That seems like a fairly serious blunder given the project's stated goals but hopefully just an oversight or byproduct of an immature product that's still a proof of concept. If it never gets changed then I don't see how anyone could take the project seriously.
Before TOR, there was mature security software called the anonymous remailer. "mature": the software had already gone through 3 iterations of design and implementation and was well-regarded by security professionals and security activists.
Problem was that not enough people used the network of remailers to provide anonymity. So, the maintainers of the third-generation remailer software (Mixminion) switched to working on TOR, reasoning that if TOR succeeded then a remailer network could be deployed on top of TOR.
The developers did not try to compete with TOR by running web traffic over the remailer network because it was too slow for that.
Point is that being slower than TOR can be fatal for an anonymity network.
Public anonymity is actually pretty useless for political dissent. If a statement is made anonymously you can't know whether it is the work of the freedom fighter or the government propaganda office. What you want for political dissent is not anonymity, but separable identity bindings (c.f. Satoshi Nakamoto).
Public anonymity is useful for one thing, though: providing plausible deniability for the distribution of pirated content and child pornography.
This assumes the statement is not verifiable. Most political statements are easily verifiable once they actually make it out of a particular political stronghold. The goal with public anonymity is to continue making such statement while staying out of jail until such political stronghold is no longer.
You are using a non-standard definition of "verify". For the purposes of this discussion, we don't care whether a political speaker accurately predicts how many undocumented immigrants will steal old ladies' purses in the next year. We only care that e.g. the radical dissidents we hear from today are the same ones that we heard from last week. This has nothing to do with CP.
EDIT: I'm pretty sure we're all responding to your invocation of Satoshi Nakamoto. If anonymity wasn't important to that person or persons, why don't we know who she or they are?
I'm pretty sure that's not what why-el meant by "verifiable". What you're talking about is identity-binding, the value of which I explicitly acknowledged in my original comment.
Depends on the context really. You can verify something as either correct and incorrect, depending on what data you choose and how you interpret a statement. That's not a problem of verification, that's a problem of vague statements though.
Leaking specific Snowden slides in response to Clapper's or Alexander's false testimony to Congress and American people.
Any example of NSA Project BULLRUN success involving a U.S. security product that Americans or our infrastructure depend upon.
Watergate.
The Pentagon Papers.
The leakers in drone division that revealed people are killed based on metadata and possession of cellphones.
The NDA's and legal warnings behind Stingray's.
Any secret conversations between Goldman Sachs and U.S. government before government handed them up to a trillion plus criminal immunity.
Many conversations in liability and risk management discussions in the food, drug, automotive, and defence industries industries.
Conversations between lobbyists and politicians involving all industries.
I'd say these would be a start on protecting Americans from abuse, saving them tons of money, and keeping many from being killed under false pretences. Anonymity helped in many of these cases and would've helped in others. Need more? This country has so much evil that I could probably go on and on.
Note: Upvoted you as before just to make sure people see the examples and remember how important privacy/anonymity is in opposition of corrupt government. ;)
I think the federalist papers show the value of pseudonymity over anonymity. The credibility and force of the middle and later pieces was strengthened by the reputation built up by the early ones. Though there were multiple authors, they explicitly coordinated, so it wasn't like an anonymous collective or even NT-esque pseudepigrapha.
There are some famous single work dissent publications though. What about the The Gulag Archipelago?
Comex's point about building verifiable pseudonymity on top of anonymity is also well taken.
I wonder where you draw the line, when there's no real way to verify lineage.
Later pieces were strengthened by the reputation built up by the early ones... but how did people know they were from the same author(s)? Just because it said so? Well, anyone could say so. Does that mean it's anonymous, or does the fact that others are unlikely to borrow the pseudonym mean it's effectively pseudonymous?
I'm not sure, but my guess is that the pseudo-anonymity was maintained through a trusted proxy, specifically the newspaper publisher who knew the identity of the authors.
Today you could just publish a public key with the first article and sign every article thereafter with the matching private key.
You're right to some extent, except in cases where the data is easily verifiable by a third party.
I also think you're right that anonymity is of limited use for deeper reasons: it doesn't inspire, and it shows a lack of courage. Real change happens when people publicly stand up against power -- at risk to themselves, their livelihoods, their friends, and their families. Real change requires the will to put yourself in harm's way, but that will is precisely what inspires others to do the same and actually gets the ball rolling. A bunch of anonymous trolls will never inspire resistance even if they're right because they are not taking a leadership role.
Unfortunate that you're getting disagreement-downvoted for making a valid criticism.
> providing plausible deniability for the distribution of pirated content and child pornography.
