Thanks to Bruce Schneier for linking to this interesting article on using patterns in language to identify the author of emails.

While the technique would not allow them to identify your anonymous emails in an ocean of others, that is rarely the real world threat scenario.

In many cases there is a relative hand full of likely authors of a given email or group of emails. It is often possible to gather large samples of emails known and acknowledged to be from the likely authors. In that case this technique has a small group of targets and excellent training materials which allow for very high levels of accuracy (the authors of the paper claim 80% – 90%). That is probably enough to get a warrant to search your home and computers.

Unless you have been unusually careful, the gig is probably up by then. Remember, this might not be for criminal matters. It many cases this would come up in whistle blowing or other non-criminal situations.

Amid unrest, a hard new look at online anonymity | The Social – CNET News:

This article takes an interesting look at the issues with Facebook’s true name policy and the impact it has on activists and dissidents in repressive countries. It quite rightly talks about the fact that for most of the history of the Internet use of “screen names” was the default.

The odd thing about this debate is that there is basically no authentication of the names used. Many people assume that since most users are under true name that all of them are. It is trivial to set up a new account with a plausible name which can not be traced back to the real user.

I would hope that dissidents, activists and others at risk would take advantage of this simple capability to protect themselves. Yes, this is in violation of the terms of service, but I think it is for a much greater good.

If you choose to do this, take care with who you friend under this alias. If the social network you create matches your real one, or that of another account, it may be very easy to unmask your identity.

A reader of this blog recently emailed me to ask:

What s/w do you recommend to keep anonymous while using Gmail, IE, Outlook, and Facebook on a laptop?

This is actually a very tricky question because the nature of all of these tools, except Internet Explorer (IE), is to be associated with a visible and discoverable account and identity in the “cloud”. I will discuss IE last and separately.

Gmail ties to your gmail and other Google accounts. Outlook ties to some existing email account at some email provider. Facebook is tied to your Facebook account and is explicitly designed for making your information public.

The profound question here is, what do we even mean by being anonymous using these services? I would argue that the best one can manage is to be pseudonymous; that is to maintain a persistent and visible pseudonym / alias which, while discoverable, is not associated with your true identity.

Fortunately Gmail and Facebook are free and typically do not require any real credentials to set up an account, and many of the free email providers work similarly. Using Anonymizer Universal (AU), and a browser with no history or cache to set up the accounts would ensure they were not connected to your real identity. It is important that the accounts never be accessed in any way except through AU, or they will be forever after associated with your real IP address. Furthermore, it is critical that the browser used is never used for any activity connected to your real identity, or the cookies and other digital detritus in your browser may allow these sites (or other folks) to tie the pseudonym to your other real name accounts.

IE is in many ways the easiest because there is no underlying account, but all the same rules apply. You need to ensure that you isolate your anonymous or pseudonymous activity from your real name activity.

For all of this activity a virtual machine can be a very effective tool. For example, if you use a Mac you can use a virtual machine running Windows or Linux for all of your alias activities and use the normal operating system for your real name activities. Similar tools exist for other operating systems.

In this post from early 2008 I talked about a technique for detecting what sites you had visited. Almost 3 years later about 66% of users are still vulnerable to this attack according to a study (paper here) from the University of California, San Diego published in October 2010.

This study further showed that this vulnerability is being widely and actively exploited. Of the top 50,000 sites (based on Alexa ranking) 485 access information that could be used to discover browser history and 46 were confirmed to be actually performing this attack. One of those 46 was in the top 100 websites on the Internet (youporn.com).

On December 2, 2010 two Californians filed suit against youporn.com alleging that they are using this technology to exploit a browser vulnerability to gather private data without disclosing that they were doing so. They are seeking class action status for this suit.

If this succeeds it would set an interesting precedent and open a new path to enforcing privacy rights in the absence of specific legislation.

The WSJ reports on a recent FTC report endorsing the concept of a universal “do not track” registry similar to the “do not call” list. Predictably the advertising companies are unhappy, and privacy advocated are cheering.

I think that some kind of outside regulation is necessary and inevitable. Self regulation has not worked, and is very unlikely to work in the future. The self interest of the targeted marketers is too diametrically opposed to the principles of transparency and personal control.

The WSJ quotes Rob Norman, chief executive of WPP PLC’s GroupM North America, which buys ads on behalf of corporate clients as whining ”FTC endorses ‘do not track’; an emotional goodbye to free content so kindly funded by advertisers.” Lets be clear, there is no “kindly” about it. This is all about making money for the advertiser. The “free content” is simply a delivery vehicle for ads.

Right now the exchange of information and access to the viewer is implicit. This proposal makes it explicit. I see no reason why sites could not, or should not, be set up to require users to opt in to be able to access the content. I would then have the ability to choose to opt out, go elsewhere, or pay to be free of tracking.

The rapidly increasing use of “evercookies” and other very hard to remove tracking techniques shows just how resistant to user control these companies really are. Where the tools and standards exist for users to delete tracking information, the marketing companies are creating new tools to make your choices ineffective.

As if more proof were needed, the marketing companies suggest opting out through their about ads website. Of course, if you want to opt out, you must enable third party cookies on your browser, which simultaneously exposes you to much more effective and intrusive monitoring.

Anonymizer will continue to innovate with new technologies to stay ahead of this arms race with tools like our new “Nevercookie” plugin.