Published: 02 Feb 2010
Point: Bruce Schneier
Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we'll know who was responsible and take action accordingly.
The problem is that it won't work. Any design of the Internet must allow for anonymity. Universal identification is impossible. Even attribution -- knowing who is responsible for particular Internet packets -- is impossible. Attempting to build such a system is futile, and will only give criminals and hackers new ways to hide.
Imagine a magic world in which every Internet packet could be traced to its origin. Even in this world, our Internet security problems wouldn't be solved. There's a huge gap between proving that a packet came from a particular computer and that a packet was directed by a particular person. This is the exact problem we have with botnets, or pedophiles storing child porn on innocents' computers. In these cases, we know the origins of the DDoS packets and the spam; they're from legitimate machines that have been hacked. Attribution isn't as valuable as you might think.
Implementing an Internet without anonymity is very difficult, and causes its own problems. In order to have perfect attribution, we'd need agencies -- real-world organizations -- to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver's licenses, whatever. Sloppier identification systems, based on things such as credit cards, are simply too easy to subvert. We have nothing that comes close to this global identification infrastructure. Moreover, centralizing information like this actually hurts security because it makes identity theft that much more profitable a crime.
And realistically, any theoretical ideal Internet would need to allow people access even without their magic credentials. People would still use the Internet at public kiosks and at friends' houses. People would lose their magic Internet tokens just like they lose their driver's licenses and passports today. The legitimate bypass mechanisms would allow even more ways for criminals and hackers to subvert the system.
On top of all this, the magic attribution technology doesn't exist. Bits are bits; they don't come with identity information attached to them. Every software system we've ever invented has been successfully hacked, repeatedly. We simply don't have anywhere near the expertise to build an airtight attribution system.
Not that it really matters. Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server. If I wanted to send a packet anonymously to someone else, I'd just route it through that server. For even greater anonymity, I could route it through multiple servers. This is called onion routing and, with appropriate cryptography and enough users, it adds anonymity back to any communications system that prohibits it.
Attempts to banish anonymity from the Internet won't affect those savvy enough to bypass it, would cost billions, and would have only a negligible effect on security. What such attempts would do is affect the average user's access to free speech, including those who use the Internet's anonymity to survive: dissidents in Iran, China, and elsewhere.
Mandating universal identity and attribution is the wrong goal. Accept that there will always be anonymous speech on the Internet. Accept that you'll never truly know where a packet came from. Work on the problems you can solve: software that's secure in the face of whatever packet it receives, identification systems that are secure enough in the face of the risks. We can do far better at these things than we're doing, and they'll do more to improve security than trying to fix insoluble problems.
The whole attribution problem is very similar to the copy-protection/digital-rights-management problem. Just as it's impossible to make specific bits not copyable, it's impossible to know where specific bits came from. Bits are bits. They don't naturally come with restrictions on their use attached to them, and they don't naturally come with author information attached to them. Any attempts to circumvent this limitation will fail, and will increasingly need to be backed up by the sort of real-world police-state measures that the entertainment industry is demanding in order to make copy-protection work. That's how China does it: police, informants, and fear.
Just as the music industry needs to learn that the world of bits requires a different business model, law enforcement and others need to understand that the old ideas of identification don't work on the Internet. For good or for bad, whether you like it or not, there's always going to be anonymity on the Internet.
Bruce Schneier is chief security technology officer of BT Global Services and the author of Schneier on Security. For more information, visit his website at www.schneier.com.
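The onion-routing argument in the Point above, as an added example that is not part of the column and not code by either author: a toy three-relay circuit in which the sender shares a symmetric key with each relay (assumed pre-established; real onion routers negotiate these with a key exchange), each relay peels one encryption layer, learns only the previous and next hop, and forwards an opaque blob. The relay names, keys and message are constructed for the demo, and the cipher is a stand-in built from HMAC-SHA256 so the script runs on the standard library alone; it stands in for a real authenticated cipher and is not a production construction.

```python
# Added example (not part of the column): a toy onion-routing circuit that
# illustrates why perfect per-hop packet attribution does not remove anonymity.
# The sender shares a symmetric key with each relay (assumed pre-established).
# Each relay peels one layer, learns only the previous and next hop, and
# forwards the rest. The cipher is a constructed HMAC-SHA256 keystream plus a
# MAC tag, chosen only so the script runs offline; it is not a production cipher.
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (counter mode over HMAC)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then strip one layer. Raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _frame(next_hop: str, inner: bytes) -> bytes:
    """Length-prefixed next-hop name followed by the inner blob."""
    name = next_hop.encode()
    return bytes([len(name)]) + name + inner


def _unframe(data: bytes) -> Tuple[str, bytes]:
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


def build_onion(route: List[str], destination: str, payload: bytes,
                keys: Dict[str, bytes]) -> bytes:
    """Wrap payload so relay i, after peeling, sees only hop i+1 and an opaque blob."""
    hops = route + [destination]
    blob = payload
    for i in range(len(route) - 1, -1, -1):
        blob = seal(keys[route[i]], _frame(hops[i + 1], blob))
    return blob


def relay_peel(key: bytes, blob: bytes) -> Tuple[str, bytes]:
    """What a relay does: strip its own layer and read where to forward the rest."""
    return _unframe(open_layer(key, blob))


def run_circuit(sender: str, route: List[str], destination: str,
                payload: bytes, keys: Dict[str, bytes]) -> dict:
    """Simulate the circuit and record what each relay could observe."""
    blob = build_onion(route, destination, payload, keys)
    observations = []
    prev = sender
    for relay in route:
        next_hop, blob = relay_peel(keys[relay], blob)
        observations.append({"relay": relay, "from": prev, "to": next_hop,
                             "sees_plaintext": blob == payload})
        prev = relay
    # The destination receives the packet from the last relay, not the sender:
    # perfectly attributing the final hop still names the wrong party.
    return {"delivered": blob, "arrived_from": prev, "observations": observations}


def demo() -> dict:
    # Constructed sample circuit: alice -> r1 -> r2 -> r3 -> bob
    route = ["r1", "r2", "r3"]
    keys = {r: secrets.token_bytes(32) for r in route}
    return run_circuit("alice", route, "bob", b"hello, bob", keys)


if __name__ == "__main__":
    result = demo()
    for obs in result["observations"]:
        print(f"{obs['relay']}: from={obs['from']} to={obs['to']} "
              f"plaintext_visible={obs['sees_plaintext']}")
    print("bob received", result["delivered"], "from", result["arrived_from"])
```

Running it shows the point the essay makes: no single relay ever sees both "alice" and "bob", and the recipient's perfectly attributed packet comes from the last relay. The exit relay does see the plaintext, which is why real deployments layer end-to-end encryption on top of the circuit.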
Counterpoint: Marcus Ranum
Obviously, we need to deal with reality, but you've made the mistake of assuming that just because something will always be there, it's right. By that logic, most crime would be OK, and I think we probably agree that it's not. As you say, the music industry needs to learn that the world of bits needs another business model -- but the fact that it's being pushed into adopting a new model because of rampant theft should not excuse the theft. Indeed, it's suspiciously close to blaming the victim, since we're implicitly telling the music industry that they have no recourse and society washes its hands of their problem: "figure out how to survive" is not the advice anyone in a precarious position is going to appreciate.
It's unfortunate that in the present environment anyone who wants to advocate Internet anonymity is largely serving a constituency of scammers, spammers and shills. Because that's who 99.9999% (a statistic I just made up) of the people who are taking advantage of anonymity are. I'd say "they're not our friends" but the fact is, we don't know who they are -- and most of us would like to shut them down, if we could; they are parasites and they are costing every one of us money.
When I think of anonymity, I think of Voltaire (François-Marie Arouet), and the Watergate era's Deep Throat (William Mark Felt). These individuals used anonymity because of concerns for political retribution against them for their ideas or disclosures. Obviously, these individuals -- and others -- are the good side of anonymity: they used it to protect themselves against power. In fact, it seems to me that the socially significant anonymous identities haven't held up very well -- they don't need to. At a certain point, everyone knew who Voltaire really was, and Deep Throat's eventual uncovering represented a financial windfall for his heirs. At the point where anonymity has served its social purpose, it can be discarded safely. Conversely, the scammers, spammers and shills never will come clean because they wish to be sheltered indefinitely. Personally, I doubt that the number of people who need anonymity is very significant and -- as Bruce says -- those who do will always be able to get it.
Here's the part Bruce neglected to mention: identity has a value. A name such as Voltaire can come to mean a great deal, compared to some sock puppet created by a batch script in order to post blog-spam. One way to grapple with that problem would be to adjust the economics of disposable identities so they cost more. Let Voltaire pay for two identities, "Voltaire" and "François-Marie Arouet," and let Spammer Bob, who uses 10,000 a day, try to figure out where and how to purchase or steal them. If they're valuable, their owners will take precautions to protect them, so stealing them might eventually turn out to be difficult.
I'd be happy to pay $1,000 to be the only firstname.lastname@example.org on the Internet and be able to somehow prevent others from posting or sending messages with my identity. I'd also be fairly happy to only accept e-mails from people who felt their identity was valuable enough that they were willing to plunk down some cash for it. Spammer Bob isn't going to pay $1,000 for each e-mail address he uses, and I don't want his oh-so-valuable message, anyway. You'll find that in areas where identities have value, such as cell phones, people are a bit more reluctant to use their identity in ways that will reduce its value. I suppose what I'm saying is that e-mail addresses should have value. Indeed, I'd say they're probably already evolving in that direction. We'll know I'm right if an antispam service ever appears that filters messages based on whether or not they are from a verified PayPal account or eBay user with more than 200 positive feedbacks.
Obviously, today's Internet technology supports nothing like a high-integrity Internet-wide identity service for a price. As Bruce points out, the current infrastructure doesn't support anything like ID-carrying traffic. But maybe it should. Hopefully, we're not going to be running IPv4 until our sun runs out of hydrogen fuel and collapses! It would be nice to fix some of this stuff; today's Internet is more an exercise in tolerating mediocrity than anything else, and I see no reason to treat it as something beyond changing.
Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his website at www.ranum.com.