Security experts Bruce Schneier and Marcus Ranum have a point-counterpoint debate at Information Security concerning anonymity on the Internet. (Last year, the two published point-counterpoint essays about online privacy at SearchSecurity.com.)
An excerpt from Schneier’s post on anonymity:
Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We’ll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we’ll know who was responsible and take action accordingly.
The problem is that it won’t work. Any design of the Internet must allow for anonymity. Universal identification is impossible. Even attribution — knowing who is responsible for particular Internet packets — is impossible. Attempting to build such a system is futile, and will only give criminals and hackers new ways to hide. […]
Implementing an Internet without anonymity is very difficult, and causes its own problems. In order to have perfect attribution, we’d need agencies — real-world organizations — to provide Internet identity credentials based on other identification systems: passports, national identity cards, driver’s licenses, whatever. Sloppier identification systems, based on things such as credit cards, are simply too easy to subvert. We have nothing that comes close to this global identification infrastructure. Moreover, centralizing information like this actually hurts security because it makes identity theft that much more profitable a crime.
An excerpt from Ranum’s post on anonymity:
It’s unfortunate that in the present environment anyone who wants to advocate Internet anonymity is largely serving a constituency of scammers, spammers and shills. Because that’s who 99.9999% (a statistic I just made up) of the people who are taking advantage of anonymity are. I’d say “they’re not our friends” but the fact is, we don’t know who they are — and most of us would like to shut them down, if we could; they are parasites and they are costing every one of us money. […]
Here’s the part Bruce neglected to mention: identity has a value. A name such as Voltaire can come to mean a great deal, compared to some sock puppet created by a batch script in order to post blog-spam. One way to grapple with that problem would be to adjust the economics of disposable identities so they cost more. Let Voltaire pay for two: “Voltaire” and “François-Marie Arouet,” identities and let Spammer Bob, who uses 10,000 a day, try to figure out where and how to purchase or steal them. If they’re valuable, their owners will take precautions to protect them, so stealing them might eventually turn out to be difficult. […]
Obviously, today’s Internet technology supports nothing such as high integrity Internet-wide identity service for a price. As Bruce points out, the current infrastructure doesn’t support anything such as ID-carrying traffic. But maybe it should.