76 comments

[ 2.7 ms ] story [ 151 ms ] thread
Anonymity online, one of the most important problems of the coming decades. Even if you don't think it's important to be anonymous to the eyes of the government, being anonymous to the eyes of drive-by troll litigants is almost undoubtedly a good thing. (And I think drive-by litigation powered by increasingly easy access to information is only going to be getting worse.)
"Anonymity online, one of the most important problems of the coming decades"

...and a solved problem. We have numerous technologies for this.

It's not really "solved" as long as the technologies are too complicated to use for the regular user.

It's good that the legal framework allowing anonymity is already in place in some countries (like Germany and... Even the EU seems to be going in this direction) but technically it's complicated.

I don't expect regular people to know how to connect to free public WiFi hotspots and then to use Tor and browser(s) able to dodge Panopticlick-like detection anytime soon.

This may come at one point but we're not there yet and we probably won't be there anywhere soon seen that there are big governments out there determined to crush for fun and profit the very notion of anonimity.

Germany is still a complicated case since, even though they value anonymity and privacy, they're by and large quite happy to prosecute for infringement. And the threshold for that infringement is still a bit murky. That's not to say, I condone piracy, but we have far too many cases of people being punished for fair use and/or disproportionately.

Using Tor has now become fairly straightforward with the Browser Bundle and I expect similar packages to be available for mobile devices soon.

Another big obstacle is that there is no way to run tor on iOS without a jailbreak.
This is absolutely false. There is no good way to cheaply host a high-traffic site anonymously right now.
Much less use it to make money anonymously.
How do you figure? Hosting providers exist out there that accept bitcoin right now.

With that one crucial link between you and the hosting provider severed, i.e. who's paying for it, what's left to link the server to your identity?

Bitcoin is not anonymous. Too many people make this wrong assumption. It's the least anonymous currency/payment system I've ever seen. After all every single transaction is public.

Of course it depends on who is trying to get the data about you. If it's the hoster then yea, he wont get it. But if it's the authorities/government then they'll get it. Plus theres a chance of you by accident exposing all your payments with your name...

Anonymity is different though. Every single transaction is public, yes, but that only leads you to a bitcoin address, which is trivial to change. Perhaps there's a way to unmask them (even if you are smart about changing your "bitcoin identity"), but it is far more anonymous than many other options.
If you open a new wallet, it has no money. Any transfer you make from your old wallet to the new one is public and trivially traceable. It's not anonymous to anyone who puts 5 minutes work into tracing you.
It just depends on where you get your bitcoins from. You could:

- Mine bitcoins.

- Steal bitcoins (i.e. hack an exchange)

- Pay cash for bitcoins[1]

- Pay for bitcoins with stolen credit card info.

- Pay for bitcoins with anonymous pre-paid credit cards[2]

Of course, that just gets you a bitcoin wallet that isn't necessarily tied to you. Now you have to figure out a way to spend them without leaking personal information.

[1] The person that you pay could identify you, but if you give false information, and aren't picked up on surveillance (CCTV, etc), then it becomes a difficult to track down link.

[2] Same issue as [1]. Your weak link is the point-of-sale for the pre-paid credit card.

You missed a biggy, which is "Receive bitcoins as payment".

You could set up a bitcoin gambling website, sell some sort of SaaS for bitcoins or, perhaps the most popular and profitable route right now, sell some drugs for bitcoins. Hypothetically, depending on your state/country, you could acquire weed legally and then (illegally) send the weed through the post in exchange for bitcoins.

You would have to provide it as a Tor hidden service though, otherwise all of your expenses in running the site would open the way for your anonymity to be breached (i.e. your domain name, your hosting provider, etc).

Basically if you're providing a service to someone, then there is a possibility of said service revealing who you are. E.g. if you're sending drugs to people, then maybe the packages are traced to a source.

Okay, maybe I'm not understanding something.

Since you can generate unlimited wallets, lets say I have two, A and B.

Wallet A is known to belong to me. Coins I buy off of Mt. Gox end up in this wallet.

I create wallet B, and then send coins to it.

