This is not my story. It was written by a person who would like to remain anonymous.
Recently, I was communicating with them about my views on anonymity on blogs. They told me this story about how their shield of anonymity had been breached. They explained they wanted to warn others, but didn’t want to put it under their own identity – because of the very breach they were warning about. I offered them a forum here, so it could be posted anonymously. – Julian
Secure Email is Hard
Ever since Phil Zimmerman wrote an application called PGP way back in the pre-bubble times, it has been the most obvious, and sometimes only, choice for encrypting email conversations.
Since then it has matured, been sold off, commercialised, re-implemented by the GNU project as the GNU Privacy Guard, and is still in wide use. However, the main barrier to its success have always been the limitations imposed by the nature of secure communications. In order for me to encrypt mail to you I need to know that you are who you say you are. This is where the complexity comes in.
The GNU Privacy Handbook is an attempt to distil down the most basic theory and practice of the tool without sacrificing security. It is absolutely essential reading for users of the GNU Privacy Guard, and a pretty good introduction to the world of secure email communication.
One thing that the GNU Privacy Handbook does not discuss is the limitations of the tool in maintaining independent identities. This is what I want to address here.
GnuPG Identity Management
When you create a keypair (used for encrypting and signing things in GnuPG), you associate to it one or more “user IDs”. These are basically email addresses with an optionally associated real name and comment. As they put it:
Only one user ID is created when a key is created, but it is possible to create additional user IDs if you want to use the key in two or more contexts, e.g., as an employee at work and a political activist on the side. A user ID should be created carefully since it cannot be edited after it is created.
User IDs can be signed to indicate that other people attest to your identity.
Normally, a user ID collects signatures that attest that the user ID describes the person who actually owns the associated key. In theory, a user ID describes a person forever, since that person will never change. In practice, though, elements of the user ID such as the email address and comment may change over time, thus invalidating the user ID.
The implications here may not be obvious. They certainly weren’t to me, anyway, so I’ll spell it out.
User IDs are irrecoverably bound to each other.
In the example given, namely of an employee and political activist, it is quite likely that the GnuPG solution of having two user IDs for the same keypair is actually not what the person (let’s call him Bob) wants. It is more likely that they want two separate keypairs to correspond to the two separate digital identities. Bob probably doesn’t want anyone to know that bob@halliburton.com is the same person as bob@socialist-alliance.org.
This highlights the difference between privacy and anonymity. Privacy applies to the communication between two parties, and anonymity applies to the identity of a single party.
(Anonymity is a somewhat undesirable term here because it implies, through colloquial usage, a disposable identity which is not capable of strong authentication. Perhaps a better general term is independent digital identity.)
GnuPG gives you privacy of communication, but it does not (automatically) give you independent digital identities. The distinction is sometimes subtle and easy to forget. It was brought home forcefully to me recently, courtesy of GnuPG.
A Cautionary Tale
I maintain an online identity which until recently was more-or-less separate from my real life identity. It had an email address which I used to keep separate from my other email addresses. It was not associated with my surname so that I could not be identified that way either.
All that changed when I added my online identity to my GnuPG keypair. At the time I didn’t fully appreciate what I was doing (perhaps lulled into a false sense of security by the wording of the GNU Privacy Handbook quoted above). All of a sudden my online identity was irrevocably bound to my real life identity. I only realised this after uploading the public key to the public keyserver network.
I couldn’t undo it either. I could remove the problematic user ID from my public key, but according to the privacy handbook this doesn’t do any good:
By default, when a user imports your updated public key it will be merged with the old copy of your public key on his ring if it exists. The components from both keys are combined in the merge, and this effectively restores any components you deleted. To properly update the key, the user must first delete the old version of your key and then import the new version. This puts an extra burden on the people with whom you communicate. Furthermore, if you send your key to a keyserver, the merge will happen regardless, and anybody who downloads your key from a keyserver will never see your key with components deleted.
The public key which now contained all of my email addresses was now the means by which my previously independent online-only identity could be connected to my real life identity. Which meant that through the PGP keyservers you could go from my online identity to my real name, to my current and previous employers.
This is why I agreed with Julian to publish this anonymously. I can’t publish it using my online identity for obvious reasons. However I don’t believe it is a well-understood limitation of GnuPG (and other PGP-alikes) that one and only one identity is supported. So I am writing this to explain the situation and hopefully prevent others from “leaking” anonymity in the way that I did.
Maintaining separate digital identities is hard. There are lots of ways in which you can accidentally leak one identity into another. Hopefully after reading this you will be on guard against at least one of these.
Comment by Sunny Kalsi on January 30, 2006
It’s interesting that you mention the inability of something that’s supposed to verify your identity to anonymise you. I guess it’s the implication of privacy that gives people the impression that what they do is secret, and hence nobody knows who they are. Even if you understand the technology, I think there’s sometimes an underlying “feeling” of privacy which overlaps anonymity and secrecy.
However, take two separate websites that work co-operatively. They both leave cookies on your machine (say, to track your buying habits). You could log in under two usernames and those two usernames would also be linked, merely from the act of logging in using the same web browser. This is similar to what you’re talking about, except the information is not available to everyone.
In any case, I’m thinking you could probably invalidate both keys (or really just the one) and claim that you were h4x0r3d. People could still see the invalidated key, but they’d probably (correctly) assume that they could no longer trust the identity, even if it contains both emails.