Well, I'm not Jeff, but I think he was referring to a setup like that
used by MIT's "Nightline" telephone counselling system (not to be
confused with the ABC TV program of the same name).
The social worker doesn't want the clients to remain anonymous,
since he/she has to either charge them (in the case of private
treatment) or justify to his/her superiors that he/she has a
suitable caseload (in the case of governmentally funded treatment)
and not just a bunch of anonymous email which he/she could have
easily generated.
This doesn't apply in this case, as Nightline's counsellors are
anonymous student volunteers, pledged to maintain the anonymity of the
folks they help out.
- Bill
OK, I think this is a fair example. However, allow me to take up the larger
issue, i.e., whether PEM is deficient in the area of anonymity.
This issue has been debated for years without general consensus, I being an
early participant who has dropped out of the discussion for various
reasons. Some time back, I believe while PEM was still being worked on
within the PSRG (and before that in the Task Force on Privacy), the issue
of anonymity arose, leading to the incorporation of Persona Certificates
into the PEM milieu. The discussions on anonymity have, in my view, always
generated more heat than light, with certain participants (certainly not
you and not all, and perhaps not even a majority) seemingly believing their
viewpoint is best presented through the medium of insult. This has led to
mistrust and party spirit (to use a phrase of the Victorian era).
As far as I can recall, no one I have talked to about this issue supports
the idea of a police state or that government is so benign as to warrant
our investing in it the power to extract all information about individuals
that it might choose. Conversely, I have not talked to anyone who, at least
publicly, subscribes to the extreme anarchist notion that government is
so evil that it isn't entitled to any information about individuals.
Many are worried about the release of information about individuals to
persons or organizations other than the government. The point of these
concerns is that non-governmental individuals or organizations could make
use of this information in an injurious way. This is a legitimate point.
Finally, I don't believe anyone would argue that the release of information
about individuals to the government, other organizations or other
individuals without sufficient reason is desirable. Of course, there
probably is significant disagreement on what constitutes "sufficient
reason," but I don't think this is where the core of the disagreement lies.
Rather, I think it lies in how the proposed modifications to PEM to
support anonymity might ultimately lead to its disrepute. The arguments
addressing this issue arise from a systemic view of PEM, rather than from a
simply mechanistic viewpoint.
Various modifications to PEM for the purpose of anonymity have been
proposed, but most center on separating PEM's authentication and
confidentiality services. This in turn requires a key distribution
mechanism that securely delivers a key from one correspondent to another in
such a way that the identity of both is protected. Confidential messages
delivered under this key are not traceable to the individual and so the
correspondent deals with a stream of messages that are only guaranteed to
come from the same person (assuming the key has not been compromised in some
out-of-band way, e.g., someone steals the floppy disk or electronic
ignition key which holds it).
It is at this point where a systemic view is important. For, individuals
can use an anonymous confidential service in legitimate and illegitimate
ways. Jeff has proposed several legitimate uses. Here are some ways the
service could be misused.
Suppose you have AIDS, to borrow an example from someone who has
contributed to this discussion, and that I come to know of this. I now can
use the confidential and anonymous email service to blackmail you without
fear of exposing my identity. To protect myself from other channels of
exposure, I establish an anonymous Swiss financial account and require you
to directly deposit payments to it. What's more, my blackmail is effective,
because there is also a way for me to send a confidential email message to
anyone I choose without that person knowing from whom the message came. So
you, as the person being blackmailed, have reason to believe that I can
carry out my threat to expose your illness, without running the risk that I
will be caught or if caught leave evidence that might convict me.
Or suppose you work in a grade school or day care center and I, for
whatever reason (e.g., I am your spurned husband or wife; you received a
salary increase larger than mine), decide to attempt to get you fired. I
therefore send a confidential and anonymous email message to the parents of
all the children under your care claiming that you sexually abuse them.
Given that many parents worry about the welfare of their children, even if
there is no evidence of abuse, at least some of them are likely to demand
their children be supervised by someone else. Unless your school or center
is run by a strong and fair individual, there is a real possibility that
you will be let go.
Other examples are possible, but I think I have made my point. Confidential
and anonymous email can be used in both good and bad ways. However, once
used in a bad way, responsible people will want to find a remedy. As far as
I can determine (although, I may be missing something), once confidential
and anonymous email is supported, removing that support will be very hard.
Consequently, PEM will be viewed by some as the spawn of internet wizards
who have never read the Pandora myth. Ultimately, this could lead to its
diminished, if not discontinued, use.
Finally, one last comment. It is said that hard examples make bad law. It
is also true that hard examples make bad system designs. While I do not
dispute that PEM, suitably modified, could be legitimately used to address
some of the problems Jeff has raised, I think they are hard problems that
are best solved by other means. PEM does not require support for
confidential and anonymous messaging in order for it to provide a useful
and cogent service.
Regards,
Dan
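As an added illustration (not from the thread and not PEM's own mechanism) of the key-sharing scheme Dan describes: each message is authenticated under a key delivered out of band, so the receiver can link messages to a persona but not to a person, and a stolen key is indistinguishable from its original holder. The HMAC construction, the sequence-number replay check, and all keys and names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed model of a pseudonymous channel: a shared key is the only
# credential, so messages are linkable to the key (a "persona") and to
# nothing else. Whoever holds the key, legitimately or not, is that persona.

def persona_id(key: bytes) -> str:
    """Handle derived from the key alone; carries no real-world identity."""
    return hashlib.sha256(b"persona:" + key).hexdigest()[:16]

def seal(key: bytes, seq: int, body: bytes) -> dict:
    """Authenticate (seq, body) under the shared key; no sender name attached."""
    tag = hmac.new(key, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()
    return {"seq": seq, "body": body, "tag": tag}

def open_message(key: bytes, msg: dict):
    """Return the body if the tag verifies under key, else None."""
    expected = hmac.new(key, msg["seq"].to_bytes(4, "big") + msg["body"], hashlib.sha256).digest()
    return msg["body"] if hmac.compare_digest(expected, msg["tag"]) else None

class Correspondent:
    """Receiver side: groups verified messages by persona and drops replays."""
    def __init__(self, keys):
        self.keys = {persona_id(k): k for k in keys}
        self.last_seq = {p: -1 for p in self.keys}
        self.log = {p: [] for p in self.keys}

    def receive(self, msg: dict):
        for pid, key in self.keys.items():
            body = open_message(key, msg)
            if body is None:
                continue
            if msg["seq"] <= self.last_seq[pid]:
                return None  # replayed or out-of-order under this persona
            self.last_seq[pid] = msg["seq"]
            self.log[pid].append(body)
            return pid
        return None  # no known persona key verifies it

def demo() -> bool:
    alice_key, bob_key = b"\x01" * 32, b"\x02" * 32  # constructed keys
    rx = Correspondent([alice_key, bob_key])
    first = rx.receive(seal(alice_key, 0, b"first note"))
    second = rx.receive(seal(alice_key, 1, b"second note"))
    replay = rx.receive(seal(alice_key, 1, b"second note"))
    # Key compromise: a thief holding alice_key is, to the receiver, the same persona.
    thief = rx.receive(seal(alice_key, 2, b"sent by whoever stole the key"))
    return first == second == thief and replay is None and first != persona_id(bob_key)
```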