\documentclass[landscape]{slides} \usepackage{color} \pagecolor{blue} \color{yellow} \newif\ifpdf \ifx\pdfoutput\undefined \pdffalse \else \pdfoutput=1 \pdftrue \fi \newenvironment{tightlist}{\begin{list}{$\bullet$}{ \setlength{\itemsep}{0mm} \setlength{\parsep}{0mm} % \setlength{\labelsep}{0mm} % \setlength{\labelwidth}{0mm} % \setlength{\topsep}{0mm} }}{\end{list}} \begin{document} \ifpdf \pdfcompresslevel=9 \pdfpagewidth=\the\paperwidth \pdfpageheight=\the\paperheight \fi \newcommand\slidetitle[1]{\begin{center} \huge #1 \end{center}} \begin{slide} \begin{center} \Huge On the Economics of Anonymity\\ \vspace{1in} \begin{tabular}{ccc} \large Alessandro Acquisti &\hspace{.2in} & \large Roger Dingledine \\ \large SIMS, UC Berkeley &\hspace{.2in} & \large The Free Haven Project\\ \\ \multicolumn{3}{c}{\large Paul Syverson} \\ \multicolumn{3}{c}{\large Naval Research Lab} \end{tabular} \end{center} \end{slide} \begin{slide} \large \slidetitle{Paper overview} \begin{tightlist} \item Motivation \item Social/economic difficulties deploying anonymous (traffic analysis resistant) communication systems \item An economic framework \item Types of agents \item Concluding remarks \end{tightlist} \end{slide} \begin{slide} \large \slidetitle{Many people need anonymity} \begin{tightlist} \item Individuals are tracked and profiled daily. Imagine what they'll have in your dossier in twenty years. \item (If that doesn't scare you, think of your kids.) \item Political dissidents in oppressive countries \item Governments want to do operations secretly. \item Corporations are vulnerable to traffic analysis,\\ corporate espionage -- VPNs, encryption don't help \end{tightlist} \end{slide} \begin{slide} \slidetitle{Anonymity is hard for economic/social reasons too} \large \begin{tightlist} %\item Small space problem --- no place to hide\\ % often trying to hide among only a few \emph{known} items \item Anonymity requires \emph{inefficiencies} in computation, bandwidth, storage \item Unlike encryption, it's not enough for just one \\person to want anonymity --- the infrastructure must participate \end{tightlist} \end{slide} \begin{slide} %\slidetitle{\emph{Other people} provide your anonymity (noise)} \slidetitle{Hide users with users} \large \begin{tightlist} \item Anonymity systems use messages to hide messages (the more noise, the more anonymous something in that noise is) \item Senders are consumers of anonymity, and providers of cover traffic that creates anonymity for others \item Users might be better off on crowded systems, even if those systems have weaker anonymity designs % \item You're always better off going where the noise is \end{tightlist} \end{slide} \begin{slide} \slidetitle{More users is good} \large \begin{tightlist} \item High traffic $\Rightarrow$ better performance (with same anonymity) \item Better performance $\Rightarrow$ high traffic \item Attracts more users: faster \emph{and} more anonymous \end{tightlist} \end{slide} \begin{slide} \slidetitle{But trust bottlenecks are dangerous} \large \begin{tightlist} \item Nodes with more traffic must be more trusted \item Adversary can give good service $\Rightarrow$ see more traffic\\ (and knock down other good providers) \item Performance and efficiency metrics \emph{cannot} \\distinguish bad guys from good guys \end{tightlist} \end{slide} \begin{slide} \slidetitle{Strong anonymity requires distributed trust} \large \begin{tightlist} \item An anonymity system can't be just for one entity\\ (even a large corporation or government) \item You must carry traffic for others to protect yourself \item But those others don't want to trust their traffic to just one entity either \end{tightlist} \end{slide} \begin{slide} \slidetitle{Can we fund it by offering service for money?} \large \begin{tightlist} \item Freedom taught us that end-users won't pay enough for strong anonymity \item (Ok, ok, it's more complicated than that.) \end{tightlist} \end{slide} \begin{slide} \slidetitle{Can we get volunteers to run nodes?} \large \begin{tightlist} \item Liability, especially for exit nodes \item Having lots of nodes might work, but \ldots \item Make an example of a few well-chosen nodes $\Rightarrow$\\ scare everybody \item We can allow nodes to set individual exit policies \item Remains an open problem \end{tightlist} \end{slide} \begin{slide} \slidetitle{Pseudospoofing: volunteers are a danger too} \large \begin{tightlist} \item Are half your nodes run by a single bad guy? \item Global PKI to ensure unique identities? No. \item Decentralized trust flow algorithms? Not yet. \item Still a major open problem for dynamic \\decentralized anonymity systems \end{tightlist} \end{slide} \begin{slide} \slidetitle{Customization and preferential service are risky} \large \begin{tightlist} \item We'd like to let users pay (or pay more) for\\ preferential treatment, e.g., stronger anonymity\\ parameters \item But the hordes in the coach seats are better off anonymity-wise than those in first class. \item Those who want first class anonymity have\\ incentive to encourage free riders \end{tightlist} \end{slide} \begin{slide} \slidetitle{It would seem we're screwed} \large \begin{tightlist} \item Inefficiency costs that propagate back to the users chase users away \item Usability is a \emph{security} objective: anonymity \\systems are nothing without users. \item It's critical that we integrate privacy into the \\systems we use to interact. \item But it's hard enough to build a killer app. \\ It's going to be really really hard to solve all the factors at once. \end{tightlist} \end{slide} \begin{slide} \center{\slidetitle{Multiplayer Strategic agents}} \begin{tightlist} \large \item ``Public good with free-riding'' (Tragedy of the commons) % \begin{tightlist} \item Collectively agents produce good (anonymity) \item But individuals may free ride % \end{tightlist} \item Under which conditions will a system with many players not implode? \end{tightlist} \end{slide} \begin{slide} \center\slidetitle{{Highly sensitive agents actually want some level of free-riding, to provide noise.}} \large \begin{tightlist} \item But, just enough free-riding for benefits to dominate costs. \item Right distribution of valuations $\Rightarrow$ equilibria:\\ agents with the highest valuations become nodes, others provide traffic. \end{tightlist} \end{slide} \begin{slide} \center{\slidetitle{Alternative node incentive mechanisms}} \bf{ \begin{tightlist} \item Usage fee. \begin{tightlist} \item Market support for low overhead services (Anonymizer) \item Inadequate market for strong (high cost) anonymity \item Hybrid: Larger incentive for high sensitivity volunteers to run nodes \end{tightlist} \item Altruistic agents. --- Motivated by public good. \begin{tightlist} \item Governments, Public service entities \end{tightlist} \item Public rankings and reputation. \begin{tightlist} \item High reputation attracts more cover traffic \item Reward in itself \end{tightlist} \end{tightlist}} \end{slide} \begin{slide} \center{\slidetitle{Conclusions}} \bf{\begin{tightlist} \item Systems need cover traffic (many low-sensitivity users) to attract the high-sensitivity users \item Most users do not want (know they want) anonymity \begin{tightlist} \item Weak security (small mix batch, no-delay proxy)\\ $\Rightarrow$ more users\\ $\Rightarrow$ possibly \emph{stronger} anonymity \end{tightlist} %\item Reputation has a complex but critical influence on node %participation. We must investigate its role more thoroughly. \item High-sensitivity agents have incentive to run nodes \begin{tightlist} \item so they can be certain first node in their routes is trusted \item to attract cover traffic for their messages \end{tightlist} \item There can be an optimal level of free-riding. \item Key open problem: exit node liability %\item The deployment of a completely decentralized system might %involve coordination costs which make it unfeasible. A central %coordination authority to redistribute payments may be more %practical. \end{tightlist}} \end{slide} \begin{slide} \center{\slidetitle{QUESTIONS?}} \end{slide} \end{document} \begin{slide} \slidetitle{Synchronous systems} \large \begin{tightlist} \item Each message has a deadline by which the node must pass it on \item Length of paths is fixed, paths might even be public \item Anonymity is now based on size of batch at widest point, even for free-route systems \item Improves flooding/trickle attacks \item But harder to synchronize, especially for low-latency systems \end{tightlist} \end{slide} \begin{slide} \slidetitle{Privacy Enhancing Technologies workshop} \large \vspace{1in} \begin{center} March 26-28, 2003\\ Dresden, Germany\\ http://petworkshop.org/ \end{center} \end{slide} \begin{slide} \begin{center} An example: Directory servers \end{center} \begin{tightlist} \item Distribute location, capabilities, key info, performance stats \item A single directory server is a point of failure \item Redundant directory servers: must be (provably!) \\synchronized to avoid partitioning attacks \item Can distinguish between clients that use static lists and clients that update frequently \end{tightlist} \end{slide} \begin{slide} \begin{center} Directory servers (2) \end{center} \begin{tightlist} \item But even if client information is uniform, nodes can still do trickle attack: hold message until other clients have different information. \item Introducing reputation means adversary has new avenue to manipulate client information \item Tension between giving clients accurate timely information, and preventing adversary from manipulating client behavior \end{tightlist} \end{slide} \begin{slide} \begin{center} \slidetitle{Myopic agent: Simplest Case} \end{center} \begin{tightlist} \item Does not consider affect of its choices on others \item High sensitivity agents: probably accept trade-off of becoming nodes because they risk a lot by losing their anonymity, and because acting as nodes significantly increases their probabilities of remaining anonymous. \item Very Low sensitivity agents: cost/hassle of sending through the system too high. \end{tightlist} \end{slide} \begin{slide} \begin{center} \slidetitle{Strategic agents, one-on-one interactions} \end{center} \begin{tightlist} \item Considerations: \begin{tightlist} \item Other agent's sensitivity known (high? low?) or unknown \item Other agent honest or dishonest. \end{tightlist} \item This case can have equilibria with free-riding even when the other agent's type is unknown (cf. Palfrey and Rosenthal 1989). \item If you care enough about your anonymity, you may not care if the other guy freeloads. \end{tightlist} \end{slide} \begin{slide} \begin{center} \slidetitle{The model} \end{center} \begin{tightlist} \item Agent tries to minimize costs of sending messages and risks of being tracked. Consider: \item $$ u_{i}=-v_{a_{i}}\left( 1-p_{a}\left( n_{s},n_{h},n_{d},a_{i}^{h}\right) \right) -c_{s}a_{i}^{s}-c_{h}\left( n_{s},n_{h},n_{d}\right) a_{i}^{h}-c_{n} $$ \item Prob(anonymity loss, given number senders, honest/dishonest nodes, and self action), weighted by disutility $v_{a_i}$ of message exposure. \item Costs of sending a message through the mix-net, acting as a node given $n_{s}$ agents sending messages over $n_{h}$ and $n_{d}$ nodes, and sending messages through a non-anonymous system. \item Each period, a rational agent can compare the utility coming from each of these three one-period strategies: \textbf{1) act as node, 2) act as user, 3) do not send message}. \end{tightlist} \end{slide} Cut stuff about dummy traffic Free riding is a good thing and that's economically unique Cut types of agents discussion \begin{slide} \slidetitle{Need to manage incentives} \large \begin{tightlist} \item Users have incentive to run a node, to get more anonymity. That's a good start. %\item Equilibrium where people who need anonymity run nodes, and others %use them? %\item Dummy traffic can help maintain anonymity -- but why should others %send dummy traffic to help \emph{your} anonymity? \item If anonymity for all requires each user doing similar things, how do we deal with users who don't want as much anonymity? \end{tightlist} \end{slide} \begin{slide} \begin{center} \slidetitle{Analytic Framework} \end{center} \begin{tightlist} \item Agents are \emph{sensitive} to (value) their anonymity. \item Sensitivity to anonymity randomly distributed in model. \item Focus is sender (communication initiator) anonymity. \item Agents' actions: \begin{enumerate} \item Act as a sender of the anonymity system. \item Act as an honest node. \item Act as a dishonest node. \item Send ``around'' anonymity system or simply do not send. \end{enumerate} \end{tightlist} \end{slide} \begin{slide} \begin{center} \slidetitle{Benefit from Sending through Anonymity System} \end{center} \begin{tightlist} \item Anonymous sending benefit, function of: \begin{itemize} \item Subjective value of agent for message arriving. \item Subjective value of keeping her identity anonymous. \item The perceived level of anonymity in the system. \item The perceived level of reliability in the system. \item Factors affecting above probabilities: number of senders in system, number acting as a node, honest, dishonest, etc. \end{itemize} \end{tightlist} \end{slide} \begin{slide} \begin{center} \slidetitle{Benefit from Being a Node} \end{center} \begin{tightlist} \item Trusted entry point to anonymity system. \item Better cover traffic for your own messages. \item Possible reward (money or service) for carrying traffic/making dummies. \color{magenta} \item \color{yellow} Being a bad node \color{magenta} \begin{tightlist} \item \color{yellow}Disrupt service. \color{magenta} \item \color{yellow}Obtain traffic information. \color{magenta} \item \color{yellow}Possibly reward without providing service. \color{magenta} \end{tightlist} \end{tightlist} \end{slide} \begin{slide} \begin{center} \slidetitle{Costs of Using Anonymity System} \end{center} \begin{tightlist} \item Sender cost:\\ Delay/uncertainty of delivery vs.\ sending directly to recipient \item Node cost: \begin{tightlist} \item Bandwidth/processing cost of providing service \item Possible cost of creating/sending/terminating dummies \item Liability for actions using your node (especially exiting). \color{magenta} \item \color{yellow}Dishonest node: penalty if caught. (expulsion, legal, etc.) \end{tightlist} \end{tightlist} \end{slide} \begin{slide} \center{\slidetitle{Types of Agents}} \large \begin{tightlist} \item Myopic agent: Does not consider affect of its choices on others \item One-on-one Strategic Agent \item Multiplayer Strategic Agent \end{tightlist} \end{slide} \begin{slide} \slidetitle{Conclusion 2: more research remains} \large \begin{tightlist} \item Our current directions aren't going to work, from an incentive and usability perspective. We need to rethink. \end{tightlist} \end{slide} %Some slides added by Alex \begin{slide} \center{\slidetitle{Major Open Problem}} \bf{\begin{tightlist} \item Cuts both ways \begin{tightlist} \item Liability for traffic leaving anonymity system at your node \item Hiding/deniability of traffic entering anonymity system at your node \end{tightlist} \item Legal climate depends on (perception of) technology \item YACEP: \begin{tightlist} \item Widespread anonymous system use\\ $\Rightarrow$? Deniability for traffic leaving system at your node\\ $\Rightarrow$? Widespread anonymous system availability \end{tightlist} \end{tightlist}} \end{slide}