Privacy and AnonymityAdrian Yanes

Aalto University - School of Electrical EngineeringDepartment of Communications and Networking (ComNet)

Challenged Networks S-38.3455 Padrian.yanes@aalto.fi

Abstract—Since the beginning of the digital area, privacy andanonymity have been impacted drastically (both, positively andnegatively), by the different technologies developed for communi-cations purposes. The broad possibilities that the Internet offerssince its conception, makes it a mandatory target for those entitiesthat are aiming to know and control the different channels ofcommunication and the information that flows through.In this paper, we address the current threats against privacy andanonymity on the Internet, together with the methods appliedagainst them. In addition, we enumerate the publicly knownentities behind those threats and their motivations. Finally, weanalyze the state of the art concerning the protection of theprivacy and anonymity on the Internet; introducing future linesof research.

I. INTRODUCTION

Despite the familiarity of the concepts, privacy andanonymity are commonly misunderstood within the digitalcontext. In this paper, we refer to these concepts as foundationsof the Common Criteria for Information Technology SecurityEvaluation (CC) standard [13]. Therefore, we strictly refer tothe implications of these concepts within the technologicaljargon, with a deep emphasis on the Internet. We make thefollowing contributions:

1) We provide a precise definition of the research terms,privacy and anonymity, and their implications.

2) We analyze the main threats against privacy andanonymity and their originators.

3) We share a resume of the state of art in terms of theprotection of the privacy and anonymity on the Internet.

The remainder of the paper is organized as follows. InSection 2 we analyse the main threats against privacy andanonymity and their originators. In Section 3, we show thecurrent methodologies applied to gain control over the pri-vacy and anonymity of the users. We enumerate the currenttechnologies available to protect privacy and anonymity onthe Internet in Section 4. In Section 5 we introduce theproposed improvements over the state of the art. We presentour conclusions in Section 6.

A. Privacy

In the past few decades there have been several debatesabout the precise definition of privacy. The Universal Declara-tion of Human Rights [12] in both article 12 and 19, referencesthe concept as a human right:

Article 12: No one shall be subjected to arbitrary interfer-ence with his privacy, family, home or correspondence, nor toattacks upon his honour and reputation [...]

Article 19: Everyone has the right to freedom of opinionand expression; this right includes freedom to hold opinionswithout interference and to seek, receive and impart informa-tion and ideas through any media and regardless of frontiers.

Other authors refer to privacy as “the claim of individuals,groups, or institutions to determine for themselves when, how,and to what extent information about them is communicatedto others.” [25]

According with the CC standard [13], privacy involves“user protection against discovery and misuse of identity byother users”. In addition, the CC standard [13] defines thefollowing requirements in order to guarantee privacy:

• Anonymity• Pseudonymity• Unlinkability• UnobservabilityThus, we consider the definition of privacy as a framework

of requirements that prevents the discovery and identity of theuser.

B. Anonymity

As stated before, anonymity is intrinsically present in theconcept of privacy. Nevertheless, anonymity refers exclusivelyto the matters related to the identity. The CC standard [13]defines “[anonymity] ensures that a user may use a resourceor service without disclosing the users identity. The require-ments for anonymity provide protection of the user identity.Anonymity is not intended to protect the subject identity. [...]Anonymity requires that other users or subjects are unableto determine the identity of a user bound to a subject oroperation.” [13] [21]

Accordingly, we consider the definition of anonymity as theproperty that guarantees user’s identity from being disclosedwithout consent.

C. Other concepts involved in privacy & anonymity

1) Pseudonymity: Notwithstanding, the use of anonymitytechniques can protect the user from revealing their realidentity. Most of the time there is a technological require-ment necessary to interact with an entity, thus, such entityrequires to have some kind of identity. The CC [13] claims[pseudonymity] ensures that a user may use a resource or

1

arX

iv:1

407.

0423

v1 [

cs.C

Y]

1 J

ul 2

014

service without disclosing its user identity, but can still beaccountable for that use.

2) Unlinkability: In order to guarantee a protection of theuser’s identity, there is a need for unlinkability of the user’sactivities within a particular context. This involves the lack ofinformation to distinguish if the activities performed by theuser are related or not.

