Re: TOR and the Digital Freedom Conversation

["Joel L. Rosenblatt" <joel () COLUMBIA EDU>]

I understand the point - but my point is that this will become harder and
harder to do - one of the few truly anonymous things that you could do was
to walk into a store and buy something for cash, but that is mostly gone at
this point. Sure, it's possible to walk around with a hat and a fake
nose/mustache/glasses, and as long as you don't interact with anyone, be
relatively anonymous.  If you want to do anything two-way in today's world,
you will leave a trail that, with the proper motivation, will most likely
enable someone with skills and access to find you.

While the discussion is very interesting, I have not seen any suggestions
on how you would accomplish this anonymity and still live in the real world
today.

I'm not saying it's impossible, but it is really hard

Joel



Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3


On Wed, Dec 11, 2013 at 12:38 PM, Tim Doty <tdoty () mst edu> wrote:

> Case 2 was meant to illustrate a point, not as an exclusive "it is only
> useful in this case". In point of fact, what you are describing simply
> underscores the necessity of methods of maintaining anonymity in the face
> of increasing surveillance.
>
>
> On 12/11/2013 08:46 AM, Joel L. Rosenblatt wrote:
>
> > I would argue that your Case 2 example is no longer valid in many cases -
> > citing the lady who lost her ticket and was tracked using video footage of
> > her buying the ticket sold at that time - I know it's not exactly the same
> > (she did use a credit card, but that was used to verify her identity after
> > then found her - it was $50 million that they handed her)
> > http://www.dailymail.co.uk/news/article-2518174/Canadian-
> > woman-Kathryn-Jones-wins-50m-lost-lottery-ticket.html
> >
> > It is becoming increasingly difficult to "go off the grid" or ever hide
> > from the grid.
> >
> > My 2 cents
> >
> > Joel
> >
> >
> >
> >
> > Joel Rosenblatt, Director Network & Computer Security
> > Columbia Information Security Office (CISO)
> > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033<%20212%20854%203033>
> > http://www.columbia.edu/~joel
> > Public PGP key
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
> >
> >
> > On Wed, Dec 11, 2013 at 9:27 AM, Tim Doty <tdoty () mst edu> wrote:
> >
> >  On 12/10/2013 06:22 PM, Jones, Mark B wrote:
> > >  There is a difference between 'Privacy' and 'Secrecy'
> > > >
> > > You are correct that there is a difference, but they are not exclusive.
> > > While the use of authentication and no anonymity may be an approach to
> > > protecting published online information from those without access, it
> > > does
> > > nothing to preserve privacy in the face of authorized but unwanted
> > > access.
> > > Nor does it address the loss of privacy from complete tracking -- in
> > > fact,
> > > a true lack of anonymity would destroy privacy.
> > >
> > > Case 1: I want to store information in the cloud, but I want to retain
> > > confidentiality of the data. This is a case where strong
> > > authentication/no
> > > anonymity would be a viable approach, but there is no reason to deny
> > > anonymity in a general sense. That is, strong authentication can be used
> > > to
> > > establish an access control to a data set without requiring that a
> > > person's
> > > identity be publicly disclosed.
> > >
> > > Case 2: I desire to have some privacy in my actions. Some degree of
> > > anonymity is *required* to accomplish this. For example, if I buy some
> > > books on medieval mysticism it used to be that a simple cash transaction
> > > kept it essentially private. There are some caveats (if the seller knows
> > > my
> > > personally then they will know I bought them, but for a random person off
> > > the street it would be essentially anonymous).
> > >
> > > It is trivial to demonstrate a connection between privacy and anonymity.
> > > Those promoting a police state are naturally against anonymity. Those
> > > promoting privacy understand the utility of strong encryption and
> > > anonymity.
> > >
> > > Tim Doty
> > >
