Thoughts on Anonymous Communication, Privacy, and Accountability. Includes a discussion of the Dissent system described in her paper with Professor Bryan Ford at EPFL titled “Seeking anonymity in an internet panopticon.”
Professor Joan Feigenbaum: What’s out there now, by way of usable anonymous-communications tools, is Tor. Onion routing is very clever, and Tor is a very impressive system, but it is trying to be a perfectly general Internet substrate for all kinds of anonymous activity. Professor Ford and I both think that that’s probably not realistic. A lot of the intersection attacks and traffic-confirmation attacks – the ones that make Tor not quite as secure against de-anonymization attacks as people wish it were – are in some sense natural concomitants of perfect generality.
Remember the Harvard student who sent an “anonymous” bomb threat because he wanted to disrupt final exams? He used Tor to connect to Guerrilla Mail, a service that provided temporary, disposable email addresses. So why was he caught? The Guerrilla Mail headers revealed that the service had been accessed through Tor. Law-enforcement agents suspected that the threat had been sent by a Harvard student, given that it was timed to disrupt final exams. So they checked to see who was using Tor on the Harvard network at the time the threat was sent; that quickly led them to the culprit, who confessed when they confronted him.
That kind of intersection attack has foiled many Tor users. An application or service (in this case Guerrilla Mail) is accessed through Tor and used for some suspect activity. The particulars of the act (in this case disruption of Harvard exams) indicate that the user was probably on a certain network or ISP at a certain time. The number of Tor users on that network at that time turns out to be small enough to enable human agents to investigate further and identify the one they want.
Vivek Gopalan: Is that similar to looking at the footprint of traffic? Is being on Tor an identifiable traffic pattern?
JF: No, intersection attacks are not about traffic patterns. They’re about the basic fact that the local network or ISP knows who’s using Tor at any given time. If the rest of the facts of the case narrow things down to few enough networks and a narrow enough window of time, there can be just a small number of users who need to be investigated.
VG: How does the Dissent system that you worked on with Prof. Ford work?
JF: Dissent uses very different techniques from Tor. Its basic approach is called group anonymity. An individual user must be part of a Dissent group. The (provable) anonymity property guaranteed by the Dissent protocol is that anyone who receives a message from a Dissent user can only figure out which Dissent group the message was sent from; from the recipient’s point of view, all individual members of the group are equally likely to be the sender. It is natural to think of a Dissent group as a community of authoritative figures who collectively bestow credibility and importance on whatever they wish to communicate but who could suffer negative consequences individually if identified as the source of a communication. For example, an entire government agency may wish to form a Dissent group in order to support whistleblowing. A group of senior investigative journalists could form a Dissent group in order to report on wrongdoing by powerful people. Unlike Tor, Dissent does not use onion routing. Its key technical ingredients are verifiable shuffles and dining-cryptographers (DC) nets. How widely useful Dissent can be will depend on whether we can devise protocols for group formation outside of the context of well-defined organizations and professions.
VG: In your informational video for PriFi, you describe the parking lot attack. [PriFi is an anonymous communications platform co-developed by researchers at Yale and EPFL.] I think our expectations of privacy have changed even over the last ten years. In the early days of instant messaging, nearly everything was plaintext. If you were on the same network as someone else, you could theoretically eavesdrop on whatever “Alice” was saying to “Bob.” But now we have encryption ...
JF: We have encryption, but there’s a lot of plaintext out there! In general, there’s still very little routine effort put into keeping things private. Even when using shared printers, as many of us do, people very rarely ask themselves “who is going to be able to view this document?” I would never print a highly sensitive document on a shared printer. Someone else could walk away with it by accident! (BTW, picking up someone else’s document by accident is something that actually happens – I once picked up someone else’s boarding pass along with my own long document that came out just before it. Fortunately, I was able to find the person and give her the boarding pass before she left for the airport!) And printers have memories; the contents of your document are stored for some time after you walk away with the paper copies. An attacker in your own organization could extract those bits from the printer after you use it and return to your office.
I know that sounds paranoid, but I’ve described a low-tech attack that’s quite doable and has no doubt been done many times. Just by living, you create a lot of “data exhaust” about exactly where you are, what you’re doing, and whom you’re communicating with at every minute of every day. Hiding it all requires a lot more effort than most people are willing to put in – even people who claim that they really care about privacy.
VG: I think my outlook is that I’m unimportant enough that it’s safe to assume nothing really bad will actually happen just to me.
JF: Yeah – the “strength in numbers” argument. People have been saying for many years “I don’t worry about my bank’s information security because, if there’s a breach of [Fill in the name of a major bank], I’m going to be one of many millions of people affected. Someone’s going to have to do something to repair the damage, and I don’t need to worry.” That may be a bit naive, but it isn’t crazy to feel that way.
Look, there have been a number of breaches that affected millions of people, but somehow the institutions breached and the government have been able to prevent massive individual losses. It’s just not safe to assume that that kind of damage repair will always be possible.