3) Unobservability: The CC standard [13] refers to thisconcept as “[unobservability], requires that users and/orsubjects cannot determine whether an operation is beingperformed.”. Other authors claim that unobservability shouldbe differentiated from the undetectability [21]. The reasoningbehind this, claims that something can be unobservable, butcan still be detected. In this paper we refer to unobservabilityas the property that guarantees the impossibility to distinguishif something exists or not.

II. BACKGROUND

Historically, the control of the communications and theflow of information, are mandatory for any entity that aimsto gain certain control over the society. There are multipleentities with such interests: governments, companies, indepen-dent individuals, etc. Most of the research available on thetopic claims that the main originators of the threats againstprivacy and anonymity are governmental institutions and bigcorporations[16]. The motivations behind these threats arevaried. Nevertheless, they can be classified under four cate-gories: social, political, technological and economical. Despitethe relation between them, the four categories have differentbackgrounds.

A. Social & political motivations

The core of human interaction is communication in anyform. The Internet has deeply impacted in how social inter-action is conducted these days. The popularity and facilitiesthat the Internet offers, makes it a fundamental asset for thesociety. Currently, it is estimated that there are more than 2.7billion individuals users of the Internet in the world[24].

Fig. 1: 460 Million IPv4 addresses on world map (2012)[5]

Any entity that gains any level of control over this massiveexchange of information, implicitly obtains two main advan-tages: the capability to observe the social interaction withoutbeing noticed (hence, being able to act with certain prediction),

and the possibility to influence it. Privacy and anonymity arethe core values against these actions. Nevertheless, severalauthoritarian regimes implemented diverse mechanisms for thedismissal of both, privacy and anonymity.

Many of the authors highlight that the foundations of thesethreats are most often motivated for ideological reasons[16],thus, in countries in which free of speech or political freedomare limited, privacy and anonymity are considered an enemyof the state. In addition, national defense and social “morality”are also some of the main arguments utilized when justifyingactions against privacy and anonymity[8].

According to the OpenNet Initiative[1], there are at least61 countries that have implemented some kind of mechanismthat negatively affects privacy and anonymity. Examples ofthese countries are well-known worldwide: China[26], Iran[2],North Korea and Syria, among others. In addition, recentmedia revelations1 shown that several mechanisms that arenegatively affecting privacy and anonymity have been imple-mented in regions such as the U.S. and Europe.

B. Technological issues

There are some cases in which the threats against privacyand anonymity occur due to the lack of proper technology.Sometimes these threats can occur unintentionally. An ex-ample of this are bugs in software that are not discoveredand somehow reveal information about the identity or data ofthe users. Also, misconfigured Internet services that do notuse proper encryption and identity mechanisms when offeringinteraction with their users. Certain techniques utilized by theISPs can lead to situations in which the user’s data and identitygets compromised even if the ISPs’ intentions are focused onbandwidth optimization. Finally, non-technological educatedusers can be a threat to themselves by unaware leaking theiridentity and data voluntarily but unaware of the repercussions(e.g. usage of social networks, forums, chats, etc).

C. Economical motivations

As stated previously, the impact and penetration of theInternet in modern society affects almost every aspect of it,with a primary use of it for commercial/industrial purposes.There are multiple economical interests that are related directlyto the privacy and anonymity of the users. Several companieswith Internet presence take advantage of user’s identity inorder to build more successful products or to target a morereceptive audience. Lately, the commercialization of user’sdata has proven to be a profitable business for those entitiesthat have the capability of collecting more information aboutuser’s behavior. In addition, due to the popularity of Internetfor banking purposes, the privacy and anonymity of the usersare a common target for malicious attackers seeking to gaincontrol over user’s economical assets.

1Global surveillance programs: PRISM(UK), Tempora(NSA), Muscular(NSA)

2

III. MECHANISMS USED TO INTERFERE PRIVACY ANDANONYMITY

In the past few decades, a big technological and economicalinvestment has been made by some entities seeking to gainsome control over the privacy and anonymity on the Internet.Nevertheless, there are not too many commercial technolo-gies developed with this particular purpose[16]; forcing thedevelopment of custom solutions adapted to the particularuse case/target. Depending of the originator, the technologyutilized can have different types of targets, the most com-mon being nodes and individual users on the Internet. Thecategorization of the technology falls in two areas: hardwareand software solutions. The devices utilized for these targetsare commonly denominated Deep Packet Inspection (DPI)devices. Their main use is the classification of the networktraffic, together with the inspection of packet headers andpayloads. Note that most of these devices are not manufacturedto directly target the privacy and anonymity of the users.Instead, they have a generalist purpose (commonly associatedto routing and QoS purposes). Nevertheless, these devices canbe configured in ways that the privacy and anonymity getaffected.

