Hiding in Plain Sight Narratives of Contemporary Online Anonymity
Abstract This research combines social studies and software studies to analyse how anonymity manifests itself within the internet today. To this end, the concept of anonymity and its successor online anonymity are historically analysed by means of literature which is subsequently deployed as a framework for the analysis of Tor Browser, Signal, and Retroshare. (Online) anonymity has identity empowering qualities, adds to personal freedoms and has been a protective measurement for centuries. Overall it adds to the agency of individuals. This research examines how the encrypted browser, encrypted messenger, and encrypted social networking platform narrate online anonymity through their support- and about-pages, and interfaces. Alexander Galloway’s definition of the interface plays a central role for the latter. An examination of the architectures and interfaces of Tor Browser, Signal, and Retroshare demonstrates that the medium specific characters of anonymity enhancing tools add new layers to the concept of online anonymity. The way these tools structure information is influenced by cryptographic ideals, trust and functionality. While being effected by the latter, Tor Browser, Signal and Retroshare show that a different online culture can be established in which the individual’s anonymity plays a central role.
Keywords online anonymity, encryption, interface, Tor, Signal, Retroshare
Lieke Kersten 22 June 2016 Lonneke van der Velden Stefania Milan MA: New Media and Digital Culture
TABLE OF CONTENTS
INTRODUCTION ...... 3
1. ANONYMITY THROUGH HISTORY ...... 5 1.1 Anonymity and urbanity ...... 5 1.2 Anonymous authorship...... 7 1.3 The changing landscape of online anonymity ...... 8 1.4 Encryption and anonymization ...... 11
2. METHOD ...... 13 2.1 Objects of study ...... 13 2.2 Approach ...... 14
3. TOR...... 16 3.1 Tor Browser ...... 17 3.2 Interface ...... 19
4. SIGNAL ...... 23 4.1 Encryption and Network ...... 24 4.2 Interface ...... 27
5. RETROSHARE ...... 31 5.1 Encryption method and network topology ...... 32 5.2 Interface ...... 34
6. FUNCTIONS OF ONLINE ANONYMITY ...... 39 6.1 Identity ...... 39 6.2 Integrity ...... 40 6.3 Protection ...... 42
7. SHAPING CONTEMPORARY ONLINE ANONYMITY...... 45 7.1 Cryptographic ideals ...... 45 7.2 Technological trust ...... 46 7.3 Functionality ...... 48
CONCLUSION ...... 49
REFERENCES ...... 51 Tool documentation ...... 54
2
INTRODUCTION
Information gathering seems one of the defining characters of civilized societies today. Information technologies are ubiquitously present in everyday life and the ability to store huge amounts of data has dramatically increased over the years. Almost all online activity is being recorded: for marketing purposes by companies, and security purposes by law enforcement agencies, but also for research purposes. Therefor, it has become increasingly difficult to achieve relative forms of anonymity. Yet, as the availability of the many anonymity enhancing tools shows, there seems to be a need for online anonymity. One can browse the internet using an encrypted browser, search the internet using a search engine which doesn’t track its users or communicate on the internet using an encrypted messenger. Moreover, users can overcome online tracking by installing privacy enhancing browser extensions or by installing private networks. Anonymity enhancing tools are often based on encryption technology. Encryption technologies can provide strong forms of anonymity by securing information with mathematical protocols. While the options for achieving forms of online anonymity are manifold, it is often put down as being obscure or even dangerous. American government officials accuse encryption of having created a “zone of lawlessness” (Koebler n.pag) and go as far as wanting to ban internet anonymity (McCarthy n.pag). Moreover, in 2015 the British prime minister intended to ban communication services with strong encryption methods if those services didn’t open up their data to the UK government (Kravets n.pag). In the year after, French lawmakers backed a plan to impose penalties on technology executives denying access to encrypted data during a terrorist investigation (Fouquet and Mawad n.pag). Clearly, the concept of online anonymity is controversial. Not for nothing in 2015 technology magazine Wired dubs anonymity as “the internet’s next big battleground” (Card n.pag). I will stay away from the “battleground”, but will address the problem of online anonymity from a different perspective. I will add to the debate on anonymity by analyzing how online anonymity is narrated by three tools which enhance anonymity, namely Tor Browser, Signal and Retroshare. Tor Browser is a preconfigured web browser which focusses on protecting the user’s anonymity; Signal is an encrypted calling and messaging application which anonymizes the user’s communication; and Retroshare is an alternative social networking platform which focusses on offering secure communication and
3 file sharing. The beta versions of these tools already date back to respectively 2002, 2010 and 2006, but the ideals they pursue are still very relevant. In the tradition of Geert Lovink and Miriam Rasch, and following their example also Robert Gehl, this research focusses on alternative new media forms. Lovink and Rasch believe that while new media create and expand the social spaces through which people interact, play and politicize themselves, these media are owned by a few companies which have phenomenal power to shape the architecture of these interactions (10). Therefor Lovink and Rasch advocate for research on alternatives to these closed and centralized environments (10). While they focus on social networking sites alone, I am expanding beyond social networking platforms. In doing so this research will focus on the juncture between the technical and the social against the background of new media studies. More specifically, by focusing on the software and the interfaces of anonymity enhancing tools, it adds to the field of software studies. Without falling into easy dichotomies this research will focus on what (online) anonymity has offered societies in the past and can offer societies in the present. I will do so through the following question: In what manner do anonymity enhancing tools create a narrative of anonymity, focusing on its functions for society? To answer this question, I will start by analysing the concept of anonymity from a historical perspective. This meta-narrative exposes several functions of anonymity before the existence of the internet and shows how the internet has changed the concept of anonymity. It shows that anonymity has been beneficial to personal freedoms and has functioned as a protective measurement throughout history. Hereafter, I will analyse online anonymity in practice within online environments today by means of Tor Browser, Signal and Retroshare. I will do so by analysing the documentation accompanying these tools and the interfaces of these tools. Influenced by Alexander Galloway I will approach their interfaces as zones of activity which produce effects and at the same time are themselves effects of the larger forces causing them (1). Tor Browser, Signal and Retroshare all present an alternative idea on information and communication technologies. I will analyse what new forces are important for online anonymity as seen from these tools. It will become clear that the medium specificity of anonymity enhancing tools has changed the concept of online anonymity to some extent. Instead of the prevailing paradigm of datafication at the expense of privacy, these tools show how a different online culture can be established in which the individual user’s anonymity is being considered.
4 1. ANONYMITY THROUGH HISTORY
With this historical analysis of the concept of anonymity I am not aiming at giving a complete history of the concept, but am merely contextualizing the concept for the purpose of my research. I will start this history of the concept of anonymity with the emergence of the city as anonymity is often seen as a defining character of urbanity (Lofland; Garber). Then I will focus on anonymous authorship throughout history. This chapter will show that both can be seen as precursors of online anonymity. It will become apparent that features of both are visible within the concept of online anonymity while at the same time having its own characteristic features. I will show that anonymity is a concept which had social and cultural value in the past, but has changed with the coming and maturing of the internet. It will become clear that past and present come together within the concept of anonymity, in Marcy North’s words: “It facilitates the appropriation of past conventions and encourages experimentation with the standards of the present” (4). Anonymity functions to combine the old and the new.
1.1 Anonymity and urbanity Anonymity has been inherently linked to urbanity and a vital characteristic of urbanity, namely publicity (Garber 19). In 1973 sociologist Lyn Lofland describes the difference between the city and the small town as following: “The city, because of its size, is the locus of a peculiar social situation: the people to be found within its boundaries at any given moment know nothing personally about the vast majority of others with whom they share this space” (Lofland 3). For most part of human history human beings lived their lives in small isolated worlds like villages or towns. The one characteristic all these different kind of little worlds shared was the absence of anonymity (Lofland 4). Cities changed this fact and instead of strangers being the exception, strangers became the rule. Because of this, Lofland describes the city as a world of strangers (4). Likewise, Judith Garber describes that traditionally anonymity is viewed as the defining attribute of urbanity (19). She describes urban publicity as unobtrusive in the sense that people are not required to reveal any more about themselves than they choose (Garber 19). In this sense urban anonymity shows that anonymity contributes to individual freedom and diversity. Within the city anonymity is available for everybody wishing to take advantage of it1. Urban public space allows people to interact
1 At least for those whose appearance is able to hide identity. Skin colors or disabilities for instance are more difficult to hide.
5 socially without any knowledge of someone’s background other than visible in his appearance. People can meet others with widely different backgrounds and standards without the usual social restraints of his environment. Garber explains: “Because of its accessibility to all sorts of groups, anonymity is used to signify the kinds of ideal geographical, social, and civic spaces in which identity differences are accepted instead of being subsumed into the mainstream or repelled” (Garber 20). Therefore, anonymity holds concrete appeal in terms of security for groups that live under scrutiny and threat (Garber 20). In this way anonymity can hold relevance for anyone who differs from the norm. Minority groups differing from the social norm could find anonymity in the city. Anonymity in this sense is connected to identity. Furthermore, anonymity does not have to be the same as invisibility, but rather depends on dynamics of revealing. Within urban territory people can practice widely divergent identities which makes anonymity dependent on citizens who display or hide various roles or identities within the city (Garber 28). In 1973 David Karp explains that hiding is essential for anonymity. It allows persons to engage in unconventional behaviour without displaying oneself as unconventional. In doing so anonymity gives persons the ability to engage in social actions without committing their identities to those actions (447). In this sense an anonymous situation is a situation where persons are hiding certain of their identities from one another (Karp 447). One can be one person at work, but can hide that role at home and take on another identity in the streets, in bars and so on. Understood like this, anonymity is less about strictly being unidentified or unrecognized, but more about revealing oneself or one’s group identity only within parts of the city (Garber 33). Within this understanding of the concept, anonymity seeking is heavily intertwined with identity seeking, making of anonymity a social concept. Karp explains:
The anonymous situation is made a very social one because each participant is aware of and feels constrained to respect the faqade of anonymity that each other participant is producing. It is, in this sense especially, that the collective venture of anonymity can be described as possessing a normative force. (447)
Karp sees anonymity as a collective venture in socially awkward situations, for instance in a pornographic bookstore or a waiting room. He shows that within those situations social standards apply even though anonymity is the norm. A collective anonymous situation is thus by definition a social situation.
