Some of the most interesting security debates involve anonymity and privacy.  Everyone seems to have a different idea about what those words mean.  For example, some people think anonymity is a binary thing – you’re either anonymous or you’re not.  But when I think of anonymity I think of two axis.

The first is how much or little someone knows about you.  For example, if you know what I look like, I don’t feel completely anonymous.  But I feel more anonymous than if you also know my name.  Perhaps that’s because I’m a 6’7” bald guy and if you went around Ottawa asking security professionals if they knew a tall bald security/writer/photographer guy chances are that my name would come up pretty quick.  Or, perhaps, it’s because my name is only part of my identity.

The other axis is how difficult it is to breach someone’s anonymity. For example, it might not be too hard to get the clerk at a small-town store to tell you the name of the customer that was in front of you in line.  But getting information from other sources is more difficult.

So, when I think of anonymity, I picture a quadrant.  In the upper right corner you know nothing about me and it would be really hard to find out who I am.  In the lower left corner my name, address, telephone number and photo are on the front page of the Ottawa Sun.

Privacy is even more complex because it is hard to define.  For example, it has been defined as:

• The right to be left alone;
• The right to exercise control over one’s personal information; and,
• A set of conditions necessary to protect our individual dignity and autonomy.

When it comes to telemarketers, the right to be left alone appeals to me. I’d also like to stop businesses from selling my name to other businesses (or telemarketers). And I’d prefer some privacy when I’m in the washroom too, thank you very much!

Anonymity and privacy are obviously related. But the interesting debate is whether anonymity is required to achieve privacy.  In some cases it certainly helps: When I buy a coffee from Starbucks and pay cash, I have a relatively high level of anonymity, at least until they install cameras with face recognition software that links back to that one time I pulled out my debit card. (Of course if it expedited my mocachino with an extra shot of espresso I might not feel too violated.) But other privacy controls exist, including legislation, corporate policy and the desire to avoid negative publicity.

The problem with such privacy mechanisms is that they are outside the control of the individual.  When I surf the net, I have no way of knowing what companies do with that data. I don’t know for a fact that Google isn’t building a database of every search request from my IP address and that some point in the future they’re not going to acquire (or be acquired by) companies and link my IP address to my credit card information or Facebook profile.  And there are online advertising companies that make it their business to track users across multiple Web sites using cookies of the not-so-tasty variety.

Whether this matters to you or not really depends on who you are and what you do online. You may not care and it might not matter. Or, you might prefer that the only people who have your personal information are those you give it to.

As more people understand these issues, the anonymous Web surfing services will continue to gain popularity.  For example, one of the best known is Anonymizer, started by astrophysicist Lance Cottrell in 1995. He was concerned about online privacy and as an early Internet user saw first-hand how much information could be captured.  And his company was recently acquired by a larger firm that provides anonymous Internet access to corporations, governments and law enforcement agencies.

But before you rush out and buy, it’s important to consider the big picture. Anonymous proxies hide your real IP address, and are a great first-line defense of your online privacy. But, to be effective, you also must control cookies and carefully consider what personal information you give to businesses, including social networking sites. Remaining anonymous on the Internet to protect your privacy requires much more than hiding your IP address.  It requires that you also think before you type.