Using wallet B, I then send coins to a hosting company's wallet for for a server.

The fact that I sent coins from Wallet A to Wallet B is public information. The fact that I own wallet B is not public information.

If I was a government type trying to trace someone down, how would I prove who owns wallet B?

Let's assume I generate a new wallet every time I pay for hosting when the bill comes due. The path is even murkier.

If I was really paranoid, I could create wallet B, hop on Tor, make a post on a bitcoin board somewhere selling some kind of non existent goods, posting my Wallet B address for payment, regenerate my Tor circuit, post as another account on the same board indicating interest in these goods and post my wallet A address.

How does this look to any observer like anything but some guy sending coins to some other guy who ends up using those coins to buy hosting, or any other good or service?

If someone buys something illegal, and the cops look up the transaction in the bitcoin network, it narrows things down to just a few wallets where the funds might possibly have originated. If they look back a few links in the chain and the find bitcoin exchange where you initially got the money, they now know that you exchanged just the right amount of money to make the illegal purchase. It doesn't take much work to put 2+2 together.
>it narrows things down to just a few wallets where the funds might possibly have originated.

This can be defeated, either manually or via a tumbling service to make the link chain so huge as to be useless for evidence purposes.

Again, it's easy to link me to wallet A assuming I just buy from a service with links into the traditional financial system. It's significantly harder to prove I own any of the wallets I send money to.

>If they look back a few links in the chain and the find bitcoin exchange where you initially got the money, they now know that you exchanged just the right amount of money to make the illegal purchase.

This could be defeated by sending more than the amount required when you fund the second wallet.

Again, nobody knows that I own wallet B. Given a sufficiently plausible public exhibition on a trading site, it may look entirely like it's owned by another person outright, and if your goal is to avoid legal scrutiny, so much the better.

Looks like we have a classic case of not understanding the currency.

Bitcoin can be anonymous because you can create wallets and transact between them without any proof of ownership of the wallets.

Put another way, yes, they can see that one coin that you originally owned eventually made it to a specific party, but they can't prove that you were the parties in between.

tldr; Don't make assertions about stuff you don't understand.

Sure you can spread out your money across many addresses but at some point they are going to merge at least a bit again when you want to make a payment. Unless you split the money in big enough chunks to make payments from them.

Example: you have 10 BTC, spread it to 3 addresses (A: 2 BTC, B: 5 BTC, C: 3 BTC) and want to make a payment over 6 BTC. Now you will have to either create a new address which gets money from B + (A || C), then transfers it to the seller or transfer from said combination directly to the seller. Since one can see B and one other address working together, one could assume they both belong to the same owner.

This is just one example of how you can still track address owners with varying chances of success. One can with great care probably make Bitcoin anonymous but the average user wont.

> tldr; Don't make assertions about stuff you don't understand.

Yes, that pretty much covers your comment. It's not like they won't just investigate all wallets intermediate to major exchanges/merchants as leads. It's not like FinCEN doesn't have decades of experience tracking mass flows. It's not like they won't invoke guilt by association for any of the four horsemen.

Please, take a look at the properties of Brands's blinded signatures for an example of an actually anonymous currency (it has other problems though).

Bitcoin is traceable. This means that it does not provide privacy. Note that cash is also traceable in edge cases thanks to serial numbers.

Bitcoin is definitely anonymous. Consider: a wallet has no PII attached to it, beyond what you give it via transactions. Contrast this with a credit card, which typically has PII as an integral part of the way it operates.

A bitcoin wallet without transactions is useless[1]. Transactions are how you put bitcoins into it, and how you use bitcoins to pay for things. If you create a wallet, but never use it to transact anything, it doesn't do you much good.

[The exception here being mining. I don't believe that you release PII as a miner, yet you bring in bitcoins.]

This is true. There are ways to transact which don't compromise your identity. They are a pain; it's a trade-off.

To your point at [1], I am not aware of any way which mining can compromise PII.

The transactions are public, the actors are not.

This makes it anonymous.

