Anonymous Communication for Messengers via “Forced” Participation

Thu 23Nov2017

David Sommer, ETH Zurich

From 12.00 until 13.30

At CNB/F/110 (Lunch) + CNB/F/100.9 (Seminar), ETH Zurich

Universitätstrasse 6, 8092 Zurich


Anonymous communication networks (ACNs) are basic building blocks for obtaining or exchanging data in a privacy-preserving manner. ACNs suffer from a bootstrapping problem: having few users leads to a small anonymity set, which renders the ACN unattractive.  We propose a system, CoverUp, that tackles the bootstrapping problem for ACNs. The key idea is to draw in non-ACN users from a collaborating website to connect to an ACN (after an informed consent), thereby “forcing” them to passively participating. Additionally, the traffic of non-ACN users is indistinguishable from (intentional) ACN-users. We protect “forced” participants from incriminating information by ensuring that the information from the broadcast can only be extracted with an additional application. For ACNs with broadcasting applications in mind, CoverUp achieves this indistinguishability against global network-level attackers that control everything except for the user’s machine.  In addition, as long as ACN-users do not change their surfing behavior on these websites due to CoverUp, they do not leak the time at which they use the ACN, which counters intersection and statistical disclosure attacks.  CoverUp achieves a downlink rate of 50 to 150 Kbit/s.  As “forcing” participation raises ethical and legal concerns for the collaborating websites and the “forced” users, we discuss these concerns and describe how they can be addressed.  We extend CoverUp to bi-directional point-to-point communication (e.g., messengers), for ACNs with constant-rate traffic. For ensuring the indistinguishability in the presence of an uplink, we need to ensure that the way we “force” non-ACN users to connect to the ACN is unaltered, for which we use a trusted party.  We give evidence that with a latency of 2 seconds (including the random delays) the timing leakage is undetectable, even after a year of continual observation. As long as the timing leakage is undetected, CoverUp for bi-directional communication achieves the same properties as for broadcasts, against a network-level attacker that controls everything except for the user’s machine and the trusted party. 

Download Event to Calendar