Privacy-Enhancing Technologies For The Internet: Ian Goldberg David Wagner Eric Brewer

Increased use of the Internet for everyday activities is bringing new threats to privacy. This paper gives an overview of existing and potential privacy-enhancing technologies. It also explores motivation and challenges for future work in this field.

Uploaded by

Rohit Kishore
Copyright
© Attribution Non-Commercial (BY-NC)

Privacy-enhancing technologies for the Internet

Ian Goldberg David Wagner Eric Brewer


University of California, Berkeley
fiang,daw,[email protected]

Abstract

The increased use of the Internet for everyday activities is bringing new threats to personal privacy. This paper gives an overview of existing and potential privacy-enhancing technologies for the Internet, as well as motivation and challenges for future work in this field.

1. Introduction

Recently the Internet has seen tremendous growth, with the ranks of new users swelling at ever-increasing rates. This expansion has catapulted it from the realm of academic research towards new-found mainstream acceptance and increased social relevance for the everyday individual. Yet this suddenly increased reliance on the Internet has the potential to erode personal privacies we once took for granted.

New users of the Internet generally do not realize that every post they make to a newsgroup, every piece of email they send, every World Wide Web page they access, and every item they purchase online could be monitored or logged by some unseen third party. The impact on personal privacy is enormous; already we are seeing databases of many different kinds, selling or giving away collections of personal data, and this practice will only become more common as the demand for this information grows.

All is not lost. While the Internet brings the danger of diminished privacy, it also ushers in the potential for expanding privacy protection to areas where privacy was previously unheard of. This is our vision: restoration and revitalization of personal privacy for online activities, and betterment of society via privacy protection for fields where that was previously impossible. We want to bring privacy to the Internet, and bring the Internet to everyday privacy practices.

The purpose of this paper is not to present new results, but rather to encourage further research in the area of Internet privacy protection, and to give an overview (necessarily brief in a short paper such as this) of privacy-enhancing technologies. Section 2 explores some motivation for studying privacy issues on the Internet, and Section 3 provides some relevant background. We then discuss Internet privacy technology chronologically, in three parts: Section 4 describes the technology of yesterday, Section 5 explains today’s technology, and Section 6 explores the technology of tomorrow. Finally, we conclude in Section 7.

2. Motivation

The threats to one’s privacy on the Internet are two-fold: your online actions could be (1) monitored by unauthorized parties and (2) logged and preserved for future access many years later. You might not realize that your personal information has been monitored, logged, and subsequently disclosed; those who would compromise your privacy have no incentive to warn you.

The threat of long-term storage and eventual disclosure of personal information is especially acute on the Internet. It is technically quite easy to collect information (such as a compendium of all posts you have made to electronic newsgroups) and store it for years or decades, indexed by your name for easy retrieval. If you are looking for a job twenty years from now, do you want your employer to browse through every Usenet posting you’ve ever made? If you are like most people, you have probably said something (however minor) in your past you would prefer to forget—perhaps an incautious word from your indiscreet youth, for instance. Long-term databases threaten your ability to choose what you would like to disclose about your past.

Furthermore, in recent years great advances have been made in technology to mine the Internet for interesting information. This makes it easy to find and extract personal information about you that you might not realize is available. (For instance, one of your family members might have listed information about you on their web page without your knowledge; Internet search engine technology would find this easily.) Did you know your phone number, email address, and street address are probably listed on the Web? Or that your social security number is available on any of several for-pay electronically-searchable databases? Most
people probably do not want to make it easy for salesmen, telemarketers, an abusive ex, or a would-be stalker to find them.

In these ways, the Internet contributes to the “dossier effect”, whereby a single query can compile a huge dossier containing extensive information about you from many diverse sources. This increasingly becomes a threat as databases containing personal information become electronically cross-linked more widely. A recent trend is to make more databases accessible from the Internet; with today’s powerful search engine and information-mining technology, this is one of the ultimate forms of cross-linking. (For instance, phone directories, address information, credit reports, newspaper articles, and public-access government archives are all becoming available on the Internet.) The “dossier effect” is dangerous: when it is so easy to build a comprehensive profile of individuals, many will be tempted to take advantage of it, whether for financial gain, vicarious entertainment, illegitimate purposes, or other unauthorized use.

