick.
Burner co-founder here
Thoughtful piece. One issue that has become apparent to us in starting this company — and that is evident in the good comment stream here too — is that we need a vocabulary with more precision around the range of services on the anonymous spectrum. If for example you’ve heard the term “anonymish” thrown around, it’s a pretty good indicator that many services are handwave-y around the concept of anonymity but may or may not be truly, fully anonymous and/or encrypted, and people are either being lazy in their investigations or the services themselves are compromised or being ambiguous.
“Anonymous Coward” comments here, for example, are a great example of, basically, an “anonymous guest” mode. It’s very useful and you don’t have to authenticate yourself, but you also don’t get the benefits of an account (e.g., notifications of replies to your comments).
A “Burner” account, both in the sense Chris Messina is talking about in his article and in the sense we think about Burner phone numbers, is an actual account with an actual login, but one under which you can be pseudonymous, and one that you can also easily change if you want to create a new identity (or perhaps maintain multiple identities at once). These services are also great for avoiding finding yourself in marketing databases, or at least “fuzzing” your data within them to some degree. But Burner works by interoperating with the generally available telephone network (CMRS & PSTN carriers). This is its primary advantage, as a single-player user can use it effectively without asking his or her counterparties to download or sign up for anything, but it should be self-evident that any communication through it is only as secure as that entire system –including counterparties’ carriers, hardware, and software — is.
I think of encrypted services as having a different value proposition entirely, but even among them there’s a range (e.g. encrypted message services that still capture metadata, as can be assumed to be the case with companies like Yahoo and Apple who are starting to do encrypted messages, VS companies and services claiming true end-to-end anonymity and encryption). Think of using a service like coinbase vs. buying bitcoins through a strong proxy in a cash transaction. The latter types of services would be the preferred services for whistleblowers, investigative journalists, and fourth-amendment enthusiasts trying to stay truly “off the grid”. The problem with these kinds of services and the reason I’m not naming any of them (setting aside their potential for nefarious uses) is that you have to get them exactly, perfectly right or risk compromising your system. One social hack or single point of infosec failure could be disastrous — especially so if the vulnerability is invisible to the owners or users of the system, as is often the case in surveillance situations. It’s also easy to misunderstand (or misrepresent) them by some obscure but critically important degree.
We take good care to understand and try to be clear about where we sit on the spectrum — the first principle of a privacy policy should always be honesty! Not everyone else takes this approach, but it’s great that there’s discussion starting to happen.
Not to be pedantic, but hopefully it’s obvious that if these nuances are important to you (or your readers, users, etc), you should definitely do your homework.
This article took a hard right turn...
I thought you was going to talk about how people use an unknown account and private link to show a full movie on a YouTube “burner” account. Then if it gets shut down, they just start another YouTube account.
Great idea, but..
“”Companies are only required to retain certain records related to the conduct of their business.””
“And when it comes to things like customer metadata, only certain companies are so required.”
Well what I was thinking of but did not articulate clearly was the legal data retention of metadata some service providers must observe as a condition for staying in business.
Interestingly the EU Data Retention Directive did not apply to online services i.e Dropbox, cyberlockers, online forums or other messenging protocols.
So one could legally set up a blackbox service which business model more or less explicitly was premised on offering burner identities, or at least so until the law catched up.
Cell phones are problematic because they rely on an closely regulated telco infrastructure, but pure IP only services could be commercially viable and legal because there is a limit to mandatory data retention.
Bu
In”If the burner account has been paid for anonymously or in bulk, the investigative trail is cold”
“That’s not a “but”. That’s a feature.”
Yes, and that’s why some nations have banned prepaid anonymous sim cards.
“”If I upload something to Dropbox and encrypt with the recipient’s public key, anonymity is not even necessary if the other party has purged his secret
key.””
“Anonymity remains very important even when the contents of your communications can’t be read. Metadata is often just as (or more) sensitive than the actual
contents.”
If the cloud provider is located outside the investigating jurisdiction, or only cooperates if shown the correct paperwork, even this step will offer some degree of pseudonymity by forcing the government to jump through more hoops.
They can only use the metadata if they are able to correlate information from different providers, and if the investigation is of low importance even forcing the state to fill out some paperwork and check some boxes is good for anonymity.
Cyberlockers
Cyberlockers already employ half secret sharing schemes.
You upload a file, and the link is the ‘secret’ you share with your friends, community or the world.
Officially only the person who knows the link can download the file but the owner of the service or the MPAA or RIAA (if granted exclusive backdoors) might also see it.
This has led to a partition of work — where the cyberlocker enjoys safe harbor because it only hosts files which are often encrypted, the warez forum or community with member access only, and the uploaders who know everything.
If implemented correctly, and there are many way it might go wrong, it’s a perfect small scale way to do piracy and get away with it.