Opinion: Levels of Safety Online

The Mozilla All-Hands this week gave me the opportunity to explore an exhibit about the “Mozilla Worldview” that Mitchell Baker has been working on. The exhibit sparked some interesting and sometimes heated discussion (as a direct result of my decision to express unpopular-sounding opinions), and helped me refine my opinions on what it means for someone to be “safe” on the internet.

Spoiler: I think that there are many different levels of safety that someone can have online, and the most desirable ones are also the most difficult to attain.

Obligatory disclaimer: These are my opinions. You’re welcome to think I’m wrong. I’d be happy to accept pull requests to this post adding tools for attaining each level of safety, but if you’re convinced I’m wrong, the best place to say that would be your own blog. Feel free to drop me a link if you do write up something like that, as I’d enjoy reading it!

Safety to Consume Desired Information

I believe that the fundamental layer of safety that someone can have online is to be able to safely consume information. Even at this basic level, a lot of things can go wrong. To safely consume information, people need internet access. This might mean free public WiFi, or a cell phone data plan. Safety here means that the user won’t come to harm solely as a result of what they choose to learn. “Desired information” means that the person gets a chance to find the “best” answer to their question that’s available.

How could someone come to harm as a result of choosing to learn something? If you’ve ever joked about a particular search getting you “put on a watch list”, I’m sure you can guess. I happen to hold the opinion that knowledge is an amoral tool, and it’s the actions that people take for which they should be held accountable – if you believe that there exist facts that are inherently unethical to know, we’ll necessarily differ on the importance of this safety.

How might someone fail to get the information they desired? Imagine someone searching for the best open source social networking tools on a “free” internet connection that’s provided and monitored by a social networking giant. Do you think the articles that turn up in their search results would be comparable to what they’d get on a connection provided by a less biased organization?

Why “desired information”, and not “truth”? My reason here is selfish. I enjoy learning about different viewpoints held by groups who each insist that the other is completely wrong. If somebody tried to moderate what information is “true” and what’s “false”, I would probably only be allowed to access the propaganda of at most one of those groups.

Sadly, if your ISP is monitoring your internet connection or tampering with the content you’re trying to view, there’s not a whole lot that you can do about it. The usual solution is to relocate – either physically, or feign relocation by using an onion router or proxy. By building better tools, legislation, and localization, it’s plausible that we could extend this safety to almost everyone in the world within our lifetimes.

Safety to Produce Information Anonymously

I think the next layer of internet safety that people need is the ability to produce information anonymously. The caveat here is that, of course, nobody else is obligated to choose to host your content for you. The safety of hosting providers, especially coupled with their ability to take financial payment while maintaining user anonymity, is a whole other can of worms.

Why does producing information anonymously come before producing information with attribution? Consider the types of danger that accompany producing content online. Attackers often choose their victims based on characteristics that the victims have in the physical world. Attempted attacks often cause harm because the attacker could identify the victim’s physical location or social identity. While the best solution would of course be to prevent the attackers from behaving harmfully at all, a less ambitious but more attainable project is to simply prevent them from being able to find targets for their aggression. Imagine an attacker determined to harm all people in a certain group, on an internet where nobody discloses whether or not they’re a member of that group: The attacker is forced to go for nobody or everybody, neither of which is as effective as an individually targeted attack. And that’s just for verbal or digital assaults – it is extremely difficult to threaten or enact physical harm upon someone whose location you do not know.

Systems that support anonymity and arbitrary account creation open themselves to attempted abuse, but they also provide people with extremely powerful tools to avoid being abused. There are of course tradeoffs – it takes a certain amount of mental overhead, and might feel duplicitous, to use separate accounts for discussing your unfashionable political views and planning the local block party – but there’s no denying how much less harm it is possible to come to when behaving anonymously than when advertising your physical identity and location.

How do you produce information anonymously? First, you access the internet in a way that won’t make it easy to trace your activity to your house. This could mean booting from a LiveCD and accessing a public internet connection, or booting from a LiveCD and using a proxy or onion router to connect to the sites you wish to access in order to mask your IP address. A LiveCD is safer than using your day-to-day computer profile because browsers store information from sites you visit, and some information about your operating system is sometimes visible to sites you visit. Using a brand-new copy of your operating system, which forgets everything when you shut down, is an easy way to avoid revealing those identifying pieces of information.

Proofread anything that you want to post anonymously to make sure it doesn’t contain any details about where you live, or facts that only someone with your experiences would know.

How do you put information online anonymously? Once you have a connection that’s hard to trace to your real-world self, it’s pretty simple to set up free accounts on mail and web hosting sites under some placeholder name.

Be aware that the vocabulary you use and the way you structure your sentences can sometimes be identifying, as well. A good way to strip all of the uniqueness from your writing voice is to run a piece of writing through http://hemingwayapp.com/ and fix everything that it calls an error. After that, use a thesaurus to add some words you don’t usually use anywhere else. Alternately, you could run it through a couple different translation tools to make it sound less like you wrote it.

How do you share something you wrote anonymously with your friends? Here’s the hard part: You don’t. If you’re not careful, the way that you distribute a piece of information that you wrote anonymously can make it clear that it came from you. Anonymously posted information generally has to be shared publicly or to an entire forum, because to pick and choose exactly which individuals get to see a piece of content reveals a lot about the identity of the person posting it.