We will analyze the different threats using the OSI model[7]as reference, highlighting the most common compromises onterms of privacy and anonymity across the different layers.

A. Physical Layer

Any possible threat on the physical layer implies directaccess to the hardware involved in the network. Most commonartifacts utilized are known as network taps: devices thatprovide access to the data flow of the network once they areattached to it. These devices can be used either to monitor thenetwork silently (sniffing) or to redirect the full traffic of thenetwork to a different node. Implicitly, any observation of thenetwork traffic involves the possibility of affecting the privacyand anonymity of the traffic.

B. Data link layer

Most of the hardware solutions targeting the data link layerfocus on the media access control (MAC) sublayer. It is inthe MAC sublayer that certain filters can be implemented.The addressing of the destinations occurs in this layer, whichare unique. This is the first control point for those entitiesthat are aiming to obtain some information concerning user’sidentity, data flows and destinations. Note, the property ofuniqueness of the MAC address and the current standard 2,allows the categorization of the devices present in the network.This can lead to a premature identification of the user (bymanufacturer/model).

C. Network layer

Due to the nature of the Internet protocol suite, and the useof Internet Protocol (IP) as its core; the network layer plays acrucial role while interfering with the privacy and anonymity

2Referring here to the assignation of MAC address schemes by manufac-turer

of the network traffic. Most of the DPI hardware focused onthe network layer targets the inspection of the IP packets. TheIP packets contain all of the relevant information required forrouting purposes. Therefore, it is a mandatory target whenaiming to reveal the identities of the users. The analysis isperformed mainly on the IP header; more specifically, on thesource address, destination address and protocol type. Thisdata can be utilized with different malicious purposes; theanalysis and processing of IP headers can lead to the directidentification of the user involved in the communication.

Fig. 2: IPv4 header fields commonly targeted (red)

Furthermore, statistical analysis can be performed to deter-mine the population of users even if they are using encryptedprotocols over the IP[6]. Finally, the identification of theprotocol utilized, provides enough information to performfurther analysis of the data that the IP packet is transporting.This makes the network layer a critical asset for inspecting thenetwork traffic. It is in this layer where some of the entitiespreviously mentioned implement heavy traffic analysis and/orfiltering.

D. Transport layer

The Transport Control Protocol (TCP) is the most popularprotocol on the transport layer on the Internet protocol suite.There is an agreed assumption that TCP remains to be the maintransport protocol on the Internet, thus it is the most targetedwhen interfering with the privacy and anonymity of the users.A TCP header contains (among other data) the source port anddestination port. This information makes it possible to identify(in most cases) what type of application is being used overTCP; therefore allowing it to determine the kind of inspectionrequired to capture the data transmitted in the TCP segment.

Despite, the fact that some applications can use TCP portsout of range of well-known ports, most of the Internet trafficis based on protocols such as HTTP, SMTP, POP3, IMAP,etc; for which TCP ports and protocol states are easilyrecognized while using DPI techniques/solutions. Therefore,this facilitates the task of targeting a particular network trafficand its processing for further analysis. The biggest concerns,in terms of privacy and anonymity, is that the current tech-nology allows inspection of every single TCP segment and its

3

content. Despite encryption gaining in popularity, in both theimplementation of application protocols and as user practice,most of the Internet traffic is still unencrypted. Hence, anytraffic analysis that is performed over the transport layer onunencrypted data reveals the content of the transmission, thus,eliminating any kind of privacy.

In addition, due to TCP’s architecture, the inspection real-ized over the data flows is granular and accurate, mainly dueto the possibility to identify sources and destinations, togetherwith the content of the payload. There is still a possibility inwhich the transport layer gets compromised but not the identityof the source and destinatary. Nevertheless, an observer cangather enough information to conclude over time, the finalidentity of the parties involved, in the case that the payloadcontains sensitive data about their identity.

E. Application Layer

The DPI solutions utilized over the application layerare varied, and sometimes protocol specific[16]. DPI tech-niques/technologies focused on the application layer providethe possibility to capture and recompose the data of thetransmission. This generates high-risk threats of the privacyand anonymity of the users exposing the data of a particularapplication that the user is using. Examples include the in-discriminate analysis of the web traffic that some entities areperforming[16]; resulting in the compilation of user profiles,type of content visiting, frequency, location, etc. The possi-bility to cross-reference the analysis of different applicationprotocols utilized for the same user; building user profiles thatcontain all kinds of personal and behavioral information thatgets stored and categorized without the user’s consent.

