Hiding in Plain Sight: Narratives of Contemporary Online Anonymity

(1)

Hiding in Plain Sight

Narratives of Contemporary Online Anonymity

Lieke Kersten 22 June 2016

Lonneke van der Velden Stefania Milan

MA: New Media and Digital Culture

Abstract

This research combines social studies and software studies to analyse how anonymity manifests itself within the internet today. To this end, the concept of anonymity and its successor online anonymity are historically analysed by means of literature which is subsequently deployed as a framework for the analysis of Tor Browser, Signal, and Retroshare. (Online) anonymity has identity empowering qualities, adds to personal

freedoms and has been a protective measurement for centuries. Overall it adds to the agency of individuals. This research examines how the encrypted browser, encrypted messenger, and encrypted social networking platform narrate online anonymity through their support- and about-pages, and interfaces. Alexander Galloway’s definition of the interface plays a central role for the latter. An examination of the architectures and interfaces of Tor Browser, Signal, and Retroshare demonstrates that the medium specific characters of anonymity enhancing tools add new layers to the concept of online anonymity. The way these tools structure information is influenced by cryptographic ideals, trust and

functionality. While being effected by the latter, Tor Browser, Signal and Retroshare show that a different online culture can be established in which the individual’s anonymity plays a central role.

Keywords

(2)

INTRODUCTION

Information gathering seems one of the defining characters of civilized societies today. Information technologies are ubiquitously present in everyday life and the ability to store huge amounts of data has dramatically increased over the years. Almost all online activity is being recorded: for marketing purposes by companies, and security purposes by law

enforcement agencies, but also for research purposes. Therefor, it has become increasingly difficult to achieve relative forms of anonymity. Yet, as the availability of the many anonymity enhancing tools shows, there seems to be a need for online anonymity. One can browse the internet using an encrypted browser, search the internet using a search engine which doesn’t track its users or communicate on the internet using an encrypted messenger. Moreover, users can overcome online tracking by installing privacy enhancing browser extensions or by installing private networks. Anonymity enhancing tools are often based on encryption technology. Encryption technologies can provide strong forms of anonymity by securing information with mathematical protocols. While the options for achieving forms of online anonymity are manifold, it is often put down as being obscure or even dangerous. American government officials accuse encryption of having created a “zone of lawlessness” (Koebler n.pag) and go as far as wanting to ban internet anonymity (McCarthy n.pag). Moreover, in 2015 the British prime minister intended to ban communication services with strong encryption methods if those services didn’t open up their data to the UK government (Kravets n.pag). In the year after, French lawmakers backed a plan to impose penalties on technology executives denying access to encrypted data during a terrorist investigation (Fouquet and Mawad n.pag). Clearly, the concept of online anonymity is controversial. Not for nothing in 2015 technology magazine Wired dubs anonymity as “the internet’s next big battleground” (Card n.pag). I will stay away from the “battleground”, but will address the problem of online anonymity from a different perspective. I will add to the debate on anonymity by analyzing how online anonymity is narrated by three tools which enhance anonymity, namely Tor Browser, Signal and Retroshare. Tor Browser is a preconfigured web browser which focusses on protecting the user’s anonymity; Signal is an encrypted calling and messaging application which anonymizes the user’s communication; and Retroshare is an alternative social networking platform which focusses on offering secure communication and

(4)

file sharing. The beta versions of these tools already date back to respectively 2002, 2010 and 2006, but the ideals they pursue are still very relevant.

In the tradition of Geert Lovink and Miriam Rasch, and following their example also Robert Gehl, this research focusses on alternative new media forms. Lovink and Rasch believe that while new media create and expand the social spaces through which people interact, play and politicize themselves, these media are owned by a few companies which have phenomenal power to shape the architecture of these interactions (10). Therefor Lovink and Rasch advocate for research on alternatives to these closed and centralized environments (10). While they focus on social networking sites alone, I am expanding beyond social networking platforms. In doing so this research will focus on the juncture between the technical and the social against the background of new media studies. More specifically, by focusing on the software and the interfaces of anonymity enhancing tools, it adds to the field of software studies. Without falling into easy dichotomies this research will focus on what (online) anonymity has offered societies in the past and can offer societies in the present. I will do so through the following question: In what manner do anonymity enhancing tools

create a narrative of anonymity, focusing on its functions for society? To answer this

question, I will start by analysing the concept of anonymity from a historical perspective. This meta-narrative exposes several functions of anonymity before the existence of the internet and shows how the internet has changed the concept of anonymity. It shows that anonymity has been beneficial to personal freedoms and has functioned as a protective measurement throughout history. Hereafter, I will analyse online anonymity in practice within online environments today by means of Tor Browser, Signal and Retroshare. I will do so by analysing the documentation accompanying these tools and the interfaces of these tools. Influenced by Alexander Galloway I will approach their interfaces as zones of activity which produce effects and at the same time are themselves effects of the larger forces causing them (1). Tor Browser, Signal and Retroshare all present an alternative idea on information and communication technologies. I will analyse what new forces are important for online anonymity as seen from these tools. It will become clear that the medium specificity of anonymity enhancing tools has changed the concept of online anonymity to some extent. Instead of the prevailing paradigm of datafication at the expense of privacy, these tools show how a different online culture can be established in which the individual user’s anonymity is being considered.

(5)

1. ANONYMITY THROUGH HISTORY

With this historical analysis of the concept of anonymity I am not aiming at giving a complete history of the concept, but am merely contextualizing the concept for the purpose of my research. I will start this history of the concept of anonymity with the emergence of the city as anonymity is often seen as a defining character of urbanity (Lofland; Garber). Then I will focus on anonymous authorship throughout history. This chapter will show that both can be seen as precursors of online anonymity. It will become apparent that features of both are visible within the concept of online anonymity while at the same time having its own

characteristic features. I will show that anonymity is a concept which had social and cultural value in the past, but has changed with the coming and maturing of the internet. It will become clear that past and present come together within the concept of anonymity, in Marcy North’s words: “It facilitates the appropriation of past conventions and encourages

experimentation with the standards of the present” (4). Anonymity functions to combine the old and the new.