6 1.2 Anonymous authorship The previous paragraph has showed how anonymity can be understood as a social concept. This is also visible here, I will focus more on the cultural functions of anonymity. A lot has been written about anonymous speech and authorship throughout history. Along these lines anonymity is described as a textual function holding cultural value. North shows that anonymity was not a stable quality through literary history, but could be acquired and lost, chosen and rejected, desired and denied, accumulated and borrowed, and on a larger scale was dependent on fashion and genre (43). Within the medieval and pre-print legacy anonymity was often a convention of humility and discretion (North 55). While still visible in print cultures, print brought its own rules and technological possibilities. For one thing it changed the role of the author, as print made books more of a commodity. To advertise a new book an appealing title page was needed in which the author’s name became an expected typographical feature (North 60). Where in books readers usually expected to find an author or some kind of signature for other forms of anonymously composed texts anonymity was – and still is - understood to be normal. Readers of for instance advertisement texts, pamphlets or reviews rarely think about the absence of an author’s signature “because by custom and tradition they do not expect one to appear in the first place” (Starner and Traister 2). These anonymous texts were ubiquitous and in deference to its content it did not matter who had written the text. Though also within book culture Robert Griffin describes that in the eighteenth and nineteenth centuries a large number of books were written anonymously (882). Griffin argues that anonymity during that period was at least as much a norm as signed authorship and therefor he describes anonymity as a centuries-long cultural practice (Griffin 882-883). As a textual function anonymity could shift the focus from the author to the text itself and in doing so create distance and intimacy (North 4). Susan O’Mally adds tot this that by not signing authors had more space to play or improvise because they were not locked into a specific authorial persona (130). As such anonymity was just as much a literary convention as naming or other methods of text presentation with which authors could introduce and frame the literature they produced (North 3). Moreover, anonymous authorship holds social value through its ability to guarantee integrity. On the one hand signing guaranteed integrity –accountability could not be escaped- and an opportunity to gauge the weight of an opinion by knowing its source; while on the other hand anonymity guaranteed integrity since it liberated writers from social and political pressures (Griffin 884). Likewise, Lyrissa Lidsky and Thomas Cotter describe how anonymous speech, despite the risk of it being harmful, was a social good as it makes
7 otherwise hesitant speakers more willing to speak. It can help speakers in feeling less vulnerable to retaliation “and thus may be more apt both to speak truthfully and to engage in tortious or harmful speech” (Lidsky and Cotter 1539). Lidsky and Cotter saw that many American court decisions on anonymous speech were based upon the assumption that citizens have the ability to decide for themselves where truth lies in public discourse (1602). In most cases citizens were able to discount anonymous information and protect themselves from its possible harm (Lidksy and Cotter 1602)2. From this perspective the benefits of anonymity would way higher than its downsides. Leaving aside the question if anonymity or signed authorship was more advantageous, authors had widely varying motives for publishing anonymously of which most show a function of protection. Griffin mentions the following motives: “an aristocratic or a gendered reticence, religious self-effacement, anxiety over public exposure, fear of prosecution, hope of an unprejudiced reception, and the desire to deceive” (885). John Mullan describes several other reasons of why authors have chosen anonymity within the history of English literature. He found eight reasons which he describes extensively in his book Anonymity: A Secret History of English Literature (2007), namely: mischief, modesty, women being men, men being women, danger, reviewing, mockery and devilry, and confession. Some of these reasons, like women being men, men being women and danger, show how anonymity has the ability to encourage people to speak about subjects which they might not speak about if there was any chance of it being traced back to its origin. So, anonymity has the ability to protect the author from retaliation. This is why Griffin, while in a speculative sense, suggests that one of the dominant functions of anonymity over the centuries has been protection (891). Society’s acceptance of anonymous writing from the seventeenth until the first half of the nineteenth century shows that it recognized that people had a right to speak their minds without fear of retaliation –or at least making retaliation difficult (Griffin 891). From this point of view anonymous writing was a liberating factor for society.
1.3 The changing landscape of online anonymity With the emergence of the internet a new dimension was added to the concept of anonymity. The coming of the internet around the mid-1980s meant availability to vast amounts of information for individuals around the world. From its origins and onwards the internet grew increasingly; in 1993 it was linking at least three million computers (Long 1180). To
2 Written in 2006, Lidsky and Cotter add that the internet challenges this argument.
8 elaborate, at that time most universities offered some form of internet access to students, as did government agencies (Long 1180). The architecture of the early internet permitted relative anonymity when browsing the internet. Lawrence Lessig sees this as the big difference between real space and early cyberspace. While in real space anonymity had to be created, in cyberspace it was the given (45). One could escape the norms of his environment without physically leaving this environment. Therefore, the experience of the internet suggested anonymity (Lessig 45). At the same time, because of the rapid growth of computers connected to the internet, information published online had an increasingly vast reach. While in this sense being a democratizing medium, this rapid and widespread information dissemination made invasion of one’s privacy a concern. Unauthorized circulation of private information could now happen on a much bigger scale. Lessig explains: “Anyone anywhere could publish to everyone everywhere. The network allowed publication without filtering, editing, or, perhaps most importantly, responsibility” (19). Because of the internet’s relative anonymity one could separate himself from his words, making it easier to speak without thoroughly thinking words through. One of the first technologies to change the relative anonymity while browsing was the cookie. Within the early internet there was no simple way for websites to know which machines had accessed it. Within the web as originally built there was no way to remember the user from one page to another (Lessig 48). This changed in 1994 with the cookie, a small identifying piece of information put on one’s machine (Elmer 117). This meant that computers could authenticate a machine as the same machine that accessed a particular website earlier. User data disclosed to a site could be embedded in a cookie, making it easy to build a profile on users by tracking their preferences and made choices. Cookies provided a relatively stable platform for interaction between users and websites (Elmer 118). Within its early days the cookie transmitted a relatively small amount of information. This changed over time as the information in the cookie was being linked with server data collection and diagnosis techniques (Elmer 119). While knowing the user’s computer didn’t necessarily mean that any information about the user was revealed, it did change anonymity. One’s behaviour could now be traced and together with one’s IP-address – a virtual address or device identifier - this could reveal a great deal of information about a person when analysed. While the IP-address always existed as a protocol to transfer data from on computer over another within the network (Galloway, Protocol 84), without the cookie it was very hard to link an identity to an IP-address. The cookie is an early example of an identifying technology and “as the internet has matured, the technologies for linking behaviour with an identity have
9 increased dramatically” (Lessig 46). This increase correlates with the coming of the information economy relaying on consumers who exchange demographic and psychographic information for commodities and services (Elmer 4). With this information consumer profiles are being build to anticipate consumers’ future needs and wants based on aggregated past choices and behaviors (Elmer 5). With aggregated user data advertisements have become targeted and customized. By voluntarily surrendering data, individuals become calculable subjects and additionally “acts of participation or self-communication themselves become data, the entirety of our everyday life practices subject to, and constituted by, perpetual calculation” (Raley 126). So, in this datafied information society everything one does online is being recorded and processed into calculable and measurable data. Another derogation of online anonymity emerged with the launch of major social network sites. Nicole Ellison shows how major social network sites already launched from 1997 and on (212). Within such networks users created profiles based on a series of questions whose answers mostly included age, location, interests and a profile photo (Ellison 213). The big difference between social network sites and earlier forms of online communities was the fact that social network sites were primarily organized around people instead of interest (Ellison 219). In 2008 Shanyang Zhao, Sherri Grasmuck and Jason Martin describe that within social networking sites the concept of identity production changed as individuals on the internet could interact in a fully disembodied text mode, revealing nothing about their physical characteristics (1817). By withholding information about one’s personal background relative anonymity could be maintained within social networking sites (Zhao, Grasmuck and Martin 1817). Disembodiment enables individuals to hide undesired physical features and anonymity allows individuals to re-create their biography and personality; together these features allow people to reinvent themselves online, increasing their identity empowerment (Zhao, Grasmuck and Martin 1818). However, also within social network sites linking “real” identity to a computer user became more and more the norm. To elaborate, Friendster, launched in 2002, already actively deleted fake profiles and genuine user-profiles whose photos were non-realistic (Ellison 216). Thus, people were being encouraged to represent their “real” self within their online profile. This goes beyond social networking sites as account registration isn’t only embedded within social networks, but is visible all over the internet, from e-mail registration to streaming services and news outlets. Once log-in credentials are required a data trail is created. The encouragement of realness grows as the internet grows, for instance visible in so called real name policies. Facebook is one of the mayor social networks with a strict real name policy. In 2016 Facebook states the following
10 about their real name policy: “Facebook is a community where people use their authentic identities. We require people to provide the name they use in real life”. And: “Pretending to be anything or anyone isn't allowed” (Facebook, Help n.pag). People nowadays aren’t only encouraged to represent their “real” self, but also obliged3. Persistent identity has become the mainstream. While many social networks require real names Lilian Edwards and Derek McAuley explain how the arguments against real names policies are manifold and that “public regulators and private companies advocating real names policies, ostensibly to protect the vulnerable online, fail to note the many reasons why real names are as likely to imperil these users” (3). Examples could be pseudonymity for political speech, repression and exposing victims to malevolence.
1.4 Encryption and anonymization Thus, the more the internet matured towards the internet as it is now, the less anonymous one could be online. This change in architecture of the internet could make anonymity more wanted because, as Michael Froomkin already puts it in 1996: “Anonymity may be the primary tool available to citizens to combat the compilation and analysis of personal profile data (…)” (Flood Control n.pag). In this manner anonymity is a way to control the dissemination of one’s personal information. However, to achieve relative forms of online anonymity extraordinary steps are needed, ranging from disabling cookies to installing privacy software. Likewise, Seda Gürses, Arun Kundnani and Joris van Hoboken describe encryption technologies as the dominant theme in counter-surveillance initiatives (7). Encryption helps to prevent high-tech eavesdropping by disguising messages and in doing so increases anonymity. It can be described as the process of encoding information in human- readable media into an illegible condition, so that only those with a secret decryption key can access its content (Gürses, Kundnani and Van Hoboken 7). According to Long, tools for encryption, like anonymous posting services for posting anonymous messages and anonymous remailers for disguising a message’s origins, already existed as early as 1988 and onwards (Long 1185). With the internet encryption became more readily available to the masses instead of being tightly controlled by states and their intelligence agencies (Gürses, Kundnani and Hoboken 8). The so called ‘cypherpunks’ – officially founded in 1992, but already dating back to the mid-1988 - have played an important role in the availability of advanced
3 While “authentic identity” is quite a subjective notion, which I would argue isn’t attached to a name.
11 cryptography for civilian use (Gürses, Kundnani and Hoboken 8). At its founding meeting in 1992 Tim May explains that profound crypto technologies already existed in theory for a decade, but were only just practically realizable because of sufficient speed (n.pag). He starts his talk with the following: “A specter is haunting the modern world, the specter of crypto anarchy” (May n. pag). The cypherpunks embody a technocratic view on the world advocating equality by means of encryption. In A Cypherpunk’s Manifesto (1993) Eric Hughes expresses the following about the cypherpunks opinions on encryption in relation to online anonymity: “An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy” (n.pag). And: “We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money” (Hughes n.pag). The cypherpunks see encryption as the only way to ensure privacy and therefor encryption should be as a common good (Hughes n.pag). Comparable to the functions of anonymity within the city, Hughes sees privacy as the power to selectively reveal oneself to the world by means of anonymity (n.pag). While the cypherpunks take on quite an idealistic and maybe extreme point of view, encryption can have a role to play for ensuring privacy. However, oppositely technological innovation, like cheap computation and data storage, but also economic and social forces have created a demand for privacy-destroying technologies (Froomkin, The Death 1465). According to Froomkin in 1996 it was relatively easy to achieve anonymity in electronic communication over the internet (Flood Control n.pag). It is mainly because of privacy-destroying technologies that today complete anonymity by means of encryption isn’t necessarily easily achievable. Another way to still provide some form of online anonymity is by means of anonymization. Mass scale data collection has changed the relatively anonymous online persona of an individual towards a highly visible though often anonymized online persona. Within the internet as it is today enormous amounts of data about individuals are being collected by companies for marketing purposes and by governments for security purposes. Often data is being anonymized, meaning that personal identifiers, such as name, address, date of birth and credit card number, are stripped out of the datasets (Mayer-Schonberger and Cukier 243). Anonymization seems to have replaced anonymity. Individuals are being profiled by means of the data produced around them into what Richard Ericson and Kevin Haggerty call ‘data doubles’, “our virtual/informational profiles that circulate in various computers and contexts of practical application” (4). Through processes of disassembling and
12 reassembling, information about individuals is broken down into a series of discrete informational flows which are captured through series of classification criteria (Ericson and Haggerty 4). This implicates that somebody’s data double can’t be connected to him and thus still offers a sense of anonymity. However, the increase in quantity and variety of information facilitates re-identification (Mayer-Schonberger and Cukier 244). Instead of individuals actively and consciously offering their personal information, data is passively and automatically being integrated into proprietorial databases (Elmer 56). The capturing and combining of large data sets has made it easy to identify anonymized data and because of the ease of re-identification – or de-anonymization – Rita Raley claims that perfect anonymity is impossible (128). If anonymity was an inherent character of the city, now within the internet “life becomes a village composed of parallel processors, accessible at any time to reconstruct events or track behavior” (Lessig 203). Likewise, if anonymity was an inherent character of urban publicity, now when moving around in the public space of the internet one isn’t anonymous. Relative anonymity is no longer permitted in the architecture of the internet.
2. METHOD
As an answer to the ascending derogation of online anonymity, tools offering anonymity by means of encryption have become widespread. There are many different types of tools which all offer anonymity in one way or another. I have selected three types of anonymity enhancing tools to analyse contemporary online anonymity, namely Tor Browser, an encrypted browser; Signal, an encrypted text messenger; and Retroshare, an encrypted social networking platform.