Due to the fact that it is in this layer where the datagets originated, other techniques get in place that can affectthe privacy and anonymity. Other popular protocols such asthose dedicated to e-mail, are common targets due to thesensibility of information that they usually transmit. In thiscase, the threats against privacy and anonymity does notnecessarily happen in the transmission, but in the softwareitself. Certain entities have implemented control mechanismsover the software utilized to handle e-mail, such as desktopclients and webmails.

Several applications make heavy use of encryption tech-niques in order to secure the communication on the layersbelow. Nevertheless, there is a possibility that the methodsutilized by the application protocol to encrypt the communi-cation are being compromised even before the transmissionbegins. Examples of this include possible backdoors recentlyclaimed[23] on some of the cryptographically secure pseudo-random number generators (CSPRNG) utilized to generateencryption keys. If this is the case, certain entities coulddecrypt traffic that is thought to be secure by the users,leading again to an attack of their privacy and anonymity,even when the users think they are using proper mechanisms toprotect themselves. These recent events open several questionsabout how reliable a protocol can be if the cryptographicassumptions utilized are somewhat misleading.

IV. MECHANISM TO ENFORCE BETTER PRIVACY ANDANONYMITY

In the previous section we enumerate the different tech-nologies utilized in order to establish certain controls over theprivacy and anonymity of the users. As it is common whenany mechanism of oppression is enforced, several alternativesare created in order to avoid those mechanisms. Privacy andanonymity have been a big concern since the beginning ofthe Internet. In addition to those entities that are aiming toestablish the above mentioned controls, there are also severalcompanies, organizations and individuals, that are spendingtime and resources developing mechanisms of defense againstthe mentioned threats. We introduce the state of art concerningthe enforcement of privacy and anonymity on the Internet.

A. Technological principles behind the privacy and anonymity

The majority of the techniques utilized to guarantee privacyare related to a combination of encryption and anonymitytechniques. The vast majority of anonymity techniques rely onprotecting the real identity through a combination of methodsthat are difficult to trace the origin and destination of the com-munication channel. Despite the complexity that encryptionmechanisms can involve, most of the modern and popularapplication protocols provide the possibility to establish theconnection through secure channels; either through the use ofthe Transport Secure Layer (TLS), or through the configurationof proxies or socket secure (SOCKS) mechanisms.

There are certain methods to measure the grade of privacyand anonymity. The degree of privacy is mostly linked to thetype of encryption utilized and computational capacity avail-able. Different encryption algorithms are currently available,offering certain guarantees for the users. Several protocols inthe application layer rely on these algorithms as the core ofprivacy enforcement. Some examples of this is the use ofpublic-key cryptography[4] and the use of algorithms such asRSA[14] and DSA[20]. In addition, and due to recent mediarevelations, some applications are moving to new cryptographyschemes based on the use of elliptic curve cryptographysuch as Elliptic Curve Diffie-Hellman (ECDH), IntegratedEncryption Scheme (IES) or Elliptic Curve Digital SignatureAlgorithm (ECDSA). The main argument behind the useof new cryptography schemes, is the suspected evidencesconcerning the pseudo-random number generators utilized forthem, and the possibility of broken cryptography[23]. Further-more, the possibility to encapsulate the connections through aSOCKS interface allows the use of routing techniques throughanonymous networks, that are difficult to trace.

B. Proxy server

One of the oldest technologies used to enforce privacyand anonymity has been the use of proxy servers. Perhapsdue to the simplicity in their functioning, together with theirpopularity in the early days of the Internet, proxy servers stillare one of the main technologies in use when enforcing privacyand anonymity. The function of a proxy server consists mainlyin masking the client requests, providing a new identity, i.e. a

4

different IP address possibly located in a different geographicallocation. There is a vast number of proxy servers publiclyand privately currently available such as www.anonymizer.ru,provides integrated proxy solutions within the web browser. Inaddition, several lists of free proxies are published daily acrossthe Internet3, offering all kind of proxies located in differentcountries, with different levels of anonymity. Notwithstanding,proxys servers cannot be considered a reliable method toguarantee privacy and anonymity by definition. The mainreason being that the proxy server knows the origin anddestination of the requests, therefore, if it is compromised, itcan expose the identity of the users behind its use[17]. Also,although the proxy server can keep the identity secret, there isno guarantee that the content of the requests is not being mon-itored. Therefore, proxy servers cannot guarantee any propertyrelated to plausible deniability and true anonymity/privacy,thus they should be avoided as method to guarantee privacyand anonymity as defined in this paper.

