Anonymity versus privacy

Let's imagine that today you visited several places in a heavily video-surveilled city while wearing a mask. Nobody knew your name or your real identity, but everyone knew what you did, in all its details. Given the unusual period, not a medical mask, but more of a full, old-school mask – to keep it trendy, let's say one of those plastic V for Vendetta ("Anonymous") masks from your local bazaar.

Privacy and anonymity are great buzzwords in the online age. They drive clicks, boost sales and have an irresistible ethical-rebellious twist that makes them both look like things worth fighting for. "We value your privacy", every ultra-nosey webpage you visit will say, and then proceed to explain how it really needs to sell your data to hundreds of shady companies.

The thing is, these two concepts are tremendously different. The GDPR legal corpus targets privacy, but certainly not anonymity. The TOR project, ironically born as a US defense project, promises both by fuzzing your data and using custom-tailored extensions in its own Browser, which are meant to simultaneously anonymize users and disable trackers, unless you willingly unmask your identity while browsing. Bitcoin and other cryptos, on the other hand, are fully anonymous, but not "private" in themselves, since transactions are tracked by design. Purism, the famous Librem5 maker, has revealed a SIM card that promises anonymity, yet not necessarily "privacy" from a purely technical point of view.

A definition of online privacy and anonymity is difficult to state, given the fluidity of the two concepts. As I perceive them, however, a "lossy approximation" could be as simple as the following. Privacy is respected when whatever you do online is kept exclusively between you and your interlocutor, be it a website, a person or anything else. That means: not open to interception in the middle (hence encrypted), not sold or visible to any third party (including, possibly, in the case of interpersonal communication, the platform itself!) and not gathered, stored and tracked as a sequence, as happens with most analytics services, just to build a personalized profile out of your activities and preferences.

Anonymity, on the other hand, is a much weaker concept. It means disconnecting your online persona from your physical one, that is, hiding your real identity without changing the way the flow of information and the personalized profile are built, with all the nasty commercial dynamics of the underlying network left intact. And while it is not uncommon for modern privacy implementations, such as the abovementioned TOR, to aim at anonymity as well, the opposite ("anonymous" services being respectful of privacy) is a far more uncommon, and often shady, matter.

An unbiased example of privacy-respectful infrastructure without anonymity is the Signal platform, one of the most widely adopted examples of communication with real end-to-end encryption (that is, with users fully owning the keys to their messages). Anonymity is not preserved per se, since phone numbers are associated with profiles for transparency reasons, e.g. to avoid spam and malicious activity. And, as in every opaque P2P encrypted chat platform, the IP addresses of both ends of a call are known to each other.

If we were to kick a hornet's nest, platforms like Telegram seem to follow the opposite philosophy. Usernames, internal IDs and phone numbers are stored in the clear in internal databases, in associations potentially known to the company itself, and most of the communication is stored almost unencrypted on the company servers. The exception, the so-called Secret Chats, must be enabled every time, is device-specific with no possibility of key transfer, and is essentially discouraged by the otherwise very smooth UX workflow of the app.

By not implementing end-to-end cryptography, services become "trusted keepers" of sensitive data rather than external and agnostic carriers of sealed letters.

Yet Telegram is known as one of the go-to platforms for privacy-conscious users, for a very simple reason: its company has often refused, for the sake of users' privacy, to reveal the contents of its databases to law enforcement or third parties. Almost all of its data is stored in the clear, so internal associations and analyses could be made, or the data could be accessed at any time by a sysadmin or any agent hiding behind the opaque back-end. Yet the company promises to keep it secret, and has allegedly succeeded in doing so all these years. The same goes for most Apple services, which also promise privacy in spite of not implementing end-to-end cryptography, thus being "trusted keepers" of sensitive data rather than external and agnostic carriers of sealed letters, as in the case of the Signal, Matrix or TOR protocols, among others.

An extreme example of anonymity without privacy, which is also becoming relevant to the field of Linux phones and privacy activists, is the so-called anonymous SIM. These cards operate like regular cards on regular networks, with just one big difference: instead of being personal, they are all registered to a single entity, the company offering them (which, in most legislations, is thus also legally responsible), often charging a hefty premium for this service. The phone number remains the same between calls (or may even change, in very expensive plans) and the services used with them are the same as before, but the user has to trust a private, often very shady (e.g. openly linked to criminality) company not to reveal the identity of its buyers, or, in some countries, never to learn it at all. In other words, these are just the evolution of the concept of the "front man" (in whose name the private property of, say, mafia leaders is officially registered) that has been part of many criminal subcultures over the last centuries.

