Strengthening anonymity in messaging systems

Lead Research Organisation: University College London
Department Name: Computer Science

Abstract

The content of online communications can be made secret through the use of encryption. However, traditional encryption systems do not protect the confidentiality of the meta-data of communications, such as who-is-talking-to-whom, the time and duration of communications, the volume of messages over time, the location and nature of the devices used, user address books and friendship networks. The addresses of web-resources accessed and public files downloaded also constitutes meta-data, that may be inferred despite the use of encryption. Such meta-data, far from being inconsequential, reveal a lot of information about individuals and organizations, their intentions, state of mind and sensitive attributes such as health, sexual practices and preferences, religious affinities and political beliefs and associations.

This research project aims to advance the state of the art in building communication systems, commonly called "anonymous communication" systems, which protect the confidentiality of meta-data. Such systems are already well researched, but there remain important open questions about the feasibility of protecting meta-data cheaply against adversaries that may eavesdrop a large fraction of a network, or may corrupt a number of infrastructure routers. Our project aims to design and evaluate anonymous communications systems that blend different types of traffic, so as to obscure the exact traffic patterns of any of them, and as a result make tracing of who is talking to whom and other meta-data of the channel harder to infer. A difficult problem is achieving this property without resorting to introducing an excessive amount of "cover traffic", overly delaying messages, or dropping messages.

Another key challenge that our project aims to resolve is resistance to long term statistical attacks that have been shown to defeat the anonymity of previous systems. We hope that by delaying the delivery of some types of traffic we will be able to fool attacks that assume communications may not occur unless both parties are on-line. We also aim to support secure group communications that hide from observers who is in a communicating group, and what roles different participants have. Finally, an anonymous channel, like any other network protocol, needs to implement a control system that ensures reliable communications, and prevents congestion. Such control systems are currently leaking sensitive information, and are not secure against adversary manipulations. It is an aim of our project to understand the theory of secure and private control, and implement a secure control system for our channel.

When building security systems it is important to be able to evaluate their security, something that is currently hard and computationally expensive for anonymous communications. The final aim of our project is to develop techniques to measure anonymity that may be scaled to understand the anonymity properties of larger systems. Advances in measuring the anonymity of complex systems will benefit the whole field.

Planned Impact

This project directly contributes to our understanding of privacy enhancing technologies, and in particular the field of anonymous communications. The outcomes of the project will inform the design, analysis and evaluation of privacy technologies.

There are 3 types of beneficiaries of such research:

(1) The academic community working on privacy enhancing technologies will benefit from a deeper understanding of the design space of secure anonymous communications, as well as better security analysis techniques. This is an established field in computer security, and the project addresses important open problems, such as support for heterogeneous traffic patterns, defenses against long term statistical attacks, secure group communications, better evaluation methodologies, and secure & private control systems.

(2) Policy makers will benefit from an understanding of the possibilities and limits of technical protections for privacy. Online privacy is an active topic of policy debate, and our research will elucidate the extent to which we can build network systems that resist pervasive meta-data monitoring. We are in direct dialog with data protection authorities (such as the EU EDPS), the EU's network security agency (ENISA), and civil society organizations such as Privacy International who will directly benefit from the understanding of privacy technologies resulting from the project. Similarly, national security authorities, critical infrastructure protection authorities, and law enforcement will directly benefit from understanding the limits, or possibilities, of secure and private communications.

(3) Civil society and business stakeholders will benefit directly from the outcomes of this research project, through the possible development of tools that strengthen the privacy of communications and protect them against pervasive surveillance. We are in direct contact with a number of stakeholders that provide private communication services to end-users, and a number of our research questions are designed to address open problems in developing such technologies. This project's partner, the LEAP Encryption Access Project, designs, implements and operates a number of private communication services internationally, and have a direct interest in integrating the privacy mechanisms developed through our research into their systems. Similarly, we are in contact with the Electronic Frontier Foundation (EFF) in the US, which has in the past sponsored the operation of anonymous communications systems. Finally, we are in contact with the designers of the Tor anonymizing service, as well as the maintainers of the off-the-record messaging service, to integrate the outcomes of our project into their systems.