C. Onion routing

Onion Routing is a general purpose infrastructure forprivate communication over a public network[10]. The corearchitecture of onion routing is the implementation of mixednetworks, i.e. nodes that are accepting messages from differentsources and routing them randomly to other nodes withinthe network. The messages transmitted between them areencrypted, and different layers of encryption get removed inthe process of routing while traveling across the nodes[10].This increases the difficulty of monitoring the traffic (thusrevealing the identity). In addition, onion routing is not node-dependent, therefore, the compromising of a router does notcompromise the network itself (although can facilitate the traf-fic analysis). Nevertheless, onion routing has some weaknesseswhile protecting the privacy and anonymity of its users.

Recent research[6] shows that even if the traffic is encryptedand hard-traceable, there are still possibilities to conclude thepopulation of users and their geographical location. Further-more, intersection attacks and timing analysis[22], can revealuser’s behavior within the onion routing network, leading tofurther identification of the sources or destinations. Despitethese issues, onion routing is still considered one of the bestalternatives when aiming to guarantee privacy and anonymity.

D. TOR

TOR, previously known as The Onion Router[9], is amongthe most popular solutions used these days to protect privacyand anonymity on the Internet. The main goal of TOR itis to provide a circuit-based low-latency anonymous com-munication service[9].TOR’s core architecture is based onthe same principles as onion routing. TOR contains severalimprovements over traditional onion routing, including: “per-fect forward secrecy, congestion control, directory servers,integrity checking, configurable exit policies, and a practicaldesign for location-hidden services via rendezvous points”[9].

3anonymousproxylists.net, fresh-proxy-list.net, free-proxy-server-list.com,freeproxy.ru, nntime.com, etc

Some nodes within the TOR network act as discovery servers,providing “trusted” known routers, that are available for theend users. TOR routers have different roles and they can beclassified as:

• Middle-relay: receive traffic and passes it to another relay• Bridges: publicly listed and their main goal is to provide

an entry point on networks under heavy surveillance andcensorship

• Exit-relay: the final relay before reaching the destinationand are publicly advertised

Fig. 3: TOR functioning. (Source: EFF)

TOR has won popularity across the most common Internetusers. The main reason (in addition to its enforcement ofprivacy and anonymity) is due to the fact that the it is free-software and there are multiple cross-platform clients avail-able. In addition, several extensions/add-ons are available forthe most popular web-browsers, making TOR a very suitablesolution. In addition, because TOR is configurable in mostof the applications through a SOCK interface, TOR can beused for a broad number of protocols, facilitating anonymityin different type of services[9].

The success of TOR does not rely only on its core tech-nology and principles, but on the network of volunteers thatmaintain the nodes. Due to TOR’s design, anyone with enoughbandwidth can provide a new router, allowing this to expandTOR worldwide. Nowadays, TOR network is composed ofmore than 5000 routers.

Furthermore, TOR user’s population has been fluctuatingover time. Recent media revelations concerning global surveil-lance programs, allowing TOR to win even more popularityacross common users, making the network grow considerable,both on relays and users, in the past months, reaching peaksof more than 5 million daily connections to the network.

Despite its popularity, TOR is subjected to a certain degreeof the techniques mentioned in Section 3. TOR architecturedoes not prevent statistical analysis over its traffic. Someauthors highlight the possibility to interfere in nodes withhigh traffic, being able to perform traffic analysis with enoughaccuracy that can affect the anonymity of the network[19].In addition, and due to the publicity of the exit-relays, theseparticular nodes can be targeted either for traffic interception

5

Fig. 4: TOR relays & bridges available

Fig. 5: TOR user population

or Denial of Service attacks (DoS), affecting the functionalityof the network. Finally, TOR relay advertisement leads to thegeneration of blacklists by ISPs and governmental organiza-tions that are aiming to control mechanisms enforcing privacyand anonymity, making it difficult for the end users to useTOR. In Section 5 we introduce the possible improvements todo in order to comply with the definitions stated in this paper.

