Pseudonymity means real privacy

09.10.2012 by Dave Kearns

In my last posting, I stated that “privacy is not anonymity”. I received a few questions about that, so today I want to elaborate on the subject.

Let’s get something out of the way right off the bat – there is not, nor can there be, true “anonymity” on the internet – or almost anywhere else, for that matter. Someone, or something, knows who you are – even if they don’t know your “real” name.

Here’s an illustration from real life.

A man walking his dog, we’ll call him “Mr. A”, gets into an altercation with another man (Mr. B) and knocks him down, then runs away. Speaking to the police, Mr. B describes his attacker as six feet tall, reddish hair, goatee, wearing a denim jacket and carrying a Starbucks cup, and his dog was a black Labrador.

The police head to the nearest Starbucks and ask if someone matching that description had been in that morning. “Oh sure,” the barista answers, “he comes in most mornings.” But he always pays cash, so the barista doesn’t know his name or where he lives. “But he calls the dog ‘swarzie’ and has an accent.” The brighter police officer recognizes the term as possibly “schwarze,” German for black. He instigates a house-to-house search looking for a German immigrant with a black Labrador and is told that “the man in the first floor apartment speaks German and has a black Lab.”

So without ever knowing the suspect’s name, the police can track him down because a relatively unique set of attributes (description, dog, accent, etc.) identifies the individual who committed the crime. What, on the face of it, would be considered an “anonymous attack” was, in reality, anything but.

On the internet, every computing device that’s connected is identified by a unique number – its IP (Internet Protocol) address. This number must be unique so that data can find the device, whether it’s a web page, an email, a tweet or some other form of transaction. Not all IP addresses are fixed for all time, though. Most of us connect through an Internet Service Provider (ISP) who gives us a locally unique IP address which can change every time the connection is renewed. Here’s an example: the router I connect to at my ISP’s site has an IP address of 22.33.44.55, and this is the address it shows to the internet. My connection is given the locally unique identifier of 192.123.45.2 and the router knows my device and can correctly route traffic coming from the internet to that device without actually revealing my (locally unique) IP address. But that router does know that address and – more importantly – who it was assigned to at a given time.

But suppose I don’t use MY computing device – there are internet cafes, public libraries, and other places. But each of those has other people around who can “identify” me (i.e., give a complete description) or require me to use some form of ID token (credit card, library card, etc.). Use of a smartphone or tablet is tracked by the service provider so I can be billed properly. In those instances where I don’t have to be identified by name, the same scenario as the dog-walking Starbucks customer cited above still works.

There really is no true anonymity.

There is, though, relative anonymity or pseudonymity. Pseudonyms have a long history, especially among writers (where they may be known as “pen names” or “noms de plume”). The English author we call George Eliot (“The Mill on the Floss,” “Silas Marner,” “Middlemarch”) was actually a woman named Mary Ann Evans. She used the pen name because, at that time, it was nearly impossible for a woman to be published. The mystery author Ellery Queen was actually a collaboration between two men, Frederic Dannay and Manfred Lee. Even stranger, both of those names are pseudonyms: Dannay was actually Daniel Nathan and Lee was legally Manford Lepofsky!

On the internet, pseudonyms are normally referred to as personas or “digital identities” and people can have many of them. Why? Here’s a scenario:

Samantha Smith teaches first grade at the Houston Christian Day School. As such, she’s agreed to behave in such a way as to not reflect badly on the school. But Ms. Smith does like to flirt and does like to read and write “adult” material. So she has joined an on-line forum for folks with similar tastes where she is known by the handle “NaughtyGirl”. No one on the forum knows her real name and no one at the school knows about her on-line persona. NaughtyGirl is just as much a real identity as Samantha Smith. Whenever NaughtyGirl posts to the forum all the other users recognize her as that user – she’s authenticated herself in order to access the forum.

Now it is still possible for someone (probably in law enforcement) to trace the postings by NaughtyGirl back to Samantha Smith’s computer. But – unless she breaks some law – the likelihood of that is exceedingly small.

This is the identity distinction which baffled Google (and continues to baffle Facebook) known as the “nym wars”. The name on your birth certificate, your driver’s license, your national health card or even your passport isn’t the name that most people know you by. The best example is my friend Kaliya, better known as “Identity Woman”. Officially she is Kaliya Hamlin – her married name put on her official documents when she married her now ex-husband. But still legally her name. Some people know her by that name, a lot fewer by her birth, or maiden, name. Thousands upon thousands, though, know her as Identity Woman. Yet she had to fight, tooth and nail, with Google to use that identifier with Google+ who insisted that only “real names” could be used. I’d guess they’d only allow accounts for Daniel Nathan and Manford Lepofsky, rather than for Frederic Dannay and Manfred Lee – Ellery Queen wouldn’t stand a chance!

Facebook created a torrent of objections (what, again?) recently when they showed users a picture from a friend’s account and asked the user to verify the friend’s “real” name. As this story in Forbes notes:

“Like the bar Cheers of television fame, Facebook wants to be a place where everybody knows your name. Your real name. Not your nickname. Not a fake name you’ve created to protect your privacy. Not your Wiccan name. Your real name… and has tried to force at least one prominent user — Salman Rushdie — to go by the name on his passport on the site.”

These so-called “social networks” don’t seem to understand that in real life (“meat space” as opposed to cyberspace) people do keep their social networks separate – work, home, school, church, activities (wine tasting, book clubs, sexual activity, volunteerism, etc.) – in large part from a wish to protect the privacy of their words and actions.

The bottom line is that I don’t believe true anonymity is available anywhere any longer (if it ever were available) but that pseudonymity is something to be desired, promoted, wished for and encouraged so that people feel safe and protected – and feel their privacy is protected – whenever they speak out. There’s a great marketing opportunity here for a new “social network” which preserves privacy but which can also be a commercial success. I’ll let you know if I find one.


  • Tom Wilson

    Great discussion of the distinction(s) between Privacy and Anonymity – and the concept of "pseudonymity", using pseudonyms and persona.

    While achieving true anonymity may be effectively impossible, one point you missed is the fact that "hiding within the crowd" is easier for some than for others. As someone who possesses an extremely common Anglo-Saxon given name and surname, it's frequently quite easy for me to disappear within a modest-sized sample that nonetheless includes multiples – even if you include middle initial or name, and suffix. The resulting confusion means that even intersecting with other common identifiers, such as birth date or SSN, can still leave ambiguity with regards to true or "real" identity.

    Research suggests that most people are moderately comfortable if their identity cannot be uniquely identified below a level of about 1 in 10,000. Some prefer greater anonymity, and construct online pseudonyms or personas to partition their identity, while others are comfortable at much greater levels (1 in 1,000 or even 1 in 100) of identity exposure. Regardless, creating and maintaining that level of personal exposure that allows one to hide within the crowd at a desired level of granularity or resolution seems to be the key with respect to our online identities, and their intersection with real life (BTW, "meat space" sounds ghastly, like something out of the Walking Dead … )

    Lastly, we each take steps within our real, physical lives to maintain certain boundaries between different audiences – work, home, school, etc. – as you point out. However, even in real life those boundaries are porous, independent of our actions. Just ask any disgraced or discredited politician or other public figure. Because the online world is infinitely more porous, individuals need more and better tools which let them take better control over their personal information, and then understand, quantify and manage their exposure. These tools and services will be an essential part of the new and emerging personal data economy.

  • John Fontana

    Dave, Take a look at Sgrouples. https://sgrouples.com; re: “social network” which preserves privacy. This is Mark Weinstein's new gig. I wrote about them in Aug. http://www.zdnet.com/will-sgrouples-end-social-ne
    -john

  • Colin

    While I think pseudonymity *can* mean real privacy, it is not a binary/absolute. It depends how it is deployed. In a federated SSO use case, if you federate the same pseudonymous identifier across multiple services (or privacy domains) *and* in the absence of federation rules or national regulation that prohibit such information sharing, a way to eventually expose the real identity is open, coming back to the 'assailant and his dog' use case referred to in the opening post. In NZ's igovt (www.i.govt.nz) service we deploy pseudonymous key pairs for each user and site/resource instance.
    And there are many more aspects to privacy than just making the PII opaque – like minimalizing data collected, seeking explicit user consent when any PII is moved or exchanged in the course of delivering a requested service etc., to name just two.
    Cheers
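
The linkability risk raised in the comment above, as an added example that is not part of the original comment and is not igovt's implementation: it contrasts one pseudonymous identifier shared across services with a separate identifier per user and service. HMAC-derived identifiers are used here as a stand-in technique, and the secret, service names and attribute records are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret held only by the identity provider; placeholder value.
IDP_SECRET = b"constructed-demo-secret"

def shared_pseudonym(user_id: str) -> str:
    """One opaque identifier released to every relying service."""
    return hmac.new(IDP_SECRET, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def pairwise_pseudonym(user_id: str, service: str) -> str:
    """A different opaque identifier for each (user, service) pair."""
    # Length-prefix the service name so (service, user) boundaries are unambiguous.
    msg = len(service).to_bytes(2, "big") + service.encode() + user_id.encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def link_profiles(*service_records):
    """Join records from services that pool data, keyed on the identifier received."""
    merged = {}
    for records in service_records:
        for ident, attrs in records.items():
            merged.setdefault(ident, {}).update(attrs)
    return merged

def widest_profile(merged):
    """Largest number of attributes that accumulate under a single identifier."""
    return max(len(attrs) for attrs in merged.values())

# Constructed sample: what each service observes about the same user on its own.
USER = "user-4711"
OBSERVED = {
    "coffee.example": {"description": "six feet tall, reddish hair, goatee"},
    "pets.example": {"dog": "black Labrador"},
    "forum.example": {"language": "German"},
}

def issue(identifier_for):
    """Build each service's records, keyed by the identifier it was given."""
    return [{identifier_for(USER, svc): attrs} for svc, attrs in OBSERVED.items()]

# Same identifier everywhere: pooled records collapse into one rich profile.
shared = link_profiles(*issue(lambda user, svc: shared_pseudonym(user)))
# Per-service identifiers: pooled records stay as three unlinked fragments.
pairwise = link_profiles(*issue(pairwise_pseudonym))
```

With the shared identifier the three services' records merge into a single three-attribute profile, the situation of the dog-walker in the post; with pairwise identifiers they share no join key.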

© 2014 Dave Kearns, KuppingerCole