There is an insurmountable technical problem with high-traffic anonymity: the volume of traffic makes you stand out. The only good solution is to use something like Freenet, a peer-to-peer system where no single node is responsible for large amounts of data. The existence of Web-Freenet gateways helps a lot for dealing with people who are not running the Freenet software:

http://www.df5ea.dds.nl/pw2fgp.html

You can also not keep logs at all, so there is nothing to subpoena.
Unless publishing the documents is what you need to be wary of. That was the whole idea behind Tor hidden services: to give people living in repressive countries the ability to run blogs etc. anonymously.
No, but law enforcement can force you to log information with warrants, national security letters (US-only), etc. So they won't have records in the past, but once they are focused on looking for something, they can get information going forward.
You don't have to log traffic, your bandwidth provider can do that without your permission.
(comment deleted)
That's like saying that drunk driving is a solved problem because we have breathalyzers, seat belts and airbags.
Why is anonymity online so important?

We have never had the amount of anonymity we do today. Being able to communicate to large numbers of people while remaining anonymous was something that was just not that practical before the internet. Society functioned just fine then. So why is it so important now?

Not that I support what this troll is doing of course. But I fail to see why a start of affairs that basically only existed for a small group of people from 1970-2000 is so crucial to civilization now that the internet is just an extension of real life and not a playground for the technological elite.

I take it you have been fortunate enough to never have to deal with online stalking/harassment that made the jump to meatspace.

Perhaps it is that experience that has rendered the status quo unable to satiate. "The needs of society" can kindly go stuff itself, I need anonymity.

Anonymity has always been easier than it is now. Before sophisticated record keeping, you were anonymous to any stranger or new acquaintance. Moving to a new town was an opportunity to become a new person. Anything you published could be pseudonymous or anonymous. Letters and phone calls were essentially anonymous, unless you specifically announced your identity.

With modern technology, all that is slipping away, or already gone.

I am wondering if you ever lived in a small town. There was no real anonymity.
This misses his point entirely. Sure, everyone in a small town knows each other, but it used to be that when you moved to a NEW small town (or anywhere else for that matter), almost nothing followed you. You could re-invent yourself, move past old failures. Now you have a constant and easily accessible record of your life online, which anyone can look up. There is no space you can go to that people can't easily find records of who you used to be. THAT is a loss of anonymity.
I take your response as "no" to the question if you have lived in a small town.

I grew up in a small town and my Dad knew everybody in the county and the next one, whether they were in town or in the countryside. And likely a couple of generations back. Several families moved to California, and the social network reached there.

A cousin of mine had a brother that fled home. He eventually tracked him down using old shoe leather techniques.

My experience and that of my family does not match this theory of "loss of anonymity."

Now, modern suburbs are more likely to be anonymous, and perhaps that is where this theory comes from, but it does not come from small towns.

Yes... your dad knowing people in the county next door is exactly the same as having your online history available to everyone on the other side of the globe.
I've never lived in a small town, but if literary accounts are to be believed, it was hell for precisely this reason.
You fail to see the importance of anonymity because you're set on proving that anonymity is of little use or harmful.

A historical comparison is irrelevant and fallacious - we didn't have modern surgery hundreds of years ago and despite people dying society ticked on. If all you see is the forest you can pretend the pain of the trees doesn't matter.

And the internet is just a playground for the technological elite too (you need a computing device after all) so I suppose you see no need for it either.

> And the internet is just a playground for the technological elite too

The internet is not a playground for the technological elite, not any more. It's a place where my mother in law trades baby pictures with my mother.

As internet use becomes ubiquitous in the real world, and the boundaries between "meat space" and internet space evaporate, the anarcho-idealism of the technological elite that got onto the internet early is evaporating too.

This is to an extent lamentable, but you can't expect the "wild west" to continue to exist after the land stops being the frontier. That isn't to say that anonymity isn't important, it is, but it's just one concern to be balanced against many.

>This is to an extent lamentable, but you can't expect the "wild west" to continue to exist after the land stops being the frontier.

The internet has never been the wild west. Twenty years ago it was a bunch of middle class scientists and mathematicians discussing philosophy and writing code. It's about as far away from any kind of real danger as you can possibly imagine.

