Anonymous communication over social networks

1. Anonymous communication over social networks Shishir Nagaraja Security Group Computer Laboratory

2. What is anonymity? • You can’t tell who did what. Who wrote this blog post? Who is accessing this website?!! Who drew this cartoon?

3. More formally, it means indistinguishability from an “anonymity set”. a b d User1 c The attacker can’t tell who User1 is talking to! f e n

4. What anonymity is not • It isn’t cryptography. User1 User x Attacker [Random content]

5. Anonymity Network User 1 User a User 2 User 3 User b User n User c Attacker What anonymity is not • It isn’t steganography.

6. So what does anonymity mean, again? • Unlinkability: Hide the connection between the senders and the recipients. • Untraceability: Hide the connection between actions of the same sender. • Unobservability: Hide the fact that the user is talking. • Sender and Recipient anonymity. • High Latency vs Low Latency systems.

7. Introducing …mix-networks! Source: R. Dingledine, Mixminion, PET 2003.

8. Anonymity with Mix networks Source: R. Dingledine, Mixminion, PET 2003.

9. Basic aim • We present a mix network topology that is based on social networks • We would like to analyze the anonymity such networks provide under a high-latency assumption.

10. Why is this a good idea? • Unlike encryption, it’s not enough for just a few users to want anonymity. The infrastructure must participate! • Systems need cover traffic. (to attract high-sensitivity users one needs low sensitivity users) • Why should a mix server process your traffic? • Do you talk a lot to your friends? – then you need less cover traffic • It is much more difficult to block communication with your friends than well known mix nodes on the Internet.

11. A plausible setting – High latency mix network • Consider the live-journal network of friendship ties. • Assume that sometime in the future, users have a live-journal client that can run a mix. • Users running mix nodes publish their mix keys on their area. • Users discover mixes with random walks. • Senders select routes from this topology.

12. Measuring Anonymity • We use the information theoretic metric of Danezis and Serjantov (2003) “Anonymity of a system may be defined as the amount of information the attacker is missing to uniquely identify an actor’s link to an action”. Α=Ε(i)

13. theoretical anonymity bounds in this case? • Path selection is abstracted as a random walk. • Mixing rate on scale-free graphs – steps in which the random walk converges to the Markov chain stationary distribution.

14. Applying results from spectral graph theory of BA scale-free networks (Mihail et.al. 2005) we find that conductance is a constant for all scalefree graphs with dmin>=2.

15. Example • Consider an expander graph of size 1000 with 40links per node (gives you good expansion properties) • The fundamental limit of how quickly a network can mix depends on 2>=0.3122 • In a social network using a BA-scalefree model we have for 1000 nodes with 4 edges per node 2 >=0.6363229 • 4-6 steps for expander vs 8-10 for a scalefree graph.

16. Convergence

17. Corrupt nodes Anonymity Network Mix1 User 1 User a Mix1 Mix1 User 2 User 3 User b Mix1 Mix1 User n User c Attacker

19. Conclusions • RW on social networks based on BA scalefree graphs will take longer to converge, but you’ll get there. • We have applied results from graph theory of skewed degree topologies to throw light on how anonymity on these networks may be analyzed. • Further evaluation of anonymous communication over social networks should be exciting!

20. Definitions