2.1 Objects of study Tor Browser, Signal and Retroshare all provide different forms of online anonymity and can because of their differences show how anonymity is being shaped within the diverse areas of the internet. As explained before these tools provide an alternative to mainstream media, in this case like Google’s browser Chrome, Facebook’s messenger WhatsApp and social networking site Facebook. One frequently expressed concern regarding mainstream media focusses on the politics and rights of the users, often touching upon the lack of privacy for the user (Langlois 51). A way alternative media address problems alike, arising from the accumulation of power on the part of mainstream media, is through decentralization (Gürses 348). In 2012 Arvind Narayanan et all. have researched alternative decentralized architectures and one conclusion they drew was that decentralized personal data architectures have seen
13 little adoption (n. pag). In 2016 this isn’t necessarily the case anymore. To elaborate, Signal for Android alone has been installed between one and five million times (Google Play n.pag) and the estimated number of directly connecting users of Tor is over 1.5 million (The Tor Project, Tor Metrics n.pag). Retroshare on the other hand has seen little adoption. I have still selected Retroshare as it, just like Tor Browser and Signal, presents an interesting decentralized architecture. Retroshare has implemented its own Friend-to-Friend network, Tor Browser is based on onion routing, and Signal too doesn’t use one single server. The three case studies present interesting architectures for effectuating relative forms of anonymity. While all presenting a decentralized architecture it will become apparent that they accommodate different politics, making them interesting case studies for this research.
2.2 Approach Combined with an analysis of the support- and about pages of the websites accompanying Tor Browser, Signal and Retroshare I will be conducting an interface analysis. Due to the scope of this research I think this is the most feasible manner of analysing these tools. A review of user studies could be interesting, but when searching for literature it became clear that user studies of Signal and Retroshare don’t exist. Analysing the interface and support- and about pages allows me to look at the front end as well as the back end of these tools. The interface provides an interesting lens of looking at new media objects. As Lev Manovich explains, the interface imposes its own logic on users and “(…) by organizing computer data in particular ways, the interface provides distinct models of the world” (65). It brings with it a strong message of its own (Manovich 65). Part of this is the fact that an interface always has a particular design which determines user interaction. In Galloway’s words: “The interface asks a question and, in so doing, suggests an answer” (The Interface 30). So, interfaces consist of areas of choice. Rather than being a thing, Galloway understands the interface as an effect always in process and translation (The Interface 33). He sees the interface as a process evoking transition moments in which the user is evoked to act so that processes inside the software can take place (Galloway, The Interface 32). Hence I approach the interface as a zone of activity whose effects bring about transformations in material states (Galloway, The Interface 7). So, the interfaces of the three tools I am studying can offer an understanding of how these tools operate and the effects they produce. Moreover, by means of analyzing their support- and about pages I will analyze what kind of encryption these tools offer and learn the philosophy behind their organizations by the discourses they carry forward. In doing so I will
14 analyze what kind of purposes the tools serve and what new objects and actors play a role in their versions of contemporary online anonymity. I will focus on the previously described functions of anonymity in the past and examine the visibility of these functions within the three anonymity enhancing tools. The previous chapter described several functions of anonymity before the internet and showed how the internet changed the concept of anonymity and its functions. Firstly, within the city anonymity functioned as a social tool to help people seek identity. Hence it contributed to diversity and individual freedom. Secondly, within authorship anonymity functioned as literary convention. Also, it functioned as a stimulator for integrity by liberating writers from social and political pressures. Mostly, it functioned as a protective measure against powerful entities. Lastly, within the internet anonymity functions as a way for combating user profiling and preventing high-tech eavesdropping. I will analyse if and how these functions are manifested within anonymity enhancing tools and which of the functions are emphasized. Importantly, I will seek for “new” functions and analyse what these tools add to the functions discussed in the literature. To illustrate, see Figure 1.
Anonymity as.. In Tor? In Signal? In Retroshare? A social tool for identity seeking A literary convention A stimulator for integrity A protective measure A tool for combating user profiling for marketing purposes A tool for preventing high-tech eavesdropping New Functions of anonymity
Figure 1: Anonymity and its functions as found in chapter one.
Hence I will look at how the interface articulates anonymity and connect what I see to the previous chapter. After having connected this to claims within the support pages I will have developed a profound understanding of the three tools and their organizations. I will end by critically discussing and comparing the three tools and their versions of anonymity.
15 3. TOR Tor – The Onion Router - is an anonymous network that distributes the user’s actions over several places on the internet to disconnect him and his destination (The Tor Project, Tor Project). Tor Project’s monetization system is based on sponsorship and volunteer work – individuals coding, testing, documenting, educating, researching, and running relays (The Tor Project, Sponsors). All Tor’s software is maintained and developed by the Tor Project as free and open source software. For this analysis I will primarily focus on web browsing through Tor Browser. However, in order to understand the browser, I need to understand the workings behind Tor’s onion routing network. Onion routing was developed around mid-1990 by Michael Reed, Paul Syverson, and David Goldschlag for the US Naval Research Laboratory for the purpose of protecting government communications (Reed, Syverson and Goldschlag 1). In easiest form Reed, Syverson and Goldschlag describe onion routing as an infrastructure for private communication over a public network (1). It works through a process of layering:
Before sending data over an anonymous connection, the initiator's onion router adds a layer of encryption for each onion router in the route. As data moves through the anonymous connection, each onion router removes one layer of encryption, so it arrives at the receiver as plaintext. (Reed, Syverson and Goldschlag 2)
So, encrypted data is being transmitted through a virtual circuit of relays in which each relay shortly decrypts an encryption-layer by using a so called onion key, only to reveal the next relay in order to pass the remaining encrypted data on. The data passed along the connections appears different at each relay so that the data can’t be tracked when in transit (Reed, Syverson and Goldschlag n.pag). The first version of Tor was released by Roger Dingledine as a pre-alpha version in 2002 to people within the Free Haven-mailing list, asking them to voluntarily start a relay (Dingledine n.pag). After the first 40 relays came into existence Roger Dingledine together with Nick Mathewson and Paul Syverson officially introduced Tor in 2004 at the USENIX Security Symposium. Here they describe Tor’s main goal as frustrating attackers from linking communication partners or linking communication to a user (Dingledine, Mathewson and Syverson n. pag). All connections in Tor are encrypted by TLS –Transport Layer Security - link encryption. The TLS protocol authenticates and verifies the server before enabling a connection and encrypts the communication between two parties by means of encryption
16 keys. Furthermore, Tor has a low-latency design which anonymizes interactive network traffic through a variety of protocols (Dingledine, Mathewson and Syverson n. pag). Low- latency anonymity systems are vulnerable to end-to-end traffic confirmation (Dingledine, Mathewson and Syverson n. pag). This means that Tor is vulnerable to attacks by means of end-to-end traffic analysis. A low-latency system like Tor doesn’t guarantee perfect anonymity “because of the conflict between preventing traffic analysis on the flow of packets through the network and delivering packets in an efficient and timely fashion” (Abbott et al. 184). For practices such as browsing it is important that data moves fast so there is no time lag between the user and the website he wants to access. Within the current design of the web addressing the vulnerability to end-to-end traffic analysis would mean sacrificing substantial functionality (Abbott et al. 198). On its website Tor warns users for this in the following way: “Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks” (The Tor Project, Tor Project). In a defending manner Tor explains their made design choices: because of functionality reasons Tor offers anonymization rather than anonymity.
3.1 Tor Browser Individuals can make use of the Tor network through Tor Browser, a pre-configured version of Firefox (The Tor Project, FAQ n.pag). By accessing Tor through Tor Browser installing any software isn’t needed. According to Tor’s website accessing the Tor network using other browsers is “dangerous and not recommended” (The Tor Project, FAQ n.pag). Webpages visited through Tor Browser will be sent via Tor and after closing the browser the list of web pages the user has visited along with placed cookies will be deleted (The Tor Project, Tor Browser n.pag). Thus also within Tor Browser cookies and browser history exist. The difference with most default browsers is the fact that Tor doesn’t give this data away by default, instead the user can choose how much information he wants to reveal for each connection (The Tor Project, FAQ n.pag). Likewise, the user controls if he provides log in credentials to websites like Facebook or Google. When a user logs into certain platforms, his location is still being hidden, but because he logged into a platform his identity is revealed to these platforms. Third party browser plugins operating independently from Firefox aren’t recommended to be installed on Tor Browser as they can compromise anonymity, for instance by browser fingerprinting and bypassing proxy settings (The Tor Project, FAQ n.pag). However, because the browser is open source users can modify its software any way they like. For most users
17 this probably won’t be an option because of a lack of technical knowledge. Moreover, because of the onion routing process one’s geolocation data is messed up which changes some of the personalized experiences one is used to in other browsers, like language preferences. Changing settings on for instance search engines to English is a way of fingerprinting the browser, but might be necessary for the user to understand searches. Moreover, when explaining its browser Tor warns the user again for possible traffic analysis: “If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication” (The Tor Project, Tor Browser n.pag). With this statement the organization constructs meaning by opposing Tor against other “scary” browsers. Moreover, the reader is assumed to have some sort of technical knowledge on encryption as HTTPS and end-to-end encryption are being proposed. This is something visible within most of the pages within Tor’s website. On the one hand, the technicality on Tor’s website increases transparency on its tools as all the technical details, design decisions and development processes are being shared within its website and documents shared on its website. On the other hand, this makes it more difficult for the ‘ordinary’ individual to interact with the website. Within a document explaining the design and implementation of Tor Browser Mike Perry, Erinn Clark and Steven Murdoch explain the philosophical positions about technology which guided the technology decisions about Tor Browser (n.pag). The number one position reads: “Preserve existing user model” (Perry, Clark and Murdoch n.pag). Perry, Clark and Murdoch explain that the Tor browser should work in the same way a user expects a browser to work, because otherwise the user will be confused, make mistakes which reduces his privacy or may stop using the browser assuming it is broken (Perry, Clark and Murdoch n.pag). Here, the average Tor user isn’t described as one having much technological knowledge at all. So, the Tor project constantly seems to be juggling to address the average technical anile user as well as the technical fledged user.
18 3.2 Interface Before Tor Browser opens the browser has to connect to the Tor network. The user has to wait until a connection is established, which isn’t the case in other browsers. The connection window gives the option to ‘Open Settings’. When clicking this button, the window visible in Figure 2 pops up.
Figure 2: A screenshot of Tor Network Settings, as taken from MacOS on 8 April 2016.
Apparently anonymity works differently for users who are being censored. A user whose connection is being censored could still configure a bridge or local proxy to connect to Tor and browse anonymously. Bridges are Tor relays which aren’t listed in a public list. They can be used quite easily. One simply clicks the “configure” button, has to answer some questions about his internet connection and then connects with one of the provided bridges. A user can also enter a custom bride. The latter is quite an advanced option. Tor recommends to first try to connect to Tor without a bridge or local proxy which will work in most cases. Whatever the user acts upon will change his connection, mediating between the user and the browser. Here, the user is given the option to change the network to fit his need. If the user’s computer isn’t censored, he wouldn’t click the Network Settings and thus not see this menu. Through disruption, namely a non-working network, traces of Tor Browser’s inner working are revealed. Next, Tor Browser opens, see Figure 3. I added numbers to all the visible objects and actors I’m going to discuss further.
19
Figure 3: A screenshot of Tor Browser. The red numbers are added to indicate the features I’m going to discuss further. Screenshot taken on 8 April 2016 from MacOS.
