How anonymity overshadows real online privacy

Let's imagine that today you visited several places in a heavily video-surveilled city while wearing a mask. Nobody knew your name or your real identity, but everyone knew what you did, in all its details. Given the unusual period, not a medical mask but a full, old-school one; to keep it trendy, let's say one of those plastic "V for Vendetta" masks from your local bazaar.

Privacy and anonymity are great buzzwords in the online age. They drive clicks, boost sales and have an irresistible ethical-rebellious twist that makes them both things worth fighting for: "we value your privacy", every ultra-nosey webpage you visit will say, and then proceed to show you two hundred default-enabled switches to toggle manually, with an evil grin.

The thing is, the two concepts are tremendously different on the inside. The GDPR legal corpus targets privacy, but certainly not anonymity. The Tor project, ironically born as a US defense project, promises both by obfuscating your data and using custom-tailored extensions in its own Browser, which are meant to simultaneously anonymize users and disable trackers unless you willingly unmask your identity while browsing. Bitcoin and other cryptocurrencies, on the other hand, are fully anonymous, but not "private" in themselves, since transactions are tracked by design. Purism, the well-known maker of the Librem 5, offers a SIM card that promises anonymity, yet not necessarily "privacy" from a purely technical point of view.

A definition of online privacy and anonymity is difficult to state, given the fluidity of the two concepts. As I perceive them, however, a "lossy approximation" could be as simple as the following. Privacy is respected when whatever you do online is kept exclusively between you and your interlocutor, be it a website, a person or anything else. That means not potentially spied on in transit (so, encrypted), not sold or visible to any third party (including, in the case of interpersonal communication, the platform itself!) and not gathered, stored and tracked as a sequence, as happens with most analytics services, just to build a personalized profile out of your activities and preferences.

Anonymity, on the other hand, is a much weaker concept. It means disconnecting your online persona from your physical one, that is, hiding your real identity without changing the way the flow of information and the personalized profile are built, with the related nasty commercial dynamics of the underlying network. And while it is not uncommon for modern privacy implementations, such as the above-mentioned Tor, to keep an eye on granting anonymity as well, the opposite ("anonymous" services being respectful of privacy) is a far less common, and often shady, matter.

A popular, now debunked myth claims that ostriches bury their heads in the sand when they want to hide. This is an intuitive representation of "shallow" anonymity: our faces, that is our real identity, are not visible, yet everything else is. (Photo: BBC Science Focus)

An unbiased example of privacy-respecting infrastructure without anonymity is the Signal platform, which is one of the most numerically successful examples of communication that respects its users through end-to-end encryption (that is, with users fully owning the keys to their messages). Anonymity is not preserved per se, since phone numbers are associated with profiles for transparency reasons and to avoid spam and malicious activity, and, as in every P2P encrypted chat platform, the IP addresses of both ends of a call are presumably known to each other.

On the other hand, if we were to kick a hornet's nest, platforms like Telegram seem to follow an almost opposite philosophy. While this may seem like a bold claim, usernames, internal IDs and phone numbers are associated in clear in internal databases, in associations potentially known to the company itself, and most of the communication (with the exception of the not-enabled-by-default, and borderline impractical, Secret Chats) is stored almost unencrypted on the company's servers. Yet Telegram is known as one of the main platforms for privacy-conscious users, for a very simple reason: the company has so far always refused, for the sake of users' privacy, to reveal the contents of its databases to law enforcement or third parties. Almost all of its data is stored in clear, internal associations and analysis could be made, and this could be accessed at any time. Yet the company promises to keep it secret, and has succeeded at doing so in all these years. The same goes for most Apple services, which also promise privacy despite not implementing end-to-end cryptography on most of them, thus being "trusted keepers" of sensitive data rather than external and agnostic carriers of "sealed letters", as in the case of Signal, most Matrix or Tor nodes, among others.

An extreme example, which is also becoming relevant to the field of Linux phones and privacy activists, is so-called anonymous SIMs. These cards operate like regular cards on regular networks, with just one big difference: instead of being personal, they are all registered to a single entity, which is the company offering them (and which, in most legislations, is thus also legally responsible), often charging a hefty premium for this service. In other words, the phone number remains the same (or may even change in very expensive plans) and the services used with them are the same as before, but the user has the burden of trusting a private, often very shady (e.g. openly linked to criminality) company not to reveal the identity of its buyers, or, in some countries, never to learn it at all. In other words, these are just the evolution of the old-fashioned concept of the "front man" (in whose name the private property of mafia bosses is officially registered) that has been part of many criminal subcultures over the last centuries.

A now-defunct Dutch firm openly targeted criminal audiences, leasing modified Android smartphones stripped of cameras, GPS and sensors for over $3k a year.

To clarify this difference further, guaranteeing real privacy, rather than "shallow" anonymity, means that the platform provides their users a totally private and safe way to communicate between each other - let's say, an algorithmically insulated and tamper-evident sealed room to talk into, with you owning the only key to this room, being able to store your data in a "vault" with the almost perfect certainty that nobody else will ever get the key to it without visible theft.

Anonymity without privacy is predictably much easier to promise. It means going to a seller, who usually knows you personally, and buying from them a "mask" with their signature on it (the cheap Vendetta one from above will work fine, except that, unlike in the complex realm of Internet protocols, it would carry no IP address or easy service-specific fingerprint); they sell it to you so that you can go around wearing it, then, once done, you return it to them in exchange for getting your real identity back. No matter what you do, the history of your activity is transmitted on a "leaky" wire exactly as it was before, and the service provider is still free to reveal who you are at any time, and is usually forced to once legally threatened. Every single business knows you, and often your disguised "fingerprint", through the sequence of tracked transactions. They know your mask, and you are expecting the seller of the anonymization service to be kind enough not to reveal your identity to others. You still act the same, and speak the same way: mask your voice, but it will still be that one specific masked voice, even though you may change IP over time. This is the case with VPNs, anonymous SIMs, proxy servers and many so-called "privacy oriented" services, which however fail to even consider the root of the problem.
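To make the "mask seller" and "sealed letter" models concrete, here is an added Python example (not code from the original article, nor from any of the platforms it mentions) that models both kinds of intermediary and shows what each can reveal. The identities, messages and the HMAC-based keystream cipher are constructed for illustration only; a real client would use a vetted AEAD and session keys such as those of Signal's Double Ratchet.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: XOR data with an HMAC-SHA256 counter keystream.
    Constructed for this example only; it is NOT a vetted construction."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class MaskSeller:
    """Anonymity-without-privacy model (VPN, anonymous SIM, proxy): the provider
    links each mask to a real identity and sees every message in clear."""
    def __init__(self) -> None:
        self.identities: dict[str, str] = {}   # mask -> real identity
        self.log: list[tuple[str, str, bytes]] = []  # (mask, recipient, plaintext)

    def register(self, real_identity: str) -> str:
        mask = "mask-" + secrets.token_hex(4)
        self.identities[mask] = real_identity
        return mask

    def send(self, mask: str, recipient: str, plaintext: bytes) -> None:
        self.log.append((mask, recipient, plaintext))

    def reveal(self) -> list[tuple[str, str, bytes]]:
        # Once legally threatened, the provider can hand over identity AND content.
        return [(self.identities[m], r, p) for m, r, p in self.log]


class SealedRelay:
    """Privacy-without-anonymity model (end-to-end encrypted messenger): the sender
    is known, but the relay only ever stores ciphertext and cannot decrypt it."""
    def __init__(self) -> None:
        self.log: list[tuple[str, str, bytes]] = []  # (sender, recipient, ciphertext)

    def send(self, sender: str, recipient: str, ciphertext: bytes) -> None:
        self.log.append((sender, recipient, ciphertext))

    def reveal(self) -> list[tuple[str, str, bytes]]:
        return list(self.log)  # identity and ciphertext only


def compare(message: bytes) -> tuple[bytes, bytes, bytes]:
    """Return what the mask seller sees, what the relay sees, and what the
    recipient (holding the shared key) recovers from the relay's copy."""
    seller = MaskSeller()
    mask = seller.register("alice@example.org")        # constructed identity
    seller.send(mask, "bob@example.org", message)
    relay = SealedRelay()
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)  # only at the ends
    relay.send("alice@example.org", "bob@example.org", keystream_xor(key, nonce, message))
    seller_view = seller.reveal()[0][2]
    relay_view = relay.reveal()[0][2]
    return seller_view, relay_view, keystream_xor(key, nonce, relay_view)
```

Run `compare(b"meet at the usual place")`: the mask seller's record contains the real identity and the plaintext, while the relay's record names the sender but holds only ciphertext that just the key holder can decrypt.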

In fact, being an "anonymity provider" is extremely easy: get a good lawyer, then buy a laptop or smartphone and lend it to so many strangers that it becomes known that none of its activity is attributable to you directly. Alternatively, sell "masks": authorize people to use your IP as a proxy for their activity. You will provide them anonymity, which some will not be able to distinguish from privacy, and you will make easy profit.

What we are trying to achieve through decentralized free software and Linux phones, however, is real privacy. That is, companies not closing the "walled garden" around those applications that fit their financial needs, profiting from very sensitive data, or tracking long sequences of activities, GPS positions and preferences for the sake of personalized advertising. Or, more simply, preventing people from knowing our very own business (calls, emails, etc.) until they technically need to, or we want them to. We are not necessarily seeking to build an alternative "online persona" for ourselves, a real tracked profile hidden behind a false name and data.

If this sounds absurd, we could argue that almost all privacy activists are not afraid to use their real identity (name, e-mail, PGP keys and often personal pictures and phone number) online to communicate with people, as long as the means of communication they use respects the privacy between them and their interlocutors. All of this while the aforementioned trend of "anonymity being marketed as privacy" seems to be the direction we are slowly heading towards.

Overview of Signal's Double Ratchet algorithms (source)

The thing is, real privacy is much more difficult to achieve, or even promise. Firstly because genuine commitment to privacy means killing the temptation of profiting from the main source of Internet income, that is, your personal data. Secondly, because real privacy needs decentralized and encrypted storage, which has a tendency to be much more expensive and architecturally complex than traditional, centralized storage models.

Privacy is a human right. Anonymity, on the other hand, is not necessarily one. Regardless of whether this is "good" or "bad" in itself, people are conventionally treated by most societies as legally responsible for their actions, which makes anonymization extremely confusing to achieve in real life for any modern society, and arguably not essential for freedom. Once conversations are kept private from indiscreet ears, and actions are known only to the involved parties (meaning no platforms, intermediaries or political forces), there is arguably no need for the forced hiding of our true personas.

But as usual, it depends. Neither of the two concepts is bad in itself, and both can be widely abused in different ways, with such (extraordinary) cases of abuse commonly being used as an excuse to forbid legitimate use as well. For example, in the light of terrorist attacks, a ban on end-to-end encryption (E2EE), that is, on users owning the keys to their messages, has been proposed several times to the European Union, and is still dangerously close to being applied.

In conclusion, having a clear conceptual distinction between privacy and anonymity is the only way to have a clear view of the path towards real (both technical and legal) protection of personal data and freedom from unwanted surveillance. In fact, care should be taken to always push "privacy" rather than simplistic anonymization, since, as stated before, the latter will never solve the former.

Cover picture: Masked couple at the Carnevale in Venice, Frank Kovalchek (CC BY 2.0)

Notice to the readers: This is an opinion article, entirely meant to reflect the personal views of the writer. As such, the contents are open to debate.
Our articles are commonly discussed in our semi-official subreddit, r/tuxphones