On your permanent record

Anonymity, pseudonymity, ephemerality & bears omfg!

Anonymity seems to be all the rage in Silicon Valley and startups lately.

Recently Whisper raised another $30 million (supposedly at a $200 million valuation) bringing its total fundraising to $54 million. Secret announced that it had raised $8.6 million. Then there is YikYak, Shrtwv, Banter, Blink.

But despite the recent investor interest in anonymous apps, some investors like Marc Andreessen have pointed out that just because something is profitable doesn’t mean it is socially redeeming or moral.

Techcrunch summarized the Twitter conversation and some of the recent problems that have emerged with the anonymity apps that are causing discussion amongst venture investors. Sam Altman of YCombinator writes about his view on anonymity here. Mark Suster writes about his thoughts on Secret here.

Marc started his thread with,


I agree with Marc it is an important topic to discuss, but I guess I don’t feel the same need not to criticize startups.

I’m a CEO of a startup again myself and I’ve retired from being a VC (although I remain a limited partner & advisor at Real Ventures). I feel entirely comfortable criticizing this crop of anonymity applications.

Who am I to criticize?

On this topic, I’m not just another voice in the crowd. Despite the astounding $54 million Whisper has raised to build a better TMZ, I still hold the record for the most amount of money ever raised for a company building anonymity systems.

Between 1999 ($5 million series A) & March 2001 ($22 million series C) I raised $77 million for Zero-Knowledge Systems, a company I founded with my brother & father, in addition to putting in $1+million of my own money as seed capital. (I’d like to point out that the last Series C was almost a year after the March 2000 Nasdaq peak of 5,048.62 which would be the start of the crash and was the worst time to raise venture capital in history and was seen as a miracle at the time.)

In our time I was the champion of anonymity. I fought the NSA, FBI, Interpol over digital civil liberties. I was on 60 minutes as the advocate of citizens rights to be anonymous. We build TOR before there was TOR (called the Freedom Network).

In our day I was the chief defender of anonymity & privacy and was referred to as the ‘Enemy of the State’ in media articles more than once.

We fought and contributed to the recall of the Intel Pentium Serial Number chipset (a half baked idea to do internet authentication based on a unique serial number of your chip shared with websites).

All this to say that I know a thing or two about anonymity, pseudonymity, ephemerality and the social implications of the decisions we imbue our products with.

Imbue: to permeate or influence as if by dyeing <the spirit that imbues the new constitution>

The choices we make in our product development and technologies shape the world and create emotional reactions in our users. This is more true in social software then most other sectors.

Positive Roles for Anonymity, Pseudonymity & Selective Identity Disclosure

There are very important roles for anonymity systems if they are properly designed and implemented.

NETWORK ANONYMITY: TOR provides critical network anonymity for a number of very important uses. Bitcoin wallets are looking to use it to protect users from the lack of privacy in the blockchain and the fact that users are literally broadcasting their bitcoin wealth and IP addresses when transacting effectively putting up a ‘come rob me’ sign on their network. This is just one example of the need for network anonymity. Our former Chief Scientist Dr. Ian Goldberg as chair of the TOR foundation ensures that the threat model & implementation of TOR provides the protection that users expect. Attacks against the TOR system are discussed openly continuing a cypherpunk & Zero-Knowledge tradition of not subscribing to security through obscurity.

Human rights workers, citizens seeking anti-censorship techniques, counter-surveillance uses are all among the many benefits of TOR and were the original use cases we envisioned for our Freedom Network.

CRYPTOGRAPHIC PSEUDONYMS: Despite this network layer of anonymity, we never offered anonymous identities. We offered cryptographically assured pseudonymous identities that came with email addresses, public keys and we spent millions developing cryptographic limited disclosure identity credentials that would allow someone to prove they were over 18, or a citizen or member of a group set without ever revealing their real identity.

The reason we never offered anonymous identities or communication, was a basic understanding of iterated prisoners’ dilemma. Conversations, communities, relationships and strong emotional bonds are formed through a social form of iterated prisoners’ dilemma.

When a participant in iterative prisoners’ dilemma has no identity or feels free from the responsibility of their actions in social interactions communities quickly degenerate into a race to the bottom. This is when trolls, abusers and the worst part of our humanity starts to become a strategic advantage in seeing your actions get more attention by continuing to push the envelope of acceptable behaviour.

We chose cryptographic pseudonyms for a reason. So our users could go to Usenet and develop relationships, share their stories, engage in two way communication while having total privacy.

We chose pseudonyms so that we could enforce anti-abuse provisions of shutting down identities that violated our service agreements (such as threatening someone or POTUS which happened more then once). We hired Dr. Adam Back to implement his cryptographic anti-abuse system Hashcash to ensure that pseudonyms were following the network rules.