At first glance Tor browser looks like any other browser, not complicated and pretty straightforward. Simultaneously Tor Browser propagates anonymity in several ways. At first instance Tor states the following: “You are now free to browse the Internet anonymously” (Figure 3 no. 3). However, as seen in the previous chapters, only using Tor isn’t enough. Tor emphasizes this again on the Tor Browser homepage with a big sized warning (Figure 3 no. 6). One can click this warning to get additional tips on how to stay anonymous online. Next to the warning Figure 3 no 7. depicts several options for how the user can help Tor in growing and getting more anonymous. Figure 3 no 8. emphasizes Tor’s dedication to online anonymity and privacy again. With the option ‘Test Tor Network Settings (Figure 3 no. 4) the user can check if his browser is configured to use Tor and see the IP address assigned to him. Moreover, from the homepage straightaway it is visible that there are at least three external features build into the browser by default, namely Disconnect Search (Figure 3 no. 5), NoScript (Figure 3 no. 1) and Torbutton (Figure 3 no. 2). All these features are added to enhance the user’s anonymity. Disconnect Search is a specialized VPN that offers secure search through a layer on top of the search engines Bing, Yahoo and DuckDuckGo. It doesn’t log searches, IP addresses, or other personal information (Disconnect n.pag). So, it isn’t actually a search engine, but as visible in Figure 3 no. 5 it does look exactly like other search engines. When clicking the NoScript add-on, the advised option is to ‘Forbid Scripts Globally’, but one can also advance his settings, see Figure 4.
20
Figure 4: A screenshot of the advanced settings of NoScript, as taken on 8 April 2016 from MacOS.
NoScript is an extra protection layer on top of the browser which only allows plugins like Java and Javascript on trusted domains. It is based on whitelisting and protects the user from exploitation of security vulnerabilities. It is specifically mentioned that no functionality will be lost because of NoScript (NoScript n.pag). The NoScript Options are manifold, but by default the user is send to the advanced options. Without background information the user probably won’t know what all the options do or enable. However, from its interface it becomes clear that scripts decrease anonymity. When for instance clicking the XSS button, some lines of code are displayed. Results matching the code will not be protected against XSS – a bug in the security of web applications which an attacker can misuse. The user can add code himself. Here the user is specifically involved in the normally invisible space behind the interface. Torbutton gives the user several options for enhancing his anonymity, see Figure 5.
Figure 5: A screenshot of the Tor Button options (left), when browsing a website one can see the taken circuit (right). Screenshots taken on 8 April 2016 from MacOS.
Torbutton takes care of application-level security and privacy concerns (The Tor Project, Torbutton n.pag). The user can manually change the taken circuit or change the used identity.
21 Moreover, the Tor Project explains that for keeping the user safe Torbutton disables types of active content (Torbutton n.pag). Among others it disables plugins, clears cookies and manages history. In this way the button discourages fingerprinting. Moreover, when clicking Torbutton when browsing, the user can see the taken circuit and used IP addresses for the site he is visiting (Figure 5). This makes the concept of onion routing a bit less abstract by showing exactly which route is taken when browsing. It is possible to set up a new circuit which might be necessary for overcoming certain country restrictions – for instance on websites as Netflix. When clicking “Tor Network Settings” the same window appears which is visible in Figure 2 and already is discussed before. Figure 6 depicts the possible privacy and security security settings within Torbutton.
Figure 6: A screenshot of the (default) Privacy Settings, as taken on 8 April 2016 from MacOS.
The chosen settings are the default settings. As visible one’s security level isn’t on “high” by default, which one might expect from a secure browser. One’s security level is low by default because of usability. The higher one sets his security level, the more changes are applied making the browser more difficult in use. However, one’s privacy settings are on high by default, all possibilities are enabled. These possibilities directly enhance one’s anonymity, for instance by not recording data like cookies and browsing history. The last feature on Tor Browser’s homepage I want to discuss in more length is its setting menu. Just like every other browser Tor Browser has a general menu with setting options. The menu-options are very similar to the regular Firefox options, with exception of HTTPS Everywhere, see Figure 7.
22
Figure 7: A screenshot of Tor Browser’s menu showing the default add-on HTTPS Everywhere, as taken on 8 April 2016 from MacOS.
HTTPS Everywhere is an add-on which activates HTTPS on a selection of common websites which would otherwise use HTTP. HTTPS is a protocol for transferring data which encrypts the dataflow –the ‘s’ stands for secure. HTTPS does not make a website anonymous, but rather ads a security layer. Its functioning is invisible and its presence only visible within the Tor Browser settings. All in all, Tor Browser is a layered browser with different formats working through each other on different surfaces. These different media layers within the interface reveal quite some of the workings behind the techniques that enhance anonymity within the browser. The user is given the choice to passively use the proposed default settings or to change them to his liking or needs. Changing the default settings could result in more anonymity, for instance by changing his “security level” (Figure 6) to high, but could also result in less anonymity. A user could for instance disable HTTPS Everywhere and NoScript, could choose to use Google instead of Disconnect Search or could login to online profiles. These choices will have profound meaning for the usability of the browser. Enhancing anonymity will in many cases mean decreasing the usability of the browser, and the other way around. The actions the user partakes evoke transition moments within the working of Tor Browser, changing the inside processes which either enhance or decrease his level of anonymity.
4. SIGNAL
Signal is a free private messaging and calling application for iPhone and Android developed by Open Whisper Systems. Signal was released in 2014 for iPhone and in 2015 for Android
23 as a descendant of two earlier software projects RedPhone, an encrypted calling application, and TextSecure, an encrypted texting application4. Before Signal existed on Android, iPhone users could communicate with Android users via TextSecure (Marlinspike, Signal n.pag). All communication within Signal is encrypted in transit as well as end-to-end encrypted. Open Whisper Systems derived from Whisper Systems, a company co-founded by Moxie Marlinspike – a pseudonym - and Stuart Anderson in 2010 for developing mobile security software (Marlinspike, A New Home n.pag). In the same year the company started Whisper System released the beta versions of RedPhone and TextSecure. In 2011 Twitter acquired the company resulting in Marlinspike working for Twitter’s security team. According to an article in VentureBeat neither of the two companies disclosed the financial terms of the deal (Cheredar n.pag). After Twitter acquired the company, RedPhone as well as TextSecure were released as open source software (Garling n. pag). Open Whisper Systems emerged in 2013 when Marlinspike left Twitter to continue on the work of Whisper Systems (Marlinspike, A New Home n.pag). While Whisper Systems started out as a company, Open Whisper Systems is a non profit organization supported by donations, grants and government funding (Open Whisper Systems n.pag). Open Whisper Systems doesn’t clarify exactly who its sponsors are and what kind of grants it receives, but does explain how individual donations are being made and what they are spend on. In a blogpost written in 2013 Marlinspike explains a self written service called BitHub that “accepts Bitcoin donations and allocates them into a single pool of funds” and “distributes the Bitcoin donations from that pool to anyone who commits to our repositories”. (Marlinspike, BitHub n.pag). Meaning that anyone is able to use donations to contribute time to Open Whisper Systems projects and that donators can watch the commits his donation is paid out on (Marlinspike, BitHub n.pag). A contributor has the option to opt out of receiving payment and contribute voluntarily.
4.1 Encryption and Network As mentioned before Signal was launched as a successor of RedPhone and TextSecure. Therefor, I will start by explaining both application’s individual encryption methods. RedPhone was introduced as a mobile application for low latency end-to-end encrypted voice calls, meaning that the call can’t be intercepted. RedPhone’s environment existed of the caller, the responder, the master RedPhone server and the relay RedPhone server (Whisper
4 As of April 2016 Signal is also available for desktop, but because of the scope of this research I will only focus on Signal’s mobile application.
24 Systems, RedPhone Architecture n.pag).5 The master servers setup call requests and authenticate if callers and responders are who they claim to be; the relay servers are responsible for so called NAT Traversal, which efficiently receives and passes on encrypted packets from one device to another (Whisper Systems, RedPhone Architecture n.pag). So, a phone conversation is set up as follows: The caller contacts a master server which signals the request to the responder. The responder receives an encrypted signal and connects to the master server. When answering his information is received and passed on through the relay server (Whisper Systems, RedPhone Architecture n.pag). Moreover, the communication between clients and servers makes use of the TLS protocol to authenticate and verify servers and establish a key exchange between the caller and the responder (Whisper Systems, RedPhone Encryption n.pag). TLS makes sure a secure connection is made through the internet. Subsequently the actual call is encrypted using SRTP – Secure Real-time Transport Protocol - which provides confidentiality, message authentication and protection to the traffic. (Whisper Systems, RedPhone Encryption n.pag). For establishing SRTP on a phone call ZRTP – Zimmerman Real-time Transport Protocol – is implemented (Whisper Systems, RedPhone Encryption n.pag). The latter establishes sessions for VoIP – Voice over IP. It secures media sessions which include a voice media stream by means of negotiating encryption keys between the caller and responder (Zimmermann, Johnston and Callas n.pag). The ZRTP protocol provides confidentiality, protection, and authentication (Zimmermann, Johnston and Callas n.pag). So, through these protocols all transmitted data within a phone call is being encrypted while in transition from the caller to the responder. TextSecure was designed as a general purpose SMS/MMS client, encrypting conversations with other TextSecure users (Marlinspike, Simplifying n.pag). In 2015 Open Whisper Systems ended support for SMS and MMS due to security flaws (Marlinspike, Saying Goodbye n.pag). So, after 2015 TextSecure only supported messaging over an internet connection. The TextSecure protocol was originally a derivative of the OTR – Off-the-Record - messaging protocol (Marlinspike, Advanced n.pag). The general idea of key exchange within OTR works as follows: when starting a conversation an unauthenticated key exchange institutes an encrypted channel, where after the communication partners are authenticated inside the channel (Cypherpunks n.pag). OTR is not a protocol for hiding that communication took place, but rather hides the content of the communication. In 2013 one of OTR’s primary
5 As the RedPhone wiki page was deleted after the coming of Signal, I used the archived version from the Internet Archive of September 2015 to access the information on RedPhone.
25 features was deniable authentication, making absolutely sure someone is who he says he is (Marlinspike, Simplifying n.pag). This means that only the intended receiver can identify the true source of a given message and at the same time the receiver can’t prove the source of the message to a third party (Lee, Wu and Tsaur 1376). Over the years TextSecure has altered the OTR protocol by simplifying and improving it (Marlinspike, Advanced n.pag). Users themselves don’t have to involve in difficult key management because of the implementation of these algorithms and, importantly, the servers can’t decrypt their messages. Signal implements both encryption methods of RedPhone and Textsecure in one application. The application is encrypted by a full messaging protocol named Signal Protocol which combines RedPhone and TextSecure (Marlinspike, Signal n.pag). Signal’s general goal is making encryption more convenient for the user in not having to use two applications (Marlinspike, Signal n.pag). On its website, Signal encloses a privacy policy – the other two analysed tools do not have a privacy policy. Notably, Signal’s privacy policy is extremely short compared to for instance those of WhatsApp or Facebook. It only contains two headers, namely “Information we have” and “Information we may share” (Open Whisper Systems, Privacy n.pag). While Signal’s servers don’t store content information, they do store the following data about the user: the phone number or identifier a user registers with; randomly generated authentication tokens to set up a call or transmitting a message; and profile information, for instance a name or an avatar, the user submits (Open Whisper Systems, Privacy n.pag). This information is only kept as long as necessary for placing a call or transmitting a message and not used for other purposes (Open Whisper Systems, Privacy n.pag). Open Whisper Systems can’t decrypt or otherwise access the content of a call or a message, but “IP addresses may be kept in memory for rate limiting or to prevent abuse”. IP addresses are being stored, meaning that someone’s location could potentially be intercepted. Moreover, contact information from one’s device may be cryptographically hashed and transmitted to the server in order to determine if the user’s contacts are registered (Open Whisper Systems, Privacy n.pag). By means of hashing, a numeric value is given to the contact information. It is not a tight system as hashed telephone numbers can easily be traced back. In a blogpost regarding this issue Marlinspike explains the difficulty of private contact discovery (The Difficulty n.pag). The blogpost was written at the beginning of 2014, but as Signal’s privacy policy shows the problem is still unresolved today.
26 4.2 Interface As visible in Figure 8 Signal’s home screen interface looks like every ordinary messenger application.
Figure 8: A screenshot of Signal’s home screen on iPhone, as taken on 14 April 2016.
Because of Signal’s similarity to other messenger applications its interface is very intuitive. Signal’s home screen interface is very simple showing few options for change. There are no signs of anonymity or encryption visible. Almost all traces of Signal’s inner working are hidden. Signal’s interface only displays the user’s conversation inbox, an archive, a setting menu and a menu for adding friends. When clicking the settings, the screen in Figure 9 pops up.