The result of the "wild west" metaphor is to imply that we need to have some cowboys come in with blankets and other "gifts" for all those wild Indians who once occupied it so that they can hurry up and die out and make room for Walmart and Cable TV and upstanding members of the Chamber of Commerce.

But the internet isn't a dangerous place. It isn't even a place. It's just a thing that lets computers and users all over the world communicate with one another. About the worst thing that the average person is even capable of doing with it is to lie to someone else or infringe copyright, or maybe (if we're the sort of people with an interest in keeping our comrades compliant members of The Party) they could distribute or gain access to some "subversive propaganda" from the likes of Jane Fonda or Adam Smith or whoever we don't like this year in this part of the world.

The internet isn't the dangerous thing, it's the rest of the world -- the dangerous thing is an internet without anonymity. Because if people know who you are then saying the wrong thing or reading the wrong thing can get you killed (or fired or harassed or wrongfully imprisoned). And all not knowing who said something really does is the same thing as the First Amendment: It requires you to respond to speech with speech instead of with punishment.

>Being able to communicate to large numbers of people while remaining anonymous was something that was just not that practical before the internet.

Come on now. That's only because for the average person being able to communicate to large numbers of people at all was something that was just not that practical before the internet. And to the extent you could communicate, it wasn't that hard to do it anonymously: Sit down in a public phone booth to make your phone calls. Write a letter to the editor under a pseudonym or write letters to as many people as you like and drop them into a public mailbox. Post a message on a bulletin board at the local library while nobody is watching. Provide a recording for broadcast to a journalist with a reputation for protecting sources.

The novelty is being able to trace the source of a communication through the corporate intermediary that carries it and back to the actual speaker. And even that is a lot of hand wavy hocus pocus that makes poor assumptions about the relationship between paying for an internet connection and being the one responsible for what gets sent through it.

Because for the first time in history, every action you take in fundamental aspects of your life--your communications with others (email), what you read (everything online), what you watch (Hulu, etc.), what you listen to (Pandora, etc.), and so on--can and will be traced and recorded, perhaps indefinitely. (See Room 641A, the NSA's Utah data center, etc.) People could go back and see exactly what you did online for years and possibly judge/punish you for it should laws or social mores change in a decade or two, which is not entirely out of the question--just look how things changed in a decade after 9/11. Things like Guantanamo Bay or open extra-judicial assassination of US citizens would have been unimaginable to us before that event, and yet here we are today.

Worse, it could be done on a massive automated scale. Before if an agency wanted to find a potential criminal, they'd have to expend time and manpower looking things up. In the coming years a computer could data-mine your online activity going back a decade, including email, to decide if you were a threat or not. Perhaps it's not possible today, but someday, it will be--and this stuff is being recorded now.

Laws and societies change. The hard information on your history kept in easily-processable racks in vast data centers doesn't. That's the big worry for me.

<rant>

Just the other day, I was googling for something in the library. I can't see so well, so I crank up the text size. It's quite readable to others sitting a few feet behind me.

On a whim, a stranger walks up behind me, addresses me by name, and tries to strike up a conversation. He wanted to know where the bathroom was or whatever, but he addressed me by name. I never saw him before.

"Wait wait wait. How'd you know my name?" I ask. "Who are you?"

"Oh, don't you see? It's right there in the corner of your browser window."

I looked, and sure enough, if you're signed in to Google Plus, Google will grace all of its web pages -- all of them, including gmail, search results, etc -- with your first and last name, as decided by your profile's display name. It's right there in the corner.

Since then, I learned my lesson: stay signed out of Google + when I'm browsing in pulbic places unless I want strangers to walk up to me and know who I am.

Sometimes I prefer to remain anonymous. Sometimes I feel like the increasing pressure to always use real names for services isn't a good thing, especially when those companies turn around and expose that valuable information in odd ways like Google is doing.

The option to exercise anonymity is one of the best defenses I have against these kinds of events.

That or I can simply stay signed out all the time...which is equivalent to not using the service.

I know its torrentfreak, so I should expect it, but there is way too much hyperbole in this article.