V. RELATED WORK AND FUTURE IMPROVEMENTS

In the previous sections, we have analyzed the differentmotivations, technologies and state of the art concerning thethreats and enforcement of privacy and anonymity on theInternet. All of the research available these days focusesmainly on two aspects related to privacy and anonymity: howto obtain secure and trustable encryption methods, and how toguarantee, real anonymous communications.

As of today, there is still no single solution available thatis complaint with the definitions of privacy and anonymityintroduced in Section 1. Nowadays, every communication donethrough the Internet that aims to be private and anonymousrequires the use of cryptography and hard-trace routing tech-niques. Proxies and TOR are among the most used anonymitytechnologies[17] and public-key cryptography is the mostpopular method aiming for privacy. Nevertheless, it is still

possible to perform different attacks over these techniques,leading always to some result that invalidate the requiredproperties for privacy and anonymity mentioned in Section 1.We introduce some of the possible improvements that currentlines of research are proposing in order to enforce betterprivacy and anonymity.

A. Possible solutions for traffic analysis

Traffic analysis (both active and passive), is one of theprimary techniques when targeting networks such as TOR.Recent research suggests that one way to achieve betterprivacy and anonymity over this kind of networks, will be thegeneration of random connections to achieve better plausibledeniability[6]. In addition, there are some proposals to obfus-cate TOR’s traffic, adding delays or artificial traffic, togetherwith package batching techniques[15]. Theoretically, thesetwo improvements, will guarantee true anonymity by makingthe traffic analysis hard-computable. Nevertheless, there is noempirical evidence yet, mainly because they have not beenimplemented within the production network (i.e. with a realpopulation of users).

B. Blacklisting techniques

Both proxy servers and TOR routers are suffering black-listing techniques. Because the implicit principles of bothtechnologies (available public nodes), it will require a modifi-cation of how they are used and discovered, in order to avoidblacklisting. The main proposals aim for using a rendezvousprotocol as the only way to distribute the address of thenodes[18]

C. Better encryption methods

There is a common effort within the cryptography commu-nity, to provide more robust and reliable encryption schemes.In the last year, there has been new contributions relatedto Elliptic curve cryptography, specially those not linkedto any corporation or standardization organization such asthe Curve25519[3]. It is expected that several well knownprotocols will start using these new cryptography schemes,thus avoiding the possible backdoors established in the cur-rent/popular schemes utilized.

D. ISP cooperation

It has been highlighted by some authors[11], that ISPs areplaying a crucial role in privacy and anonymity matters. Theyare the main entities responsible for implanting mechanismsthat can affect the privacy and anonymity of the users. Never-theless, there are not too many “friendly” ISPs in these matters.Some proposals involve the commitment of the ISP to providebetter quality relay-bridges for TOR[11]. Also, there have beenofficial requests to get more neutrality and protection from theISPs. Nevertheless, all of them are still subjected to the lawsthat sometimes conflict with the mechanisms for guaranteeingprivacy and anonymity.

6

VI. CONCLUSION

In this paper we introduced the definitions of privacy andanonymity according to the latest related standards of the field.We analyzed the main originators behind the threats againstthe privacy and anonymity on the Internet; we enumerate theirmotivations, together with the techniques and technologiesutilized to control the privacy and anonymity on the Internet.In addition, we gave an overview of the state of the artconcerning the enforcement of privacy and anonymity on theInternet, enumerating the most common technologies by theusers, together with their shortcomings. Finally, we introducedthe new lines of research together with their proposals. Weconclude that there is not yet available any method thatguarantees real privacy and true anonymity.

The author considers that despite the reasons given bygovernments and corporations, privacy and anonymity are ahuman right that must be preserved no matter the channelof communication used. It is a moral responsibility for thescientific community to research, develop and implementbetter technologies to guarantee our fundamental rights.

REFERENCES

[1] Opennet initiative. 2013.[2] Simurgh Aryan, Homa Aryan, and J. Alex Halderman. Internet Censor-

ship in Iran: A First Look. In Free and Open Communications on theInternet, Washington, DC, USA, 2013. USENIX Association.

[3] Daniel J. Bernstein. Curve25519: New diffie-hellman speed records.In Public Key Cryptography - PKC 2006, 9th International Conferenceon Theory and Practice of Public-Key Cryptography, volume 3958 ofLecture Notes in Computer Science, pages 207–228. Springer, 2006.

