Privacy and Anonymity

A few weeks ago, I had the opportunity to have a discussion with Dr. Greg Shannon about privacy and anonymity. He had some very interesting insights, and with his permission, I thought I would share some of the conversation. I’ve made some edits – mostly my responses, to make them more concise – but nothing too major.

  1. What is your definition of privacy? anonymity? Especially from an information-theoretic point of view?

  2. I contend that privacy and anonymity are illusions, and always have been. In particular, that your privacy and anonymity are mostly a function of the fact that no one cares about you per se. What do you think?

  1. I would define anonymity, from an information-theoretic point of view, as the ability to conceal identifying characteristics of yourself. This might be as simple as your name, but information warfare tends to be much more complex than that – so for instance, being able to act with anonymity may require you to conceal not just who you are, but who gave you the information upon which you are acting; this, in turn, may prevent you from taking certain actions, due to the risk of revealing an information source.

    Privacy is somewhat more nebulous; I suppose I would posit that privacy is the ability to release only the information that you choose, in an information theory sense. For instance, I might consider intimate relations with a significant other a matter of privacy; they are certainly not anonymous, but they are not things one would wish to share with the outside world. (Of course, there are exceptions.)

  2. It is nearly always possible to breach a wall of anonymity, it is true – especially given the unlimited resources of a government (especially one endowing itself with police powers). I don’t think that makes the concept invalid. A related example might be that we classify safes not as “impenetrable,” but rather on their ability to withstand an attacker with certain grades of tools and expertise for a certain length of time – and yet we do not consider physical security an illusion. I would submit that in a similar vein, we construct a wall of anonymity in proportion to the attacks that it is likely to face – a government compared to, say, a disgruntled classmate.

Hmm. But what does “conceal” mean?

Do you see any difference between identifying characteristics such as labels like name, address, etc., and behavioral characteristics like walks fast, avoids the letter “e”, likes video blogs over audio blogs, etc.?

Reputations are hard to maintain and verify as it is without the Internet. For example:

Reputations cut both ways. And, since it’s hard enough to gauge an entity when you can look at them, I can understand why people have little interest in truly anonymous on-line interactions, for the most part.

I believe that part of this comes from the fact that reputations are built in part by reputation by association. A degree from Harvard, JHU or Purdue is meaningful precisely because of the reputation by association. Names and binding matter.

I don’t know that I agree with your assumption that the Internet makes it harder to gauge the true nature of an entity. One of the advantages of the Internet, in my view, is that it allows us to fully separate appearance from thought.

Of course, this is unrealistic – primarily (and perhaps most depressingly) because people don’t want to have to make a full-stack valuation on everyone with whom they come into contact, on or off the Internet, though there are other reasons. So we do need a system for determination and communication of reputation. (One such system would be that in my previous blog post.) My point would be that there’s nothing in reputation that can’t be preserved in anonymity – to take from a recent movie, people can know V’s words and deeds, without ever knowing who he truly is. The same is true with reputation by association; to take Shade (from another previous blog post) as an example, we can ascertain that she works as a key player in the Identity space, simply through her active association with OpenID and its major players. If Purdue, in your example, has a special reputation, that is commuted upon its students, regardless of their name.

The only useful definition of concealment of which I am aware related to information theory would essentially be a type of deniability – that is, actions related to the information acquired from a secret source do not reveal the existence of that source, and toward that end, do not increase beyond some threshold the likeliness of the existence of a secret data channel of which the enemy needs to be aware.

Perhaps, then, there’s a better definition of privacy: preventing any one entity, or coalition of entities, from forming a coherent picture whose outline reveals details you would like to keep secret. As an example, a friend of mine once bought two rolls of duct tape, twenty-five feet of rope, one box of condoms, and a birthday card; had he simply bought them at different stores or on different occasions, none of them would have been exceptional, nor would there be any particular thing to tie them together – but their simultaneous purchase greatly horrified the saleslady at the store in question, even though he assures me they were for four different purposes.

So then, people of the Internet: what do you think? Are there additional properties you think are important to either privacy or anonymity?