1.1 Anonymity and urbanity

Anonymity has been inherently linked to urbanity and a vital characteristic of urbanity, namely publicity (Garber 19). In 1973 sociologist Lyn Lofland describes the difference

between the city and the small town as following: “The city, because of its size, is the locus of a peculiar social situation: the people to be found within its boundaries at any given moment know nothing personally about the vast majority of others with whom they share this space” (Lofland 3). For most part of human history human beings lived their lives in small isolated worlds like villages or towns. The one characteristic all these different kind of little worlds shared was the absence of anonymity (Lofland 4). Cities changed this fact and instead of strangers being the exception, strangers became the rule. Because of this, Lofland describes the city as a world of strangers (4). Likewise, Judith Garber describes that traditionally anonymity is viewed as the defining attribute of urbanity (19). She describes urban publicity as unobtrusive in the sense that people are not required to reveal any more about themselves than they choose (Garber 19). In this sense urban anonymity shows that anonymity

contributes to individual freedom and diversity. Within the city anonymity is available for everybody wishing to take advantage of it1. Urban public space allows people to interact

1 _{At least for those whose appearance is able to hide identity. Skin colors or disabilities for instance are more}

(6)

socially without any knowledge of someone’s background other than visible in his

appearance. People can meet others with widely different backgrounds and standards without the usual social restraints of his environment. Garber explains: “Because of its accessibility to all sorts of groups, anonymity is used to signify the kinds of ideal geographical, social, and civic spaces in which identity differences are accepted instead of being subsumed into the mainstream or repelled” (Garber 20). Therefore, anonymity holds concrete appeal in terms of security for groups that live under scrutiny and threat (Garber 20). In this way anonymity can hold relevance for anyone who differs from the norm. Minority groups differing from the social norm could find anonymity in the city. Anonymity in this sense is connected to identity.

Furthermore, anonymity does not have to be the same as invisibility, but rather depends on dynamics of revealing. Within urban territory people can practice widely divergent identities which makes anonymity dependent on citizens who display or hide

various roles or identities within the city (Garber 28). In 1973 David Karp explains that hiding is essential for anonymity. It allows persons to engage in unconventional behaviour without displaying oneself as unconventional. In doing so anonymity gives persons the ability to engage in social actions without committing their identities to those actions (447). In this sense an anonymous situation is a situation where persons are hiding certain of their identities from one another (Karp 447). One can be one person at work, but can hide that role at home and take on another identity in the streets, in bars and so on. Understood like this, anonymity is less about strictly being unidentified or unrecognized, but more about revealing oneself or one’s group identity only within parts of the city (Garber 33). Within this understanding of the concept, anonymity seeking is heavily intertwined with identity seeking, making of

anonymity a social concept. Karp explains:

The anonymous situation is made a very social one because each participant is aware of and feels constrained to respect the faqade of anonymity that each other participant is producing. It is, in this sense especially, that the collective venture of anonymity can be described as possessing a normative force. (447)

Karp sees anonymity as a collective venture in socially awkward situations, for instance in a pornographic bookstore or a waiting room. He shows that within those situations social standards apply even though anonymity is the norm. A collective anonymous situation is thus

(7)

1.2 Anonymous authorship

The previous paragraph has showed how anonymity can be understood as a social concept. This is also visible here, I will focus more on the cultural functions of anonymity. A lot has been written about anonymous speech and authorship throughout history. Along these lines anonymity is described as a textual function holding cultural value. North shows that anonymity was not a stable quality through literary history, but could be acquired and lost, chosen and rejected, desired and denied, accumulated and borrowed, and on a larger scale was dependent on fashion and genre (43). Within the medieval and pre-print legacy anonymity was often a convention of humility and discretion (North 55). While still visible in print cultures, print brought its own rules and technological possibilities. For one thing it changed the role of the author, as print made books more of a commodity. To advertise a new book an appealing title page was needed in which the author’s name became an expected

typographical feature (North 60). Where in books readers usually expected to find an author or some kind of signature for other forms of anonymously composed texts anonymity was – and still is - understood to be normal. Readers of for instance advertisement texts, pamphlets or reviews rarely think about the absence of an author’s signature “because by custom and tradition they do not expect one to appear in the first place” (Starner and Traister 2). These anonymous texts were ubiquitous and in deference to its content it did not matter who had written the text. Though also within book culture Robert Griffin describes that in the

eighteenth and nineteenth centuries a large number of books were written anonymously (882). Griffin argues that anonymity during that period was at least as much a norm as signed

authorship and therefor he describes anonymity as a centuries-long cultural practice (Griffin 882-883). As a textual function anonymity could shift the focus from the author to the text itself and in doing so create distance and intimacy (North 4). Susan O’Mally adds tot this that by not signing authors had more space to play or improvise because they were not locked into a specific authorial persona (130). As such anonymity was just as much a literary convention as naming or other methods of text presentation with which authors could introduce and frame the literature they produced (North 3).

Moreover, anonymous authorship holds social value through its ability to guarantee integrity. On the one hand signing guaranteed integrity –accountability could not be escaped- and an opportunity to gauge the weight of an opinion by knowing its source; while on the other hand anonymity guaranteed integrity since it liberated writers from social and political pressures (Griffin 884). Likewise, Lyrissa Lidsky and Thomas Cotter describe how

(8)

otherwise hesitant speakers more willing to speak. It can help speakers in feeling less

vulnerable to retaliation “and thus may be more apt both to speak truthfully and to engage in tortious or harmful speech” (Lidsky and Cotter 1539). Lidsky and Cotter saw that many American court decisions on anonymous speech were based upon the assumption that citizens have the ability to decide for themselves where truth lies in public discourse (1602). In most cases citizens were able to discount anonymous information and protect themselves from its possible harm (Lidksy and Cotter 1602)2. From this perspective the benefits of anonymity would way higher than its downsides.

Leaving aside the question if anonymity or signed authorship was more advantageous, authors had widely varying motives for publishing anonymously of which most show a function of protection. Griffin mentions the following motives: “an aristocratic or a gendered reticence, religious self-effacement, anxiety over public exposure, fear of prosecution, hope of an unprejudiced reception, and the desire to deceive” (885). John Mullan describes several other reasons of why authors have chosen anonymity within the history of English literature. He found eight reasons which he describes extensively in his book Anonymity: A Secret

History of English Literature (2007), namely: mischief, modesty, women being men, men

being women, danger, reviewing, mockery and devilry, and confession. Some of these

reasons, like women being men, men being women and danger, show how anonymity has the ability to encourage people to speak about subjects which they might not speak about if there was any chance of it being traced back to its origin. So, anonymity has the ability to protect the author from retaliation. This is why Griffin, while in a speculative sense, suggests that one of the dominant functions of anonymity over the centuries has been protection (891).

Society’s acceptance of anonymous writing from the seventeenth until the first half of the nineteenth century shows that it recognized that people had a right to speak their minds without fear of retaliation –or at least making retaliation difficult (Griffin 891). From this point of view anonymous writing was a liberating factor for society.

1.3 The changing landscape of online anonymity

With the emergence of the internet a new dimension was added to the concept of anonymity. The coming of the internet around the mid-1980s meant availability to vast amounts of information for individuals around the world. From its origins and onwards the internet grew increasingly; in 1993 it was linking at least three million computers (Long 1180). To

(9)

elaborate, at that time most universities offered some form of internet access to students, as did government agencies (Long 1180). The architecture of the early internet permitted relative anonymity when browsing the internet. Lawrence Lessig sees this as the big difference

between real space and early cyberspace. While in real space anonymity had to be created, in cyberspace it was the given (45). One could escape the norms of his environment without physically leaving this environment. Therefore, the experience of the internet suggested anonymity (Lessig 45). At the same time, because of the rapid growth of computers connected to the internet, information published online had an increasingly vast reach. While in this sense being a democratizing medium, this rapid and widespread information dissemination made invasion of one’s privacy a concern. Unauthorized circulation of private information could now happen on a much bigger scale. Lessig explains: “Anyone anywhere could publish to everyone everywhere. The network allowed publication without filtering, editing, or, perhaps most importantly, responsibility” (19). Because of the internet’s relative anonymity one could separate himself from his words, making it easier to speak without thoroughly thinking words through.

