Industry Observations-Web Application Security

Anonymity or Accountability?

Over a decade ago, when I was just starting in the computer security scene, I went to a conference for managed security services providers as the sole representative for my company. Near the end of the day-long conference there was a large discussion in which people were asked, “If you could change one thing with a magic wand to have the biggest impact on security, what would it be?”

When it finally got to me, I said the only thing that came to mind, “Attribution.” I explained, “If I had a magic wand and could change anything to have the largest impact on security, I’d make it so that everything on the Internet could be attributed to people so that we could have accountability. If you knew the packet you sent would be tagged with the information necessary for someone to track you down, you’d be extremely unlikely to commit any crimes using the Internet.”

I know it’s impossible to do that, but it was a magic wand after all. But that’s not the end of the story. Over the years I have become a privacy “guy” insomuch as I take people’s privacy seriously. However, I also have one foot squarely in the world of banking, finance, retail and so on – where attribution is hugely important for security, and also as an unintended consequence *ahem* marketing. So as much as I’d love to have people live in a free and open society, we all know what a bunch of jerks people can be when they know there’s nothing at risk when they break the law.

On the flip side, 100% attribution is terrible for privacy when you’re not doing anything illegal, or if you are a political dissident. The very last thing our forefathers wanted when they were talking amongst themselves in pubs on the East coast, considering creating a new nation, was attribution. They saw fit to write amendments to the constitution to limit unlawful search and seizures, and to allow freedom of speech.

So on one hand you have freedom and on the other hand you have safety. I have taken to asking people: “If you had to chose only one, which would it be? Accountability or Anonymity? Do you ever want there to be a way for you to do something anonymously or not? Do you ever want to be at risk of not finding someone who had committed a crime or not?”

I am somewhat surprised to find that when given only the choice between one or the other, it has been nearly an even split amongst people I talk to – usually at conference – about which they’d prefer. Right now, we teeter on the brink of having no anonymity at all. With enough vulnerabilities that allow full compromises of millions of machines, and enough listening posts all over the world, anonymity is slowly but surely getting harder and harder to get. Look at the most recent busts of various Tor hidden services like Silk Road 2 – people whose livelihoods and freedom depend on privacy still can’t manage it.

Most people would say that drug dealers and arms dealers deserve to be behind bars, so good riddance, regardless of how it happened. However, what about Colorado? Last year, being in possession of marijuana would land you in jail. This year it won’t. So are we as a society willing to indiscriminately put people in jail for breaking the law, even when the law later turns out to be unjust and/or bad for society?

Or worse yet, what if our government moves into a second age of McCarthyism – where they hunt down those who engage in civil disobedience with untold masses of siphoned information to decide whom to jail and whom to leave alone? What if adultery suddenly became a felony? Thought crimes could be punishable in such a dystopian world — not a pretty sight either. Though your banking passwords would be safe, certainly. (Except from the government.)

Perhaps releasing certain types of criminals or forgiving certain types of crimes, as California is about to do, might be a worthwhile exercise. A certain level of crime, while seemingly bad, is critical to allowing for a free society. It’s a complex issue, and of course there is always a middle-ground, but I think to properly understand the middle ground you have to explore the edges. What would a perfectly accountable Internet bring? It would bring with it a near zero cyber-crime rate but also limited freedoms. What would a perfectly anonymous Internet bring? It would bring unfettered cyber-crime but unlimited freedoms. It feels like you’d want some sort of middle ground, but there’s no such thing as “somewhat anonymous” when your life depends on it.

While my younger self would have said that “attribution” was the key to security, I would now tell my younger self to look beyond security, and really contemplate what a completely secure society would look like. Maybe a completely secure society with attribution for every act isn’t such a great idea after all, I would warn him. There are probably no easy answers, but it’s a conversation that needs to happen.

Assuming for a second that there was only one answer, if you had to chose one, which would it be: anonymity or accountability? And more importantly, why?