Government is one of the biggest consumers and producers of dossiers of personal information, and as such should be viewed as a potential threat to privacy. The problem is that today’s governments have many laws, surveillance agencies, and other tools for extracting private information from the populace [6]. Furthermore, a great many government employees have access to this valuable information, so there are bound to be some workers who will abuse it. There are many examples of small-scale abuses by officials: a 1992 investigation revealed that IRS employees at just one regional office made hundreds of unauthorized queries into taxpayer databases [2]; employees of the Social Security Administration have been known to sell confidential government records for bribes as small as $10 [22]; highly confidential state records of AIDS patients have leaked [3]. Finally, there is very little control or oversight, so a corrupt leader could easily misuse this information to seize and maintain power. A number of cautionary examples are available: FBI Director Edgar Hoover had his agency spy on political dissidents, activists, and opponents; the NSA, a secret military surveillance agency, has a long history of spying on domestic targets [5]; President Clinton’s Democratic administration found themselves with unauthorized secret dossiers on hundreds of Republican opponents in the “Filegate” scandal.

Anonymity is one important form of privacy protection that is often useful.

We observe that anonymity is often used not for its own sake, but primarily as a means to an end, or as a tool to achieve personal privacy goals. For example, if your unlisted telephone number is available on the web, but can’t be linked to your identity because you have used anonymity tools, then this might be enough to fulfill your need for privacy just as effectively as if you had kept the phone number completely secret. Many applications of online anonymity follow the common theme of “physical security through anonymity”. For instance, political dissidents living in totalitarian regimes might publish an exposé anonymously on the Internet to avoid harassment (or worse!) by the secret police.

In contexts other than the Internet, anonymous social interaction is both commonplace and culturally accepted. For example, the Federalist papers were penned under the pseudonym Publius; many other well-known literary works, such as Tom Sawyer, Primary Colors, etc. were also written anonymously or under a pseudonym. Today, home HIV tests rely on anonymous lab testing; police tip lines provide anonymity to attract informants; journalists take great care to protect the anonymity of their confidential sources; and there is special legal protection and recognition for lawyers to represent anonymous clients. The US Postal Service accepts anonymous mail without prejudice; it is well-known that anonymous voice calls can be easily made by stepping into a payphone; and ordinary cash allows everyday people to purchase merchandise (say, a copy of Playboy) anonymously. In short, most non-Internet technology today grants the ordinary person access to anonymity. Outside of the Internet, anonymity is widely accepted and recognized as valuable in today’s society. Long ago we as a society reached a policy decision, which we have continually reaffirmed, that there are good reasons to protect and value anonymity off the Internet; that same reasoning applies to the Internet, and therefore we should endeavor to protect online anonymity as well.

There are many legitimate uses for anonymity on the Internet. In the long term, as people take activities they’d normally do offline to the Internet, they will expect a similar level of anonymity. In fact, in many cases, they won’t even be able to imagine the extensive use this data could be put to by those with the resources and incentive to mine the information in a less-than-casual way. We should protect the ordinary user rather than requiring them to anticipate the various ways their privacy could be compromised. Moreover, the nature of the Internet may even make it possible to exceed those expectations and bring anonymity to practices where it was previously nonexistent. In the short term, there are a number of situations where we can already see (or confidently predict) legitimate use of Internet anonymity: support groups (e.g. for rape survivors or recovering alcoholics), online tip lines, whistleblowing, political dissent, refereeing for academic conferences, and merely the pursuit of everyday privacy of a less noble and grand nature. As the New Yorker magazine explained in a famous cartoon, “On the Internet, nobody knows you’re a dog” [23]—and this is perhaps one of the greatest strengths of the Internet.

