Monday, April 11, 2005

 

Disclaimer: There is no such thing as anonymous blogging

anonymous:
1 : not named or identified
2 : of unknown authorship or origin
3 : lacking individuality, distinction, or recognizability

I first became aware of/interested in computer privacy issues after driving to Houston for a computer law forum I found out about through Usenet done by EFH (which I understand later merged with EFF-Austin). Over the years since then, many people have pegged me as slightly paranoid. Whatever.

The Electronic Frontier Foundation (EFF) recently published the article "How To Blog Safely (About Work or Anything Else)".

The general intent of the article seems honorable, but there appear to be some problems with it. Grave problems. The first problem is that there's no disclaimer. In fact, consider how the article sums itself up in the last sentence:

As long as you blog anonymously and in a work-safe way, what you say online is far less likely to come back to hurt you.

I can possibly be hurt if I'm blogging anonymously? If I can be hurt because of something I've blogged, that means that I really was not anonymous in the first place.

There is no such thing as anonymous blogging.

To speak of "anonymous blogging" only gives one a false sense of security. The article should have had a big fat disclaimer. Even if you're using TOR, as the article suggests, it is still pretty straightforward to connect you to your blog. This can be done by analyzing your writing style or by sneaking a keylogger onto your away-from-the-office computer.

The article considers that your hosting service is in a position to capture your IP address:

If you are worried that your blog-hosting service may be logging your unique IP address and thus tracking what computer you're blogging from, you can...

But anyone can capture your IP address! I don't blog anonymously because I know it's impossible. I obviously use blogger.com. When someone replies to a post of mine, I get an email notification. The first thing I do, of course, is to read it. Suppose it includes a link to a website. I click on it. I have just given away my IP address, my browser and operating system and a lot of software configuration on my system that can be read by JavaScript. Busted. Now, someone at my office sends me a separate email directly and has me click on another link and they simply compare the results. Even if I'm logging in from my laptop with a different IP address, the other information will be the same. Of course, they can also do a lexical comparison and/or attach a keylogger to my computer.

Like anything, it depends on the costs. If you're not saying anything on your blog to piss anyone off, then you're safe. Nobody is going to spend any effort. But, if you say something that pisses someone off who has the resources to do it, your false sense of security may come back to bite you.
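The link-click comparison described above, as an added example that is not part of the original post: two constructed visit records from the same laptop on different networks are compared with the IP address ignored, showing which attributes stay constant and would have to change before the visits looked unrelated. All attribute names and values are made up for illustration, and the hash is plain FNV-1a used only as a short label.

```javascript
// Constructed sample records (not from the original post): attributes a web
// server and a page script could log when a link is followed.
const base = {
  userAgent: "ExampleBrowser/1.0 (ExampleOS 5.1; en-US)", // constructed value
  platform: "ExampleOS",
  language: "en-US",
  screen: "1400x1050x32",
  timezoneOffset: 360,
  plugins: ["Flash 7.0", "QuickTime 6.5", "Acrobat 6.0"],
};
const homeVisit = { ip: "203.0.113.24", ...base };   // link in a blog comment
const officeVisit = { ip: "198.51.100.7", ...base }; // link in a work e-mail
const otherReader = { ip: "192.0.2.99", ...base,
  screen: "1024x768x32", plugins: ["Flash 7.0"] };   // a different machine

// Serialize every attribute except the ignored ones, in a fixed key order.
function canonical(visit, ignore = ["ip"]) {
  return Object.keys(visit)
    .filter((k) => !ignore.includes(k))
    .sort()
    .map((k) => `${k}=${JSON.stringify(visit[k])}`)
    .join("\n");
}

// 32-bit FNV-1a, a non-cryptographic hash used here only as a compact label.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

const fingerprint = (visit) => fnv1a(canonical(visit));

// Two visits are linkable when everything but the IP address is identical.
const sameBrowser = (a, b) => canonical(a) === canonical(b);

// Attributes with identical values in both visits: the ones that link them.
function sharedAttributes(a, b) {
  return Object.keys(a)
    .filter((k) => k in b && JSON.stringify(a[k]) === JSON.stringify(b[k]))
    .sort();
}

console.log("home  :", homeVisit.ip, fingerprint(homeVisit));
console.log("office:", officeVisit.ip, fingerprint(officeVisit));
console.log("linked:", sameBrowser(homeVisit, officeVisit),
            "via", sharedAttributes(homeVisit, officeVisit).join(", "));
```

The `ip` field never appears in the shared list for the two laptop visits, yet they are still reported as the same browser, which is the point the post makes about changing networks.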

Comments:
But sometimes I use 'anonymous' simply so that other readers of a particular blog won't know who I am. If I blog anonymously as I am doing right now, I am smart enough to know that *you* know who I am because we are friends and I know all about your extraordinary geek superpowers! :) If I blog anonymously on some stranger's blog and never return as the 'real' me, then how will that person ever know my true identity?
 
If the stranger is hosting his own blog, then it is simple. The stranger can compare the IP address (and your browser and operating versions and some other software configs) of the anonymous visit to the non-anonymous visit.

However, if the stranger is using someone else's server/service (typepad.com, blogger.com, etc), then the stranger will generally not have access to that information.

Again, one must not underestimate the stranger's ability to analyze writing style. For instance, if the anonymous user uses the *word* for emphasis, that would be a signature to tie to the non-anonymous account.
 