I.1 Anonymity (FPR_ANO)

Anonymity ensures that a subject may use a resource or service without disclosing its user identity.

User notes

The intention of this family is to specify that a user or subject might take action without releasing its user identity to others such as users, subjects, or objects. The family provides the PP/ST author with a means to identify the set of users that cannot see the identity of someone performing certain actions.

Therefore, if a subject using anonymity performs an action, another subject will not be able to determine either the identity of, or even a reference to the identity of, the user employing the subject. The focus of anonymity is on the protection of the user's identity, not on the protection of the subject's identity; hence, the identity of the subject is not protected from disclosure.

Although the identity of the subject is not released to other subjects or users, the TSF is not explicitly prohibited from obtaining the user's identity. If the TSF is not allowed to know the identity of the user, FPR_ANO.2 could be invoked; in that case the TSF should not request the user's identity information.

The interpretation of "determine" should be taken in the broadest sense of the word. The PP/ST author might want to use a Strength of Function to indicate how much rigour should be applied.

The component levelling distinguishes between the users and an authorised user. An authorised user is often excluded from the component, and therefore allowed to retrieve a user's identity. However, there is no specific requirement that an authorised user must have the capability to determine the user's identity. For ultimate privacy, the components would be used to say that no user or authorised user can see the identity of anyone performing any action.

Although some systems will provide anonymity for all services that are provided, other systems provide anonymity for certain subjects/operations. To provide this flexibility, an operation is included where the scope of the requirement is defined. If the PP/ST author wants to address all subjects/operations, the words "all subjects and all operations" could be provided.

Possible applications include the ability to make enquiries of a confidential nature to public databases, respond to electronic polls, or make anonymous payments or donations.

Examples of potential hostile users or subjects are providers, system operators, communication partners, and users who smuggle malicious parts (e.g. Trojan Horses) into systems. All of these users can investigate usage patterns (e.g. which users used which services) and misuse this information.