Pseudonyms had a cost on purpose. Not only to provide us with revenue (which never amounted to a fraction of what the network cost to operate) — but to create a disincentive to use pseudonyms as throw away identities to anonymously harass or abuse people.

Did we have issues of abuse? of course. But the decisions we made imbued our product with a sense of being able to feel totally private & safe from prying eyes on the Internet. We saw thousands of more positive uses of our technology than ever negative.

We felt that the benefits of protecting users from profiling, national security mass snooping and hackers was critical to civil liberties on the Internet. We may have been 14 years too early (or Snowden was 14 years too late) but it was a worthy mission and we considered the consequences of every decision, security architecture and identity decision we made carefully.

We imbued our product, company and marketing with the goal of making the world a better place. We faced the potential issues of abuse ahead of time with strong technology development. We took time to have careful consideration of each policy, technical and operational decision.

TEENAGE IDENTITY EXPERIMENTATION & PRIVACY: I’m the proud uncle of 5 nieces (one nephew). My sister kept my older nieces off facebook and closely monitored their activities to insulate them from predators and some of the social issues affecting young women (and boys) online. My oldest niece is in high school and still does not have a Facebook account.

I’m also the ‘adopted’ uncle to my best friends’ daughter who is a beautiful 13 year old girl who looks like she could be 17. She has hundreds of friends on Facebook. She like many teenagers face new social pressures to establish her identity online mainly through Facebook. She also has been proposed numerous times by predators and child molesters attempting to get her to engage her in numerous age-inappropriate activities.

I’m her friend on Facebook and with her parents we often discuss the social pressure of positive affirmations that her peers provide to do things like selfies. Teens today engage in social exchange by posting selfies and conduct their much of their social lives online. I had to pull her technology challenged parents aside and suggest that they remove snapchat from her phone. She now understands the dangers of snapchat after one of her friends had age-inappropriate photo’s that were suppose to be ephermeral and dissapear captured and shared at school to her shame. I’ve had discussions with her (as have her parents) on how to find the right balance of interacting with her peers while being social and thinking of the long term consequences of her activities being searchable / archived forever.

When Moot (i.e. Chris Poole) spoke at the TED conference a few years ago he we had a great conversation about the value of anonymity in creative experimentation of identity as we develop into adults. I’m a big fan of Chris and the 4Chan community. There is a known expectation of silliness, anonymity, culture hacking and also identity free collaboration that allows that community to work. Personally it’s not my type of community but I think it’s important in that it’s elective. People choose to hangout there and the messages and discussions are ephemeral with their own version of pseudonymity.

A couple of weeks ago Chris sent me this link where he talks about our conversation and some of the nuances of identity and anonymity recently.


(note: Chris missed some details of the full goals of our design for Zero-Knowledge — but the conversation still holds true & to be fair, we had more than a few users who used our service to explore erotica)

The whole concept of how teenagers interact with identity, privacy and pseudonymity is an open problem set. I dislike like the current social default whereby activities are going on their permanent records without any privacy. The expansion of Facebook to younger teenagers I think was premature and I wish a greater thought went into providing them permission to have more selective identity disclosure, but this is not an easy problem.

COMMERCE: I won’t go into the problems that the payments industry (especially bitcoin) face with lack of privacy and anonymity, but this is a huge industry that needs to be remade to provide users with more information self determination while engaging in commercial transactions. The lack of consumer empowerment to be able to authenticate payment validity while not revealing identity information is ridiculous given how long the technologies of privacy have existed. This is true for credit cards, book entry account based payment systems (Paypal etc) and is even more true for bitcoin where the public ledger provides less privacy & selective disclosure control then banking.

Aside from consumer information self determination in commerce, the entire financial products industry will face huge competitive intelligence issues when their trading activities can be data mined on the public blockchain.

DATING: I think there is a huge opportunity to do selective permission based disclosure for the entire dating sector. There is a huge group of people who may not be comfortable throwing themselves out there on Tinder and may want to reveal identity details in stages. I have yet to see someone do a smart, secure and trusted system to encourage staged selective disclosure of identity for a huge sector like dating.

These are just a few quick examples of areas where I think the default behaviour of pseudonymity or anonymity have a huge value. There are many others.

Now How I Really Feel — Criticisms

Recently a reporter (who I really like) wrote about a story I told during a panel discussion I participated in at Montreal’s FailCamp. He commented,

For those who haven’t had the pleasure of meeting Hill, he’s quite a likeable and bright tech geek. When he does public speaking engagements there’s a comfortable air of confidence in his tone, one that I’ve always perceived as “not-giving-a-shit.” This is probably because he’s built so many companies, encountered so much personal and work-related success and failure, made so much money and dealt with so many different people throughout his career.

