IWT Strategische Technologieën voor Welzijn en Welvaart

APES
Anonymity and Privacy in Electronic Services

Deliverable 2 - Requirement study of different applications

FINAL VERSION
11/05/2001

Stefaan Seys
Claudia Diaz
Bart De Win
Vincent Naessens
Caroline Goemans
Joris Claessens
Wim Moreau
Prof. Bart De Decker
Prof. Jos Dumortier
Prof. Bart Preneel

APES Deliverable D2 – Requirement study [FINAL VERSION] 2

Executive summary

For applications such as electronic voting and electronic payments, anonymity and privacy are strictly necessary. In a democratic society public elections will be held anonymously, and citizens have a fundamental right to privacy, for example when buying goods or subscribing to services. However, current technologies such as databases, on-line connections and mobile communications may lead to an increased erosion of privacy. For the time being no widespread communication and payment technologies are available that provide on-line shopping without giving away a substantial amount of personal information. Applications like e-mail, publishing and web browsing are widely accepted without anonymity properties.

This document describes the anonymity requirements of a variety of applications in which anonymity and privacy play an important role: (1) anonymous connections, which can be used for all applications; (2) e-mail; (3) web publishing; (4) web browsing; (5) on-line payments; (6) on-line elections and finally (7) on-line auctions.

In this document we provide a general model that can be used to describe the anonymity properties of the applications we studied. Firstly, the notions of anonymity and privacy are briefly set out. Secondly, an abstract and application-independent terminology is derived for the different entities that actively participate in an application. Finally, different types of anonymity (for example one-time anonymity and persistent anonymity) are described.
The remainder of the document describes in detail the anonymity requirements for the selected applications. For all these applications we start with a short overview of their functionality and of the different entities that participate in that application, together with a mapping of these entities to the abstract roles described in the model. Secondly, the anonymity-related requirements and properties of the application are described in more detail. Each application has its own specific requirements and, at first glance, a general solution for all applications seems unlikely. This is the justification for the abstract model: if the entities in different applications map to the same abstract roles in the model, it is likely that the solutions for these applications will be similar. Finally, a short overview is presented of the existing solutions that provide anonymity and privacy for these applications. The last chapter contains a number of possible legal issues that will be further examined in the deliverable on legal aspects of anonymity.

Table of Contents

Executive summary ... 3
1. Application overview ... 9
2. Model used to describe anonymity properties ... 10
  2.1. Privacy - Anonymity - Identity - Pseudonymity ... 10
    2.1.1. Privacy ... 10
    2.1.2. Anonymity ... 11
    2.1.3. Identity ... 12
    2.1.4. Pseudonymity ... 12
  2.2. Entities and roles ... 13
    2.2.1. Entities ... 13
    2.2.2. Roles ... 14
  2.3. Anonymity characteristics ... 15
    2.3.1. Types ... 15
    2.3.2. Degrees ... 17
3. Anonymous connections ... 19
  3.1. Description of the system ... 19
  3.2. Different entities in the system ... 20
    3.2.1. Entities involved in the application ... 20
    3.2.2. Entities involved in the anonymous communication ... 20
    3.2.3. Possible attackers ... 20
  3.3. Anonymity requirements/properties ... 21
    3.3.1. Requirements related to anonymity ... 21
    3.3.2. Other requirements ... 21
  3.4. Short overview of existing solutions ... 21
4. Anonymous e-mail ... 22
  4.1. Description of the system ... 22
  4.2. Different entities in the system ... 22
    4.2.1. Entities involved in the communication ... 22
    4.2.2. Entities involved in the anonymous communication ... 23
    4.2.3. Possible attackers ... 23
  4.3. Anonymity requirements/properties ... 24
    4.3.1. Properties unrelated to anonymity ... 24
    4.3.2. Requirements related to anonymity ... 24
  4.4. Short overview of existing solutions ... 25
    4.4.1. Type 0 Remailer: Penet ... 25
    4.4.2. Type 1 Remailer: CyberPunk ... 25
    4.4.3. Type 2 Remailer: MixMaster ... 25
5. Anonymous publishing ... 26
  5.1. Description of the system ... 26
  5.2. Different entities in the system ... 26
    5.2.1. Entities involved in web publishing ... 26
    5.2.2. Entities involved in anonymous web publishing ... 26
    5.2.3. Possible attackers ... 27
  5.3. Anonymity requirements/properties ... 27
    5.3.1. Properties unrelated to anonymity ... 27
    5.3.2. Properties related to anonymity ... 28
  5.4. Short overview of existing solutions ... 28
    5.4.1. Eternity ... 28
    5.4.2. Publius ... 29
    5.4.3. TAZ Servers ... 29
6. Anonymous browsing ... 31
  6.1. Description of the system ... 31
  6.2. Different entities in the system ... 31
    6.2.1. Entities involved in the web browsing ... 31
    6.2.2. Entities involved in the anonymous web browsing ... 31
    6.2.3. Possible attackers ... 32
  6.3. Anonymity requirements/properties ... 32
    6.3.1. Properties unrelated to anonymity ... 32
    6.3.2. Properties related to anonymity ... 33
  6.4. Short overview of existing solutions ... 33
    6.4.1. LPWA ... 33
    6.4.2. Web Mixes ... 33
    6.4.3. CROWDS ... 34
7. Electronic payments ... 35
  7.1. Description of the system ... 35
    7.1.1. Introduction ... 35
    7.1.2. Different steps in an electronic payment ... 35
  7.2. Different entities in the system ... 35
    7.2.1. Different parties in any payment system ... 35
    7.2.2. Possible attackers ... 36
  7.3. Anonymity requirements/properties ... 36
    7.3.1. Anonymity related requirements ... 36
  7.4. Short overview of some existing solutions ... 38
    7.4.1. Blind signatures ... 38
    7.4.2. CAFE ... 38
    7.4.3. NetCash ... 39
    7.4.4. Anonymous accounts ... 39
    7.4.5. Pseudonyms ... 40
    7.4.6. Gemplus model ... 40
    7.4.7. Mix-based electronic payments ... 40
    7.4.8. Proton system ... 41
    7.4.9. CEPS ... 41
    7.4.10. Micropayments ... 41
    7.4.11. Summary ... 42
8. Electronic voting ... 44
  8.1. Description of the system ... 44
    8.1.1. Introduction ... 44
    8.1.2. Voting phases ... 44
  8.2. Different roles/entities in the system ... 44
    8.2.1. Attackers ... 45
  8.3. Anonymity requirements/properties ... 45
    8.3.1. Anonymity related requirements ... 45
    8.3.2. Other requirements ... 45
    8.3.3. Requirements of the implementation ... 46
  8.4. Short overview of existing systems ... 47
    8.4.1. SafeVote ... 47
    8.4.2. VoteHere ... 48
    8.4.3. CyberVote ... 51
9. Electronic auctions ... 53
  9.1. Description of the system ... 53
    9.1.1. Different auction properties ... 53
    9.1.2. Auction types ... 54
    9.1.3. Different steps in an auction process ... 56
  9.2. Different entities in the system ... 56
  9.3. Anonymity requirements/properties ... 57
    9.3.1. Requirements unrelated to anonymity ... 57
    9.3.2. Anonymity related requirements ... 58
  9.4. Short overview of existing solutions ... 59
10. Legal issues ... 61
  10.1. Introduction ... 61
  10.2. Possible legal issues ... 61
    10.2.1. General information requirement ... 61
    10.2.2. Specific transparency requirements for commercial communications ... 62
    10.2.3. Pre-contractual information requirement ... 62
    10.2.4. Liability of on-line service providers ... 62
11. Future work ... 64