One of the first technologies to change the relative anonymity while browsing was the cookie. Within the early internet there was no simple way for websites to know which

machines had accessed it. Within the web as originally built there was no way to remember the user from one page to another (Lessig 48). This changed in 1994 with the cookie, a small identifying piece of information put on one’s machine (Elmer 117). This meant that

computers could authenticate a machine as the same machine that accessed a particular website earlier. User data disclosed to a site could be embedded in a cookie, making it easy to build a profile on users by tracking their preferences and made choices. Cookies provided a relatively stable platform for interaction between users and websites (Elmer 118). Within its early days the cookie transmitted a relatively small amount of information. This changed over time as the information in the cookie was being linked with server data collection and

diagnosis techniques (Elmer 119). While knowing the user’s computer didn’t necessarily mean that any information about the user was revealed, it did change anonymity. One’s behaviour could now be traced and together with one’s IP-address – a virtual address or device identifier - this could reveal a great deal of information about a person when analysed. While the IP-address always existed as a protocol to transfer data from on computer over another within the network (Galloway, Protocol 84), without the cookie it was very hard to link an identity to an IP-address. The cookie is an early example of an identifying technology and “as the internet has matured, the technologies for linking behaviour with an identity have

(10)

increased dramatically” (Lessig 46). This increase correlates with the coming of the

information economy relaying on consumers who exchange demographic and psychographic information for commodities and services (Elmer 4). With this information consumer profiles are being build to anticipate consumers’ future needs and wants based on aggregated past choices and behaviors (Elmer 5). With aggregated user data advertisements have become targeted and customized. By voluntarily surrendering data, individuals become calculable subjects and additionally “acts of participation or self-communication themselves become data, the entirety of our everyday life practices subject to, and constituted by, perpetual calculation” (Raley 126). So, in this datafied information society everything one does online is being recorded and processed into calculable and measurable data.

Another derogation of online anonymity emerged with the launch of major social network sites. Nicole Ellison shows how major social network sites already launched from 1997 and on (212). Within such networks users created profiles based on a series of questions whose answers mostly included age, location, interests and a profile photo (Ellison 213). The big difference between social network sites and earlier forms of online communities was the fact that social network sites were primarily organized around people instead of interest (Ellison 219). In 2008 Shanyang Zhao, Sherri Grasmuck and Jason Martin describe that within social networking sites the concept of identity production changed as individuals on the internet could interact in a fully disembodied text mode, revealing nothing about their physical characteristics (1817). By withholding information about one’s personal background relative anonymity could be maintained within social networking sites (Zhao, Grasmuck and Martin 1817). Disembodiment enables individuals to hide undesired physical features and anonymity allows individuals to re-create their biography and personality; together these features allow people to reinvent themselves online, increasing their identity empowerment (Zhao, Grasmuck and Martin 1818). However, also within social network sites linking “real” identity to a computer user became more and more the norm. To elaborate, Friendster, launched in 2002, already actively deleted fake profiles and genuine user-profiles whose photos were non-realistic (Ellison 216). Thus, people were being encouraged to represent their “real” self within their online profile. This goes beyond social networking sites as account registration isn’t only embedded within social networks, but is visible all over the internet, from e-mail registration to streaming services and news outlets. Once log-in credentials are required a data trail is created. The encouragement of realness grows as the internet grows, for instance visible in so called real name policies. Facebook is one of the

(11)

about their real name policy: “Facebook is a community where people use their authentic identities. We require people to provide the name they use in real life”. And: “Pretending to be anything or anyone isn't allowed” (Facebook, Help n.pag). People nowadays aren’t only encouraged to represent their “real” self, but also obliged3_{. Persistent identity has become the} mainstream. While many social networks require real names Lilian Edwards and Derek McAuley explain how the arguments against real names policies are manifold and that

“public regulators and private companies advocating real names policies, ostensibly to protect the vulnerable online, fail to note the many reasons why real names are as likely to imperil these users” (3). Examples could be pseudonymity for political speech, repression and exposing victims to malevolence.

1.4 Encryption and anonymization

Thus, the more the internet matured towards the internet as it is now, the less anonymous one could be online. This change in architecture of the internet could make anonymity more wanted because, as Michael Froomkin already puts it in 1996: “Anonymity may be the primary tool available to citizens to combat the compilation and analysis of personal profile data (…)” (Flood Control n.pag). In this manner anonymity is a way to control the

dissemination of one’s personal information. However, to achieve relative forms of online anonymity extraordinary steps are needed, ranging from disabling cookies to installing privacy software. Likewise, Seda Gürses, Arun Kundnani and Joris van Hoboken describe encryption technologies as the dominant theme in counter-surveillance initiatives (7).

Encryption helps to prevent high-tech eavesdropping by disguising messages and in doing so increases anonymity. It can be described as the process of encoding information in human-readable media into an illegible condition, so that only those with a secret decryption key can access its content (Gürses, Kundnani and Van Hoboken 7). According to Long, tools for encryption, like anonymous posting services for posting anonymous messages and

anonymous remailers for disguising a message’s origins, already existed as early as 1988 and onwards (Long 1185).

With the internet encryption became more readily available to the masses instead of being tightly controlled by states and their intelligence agencies (Gürses, Kundnani and Hoboken 8). The so called ‘cypherpunks’ – officially founded in 1992, but already dating back to the mid-1988 - have played an important role in the availability of advanced

3

(12)

cryptography for civilian use (Gürses, Kundnani and Hoboken 8). At its founding meeting in 1992 Tim May explains that profound crypto technologies already existed in theory for a decade, but were only just practically realizable because of sufficient speed (n.pag). He starts his talk with the following: “A specter is haunting the modern world, the specter of crypto anarchy” (May n. pag). The cypherpunks embody a technocratic view on the world advocating equality by means of encryption. In A Cypherpunk’s Manifesto (1993) Eric Hughes expresses the following about the cypherpunks opinions on encryption in relation to online anonymity: “An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy” (n.pag). And: “We the

Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money” (Hughes n.pag). The cypherpunks see encryption as the only way to ensure privacy and therefor encryption should be as a common good (Hughes n.pag).

Comparable to the functions of anonymity within the city, Hughes sees privacy as the power to selectively reveal oneself to the world by means of anonymity (n.pag). While the

cypherpunks take on quite an idealistic and maybe extreme point of view, encryption can have a role to play for ensuring privacy. However, oppositely technological innovation, like cheap computation and data storage, but also economic and social forces have created a demand for privacy-destroying technologies (Froomkin, The Death 1465). According to Froomkin in 1996 it was relatively easy to achieve anonymity in electronic communication over the internet (Flood Control n.pag). It is mainly because of privacy-destroying

technologies that today complete anonymity by means of encryption isn’t necessarily easily achievable.