Figure 9: A screenshot of Signal’s settings on iPhone, as taken on 14 April 2016.
Again, there are not many options for the user to click on and again there are no signs of anonymity or encryption visible. There are privacy settings, but this isn’t a distinctive feature of Signal as many other messenger applications like WhatsApp and Facebook Messenger also
27 have privacy settings. Moreover, as visible in Figure 9, it is very easy to delete one’s account. When deleting the account all data is removed from the server. When clicking “Geavanceerd” 6 (advanced) the options aren’t actually advanced: the user can only choose to enable a debug log or not. The about-section portrays Signal’s version number, a Twitter sharing button and a link to the Open Whisper Systems website for help or questions. When clicking the privacy settings, the first sign of anonymity becomes visible with the option “vingerafdruk” (fingerprint), see Figure 10.
Figure 10: A screenshot of Signal’s privacy settings on iPhone, as taken on 14 April 2016.
However, one does need some background knowledge to know this has to do with encryption, as just ‘fingerprint’ probably won’t speak for itself. The user’s fingerprint is a unique key that verifies his identity. When clicking the fingerprint, the user has the option to copy his fingerprint or change it. By copying the fingerprint, the user can share it with his contacts. Another sign of anonymity becomes visible when clicking “notificaties” (notifications), see Figure 11.
Figure 11: A screenshot of Signal’s notification settings on iPhone, as taken on 14 April 2016.
Here one can choose to not show a name or message when receiving a notification of a new message. In doing so, users can enhance the anonymity within a conversation as when the
6 As I downloaded Signal from the Netherlands my language settings were automatically set to Dutch. Within the Signal application there is know easy way to change them into English.
28 phone is locked no meta-information on the conversation is visible on his phone. WhatsApp or Facebook Messenger do not have this option. The senders’ name and message are visible by default, probably because of functionality reasons; users are used to seeing a name and the message from other messenger applications. When starting a chat conversation, the same applies as for the home screen interface: a conversation within Signal looks like any other conversation within other messengers and there are no signs of anonymity visible, see Figure 12.
Figure 12: A screenshot of Signal’s conversation interface on iPhone, as taken on 14 April 2016.
One can send photos, videos or voice messages and can use emoticons. While not visible in first instance, signs of secure messaging are visible in a chat conversation by means of verification. When holding a contact’s name in a conversation one can compare the earlier discussed fingerprints, see Figure 13.
Figure 13: Comparing fingerprints within Signal. Screenshot taken from iPhone on 14 April 2016.
By comparing fingerprints users verify their identity. Whenever the sender’s fingerprint – or identity key – changes, the receiver obtains a notification asking him to accept the new fingerprint, see Figure 14.
29
Figure 14: Notification within Signal asking the receiver if he accepts the sender’s changed identity key. Screenshot taken from iPhone on 14 April 2016.
So, within a chat conversation one isn’t anonymous in the sense of hiding his identity, rather the content of his conversation is hidden. By means of verification and authentication one can be sure to be talking with the person he aims to talk with, making high-tech eavesdropping impossible. However, of course sender or receiver can choose to reveal a conversation by showing it to others or sharing it with others by means of taking screenshots. A conversation can be anonymous by using Signal, but in combination with trust. When starting a telephone call, again the screen looks just like other calling application and is very simple. Just as the case with the message interface, the interface of a phone call only shows signs of anonymity by means of verification, see Figure 15.
Figure 15: Screenshot of a phone call within Signal, as taken from iPhone on 14 April 2016.
Figure 15 shows the random words “eyetooth Medusa” which the caller can say out loud. If the receiver’s phone shows the same words, one can be sure that there is nobody intercepting the phone call. However, the user needs some background knowledge to understand what the words are for. Moreover, of course receiver or sender can choose to reveal the phone call by letting other people listen in, for instance by using speakerphone.
30 Concluding, especially within Signal it becomes clear that the interface isn’t just a transparent window for the user to interact with the software. Signal’s interface is a perfected version of what’s behind, not showing all the “ugly” workings, but rather showing a heavily simplified and flawless version. Its interface is designed to keep the user from having to think about the interface. Or in Galloway’s words: “to implant in the viewer [user] the desires they though they wanted to begin with (…)” (36). Signal erases almost all traces of its own functioning. In doing so it doesn’t represent the changeability of its software. For the user there are only few options to change settings, while the software itself can be changed in many ways. As seen in the previous chapter the encryption protocols behind Signal are difficult and manifold, but nothing of this is visible in the interface. Being mediated through Signal there are very few transformations which the user is involved in, making user interaction with Signal tightly structured.
5. RETROSHARE
Retroshare was founded in 2006 by drbob – of course a pseudonym (Retroshare n.pag). It was set up as a social platform providing secure communication and file sharing (Retroshare n.pag). Nowadays Retroshare is described as a cross-platform in which users can securely chat, share photo’s and video’s, send e-mails and visit (video) channels and forums (Retroshare n.pag). The software behind the platform is open source. In 2012 drbob explains that Retroshare’s core design is about decentralization and privacy. He describes Retroshare as “a decentralised Friend-2-Friend network, which allows you to share stuff … not with the whole world… but with people you know and trust” (drbob07, Ideals n.pag). The platform’s anonymity is based on encryption together with trust. This means that intruding and monitoring from an external point of view is made difficult, ensuring that government monitoring or prosecution are impossible “beyond the will of Retroshare users” (drbob07, Ideals n.pag). The people a user is connected with, his friends, know who he is, what his IP address is and which files he shares (Retroshare, FAQ n.pag). No one else besides the user’s friends can see this information. To make Retroshare worthwhile it is recommended to start with a group of about five people, but for anonymity it doesn’t matter how many individuals use Retroshare as it is a private network (Retroshare, FAQ n.pag). The network will function well with a couple of friends or with a lot of friends. Users can communicate with each other via a private chat or via a chat lobby to chat with several friends at once. These chat lobbies can be private, only joinable for those with an
31 invitation, or public, joinable for all one’s friends. Moreover, some forums are completely anonymous where no one can tell who posted something and where users can share files anonymously with people who aren’t his friends (Retroshare, FAQ n.pag). A user can only subscribe to forums or channels where at least one of his friends is subscribed to. Therefor, as one’s friend list becomes bigger the amount of material and network availability improve. Because of the width of Retroshare’s services some services are more private than others. To exemplify, public chat lobbies, anonymous forums and channels are publicly visible within the network (drbob07, Privacy n.pag). Messages send from these locations are potentially accessible to other Retroshare users, but aren’t associated with the sender and aren’t accessible from the outside of the network (drbob07, Privacy n.pag). So, one is anonymous in a sense, but as drbob explains: “to make this decentralised network it is necessary to share some information publicly. The default settings of Retroshare are designed to achieve a good balance between connectivity and privacy” (Privacy n.pag). For an outsider one is relatively anonymous, but for the sake of user experience within the network the user isn’t necessarily. Nevertheless, Retroshare presents an idea of what social networking could be when the individual’s anonymity is considered. It opposes itself to social network sites dependent on corporate systems and centralized servers like Myspace and Facebook (Retroshare n.pag).7 In this way Retroshare offers an alternative to mainstream social networks. Robert Gehl explains: “To be an alternative, the specific mix of power/freedom in any social media alternative must be different from mainstream SNSs” (2). This is for instance visible in Retroshare’s decentralized architecture and encryption methods with which the platform distances itself from the power mainstream social media networks have over content.
5.1 Encryption method and network topology Retroshare is encrypted by a combination of the TLS8 protocol for secure communication and the PGP – Pretty Good Privacy - standard for authentication and encryption. TLS is employed to encrypt communication between friends, to encrypt configuration files and to identify friends’ locations (Cyril, Cryptography n.pag). PGP is employed for encrypting the SSL passphrase on disk, for signing SSL certificates and for signing forum posts (Cyril, Cryptography n.pag). When downloading Retroshare and getting started with the platform, a
7 Contradictory to this opposition, there are Twitter and Facebook share buttons on Retroshare’s blog pages. 8 The blogposts I’m referring to are written in 2012 and explain Retroshare’s encryption by means of SSL. Nowadays, Retroshare is encrypted by its successor TLS. I will therefor refer to TLS notwithstanding the referred blogposts.
32 TLS passphrase is chosen randomly and a TLS certificate is created which is encrypted by the user’s own chosen PGP password (Cyril, Cryptography n.pag). To get started the user has to create a profile by inserting a name – which doesn’t have to be a real name – and creating a PGP password. When logging in the TLS passphrase is decrypted to initialize the TLS session, but the user’s certificate stays encrypted (Cyril, Cryptography n.pag). Users start their social network by adding new friends through exchanging certificates. The actual connections between friends are encrypted using TLS (Cyril, Cryptography n.pag). Users can only become friends when both users have added each other’s TLS encrypted certificates. In order to provide a web of trust users can make direct connections with other users by means of authentication through PGP. As one needs friends to make Retroshare worthwhile identities are important. The user’s identity is represented by his PGP key which acts as a signature for TLS certificates for validating his identity. To locate friends Retroshare employs a distributed hash system which allows users to find and connect with users (drbob07, Privacy n.pag). Within this system the user’s IP information is posted to a DHT – Distributed Hash Table – which users can query to find fiends to make a connection (Retroshare, FAQ n.pag). However, as Signal’s Marlinspike has argued hashing is not an airtight system (The Difficulty n.pag). Moreover, Retroshare shares friend lists with other friends, a system similar to “Add Friends” features on social networks like Facebook (drbob07, Privacy n.pag). So, in order to get started with Retroshare it is deemed necessary to reveal some information. There is a way to get around this, but “probably only suitable for advanced users” (drbob07, Privacy n.pag). Since the latest and considered final v0.6.0 it is also possible to create hidden nodes by means of the I2P overlay network (Cyril, Release n.pag). Retroshare’s network is decentralized, meaning that there is no central server or single company who can access all the data (drbob07, Ideals n.pag). Moreover, it has a F2F – Friend-to-Friend - design, meaning that when sharing something only friends, and optionally friends of friends, can receive (source) information (drbob07, Ideals n.pag). Retroshare describes F2F as “the new paradigm after P2P” –Peer-to-Peer (Retroshare, FAQ n.pag). Within a P2P network users connect with random peers all over the world without verification, rather than with “trusted friends”. Péter Kasza, Péter Ligeti and Ádám Nagy describe the difference as following: “Unlike other kinds of private P2P networks, the users in a friend-to-friend network cannot find out who else is participating beyond their own circle of friends, so F2F networks can grow in size without compromising their users’ anonymity” (2). Files are being transferred by means of a F2F routing algorithm. Every transfer within the
33 network travels over a chain of “trusted” nodes as each friend added to one’s network becomes a new node. These nodes are chained together to “provide secure and anonymous file-transfer tunnels across the whole Retroshare network, using a turtle router” (Cyril, Retroshare’s Anonymous n.pag). This routing model allows non direct friends to exchange data anonymously using tunnels (Cyril, Retroshare’s Anonymous n.pag). When a user wants to exchange data a tunnel request is sent with two numbers; the request id and its half-id. The former indexes the tunnel request and the latter is a hash of the client TLS id and a hash of the file for which the tunnel will be used (Cyril, Retroshare’s Anonymous n.pag). When a user responds to a tunnel request, both half-id’s will merge to obtain the final non symmetrical tunnel id and a connection is made (Cyril, Retroshare’s Anonymous n.pag). One can have multiple tunnels for a single download. Using these tunnels will compromise download speed, but in Retroshare’s words: “(…) this is the price to pay for 100% privacy” (Cyril, Retroshare’s Anonymous n.pag). So, Retroshare is willing to compromise functionality in order to achieve better privacy for the individual.
5.2 Interface Before the user can make use of Retroshare he has to create a profile, see Figure 16.
Figure 16: Creating a Retroshare profile. Screenshot taken from MacOS on 25 April 2016.
