IP: PRIVACY Internet Hide and Seek: Staying Under Cover (fwd)

[Dave Farber <farber () cis upenn edu>]

> Date: Sun, 11 Apr 1999 01:17:54 +0300 (EEST)
> From: Luther Van Arkwright <waste () zor hut fi>
> To: cypherpunks () toad com
>
> http://www10.nytimes.com/library/tech/99/04/circuits/articles/08pete.html
>
> April 8, 1999
>
> STATE OF THE ART / PETER H. LEWIS
>
> Internet Hide and Seek: Staying Under Cover
>
>     W ASHINGTON -- He did his best to remain anonymous, but within days
>     after an expert programmer released the Melissa computer virus into
>     the world late last month, the police reported that his identity had
>     been cracked. Investigators used a tracking mechanism the Microsoft
>     Corporation had secretly installed in its Office software to gather
>     information on its customers surreptitiously.
>
>     In Yugoslavia, meanwhile, messages poured onto the Internet from the
>     war zone, providing what appeared to be firsthand accounts of Serbian
>     atrocities against ethnic Albanians in Kosovo. Privacy advocates
>     realized that if the Serbian authorities were able to trace the
>     identities of the writers, many lives could be lost. Ominously,
>     messages from some writers had stopped suddenly.
>     
>     The privacy groups moved swiftly to provide the writers with special
>     access to Anonymizer.com, an Internet service that allows users to be
>     anonymous and untraceable online, and with information about PGP, a
>     data encryption program so strong that the United States prohibits
>     its export.
>     
>     These two cases, worlds apart, underscore a growing dilemma that now
>     confronts the electronic world. "Anonymity has incontestable value in
>     a huge number of situations, and it is constitutionally protected,"
>     said Philip Reitinger, a prosecutor for the Justice Department,
>     speaking at a Computers, Freedom and Privacy conference here today.
>     Moments later, during a panel discussion, he added, "If you're
>     serious about prosecuting crime on the global communications
>     infrastructure, you have to have traceability.
>     
>     "Should communications on the Internet be traceable in some
>     circumstances? And if so, what should the rules be?"
>     
>     The issue is a broad one because anonymity is not of interest only to
>     criminals and dissidents, and not available only to the technically
>     astute. New technologies are emerging that enable even casual
>     Internet users to be anonymous online for the first time. At the same
>     time, new technologies are being deployed to gather ever more
>     personal information from users.
>     
>     In recent weeks, a debate has emerged over new technologies that have
>     been deployed to allow companies to track individual users on the
>     Internet. The Intel Corporation embedded a unique identification
>     number in its Pentium III processor that would enable network
>     operators to identify individual computers on the Internet, and the
>     Microsoft Corporation designed a "globally unique identifier" that
>     secretly appears in Microsoft Office documents and can be used to
>     trace files back to a specific person. The Microsoft Office
>     identification number was used in the Melissa investigation.
>     
>     Some privacy tools are being simplified and made available
>     commercially to a broad audience, allowing anyone to browse the World
>     Wide Web and use E-mail without being identified. The technologies
>     are morally neutral. They could be used, for example, to commit a
>     crime or to report one anonymously. The tools, like the Anonymizer
>     (www.anonymizer.com)
>     , are also useful simply for browsing the Web without having to give
>     up personal information to marketers, for visiting sex-related Web
>     sites without potential embarrassment, posting messages on newsgroups
>     using pseudonyms and for avoiding spam, the bulk-mail advertising
>     pitches that advertisers send incessantly to E-mail addresses they
>     have culled from the Net.
>     
>     "The Internet has shifted the balance away from privacy, and these
>     are attempts to bring it back," said David Banisar, an officer of the
>     Electronic Privacy Information Center (www.epic.org)
>     .
>     
>     There are other anonymity systems in the works.
>     
>     AT&T Labs-Research in New Jersey, a system called Crowds is being
>     tested that operates on the premise, familiar to any New Yorker, that
>     one can be anonymous in a crowd. In the Crowds system, large groups
>     of geographically dispersed Internet users would be able to band
>     together and their individual Web page requests would be randomly
>     forwarded through a shared computer called a proxy server. The
>     operator of the Web site would not know which member of the crowd
>     submitted the request, and neither would anyone else in the crowd.
>     More information is available at
>     www.research.att.com/projects/crowds.
>     ___________________________________________________________________
>   
>   On-line anonymity tools insure privacy as well as shield wrongdoers. 
>     ___________________________________________________________________
>   
>     At the Lucent Corporation's Bell Labs, another anonymity system
>     called the Lucent Personalized Web Assistant allows a Web user to
>     create a pseudonym for each Web site; the same pseudonym would be
>     used on each visit. The Web site operator would not know the
>     visitor's true identity but could still build a profile of the user's
>     preferences that could be used to tailor advertisements and content
>     to the customer on subsequent visits. More information about Lucent's
>     system is available at www.lpwa.com.