Another way to still provide some form of online anonymity is by means of anonymization. Mass scale data collection has changed the relatively anonymous online persona of an individual towards a highly visible though often anonymized online persona. Within the internet as it is today enormous amounts of data about individuals are being collected by companies for marketing purposes and by governments for security purposes. Often data is being anonymized, meaning that personal identifiers, such as name, address, date of birth and credit card number, are stripped out of the datasets (Mayer-Schonberger and Cukier 243). Anonymization seems to have replaced anonymity. Individuals are being

profiled by means of the data produced around them into what Richard Ericson and Kevin Haggerty call ‘data doubles’, “our virtual/informational profiles that circulate in various

(13)

reassembling, information about individuals is broken down into a series of discrete

informational flows which are captured through series of classification criteria (Ericson and Haggerty 4). This implicates that somebody’s data double can’t be connected to him and thus still offers a sense of anonymity. However, the increase in quantity and variety of information facilitates re-identification (Mayer-Schonberger and Cukier 244). Instead of individuals actively and consciously offering their personal information, data is passively and

automatically being integrated into proprietorial databases (Elmer 56). The capturing and combining of large data sets has made it easy to identify anonymized data and because of the ease of re-identification – or de-anonymization – Rita Raley claims that perfect anonymity is impossible (128). If anonymity was an inherent character of the city, now within the internet “life becomes a village composed of parallel processors, accessible at any time to reconstruct events or track behavior” (Lessig 203). Likewise, if anonymity was an inherent character of urban publicity, now when moving around in the public space of the internet one isn’t anonymous. Relative anonymity is no longer permitted in the architecture of the internet.

2. METHOD

As an answer to the ascending derogation of online anonymity, tools offering anonymity by means of encryption have become widespread. There are many different types of tools which all offer anonymity in one way or another. I have selected three types of anonymity enhancing tools to analyse contemporary online anonymity, namely Tor Browser, an encrypted browser; Signal, an encrypted text messenger; and Retroshare, an encrypted social networking

platform.

2.1 Objects of study

Tor Browser, Signal and Retroshare all provide different forms of online anonymity and can because of their differences show how anonymity is being shaped within the diverse areas of the internet.As explained before these tools provide an alternative to mainstream media, in this case like Google’s browser Chrome, Facebook’s messenger WhatsApp and social networking site Facebook. One frequently expressed concern regarding mainstream media focusses on the politics and rights of the users, often touching upon the lack of privacy for the user (Langlois 51). A way alternative media address problems alike, arising from the

accumulation of power on the part of mainstream media, is through decentralization (Gürses 348). In 2012 Arvind Narayanan et all. have researched alternative decentralized architectures and one conclusion they drew was that decentralized personal data architectures have seen

(14)

little adoption (n. pag). In 2016 this isn’t necessarily the case anymore. To elaborate, Signal for Android alone has been installed between one and five million times (Google Play n.pag) and the estimated number of directly connecting users of Tor is over 1.5 million (The Tor Project, Tor Metrics n.pag). Retroshare on the other hand has seen little adoption. I have still selected Retroshare as it, just like Tor Browser and Signal, presents an interesting

decentralized architecture. Retroshare has implemented its own Friend-to-Friend network, Tor Browser is based on onion routing, and Signal too doesn’t use one single server. The three case studies present interesting architectures for effectuating relative forms of anonymity. While all presenting a decentralized architecture it will become apparent that they

accommodate different politics, making them interesting case studies for this research. 2.2 Approach

Combined with an analysis of the support- and about pages of the websites accompanying Tor Browser, Signal and Retroshare I will be conducting an interface analysis. Due to the scope of this research I think this is the most feasible manner of analysing these tools. A review of user studies could be interesting, but when searching for literature it became clear that user studies of Signal and Retroshare don’t exist. Analysing the interface and support- and about pages allows me to look at the front end as well as the back end of these tools. The interface provides an interesting lens of looking at new media objects. As Lev Manovich explains, the interface imposes its own logic on users and “(…) by organizing computer data in particular ways, the interface provides distinct models of the world” (65). It brings with it a strong message of its own (Manovich 65). Part of this is the fact that an interface always has a particular design which determines user interaction. In Galloway’s words: “The interface asks a question and, in so doing, suggests an answer” (The Interface 30). So, interfaces consist of areas of choice. Rather than being a thing, Galloway understands the interface as an effect always in process and translation (The Interface 33). He sees the interface as a process evoking transition moments in which the user is evoked to act so that processes inside the software can take place (Galloway, The Interface 32). Hence I approach the interface as a zone of activity whose effects bring about transformations in material states (Galloway, The

Interface 7). So, the interfaces of the three tools I am studying can offer an understanding of

how these tools operate and the effects they produce. Moreover, by means of analyzing their support- and about pages I will analyze what kind of encryption these tools offer and learn the philosophy behind their organizations by the discourses they carry forward. In doing so I will

(15)

analyze what kind of purposes the tools serve and what new objects and actors play a role in their versions of contemporary online anonymity.

I will focus on the previously described functions of anonymity in the past and examine the visibility of these functions within the three anonymity enhancing tools. The previous chapter described several functions of anonymity before the internet and showed how the internet changed the concept of anonymity and its functions. Firstly, within the city anonymity functioned as a social tool to help people seek identity. Hence it contributed to diversity and individual freedom. Secondly, within authorship anonymity functioned as literary convention. Also, it functioned as a stimulator for integrity by liberating writers from social and political pressures. Mostly, it functioned as a protective measure against powerful entities. Lastly, within the internet anonymity functions as a way for combating user profiling and preventing high-tech eavesdropping. I will analyse if and how these functions are

manifested within anonymity enhancing tools and which of the functions are emphasized. Importantly, I will seek for “new” functions and analyse what these tools add to the functions discussed in the literature. To illustrate, see Figure 1.

Anonymity as.. In Tor? In Signal? In Retroshare?

A social tool for identity seeking A literary convention

A stimulator for integrity A protective measure

A tool for combating user profiling for marketing purposes

A tool for preventing high-tech eavesdropping

New Functions of anonymity

Figure 1: Anonymity and its functions as found in chapter one.

Hence I will look at how the interface articulates anonymity and connect what I see to the previous chapter. After having connected this to claims within the support pages I will have developed a profound understanding of the three tools and their organizations. I will end by critically discussing and comparing the three tools and their versions of anonymity.

