For Those Who Don’t Want To Believe

Excellent article from Jon Evans at TechCrunch about a month ago, relevant to the Nym Wars.

Cheap and/or ubiquitous cameras and facial recognition make surveillance ever more omnipresent; the dangers and uncertainties of other new technologies, like hobbyist UAVs, lead to calls for even greater scrutiny; and eventually online anonymity/pseudonymity will be the only kind there is. That isn’t entirely a bad thing. It’s because of crowdsourced surveillance that New York police lieutenant Anthony Bologna faces two investigations after apparently gratuitously pepper-spraying protestors. But it means the ability to remain pseudonymous online will only become more and more important in the years to come.

Do the services that connect people online seem to realize this? Sadly, the answer mostly ranges between “No” and “Hell, no.” Twitter is the only major social network that doesn’t have a real-names policy, and the only one with a history of going to bat for its users’ privacy. But while the online journalists in Mexico who dare to report on its brutal drug wars are beheaded after their real identities are connected to their online bylines, while Syrians are detained and interrogated because of their Facebook accounts, Vic Gundotra has idiotically compared Google Plus’s real-name policy to “wearing a shirt to a restaurant,” and both Eric Schmidt and Mark Zuckerberg’s sister Randi have called for real identities to be attached to all online activity.

Social media could render covert policing ‘impossible’

The generalized government demand for fully transparent identity turns out to have a downside for government officials (other than outing their gay hookups and sexting)

(via TechWorld)

Not even police officers can hide due to online information and use of biometrics, says ex-AFP commissioner

Facebook has proven to be one of the biggest dangers in keeping undercover police officers safe due to applications such as facial recognition and photo tagging, according to a adjunct professor at ANU and Charles Sturt University.

Mick Keelty, a former Australian Federal Police (AFP) commissioner, told the audience at Security 2011 in Sydney that because of the convergence of a number of technologies including biometrics, undercover policing may be “impossible” in the future.

He explained that were safety risks associated with undercover policing if people could be identified online.

“You can’t just immerse an officer into a crime group; it takes up to seven years to get them into the right place [in the gang] where they can feed back the intelligence that you need,” Keelty said.

“Than there is the cost of doing that such as when the AFP targets motorcycle gangs or when governments across the world have entered into agreements to place critical witnesses in prosecution matters in different parts of the world to hide them.”

Keelty is currently undertaking research into the policy implications of social networking for covert operations by police and security agencies.

He shared findings from a social networking survey conducted with the NSW Police, the AFP and other security agencies from December 2010 to February 2011.

“We surveyed them to try and measure the extent of exposure they already had in having their photos uploaded to the internet,” he said.

“The results found that 90 per cent of female officers were using social media compared with 81 per cent of males.”

The most popular site was Facebook, followed by Twitter. Forty seven per cent of those surveyed used social networking sites daily while another 24 per cent used them weekly. All respondents aged 26 years or younger had uploaded photos of themselves onto the internet.

“The thinking we had with this result means that the 16-year-olds of today who might become officers in the future have already been exposed.

“It’s too late [for them to take it down] because once it’s uploaded, it’s there forever.”

Of the people surveyed, 85 per cent had their photos uploaded on to the internet by another person.

Keelty said that until recently this has been a real problem because Facebook refused to remove photographs, but because of competition from Google+ it had started to remove photos at people’s request.

Alarmingly, 42 percent of respondents said it would be possible to identify their relationship with other people, including family and friends.

“If you have someone in the service who is trying to remain anonymous for whatever reason, it is still possible through other relationships to find them,” Keelty said.

The results of the survey would be used to inform future policy guidelines within both state and federal police agencies.

The Economist notices that there’s no such thing as online anonymity

I mean, seriously, we’ve been leaving footprints the whole time.  They’ve been tracked for years, and are still discoverable.  But kudos to the Economist for putting it succinctly to an audience that probably hasn’t thought about it.

WAY back in the early days of the web, in 1993, the New Yorker ran a cartoon featuring two dogs sitting in front of a computer. The internet-savvy canine is saying to its friend: “On the internet, nobody knows you’re a dog.” This joke captured the freewheeling anonymity of the early stages of internet adoption, but it doesn’t work now. Today websites often know a great deal about their visitors, including their names and interests.

The ability to use the internet anonymously is being eroded on several fronts. Some popular websites, including Facebook, the leading social network, and Quora, a popular question-and-answer site, require users to give their real names, and block people who are suspected of using pseudonyms. Other sites ask that users provide their real names in order to be able to leave comments, in the hope that discussions will be more civil if people have to reveal their identities.

In recent months security researchers have shown that if you use your real identity on some sites, you can be identified when you visit others. One way this can happen involves “cookies”, the snippets of data that websites deposit on visitors’ computers, so that returning visitors can be recognised. It sounds creepy, but cookies are generally anonymised. Cookies can reveal things about your browsing habits—they are used to target advertising, for example, based on other sites you have visited—but they do not usually know who you are.

