Hang With Your Buddies to Resist Intersection Attacks

Some anonymity schemes might in principle protect users from pervasive network surveillance - but only if all messages are independent and unlinkable. Users in practice often need pseudonymity - sending messages intentionally linkable to each other but not to the sender - but pseudonymity in dynamic networks exposes users to intersection attacks. We present Buddies, the first systematic design for intersection attack resistance in practical anonymity systems. Buddies groups users dynamically into buddy sets, controlling message transmission to make buddies within a set behaviorally indistinguishable under traffic analysis. To manage the inevitable tradeoffs between anonymity guarantees and communication responsiveness, Buddies enables users to select independent attack mitigation policies for each pseudonym. Using trace-based simulations and a working prototype, we find that Buddies can guarantee non-trivial anonymity set sizes in realistic chat/microblogging scenarios, for both short-lived and long-lived pseudonyms.Comment: 15 pages, 8 figure

Conscript Your Friends into Larger Anonymity Sets with JavaScript

We present the design and prototype implementation of ConScript, a framework for using JavaScript to allow casual Web users to participate in an anonymous communication system. When a Web user visits a cooperative Web site, the site serves a JavaScript application that instructs the browser to create and submit "dummy" messages into the anonymity system. Users who want to send non-dummy messages through the anonymity system use a browser plug-in to replace these dummy messages with real messages. Creating such conscripted anonymity sets can increase the anonymity set size available to users of remailer, e-voting, and verifiable shuffle-style anonymity systems. We outline ConScript's architecture, we address a number of potential attacks against ConScript, and we discuss the ethical issues related to deploying such a system. Our implementation results demonstrate the practicality of ConScript: a workstation running our ConScript prototype JavaScript client generates a dummy message for a mix-net in 81 milliseconds and it generates a dummy message for a DoS-resistant DC-net in 156 milliseconds.Comment: An abbreviated version of this paper will appear at the WPES 2013 worksho

Privacy, Visibility, Transparency, and Exposure

This essay considers the relationship between privacy and visibility in the networked information age. Visibility is an important determinant of harm to privacy, but a persistent tendency to conceptualize privacy harms and expectations in terms of visibility has created two problems. First, focusing on visibility diminishes the salience and obscures the operation of nonvisual mechanisms designed to render individual identity, behavior, and preferences transparent to third parties. The metaphoric mapping to visibility suggests that surveillance is simply passive observation, rather than the active production of categories, narratives, and, norms. Second, even a broader conception of privacy harms as a function of informational transparency is incomplete. Privacy has a spatial dimension as well as an informational dimension. The spatial dimension of the privacy interest, which the author characterizes as an interest in avoiding or selectively limiting exposure, concerns the structure of experienced space. It is not negated by the fact that people in public spaces expect to be visible to others present in those spaces, and it encompasses both the arrangement of physical spaces and the design of networked communications technologies. U.S. privacy law and theory currently do not recognize this interest at all. This essay argues that they should

TARANET: Traffic-Analysis Resistant Anonymity at the NETwork layer

Modern low-latency anonymity systems, no matter whether constructed as an overlay or implemented at the network layer, offer limited security guarantees against traffic analysis. On the other hand, high-latency anonymity systems offer strong security guarantees at the cost of computational overhead and long delays, which are excessive for interactive applications. We propose TARANET, an anonymity system that implements protection against traffic analysis at the network layer, and limits the incurred latency and overhead. In TARANET's setup phase, traffic analysis is thwarted by mixing. In the data transmission phase, end hosts and ASes coordinate to shape traffic into constant-rate transmission using packet splitting. Our prototype implementation shows that TARANET can forward anonymous traffic at over 50~Gbps using commodity hardware

Missing Privacy Through Individuation: the Treatment of Privacy Law in the Canadian Case Law on Hate, Obscenity, and Child Pornography

Privacy is approached differently in the Canadian case law on child pornography than in hate propaganda and obscenity cases. Privacy analyses in all three contexts focus considerable attention on the interests of the individuals accused, particularly in relation to minimizing state intrusion on private spheres of activity However, the privacy interests of the.equality-seeking communities targeted by these forms of communication are more directly addressed in child pornography cases than in hate propaganda and obscenity cases. One possible explanation for this difference is that hate propaganda and obscenity simply do not affect the privacy interests of targeted groups and their members. In contrast, this paper suggests that this difference in approach reflects the adoption of an individualistic approach to privacy that may unnecessarily place it in tension with equality. In so doing, it sets the stage for an exploration of more social approaches to privacy that may better enable exploration of privacy\u27s intersections with equality and its collective value to the community as a whole

The fair information principles: a comparison of U.S. and Canadian Privacy Policy as applied to the private sector

U.S. consumers are worried about their privacy and their personal information. High profile cases of identity theft involving companies losing the private information of hundreds of thousands of customers have only served to elevate the mistrust consumers have for companies that collect and share their personal information. The Federal Trade Commission (FTC) is charged with protecting U.S. consumers from fraud, deception, and unfair business practices in the marketplace; a task made difficult by an overarching need to balance the rights of the individuals against the security needs of the country and the free flow of information required by a free market economy. The FTC has asked U.S. companies to follow the Fair Information Practices developed by the U.S. government in 1973, but does not require adherence to those standards. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) was passed in 2000 to address the similar privacy concerns of their consumers. PIPEDA is based on the Fair Information Principles and requires that companies implement those principles. The Privacy Policy Rating System (PPRS) has been developed for this thesis as a method of rating company privacy policies for how they compare to the Fair Information Principles. Using both the PPRS content analysis technique and a standard stakeholder analysis technique, company privacy policies in both countries are examined to address the question of which government\u27s privacy policy is doing a better job of achieving the Fair Information Principles. The lessons learned in this comparison are used to formulate policy recommendations to improve U.S. privacy policy for better adherence among U.S. companies to the Fair Information Principles

Anonymous reputation based reservations in e-commerce (AMNESIC)

Online reservation systems have grown over the last recent years to facilitate the purchase of goods and services. Generally, reservation systems require that customers provide some personal data to make a reservation effective. With this data, service providers can check the consumer history and decide if the user is trustable enough to get the reserve. Although the reputation of a user is a good metric to implement the access control of the system, providing personal and sensitive data to the system presents high privacy risks, since the interests of a user are totally known and tracked by an external entity. In this paper we design an anonymous reservation protocol that uses reputations to profile the users and control their access to the offered services, but at the same time it preserves their privacy not only from the seller but the service provider