Strengthening anonymity in messaging systems

The content of online communications can be made secret through the use of encryption. However, traditional encryption systems do not protect the confidentiality of the meta-data of communications, such as who-is-talking-to-whom, the time and duration of communications, the volume of messages over time, the location and nature of the devices used, user address books and friendship networks. The addresses of web-resources accessed and public files downloaded also constitutes meta-data, that may be inferred despite the use of encryption. Such meta-data, far from being inconsequential, reveal a lot of information about individuals and organizations, their intentions, state of mind and sensitive attributes such as health, sexual practices and preferences, religious affinities and political beliefs and associations.

This research project aims to advance the state of the art in building communication systems, commonly called "anonymous communication" systems, which protect the confidentiality of meta-data. Such systems are already well researched, but there remain important open questions about the feasibility of protecting meta-data cheaply against adversaries that may eavesdrop a large fraction of a network, or may corrupt a number of infrastructure routers. Our project aims to design and evaluate anonymous communications systems that blend different types of traffic, so as to obscure the exact traffic patterns of any of them, and as a result make tracing of who is talking to whom and other meta-data of the channel harder to infer. A difficult problem is achieving this property without resorting to introducing an excessive amount of "cover traffic", overly delaying messages, or dropping messages.

Another key challenge that our project aims to resolve is resistance to long term statistical attacks that have been shown to defeat the anonymity of previous systems. We hope that by delaying the delivery of some types of traffic we will be able to fool attacks that assume communications may not occur unless both parties are on-line. We also aim to support secure group communications that hide from observers who is in a communicating group, and what roles different participants have. Finally, an anonymous channel, like any other network protocol, needs to implement a control system that ensures reliable communications, and prevents congestion. Such control systems are currently leaking sensitive information, and are not secure against adversary manipulations. It is an aim of our project to understand the theory of secure and private control, and implement a secure control system for our channel.

When building security systems it is important to be able to evaluate their security, something that is currently hard and computationally expensive for anonymous communications. The final aim of our project is to develop techniques to measure anonymity that may be scaled to understand the anonymity properties of larger systems. Advances in measuring the anonymity of complex systems will benefit the whole field.

This project directly contributes to our understanding of privacy enhancing technologies, and in particular the field of anonymous communications. The outcomes of the project will inform the design, analysis and evaluation of privacy technologies.

There are 3 types of beneficiaries of such research:

(1) The academic community working on privacy enhancing technologies will benefit from a deeper understanding of the design space of secure anonymous communications, as well as better security analysis techniques. This is an established field in computer security, and the project addresses important open problems, such as support for heterogeneous traffic patterns, defenses against long term statistical attacks, secure group communications, better evaluation methodologies, and secure & private control systems.

(2) Policy makers will benefit from an understanding of the possibilities and limits of technical protections for privacy. Online privacy is an active topic of policy debate, and our research will elucidate the extent to which we can build network systems that resist pervasive meta-data monitoring. We are in direct dialog with data protection authorities (such as the EU EDPS), the EU's network security agency (ENISA), and civil society organizations such as Privacy International who will directly benefit from the understanding of privacy technologies resulting from the project. Similarly, national security authorities, critical infrastructure protection authorities, and law enforcement will directly benefit from understanding the limits, or possibilities, of secure and private communications.

(3) Civil society and business stakeholders will benefit directly from the outcomes of this research project, through the possible development of tools that strengthen the privacy of communications and protect them against pervasive surveillance. We are in direct contact with a number of stakeholders that provide private communication services to end-users, and a number of our research questions are designed to address open problems in developing such technologies. This project's partner, the LEAP Encryption Access Project, designs, implements and operates a number of private communication services internationally, and have a direct interest in integrating the privacy mechanisms developed through our research into their systems. Similarly, we are in contact with the Electronic Frontier Foundation (EFF) in the US, which has in the past sponsored the operation of anonymous communications systems. Finally, we are in contact with the designers of the Tor anonymizing service, as well as the maintainers of the off-the-record messaging service, to integrate the outcomes of our project into their systems.