It helps with any banned or unpopular content, such as anti-government content in many countries or religious content in a locale where that religion is oppressed.
Yes, of course it helps. My point is just that anonymity is neither necessary nor sufficient, and so there might be better ways to accomplish the actual goal, and anonymity should not be the end of the discussion. That's all.
You're pushing that anonymity is the end of the discussion by fighting it continuously without pushing a better alternative. The NSA slides show that Tor-backed anonymity worked better than I thought it would. It's helping all kinds of people in pro-surveillance and censorship states. So, it's a working solution for many.
What's your alternative again that the average person can easily do without a lot of legal risk or technical knowledge?
> My point is just that anonymity is neither necessary nor sufficient
It may not be sufficient but it is clearly necessary in cases where attaching your meatspace identity would get political dissidents arrested or killed.
And the pedantry regarding anonymous vs. pseudonymous communication is quite irrelevant. You can send a pseudonymous message over an anonymous network by signing it and you can send an anonymous message over a pseudonymous network by creating a new pseudonym for each message. They're fungible.
It isn't necessary in the same way that a guard rail on a cliff isn't necessary. It's still a very good idea, cheaper, and less risky than the alternatives.
If you have anonymity, you can trivially turn it into pseudonymity by signing all messages with the same public key (which is what Satoshi Nakamoto did...).
Distributing pirated content and child pornography is perfectly doable with just pseudonymity.
Satoshi published a PGP key, but never signed any of his public communication. Reading the recent email[1] sent under his name suggests why:
Bitcoin was designed to be protected from the influence of charismatic leaders, even if their name is Gavin Andresen, Barack Obama, or Satoshi Nakamoto.
> If you have anonymity, you can trivially turn it into pseudonymity
That's true. But anonymity isn't necessary (and by itself it's not sufficient).
> Distributing pirated content and child pornography is perfectly doable with just pseudonymity.
That depends on how the pseudonymity is implemented. If it's provided by a trusted third party, for example, it might not be so easy to use it to distribute child porn.
In a dual-state like U.S., there's no such thing as a trusted third party. The public legal system has courts that can override their protection for arbitrary reasons that can't be forseen by users. The Lavabit trial showed that one whistleblower using the service was enough for FBI to get judge to order them to compromise all users while also ordered to lie to same users about their privacy. And then there's the secret system that lets FBI "compel" U.S. companies to "SIGINT enable" their systems for NSA. However that happens. Then NSA shares that info with FBI and many other organizations that can charge people while telling them how to avoid due process. So, your concept is utter non-sense that doesn't reflect reality.
Further, a trusted third party having a goldmine like this won't work because every intelligence service and organized crime group in the world will come for them. It's the problem with all escrow at the national level. Even DOD hasn't been able to stop hackers from beating their systems with spearfishing and regular malware. And the LEO's plus DOD tell us they can secure a digital goldmine that will be specifically targeted by all attackers while being required to share with any court upon receipt of a piece of paper or digital request? Huh?
That's true, but there is precedent for this sort of thing being viable. Lawyers, for example, are trusted third parties that provide this sort of protection in certain cases. We could, as a society, decide that providing political anonymity is important enough that we establish a profession whose job it is to provide it.
I'm not saying this is necessarily the best option. All I'm saying is that it's an option. If there's one other option there may be many other options. We ought to spend some time thinking about them rather than simply accepting as dogma that anonymity is an unalloyed good, and that anyone who challenges this view ought to be downvoted into oblivion.
>Lawyers, for example, are trusted third parties that provide this sort of protection in certain cases.
"[Attorney-Client Privilege] It applies in all situations, though a lawyer may be required to testify regarding client communications under compulsion of law." [0] All that you do in that system is shift the risk from the client to the attorney. If the attorney is not willing to lay down their life for you then you're out of luck. How does one verify that an attorney will not give them up if compelled?
> We ought to spend some time thinking about them rather than simply accepting as dogma that anonymity is an unalloyed good, and that anyone who challenges this view ought to be downvoted into oblivion.
People raping children and spreading the depiction of those acts is bad, but if you want provable protection then you have to take the bad with the good. If the anonymity or pseudo-anonymity is not trustless then it should not be trusted in life or death scenarios.
Oh come on. Think of the children should be 4th comment in any cryptography critique. Not first. But at least we know Directory Comey's HN handle now.
But anyway - a situation like Iran, Turkey or Thailand (were slandering the royalty is a persecution tool now) will allow to tell political jokes safely.
It's a shame you're getting down-voted because I think this is actually the most cogent response to my comment of any that I've seen so far (at least the part about political jokes, not so much the think-of-the-children part).
