Identity Management

Is Anonymity Good or Bad?

Today it is easy to picture a two-tier system where nefarious individuals are deliberately choosing to remain anonymous, whilst the rest are carefully policing their online identity.  But is the truth a bit more complicated? In part one of a two part special, we investigate the current state of anonymity and online identity.

This week a 45-day old anonymous gossip app called “Secret” raised $8.6m in funding. The app, which launched in late January for the US and Canadian market on iPhone, is not yet available on Android but has already proved monstrously popular with Silicon Valley insiders. This is because it allows users to share information anonymously via social networks, based on their phone’s contacts.

Valley Wag describes Secret as “like Whisper, but with a little more intimacy,” and goes on to add that it “lends itself well to all of the catty, gossipy, faceless maligning we love so much.”  Whisper, which has a two year head start on Secret having launched in 2012, has already raised $54 million and sat firmly at the forefront of the funding rumour mill earlier this month.

The interesting thing about the rise of apps such as these is they seem to point to wider trends associated with the general march online. This encompasses the whole concept of anonymity; because on the one hand we all deserve certain levels of anonymity. Whilst on the other, the desire for anonymity often stems from less than savoury motivations…. and really does bring out the very worst in people.

This can be seen in harmless fun like Secret and Whisper, which after all, still run the risk of rapidly degenerating, into libellous slander. But it can include spiteful trolling, which is basically school yard bullying shifted into a far larger anonymous forum. And it can stretch to large global hacktivist networks like ‘Anonymous’, where members wear Guy Fawkes masks in public and appear unsure if their anonymity should be a cloak for pranking, entertainment or more serious political activism.

As Dr Guy Bunker, Senior Vice President – Products at Clearswift puts it though: “We should all be allowed to be anonymous, unless we do something wrong – and then we need to find the individual as quickly as possible. This is a real catch-22 situation. Provide the greatest anonymity and all the ‘wrong’ people will use it – to the detriment of everyone else.”

Matt Middleton-Leal, Regional Director, UK & Ireland at security firm CyberArk, explains: “Anonymity is an issue both online and in any IT functions, because individuals need to be accountable for their actions. The biggest challenge organisations face, with regards to anonymity, is the initial vetting and registration process of new users. After all, I suspect many organisations routinely grant new employees shared access to critical applications, without any background checks occurring.”

The dangers are manifest. “Increasingly cybercriminals are launching attacks that revolve around manipulating people online into taking some action or sharing some sensitive information, and this is fuelled by online anonymity, the ease of misrepresenting yourself, and a related false sense of confidence on the internet,” says Lee Weiner, SVP of Products and Engineering at Rapid7.

“Most internet users share information that exposes them to risk, often without being aware they have done so. The challenge is that there is no real way to know that people are who they claim to be, and frequently information is made available not only to those you regularly interact with, but any other eavesdropper,” he continues.

“How many times have you been asked for information when registering online, and decided to put in an incorrect value – because, they really don’t need to know that piece of information?” quantifies Bunker. “The answer for many, especially in the millennials, is most of the time. There is now an expectation ‘to lie’ on the internet – not an encouraging start... and then you add in other anonymity enhancing web solutions, like TOR, and it becomes a cyber-criminal’s/cyber-terrorist’s haven.”

The flipside to all this is the role of identity and its management, both of which are becoming increasingly important as every aspect of life moves into the online arena.  The UK government for example has been running a high profile campaign about keeping your online identity safe with a website and series of other advertising materials.

Guy Bunker believes the biggest concern surrounding online identity is “privacy, and then it is security around the information you want to ‘guard’ as being private. With an individual controlling their identity and the pieces of information they want to share (attributes), there is less likelihood of inappropriate sharing of information. You wouldn’t give the postman your bank account details, but you would expect him to have access to your address.”

“Security is a huge concern surrounding online identity,” agrees Middleton-Leal, “but the risk it actually poses depends on the identity being stolen. For example, an online banking user is likely to find the financial losses and identity fraud that can be caused by an attack on a bank’s systems, rather painful. However, from a corporate perspective, this is a less of a risk than an internal privileged account being compromised, which is likely to cause the bank much more of a headache. There are other implications of an online identity breach too, such as brand and reputational damage.”

Weiner on the other hand suggests that: “The biggest concern is that businesses and people lack visibility and insight into when a user's credentials may have been stolen or compromised. The reason for this is that it is becoming quite common for attackers to exploit the fact that individuals have many identities and few passwords, so if an attacker can deceive a user into giving them their credentials even if just for one account, that could be replayed to get access to many other services including cloud services, corporate networks and more.”

“Once credentials are compromised,” he continues. “An attacker can gain access to information and systems oftentimes undetected. Attackers can effectively impersonate a real user while engaging in criminal activity. Corporations must focus on discovering and analysing user activity such that they can detect when someone's credentials have been compromised to help manage and mitigate these attacks.”

Perhaps it is inevitable that anonymity will become increasingly attractive as identity becomes ever more important? 


Read part two tomorrow, which looks at where the Identity Management industry is going next.


Kathryn Cave is Editor at IDG Connect


« What is the Future of Identity Management?


Liquid Telecom's Plans to Take Over Africa »


Do you think your smartphone is making you a workaholic?