(16)

3. TOR

Tor – The Onion Router - is an anonymous network that distributes the user’s actions over several places on the internet to disconnect him and his destination (The Tor Project, Tor

Project). Tor Project’s monetization system is based on sponsorship and volunteer work –

individuals coding, testing, documenting, educating, researching, and running relays (The Tor Project, Sponsors). All Tor’s software is maintained and developed by the Tor Project as free and open source software. For this analysis I will primarily focus on web browsing through Tor Browser. However, in order to understand the browser, I need to understand the workings behind Tor’s onion routing network. Onion routing was developed around mid-1990 by Michael Reed, Paul Syverson, and David Goldschlag for the US Naval Research Laboratory for the purpose of protecting government communications (Reed, Syverson and Goldschlag 1). In easiest form Reed, Syverson and Goldschlag describe onion routing as an infrastructure for private communication over a public network (1). It works through a process of layering:

Before sending data over an anonymous connection, the initiator's onion router adds a layer of encryption for each onion router in the route. As data moves through the

anonymous connection, each onion router removes one layer of encryption, so it arrives at the receiver as plaintext. (Reed, Syverson and Goldschlag 2)

So, encrypted data is being transmitted through a virtual circuit of relays in which each relay shortly decrypts an encryption-layer by using a so called onion key, only to reveal the next relay in order to pass the remaining encrypted data on. The data passed along the connections appears different at each relay so that the data can’t be tracked when in transit (Reed,

Syverson and Goldschlag n.pag).

The first version of Tor was released by Roger Dingledine as a pre-alpha version in 2002 to people within the Free Haven-mailing list, asking them to voluntarily start a relay (Dingledine n.pag). After the first 40 relays came into existence Roger Dingledine together with Nick Mathewson and Paul Syverson officially introduced Tor in 2004 at the USENIX Security Symposium. Here they describe Tor’s main goal as frustrating attackers from linking communication partners or linking communication to a user (Dingledine, Mathewson and Syverson n. pag). All connections in Tor are encrypted by TLS –Transport Layer Security - link encryption. The TLS protocol authenticates and verifies the server before enabling a connection and encrypts the communication between two parties by means of encryption

(17)

keys. Furthermore, Tor has a low-latency design which anonymizes interactive network traffic through a variety of protocols (Dingledine, Mathewson and Syverson n. pag). Low-latency anonymity systems are vulnerable to end-to-end traffic confirmation (Dingledine, Mathewson and Syverson n. pag). This means that Tor is vulnerable to attacks by means of end-to-end traffic analysis. A low-latency system like Tor doesn’t guarantee perfect

anonymity “because of the conflict between preventing traffic analysis on the flow of packets through the network and delivering packets in an efficient and timely fashion” (Abbott et al. 184). For practices such as browsing it is important that data moves fast so there is no time lag between the user and the website he wants to access. Within the current design of the web addressing the vulnerability to end-to-end traffic analysis would mean sacrificing substantial functionality (Abbott et al. 198). On its website Tor warns users for this in the following way: “Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks” (The Tor Project, Tor Project). In a defending manner Tor explains their made design choices: because of functionality reasons Tor offers anonymization rather than anonymity.

3.1 Tor Browser

Individuals can make use of the Tor network through Tor Browser, a pre-configured version of Firefox (The Tor Project, FAQ n.pag). By accessing Tor through Tor Browser installing any software isn’t needed. According to Tor’s website accessing the Tor network using other browsers is “dangerous and not recommended” (The Tor Project, FAQ n.pag). Webpages visited through Tor Browser will be sent via Tor and after closing the browser the list of web pages the user has visited along with placed cookies will be deleted (The Tor Project, Tor

Browser n.pag). Thus also within Tor Browser cookies and browser history exist. The

difference with most default browsers is the fact that Tor doesn’t give this data away by default, instead the user can choose how much information he wants to reveal for each connection (The Tor Project, FAQ n.pag). Likewise, the user controls if he provides log in credentials to websites like Facebook or Google. When a user logs into certain platforms, his location is still being hidden, but because he logged into a platform his identity is revealed to these platforms.

Third party browser plugins operating independently from Firefox aren’t recommended to be installed on Tor Browser as they can compromise anonymity, for instance by browser fingerprinting and bypassing proxy settings (The Tor Project, FAQ n.pag). However, because the browser is open source users can modify its software any way they like. For most users

(18)

this probably won’t be an option because of a lack of technical knowledge. Moreover,

because of the onion routing process one’s geolocation data is messed up which changes some of the personalized experiences one is used to in other browsers, like language preferences. Changing settings on for instance search engines to English is a way of fingerprinting the browser, but might be necessary for the user to understand searches.

Moreover, when explaining its browser Tor warns the user again for possible traffic analysis: “If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication” (The Tor Project, Tor Browser n.pag). With this statement the organization constructs meaning by opposing Tor against other “scary” browsers. Moreover, the reader is assumed to have some sort of technical knowledge on encryption as HTTPS and end-to-end encryption are being proposed. This is something visible within most of the pages within Tor’s website. On the one hand, the technicality on Tor’s website increases transparency on its tools as all the technical details, design decisions and development processes are being shared within its website and documents shared on its website. On the other hand, this makes it more difficult for the ‘ordinary’ individual to interact with the website. Within a document explaining the design and implementation of Tor Browser Mike Perry, Erinn Clark and Steven Murdoch explain the philosophical positions about technology which guided the technology decisions about Tor Browser (n.pag). The number one position reads: “Preserve existing user model” (Perry, Clark and Murdoch n.pag). Perry, Clark and Murdoch explain that the Tor browser should work in the same way a user expects a browser to work, because otherwise the user will be confused, make mistakes which reduces his privacy or may stop using the browser assuming it is broken (Perry, Clark and Murdoch n.pag). Here, the average Tor user isn’t described as one having much technological knowledge at all. So, the Tor project constantly seems to be juggling to address the average technical anile user as well as the technical fledged user.

(19)

3.2 Interface

Before Tor Browser opens the browser has to connect to the Tor network. The user has to wait until a connection is established, which isn’t the case in other browsers. The connection window gives the option to ‘Open Settings’. When clicking this button, the window visible in Figure 2 pops up.

Figure 2: A screenshot of Tor Network Settings, as taken from MacOS on 8 April 2016.

Apparently anonymity works differently for users who are being censored. A user whose connection is being censored could still configure a bridge or local proxy to connect to Tor and browse anonymously. Bridges are Tor relays which aren’t listed in a public list. They can be used quite easily. One simply clicks the “configure” button, has to answer some questions about his internet connection and then connects with one of the provided bridges. A user can also enter a custom bride. The latter is quite an advanced option. Tor recommends to first try to connect to Tor without a bridge or local proxy which will work in most cases. Whatever the user acts upon will change his connection, mediating between the user and the browser. Here, the user is given the option to change the network to fit his need. If the user’s computer isn’t censored, he wouldn’t click the Network Settings and thus not see this menu. Through disruption, namely a non-working network, traces of Tor Browser’s inner working are revealed.

Next, Tor Browser opens, see Figure 3. I added numbers to all the visible objects and actors I’m going to discuss further.

(20)

Figure 3: A screenshot of Tor Browser. The red numbers are added to indicate the features I’m going to discuss further. Screenshot taken on 8 April 2016 from MacOS.