On the other hand, illicit use of anonymity is all too
common on the Internet. Like most technologies, Internet anonymity techniques can be used for better or worse, so it should not be surprising to find some unfavorable uses of anonymity. For instance, sometimes anonymity tools are used to distribute copyrighted software without permission (“warez”). Email and Usenet spammers are learning to take advantage of anonymity techniques to distribute their marketing ploys widely without retribution. Denial of service and other malicious attacks are likely to become a greater problem when the Internet infrastructure allows wider support for anonymity. The threat of being tracked down and dealt with by social techniques currently acts as a partial deterrent to would-be intruders, but this would be eroded if they could use Internet tools to hide their identity. We have already seen one major denial of service attack [10] where the attacker obscured his IP source address to prevent tracing. Widespread availability of anonymity will mean that site administrators will have to rely more on first-line defenses and direct security measures rather than on the deterrent of tracing. Providers of anonymity services will also need to learn to prevent and manage abuse more effectively. These topics are discussed at greater length in later sections.

3. Background

A few definitions are in order. Privacy refers to the ability of the individual to protect information about himself. Anonymity is privacy of identity. We can divide anonymity into two cases: persistent anonymity (or pseudonymity), where the user maintains a persistent online persona (“nym”) which is not connected with the user’s physical identity (“true name”), and one-time anonymity, where an online persona lasts for just one use. The key concept here is that of linkability: with a nym, one may send a number of messages that are all linked together but cannot be linked to the sender’s true name; by using one-time anonymity for each message, none of the messages can be linked to each other or to the user’s physical identity.¹ Forward secrecy refers to the inability of an adversary to recover security-critical information (such as the true name of the sender of a controversial message) “after the fact” (e.g. after the message is sent); providers of anonymity services should take care to provide forward secrecy, which entails (for instance) keeping no logs.

¹ Users of anonymity services should keep in mind that messages written by the same person tend to share certain characteristics, and that this fact has been used to identify the authors of anonymous works in the past.

Some of the more obvious uses of persistent anonymity are in “message-oriented” services, such as email and newsgroup postings. Here, the two major problems to be solved are those of sender-anonymity, where the originator of a message wishes to keep his identity private, and of recipient-anonymity, where we wish to enable replies to a persistent persona.

In contrast to “message-oriented” services, we have “online” services. In these services, which include the World-Wide Web, online chat rooms, phones, videoconferences, and most instances of electronic commerce, we wish to enable two parties to communicate in real time, while allowing one or both of them to maintain their anonymity. The added challenges for online services stem from the increased difficulty involved in sending low-latency information without revealing identity via timing coincidences; to support these online services, we want to erect a general-purpose low-level infrastructure for anonymous Internet communications. In addition, certain specific applications, such as private electronic commerce, require sophisticated application-level solutions.

4. Past

In past years email was the most important distributed application, so it should not be surprising that early efforts at bringing privacy to the Internet primarily concentrated on email protection. Today the lessons learned from email privacy provide a foundation of practical experience that is critically relevant to the design of new privacy-enhancing technologies.

The most primitive way to send email anonymously involves sending the message to a trusted friend, who deletes the identifying headers and resends the message body under his identity. Another old technique for anonymous email takes advantage of the lack of authentication for email headers: one connects to a mail server and forges fake headers (with falsified identity information) attached to the message body. (Both approaches could also be used for anonymous posting to newsgroups.) Of course, these techniques don’t scale well, and they offer only very minimal assurance of protection.

The technology for email anonymity took a step forward with the introduction of anonymous remailers. An anonymous remailer can be thought of as a mail server which combines the previous two techniques, but using a computer to automate the header-stripping and resending process [4, 16, 17, 24]. There are basically three styles of remailers; we classify remailer technology into “types” which indicate the level of sophistication and security.

The anon.penet.fi (“type 0”) remailer was perhaps the most famous. It supported anonymous email senders by stripping identifying headers from outbound remailed messages. It also supported recipient anonymity: the user was assigned a random pseudonym at anon.penet.fi, the remailer maintained a secret identity table matching up the user’s real email address with his anon.penet.fi nym, and incoming email to the nym at anon.penet.fi
was retransmitted to the user’s real email address. Due to its simplicity and relatively simple user interface, the anon.penet.fi remailer was the most widely used remailer; sadly, it was shut down recently after being harassed by legal pressure [18].