In 2010, however, privacy experts twice pointed out that Facebook was sending information about its users to the same advertisers that track browsing using cookies. It is not known what, if anything, the advertisers did with this information. The potential, however, is clear: the Facebook data could have been used to deanonymise the browsing histories associated with the cookies. Facebook plugged this leak of personal information, but only after the problem was given prominent coverage in the Wall Street Journal. When the leak was highlighted by computer scientists in August 2009, nine months earlier, Facebook took no action.

Another anonymity-eroding technique was recently flagged by computer scientists. It relies on “history stealing”, in which a security flaw in a user’s web browser allows rogue websites to retrieve fragments of his browsing history. This may not directly reveal his identity, but can be very revealing. For example, if a user has joined three groups on a social network, there is a limited overlap between the groups’ membership lists, and those lists are public, it may simply be a matter of working out who belongs to all three groups.

This sounds rather contrived, but it works in practice. Gilbert Wondracek at the Vienna University of Technology in Austria and his colleagues built a history-stealing website aimed at groups on Xing, a business-orientated social network. Mr Wondracek’s analysis of over 6,500 Xing groups, containing a total of more than 1.8m users, suggested that his rogue site would be able to determine the identity of around four in ten visitors. A trial run, in which Mr Wondracek invited colleagues who use Xing to visit his history-stealing site, showed this estimate to be about right. The vulnerability he exploited has since been addressed by the engineers behind several browsers, including Firefox and Safari, but has so far not been fixed in Microsoft’s Internet Explorer.

Meanwhile, Facebook has quietly gained the ability to monitor its users’ wanderings elsewhere on the web. Many sites now include Facebook “Like” buttons. Click one, and your Facebook profile will be updated with a message linking to the page in question. This feature helps people share content with friends, but it also allows Facebook to track its users’ browsing. In fact, merely going to a page containing a “Like” button while logged into Facebook is enough to notify the social network of your visit, whether or not you click the button.

Where is all this heading? It is clear that many firms can now track people as they move around the web, and can sometimes link these browsing histories to specific individuals and their personal information. If the days of anonymous browsing are not over yet, some observers think they soon will be. As Julie Cohen, a legal scholar at Georgetown University, put it in a prescient paper published 15 years ago, the internet era is “as much an age of information about readers as it is an age of information for readers”. Speaking at the Techonomy conference last year, Eric Schmidt of Google distinguished between privacy, which he said should be respected, and anonymity. “Absolute anonymity could lead to some very difficult decisions for our governments and our society as a whole,” he said.

But anonymity is freeing. It lets people go online and read about fringe political viewpoints, look up words they are embarrassed not to know the meaning of, or search for a new job without being thought extremist, stupid or disloyal. In America some judges have recognised that browsing habits will change if people feel that they are being watched. In rejecting a government demand for book-purchase data from Amazon, an online retailer, a judge wrote that the release of the information would create a chilling effect that would “frost keyboards across America”. Librarians have long understood this, which is why they keep readers’ files confidential. But many of the new custodians of people’s reading records do not seem inclined to do the same.

Won’t they have to change their name?

Dave Marcus, director of McAfee Labs security research communications who attended the session, says it’s time for Anonymous to take ownership of its hacks and actions. “Do it openly and take credit for it,” he said.

A full run-down of the Black Hat panel at Dark Reading.

Power and Identity

Microsoft researcher Danah Boyd argues in this article that ‘The people who most heavily rely on pseudonyms in online spaces are those who are most marginalized by systems of power.

I could point out that Google+ and Facebook are staffed by privileged men, so obviously these points wouldn’t have occurred to them, but I want to keep this blog more in the observer role of online identity…so I’ll just recommend you read Boyd’s article and think about what happens worldwide when people are forced to use one name for all spaces.  (One name to rule them all; one name to find them)

Bitcoin isn’t actually all that anonymous

Researchers from University College Dublin have conducted an analysis of anonymity on Bitcoin, and found it is not inherently anonymous, and that in many cases, users and their transactions can be identified. They use techniques such as context discovery and flow analysis to investigate and visualize an alleged theft of Bitcoins, which, at the time of the theft, had a market value of approximately half a million U.S. dollars.

Read their blog for more (plus nice graphics!)


Bitcoin is not inherently anonymous. It may be possible to conduct transactions is such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified. We have performed an analysis of anonymity in the Bitcoin system and published our results in a preprint on arXiv.


There’s no such thing as online privacy

For more than a decade, tracking systems have been taking note of where you go and what you search for on the Web — without your permission. And today many of the personal details you voluntarily divulge on popular websites and social networks are being similarly tracked and analyzed.

Website security company Dasient presented examples of PC-based tracking techniques getting extended in a troublesome way to Internet-connected mobile devices at Black Hat.  You can get their full paper/presentation, Mobile Malware Madness and How to Cap the Mad Hatters: A Preliminary Look at Mitigating Mobile Malware, at their website.

For an intro to the topic, check out USA Today; for a more geeky analysis, check out