What he got wrong is that I do give a shit. In fact I care deeply about theses issues. I’ve been building the Internet and involved in online communities / entrepreneurship since 1990. The reason I told the story he wrote about is because I care what kind of companies entrepreneurs create. I view entrepreneurship as almost a religious calling. It is our privilege to look into the future and create another type of world. The reason I told that story at FailCamp is because it was turning point for me where I eventually decided that I wanted to build a future that I could be proud of. It’s the responsibility of an entrepreneur to think of the lasting impact of their service. So when I criticize these companies it’s not because I don’t give a shit. It’s because I care about these issues more than most.


I am going to focus my criticisms on the two well funded companies in this space, Whisper and Secret.

Some criticisms are similar to both companies and some are specific to the individual companies.

A Common Criticism & Their Collective Worst Sin

FALSE EXPECTATION OF ANONYMITY: The security model for both these applications is horrendous and irresponsible. They give the user an illusion of privacy, encourage users to say things without the burden of identity (both in good or bad cases) — but then provide no real anonymity or privacy is deceptive.

What happens when rumors of acquisitions are true and blow up a pending deal and destroy a company. What happens when the civil lawsuits and demands to disclose user information, IP address start to occur. What happens when a libel case, or a harassment case leads to a suicide and the lawsuits fly or criminal prosecution begins to reveal or force the retention of IP information of that user the next time they login. We will see both these companies and their users who thought they were anonymous dragged into court.

Think it won’t happen? Look at your history. From 1994-1996 Penet.fi was the default way to engage in discussions with some anonymity. In it’s third and final compromise the Church of Scientology sued (for the second time) to force the operator to turn over user information and Julf decided that since he couldn’t provide the anonymity users expected the responsible thing to do was shut down the service.

Neither of these companies have done the bare minimum to develop a security model that backs up their claims of anonymity and they both should be ashamed. It is the pinacle of irresponsibility to ignore basic security, cryptography, litigation and network design threat modelling but promote yourself as anonymous.

Criticisms of Whisper

I know that many consider these two companies and applications to be very similar but I don’t. I wrote this company off completely the minute they were celebrating the fact that they were the first to break the rumour that Gwyneth Paltrow was cheating.

Are you kidding me? Out of all the problems on our planet that need our skills as entrepreneurs, out of all the incredible opportunities to improve the lives of our customers or fellow human beings — we need to fund & waste engineering talent to build a better TMZ?

I do not doubt that voyeurism and rumour mongering are popular leading to profitability. It’s the reason why every grocery store check-out isle is packed with tabloid magazines and not Popular Science or The Economist. But really?

What a waste. If you’re an engineer at Whisper with any skills I suggest you recheck you goals & priorities and then start circulating your CV. There are so many worthy startups that are doing meaningful things. So many worthy ideas that need engineering, design or attention. I know Whisper is funded. I know they probably have aspirations of a massive exit. But if you are an engineer at Whisper try never reading anything but InTouch magazine & TMZ for your entire tenure at the company and then decide if that’s how your skills are best utilized.

As for the investors in the company, I’m at a loss. I learned during my time as a VC that VC partnerships are like marriages. It’s impossible to judge any individual one unless you are part of it. I’ve made my fair share of mistakes and compromises in VC partnership meetings where we decided on funding deals, but I seriously question why $54 million in capital decided that of all the opportunities out there an improvement on TMZ was a worthy use of partner time and capital allocation.

Criticisms of Secret

I’ve heard the defenders of Secret reference the incredible PostSecret project a number of times. Amongst the many horrible messages on Secret there are also many heartwarming, funny and touching stories.

Certainly allowing people to open up to a community with messages like discussed in this message do show some redeeming values.

From this article, https://medium.com/p/4ffa1043a0ef
From the same article, https://medium.com/p/4ffa1043a0ef

I’m a huge fan of PostSecret. Meeting Frank Warren and hearing first hand some of the incredible stories that he’s collated and curated was a personal highlight of mine.

At the same time it should be pointed out that Frank after only 6 months and 2 million users voluntarily pulled the PostSecret app off the app store due to overwhelming and in some cases horrific abuse.


Pictures of maps with arrows claiming to point to dumped murdered bodies, harassment and bullying.

Upon the shutdown Frank made the following comment (via CNET article),

“Unfortunately, that absolute anonymity made it very challenging to permanently remove determined users with malicious intent,” Warren wrote on the PostSecret blog today. “99 percent of the secrets created were in the spirit of PostSecret. Unfortunately, the scale of secrets was so large that even 1 percent of bad content was overwhelming for our dedicated team of volunteer moderators who worked 24 hours a day 7 days a week removing content that was not just pornographic but also gruesome and at times threatening.”