The disadvantage of an anon.penet.fi style (type 0) remailer is that it provides rather weak security. Users must trust it not to reveal their identity when they send email through it. Worse still, pseudonymous users must rely on the confidentiality of the secret identity table—their anonymity would be compromised if it were disclosed, subpoenaed, or bought—and they must rely on the security of the anon.penet.fi site to resist intruders who would steal the identity table. Furthermore, more powerful attackers who could eavesdrop on Internet traffic traversing the anon.penet.fi site could match up incoming and outgoing messages to learn the identity of the nyms.

Cypherpunk-style (type I) remailers were designed to address these types of threats. First of all, support for pseudonyms is dropped; no secret identity table is maintained, and remailer operators take great care to avoid keeping mail logs that might identify their users. This diminishes the risk of “after-the-fact” tracing. Second, type I remailers will accept encrypted email, decrypt it, and remail the resulting message. (This prevents the simple eavesdropping attack where the adversary matches up incoming and outgoing messages.) Third, they take advantage of chaining to achieve more robust security. Chaining is simply the technique of sending a message through several anonymous remailers, so that the second remailer sees only the address of the first remailer and not the address of the originator, etc. Typically one combines chaining with encryption: the originator encrypts repeatedly, nesting once for each remailer in the chain; the advantage is that every remailer in a chain must be compromised before a chained message can be traced back to its sender. This allows us to take advantage of a distributed collection of remailers; diversity gives one a better assurance that at least some of the remailers are trustworthy, and chaining ensures that one honest remailer (even if we don’t know which it is) is all we need. Type I remailers can also randomly reorder outgoing messages to prevent correlations of ciphertexts by an eavesdropper. In short, type I remailers offer greatly improved security over type 0, though they do have some limitations which we will discuss next.

5. Present

The newest and most sophisticated remailer technology is the Mixmaster, or type II, remailer [7, 11]. They extend the techniques used in a type I remailer to provide enhanced protection against eavesdropping attacks. First, one always uses chaining and encryption at each link of the chain. Second, type II remailers use constant-length messages, to prevent passive correlation attacks where the eavesdropper matches up incoming and outgoing messages by size. Third, type II remailers include defenses against sophisticated replay attacks. Finally, these remailers offer improved message reordering code to stop passive correlation attacks based on timing coincidences. Because their security against eavesdropping relies on “safety in numbers” (where the target message cannot be distinguished from any of the other messages in the remailer net), the architecture also calls for continuously-generated random cover traffic to hide the real messages among the random noise.

Another new technology is that of the “newnym”-style nymservers. These nymservers are essentially a melding of the recipient anonymity features of an anon.penet.fi style remailer with the chaining, encryption, and other security features of a cypherpunk-style remailer: a user obtains a pseudonym (e.g. [email protected]) from a nymserver; mail to that pseudonym will be delivered to him. However, unlike anon.penet.fi, where the nymserver operator maintained a list matching pseudonyms to real email addresses, newnym-style nymservers only match pseudonyms to “reply blocks”: the nymserver operator does not have the real email address of the user, but rather the address of some type I remailer, and an encrypted block of data which it sends to that remailer. When decrypted, that block contains the address of a second remailer, and more encrypted data, etc. Eventually, when some remailer decrypts the block it receives, it gets the real email address of the user. The effect is that all of the remailers mentioned in the reply block would have to collude or be compromised in order to determine the email address associated with a newnym-style pseudonym.

Another simple technique for recipient anonymity uses message pools. Senders encrypt their message with the recipient’s public key and send the encrypted message to a mailing list or newsgroup (such as alt.anonymous.messages, set up specifically for this purpose) that receives a great deal of other traffic. The recipient is identified only as someone who reads the mailing list or newsgroup, but onlookers cannot narrow down the identity of the recipient any further. A “low-tech” variant might use classified advertisements in a widely-read newspaper such as The New York Times. Message pools provide strong recipient anonymity, but of course the huge disadvantage is that they waste large amounts of bandwidth and pollute mailing lists with bothersome noise.

