ANONYMITY on the INTERNET
Compiled by L. Detweiler

ANONYMIZING

===========

<1.1> What are some known anonymous remailing and posting sites? Currently the most stable of anonymous remailing and posting sites is anon.penet.fi operated by julf@penet.fi for several months, who has system adminstrator privileges and owns the equipment. Including anonymized mail, Usenet posting, and return addresses (no encryption). Send mail to help@anon.penet.fi for information. Hal Finney has contributed an instruction manual for the cypherpunk remailers on the ftp site soda.berkeley.edu (128.32.149.19): pub/cypherpunks/hal's.instructions. See also scripts.tar.Z (UNIX scripts to aid remailer use) and anonmail.arj (MSDOS batch files to aid remailer use). Standard cypherpunk remailers allow unlimited chaining by including `::' characters in the message to denote nested headers. The intermediate host strips this from the message body and uses fields (particularly the to: destination) in the new message header. See the Finney manual for more information. ebrandt@jarthur.claremont.edu ----------------------------- Anonymized mail. Request information from above address. elee7h5@rosebud.ee.uh.edu ------------------------- Experimental anonymous remailer run Karl Barrus , with encryption to the server. Request information from that address. hal@alumni.caltech.edu ---------------------- Experimental remailer with encryption to server and return addresses. Request information from above address. hh@soda.berkeley.edu hh@cicada.berkeley.edu hh@pmantis.berkeley.edu ---------------------- Experimental remailer. Include header `Request-Remailing-To'. nowhere@bsu-cs.bsu.edu ---------------------- Experimental remailer allowing indefinite levels of chaining. Run by Chael Hall. Request information from above address. phantom@mead.u.washington.edu ----------------------------- Experimental remailer with encryption to server. `finger' site address for information.

Notes:

=====

- Cypherpunk remailers tend to be unstable because they are often running without site administrator knowledge. Liability issues are wholly unresolved. Generally don't support return addresses.

- So far, all encryption is based on public-key cryptography and PGP software (see the question on cryptography).

- Encryption aspects (message text, destination address, replies) vary between sites.

- Multiple chaining, alias unlinking, and address encryption are mostly untested, problematic, or unsupported at this time.

_____ <1.2> What are the responsibilities associated with anonymity?

Users

-----

- Use anonymity only if you have to. Frivolous uses weaken the seriousness and usefulness of the capability for others.

- Do not use anonymity to provoke, harass, or threaten others.

- Do not hide behind anonymity to evade established conventions on Usenet, such as posting binary pictures to regular newsgroups.

- If posting large files, be attentive to bandwidth considerations. Remember, simply sending the posting to the service increases network traffic.

- Avoid posting anonymously to the regular hierarchy of Usenet; this is the mostly likely place to alienate readers. The `alt' hierarchy is preferred.

- Give as much information as possible in the posting (i.e. references, etc.) Remember that content is the only means for readers to judge the truth of the message, and that any inaccuracies will tend to discredit the entire message and even future ones under the same handle.

- Be careful not to include information that will reveal your identity or enable someone to deduce it. Test the system by sending anonymized mail to yourself.

- Be aware of the policies of the anonymous site and respect them. Be prepared to forfeit your anonymity if you abuse the privilege. Be careful that you can trust the system operator.

- Be considerate and respectful of other's objections to anonymity.

- ``Hit-and-run'' anonymity should be used with utmost reservation. Use services that provide anonymous return addresses instead.

- Be courteous to the system operator, who may have invested large amounts of time, be personally risking his account, or dedicating his hardware, all for your convenience.

Operators

--------- - Document thoroughly acceptable and unacceptable uses in an introductory file that is sent to new users. Have a coherent and consistent policy and stick to it. State clearly what logging and monitoring is occurring. Describe your background, interest, and security measures. Will the general approach be totalitarian or lassaiz-faire?

- Formulate a plan for problematic ethical situations and anticipate potentially intense moral quandaries and dilemmas. What if a user is blackmailing someone through your service? What if a user posts suicidal messages through your service? Remember, your users trust you and use your service to protect their identities.

- In the site introductory note, give clear examples of situations where you will take action and what these actions will be (e.g. warn the user, limit anonymity to email or posting only, revoke the account, 'out' the user, contact local administrator, etc.)

- Describe exactly the limitations of the software and hardware. Address the bandwidth limitations of your site. Report candidly and thoroughly all bugs that have occurred. Work closely with users to isolate and fix bugs. Address all bugs noted below under ``(in)stability of anonymity''.