At first glance Tor browser looks like any other browser, not complicated and pretty

straightforward. Simultaneously Tor Browser propagates anonymity in several ways. At first instance Tor states the following: “You are now free to browse the Internet anonymously” (Figure 3 no. 3). However, as seen in the previous chapters, only using Tor isn’t enough. Tor emphasizes this again on the Tor Browser homepage with a big sized warning (Figure 3 no. 6). One can click this warning to get additional tips on how to stay anonymous online. Next to the warning Figure 3 no 7. depicts several options for how the user can help Tor in growing and getting more anonymous. Figure 3 no 8. emphasizes Tor’s dedication to online anonymity and privacy again. With the option ‘Test Tor Network Settings (Figure 3 no. 4) the user can check if his browser is configured to use Tor and see the IP address assigned to him.

Moreover, from the homepage straightaway it is visible that there are at least three external features build into the browser by default, namely Disconnect Search (Figure 3 no. 5), NoScript (Figure 3 no. 1) and Torbutton (Figure 3 no. 2). All these features are added to enhance the user’s anonymity. Disconnect Search is a specialized VPN that offers secure search through a layer on top of the search engines Bing, Yahoo and DuckDuckGo. It doesn’t log searches, IP addresses, or other personal information (Disconnect n.pag). So, it isn’t actually a search engine, but as visible in Figure 3 no. 5 it does look exactly like other search engines.

When clicking the NoScript add-on, the advised option is to ‘Forbid Scripts Globally’, but one can also advance his settings, see Figure 4.

(21)

Figure 4: A screenshot of the advanced settings of NoScript, as taken on 8 April 2016 from MacOS.

NoScript is an extra protection layer on top of the browser which only allows plugins like Java and Javascript on trusted domains. It is based on whitelisting and protects the user from exploitation of security vulnerabilities. It is specifically mentioned that no functionality will be lost because of NoScript (NoScript n.pag). The NoScript Options are manifold, but by default the user is send to the advanced options. Without background information the user probably won’t know what all the options do or enable. However, from its interface it becomes clear that scripts decrease anonymity. When for instance clicking the XSS button, some lines of code are displayed. Results matching the code will not be protected against XSS – a bug in the security of web applications which an attacker can misuse. The user can add code himself. Here the user is specifically involved in the normally invisible space behind the interface.

Torbutton gives the user several options for enhancing his anonymity, see Figure 5.

Figure 5: A screenshot of the Tor Button options (left), when browsing a website one can see the taken circuit (right). Screenshots taken on 8 April 2016 from MacOS.

Torbutton takes care of application-level security and privacy concerns (The Tor Project,

(22)

Moreover, the Tor Project explains that for keeping the user safe Torbutton disables types of active content (Torbutton n.pag). Among others it disables plugins, clears cookies and manages history. In this way the button discourages fingerprinting. Moreover, when clicking Torbutton when browsing, the user can see the taken circuit and used IP addresses for the site he is visiting (Figure 5). This makes the concept of onion routing a bit less abstract by

showing exactly which route is taken when browsing. It is possible to set up a new circuit which might be necessary for overcoming certain country restrictions – for instance on websites as Netflix. When clicking “Tor Network Settings” the same window appears which is visible in Figure 2 and already is discussed before. Figure 6 depicts the possible privacy and security security settings within Torbutton.

Figure 6: A screenshot of the (default) Privacy Settings, as taken on 8 April 2016 from MacOS.

The chosen settings are the default settings. As visible one’s security level isn’t on “high” by default, which one might expect from a secure browser. One’s security level is low by default because of usability. The higher one sets his security level, the more changes are applied making the browser more difficult in use. However, one’s privacy settings are on high by default, all possibilities are enabled. These possibilities directly enhance one’s anonymity, for instance by not recording data like cookies and browsing history.

The last feature on Tor Browser’s homepage I want to discuss in more length is its setting menu. Just like every other browser Tor Browser has a general menu with setting options. The menu-options are very similar to the regular Firefox options, with exception of HTTPS Everywhere, see Figure 7.

(23)

Figure 7: A screenshot of Tor Browser’s menu showing the default add-on HTTPS Everywhere, as taken on 8 April 2016 from MacOS.

HTTPS Everywhere is an add-on which activates HTTPS on a selection of common websites which would otherwise use HTTP. HTTPS is a protocol for transferring data which encrypts the dataflow –the ‘s’ stands for secure. HTTPS does not make a website anonymous, but rather ads a security layer. Its functioning is invisible and its presence only visible within the Tor Browser settings.

All in all, Tor Browser is a layered browser with different formats working through each other on different surfaces. These different media layers within the interface reveal quite some of the workings behind the techniques that enhance anonymity within the browser. The user is given the choice to passively use the proposed default settings or to change them to his liking or needs. Changing the default settings could result in more anonymity, for instance by changing his “security level” (Figure 6) to high, but could also result in less anonymity. A user could for instance disable HTTPS Everywhere and NoScript, could choose to use Google instead of Disconnect Search or could login to online profiles. These choices will have

profound meaning for the usability of the browser. Enhancing anonymity will in many cases mean decreasing the usability of the browser, and the other way around. The actions the user partakes evoke transition moments within the working of Tor Browser, changing the inside processes which either enhance or decrease his level of anonymity.

4. SIGNAL

Signal is a free private messaging and calling application for iPhone and Android developed by Open Whisper Systems. Signal was released in 2014 for iPhone and in 2015 for Android

(24)

as a descendant of two earlier software projects RedPhone, an encrypted calling application, and TextSecure, an encrypted texting application4. Before Signal existed on Android, iPhone users could communicate with Android users via TextSecure (Marlinspike, Signal n.pag). All communication within Signal is encrypted in transit as well as end-to-end encrypted.

Open Whisper Systems derived from Whisper Systems, a company co-founded by Moxie Marlinspike – a pseudonym - and Stuart Anderson in 2010 for developing mobile security software (Marlinspike, A New Home n.pag). In the same year the company started Whisper System released the beta versions of RedPhone and TextSecure. In 2011 Twitter acquired the company resulting in Marlinspike working for Twitter’s security team.

According to an article in VentureBeat neither of the two companies disclosed the financial terms of the deal (Cheredar n.pag). After Twitter acquired the company, RedPhone as well as TextSecure were released as open source software (Garling n. pag). Open Whisper Systems emerged in 2013 when Marlinspike left Twitter to continue on the work of Whisper Systems (Marlinspike, A New Home n.pag).

While Whisper Systems started out as a company, Open Whisper Systems is a non profit organization supported by donations, grants and government funding (Open Whisper Systems n.pag). Open Whisper Systems doesn’t clarify exactly who its sponsors are and what kind of grants it receives, but does explain how individual donations are being made and what they are spend on. In a blogpost written in 2013 Marlinspike explains a self written service called BitHub that “accepts Bitcoin donations and allocates them into a single pool of funds” and “distributes the Bitcoin donations from that pool to anyone who commits to our

repositories”. (Marlinspike, BitHub n.pag). Meaning that anyone is able to use donations to contribute time to Open Whisper Systems projects and that donators can watch the commits his donation is paid out on (Marlinspike, BitHub n.pag). A contributor has the option to opt out of receiving payment and contribute voluntarily.