The necessary requirements for creating a profile are a name (which can be any name), a password and a node. By clicking the advanced options one can create a hidden node and change the length of his PGP key. Already from the creating of the profile the user is confronted with the fact that Retroshare is an anonymity enhancing social network. He is
34 confronted with technical terms like “PGP” and “nodes” and before a profile can be created he has to use his cursor to create arbitrariness. Moreover, it shows that the Dutch version of Retroshare is far from perfect. The used Dutch isn’t quite right and at the same time a lot of English is used. After the form has been filled in, the user has to wait until a PGP pair is created and before he can start he has to fill in his PGP key, see Figure 17.
Figure 17: Logging in on Retroshare with PGP. Screenshot taken from MacOS on 25 April 2016.
This PGP pair solely protects the user locally. Again the user is being confronted with the technology behind the workings of Retroshare. He is specifically asked to fill in his PGP password to generate a key to use Retroshare. For the workings of Retroshare, the system could have just asked for a password without specifically referring to PGP. When logging in afterwards the user can choose to remember the password. While enhancing the ease of use this will compromise his anonymity in the case if somebody logs into the user’s computer. After having logged in the user can start using Retroshare, see Figure 18.
Figure 18: Retroshare’s home screen interface. Screenshot taken from MacOS on 25 April 2016.
When looking at the home screen a few things stand out immediately. Firstly, the look of Retroshare is very retro. Past conventions of interface design are still visible in Retroshare. Secondly, there are a lot of options to choose from and buttons to click. Understanding the
35 parts of the interface as areas of choices, a lot of choices can or have to be made when using Retroshare. Moreover, the interface is filled with technical details. Encryption protocols like NAT and DHT are visible through a NAT and DHT indicator; to invite friends the user is asked to send an invitation with his ID Certificate; and at the top Retroshare is explained as a secure decentralized communication platform. To understand these terms, the user has to have done some background research or at least know about encryption. Retroshare does look like a social network in the sense that it is all about making friends and visiting different forums, chat portals, channels and so on for communicating and sharing with each other. Moreover, like most social network platforms there is a news feed filled with the actions of friends within the network. The News Feed displays the last events on a user’s network sorted by time. This could be connection attempts, channel and forum posts and new channels and forums the user can subscribe to. There is no advertising within the News Feed and the user has the option to change what he sees and in what order he sees it. So, the user is given quite some agency to change the network to his liking. Moreover, notable is the “bestanden delen” (file sharing) section. Within Retroshare it is possible to share files with friends, and friends of friends anonymously. File sharing is an important feature of Retroshare. Files can be shared through most communication channels within the social network, for instance through chat, forums, channels and messages. All downloaded files are visible under the “bestanden delen” (file sharing) section. When clicking “opties” (options), the screen visible in Figure 19 pops up.
Figure 19: Retroshare Options. Screenshot taken from MacOS on 24 April 2016.
The options are extremely manifold. In the options home screen there are already a lot of different sections to alter and when clicking those sections, a lot of new option and setting
36 screens appear. Among others the user can change Retroshare’s interface itself (like colors, language and style), but also its workings (like changing forum options or file transfer options), and level of anonymity (like changing what information others can see about him or changing his network status). Everything is extremely detailed and many of Retroshare’s inner workings are revealed, to clarify see Figure 20.
Figure 20: Retroshare’s Network options (top) and Retroshare’s statistics (bottom). Screenshots taken from MacOS on 5 May 2016.
The user can personally alter his network configurations, can alter IP Filters and can configure a hidden service. Moreover, he can see statistics about the protocols behind Retroshare like the Turtle router, DHT and more. Within the turtle router section, the user can see the technical workings behind tunnels, anonymous tunnels and authenticated tunnels For using Retroshare it is essential to add friends. Users can invite friends to start using Retroshare by email or add friends already using Retroshare by copy/pasting his PGP certificate, see Figure 21.
37
Figure 21: Adding friends already using Retroshare (left) or inviting friends through email (right). Screenshots taken from MacOS on 25 April 2016.
Again the emphasize lays on the PGP certificate. Adding friends already using Retroshare isn’t too difficult. The user only has to copy/paste a password. Two users become friends when both have added each other’s certificates. While the certificates look like lines of code and aren’t what users are expected to see from other social network platforms, it is pretty straightforward. Inviting friends through email seems to be a bit more difficult. Again the Dutch in the email is far from perfect, using English and Dutch interchangeably and the PGP certificate looks unusual within the text of an email. Together, these two facts make the email look a bit spammy. Probably, for a friend to respond to the email he has to have heard from Retroshare in a different way as well. So, starting a friend network within Retroshare isn’t an easy job, but is necessary for Retroshare to be worthwhile. Retroshare’s interface doesn’t erase all traces of its inner working. Rather oppositely to many other interfaces, Retroshare discloses much of its inner workings to the user. The changeability of its software is visible through the options the user can choose from. Retroshare seems still experimental, languages aren’t perfected and its design is old fashioned. The interface is difficult to work with and full of technicalities. Retroshare offers much agency to the user. However, at the same time it presents sort of an elite network as for fully understanding Retroshare’s interface and benefitting from increased agency and anonymity a user must be technical fledged and have friends who are as well.
38 6. FUNCTIONS OF ONLINE ANONYMITY
Here I will reflect back to the functions of anonymity as found in chapter one. Just as anonymity encourages experimentation with the standards of the present all three anonymity enhancing tools are experimenting with these standards. At the same time past conventions are still very much present in these tools: functions of anonymity which were already visible years ago are still visible in these online anonymity enhancing tools today. Though, the medium specificity of these tools has changed these functions in one way or another and added a new function. Of course these functions aren’t separated entities, but are very much interconnected. To exemplify, some form of protection might be visible in all the discussed functions. Anonymity for the sake of identity seeking, for offering integrity by liberating the user from environmental pressures, and for offering protection were most prominently visible and will discussed in more depth here.
6.1 Identity The first mentioned function, anonymity as a social tool for identity seeking, is especially visible within Retroshare. While Signal also focusses on sociality, within the messenger the user isn’t anonymous, but rather his communication is. Identity seeking is visible within Tor, but the social perspective isn’t emphasized. Identities within Tor Browser refer to one’s location. The user can change his identity when using the browser, meaning a new Tor circuit will be set up. Both tools don’t emphasize identity seeking. Anonymity within Retroshare on the other hand is very much about revealing and hiding identities. This makes sense as Retroshare is a social networking platform and identity construction has been found a vital part of social networking sites (Zhao, Grasmuck and Martin 1817). Zhao, Grasmuck and Martin have found that identity construction within anonymous online environments differs from non-anonymous situations – offline and online (1830). Identity is therefor a social product performed differently in various contexts depending on the environment in which people find themselves (Zhao, Grasmuck and Martin 1831). Retroshare’s anonymous environment thus influences identity construction. In Retroshare it is essential to have a strong identity so users can authenticate their friends (drbob07, Ideals n.pag). Though, the user can have different identities. He can switch from being completely anonymous within an anonymous forum to being completely known in a private chat with a friend. He can anonymously download files from friends’ friends or reveal himself to his friends’ friends by adding them to his network. Moreover, since 2015 users have the possibility to create pseudo-
39 anonymous identities which they can use to sign forum posts, talk in chat lobbies and send distant messages (Cyril, Version 0.6 n.pag). A user can manage his own identities and have as many pseudo-identities as he wants complete with different avatars and names (Cyril, Version 0.6 n.pag). As Cyril explains: “This decorrelates the identities form the actual nodes of the Retroshare network” (Version 0.6 n.pag). Just as visible within the early city the possibility of having different identities gives Retroshare users the possibility to be different persons within the different spaces within Retroshare. In doing so the user can engage in social interaction without committing his identity to those actions. An identity within Retroshare does not have to be the user’s real identity. He can choose for himself if he wants to insert a real name or a pseudonym. This freedom of choice increases one’s agency and isn’t available in many mainstream social network platforms. As shown before, on social network sites real-world identities are being encouraged as well as being obliged via real name policies. This discourse of the use of real-world identities within social networking is also visible in the lack of journalists covering of social networking within the dark web: “For journalists covering the dark web, the idea of dark web users engaging in social networking in the generic forms we now recognize –for example, friending, following, liking, posting– seems to be unimaginable (Gehl 6). I found this to be true when looking for coverage on Retroshare. There was almost no journalistic coverage of Retroshare – in contrast to Tor and Signal. Social networking which emphasizes anonymity remains outside of the mainstream. This might be explained by the fact that the use of real- world identities on social media has fostered the idea of being safe (Gehl 7). Retroshare presents the opposite idea of anonymously social networking not only being possible, but also being safer as one’s used identities can’t be traced back to the user. All agency about how much of his identity the user wants to reveal lays in the hands of the user. Retroshare is in this sense an identity empowering platform as individuals can distance themselves from environmental constraints. This doesn’t have to mean that the anonymous situation within Retroshare represents a “dreamland for deviant behaviors” (Zhao, Grasmuck and Martin 1831). As Karp explained also within anonymous collective ventures social standards apply (447). Because there are no social standards imposed by Retroshare, these standards lay in the hands of the community itself.
6.2 Integrity All three tools refer to integrity in the form of liberating users from social and political pressures. The forms of free expression these tools offer stimulate integrity. In a blogpost of
40 2015 on Tor’s blog the following is said about the relation between anonymity and liberating the users: “In the protection of free expression, anonymity technology is (…) a necessary counterpart to encryption, giving the individual the ability to choose both what to say and to whom to reveal that she is saying it” (Wseltzer n.pag). Tor’s relative anonymity facilitates opinions and free forms of expression online. Anonymity can in doing so liberate the user from his environment – in the sense of country wide restrictions, but also community wide restrictions about what is accepted and what not. From the point of view of liberating people from governmental restrictions, censorship is a big theme within these tools. Eric Jardine explains that many people use anonymity enhancing tools to circumvent censorship: “In highly repressive regimes, people need to protect their identities online to circumvent censorship and to avoid surveillance. As a result, people in such contexts tend to use a lot of anonymity-granting technologies” (2). Circumventing censorship, for instance by accessing websites which are blocked by national firewalls, is visible within many examples of people using Tor (The Tor Project, Tor Users n.pag). It can for instance be important for activists, bloggers, journalist and militaries (The Tor Project, Tor Users n.pag). Therefor, the Tor Project is committed to provide Tor to countries where its services are blocked. One can download Tor Browser on mirrors of the website and get Tor through email in case of blocking or censoring of the official website (The Tor Project, FAQ n.pag). Retroshare also refers to censorship. Within its homepage the organization states the following reason for using its social network: “Freedom of speech, no censorship” (Retroshare n.pag). For circumventing censorship, Retroshare is advised to be downloaded from the Tor network (Retroshare n.pag). Signal doesn’t refer to free speech and avoiding censorship specifically, but as Signal encrypts and decentralizes its data, it can decrease users’ fear of retaliation for expressing an opinion. This only applies for avoiding governmental censure, as one is using his “real” offline identity within Signal, meaning that social pressure or censure still applies. In Retroshare’s case freedom of speech and avoiding censorship goes beyond censorship by governments and firewalls. Many social networks, like Facebook and Instagram, have community standards which result in the blocking and deleting of content. In Facebook’s case these standards are set up to make people feel safe when using Facebook (Facebook, Community n.pag). Therefor some types of sharing aren’t allowed and can be removed. One standard often critiqued is the forbidding of nudities – and specifically the female nipple.9 On
9 For more information on this look for the #freethenipple, or the following article: http://www.theguardian.com/lifeandstyle/2015/apr/06/free-the-nipple-liberation-photos-breasts
41 Retroshare such community standards aren’t available. Retroshare can’t even remove content as its decentralized model counteracts the central authority to remove content (drbob07, Ideals n.pag). Next to Retroshare also Tor Browser and Signal make use of decentralization techniques. Anonymity through decentralization ensures free speech by circumventing censorship and by letting go of the authority to remove content by not having one central server. Moreover, decentralization makes it less likely that communication can be traced back to a user. In this sense it can make speakers feeling less vulnerable and more willingly to speak freely.