>     
>     Yet another anonymity system under development, this one at the
>     Government's Naval Research Laboratory, is Onion Routing. An Onion
>     Router (www.onion-router.net) hides not only the content of messages,
>     but also the very fact that two people are communicating over a
>     public network.
>     
>     One of the more intriguing anonymity services under development is
>     Freedom, a Windows program developed by a Canadian company, Zero
>     Knowledge Systems (www.zeroknowledge.com). Freedom, which is expected
>     to be available for public testing next month, is similar to the
>     Lucent system in that it enables users to establish pseudonyms that
>     are consistent over time. That would allow a user to participate
>     freely in a discussion group without worrying about being identified.
>     
>     Freedom is expected to cost $50 a year for five separate digital
>     pseudonyms (extra identities are $10 a year). These on-line personas
>     cannot be traced to reveal the user's identity.
>     
>     The technical details of the system, including strong data
>     encryption, masked Internet addresses and proxy servers, are hidden
>     behind a simple user interface, which I've tried in early form. After
>     a user chooses a persona by clicking on it, all identifying
>     information is stripped from the original request and replaced by the
>     information created for the pseudonym.
>     
>     Millions of Internet users already employ pseudonyms; America Online,
>     for example, calls them screen names and allows each subscriber to
>     have several. But in most cases a pseudonym can be traced to its real
>     owner, often when the Internet company is compelled by a court order
>     to divulge the information or is tricked into doing so.
>     
>     For example, the giant defense contractor Raytheon Corporation sued
>     more than 20 employees earlier this year for posting pseudonymous
>     messages about the company on the Internet. At least two employees
>     resigned after Yahoo, in response to a court subpoena, revealed the
>     true identities behind the postings. Ray-theon asserts that the
>     messages, which contained gossip and criticisms of the company,
>     divulged proprietary and confidential information.
>     
>     With Freedom, not even Zero Knowledge Systems can link the pseudonyms
>     to a user's real identity. The company knows only that the person has
>     a Freedom account.
>     
>     The oldest commercial service offering anonymity, and the only one
>     currently available to users of any Internet-connected computer, is
>     Anonymizer.com. Unlike Freedom, Anonymizer does not require the user
>     to download or install any special software. For a fee of $5 a month,
>     users can process Web browsing requests and send messages through
>     Anonymizer's proxy servers. (There is also an unlimited free browsing
>     service, but Anonymizer inserts a delay, typically 10 seconds, on
>     page views in the free service. The paid service has no delays.) For
>     an extra fee, Anonymizer will also allow users to receive E-mail
>     responses and set up Web pages.
>     
>     In either case, the user types the address of the Web site to be
>     visited, and the request is sent to Anonymizer's proxy computer. The
>     proxy strips off the customer's identifying information and forwards
>     the request to the Web site, which knows only that the request is
>     coming from Anonymizer. The page or graphics file is then returned to
>     the user's computer, and the site can be bookmarked for return visits
>     with the anonymity intact.
>     
>     If a company is tracking Web usage by its employees -- which the
>     courts have ruled is legally permissible, along with reading
>     employees' E-mail and listening to their phone calls -- it will see
>     only that the user is connected to Anonymizer.com, but it will not be
>     able to find out what sites are being visited. For that reason, a
>     number of companies prohibit employee access to the Anonymizer site.
>     Other companies use Anonymizer regularly to visit the Web sites of
>     competitors and gather information, and law enforcement agencies use
>     it routinely to check up on people under investigation.
>     
>     At the other end of the line, some commercial sites do not allow
>     connections from Anonymizer, either because they require visitors to
>     provide personal information before granting them access or because
>     they have had bad experiences with Anonymizer users who abused the
>     system with bogus credit card scams or harassing messages. Anonymizer
>     was forced to block its users' access to the White House Web site
>     because customers were sending threats to the President.
>     
>     Anonymizer boots out customers who try to use the system to send
>     batches of spam, or in response to complaints from people being
>     harassed through the site.
>     
>     As with all of the anonymous services now being developed for the
>     Internet, the good has to be balanced with the bad.
>     
>     "The real world is routinely anonymous," said Lance Cottrell,
>     Anonymizer's chief executive. "When you drive down the street,
>     typically there is no one photographing your license plate, no one
>     keeping track of where you park and how long you stay. What's unusual
>     about the Internet is that everything is by default logged and
>     tracked. What's aberrant is not the presence of anonymity on the
>     Internet, but that you have to take special steps to achieve it."
>     
>     State of the Art is published on Thursdays. Click here for a list of
>     links to other columns in the series.
>       ________________________________________________________________
>     
>     Related Sites
>     These sites are not part of The New York Times on the Web, and The
>     Times has no control over their content or availability.
>     
>     * www.anonymizer.com
>     * www.epic.org
>     * www.research.att.com/projects/crowds
>     * www.lpwa.com
>     * www.onion-router.net
>     * www.zeroknowledge.com
>       ________________________________________________________________
>     
>     
>    Peter H. Lewis at lewis () nytimes com welcomes your comments and
>    suggestions.
>
>   Copyright 1999 The New York Times Company