
How ‘strong anonymity’ will finally fix the privacy problem - endswapper
http://venturebeat.com/2016/10/08/how-strong-anonymity-will-finally-fix-the-privacy-problem/
======
dogma1138
Anonymity is not privacy; privacy is the level of agency one has over their
own information and its dissemination.

Technically anonymity is antithetical to privacy; these are two different
concepts and I am really sick of them being mashed together.

Anonymity allows you to disclose information that cannot be attributed to you,
hence you as an individual have no agency over it; you can't anonymously share
an intimate secret in private with someone since you are both anonymous.

Relying on anonymity is generally a poor tactic to control privacy because you
and the ones you share information with have no visibility on what is going
on.

You are also effectively racing against the ability of adversaries to be able
to reveal your identity which isn't a fight you will be winning.

Privacy:

Alice shared [SECRET] with Bob; Eve can't read it;

Anonymity:*

Anon shared [SECRET] with Anon; Eve knows she didn't share or get anything, so
Alice and Bob are talking, Bob doesn't know if he shared his secret with
Alice; Alice doesn't know if she received the secret from Bob.

*If Bob and Alice shared identifying information prior to sharing a secret there is no anonymity between them, this is in the domain of privacy.

~~~
ENGNR
I think they mean anonymity from the ISP/phone maker/app. Merely exchanging
certificates in some trusted manner first turns your anonymity example into
the privacy one.

And cert management is probably 'just' a UX/education issue at this point

~~~
dogma1138
You need to be careful with that, because anonymity reduces privacy.

Let's get rid of Eve for a moment.

Say Alice has a secret that she loves tomatoes, she wants to share that secret
with Bob.

She can go to Bob and whisper "I love tomatoes" in his ear; in this case Alice
has a high degree of privacy because she knows (or has very high confidence) she
is talking to Bob, she can verify that they are alone and take additional
precautions, in this case she also shares the least information possible
needed to convey her secret to Bob, and is not forced to share any additional
information.

Say Bob has a secret that he's scared of Flamingos, he wants to share this
secret with Alice.

Alice is away on a trip so Bob and Alice use an anonymous messaging app.

Bob now effectively has less privacy because the level of privacy is directly
tied to the confidence that Bob has that he is talking to Alice, Alice also
has less confidence that she is talking to Bob. Bob can't know for sure he is
sharing his information with Alice, and he doesn't know if the party that
received that information would respect Bob's privacy, Alice doesn't know for
sure the information came from Bob and she might not know she needs to keep
that information a secret.

If Alice and Bob share additional information to prove their identity the
level of privacy is also reduced both because they had to create additional
identifiable (and hence private) information, and they were forced to share
information beyond what is needed hence losing agency over what information
they would like to share.

The 2nd thing many people confuse or mix anonymity with is "deniability" (to
an outside observer) or the fact that one cannot prove that 2 parties have
exchanged information; in this case anonymity is again a problem since a
system that is truly anonymous whilst providing deniability does not provide
privacy, and a system that is not truly anonymous whilst providing some
privacy does not provide deniability since it forces parties to exchange high
confidence identifiable information in the process.

You can have a system that is (~)100% private and is (~)100% deniable; for
example, you can have a network of nodes in which all nodes talk to one another
at a constant rate, the information is either fed from the node operator when
they want to send a message or from a random source, and all traffic is
encrypted, so your information is both private and deniable.

Another setup is some sort of random path routed network similar to TOR or any
other onion/pass-the-package router in which when a node sends a message to
another node that message would go through a random number of nodes and no
node but the destined one would know if it's the final node or not, if nodes
on this network are also authenticated and the messages are strongly signed
this would both provide deniability and privacy.

Now likely there aren't non-theoretical solutions that are 100% of anything,
but people really need to stop relying on anonymity for privacy; in the worst
case you have no privacy because you don't know who you are talking to, at the
best case you have no anonymity because you have to generate and send
identifiable information which also reduces your privacy.

------
programmarchy
> You can be very sure that the anonymous person you communicated with last
> week is the same anonymous person you are communicating with and potentially
> transacting with today.

> You can be very sure that your pattern of transactions will not reveal who
> you are.

How are these not mutually exclusive?