The problem is that anonymity won't save you from a government that doesn't tolerate political jokes. Hiding the joke's originator won't prevent the government from punishing you if they find a copy of it on your laptop or your server.
No, anonymity by itself won't save you, though can sharply decreases the odds of getting caught if you are careful. What anonymity does instead is probably the most important part of starting any movement that is mutually exclusive with "acceptable" political views.
When a political situation starts to work against the interested of the common person, most people tend to notice, at least in some small way. If nothing else, they notice some of the harmful effects that are starting to affect them. As they (greatly) outnumber the people "in charge", they only need to use their strength in numbers (either politely with the vote/etc or violently with the pitchfork and molotov.
Unfortunately, this can be prevented by creating a situation where people fear retribution and fear that any action they take will not be successful. When you believe that not enough people would join you or that there is no way you to achieve that critical mass of people, learned helplessness sets in. It becomes "obvious" that "fighting corruption is futile", when it really is as simple as everybody simply trying.
This is why the 1st Amendment has a right to assembly, and why "free speech zones" and other obvious abridgements of that right were important to fight. It's also why a lot of people in power got very, very scared at the "Occupy" movement. People assembling so they can see first-hand that they are not alone in their views is one of the only ways to undo the learned helplessness. It is hard to argue with empirical evidence; seeing that you view is actually popular can start a revolution.
So what does this have to do with anonymity? It's one of the best ways (and one of the only long-term successful ways, historically) to solve the "first mover" problem. A single anonymous statement that bluntly points out how everybody knows that the emperor isn't wearing any clothes gives permission[1] to everybody else to also acknowledge this fact. Without the anonymity, it is extremely difficult to find people willing to fall on their sword.
Worse, lack of anonymity can be restated as the people in power knowing who is talking to each other (you can follow the flow of memes). This map of social organization allows for the targeting of people that might become such a focal point that rallies the masses. Cut off a few potential whistleblowers or potential leaders when they are inexperienced and "testing the waters" keeps the real problems from happening. The FBI used to call this "COINTELPRO". I leave it as an exercise for the reader to decide if such tactics are still being used.
Your fundamental problem is that you're assuming anonymity is some sort of shield against a government, while the real utility of anonymity is how it lets you acquire strength in numbers to fight that same government.
[1] For an interesting discussion on how language allows multiple levels of knowledge ("(I think) she knows" vs "I know that she knows that I know that she knows"), try this RSA Animate: https://www.youtube.com/watch?v=3-son3EJTrU
You can't have an anonymous Satoshi Nakamoto (as in untrackable by the government) if you don't have the anonymity capability to begin with. If you have that capability, building a new "persona" online that people can trust is the easy part.
But right now it seems very hard to do something like that, especially if you're the US government's target, and Tor isn't quite adequate for it, either.
I feel the complete solution is pretty well understood though: use an anonymization technology like TOR to hide your real-world identity, then use cryptography like gpg to link your messages with your pseudonym. That's what Satoshi Nakamoto did too, isn't it?
There's this new invention called the Internet that lets you easily communicate with people who live in other countries. But this was just an example. There are other ways to establish pseudonymity without anonymity.
Public anonymity is the most important first building block to public dissent. Human nature is not to voice thoughts to those who disagree with them. Anonymity gives an outlet for thoughts; it gets the ball rolling. Seeing others anonymously expressing your most secret thoughts allows you the mental energy to express those thoughts pseudonymously, to organize and communicate and reassure each other of idea-worth.
Aren't pirated content and child pornography just restrictions on free speech that we're blindfolded to?
To see why, imagine an advanced other country - so advanced that their economic system doesn't rely on protecting intellectual property. They've somehow made it work so they don't need those rights and it's even more efficient that way. Now that country will say "the rest of the would should enjoy the freedoms we have", "we'll help those poor Americans to pirate movies they way our people can.". But America doesn't have the advanced economic system and pirating there is actually harmful to their particular type of economy, so that advanced foreign power is not really helping at all.
This is what freedom of political speech is like in many countries. Free speech alone isn't helpful, it's harmful. It creates riots and civil wars. It kills people because the political system isn't able to cope with it. You might say the ends justify the means, but people still get killed and they won't enjoy the ends, even if they somehow do come about. c.f. Syria.
I can't tell if you're trolling or not but I'll bite.
You're perverting the definition of "speech". Creation/dissemination of child pornography is not a statement of opinion (and its malicious too, which would exempt it from protection); creation/dissemination of child pornography is an act that directly and tangibly harms others. Same goes for pirated content. I know there's lots of HN readers who believe that libertarianism and meritocracy will solve the world's ills but cmon man, you really think child pornography should be protected speech????
