Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity?...
Transcript of Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity?...
![Page 1: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/1.jpg)
Freedom of Speech: Anonymity
Steven M. Bellovin February 23, 2015 1
![Page 2: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/2.jpg)
Why Anonymity?
• Free speech can be unpopular
• Threats of physical harm
• Threats of job loss or other forms of financial coercion
• Social shame—unpopular lifestyles, embarrassment, etc,
• Often, anonymity is necessary for truly free speech
Steven M. Bellovin February 23, 2015 2
![Page 3: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/3.jpg)
Long History of Anonymous Political Speech
• The Federalist Papers were nominally written by “Publius”
• There were many examples in British history of reprisals againstauthors—and of others writing anonymously to avoid such fates (i.e.,the “Letters of Junius”)
• “There can be no doubt that such an identification requirement wouldtend to restrict freedom to distribute information and thereby freedomof expression.” Talley v. California, 362 U.S. 60 (1960).
Steven M. Bellovin February 23, 2015 3
![Page 4: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/4.jpg)
But—What About Accountability?
• Sometimes, we want to hold people accountable for what they say
• We vote by secret ballot, but the legislators we elect (usually) votepublicly
• The Supreme Court has closed deliberations, but its votes and therationale for them are very public
• “during election campaigns . . . false statements, if credited, may haveserious adverse consequences for the public at large.” McIntyre v.Ohio Elections Commission, 514 U.S. 334 (1995).
• More on accountability next class
Steven M. Bellovin February 23, 2015 4
![Page 5: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/5.jpg)
It’s Not Just Political Speech
• The Court has held that all speech can benefit from anonmity: “Thedecision in favor of anonymity may be motivated by fear of economicor official retaliation, by concern about social ostracism, or merely bya desire to preserve as much of one’s privacy as possible. Whateverthe motivation may be, at least in the field of literary endeavor, theinterest in having anonymous works enter the marketplace of ideasunquestionably outweighs any public interest in requiring disclosureas a condition of entry. Accordingly, an author’s decision to remainanonymous, like other decisions concerning omissions or additions tothe content of a publication, is an aspect of the freedom of speechprotected by the First Amendment. ” (McIntyre)
• The Court also noted that law school exams are graded withoutknowing the students’ names
Steven M. Bellovin February 23, 2015 5
![Page 6: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/6.jpg)
Anonymous Speech in Cyberspace
• Assume that we do need anonymous speech. How do we do itonline?
• Virtually all Internet traffic requires an accurate source IP address tobe useful
• Can we achieve useful anonymity?
Steven M. Bellovin February 23, 2015 6
![Page 7: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/7.jpg)
Anonymity versus Pseudonymity
• Anonymity : “The quality or state of being unknown orunacknowledged.” (www.dictionary.com)
• Pseudonymity : “Use of a [fictitious name, especially a pen name]”
• Which do we need, anonymity or pseudonymity?
Steven M. Bellovin February 23, 2015 7
![Page 8: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/8.jpg)
Anonymity
• We cannot have true anonymity at the IP layer
• We can have it at the application layer—we often do, for web sites wevisit
• Is there a linkage? Most applications keep log files showing what IPaddress performed various actions
• How long is this log file kept? Who can access it? Under whatconditions?
Steven M. Bellovin February 23, 2015 8
![Page 9: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/9.jpg)
Pseudonymity
• Pseudonymity is extremely common on the Internet
• Login names, screen names, etc., are all forms of pseudonyms
• Some people have many different ones—and occasionally withmarkedly different apparent attributes
• We can do something similar at the IP layer, by having another nodecarry our traffic
Steven M. Bellovin February 23, 2015 9
![Page 10: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/10.jpg)
IP Addresses
• Recall that IP addresses are assigned topologically
• There are technical benefits to clustering IP addresses assigned toparticular locations by ISPs
• This means that IP addresses can reflect geographic location
Steven M. Bellovin February 23, 2015 10
![Page 11: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/11.jpg)
Where’s Steve?
• When I first created this lecture, my IP address was 206.117.31.142
• Per http://www.ip2location.com/206.117.31.142 I amindeed in Los Angeles
• IP addresses are often leaked by mailers. . .
