Head Of Computer Security Firm Says Anonymity Is The Enemy Of Privacy

Say That Again

from the you-lost-me dept

Thu, Oct 31st 2013 8:25am — Tim Cushing

We've seen it argued that privacy is a bad thing. People like former DHS official Stewart Baker have argued that the privacy-protecting efforts of civil liberties activists are the reason we're forced to be fondled and de-shod at TSA checkpoints. Not only that, he's tried to blame the 9/11 attacks on "rise of civil libertarianism." Unbelievably, we've also had a politician recently claim that your privacy isn't violated if you don't notice the violation.

We've also seen attacks on anonymity by (anonymous) police officers and a whole slew of pundits and politicians who believe the only thing online anonymity does is provide a shield for trolls, bullies and pirates to hide behind. Efforts have been made to outlaw online anonymity, but fortunately, very few laws have been passed.

Now, try wrapping your mind around this argument being made by Art Coviello, executive chairman of RSA Security and the head of EMC's security division. According to him, anonymity and privacy are at odds with each other.

A dogmatic allegiance to anonymity is threatening privacy, according to Art Coviello, executive chairman of RSA.

Coviello cast anonymity as the "enemy of privacy" because it gives "free reign to our networks to adversaries" with "no risk of discovery or prosecution."

On one hand, anonymity is slowing down the pursuit of online criminals. On the other hand, companies are increasingly wary of subjecting their employees to intrusive security software.

Customers are caught in a Catch-22. They're afraid to deploy technology for fear of violating workers' privacy" even though security intelligence tools are ultimately the best way to protect personal information, Coviello argued.

How Coviello arrives at the conclusion that anonymity is damaging privacy isn't exactly clear. It may be the enemy to security (or at least, unhelpful to retributive actions), but the online anonymity shielding crooks doesn't threaten users' privacy, at least not directly. Indirectly it could, but it wouldn't be anonymity's "fault." If Coviello wants attackers to be stripped of anonymity, there's little doubt he'd like to see clients' employees stripped of their privacy. Both would make his companies' jobs easier. Attackers would be easily identified and clients would received (arguably) better protection (thanks to more, non-anonymized data gathering). Win-win for security. Not so much for those who cherish privacy and anonymity.

This isn't exactly new ground for Coviello. He did some complaining about privacy at last year's RSA conference as well.

RSA executive chairman Art Coviello has criticised privacy advocates for basing their arguments on “dangerous reasoning”, comments that have already earned him a tongue lashing from Big Brother Watch and the Open Rights Group.

Coviello, whilst noting the need for privacy, lambasted privacy groups’ “knee jerk” reactions to public and private sector attempts to improve people’s security, pointing to the “insanity” of the situation, in a keynote to open the RSA 2012 conference in London this morning.

In Coviello’s view, privacy advocates are over-reacting to measures designed to protect online identities, preferring to live in a world of danger: “Because privacy advocates don’t realise that safeguards can be implemented, they think we must expect reasonable danger to protect our freedoms,” Coviello said.

“But this is based on dangerous reasoning, a knee jerk reaction, without understanding the severity and scope of the problem.

“Where is it written that cyber criminals can steal our identities but any industry action to protect us invites cries of Big Brother.”

Not for nothing has someone noted that RSA is only a letter away from the United States' most notorious intelligence agency.

Coviello's arguments here aren't that much different than the government's opinions on the "liberty vs. security" balance. And like other defenders of intrusive programs, Coviello refers to the statements of critics as an "over-reaction." But is it? He bristles at being compared to Big Brother but his thought processes roughly align with the government's foremost proponents of intrusive programs. According to both, people just don't understand how bad things actually are, and in our unenlightened state, we're making the wrong choice between security and liberty.

Additionally, the "knee jerk reaction" he sees in privacy activists is, in reality, no different than the knee jerk reactions he fails to see in security and intelligence entities. While privacy activists are focused on retaining what's remaining and make small pushes for more, security/intelligence agencies leverage every tragedy or attack to expand their scope and dial back privacy protections.

