
Faculty of Economic Sciences, Communication and IT
Computer Science

DISSERTATION

Karlstad University Studies 2007:48

Christer Andersson

Design and Evaluation of Anonymity Solutions for Mobile Networks


Christer Andersson. Design and Evaluation of Anonymity Solutions for Mobile Networks

DISSERTATION

Karlstad University Studies 2007:48
ISSN 1403-8099
ISBN 978-91-7063-152-8

© The author

Distribution:
Faculty of Economic Sciences, Communication and IT
Computer Science
SE-651 88 Karlstad
SWEDEN
+46 54-700 10 00

www.kau.se

Printed at: Universitetstryckeriet, Karlstad 2007


Abstract

Internet and mobile communications have had a profound effect on today’s society. New services are constantly being deployed, in which personal data are being processed in return for personally tailored services. While mobile networks lay the groundwork for new innovative services, at the same time they pose numerous privacy challenges. There is the risk that honest citizens participating in mobile communications will have their privacy invaded for “the greater good”. We stress the importance of empowering individuals so that they can retain control over their personal spheres. The goal of this thesis is to design and evaluate anonymous overlay networks adapted for mobile networks that allow users to control which information leaves their personal spheres in a mobile communication.

By using a particular anonymity solution, an anonymous overlay network, users can communicate with their peers without disclosing their network identities. In this thesis, we propose three different anonymous overlay networks tailored for mobile networks. First, two approaches are proposed for anonymous browsing on the mobile Internet, namely mCrowds and a Tor-based approach. By applying theoretical analysis and/or practical experiments, we show that these approaches offer an appropriate tradeoff between the offered degree of anonymity and performance loss. Second, an anonymous overlay network for use in mobile ad hoc networks – Chameleon – is suggested.

Besides the actual design of these anonymous overlay networks, this thesis provides novel contributions in other essential areas of privacy protection and anonymous communication. First, non-technical aspects of privacy protection are also thoroughly discussed, including legal, social, and user interface aspects. Second, we survey existing metrics for quantifying anonymity and also propose new ideas regarding anonymity metrics. Third, we review and classify existing mechanisms for anonymous communication in mobile ad hoc networks. Lastly, we also propose a cryptographic technique for building up the user base of an anonymous overlay network in a secure and privacy-friendly manner.

Keywords: privacy, anonymity, anonymous overlay networks, anonymity metrics, pseudonymity, identity management, mobile Internet, location based services, mobile ad hoc networks.


Acknowledgments

First, many thanks to Simone Fischer-Hübner for being such a good and helpful supervisor. Also, thanks to my other co-authors, especially Reine Lundin and Leonardo Augusto Martucci, and to my secondary supervisors Dogan Kesdogan and Thijs J. Holleboom. Many thanks also go to my friends and (current or previous) office mates Leonardo “Augo” Martucci and Torbjörn Andersson: I have collaborated and discussed a lot with Leonardo A. Martucci, while Torbjörn Andersson deserves a big thank you for helping me set up the experiment for Paper III. Moreover, thanks to my other colleagues in the PRISEC research group, including friend and former colleague Albin Zuccato, for giving helpful advice and providing constructive criticism, as well as to my other colleagues at the Department of Computer Science for making it such a friendly and inspiring workplace. Also thanks to all new friends I have met through the Swedish IT Security Network for PhD Students (SWITS), especially from the information security groups at Chalmers Tekniska Högskola and Blekinge Tekniska Högskola, and the Security and Privacy Research Group at RWTH Aachen for being such good hosts during my stay in Aachen, Germany, in November 2006. As life is more than work, I also owe my hobbies – fishing and football – a big thank you. Last but not least, many thanks to my family, friends, and my beloved girlfriend Mari.

My research has partly been funded by the EU 6th Framework project PRIME (Privacy and Identity Management in Europe) and the FIDIS (Future of Identity in the Information Society) Network of Excellence.

Pluralities of thank you!

Karlstad, November 2007 Christer Andersson


List of Appended Papers

The thesis comprises the following nine papers. References to the papers are made using the Roman numerals associated with the papers, such as “Paper I”.

I. Simone Fischer-Hübner and Christer Andersson. Privacy Risks and Challenges for the Mobile Internet. In Proceedings of the IEE Summit on Law and Computing, London, UK, 2 Nov 2004.

This paper presents some results that were also reported in:

• Simone Fischer-Hübner and Christer Andersson, editors. PRIME Public deliverable D14.0.a - Framework V0, 9 Jun 2004. For more information see https://www.prime-project.eu/prime products/reports/fmwk/.

• Simone Fischer-Hübner, Christer Andersson, and Thijs J. Holleboom, editors. PRIME Public deliverable D14.1.a - Framework V1, 13 Jun 2005. For more information see https://www.prime-project.eu/prime products/reports/fmwk/.

II. Christer Andersson and Reine Lundin. On the Fundamentals of Anonymity Metrics. In Proceedings of the IFIP WG 9.2, 9.6/11.7 Summer School on Risks and Challenges of the Network Society, Karlstad, Sweden, 6–10 Aug 2007.

III. Christer Andersson, Reine Lundin, and Simone Fischer-Hübner. Privacy Enhanced WAP Browsing with mCrowds – Anonymity Properties and Performance Evaluation of the mCrowds System. In Hein Venter, Jan Eloff, Les Labuschagne, and Mariki Eloff, editors, Proceedings of the ISSA 2004 Enabling Tomorrow Conference, Gallagher Estate, Midrand, South Africa, 30 Jun – 2 Jul 2004.

IV. Christer Andersson and Andriy Panchenko. Practical Anonymous Communication on the Mobile Internet using Tor. In Proceedings of the 3rd International Workshop on the Value of Security through Collaboration (SECOVAL 2007), held in conjunction with the 3rd International Conference on Security and Privacy in Communication Networks (SecureComm 2007), IEEE Xplore Digital Library, Nice, France, 17 Sep 2007.

V. Christer Andersson, Leonardo Martucci, and Simone Fischer-Hübner. Requirements for Privacy-Enhancements in Mobile Ad Hoc Networks. In Armin B. Cremers, Rainer Manthey, Peter Martini, and Volker Steinhage, editors, 3rd German Workshop on Ad Hoc Networks (WMAN 2005), Proceedings of INFORMATIK 2005 - Informatik LIVE! Band 2, Gesellschaft für Informatik (GI) Jahrestagung (2), volume 68 of LNI, pages 344–348, Bonn, Germany, 19–22 Sep 2005.

The paper extends results also reported in:

• Günter Müller and Sven Wohlgemuth, editors. FIDIS Deliverable 3.3: Study on Mobile Identity Management, 9 May 2005. Also available as http://www.fidis.net/fileadmin/fidis/deliverables/fidis-wp3-del3.3.studyon mobile identity management.pdf.

VI. Leonardo A. Martucci, Christer Andersson, and Simone Fischer-Hübner. Towards Anonymity in Mobile Ad Hoc Networks: The Chameleon Protocol and its Anonymity Analysis. Karlstad University Studies 2006:35, Karlstad University, Sweden, Aug 2006.

The paper is an extended version of:

• Leonardo A. Martucci, Christer Andersson, and Simone Fischer-Hübner. Chameleon and the Identity-Anonymity Paradox: Anonymity in Mobile Ad Hoc Networks. In Short-Paper Proceedings of the International Workshop on Security (IWSEC 2006), pages 123–134, Kyoto, Japan, 23–24 Oct 2006.

VII. Christer Andersson, Leonardo A. Martucci, and Simone Fischer-Hübner. Privacy & Anonymity in Mobile Ad Hoc Networks. Book chapter in Yan Zhang, Jun Zheng, and Miao Ma, editors, Handbook of Research on Wireless Security, Information Science Reference, USA, to be published in Jan 2008.

VIII. Christer Andersson, Markulf Kohlweiss, Leonardo A. Martucci, and Andriy Panchenko (alphabetical order). Self-certified Sybil-Free Pseudonyms: Introducing Privacy in Infrastructureless Wireless Networks. Submitted for publication.

IX. Christer Andersson, Jan Camenisch, Stephen Crane, Simone Fischer-Hübner, Ronald Leenes, Siani Pearson, John Sören Pettersson, and Dieter Sommer (alphabetical order). Trust in PRIME. In Proceedings of the 5th IEEE Int. Symposium on Signal Processing and IT, Athens, Greece, 18–21 Dec 2005.

Minor editorial changes have been made to some of the papers.


Comments on my Participation

• Paper I: My primary contributions are Sections 2 and 6.1, as well as parts of Section 6.2. The scenarios in Section 2 are based on previous work by the authors and other contributors in the public PRIME deliverable Framework V0;

• Paper II: Most of the paper writing was done by me, although Reine Lundin contributed with ideas for most sections. Especially, the underlying ideas in Section 4 constitute a collaborative effort between Reine and myself;

• Paper III: I am responsible for most of the written material. The underlying ideas constitute a collective effort between myself and Reine Lundin. Section 3.2 is based on a previous analysis of the performance properties in Crowds/mCrowds by Reine Lundin. The implementation of the prototype was mainly done by myself, although Reine Lundin contributed with ideas. Simone Fischer-Hübner mainly served as a supervisor (by contributing to the ideas, approaches, and outline of the paper);

• Paper IV: The writing of the paper and the conducting of the experiments were mainly done by me, although Andriy Panchenko contributed with ideas regarding the paper content, the outline of the paper, and the experimental design;

• Paper V: I am responsible for most written material. The underlying ideas stem from a collective effort by myself and Leonardo A. Martucci, while Simone Fischer-Hübner mainly served as a supervisor (by discussing the project and paper with us). As input to the analysis, a previous analysis by Leonardo A. Martucci was used;

• Paper VI: Leonardo A. Martucci proposed the initial sketch for the protocol, which was later refined and described using state transition diagrams collectively by myself and Leonardo. Leonardo A. Martucci was mainly responsible for describing the protocol, while Christer Andersson was mainly responsible for the theoretical analysis and anonymity evaluation. Simone Fischer-Hübner took part in the discussions regarding the protocol functionality and the theoretical analysis;

• Paper VII: Most material was written by me, except the section “On the Relation between Anonymity and Privacy” that was written by Simone Fischer-Hübner (who also contributed with ideas for the survey). Leonardo A. Martucci contributed with some text for the section “Introduction” and with ideas for the section “Future Trends”;

• Paper VIII: The paper is a collaborative effort where I contributed significantly to all sections except the appendices. Leonardo A. Martucci formulated the initial research problem and Markulf Kohlweiss contributed most to the underlying cryptography;

• Paper IX: My primary contribution to this paper is being responsible for most text in Section 3, as well as co-editing the inputs from the other authors collectively with Simone Fischer-Hübner. The scenario in Section 3 is based on previous work by the authors and other contributors in the public PRIME Deliverable Framework V1.


Other Work

In addition to the publications included in the thesis, I have also authored, co-authored, or co-edited a number of additional publications.

• Christer Andersson, Simone Fischer-Hübner, and Reine Lundin. mCrowds: Anonymity for the Mobile Internet. Book chapter in John Sören Pettersson, editor, HumanIT 2003 - volymen, Karlstad University Studies 2003:26, Aug 2003.

• Christer Andersson, Simone Fischer-Hübner, and Reine Lundin. Enabling Anonymity in the Mobile Internet Using the mCrowds Approach. In Penny Duquenoy, Simone Fischer-Hübner, Jan Holvast, and Albin Zuccato, editors, Proceedings of the IFIP WG 9.2, 9.6/11.7 Summer School on Risks and Challenges of the Network Society, pages 178–189. Karlstad University Studies 2004:35, 4–8 Aug 2003.

• Simone Fischer-Hübner and Christer Andersson, editors. PRIME Public deliverable D14.0.a - Framework V0, 9 Jun 2004. For more information see https://www.prime-project.eu/prime products/reports/fmwk/

• Simone Fischer-Hübner, Christer Andersson, and Thijs J. Holleboom, editors. PRIME Public deliverable D14.1.a - Framework V1, 13 Jun 2005. For more information see https://www.prime-project.eu/prime products/reports/fmwk/

• Ninni Danielsson and Christer Andersson. Introducing Users to Privacy and Identity Management in the Context of User Testing. In Anders G. Nilsson, Remigijus Gustas, Wita Wojtkowski, W. Gregory Wojtkowski, Stanislaw Wrycza, and Jože Zupančič, editors, Pre-Conference Proceedings of the Fourteenth International Conference on Information Systems Development (ISD 2005), Karlstad University Studies 2005:30, Karlstad, Sweden, pages 91–102, 15–17 Aug 2005.

• Leonardo A. Martucci, Christer Andersson, Wim Schreurs, and Simone Fischer-Hübner. Trusted Server Model for Privacy-Enhanced Location Based Services. In Viiveke Fåk, editor, Proceedings of the 11th Nordic Workshop on Secure IT-systems (NordSec 2006), Linköping, Sweden, 19–20 Oct 2006.

• Leonardo A. Martucci, Christer Andersson, and Simone Fischer-Hübner. Chameleon and the Identity-Anonymity Paradox: Anonymity in Mobile Ad Hoc Networks. In Short-Paper Proceedings of the International Workshop on Security (IWSEC 2006), Kyoto, Japan, 23–24 Oct 2006.


Contents

Abstract i

Acknowledgements iii

List of Appended Papers v

Introductory Summary 1

1 Introduction 3
1.1 Scope 4
1.2 Objective 5
1.3 Structure 5

2 Background 6
2.1 Definition of Anonymity & Related Terms 6
2.2 Anonymous Overlay Networks 7
2.3 Examples of Anonymous Overlay Networks 10
2.4 Introduction to Anonymity Attacks 14
2.5 On Measuring Anonymity 15

3 Research Issues 16
3.1 Research Questions 16
3.2 Research Method 17

4 Related Work 19
4.1 Enabling Anonymity in Infrastructured Mobile Networks 19
4.2 Enabling Anonymity in Infrastructureless (Ad Hoc) Networks 21

5 Contributions 22

6 Summary of Papers 23

7 Conclusions 26

Paper I: Privacy Risks and Challenges for the Mobile Internet 35

1 Introduction 37

2 Location Based Services 38
2.1 Introduction to LBS Applications 38
2.2 Examples of LBS Applications 39


3 Privacy Threats 40
3.1 Exposed Personal Data 40
3.2 Threats to Informational Privacy 40
3.3 Threats to Spatial Privacy 41

4 Legal Protection by the E-Communications Privacy Directive 2002/58/EC 42
4.1 Confidentiality of Communications 42
4.2 Traffic and Location Data 42
4.3 “Opt-in” for SPAM 43

5 Controversies around the E-Communications Privacy Directive 2002/58/EC 43
5.1 Data Retention 43
5.2 Sensitive Location Information in Traffic Data 44
5.3 Need for Internationalisation 44

6 Privacy Enhancing Technologies 44
6.1 PETs for Anonymising or Minimising Location Data 45
6.2 PETs for User Control 46

7 Conclusions 48

Paper II: On the Fundamentals of Anonymity Metrics 51

1 Introduction 53

2 Preliminaries 54
2.1 Introduction to Crowds 54
2.2 A Model for Anonymity Attacks 55
2.3 Anonymity Metrics 56
2.4 Measuring the Uniformness of Probability Distributions 57

3 Evaluation of Anonymity Metrics 58
3.1 Anonymity Evaluations 58
3.2 Criteria for Anonymity Metrics 60
3.3 Evaluation of Anonymity Metrics against Criteria 61

4 The Scaled Anonymity Set Size Metric 62
4.1 Theoretical Background 63
4.2 Numerical Examples 66
4.3 Evaluation against Scenarios and Criteria 68
4.4 Related Work on Quantifying Anonymity as A = 2^H(P) 68

5 Summary & Outlook 69


Paper III: Privacy-Enhanced WAP Browsing with mCrowds 73

1 Introduction 75

2 Related Work 77
2.1 Crowds 77
2.2 mCrowds 78

3 Theoretical Properties 79
3.1 Anonymity Properties in mCrowds 80
3.2 Performance Properties in mCrowds 82

4 Performance Evaluation 84
4.1 Variables 85
4.2 Test Environment 85
4.3 Experimental Design 86
4.4 Test Results 87

5 Conclusions and Outlook 88

Paper IV: Practical Anonymous Communication on the Mobile Internet using Tor 91

1 Introduction 93

2 Background 94
2.1 Anonymity 94
2.2 Introduction to the Tor Network 94

3 Proposed System Architecture 95
3.1 Mobile Device 95
3.2 Tor Client 96
3.3 The Wireless Domain 96
3.4 Filtering Proxy 97
3.5 The Wired Domain 98
3.6 The Content Provider 98

4 Evaluation Preliminaries 98
4.1 Notation 98
4.2 Assumptions 99

5 Anonymity Evaluation 99
5.1 Attacker Model 100
5.2 The Crowds-Based Metric 101
5.3 Anonymity Evaluation: Standard Tor Settings 102


5.4 Anonymity Evaluation: Performance Settings 105
5.5 Anonymity Evaluation: Proxy Settings 105
5.6 Observations from Anonymity Evaluation 106

6 Performance Evaluation 107
6.1 Experimental Design 107
6.2 Variables 108
6.3 Test Environment 109
6.4 Experiment one: fetching a file from the content server 109
6.5 Experiment two: application level throughput 110
6.6 Observations from Performance Evaluation 111

7 Evaluation of Other System Properties 113
7.1 Mobile Tor Client Design Option 114
7.2 Tor Client on User’s Computer Design Option 114
7.3 Third Party Tor Client Design Option 115
7.4 Discussion on Evaluation of Other System Properties 115

8 Related Work 115
8.1 Anonymous Overlay Networks for Mobile Internet 115
8.2 Approaches for Enhancing/Measuring the Performance of Tor 116

9 Conclusion & Outlook 116

Paper V: Requirements for Privacy-Enhancements for Mobile Ad Hoc Networks 119

1 Introduction 121

2 A Possible Solution: Anonymous Overlay Networks 122

3 Requirements for Anonymous Overlay Networks 122

4 An Evaluation of State-of-the-Art Anonymous Overlay Networks 123

5 Conclusions & Outlook 125

Paper VI: Towards Anonymity in Mobile Ad Hoc Networks 127

1 Introduction 129

2 Definitions & Related Work 130

3 The Identity-Anonymity Paradox 132


4 Chameleon: an Anonymous Overlay Network 135
4.1 Protocol Basics and Assumptions 135
4.2 Detailed Protocol Description 136

5 Theoretical Analysis 142
5.1 Attacker Model of Chameleon 143
5.2 Anonymity Analysis of Chameleon 144

6 Conclusions 148

Paper VII: Privacy & Anonymity in Mobile Ad Hoc Networks 157

1 Introduction 159

2 Background 160
2.1 Definitions of Anonymity and Related Concepts 160
2.2 On the Relation between Privacy & Anonymity 162
2.3 On Measuring Anonymity 163

3 Anonymous Communication in Mobile Ad Hoc Networks 164
3.1 Anonymous Routing Protocols 165
3.2 Anonymous Overlay Networks 165
3.3 Comparison between Anonymous Routing Protocols and Anonymous Overlay Networks 166

4 Survey of Anonymous Communication Mechanisms 167
4.1 Evaluation Criteria 167
4.2 Survey of Anonymous Routing Protocols 168
4.3 Summary of Survey Results for Anonymous Routing Protocols 174
4.4 Survey of Anonymous Overlay Networks 175
4.5 Survey Results for Anonymous Overlay Networks 176
4.6 Discussion 177

5 Future Trends 178
5.1 The Sybil Attack in Mobile Ad Hoc Networks 178
5.2 Mechanisms for Detecting the Sybil Attack in Ad Hoc Networks 179

6 Conclusions 179

Paper VIII: Self-certified Sybil-Free Pseudonyms 185

1 Introduction 187


2 Related Work 189
2.1 The Sybil Attack 189
2.2 Identifiers in Mobile Ad Hoc Networks 190
2.3 Cryptographic Related Work 191

3 Self-certified Sybil-Free Pseudonyms 191
3.1 E-Token Signatures 191
3.2 Instantiation based on E-Token Signatures 193
3.3 Efficiency 195

4 Security Analysis 195
4.1 The Sybil-Proof & Unlinkability Properties 195
4.2 Sharing/Theft of Membership Certificates 196
4.3 Corrupt Domain Controllers and Partitioning Attacks 197

5 Application Scenario: Mobile Ad Hoc Crowds 197
5.1 Scenario Walkthrough 198
5.2 Security Properties of the Application Scenario 200

6 Discussion 201
6.1 On the Assumption of the Initial Sybil-free Domain 201
6.2 Other Sybil-Free Applications 202

7 Summary & Outlook 203

A Appendix 207
A.1 Details on Cryptographic Construction 207
A.2 Cryptographic Building Blocks 208
A.3 Cryptographic Details 209

Paper IX: Trust in PRIME 211

1 Introduction 213

2 PRIME Architecture 215
2.1 Components and Mechanisms 216
2.2 Example Interaction 219

3 Example Scenario: Privacy-Enhanced E-Shopping 220
3.1 Browsing 220
3.2 Negotiation and Purchase 221
3.3 Payment and Delivery 222

4 Trust From a Socio-Psychological Perspective 222


5 HCI in PRIME and Trust 224
5.1 Usability Tests and Problems Encountered 224
5.2 Possible HCI Solutions for Enhancing Trust 225

6 Conclusion 227


Introductory Summary



1 Introduction

Internet and mobile communications have had a profound effect on society and the way we live. Nowadays, at least in the developed nations, a majority of the population has access to the Internet, either via desktop computers or via powerful mobile devices. Additionally, novel kinds of services are currently being deployed, in which an increasing amount of personal data is passed to service providers in return for value-added services. One example is Location Based Services (LBS), where data about users’ locations are passed to service providers in return for services such as traffic navigation or friend finders. Another hot topic is the Ambient Intelligence (AMI) paradigm, in which applications are based on ubiquitous computing devices and sensors seamlessly gathering data about the surrounding environment and the people in it. If the more futuristic AMI scenarios become a reality, the electronic surveillance society pictured by George Orwell already in 1948 in his novel “1984” might become a reality. Moreover, the use of various means for electronic surveillance by law enforcement agencies is constantly increasing. For example, the recent EU Directive 2006/24/EC [1] states that service providers must retain traffic and location data for the purpose of investigation, detection, and prosecution of serious crime, where these data must be retained for not less than six months and not more than two years from the date of communication. Although increased data surveillance might have positive consequences, such as helping law enforcement agencies to prevent crime, there is the risk that the majority of everyday citizens will have to tolerate that their privacy is invaded for “the greater good” (including people who believe that they have “nothing to hide” and thus nothing to fear [2]). We do not think that banning anonymity technologies is the right solution for preventing crime. Instead, we think that it is critical for our society and for democracy to retain and maintain the individuals’ control over their personal spheres. Furthermore, we believe that it should be possible to strike a balance between enabling law enforcement agencies to detect misuse of information and communication technologies, and respecting the privacy of the great majority of well-behaving users.

In fact, the gradual loss of privacy in today's society outlined above has attracted an increasing amount of attention among the public and in the media in recent years. Some examples of recent privacy breaches are given in [3]. Numerous surveys point out the users' wish for privacy (e.g., [4]). Regarding media attention, one comprehensive example dating back to 2003 is the 27-page article "Watching You: The World of High-Tech Surveillance" in National Geographic's November 2003 issue [5]. Here one can read that "the future is here, where cameras can film you wherever you go, where your cell phone can signal exactly where you are, where one glance can reveal exactly who you are". Another more recent subject of controversy among the media and the public is Google (the provider of, among many other services, a massively used Internet search engine), which has been accused of being a threat to privacy due to the massive amounts of personal data it stores and processes (see, e.g., [6]). In a consultation report from 2007, Privacy International ranks Google as "hostile to Privacy", due to, among other things, its vague and unclear privacy and data retention policies [7].


Warren and Brandeis defined privacy already in 1890 as "the right to be let alone" [8]. In the context of information and communication technologies, Westin [9] introduced the concept of informational privacy, which implies that a person can control how, when, and to what extent information about him or her is communicated by others. This relates to any personal information, such as name, age, interests, and credit card number. Spatial privacy, on the other hand, means that a person has control over what information is presented to his senses, that is, what information enters his personal sphere (see [10], page 28). One example of a threat to spatial privacy in the context of mobile networks is (mobile) spam. Many proposed AMI scenarios would also have severe implications for the spatial privacy of the everyday citizen due to their pervasive nature. Finally, in order to capture the multidimensional nature of privacy, Daniel J. Solove recently proposed a comprehensive taxonomy of privacy, including four categories (information collection, information processing, information dissemination, and invasion) and sixteen subcategories [3].

Two common means for ensuring online privacy are technology and legislation. The former approach, commonly denoted Privacy-Enhancing Technologies (PETs), mainly refers to technical measures that are integrated into information systems or networks to eliminate or minimize the collection of personal data or, in cases where personal data have already been collected, to technically enforce legal privacy requirements regarding those data. One example of a PET is anonymous overlay networks, which aim to eliminate the processing of personal data altogether by permitting users to act anonymously. Another example is systems for privacy-enhanced Identity Management (IDM), which enforce informational self-determination by, among other things, allowing users to act under pseudonyms and to control the release of their personal data. Legislative measures for enhancing privacy, on the other hand, refer to data protection legislation restricting the collection and usage of personal data by the data processing agency. Two examples are the EU Directives 95/46/EC [11] and 2002/58/EC [12], which for instance regulate the usage of collected personal information. Nowadays, it is commonly believed that privacy is most successfully protected by a holistic solution that combines both technological and legislative efforts.

1.1 Scope

Below, we discuss the scope of the thesis (application domain and types of solutions):

• We have mainly studied mobile networks, in which wireless and mobile nodes participate in communications. Mobile networks are of great interest as they on the one hand lay the groundwork for new innovative applications that may facilitate everyday life for citizens, but at the same time they pose many challenges to privacy. Mobile networks can be classified as either ad hoc networks or infrastructured networks, depending on whether or not they can function without the aid of a central infrastructure: ad hoc networks can, infrastructured networks cannot. Infrastructured mobile networks are often interconnected with wired networks to enable access to services on, for instance, the Internet. In this thesis, we have studied LBS applications and anonymous WAP browsing. In these scenarios, the client is situated in a Public Land Mobile Network (PLMN) while the service provider is situated in the (wired) Internet.


• The type of anonymous communication mechanism mainly studied in this thesis is anonymous overlay networks, which enable anonymity in the layer between the communication and application layers, usually by constructing virtual paths along which messages are forwarded during communications between different communication partners in a network. Alone, anonymous overlay networks do not constitute a panacea for all privacy problems in mobile networks. However, they offer a possible solution for those cases where it is desirable or appropriate for users to be anonymous. Moreover, anonymous overlay networks constitute an underlying building block for more advanced solutions, such as tools for privacy-enhancing Identity Management. Anonymous overlay networks are further described in Section 2.2.

1.2 Objective

One goal of this thesis is to analyze the privacy risks present in mobile networks and, building on this, to elicit both technical and legal requirements for solutions addressing these privacy risks. We moreover aim to develop a set of solutions based on these elicited requirements. Given that performance plays an important role in (often heterogeneous) mobile networks such as ad hoc networks, another main goal is to analyze the degree of privacy protection and the performance loss these solutions offer. In this context, we are especially interested in finding a reasonable tradeoff between these two aspects. Finally, we are also interested in finding out how privacy could be protected by an interdisciplinary approach including not only technical aspects, but also, for instance, legal and social aspects.

1.3 Structure

The remainder of this introductory summary is structured as follows. Section 2 provides the theoretical background for the thesis. This section includes a subsection that defines anonymity and related terms (Section 2.1), as well as subsections that introduce anonymous overlay networks (Section 2.2) and examples of such networks (Section 2.3). Furthermore, Section 2.4 provides an introduction to anonymity attacks, while Section 2.5 examines how to quantify anonymity. Then, Section 3 explains the research questions underlying this thesis and the research methodology employed to answer them. After this, Section 4 discusses existing PETs for enhancing privacy in mobile networks, while Section 5 outlines the contributions of this thesis. Thereafter, Section 6 summarizes the papers in the thesis. Finally, Section 7 summarizes the main conclusions and gives an outlook on future research.


2 Background

2.1 Definition of Anonymity & Related Terms

Many people have their own notion of what it means to be "anonymous", like blending into the crowd or not sticking out too much. In this thesis, we adopt a somewhat more formal definition introduced by Pfitzmann and Hansen [13]: "Anonymity is the state of being not identifiable within a set of subjects, the anonymity set". The anonymity set includes all possible subjects in a given scenario, such as the possible senders of a message. When communicating over a communication network, the anonymity set can be divided into two subsets: the sender and recipient anonymity sets. These sets can be disjoint, overlap, or be the same (see Figure 1). The size of these sets may vary over time, as new knowledge may allow an attacker to exclude members from either set (see Figure 2).

Figure 1: Sender and receiver anonymity sets, and message set.

Figure 2: The number of possible senders in the anonymity set is narrowed down to three.

Anonymity involves both preserving the confidentiality of user data in the application layer (data level anonymity) and hiding the network identifiers of the communication partners in the network layer (network level anonymity). Anonymous overlay networks are often used to achieve network level anonymity, while pseudonymous applications (e.g., Idemix [14] or blind signatures [15]) and filtering proxies (e.g., Privoxy [16]) are common techniques for enabling data level anonymity. Often, techniques for achieving anonymity at the network and data levels are combined, as there is no real anonymity on the data level without anonymity on the network level. The main focus of this thesis lies on network level anonymity, although we also touch upon data level anonymity.

Related to anonymity is unlinkability, which implies that, from an attacker's point of view, two or more items of interest (e.g., senders, receivers, or messages) are no more and no less related than they are given the a priori knowledge of the attacker [13]. Unlinkability is an issue even when a user's identity is kept secret, as linkability between different actions of an anonymous user may still enable an attacker to profile the user based on his actions. Unlinkability between a message and a sender is illustrated in Figure 3. If, however, a message can be linked to a sender (or a receiver), as in Figure 4, there is no unlinkability.


Figure 3: Sender unlinkability. Figure 4: No sender unlinkability.

Anonymity from the perspective of the sender and receiver can be defined in terms of unlinkability [13]. Sender anonymity means that a message cannot be linked to its original sender, while receiver anonymity implies that a message cannot be linked to the receiver of that message. Lastly, relationship anonymity means that it is not possible to determine who is communicating with whom, that is, it is impossible to link a sender to a recipient.

Also related to anonymity is unobservability, which implies that messages sent between senders and receivers in a communication network must not be discernible from random noise. In a system providing anonymity for both senders and receivers, it may still be possible to observe that messages are being sent, albeit these messages cannot be linked to any sender and receiver. For a system to provide unobservability, it must not even be possible to observe the mere fact that messages are being sent.

Finally, pseudonymity implies the usage of pseudonyms as identifiers [13]. As defined in [17], pseudonymity can allow a user to use an application without disclosing his identity while still being accountable for the application usage. Anonymity on the network level is often used as a building block when implementing data level pseudonymity.

2.2 Anonymous Overlay Networks

An overlay network is a virtual network of nodes and logical links built on top of an existing network with the purpose of implementing network services not available in the existing network. The purpose of an anonymous overlay network is to provide anonymous communication services to users in a particular network, such as the Internet or an ad hoc network, where such services normally are lacking. An anonymous overlay network is comprised of the following three basic components, or a subset of them: anonymous communication clients, anonymity proxies, and information servers. These entities are introduced below.


2.2.1 Anonymous Communication Clients

From the users' perspective, the anonymous communication clients constitute entry points to an anonymous overlay network through which the users can communicate anonymously with their communication partners (which may or may not themselves be anonymous communication clients). An anonymous communication client can be generalized to having two basic functionalities, the group buildup function and the hiding function¹:

• The purpose of the group buildup function is to provide the anonymous communication client with an accurate view of the user base (the anonymous communication clients) and of the group of anonymity proxies. In the case of Peer-to-Peer (P2P) based topologies (see below), these two groups generally overlap. Having an accurate view of the group of anonymity proxies is essential for the buildup of virtual paths; if an attacker succeeds in gaining control over one or more anonymity proxies in a given path, he may compromise the anonymity properties of the network. One example of a means to secure the group buildup function is the anonymous authentication technique in Paper VIII, which gives the clients the possibility to ensure that each network identifier in the user base corresponds to exactly one underlying logical identity. Alternatively, if the locations of the anonymity proxies are fixed, clients could also take the proxies' geographical locations into consideration. In this way, the client's hiding function (see below) can construct widespread paths spanning several continents. The latter strategy is used in Tor, see Paper IV;

Figure 5: A virtual path.

• The purpose of the hiding function is to establish virtual paths, comprised of one or more intermediary proxies (see next section), along which packets are transmitted anonymously (see Figure 5). Using various approaches described in this section, the hiding function ensures that the correlation between the sender and the receiver is hidden in order to achieve network level anonymity. Depending on which algorithm is used for path setup, the client may be fully responsible for deciding the path, or it may only be responsible for initiating path setup. If the algorithm is based on onion routing or related approaches, the client decides the full path. In this case, layered encryption can be used (messages are wrapped in several layers of encryption, see Papers IV or VII). An alternative approach is used in, for instance, Crowds, where the client only selects its successor in the path (see Paper III).

¹These terms are inspired by the terms group function and embedding function that were introduced in [18]. However, we use these terms in a more general manner than in [18], which mainly considers mixes (Section 2.3.2). For instance, in [18] "embedding function" refers to the blending of real messages and dummy traffic.


2.2.2 Anonymity Proxies

In general, an overlay network in which the anonymous communication clients function as entry points is comprised of several anonymity proxies. As mentioned, these proxies collectively make up the paths along which the clients' messages are routed. The main task of an anonymity proxy is to participate in the implementation of the hiding function (see above). This may involve sending dummy traffic and/or delaying and reordering (mixing) incoming messages. In all cases, it involves setting up virtual paths on behalf of the anonymous communication clients. This is done in cooperation with both the clients and other anonymity proxies, according to the protocol of the given anonymous overlay network. Regarding the topology of the proxies, a topology can be classified as being either centralized, (partly) distributed, or P2P-based (completely distributed):

• In a centralized topology, the anonymity proxies are operated by organizations such as private companies or universities. The number of proxies is normally limited in a centralized topology. Traditionally, most approaches have adhered to this topology. Examples of centralized approaches are JAP [19] and Chaumian mixes [20] (see Sections 2.3.1 and 2.3.2). An advantage of centralized topologies is that reliability can be expected to be superior, as centralized anonymity proxies can be expected to run on powerful computers operated by experts. However, as all traffic passes through a limited set of proxies, there is an upper limit on the bandwidth. Further, as centralized proxies constitute single points of attack, they may attract additional attention from attackers.

• In a distributed topology, anonymity proxies are operated by end users rather than organizations². In recent years, an increasing number of distributed approaches have been proposed or even deployed (most notably Tor [21]). One advantage of distributed topologies is that the required amount of centrally administrated services can be minimized (for instance, in Tor merely the information servers could be labeled as a central service). This is a prerequisite for some application areas. Another advantage is that the scalability properties are superior to those of centralized topologies: the more users that use the system, the more users can be expected to act as anonymity proxies. On the other hand, it is more difficult to make strong claims about the reliability of distributed topologies, as they are made up of proxies running on computers with heterogeneous bandwidth and computational capabilities. The latter was clearly observed in the performance evaluation described in Paper IV.

• Finally, a P2P-based topology is a completely distributed topology where all users collectively perform the different network roles. That is, the users constitute the anonymous communication clients, the anonymity proxies, and the information servers (see next section). This places stringent requirements on the protocols used in such topologies regarding, for instance, trust management and scalability.

²Of course, a private person could also set up a centralized mix server, such as a JAP node. But in this case the requirements on e.g. performance, trust, and availability are higher compared to a node in a distributed network.


The advantages and disadvantages of centralized and distributed topologies, respectively, are further elaborated in [22]. In the context of this thesis, mCrowds (Paper III) and the mobile Tor approach proposed in Paper IV can be classified as distributed topologies, while Chameleon (Paper VI) is a P2P-based approach.

2.2.3 Information Servers

Basically, the task of an information server (or a hierarchy of servers) is to announce the network addresses of the anonymity proxies (possibly together with other information, such as location, bandwidth, or node reliability) to all anonymous communication clients. A simple solution is to let the information server flood this information to the clients. However, in practical scenarios the clients and the information server usually communicate using a dedicated communication protocol, such as the directory protocol in Tor [23].

A distinction can be made between overlay networks where the information server needs to provide the clients with a full view of the network and systems that provide only a partial view. In free route networks, every anonymous communication client must know about the existence of every anonymity proxy, while in a restricted route network, each client needs to know only about a limited set of proxies. Examples of free route networks are Tor and Crowds, while Tarzan [24] and MorphMix [25] are restricted route networks.

Another issue is to decide which entity in the network should perform the role of an information server. In a partly wired network, the best solution is probably to let the information server run on some dedicated hardware in the wired domain (as is done in, e.g., Tor). However, in a fully distributed network, such as a mobile ad hoc network, a subset of the end users must perform this role. For example, in Chameleon (Paper VI), a subset of the network nodes act as directory servers, while in Paper VIII the temporal group manager, which can be an untrusted end user, acts as an information server.

Lastly, note that the information server partakes in the provisioning of a secure group buildup function. It is fundamental from a security and anonymity perspective that the information server provides the clients with an accurate view of the network topology; otherwise the network is prone to a range of attacks, including Sybil and partitioning attacks (see Section 2.4).

2.3 Examples of Anonymous Overlay Networks

2.3.1 Low-Latency Anonymous Overlay Networks

Low-latency anonymous overlay networks seek to provide a (from the user's point of view) reasonable trade-off between anonymity and performance, and, hence, they can be used to anonymize interactive network traffic, such as Internet traffic. This section introduces some of the most prominent low-latency approaches: Crowds, Tor, JAP, and Onion Routing.


Crowds [26] is a partially P2P-based approach for anonymous web browsing providing anonymity against web servers and network nodes. To achieve anonymity, a user's actions are hidden within the actions of many users in a crowd that issues requests to web servers on behalf of its members. The crowd is built up of many proxies, denoted jondos, through which the traffic is routed. The degree of anonymity in Crowds towards a web server is "beyond suspicion", meaning that the sender appears no more likely to be the original sender than any other crowd member [26]. Below, we briefly discuss the hiding and group buildup functions in Crowds.

• The Group Buildup Function. The directory server in Crowds is denoted the blender. It periodically distributes the membership list (e.g., IPs, ports) to all crowd members, including information about newly added jondos. In a practical scenario, the functions of the blender should be distributed, or else it would likely constitute a performance bottleneck. No explicit approaches are implemented in the blender to protect against Sybil attacks (see Section 2.4). In Paper VIII, we discuss how to augment the blender in a mobile ad hoc scenario with Sybil attack protection by using self-certified Sybil-free pseudonyms.

• The Hiding Function. Each jondo is a local application running on a member's computer, and due to the P2P-based nature of Crowds, each jondo serves both as an anonymous communication client to which the user's web browser can pass HTTP requests and as an intermediary anonymity proxy serving the other users in the crowd. The algorithm for path setup briefly functions as follows (link encryption is used between intermediary jondos): the sender selects its successor randomly. In turn, this jondo flips a biased coin (where the bias is determined by the "probability of forwarding", pf) to decide whether it should end the path and connect to the web server, or extend the path to a new random jondo. The coin flipping is repeated until a jondo decides to connect to the web server. Owing to this algorithm, none of the intermediary jondos can deduce with certainty that the preceding jondo is the original sender. If the crowd is large enough in relation to the number of colluding jondos (the exact condition is given in [26]), a succeeding malicious jondo cannot attribute its predecessor as the sender with a probability of 1/2 or more. Yet, various researchers, including [27, 28], have described attacks that may enable an attacker in the path to point out its predecessor as the sender with a much higher probability.

In this thesis, Crowds is further discussed in Papers III, VI, and VIII.
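The following is an added example, not code from the thesis or from the Crowds authors: a simulation of the path-setup algorithm just described, together with the predecessor attack by colluding jondos. The model is ours and makes the same simplifying assumptions as the analysis in [26]: jondo 0 is the honest initiator, the last c of n jondos collude, the initiator picks its first successor uniformly from all n jondos, and each honest jondo forwards to a uniformly chosen jondo with probability pf (or exits to the web server otherwise). The first colluding jondo on a path guesses that its predecessor is the initiator. The closed-form probability 1 - pf(n-c-1)/n and the crowd-size condition n >= pf/(pf - 1/2) (c + 1) are the ones from the Crowds paper.

```python
"""Added example (not from the thesis): Crowds path setup and the
predecessor attack, simulated and compared with the closed form.

Model assumptions (ours): n jondos numbered 0..n-1, jondo 0 is the honest
initiator, jondos n-c..n-1 collude with the attacker, all successor
choices are uniform over all n jondos (a jondo may pick itself).
"""
import random


def crowds_path(n, c, pf, rng):
    """Build one Crowds path, stopping at the first colluding jondo.

    Returns the list of jondos on the path starting with the initiator 0.
    The last element is either a colluder (attack observation) or the
    honest jondo that decided to leave the crowd towards the server.
    """
    path = [0]
    nxt = rng.randrange(n)            # the initiator always forwards once
    path.append(nxt)
    while nxt < n - c:                # honest jondo: flip the biased coin
        if rng.random() >= pf:        # with probability 1-pf: exit
            break
        nxt = rng.randrange(n)
        path.append(nxt)
    return path


def first_colluder_index(path, n, c):
    """Position of the first colluding jondo on the path, or None."""
    for i, jondo in enumerate(path):
        if jondo >= n - c:
            return i
    return None


def estimate_predecessor_attack(n, c, pf, trials, seed=1):
    """Empirical P(predecessor of the first colluder is the initiator |
    some colluder is on the path), i.e. P(I | H_1+) in [26]'s notation."""
    rng = random.Random(seed)
    observed = hits = 0
    for _ in range(trials):
        path = crowds_path(n, c, pf, rng)
        k = first_colluder_index(path, n, c)
        if k is None:
            continue                  # attacker sees nothing on this path
        observed += 1
        if path[k - 1] == 0:          # k >= 1 because path[0] is honest
            hits += 1
    assert observed > 0, "no colluder was ever reached; raise trials"
    return hits / observed


def analytic_predecessor_prob(n, c, pf):
    """Closed form from the Crowds paper: P(I | H_1+) = 1 - pf*(n-c-1)/n."""
    return 1.0 - pf * (n - c - 1) / n


def probable_innocence_min_size(c, pf):
    """Smallest crowd size n for which P(I | H_1+) <= 1/2 ("probable
    innocence"): n >= pf/(pf - 1/2) * (c + 1). Needs pf > 1/2."""
    assert pf > 0.5, "probable innocence is unreachable for pf <= 1/2"
    return pf / (pf - 0.5) * (c + 1)


if __name__ == "__main__":
    n, c, pf = 10, 1, 0.75
    print("analytic P(I|H1+):", analytic_predecessor_prob(n, c, pf))
    print("simulated        :", estimate_predecessor_attack(n, c, pf, 100_000))
    print("min n for probable innocence (c=%d, pf=%.2f): %.1f"
          % (c, pf, probable_innocence_min_size(c, pf)))
```

With n = 10, c = 1 and pf = 0.75 the simulation converges to 0.4, matching the closed form; shrinking the crowd to n = 6 puts the colluder's guess exactly at the 1/2 boundary, which is why the crowd size condition matters in practice.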

The Tor Network To this day, Tor [21] is the largest distributed overlay network for anonymizing network traffic. The anonymous communication clients in Tor are called Tor clients, the anonymity proxies are denoted Tor servers (or Tor nodes), while the information servers are called directory servers. As Tor has a distributed topology, the Tor servers are often operated by private users. The Tor network is the successor to Onion Routing [29]. It was launched in 2004 and has been growing since. Currently, Tor has more than 200 000 users (clients), and the number of Tor servers is approaching 1000 [30]. Below, we discuss Tor's hiding and group buildup functions.


• The Group Buildup Function. In Tor, the directory servers are responsible for providing the group buildup function. Directory servers are divided into two categories: first and second level servers. The Tor client first contacts one of the first level servers and requests a so-called network status document that includes the list of active Tor servers and the addresses of the secondary servers where the descriptors of individual Tor servers can be downloaded³. The fact that Tor is a geographically widespread network spanning all continents can be used to enable partial Sybil attack protection in Tor. The transcontinental nature of Tor also improves resistance against traffic analysis, although on the other hand recent research has shown that Internet Exchange Points (IXPs) constitute ideal positions from which traffic analysis can be conducted [31]. In OnionCoffe, a Java version of the Tor client developed in the PRIME project⁴, the default settings require the Tor servers in a path to be situated in different countries and subnetworks.

• The Hiding Function. The Tor client decides upon the full path, which under default settings consists of three Tor proxies. During path construction, the path is extended iteratively, one hop at a time. That is, the client first extends the path to the first Tor proxy. After receiving an acknowledgement, the client then requests the first proxy to extend the path to the second proxy, and so on. This iterative method for path setup is commonly referred to as "telescoping". After completion, the client shares symmetric keys with each Tor proxy in the path (established through Diffie-Hellman key exchange [32] during path setup), and therefore layered encryption can be used during message transfer. Due to the properties of the hiding function, only the first Tor proxy knows the identity of the sending Tor client, while only the last Tor proxy knows the identity of the receiver (but not the sender). An intermediary Tor proxy in the path knows neither the sender nor the receiver. The authentication protocol used during path construction in Tor was proven secure in [33]. Recently, there has been a great deal of research regarding Tor, including papers that try to make the path construction process more efficient [34, 35], as well as papers that analyze the security of Tor and propose subsequent enhancements [30, 35–37].

In this thesis, Paper IV uses the Tor network as a building block.
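The following added example (written for this summary; it is not Tor's code and not from Paper IV) makes the layered encryption of the hiding function concrete for a three-proxy path: the client wraps the destination and payload in one layer per proxy, each proxy peels exactly one layer, and the recorded views show that the entry proxy sees the client but not the destination, the exit sees the destination but not the client, and the middle proxy sees neither. Two assumptions are made for illustration only: the per-hop keys are simply generated (in Tor they result from the Diffie-Hellman exchanges during telescoping path setup, which is not reproduced here), and the per-hop cipher is a toy SHA-256 keystream rather than Tor's AES-CTR cell encryption, with no integrity protection and use for a single message only.

```python
"""Added example (not from the thesis and not Tor's code): layered encryption
over a three-proxy virtual path, showing what each proxy learns.

Assumptions (illustration only): per-hop keys are pre-shared here instead of
being negotiated by Diffie-Hellman; the cipher is a toy keystream built from
SHA-256 in counter mode, unauthenticated and used for one message only.
"""
import hashlib

ADDR_LEN = 16          # fixed-width "next hop" field inside every layer


def xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || counter) blocks. Applying it twice with
    the same key restores the data, so it both wraps and peels a layer."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def addr_field(addr: bytes) -> bytes:
    """Pad an address to the fixed field width so parsing needs no delimiter."""
    assert len(addr) <= ADDR_LEN, "address does not fit the fixed field"
    return addr.ljust(ADDR_LEN, b"\0")


def build_onion(keys, route, dest, payload):
    """Client side. keys[i] is shared with route[i]; the innermost layer is
    for the exit proxy and carries the real destination and payload."""
    onion = xor_stream(keys[-1], addr_field(dest) + payload)
    for i in range(len(route) - 2, -1, -1):          # middle ..., entry
        onion = xor_stream(keys[i], addr_field(route[i + 1]) + onion)
    return onion


def peel(key, onion):
    """Proxy side: strip one layer, return (next_hop, data to forward)."""
    plain = xor_stream(key, onion)
    return plain[:ADDR_LEN].rstrip(b"\0"), plain[ADDR_LEN:]


def run_circuit(keys, route, client, dest, payload):
    """Forward the onion hop by hop and record each proxy's view: who handed
    it the data and where it forwards it. Returns (views, address the exit
    forwards to, payload delivered)."""
    onion = build_onion(keys, route, dest, payload)
    views, prev = [], client
    for key, proxy in zip(keys, route):
        next_hop, onion = peel(key, onion)
        views.append({"proxy": proxy, "prev": prev, "next": next_hop})
        prev = proxy
    return views, next_hop, onion


def demo():
    """Constructed, fixed keys and names so that the run is reproducible."""
    route = [b"entry", b"middle", b"exit"]
    keys = [hashlib.sha256(b"demo-key-" + name).digest() for name in route]
    return run_circuit(keys, route, b"client", b"example.org:80",
                       b"GET / HTTP/1.0\r\n\r\n")


if __name__ == "__main__":
    views, dest, payload = demo()
    for v in views:
        print("%-7s sees prev=%-8s next=%s" % (v["proxy"].decode(),
              v["prev"].decode(), v["next"].decode()))
    print("exit delivers %r to %r" % (payload, dest))
```

The views recorded by `run_circuit` are exactly the knowledge split described above: `entry` sees `client` and `middle`, `middle` sees `entry` and `exit`, and only `exit` sees `example.org:80`.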

Onion Routing [29] is a bi-directional overlay network for real-time anonymous communication that builds on layered encryption. Onion Routing was the predecessor of the Tor network (see above). A variant of Onion Routing called the Freedom Network [38] was commercially deployed between 1999 and 2001. However, it thereafter had to be shut down due to lack of financial resources.

³See http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt for more information on Tor's directory server protocol.
⁴For more information about the OnionCoffe prototype, see http://www.prime-project.eu/prototypes/anon.


JAP [19] is an anonymous communication client enabling access to a selection of deployed and widely used cascades of anonymity proxies (a cascade is basically a static and centralized virtual path). The anonymity proxies in the cascades apply mixing of data streams. JAP was a candidate for being used in the experiments in Paper IV, but finally Tor was preferred due to its distributed and growing nature. Recently, a commercial (i.e., not free) variant of JAP called JonDonym [39] was launched, which gives access to a commercial proxy cascade with higher bandwidth.

2.3.2 High-latency Anonymous Overlay Networks

Although this thesis mainly focuses on low-latency mechanisms, we include a section on high-latency anonymous overlay networks for the sake of completeness. High-latency approaches seek to provide a strong degree of anonymity at a possibly increased performance cost. Usually, they aim to defeat even a global eavesdropper capable of observing the whole network. High-latency approaches are used when there are no tight constraints regarding latency, as they usually make use of functionalities that are expensive in terms of performance, such as mixing and dummy traffic (see below). As can be seen in [40], messages can be delayed for hours. Obviously, such delays are not realistic when, for example, browsing the Internet. However, one common application area for high-latency networks where large delays can be tolerated is anonymous email, and proposals in this arena include [41–43].

In a seminal proposal belonging to this category, David Chaum proposed in 1981 to anonymize network traffic by sending the traffic through a series of dedicated anonymity proxies called mixes [20]. Chaum's original mixes destroyed the correlation between incoming and outgoing traffic in the following manner: first, collect n messages; second, reorder them randomly; and, finally, flush all messages. Then start over again. Over the years, some extensions have been proposed to this model. For example, instead of flushing all messages at each iteration, some approaches keep a subset of the messages in the proxy until the next round [44]. A different strategy is proposed by Kesdogan et al. in [45], where individual messages are instead delayed for a randomly chosen amount of time.
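As an added example (our own illustration, not code from the thesis or from [20], [44] or [45]), the three batching strategies above can be simulated in a few lines and compared by the size of the candidate set that a passive observer of a single mix is left with for each output. The observer model is deliberately crude: an output could be any message that has entered the mix and has not yet been seen leaving it, with contents assumed to be encrypted and padded so that only arrival and departure order is observable. The input messages are constructed, and the random-delay mix uses a uniform delay here for simplicity.

```python
"""Added example (not from the thesis): discrete-time simulations of a
threshold mix, a pool mix and a random-delay mix, with the candidate set a
passive observer of one mix is left with for every output.

Constructed input: messages m1, m2, ... arrive one per time unit.
"""
import random


class ThresholdMix:
    """Chaum's original strategy: collect n messages, shuffle, flush all."""

    def __init__(self, n, rng):
        self.n, self.rng, self.pool = n, rng, []

    def receive(self, msg):
        """Accept one message; return the (possibly empty) flushed batch."""
        self.pool.append(msg)
        if len(self.pool) < self.n:
            return []
        batch, self.pool = self.pool, []
        self.rng.shuffle(batch)
        return batch


class PoolMix(ThresholdMix):
    """Keeps f randomly chosen messages back at every flush, so a message
    may linger in the mix for several rounds."""

    def __init__(self, n, f, rng):
        super().__init__(n, rng)
        self.f = f

    def receive(self, msg):
        self.pool.append(msg)
        if len(self.pool) < self.n + self.f:
            return []
        self.rng.shuffle(self.pool)
        batch, self.pool = self.pool[:self.n], self.pool[self.n:]
        return batch


class RandomDelayMix:
    """No batches: every message gets an independent random delay and is
    released when its timer expires (uniform delay assumed here)."""

    def __init__(self, max_delay, rng):
        self.max_delay, self.rng, self.queue = max_delay, rng, []

    def receive(self, msg, now):
        self.queue.append((now + self.rng.uniform(0, self.max_delay), msg))
        self.queue.sort()

    def release(self, now):
        """Return every message whose timer has expired by `now`."""
        out = [m for t, m in self.queue if t <= now]
        self.queue = [(t, m) for t, m in self.queue if t > now]
        return out


def observe(mix, messages):
    """Feed one message per time step (then idle steps until a delay mix has
    drained) and return (output, candidate_set_size) pairs in departure
    order. Batch mixes keep whatever they have not flushed at the end."""
    entered, left, log = [], set(), []
    pending, t = list(messages), 0
    timed = isinstance(mix, RandomDelayMix)
    while pending or (timed and mix.queue):
        batch = []
        if pending:
            m = pending.pop(0)
            entered.append(m)
            if timed:
                mix.receive(m, t)
            else:
                batch = mix.receive(m)
        if timed:
            batch = mix.release(t)
        candidates = [x for x in entered if x not in left]
        for out in batch:
            log.append((out, len(candidates)))
        left.update(batch)
        t += 1
    return log


if __name__ == "__main__":
    msgs = ["m%d" % i for i in range(1, 10)]
    for name, mix in [("threshold n=3", ThresholdMix(3, random.Random(7))),
                      ("pool n=3,f=2", PoolMix(3, 2, random.Random(7))),
                      ("random delay", RandomDelayMix(4.0, random.Random(7)))]:
        print(name, observe(mix, msgs))
```

With nine messages, the threshold mix (n = 3) leaves the observer a candidate set of 3 for every output, whereas the pool mix (n = 3, f = 2) leaves 5, because the two messages kept back spread each output's possible origins over earlier rounds. The price is that a kept-back message waits for additional rounds, which is the latency the section discusses.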

As an alternative to mixing, broadcasting may be employed as an underlying technique for providing anonymity. To achieve both sender and receiver anonymity, such systems generally combine broadcasting with other means of achieving anonymity, such as encryption and dummy traffic. A well known example is the so-called Dining Cryptographers networks (DC-Nets) proposed by Chaum [46]. DC-Nets provide "perfect anonymity" in the information-theoretic sense [47] by implementing unobservability (see Section 2.1): the fact that someone is sending is hidden by a one-time pad, while the fact that someone is receiving is hidden by broadcasting and implicit addressing [48]. Yet, DC-Nets consume vast amounts of bandwidth and are vulnerable to attackers causing deliberate collisions during transmissions (i.e., denial of service attacks), and thus only a few implementations exist. If classified according to the entities and functions discussed in Section 2.2, we can note that neither anonymity proxies nor information servers are actually required in DC-Nets; instead, the network could be solely comprised of anonymous communication clients implementing the group buildup and hiding functions (e.g., in the case of a ring topology).
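The following added example (our own, not from the thesis or from [46]) runs one round of a DC-Net among k participants in the XOR variant with pairwise shared one-time keys. It shows the three points made above: the broadcast XOR reveals the single sender's message without revealing the sender; a coalition of colluding participants cannot rule out any honest participant as the sender, unless it contains everyone but one; and two simultaneous senders collide into garbage. Assumed for the demo: every pair shares a fresh random key for the round (generated locally here; in practice it must be agreed securely beforehand), messages are fixed-length byte strings, and a silent participant contributes an all-zero dummy message.

```python
"""Added example (not from the thesis): one XOR DC-Net round with pairwise
one-time keys, the view of a colluding coalition, and a collision.
"""
import random
from itertools import combinations


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def random_source(seed=None):
    """Seeded generator for reproducible demos; SystemRandom otherwise."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def pairwise_keys(k, length, rng):
    """One `length`-byte one-time key per unordered pair of participants."""
    return {(i, j): rng.getrandbits(8 * length).to_bytes(length, "big")
            for i, j in combinations(range(k), 2)}


def participant_output(i, k, keys, msg):
    """What participant i broadcasts: its message (zeros if silent) XORed
    with every key it shares. Each key appears in exactly two outputs."""
    out = msg
    for j in range(k):
        if j != i:
            out = xor(out, keys[(min(i, j), max(i, j))])
    return out


def dc_net_round(k, messages, keys):
    """messages[i] is participant i's intended message (zeros if silent).
    Returns (all broadcast outputs, their XOR). With one sender the XOR is
    that sender's message; with two senders it is the XOR of both."""
    outs = [participant_output(i, k, keys, messages[i]) for i in range(k)]
    result = bytes(len(messages[0]))
    for o in outs:
        result = xor(result, o)
    return outs, result


def coalition_view(outs, keys, coalition, k):
    """What colluding participants learn: each honest output with the keys
    shared with coalition members stripped off. What remains is m_i XORed
    only with keys shared among honest participants."""
    view = {}
    for i in range(k):
        if i in coalition:
            continue
        v = outs[i]
        for j in coalition:
            v = xor(v, keys[(min(i, j), max(i, j))])
        view[i] = v
    return view


def consistent_senders(view, message):
    """Which honest participants could have sent `message`, as judged by the
    coalition? For each hypothesis, try to construct honest-only keys (a star
    around one pivot, all other honest keys zero) that reproduce the view; a
    hypothesis that can be explained this way cannot be ruled out."""
    honest = sorted(view)
    pivot, zero = honest[0], bytes(len(message))
    possible = set()
    for h in honest:
        m = {i: (message if i == h else zero) for i in honest}
        star = {i: xor(view[i], m[i]) for i in honest if i != pivot}
        pivot_out = m[pivot]
        for key in star.values():
            pivot_out = xor(pivot_out, key)
        if pivot_out == view[pivot]:
            possible.add(h)
    return possible


if __name__ == "__main__":
    M, Z = b"meet@9pm", bytes(8)                  # constructed messages
    keys = pairwise_keys(3, 8, random_source(3))
    outs, got = dc_net_round(3, [M, Z, Z], keys)
    print("recovered by everyone:", got)
    print("participant 2 alone suspects:",
          consistent_senders(coalition_view(outs, keys, {2}, 3), M))
    print("participants 1 and 2 together suspect:",
          consistent_senders(coalition_view(outs, keys, {1, 2}, 3), M))
    _, garbled = dc_net_round(3, [M, b"no,10pm!", Z], keys)
    print("two senders collide into:", garbled)
```

`consistent_senders` is the information-theoretic argument in executable form: as long as at least two participants are honest and share a key, the coalition's view is explained equally well by every honest participant being the sender. The collision case also shows why a deliberate collider can deny service without being identified.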


A technique often applied in high-latency anonymous overlay networks is dummy traffic (also called cover traffic). Dummy traffic is made up of "fake" messages (i.e., messages lacking any meaningful content) passed around in the network. The aim of dummy traffic is to provide unobservability, thereby making it harder for an attacker to extract information through a traffic analysis attack (see Section 2.4). Dummy traffic introduces extra traffic overhead and thus degrades performance. Therefore, low-latency approaches such as Tor and Crowds do not employ dummy traffic.

Dummy traffic may also be used as a mechanism for achieving unobservability in the strict sense (see Section 2.1). In anonymous overlay networks that implement unobservability, it is not possible for an eavesdropper to differentiate between a real message and random noise, or even to infer that a message has been sent in the first place. One example of such a system is Pipenet [49]. Unfortunately, due to the large amount of extra traffic that must be generated to maintain a constant traffic load, these systems are generally not practical.

2.4 Introduction to Anonymity Attacks

In the context of this thesis, an attacker is an entity that deliberately tries to compromise the anonymity of one or more users of a computer network, such as an anonymous overlay network. Attackers can be classified according to which kinds of attacks they are capable of launching (see Figure 6). Several dimensions can be considered when describing the abilities and deficiencies of a given attacker⁵. For example, attackers can be either passive or active. An active attacker can modify the traffic in a network, while a passive attacker (also called an eavesdropper) is restricted to merely observing the traffic. Attackers can further be classified as either local or global attackers. Local attackers launch their attacks in a subset of the network, while global attackers launch their attacks on the whole network.

Figure 6: A taxonomy of attackers.

The general strategy of an attacker is to obtain probabilistic relationships between input and output messages of one or several anonymity proxies in order to narrow down the set of possible senders or recipients (as in Figure 2). The result of an attack could be that one user appears to be the message originator with a high probability. If the attacker succeeds in reducing the anonymity set to a singleton, the sender is unambiguously identified.

Concerning attacks against the group buildup function, one example is the Sybil attack [51], which entails an attacker controlling arbitrarily many user identities in a system.

⁵ Other dimensions beyond those in Figure 6 are sometimes discussed in the context of attacker models. For example, a distinction can be made between internal and external attackers; an internal attacker controls one or more internal entities in the system, while an external attacker controls only communication links [50].


This attack is very powerful, as an attacker who can control arbitrarily many user identities is in a perfect position to break the security properties of most conceivable systems. Another example is the partitioning attack [21], in which an attacker manages to convey false or partial views of the network to other users. For instance, the attacker could be a malicious directory server announcing only rogue network identities to honest users.

Regarding attacks against the hiding function, two general strategies are traffic analysis [21] and traffic confirmation [21]. When an attacker conducts traffic analysis, he observes traffic patterns in the network to trace particular messages through the network. Examples of such attacks are predecessor attacks [27, 28] and intersection attacks [52]. Traffic confirmation refers to an attacker seeking to confirm that he is controlling the endpoints in a system, such as the first and last node in a virtual path. There are numerous viable strategies for doing this, such as (passive) timing analysis or (active) traffic injection/modification (for instance, [30] describes a traffic confirmation attack).

Lastly, some of the aforementioned attacks are further discussed in Paper VIII, namely the Sybil attack, predecessor attack, intersection attack, and partitioning attack.

2.5 On Measuring Anonymity

Anonymity is often perceived as a relative notion. That is, instead of viewing anonymity as something "binary", where a person is either anonymous or not, anonymity is often quantified on a relative scale. Thus, it is possible to be more or less anonymous. So-called anonymity metrics can be applied to measure the "amount" of anonymity available to a user of, for instance, an anonymous overlay network. In the established terminology, these metrics quantify the degree (or level) of anonymity of the given scenario.

However, before evaluating the degree of anonymity, one must first define the abilities and limitations of the potential attackers in a given scenario. Such a model is called an attacker model. The attacker model, together with the properties of the studied anonymity technology, is then passed as input to the chosen anonymity metric, which in turn produces some kind of quantitative measure of the degree of anonymity (see Figure 7).

Figure 7: An informal process for measuring anonymity.


The resulting output from an anonymity metric is usually a purely quantitative measure. However, it is important to take the qualitative aspects of anonymity into consideration too [53]. Qualitative aspects include, among other things, the robustness against various kinds of active attacks (for instance, denial of service attacks), as well as the security of the implementation of the given anonymous overlay network (for instance, the quality of the implemented cryptographic primitives). Also, properties such as availability, usability, and performance affect the quality of anonymity [54]. For instance, poor performance or bad usability properties are likely to scare away potential users of an anonymity technology, which, in turn, will decrease the size of the user base and, therefore, reduce the degree of anonymity. Ultimately, the qualitative aspects of anonymity are very likely to (directly or indirectly) affect the provided (quantitative) degree of anonymity. The qualitative aspects of anonymity are sometimes referred to as the "robustness of anonymity" [13].

The subject of anonymity metrics is thoroughly treated in Paper II. Thus, we refer the reader to Paper II for examples of anonymity metrics. Finally, we can note that the metrics discussed in Paper II are mostly local anonymity metrics, that is, they quantify anonymity with respect to a particular sender or a particular message. As an alternative, the degree of anonymity of the system as a whole, including all current users and messages in the system, could be quantified by a system-wide anonymity metric. Such a metric has recently been proposed in [55].

3 Research Issues

This section states the research questions we pose in this thesis, as well as the research methods we make use of to answer these research questions.

3.1 Research Questions

The overall research questions for this thesis are:

1. What privacy risks are present in mobile networks, and, furthermore, what technical and legal requirements can be elicited for PETs for mobile networks developed to address these risks?

The first part of the question (about the privacy risks) is dealt with in Papers I and VIII. The second part is addressed in Paper I (mostly legal requirements) and Papers II and V (technical requirements). Such a list of suitable legal and technical requirements also serves as "evaluation criteria" according to which PETs for mobile networks can be evaluated, as done in Papers IV, VI, and VII.


2. How can privacy be enhanced in mobile networks by technical means with a reasonable tradeoff between anonymity protection and performance loss?

This is a challenging question that we investigate further in Papers III–VIII. As a rule of thumb, a stronger degree of anonymity normally results in lower performance (and, thus, lower usability). However, to approach an answer to this question we need viable metrics for quantifying both anonymity (see Paper II) and performance (see Section 3.2). Regarding performance, pocket-size mobile devices usually offer computational capabilities inferior to those of desktop computers or laptops (for instance, less memory, less processing power, and a smaller screen). These restrictions impose an upper limit on the amount and complexity of the operations a PET running on a mobile device can execute while still providing acceptable performance.

3. How can privacy be protected by an interdisciplinary approach, taking into account not only technical aspects but also social and legal aspects?

This research question is dealt with in Papers I and IX. Besides including technical aspects, these papers take an interdisciplinary approach: Paper I additionally focuses on legal aspects, while Paper IX discusses privacy from a socio-psychological viewpoint and also discusses Human Computer Interface (HCI) aspects related to privacy.

3.2 Research Method

Below, we describe the research method used to address the aforementioned questions.

First research question. The first question in Section 3.1 has mainly been addressed by means of a combined literature study and theoretical analysis. Generally, we first studied exposed personal data in certain application scenarios and then defined possible misuse cases for these scenarios. Concerning requirements, the European legal framework was scrutinized for legal requirements that apply in mobile network environments (Paper I). Moreover, technical requirements for anonymity metrics and anonymity technologies in mobile ad hoc networks have been derived from the literature (Papers II and V).

Second research question. For the second question (Section 3.1), we have primarily applied experimental research. This method relies on the philosophical assumption that the world works according to a number of causal laws. The goal is to establish these cause-and-effect laws by performing experiments [56]. In the thesis, we conducted experiments to assess the degree of performance and anonymity in the studied anonymity technologies:

• Regarding performance, we used the means of a performance evaluation [57], in which various aspects of a system's performance are scrutinized to, e.g., compare systems, fine-tune parameters, identify bottlenecks, or characterize the workload of a system. Before designing a performance evaluation, the researcher must decide which evaluation technique to use. In [57], four common evaluation techniques are distinguished – analytical modeling, simulation, emulation, and live measurement:


– An analytical model is a mathematical expression describing the performance of a system. The modeled system's performance can be predicted under a range of conditions by varying the input parameters of the model.

– A simulation uses an abstract representation of the system that is created by a computer program called the simulation tool. Compared to analytical modeling, more details about the system can usually be included in a simulation, and, thus, simulations often produce more realistic results. Information about simulation in the context of performance evaluation can be found in [58].

– During an emulation, measurements are performed on a real implementation of a running system. Yet, some aspects of the system are abstracted through an emulation tool. Emulation combines the advantages of simulation (a controlled and reproducible environment) and live measurement (a realistic test environment).

– In a live measurement, an operational system is studied (e.g., a computer network). One obvious advantage is that since real code is being tested in a real environment, any doubts about whether the modeled system represents the real system are obviated. However, when complex systems are tested it is generally hard to produce controlled and reproducible experiments.

Paper III describes a performance emulation of the research prototype mCrowds. Here, Dummynet [59] was used to impose an artificial propagation delay to emulate a large geographical distance between the mCrowds nodes. In Paper IV, a live network evaluation of the performance of the Tor client OnionCoffee (see Section 2.3.1) – applied in a mobile setting – was conducted. In Papers VI and VIII, claims about performance were also validated by analytical arguments. Further, several evaluation techniques are often combined to validate the results from a performance evaluation. In our case, we for instance combined emulation with (elementary) analytical modeling in Paper III to examine what impact the system-wide probability constant pf in mCrowds had on performance and anonymity. Also, a follow-up paper to Paper VI is planned, in which the analytical performance claims about the Chameleon prototype in Paper VI will be compared to the results from an ongoing simulation;

• Concerning anonymity, we have applied analytical anonymity metrics (Section 2.5 and Paper II) to quantify the degree of anonymity in a set of scenarios in some of the included papers (see below). In general, anonymity metrics are often based on mathematical foundations such as probability theory. For example, several metrics are based on Shannon's information theory and entropy [47, 50, 60]. In Papers III, IV, and VI we use the Crowds-based anonymity metric [26] to quantify the degree of anonymity of the proposed systems. Further, in Paper II, we evaluate several example scenarios using a number of state-of-the-art anonymity metrics against a set of criteria. Finally, in Paper VII the degree of anonymity of a number of anonymous communication mechanisms for mobile ad hoc networks is analytically evaluated against certain criteria regarding the protection level against different attackers.


Third research question. This question has been dealt with in the interdisciplinary and international PRIME project. In this context, the legal aspect of privacy has been studied by reviewing European legislation, such as the EU Data Protection Directive 95/46/EC [11], EU Directive 2002/58/EC on privacy and electronic communications [12], and the EC Data Retention Directive 2006/24/EC [1]. In a similar fashion, user studies, Human Computer Interface (HCI) research, and socio-psychological research have been conducted to address the non-technical aspects of privacy.

4 Related Work

In this section, we describe related work for enabling anonymity or pseudonymity in mobile networks. The section is divided into one section about enabling anonymity in mobile infrastructured networks (in, e.g., WAP or LBS scenarios over GSM/GPRS networks), and one section about enabling anonymity in mobile infrastructureless (ad hoc) networks.

4.1 Enabling Anonymity in Infrastructured Mobile Networks

This section describes related work for anonymous browsing on the mobile Internet and privacy-enhanced LBS.

4.1.1 Approaches for anonymous browsing on the mobile Internet

To date, we are only aware of one approach that is directly tailored for anonymous web browsing on the mobile Internet (besides the approaches we propose in Papers III and IV): in [61], a framework for providing anonymity on the mobile Internet is proposed. The users connect their mobile phones via a Security Provider (SP) to a deployed anonymous overlay network, such as JAP or Tor. The SP acts as a Trusted Third Party (TTP) providing an interface between the user and the anonymous overlay network. The SP also helps users by performing cryptographic operations on their behalf when setting up virtual paths. A potential problem is that the SP constitutes a single point of failure and trust: since it performs the path setup on the user's behalf, it is in a position to learn both which user is connecting and which path was chosen. Compared to the approaches in Papers III and IV, the framework in [61] presents neither an anonymity analysis nor a performance evaluation.

4.1.2 Approaches for privacy-enhanced LBS

This section describes four infrastructures for deploying LBS [62] and gives examples of existing approaches for enhancing privacy in these infrastructures. They are comprised of a subset of the following entities: the mobile device (U), the Telecom Service Provider (or Mobile Operator) (TSP), the LBS provider (LBS), and the location intermediary (LI).


The LBS provider hosts LBS applications, and the TSP provides the backbone for wireless communication. Most often, it also localizes devices on behalf of the LBS provider.

Figure 8: Direct localization scenario.

In the 1st infrastructure, a geographical positioning device is embedded in the mobile device, such as a GPS (Global Positioning System) receiver, allowing users to control the disclosure of their locations. In an approach of this category [63], so-called camouflaging techniques are used to blur the relationship between the users and their corresponding locations by degrading the spatial and temporal resolution of the location information.

Figure 9: Operator-portal scenario.

In the 2nd infrastructure, the TSP both localizes users and provides LBS. It is difficult to protect privacy in this infrastructure, as the TSP knows the identities of the users "by default".

Figure 10: Application-provider scenario.

In the 3rd infrastructure, LBS are offered by (third party) LBS providers. The TSP is responsible for providing LBS providers with location data. One example of a proposal belonging to this category is Mix Zones [64]: a mix zone is defined as a spatial region where users can switch their pseudonyms in an unobservable way to prevent long-term tracking of pseudonyms. Another example is [65], in which the author and others propose a privacy-enhanced model based on a mediating trusted TSP.

Figure 11: Intermediary scenario.

In the 4th infrastructure, a so-called location intermediary is deployed between the TSP and the LBS provider to mediate requests on behalf of the user. A prototype of an LBS architecture involving an intermediary is currently being developed within the PRIME project [10, 62]. In combination with other privacy-enhancing functionalities, the location intermediary prevents the involved entities from colluding by pooling their data about the users (e.g., user locations) to create extensive user profiles.

In this thesis, examples of LBS applications and related privacy risks are discussed in Paper I, while Paper IX describes the underlying architecture of the aforementioned PRIME prototype based on the intermediary scenario (Figure 11). We can also note that although not originally designed for LBS, mCrowds (Paper III) and the Mobile Tor approach (Paper IV) can be used to enable anonymous use of LBS in the first infrastructure, as this category does not depend on the choice of mobile operator.


4.2 Enabling Anonymity in Infrastructureless (Ad Hoc) Networks

So far, mainly two strategies for enabling anonymous communication in mobile ad hoc networks have been suggested, namely introducing anonymity in the routing layer, or placing an overlay network between the routing/transport layer and the application layer:

• Anonymous routing protocols: This approach suggests replacing the standard ad hoc routing protocol (e.g., AODV [66]) with a routing protocol that conceals the identities of the senders and/or recipients (depending on the sought anonymity properties) of messages from other nodes. The anonymous routing protocols proposed so far can be generalized to having three essential phases in the provisioning of their anonymity properties: (i) anonymous neighborhood authentication (establishing trust relationships with neighboring nodes), (ii) anonymous route discovery (establishing an anonymous path between the sender and receiver), and (iii) anonymous data transfer (sending data messages along the paths created during anonymous route discovery). A number of anonymous routing protocols for ad hoc networks have been proposed so far, including: AnonDSR [67], ANODR [68], MASK [69], ARM [70], PPR [71], and SDAR [72, 73].

• Anonymous overlay networks: An alternative (and so far less common) strategy is to keep the standard routing protocol and instead place an anonymous overlay network either on top of the transport protocol or on top of the routing protocol (in the absence of a transport protocol). In either case, the anonymous overlay network can use services from the routing protocol (e.g., finding a route to the next node in the path) or the transport layer (e.g., reliable data delivery). Anonymous overlay networks can be generalized to being comprised of the following phases: (i) group buildup (providing the nodes with accurate contact information about other participating nodes, i.e., securing the group buildup function), (ii) path construction (constructing an anonymous virtual path between the sender and receiver, i.e., ensuring the hiding function), and (iii) anonymous data transfer (sending data messages along the paths created during path construction). Regarding related work, Jiang et al. have proposed a number of adaptations in order to make Chaum's mixes [20] suitable for mobile ad hoc networks [74]. The approach suggested in Paper VI – Chameleon – also belongs to this category.

The issue of enabling anonymous communication in mobile ad hoc networks is thoroughly treated in Paper VII, including a review of current anonymous communication mechanisms that covers the examples referred to above. Further, Paper V assesses whether a selection of P2P-based mechanisms originally developed for infrastructured networks are suitable in mobile ad hoc networks. This paper provided the basis for Paper VI.


5 Contributions

Below follows a summary of the main contributions of this thesis:

• We have identified and analyzed a number of possible privacy risks with computer networks, especially mobile networks. Threats against informational and spatial privacy have been discussed in the context of WAP browsing and LBS (Paper I), as well as in the context of mobile ad hoc networks (see Papers V–VII).

• We have elicited and described technical and legal requirements for PETs for mobile networks. First, we have derived legal requirements for the mobile Internet from the EU Directives 2002/58/EC [12] and 95/46/EC [11] (Paper I). Second, we have defined a set of criteria for anonymity metrics (Paper II). Finally, a number of technical requirements have been outlined to which anonymous communication mechanisms should adhere to be useful in mobile ad hoc environments (Paper V).

• We have discussed how to quantify the degree of anonymity by using anonymity metrics. First, we have evaluated existing anonymity metrics according to a set of criteria, and, based on this, proposed a new variant of an information-theoretic metric (Paper II). Second, we have applied the Crowds-based metric in a number of scenarios for anonymous communication in mobile networks (Papers III, IV, and VI).

• We have analyzed existing approaches for anonymous communication in mobile ad hoc networks. First, we have conducted a comparative study of existing P2P-based anonymous overlay networks to assess whether they are suitable for mobile ad hoc environments (Paper V). The conclusion is that none of the studied approaches are fully suitable for those environments, and hence we proposed Chameleon (Paper VI). Second, we have assessed the most prominent state-of-the-art anonymous communication mechanisms for mobile ad hoc networks against the same set of criteria (Paper VII).

• We have proposed low-latency anonymous communication mechanisms for mobile networks. First, we have implemented mCrowds – an anonymous overlay network for anonymous WAP browsing (Paper III). Second, we have proposed an application design for anonymous communication on the mobile Internet that uses Tor as a building block (Paper IV). Third, we have proposed Chameleon – an anonymous overlay network for mobile ad hoc networks (Paper VI). In the context of these proposals, we have evaluated their anonymity and performance properties, and, further, discussed how to find an appropriate trade-off between anonymity and performance.

• We have proposed a mechanism for secure and privacy-friendly user base buildup: self-certified Sybil-free pseudonyms. First, we have discussed why applications need to base their anonymity properties on strong identifiers (Paper VI). In the light of this work, we have proposed a means for anonymous and Sybil-protected authentication that can enable the secure and privacy-friendly buildup of user bases (i.e., anonymity sets) on behalf of arbitrary anonymous applications (Paper VIII).


• We have discussed privacy aspects from an interdisciplinary perspective. We have shown that privacy is not only a technical or legal problem and that, in order to achieve trustworthy PET solutions, the problem needs to be tackled by a holistic approach. We have shown how this is done in PRIME by focusing on the following questions: what are the socio-psychological factors influencing trust, what are the technical solutions, and how can this be mediated to the user via the user interface (Paper IX).

6 Summary of Papers

This section contains a short summary of the papers included in this thesis.

Paper I – Privacy Risks and Challenges for the Mobile Internet

While the mobile Internet offers many useful services, it also poses new social risks and challenges that have to be addressed by law and technology. This paper presents trends for LBS applications and further discusses their privacy challenges and risks. It discusses how far the EU Directive 2002/58/EC on privacy and electronic communications [12] can help to protect privacy in mobile environments and what the Directive's limitations and controversies are. Finally, it outlines how PETs can help to technically enforce the legal privacy requirements of the EU Directive 2002/58/EC.

Paper II – On the Fundamentals of Anonymity Metrics

In recent years, a handful of anonymity metrics have been proposed that are based either on (i) the number of participants in the given scenario, (ii) the probability distribution in an anonymous network regarding which participant is the sender/receiver, or (iii) a combination thereof. In this paper, we discuss elementary properties of metrics in general and anonymity metrics in particular, and then evaluate the behavior of a set of state-of-the-art anonymity metrics when applied in a number of scenarios. On the basis of this evaluation and basic measurement theory, we also define criteria for anonymity metrics and show that none of the studied metrics fulfill all criteria. Lastly, based on previous work on entropy-based anonymity metrics, as well as on theories on the effective support size of the entropy function and on Huffman codes, we propose an alternative metric – the scaled anonymity set size – that fulfills these criteria.


Paper III – Privacy Enhanced WAP Browsing with mCrowds – Anonymity Properties and Performance Evaluation of the mCrowds System

While the mobile Internet provides LBS applications and other useful services, it also introduces new privacy risks. This paper describes mCrowds, an anonymous overlay network developed at Karlstads universitet that is intended for the mobile Internet. mCrowds enables anonymous WAP browsing and can further be used to minimize the disclosure of personal information when using LBS applications. This paper discusses the degree of anonymity provided by mCrowds.

Performance is of key importance for mobile Internet technologies, and has for this reason been an important design goal during the development of mCrowds. This paper therefore also studies the theoretical performance properties of mCrowds and the tradeoff between anonymity and performance. Besides, it provides and discusses the results of a practical performance evaluation of mCrowds. These evaluation results are promising, as the overhead in performance introduced by mCrowds is relatively small compared to the total response latency when fetching WAP pages via the mobile Internet.

Paper IV – Practical Anonymous Communication on the Mobile Internet using Tor

This paper proposes and evaluates several architectural designs for enabling anonymous browsing on the mobile Internet. These architectural designs make use of the Tor network in a mobile setting for the provisioning of anonymity to mobile devices. We compare several architectural designs with respect to their anonymity and performance properties. In particular, we are interested in finding a trade-off between anonymity and performance. We also evaluate the architectural designs against other criteria such as practicality, usability, availability, and trust. We show that the most preferable option – given a powerful mobile device and some optimizations in the Tor protocol – is the option where the Tor client is run directly on the mobile device.

Paper V – Requirements for Privacy-Enhancements in Mobile Ad Hoc Networks

In this paper, requirements are formulated for anonymous overlay networks that enhance the privacy of mobile ad hoc network users. Besides, existing P2P-based anonymous overlay networks are analyzed and it is shown that none of them are compliant with those requirements. Finally, an ongoing design of an anonymous overlay network intended for mobile ad hoc environments is outlined in the paper.


Paper VI – Towards Anonymity in Mobile Ad Hoc Networks:The Chameleon Protocol and its Anonymity Analysis

This paper presents Chameleon, a novel anonymous overlay network for mobile ad hocenvironments. As far we know, Chameleon is the first low-latency anonymous overlay net-work applied in a mobile ad hoc setting. It was designed with the special characteristics ofmobile ad hoc networks in mind, such as limited battery lifetime, user mobility and vanish-ing nodes. In this paper, we also evaluate Chameleon against a number of requirements thatan anonymous overlay network should adhere to in order to be suitable for mobile ad hocnetworks. In particular, the anonymity properties of Chameleon are thoroughly analyzed.

Paper VII – Privacy and Anonymity in Mobile Ad Hoc Networks

Providing privacy is often considered a keystone factor for the ultimate take up and success of mobile ad hoc networking. Privacy can best be protected by enabling anonymous communication, and therefore this chapter surveys existing anonymous communication mechanisms for mobile ad hoc networks. On the basis of the survey, we conclude that many open research challenges remain regarding anonymity provisioning in mobile ad hoc networks. Finally, we also discuss the notorious Sybil attack in the context of anonymous communication and mobile ad hoc networks.

Paper VIII – Self-certified Sybil-Free Pseudonyms: Introducing Privacy in Infrastructureless Wireless Networks

Accurate and trusted identifiers are a centerpiece for any security architecture. It is important that devices are uniquely identified to guarantee the network’s security, especially against Sybil attacks. On the other hand, the complete disclosure of those identifiers to other network participants is not desirable from the user privacy perspective. The identities of the network participants must be protected from privacy breaches such as profiling or digital stalking. Protecting against Sybil attacks in a privacy-friendly manner is a non-trivial problem in wireless infrastructureless networks, such as mobile ad hoc networks. In this paper, we introduce self-certified Sybil-free pseudonyms as a means to provide privacy-friendly Sybil-freeness without requiring continuous online availability of a trusted third party. These pseudonyms are self-certified and computed by the users themselves from their cryptographic long-term identities. Contrary to systems based on identity certificates, we preserve location privacy and improve protection against notorious attacks on anonymous communication systems.


Paper IX – Trust in PRIME

The PRIME project develops privacy enhancing identity management systems that allow users in various application areas such as e-commerce to regain control over their personal spheres. This paper introduces the PRIME technical architecture that also includes special trust-enhancing mechanisms, and shows how PRIME technologies can enhance privacy and trust of e-shopping customers. It also discusses the socio-psychological factors and HCI aspects influencing the end user’s trust in privacy enhancing identity management, and shows why HCI research, user studies, and socio-psychological research are necessary efforts to accompany system design.

7 Conclusions

In this thesis, we have shown why privacy is needed in mobile networks and how to enhance privacy through the use of privacy-enhancing technologies and, in particular, anonymous communication mechanisms. Some of the main conclusions of this thesis are:

• The increasing deployment of mobile applications presents numerous privacy challenges. Privacy risks with mobile networks in the context of WAP browsing, LBS applications, and mobile ad hoc networks have been identified and discussed.

• It is possible to re-use and adapt existing anonymous communication mechanisms developed for the traditional Internet in the context of mobile networks. This is especially true for infrastructured mobile networks. This thesis has described two implementations of a scenario for anonymous browsing on the mobile Internet, first using a Crowds-based approach (mCrowds) and second a Tor-based approach.

• There are open problems regarding the provisioning of anonymity and performance in mobile ad hoc networks. To address some of these open problems, an anonymous overlay network for mobile ad hoc networks (Chameleon) has been proposed and existing mechanisms for anonymous communication in such networks have been surveyed. Still, as there are many open problems regarding the design, implementation, and deployment of ad hoc networks, naturally more research is needed on investigating how anonymity and performance could be provided in such networks.

• A secure and privacy-friendly user-base buildup is key in the context of anonymous communication. Most research has so far focused on the hiding function (see the group buildup function and hiding function in Section 2.2.1). Yet, if the group buildup function is insecure, an attacker may, for instance, use Sybil attacks to degrade the anonymity properties offered by any practical anonymous communication mechanism. The proposed self-certified Sybil-free pseudonyms constitute a privacy-friendly solution for securing the group buildup function, although future work includes implementing and verifying the performance of these pseudonyms.


• There are many options for quantifying anonymity, and depending on which option is chosen different results may be obtained. To address the question of finding the best way of measuring anonymity, existing anonymity metrics have been surveyed and, further, a slightly modified entropy-based anonymity metric has been surveyed.

• An interdisciplinary approach is needed to protect privacy in the digital world. Deploying and running anonymity technologies in real networks is a well-known major challenge. Thus, the usability and practicality aspects of the proposed anonymous communication mechanisms need to be further investigated before they are mature enough to be placed in the hands of end users. Finally, some of the research conducted in the PRIME project has been described, including legal, socio-psychological and HCI aspects of the developed PRIME software.
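The conclusion above states that different anonymity metrics can give different results for the same situation. The following added example (not code from the thesis) makes that concrete for the two metric families the reference list cites: the classic anonymity set size, and the entropy-based metrics of Díaz et al. [50] (normalised degree of anonymity) and Serjantov and Danezis [60] (entropy in bits, or equivalently an "effective" set size). The thesis's own slightly modified entropy-based metric is not described on this page and is not reproduced here. The two probability distributions are constructed: they model an attacker's belief about which of eight subjects sent a message, and are assumed to be over the whole anonymity set, so H_max is taken as log2 of the number of subjects.

```python
import math

# Constructed example input: the attacker's probability assignment over the
# eight members of an anonymity set, P(subject i is the sender).
UNIFORM = [1 / 8] * 8            # attacker learned nothing beyond membership
SKEWED = [0.65] + [0.05] * 7     # one member stands out, seven are unlikely


def _check(probs):
    """Reject inputs that are not a probability distribution (float tolerance)."""
    if any(p < 0 for p in probs) or abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must be non-negative and sum to 1")


def anonymity_set_size(probs):
    """Classic metric: number of subjects the attacker cannot rule out."""
    _check(probs)
    return sum(1 for p in probs if p > 0)


def shannon_entropy(probs):
    """H(X) in bits over the sender distribution, as used in [60]."""
    _check(probs)
    return -sum(p * math.log2(p) for p in probs if p > 0)


def effective_set_size(probs):
    """2^H(X): the size of a uniform set that would give the same uncertainty."""
    return 2 ** shannon_entropy(probs)


def degree_of_anonymity(probs):
    """Normalised degree d = H(X) / H_max with H_max = log2(N), after [50].

    Assumption: N is the number of subjects in the distribution. A one-member
    set offers no anonymity, so d is defined as 0 there rather than 0/0.
    """
    _check(probs)
    n = len(probs)
    if n <= 1:
        return 0.0
    return shannon_entropy(probs) / math.log2(n)


def compare(probs):
    """All readings of one distribution, rounded for display."""
    return {
        "set_size": anonymity_set_size(probs),
        "entropy_bits": round(shannon_entropy(probs), 3),
        "effective_size": round(effective_set_size(probs), 2),
        "degree": round(degree_of_anonymity(probs), 3),
    }


if __name__ == "__main__":
    # Both distributions have set size 8, yet the entropy-based metrics
    # rate the skewed one at under two thirds of the maximum anonymity.
    for name, dist in (("uniform", UNIFORM), ("skewed", SKEWED)):
        print(name, compare(dist))
```

Both inputs have the same anonymity set size, eight, so a set-size metric reports no difference between them; the entropy of the skewed distribution is roughly 1.92 bits against 3 bits for the uniform one, giving a degree of anonymity of about 0.64 and an effective set size below four. Which metric is chosen therefore decides whether the skewed case counts as "as anonymous" as the uniform one, which is the point the conclusion makes.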

References

[1] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending directive 2002/58/EC. Official Journal L No.105, 13 Apr 2006.

[2] Daniel J. Solove. “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy. San Diego Law Review, 44(289), 2007. GWU Law School Public Law Research Paper.

[3] Daniel J. Solove. A Taxonomy of Privacy. University of Pennsylvania Law Review, 154(3), 2006. GWU Law School Public Law Research Paper.

[4] ComputerWorld. Gartner: Security Concerns to Stunt E-Commerce Growth, 24 Jun 2005. See http://www.computerworld.com/printthis/2005/0,4814,102769,00.html.

[5] Watching You – The World of High-Tech Surveillance. In National Geographic, number 11, pages 2–29. Nov 2003.

[6] Emin Islam Tatli. Google Hacking Against Privacy. In Pre-Proceedings of the 3rd IFIP WG 9.2, 9.6/11.7, 11.6 Summer School on the Future of Identity in the Information Society, Karlstad, Sweden, 6–10 Aug 2007.

[7] Privacy International. A Race to the Bottom: Privacy Ranking of Internet Service Companies. Consultation report, 9 Jun 2007. See http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-553961.

[8] Samuel Warren and Louis Brandeis. The Right to Privacy. Harvard Law Review, 4(5), 15 Dec 1890.


[9] Alan F. Westin. Privacy and Freedom. Atheneum, New York, NY, USA, 1967.

[10] Simone Fischer-Hübner, Christer Andersson, and Thijs J. Holleboom, editors. PRIME Public Deliverable D14.1.a - Framework V1. 13 Jun 2005. See http://www.prime-project.eu.org/public/prime products/deliverables/fmwk/pubdel D14.1.aec wp14.1V4 final.pdf.

[11] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L No.281, 23 Nov 1995. See http://www.cdt.org/privacy/eudirective/EU Directive .html.

[12] Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector, Brussels. Official Journal L No.201, 31 Jul 2002. See http://www.etsi.org/public-interest/Documents/Directives/Standardization/DataPrivacyDirective.pdf.

[13] Andreas Pfitzmann and Marit Hansen. Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management - A Consolidated Proposal for Terminology v0.29, 31 Jul 2007. See http://dud.inf.tu-dresden.de/Anon Terminology.shtml.

[14] Jan Camenisch and Anna Lysyanskaya. An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT 2001), volume 2045 of Lecture Notes in Computer Science, pages 93–118, Innsbruck, Austria, 2001. Springer-Verlag.

[15] David Chaum. Blind Signatures for Untraceable Payments. In David Chaum, Ronald L. Rivest, and Alan T. Sherman, editors, Proceedings of Advances in Cryptology - Crypto ’82, Lecture Notes in Computer Science, pages 199–203. Springer-Verlag, 1982.

[16] Privoxy - Home Page. See http://www.privoxy.org.

[17] ISO/IEC 15408, 1999. See http://www.clusit.it/whitepapers/iso15408-2.pdf.

[18] Dogan Kesdogan and C. Palmer. Technical Challenges of Network Anonymity. Computer Communications, 29(3):306–324, 1 Feb 2006.

[19] JAP – Anonymity & Privacy. See http://anon.inf.tu-dresden.de//index en.html.

[20] David Chaum. Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms. Communications of the ACM, 24(2):84–88, Feb 1981.

[21] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The Second-Generation Onion Router. In Proceedings of the 13th USENIX Security Symposium, Boston, MA, USA, 27 Jun – 2 Jun 2004.


[22] Rainer Böhme, George Danezis, Claudia Diaz, Stefan Köpsell, and Andreas Pfitzmann. On the PET Workshop Panel “Mix Cascades vs. Peer-to-Peer: Is One Concept Superior”. In David Martin and Andrei Serjantov, editors, Proceedings of the 4th Workshop on Privacy Enhancing Technologies (PET 2004), pages 243–255, Toronto, Canada, 26–28 May 2004.

[23] Tor Directory Protocol, Version 3. See http://tor.eff.org/svn/trunk/doc/spec/dir-spec.txt.

[24] Michael J. Freedman and Robert Morris. Tarzan: A Peer-to-Peer Anonymizing Network Layer. In Vijayalakshmi Atluri, editor, Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), Washington, DC, USA, 18–22 Nov 2002.

[25] Marc Rennhard and Bernhard Plattner. Introducing MorphMix: Peer-to-Peer based Anonymous Internet Usage with Collusion Detection. In Proceedings of the Workshop on Privacy in Electronic Society (WPES02), Washington, DC, USA, 21 Nov 2002.

[26] Michael Reiter and Avi Rubin. Crowds: Anonymity for Web Transactions. In DIMACS Technical report, pages 97–115, 1997.

[27] Matthew K. Wright, Micah Adler, and Brian Neil Levine. The Predecessor Attack: An Analysis of a Threat to Anonymous Communication Systems. ACM Transactions on Information and System Security, 7(4):489–522, Nov 2004.

[28] Andriy Panchenko and Lexi Pimenidis. Fundamental Limits of Anonymity Provided by Crowds. In 8th International Symposium on System and Information Security SSI’2006, Sao Paulo, Brazil, 8–10 November 2006.

[29] David M. Goldschlag, Michael G. Reed, and Paul F. Syverson. Hiding Routing Information. In Ross J. Anderson, editor, Proceedings of the 1st International Workshop on Information Hiding (IH 1996), volume 1174 of LNCS, pages 137–150, Cambridge, UK, May 30 – Jun 1 1996. Springer-Verlag.

[30] Timothy G. Abbott, Katherine J. Lai, Michael R. Lieberman, and Eric C. Price. Browser-Based Attacks on Tor. In Proceedings of the 7th Workshop on Privacy Enhancing Technologies (PET 2007) [75].

[31] Steven J. Murdoch and Piotr Zieliński. Sampled Traffic Analysis by Internet-Exchange-Level Adversaries. In Proceedings of the 7th Workshop on Privacy Enhancing Technologies (PET 2007) [75], pages 167–183.

[32] Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, Nov 1976.


[33] Ian Goldberg. On the Security of the Tor Authentication Protocol. In Proceedings of the 6th Workshop on Privacy Enhancing Technologies (PET 2006), Cambridge, United Kingdom, 28–30 Jun 2006.

[34] Aniket Kate, Greg Zaverucha, and Ian Goldberg. Pairing-Based Onion Routing. In Proceedings of the 7th Workshop on Privacy Enhancing Technologies (PET 2007), volume 4776 of LNCS, pages 95–112. Springer-Verlag, 2007.

[35] Lasse Øverlier and Paul Syverson. Improving Efficiency and Simplicity of Tor Circuit Establishment and Hidden Services. In Proceedings of the 7th Workshop on Privacy Enhancing Technologies (PET 2007), volume 4776 of LNCS, pages 134–152, Ottawa, Canada, 20–22 Jun 2007. Springer-Verlag.

[36] Lasse Øverlier and Paul Syverson. Locating Hidden Servers. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 21–24 May 2006.

[37] Lasse Øverlier and Paul Syverson. Valet Services: Improving Hidden Servers with a Personal Touch. In Proceedings of the 6th Workshop on Privacy Enhancing Technologies (PET 2006), Cambridge, UK, Jun 2006. Springer-Verlag.

[38] Ian Goldberg and Adam Shostack. Freedom Network 1.0 Architecture and Protocols. Zero-Knowledge Systems Whitepaper, Nov 1999.

[39] JonDonym – Anonymity Online. See http://www.jondos.de/en/.

[40] Claudia Diaz, Len Sassaman, and Evelyne Dewitte. Comparison Between Two Practical Mix Designs. In Proceedings of the 9th European Symposium On Research in Computer Security (ESORICS 2004), volume 3193 of LNCS, Sophia Antipolis, French Riviera, France, 13–15 Sep 2004. Springer-Verlag.

[41] Ulf Möller, Lance Cottrell, Peter Palfrader, and Len Sassaman. Mixmaster Protocol – Version 2. Draft, Jul 2003. See http://www.abditum.com/mixmaster-spec.txt.

[42] George Danezis, Roger Dingledine, and Nick Mathewson. Mixminion: Design of a Type III Anonymous Remailer Protocol. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, pages 2–15, Oakland, CA, USA, 11–14 May 2003.

[43] Ceki Gülcü and Gene Tsudik. Mixing E-mail with Babel. In Proceedings of the 1996 Symposium on Network and Distributed System Security (SNDSS 96), pages 2–16. IEEE Computer Society, Feb 1996.

[44] Ulf Möller, Lance Cottrell, Peter Palfrader, and Len Sassaman. Mixmaster Protocol – Version 2. Draft, July 2003. See http://www.abditum.com/mixmaster-spec.txt.


[45] Dogan Kesdogan, Jan Egner, and Roland Büschkes. Stop-And-Go-MIXes Providing Probabilistic Anonymity in an Open System. In David Aucsmith, editor, Proceedings of the 2nd International Workshop on Information Hiding (IH 1998), volume 1525 of LNCS, pages 83–98, Portland, OR, USA, 14–17 Apr 1998. Springer-Verlag.

[46] David Chaum. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, 1(1):65–75, 1988.

[47] Claude E. Shannon. A Mathematical Theory of Communication. The Bell System Technical Journal, 27:379–423, Jul 1948.

[48] Andreas Pfitzmann and Michael Waidner. Networks without User Observability – Design Options. In Proceedings of EUROCRYPT 1985, volume 219 of Lecture Notes in Computer Science. Springer-Verlag, 1985.

[49] Wei Dai. PipeNet 1.1, Aug 1996. Usenet post.

[50] Claudia Diaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards Measuring Anonymity. In Dingledine and Syverson [76].

[51] John R. Douceur. The Sybil Attack. In P. Druschel, F. Kaashoek, and A. Rowstron, editors, Peer-to-Peer Systems: Proceedings of the 1st International Peer-to-Peer Systems Workshop (IPTPS), volume 2429, pages 251–260, Cambridge, MA, USA, 7–8 Mar 2002. Springer-Verlag.

[52] Jean-François Raymond. Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems. In H. Federrath, editor, Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability, volume 2009 of LNCS, pages 10–29. Springer-Verlag, July 2000.

[53] Claudia Diaz. Anonymity and Mixes. Published at First FIDIS PhD Event, Jan 2005. See http://www.cosic.esat.kuleuven.be/publications/article-573.pdf.

[54] Roger Dingledine and Nick Mathewson. Anonymity Loves Company: Usability and the Network Effect. In Proceedings of the 2006 Workshop on the Economics of Information Security in conjunction with the 6th Workshop on Privacy Enhancing Technologies (PET 2006), 28 Jun 2006.

[55] Matthew Edman, Fikret Sivrikaya, and Bülent Yener. A Combinatorial Approach to Measuring Anonymity. In Proceedings of the IEEE International Conference on Intelligence and Security Informatics (ISI-2007), New Brunswick, NJ, USA, 23–24 May 2007.

[56] William Wiersma and Stephen G. Jurs. Research Methods in Education: An Introduction. Allyn & Bacon, Jul 2004.


[57] Raj Jain. The Art of Computer Systems Performance Analysis: Techniques for Experimental Design, Measurement, Simulation, and Modeling. Wiley-Interscience, New York, NY, USA, Apr 1991.

[58] Mahbub Hassan and Raj Jain. High Performance TCP/IP Networking: Concepts, Issues, and Solutions. Pearson, Prentice Hall, Upper Saddle River, NJ 07458, USA, 2004.

[59] Luigi Rizzo. Dummynet: A Simple Approach to the Evaluation of Network Protocols. ACM Computer Communication Review, 27(1):31–41, Jan 1997.

[60] Andrei Serjantov and George Danezis. Towards an Information Theoretic Metric for Anonymity. In Dingledine and Syverson [76].

[61] Emin Islam Tatli, Dirk Stegemann, and Stefan Lucks. Dynamic Mobile Anonymity with Mixing. Technical Report TR-2006-007, Department for Mathematics and Computer Science, University of Mannheim, 27 Mar 2006.

[62] Tobias Kölsch, Lothar Fritsch, Markulf Kohlweiss, and Dogan Kesdogan. Privacy for Profitable Location Based Services. In Dieter Hutter and Markus Ullmann, editors, Proceedings of Security in Pervasive Computing: Second International Conference (SPC 2005), Boppard, Germany, 6–8 Apr 2005. Springer Verlag.

[63] Marco Gruteser and Dirk Grunwald. Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking. In Proceedings of the 1st International Conference on Mobile Systems, Applications, and Services (MobiSys 2003), San Francisco, CA, USA, 5–8 May 2003. USENIX.

[64] Alastair R. Beresford and Frank J. Stajano. Location Privacy in Pervasive Computing. IEEE Pervasive Computing, 2(1):46–55, January 2003.

[65] Leonardo A. Martucci, Christer Andersson, Wim Schreurs, and Simone Fischer-Hübner. Trusted Server Model for Privacy-Enhanced Location Based Services. In Viiveke Fåk, editor, Proceedings of the 11th Nordic Workshop on Secure IT-systems (Nordsec 2006), pages 13–25, Linköping, Sweden, 19–20 Oct 2006.

[66] Charles E. Perkins and Elizabeth M. Royer. Ad-hoc On Demand Distance Vector Routing. In Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA’99), New Orleans, LA, USA, 25–26 Feb 1999.

[67] Ronggong Song, Larry Korba, and George Yee. AnonDSR: Efficient Anonymous Dynamic Source Routing for Mobile Ad-Hoc Networks. In Proceedings of the 2005 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2005) in Conjunction with the 12th ACM Conference on Computer & Communications Security (CCS 2005), pages 32–42, Alexandria, Virginia, USA, 7–11 Nov 2005.


[68] Jiejun Kong and Xiaoyan Hong. ANODR: ANonymous On Demand Routing with Untraceable Routes for Mobile Ad-hoc Networks. In Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MOBIHOC’03), pages 291–302, Annapolis, MD, USA, 1–3 Jun 2003. ACM Press.

[69] Yanchao Zhang, Wei Liu, and Wenjing Lou. Anonymous Communication in Mobile Ad Hoc Networks. In Proceedings of the 24th Annual Joint Conference of the IEEE Communication Society (INFOCOM 2005), Miami, FL, USA, 13–17 Mar 2005.

[70] Stefaan Seys and Bart Preneel. ARM: Anonymous Routing Protocol for Mobile Ad Hoc Networks. In Proceedings of the International Workshop on Pervasive Computing and Ad Hoc Communications (PCAC06), held in conjunction with the 20th IEEE International Conference on Advanced Information Networking and Applications (AINA 2006), Vienna, Austria, 18–19 Apr 2006.

[71] Srdjan Capkun, Jean-Pierre Hubaux, and Markus Jakobsson. Secure and Privacy-Preserving Communication in Hybrid Ad Hoc Networks. Technical Report IC/2004/10, EPFL-IC, CH-1015 Lausanne, Switzerland, 30 Jan 2004.

[72] Azzedine Boukerche, Khalil El-Khatib, Li Xu, and Larry Korba. A Novel Solution for Achieving Anonymity in Wireless Ad Hoc Networks. In Proceedings of the 7th ACM International Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems, pages 30–38, Venice, Italy, 4–6 Oct 2004.

[73] Azzedine Boukerche, Khalil El-Khatib, Li Xu, and Larry Korba. SDAR: A Secure Distributed Anonymous Routing Protocol for Wireless and Mobile Ad Hoc Networks. In Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN’04), pages 618–624, Tampa, FL, USA, 2004.

[74] Shu Jiang, Nitin H. Vaidya, and Wei Zhao. A Mix Route Algorithm for Mix-net in Wireless Mobile Ad Hoc Networks. In Proceedings of the 1st IEEE International Conference on Mobile Ad Hoc and Sensor Systems (MASS 2004), Fort Lauderdale, FL, USA, 24–27 Oct 2004.

[75] Proceedings of the 7th Workshop on Privacy Enhancing Technologies (PET 2007), Ottawa, Canada, 20–22 Jun 2007.

[76] Roger Dingledine and Paul Syverson, editors. Proceedings of the 2nd Workshop on Privacy Enhancing Technologies (PET 2002), volume 2482 of LNCS, San Francisco, CA, USA, Apr 2002. Springer-Verlag.


Karlstad University Studies, ISSN 1403-8099, ISBN 978-91-7063-152-8

Design and Evaluation of Anonymity Solutions for Mobile Networks

While mobile networks lay the groundwork for new innovative applications, at the same time they pose numerous privacy challenges. Citizens participating in mobile communications risk having their privacy invaded for “the greater good”. We stress the importance of empowering individuals so that they can retain control over their personal spheres. The goal of this thesis is to design and evaluate anonymity solutions for mobile networks allowing users to control which information leaves their personal spheres in a mobile communication.

By using a particular anonymity solution, an anonymous overlay network, users can communicate with their peers without disclosing their network identities. In this thesis, we propose three anonymous overlay networks tailored for mobile networks. First, two approaches for anonymous browsing on the mobile Internet are proposed (mCrowds and an approach based on Tor). By applying analysis and experiments, we show that these approaches offer a suitable tradeoff between anonymity and performance loss. Second, an anonymous overlay network for use in mobile ad hoc networks -- Chameleon -- is suggested.

Besides the actual design of anonymous overlay networks, this thesis provides novel contributions in other areas of privacy protection and anonymous communication. First, non-technical aspects of privacy protection are also discussed, including legal, social, and HCI aspects. Second, we survey existing metrics for quantifying anonymity and propose new ideas in this area. Third, we review and classify existing mechanisms for anonymous communication in mobile ad hoc networks. Finally, we propose a cryptographic technique for building up the user base of anonymity solutions in a secure and privacy-friendly manner.