Julian Sanchez header image 2

photos by Lara Shipley

Anonymity Loves Company

December 14th, 2009 · 6 Comments

It’s something of a cliche among privacy researchers that “anonymity loves company“: Anonymizing mix networks (e.g. Tor) are more secure and more anonymous the more people are using them. Glossing the geekalicious details, the basic idea is lots of different encrypted communications, going to and from lots of different people, get chopped, scrambled, and sent back out again. In effect, they hide in the crowd. This makes it more difficult for a prospective eavesdropper to intercept a particular targeted communication, but it also—perhaps more importantly—deprives the aspiring snoop of  crucial important metadata for traffic analysis, which is a huge but neglected component of signals intelligence.

It’s no surprise that privacy advocates tend to be big boosters of these kinds of privacy and anonymity enhancing technologies. Which may be why you seldom hear people make the following policy argument, though it seems (and I’m open to correction by those still geekier than I) at least superficially plausible to me. Adoption of these technologies is likely to be substantially correlated with the general perception that ordinary Internet communications, and perhaps even ordinary encrypted Internet communications, are insecure. Since such networks tend to be slower and somewhat more cumbersome than ordinary secure communications, they will be worth using only to the extent that people are worried about highly sophisticated adversaries capable of doing mass traffic analysis, and perhaps even breaking some commercial encryption. In most cases, that means governments.

Now suppose that both innocent privacy-conscious citizens and ordinary (i.e. non-terrorist) criminals come to believe that governments are able to easily acquire routing information or intercept communications, and that even when such acquisition occurs for intelligence or counterterrorism purposes, that information may routinely be handed over to criminal prosecutors. That is, I think  it’s fair to say, increasingly true of U.S. law. One possible result, as people become more cognizant of this, is that you get a lot of innocent or low-priority criminal traffic providing cover for the Serious Bad Guys that intel investigators are primarily worried about. The point can, I think, be generalized from the specific case of mix networks to any type of surveillance that becomes less effective as the number of diverse types of people engaging in patterns of surveillance-evading behavior increases. (And in fact, one place where I have heard a similar argument made is with respect to border control—where the expansion of markets in smuggling people or relatively benign recreational drugs provides both resources and cover for more seriously dangerous contraband.) The counterintuitive result is that if you’re concerned about our ability to spy on a very tiny number of incredibly dangerous people, it may be in your interest to (publicly—but in a democracy that has to mean actually over the long run) adopt more restrictive surveillance policies in order to reassure both innocents and “ordinary” criminals that they need not employ security measures that provide positive externalities to the highest-priority targets.

Tags: Privacy and Surveillance · Tech and Tech Policy


       

 

6 responses so far ↓

  • 1 RickRussellTX // Dec 15, 2009 at 12:59 am

    Although I concur wholeheartedly, I think that Tor/Freenet approaches fly so far beneath the radar of regular law enforcement that I can’t really imagine them shaping policy.

    It would be interesting to know whether actual internet-tapping has been used effectively in law enforcement. The only cases that make it into the public sphere seem to be boring “we found this stuff in his browser history” or “we undeleted some files on his hard drive” cases that are light years from sophisticated. We know it’s been happening (http://www.wired.com/science/discoveries/news/2006/04/70621), but it’s not at all clear to me that it’s actually producing results.

  • 2 Scott // Dec 15, 2009 at 11:44 am

    Very true, but a political non-starter. I know many people who have started encrypting email with PGP just because of this reason. I am sure when this percentage gets above 10 or so there will be calls for banning encryption, which will just add fuel to the fire.

  • 3 sam // Dec 15, 2009 at 12:42 pm

    ” I am sure when this percentage gets above 10 or so there will be calls for banning encryption, which will just add fuel to the fire.”

    There was a move some years ago to ban PGP in this country. See the wiki page–and discover that the government decided than any encryption program that used keys longer than 40 bits was deemed a munition! And also see how Zimmerman brilliantly tried (successfully it seems) to outfox the government by using that nasty old ploy the First Amendment.

  • 4 Blar // Dec 15, 2009 at 9:43 pm

    The trick is to let them classify it as a munition, and then break out the Second Amendment.

  • 5 Stuart Armstrong // Dec 16, 2009 at 12:12 pm

    Very good point.

    But there is an agent problem. It might be in the interest of every government if they spied less on their citizens, in the aggregate. But for individual governments, individual agencies, and individual agents/investigators to want more spying capacity for themselves.

  • 6 m65 // Feb 16, 2010 at 6:54 am

    good read thanks for the share. i really like the way the article is written and also the design of the website