Does this mean that attempting to try this again isn’t worthwhile? I’m not ready to go that far. Many things fail, only to succeed at a later time.

David Byttow the founder appears to be very aware of some of the challenges they face and willing to iterate, listen and improve. Putting my criticism about the false expectation of anonymity aside for a moment, here are some specific concerns I have about Secret.

  1. By tapping into people’s social graph and then equipping users of the app with the ability to spread secrets / rumours within a geographic or social graph circle you are upsetting the balance of power for information disclosure. I can easily choose to delete the app, yet a group of my friends (and their friends) can now harass or libel me without my participation. So those who participate and choose to be anonymous, have more power in the spreading of rumors or secrets about others then those who choose to opt out. I don’t know the answer to this, it’s a hard problem. I do believe that a strong cryptographic identity systems based on non-real identity are a big part of the answer. I suggest that the team at Secret start looking at things like “Attack-resistant trust metrics for public key certification”, and the work of it’s author Raph Levien on the Advagato trust metrics in social networks. Thesse systems would allow my friends or me to affect the reputation of a rumour monger. The app and the community could auto-magically filter out those users with negative reputations creating a social negative feedback system whereby the community could split amongst those who like to read trash (which I believe ends up being a small percentage if the community is nurtured properly) and those who enjoy some of the more positive uses of the app. When those who like to post & read trash see that their readership & comments are going down because of their reputation they have less incentive to engage in negative behaviour and there is in fact a cost associated with abuse.
  2. Provide a blinded or selective disclosure double spend identity token for cases of extreme abuse and advertise it prominently to users. Dr. David Chaum and Dr. Stefan Brands both have developed technology that allows for cryptographic anonymity that is reversible in certain situations. An abuse policy that clearly states that certain types of abuse will lead to the abuse team at Secret being able to obtain your phone number or Facebook ID would immediately offset the more extreme types of direct bullying, harrasement or clear violations of terms of service. Clear and obvious disclosure to users of these community guidelines and the conditions upon which their identity might be revealed must be a requirement of this type of system.
  3. For god sake, implement TOR in your app. If for no other reason then to protect yourself against having information that becomes the target of the civil, criminal or hacking attacks.
  4. Provide a clear automated way for users to report or flag abusive secrets and default to removing posts until your abuse team can review. Limit the amount of time a vicious rumor can be posted, or better yet — if a user develops a k/n negative reputation metric force a k/n social graph approval policy before a secret can be posted so that they have to earn back their right to post secrets. (The dangers of people blacklisting unpopular but non-abusive secrets need to be balanced here — you don’t want this system to be used for censorship. The devil are in the details.)

There are probably 15 more ways to improve Secret to allow the best parts of it to grow and pull out the weeds, but the team there will be facing some tough decisions on where they allocate some of their new resources and what kind of community they want.

Anonymity & Identity Matter, Great Communities aren’t Accidental

I’m a big fan of the lean startup model for web / app development but when you are playing in the identity, privacy, anonymity and trust area you need to plan far ahead.

The consequences of failure, the breach of trust and the type of community you build are all dependent on decisions you make that take a lot of time, effort and forethought to deploy.

If you want to build a web-based help desk software, ship early and often.

If you want to play in this space — talk to people who have done it before. Research and learn what has worked and failed before. Do your homework and tread carefully.

-Austin Hill

ps — (for anyone interested in what happened to Zero-Knowledge, we rebuilt the company & product during the midst of the dot.com crash and found a very profitable niche for our technology. Despite an obstructionist VC who made our lives difficult, under the leadership of my father & brother we grew the company to be profitable with more than $50million/year run rate by 2006 with 40% net margins. We did a management buyout of the VC we were saddled with, renamed the company Radialpoint and it still exists today. Although I left in 2007 to do VC, angel investing and another startup, the company did a private equity deal with TA Associates for $98 million that provided liquidity for the founders & employees who stuck with us through the up and downs. Radialpoint remains one of Montreal’s larger tech employers and is actively remaking itself again in new areas beyond security. but that is a story for another day)

pps — (if you are interest in some of our 2000 ideas about anonymity in networks, selective identity disclosure and what kind of future we wanted to build for eCash and private payments, I recently tracked down a copy of the keynote I gave at Computers, Freedom and Privacy in 2000.


— while somewhat embarrassed when I look back at parts of this, we were prophetic in many ways when predicting how privacy could potentially go wrong without a proper investment in infrastructure. Some of the messages in this speech are even more relevant today.)