But where his argument against privacy (and anonymity) ultimately falls apart is in his belief that collecting and storing large amounts of private data is the best solution for all involved.

To “suggest the only way to protect against cyber crime is to sacrifice privacy and civil liberties is absurd,” Nick Pickles, director of privacy campaign group Big Brother Watch, told TechWeekEurope. “It is a simple fact that if data has not been collected, it cannot be stolen, lost or misused. The best safeguard for consumers and businesses is for data not to be collected unless it is absolutely essential, and then deleted as soon as it is no longer required.”

As for his complaints about anonymity? It's pretty much all or nothing. You can't whip up statutes and laws that allow anonymity and their privacy protections unless you're a criminal. Either you take the good with the bad or you eliminate it for everybody. No one's going to agree with that last one, so security groups and companies will just have to deal with the fact that their adversaries will be cloaking their identities. Cops may wish robbers wouldn't wear masks when committing crime, but that's the way it goes. You can't ban the sale of masks simply because someone holds up a bank wearing one.

I'm sure he understands this, but he's in a field where security is valued over privacy. But that's the expected mindset for someone is his position. The problem is that those with his mindset expect others to come to the same conclusion -- and when they don't, they're portrayed as part of the problem.

To be fair, Coviello at least had this to say about the jargon being deployed by government security officials and advisors.

"I absolutely hate the term 'Cyber Pearl Harbor'," he said. "I just think it's a poor metaphor to describe the state we are really in. What do I do differently once I've heard it? And I've been hearing it for 10 years now. To trigger a physically destructive event solely from the internet might not be impossible, but it is still, as of today, highly unlikely."

Coviello may not like this particular FUD, but claiming anonymity and privacy are standing in the way of security isn't that far removed from the panicky assertions of the "cyber Pearl Harbor" types.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anonymity, art coviello, privacy, security
Companies: emc, rsa

31 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

pegr, 31 Oct 2013 @ 8:40am

Of course!
Of course he says things like this. His biggest customer is Uncle Sam, in spite of RSA FAILING at basic OPSEC by losing root key material for the MOST WIDELY USED two-factor authentication system in the world!

They should be tarred and feathered for their arrogant disregard for the security of their CUSTOMERS! I wouldn't believe a word he said for the rest of his life.

To be clear, RSA is UNTRUSTWORTHY FOREVER.
[ link to this | view in chronology ]
- Anonymous Coward, 31 Oct 2013 @ 8:43am
  
  Re: Of course!
  You're absolutely right, of course.
  
  In re the substance of his comments, let me quote Enrico Fermi: "That is not even good enough to be wrong."
  [ link to this | view in chronology ]
The Real Michael, 31 Oct 2013 @ 8:42am

Coviello should lead by example and live in a glass house.

He knows that his argument is illogical on its face.
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 31 Oct 2013 @ 8:47am

So? The new Google privacy policy is: You have no privacy."
Google CEO Schmidt Predicts End of Online Anonymity

"According to Schmidt, true transparency and anonymity on the Internet will become a thing of the past because of the need to combat criminal and 'anti-social' behavior."

http://tech.slashdot.org/story/10/08/06/0224255/google-ceo-schmidt-predicts-end-of-online- anonymity

Excerpt from Schmidt's book: �Within search results, information tied to verified online profiles will be ranked higher than content without such verification, which will result in most users naturally clicking on the top (verified) results. The true cost of remaining anonymous, then, might be irrelevance.�

"But Schmidt doesn't stop there. He essentially predicts that privacy will cease to exist online. Governments, he says, will find it "too risky" to have thousands of citizens "anonymous, untraceable and unverified" online, suggesting they will want to require verification of all online accounts at some level of government."

http://searchenginewatch.com/article/2241704/Eric-Schmidt-Google-Will-Give-Higher-Rankin gs-to-Content-Tied-to-Verified-Profiles

Similar abound. So why don't you EVER mention creepy Schmidt's comments on same subject? When Schmidt is in position to make his predictions true?
Google defenders are much like NSA defenders: basically blind to privacy, just insist over objections to being spied on: "we're only helping and you should be grateful!".