6.3 Protection Just like Griffin suggested that protection has been one of anonymity’s dominant functions over the centuries, protection still seems to be the dominant function of online anonymity. Anonymity as a protective measure can be seen as a meta function. Protection is for instance also visible within circumventing censorship, surveillance, and online profiling. Anonymity’s protective function is strongly visible in Tor Browser, Signal and Retroshare. Tor for instance, was originally developed for the purpose of protecting government communications (Reed, Syverson and Goldschlag 1). In 2016 Tor’s protective mandate is still one of the most prominently visible functions on Tor’s website. The website states the following slogan advocating online anonymity: “Protect your privacy. Defend yourself against internet surveillance and traffic analysis” (Tor n.pag). Tor’s protective function is being centralized. In this sense all three tools profile themselves as counter-surveillance tools, against government surveillance and high-tech eavesdropping. Within Signal protection isn’t necessarily being centralized, but the use of Signal helps securing someone’s information and thereby keeps one’s communication safe (Open Whisper Systems n.pag). Retroshare’s slogan reads: “Secure communication for everyone” (Retroshare n.pag). Retroshare is all about offering security. Just like anonymity, security can offer protection to harm. Anonymity within Retroshare is a mechanism for offering security and thereby protection. On Whisper Systems’ archived website from 2010 it reads the following in capital letters: “UNTAP YOUR PHONE” (Whisper Systems, Home n.pag). This indicates that RedPhone and TextSecure were developed for avoiding high-tech eavesdropping by means of phone tapping. In 2013, when RedPhone and TextSecure were being revived, Marlinspike states: “In an environment of increasingly pervasive surveillance, we want to make it as easy as possible for anyone to be able to organize and communicate securely” (A New Home, n.pag). So, already from its founding circumventing surveillance was an important goal. When introducing
42 Retroshare on its website the following is stated: “Retroshare creates encrypted connections to your friends. Nobody can spy on you” (Retroshare n.pag). And: “Hide information from intelligence agencies and spying companies” (Retroshare n.pag). The social network goes beyond mentioning surveillance by using the stronger verb ‘spying’ which appeals to the imagination. The relation between governments and anonymity enhancing tools in relation to protection is ambiguous. On the one hand surveillance by law enforcement is a reason for people to use anonymity enhancing tools, but on the other hand law enforcement agencies make use of for instance Tor for conducting online surveillance (Schneier n.pag). The US government’s ambiguous relation with Tor is an example of this. Tor’s core encryption principle was developed for protecting government communication and still today one sponsor behind Tor is the US Department of State Bureau of Democracy, Human Rights, and Labor, which has donated from 2013 and will do so until the end of 2016 (The Tor Project, Tor Sponsors n.pag). At the same time in 2013 Edward Snowden revealed that Tor was a high-priority target for the National Security Agency (Schneier n.pag). So, opting out of government surveillance and profiling by means of using anonymity enhancing tools can thus have an opposite effect. While Tor Browser, Signal and Retroshare can be seen as a counter- surveillance tools, the very fact of using them might be an invite for even more profound suspicion and surveillance. The last function of anonymity I want to discuss here is anonymity for the sake of whistleblowing. Tor states that “(…) whistleblowers working for governmental transparency or corporate accountability can use Tor to seek justice without personal repercussions” (The Tor Project, Who Uses Tor n.pag). The medium specificity of Tor – and other encryption tools – offers a platform for sharing information which subsequently can be shared with the world without it being traced back to its origin. Whistleblowing existed long before the internet, but just like the internet and browsing revolves around circulating information. In this sense Tor Browser functions as a distribution model laying between two communication partners. Whistleblowing is a function of anonymity which seems to get a lot of attention today as a thread in popular coverage on anonymity platforms (Gehl 5). Whistleblowing is an issue which is very much connected to online anonymity. I didn’t find information on the relation between anonymity and whistleblowing while looking for historical literature on anonymity before the existence of the internet. Anonymity was described as a protective measurement against retaliation and as a liberator of social and political pressure, but was not specifically mentioned in relation with whistleblowing. I will therefor see whistleblowing as a new
43 function of anonymity. However, Arvind Narayanan argues that the role of anonymity enhancing techniques for whistleblowing shouldn’t be overstated (76). One reason is that protection for whistleblowers is often not offered by these techniques, but by foreign countries and their specific laws. Having said so Narayanan adds: “cryptographic anonymity does seem to be a factor in some whistleblowers’ decisions to take that step” (Narayanan 76). While not being a new phenomenon, whistleblowing seems like a modern issue inherently connected to online anonymity. Tor Browser and Retroshare for instance both offer a platform specifically suited for circulating sensitive information, connecting whistleblowing to online anonymity in a way it wasn’t before the launch of such tools.
To get an overview of the above mentioned functions and their presence in Tor Browser, Signal, and Retroshare, see Figure 22.
Anonymity as.. In Tor Browser? In Signal? In Retroshare?
A social tool for identity seeking A literary convention
A stimulator for integrity A protective measure A tool for combating user profiling for marketing purposes
A tool for preventing high-tech eavesdropping
New Function of anonymity
A tool for whistleblowing
Figure 22: Functions of anonymity within Tor Browser, Signal and Retroshare.
It has become clear that almost all of the discussed functions are manifested in the narratives conveyed by anonymity enhancing tools. Though, anonymity as a literary convention isn’t visible in the tools from the viewpoint of my research. I wouldn’t necessarily say that anonymity as a literary convention can’t be related to online anonymity enhancing tools as I haven’t researched the tools’ users or specific content spread by means of the tools. An ethnographic approach or a more content driven approach might have shown the use of anonymity as a literary convention as visible in anonymous authorship throughout the centuries. All other functions are being narrated through these tools. The functions have the
44 common characteristic of adding to the user’s agency. Online anonymity is narrated as an empowering concept giving the user more possibilities for opposing himself to the status-quo, might it be in the form of seeking and expressing his identity, combating the use of his personal data or combating powerful entities by means of whistleblowing, and so on. While adding to the user’s online agency, these tools are no neutral entities here to bring agency to the user. Anonymity enhancing tools themselves are being shaped by different factors specific to their medium.
7. SHAPING CONTEMPORARY ONLINE ANONYMITY
While analysing Tor Browser, Signal and Retroshare I found three factors which heavily shape the way users can retrieve relative forms of online anonymity. In Galloway’s tradition this makes sense as “interfaces are themselves the effects of other things, and thus tell the story of the lager forces that engender them” (The Interface 1). In shaping these tools these factors shape the concept of online anonymity. Just as the internet as a whole changed the concept of anonymity, so does the medium specificity of Tor, Signal, and Retroshare. Cryptographic ideals, trust, and functionality play a specifically big role within the working of the analysed tools. I will explain their role for contemporary online anonymity further in this chapter.
7.1 Cryptographic ideals As seen before, ideas on cryptography and encryption software are around since the beginning of the internet. The cypherpunk movement has embodied, and still embodies, strong opinions on the importance of encryption for free functioning societies. Tor browser, Signal and Retroshare have adopted some of these cypherpunk ideas in proposing their alternatives to the internet’s status quo. As a Wired article from 1993 – just after the cypherpunk founding meeting- states: “Anyone who decides to spread personal crypto or its gospel is a traveler in the territory of Cypherpunk” (Levy n.pag). All three tools are in cypherpunk territory. Signal’s Moxie Marlinspike and Tor’s Roger Dingledine and Jacob Appelbaum are even specifically mentioned as “noteworthy cypherpunks” (Crofton 8). While Moxie Marlinspike is mentioned as noteworthy for the spread of personal crypto, Signal is not a specifically ideological application. Narayanan explains that: “For cypherpunks, crypto was at the core of a vision of how technology would cause sweeping social and political change, weakening the power of governments and established institutions” (76). Signal does not carry this discourse on its website, but rather focusses on simple secure communication by offering encryption
45 without compromising the functional mandate of a messaging application (Open Whisper Systems n.pag). In doing so the application doesn’t oppose itself to corporate systems, but rather collaborates with companies like WhatsApp and Google to offer “consumer-facing software” (Marlinspike, Reflections n.pag). Signal focuses on addressing the consumer and in doing so in spreading encryption itself, rather than its ideological meaning, as wide as possible. Retroshare is more involved in spreading the ideological meaning of encryption. The tool describes to have designed its platform “for the people”, increasing their agency in deciding about their own privacy and in doing so creating more individual freedom at the expense of corporations and governments (Retroshare n.pag). Tor’s ideology seems especially similar to the cypherpunk ideology in taking on a rather activist point of view. Its view seems comparable with the cypherpunks’ technocratic view on the world in implementing technology for societal problems. In Tor’s own words: “The Tor project is based on the belief that anonymity is not just a good idea some of the time — it is a requirement for a free and functioning society” (The Tor Project, Tor Users n.pag). Cryptographic anonymity is found to be fundamental for a free society. By offering anonymity Tor Browser, Signal and Retroshare have established platforms in which users can potentially refrain from government power. While these ideologies might support an overly technologically deterministic view, according to Narayanan “crypto and other technological tools have a role to play in keeping power in check, whether in protecting those resisting authoritarian regimes or in bringing more transparency to democratic ones” (76). The cryptographic ideals behind Tor Browser, Signal and Retroshare show a narrative of anonymity which is inextricably connected with technology.
7.2 Technological trust For establishing these technologies, trust has been found to be important. Through Tor Browser, Signal and Retroshare trust is explicitly effectuated by means of technology. Tor Browser, Signal and Retroshare create different layers of trust. Tor Browser separates the users’ actions from his destination. User data is being distributed over several relays. If needed, in case of censorship for instance, an extra layer of trust can be created through a bridge which isn’t listed in public. Signal encrypts messages when in transition by a key management system and doesn’t keep user data on a central server. Retroshare encrypts communication and also keeps its data on a decentralized network. By means of these measures the tools function like distribution platforms for anonymous communication. Because the tools and their servers aren’t able to decrypt data they are deemed to be trusted.
46 As the Tor Project puts it, in other cases “you have to trust the provider isn't watching your traffic” (The Tor Project, FAQ n.pag). Signal deepens into the question of trust as well. One of its frequently asked questions reads: “Is it private? Can I trust it?” (Kolenkina n.pag). The question is answered by mentioning the fact that Open Whisper Systems doesn’t have access to the content of messages. So, in these tools the factors which enhance one’s anonymity are also the factors which create trust, namely decentralization and encryption. In the answer to the question “Can I trust it [Signal]?” another layer of trust becomes visible. Next to the fact that Open Whisper Systems doesn’t have access to user data and communication, Signal answers the question by stating that Signal’s complete source code is available on code hosting platform GitHub (Kolenkina n.pag). Tor and Retroshare are also open source. Open source ensures that these applications encrypt user data as promised by making its code publicly available and thereby publicly verifiable. Moreover, it adds another layer of anonymity by the fact that anyone could anonymously help building, verifying and improving the software projects. Anonymity is widely accepted in open source culture. To exemplify, for using GitHub one could easily use a pseudonym. Moreover, the creator of Signal remains anonymous by means of his pseudonym Moxie Marlinspike, and so does the creator of Retroshare, drbob. In the case of open source, it doesn’t matter if a person is “trustworthy” as long as the software he produces is, which can be easily found out as all the code is freely available. This makes open source an interesting model for anonymity. However, this model is difficult to employ in other environments than software development as verifying trustworthiness in most environments is more abstract than the checking of lines of code. While creating a layer of trust, Galloway argues that “open source does not mean the unvarnished truth, but rather a specific communicative artifice like any other” (9). For this reason, for Galloway the question isn’t if a system is more open or less open in comparison with other systems of knowledge, but rather how open source shapes these systems (9). From this point of view encryption as a transmitter of information is shaped by open source. To exemplify, messaging application Viber’s announcement of an own end-to-end encryption update in April of this year was met with critique because the used code wasn’t open source. As technology platform The Next Web wrote: “Without an independent audit, we really have no choice but to trust the company when it says our messages are secure” (Clark n.pag). TechCrunch adds: “Online messages are only as secure as the encryption used to protect them, and it can be difficult to build trust in a product if its maker isn’t transparent about security” (Conger n.pag). Open source is deemed important because it establishes trust in the
47 company by making sure it can’t decrypt user data, but also in the used code by making sure it offers enough security. According to the narratives that Tor, Signal and Retroshare – but also media outlets – pursue therefor within open source lays truth. However, in essence open source is just a new way of structuring information and material resources (Galloway, The Interface 10). Galloway argues that open source was once an intellectual intervention, but is now part of the mechanical infrastructure, whereby critique is being co-opted as “fuel” for capitalism (The Interface 9). Open source structures encryption software and by doing so encryption as a system for transmission has become a system which strives for openness. However, according to Galloway open source media objects aren’t necessarily as open as applauded. He explains: “Open source software follows the principle of source concealment, just as proprietary software does. Hence it is not the ability to view the source that is at question, but whether or not the source is put front and centre as the medium itself” (The Interface 68). As the interface analyses of Tor Browser, Signal and Retroshare showed their sources weren’t put front and centre. From this point of view Retroshare is most “open”, but also in the case of Retroshare the code is not viewed as it is, but heavily cultivated to make it operable.