With the increasing sophistication in remailer technology, we find that modern remailers have been burdened with a correspondingly complicated and obscure interface. To deal with this unfriendly mess, client programs have sprung up to provide a nicer interface to the remailers. Raph Levien’s premail [21] is the archetypical example. Even
so, using remailers still requires some knowledge; for even greater user-friendliness, we need this support to be integrated into popular mail handling applications.

One could reasonably argue that the problem of anonymous email is nearly solved, in the sense that we largely understand most of the principles of building systems to provide email anonymity. However, email is not the only important application on the Internet. More recently, we have begun to see privacy support for other services as well.

The “strip identifying headers and resend” approach used by remailers has recently been applied to provide anonymity protection for Web browsing as well. Community ConneXion has sponsored the Anonymizer [9], a web proxy that filters out identifying headers and source addresses from the web browser. This allows users to surf the web anonymously without revealing their identity to web servers. However, the Anonymizer offers rather weak security—no chaining, encryption, log safeguarding, or forward secrecy—so its security properties are roughly analogous to those of type 0 remailers. Other implementations have since appeared based on the same approach [12, 15]; but technology for anonymous web browsing remains relatively unsophisticated and underdeveloped.

Finally, anonymous digital cash is another state-of-the-art technology for Internet privacy. As many observers have stressed, electronic commerce will be a driving force for the future of the Internet. Therefore, the emergence of digital commerce solutions with privacy and anonymity protection is very valuable. DigiCash’s ecash [8] has the strongest privacy protection of any deployed payment system—it uses sophisticated cryptographic protocols to guarantee that the payer’s privacy is not compromised by the payment protocol even against a colluding bank and payee. Thus, DigiCash’s ecash has many of the privacy properties of real cash; most other deployed payment systems have only about as much privacy as checks or credit cards.

Of course, the DigiCash protocols only prevent your identity from being revealed by the protocols themselves: if you send the merchant a delivery address for physical merchandise, he will clearly be able to identify you. Similarly, if you pay using ecash over a non-anonymized IP connection, the merchant will be able to deduce your IP address. This demonstrates the need for a general-purpose infrastructure for anonymous IP traffic, as discussed later. (The other option is to pay by email, with which you can use the existing remailer infrastructure, to preserve your privacy.) In any case, security is only as strong as the weakest link in the chain, and we need strong anonymity (such as provided by DigiCash’s protocols) in our payment system as well as strong anonymity in our data transport infrastructure.

DigiCash’s anonymous ecash does have a few limitations. Like the telephone or the fax machine, its success depends on seeing widespread adoption by a large number of customers and merchants; but so far it has merely a relatively small user base. Also, it currently offers only one-way anonymity—namely, anonymity for payers but not for payees—so parties who wish to sell services or information anonymously are currently not served well by DigiCash’s ecash. Nonetheless, improvements are still being made, and DigiCash is an important pioneer in this crucial area.

6. Future

The first author has made significant progress on working around the limitations of DigiCash’s ecash. His enhancements attempt to stimulate growth in the user base by making it easy to use ecash without signing up for an account at a participating bank (thus eliminating paperwork). Additionally, he developed support for currency trading and e-cashiering, where service providers may offer to buy or sell DigiCash ecash in exchange for other forms of payment. His improvements also include bi-directional anonymity to support change-making and anonymous merchants, and a Netscape plug-in to make payment more transparent. These improvements are compatible with DigiCash’s system—users can take advantage of his enhancements without any changes to the bank’s software.

When attempting to design anonymity support for web traffic, interactive text/voice/video chatting, remote telnet connections, and other similar services, we quickly see that what we need is an infrastructure to provide bi-directional anonymity protection for general-purpose low-latency interactive Internet traffic. Wei Dai has described an architecture that would provide this protection based on a distributed system of anonymizing packet forwarders, analogous to today’s remailer network; he called it “Pipenet” [13]. We will use the generic term pipenet for any architecture built along these lines.

