Eugene Kaspersky: My Thoughts on Internet Anonymity

Guest editorial by Eugene KasperskyThere seems to be quite a loud
response to what I thought was a rather simple idea. In this post, I am
going to go over the main points – somewhere when I have more time I’ll
share my ideas in detail so people could see exactly what I am
proposing.

There seems to be quite a loud response to what I thought was a rather simple idea. In this post, I am going to go over the main points – somewhere when I have more time I’ll share my ideas in detail so people could see exactly what I am proposing.

  1. Common users are NOT anonymous for police and governments. Today the authorities can find any person they are after easily. There is a wrong perception about Internet anonymity – very few people realize that it does not exist for ordinary users. But the worst part of the story is that the ones who are truly anonymous are professional cyber criminals, because they know what to do to hide their real identities in the Internet. That is why we have millions of malicious programs and successful network attacks every year, and we don’t know who’s behind them.
  2. When I say “no anonymity” I mean only “no anonymity for security control.” I don’t care about the way people behave on blogs, forums, social networks and pirate torrent portals. You may use nicks or real names as you want (as we do today). The only “no more anonymity” improvement – you MUST present your ID to your Internet provider when you are connecting online. It is only the provider who needs to know your real identity.
  3. Another way to go is dedicated anonymous networks and dedicated business/government networks – why not? But all LEGAL businesses/services will want to use secure networks, and unsecure networks will be probably limited to casual communication.
  4. When is it going to happen? Never… or in one-two generations. After some really serious IT incidents, which will have a serious impact on national and/or global economies. I am now talking not only about cybercrime, but also about cyberterrorist attacks. We already see the first signs of emerging cyberterrorism – and global anonymity is a really favorable factor for these people.Imagine that everyone flying in your plane is anonymous, so you don’t know who they are and what they’re up to – are you really going to approve of this? And the Internet is as critical and as vulnerable as the air transportation network. So why do we have different security standards
    for these two global networks?
  5. But we are already on the way – some European countries have introduced digital IDs, which they use for secure online banking and in some cases for online voting. National and municipal elections via the Internet are not a matter of science fiction – they are already here, and ID authentication is a vital part of such election systems.Another prototype of e-passports is the two-factor authentication we now use to access corporate networks. The only thing that is missing today is a common standard.

Anyway, I am happy to see that my ideas have raised so much discussion; I think that open public discourse and idea-sharing is the only way to make the Internet a safer and a better place.

Eugene Kaspersky is the founder and CEO of Kaspersky Lab, Threatpost’s corporate sponsor.

Suggested articles

Discussion

  • Paperghost on

    "There is a wrong perception about Internet anonymity – very few people realize that it does not exist for ordinary users. But the worst part of the story is that the ones who are truly anonymous are professional cyber criminals, because they know what to do to hide their real identities in the Internet."

    This almost makes it sound like people who do bad things online have some magical ability that differentiates them from "common users" online. For anyone that chooses to remain ignorant of why they might want to blend into the crowd a little better, too bad for them - when the time comes and their idea of what is "right" is suddenly at odds with their Government (for example), they're doomed.

    For every other "common user", it's the easiest thing in the world to learn how to use most (if not all) of the same methods deployed by bad actors to keep themselves a little more hidden. The REAL reason there are so many people out there getting away with virtual murder isn't because they're super smart at hiding; it's because for the longest time law enforcement across the globe either has no clue about these things, or don't have the resource, or are on the take, or a combination of all three.

    All it takes is a little bit of effort and more often than not, you can get away with pretty much whatever you feel like. This can be seen from script kiddies as young as 11 dealing in stolen credit cards right the way up to the illegal porn dealers tying their junk into malware installs. A little push in the right direction, and law enforcement are left scratching their heads. You couldn't even report cybercrime directly to tech crime units in the UK until recently - you had to go through a local station where you'd be met with confused looks and rolling eyes.

    This is the reality.

    "When I say "no anonymity" I mean only "no anonymity for security control." I don't care about the way people behave on blogs, forums, social networks and pirate torrent portals."

    We may not, but lots of dubious goverments the world over (including our increasingly antagonistic UK government) DO care. And they'll use the slightest reason for dumping you into a situation you'd rather not be in.

    I've lost too many good friends in China as a result of the above, and stripping away their attempts at anonymity in a place that NEEDS some to balance the odds is a terrible idea.

    "It is only the provider who needs to know your real identity."

    And yet a Government will easily take this info if it wants it. How is an ISP going to stop them?

    The moment you create a net passport like this, bad people will create a market for it, steal them, get around it, whatever. The ONLY people who will come off worse will be those "common users" you mention; the bad guys will be too busy pretending to be them and getting around the same system to care.

    Their income *depends* on getting around these kinds of systems; you really think they won't be able to do it?

    "Imagine that everyone flying in your plane is anonymous, so you don’t know who they are and what they’re up to – are you really going to approve of this?"

    Being anonymous on a plane is not a big deal. Assuming you manage to pull off an elaborate con job, grab someone elses plane info (and manage to ensure they don't arrive at the airport for their flight while you're pretending to be them) - in fact, scratch that - assuming you (very easily) manage to print out a fake name for your boarding card and (say) have a fake passport that matches the name - so what?

    Worst case scenario, you've ripped off someone elses ticket or managed to give yourself a fake ID for a plane flight. If you WERE a person into blowing up planes - you still have to go through security, screening, bag check, pat down, metal detector etc. Your assumed identity means nothing at that point.

    In short, whether the airline knows your real identity or not, you've not got any closer to doing something malicious onboard simply by having a fake identity. You can't blow something up with a name.