04:46:28[f-117-1]
[ link to this | view in chronology ]
- Anonymous Coward, 31 Oct 2013 @ 8:59am
  
  Re: So? The new Google privacy policy is: You have no privacy."
  Why does anti-social behavior need combated?
  [ link to this | view in chronology ]
Anonymous Coward, 31 Oct 2013 @ 8:57am

Dear Mr. Coviello,

Please go to the windows of your home and open all of the curtains. Remove all of the locks from your door and leave them open wide. After this is done, post your address so we can all come by and watch you. You can now feel secure since you have given up all privacy and anonymity.

Me
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 31 Oct 2013 @ 9:22am

Here's a relevant item just popped up, though a bit "partisan" slant:
"The NSA affair has definitely spurred new thinking, but more needs to be done. Conservatives must begin to scrutinize the nexus between tech companies, such as Google, and the federal government. There is no longer a wall between the private sector and government surveillance."

http://www.politico.com/story/2013/10/privacy-is-a-conservative-cause-99137.html

Seems to me like everyone but Techdirt worries about The Google...
[ link to this | view in chronology ]
- Rikuo (profile), 31 Oct 2013 @ 11:59am
  
  Re: Here's a relevant item just popped up, though a bit "partisan" slant:
  How many times do we have to say here: WE ARE NOT WORRIED ABOUT GOOGLE. If (and more than likely when, you'll notice I'm not really disagreeing with you that the G is heading in that direction) they try and remove anonymity from their services, the vast majority of people will simply move to a different service. I'm already using DuckDuckGo for example.
  
  No matter how much information Google has on you, they can't do anything worse with it than sell ads. It's government agencies, the men with guns, handcuffs, drones and jails, that we here on Techdirt and elsewhere are worried about.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 31 Oct 2013 @ 12:53pm
    
    Re: Re: Here's a relevant item just popped up, though a bit "partisan" slant:
    Well, I do "worry" about Google spying. But where I differ from Blue is that I think that governmental surveillance is a far larger and actually dangerous threat, and my reaction to my "worry" is not to just shake my fist and scream at everyone around me, but to actually avoid and block Google's intrusiveness.
    
    That, in my mind, is the huge difference: I can do something to stop Google from spying on me, so i don't get enraged about it. I can't do anything about the government spying, so it pisses me off.
    [ link to this | view in chronology ]
Andrew F (profile), 31 Oct 2013 @ 9:54am

How Coviello arrives at the conclusion that anonymity is damaging privacy isn't exactly clear. It may be the enemy to security (or at least, unhelpful to retributive actions), but the online anonymity shielding crooks doesn't threaten users' privacy, at least not directly.

I don't entirely agree with him, but the point he's trying to make is pretty straight-forward actually: Anonymity decreases security. Without security, criminals (or the NSA) can break in and access your private information. That's bad for privacy.
[ link to this | view in chronology ]
- JEDIDIAH, 31 Oct 2013 @ 10:02am
  
  A total fantasy.
  Lack of anonymity doesn't protect my private data. All this does is prevents me from shielding myself and my identity. The problem of protecting my privacy is much easier if I am not forceed to constantly leave breadcrumbs lying around.
  
  No. Anonymity protects my privacy.
  
  The problem with Coviello's line of thinking is that he thinks all "real names" are actually valid. There's really no reason to believe that. It's pure fantasy.
  