American jurisprudence has taken a troubling tack on free speech, choosing to take it in a very libertarian direction. In fact the biggest loser of such libertarian free speech ideals is the American political system: shameless attack ads that cheapen political discourse, the fusion of money and political favour (PACs), and the rise of populist rightwing hate-mongers who routinely attack minorities and inspire intolerance. Funny, a piece of legislation originally created to protect the citizens from their government is now being used by citizens (politicians) to destroy the government....
I'm a firm believer in free speech but it made a lot more sense 300 years ago when the government could easily control your speech. In 2015, with the internet and mobile phones, the government would have an incredibly difficult time preventing people from expressing their unfavourable opinions. Maybe it's time to stop living in the past and instead create legislation that reflects the world we live in today.
That's why you sign it with a key. Only Satoshi can sign as Satoshi. Using an anonymous broadcast network to publish it is just another layer of convenience and security.
That is actually what you want. You want arguments to gain support based on their merits. You can't prevent propaganda from getting everywhere, in such places where this is most important it's already everywhere. You just want competing ideas to have a chance.
No. What matters is not the content but whether or not you believe the content. And knowing the source is very important for making that assessment.
Suppose you hear that Barack Obama is a Muslim who is secretly plotting the demise of the United States. The credibility of that statement changes a lot depending on whether it comes from an anonymous source or from, say, Loretta Lynch.
The paper on Dissent gives a pretty good use case - groups like Wikileaks, where "members may wish to send messages to each other, to the whole group, or to a non-member, such that the receiver knows that some member sent the message but no one knows which member...We also wish to hold members accountable, however, not by compromising their anonymity and allowing some authority or majority quorum to unmask a member whose messages prove unpopular, but rather by ensuring that no malicious member can abuse his (strong) anonymity to disrupt the group’s operation. For example, a malicious member should be unable to corrupt or block other members’ messages, overrun the group with spam, stuff ballots, or create unlimited anonymous Sybil identities [17] or sock puppets [36] with which to bias or subvert the group’s deliberations."
It's a wonderful theory, but here's an actual data point: when I was at JPL, in the very early days of the internet (mid-to-late 90's), they set up an internal usenet newsgroup, and they set it up so that by default all posts were anonymous. The group was only accessible by JPL employees. The express purpose was so that employees could state their views freely without fear of reprisals.
It was an unmitigated disaster. It basically degenerated into the on-line equivalent of lord-of-the-flies, with some of the the most vicious flame-fests I have ever seen (and I've seen some real conflagrations). They eventually removed the anonymity-by-default and all the vitriol ended instantly.
Two interesting facts:
1. The "anonymity" wasn't real anonymity. The server simply rewrote the "from" header in each message to be from anonymous (which, of course, made things very confusing)
2. After "anonymity" was turned off, it was still trivial to spoof a "from" header and achieve the same level of anonymity as before. But no one did.
I do not deny that anonymity can be useful in some circumstances. But it's no panacea.
Most of these are positive. Majority of criminal activity is not on Tor or anonymity networks: just regular Internet. Well, actually boardrooms, streets, and people's homes but the Internet too. ;)
In any case, we don't rid ourselves of a tool because the corrupt can use it. To support your examples, we'd have to eliminate cameras, any tool for making art, all storage mechanisms, and all transmission mechanisms. We don't because the benefits are worth whatever occasional abuse happens. Applies to Tor, too. Especially true when your opponent has significant resources. Even mighty NSA, per Snowden slides, were having quite a bit of trouble despite near global visibility into network traffic. An easy-to-deploy version of that with huge crowds to get lost in is both useful for many people and effective if used correctly.
Unfortunately, the limited take-up means using it makes you stand out. I pointed this out back when people asked why I use custom methods (example [2]) instead of Tor. Plus, the endpoints weren't secure so I figured it would be beaten by the compromise of a number of nodes which send data back to those in control. So, not safe against the strongest attackers. Made a design strategy [2] for high assurance Tor but I doubt it will get implemented. Software is still useful against lesser attackers, though. So, I keep it around. Hopefully get more takeup to give attackers more difficulty.
Note: I just got another example in my news feed about why private by default can be helpful. Texas school and authorities messed a kid up because he was in possession of a homemade clock. Tracing his work to his real identity is why his life might never be the same. Otherwise, it would've been some scary messages on the Internet. :O Add in illegal NSA spying, mapping of social networks, parallel construction, Patriot Act, torture flights, secret courts w/ secret interpretations of law, civil forfeiture, a rigged system that leads to 97% plea rate... there's plenty for Americans to worry about if they're not a favored class with picture-perfect life. The less all these assholes, government or not, know about us the safer we are. I'll add that it's the theory behind the Fourth and Fifth Amendments, too.
