Anonymity is clearly in demand. The online anonymity network Tor claims that 36 million people have used the system since it was first deployed about a decade ago.
The system conceals its users’ identities by encrypting communications and routing them at random through a set of servers. This ensures that the sender and recipient cannot be identified by an eavesdropper along the way. What’s more, the last node in the route always appears as the originator of the message, at least as far as the recipient is concerned.
That protects the location and identity of both the sender and receiver.
However, Tor has some limitations. The nodes in this network are maintained by volunteers running free client software. Each node periodically downloads a list of all other nodes so that it can route information accordingly.
This makes it vulnerable to certain types of attack. For example, attackers could set up a large number of their own nodes which modify the routing lists so that all the data stays within this malicious network. It’s then a simple job to track the route of every data packet that passes through it.
Today, Prateek Mittal at the University of California, Berkeley, and a few pals say they’ve worked out how to prevent this, or at least dramatically minimise the chances of it happening.
These guys say the problem of malicious nodes can be reduced by exploiting the ordinary social networks that people belong to. Their idea is that the best way to route data is along a random walk through a social network because ordinary people are unlikely to have strong relationships with malicious attackers.
Of course, attackers could attack such a system in various ways. For a start, every node in this system still needs to regularly download an updated list of nodes. Attackers could set up malicious nodes that re-write this list so that data is routed only to malicious nodes.
What’s more, these attackers could set up their own system of nodes that looks like a social network and use this to route and track data.
But Mittal and co say they can prevent both these kinds of attacks. First, their protocol is designed so that neighbouring nodes must reciprocate links. So if a malicious node deletes information from the list about a neighbour, the neighbour will delete the details of the malicious node. In this way, malicious nodes tend to become ghettoised so that they only connect to each other.
Mittal and co have another trick up their sleeve. Since malicious nodes must have lots of links to other malicious nodes, the protocol is biased against neighbours with lots of links.
That means nodes tend not to route data to other nodes with lots of links, thereby helping to avoid malicious nodes.
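The two defences described above (reciprocated links and a bias against well-connected neighbours), as an added Python sketch that is not code from the Pisces paper or project. The node names, the sample neighbour lists and the acceptance rule min(1, deg(current) / deg(neighbour)) are assumptions chosen for illustration.

```python
import random

# Constructed sample: each node's advertised neighbour list.
# a-d are honest users; m1-m4 are attacker nodes. m2 has dropped d.
ADVERTS = {
    "a": {"b", "c"}, "b": {"a", "c", "d"}, "c": {"a", "b", "m1"},
    "d": {"b", "m2"}, "m1": {"c", "m2", "m3", "m4"},
    "m2": {"m1", "m3", "m4"}, "m3": {"m1", "m2", "m4"},
    "m4": {"m1", "m2", "m3"},
}

def reciprocal_links(adverts):
    """Keep a link only when both endpoints advertise each other."""
    return {node: {p for p in peers if node in adverts.get(p, set())}
            for node, peers in adverts.items()}

def step_probs(graph, node):
    """Transition probabilities for one hop, biased against high degree.

    A neighbour is proposed uniformly and accepted with probability
    min(1, deg(node) / deg(neighbour)); a rejected proposal stays put.
    (Assumed rule, used here to illustrate the bias.)
    """
    degree = len(graph[node])
    if degree == 0:
        return {node: 1.0}
    probs = {n: min(1.0, degree / len(graph[n])) / degree
             for n in graph[node]}
    probs[node] = max(0.0, 1.0 - sum(probs.values()))
    return probs

def walk(graph, start, hops, rng):
    """Follow `hops` biased steps from `start`; return the final node."""
    node = start
    for _ in range(hops):
        probs = step_probs(graph, node)
        node = rng.choices(list(probs), weights=list(probs.values()))[0]
    return node

GRAPH = reciprocal_links(ADVERTS)

if __name__ == "__main__":
    print("d's links after reciprocity check:", GRAPH["d"])
    print("hop probabilities from c:", step_probs(GRAPH, "c"))
    print("3-hop walk from a ends at:", walk(GRAPH, "a", 3, random.Random(7)))
```

From c, a uniform random walk would give the attacker node m1 a 1/3 chance of being the next hop; the degree bias lowers that to 1/4, and the unreciprocated d-m2 link disappears entirely.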
Mittal and pals called their new system Pisces and have tested it using experimental networks designed to mimic social nets in which they claim it works well. “The overall anonymity provided by our system significantly outperforms existing approaches,” they say.
However, there are a number of drawbacks. For a start, Pisces cannot prevent a targeted attack against a specific individual, since an attacker can always attempt to massively infiltrate a user’s social network and then monitor all outgoing information.
But a more serious problem is that the routing lists that Pisces distributes reveal the structure of the social network. In other words, it makes every user’s social contacts public to anybody who wants to see. “Pisces does not preserve the privacy of users’ social contacts,” admit Mittal and friends.
That’s a potential show-stopper. Just ask Google about its ill-fated Buzz network which suffered a similar flaw and had to be shut down as a result.
There are always trade-offs in security. In this case, users trade anonymity of communication against the privacy of their social contacts.
Too much to pay? Answers in the comments section please.
Ref: arxiv.org/abs/1208.6326: Pisces: Anonymous Communication Using Social Networks