Publications

10 25 50
publication icon
Bano S (2019) SoK

publication icon
Borisov N (2015) DP5: A Private Presence Service in Proceedings on Privacy Enhancing Technologies

publication icon
Brandão L (2015) Toward Mending Two Nation-Scale Brokered Identification Systems in Proceedings on Privacy Enhancing Technologies

publication icon
Hayes J (2015) Guard Sets for Onion Routing in Proceedings on Privacy Enhancing Technologies

publication icon
Hemi Leibowitz (2019) USENIX Security 2019

publication icon
Piotrowska Am (2017) The Loopix Anonymity System.

publication icon
Toledo R (2016) Lower-Cost ?-Private Information Retrieval in Proceedings on Privacy Enhancing Technologies

 
Description As part of this grant we studied how to better protect the privacy of communications on networks such as the internet. In particular, even when traditional encryption is used, meta-data about the communications, such as who is talking to whom, how often and the size of the messages they exchange can leak sensitive information about the nature of the communication. We developed a number of mechanisms such as the Loopix system and Miranda to enable communications that hide this meta-data, that are timely and efficient. We also looked at how user can store and query data items from a database without revealing which item they are accessing. The Anotify system does that, and uses an anonymity system as a building block to offer privacy of queries.
Exploitation Route The Nym Technologies start-up, with developers based in London, is using some of the techniques developed in the context of this project. In particular they are using the Loopix anonymity system we developed and the Miranda system. More information here: https://nymtech.net/
Sectors Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Government, Democracy and Justice,Security and Diplomacy

 
Description Our research and work on the Loopix anonymity system form the basis for a set of draft standards and an open source project, called Katzenpost. The standards are now being integrated and tested in email clients. We also developed extensions, such as Miranda, to ensure the anonymous communication channel is reliable despite dishonest relays. The startup https://nymtech.net/ is commercialising technology based on our research. In terms of academic impact the Loopix paper has received 53 citations since published, and Anontify 11.
Sector Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Government, Democracy and Justice,Security and Diplomacy
Impact Types Societal,Economic

 
Description Distributed ledger technology: Blackett review
Geographic Reach National 
Policy Influence Type Gave evidence to a government review
Impact This report sets out the findings of a review exploring how distributed ledger technology can revolutionise services, both in government and the private sector. It covers the: technology governance and regulation security and privacy disruptive potential applications in government global perspectives It recommends 8 actions for government to maximise the opportunities and reduce the risks of this new technology.
URL https://www.gov.uk/government/publications/distributed-ledger-technology-blackett-review
 
Description H2020-EU.3.7.
Amount € 4,543,662 (EUR)
Funding ID 653497 
Organisation European Commission 
Department Horizon 2020
Sector Public
Country European Union (EU)
Start 09/2015 
End 09/2018
 
Description Prof. Danezis (UCL) & Prof. Diaz (KU Leuven) 
Organisation University of Leuven
Department Computer Security and Industrial Cryptography Group
Country Belgium 
Sector Academic/University 
PI Contribution The respective teams of Prof. Danezis and Dr Tariq Elahi (KU Leuven) under the supervision of Prof. Diaz, have collaborated on the topic of the project -- anonymous communications -- to build the Loopix anonymity system, and follow-up work. Both partners integrated their teams to design, implement evaluate and document the Loopix system.
Collaborator Contribution The respective teams of Prof. Danezis and Dr Tariq Elahi (KU Leuven) under the supervision of Prof. Diaz, have collaborated on the topic of the project -- anonymous communications -- to build the Loopix anonymity system, and follow-up work. Both partners integrated their teams to design, implement evaluate and document the Loopix system.
Impact The Loopix anonymity system
Start Year 2017
 
Description UCL (Danezis) & Bar-Ilan (Herzberg) Collaboration 
Organisation Bar-Ilan University
Department Department of Computer Science
Country Israel 
Sector Academic/University 
PI Contribution As part of the EPSRC Project the UCL PI (Danezis) and the Bar-Ilan PI (Herzberg) as well as research collaborators held two meetings, one in Tel-Aviv and one in London, to collaborate on the engineering of anonymous communication channels.
Collaborator Contribution As part of the EPSRC Project the UCL PI (Danezis) and the Bar-Ilan PI (Herzberg) as well as research collaborators held two meetings, one in Tel-Aviv and one in London, to collaborate on the engineering of anonymous communication channels.
Impact This has now yet lead to outputs.
Start Year 2015
 
Title The Loopix anonymity system 
Description The implementation of the Loopix anonymity system, which can be used to evaluate the system or to extend it. 
Type Of Technology Software 
Year Produced 2017 
Open Source License? Yes  
Impact The software was used as the basis of the scientific evaluation of the Loopix anonymity system, and we now make it available to the scientific and wider community to validate our findings, and extend it. 
URL https://github.com/UCL-InfoSec/loopix
 
Title The sphinxmix library 
Description We implement a highly-performant state-of-the art library for encoding and decoding cryptographically messages within an anonymity system. The library has now been used to engineer a number of anonymity systems, including our very own Loopix. 
Type Of Technology Software 
Year Produced 2017 
Open Source License? Yes  
Impact The software package has now been used by multiple research and development projects building and studying anonymity systems. It was used as a reference implementation of the Sphinx anonymity packet format to draft its specification, as a draft standard. 
URL http://sphinxmix.readthedocs.io/en/latest/