Anonymous' anonymity problem

Anonymity can have its drawbacks.

If your movement has no defined leadership, no structure, no way for people to officially become members, and tries to make a positive of the fact that anyone can claim to be a part of it, then it's very hard to define what's done in the name of the movement and what isn't.

I've spoken to countless journalists and security commentators who have a nightmare trying to report anything to do with Anonymous, because... well... how do you know that something was really done by Anonymous, and not just someone who has chosen to wave that flag?

Take last week's hack of Britain's largest single abortion provider, for instance, by a hacker who identified himself as being part of "Anonymous".

As we reported news of the hacker's arrest and subsequent confession in court, we were inundated with messages claiming that the hack had nothing to do with Anonymous.

But as Naked Security reader "Mrs W" commented, it's not easy to be so cut and dried about that:

If an organisation has no membership roles and no leader, then anyone can claim to be part of them. You can't arbitrarily decide they're acting independently just because you want to distance the group from the act that was committed.

It doesn't take a village to hack a website. No doubt other hacks in the name of Anonymous were perpetrated in similar solitary fashion.

This guy has ties to Anonymous, and he claims to be Anonymous. Isn't that about all you can say of any of them? And if that's not enough, what would someone need to do to prove they are acting on behalf of the group?

My hunch is that the majority of Anonymous supporters wouldn't have approved of the website hack, and certainly not the threat to release details of people who had contacted the British Pregnancy Advisory Service about terminating their pregnancies.

Anonymous hackers have done some pretty nasty stuff in the past, putting innocent individuals at risk and not caring about their welfare in their desire to embarrass or expose businesses or government organisations, but the attack against the abortion service doesn't seem to fit with the normal model.

But a movement which embraces chaos and lack of structure can't have it both ways.

If you're going to let anyone wave the Anonymous flag, if you have no structure that allows an "official" view to be communicated, then you have to accept that you have no more right than the BPAS hacker to decide what can and cannot be done in the name of your movement.

In short, Anonymous doesn't know who it is. And can't know who it is. Because it's made of countless different individuals, all of whom have their own opinions and beliefs about what Anonymous is and what it should be.

Sure, there are Twitter accounts and some websites that attempt to present themselves as semi-official channels for communication by the Anonymous collective, but ultimately they are controlled by a handful of individuals - and are unlikely to represent accurately the wide spectrum of viewpoints belonging to Anonymous participants.

Right now, any spod can buy a "V for Vendetta" mask, make a video in their back bedroom announcing that they're going to bring down Facebook in a month's time, distort their voice and upload it to YouTube.

There are some in the media who will report this as a genuine threat from Anonymous, planning to do something bad. But, frankly, it can't be taken seriously unless or until something actually happens.

Similarly, a tweet from an "official" Anonymous Twitter account claiming that a threatened attack isn't officially sanctioned should be treated with derision. After all, in an anonymous movement, how can a semi-official Twitter account possibly know with absolute certainty whether other supporters have such a plan?

Ultimately, you can't believe anything when it comes to Anonymous.

And I think that's something of a problem for the movement as it tries to communicate what it believes in, and what it wants to change about the world.

Graham Cluley is a senior technology consultant for Sophos and a writer for Sophos Security blog.