Re: Wikipedia Manifesto

On Tue, Jan 25, 2005 at 01:38:57PM -0500, Geoffrey Goodell wrote:
> If Wikipedia wants to block Tor, then Wikipedia should go right ahead
> and do so.
> Wikipedia uses the popular but outmoded strategy of allowing anyone to
> wreak havoc on its resources, relying upon backups to recover content
> and audit trails based upon IP addresses to deter potential vandals and
> force Internet Service Providers to issue smackdown when necessary.
> The age in which IP addresses can be used as meaningful authenticators
> is doomed; the age in which authentication must be based upon end-to-end
> agreement is upon us.
> IP addresses were never intended to be used for anything other than
> routing.  But, as Stewart Brand might say, systems generally adapt to
> the convenience of their users.  People discovered that in many cases,
> the remote IP address of connections corresponded to either a specific
> user or a specific administrative realm who could reasonably be relied
> upon to take responsibility for the user.  Since the Internet is mostly
> hierarchical, both in terms of routing and in terms of addressing, this
> strategy usually worked without too much collateral damage, hence
> technologies like rlogin, hosts.equiv, content filters in the middle of
> the network, IP blacklists, abuse@domainname addresses, etc.

Nihil sub sole novum. Some of us have been making this point in print
and in our systems for a decade or more. The stated purpose of onion
routing right from the start in 1996 was to separate identification
from routing.  And supported applications have always included
authenticated connections over an anonymous channel.  Unfortunately I
don't think Geoff's perfectly valid points will of themselves have
much effect on Wikipedia for a long time to come, possibly a decade or
more. IP addresses are the SSNs of the internet, squishy
pseudo-authenticators that work adequately well for those who choose
to use them as such. (Canadians please substitute `SIN' wherever I say
``SSN'', and others from elsewhere do likewise.) And they really do
work: the primary cost of identity theft is borne by the victim, not by
the financial, commercial, or other entities that accept the pseudo
authenticated transactions. It has taken billions of dollars of fraud
losses over years to prompt institutions to merely _supplement_ the
SSN as an authenticator (cf. my "The Paradoxical Value of Privacy").
Suppose that by blocking all Tor servers, Wikipedia cuts out ten
percent of their perceived anonymous abusers of the less resiliently
persistent type. (This is probably very generous even with the
qualifiers. I say ``perceived'' because we have directory
servers. There may not be more anonymous posts from Tor; it may just
be that `the light is better under Tor's streetlamp'.) That's still a
short-term win for them as Roger and Geoff have pointed out.  At
what cost?  There is little immediate visible cost to the Wikipedia
maintainers. (There is cost to the readers and posters, but that as I
said is separate and hard to measure.)

Instead of just throwing up our hands at ignorance, we should
recognize that until someone provides them with something that will do
the job that their current system does for them with something close
to the same cost/benefit advantage, they have no rational reason to
change. (Not just paper designs or vaporware, but stuff that really
works at least fairly well.) There may come a time when Tor or other
systems have grown to a point when many systems that would rather not
accept anonymous connections will have to, like it or not. (Hey I can
dream.) Or there may come a tipping point in the
IP-address-as-valid-identifier assumption. But given the persistence
of SSNs, even then we can assume a supplementation rather than
abandonment of IP addresses as identifiers. To get anonymous
connections more widely accepted in many places where there is
resistance, we need to point out the benefits and the costs of not
doing so. We are already doing that some. But we may also need to
develop authentication and authorization techniques that work with
anonymous channels that function (in practice not just theory) as well
as the squishy authentication and authorization techniques that are
used today.