The IT Law Wiki
Register
Advertisement
Anonymity is the inescapable 'default position' on the internet. . . .[1]

Definitions[]

Anonymity (from the Greek word anonymia) is

the condition of having one's name or identity unknown or concealed. It serves valuable social purposes and empowers individuals as against institutions by limiting surveillance, but it is also used by wrongdoers to hide their actions or avoid accountability.[2]
[the a]bility to allow anonymous access to services, which avoid tracking of user's personal information and user behavior such as user location, frequency of a service usage, and so on.[3]
[the] condition in identification whereby an entity can be recognized as distinct, without sufficient identity information to establish a link to a known identity.[4]

Overview[]

"To enable anonymity of an individual, there must exist a set of individuals that appear to have the same attribute(s) as the individual. To the attacker or the observer, these individuals must appear indistinguishable from each other. The set of all such individuals is known as the anonymity set, and membership of this set may vary over time.

"The composition of the anonymity set depends on the knowledge of the observer or attacker. Thus, anonymity is relative with respect to the observer or attacker. An initiator may be anonymous only within a set of potential initiators — its initiator anonymity set — which itself may be a subset of all individuals that may initiate communications. Conversely, a recipient may be anonymous only within a set of potential recipients — its recipient anonymity set. Both anonymity sets may be disjoint, may overlap, or may be the same."[5]

Online anonymity[]

Anonymity as a virtue reflects the ideology of the internet pioneers that government threatens rights rather than protect them and that anonymity is essential for the exercise of freedom of speech.[6]

Internet users, both individuals and organizations, often want or need anonymity for a variety of legitimate reasons. Communications privacy laws,[7] health privacy regulations[8] and financial privacy laws[9] all prohibit disclosure of some analog to "personally identifiable information." However, defining "personally identifiable information" is not simple. In some cases, a single piece of information could be enough to identify an individual; in other cases, multiple facts might be required. For example, some claim that an aggregate of gender, ZIP code and birth date are unique for about 87% of the U.S. population.[10]

The right to speak anonymously has a long and respected history in First Amendment jurisprudence.[11]

The right to speak anonymously without fear of government reprisal is protected by a number of laws, including federal whistleblower laws[12] and the First Amendment.[13] The protections for anonymous speech are broad. People who are actually engaging in expressive or political speech are afforded even fuller protections.[14] As a result, anonymity is a complex issue.

Unfortunately, criminals also take advantage of online anonymity as a safe haven from which to launch attacks on Internet users. The challenge is to balance the apparently conflicting needs of privacy and security.

Anonymity vs. security[]

[T]he United States requires strong intelligence, forensics, and indications and warning capabilities to reduce anonymity in cyberspace and increase confidence in attribution.[15]

"Anonymity, in a country that provides for freedom of speech, can have an anti-democratic effect. The effect of anonymity in democratic states can be to cut the link between citizen and personal responsibility, damaging the essential communal nature of politics. Anonymity can allow the expression of opinions without fear of retaliation, such as an employee revealing misdeeds by an employer. In a country that provides freedom of speech, it can also undermine the legitimacy of democratic institutions and, as a result, weaken the protections they provide for civil liberties."[16]

Anonymity vs. privacy[]

Privacy and anonymity are not the same.

The distinction between privacy and anonymity is clearly seen in an information technology context. Privacy corresponds to being able to send an encrypted e-mail to another recipient. Anonymity corresponds to being able to send the contents of the e-mail in plain, easily readable form but without any information that enables a reader of the message to identify the person who wrote it. Privacy is important when the contents of a message are at issue, whereas anonymity is important when the identity of the author of a message is at issue.[17]

"Security dictates that one should be able to detect and catch individuals conducting illegal behavior, such as hacking, conspiring for terrorist acts, and conducting fraud. . . . Legitimate needs for privacy (such as the posting of anonymous bulletin board items) should be allowed, but the ability to conduct harmful anonymous behavior without responsibility and repercussions — in the name of privacy — should not."[18]

References[]

  1. The Significance of the Frontier: Why Privacy and Cybersecurity Clash, at 7.
  2. Framework for Privacy Analysis of Programs, Technologies, and Applications, at 7 n.3.
  3. NSTAC Report to the President on Identity Management Strategy, at C-1.
  4. ISO/IEC 24760-1:2011.
  5. Privacy Considerations for Internet Protocols, at 19.
  6. The Significance of the Frontier: Why Privacy and Cybersecurity Clash, at 8.
  7. See 47 U.S.C. §§222, 531.
  8. See generally 45 C.F.R. Part 164, Subpart E (Privacy of Individually Identifiable Health Information).
  9. See 15 U.S.C. §6809 (defining "nonpublic personal information").
  10. Wendy Davis, "Court: IP Addresses Are Not Personally Identifiable Information," Mediapost, July 6, 2009 (full-text).
  11. Jaynes v. Commonwealth, 48 Va. App. 673, 689, 634 S.E.2d 357, 364 (2006) (full-text).
  12. See, e.g., 18 U.S.C. §1514A (protecting employees who blow the whistle on publicly traded companies); 42 U.S.C. §7622 (protecting employees who disclose possible violations of the Clean Air Act); 49 U.S.C. §31105 (protecting employees who disclose possible violations of safety regulations for commercial motor vehicles); see also WhistleBlowerLaws (full-text).
  13. See, e.g., McIntyre v. Ohio Elections Commission, 514 U.S. 334, 357 (1995) (full-text) ("Anonymity is a shield from the tyranny of the majority.").
  14. Reno v. ACLU, 521 U.S. 844, 870 (1997) (full-text).
  15. The DoD Cyber Strategy, at 11.
  16. The Significance of the Frontier: Why Privacy and Cybersecurity Clash, at 8.
  17. Engaging Privacy and Information Technology in a Digital Age, at 46.
  18. Critical Information Infrastructure Protection and the Law: An Overview of Key Issues, at 70.

See also[]

Advertisement