Doing these things can enable you to produce a piece of information on the internet that would be a real nuisance to trace back to you in real life. It’s not impossible, of course – there are sneaky tricks like comparing the times when you use a proxy to the times when material shows up online – but someone would only attempt such tricks if they already had a high level of technical knowledge and a grudge against you in particular.

Long story short, in most places with internet access, it is possible but inconvenient to exercise your safety to produce information anonymously. By building better online tools and hosting options, we can extend this safety to more people who have internet access.

Safety to Produce Information Pseudonymously

An important thing to note about producing information anonymously is that if you step up and take credit for another piece of information you posted, you’re less anonymous. Add another attribution, and you’re easier still to track. It’s most anonymous to produce every piece of information under a different throwaway identity, and least anonymous to produce everything under a single identity even if it’s made up.

Producing information pseudonymously is when you use a fake name and biography, but otherwise go about the internet as the same person from day to day. The technical mechanics of producing a single pseudonymous post are identical to what I described for acting “anonymously”, but I differentiate pseudonymity from anonymity in that the former is continuous – you can form friendships with other humans under a pseudonym.

The major hazard to a pseudonymous online presence is that if you aggregate enough details about your physical life under a single account, someone reading all those details might use them to figure out who you are offline. This is addressed by private forums and boards, which limit the number of possible attackers who can see your posts, as well as by being careful of what information you disclose. Beware, however, that any software vulnerability in a private forum may mean its contents suddenly become public.

In my opinion, pseudonymous identity is an excellent compromise between the social benefits of always being the same person, and physical safety from hypothetical attackers. I find that behaving pseudonymously rather than anonymously helps me build friendships with people whom I’m not sure at first whether to trust, while maintaining a sense of accountability for my reputation that’s absent in strictly anonymous communication. But hey, I’m biased – you probably don’t know my full name or home address from my web presence, so I’m on the pseudonymity spectrum too.

Safety to Produce Information with Accurate Attribution

The “safety” to produce information with attribution is extremely complex, and the one on which I believe most social justice advocates tend to focus. It is as it sounds: Will someone come to harm if they choose to post their opinions and location under their real name?

For some people, this is the easiest safety to acquire: If you’re in a group that’s not subject to hate crimes in your area, and your content is only consumed by people who agree with you or feel neutrally toward your views, you have this freedom by default.

For others, this safety is almost impossible to obtain. If the combination of your appearance and the views you’re discussing would get you hurt if you said it in public, extreme social change would be required before you had even a chance at being comparably safe online.

I hold the opinion that solving the general case of linking created content to real-world identities is not a computer problem. It’s a social problem, requiring a world in which no person offended by something on the internet and aware of where its creator lives is physically able to take action against the content’s creator. So it’d be great, but we are not there yet, and the only fictional worlds I’ve encountered in which this safety can be said to exist are impossibly unrealistic, totalitarian dystopias, or both.

In Summary

In other words, I view misuse of the internet as a pattern of the form “Creator posts content -> attacker views content -> attacker identifies creator -> attacker harms creator”. This chain can break, with varying degrees of difficulty, at several points:

First, this chain of outcomes won’t begin if the creator doesn’t post the content at all. This is the easiest solution, and I point out the “safety to consume desired content” because even someone who never posts online can derive major benefits from the information available on the internet. It’s easy, but it’s not good enough: Producing as well as consuming content is part of what sets the internet apart from TV or books.

The next essential link in the chain is the attacker identifying the content’s creator. If someone has no way to contact you physically or digitally, all they can do is shout nasty things to the world online, and you’re free to either ignore them or shout right back. Having nasty things shouted about your work isn’t optimal, but it is difficult to feel that your physical or social wellbeing is jeopardized by someone when they have no idea who you are. This is why I believe that the safety to produce information anonymously is so important: It uses software to change the outcome even in circumstances where the attacker’s behavior cannot be modified. Perfect pseudonymity also breaks this link, but any software mishap or accidental over-sharing can invalidate it instantly. The link is broken with fewer potential points of failure by creating content anonymously.

The third solution is what I alluded to when discussing the safety of pseudonymity: Prevent the attacker from viewing the content. This is what private, interest-specific forums accomplish reasonably well. There are hazards here, especially if a forum’s contents become public unintentionally, or if a dedicated attacker masquerades as a member of the very group they wish to harm. So it helps, and can be improved technologically through proper security practices by forum administrators, and socially via appropriate moderation. It’s better, from the perspective that assuming the same online identity each day allows creators to build social bonds with one another, but it’s still not optimal.

The fourth and ideal solution is to break the cycle right at the very end, by preventing the attacker from harming the content creator. This seems to be where most advocates argue we should jump straight in, because it’s really perfect – it requires no change or compromise from content creators, and total change from those who might be out to harm them. It’s the only solution in which people of all appearances and beliefs and locations are equally safe online. However, it’s also the most difficult place to break the cycle, and a place at which any error of implementation would create the potential for incalculable abuse.

I’ve listed these safeties in an order that I regard as how feasible they are to implement with today’s social systems and technologies. I think it’s possible to recognize the 4th safety as the top of the heap, without using that as an excuse to neglect the benefits which can come from bringing more of the world its 3 lesser but far more attainable cousins.