Steven M. Bellovin February 23, 2015 11
![Page 12: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/12.jpg)
Mail Headers
Received: by machshav.com (Postfix, from userid 512)
id 46A9252D5D7; Wed, 17 Feb 2010 11:56:42 -0500 (EST)
Received: from tarap.cc.columbia.edu (tarap.cc.columbia.edu
[128.59.29.7]) by machshav.com (Postfix) with ESMTP
id 6CFB652D496 for <[email protected]>;
Wed, 17 Feb 2010 11:56:37 -0500 (EST)
Received: from [147.28.2.10] ([147.28.2.10]) (user=smb2132
mech=PLAIN bits=0) by tarap.cc.columbia.edu (8.14.3/8.14.3)
with ESMTP id o1HGtpvm003198 (version=TLSv1/SSLv3
cipher=AES128-SHA bits=128 verify=NOT)
for <[email protected]>; Wed, 17 Feb 2010 11:56:31 -0500 (EST)
Note that it thinks I was at 147.28.2.10, not 206.117.31.142Steven M. Bellovin February 23, 2015 12
![Page 13: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/13.jpg)
What Is Learnable?
• 147.28.2.10 appears because I was using a VPN hosted in Seattle
• IP geolocation thinks it’s in Tokyo—that site used registration data todetermine physical location
• (GMail generally doesn’t show the sender’s IP address)
• Note the “smb2132”—even if I’d changed my From: address, CUITlists my UNI
Steven M. Bellovin February 23, 2015 13
![Page 14: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/14.jpg)
Enter Onion Routing
• A client computer picks a set of 3–4 “relay nodes” and an “exit node”
• (All of these nodes are volunteers)
• The client sends the traffic to the first node, which sends it to thesecond, etc.; the exit node forwards it to the real destination
• The set of Tor nodes, including the exit node, is changed frequently
• In other words, the pseudonym is short-lived
Steven M. Bellovin February 23, 2015 14
![Page 15: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/15.jpg)
Hiding the Source Address
A D
B C
G
F
E
Steven M. Bellovin February 23, 2015 15
![Page 16: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/16.jpg)
Onion Routing
• G thinks that both connections are coming from D
• The real sources—A and B — are hidden
• On subsequent visits, C and Z may be the exit nodes
• Intuitive understanding: nested envelopes
Steven M. Bellovin February 23, 2015 16
![Page 17: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/17.jpg)
Why Multiple Hops?
• If someone is spying on D or its links, they’ll see where traffic iscoming from
• Here, though, traffic is coming from E and C — which is which?
• Can the same attacker spy on E and C?
• Remember that the path will switch soon
Steven M. Bellovin February 23, 2015 17
![Page 18: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/18.jpg)
Using Cryptography
A D
B C
G
F
E
Steven M. Bellovin February 23, 2015 18
![Page 19: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/19.jpg)
What is Known
• Each node knows only the previous and next hops
• Nodes do not know where on the path they are
• Only the exit nodes knows the destination
• Only the entrance node knows the source
• Intuitive understanding: nested sealed envelopes; each hop adds itsown return address
Steven M. Bellovin February 23, 2015 19
![Page 20: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/20.jpg)
Risks of Tor
• Exit nodes have been seized or searched by the police
• What if the exit node is corrupt? That has happened.
• There are varioius statistical attacks on Tor links
• Higher-level data is not anonymized—it can often reveal identity or atleast continuity (e.g., login names or tracking cookies)
• The Silk Road server was somehow found despite using Tor
Steven M. Bellovin February 23, 2015 20
![Page 21: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/21.jpg)
Pseudonymity
• Create an alias that can receive services
• Cryptographically-protected—and changing — path to the realservice
• With Tor, they’re called “hidden servers”
Steven M. Bellovin February 23, 2015 21
![Page 22: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/22.jpg)
Remailers
• Simplest form: mailer has an alias that forwards to you
• More popular before Gmail/Hotmail/YahooMail, etc.
• More complex ones use cryptography, in ways (roughly) similar to Tor
• Recipients identified by a public key and a first-hop email address
Steven M. Bellovin February 23, 2015 22
![Page 23: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/23.jpg)
An Early Remailer: anon.penet.fi
• Simplest form; also supported Usenet posting
• Targeted by “subpoena attack” by the Church of Scientology
• Creator pulled the plug after the second such incident
Steven M. Bellovin February 23, 2015 23
![Page 24: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/24.jpg)
Who Are You if You’re Anonymous?
• How do people know whether or not they can trust your emails ifyou’re anonymous or pseudonymous?
• Reputation—have your mails over time been trustworthy?