> > >   Tor seems like it
> > >
> > >  may lean toward the latter.
> > > > I have found that the following site has a useful perspective on privacy
> > > > issues:  http://www.privacilla.org
> > > >
> > > > Here are some key quotes:
> > > >
> > > > "Importantly, privacy is a personal, subjective condition. One person
> > > > cannot
> > > > decide for another what his or her sense of privacy should be."
> > > >
> > > > "While privacy is held up as one of our highest values, people also
> > > > constantly share information about themselves by allowing others to see
> > > > their faces, learn their names, learn what they own, and learn what they
> > > > think. In fact, it is a desirable lack of privacy that allows people to
> > > > interact with one another socially and in business. This does not mean
> > > > that
> > > > people should lose control over the information they want to keep
> > > > private.
> > > > It means that generalizations about privacy are almost always wrong."
> > > >
> > > > http://www.privacilla.org/fundamentals/whatisprivacy.html
> > > >
> > > >
> > > >
> > > > Also 'Privacy' is not the same as 'anonymity'.  It is my opinion that
> > > > strong
> > > > authentication and the lack of anonymity are the keys to improved
> > > > privacy
> > > > online.  Only with strong authentication can consumers and services be
> > > > held
> > > > accountable for behavior online.
> > > >
> > > >
> > > >
> > > > From: The EDUCAUSE Security Constituent Group Listserv
> > > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Sabin
> > > > Sent: Tuesday, December 10, 2013 2:24 PM
> > > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > Subject: [SECURITY] TOR and the Digital Freedom Conversation
> > > >
> > > >
> > > >
> > > > All,
> > > >
> > > >
> > > >
> > > > Given the wider US technology community discussions on online privacy
> > > > and
> > > > monitoring - this seems to be very topical.  In case anyone was not
> > > > aware,
> > > > this story is taking place at Iowa State University with Tor being a
> > > > relevant part of the discussion:
> > > >
> > > >
> > > >
> > > > http://www.insidehighered.com/news/2013/12/10/digital-
> > > > freedom-groups-road-re
> > > > cognition-sparks-legal-debate-iowa-state-u
> > > > <https://urldefense.proofpoint.com/v1/url?u=http:/
> > > > /www.insidehighered.com/ne
> > > > ws/2013/12/10/digital-freedom-groups-road-recognition-
> > > > sparks-legal-debate-io
> > > > wa-state-u&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=
> > > > o50KCUcRVN10tgtglyNVFw2kmiz
> > > > yPIIFTSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%
> > > > 2FRMEVn0qZFzyM2pgE%3D%
> > > > 0A&s=5dcb52d50601a7d4ddc3b0479ff3aa4491e442f9a0d830ba2ff5db38ae6c9762>
> > > >
> > > >
> > > >
> > > > and
> > > >
> > > >
> > > >
> > > > https://www.eff.org/deeplinks/2013/12/open-letter-urging-
> > > > universities-encour
> > > > age-conversation-about-online-privacy
> > > > <https://urldefense.proofpoint.com/v1/url?u=https:
> > > > //www.eff.org/deeplinks/20
> > > > 13/12/open-letter-urging-universities-encourage-
> > > > conversation-about-online-pr
> > > > ivacy&k=yYSsEqip9%2FcIjLHUhVwIqA%3D%3D%0A&r=
> > > > o50KCUcRVN10tgtglyNVFw2kmizyPIIF
> > > > TSGui%2BBSZ5A%3D%0A&m=hnGoebKdLtnE2yvxLiQ0OlhXMu%
> > > > 2FRMEVn0qZFzyM2pgE%3D%0A&s=
> > > > 75b3522379697ac135dd77ae55292b93024c9c4ab21538dc9f8faf9b4a1fd56e>
> > > >
> > > >
> > > >
> > > > Realizing that this isn't necessarily new, but given this recent story,
> > > > I
> > > > am
> > > > curious to know what others are doing or observing as it relates to Tor
> > > > and
> > > > it's discussion at your particular institution.
> > > >
> > > >
> > > >
> > > > Many thanks,
> > > >
> > > >
> > > >
> > > > Jeff
> > > >
> > > >
> > > >
> > > > Jeffrey D. Sabin
> > > >
> > > > DIRECTOR, COMMUNICATIONS AND NETWORK SERVICES
> > > >
> > > >
> > > >
> > > > oit
> > > >
> > > >
> > > >
> > > > Dial Center
> > > >
> > > > 2507 University Avenue    Des Moines, Iowa 50311-4505
> > > >
> > > > Tel  515.271.2935
> > > >
> > > > Fax 515.271.1938
> > > >
> > > > 1.800.44.DRAKE x2935
> > > >
> > > > E-mail jeff.sabin () drake edu