Tuesday, October 10, 2006

Anonymity, Pseudonymity, and Traceability

In the online identity world, the concepts of anonymity, pseudonymity and traceability all seem to be regularly confused with each other in one way or another. Whenever you hear someone speak of anonymous transactions, they almost always bring up cash as an example of a real-world equivalent -- however, cash isn't anonymous, because you typically have to hand it to the relying party in person, thereby giving up some level of your anonymity.

So, I'd like to suggest we consider the following "definitions":

  • Identified transactions - transactions that take place under a public identity of the user (such as when I use my credit card which has a unique serial number and my name printed on it). Most online transactions which involve the exchange of money fall into this category.
  • Pseudonymous transactions - transactions where the actual identity of the user is not provided to the relying party, but when the same user performs multiple transactions, the relying party can tie those transactions together under the same "pseudo" identity. Pseudonymous identity systems typically have requirements to prevent multiple relying parties from tying transactions together, which they meet by using a different "pseudo" identity for the user at each relying party.
  • Traceable transactions - transactions where the user's identity is not provided, but there is some identifier included in the transaction such that, if there was a need, someone could eventually trace it back to the issuing party. Most real-world transactions are at least traceable because they require that the person who wants to invoke the transaction (e.g. make a purchase) interact with the relying party (the person at the cash register), and that interaction can lead to traceability (not to mention that physical cash bills typically have unique serial numbers as well).

    An example of an online equivalent is the use of one-time-use credit card numbers, which would never be used again and so can't be used to tie transactions together, but can be traced back to the user through the credit card issuer, if necessary and authorized.

  • Anonymous transactions - transactions where the identity of the user is not known and the transaction cannot be tied back to the user in any way.

    Access to most published/open web sites which don't require a login (such as Google) would be considered anonymous (if you don't let them create cookies on your browser -- the cookies would make them pseudonymous).

    Most cost based services (high value transactions) require some level of identification and thus are not processed in an anonymous fashion.

When you listen to some privacy advocates (and to some people with a product to sell), you would think that the world can't operate without things being "anonymous". I disagree and think that the real and online world has to operate across a spectrum of transactions that span the types above (and probably have some in-between combinations).

Ultimately, the real driver should be towards "just enough" and not towards "none". Ensure that transactions carry enough information for the transaction to be completed, but don't ask for or give any more than is necessary. That is one of Kim Cameron's Laws of Identity (and I think, perhaps, the most important).

Pamela said...

So what you're saying is to be truly anonymous in the real world you need to pay in cash & wear a gorilla suit...

Actually that kinda sounds like fun! But then what would you wear while you're paying cash for the gorilla suit?

Conor P. Cahill said...

I think you would also need to pay with coins as bills have serial numbers on them (at least they do here in the USofA).

Kind of hard to buy a car, or even a gorilla suit, that way, but probably OK for a coffee at the neighborhood starbucks (although I would presume that the gorilla suit would provoke some stares).

Note, also, that the gorilla suit itself is probably a traceable identity factor (I think most people would notice you walking down the street and/or getting into a vehicle). :-)

Erik said...

A guy named Stefan Brands who used to work for Zero Knowledge Systems developed a system for non-traceable electronic cash.

Basically, you could get tokens that represented cash, and then trade them anonymously for goods or services. The seller could verify the validity of the token off-line (without connecting to a central authority).

But what is to prevent the buyer from giving the same token to two different sellers? The transactions had a property such that, if the same token were spent twice, the transaction records from the two sellers could be combined to reveal the identity of the buyer.

In all other cases the buyer remained anonymous.
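A toy model of the double-spending property Erik describes, added here as an illustration and not taken from the post or from Brands' actual protocol: the buyer splits their identity into k random pairs whose XOR is the identity and commits to both halves; each spend answers a seller's random challenge by opening one half per pair, which reveals nothing on its own, but two spends with different challenges open both halves of some pair and expose the identity. The identity-splitting idea goes back to Chaum, Fiat and Naor's untraceable e-cash; the bank's blind signature that would make the token valid money is omitted, and all values are constructed.

```python
import hashlib
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mint_token(identity: bytes, k: int = 8):
    """Buyer side: k pairs (a_i, b_i) with a_i XOR b_i == identity, plus commitments.
    The pairs stay with the buyer; only the commitments travel inside the token."""
    pairs = []
    for _ in range(k):
        a = secrets.token_bytes(len(identity))
        pairs.append((a, xor(a, identity)))
    commitments = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in pairs]
    return pairs, commitments


def random_challenge(k: int) -> list[int]:
    """Seller side: one random bit per pair, chosen fresh for every spend."""
    return [secrets.randbelow(2) for _ in range(k)]


def spend(pairs, challenge):
    """Buyer opens exactly one half of each pair, as selected by the seller's bits."""
    return [pairs[i][bit] for i, bit in enumerate(challenge)]


def verify(commitments, challenge, reveals) -> bool:
    """Off-line check: every opened half must match its commitment in the token."""
    return len(reveals) == len(commitments) and all(
        hashlib.sha256(r).digest() == commitments[i][bit]
        for i, (bit, r) in enumerate(zip(challenge, reveals))
    )


def reveal_double_spender(challenge1, reveals1, challenge2, reveals2):
    """Combine two sellers' records: any pair challenged differently exposes identity.
    Returns None only if both challenges were identical (probability 2**-k)."""
    for i, (c1, c2) in enumerate(zip(challenge1, challenge2)):
        if c1 != c2:
            return xor(reveals1[i], reveals2[i])
    return None
```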

Conor P. Cahill said...

Yeah, I'm well aware of Stephan's work (he's now at Credentica) and the work of others in the digital cash world. They are doing things that enable anonymous transactions (at least from the cash factor itself).

My main point in this article was to identify the different types (and, of course, to add my thought on what I think is really necessary). I personally accept that most things I do are not anonymous (Conor Cahill is my real name) and I'm OK with that as I think are most other people.

Robin Wilton said...

It might also be useful to make the distinction that, when you pay cash, any loss of anonymity arises not from the cash, but from other associated factors (the cashier sees you, you may be caught on CCTV and so on).

Compare and contrast the case where you use chip & PIN to make a purchase: in many such systems, you enter your card in such a way that the cashier can't physically read any of the details on it (including your name); the cashier just sees a confirmation that your PIN has been verified. That's the only factor they get which allows them to assume that you are the valid holder of that card.

And yet the bank knows where and when you spent your money, and the supermarket's POS system knows who you are too. As far as the interaction between you and the cashier goes, this is about as anonymous as a cash transaction, but clearly there are other respects in which it is much less so.

Pete Rowley said...

All good stuff, but I think it is unwise to downplay anonymity in the digital world. We put up with shortcomings in systems in the real world when we have to bow to greater requirements, like physics. The danger is to mistake cases of acceptance of those requirements for what would be desirable even when those requirements no longer apply. Real-world examples of pseudonymity often fail the "would it be even better if it were anonymous?" test. So, yeah, just enough, but as you mention, sometimes the just enough will be anonymous.

Conor P. Cahill said...

I don't mean to "play down" anonymity, but rather caution that expecting it and/or forcing it everywhere is probably the wrong thing to do as well.

Anonymity has a cost (not being able to figure out "who did that?") which is an acceptable cost in some cases, but not in many other cases, especially if the transaction is part of a non-anonymous relationship between the parties.

Conor P. Cahill said...

(Responding to Robin's comment)...

The loss of some level of anonymity could also come from someone tracking the serial numbers on the bills (yeah, I don't know of any real case of this being done regularly either) and/or tracing physical evidence. (Note that in general, with a cash transaction, they don't get to know your name unless you give it to them (like when they ask for your phone number at checkout).)

For the pin transaction, the store typically gets an authorization token that is used to prove to the bank they should get the $$ and could be used between the store and the bank to collude about the user (I would call that a traceable transaction).