Enhancing Privacy for Mobile Networks: Examples of Anonymity Solutions and Their Analysis


Karlstad University Studies 2005:53
ISSN 1403-8099
ISBN 91-7063-025-9
Division for Information Technology, Department of Computer Science

Christer Andersson

Enhancing Privacy for Mobile Networks
Examples of Anonymity Solutions and Their Analysis


Christer Andersson. Enhancing Privacy for Mobile Networks – Examples of Anonymity Solutions and Their Analysis.
Licentiate thesis
Karlstad University Studies 2005:53
ISSN 1403-8099
ISBN 91-7063-025-9
© The author
Distribution: Karlstad University, Division for Information Technology, Department of Computer Science, SE-651 88 KARLSTAD, SWEDEN, +46 54-700 10 00, www.kau.se

Abstract

Internet and mobile communications have had a profound effect on today’s society. New services are constantly being deployed, in which an increasing amount of personal data is being processed in return for personally tailored services. Further, the use of electronic surveillance is increasing. There is the risk that honest citizens will have their privacy invaded for “the greater good”. We argue that it is of utmost importance to retain the individuals’ control over their personal spheres.

One approach for enhancing the users’ privacy is to deploy technical measures for safeguarding privacy, so-called Privacy-Enhancing Technologies (PETs). This thesis examines a set of PETs for enabling anonymous communication, so-called anonymous overlay networks, which eliminate the processing of personal data altogether by allowing the users to act anonymously when communicating in a networked environment.

This thesis focuses mainly on mobile networks. These are of great interest because on the one hand they lay the groundwork for new innovative applications, but on the other hand they pose numerous novel challenges to privacy. This thesis describes the implementation and performance evaluation of mCrowds – an anonymous overlay network for mobile Internet that enables anonymous browsing. It also describes the ongoing investigation on how to design anonymous overlay networks in order to make them suitable for mobile ad hoc networks, a required building block for ambient intelligence.

Keywords: privacy, anonymity, pseudonymity, identity management, mobile Internet, location based services, mobile ad hoc networks


Acknowledgments

First, many thanks to Simone Fischer-Hübner for being such a good and helpful supervisor. Also, thanks to my other co-authors Reine Lundin and Leonardo A. Martucci, and to my second supervisor Thijs J. Holleboom. Moreover, thanks to my other colleagues in the PRISEC research group, especially Albin Zuccato for giving helpful advice and providing constructive criticism, as well as to my colleagues at the Department of Computer Science for making it such a friendly and inspiring workplace. Last but not least, many thanks to my family and beloved friends for all the support throughout the years.

My research has partly been funded by the EU 6th Framework project PRIME (Privacy and Identity Management in Europe) and the FIDIS (Future of Identity in the Information Society) Network of Excellence, respectively.

Multitudes of thank you!

Karlstad, November 2005 Christer Andersson


List of Appended Papers

This thesis is comprised of the following four papers. References to the papers will be made using the Roman numerals associated with the papers, such as Paper I.

I. Simone Fischer-Hübner and Christer Andersson. Privacy Risks and Challenges for the Mobile Internet. In Proceedings of the IEE Summit on Law and Computing, London, UK, 2 Nov 2004.

This paper presents some results that were also reported in:

• Simone Fischer-Hübner and Christer Andersson, editors. PRIME Public deliverable D14.0.a - Framework V0, 9 Jun 2004. Also available as http://www.prime-project.eu.org/public/prime products/deliverables/pub del D14.0.a ec wp14.0 V4 final.pdf.

• Simone Fischer-Hübner, Christer Andersson, and Thijs J. Holleboom, editors. PRIME Public deliverable D14.1.a - Framework V1, 13 Jun 2005. Also available as http://www.prime-project.eu.org/public/prime products/deliverables/fmwk/pub del D14.1.a ec wp14.1 V4 final.pdf.

II. Christer Andersson, Simone Fischer-Hübner, and Reine Lundin. Enabling Anonymity in the Mobile Internet Using the mCrowds Approach. In Penny Duquenoy, Simone Fischer-Hübner, Jan Holvast, and Albin Zuccato, editors, Proceedings of the IFIP WG 9.2, 9.6/11.7 Summer School on Risks and Challenges of the Network Society, volume 2004:35, pages 178–189. Karlstad University Studies, 4–8 Aug 2003.

III. Christer Andersson, Reine Lundin, and Simone Fischer-Hübner. Privacy Enhanced WAP Browsing with mCrowds – Anonymity Properties and Performance Evaluation of the mCrowds System. In Hein Venter, Jan Eloff, Les Labuschagne, and Mariki Eloff, editors, Proceedings of the ISSA 2004 Enabling Tomorrow Conference, Gallagher Estate, Midrand, South Africa, 30 Jun – 2 Jul 2004.

IV. Christer Andersson, Leonardo Martucci, and Simone Fischer-Hübner. Requirements for Privacy-Enhancements in Mobile Ad Hoc Networks. In Armin B. Cremers, Rainer Manthey, Peter Martini, and Volker Steinhage, editors, Proceedings of the 3rd German Workshop on Ad Hoc Networks (WMAN 2005), pages 344–348, Gesellschaft für Informatik (GI), Bonn, Germany, 19–22 Sep 2005.

The paper summarizes results reported in:

• Günter Müller and Sven Wohlgemuth, editors, FIDIS Deliverable 3.3: Study on Mobile Identity Management, 9 May 2005. Also available as http://www.fidis.net/fileadmin/fidis/deliverables/fidis-wp3-del3.3.study on mobile identity management.pdf.

Minor editorial changes have been made to some of the papers.

Comments on my Participation

Concerning Paper I, my primary contributions are sections 2 and 6.1, as well as partly section 6.2. The scenarios in section 2 are based on previous work by the authors and other contributors in the PRIME Framework V0 [41].

Regarding Papers II and III, I am responsible for most of the written material, except sections 2.2 and 2.3 in Paper II which were written by Simone Fischer-Hübner. The underlying ideas constitute a collective effort between myself and Reine Lundin. Section 3.2 in Paper II is based on an analysis of the performance properties in Crowds/mCrowds by Reine Lundin. The implementation of the prototype described in these papers was mainly done by myself, although Reine Lundin contributed with ideas. During the writing of these two papers, Simone Fischer-Hübner mainly served as a supervisor (by contributing to the ideas, approaches and outline of the papers).

Concerning Paper IV, I am responsible for most parts of the written material. The underlying ideas stem from a collective effort by myself and Leonardo A. Martucci, while Simone Fischer-Hübner mainly served as a supervisor (by discussing the project and paper with us). As input to the analysis, a previous analysis by Leonardo Martucci was used (see [47] for more information).

Contents

Abstract i
Acknowledgements iii
List of Appended Papers v

Introductory Summary 1
1 Introduction 3
2 Background 5
2.1 Definition of Anonymity and Related Terms 5
2.2 Introduction to Anonymous Overlay Networks 7
2.3 A Taxonomy of Attackers and Their Possible Attacks 11
2.4 On Measuring Anonymity 12
2.5 Mobile Networks 15
3 Research Issues 16
3.1 Research Questions 16
3.2 Research Method 16
4 Related Work for Anonymity and Pseudonymity in Mobile Networks 18
4.1 PETs for Mobile Infrastructured Networks 19
4.2 PETs for Mobile Ad Hoc Networks 21
5 Contributions 22
6 Summary of Papers 22
7 Conclusions and Outlook 24

Paper I: Privacy Risks and Challenges for the Mobile Internet 29
1 Introduction 31
2 Location Based Services 32
2.1 Introduction to LBS Applications 32
2.2 Examples of LBS Applications 33
3 Privacy Threats 34
3.1 Exposed Personal Data 34
3.2 Threats to Informational Privacy 34
3.3 Threats to Spatial Privacy 35
4 Legal Protection by the E-Communications Privacy Directive 2002/58/EC 36
4.1 Confidentiality of Communications 36
4.2 Traffic and Location Data 36
4.3 “Opt-in” for SPAM 37
5 Controversies around the E-Communications Privacy Directive 2002/58/EC 37
5.1 Data Retention 37
5.2 Sensitive Location Information in Traffic Data 38
5.3 Need for Internationalisation 38
6 Privacy Enhancing Technologies 38
6.1 PETs for Anonymising or Minimising Location Data 39
6.2 PETs for User Control 40
7 Conclusions 42

Paper II: Enabling Anonymity for the Mobile Internet Using the mCrowds System 45
1 Introduction 47
2 Legal and Social Aspects of Privacy 48
2.1 Privacy and Legal Requirements for Anonymity 48
2.2 Possible Misuse of Anonymity 49
2.3 Privacy Issues in Mobile Internet 50
3 Related Work 51
3.1 Crowds 51
3.2 Enhanced Crowds Protocol 53
4 mCrowds 53
4.1 External Networking Entities Involved when Using mCrowds 55
4.2 Possible Scenarios when using mCrowds 56
5 Conclusions and Outlook 57

Paper III: Privacy-Enhanced WAP Browsing with mCrowds 61
1 Introduction 63
2 Related Work 65
2.1 Crowds 65
2.2 mCrowds 66
3 Theoretical Properties 67
3.1 Anonymity Properties in mCrowds 68
3.2 Performance Properties in mCrowds 70
4 Performance Evaluation 72
4.1 Variables 73
4.2 Test Environment 73
4.3 Experimental Design 74
4.4 Test Results 75
5 Conclusions and Outlook 76

Paper IV: Requirements for Privacy-Enhancements for Mobile Ad Hoc Networks 79
1 Introduction 81
2 A Possible Solution: Using Anonymous Overlay Networks 82
3 Requirements for Anonymous Overlay Networks 83
4 An Evaluation of State-of-the-Art Anonymous Overlay Networks 83
5 Conclusions & Outlook 85

1 Introduction

Internet and mobile communications have had a profound effect on society and the way we are living. Nowadays, at least in the developed nations, a majority of the population has access to the Internet either via desktop computers or powerful mobile devices. Additionally, novel kinds of services are currently being deployed, in which an increasing amount of personal data is being passed to service providers in return for value-added services. One example is Location Based Services (LBS), where data about users’ locations are passed to service providers in return for services such as traffic navigation or friend finders (see Paper I for additional usage scenarios). Another hot topic is the Ambient Intelligence (AMI) paradigm, in which applications are based on ubiquitous computing devices and sensors seamlessly gathering data about the surrounding environment and the people in the whereabouts. If the more futuristic AMI scenarios become a reality, the electronic surveillance society outlined by George Orwell over 55 years ago in his novel “1984” might become, at least, a technical possibility. Moreover, the use of various means for electronic surveillance by law enforcement agencies is constantly increasing. Although this might have positive consequences, such as helping law enforcement agencies to prevent crime, there is the risk that the vast majority of honest citizens will have to tolerate having their privacy invaded for “the greater good”. As discussed in Paper II, we do not think that banning anonymity technologies is the right solution for preventing crime. Instead, we strongly think that it is critical for our society and for democracy to retain and maintain the individuals’ control over their personal spheres. Furthermore, we believe that it should be possible to strike a balance between enabling law enforcement agencies to detect misuse of information and communication technologies, and respecting the privacy of the great majority of well-behaving users.

The gradual loss of privacy in today’s society outlined above has attracted an increasing amount of attention among the public and in the media in recent years. Numerous surveys point out the users’ wish for privacy (e.g., [1]). Regarding media attention, one example is the 27-page article “Watching You: The World of High-Tech Surveillance” in the National Geographic’s November 2003 issue [2]. Here one can read that “the future is here, where cameras can film you wherever you go, where your cell phone can signal exactly where you are, where one glance can reveal exactly who you are”.

Warren and Brandeis defined privacy as early as 1890 as “the right to be let alone” [3]. In the context of information and communication technologies, Westin [4] states that privacy can be further divided into informational and spatial privacy. Informational privacy implies that a person can control how, when, and to what extent information about him or her is communicated by others. This relates to any personal information such as name, age and credit card number. Spatial privacy, on the other hand, means that a person has control over what information is presented to his senses, that is, what information enters his personal sphere. One example of a threat to spatial privacy in the context of mobile networks is (mobile) spam. Also, many proposed AMI scenarios would introduce severe implications for the spatial privacy of the everyday citizen due to the pervasive nature of the AMI paradigm.

Two common means for ensuring online privacy are technology and legislation. The former approach mainly refers to technical measures that are integrated into information systems or networks (such as the Internet) in order to eliminate or minimize the collection of personal data, or, in cases where personal data have already been collected, to technically enforce legal privacy requirements regarding that data. Such measures are collectively labeled Privacy-Enhancing Technologies (PETs). One example of a PET, which is discussed in this thesis, is anonymous overlay networks that aim to eliminate the processing of personal data altogether by permitting the users to act anonymously. Another example is systems for privacy-enhanced Identity Management (IDM) that enforce informational self-determination by, among other things, allowing the users to act under pseudonyms and to control the release of their personal data. Legislative measures for enhancing privacy, on the other hand, refer to data protection legislation restricting the collection and usage of personal data by the data processing agency. Two examples, which are further discussed in Papers I and II, are the EU Directives 95/46/EC [5] and 2002/58/EC [6]. Nowadays, it is commonly believed that privacy is most successfully protected by a holistic solution that combines both technological and legislative efforts.

This thesis mainly discusses how to enhance privacy in mobile networks. Mobile networks are of great interest because on the one hand they lay the groundwork for new innovative applications that may facilitate life for the everyday citizen, but on the other hand they pose numerous challenges to privacy. Regarding possible solutions, the main focus is on an approach specifically tailored for enabling anonymous communication: anonymous overlay networks. Alone, anonymous overlay networks do not constitute a panacea for all privacy problems in mobile networks. However, they offer a possible solution for those cases where it may be desirable or appropriate for users to be anonymous. Moreover, anonymous overlay networks constitute an underlying building block for more advanced solutions, such as tools for privacy-enhancing Identity Management.

One goal of this thesis is to analyze the privacy risks present in mobile networks, and, building on this, elicit both technical and legal requirements for solutions developed to address these privacy risks. Given that performance plays an important role in, often heterogeneous, mobile networks (especially mobile ad hoc networks, see Paper IV), another goal of the thesis is to examine how privacy could be enhanced in mobile networks by technical means with a reasonable trade-off between privacy protection and performance loss.

The remainder of this introductory summary is structured as follows. Section 2 provides the theoretical background to this thesis. As this thesis examines how privacy could be enhanced in mobile networks by enabling anonymity through the use of anonymous overlay networks, this section includes a subsection that defines anonymity and related terms (section 2.1), as well as subsections that introduce anonymous overlay networks (section 2.2) and mobile networks (section 2.5), respectively. Furthermore, in order to examine how anonymity could be enabled in mobile networks we need to know how to quantify anonymity. This is discussed in section 2.4. Also, Paper III discusses how to measure anonymity – here in relation to performance loss. Section 3 explains the research questions underlying this thesis and the research methodology employed to answer these questions. Section 4 on related work discusses existing PETs for enhancing privacy in mobile networks. Section 5 outlines the contributions of this thesis, while section 6 summarizes the four papers included in this thesis. Finally, section 7 summarizes the main conclusions and gives an outlook on future research.

2 Background

This section introduces the term anonymity and measures for achieving anonymity. A taxonomy of mobile networks, in which measures for achieving anonymity could be deployed, is also presented. Furthermore, an introduction to anonymous overlay networks is provided, as well as a basic taxonomy of attackers and their capabilities.

2.1 Definition of Anonymity and Related Terms

Probably, most people have their own notion of what it means to be “anonymous”, such as blending into the crowd or not sticking out. In this thesis we adopt a somewhat more formal definition introduced by Pfitzmann and Hansen [7]:

“Anonymity is the state of being not identifiable within a set of subjects, the anonymity set”.

The anonymity set, which is determined by the current knowledge of the attacker¹, includes all possible subjects in a given scenario, such as all possible senders of a message. When communicating over a communication network, for example the Internet, the anonymity set can be divided into two subsets: the sender and recipient anonymity sets. These sets may be disjoint, overlap, or be the same (see Figure 1). The size of these sets may vary over time, since new knowledge may allow an attacker to exclude a number of members from either of the sets (see Figure 2).

Being anonymous could both imply preserving the confidentiality of a user’s personal data, as well as hiding with whom a user is communicating. In the former case, anonymity is said to be provided on the data level, while in the latter case anonymity is provided on the communication level. Anonymous overlay networks (see section 2.2) are normally used to achieve anonymity on the communication level, while, for instance, systems for pseudonymous communication or filtering proxies (e.g. Privoxy [8]) can be used for achieving anonymity on the data level. Often, techniques for achieving anonymity on the communication and data level, respectively, are combined. For example, mCrowds (see Papers II and III) combines a filtering approach, which ensures anonymity on the data level, with an anonymous overlay network, which assures anonymity on the communication level. For the purposes of this thesis, the main focus lies on PETs that enable anonymity on the communication level.

Figure 1: Sender and receiver anonymity sets, and message set.

Figure 2: The number of possible senders in the anonymity set is narrowed down to three.

Related to anonymity is unlinkability, which implies that, from an attacker’s point of view, two or more items of interest (e.g., senders, receivers, or messages) are no more and no less related than they are with respect to the a priori knowledge of the attacker. Unlinkability between a message and a sender is illustrated in Figure 3. If, on the other hand, a message can be linked to a sender (or a receiver), as illustrated in Figure 4, there is no unlinkability.

Figure 3: Sender unlinkability. Figure 4: No sender unlinkability.

Anonymity from the perspective of the sender and receiver, respectively, can be defined in terms of unlinkability. Sender anonymity means that a particular message cannot be linked to the originating sender, while receiver anonymity implies that a certain message cannot be linked to the receiver of that message. Finally, relationship anonymity, which was introduced in [7], means that it is not possible to determine who is communicating with whom, that is, it is impossible to link a sender to a recipient.


Also related to anonymity is unobservability, which implies that messages sent between senders and receivers in a communication network must not be discernible from random noise. In a system providing anonymity for both senders and receivers, it may still be possible to observe that messages are being sent, albeit these messages cannot be linked to any sender and receiver. For a system to provide unobservability, it must not even be possible to observe the mere fact that messages are being sent.

Finally, pseudonymity implies the usage of pseudonyms as identifiers [7]. As defined in [9], pseudonymity can ensure that a user may use an application without disclosing his or her identity while still being accountable for the usage of the application. Anonymity is often used as an underlying building block when implementing pseudonymity.

2.2 Introduction to Anonymous Overlay Networks

An overlay network is a virtual network of nodes and logical links that is built on top of an existing network with the purpose to implement network services not available in the existing network. The purpose of an anonymous overlay network is to provide anonymous communication services to users in a particular network, such as the Internet or mobile ad hoc networks, where such services normally are lacking.

Figure 5: A virtual path.

Most anonymous overlay networks are so-called source-rewriting networks, that is, networks which establish virtual paths consisting of one or more intermediary nodes, along which packets are transmitted (see Figure 5). Using various approaches described in this section, source-rewriting networks try to hide the correlation between the sender and the receiver in order to achieve anonymity on the communication level.

The aforementioned intermediary nodes are often so-called mixes, which were introduced by Chaum in [10]. Chaum’s original mixes used three basic techniques to blur the relationship between a mix’s incoming and outgoing traffic: reordering of messages, introduction of unpredictable timing delays in the message flow, and changing of the appearance of messages. The reordering and introduction of timing delays could be seen as a kind of “mixing” of messages, hence the term “mixes”. For reasons mentioned later in this section, not all anonymous overlay networks perform this mixing of traffic². We will instead use the more general term anonymity proxy for the nodes throughout the introductory summary³.

² Examples of anonymous overlay networks that do not perform mixing are Crowds [11], Tor [12], Tarzan [13], MorphMix [14], and mCrowds (see Papers II and III).

³ In Papers II and III the intermediary nodes in mCrowds are referred to as “jondos”, borrowing the notation from the original Crowds system [11].


The topology of an anonymous overlay network can be classified as being either centralized (dedicated anonymity proxies operated by, for instance, companies or universities) or P2P-based (distributed anonymity proxies operated by the users themselves). Traditionally, most approaches have had a centralized topology. An advantage with centralized topologies is that the reliability can be expected to be superior, since centralized anonymity proxies are often run on powerful computers that are operated by security experts. However, since all traffic passes through a limited set of proxies, there is an upper limit on the available bandwidth. Furthermore, since centralized proxies constitute single points of attack, they may attract additional attention from attackers.

In recent years, however, an increasing number of P2P-based anonymous overlay networks have become available⁴. One advantage with P2P-based topologies lies in the very nature of P2P communication itself, namely that centrally administrated services are not needed. This may be a prerequisite for some application areas (for instance, mobile ad hoc networks, see Paper IV). Another advantage is that the scalability properties are superior to those of centralized topologies, since the network capacity increases with the number of users. It may on the other hand be difficult to make strong claims about the reliability of P2P-based topologies. This is because they are made up of a theoretically unlimited number of users, all equipped with a varying degree of technical skills and bandwidth capabilities⁵. Pros and cons with centralized and P2P-based topologies, respectively, are further elaborated in [16].

Figure 6: Modification and mixing in an anonymity proxy. f_c in the figure denotes a cryptographic function.

Independently of whether an anonymous overlay network employs a centralized or a P2P-based topology, the anonymity proxies constituting the network can be generalized to having three central functionalities, which are described below: (1) to modify the appearance of messages, (2) to mix traffic, and (3) to construct virtual paths. See also Figure 6.

Modification is primarily employed to hide bitwise correlation between individual incoming and outgoing messages at the proxies. One common approach for achieving this is so-called layered encryption. Here, each message is “telescope encrypted” by the first proxy on the virtual path. This means that this proxy first determines the virtual path and then wraps the message in multiple encryption layers – one for each intermediary proxy along the path, starting with the last proxy. These encryption layers are thereafter peeled off (by decryption), one by one, at each subsequent proxy on the path. On the way back from the receiver, this process is reversed. Link-to-link encryption is another approach for modification; it is less secure, since each intermediary node gets to know the content of each message. For reasons explained in Papers II and III, mCrowds only employs end-to-end encryption, and therefore does not perform any modification between individual proxies.

⁴ For example, see Crowds [11], P5 [15], Tarzan [13] and MorphMix [14]. Also mCrowds, which is described in Papers II and III, adheres to a P2P-based topology.

⁵ Furthermore, there is no lower limit on the number of users. This may result in a sparsely populated anonymity set. However, this is also true for centralized approaches.
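The layering described above, worked through in code. This is an added example, not code from the thesis, from mCrowds or from any cited system; the cipher (an HMAC-SHA256 keystream standing in for the unspecified f_c of Figure 6), the proxy names B, C, D and the receiver name are assumptions made for the illustration.

```python
"""Layered ("telescope") encryption along a virtual path (section 2.2).

Added illustration, not code from the thesis or any cited system.
ASSUMPTION: f_c of Figure 6 is stood in for by a keystream cipher built from
HMAC-SHA256 in counter mode; a real system would use an authenticated cipher
such as AES-GCM. Proxy names and keys are constructed sample data.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
HOP_LEN = 8  # next-hop name, zero padded to a fixed width so layers look uniform


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def wrap(path, keys, receiver, plaintext):
    """The first proxy builds the onion: one layer per intermediary, innermost first.

    Layer i carries only the name of hop i+1 plus the inner packet, so proxy i
    learns its successor but never the whole path.
    """
    hops = path + [receiver]
    packet = plaintext
    for i in range(len(path) - 1, -1, -1):          # start with the last proxy
        nxt = hops[i + 1].encode()
        assert len(nxt) <= HOP_LEN, "hop name too long for the fixed header"
        packet = encrypt(keys[path[i]], nxt.ljust(HOP_LEN, b"\0") + packet)
    return packet


def peel(proxy, keys, packet):
    """One proxy strips its layer; returns (next hop, inner packet)."""
    inner = decrypt(keys[proxy], packet)
    return inner[:HOP_LEN].rstrip(b"\0").decode(), inner[HOP_LEN:]


def forward(path, keys, receiver, plaintext):
    """Deliver along the path; also return the per-link view an eavesdropper gets."""
    packet = wrap(path, keys, receiver, plaintext)
    links = []                        # (proxy, next hop, bytes on its incoming link)
    cur = path[0]
    while cur != receiver:
        nxt, inner = peel(cur, keys, packet)
        links.append((cur, nxt, packet))
        cur, packet = nxt, inner
    return links, packet              # packet is now the plaintext at the receiver


def reply(path, keys, response):
    """Return trip: every proxy adds a layer, from the last proxy back to the first."""
    for proxy in reversed(path):
        response = encrypt(keys[proxy], response)
    return response


def unwrap_reply(path, keys, packet):
    """The first proxy peels the reply layers in path order."""
    for proxy in path:
        packet = decrypt(keys[proxy], packet)
    return packet


if __name__ == "__main__":
    path = ["B", "C", "D"]                        # constructed intermediaries
    keys = {p: os.urandom(32) for p in path}      # one shared key per proxy
    links, delivered = forward(path, keys, "server", b"GET /index.wml")
    for proxy, nxt, wire in links:                # each link carries different bytes
        print(f"{proxy} -> {nxt}: {wire.hex()[:24]}... ({len(wire)} bytes)")
    print("receiver got:", delivered)
    print("reply:", unwrap_reply(path, keys, reply(path, keys, b"<wml/>")))
```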

Regarding mixing, it is usually combined with modification to make it more difficult for an attacker to trace individual messages through a network. Chaum’s original anonymity proxies [10] mixed traffic according to the following algorithm (where every iteration is called a “round”): first, collect n messages; second, reorder them randomly; and finally, flush all messages. Then start over again. Over the years, some extensions have been proposed to this model. For example, instead of flushing all messages at each round, some approaches keep a subset of the messages in the anonymity proxy until the next round. A different strategy is proposed by Kesdogan et al. in [17], where individual messages are instead delayed for a randomly chosen amount of time.
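Chaum's round-based rule and the retain-a-subset variant, as an added example (not the thesis's or any cited system's code); the threshold n, the pool size and the message labels are constructed values, and the simulation shows why retaining messages widens the set of rounds an output could have come from.

```python
"""Two mixing strategies for an anonymity proxy (section 2.2).

Added illustration, not code from the thesis or any cited system.
Threshold n, pool size and message labels are constructed sample values.
"""
import random


class ThresholdMix:
    """Chaum's rule: collect n messages, reorder them randomly, flush them all."""

    def __init__(self, n, rng=None):
        self.n = n
        self.rng = rng or random.Random()
        self.buffer = []

    def receive(self, message):
        """Accept one message; return the flushed batch when a round completes."""
        self.buffer.append(message)
        if len(self.buffer) < self.n:
            return None
        batch, self.buffer = self.buffer, []
        self.rng.shuffle(batch)
        return batch


class PoolMix(ThresholdMix):
    """Variant: each round flushes n messages but keeps `pool` of them back, so a
    message may sit in the proxy for several rounds and the inputs that could
    have produced a given output span more than one round."""

    def __init__(self, n, pool, rng=None):
        super().__init__(n, rng)
        self.pool = pool

    def receive(self, message):
        self.buffer.append(message)
        if len(self.buffer) < self.n + self.pool:
            return None
        self.rng.shuffle(self.buffer)           # retained subset is chosen at random
        batch, self.buffer = self.buffer[:self.n], self.buffer[self.n:]
        return batch


def simulate(mix, n_messages):
    """Feed m0..m{n-1} in arrival order; map each flushed message to
    (round in which it arrived, round in which it left)."""
    arrived, left, round_no = {}, {}, 0
    for i in range(n_messages):
        label = f"m{i}"
        arrived[label] = round_no
        batch = mix.receive(label)
        if batch is not None:
            for m in batch:
                left[m] = round_no
            round_no += 1
    return {m: (arrived[m], left[m]) for m in left}


def rounds_held(timeline):
    """Longest time any flushed message was held inside the proxy, in rounds."""
    return max(leave - arrive for arrive, leave in timeline.values())


if __name__ == "__main__":
    rng = random.Random(7)
    print("threshold mix, max rounds held:", rounds_held(simulate(ThresholdMix(3, rng), 60)))
    print("pool mix,      max rounds held:", rounds_held(simulate(PoolMix(3, 2, rng), 60)))
```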

Concerning the establishment of the virtual paths, two relevant questions are:

1. Which entity is responsible for selecting the proxies in the path?

This is decided by the path construction algorithm of a given anonymous overlay network. One approach is to let the first proxy decide the whole path. Alternatively, intermediate proxies could decide their respective successor. The proxies making up the path could either be chosen according to some pre-defined criteria, or chosen randomly.

2. Which proxies are available for selection during the path construction?

This depends on the topology of the given anonymous overlay network. Centralized topologies are often divided into cascades and free route networks. In a cascade, all messages are sent through a fixed and static path of intermediate anonymity proxies. In free route networks, users can choose which proxies to use from a pre-defined set of centrally administrated proxies.

P2P-based topologies, on the other hand, are usually divided into free route networks and restricted route networks. In a P2P context, free route networks imply that every proxy must know about the existence of every other proxy. One example of a free route network is mCrowds (see Papers II and III). For restricted route networks, every proxy knows only about a limited set of other proxies.

Anonymous overlay networks can be further classified depending on whether a strong degree of anonymity is sought, possibly at the cost of performance (high-latency networks), or whether they seek to provide a (from the user's point of view) reasonable trade-off between anonymity and performance (low-latency networks). High-latency networks are used when there are no tight constraints regarding the latency. High-latency networks usually achieve a high degree of anonymity by using functionalities that are expensive in terms of performance, such as mixing and dummy traffic (see below). As can be seen in [18], messages can be delayed for hours. Obviously, such delays are not realistic when, for example, browsing the Internet. One common application area for high-latency networks is anonymous email [19–21]. Low-latency networks, on the other hand, are targeted at applications with “real-time” constraints, such as web applications. For performance reasons, many low-latency networks omit complex functionalities such as traffic mixing and dummy traffic (see below), possibly at the cost of the degree of anonymity they provide. Most approaches for anonymous communication on the Internet, such as [11, 12, 22, 23], are low-latency networks.

A technique often applied in anonymous overlay networks is dummy traffic (also called cover traffic). Dummy traffic is made up of “fake” messages (i.e. messages lacking any meaningful content) passed around in the network. The primary purpose of dummy traffic is to hinder an attacker from succeeding with traffic analysis (see section 2.3). As mentioned above, dummy traffic is most often utilized only in high-latency networks, since dummy traffic introduces extra traffic overhead, and, thus, degrades performance. For this reason, dummy traffic is not utilized in mCrowds (see Papers II and III). Dummy traffic may also be used as a mechanism for achieving unobservability (see section 2.1). In anonymous overlay networks that implement unobservability it is not possible for an eavesdropper to differentiate between a real message and random noise, or even infer that a message has been sent in the first place. One example of such a system is Pipenet [24]. Unfortunately, due to the large amount of extra traffic that must be generated to maintain a constant traffic load, these systems are generally not practical.

As mentioned earlier, besides the majority of anonymous overlay networks that are based on source-rewriting, other approaches exist. For example, a number of approaches rely on broadcasting as an underlying technique for providing anonymity. In order to achieve both sender and receiver anonymity these systems generally combine broadcasting with other means of achieving anonymity, such as encryption and dummy traffic. A well known example is the so-called Dining Cryptographer networks (DC-Nets) proposed by Chaum [25]. DC-Nets provide “perfect anonymity” by implementing unobservability (see section 2.1); the fact that someone is sending is hidden by a one-time pad while the fact that someone is receiving is hidden by broadcasting. On the other hand, few implementations exist since DC-Nets consume vast amounts of bandwidth. Two other examples of anonymous overlay networks based on broadcasting are the P2P-based approaches P5 [26] and Herbivore [27]. In P5, the anonymity proxies transmit messages to all other proxies in the network at a constant rate. When the proxies do not have any real messages to send, they transmit dummy traffic. Generally, such an approach would scale poorly due to the great amount of traffic generated. P5 tries to address these problems by grouping users into a tree-structure of broadcast groups. Herbivore [27] is based on the earlier mentioned concept of DC-Nets. Herbivore tries to address the efficiency problems of DC-Nets by grouping users into smaller broadcast groups.

2.3 A Taxonomy of Attackers and Their Possible Attacks

In the context of this thesis, an attacker is an entity that deliberately tries to compromise the anonymity of one or more users of a computer network, such as an anonymous overlay network. Attackers can be classified according to which kind of attacks they are capable of launching (see Figure 7). Attackers can be either passive or active. An active attacker can modify the traffic in a network, while a passive attacker (also called eavesdropper) is restricted to observing the traffic. Attackers can further be classified as either local or global attackers. Local attackers launch their attacks in a subset of the network while global attackers launch their attacks on the whole network.

Figure 7: A taxonomy of attackers.

The general strategy of an attacker is to obtain probabilistic relationships between input and output messages of an anonymity proxy to be able to narrow down the set of possible senders or recipients (as in Figure 2). The result of an attack could be that one sender appears to be the originator of a message with a high probability. If the attacker succeeds in reducing the size of the anonymity set into a singleton, the sender is unambiguously identified.

Regarding passive attacks, two general strategies are traffic analysis and traffic confirmation. When conducting traffic analysis the aim of the attacker is to observe traffic patterns in order to trace particular messages through the network. On the other hand, the strategy of traffic confirmation attacks is to link messages by using so-called side information, such as timing patterns, that is leaked when a message enters or leaves an anonymous overlay network.

Considering active attacks, a well known example of an active attack against anonymity proxies that apply mixing is the blending attack [28] (also called n − 1 attack), which may uniquely identify the receiver of a message. In such an attack, the attacker either blocks legitimate messages or inserts fake messages in order to manipulate the batch of an anonymity proxy so that it contains only one legitimate message. This message can then be traced by the attacker when the proxy flushes its messages. Another example of an active attack, which is highly relevant to P2P-based anonymous overlay networks, is the sybil attack [29]. Here, one malicious user creates many identities to, for example, set up a large number of malicious anonymous proxies. One naive solution to this scenario is to assume that a large anonymity set solves this problem. All the same, this assumption does not hold against a powerful attacker. More sophisticated approaches against the sybil attack are employed in [13, 14].

2.4 On Measuring Anonymity

Anonymity is often perceived as a relative notion. That is, instead of viewing anonymity as something “binary” where a person is either anonymous or not anonymous, anonymity is often quantified on a relative scale. Thus, it is possible to be more or less anonymous. This section discusses models, so-called anonymity metrics, that can be applied to measure the “amount” of anonymity available in a certain scenario. Using coined terms, these models quantify the degree (or level) of anonymity of a given input scenario.

Before evaluating the degree of anonymity in a given scenario, one must first define the abilities and limitations of the potential attackers in that scenario (see section 2.3). Such a model is called an attacker model. The attacker model, together with the properties of the studied technology (in this case, an anonymous overlay network), is then passed as input to the chosen anonymity metric, which in turn produces some kind of quantitative measure of the degree of anonymity. This process is illustrated in Figure 8.

Figure 8: An informal process for measuring anonymity.

When applying anonymity metrics, the resulting degree of anonymity is a quantitative measure. However, it is important to take into consideration also the qualitative aspects of anonymity [30]. Qualitative aspects include, among others, the robustness against active and denial of service attacks, as well as the security of implementation of the given anonymous overlay network (for instance, the quality of the implemented cryptographic primitives). Also, properties such as availability, usability, and performance affect the quality of anonymity. Ultimately, qualitative aspects of anonymity may (indirectly or directly) affect the provided (quantitative) degree of anonymity. The qualitative aspects of anonymity are sometimes referred to as the robustness of anonymity [7].

Initial anonymity metrics focused exclusively on the size of the anonymity set or the amount of messages sent through the anonymity proxies. The notion of an anonymity set was introduced by Chaum when modeling the security of the aforementioned DC-Nets [25]. Chaum argued that the size of the anonymity set is a good indicator of the degree of anonymity. This is true for DC-Nets, where all participants are equally likely to be the origin sender of a particular message (see Figure 9).

However, in most other anonymous overlay networks the probabilities of being the origin sender (or receiver) are not uniformly distributed. Instead, they may change dynamically depending on the current knowledge of the attacker. This is acknowledged by Pfitzmann and Hansen in [7]: “Anonymity is the stronger, the larger the respective anonymity set is and the more evenly distributed the sending or receiving, respectively, of the subjects within that set is”. Thus, the communication patterns within an anonymous overlay network also play a key role when quantifying the degree of anonymity.

Figure 9: Probabilities for being the origin sender in a DC-Net.

An example of a metric for measuring anonymity that does not solely focus on the size of the anonymity set is Reiter and Rubin’s analytical model for analyzing the degree of anonymity in Crowds [11]. This metric bases its analysis mainly on probabilistic communication patterns within the Crowds network, although the resulting degree of anonymity is a static metric that is a function of the size of the anonymity set and the number of malicious Crowds users. Although the metric was primarily developed for analyzing Crowds, variants have since been used for analyzing other approaches (for instance, Hordes [15] and mCrowds, as described in Papers II and III).

Figure 10: Degrees of anonymity in Crowds [11].

The Crowds metric assumes a pre-defined attacker model that includes the web server, malicious Crowds members, and local passive attackers. The degree of anonymity provided against these attackers is measured on a continuous scale ranging from “provably exposed” to “absolute privacy”. Absolute privacy means that the user is unobservable (see section 2.1), in addition to being anonymous. Between these two extremes, a number of intermediary points have been singled out (see Figure 10). For example, “probable innocence” means that the likelihood that a particular user is the sender is less than 1/2, while “beyond suspicion” implies that a user appears no more likely of being the sender than any other user in the system. For further information about the anonymity metric in Crowds, see Paper III.


Diaz et al. propose in [31] a generally applicable anonymity metric that is based on Shannon’s theories about information theory and entropy [32]. A similar metric was independently developed in parallel by Serjantov and Danezis [33]. For the purpose of this thesis, we will treat these two metrics as one single metric. Before applying the metric, all users must be assigned a certain probability of being the origin sender (see Figure 11). The metric produces a numerical value (≥ 0) which reflects the degree of anonymity provided against the given attacker model. This value is shared by all the users in the system. Both the size of the anonymity set and the probability distribution contribute to the resulting degree of anonymity (which is called the “effective size of the anonymity set” in [33]).

Figure 11: Probability distributions in the “information theory” based metric.

The metric differs from Reiter and Rubin’s earlier described model in some important respects. For example, it takes into consideration new knowledge that an attacker may gain through successful attacks. Hence, the resulting degree of anonymity is dynamic; it may change depending on, for example, changes in the knowledge of the attacker. What is more, the model is not analytical; anonymity must be determined through, for instance, simulation or measurements on a real network. The resulting degree of anonymity does not constitute a general value representing a particular type of anonymous overlay network. Instead, it represents the current degree of anonymity offered in a particular anonymous overlay network given a particular attacker model and distribution of messages in the network.
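The two kinds of metric discussed in this section, Reiter and Rubin’s qualitative scale for Crowds [11] and the entropy-based metric of Diaz et al. [31] / Serjantov and Danezis [33], worked on the same attacker-assigned probability distributions. This is an added example, not code from the thesis or from those papers; the three distributions are constructed sample attacker views (the uniform one is the DC-Net case of Figure 9).

```python
import math

# Constructed sample attacker views: sender -> probability of being the origin sender.
UNIFORM = {"alice": 0.25, "bob": 0.25, "carol": 0.25, "dave": 0.25}    # DC-Net-like (Figure 9)
SKEWED = {"alice": 0.5, "bob": 0.25, "carol": 0.125, "dave": 0.125}   # attacker has partial knowledge
EXPOSED = {"alice": 1.0, "bob": 0.0, "carol": 0.0, "dave": 0.0}       # anonymity set reduced to a singleton


def shannon_entropy(dist):
    """H = -sum p*log2(p) over the candidate senders (p = 0 terms contribute nothing)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def effective_anonymity_set_size(dist):
    """Serjantov and Danezis [33]: 2**H, the size of a uniformly distributed
    anonymity set that would leave the attacker equally uncertain."""
    return 2 ** shannon_entropy(dist)


def degree_of_anonymity(dist):
    """Diaz et al. [31]: d = H / H_max with H_max = log2(N). d = 1 when every
    user is equally likely, d = 0 when one user is identified with certainty."""
    n = len(dist)
    if n <= 1:
        return 0.0
    return shannon_entropy(dist) / math.log2(n)


def crowds_degree(user, dist):
    """Reiter and Rubin's scale [11] applied to one user's probability.
    'absolute privacy' cannot be read off a probability distribution (it needs
    unobservability), so it is never returned. 'possible innocence' is the
    Crowds paper's point between 'provably exposed' and 'probable innocence'
    (not named in the text above); it applies when p < 1 but p >= 1/2."""
    p = dist[user]
    others = [q for u, q in dist.items() if u != user]
    if p >= 1.0 or not others:
        return "provably exposed"
    if all(p <= q for q in others):  # no more likely than any other user
        return "beyond suspicion"
    if p < 0.5:                       # less than 1/2
        return "probable innocence"
    return "possible innocence"


def report(dist):
    """Bundle the metrics for one attacker view so they can be compared side by side."""
    return {
        "entropy_bits": round(shannon_entropy(dist), 6),
        "effective_set_size": round(effective_anonymity_set_size(dist), 4),
        "degree": round(degree_of_anonymity(dist), 6),
        "crowds": {u: crowds_degree(u, dist) for u in dist},
    }


if __name__ == "__main__":
    for name, dist in [("uniform", UNIFORM), ("skewed", SKEWED), ("exposed", EXPOSED)]:
        print(name, report(dist))
```

Note how the skewed view keeps four users in the anonymity set yet yields an effective set size of only about 3.36, and how the same distribution places alice, bob and carol at three different points of the Crowds scale.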

The anonymity metric applied in this thesis for mCrowds (see Paper III) is based on Reiter and Rubin’s earlier mentioned metric for Crowds [11]. The principal difference is that the attacker model has been adapted to also include attackers in the wireless domain. The choice of metric seemed a natural choice because (1) the underlying properties of mCrowds are largely based on Crowds, and (2) the purpose of the evaluation was to demonstrate that the degree of anonymity in mCrowds was comparable to that of Crowds.

2.5 Mobile Networks

A mobile network can loosely be defined as a network in which wireless and mobile nodes communicate. Mobile networks can be classified as being either ad hoc or infrastructured networks, conditional on whether central infrastructure (e.g., base stations or wireless access points) is required or not. Moreover, mobile networks may also be classified depending on the distance between the nodes. A Wireless Personal Area Network (WPAN) is a small mobile network spanning approximately the size of a room. A Wireless Local Area Network (WLAN) is a medium sized mobile network spanning, for instance, an office building. Finally, a Wireless Wide Area Network (WWAN) is a mobile network spanning a large geographical area. See Figure 12 for a basic taxonomy of mobile networks.

Figure 12: Basic taxonomy of mobile networks.

Mobile infrastructured networks have been available commercially for a number of years. Examples of standards are Bluetooth for WPANs, IEEE 802.11 for WLANs, and General Packet Radio Service (GPRS) or Universal Mobile Telecommunications System (UMTS) for WWANs. In the context of mobile infrastructured networks, we limit the scope of this thesis to two technologies for WWANs: mobile Internet and LBS. Mobile Internet is further described in Papers II and III, while LBS are discussed in Paper I.

In mobile ad hoc networks the nodes act both as hosts and as routers. Mobile ad hoc networks are often regarded as a required building block for ubiquitous applications. However, with the possible exception of the “ad hoc” mode in the IEEE 802.11 standard for WLANs, commercially available standards are yet to be deployed. Nevertheless, mobile ad hoc networks constitute an interesting research area and it is commonly believed that they will provide a backbone for future AMI applications. Mobile ad hoc networks are further discussed in Paper IV.

3 Research Issues

In this section, the underlying research questions and the research methodology utilized to address these questions are discussed.

3.1 Research Questions

The overall research questions for this thesis are:

1. What privacy risks are present in mobile networks, and, furthermore, what technical and legal requirements can be elicited for PETs for mobile networks developed to address these risks?

The first part of the question about the privacy risks is dealt with in Papers I and II. The second part of the question is addressed in Paper I (mostly legal requirements) and Paper IV (technical requirements), respectively. Such a list of suitable legal and technical requirements also serves as “evaluation criteria” according to which PETs for mobile networks can be evaluated, as partly done in Papers III and IV.

2. How can privacy be enhanced in mobile networks by technical means with a reasonable trade-off between anonymity protection and performance loss?

This question is further investigated in Papers III and IV. In order to approach an answer we need metrics for quantifying both anonymity (see section 2.4) and performance (see section 3.2). As a rule of thumb, a stronger degree of anonymity results in lower performance, and, thus, lower usability. Naturally, pocket-size mobile devices offer computational capabilities inferior to those of desktop computers or laptops. This imposes an upper limit on the amount and complexity of the operations a PET running in a mobile device can execute while still providing acceptable performance.

3.2 Research Method

The first research question posed in section 3.1 has chiefly been addressed by means of a combined literature study and theoretical analysis. We have generally applied two approaches for finding the privacy risks: first, we studied exposed personal data in certain given application scenarios, and, second, we defined possible misuse cases for these scenarios. Concerning requirements, the European legal framework has been scrutinized for legal requirements that apply in mobile network environments (Papers I and II). Moreover, technical requirements for mobile ad hoc networks and anonymity technologies have been derived from the literature (Paper IV).


When looking into the second research question posed in section 3.1, we have primarily applied experimental research. This research method relies on the underlying philosophical assumption that the world works according to a number of causal laws. The goal is to establish these cause-and-effect laws by performing experiments.

The type of experiment considered in this thesis is a performance evaluation. A performance evaluation is conducted to analyze a system’s (the studied entity, for instance an anonymous overlay network) performance (see e.g. [34]). During a performance evaluation various aspects of a system’s performance are scrutinized to, for example, compare two systems, fine tune system parameters, identify performance bottlenecks, or characterize the workload of a system. Before designing a performance evaluation, the researcher must decide which evaluation technique to use. Four common evaluation techniques are generally distinguished, namely analytical modeling, simulation, emulation, and live measurement (these techniques are further described in [34]).

• An analytical model can be explained as a mathematical expression describing the performance of a system. The modeled system’s performance can be predicted under a range of conditions by varying the input parameters of the model.

• In the same manner as analytical modeling, a simulation uses an abstract representation of the system. The abstraction is created by a computer program called the simulation tool. Compared to analytical modeling, it is easier to incorporate more details in a simulation, and, thus, simulations often produce more realistic results. Information about simulation in the context of performance evaluation can be found in [35].

• During an emulation, measurements are performed on a real implementation of a system running on real hardware. However, some aspects of the system are abstracted through an emulation tool. Emulation combines advantages of simulation (a controlled and reproducible environment) and of live measurement (a more realistic test environment).

• In a live measurement an operational system is studied (for instance, a computer network). One obvious advantage is that since real code is being tested in a real environment, any doubts as to whether the modeled system represents the real system are obviated, since in this case they are the same. However, when complex systems are tested it is generally hard to produce controlled and reproducible experiments.

Paper III describes the performance evaluation of our research prototype, mCrowds (see Papers II and III), which was conducted by means of emulation. One advantage of using emulation instead of simulation was the possibility to compare the case where a WAP request was sent through a virtual path in mCrowds to a (real) WAP server with the case where the WAP request was sent directly to the same WAP server. This was done in the second experiment in Paper III. On the other side of the coin, one reason for not choosing a live measurement was that in this case it would have been more difficult to produce a controlled and repeatable experiment. For example, during our emulation we used Dummynet [36] to impose an artificial propagation delay between the nodes in mCrowds to emulate a large geographical distance between the nodes.

Finally, two or more evaluation techniques are often combined to validate the results from a performance evaluation. In our case, as a complement to the emulation approach, we applied analytical modeling (albeit in an elementary form) in Paper III in order to examine what impact the system-wide probability constant pf in mCrowds had on performance and anonymity, respectively. It was also employed to validate the emulation results from the first experiment in Paper III (see Figure 5b in Paper III).

4 Related Work for Anonymity and Pseudonymity in Mobile Networks

In this section, PETs for protecting privacy in mobile networks are studied. Depending on which strategy is being employed for safeguarding privacy, PETs can basically be classified into one of the two categories described below. For the purpose of this thesis, we restrict the scope of this section to include only the first category.

1. PETs for enabling anonymity or pseudonymity: This category refers to techniques that protect privacy by avoiding, or at least minimizing, the collection of personal data in order to provide anonymity or pseudonymity. A legal requirement for anonymous system design can be derived from Art. 6 in the EU Directive 95/46/EC [5], which requires that all collected personal data must be: (Art. 6c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (Art. 6e) kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the data is collected or for which they are further processed.

2. PETs for enforcing legal requirements: This category refers to PETs that technically control that personal data are only used according to legal privacy provisions (as required by, for instance, Art. 17 EU Directive 95/46/EC [5]). In particular, this category also includes PETs that support informational self-determination by enabling users to control the release and usage of their personal data.

The remainder of this section is divided into two subsections that study related work in the context of mobile infrastructured networks and mobile ad hoc networks, respectively.

4.1 PETs for Mobile Infrastructured Networks

The scope of this section is limited to approaches aimed for WWANs (see section 2.5). To the best knowledge of the author, there are no existing proposals especially designed for anonymous WAP browsing besides mCrowds (see Papers II and III). However, mCrowds can also be used for providing anonymous LBS. For this reason, this section mainly covers PETs that enable anonymity or pseudonymity for LBS applications on the mobile Internet. Below, the most commonly proposed infrastructures for deploying LBS applications are concisely described, and, for each infrastructure, a number of PETs for enabling anonymity or pseudonymity are keyed out. Each LBS infrastructure incorporates at least three entities: the mobile device, the mobile operator, and the LBS provider. The LBS provider is responsible for hosting one or more LBS applications. The mobile operator is providing the backbone for wireless communication among the entities. Most often, it is also responsible for localizing the mobile device on behalf of the LBS provider. See Figure 13 for an illustration of the different infrastructures.

(a) 1st infrastructure. (b) 2nd infrastructure. (c) 3rd infrastructure. (d) 4th infrastructure.

Figure 13: LBS infrastructures: MO = Mobile Device, LI = Location Intermediary, U = User, LBS = LBS provider.

• In the infrastructure depicted in Figure 13(a), a geographical positioning device is embedded in the mobile device, such as a GPS (Global Positioning System) receiver. The users themselves can provide the location data to the LBS provider without first having to be localized by the mobile operator. This strategy empowers the users with the means of controlling the disclosure of their location information. However, embedded geographical positioning systems are still uncommon in mobile devices (especially in mobile phones). In [37], the authors propose a PET for this infrastructure that employs so-called camouflaging techniques that blur the relationship between the users and their corresponding location by degrading the spatial and/or temporal resolution of the location information. The less accurate the spatial and temporal resolution of an LBS request, the larger the anonymity set, and, thus, (in most cases) the stronger the anonymity.


• In the infrastructure depicted in Figure 13(b), the mobile operator both localizes the user and provides the LBS applications. It is generally difficult to protect privacy in this type of infrastructure since the mobile operator knows the identities of the users “by default”. One way to enhance privacy could be by letting two different subbranches of a mobile operator be responsible for the positioning and application hosting, respectively (given that they do not share their data).

• In the infrastructure depicted in Figure 13(c), LBS applications are offered by (3rd party) LBS providers. The mobile operator is responsible for providing LBS providers with the users’ location data. Along with the previous infrastructure, this infrastructure represents the state of the art of deploying LBS applications nowadays. Two examples of existing proposals for this infrastructure that implement pseudonymity are PRIVES [38] and Mix Zones [39]. PRIVES is intended for P2P-based LBS applications such as friend finders. Regarding Mix Zones, they can be defined as spatial regions where a user can switch his or her pseudonym in an unobservable way to prevent long term tracking of pseudonyms. A third and recent proposal is [40]. This proposal enables pseudonymous communication by letting a trusted location server mediate all LBS requests from the users.

• In the infrastructure depicted in Figure 13(d), a new entity, the location intermediary, is deployed between the mobile operator and the LBS provider to mediate requests on behalf of the user (for instance, in order to enhance privacy). To the best knowledge of the author, no such solutions are available today. However, a research prototype of an LBS architecture involving a location intermediary is currently under development within the PRIME project [41]. In this proposal all involved entities communicate using an underlying anonymous overlay network which, in combination with other privacy-enhancing functionalities deployed at each respective entity, prevents the entities from colluding in order to pool their data (such as the location or the LBS request) about the users in order to create extensive user profiles.

In order to validate the anonymity provided by the proposals keyed out above, the concept of k-anonymity is often used [37, 39, 40], which is based on the following idea: if k users “share” the same location (that is, their location data overlap when taking into account the spatial resolution of the data) and one of them issues an LBS request, it is not possible for the LBS provider to identify which one of them issued the request by merely studying the request. As described earlier in section 2.4, the size of the anonymity set is not the only deciding factor when quantifying the degree of anonymity. This is acknowledged in [40] which discusses how users can be re-identified by linking previously collected (possibly anonymous) location information.
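Spatial cloaking toward k-anonymity, as described for the camouflaging approach of [37] and used as a validation criterion in [37, 39, 40], together with the linking caveat raised by [40]. This is an added example, not code from any of those proposals; the positions, user identifiers and the power-of-two cell hierarchy are constructed assumptions.

```python
# Constructed sample positions: user -> (x, y) in metres on a local grid.
POSITIONS = {
    "A": (3, 4),    # the requester
    "B": (2, 5),
    "C": (7, 7),
    "D": (12, 1),
    "E": (30, 30),
}


def cell_of(x, y, level):
    """Cell coordinates when the plane is tiled with squares of side 2**level metres.
    Level 0 is full resolution; each further level halves the spatial resolution."""
    side = 1 << level
    return (x // side, y // side, level)


def users_in_cell(positions, target):
    """Users whose position falls in the given cell, i.e. the anonymity set an
    LBS provider sees when the request carries only the cell, not the exact point."""
    _, _, level = target
    return sorted(u for u, (x, y) in positions.items() if cell_of(x, y, level) == target)


def cloak(positions, requester, k, max_level=20):
    """Camouflaging by spatial degradation: coarsen the requester's location step
    by step until at least k users share the reported cell. Returns
    (cell, anonymity_set), or None if even the coarsest cell holds fewer than k users."""
    x, y = positions[requester]
    for level in range(max_level + 1):
        target = cell_of(x, y, level)
        members = users_in_cell(positions, target)
        if len(members) >= k:
            return target, members
    return None


def is_k_anonymous(request_cell, positions, k):
    """The k-anonymity condition for a single request: at least k users share the
    reported cell, so the LBS provider cannot single out the requester from it."""
    return len(users_in_cell(positions, request_cell)) >= k


def linkable_candidates(anonymity_sets):
    """Caveat from [40]: k-anonymity of each single request says nothing about a
    sequence of requests. Intersecting the anonymity sets of successive requests
    from the same (pseudonymous) requester can leave fewer than k candidates.
    Use this when evaluating whether a cloaking policy still holds over a session."""
    sets = [set(s) for s in anonymity_sets]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    for k in (1, 2, 3, 4, 5, 6):
        print("k =", k, "->", cloak(POSITIONS, "A", k))
    # Second snapshot of the same session: B has moved away, so A's level-3 cell no
    # longer holds three users and the cloak has to widen to a different set.
    later = dict(POSITIONS, B=(40, 40))
    first, second = cloak(POSITIONS, "A", 3)[1], cloak(later, "A", 3)[1]
    print("each request 3-anonymous, but linkable to:", linkable_candidates([first, second]))
```

Each of the two requests in the session is 3-anonymous on its own, yet their intersection leaves only two candidates, which is exactly the re-identification-by-linking problem the text attributes to [40].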

Although not especially designed for LBS, mCrowds (see Papers II and III) can be used for enabling anonymous use of LBS applications for the first infrastructure outlined above. Approaches belonging to this category are generally independent of the mobile operator, and, thus, do not require changes in the infrastructure of the mobile operator.


This is advantageous from the point of deployment. However, as earlier mentioned, such approaches require geographical positioning devices to be embedded in the mobile devices. Finally, mCrowds is optimized for achieving a reasonable trade-off between performance and the degree of anonymity in contrast to other approaches, such as [41], that primarily have maximum privacy protection as a design goal.

4.2 PETs for Mobile Ad Hoc Networks

Only recently has the research community acknowledged the importance of providing anonymity or pseudonymity for mobile ad hoc networks, in the form of a series of publications. In [42], Kong et al. analyze the need for anonymity protection in mobile ad hoc networks and conclude that the spectrum of needed anonymity protection includes the following: (1) protection against disclosure of the senders’ (or receivers’) identities, (2) disclosure of the nodes’ locations and motion patterns, (3) so-called venue anonymity (see below), and (4) privacy of the topology of the mobile ad hoc network. A “venue” is defined in [42] as “an identifiable location that is defined by the one-hop receiving range of an adversarial analyst”. As multiple potential senders (or receivers) may be situated within a specific venue, a venue constitutes a location measure with low spatial accuracy. Venue anonymity implies that the venue of the sender (or receiver) should not be identifiable within the set of all venues.

In [42], Kong et al. further highlight the need for anonymous routing schemes in mobile ad hoc networks (which could constitute an underlying building block for applications providing anonymous or pseudonymous communication in mobile ad hoc networks). A number of protocols for anonymous routing in mobile ad hoc networks have been proposed so far, including ANODR [43], MASK [44], and SDAR [45]. Instead of designing novel solutions, an alternative strategy is to adapt existing solutions for fixed or mobile infrastructured networks to make them suitable for mobile ad hoc networks. In [46], Jiang et al. propose a number of adaptations in order to make Chaum’s mixes [10] suitable for mobile ad hoc networks.

All the aforementioned approaches state (either implicitly or explicitly) requirements that any proposal must adhere to in order to be suitable for mobile ad hoc networks. These requirements are primarily focused on anonymity. For example, Kong et al. present in [42] a thorough investigation of what anonymity protection is needed in mobile ad hoc environments. In contrast, the requirements in Paper IV are more general in nature, also including other aspects essential for ad hoc networks, such as fairness. It uses these criteria in order to analyze whether existing P2P-based approaches for fixed or mobile infrastructured networks are also suitable for mobile ad hoc networks.

Finally, a significant difference between the anonymous routing protocols listed above and our proposal, outlined in Paper IV, is that our proposal operates above the transport layer in the OSI protocol stack, while the other protocols suggested so far operate below the transport layer. One advantage of our proposal is that it is not dependent on any specific underlying ad hoc routing protocol. A possible disadvantage is that such a solution offers less control regarding what information is being disseminated on lower layers.

5 Contributions

Below follows a summary of the main contributions of this thesis:

• We have identified and analyzed a number of possible privacy risks with mobile networks, especially in the area of mobile Internet. First, threats against informational and spatial privacy, in the context of WAP browsing and LBS applications, have been discussed (see Papers I and II). Second, possible privacy problems related to mobile ad hoc networks have been briefly discussed (Paper IV).

• We have elicited and described both technical and legal requirements for PETs for mobile networks. First, legal requirements have been presented for the mobile Internet that can be derived from the EU Directives 2002/58/EC [6] and 95/46/EC [5] (see Paper I). Second, a number of technical requirements have been outlined to which an anonymous ad hoc network must adhere in order to be useful in mobile ad hoc environments (see Paper IV).

• We have implemented and evaluated a low-latency anonymous overlay network for WAP browsing on the mobile Internet (mCrowds). First, a research prototype of mCrowds has been implemented in Java (see Paper II). Second, mCrowds has been evaluated by means of a performance evaluation (see Paper III). Third, the relationship between anonymity and performance in mCrowds has been examined by studying a system-wide security parameter of mCrowds (see Paper III).

• We have conducted a comparative study of existing P2P-based anonymous overlay networks to assess whether they are suitable for mobile ad hoc environments. The conclusion is that none of the state-of-the-art approaches is fully suitable for those environments (see Paper IV). The work of specifying and implementing an anonymous overlay network that is suitable for mobile ad hoc environments is left for future research.

6 Summary of Papers

Paper I – Privacy Risks and Challenges for the Mobile Internet

While the mobile Internet offers many useful services, it also poses new social risks and challenges that have to be addressed by law and technology. This paper presents trends for LBS applications and further discusses their privacy challenges and risks. It discusses how far the EU Directive 2002/58/EC on privacy and electronic communications [6] can help to protect privacy in mobile environments, and what the Directive's limitations and controversies are. Finally, it outlines how PETs can help to technically enforce the legal privacy requirements of the EU Directive 2002/58/EC.

Paper II – Enabling Anonymity for the Mobile Internet Using the mCrowds System

The mobile Internet is a fast growing technology that introduces new privacy risks. We argue that, since privacy legislation alone is not sufficient to protect the user’s privacy, technical solutions to enhance informational privacy of individuals are also needed. This paper introduces mCrowds, an anonymous overlay network that combines the concept of a Crowds-like system in a mobile Internet setting with a filtering functionality to enable anonymity towards the WAP servers.

Paper III – Privacy Enhanced WAP Browsing with mCrowds – Anonymity Properties and Performance Evaluation of the mCrowds System

While the mobile Internet provides LBS applications and other useful services, it also introduces new privacy risks. This paper describes mCrowds, an anonymous overlay network developed at Karlstads universitet that is intended for the mobile Internet. mCrowds enables anonymous WAP browsing and can further be used to minimize the disclosure of personal information when using LBS applications. This paper discusses the degree of anonymity provided by mCrowds.

Performance is of key importance for mobile Internet technologies, and has for this reason been an important design goal during the development of mCrowds. This paper therefore also studies the theoretical performance properties of mCrowds and the tradeoff between anonymity and performance. Besides, it provides and discusses the results of a practical performance evaluation of mCrowds. These evaluation results are promising as the overhead in performance introduced by mCrowds is relatively small compared to the total response latency when fetching WAP pages via the mobile Internet.
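The anonymity/performance tradeoff that Paper III studies is easiest to see in numbers. The following is an added example, not code from mCrowds or from the thesis; it assumes that the system-wide security parameter is the forwarding probability p_f of the underlying Crowds design by Reiter and Rubin, and it reproduces their closed-form results (expected path length p_f/(1-p_f) + 2, and the probable-innocence bound n >= (p_f/(p_f - 1/2))(c+1) against c colluding members) next to a small Monte Carlo simulation of the forwarding mechanism, so the formulas can be checked against the protocol's actual behaviour. The crowd size n, number of collaborators c and trial counts are made-up inputs.

```python
import math
import random


def expected_path_length(p_f):
    """Expected number of hops initiator -> ... -> server in Crowds.

    The initiator always forwards once; every further member forwards
    with probability p_f and otherwise submits to the server.  The number
    of extra forwards is geometric with mean p_f/(1-p_f); add the first
    hop and the final hop to the server.  (Reiter & Rubin's formula.)
    """
    return p_f / (1 - p_f) + 2


def prob_initiator_exposed(n, c, p_f):
    """P(I | H_1+): probability that the first colluding member on the path
    sees the initiator as its immediate predecessor, given that at least
    one of the c colluders is on the path (Reiter & Rubin)."""
    return 1 - p_f * (n - c - 1) / n


def probable_innocence(n, c, p_f):
    """Probable innocence holds when the colluders cannot be more than
    50% sure that the predecessor they see is the real initiator."""
    return prob_initiator_exposed(n, c, p_f) <= 0.5


def min_crowd_size(c, p_f):
    """Smallest crowd that gives probable innocence against c colluders.
    Requires p_f > 1/2; below that no crowd size is large enough."""
    if p_f <= 0.5:
        return None
    return math.ceil(p_f / (p_f - 0.5) * (c + 1))


def simulate_path(n, c, p_f, rng):
    """Build one Crowds path.  Members are 0..n-1, the initiator is 0 and
    the last c members collude (they still follow the protocol).  Returns
    (hops, predecessor_of_first_colluder) with None if no colluder was hit."""
    collaborators = range(n - c, n)
    predecessor, current = 0, rng.randrange(n)  # initiator forwards once
    hops = 1
    first_collab_pred = None
    while True:
        if current in collaborators and first_collab_pred is None:
            first_collab_pred = predecessor
        if rng.random() < p_f:
            predecessor, current = current, rng.randrange(n)
            hops += 1
        else:
            hops += 1  # final hop to the server
            break
    return hops, first_collab_pred


def estimate(n, c, p_f, trials=20000, seed=1):
    """Monte Carlo estimate of (mean path length, P(I | H_1+))."""
    rng = random.Random(seed)
    total_hops = exposed = with_collab = 0
    for _ in range(trials):
        hops, pred = simulate_path(n, c, p_f, rng)
        total_hops += hops
        if pred is not None:
            with_collab += 1
            if pred == 0:
                exposed += 1
    return total_hops / trials, exposed / with_collab


if __name__ == "__main__":
    # Made-up parameters: a crowd of 10 with 1 colluder, compared at two p_f values.
    for p_f in (0.6, 0.75):
        print(f"p_f={p_f}: expected path length {expected_path_length(p_f):.2f} hops, "
              f"P(I|H_1+)={prob_initiator_exposed(10, 1, p_f):.3f}, "
              f"probable innocence={probable_innocence(10, 1, p_f)}, "
              f"min crowd size for c=1: {min_crowd_size(1, p_f)}")
    print("simulated (path length, P(I|H_1+)) at p_f=0.75:", estimate(10, 1, 0.75))
```

Raising p_f lengthens the expected path (more latency on a slow mobile link) but lowers the colluders' certainty about the initiator; the `estimate` function lets one confirm that the closed-form values match what the forwarding protocol actually produces.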


Paper IV – Requirements for Privacy-Enhancements in Mobile Ad Hoc Networks

In this paper, requirements are formulated for anonymous overlay networks that enhance the privacy of mobile ad hoc network users. Besides, existing P2P-based anonymous overlay networks are analyzed and it is shown that none of them are compliant with those requirements. Finally, an ongoing design of an anonymous overlay network intended for mobile ad hoc environments is outlined in the paper.

7 Conclusions and Outlook

In this thesis, it has been investigated why privacy is needed and how it could be enhanced in mobile networks. Although the emphasis has been on the mobile Internet, mobile ad hoc networks have been studied as well.

It is pointed out in the thesis that the increasing deployment of mobile applications presents numerous privacy challenges. A number of privacy risks with mobile networks have been identified and analyzed. We have shown that there are both novel privacy risks and "old" privacy risks inherited from the world of fixed networks (for instance, the Internet). Based on this, we have concluded that there is a strong need for privacy protection in mobile networks, and, furthermore, that providing anonymous communication is the best starting point for safeguarding privacy. For this reason, we have elicited and described both technical and legal requirements for PETs in mobile networks. As a proof of concept, we have also implemented and evaluated a low-latency anonymous overlay network for WAP browsing on the mobile Internet (mCrowds). Moreover, we have illuminated the importance of taking into account the underlying infrastructure when designing and deploying PETs for providing anonymity. For example, we have conducted a comparative study of existing P2P-based anonymous overlay networks to assess whether they are suitable for mobile ad hoc environments. The results demonstrated that a functional solution developed for mobile infrastructured networks may still be inappropriate for use in mobile ad hoc networks.

As for future research, section 4 clearly showed that PETs are lacking for certain kinds of mobile networks, especially in the area of mobile ad hoc networks. For this reason, an area of future research will be to extend the efforts described in Paper IV to design an anonymous overlay network suitable for mobile ad hoc networks. Furthermore, it is planned to broaden the scope from focusing exclusively on solutions for anonymous communication to also include solutions for pseudonymous communication.

References