Just give us the facts! </rant>

I found this article to be very pleasant and easy to read. Facts were there and presented swiftly in a humorous style, with references if you want the dry read.
Apparently, these folks (or is it 1 or 2 people?) have never heard of the idiom, "when you find yourself in a hole..."

This is by far the most surreal, almost TwilightZone-like, behavior of any legal entity I've ever seen. I'm tempted to almost take it as a desperate attempt to self-destruct in some spectactular way as to deflect any sort of punishment for the abuse of the justice system. But that would assume they actually knew what they were doing.

They have no standing to demand this information as visitors haven't conducted any sort of copyright infringement (we're not talking Viacom-YouTube stuff here) and second, among the visitors were journalists and (surely) representatives from the government. Someone had to research the trolls.

"The TL;DR is that there is going to be an unprecedented showdown in a Los Angeles court on Monday that could lead to someone associated with Prenda going to prison."

Uh, make that everyone, if there's any justice left. Except maybe that Cooper fellow who had his identity usurped as CEO.

I don't believe a court has ordered this, it's just Prenda Law's threat. Thus has zero meaning, other than more Prenda hilarity.
Here's the actual subpoena: https://dietrolldie.files.wordpress.com/2013/03/automatticwo...

It looks like they domesticated it to California, so they (wordpress) would need to file a motion to quash.

I like what you did there - I clicked on the link to read the doc and then slowly realised that my IP now falls within the scope of the requested information.
I found myself reluctant to open the links to FightCopyrightTrolls and DieTrollsDie. Even if there is no consequence to following those links (and smackfu has argued plausibly above that there could be) there is a chilling effect from this demand.
I want to do a "I am Spartacus" thing now.
Worse, because they almost certainly will look for some way to sue readers of those sites. On the other hand, it might give you not-so-free front row tickets should they be sanctioned by the judge.
I'm surprised the subpoena doesn't have anything on it that makes it seems like a judge read it. I understand that most subpoenas are just approved by the judge and issued without review, and that the opposition is expected to file a motion-to-quash if they don't like it, but this doesn't even seem to have a signature or anything from a judge.
Generally, an attorney can issue a subpoena without a judge's approval. It's when you ignore it or challenge it that a court gets involved.
>> "Defendants have published copious volumes of such false statements to many third parties, theoretically extending to every person on Earth through the Internet

...really swinging for the fences with this one.

It's really just the continued abuse of the courts by Prenda. They have no real interest in taking this libel suit anywhere. All they want are the IP addresses, so they can cross-reference it against their list of infringer IPs and names/addresses from other cases and then file individual copyright suits against those people as punishment.

It makes this a very high stakes game, since even if the court throws out the result of the subpoena for use in the libel case, Prenda gets what they want. You could argue that is why they filed three separate actions in three different courts, just to up the odds that one of them would get the desired information.

They've done very similar things before, where they filed a lawsuit against the same list of IP addresses / John Does in a dozen different venues, because they only needed one judge to allow the discovery request to go through to get what they wanted.

> ... the sites mentioned above have been keeping up to date, complimented [sic] brilliantly by ...

* sigh * ... the desired word is not "complimented", it's "complemented".

http://blog.oxforddictionaries.com/2011/04/compliment-or-com...

Upvote for correcting a common mistake, massive downvote for doing it with a remarkably patronising * sigh *.
Also, 'television' is not a word.
What?
It's a barbarism, a mixing of Greek and Latin roots into the same word. Barbarisms are errors in usage.

"'Television' is one of the most recent offspring of linguistic miscegenation." -- Leslie A. White, The Science of Culture, 1949

http://grammar.about.com/od/ab/g/barbarismterm.htm

It's in the OED, that's good enough for me!
It's sad that Torrentfreak gets to own this issue on HN instead of Popehat, an excellent blog run by former prosecutors turned First Amendment attorneys, and if you have the slightest inclination towards legal nerdery you owe it to yourself to read their (superior) coverage of the Prenda Law debacle.

Here's a starting point: http://www.popehat.com/2013/03/06/deposition-reveals-prenda-...