- Document the stability of the site---how long has it been running? What compromises have occured? Why are you running it? What is your commitment to it?

- Include a disclaimer in outgoing mail and messages. Include an address for complaints, ideally appended to every outgoing item. Consult a lawyer about your liability.

- Be committed to the long-term stability of the site. Be prepared to deal with complaints and `hate mail' addressed to you. If you do not own the hardware the system runs on or are not the system adminstrator, consult those who do and are.

- Be considerate of providing anonymity to various groups. If possible, query group readers.

- Keep a uniformity and simplicity of style in outgoing message format that can be screened effectively by kill files. Ensure the key text `Anon' is somewhere in every header.

- Take precautions to ensure the security of the server from physical and network-based attacks and infiltrations.

Readers

------- - Do not complain, attack, or discredit a poster for the sole reason that he is posting anonymously, make blanket condemnations that equate anonymity with cowardice and criminality, or assail anonymous traffic in general for mostly neutral reasons (e.g. its volume is heavy or increasing).

- React to the anonymous information unemotionally. Abusive posters will be encouraged further if they get irrationally irate responses. Sometimes the most effective response is silence.

- Notify operators if very severe abuses occur, such as piracy, harassment, extortion, etc.

- Do not complain about postings being inappropriate because they offend you personally.

- Use kill files to screen anonymous postings if you object to the idea of anonymity itself.

- Avoid the temptation to proclaim that all anonymous postings should be barred from particular groups because no `possible' or `conceivable' need exists.

References

---------- This article is an excerpt from an issue of FIDONEWS on individual privacy and the use of handles. It accepts the need of a system operator to know the name of a user; but suggests that the use of a handle is analogous to a request to withhold the name in a letter to the editor. The article concludes with a set of guidelines for preserving the right to be anonymous.

Why is anonymity such a problem?

--------- Anonymity so far has tended to further polarize existing distinctions in existing Usenet traffic. For example, serious uses such as sexual abuse counseling in newsgroups have increased. One psychotherapist reportedly objected to restrictions on anonymity because he was in the process of exploring it as a theurapeutic tool for his patients, and criticized people seeking restrictions on its availability. Many previously obscure aspects of Usenet and the internet have come under sharp scrutiny with the introduction of new capabilities for anonymity.

Harrassment & Censorship

------------------------ Frivolous and harassing cases have increased with the introduction of widespread and accessable anonymity. Usenet readers seem to become most agitated and enraged when people use these services to post messages aimed at insulting or offending specifically the members of groups where they are posted. For example, a poster might describe ways of attacking cats on the cat-lovers group. (note however that these messages appeared long before the services through forging, but the servers tend to make it easier and almost encourage it). These instances tend to live on in the memories of the readers long after the original poster has been silenced from complaints (either simply leaving or being censored by local administrators in response to negative email). In this way, the services are particularly attractive to `sociopaths'. Perhaps somewhat unexpectedly, the most vocal public opposition is against anonymous posting, and anonymous remailing has generally avoided much controversy to date.

Foreign Sites

------------- Although every global anonymous posting site to date has come under extremely severe fire from hordes of network administrators, i.e. enough to shut them down (semi-) permanently, still the longest running one (anon.penet.fi, located in Finland) is foreign, a situation which D. Clunie notes as particularly ironic in that foreign countries appear to be embracing a medium for freedom of speech more enthusiastically than and contrary to the general conservatism and opposition at U.S. sites. Another oft-noted irony (or to some, hypocrisy) arises with people who complain about news posters and anonymous sites, who generally prefer to do so `behind the scenes'; i.e. anonymously. In fact, the death of major sites (e.g. the Clunie and Helsingius servers) has left the operators concealing the identities of their attackers.

Intrinsic Popularity

-------------------- The existence and popularity of anonymous servers suggest they are filling a definite vacuum. Future news software may incorporate some of their mechanisms for untraceability. In fact, the proliferation of these servers can be interpreted as a remedying a deficiency in news software to easily post anonymous messages. The idea of routing messages to an intermediate, distant host simply to remove identifying headers and preserve anonymity, under fragile trust of the site operator, is clearly awkward, unwieldy, and unnecessary. That such tortuous paths are taken regularly by many users and maintained by dedicated and conscientious operators, despite enormous costs, chores, and headaches, suggests that the demand is strong, persistent, and permanent---a definite `need'.