    I think there's a number of very valid reasons for wanting to resist the obsession with collecting huge vats of data on individuals for the alleged purposes of "safety" - especially when tying that into (no doubt) "infallible" digital markers that will be used and abused with the "common users " coming out of it with the short end of the wedge.

  • Danny on

    I think paperghost has a number of valid points. Using the plane analogy, determining the ID of the perp isn't as important as preventing the crime from happening in the first place (i.e metal detectors, security, etc).

    In the case which the crime cannot be prevented, then tracking down the perp becomes the focus. Paperghost also has a good point here. Cybercriminals/terrorists are going to be very good presenting fake IDs and disappearing when those IDs are compromised. Regular users, however, stand to lose. Not only are massive amounts of data being collected on their personal lives, but they also stand to lose all this valuable data in one fell swoop if the ISP is compromised. Putting all your eggs in one basket, anyone?

  • Michael on

    Not addressing the whole thing, but Eugene's notion of the plane security does fit with his points as he indicates that it would be at the point of entry (ISP) where you are validated--just like at an airport.

  • swhx7 on

    The ISP already knows the IP assigned to the PC that gets online through the ISP's service, and potentially every connection it makes, up to the point where it connects to a proxy.

    So what would be gained by the "digital ID"? Well, maybe you hope to distinguish Alice from Bob when they both use the same IP. But how are you going to prevent them from using each other's credentials? The only possibilities are (a) motivating them by making their bank accounts or other values subject to compromise if they share their credentials, and (b) making the PC enforce the individual's approved logon with biometrics. With (a) you're only creating a new target for phishers and a new trap for technically naive users. With (b) you're doing the opposite of security, you're abolishing the possibility of security because the owner is no longer in control of the PC.

    The other evil effect would be placing everyone at the mercy of their oppressive governments, as paperghost points out. And what's it all for? Fighting malware? In that case you're solving the wrong problem. The cause of the malware pandemic is simply the prevalence of an unsecurable OS. And the solution is moving to default-secure, open-source software.

    Now I expect you don't want to see this answer, and this comment will disappear, because your company depends on the defects in the products of that noxious monopolist. But the truth is, computer security must be maintained on every endpoint device, and cannot be helped by mandates that compromise users' freedom.

  • JoeWied on

    This is not correct. Internet was never safe and will newer be safe. This is caused by the structure of the internet and the fact, that the IP-Protocoll has to be work on a decentral manner. It is correct,  that many companies in the financial sector try to secure their internet-transaction. But it is also no secret, that they are calculate a large amount of abuse in their business-plans. by example failed credit-card / eurocard transactions. In the reality: more saftey prevents us from simple rip-off, but against the real crimes or even terrorism, there is no chance to secure internet at all.

    And you, Mr. Kaspersky, you know that and you make your big money, with this lack of saftey.

  • Gallardo on

    You all attack him on this idea, and some of your points are true and I don't say you should not try to prove him wrong or whatever, but can't it be that he is not doing it for the money? Can it be this is really an ideal of his? And his intentions aren't bad at all, as he says he wouldn't want you to be monitored on what you say on blogs or download from pirate torrents, but if we take this idea without the idea of every government being able to get your data trough your ISP then (and they can already get this data anyway, with or without digital pasports) Then wouldn't it be a good idea... And thinking the internet will ever be safe, or if all people would use open-source OS's this will be solved for a great part is kind of naïve...

  • Anonymous on

    And i should give you the responsibility for my company's it-security?

    Goodbye, Kaspersky...

  • Leandro Silva on

    I'm brazilian and my english is not very good, but i will try...

    I think that ideia will damage only ordinary users, couse hackers will find a way to circumvent this so early that we can think.

    And ordinary users would be more restricted on de web.

    This war has no end. we need good and secure systems.

  • Anonymous on

    How ironic this is! I managed to post here as anonymous! Why?

    I don't agree with this idea, if to send a letter or a bomb by conventional mail you don't need to be identified. 
    What needs to evolve are the means of control, international law range effective.
  • Vosana on

    "But we are already on the way – some European countries have introduced digital IDs, which they use for secure online banking and in some cases for online voting. National and municipal elections via the Internet are not a matter of science fiction – they are already here, and ID authentication is a vital part of such election systems."

    and what happens if someone finds a way to get into that? malware writers as well as virus writers will use that to their advantage that you can almost guarantee on. if banking online were safe there wouldn't be the need for protection from identiry theft and Digital ids wouldn't be any different it may take a while but the results would be the same.

    "Imagine that everyone flying in your plane is anonymous, so you don’t know who they are and what they’re up to – are you really going to approve of this?"

    "I Highly doubt that the ones who Pilot the planes know everyone that is on them so yes they are anonymous."

  • Anonymous on

    Does kaspersky work for the NKVD?

  • born-in-ussr on

    Don't like this idea, agree with everything that paperghost said,

    but so far like your antivirus

  • Obijan on

    Imagine flying without ID? Not that hard to imagine.  In the US, you used to be able to.  Unused tickets used to be sold or traded.  I never led to any "terrorist attack".

    The airline companies where very happy to enforce the ID check because.... it makes them more money!   In the same way: Right after the TSA started banning liquids, the airlines are starting to charge for any onboard drinks.

    The age-old way of solving many problems is asking: "Who benefits?"

  • LinuxBaby on

    An ID to access the Internet - how convenient - for all those who don't believe in antiquated notions like Liberty Freedom, Independence, Individual Rights, etc. Strange days indeed!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.