I can understand how the first one would work with a digital signature, but
seems like you'll still need to trust the person you're transacting with to
not reveal your history.

~~~
divbit
Mathematically you can do it with ring sigs. I have developed some related
tech at mooti.co

------
MrQuincle
I don't know if these considerations are that widely shared.

Personally I think of three lines of attack:

1\. I own my data and should be able to sell my data. For all kinds of reasons.
Sometimes sharing data will protect my privacy!
[https://www.linkedin.com/pulse/evil-postman-anne-van-rossum?...](https://www.linkedin.com/pulse/evil-postman-anne-van-rossum?trk=pulse_spock-articles)

2\. It should be possible to define laws that forbid copying. I'm fine with
sharing my data at a particular moment for a particular purpose. If that party
would be forbidden to copy that data I have a chance that I actually can "have
the right to be forgotten". Every time a person requires that data it would
need to do another request. This is kind of the idea behind
[https://www.qiyfoundation.org/](https://www.qiyfoundation.org/) (based on
blockchain, but that's irrelevant here).

3\. My ideal scenario is not having unencrypted data at all: homomorphic
encryption, see
[https://en.wikipedia.org/wiki/Homomorphic_encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption).

~~~
tarr11
I just copied your data by reading this comment, though.

~~~
MrQuincle
Not storing data might be limited to substrates where it can actually be
deleted indeed. :-) I'm not arguing for deleting memories. ;-)

------
jwatte
We all emit information constantly by just existing. The only equilibrium is
complete transparency. Which, if it was universal, would be a great outcome!

~~~
alphor
Not the dominant strategy, unfortunately.

------
WireWrap
If "You can be very sure that the anonymous person you communicated with last
week is the same anonymous person you are communicating with and potentially
transacting with today." that person DOESN'T have strong anonymity.

If "You can be very sure that any transaction you make cannot be disputed."
then you DON'T have strong anonymity.

~~~
mikekchar
I could not find a non-paywalled definition of strong anonymity. The closest I
got was the abstract for a paper by Kawai et al (2009) that claimed it would
define the term, but failed to do so in the abstract.

I've also done a search for strong anonymity and deniability and I don't see
anything that indicates there is a link. I wonder if there is a problem with
definitions here. Can you give a link to what you think of as strong
anonymity?

~~~
saurik
FWIW, I spent a minute with Google and found this (and hopefully copy and
pasting this link has meaning).

[https://books.google.com/books?id=JTKHDAAAQBAJ&pg=PA231&lpg=...](https://books.google.com/books?id=JTKHDAAAQBAJ&pg=PA231&lpg=PA231&dq=%22strong+anonymity%22+definition&source=bl&ots=IdDuOIjXQH&sig=TxffbaGp4ZZfthG54CHhn_qaZg4&hl=en&sa=X&ved=0ahUKEwi74vH_sczPAhUGKyYKHQybCc8Q6AEILzAF#v=onepage&q=%22strong%20anonymity%22%20definition&f=false)

~~~
mikekchar
Interesting. Although you will note that in their definition, one of the
parties (the bank) _knows_ the identity of the customers. By tracing the
transactions, they can deduce the identity. The original article specified
pseudonymous transactions, so either the system is trivially strong privacy or
(more reasonably) this definition is not really suited to this discussion.

------
vorotato
How can I be strongly anonymous without having a personality? Isn't my
personality a pattern that can be traced?

------
ianai
I wish society would just become more inclusive.

~~~
bpchaps
That's not the problem in so many cases. If you ever try to do anything
remotely adversarial (investigative journalism, whistleblowers, for example),
you'll find that the anonymity problem goes far beyond cultural inclusivity.
That said, strong anonymity doesn't really solve everything since
metadata/sentence structure is still damning.

~~~
ianai
I'm not offering a perfect solution. I just think it'd help.

~~~
bpchaps
Believe me, I completely agree. It's the number one problem I face on a daily
basis and it fills me with stupid amounts of desperation that seems to only
make matters worse. For me, 'fixing' the lack of inclusivity is the number one
thing that should be worked on as a society if we ever want our future
generations to live contently. The problem with talking about inclusivity is
that in many ways it seems to be a symptom of a much larger set of problems.
It's an enormous problem that won't fix itself and there are things that you
can do to help, even with small contributions.

Find something to fix and, well - fix it. No matter how difficult or time
consuming it is, it'll at least give you a perspective into where problems
truly are. There are loads and loads of addressable problems which may not fix
anything now, but it can set the foundation for ten years from now. Voting
isn't your only course of action.

Finding ways to fix niggling class/social/economic issues is a great start and
I highly recommend that you try. My personal project along these lines is to
find invalidly created parking tickets in Chicago. The hope there is that it
will reduce the stress of lower income communities and give them a bit more
financial freedom to get out of bad situations.

If you want to talk about this more, I'd love to - hubblefisher at gee mail