U.S. Taboos

----------- The anonymous server software itself can be run anywhere, but apparently extremely few system operators have the latitude to run anonymous services from their connection providers, and the atmosphere arising from U.S. agency policies and actions may be generally hostile to these services. These restrictions are generally somewhat informal and concealed, and fall mostly in the form ``if a lot of people complain then you aren't allowed to do it.'' The Internet started as a research network and the tension between 'serious' scientific aims and informal ones has raged endlessly since its inception. A global patchwork of network jurisdictions tends to favor both sides. Pressure can be applied to local sites that generally are weak in opposition to admonishments. On the other hand, messages can reach a given destination over a wide variety of paths where only one is necessary.

Authentication Trends

--------------------- However, the trend in some news software development has moved toward increasing user validation, suggesting a fundamental disparity in evolved designer and user expectations. In fact, Usenet reader and news administrator opinions have been consistently divided on the issue with those in the former category largely in favor of the services and unlimited use, while those in the latter often demanding limited availability or gradual, formal approaches to introduction (newsgroup readers vote on acceptance). New proposals to facilitate the use distinctions of `serious, authenticated articles' and `informal, unverifiable posts' have emerged, and future Usenet software may integrate these complementary uses more harmoniously by differentiating them more explicitly.

What is the history behind anonymous servers?

The functions of anonymous posting vs. anonymous remailing are closely intertwined but on the Internet followed independent lines of historical development. Anonymous mailing has always been intrinsic to the internet SMTP mechanisms (Simple Mail Transfer Protocol). Formalized anonymous remailer functions, including encryption mechanisms, apparently originate with the Cypherpunk group started in mid-1992. The function of anonymous remailers has been compared to a device called the `cheesebox' that was invented during the Prohibition era in the U.S. Phil Karn writes: ``The `cheesebox' was a popular means to thwart telephone call tracing. It connected two lines in the back of an uninvolved business. It was the conceptual predecessor of today's anonymous email remailer.'' Originally anonymous posting/reply services (also called Anonymous Contact Service, ACS), were introduced for individual, particularly volatile newsgroups, where anonymity is almost the preferred method of communication, such as talk.abortion and alt.sex.bondage. One of the first was one by Dave Mack started in ~1988 for alt.sex.bondage. Another early one was wizvax.methuen.ma.us run by Stephanie Gilgut (Gilgut Enterprises) but was disbanded due to lack of funds. The system provided anonymous return addresses. n7kbt.rain.com (John Opalko) took up the functions of this server, including reinstating the anonymous alias file. The group ``alt.personals has been chewing through servers like there's no tomorrow.'' (K. Kleinpaste) With the introduction of the Clunie and Helsingius servers, the complementary functions of remailing and posting were unified into single servers. The idea of pseudonymous posting (the capability for not just one-way communication but responses and two-way dialog) carried naturally over to email. The history of anonymous servers on the internet is strewn with characters and casualties, particularly with the unprecedented globally-serving type, which are revolutionary in some aspects and merely evolutionary (or even stationary) in others. Subsequent questions address specific aspects of the history of this type of anonymous server.

HISTORY

======= Spurred by the disappearance of `wizvax' and interested in researching the idea, Karl Kleinpaste developed his own system from scratch in six hours. By this time the idea of extending the server to new, more `mainstream' groups was starting to emerge, and he explored the possibility partly at the specific request by multiple users for anonymity in other groups. ``The intended advantage of my system was specifically to allow multiple group support, with a single anon identifier across all. This was arguably the single biggest deficiency of previous anon systems.'' K. Kleinpaste posted a message on rec.nude asking users whether an anonymous service would be welcome there, and judged a consensus against it. K. Kleinpaste introduced what he calls a ``fire extinguisher'' to `squelch' or `plonk' abusive users in response to complaints, and used this in three cases. Nevertheless, after a few months of intense traffic he was eventually overwhelmed by the abuses of his server. ``Even as restricted as it was, my system was subjected to abuses to the point where it was ordered dismantled by the facilities staff here. Such abuses started right after it was created.''K. Kleinpaste reestablished his server in ~April 1993 with a very large usage policy forbidding many uses. Mr. Kleinpaste frequently Refers to `abusers' publicly and his guidelines for their removal or exposure.

What happened with the Clunie anonymous server?

