Otherwise Occupied
 


Internet anonymity ain't dead yet.
gregh  2007-03-21 11:09           

[The following was largely spawned by a Cyberspace Law class last night, and the repeated suggestions that we must authenticate users before we allow them to "use the Internet" so that we may track down evildoers.]

Are we really heading toward the end of a (relatively) anonymous Internet? I don't think so.

To properly answer this, it's important to consider how the Internet is constructed. Sure, you'll often read accounts of your data traveling across the Internet's "backbone." The problem is, there isn't a single backbone. The internetwork that is the Internet is composed of numerous independent network backbones that interconnect. For any one node on any one of those backbones to identify with any certainty the sender of a packet would require a vast identity infrastructure that simply is nowhere near existence. However, it's possible that this extreme example of the impossibility of defeating anonymity is more than what some consider necessary. In fact, I know it is, based on class discussion.

Let's take another popular example that has been used: all users must authenticate their identities before they are allowed to "connect to the Internet." The obvious first question I have to ask is "To whom must they authenticate?" This is not an easy question to answer.

Is the answer the user's Internet Service Provider? If so, who's going to mandate that? If it's the ISP who mandates this, what other limitations of service will the ISP then have to place on the user to enforce this authentication? A user who wishes to remain anonymous will simply tunnel traffic through an anonymizing conduit, whether this is an application like Tor, or wilder approaches like tunneling one application layer protocol through another.

This raises another problem: who authenticates the conduit? Not all Internet "users" are discrete individuals. Many are servers providing services, remote access devices providing connectivity, or bots gathering and processing data. Who authenticates every process that connects to the Internet? Who do these processes authenticate to?

Finally, are users going to be expected to authenticate to every peer process? This suggests that every process and every user on the Internet will use a single authentication mechanism, or sufficient federation will have to exist for these authentications to take place. Who's going to write the software that allows the millions of autonomous servers, routers, switches, and other devices connected to the Internet to be able to carry out these authentications so that anonymous actors may eventually be identified?

My point is this: until everything authenticates, there is no forced, universal authentication to "connect" to the Internet. As long as unauthenticated systems exist, and as long as owners of some of those systems prize anonymity, a step as limited as forcing users to properly authenticate to an ISP before using the Internet (a concept that has still more questions) will not kill one's ability to act anonymously, nor will it lead to discoverable identification of anonymous sources.