No complete pipenet design, much less implementation, is available yet. Several authors have independently attempted to build a system with similar features [26], but because they were unaware of the work of Wei Dai [14] and other cypherpunks, their design remains vulnerable to a number of attacks. Due to space limitations, we cannot give a full list of threats and attacks in this paper; we will merely confine ourselves to observing that pipenet must protect against all of the attacks against remailers discussed above, as well as some others specific to low-latency long-lived connections. A future paper will discuss these threats in detail and give a number of possible countermeasures. We hope that the great applicability of a general-purpose infrastructure for anonymized Internet traffic will motivate and stimulate new research in this area.

Another great challenge that faces future researchers in Internet privacy technology is the problem of abuse. As
tools and infrastructure for anonymity become available, some will abuse these resources for illicit purposes.

We have some experience with handling abuse from the deployed remailers. Abuse only accounts for a small minority of remailer usage, but it is typically much more visible. One of the most common abuses of remailers is junk email, where senders hide behind anonymity to send vast quantities of unsolicited email (usually advertising) to a large number of recipients who find it unwelcome. Remailers today include simplistic alarms when they encounter a large volume of mail in a short time; then remailer operators can delete the spammed messages and source block the spammer (i.e. blacklist the sender). Harassment of a targeted individual is another common abuse of anonymous remailers. One countermeasure is to have targeted individuals install mail filtering software. (Remailers could also provide destination blocking services, but this raises many thorny issues; the right solution is for the recipient to filter their email.)

The effect of this abuse is to place tremendous political and legal pressure on the remailer operator [18]. Of course, remailer operators receive no benefit themselves from providing anonymity services to the world, which makes it all the harder to justify spending much time, money, or effort to defend one’s remailer. Each incident of abuse generates a number of complaints to the remailer operator, his ISP, and others who might be in a position to pressure them. This situation has become so acute that one of the greatest difficulties in setting up a new remailer is finding a host who will not give in to the political pressure.

Undoubtedly the magnitude and severity of abuse will increase when more infrastructure (such as pipenet) becomes available, and we will need to know how to deal with this problem. For instance, pipenet potentially allows malicious hackers to break into a remote site untraceably. We can borrow some techniques from today’s remailers. For instance, intrusion detection software at the last hop in a pipenet chain may detect some attacks, but it also has some serious limitations; we can also use source blocking to shut out known trouble-makers. New techniques will probably be needed too. For example, some have suggested that requiring a small payment for the anonymity services would reduce spam, harassment, and denial of service attacks by making it too expensive to send large volumes of data; also, the resulting revenue might make it easier and more economical for providers of anonymity services to handle abuse and stand up to political pressure. In any case, abuse management and prevention is likely to remain a central challenge for future anonymity technology.

Others have proposed some special-purpose applications for Internet privacy, though implementation experience is somewhat lacking. The Eternity Service [1] is designed to provide long-term distribution of controversial anonymous [...]ments and other powerful parties, but the design has not been implemented and deployed yet. Many cryptographers have studied the problem of electronic voting, and cryptographic protocols abound [25]—but more practical experience with building and deploying large voting systems is needed. The need for more application-specific privacy-respecting systems will no doubt arise as the Internet continues to grow.

Perhaps the most important challenge facing Internet privacy advocates is to ensure that it sees widespread deployment. The issues include educating users about the need for special privacy protection to restore the privacy lost in an online world, building privacy software that is integrated with popular applications, winning over those who fear anonymity, and building systems that meet the needs of real users. It is important that this technology reaches the users who most need it.

7. Conclusion

We have surveyed a number of privacy technologies currently available to the Internet user. We have also listed a number of challenges and directions for future research.

We wish to see a variety of means by which users can protect their privacy, preferably by putting privacy-enhancing technology directly into their own hands. Where the cooperation of others is necessary to ensure personal privacy, the system should not be easily subverted by the mere collusion or compromise of a few participants.