------------------------ An innovative anonymous posting system with sophisticated functionality was set up in Oct. 1992 by D. Clunie that used PGP software for public-key cryptography in both directions (to/from) the server to achieve the highest degree of confidentiality seen so far. However, a major complaint originating from an unidentified but critical U.S. site (presumably one involved in the link) in ~Jan 1993 led to an ultimatum to D. Clunie, forcing him to shut down operation after only a few months. The letter alluded to a heavy volume of traffic associated with the anonymous server, potentially dominating the limited available communications bandwidth, and elevating its expense beyond the justifiable (the half circuit cost of the link is reportedly over $1 million per year). The pax.tpa.com.au site is based in Australia and the bandwidth of the AARNet Internet link for the entire continent at the time of the server operation was 500 megabits/sec, roughly half the capacity of local area network Ethernet connections. Nevertheless Mr. Clunie states that the ``small load on the server never approached `dominating the bandwidth','' branding that point of the complaint ``largely theoretical and unsupported by any statistics.'' A part of the letter is as follows (Mr. Clunie quotes the letter anonymously): They allow people all over the internet to send mail through a filter that replaces the user's real address with an anonymous address on their machine. This results in additional traffic (mail going from the US, to Australia, and back to the us, and one more time around for replies) on the Pacific link which is congested, and it's not clear what legitimate use an anonymous mail forwarding facility would have. In other words, it loads up the link, and hides people's identities so they can't be responsible for what they say. Not the best situation to have. Commenting on the letter, D. Clunie wrote ``I can't complain about the traffic issue, though I take exception to the criticism of anonymous mail forwarding. I was not in a position to argue ... as my feed site was threatened with disconnection if the service was not terminated.'' Mr. Clunie later released his software into the public domain, and comments on the Helsingius server: _____ <2.3> What happened with the Helsingius server (hiatus, shutdown)? In ~Nov 1992, Johan Helsingius set up the most controversial anonymous site to date. anon.penet.fi is based on scripts and C code written by K. Kleinpaste and supports anonymized mail, posting, and return addresses. He initially wanted to confine the service to Scandinavian users but expanded it to worldwide accessability in response to 'lots' of international requests. Mr. Helsingius comments: Due to the lawsuit-intensive climate in the US, many anonymous services have been short-lived. By setting up anon.penet.fi in Finland, I hoped to create a more stable service. J. Helsingius policy of allowing anonymous posting to every Usenet newsgroup has been met with strong and serious ideological opposition (e.g. by news adminstrators in news.admin.policy). Because of the relative newness and recent emergence of the medium, abuses by anonymous posters tend to have higher visibility than ``routine'' abuses. His total commitment to preservation of anonymity is also controversial. Despite piercingly irate and outraged complaints, and even the vocal opposition and verbal abuse of K. Kleinpaste and eminent news operators, J. Helsingius has largely avoided use of the ``fire extingisher'' and the ``group bouncer'' mechanisms that limit the scope of the service. As of ~March 1993 the anon.penet.fi site is best described as `inundated': it has registered over 13,000 users in its initial three months of operation, forwards ~3000 messages a day, and approximately 5% of all Usenet postings are anonymized through the site. The immense popularity is probably largely due to the capability for `global' anonymity which has allowed users to find creative uses in diverse areas not previously envisioned. Based on fast-moving dialogue and creative suggestions by members of the `cypherpunks' group, J. Helsingius has identified many security weaknesses and valuable new features for the service, and is currently in the process of code development and testing. He is planning on upgrading the IBM compatible 386 machine to a 486 soon to handle the voluminous load and is considering integrating a new system with very sophisticated functionality, including multiple email aliases, alias allocation control, public-key encryption, etc.

Week-long Hiatus

---------------- Johan Helsingius was subject to extraordinary pressure to dismantle his server in ~Feb 1993. At one point K. Kleinpaste threatened publicly to organize a sort of vigilante group of irate news operators to send out revocation commands on all messages originating from the site. I think I'm feeling especially rude and impolite. If it's good for Johan, it's good for me. After all, he didn't ask the greater Usenet whether universal anon access was a good idea; he just did it. ... Yes, I'm a seriously rude pain in the ass now, and I think I'll arm the Usenet Death Penalty, slightly modified, not for strategic whole-site attack, but tactical assault, just "an[0-9]*@anon.penet.fi" destruction. Only outside alt.*, too, let's say. There are 2 newsadmins ready to arm the UDP. They've asked for my code. I haven't sent it yet. Only one site would be necessary to bring anon.penet.fi to a screeching halt. Anyone can implement the UDP on their own, if they care to. Politeness and good sense prevents them from doing so. I wonder how long before one form of impoliteness brings on another form. J. Helsingius has also alluded to receiving threats of flooding the server. The server has crashed several times, at least once due to a saturation `mailbombing' through it by an anonymous user. Mr. Helsingius reports spending up to 5 hours per day answering email requests alone associated with the service's administration. In response to the serious threats such as that above he disabled global group access temporarily for one week and encouraged his users to defend the service publicly. But he has generally eschewed public debate on Usenet in general, preferring that his users publicize and defend it; and news.admin.policy in particular, stating that he considers it predominantly representative of the biased interests of news administrators interested in `centralized control'.