4.1 Encryption and Network

As mentioned before Signal was launched as a successor of RedPhone and TextSecure. Therefor, I will start by explaining both application’s individual encryption methods.

RedPhone was introduced as a mobile application for low latency end-to-end encrypted voice calls, meaning that the call can’t be intercepted. RedPhone’s environment existed of the caller, the responder, the master RedPhone server and the relay RedPhone server (Whisper

4

(25)

Systems, RedPhone Architecture n.pag).5 The master servers setup call requests and authenticate if callers and responders are who they claim to be; the relay servers are

responsible for so called NAT Traversal, which efficiently receives and passes on encrypted packets from one device to another (Whisper Systems, RedPhone Architecture n.pag). So, a phone conversation is set up as follows: The caller contacts a master server which signals the request to the responder. The responder receives an encrypted signal and connects to the master server. When answering his information is received and passed on through the relay server (Whisper Systems, RedPhone Architecture n.pag). Moreover, the communication between clients and servers makes use of the TLS protocol to authenticate and verify servers and establish a key exchange between the caller and the responder (Whisper Systems,

RedPhone Encryption n.pag). TLS makes sure a secure connection is made through the

internet. Subsequently the actual call is encrypted using SRTP – Secure Real-time Transport Protocol - which provides confidentiality, message authentication and protection to the traffic. (Whisper Systems, RedPhone Encryption n.pag). For establishing SRTP on a phone call ZRTP – Zimmerman Real-time Transport Protocol – is implemented (Whisper Systems,

RedPhone Encryption n.pag).The latter establishes sessions for VoIP – Voice over IP. It secures media sessions which include a voice media stream by means of negotiating

encryption keys between the caller and responder (Zimmermann, Johnston and Callas n.pag). The ZRTP protocol provides confidentiality, protection, and authentication (Zimmermann, Johnston and Callas n.pag). So, through these protocols all transmitted data within a phone call is being encrypted while in transition from the caller to the responder.

TextSecure was designed as a general purpose SMS/MMS client, encrypting conversations with other TextSecure users (Marlinspike, Simplifying n.pag). In 2015 Open Whisper Systems ended support for SMS and MMS due to security flaws (Marlinspike,

Saying Goodbye n.pag). So, after 2015 TextSecure only supported messaging over an internet

connection. The TextSecure protocol was originally a derivative of the OTR – Off-the-Record - messaging protocol (Marlinspike, Advanced n.pag). The general idea of key exchange within OTR works as follows: when starting a conversation an unauthenticated key exchange institutes an encrypted channel, where after the communication partners are authenticated inside the channel (Cypherpunks n.pag). OTR is not a protocol for hiding that communication took place, but rather hides the content of the communication. In 2013 one of OTR’s primary

5

As the RedPhone wiki page was deleted after the coming of Signal, I used the archived version from the Internet Archive of September 2015 to access the information on RedPhone.

(26)

features was deniable authentication, making absolutely sure someone is who he says he is (Marlinspike, Simplifying n.pag). This means that only the intended receiver can identify the true source of a given message and at the same time the receiver can’t prove the source of the message to a third party (Lee, Wu and Tsaur 1376). Over the years TextSecure has altered the OTR protocol by simplifying and improving it (Marlinspike, Advanced n.pag). Users

themselves don’t have to involve in difficult key management because of the implementation of these algorithms and, importantly, the servers can’t decrypt their messages. Signal

implements both encryption methods of RedPhone and Textsecure in one application. The application is encrypted by a full messaging protocol named Signal Protocol which combines RedPhone and TextSecure (Marlinspike, Signal n.pag). Signal’s general goal is making encryption more convenient for the user in not having to use two applications (Marlinspike,

Signal n.pag).

On its website, Signal encloses a privacy policy – the other two analysed tools do not have a privacy policy. Notably, Signal’s privacy policy is extremely short compared to for instance those of WhatsApp or Facebook. It only contains two headers, namely “Information we have” and “Information we may share” (Open Whisper Systems, Privacy n.pag). While Signal’s servers don’t store content information, they do store the following data about the user: the phone number or identifier a user registers with; randomly generated authentication tokens to set up a call or transmitting a message; and profile information, for instance a name or an avatar, the user submits (Open Whisper Systems, Privacy n.pag). This information is only kept as long as necessary for placing a call or transmitting a message and not used for other purposes (Open Whisper Systems, Privacy n.pag). Open Whisper Systems can’t decrypt or otherwise access the content of a call or a message, but “IP addresses may be kept in memory for rate limiting or to prevent abuse”. IP addresses are being stored, meaning that someone’s location could potentially be intercepted. Moreover, contact information from one’s device may be cryptographically hashed and transmitted to the server in order to determine if the user’s contacts are registered (Open Whisper Systems, Privacy n.pag). By means of hashing, a numeric value is given to the contact information. It is not a tight system as hashed telephone numbers can easily be traced back. In a blogpost regarding this issue Marlinspike explains the difficulty of private contact discovery (The Difficulty n.pag). The blogpost was written at the beginning of 2014, but as Signal’s privacy policy shows the problem is still unresolved today.

(27)

4.2 Interface

As visible in Figure 8 Signal’s home screen interface looks like every ordinary messenger application.

Figure 8: A screenshot of Signal’s home screen on iPhone, as taken on 14 April 2016.

Because of Signal’s similarity to other messenger applications its interface is very intuitive. Signal’s home screen interface is very simple showing few options for change. There are no signs of anonymity or encryption visible. Almost all traces of Signal’s inner working are hidden. Signal’s interface only displays the user’s conversation inbox, an archive, a setting menu and a menu for adding friends.

When clicking the settings, the screen in Figure 9 pops up.

Figure 9: A screenshot of Signal’s settings on iPhone, as taken on 14 April 2016.

Again, there are not many options for the user to click on and again there are no signs of anonymity or encryption visible. There are privacy settings, but this isn’t a distinctive feature of Signal as many other messenger applications like WhatsApp and Facebook Messenger also

(28)

have privacy settings. Moreover, as visible in Figure 9, it is very easy to delete one’s account. When deleting the account all data is removed from the server. When clicking “Geavanceerd” 6_{(advanced) the options aren’t actually advanced: the user can only choose to enable a debug} log or not. The about-section portrays Signal’s version number, a Twitter sharing button and a link to the Open Whisper Systems website for help or questions.

When clicking the privacy settings, the first sign of anonymity becomes visible with the option “vingerafdruk” (fingerprint), see Figure 10.

Figure 10: A screenshot of Signal’s privacy settings on iPhone, as taken on 14 April 2016.

However, one does need some background knowledge to know this has to do with encryption, as just ‘fingerprint’ probably won’t speak for itself. The user’s fingerprint is a unique key that verifies his identity. When clicking the fingerprint, the user has the option to copy his

fingerprint or change it. By copying the fingerprint, the user can share it with his contacts. Another sign of anonymity becomes visible when clicking “notificaties”

(notifications), see Figure 11.