We conclude with an important piece of wisdom from the cypherpunks [19, 20]. The cypherpunks credo can be roughly paraphrased as “privacy through technology, not through legislation.” If we can guarantee privacy protection through the laws of mathematics rather than the laws of men and whims of bureaucrats, then we will have made an important contribution to society. It is this vision which guides and motivates our approach to Internet privacy.

References

[1] Ross Anderson, “The Eternity Service,” PRAGOCRYPT 96. ftp://ftp.cl.cam.ac.uk/users/rja14/eternity.ps.Z
[2] Gary Anthes, “IRS uncovers bogus access to tax records (Internal Revenue Service’s Atlanta office investigation),” Computerworld, vol. 27 no. 32, 9 Aug 1993, p. 15.
[3] Associated Press, 19 Sept 1996.
[4] Andre Bacard, “Anonymous Remailer FAQ,” 1996. http://www.well.com/user/abacard/remail.html
[5] James Bamford, The Puzzle Palace, Penguin Books, New
documents, even when the threat model includes govern- York, 1983.
[6] Douglas Barnes, “The Coming Jurisdictional Swamp of Global Internetworking (Or, How I Learned to Stop Worrying and Love Anonymity),” unpublished manuscript, 16 Nov 1994. http://www.communities.com/paper/swamp.html
[7] David Chaum, “Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms,” Communications of the ACM, February 1981, vol. 24 no. 2. http://www.eskimo.com/~weidai/mix-net.txt
[8] David Chaum, “Blind Signatures for Untraceable Payments,” CRYPTO 82, Plenum, pp. 199-203.
[9] Community ConneXion, “Anonymous Surfing,” 1996. http://www.anonymizer.com/
[10] Elizabeth Corcoran, “Hackers Strike at NY Internet Access Company,” The Washington Post, 12 Sept 1996, p. D09.
[11] Lance Cottrell, “Mixmaster & Remailer Attacks,” 1995. http://www.obscura.com/~loki/remailer/remailer-essay.html
[12] Ray Cromwell, “Welcome to the Decense Project,” 1996. http://www.clark.net/pub/rjc/decense.html
[13] Wei Dai, “PipeNet,” Feb 1995, post to the cypherpunks mailing list.
[14] Wei Dai, personal communication.
[15] Laurent Demailly, “Announce: Anonymous Http Proxy (preliminary release),” Usenet post. http://www.lyot.obspm.fr/~dl/anonproxy.txt
[16] Arnoud Engelfriet, “Anonymity and Privacy on the Internet,” 19 Dec 1996. http://www.stack.nl/~galactus/remailers/index.html
[17] C. Gulcu and G. Tsudik, “Mixing E-mail with Babel,” Proc. Symp. Network and Distributed System Security, 1996, pp. 2–16.
[18] Johan Helsingius, press release, 30 August 1996. http://www.cyberpass.net/security/penet.press-release.html
[19] Eric Hughes, “A Cypherpunk’s Manifesto,” 9 March 1993. ftp://ftp.csua.berkeley.edu/pub/cypherpunks/rants/.manifesto.html
[20] Steven Levy, “Crypto Rebels,” Wired, May/June 1993, vol. 1 no. 2, pp. 54–61. http://www.hotwired.com/wired/1.2/features/crypto.rebels.html
[21] Raph Levien, “premail”. http://www.c2.net/~raph/premail.html
[22] The Nando Times, 20 Nov 1996, New York, staff and wire reports.
[23] The New Yorker, 5 July 1993, p. 61.
[24] Andreas Pfitzmann and Michael Waidner, “Networks without user observability—design options,” EUROCRYPT 85, LNCS 219, Springer-Verlag, pp. 245–253. http://www.informatik.uni-hildesheim.de/~sirene/publ/PfWa86anonyNetze.html
[25] Bruce Schneier, Applied Cryptography, second edition, John Wiley & Sons, 1996.
[26] Paul Syverson, David Goldschlag, Michael Reed, “Anonymous Connections and Onion Routing,” draft manuscript. http://www.itd.nrl.navy.mil/ITD/5540/projects/onion-routing/overview.html