  If I say that I am Frank Abagnale, you have no reason to trust that any more than a pseudonym I've used for 20 years.
  [ link to this | view in chronology ]
  - Andrew F (profile), 31 Oct 2013 @ 10:25am
    
    Re: A total fantasy.
    Again, I don't entirely agree with his line of thinking, but it's not about "real names". Suppose, as a matter of network security, you were analyzing packets entering or leaving your network and comparing them against historical records of network data. This would enable you to detect security anomalies but also raises privacy concerns.
    
    By way of analogy, it's sort of like saying, "I want to be able to access my grandma's e-mail to make sure she didn't reply to some identity theft scam." The goal isn't to find real names, but to detect unusual behavior. Creepy and paternalistic? Yes. But not about real names per se.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 31 Oct 2013 @ 10:36am
      
      Re: Re: A total fantasy.
      But that's not giving up anonymity for security, that's giving up privacy for security.
      [ link to this | view in chronology ]
      - Andrew F (profile), 31 Oct 2013 @ 3:05pm
        
        Re: Re: Re: A total fantasy.
        Give up sufficient privacy and you are no longer anonymous.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 31 Oct 2013 @ 3:10pm
        
        Re: Re: Re: Re: A total fantasy.
        Yes, but that only works one-way. It's possible to retain privacy and not be anonymous. They are two different, although related, concepts.
        [ link to this | view in chronology ]
        
        Andrew F (profile), 31 Oct 2013 @ 10:17pm
        
        Re: Re: Re: Re: Re: A total fantasy.
        Yes, but it only needs to go one-way for the argument to work. If you want to maintain anonymity, you cannot adopt certain security measures like analyzing each packet going in and out of your network. Without adopting those measures, you may be at greater risk of having private information accessed by third parties. That's the point being made by Art Coviello. If the right to anonymity trumps security, then other private information is at risk. Security analysis may be questionable, but the logical chain is fine.
        [ link to this | view in chronology ]
  - Anonymous Coward, 31 Oct 2013 @ 10:58am
    
    Re: A total fantasy.
    Well. The breadcrumbs will define your person more specifically than if people knew your name, address a.o. However, as long as none of the pi data are too obvious the commercial networks who use these informations probably won't bother squeezing their data for it!
    
    Protecting pi online is extremely hard already if the people researching you are thorough enough. Chaining of online aliases and pi is making Facebook/Google+ into an identity theft scam today.
    
    That problem would get infinitely worse if anonymity was removed from the rest of the internet! Also protection of whistleblowers/other blackballable persons would be near impossible, keeping trade secrets off scrupulous traders before the stock market is informed would be much harder (Making illegal spying on people from large companies infinitely easier online and giving a massively profitable advantage for stock-traders using it!) and it might either keep many people from regularly using sites like this if they are in any way part of the art industries, government or their companies have ties with those or make them massively more popular as a counter-reaction to removing anonymity!
    
    No, anonymity is a second layer of protection of privacy. Removing it would only make new vectors of attack on privacy, that much easier to pursue. The tradeoff is not worthwhile for many people.
    [ link to this | view in chronology ]
- Andrew F (profile), 31 Oct 2013 @ 10:29am
  
  Re:
  To act as devil's advocate (or advocate) to the point made in my own post, the concern would be that excessive security measures ultimately decrease security (and privacy). If we're using backdoors or analysis of centralized repositories of user data to detect attacks, not only are we hurting anonymity but we're making our network less secure (and private) as well.
  [ link to this | view in chronology ]
- Anonymous Coward, 31 Oct 2013 @ 11:39am
  
  Re:
  Security is not related to anonymity, but is related to the quality of software and how systems are set up. Lack of online anonymity increases the damage done by a security breach as people can be identified. Anti-social and trollish behaviour on-line is a different matter, and can ignore. Also unless government get involved, there is no way of ensuring that correct identities are used online, and government are already too dammed intrusive.
  [ link to this | view in chronology ]
  - Andrew F (profile), 31 Oct 2013 @ 3:08pm
    
    Re: Re:
    Sure it is. Intentionally nixing anonymity alone doesn't increase security, but certain security measures make it harder to be anonymous.
    [ link to this | view in chronology ]
Wolfy, 31 Oct 2013 @ 10:00am

When I read ANY gov't. officials' take on the NSA, I feel like I've woken up in a world where "new-think" and "new-speak" has run rampant. Black is the new white, up is really down, and the bad guys are really the good guys.

