Field study: Evaluation of the possible impact of intersection attacks on the AN.ON/JonDonym system
Study goals
So-called intersection attacks are known to be, in theory, very powerful attacks on anonymisation services such as AN.ON/JonDonym. At the moment, we consider this attack to be quite difficult to mount. This might change drastically in 2009 with the advent of the new German Telecommunications Act, which includes, among other things, an obligation of data retention. The purpose of our study is to evaluate how effective intersection attacks could be in practice when data retention is enforced by the new law.
Background
The idea behind intersection attacks is quite simple: an adversary observes both ends of an anonymisation service with the goal of assigning website requests to senders. For a single observation, the anonymisation service hides the sender within the set of all users who are currently logged in. We call this set of users the anonymity set. The problem is that the adversary will watch the anonymisation service over a longer period of time, for instance six months. Thus, he will be able to learn that two requests are caused by the same user if the requests contain an identifier, for instance a username for the web service. Mounting an intersection attack means taking observations from two (or more) events where the same sender requested websites and intersecting the corresponding anonymity sets. The result is the set of users who were logged in at the time of all of these events. This quickly narrows the anonymity set down to a singleton and thus reveals the identity of the sender.
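How fast the anonymity set shrinks can be measured on session data. The following Python sketch is an added example, not code from the study or from JAP/JonDo; the user ids, the sample events, the function names and the assumption that users are online independently with a fixed probability are all constructed for illustration.

```python
import random

# Constructed sample: users logged in at three events linked to one sender.
SAMPLE_EVENTS = [{"a", "b", "c", "d"}, {"a", "c", "e"}, {"c", "f"}]

def intersect_anonymity_sets(observations):
    """Intersect the anonymity sets of linked events.

    Returns the remaining candidate set and its size after each event,
    i.e. the anonymity the service still provides at that point.
    """
    candidates, sizes = None, []
    for online in observations:
        candidates = set(online) if candidates is None else candidates & online
        sizes.append(len(candidates))
    return (candidates or set()), sizes

def expected_size(n_users, p_online, k_events):
    """Expected candidate-set size after k linked events, assuming every
    other user is online independently with probability p_online."""
    return 1 + (n_users - 1) * p_online ** k_events

def simulate(n_users=1000, p_online=0.2, n_events=12, seed=1):
    """Simulate linked events for user 0 among n_users (constructed data)."""
    rng = random.Random(seed)
    observations = []
    for _ in range(n_events):
        online = {u for u in range(1, n_users) if rng.random() < p_online}
        online.add(0)  # the observed sender is online at every linked event
        observations.append(online)
    return intersect_anonymity_sets(observations)

if __name__ == "__main__":
    print(intersect_anonymity_sets(SAMPLE_EVENTS))
    _, sizes = simulate()
    for k, size in enumerate(sizes, start=1):
        print(k, size, round(expected_size(1000, 0.2, k), 2))
```

Comparing the simulated sizes with `expected_size` shows how many linked sessions a given user base and online rate can absorb before the set collapses, which is the quantity the retention period directly affects.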
Study details
We intend to study the relevance of intersection attacks for AN.ON/JonDonym in practice. For that, we, the researchers at the Chair of Privacy and Data Security at TU Dresden, intend to simulate intersection attacks and thus need to recognise users again when they log in. This is not possible in normal operation of AN.ON/JonDonym: the situation in which one and the same user logs in several times is indistinguishable for us from the situation in which several different users log in. Thus, we adapted JAP/JonDo such that a random number is generated as an identifier for each user who is willing to support our study.
Note that no identifier will be generated and the operation of JAP/JonDo will be as usual, unless you grant us permission to acquire the identifier. In case of permission, the identifier will be transmitted to the first Mix whenever the user logs in. This would allow us to recognise users across sessions. In contrast to realistic attacks, our simulation will not include the linking of users to their web requests. Thus your web surfing remains anonymous. Besides, the study will only affect the free cascades. Commercial cascades do not participate in our study.