Posted by: Ken Harthun
anonymity, Internet, onion routing, Secure Computing, Security, Security policy
There’s a faction that believes the solution to all our security woes on the Internet is a universal identification scheme. Anonymity is a bad thing in their book and if we get rid of it, we’ll know where all the bad stuff is coming from. We’ll be able to identify the spammers, the phishers, the source of all the DDoS attacks, malware mongers and the predators who threaten our children. We’ll achieve Internet Utopia!
Only, it won’t work. To eliminate anonymity would mean that every single packet on the Internet be tagged with the identity of the sender. The bandwidth cost would be astronomical, for one thing, not to mention the cost of implementing an infrastructure to certify the identity of every user and computer on the Internet. Besides that, it’s just too easy to re-anonymize a packet. I have to agree with Bruce Schneier’s position in the essay Schneier-Ranum Face-Off: Should we ban anonymity on the Internet? Here’s an excerpt of a key point:
Even if everyone could trace all packets perfectly, to the person or origin and not just the computer, anonymity would still be possible. It would just take one person to set up an anonymity server. If I wanted to send a packet anonymously to someone else, I’d just route it through that server. For even greater anonymity, I could route it through multiple servers. This is called onion routing and, with appropriate cryptography and enough users, it adds anonymity back to any communication.
The push for universal identification on the Internet, besides being an impossible task, is a concept almost as ridiculous as banning the killing of certain animals we use for food on the grounds that it’s cruel.
Well, maybe it’s not quite that bad, but it’s close.
What do you think?