It’s no coincidence that the name of one of today’s most notorious groups of criminal hackers is “Anonymous.” Whether you agree or disagree with their philosophies and agenda and the positions they’ve taken, there’s no denying that they’ve broken the law by defacing websites, creating denial of service attacks, disrupting business operations, and even reportedly threatening individuals. The question of whether the illegal acts were justified as acts of civil disobedience in furtherance of a legitimate cause is something that I discussed in last month’s post, “(Cyber) Rebels with a Cause.“
The focus of this article is whether anonymity in cyberspace is a good thing or a bad thing when it comes to cybercrime. The ability to communicate online under a fake name (or no name at all) is a well-established tradition, illustrated humorously by the famous cartoon published in the New Yorker back in 1993 that was captioned, “On the Internet, nobody knows you’re a dog.” And it extends far beyond political dissidents and “hacktivists.”
Evolution of online anonymity
One could argue that there was much more anonymity on the Internet in its early days than now. The “handles” or screen names adopted by users of Internet Relay Chat (IRC) and online services such as CompuServe and AOL often revealed little about their owners’ real identities. You might talk to HeartDoc or FoxyLady229 every day for a year without knowing who he/she really was – or indeed whether you were talking to a he or a she.
Anonymity is still alive and well in many online circles. Comments on news sites and blog sites are often posted under obviously fake monikers such as FedUp in Frisco or Just Another Peon. Wikipedia, one of the largest and most popular online information resources, is – by its own description, “written mostly by authors using either unidentifiable pseudonyms or IP address identifiers.”
In stark contrast, however, popular social networks such as Facebook and Google+ require as part of their Terms of Service that you use your real name. In fact, Google+ has aggressively enforced that policy by suspending the accounts of members of its beta who are suspected of using a pseudonym. And worse, by some interpretations of the federal Computer Fraud and Abuse Act, such violation of a website’s terms of service is considered a criminal offense under the language prohibiting “exceeding authorized access” on a computer. (Luckily for all the Facebook users who post under their dogs’ or cats’ names, the Senate Judiciary Committee has, in the process of increasing penalties, proposed an exemption for those guilty only of ToS violations.
The trend to prohibit and even criminalize those who take steps to create anonymity online may seem a bit counterintuitive, given today’s growing concerns over privacy issues in the electronic realm. There has been much written over the years regarding the “right to privacy” (a right that, despite widespread misconceptions to the contrary, is not enumerated in the U.S. Constitution but has been defined by U.S. Supreme Court opinions).
At the same time, as more and more innocent people have been victimized by cybercriminals, there have emerged calls for an end to anonymity. With spammers, scammers, stalkers, pedophiles and others up to no good hiding behind the anonymity afforded by the Internet to avoid detection and get away with crimes they wouldn’t risk in “real life,” online identity verification has become a big issue – and a big business.
The September 11, 2001 terrorist attacks brought about a new attitude regarding proof of identity, both online and off. Those events spurred a push for a national I.D. card in the U.S., much more stringent rules for issuing identification documents by the states, and the Patriot Act required banks and some other entities to get more confirmation of identity before doing business with customers. Thus we now have two conflicting drives at work: On the one hand, the desire to prevent identity theft and protect those who want to be left alone and not tracked when they aren’t doing anything wrong, and on the other hand, the desire to make it easier for law enforcement to track down and charge those who are doing wrong.
Here’s one example of how our attitude toward anonymity has changed over the years: When caller I.D. for telephones first appeared, many people considered it a breach of their privacy for the recipient of a phone call to be able to know, before answering, who was calling (and to know the phone number from which the call was being made). Many people blocked caller I.D. so their names and/or numbers wouldn’t be displayed when they placed a call. Today, most of us look at it differently; we believe we have a right to know who’s calling us, and many of us won’t answer a call if the caller I.D. information is blocked. Rather than seeing caller I.D. as an invasion of the privacy of the caller, we see placing anonymous calls as an invasion of the privacy of the recipient.
How anonymity enables cybercrime
There are many ways a criminal (or anyone else) can hide his/her identity in most online venues. These range from methods that work only “on the surface,” concealing your identity from those who are technically unsophisticated – such as changing the name in your email client – to methods that are difficult to defeat even by professional law enforcement officials who have the resources to discover source IP addresses and subpoena records from ISPs.
Anonymizers are tools that help you to hide or disguise your identity online. Web anonymizers use proxy servers to act as a “go-between” for Internet communications, thus hiding the identifying information of the computer where a communication originates. These servers are operated as anonymizing services and are often located in a jurisdiction outside the country where the communications originate. To make traffic analysis more difficult, these services can use multiple proxies in a chained configuration so that the original sender’s communications go from one to another to another, often crossing many national borders and making it especially difficult to track the path back to the original sender. They can also return your results via an encrypted channel. The more simultaneous users there are, the more difficult it will be to track back to a particular user.
Email anonymizers, or remailers, receive and forward your mail to its final destination, hiding your email address, originating server and IP address, etc. from the recipient. Remailers may or may not be chained, and often encrypt the messages and/or divide them into packets of equal size so that the data all looks the same. Remailers are often used for legitimate purposes, such as a way for sites like Craigslist or Match.com to allow potential buyers to communicate with sellers without revealing the users’ email addresses. However, these types of remailers don’t provide real anonymity. They hide your email address from the other users and general public, but your real information may still be logged on the server and linked to the IP address from which your mail originated. To truly anonymize your email, it would need to pass through multiple remailers so that no one server has a record of both the origin and the final destination.
There are, of course, legitimate reasons to use real anonymizers, too. In fact, anonymity is used not just by criminals, but also by those who are victims of crimes.
How anonymity protects crime victims
Most folks are familiar, at least through the movies and TV, with the U.S. government’s federal witness protection program. Those whose lives may be in danger from retaliation for testifying or giving information against violent criminals charged with federal crimes are given new identities and relocated to keep the criminals from finding and hurting them. Many victims of less high profile crimes have created their own private versions of the program by moving away from their assailants, but today geographic location doesn’t necessarily keep you safe. A determined stalker can find you on the Internet and torment you without ever physically coming near you (or worse, can identify your physical location through your online information).
It’s easy enough to say (if you’re not the one in the situation) that such victims should just stay off the Internet altogether but in today’s connected world that’s not easy to do. And should an innocent person who’s been victimized by another have to give up a legitimate pleasurable activity such as having friends on Facebook because of the other person’s obsession? The obvious solution (which Facebook prohibits in its ToS) is to create an online identity in another name to keep that violent person from your past from finding you.
Even if no one is “after” you, having been the victim of a high profile crime is something you might not want broadcast to the world every time you log onto a web site or online forum. If you have a unique name and it’s been in the news, the ability to disguise your identity in Internet communications with people you don’t know intimately can make your life a lot easier.
What’s the answer?
There are many people today calling for more privacy rights at the same time others are advocating a complete elimination of anonymity – including requiring verified authentication credentials in order to go online; criminalizing anonymization technologies; and making it illegal to use a false name in any online venue. Is there a way to balance the valid points made by both parties to the issue? Where do you stand?