Following on from my post about posts across the web on identity, James Davis, Jisc’s Information Security Manager provided the following blog post which expands on the topic.
With increased awareness of state surveillance schemes, people are looking towards cryptographic technologies such as tor and bitcoin as a perceived means to regain a degree of anonymity and privacy online.
These technologies may be readily accessible, but understanding the protection they provide your identity is a little harder to grasp.
Perhaps this is because anonymity seems to be such an intuitive idea, whereas in reality the workings of cryptographic systems, peer-to-peer networks and online identity are much more complex. Different technologies provide different types of anonymity, identity and privacy.
Bitcoin is often promoted as an anonymous alternative to mainstream currencies, but the system is far from anonymous. Bitcoin addresses, from and to which the currency can be transferred actually represent identities within the system. Not only that – every single transaction is broadcast over the bitcoin network and can be viewed publicly. In some respects it’s a less anonymous system than cash based transactions. Bitcoin users are encouraged to retain some anonymity by generating new addresses for each transaction, but even then, managing and maintaining those identities is the only thing that allows you to assert that you own your bitcoins.
Tor (the onion router) provides a means for hiding the source of web traffic, by wrapping it in multiple layers of encryption and routing it through several intermediate systems. What’s often overlooked is that tor doesn’t protect you from disclosing your identity within the contents of your communications. It can take significant discipline to avoid doing this. Here’s a recent blog post that reveals how even tor hidden services can frequently be deanonymised through this type of mistake.
As well as providing different types of anonymity and identity, these privacy enhancing tools are valuable to society. This could pose some interesting questions for institutions of the future: is control of a bitcoin address sufficient to identify a student enrolled on a MOOC if all you wanted to know is that they were the same student you taught the prerequisite courses to? Would future regulation of cryptocurrencies necessitate that these types of identity be tied to a “real world” identity?