A now-defunct Dutch firm openly targeted criminal audiences, leasing modified Android smartphones stripped of cameras, GPS and sensors for over $3k a year.

To clarify this difference further: for a platform, guaranteeing real privacy rather than empty anonymity means giving users a totally private and safe way to communicate with each other - let's say, an algorithmically insulated and tamper-evident sealed room to talk in, with you and your interlocutor as sole owners of the key, and the ability to store your data in a "vault" with the almost perfect certainty that nobody else will open it, short of key theft.

Anonymity without privacy is predictably much easier to promise. It means going to a seller, who usually knows you personally, and buying from them a "mask" with their unique signature on it (the cheap Vendetta one from above will work fine, except that, unlike in the complex realms of Internet protocols, this would include no IP address or easy service-specific fingerprint).

So you go around with it as your only certainty and then, once done, you return it to them and, essentially, receive your real identity back. No matter what you do, the history of your activity is transmitted on a "leaky" wire exactly as it was before, and the service provider is still free to reveal who you are at any time - and is usually forced to, once legally threatened. Every single business knows you, and often your disguised "fingerprint", through the sequence of tracked transactions.

They know what your exact mask looks like, and you are expecting the seller of the anonymization service to be kind enough not to reveal your identity to others. This is the case with VPNs, anonymous SIMs, proxy servers and many so-called "privacy oriented" services, which however fail to even consider the root of the problem.

In fact, being an "anonymity provider" is extremely easy: get a good lawyer, then buy a laptop or smartphone and lend it to as many strangers as profit allows, so that it is known that its activity is not directly attributable to you. Alternatively, sell "masks" - authorize people to use your IP as a proxy for their activity. You provide them anonymity, which most non-technical people will hardly distinguish from privacy, and make easy profit.

However, what we are trying to achieve through Internet decentralization, open source and - ultimately - Linux phones is privacy. That is, escaping companies that restrict their ecosystems exclusively to software that fits their financial needs and views of the world, and getting rid of the ubiquitous software trackers, profiting on sensitive data for the sake of personalized advertising, that our phones have accustomed us to. Or, more simply, preventing people from knowing our very own business - calls, emails, etc. - until we want them to. This does not necessarily mean building an alternative "online persona" for ourselves, or having a real (tracked) profile hidden behind a fake IP address or an allegedly safe non-encrypted server.

In fact, none of the privacy activists I interacted with were afraid to use their real identity (name, e-mail, PGP keys and often personal phone number) online to communicate with people, as long as the means of communication they used respected the privacy between them and their interlocutors. But still, marketing anonymity as privacy seems to be the direction we are slowly going towards.

Overview of Signal's Double Ratchet algorithms (source)

The thing is, real privacy is much more difficult to achieve, or even to promise. Firstly, because genuine commitment to privacy means killing the temptation of profiting from the main source of Internet income, that is, your personal data. Secondly, because real privacy needs decentralized and encrypted storage, which tends to be much more expensive and architecturally complex than traditional, centralized storage models.

Privacy is a human right. Anonymity, on the other hand, is not necessarily one. Regardless of whether this is "good" or "bad" in itself, people are conventionally treated by most societies as legally responsible for their actions, which makes anonymization extremely hard to achieve in real life in any modern society - and arguably not essential for freedom. Once conversations are kept away from prying ears and known only to the involved parties - meaning no platforms, intermediaries or political forces - there is arguably no need for the forced erasure of our true persona.

But as usual, it depends. Neither of the two concepts is bad in itself, and both can be widely abused in different ways - and, as commonly happens, such (extraordinary) cases of abuse are used as an excuse to forbid legitimate use as well. For example, in the light of terrorist attacks, a ban on end-to-end encryption (E2EE), or not allowing users to own the keys to their messages, has been proposed several times in the European Parliament, and still looks dangerously close to being applied.

In conclusion, a clear conceptual distinction between privacy and anonymity is the only way to have a clear view of the path towards real (both technical and legal) protection of personal data and freedom from unwanted surveillance. Care should be taken to always push "privacy" rather than simplistic anonymization, since, as stated before, the latter will never solve the former.

Cover picture: Masked couple at the Carnevale in Venice, Frank Kovalchek (CC BY 2.0)

Notice to the readers: This is an opinion article, entirely meant to reflect the personal views of the writer. As such, the contents are open to debate.
Our articles are commonly discussed in our semi-official subreddit, r/tuxphones