This is a rare instance in which Torrentfreak may be covering a story accurately, although don't race to pat them on the back for that because this does seem to be a case in which copyrights are being prosecuted by parodically conceived comic book supervillains.

As Popehat reports it, what seems to have happened is this:

* A small law firm in Chicago, through a series of shell transactions, acquired the rights to some porn properties.

* The firm began running a variant of the movie studio lawsuit playbook on people it determined had shared those files over the Internet.

* The firm did not disclose to the court that it had a direct interest in the media properties, instead representing that it was counsel for 3rd party firms that owned the properties (this is technically true, but wait...).

* Another attorney, Morgan Prietz, began inquiries into these suits, smelled a rat, and started collecting evidence.

* Among the evidence discovered: one of the shell owners of the porn videos was an "Alan Cooper", who is evidently a former acquaintance of one of the Prenda attorneys with no actual relationship to the business and who has in effect had his identity stolen as a figurehead for the lawsuits.

* Prenda manages to bring a case in the court of Judge Otis Wright. Prietz reaches out to Judge Wright, filing a document that more or less directly accuses Prenda of fraud. Prenda replies to the filing by addressing ancillary issues in it without rebutting the core allegation. Judge Wright notices, and brings down the righteous legal hammer of a vengeful god down on Prenda, ordering them to his courtroom next week in person to either cough up a real Alan Cooper and a very compelling explanation of what they're up to or potentially face immediate incarceration.

I'm leaving out all sorts of fun details here, which is all the more reason you should be reading Popehat. For starters, you really need to dig into Popehat to see how one of Prenda's outside counsels explained the business relationship between the porn-video shell companies and Prenda itself.

[PS]

A big problem with Popehat vis a vis HN is that the blog titles are never congenial to this site, and the ethos on HN is now "don't mess with the titles". So it never seems productive to submit their articles. That's a shame, because Popehat legal coverage is everything Torrentfreak's and Techdirt's isn't: thoughtful, careful, technical, accessible, well-written.

You beat me to linking to that. Ars has great coverage of this as well, as in their most recent article on these clowns:

Porn trolling mastermind is the world’s most evasive witness Prenda-linked lawyer testifies for seven hours, gives no useful information.

http://arstechnica.com/tech-policy/2013/03/leading-porn-trol...

Anyhow, I get the feeling that these guys are being too clever by half and that the judge is about to make them answer for it. Thankfully, Ars has promised a reporter on the scene. Personally, I'm betting that they come up with some lame excuse for a no show, but we'll see.

>* A small law firm in Chicago, through a series of shell transactions, acquired the rights to some porn properties.

It seems like they originally did have proper contracts to sue on behalf of porn studios, with the porn studios getting a cut of the settlements. Then that well dried up, due to a combination of factors like very slow moving cases and a few nasty countersuits against the porn studio owners that had to be settled for cash going the wrong way.

It's only at that point where they decided they could just buy the copyrights to films directly, and get rid of the pesky clients.

Re: [PS]

HN needs subheads! They could be slightly more tolerant of pulling out salient details or interpretation, and even wiki-rewritable by users over a certain karma, with a version history. They'd make the 'original title' policy more tolerable, and be a massive timesaver for readers, when they provide the necessary counterbalance (in details or qualifications) for whatever sensational or dry choice was made in the title. (Popehat writeups could win with a good subhed; 'trick' titles would lose when the subhed offers the necessary clarification.)

How did I not know about this site...
You're awesome. Thanks for the link and the enlightenment about that site!
To be fair, they do link to Popehat and explain that it's an excellent rundown. I find it unskimmable compared with many blogs, so I'm glad these guys have rewritten the story and linked to others as well. Best of all, your summary: thank you hugely for the context!
> Our client is requesting all Internet Protocol addresses (including the date and time of that access in Universal Coordinated Time) that accessed the blogs located at diretrolldie.com and fightcopyrighttrolls.com between January 1, 2011 through the present.

>Please provide this information in an Excel spreadsheet.

Easy. Give them an Excel 97-2003 spreadsheet with the first 65,535 and tell them the format can't support any more.

Just print them out on paper in an unordered format.