[4] J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer. OpenPGPMessage Format. RFC 4880 (Proposed Standard), November 2007.Updated by RFC 5581.

[5] Carna Botnet. Internet census 2012 — port scanning /0 using insecureembedded devices, March 2013.

[6] D. Choffnes, J. Duch, D. Malmgren, R. Guierma, F. E. Bustamante, andL. Amaral. Swarmscreen: Privacy through plausible deniability in p2psystems. Technical report, Northwestern University, March 2009.

[7] J. D. Day and H. Zimmermann. The OSI reference model. Proceedingsof the IEEE, 71(12):1334–1340, December 1983.

[8] Ronald J. Deibert, John G. Palfrey, Rafal Rohozinski, and JonathanZittrain. Access denied: The practice and policy of global internetfiltering. 2008.

[9] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: Thesecond-generation onion router. In In Proceedings of the 13th USENIXSecurity Symposium, pages 303–320, 2004.

[10] David Goldschlag, Michael Reed, and Paul Syverson. Onion routingfor anonymous and private internet connections. Communications of theACM, 42:39–41, 1999.

[11] Amir Houmansadr, Giang T.K. Nguyen, Matthew Caesar, and NikitaBorisov. Cirripede: Circumvention infrastructure using router redirectionwith plausible deniability. In Proceedings of the 18th ACM Conferenceon Computer and Communications Security, CCS ’11, pages 187–200,New York, NY, USA, 2011. ACM.

[12] United Nations international community. The universal declaration ofhuman rights. 1948.

[13] Information technology Security techniques Evaluation criteria for ITsecurity, 2005.

[14] J. Jonsson and B. Kaliski. Public-Key Cryptography Standards (PKCS)#1: RSA Cryptography Specifications Version 2.1. RFC 3447 (Informa-tional), February 2003.

[15] Stevens Le-Blond, David R. Choffnes, Wenxuan Zhou, Peter Druschel,Hitesh Ballani, and Paul Francis. Towards efficient traffic-analysisresistant anonymity networks. In SIGCOMM, pages 303–314, 2013.

[16] Christopher S. Leberknight, Mung Chiang, and Felix Ming Fai Wong.A taxonomy of censors and anti-censors: Part i-impacts of internetcensorship. IJEP, 3(2):52–64, 2012.

[17] Bingdong Li, Esra Erdin, Mehmet H. Gunes, George Bebis, and ToddShipley. An overview of anonymity technology usage. ComputerCommunications, 36(12):1269–1283, July 2013.

[18] Patrick Lincoln, Ian Mason, Phillip Porras, Vinod Yegneswaran, ZacharyWeinberg, Jeroen Massar, William Simpson, Paul Vixie, and Dan Boneh.Bootstrapping Communications into an Anti-Censorship System. In Freeand Open Communications on the Internet, Bellevue, WA, USA, 2012.USENIX Association.

[19] Steven J. Murdoch and George Danezis. Low-cost traffic analysis of tor.In Proceedings of the 2005 IEEE Symposium on Security and Privacy,SP ’05, pages 183–195, Washington, DC, USA, 2005. IEEE ComputerSociety.

[20] National Institute of Standards and Technology. FIPS PUB 180-1:Secure Hash Standard. April 1995. Supersedes FIPS PUB 180 1993May 11.

[21] Andreas Pfitzmann and Marit Hansen. A terminology for talkingabout privacy by data minimization: Anonymity, unlinkability, unde-tectability, unobservability, pseudonymity, and identity management.http://dud.inf.tu-dresden.de/literatur/Anon Terminology v0.34.pdf, Au-gust 2010. v0.34.

[22] Vitaly Shmatikov and Ming-Hsiu Wang. Timing analysis in low-latency mix networks: attacks and defenses. In IN: PROCEEDINGSOF ESORICS, pages 18–33, 2006.

[23] D. Shumow and N. Ferguson. On the possibility of a back door in theNIST SP800-90 dual Ec prng. 2007.

[24] International Telecommunication Union. World telecommunication/ictindicators database, dec 2013.

[25] A.F. Westin. Privacy and Freedom. Bodley Head, 1970.[26] Philipp Winter and Jedidiah R. Crandall. The great firewall of china :

How it blocks tor and why it is hard to pinpoint. ;login:, 37(6):42–50,2012.

7