• How do they know the same person sent the 100th message as sentthe first 99?
• Messages can be digitally signed
• Note that that problem exists for ordinary email, too!
Steven M. Bellovin February 23, 2015 24
![Page 25: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/25.jpg)
Digital Signatures
• Related to public key cryptography
• Again, everyone has a private key and a public key
• (With public key cryptography, encrypt with the public key and decryptwith the private key)
• For digital signatures, sign (which is really encrypt!) with the privatekey; anyone can verify this with the publicly-known public key
Steven M. Bellovin February 23, 2015 25
![Page 26: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/26.jpg)
Anonymous Payments
• How do you buy something online anonymously?
• In person, we can use cash
• Online, we generally use credit cards
Steven M. Bellovin February 23, 2015 26
![Page 27: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/27.jpg)
What’s the Problem?
• Apart from anonymity, many people have security concerns—is it safeto use a credit card number on the Internet?
• A digital equivalent of cash seems impossible—files (or bits) can becopied, so how can you prevent double-spending?
• Nevertheless, it’s possible
Steven M. Bellovin February 23, 2015 27
![Page 28: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/28.jpg)
Digital Cash
• Invented by David Chaum; many more schemes since then
• Get “coins” from bank; engage in interactive protocol with recipient
• Neither the bank nor the recipient learns the spender’s identity
• The merchant can confirm that the coins are valid
• Does not prevent double-spending; however, the identity of thedouble-spender is revealed to the bank
Steven M. Bellovin February 23, 2015 28
![Page 29: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/29.jpg)
Over-Simplified Intuitive Version of the Protocol
• When Alice withdraws an electronic “coin” from the bank, shereceives a set of digitally-signed “identity halves”, with her name
• An identity half reveals nothing; you need both halves to learnanything about the name
• To accept the coin, the merchant asks for a random subset of 50% ofthe identity halves. These are verifiably from the bank because of thedigital signatures. The halves are sent to the bank to deposit the coin
• If Alice “spends” the same coin again, probablistically at least one ofthe identity halves will match one from the previous instance. Withtwo halves, the bank can recover Alice’s identity
• The details and the math are a lot more complex. . .
Steven M. Bellovin February 23, 2015 29
![Page 30: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/30.jpg)
Bitcoin
• Invented in 2008 by “Satoshi Nakamoto”
• A distributed digital currency—no central bank
• To prevent double-spending, transactions are recorded in theblockchain—an Internet-wide, peer-to-peer, distributed database
• Bitcoins “mined” by solving a hard cryptographic problem
• Payments are made from one bitcoin address to another
Steven M. Bellovin February 23, 2015 30
![Page 31: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/31.jpg)
Bitcoin Isn’t Anonymous
• All transactions are recorded in the public block chain
• This permits traffic analysis of transactions
• Identities can sometimes be linked to real parties, e.g., by engagingin a transaction with someone
• It’s a pseudonymous currency
Steven M. Bellovin February 23, 2015 31
![Page 32: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/32.jpg)
Pseudonymous Payment
• There are a number of widely-used pseudonymous paymentschemes in use, most notably Paypal
• Some “storefronts”—Amazon.com, Google Checkout, others—areeffectively pseudonymous with respect to the merchants
• Primary issue has been security, rather than privacy
• Delivery of physical objects remains problematic
Steven M. Bellovin February 23, 2015 32
![Page 33: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/33.jpg)
Real-World Anonymity
• Thus far, light-weight pseudonymity has sufficed
• Tor is popular among a group of enthusiasts, and has the EFFcoordinating the project—but a commercial analog failed
• Acceptance depends on the threat model
Steven M. Bellovin February 23, 2015 33
![Page 34: Freedom of Speech: Anonymity - Columbia Universitysmb/classes/s15/l_anonymity.pdf · Why Anonymity? Free speech can be unpopular Threats of physical harm Threats of job loss or other](https://reader031.fdocuments.in/reader031/viewer/2022030408/5a87d0a07f8b9a882e8ded55/html5/thumbnails/34.jpg)
Threat Models
• Who are the adversaries, and what are their capabilities and motives?
• Sometimes, the problem is hacking (i.e., Google versus China, orsome cases of harrassment or stalking)
• More often, it’s court orders; most people are not afraid of that threat
• Of course, most people are not aware of their data shadows. . .
Steven M. Bellovin February 23, 2015 34