MTU CS 6461 - Crowds Anonymity for Web Transactions

This preview shows page 1-2-22-23 out of 23 pages.


Crowds: Anonymity for Web Transactions

Michael K. Reiter and Aviel D. Rubin
AT&T Labs—Research

In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of "blending into a crowd", operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—security and protection; C.2.2 [Computer-Communication Networks]: Network Protocols—applications; K.4.1 [Computers and Society]: Public Policy Issues—privacy; K.4.4 [Computers and Society]: Electronic Commerce—security

General Terms: Security

Additional Key Words and Phrases: anonymous communication, world-wide-web

1. INTRODUCTION

    Every man should know that his conversations, his correspondence, and his personal life are private. — Lyndon B. Johnson, president of the United States, 1963–69

The lack of privacy for transactions on the world-wide-web, or the Internet in general, is a well-documented fact [Brier 1997; Miller 1997]. While encrypting communication to and from web servers (e.g., using SSL [Hickman and Elgamal 1995]) can hide the content of the transaction from an eavesdropper (e.g., an Internet service provider, or a local system administrator), the eavesdropper can still learn the IP addresses of the client and server computers, the length of the data being exchanged, and the time and frequency of exchanges. Encryption also does little to protect the privacy of the client from the server. A web server can record the Internet addresses at which its clients reside, the servers that referred the clients to it, and the times and frequencies of accesses by its clients. With additional effort, this information can be combined with other data to invade the privacy of clients even further. For example, by automatically fingering the client computer shortly after an access and comparing the idle time for each user of the client computer with the server access time, the server administrator can often deduce the exact user with high likelihood. Some consequences of such privacy abuses are described in [Miller 1997].

In this paper we introduce a new approach for increasing the privacy of web transactions and a system, called Crowds, that implements it. Our approach is based on the idea of "blending into a crowd", i.e., hiding one's actions within the actions of many others. To execute web transactions in our model, a user first joins a "crowd" of other users. The user's request to a web server is first passed to a random member of the crowd. That member can either submit the request directly to the end server or forward it to another randomly chosen member, and in the latter case the next member chooses to submit or forward independently. When the request is eventually submitted, it is submitted by a random member, thus preventing the end server from identifying its true initiator. Even crowd members cannot identify the initiator of the request, since the initiator is indistinguishable from a member that simply forwards a request from another.

In studying the anonymity properties provided by this simple mechanism, we introduce the notion of degrees of anonymity. We argue that the degree of anonymity provided against an attacker can be viewed as a continuum, ranging from no anonymity to complete anonymity and having several interesting points in between. We informally define these intermediate points, and for our Crowds mechanism described above, we refine these definitions and prove anonymity properties for our system. We expect these definitions and proofs to yield insights into proving anonymity properties for other approaches, as well.

An intriguing property of Crowds is that a member of a crowd may submit requests initiated by other users. This has both negative and positive consequences. On the negative side, the user may be incorrectly suspected of originating that request. On the positive side, this property suggests that the mere availability of Crowds offers the user some degree of deniability for her observed browsing behavior, if it is possible that she was using Crowds. Moreover, if Crowds becomes widely adopted, then the presumption that the computer from which a request is received is the computer that originated the request will become decreasingly valid (and thus decreasingly utilized).

The anonymity provided by Crowds is subject to some caveats. For example, Crowds obviously cannot protect a user's anonymity if the content of her web transactions reveals her identity to the web server (e.g., if the user submits her name and credit card number in a web form). More subtly, Crowds can be undermined by executable web content that, if downloaded into the user's browser, can open network connections directly from the browser to web servers, thus bypassing Crowds altogether and exposing the user to the end server. In today's browsers, such executable content takes the form of Java applets and ActiveX controls. Therefore, when using Crowds, it is recommended that Java and ActiveX be disabled in the browser, which can typically be done via a simple preferences menu in the browser.

The rest of this paper is structured as follows. In Section 2, we more precisely state the anonymity goals of our system and introduce the notion of degrees of anonymity. This gives us sufficient groundwork to compare our approach to other approaches to anonymity in Section 3. We describe the basic Crowds mechanism in Section 4 and analyze its security in Section 5. We describe the performance and scalability of our system in Sections 6 and 7, respectively. We discuss crowd membership in Section 8, the system's user interface in Section 9, and the obstacles that firewalls present to wide scale adoption of Crowds in Section 10. We conclude in Section 11.

[Figure: scale of degrees of anonymity, with points labeled absolute privacy, beyond suspicion, probable innocence, possible innocence, exposed, provably exposed]
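
The forwarding mechanism described in the introduction above (a request goes to a random member, who either submits it or forwards it to another random member), as an added simulation that is not code from the paper or from the Crowds implementation. The forwarding probability `p_forward`, uniform member selection that may pick the sender itself, the numbering of collaborating members as 0..c-1, and all parameter values are assumptions constructed for illustration.

```python
import random
from collections import Counter

def build_path(initiator, n, p_forward, rng):
    """Members a request visits: initiator first, submitting member last."""
    path = [initiator, rng.randrange(n)]   # first hop: always to a random member
    while rng.random() < p_forward:        # assumed biased coin: forward again ...
        path.append(rng.randrange(n))      # ... to a uniformly chosen member
    return path                            # path[-1] submits to the web server

def submitter_shares(initiator, n, p_forward, trials, seed=1):
    """The end server's view: share of requests submitted by each member."""
    rng = random.Random(seed)
    seen = Counter(build_path(initiator, n, p_forward, rng)[-1]
                   for _ in range(trials))
    return [seen[m] / trials for m in range(n)]

def predecessor_is_initiator(n, c, p_forward, trials, seed=1):
    """The collaborating members' view. Members 0..c-1 collaborate (assumption).
    Among paths that reach one of them, return the fraction in which the member
    that handed the request to the first collaborator really was the initiator."""
    rng = random.Random(seed)
    hits = reached = 0
    for _ in range(trials):
        initiator = rng.randrange(c, n)    # the initiator is an honest member
        path = build_path(initiator, n, p_forward, rng)
        first = next((i for i, m in enumerate(path) if m < c), None)
        if first is not None:              # a collaborator is on this path
            reached += 1
            hits += path[first - 1] == initiator
    return hits / reached

if __name__ == "__main__":
    N, C, PF = 20, 4, 0.75                 # constructed parameters
    shares = submitter_shares(initiator=7, n=N, p_forward=PF, trials=40000)
    print("initiator's share at the server: %.3f (uniform would be %.3f)"
          % (shares[7], 1 / N))
    print("predecessor of first collaborator is the initiator: %.3f"
          % predecessor_is_initiator(N, C, PF, 40000))
```
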