1. Application overview

As discussed in the project proposal, the first task and the goal of this deliverable is to define a number of application areas and to analyze the state of the art in these areas. In this scope we have chosen to focus on applications that are popular and/or have interesting anonymity characteristics. The result of this selection phase is the following list of application domains:

• Anonymous connections
• Anonymous e-mail
• Anonymous browsing
• Anonymous publishing
• Electronic payments
• Electronic voting
• Electronic auctions

In the rest of this document we will discuss each of these application domains by first describing their basic functionality. Based on this description we will then elaborate on the different settings in which anonymity is provided.
For each of them we will also briefly discuss existing applications. Other applications that could be interesting, but are currently not part of our research, include software agents, wireless communication, anonymous data retrieval, applications in the mobility area, video-on-demand, etc. They could become the subject of future research if we notice that they provide us with interesting case studies.

2. Model used to describe anonymity properties

In order to describe and compare different applications, strict consensus on a common terminology must be available. In this scope, this section will try to provide clear definitions for several important issues. After first briefly touching upon some general remarks, we will list and define the different entities/roles that could be involved in a typical system. Afterwards, various anonymity properties will be described.

The title of this project is “Anonymity and Privacy in Electronic Services”, which suggests that anonymity and privacy are different concepts. Indeed, the former only concentrates on hiding the identity of someone, while the latter is broader. Privacy concerns all information about the identity, which includes personal information (e.g., his way of living), network traffic, the content of this communication, other statistics, etc. Although most anonymity services focus on anonymity alone, it is important not to neglect privacy concerns.

In the scope of this project it is also important to realize the distinction between an application and the extra service introduced to augment the anonymity/privacy properties of that application. Their dependency relation is strictly one-way: the application as such remains functional without the anonymity service, albeit less secure. However, an anonymity service without an application does not serve any purpose.
In this report we will often use the term application when we actually mean the combination of both.

2.1. Privacy - Anonymity - Identity - Pseudonymity

As stated in the introductory remarks, it seems necessary to focus on a number of concepts before tackling the application requirements for anonymity services. In this subsection we will briefly consider the concepts of privacy, anonymity, identity and pseudonymity as explored at this stage of the research.

2.1.1. Privacy

The concept of privacy is a broad notion, open to interpretation, as it is perceived differently depending on the individual and on the type of society. It also involves competing interests. Webster's New Collegiate Dictionary defines privacy as “the quality or state of being apart from company or observation”. The Cambridge International Dictionary of English formulates privacy as “the freedom from unauthorized intrusion or the right to keep personal matters and relationships secret”. Consequently, privacy could be defined as “the interest that individuals have in sustaining a personal space, free from interference by other people and organizations” [47]. Elements of the above-mentioned definitions are summarized in a frequently cited definition given by the American author Thomas Cooley and laid down in a legal document dated 1879, in which he describes privacy as “the right to be left alone”.

Privacy is not only a broad notion, as made clear in the above-mentioned definitions, but can also appear under various dimensions, such as privacy of the person, privacy of