What Does Anonymity Mean in the Context of a Collaboration Platform?

Chris Roblee
Published in TruSTAR Blog
3 min read · Mar 3, 2016

Anonymous: Without any name acknowledged, as that of author, contributor, or the like.

At TruSTAR we spend lots of time thinking about anonymity and what it means in the context of cyber collaboration. One of the fundamental tenets of our approach is that anonymity is essential to make collaboration at scale a reality. But anonymity is a loaded concept that has several connotations within cyber security. Here we want to step through how we think about practical anonymity and the role it plays in our solution architecture.

For us in particular, anonymity is the ability for a company to provide threat indicators and security measures to other member firms without other companies, government, or TruSTAR itself being able to determine who transmitted the information, whether by technical means or by reviewing the content of a report.

We also want to be clear that we’re not using anonymity and privacy as interchangeable concepts. In general, we see privacy as having even more stringent criteria than anonymity. In simplistic terms, anonymity is about hiding who has performed certain actions, and privacy, in addition to anonymity, is about hiding what actions have been performed.

Conceptually we distill anonymity into three distinct pillars:

  1. Content Anonymity is about removing attributable information from a message or document to mask the author’s identity. For example, redacting company names, employee names, addresses, company IP addresses, URLs, and product names or services. We have built client-side redaction tools that allow users to remove information that matches a customizable redaction library. We do not have access to these individual customer redaction libraries. Additionally, we use natural language processing to identify probable sensitive and personally identifiable information to prevent members from inadvertently transmitting data which may contain attributable content (e.g., “Oops, I forgot to take out Bill’s email!”). This capability highlights sensitive information and allows the user to validate and further redact potentially attributable information.
  2. Communication Anonymity refers to the inability to link a sender with having sent a specific message, or the recipient with having received a specific message. Technologies exist, like Tor and other proxy/routing solutions, that provide full one-way, sender anonymity. One of the fundamental benefits of joining the TruSTAR community is that it is a vetted network; once you are part of the community we provide the mechanism to anonymously interact with other vetted members. Being able to satisfy this requirement is a two-part problem. First, you have to be able to anonymously authenticate to ensure you are a member of the community without revealing any attributable information. Second, you need to be able to communicate with other members of the community without revealing your identity. We use a combination of public domain anonymous authentication protocols that are built on asymmetric key encryption techniques. Andrew Lindell has published an excellent paper on this topic, which includes mathematical proofs of verifiability.
  3. Administrative Anonymity is about understanding our users’ motivations and designing the right policies and operational controls to preserve anonymity. Technology by itself is not sufficient in addressing concerns regarding anonymity. Machine-generated log and protocol data can contain information potentially identifiable to a device, a network, an application, or a location. We have controls that define the type of data we choose to collect and retain during a user’s session on our platform. All of our policies and controls are designed to minimize collection of telemetry that can link a session or transactions to a specific user.
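
A sketch of the client-side flow described under Content Anonymity, added here as an illustration and not TruSTAR's code: a local redaction library is applied first, then detectors flag probable identifiers for the user to confirm or keep. The library entries, sample report, function names and the regex detectors (a stand-in for the natural language processing step) are all assumptions.

```python
import re

# Constructed redaction library; it stays on the client and is never uploaded.
REDACTION_LIBRARY = {
    "Acme Corp": "[COMPANY]",
    "acme.example": "[DOMAIN]",
    "Bill Smith": "[EMPLOYEE]",
    "198.51.100.7": "[COMPANY-IP]",
}

# Regex detectors standing in for the NLP step. They only flag candidates,
# because an IP or address may be a threat indicator the member wants to share.
# The email pattern also accepts an already-redacted domain such as "[DOMAIN]",
# so a library hit on the domain cannot hide a leftover local part.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@(?:\[[A-Z-]+\]|[\w-]+(?:\.[\w-]+)+)"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def redact(text, library=REDACTION_LIBRARY):
    """Replace every library term (case-insensitive), longest term first."""
    for term in sorted(library, key=len, reverse=True):
        text = re.sub(re.escape(term), library[term], text, flags=re.IGNORECASE)
    return text


def flag_probable_pii(text):
    """Return (kind, value) candidates for the user to review."""
    hits = []
    for kind, pattern in DETECTORS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def prepare_report(text, confirmed=()):
    """Apply the library, redact values the user confirmed, re-flag the rest."""
    cleaned = redact(text)
    for value in confirmed:
        cleaned = cleaned.replace(value, "[REDACTED]")
    return cleaned, flag_probable_pii(cleaned)


# Constructed sample report: 203.0.113.9 is the indicator worth sharing.
SAMPLE = ("Acme Corp host 198.51.100.7 received mail from 203.0.113.9. "
          "Contact bill.smith@acme.example or Bill Smith for the headers.")

if __name__ == "__main__":
    draft, flagged = prepare_report(SAMPLE)
    print(draft, flagged, sep="\n")
```

In the first pass the library removes the company, host and employee name but leaves `bill.smith@[DOMAIN]`, which the detector flags; a second call with that value in `confirmed` removes it while the external indicator stays in the report.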

We do not claim to have cracked the problem of “perfect anonymity”, and we would challenge anyone to point us towards such a scheme that can work in a real-world solution. The inevitable electronic trail of machine-generated data left by infrastructure, even if not all of it is recorded and stored, makes complete anonymity very difficult or impossible to achieve. Our solution architecture takes some big steps towards the ideal of perfect anonymity, while maintaining the usability of the platform and the benefits that members expect when joining the TruSTAR community. Our goal is to provide a pragmatic solution for enterprise cyber security teams that want to collaborate and address incidents that are affecting multiple companies across different sectors. As always, we’re interested in your comments and thoughts, so please don’t hesitate to start a dialogue!