Global Shutdown

--------------- At the end of March 1993 Mr. Helsingius posted a solemn note on several newsgroups announcing the dismantling of anonymous posting service from his site (while retaining remailing features), stating that ``a very well-known and extremely highly regarded net personality managed to contact exactly the right people to create a situation where it is politically impossible for me to continue running the service.'' He also blamed a ``miniscule minority'' of ``immature and thoughtless individuals (mainly users from U.S. universities),'' for ``abuse of the network'' that ``caused much aggravation and negative feelings toward the service.'' He noted that at the time of shutdown the service was forwarding 3500 messages per day on the average from many thousands of users, with postings to 576 newsgroups, receiving complaints involving postings from 57 individuals. (anon.penet.fi statistics on number of actual users are controversial because of the site's `double-blind' system that automatically anonymizes replies to anonymous messages, possibly inflating the statistics with irregular or uncommitted users.) Mr. Helsingius voiced apologies to ``users on the network who have suffered from the abusive misuse of the server'' and the ``whole net community'' for ``keeping a far too low profile on the network, preferring to deal with the abuse cases privately instead of making strong public statements,'' regretting the lack of a ``publicly visible display of policy with regards to the abuse cases.'' At the same time, he noted that ``I am deeply concerned by the fact that the strongest opposition to the service... came from network Shortly after posting his public apology and shutdown notice Mr. Helsingius reported receiving over 350 messages of ``overwhelming support'' in favor of resuming the service and 6 against which have ``vastly improved my chances of resuming full operation''. Currently he has resumed service to a subset of newsgroups. He expressed his desire to re-establish the full service with sophisticated new features, commended efforts by other operators to start their own servers but warned of the policy of some to who ``feel the best way to deal with abusers is to expose them to the net'' in spite of his own stance that ``public stocks belong to the middle ages.'' Prominent system operator Jon Noring claimed to have traded email with the ``well-known and highly regarded net personality'' Mr. Helsingius cited as paramount in creating a politically hostile situation to the server. Mr. Noring posted some edited excerpts from `somebody': Despite what you may have heard, I did not play a "major" role -- I sent one mail message to Julf urging him to shut the service down. I did what any other person with knowledge of the net might do, too -- I cc'd the administrator of his service provider. The shutdown occurred because of some interaction between Julf and the admins -- probably aided by mail from other objectors. I played no active role in the events. I am drowning in a backlog of work, so I can't go into all the details here, nor am I particularly interested in entering into a long debate -- the bandwidth is too low and my time is too constrained. I do not believe we have the appropriate technology to make an anonymous service work on the net. Furthermore, I remain completely unconvinced that there is a legitimate need, nor is the level of maturity in the user population sufficiently level where it can be effectively used. It may only be a small percentage of people who cause the problems, but that is true of nearly everything in history. > I am a firm believer in privacy, but that is not the same thing as > anonymity. Anonymity can be used to violate another's privacy. > For instance, in recent years, I have had harassing anonymous > notes and phone calls threatening XXX beause of things I have > said on the net... I have seen neighbors and friends come under > great suspicion and hardship because of anonymous notes claiming > they used drugs or abused children. I have seen too many > historical accounts of witch-hunts, secret tribunals, and pogroms > -- all based on anonymous accusations. I am in favor of > defeating the reasons people need anonymity, not giving the > wrong-doers another mechanism to use to harass others. > > ... any such service is a case of willingness to sacrifice some > amount of privacy of the recipients to support the privacy of the > posters. You will not find the recipients of anonymous mail > being the supporters of such a proposal. If the only people who > would support the idea are those who might use it, is it proper? The identity of `somebody' has never been publicly revealed to date due to the anonymity preserved by Noring, Helsingius, and others.
Main Page