My solution is to semantically invert the statements of the NSA supporters and I figure I ought to be close to being correct.
[ link to this | view in chronology ]
Anonymous Coward, 31 Oct 2013 @ 10:34am

Tell the people drafting these "free trade" agreements, to be less secretive.

Stop allowing corporations to hide behind "shell companies".

Stop allowing corporations and individuals who donate to political races, to be anonymous.

After all the above issues are corrected, then we'll start talking about deanonymizing average citizens.
[ link to this | view in chronology ]
s0beit, 31 Oct 2013 @ 11:07am

War is peace!
[ link to this | view in chronology ]
Anonymous Coward, 31 Oct 2013 @ 11:18am

cyber Pearl Harbor
We have had cyber pearl harbor and its the NSA.
[ link to this | view in chronology ]
ECA (profile), 31 Oct 2013 @ 11:24am

OLd interenet
PRIVACY??

1. WHOSE privacy?
With the current internet, you HAVE NONE, when a site can ASK your browser WHO/WHERE you are..

when SITES require this info just to display a page?
TRACKINg and proving the information they GET is the real thing...THATS HARD..(mostly)
[ link to this | view in chronology ]
ipgrunt (profile), 31 Oct 2013 @ 11:47am

Coviello's statements reek of law enforcement thinking, a mentality that believes freedom is a choice one makes to obey the law. People who think as he does put security cameras everywhere to catch anyone not conforming to society.

This is Big Brother thinking, and it is reinforced by this fallacy -- why would you care when someone is monitoring your behavior if you aren't doing anything wrong?

The old saw about preventing 9/11 -- I write this all the time -- Richard Clarke had the data on the terrorists in July of 2001, but couldn't get an appointment with Condoleeza and W to report the info. 9/11 happened because the people in charge weren't paying attention.

Of course Art believes anonymity to be an inconvenience to his job. He wants your name and your number in his log file. Whether or not he uses it, it is a comfort knowing it is there.

Call him a security worker, gatekeeper, or high-tech guard; he's simply a regulator and not a "privacy consumer" (yes, I hate it too.) Privacy slows his process and makes things harder for him. He wants it easy. I can agree with him on one thing -- I don't like the phrase Cyber Pearl Harbor, either.

We may always need cops, but we should never let them make the laws.
[ link to this | view in chronology ]
- John Fenderson (profile), 31 Oct 2013 @ 12:56pm
  
  Re:
  Call him a security worker, gatekeeper, or high-tech guard; he's simply a regulator
  
  I'd go even simpler: the guy is a straight-up authoritarian.
  [ link to this | view in chronology ]
That Anonymous Coward (profile), 31 Oct 2013 @ 4:54pm

RSA... didn't they try and use privacy to hide the fact they were hacked and their product became pointless?
[ link to this | view in chronology ]
Anonymous Coward, 31 Oct 2013 @ 7:10pm

there is an old saying about trees falling. if no one was there to hear it fall that doesn't mean that it didn't fall.
[ link to this | view in chronology ]
Ninja (profile), 1 Nov 2013 @ 2:43am

Yes, because criminals would totally keep using those services, authenticated, to commit their crimes. Seriously. That considering most criminal activities try to stay away from traceable routes already.
[ link to this | view in chronology ]
jay, 11 Nov 2013 @ 6:52am

James Madison said �If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government'

Privacy is like this too. If we could fully trust businesses, government and others, perhaps we would not need anonymity that much. But we can't, hence anonymity provides the ONLY tool to provide some degree of privacy without having to depend on others.
[ link to this | view in chronology ]