7.3 Functionality Software is made operable through the interface. To make the software operable the interface is made functional and easily usable. It is therefor not illogical that within Tor Browser, Signal and Retroshare functionality is an important factor. Simplicity within the interface is Signal’s main goal, and Tor is also struggling with the usability of its browser. In 2016 Open Whisper Systems’ mission states: “Making private communication simple” (Open Whisper Systems n.pag). By offering simple usability Signal tries to reduce the friction needed for ordinary people to make us of secure communication. Oppositely Retroshare’s interface isn’t simple, but offers many choices. While in this sense adding to the agency of the users who use Retroshare it is by far the least used anonymity enhancing tool of the three. In 2014 there were only approximately 5800 Retroshare users (Retroshare dev team, n.pag). Of course Retroshare’s difficult interface and its amount of users aren’t necessarily in cause and effect, but users are used to frictionless interfaces because of the widespread implementation of easy interfaces by mainstream media. Just as Galloway argues, it has become clear that the more traces of its own functioning are erased in the interface the more the system succeeds in its functional mandate (The Interface 25). To exemplify, as Tor Browser’s designers explained, if the interface doesn’t work in the same way users expect they might be confused, make
48 mistakes reducing their anonymity or stop using the tool (Perry, Clark and Murdoch n.pag). According to Galloway the functional mandate undercuts the ultimate goal: “the more intuitive a device becomes, the more it risks falling out of media altogether, becoming as naturalized as air or as common as dirt. To succeed, then, is at best self-deception and at worst self-annihilation” (The Interface 25). He argues that precisely operability induces inoperability, making this systemic relation a non-relation (Galloway, The Interface 26). If the interface works perfectly the relation between user and interface erases itself. The relation between user and interface only exists if the interface fails. So, when these tools don’t work as users expect they start to think about what is behind the interface. When for instance Tor doesn’t work because of a censored network, the user can click the network settings finding out that for Tor to work proxies and bridges are important. In another example the Tor Project mentions this non-relation when explaining language preferences: “If you really want to see Google in English you can click the link that provides that. But we consider this a feature with Tor, not a bug --- the Internet is not flat, and it in fact does look different depending on where you are. This feature reminds people of this fact” (The Tor Project, FAQ n.pag). As browsers automatically apply language preferences, this factor of browsers becomes naturalized for the user. When Tor Browser’s interface doesn’t automatically use the language the user prefers he is reminded to the fact that the internet is not natural or flat. When using Retroshare, because of all its flaws the user is being reminded to the relation between himself and the interface. This relation would thus according to Galloway’s argument still exist, while the relation between the user and Signal’s interface would be a non-relation. Anonymity within Signal is being naturalized, users aren’t necessarily aware of the levels of anonymity processed in the application. Anonymity is a natural component mostly working through Signal’s back-end. Anonymity within Tor Browser and Retroshare is less natural. The user is being confronted with many of the workings and ideals behind anonymity through the interface.
CONCLUSION
Online anonymity offers individuals a way out of specific historically imposed limitations of the internet. As an alternative, online anonymity challenges the current online status quo in which individuals are highly exposed and in which online privacy seems a concept crumbling away. By historically analysing the concept of online anonymity and deploying it as framework for examining the back end and front end of anonymity enhancing tools it became clear that online anonymity has the ability to offer society many purposes. Anonymity has a
49 long history of protecting the individual, adds to personal freedoms and empowers the individual in finding his identity. In doing so online anonymity adds to diversity in society. In the tradition of Lovink and Rasch, and Gehl this research has focussed on alternative media forms. The anonymity enhancing tools I studied haven’t been extensively researched, while these tools provide interesting insights on how online cultures could be organized differently. By turning away from powerful mainstream media platforms this research has examined how online anonymity can offer a meaningful addition to debates on the prevailing paradigm of datafication. Examining these tools from a social perspective provided a lens for exploring the narratives of online anonymity tools and the social implications of online anonymity. To this end, Tor Browser, Signal and Retroshare have served as useful case studies. They all present a slightly different model for effectuating online anonymity, but in accordance all distance themselves from the accumulation of power through centralization and the tracking of user data. By means of decentralization and encryption Tor Browser, Signal, and Retroshare address emerged problems in mainstream media regarding the user’s privacy, agency and safety. By doing so they protect their users from contemporary online issues as surveillance and profiling, and can empower them in finding and expressing identity. Tor Browser, Signal, and Retroshare showed that the functions anonymity served over the years didn’t necessarily change a lot, but rather that more dimensions and technical layers were added to the concept of anonymity, effecting online anonymity’s functions. This is visible in three forces which play a specifically big role in shaping contemporary online anonymity, namely cryptographic ideals, trust, and functionality. Online anonymity is almost inextricably connected to encryption, which often is idealistic from nature. Moreover, it is effectuated through technical trust mechanisms like open source, decentralization and encryption. Functional mandates highly structure the use of online anonymity enhancing tools. Galloway’s definition of the interface has shown that the interfaces of these tools are subject to definition and alteration according to a set of principles for action. These specific abstract definitions form online anonymity. These anonymity enhancing tools have presented models for browsing, messaging and social networking which have the ability to transform their mainstream versions. While these tools are all build upon donations and funds, and thereby aren’t presenting an alternative model easily workable for mainstream businesses, Signal shows that forms of anonymity can be consumer-based. One could argue that while Signal was once an alternative, has now become part of the status-quo of messaging. This shows that encryption can be become
50 common for the large public and be a part of everyday life – even naturalized. If the information economy keeps on growing towards more commodification of personal data and society keeps on growing towards more surveillance by means of personal data, online anonymity can become a much needed answer, not only as an alternative, but as a mainstream component of everyday life.
REFERENCES
Abbott, Timothy, et al. "Browser-based Attacks on Tor." Privacy Enhancing Technologies. Springer Berlin Heidelberg, 2007. Card, John. “Anonymity is the Internet’s Next Big Battleground.” The Guardian. 2015. 28 April 2016. < http://www.theguardian.com/media-network/2015/jun/22/anonymity- internet-battleground-data-advertisers-marketers>. Cheredar, Tom. "Twitter Acquires Android Security Startup Whisper Systems". VentureBeat. 2011. 14 April 2016.
51 Digital Cash, and Distributed Databases." Pittburgh Journal of Law and Commerce 15 (1996): 395. Froomkin, Michael. "The Death of Privacy?" Stanford Law Review (2000): 1461-1543. Galloway, Alexander. "Protocol, or, How Control Exists after Decentralization." Rethinking Marxism 13.3-4 (2001): 81-88. Galloway, Alexander. The Interface Effect. Cambridge: Polity Press, 2012. Garber, Judith. "Not Named or Identified: Politics and the Search for Anonymity in the City.” Gendering the City: Women, Boundaries and Visions of Urban Life (2000): 19-40. Garling, Caleb. "Twitter Open Sources Its Android Moxie". WIRED. 2011. 24 May 2016.
52 Dame Law Review 82.4 (2006): 1537-1604. Lofland, Lyn. A World of Strangers: Order and Action in Urban Public Space. New York: Basic Books, 1973. Long, George. "Who Are You? Identity and Anonymity in Cyberspace." Univesity of Pittsburgh Law Review 55 (1993): 1177. Lovink, Geert, and Miriam Rasch. Unlike us Reader: Social Media Monopolies and Their Alternatives. No. 8. Institute of Network Cultures, 2013. Manovich, Lev. The Language of New Media. MIT press, 2001. Mayer-Schönberger, Viktor, and Kenneth Cukier. Big Data: A Revolution That Will Transform How We Live, Work, and Think. Houghton Mifflin Harcourt, 2013. May, Timothy. ([email protected]), “The Crypto Anarchist Manifesto.” E-mail to: Cypherpunks of the World (Unknown). 22 November 1992. McCarthy, Kieren. “Ban Internet Anonymity – Says US Homeland Security Official.” The Register. 2016. 28 April 2016 < http://www.theregister.co.uk/2016/01/27/homeland _security_says_ban_internet_anonymity>. Mullan, John. Anonymity: A Secret History of English Literature. New Jersey: Princeton University Press, 2007. Narayanan, Arvind, et al. “A Critical Look at Decentralized Personal Data Architectures.” arXiv:1202.4503 (2012). Narayanan, Arvind. "What Happened to the Crypto Dream? Part 1." IEEE Security & Privacy 2 (2013): 75-76. North, Marcy. The Anonymous Renaissance: Cultures of Discretion in Tudor-Stuart England. University of Chicago Press, 2003. O’Malley, Susan Gushee. “Was Anonymous a Jokester?: The Anonymous Pamphlet Haec- Vir: Or The Womanish-Man”. Anonymity in Early Modern England:’Whats in a Name?’. Eds. Janet Wright Starner and Barbara Howard Traister. Ashgate Publishing, 2013. Pasquale, Frank. The Black Box Society: The Secret Algorithms that Control Money and Information. Harvard University Press, 2015. Raley, Rita. “Dataveillance and Countervailance”. Raw Data’ is an Oxymoron. Ed. Lisa Gitelman. Cambridge: MIT Press, 2013. 121-146. Reed, Michael, Paul Syverson and David Goldschlag. "Anonymous Connections and Onion Routing." IEEE Journal on 16.4 (1998): 482-494. Rottermanner, Christoph, et al. “Privacy and Data Protection in Smartphone Messengers”. Proceedings of the 17th International Conference on Information Integration and Web-based Applications & Services. ACM, 2015. Schneier, Bruce. "Attacking Tor: How The NSA Targets Users' Online Anonymity". The Guardian. 2013. 24 May 2016. < http://www.theguardian.com/world/2013/oct/04/tor- attacks-nsa-users-online-anonymity> . Solove, Daniel J. “Introduction: Privacy Self-Management and the Consent Dilemma.” Harverd Law Review. 126 (2012): 1880. Starner, Janet Wright, and Barbara Howard Traister, eds. Anonymity in Early Modern England:'What's in a Name?'. Ashgate Publishing, 2013. Zhao, Shanyang, Sherri Grasmuck, and Jason Martin. "Identity Construction on Facebook:
53 Digital Empowerment in Anchored Relationships." Computers in human behavior 24.5 (2008): 1816-1836. Zimmermann, Philip, Alan Johnston, and Jon Callas. ZRTP: Media Path Key Agreement for Unicast Secure RTP. RFC 6189. 2011.
Tool documentation Cyril. “Cryptography and Security in Retroshare”. Retroshare. 2012. 21 April 2016.
54 Marlinspike, Moxie. “Signal on the Outside, Signal on the Inside”. Open Whisper Systems. 2016. 12 April 2016. < https://whispersystems.org/blog/signal-inside-and-out/> Marlinspike, Moxie. “Simplifying OTR Deniability”. Open Whisper Systems. 2013. 12 April 2016. < https://whispersystems.org/blog/simplifying-otr-deniability/>. Marlinspike, Moxie. “The Difficulty of Private Contact Discovery”. Open Whisper Systems. 2014. 12 April 2016. < https://whispersystems.org/blog/contact-discovery/ >. Marlinspike, Moxie. “TextSecure, Now with 10 Million More Users”. Open Whisper Systems. 2013. 12 April 2016.
55 Archive_.
56