[Cryptography] De-Anonymizing

[dan at geer.org]

Whether one or another kind of data can or cannot be anonymized is
fast becoming irrelevant.  The more things you are or carry that can
be a source of good information, the less the blinding of any one of
them diminishes the overall probability that you are identifiable.

We already understand that the field advantage in attacks goes to
the offense because the offense needs only one way in whereas the
defense needs to plug every way in yet discovered.  Applying that
dynamic to privacy, the surveiller needs only one solid match but
the person that wishes to be left alone must block or forego all
data emanations.

As with crypto itself, it is easy to drift towards "making the best
be the enemy of the good."  Nevertheless, baking RFID tags in the
microwave does not, in the end, do anything if one's cellphone, one's
Bluetooth gizmos, one's iris, one's auto registration, and so forth
are each and severally collected then, to the point, correlated.
We cannot, nor should we waste effort trying to, serially forbid
collections by name or by type.  We can only sabotage the process
and, for that, I see only two paths, both of which need labor now
or never:

   (1) changing liability law so substantially as to make casual
   data acquisition more akin to stockpiling lethal chemicals the
   combination of which grows exponentially dangerous as their
   varieties increase, and

   (2) requiring the public and private sectors alike to, in every
   detail, offer their services to persons whose technical highpoint
   is Lynx with neither cookies nor remote procedure calls (read, no
   Javascript, et al.), a kind of parallel to how we now require
   structural and procedural accomodations to handicapped persons.

Both (1) and (2) are as impossible as reaching the North Star, but
they must be that by which we navigate.

--dan