Figure 11: A screenshot of Signal’s notification settings on iPhone, as taken on 14 April 2016.

Here one can choose to not show a name or message when receiving a notification of a new message. In doing so, users can enhance the anonymity within a conversation as when the

(29)

phone is locked no meta-information on the conversation is visible on his phone. WhatsApp or Facebook Messenger do not have this option. The senders’ name and message are visible by default, probably because of functionality reasons; users are used to seeing a name and the message from other messenger applications.

When starting a chat conversation, the same applies as for the home screen interface: a conversation within Signal looks like any other conversation within other messengers and there are no signs of anonymity visible, see Figure 12.

Figure 12: A screenshot of Signal’s conversation interface on iPhone, as taken on 14 April 2016.

One can send photos, videos or voice messages and can use emoticons. While not visible in first instance, signs of secure messaging are visible in a chat conversation by means of verification. When holding a contact’s name in a conversation one can compare the earlier discussed fingerprints, see Figure 13.

Figure 13: Comparing fingerprints within Signal. Screenshot taken from iPhone on 14 April 2016.

By comparing fingerprints users verify their identity. Whenever the sender’s fingerprint – or identity key – changes, the receiver obtains a notification asking him to accept the new fingerprint, see Figure 14.

(30)

Figure 14: Notification within Signal asking the receiver if he accepts the sender’s changed identity key. Screenshot taken from iPhone on 14 April 2016.

So, within a chat conversation one isn’t anonymous in the sense of hiding his identity, rather the content of his conversation is hidden. By means of verification and authentication one can be sure to be talking with the person he aims to talk with, making high-tech eavesdropping impossible. However, of course sender or receiver can choose to reveal a conversation by showing it to others or sharing it with others by means of taking screenshots. A conversation can be anonymous by using Signal, but in combination with trust.

When starting a telephone call, again the screen looks just like other calling

application and is very simple. Just as the case with the message interface, the interface of a phone call only shows signs of anonymity by means of verification, see Figure 15.

Figure 15: Screenshot of a phone call within Signal, as taken from iPhone on 14 April 2016.

Figure 15 shows the random words “eyetooth Medusa” which the caller can say out loud. If the receiver’s phone shows the same words, one can be sure that there is nobody intercepting the phone call. However, the user needs some background knowledge to understand what the words are for. Moreover, of course receiver or sender can choose to reveal the phone call by letting other people listen in, for instance by using speakerphone.

(31)

Concluding, especially within Signal it becomes clear that the interface isn’t just a transparent window for the user to interact with the software. Signal’s interface is a perfected version of what’s behind, not showing all the “ugly” workings, but rather showing a heavily simplified and flawless version. Its interface is designed to keep the user from having to think about the interface. Or in Galloway’s words: “to implant in the viewer [user] the desires they though they wanted to begin with (…)” (36). Signal erases almost all traces of its own functioning. In doing so it doesn’t represent the changeability of its software. For the user there are only few options to change settings, while the software itself can be changed in many ways. As seen in the previous chapter the encryption protocols behind Signal are difficult and manifold, but nothing of this is visible in the interface. Being mediated through Signal there are very few transformations which the user is involved in, making user

interaction with Signal tightly structured.

5. RETROSHARE

Retroshare was founded in 2006 by drbob – of course a pseudonym (Retroshare n.pag). It was set up as a social platform providing secure communication and file sharing (Retroshare n.pag). Nowadays Retroshare is described as a cross-platform in which users can securely chat, share photo’s and video’s, send e-mails and visit (video) channels and forums

(Retroshare n.pag). The software behind the platform is open source. In 2012 drbob explains that Retroshare’s core design is about decentralization and privacy. He describes Retroshare as “a decentralised Friend-2-Friend network, which allows you to share stuff … not with the whole world… but with people you know and trust” (drbob07, Ideals n.pag). The platform’s anonymity is based on encryption together with trust. This means that intruding and

monitoring from an external point of view is made difficult, ensuring that government monitoring or prosecution are impossible “beyond the will of Retroshare users” (drbob07,

Ideals n.pag). The people a user is connected with, his friends, know who he is, what his IP

address is and which files he shares (Retroshare, FAQ n.pag). No one else besides the user’s friends can see this information. To make Retroshare worthwhile it is recommended to start with a group of about five people, but for anonymity it doesn’t matter how many individuals use Retroshare as it is a private network (Retroshare, FAQ n.pag). The network will function well with a couple of friends or with a lot of friends.

Users can communicate with each other via a private chat or via a chat lobby to chat with several friends at once. These chat lobbies can be private, only joinable for those with an

(32)

invitation, or public, joinable for all one’s friends. Moreover, some forums are completely anonymous where no one can tell who posted something and where users can share files anonymously with people who aren’t his friends (Retroshare, FAQ n.pag). A user can only subscribe to forums or channels where at least one of his friends is subscribed to. Therefor, as one’s friend list becomes bigger the amount of material and network availability improve. Because of the width of Retroshare’s services some services are more private than others. To exemplify, public chat lobbies, anonymous forums and channels are publicly visible within the network (drbob07, Privacy n.pag). Messages send from these locations are potentially accessible to other Retroshare users, but aren’t associated with the sender and aren’t

accessible from the outside of the network (drbob07, Privacy n.pag). So, one is anonymous in a sense, but as drbob explains: “to make this decentralised network it is necessary to share some information publicly. The default settings of Retroshare are designed to achieve a good balance between connectivity and privacy” (Privacy n.pag). For an outsider one is relatively anonymous, but for the sake of user experience within the network the user isn’t necessarily. Nevertheless, Retroshare presents an idea of what social networking could be when the individual’s anonymity is considered. It opposes itself to social network sites dependent on corporate systems and centralized servers like Myspace and Facebook (Retroshare n.pag).7 In this way Retroshare offers an alternative to mainstream social networks. Robert Gehl

explains: “To be an alternative, the specific mix of power/freedom in any social media alternative must be different from mainstream SNSs” (2). This is for instance visible in Retroshare’s decentralized architecture and encryption methods with which the platform distances itself from the power mainstream social media networks have over content.

5.1 Encryption method and network topology

Retroshare is encrypted by a combination of the TLS8 protocol for secure communication and the PGP – Pretty Good Privacy - standard for authentication and encryption. TLS is employed to encrypt communication between friends, to encrypt configuration files and to identify friends’ locations (Cyril, Cryptography n.pag). PGP is employed for encrypting the SSL passphrase on disk, for signing SSL certificates and for signing forum posts (Cyril,

Cryptography n.pag). When downloading Retroshare and getting started with the platform, a

7

Contradictory to this opposition, there are Twitter and Facebook share buttons on Retroshare’s blog pages.

8_{The blogposts I’m referring to are written in 2012 and explain Retroshare’s encryption by means of SSL.}

Hiding in Plain Sight: Narratives of Contemporary Online Anonymity