Rangzen: Anonymously Getting the Word Out in a Blackout
Adam Lerner, Giulia Fanti, Yahel Ben-David, Jesus Garcia, Paul Schmitt, Barath Raghavan
Affiliations: University of Washington, UIUC, UC Berkeley, UCSB, ICSI
Abstract
In recent years governments have shown themselves willing to impose blackouts to shut off key communication infrastructure during times of civil strife, and to surveil citizen communications whenever possible. However, it is exactly during such strife that citizens need reliable and anonymous communications the most. In this paper, we present Rangzen, a system for anonymous broadcast messaging during network blackouts. Rangzen is distinctive in both aim and design. Our aim is to provide an anonymous, one-to-many messaging layer that requires only users' smartphones and can withstand network-level attacks. Our design is a delay-tolerant mesh network which deprioritizes adversarial messages by means of a social graph while preserving user anonymity. We built a complete implementation that runs on Android smartphones, present benchmarks of its performance and battery usage, and present simulation results suggesting Rangzen's efficacy at scale.
Introduction

Over the past decade, the balance of power between citizens and governments has tilted inexorably in the latter's direction. Though there was once a perception of the Internet as a land of radically free communication and activism, it has become clear that like any key infrastructure, the Internet exists under centralized control [65]. While this has proved to be a boon to the average user under placid conditions—large companies are able to deliver efficient and reliable services and governments are able to police networks for criminal activity—in times of unrest, this has proven dangerous to those who would use the Internet as a forum to speak out.

Indeed, during societal unrest, centralized infrastructure can be easily co-opted. In recent years, authorities in Egypt, Iran, and Syria, among others, have shut down their already heavily-surveilled Internet access during times when citizens were questioning those very authorities' political legitimacy [13, 20, 64]. However, it is exactly in such moments that citizens need the ability to communicate without restriction and risk of retribution. In particular, in such a scenario, not only is anonymity important, but also the resilience of the communication system to network-level censorship (at multiple layers).

To address this need we built Rangzen, an anonymous large-scale messaging system robust to network attacks. We built a complete implementation of Rangzen for the Android platform utilizing Bluetooth and WiFi Direct to communicate from pocket to pocket between stock, non-rooted, Android version 4.x, 5.x, and 6.x devices. Our implementation consists of over 17,000 lines of Java and another 4,000 lines of unit tests; our implementation is publicly available [53].

The literature contains a wide range of work on anonymous communication systems. However, most existing work targets point-to-point communication over dedicated infrastructure (e.g., over the Internet, which is unavailable in a blackout context), such as Tor [22]. Another, less-well-known branch of research focuses on point-to-point anonymous communication in the absence of dedicated infrastructure [37]. In addition, some widely-promoted free apps such as FireChat also aim to provide point-to-point communication without infrastructure, but fail to provide anonymity or any mechanisms to withstand attacks by adversaries [29, 55]. Rangzen differs from prior work by focusing on one-to-many, anonymous communication without dedicated infrastructure while providing resilience to network-level attacks, meeting a need which has arisen with surprising regularity around the world in recent years (§2). Rangzen targets users—dissidents and activists with whom we have been in contact—in medium-risk contexts.

Two main challenges characterize this context: a) a lack of functioning infrastructure (neither Internet nor cell networks) and b) adversaries intent upon widespread interference. We address the first challenge by broadcasting messages over a delay-tolerant, smartphone-based, mobile mesh network. This architecture enables resilient albeit high-latency communication. We address the second challenge with a decentralized, novel social trust-based prioritization algorithm. Counterintuitively, our prioritization approach allows Rangzen to rank the trustworthiness of messages without knowing their origin or author; this property preserves author anonymity. In this decentralized setting it is not possible to entirely eliminate adversarial messages, as there exists no trusted authority that can authenticate users or messages. However, as a result of Rangzen's ranking algorithm, adversarial messages arrive with low scores that enable easy filtering, and propagate more slowly through the network.

We have worked with activists in countries with widespread censorship and political repression to ensure Rangzen represents a realistic system that addresses challenges real people face in the modern world. As a result, it was key for Rangzen to work on unmodified modern mobile devices; a previous generation of mobile mesh protocols using smartphones typically required the ability to craft custom layer-2 frames [47, 66], something only available on rooted phones; ordinary users seldom have rooted phones, so this significantly limits deployability. To work around network stack limitations, we developed a hybrid protocol (§5) that uses a combination of WiFi Direct and Bluetooth and works on unmodified Android devices without needing user interaction.

Our experimental results show Rangzen is practical: devices in proximity for under 10 seconds can find one another, perform cryptographic social-trust prioritization, and exchange several hundred messages.

Context

The design of a communication system for use during network blackouts and similar settings is a complex undertaking. Social and political dynamics constrain both user desires and adversarial actions. On one hand, it would be naïve to design technology to respond to censorship or blackouts in countries or regions with extreme levels of repression (e.g., North Korea), as far more than a technological solution is required [69]. On the other hand, places with relatively low levels of risk and repression (e.g., Hong Kong) generally do not require specialized solutions such as Rangzen. Thus in this work we target medium-risk regions (e.g., Kazakhstan). In such medium-risk environments, while there exist harsh restrictions on free speech and public protest, especially in Internet-based communication, authorities do not typically resort to open violence or mass arrest.

In this work we have been in contact with dissidents and activists in medium-risk contexts, and this has helped us gain a better understanding of their needs and has informed our design choices. Understanding these constraints is crucial to designing and building a system that is realistic in its aims and limits. In this section we present an abridged analysis of this context and its implications for Rangzen.
Technology's role in the spread of dissent is complex. In most recent political movements, smartphone- and Internet-based organizing was prevalent across social demographics [7, 11, 25, 33, 46, 74, 81]. Governments responded by leveraging the same communications networks not only to surveil [28] but also to intimidate citizens [77]. Although such technology certainly enables the spread of information, in many cases that very information has helped governments to target activists to an unprecedented degree; this targeting ranges from identifying dissenters online to harassing citizens who possess out-of-the-ordinary communication hardware [26].
Implication: During periods of social unrest, communication systems should protect individuals from being directly linked to objectionable content.
The communications blackouts that motivate our work are not accidents; they are due to a desire to stem the tide of public discontent. Nevertheless, the means by which blackouts have been implemented and their degree of totality have varied considerably. Some blackouts have involved BGP route withdrawals [16], while others have been more severe cuts [67]. In addition, total blackouts are made easier for governments to impose by a non-diverse network infrastructure with few providers and/or heavy government control. During these blackouts, governments are likely to try to thwart any temporary workarounds used by the population. A robust network need not ensure connectivity for every single person (as individuals can be targeted) but for the masses.

Table 1: Design space of relevant mesh and anonymous communication systems, with canonical examples. We omit insecure one-to-one communication in this comparison due to its ubiquity.

Infrastructure | One-to-one (secure) | One-to-many (non-secure) | One-to-many (secure)
Mesh | Threshold-pivot [37], ALAR [48] | Firechat [55] | Rangzen
Internet | Tor [22], Crowds [63], LAP [35], VPNs [3, 59], HORNET [10], Aqua [42], Tarzan [30], Rome [60], Herd [41], Cashmere [84], Free Haven [21] | Twitter [73], Whisper [78, 79] | DC Nets [8], Dissent [15]
Implication: The cause or mechanism of a blackout should not impact the subsequent operation of the system, and the system should resist unilateral, global shut-down or takeover.
Recently, political theorists have studied the impermanence of so-called "Twitter revolutions", commenting on the absence of the slow, steady community organizing and in-person contact that has led to lasting political movements in the past [72]. The determining factor in the outcomes of such crises is largely an enigma, though the strength of the underlying movements has been a crucial factor [34]. While only history will adjudicate the impact of modern communications tools in these settings, our conversations with activists and the historical record suggest that rapid communication is not crucial.
Implication: The system need not enable rapid communication, but it should enable trustworthy and robust communication.
Related Work

In Table 1 we categorize the design space of related anonymous communications systems. A number of cryptographic, anonymous broadcast protocols exist [6, 9, 15, 45], but it is unclear whether such protocols are well-suited for large-scale adoption in resource-starved environments. The problem is particularly challenging in a blackout, which prevents the use of online trust mechanisms, such as Bitcoin-based protocols [52]. On the other hand, much of DTN security research has focused on one-to-one communication [4, 24, 27]; our problem is more related to filtering content in a distributed and privacy-preserving manner. Any solution in this setting must be lightweight so as to function during short opportunistic encounters. Many practical and academic anonymity systems attempt to resolve this tension using pseudonymous reputation systems [37, 68], but using pseudonyms increases susceptibility to side-channel correlation attacks [19, 54, 62].

Our approach relates to Sybil defense [58, 76, 80, 82] through our use of social graph structure to distinguish users. Similarly, our approach builds on a rich cryptography literature on distributed, privacy-preserving trust [31, 36, 70], and more specifically, private set intersection over social data to achieve privacy and anonymity [43, 44, 71]; we explore our application of this in the next section.
Design

Each aspect of Rangzen's design is based on the principles we discussed in §2. The prevalence of smartphones and their use in community organizing enables the basic architecture: a mesh composed entirely of smartphones. The communication model is delay tolerant: real-time networks over meshes are difficult and potentially fragile, while our delay-tolerant system is both robust and sufficiently fast to enable community organization (messages propagate in minutes to hours, depending on user density and mobility). Rangzen provides anonymity by storing no authorship information in messages and ranking them by social trust instead, as described below.

Threat Model

Our adversary is a state-level actor capable and willing to disable infrastructure such as cellular networks and ISP networks providing links to the Internet. The adversary's goals are to disrupt communication and to inject false information (i.e., propaganda). Such an adversary shares similarities to those considered in Sybil defense work—although the adversary may be physically distributed and possess significant technological and financial resources, its weakness is an inability to socially infiltrate its enemies at scale. The adversary's Sybils will nearly always have fewer friendships with honest nodes than the honest nodes have among themselves; in Rangzen these friendships must be made in person, making attacks against friend establishment difficult to scale. This is a common assumption in the Sybil defense literature [76, 82]. A worst-case adversary might violate this assumption by recruiting spies from the general population. However, even the most heavy-handed adversaries in history—such as the Stasi—used only 2% of the citizenry as informants [39]. Moreover, if there are no characteristics distinguishing adversaries from regular citizens, the Sybil detection problem cannot be solved in the first place [23].

Non-Goals.

We assume that the adversary has the resources to single out individual users and perform severe, targeted, violent or social attacks against them. We do not protect against such targeted attacks. Rangzen aims to make it infeasible for the adversary to scale their attacks, making it impossible for them to deceive a large percentage of the population, or to disrupt communications on a large scale. We consider preventing the scaling of attacks beyond a small percentage of citizens to be a fundamental win, as have some privacy scholars [32].

While phone-to-phone exchanges are private, message content itself is not private in Rangzen. As with a public system like Twitter, messages are public. By contrast, authorship is confidential and protected. Further, the use of Rangzen is detectable by an attacker, and the attacker can participate in the system. Rangzen does not seek to hide the fact that Rangzen is being used; instead, it relies on decentralization to protect it from attack. Hiding the identities of devices from a local eavesdropper is orthogonal to our goals; while Rangzen does not by default hide the device's identifiers (e.g., Bluetooth and WiFi MAC addresses), as doing so requires rooting, users with rooted phones can randomize their MAC addresses. In addition, we assume that an attacker cannot easily perform man-in-the-middle attacks at scale against phone exchanges, as it would require anticipating and suppressing each pair of phones' physically more proximate communications while injecting false messages during connection establishment. We also do not consider zero-day attacks against Rangzen and PSI-Ca; while these may occur, there is no plausible method for preventing them, and the best remedy is that we have built the system in a modular fashion to enable rapid re-engineering of compromised modules.

More generally, our goal is to enable anonymous and robust communication in situations where the majority of phones are in use by honest users and cellular/Internet infrastructure is not working. As we have learned from our discussions with users in these contexts, real-time communication in these settings is largely needed for disseminating live information to the outside world, and satellite is ideal for this; within the blackout region itself, for the majority of users, asynchronous and moderate-speed information dissemination is sufficient.
Delay-Tolerant Mesh Network.
Rangzen forms a mobile, ad-hoc, delay-tolerant network of smartphones. The network propagates microblogs—broadcast, public datagrams, much like Tweets—which are passed opportunistically between devices in physical proximity. Messages will spread rapidly through a crowd of people who have Rangzen installed on their phones over the course of tens of seconds or minutes. Messages need not spread in real time; they are stored on devices and forwarded opportunistically when another device running Rangzen is encountered. Users need not actively participate in forwarding messages, as Rangzen runs in the background, periodically searching for nearby devices and sending and receiving messages to and from those devices. Thus messages will also spread over time through a city or region as people move, passing on the street, riding transit, or spending time together.
Prioritization Based on Mutual Friendships.
Rangzen nodes trust messages forwarded to them by other nodes with whom they share mutual friends. Each node stores a priority value in [0, 1] with each message, which is displayed to users and used to order messages in the UI. Low-priority messages are displayed to the user at the bottom of the feed, or not at all. When two users meet and exchange messages, low trust messages are the last to be forwarded. Low trust messages may be deleted from storage by Rangzen nodes. It is important to note that message spread in Rangzen does not depend upon users sending messages directly (and only) to their friends; instead, two users who have never met before can exchange messages, and the trust calculated (but not the communication) depends upon their mutual friends. As such, the communication graph can effectively be more richly connected than the friendship graph.

Nodes determine the trust to put in each message based upon their trust of the device which forwarded the message. Since Rangzen is a fully anonymous system, no authorship information is stored in messages. Trust must be based entirely upon relationships between the nodes, who store and forward the messages. Trust between devices is based upon mutual friendships. When Alice receives messages from Bob, Alice assigns trust to those messages proportional to the number of friends they have in common.

These friendships are real-life relationships, and they must be formed in person through the exchange of secrets between the friends' smartphones. These friend establishments can be made at users' leisure before a blackout happens, or during a blackout. Each device uses a secure source of randomness, available via the crypto library, to generate a random 128-bit identifier upon first launch of Rangzen; we assume due to the size of the IDs that they are unique. During friend establishment, Rangzen displays on the screen a QR code containing a hash of the user's Rangzen random ID, which can be scanned by another user to form a friendship. When two devices communicate, they use the PSI-Ca protocol, learning the number of friends they have in common without revealing who their friends are, or even which friends are shared. Each node then assigns trust to messages received in the exchange based on the number of common friends.

Suppressing Propaganda via the Friend Graph.
Friendships in Rangzen can be viewed as forming a trust graph in which each user is a node, and graph edges represent real-life trust relationships between people. We leverage this trust graph to suppress the adversary's propaganda. Since the adversary cannot form friendships with real users on a widespread basis (see the threat model above), its messages receive low trust scores and propagate slowly.

Protocol

Rangzen's mesh communication is achieved via lightweight, pairwise message exchanges. Here we define the protocol two peers use when they encounter one another to propagate messages, intersect friend sets, and finally how each uses the information it has received to quantify social trust and discriminate between messages.

Lightweight Protocol.

The Rangzen protocol is lightweight and simple. Peers establish an encrypted phone-to-phone communication channel, which we describe in detail in §5. To intersect friend sets we use the PSI-Ca (private set intersection cardinality) protocol of [17], which is ideal because it only relies upon standard assumptions and Diffie-Hellman group operations that are available in standard Android crypto libraries. Our implementation of this protocol is about 400 lines of Java. It enables two nodes to compute the cardinality of the mutual friend set, but not the identity of those friends. The client message includes not only PSI-Ca information but also the set of messages and priorities that the device knows of.

Social Trust Metric.

We assume that a) people trust and want to see messages from people socially well connected to them, and b) adversarial nodes cannot infiltrate the social graph at scale. To capture these ideas, each pair of nodes computes a social trust score during each opportunistic encounter. We let T(a, b) denote how much a trusts b:

T(a, b) = \max\left( \frac{|F(a) \cap F(b)|}{|F(a)|},\ \varepsilon \right)

where F(a) denotes the set of a's friends, and ε is a small positive constant that ensures that ordering is preserved even if the nodes share no mutual friends. We expect users to have around 30 trusted friends, and limit the number of friends that can be submitted to any PSI interaction accordingly, since we consider the trust between people with, for example, 30 and 70 common friends to be similar. This restricts numbers of common friends to small integers, reducing the extent to which common friend degree can distinguish unique users.

Mapping from trust to priority.

After receiving messages from Bob, Alice's node must decide where to insert those messages in her feed. In our implementation, she simply multiplies the priority score of each message according to the sender by her trust of the sender. Other mechanisms may be more effective for ensuring message propagation and the effective filtering of propaganda; we also consider the use of a distorted function that assigns more trust to senders with a threshold number of mutual friends. Additionally, to give message authors increased deniability, each sender adds noise to each message's priority score before sending it to a new node. This noise helps unpopular nodes spread content by randomly increasing (or decreasing) priority scores, but it also improves author anonymity, which we show later in the paper. Concretely, if a receives a message from b with priority 0 ≤ p_o ≤ 1, then a will insert the message into her queue with a priority that is a sigmoidal function of the trust score:

\mathrm{Tr}\left[ \left( p_{b,a}(T(a, b)) \times p_o \right) + z_a \right], \qquad z_a \sim \mathcal{N}(\mu, \sigma),

where z_a is additive Gaussian noise used to improve message propagation, Tr[x] is a threshold forcing x to be in the range [0, 1], and

p_{b,a}(T(a, b)) = \frac{1}{1 + \exp\{-\rho\,(T(a, b) - \tau)\}}. \qquad (1)

In essence this means a will trust b fully if the ratio of mutual friends is greater than τ. We used ρ = 13 and a fixed τ; these constants would need to be tuned in a real deployment based on real mobility and friendship patterns. Stored priorities are always truncated to [0, 1]. If a device runs out of storage, the lowest-priority messages get dropped first.

Rangzen presents users with an ordinary microblogging messaging interface. The local user writes new messages, which are initialized to have priority 1. If a user particularly likes a message from another node, she can choose to upvote the message. Note that since messages are anonymous, upvoting a message to priority 1 is equivalent to reauthoring it. Users should avoid revealing their identities through message content; unfortunately, this is difficult to prevent with technological solutions alone, and as with all anonymous communication systems, user education is critical. Finally, Rangzen decays the priority of messages over time so that out-of-date content gradually leaves the system. Low priority messages are shown last, and those below a threshold can be hidden; this limits the effect on normal users of those adversarial messages that do get propagated.

Security Analysis

An attacker spreading propaganda must do so via the Rangzen protocol because nodes only accept Rangzen protocol messages. A Rangzen node will only store a new message if the message is authored by the node itself or received during a peer encounter. Attackers that do not corrupt the Rangzen software itself must therefore attack the peer encounter protocol to spread messages.

Unique device identifiers.

An attacker may attempt to identify individual devices and their owners that are using Rangzen. Rooted devices can randomize the device's MAC addresses on each exchange. Physical-layer device-unique characteristics are more difficult to detect but also harder to conceal on unmodified commodity devices.

Propaganda spread.

Rangzen nodes reject messages from peers that do not complete PSI-Ca. If the attacker performs PSI-Ca then their success at spreading propaganda (messages with high priority scores) depends upon the ability to form friendships with real users, which our threat model assumes they cannot do with large numbers of real users; as a result their messages will be penalized by the trust score calculation when propagated. The bottleneck between real users and attackers in the trust graph has been used in other application domains, such as Bazaar [58], for a similar purpose.
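The trust score, the sigmoid of equation (1), the truncated and noised priority, and the feed ordering with drop-lowest eviction described above, as an added Python example; this is not the Rangzen implementation, which is Java. ρ = 13, the 30-friend cap, priority 1 for authored or upvoted messages and dropping the lowest priority first are taken from the paper; the values of EPSILON and TAU, the noise sigma, the keep-the-higher-priority policy for a message seen twice and the multiplicative decay are assumptions made for this example. demo() shows a Sybil sharing no friends with Alice landing below a display threshold while a peer sharing two of her four friends does not.

```python
import math
import random

# RHO = 13 and the 30-friend cap are from the paper. EPSILON and TAU are
# assumed values; the paper uses both constants but their values are not given here.
EPSILON = 0.01
RHO = 13.0
TAU = 0.2
MAX_FRIENDS = 30


def trust(friends_a, friends_b, eps=EPSILON, max_friends=MAX_FRIENDS):
    """T(a, b) = max(|F(a) ∩ F(b)| / |F(a)|, eps), over friend sets capped at max_friends.

    In Rangzen the intersection size comes out of PSI-Ca; here both sets are
    known locally, so the example intersects them directly.
    """
    fa = set(sorted(friends_a)[:max_friends])
    fb = set(sorted(friends_b)[:max_friends])
    if not fa:
        return eps
    return max(len(fa & fb) / len(fa), eps)


def mapped_trust(t, rho=RHO, tau=TAU):
    """Equation (1): p_{b,a}(T) = 1 / (1 + exp(-rho * (T - tau)))."""
    return 1.0 / (1.0 + math.exp(-rho * (t - tau)))


def truncate(x):
    """Tr[x]: clamp a priority into [0, 1]."""
    return min(1.0, max(0.0, x))


def received_priority(p_o, t, rng=None, mu=0.0, sigma=0.05):
    """Priority a stores for a message received from b with priority p_o.

    Tr[(p_{b,a}(T(a,b)) * p_o) + z_a] with z_a ~ N(mu, sigma). rng=None gives the
    noiseless value; sigma=0.05 is an assumed noise level.
    """
    z = rng.gauss(mu, sigma) if rng is not None else 0.0
    return truncate(mapped_trust(t) * p_o + z)


class MessageStore:
    """A node's message store: priority-ordered feed with drop-lowest eviction."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.priority = {}  # message text -> priority in [0, 1]

    def author(self, text):
        self.priority[text] = 1.0  # locally written messages start at priority 1

    def upvote(self, text):
        self.author(text)  # with anonymous messages, upvoting to 1 equals reauthoring

    def receive(self, text, p_o, t, rng=None):
        p = received_priority(p_o, t, rng)
        # Assumed policy: a message seen twice keeps the higher of the two priorities.
        self.priority[text] = max(p, self.priority.get(text, 0.0))
        while len(self.priority) > self.capacity:
            lowest = min(self.priority, key=self.priority.get)
            del self.priority[lowest]  # out of storage: lowest priority goes first

    def decay(self, factor):
        """Age out content over time; multiplicative decay is an assumed form."""
        for text in self.priority:
            self.priority[text] *= factor

    def feed(self, hide_below=0.0):
        """Highest priority first; entries under hide_below are hidden from the UI."""
        ordered = sorted(self.priority.items(), key=lambda kv: -kv[1])
        return [text for text, p in ordered if p >= hide_below]


def demo():
    """Alice receives from Carol (2 of Alice's 4 friends shared) and from a Sybil (none)."""
    alice = {"f1", "f2", "f3", "f4"}
    carol = {"f1", "f2", "c1", "c2"}
    sybil = {"s1", "s2"}
    store = MessageStore(capacity=5)
    store.author("alice: meeting moved to the square at 6")
    for i in range(3):
        store.receive(f"carol: report {i}", 1.0, trust(alice, carol))
    for i in range(3):  # constructed propaganda from a node with no mutual friends
        store.receive(f"propaganda {i}", 1.0, trust(alice, sybil))
    return store


if __name__ == "__main__":
    s = demo()
    for text in s.feed():
        print(f"{s.priority[text]:.3f}  {text}")
```

With these constants a sender sharing half of Alice's friends maps to about 0.98, while a sender at the ε floor maps to under 0.1, so a display threshold of 0.1 hides the propaganda and the capacity limit evicts it first; the noise term is what keeps the stored value from revealing exactly how many friends the forwarder shared.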
Attacking friend addition.
Rangzen only adds friend IDs via in-person exchanges, and these IDs are random and private. Thus attackers must either capture devices or socially engineer targets to befriend users. An attacker who learns friend IDs can store them, forming directed edges in the graph. We rely upon standard device security to ensure the safety of friend IDs on phones themselves. We also designed but did not implement a distributed ID revocation protocol. These enhancements are orthogonal to our design and could be implemented in settings that require them.
Attacking trust computation.
We place very few demands on the PSI protocol, and our choice of algorithm relies only upon standard (Diffie-Hellman) assumptions. Should the PSI algorithm succumb to cryptanalysis in the future, our modular implementation and design enables its easy replacement. Thus a cryptanalytic break of the PSI protocol would require swapping one module rather than redesigning Rangzen.
Chosen-Input Attack.

Adversaries can learn social graph edges only by submitting IDs to the PSI protocol per encounter, posing as a normal user. The adversary must first acquire such an ID, which is only available to a user's real friends, through another type of attack (e.g., device confiscation). If the attacker includes one ID and the intersection has cardinality 1, the attacker learns that their communication partner is friends with that ID. We call this a chosen-input attack on the trust computation. If an adversary can confiscate significant numbers of devices from users in an intact state, unlock those devices, and extract friend IDs, and then use these IDs to perform a chosen-input attack against peers it meets, this would at most allow the adversary to gradually learn the social graph, as we consider in Appendix B. It is unclear that this is the most efficient way for any adversaries to learn social connections between people; they might instead examine online social media. Given that there is no direct defense against this attack (since the Rangzen setting is one in which there is no trusted authority, so there is no way to prevent Sybil attacks), we enable users to rate limit encounters to reduce information leaked through this channel depending on their level of risk tolerance.
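The PSI-Ca exchange of the Lightweight Protocol section and the chosen-input attack above, as an added Python example; this is neither the Rangzen Java code nor the exact message flow of the protocol cited as [17]. It keeps the same Diffie-Hellman structure (each side raises hashed friend IDs to a secret exponent, and the server shuffles before replying so only the count survives), but the client re-blinds the server's values with its own exponent instead of unblinding with a modular inverse. The group (RFC 3526 group 5), the names Party, psi_ca, chosen_input_attack and EncounterRateLimiter, the constructed friend IDs and the rate-limit parameters are all assumptions of this example.

```python
import hashlib
import random
import secrets

# RFC 3526 group 5: a 1536-bit safe prime p. q = (p - 1) / 2 is prime, and the
# quadratic residues mod p form the order-q subgroup in which we work.
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
Q = (P - 1) // 2
_sysrand = random.SystemRandom()


def hash_to_group(friend_id: bytes) -> int:
    """H(): map a friend ID (128 random bits in Rangzen) to a quadratic residue mod p."""
    h = int.from_bytes(hashlib.sha256(friend_id).digest(), "big") % P
    return pow(h, 2, P)


class Party:
    """One phone: its friend IDs plus a per-encounter secret exponent."""

    def __init__(self, friend_ids, max_friends=30):
        self.friends = list(friend_ids)[:max_friends]  # the paper caps IDs per PSI run
        self.r = None

    def new_session(self):
        self.r = secrets.randbelow(Q - 1) + 1  # fresh exponent for every encounter

    def blind(self):
        """Client message: H(c_i)^R_c for each friend, shuffled."""
        out = [pow(hash_to_group(f), self.r, P) for f in self.friends]
        _sysrand.shuffle(out)
        return out

    def respond(self, client_blinded):
        """Server message: (H(c_i)^{R_c R_s} shuffled, H(s_j)^{R_s} shuffled).

        Shuffling the first list is what stops the client from learning WHICH of
        its own friends matched; only the number of collisions is recoverable.
        """
        doubly = [pow(x, self.r, P) for x in client_blinded]
        _sysrand.shuffle(doubly)
        mine = [pow(hash_to_group(f), self.r, P) for f in self.friends]
        _sysrand.shuffle(mine)
        return doubly, mine

    def count(self, doubly, server_blinded):
        """Client finish: raise the server's values to R_c and count collisions."""
        mine = {pow(y, self.r, P) for y in server_blinded}
        return sum(1 for x in doubly if x in mine)


def psi_ca(client: Party, server: Party) -> int:
    """Run the two-message exchange; the client learns |F(client) ∩ F(server)|."""
    client.new_session()
    server.new_session()
    msg1 = client.blind()
    msg2 = server.respond(msg1)
    return client.count(*msg2)


def chosen_input_attack(victim: Party, stolen_id: bytes) -> bool:
    """Attacker submits a single stolen ID; cardinality 1 confirms one graph edge."""
    return psi_ca(Party([stolen_id]), victim) == 1


class EncounterRateLimiter:
    """Cap PSI runs per time window, the user-tunable mitigation the paper describes."""

    def __init__(self, max_per_window, window_s):
        self.max = max_per_window
        self.window = window_s
        self.times = []

    def allow(self, now):
        self.times = [t for t in self.times if t > now - self.window]
        if len(self.times) >= self.max:
            return False
        self.times.append(now)
        return True


if __name__ == "__main__":
    ids = [secrets.token_bytes(16) for _ in range(6)]  # constructed 128-bit friend IDs
    alice, bob = Party(ids[:4]), Party(ids[2:])
    print("mutual friends Alice learns:", psi_ca(alice, bob))
    print("mutual friends Bob learns:  ", psi_ca(bob, alice))
    print("edge Bob<->ids[5] confirmed:", chosen_input_attack(bob, ids[5]))
```

Neither party ever sees the other's hashed IDs unblinded, and the per-encounter exponents mean values captured in one exchange are useless in the next; the only leak is the count, which is exactly what the single-ID chosen input exploits, one edge per encounter, hence the rate limiter.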
An out-of-band social-media based attack is always possible in any system that leverages person-to-person connections. However, with Rangzen such attacks are harder because ubiquitous surveillance of Rangzen user exchanges is highly unrealistic. Also note that an external social graph cannot be used to forge identities in Rangzen, as Rangzen IDs are random.

Denial of Service.

Attackers may attempt to launch denial of service attacks by overwhelming the system with

Implementation

We implemented Rangzen as an Android app. In building Rangzen, we had several goals, including that it be easy for users to use correctly, efficient in terms of battery life, and able to propagate messages quickly and at a distance. Unmodified smartphone platforms have limitations that make this a challenge; in this section we discuss some of those difficulties and our engineering efforts to overcome them. To enable peer exchanges without user interaction, we take a novel approach that combines several technologies available on Android phones since OS version 4.0 (Ice Cream Sandwich): WiFi Direct (known as WiFi P2P in Android) and Bluetooth. Our implementation consists of over 17,000 lines of Java. Our test suite additionally contains over 4,000 lines of Java.

From our conversations with activists, we learned that in medium-risk countries users who do not have access to an app store customarily side-load the Rangzen app and share the APK with other interested users through phone-to-phone file sharing. We expect the common case to be that activists who are concerned about privacy will side-load the app after downloading it via Tor, while those who are less concerned will install it from an app store. Side-loading bypasses the app store's distribution checks, so a recipient of a shared APK should confirm that its signing certificate matches the published one before installing.

We ran Rangzen on 7 models of Android devices: a Nexus 5, a first-generation Nexus 7, a second-generation Nexus 7, a Nexus 4, a Samsung Galaxy S4, a Samsung Galaxy S5, and an HTC One X.
These devices were running stock Android 5.0, stock Android 4.4.4, stock Android 4.4.2, Cyanogenmod 11, a Verizon build of Android 4.3, and an AT&T build of Android 4.0.3 at various points in the testing process. These older phones are reflective of devices often in use in countries of interest.
We assumed modern but not cutting-edge devices and operating systems for the users of Rangzen, as this reflects the distribution of devices in countries of interest. Our prototype functions on any version of Android which supports WiFi Direct (4.0 and greater). Android 4.0 was released in late 2011, and our target versions include over 97% of Android devices operating today [2]. We assume that requiring users to root their devices would be an unacceptable burden; similarly, we aimed not to require user input to enable passive message forwarding. Thus we rejected approaches which burdened the user in either of these ways.
We found that it was difficult to implement mesh networking capabilities in Android. The hardware supports a variety of protocols which in principle offer convenient peer-to-peer capabilities, including Bluetooth, Bluetooth Low Energy (BLE), ordinary WiFi, hotspot mode WiFi, and WiFi Direct. However, the OS limits the ways we can use these technologies. Here we discuss these limitations before we describe our hybrid solution.
Ad-hoc WiFi Requires Root.
Ad-hoc WiFi, a classic approach for peer-to-peer communication over WiFi-enabled devices, requires a rooted phone. We opted not to require the user to root their phone for the sake of deployability.
Bluetooth Discoverability Requires User Input.
Bluetooth offers the ability to discover other Bluetooth devices, connect to them, and exchange messages. To be discovered, a device must become discoverable, a state in which it broadcasts its presence. For security and user experience reasons, the developers of Android chose to require direct user input any time a device wishes to become discoverable. This model would prevent Rangzen from operating without user intervention. While we ended up using Bluetooth for data transfer, we do not use it to discover peers.
WiFi Direct Data Requires User Input.
WiFi Direct is a peer-to-peer protocol using WiFi chips that enables devices to discover peers, connect, and exchange data. Unlike Bluetooth, Android's WiFi Direct implementation does not require user intervention for devices to discover one another. However, it does require user input to connect and transfer data with a newly discovered peer. Thus while other devices can be discovered over WiFi Direct, a data connection cannot be formed without user input. The reason for this difference between user input in WiFi Direct and Bluetooth is unclear to us; it may be intentional or accidental. From our perspective as developers, differences like these significantly increased development time, since they are undocumented.

Bluetooth Low Energy Not Universal.

While BLE provides means for interaction-free communication, it is not universally supported; it requires Android 5+ and special support from phone vendors, and as such is only available on a small number of phone models. We implemented a prototype BLE stack, but do not rely upon it for our experiments.

Hybrid Protocol.

WiFi Direct enables us to discover other devices without user intervention, while Bluetooth allows connections and data transfer without user input. To work around these limitations, we use both stacks in combination. WiFi Direct discovery exposes a device name field, and it is settable in software via a hidden API. We set this name to be the Bluetooth MAC address of the local device. Thus we use WiFi Direct discovery to communicate a small amount of information—the Bluetooth MAC address—which is required to bootstrap a Bluetooth connection. Clients can now bypass the discovery portion of the Bluetooth stack; no user interaction is required if the Bluetooth MAC address of the remote device is already known. Thus devices can discover each other and communicate without any user interaction and without rooting the device. Two caveats follow from this design: the device's Bluetooth MAC address is advertised to any WiFi Direct scanner in range, which is consistent with our non-goal of hiding device identifiers from a local eavesdropper, and because the name field is set through a hidden API, the technique may need adjustment across Android releases. WiFi Direct has greater range than Bluetooth, but our effective range is limited by Bluetooth since we must be in range for both technologies.
Table 2 depicts our benchmarks of our implementation. The Total row represents the total time for an exchange plus the time to locate a peer. Each other row represents a small experiment we did to measure individual factors that contribute to the full time in an exchange. The Other row represents time measured in a full exchange not accounted for by our measurements of individual factors.
All network benchmarks were performed at a 10 meter distance between a Nexus 5 and a Nexus 7. For each measurement we performed at least 100 trials.
Footnote: We found that even using Bluetooth, Rangzen can operate between devices at distances of 40-50 meters; we limited our experiments to 10 meters since we believed that approximated average distances communicating devices were likely to experience.
Measuring an entire exchange.
We measured the time from the beginning to end of an exchange between two devices, after peer discovery. The devices were preloaded with 100 messages (140 bytes each) and 30 friends, which resulted in the transmission of approximately 23.5 KB of data in each direction. In Table 2, we add the peer discovery time to these values to form our "Total" row.
Cryptographic Operations.
We measured the runtime of the computations performed for the PSI-Ca protocol. Initialization of the PSI-Ca protocol takes 350 ms on average. This can be done offline, but we have not implemented this optimization. The online portion takes 260 ms on average.
Peer Discovery.
We measured the wallclock time between calling the Android API that starts a peer-finding scan until the time our application located a nearby peer.
Table 2: Breakdown of the time spent during a Rangzen exchange between two peers in seconds. Rows: Peer Discovery, BT Connect Delay, BT Latency, Data Tx, Crypto, Other, Total (measured); columns: Avg, StdDev, Med, 90th% (numeric cells not recovered).
Delay of Bluetooth Socket Connection.
After peer discovery, the devices involved are aware of each others' presence but must form a Bluetooth RFCOMM connection before transmitting data. We measured the time between requesting such a connection and being informed by the OS that the connection was ready.
Latency of the Bluetooth Data Channel.
We measured the round-trip time between two devices which were already connected over Bluetooth. We sent an integer nonce (4 bytes) back and forth over the channel a single time, counting the time between the measuring node's transmission and its receipt of the echo.
Bandwidth of the Peer-to-Peer Channel.
We measured the raw bandwidth of peer-to-peer Bluetooth links, which can be viewed primarily as a limiting factor on the number of broadcast datagrams we can transmit in a single encounter between peers. These speeds were measured over a payload size of 150 KB. We measured a median of 15.09 KB/s. The 90th percentile lowest bandwidth was 13.41 KB/s. In Table 2 above, we converted these bandwidths into the amount of time required to send 23.5 KB at that bandwidth. This corresponds to the amount of data sent in our integrated benchmark for 100 messages and 30 friends.
A key adoption concern is power drain. We measured the additional battery load imposed on a device, as reported by Android's battery manager. These tests were performed on a Nexus 5. We found that Rangzen consumed 5.5% of the device's battery per hour when communicating nearly continuously (by initiating communication with a nearby device every 10 seconds). This represents the worst case for battery usage, since it involves constant communication. We believe that this is reasonable battery drain given that during a blackout there are few other means of communication, and thus Rangzen is a more valuable app in those circumstances.
8.3 Discussion
Bluetooth's bandwidth constraint and connection delay account for about one third each of the duration of an exchange. Nevertheless, nodes can discover peers and communicate hundreds of messages in opportunistic encounters of less than 10 seconds. As such, even passers-by on a street will be in range long enough to permit an exchange.
Our experiments indicate that Rangzen can disseminate messages quickly at the device level. In this section, we evaluate the anonymity and message-spreading properties of Rangzen at the network level. Rangzen's anonymity and reliability depend on large-population statistics; we conducted several tests with dozens of users over several weeks, but such small-scale experiments with real subjects are not indicative of performance at scale. Therefore, we have simulated Rangzen operating at city-scale over real mobility traces. We also derive anonymity properties theoretically, and evaluate our expressions for the datasets considered. Due to the lack of large public datasets containing both social and mobility data, we have used a large-scale mobility dataset and imposed a social graph using known methods.
For simulating message spread, we used real-world datasets, including mobility traces (EPFL Cabspotting [57], St. Andrews Locshare [5], University of Milano PMTR [51], and Technicolor SIGCOMM [56]) and social graphs (two subgraphs of the Facebook social graph [50, 75]). We also tested our algorithms on datasets of mobility and social connections [5, 12], which in principle is what we want, but we found the datasets to be too sparse in time (Gowalla) and space (St. Andrews) for effective evaluation, though our results with them were substantially similar to those we report here.
Our simulator consists of 2100 lines of Java code built upon MASON [49], a discrete-event multiagent simulation library. Our simulator accepts social network graphs or can generate scale-free random social graphs as needed [1]. The simulator supports various mobility datasets. It replays agent locations over time, and agents within 20 m are made to encounter one another with some small probability (our simulations use 0.05). This is meant to simulate unreliable message exchanges for worst-case evaluations.
Nodes can also be adversarial, which causes them to perform physical/MAC layer attacks. We model these attacks in a worst-case analysis by assuming that all nodes within range of the attacking node are unable to communicate at all. We do not allow honest nodes to upvote messages, to ensure that simulation results are lower bounds on message propagation speed.
Footnote: We found that BLE provides no better performance.
Footnote: Our prototype is able to communicate at ranges up to 40-50 m, and sometimes farther.
Our results indicate that Rangzen could, despite network attacks, continue to deliver predominantly legitimate messages during an Internet blackout while protecting the anonymity of message authors.
Message propagation.
In simulation, Rangzen delivered messages from honest nodes to over 80 percent of the population within 24-48 hours, depending on the prioritization noise parameters (Figure 1). Figure 3 indicates that messages from individual popular nodes may spread up to 33 percent more than those from an entire adversarial coalition of nodes, and those adversarial messages have low priority, enabling end-device filtering.
Robustness of the network.
Figure 4 indicates that Rangzen is robust to jamming attacks even when 10 percent of the population is an attacker using jammers with ranges up to 1.3 km. We believe such an attack to be beyond the capabilities of a likely adversary. At the protocol level, Figure 3 indicates that coalitions of adversarial nodes cannot dominate network resources as they have few friends. A coalition of 6 adversarial nodes in a network of 400 nodes performed only marginally better on average than individual honest nodes selected uniformly at random.
Protection for users.
Authorship deniability.
Users can deny authorship of any message with non-negligible probability (§ ).
Device Capture.
If an adversary captures b's device, b's friend IDs are password-protected. Without input from b, an adversary can only learn mutual friends via the chosen-input PSI-Ca attack. Even with b's password, friend IDs are not stored; only hashes are.
Trust Graph Extraction.
A resource-limited adversary cannot learn a significant portion of the trust graph. This effect can be amplified by randomly adding and deleting friends in PSI interactions, and limiting the maximum number of friends that can be fed to the PSI-Ca protocol.
Our metrics of success for message propagation are a) the time required for a message to reach 90 percent of the honest population, and b) the fraction of honest nodes that have received a message by a given time. These metrics are chosen for use cases like protest organization, in which mobilization depends on a large portion of the population cooperating. All plots are averaged over 40 runs. We use epidemic propagation over infinite-storage devices as an upper bound on the spread rate since a mesh DTN cannot disseminate content faster than flooding if storage is unconstrained. Since mobility is harder to model than social relations, we used the Cabspotting mobility dataset [57] with a randomly-generated Albert-Barabási social graph [1]. The Albert-Barabási generative model lets us create arbitrarily-sized social networks, and it displays common properties of social networks like high clustering coefficient, power-law degree distribution, and short path lengths between nodes.
Footnote: However, it does not capture other properties of social graphs such as community development. Also, true social graphs are typically somewhat correlated with mobility patterns.
Figure 1: Impact of the Rangzen protocol on legitimate message propagation without an adversary. The additive Gaussian noise in priority scores clearly improves propagation, but may hamper the system's ability to filter out adversarial messages. (Axes: Time (Hours) vs. proportion of nodes with message; curves: Infinite storage (best case); Finite storage, mean=0.5, var=0.1; Finite storage, mean=0.3, var=0.1; Finite storage, mean=0.0, var=0.1; Finite storage, No noise; annotation: Nonzero noise.)
Figure 1 shows the propagation of legitimate messages with no adversary. The curves represent different distributions of the noise parameter z_i in our trust metric. Figure 1 suggests that even using random social graphs, Rangzen can reach at least 80 percent of the population within 24 hours and 90 percent of the population 20 hours after infinite-storage epidemic routing does so.
Next, we demonstrate the performance of Rangzen under a passive adversary, which deploys devices that follow the Rangzen protocol, but may also disseminate their own content. Distinct groups of friends may wish to emphasize their own content internally without directly attacking others' communications. A node with few connections to a social graph cluster can therefore be considered a passive adversary; its goal is not explicitly to hinder message propagation within the cluster, but messages from more popular nodes in the cluster should be prioritized. This is not a key part of our threat model, but it relates nonetheless to reducing spam in broadcast networks. Figure 2 shows the effects of node popularity on propagation speed. Here, (un)popular nodes were selected randomly from the 5 percent worst- or best-connected nodes in the social network. The figure shows that messages from popular nodes reach 90 percent of the population as much as 40 hours earlier than messages from unpopular nodes, for certain noise levels. This model of communication is consistent with natural human communication patterns, which tend to favor people with more social connections.
Figure 2: Popular nodes can spread messages faster than unpopular nodes. This effect is more pronounced when nodes add less noise prior to transfers (e.g. lower µ). We expect adversarial nodes to be unpopular. (Axes: Time (Hours) vs. proportion of nodes with message; curves: Popular author and Unpopular author for µ = 0.5, µ = 0.3 and µ = 0.0, each with σ = 0.1.)
Next we consider an active adversary that controls a node coalition. Adversaries have few friends but they can share friend IDs. The adversarial coalition spreads only its own messages. It can create Sybils, but this is of limited use since Sybils do not help befriend honest nodes. We used noise parameters µ = ., σ = . The figure shows that the adversarial coalition can spread messages a little bit better than average nodes, but at least 30 percent worse than individual popular nodes. At very small scales (50 nodes), we observed that average and unpopular honest nodes actually performed better than the adversarial coalition for the first 48 hours. This suggests that Rangzen can be used by anyone within tighter social circles, though one should be well-connected to communicate at a large scale, just as is often the case in other social networks.
Footnote: At its height, the Stasi employed 0.6% of the East German population as agents and another 0.9% of the population consisted of "informal collaborators" [39].
Figure 3: Adversary propaganda spread. (Axes: Time (hours) vs. proportion of nodes with message; curves: Popular author; Average author; Unpopular author; Adversarial coalition, 1.5% of nodes.)
If an adversary were to corrupt popular nodes it could infiltrate a given social circle. Even offline, this is impossible to prevent. Here we must rely on nodes to gradually unfriend corrupted nodes. Similarly, if the adversary corrupts a significant fraction of the population, Rangzen cannot defend against it. We believe that this will be true of any decentralized, mobile-mesh-based solution.
For a worst-case estimate of physical or MAC-layer attack effects, we first consider a physical-layer attacker (e.g., a jammer). We model it as a point source of omnidirectional radiation in one of the WiFi frequency bands (20 MHz bands at either 2.4 GHz or 5 GHz), as a best case for the attacker. We assume the attacker targets WiFi Direct rather than Bluetooth, as Bluetooth employs adaptive frequency hopping and channel assessment to avoid interference. To be conservative, we assume the signal follows the path loss formula:
$$P_R = P_T \left( \frac{c}{4 \pi d f} \right)^2$$
where c is the speed of light, f is the signal frequency in Hz, d is the distance traversed, and P_T and P_R are the transmitted and received power, respectively (we assume equal antenna gains). We ignore factors like diffraction and absorption, which would significantly weaken a jamming adversary. It is the inverse square factor of path loss that hampers jamming at scale. We estimate the transmit power of a smartphone to be 251 mW (corresponding to average output power over the 5.4 GHz band), and we estimate the maximum output power of a stationary jammer to be 20 W in the same WiFi band (based on military-grade commercial jammers). Under these assumptions, a jammer would need to be within 180 m of the receiver, with line-of-sight, to jam transmissions between nodes 20 m apart. This 180 m attack range is in line with advertised ranges of commercial jammers.
Figure 4: Propagation impact of physical/MAC attacks. (Axes: Attacker Radius (m) vs. propagation level after a fixed number of hours; curves: Mobile incidental jammer [Rangzen]; Stationary incidental jammer [Rangzen]; Stationary adversarial jammer [Rangzen]; Mobile incidental jammer [Epidemic].)
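The jammer-reach estimate above, as an added Python example that is not the paper's own code: it reproduces the 180 m figure from the path-loss formula with the paper's 251 mW phone, 20 W jammer and 20 m link, and shows that the reach depends only on the square root of the power ratio. The function names and the 2.4 GHz default frequency are assumptions of this example.

```python
"""Worst-case jammer reach under free-space path loss.

Added example, not from the Rangzen paper or its implementation. Under
P_R = P_T * (c / (4*pi*d*f))**2 with equal antenna gains, the frequency
cancels when two signals are compared at the same receiver, so only the
power ratio and the two distances decide who is heard.
"""
import math

C = 299_792_458.0  # speed of light in m/s


def received_power(p_tx_w, d_m, f_hz):
    """Free-space (Friis) received power in watts for a transmitter of
    p_tx_w watts at d_m metres on frequency f_hz; equal antenna gains."""
    if d_m <= 0 or f_hz <= 0 or p_tx_w < 0:
        raise ValueError("distance and frequency must be positive, power non-negative")
    return p_tx_w * (C / (4 * math.pi * d_m * f_hz)) ** 2


def signal_to_jammer_db(p_node_w, d_link_m, p_jam_w, d_jam_m, f_hz=2.4e9):
    """Signal-to-jammer ratio (dB) at the receiver: positive means the
    legitimate peer's signal is stronger than the jammer's at that point."""
    s = received_power(p_node_w, d_link_m, f_hz)
    j = received_power(p_jam_w, d_jam_m, f_hz)
    return 10 * math.log10(s / j)


def jammer_reach_m(p_node_w, d_link_m, p_jam_w):
    """Largest jammer distance at which the jammer still matches the peer's
    received power (SJR = 0 dB). Equating the two Friis expressions and
    solving for the jammer's distance gives d_jam = d_link * sqrt(P_jam / P_node);
    the 4*pi*f factor cancels, so the result is frequency-independent."""
    if p_node_w <= 0:
        raise ValueError("node transmit power must be positive")
    return d_link_m * math.sqrt(p_jam_w / p_node_w)


def reach_table(p_node_w, d_link_m, jammer_powers_w):
    """Reach in metres for several jammer powers; a 100x power increase
    only buys a 10x longer reach because of the square-root law."""
    return {p: round(jammer_reach_m(p_node_w, d_link_m, p), 1) for p in jammer_powers_w}


if __name__ == "__main__":
    phone_w, link_m, jammer_w = 0.251, 20.0, 20.0  # figures taken from the paper
    print(f"reach: {jammer_reach_m(phone_w, link_m, jammer_w):.1f} m")  # about 178.5 m
    for d in (100.0, 178.5, 180.0, 1000.0):
        sjr = signal_to_jammer_db(phone_w, link_m, jammer_w, d)
        print(f"jammer at {d:7.1f} m -> SJR {sjr:+.2f} dB")
    print(reach_table(phone_w, link_m, [1.0, 20.0, 200.0]))
```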
Footnote: Although many military-grade products advertise high overall power output, the bandwidth of such products is typically high and non-configurable; 20 W in the WiFi band is typical.
We simulate message propagation in a jamming attack scenario. For simplicity, we model a "perfect" jammer (i.e., node pairs located within an attack radius are unable to propagate messages no matter their distance from the attacker). To be conservative we consider jammers with an order of magnitude greater range than we estimated for commercial jammers above, as an attacker might extend this range with MAC-layer attacks (e.g., by sending messages that cause other nodes to not transmit).
We consider mobile and stationary adversaries, both optimally and non-optimally placed. We model mobile, non-optimal adversaries as nodes in the mobility trace. Stationary non-optimal attackers are placed uniformly within the simulation area. We used a simulated annealing algorithm to place optimal, stationary adversaries [38]. An optimal mobile attacker would have to know the entire population's location at every instant in time (without the benefit of cell-based location tracking), and solve an NP-hard problem [38]; regardless, we do not believe such adversaries pose a greater risk than attackers traversing popular routes regularly.
Figure 4 shows the impact of such geography-based jamming attacks on message propagation; we find that even when physical/MAC-layer attackers have omnidirectional ranges up to 1000 m, the system propagates at least 80 percent as well as it does in a best-case non-jamming scenario. While such an attack is unlikely, this highlights Rangzen's robustness to localized attacks.
Figure 5: Anonymity set size (fraction of nodes) as a function of the estimator's confidence level. A point (0.5, 0.2) indicates the smallest set of nodes including the author with probability 0.5 contains at least 20% of the nodes. (Axes: confidence level vs. size of anonymity set (normalized); curves: µ = 0.7 with σ = 0.3, 0.1 and 0.01; µ = 0.5, 0.3, 0.1 and 0.0 with σ = 0.1; and No noise.)
Next we evaluate Rangzen's anonymity properties and its resistance to message author identification and social trust graph extraction.
If the adversary receives a high-priority message from an honest node, Rangzen should enable the sender to plausibly deny authorship. For this analysis, we derive a distribution for the anonymity set, which is the set of nodes that could have plausibly authored a particular message. Specifically, we estimate how many hops a message took since inception, and then estimate how many nodes are that many hops away for a fixed confidence level. Recall that random noise is added to message priority scores before each transmission. This noise enlarges the anonymity set.
We compute the pmf of the number of hops a message traversed before reaching a target node, given the priority score seen. Suppose node A receives a message from B. Let N be the number of hops the message traversed before reaching B. S ∈ [0, 1] denotes the priority with which A receives the message from B (before considering their mutual friends). Ω denotes the event that the message is observed by a randomly-selected node (in this case, A). For a worst-case analysis, assume that A receives the message with priority S = 1. We want P(N = n | Ω, S = 1), which by Bayes' rule is proportional to
$$P(S = 1 \mid N = n, \Omega) \cdot P(N = n \mid \Omega).$$
We present our modeling of P(N = n | Ω) and P(S = 1 | Ω, N = n) in greater detail in Appendix A. Using these models, we estimate P(N = n | Ω, S = 1) as a function of n. Combining this with mobility data, we numerically estimate the anonymity set size for a given trace.
Figure 5 shows the size of the author's anonymity set as a function of the estimator's confidence level, the probability that the true author is in the anonymity set, for the SIGCOMM dataset [56]. Using µ = . and σ = .1, the 90% confidence anonymity set contains 80% of network nodes. More noise significantly increases the anonymity set size. Anonymity is necessarily data-dependent because it is always possible to construct pathological mobility and social trust models in which the adversary can easily identify the source of messages. The correct noise parameters should be selected empirically to balance anonymity with message propagation.
We also consider an adversary who aims to learn global information about the Rangzen trust graph, such as which pairs of nodes are friends. This information can lead to deanonymization through correlation with other social graphs (e.g., Facebook, Twitter) [54]. In Appendix B, we show analytically that due to Rangzen's node ID protection, this is a difficult attack to scale.
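The hop-count posterior above, together with the priority recursion of Appendix A, as an added Python example that is not the paper's own code: it simulates S_n = p_n · S_{n-1} + z_n with Gaussian noise, estimates P(S | N = n, Ω) by Monte Carlo, and applies the Bayes step to obtain P(N = n | Ω, S = 1). The trust-factor range, the geometric prior on N, S_0 = 1 and the clipping of priorities to [0, 1] are assumptions of this example, not values from the paper.

```python
"""Hop-count posterior for a Rangzen message under noisy priority scores.

Added example, not from the Rangzen paper or its implementation. Constructed
assumptions: S_0 = 1 for a freshly authored message, per-hop trust factors
p_i uniform on [P_LOW, P_HIGH], priorities clipped to [0, 1], and a geometric
prior on the hop count N. Priorities are bucketed into BINS equal-width bins
so that P(S in bin | N = n) can be estimated by simulation.
"""
import random

P_LOW, P_HIGH = 0.3, 1.0   # constructed range for the trust factor p_i
BINS = 10                  # priority bins [0,0.1), ..., [0.9,1.0]


def priority_after_hops(n_hops, mu, sigma, rng):
    """Appendix A recursion S_n = p_n * S_{n-1} + z_n with z_n ~ N(mu, sigma^2)."""
    s = 1.0  # assumption: S_0 = 1 (the author's own copy)
    for _ in range(n_hops):
        p = rng.uniform(P_LOW, P_HIGH)       # trust scaling applied at this hop
        z = rng.gauss(mu, sigma)             # noise added before transmission
        s = min(1.0, max(0.0, p * s + z))    # keep the score inside [0, 1]
    return s


def priority_bin(s):
    """Index of the bin containing priority s (s = 1.0 falls in the top bin)."""
    return min(BINS - 1, int(s * BINS))


def likelihood_table(max_hops, mu, sigma, trials=4000, seed=1):
    """table[n][b] ~ P(S in bin b | N = n, Omega), estimated by Monte Carlo."""
    rng = random.Random(seed)
    table = []
    for n in range(max_hops + 1):
        counts = [0] * BINS
        for _ in range(trials):
            counts[priority_bin(priority_after_hops(n, mu, sigma, rng))] += 1
        table.append([c / trials for c in counts])
    return table


def geometric_prior(max_hops, ratio=0.5):
    """Constructed prior P(N = n | Omega): each extra hop is half as likely."""
    weights = [ratio ** n for n in range(max_hops + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def hop_posterior(observed_s, table, prior):
    """Bayes step: P(N = n | Omega, S) is proportional to
    P(S | N = n, Omega) * P(N = n | Omega); normalised over n."""
    b = priority_bin(observed_s)
    unnorm = [table[n][b] * prior[n] for n in range(len(prior))]
    total = sum(unnorm)
    if total == 0.0:
        raise ValueError("observed priority has zero likelihood under the model")
    return [u / total for u in unnorm]


def plausible_hop_counts(posterior, confidence):
    """Smallest set of hop counts (most probable first) whose posterior mass
    reaches `confidence`. Turning hop counts into the node-level anonymity set
    of Figure 5 additionally needs a mobility trace, which this example omits."""
    order = sorted(range(len(posterior)), key=lambda n: -posterior[n])
    chosen, mass = [], 0.0
    for n in order:
        chosen.append(n)
        mass += posterior[n]
        if mass >= confidence:
            break
    return sorted(chosen)


def author_posterior(mu, sigma, observed_s=1.0, max_hops=6):
    """Posterior over hop counts for the worst case of an observed S = 1."""
    table = likelihood_table(max_hops, mu, sigma)
    return hop_posterior(observed_s, table, geometric_prior(max_hops))


if __name__ == "__main__":
    for mu, sigma in [(0.0, 0.0), (0.3, 0.1), (0.5, 0.1)]:
        post = author_posterior(mu, sigma)
        print(f"mu={mu} sigma={sigma}: P(N=0 | S=1)={post[0]:.2f}, "
              f"90% set of hop counts={plausible_hop_counts(post, 0.9)}")
```

Without noise an observed S = 1 pins the message to its author (hop count 0); with the paper's kind of additive noise the posterior spreads over several hop counts, which is the effect Figure 5 measures at the node level.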
Since the advent of the Internet and the rise of democratized communication there has been a tension between the communication wants and needs of the many and the prerogatives of the few in control of the means of communication. Our aim has been to evade this tension by designing and building a robust, anonymous communication substrate to evade the shutdown of communications infrastructure. We did this by designing a lightweight, anonymous communications protocol; by implementing that protocol in Android; and by examining the behavior of the protocol and of our implementation in a series of benchmarks and simulations, showing that Rangzen is practical and robust at scale. How this tension evolves remains to be seen. An arms race naturally follows the use of circumvention technology like Rangzen. We believe that Rangzen provides both a useful means of communication that is difficult to shut down or co-opt and provides sufficient protection to the average user to prevent retribution by an adversarial government.
Acknowledgements
We thank Ron Steinherz and Liran Cohen for their contributions to the design and implementation of the user interaction of Rangzen. We also thank the activists and scholars working on anonymity systems we spoke with for their insights.
References
[1] Albert, R., and Barabási, A.-L. Statistical mechanics of complex networks. Reviews of Modern Physics 74, 1 (2002), 47.
[2] Android platform versions. https://developer.android.com/about/dashboards/index.html.
[3] Anonymizer.
[4] Asokan, N., Kostiainen, K., Ginzboorg, P., Ott, J., and Luo, C. Applicability of identity-based cryptography for disruption-tolerant networking. In Proceedings of the 1st International MobiSys Workshop on Mobile Opportunistic Networking (2007), ACM, pp. 52–56.
[5] Bigwood, G., Rehunathan, D., Bateman, M., and Bhatti, S. CRAWDAD data set st_andrews/sassy (v. 2011-06-03). Downloaded from http://crawdad.org/st_andrews/sassy/, June 2011.
[6] Boneh, D., and Hamburg, M. Generalized identity based and broadcast encryption schemes. In Advances in Cryptology-ASIACRYPT 2008. Springer, 2008, pp. 455–470.
[7] Buckley, C., and Donadio, R. Buoyed by Wall St. Protests, Rallies Sweep the Globe. New York Times (October 16, 2011).
[8] Chaum, D. The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology 1, 1 (1988).
[9] Chaum, D. L. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24, 2 (1981), 84–90.
[10] Chen, C., Asoni, D. E., Barrera, D., Danezis, G., and Perrig, A. HORNET: High-speed onion routing at the network layer. In Proceedings of ACM CCS (2015).
[11] Chinese Web Censors Struggle With Hong Kong Protest. New York Times (September 30, 2014).
[12] Cho, E., Myers, S., and Leskovec, J. Friendship and Mobility: User Movement in Location-Based Social Networks. In ACM KDD (2011).
[13] Chulov, M. Syria shuts off internet access across the country. The Guardian (November 29, 2012).
[14] Clauset, A., Shalizi, C. R., and Newman, M. E. Power-law distributions in empirical data. SIAM Review 51, 4 (2009).
[15] Corrigan-Gibbs, H., and Ford, B. Dissent: Accountable anonymous group messaging. In Proceedings of ACM CCS (2010).
[16] Cowie, J. Egypt Leaves the Internet. Renesys (January 2011).
[17] De Cristofaro, E., Gasti, P., and Tsudik, G. Fast and private computation of cardinality of set intersection and union. In Cryptology and Network Security. Springer, 2012, pp. 218–231.
[18] Dehmer, M., and Mowshowitz, A. A history of graph entropy measures. Information Sciences 181, 1 (2011).
[19] Diaz, C., Troncoso, C., and Serjantov, A. On the impact of social network profiling on anonymity. In Proceedings of PETS (2008).
[20] Diaz, J. Iran Shuts Down Google, Will Completely Cut Citizens Off the Internet. Gizmodo (September 24, 2012).
[21] Dingledine, R., Freedman, M. J., and Molnar, D. The Free Haven project: Distributed anonymous storage service. In Designing Privacy Enhancing Technologies (2001).
[22] Dingledine, R., Mathewson, N., and Syverson, P. Tor: The second-generation onion router. In Proceedings of USENIX Security (2004).
[23] Douceur, J. R. The Sybil attack. In Proceedings of IPTPS (2002).
[24] El Defrawy, K., Solis, J., and Tsudik, G. Leveraging social contacts for message confidentiality in delay tolerant networks. In Computer Software and Applications Conference, 2009. COMPSAC '09. 33rd Annual IEEE International (2009), vol. 1, IEEE, pp. 271–279.
[25] Fahim, K. Violent Clashes Mark Protests Against Mubarak's Rule. New York Times (January 26, 2011).
[26] Fantz, A. Son: Iranian dad arrested for my Facebook posts. CNN (July 12, 2012).
[27] Farrell, S., and Cahill, V. Security considerations in space and delay tolerant networks. In Space Mission Challenges for Information Technology, 2006. SMC-IT 2006. Second IEEE International Conference on (2006), IEEE, 8 pp.
[28] Fassihi, F. Iranian Crackdown Goes Global. Wall Street Journal (December 3, 2009).
[29] FireChat warns Iraqis that messaging app won't protect privacy. Wired (June 25, 2014).
[30] Freedman, M. J., and Morris, R. Tarzan: A peer-to-peer anonymizing network layer. In Proceedings of ACM CCS (2002).
[31] Garman, C., Green, M., and Miers, I. Decentralized anonymous credentials. In Proceedings of ISOC NDSS (2014).
[32] Gray, D. C., and Citron, D. K. The right to quantitative privacy. Minnesota Law Review 98 (2013).
[33] Greece protest against austerity package turns violent. BBC News (June 28, 2011).
[34] Hedges, C. Death of the Liberal Class. Nation Books, 2010.
[35] Hsiao, H.-C., Kim, T.-J., Perrig, A., Yamada, A., Nelson, S. C., Gruteser, M., and Meng, W. LAP: Lightweight anonymity and privacy. In IEEE Symposium on Security and Privacy (2012).
[36] Isdal, T., Piatek, M., Krishnamurthy, A., and Anderson, T. Privacy-preserving P2P data sharing with OneSwarm. In Proceedings of ACM SIGCOMM (2010).
[37] Jansen, R., and Beverly, R. Toward anonymity in delay tolerant networks: Threshold pivot scheme. In IEEE MILCOM (2010).
[38] Keung, G. Y., Zhang, Q., and Li, B. The base station placement for delay-constrained information coverage in mobile wireless networks. In Proceedings of IEEE ICC (2010).
[39] Koehler, J. O. STASI: The Untold Story of the East German Secret Police. Basic Books, 1999.
[40] Kossinets, G., and Watts, D. J. Empirical analysis of an evolving social network. Science 311, 5757 (2006), 88–90.
[41] Le Blond, S., Choffnes, D., Caldwell, W., Druschel, P., and Merritt, N. Herd: A scalable, traffic analysis resistant anonymity network for VoIP systems. In ACM SIGCOMM Computer Communication Review (2015), vol. 45, ACM, pp. 639–652.
[42] Le Blond, S., Choffnes, D., Zhou, W., Druschel, P., Ballani, H., and Francis, P. Towards efficient traffic-analysis resistant anonymity networks. In ACM SIGCOMM Computer Communication Review (2013), vol. 43, ACM, pp. 303–314.
[43] Li, M., Cao, N., Yu, S., and Lou, W. FindU: Privacy-preserving personal profile matching in mobile social networks. In Proceedings of IEEE INFOCOM (2011).
[44] Liang, X., Li, X., Zhang, K., Lu, R., Lin, X., and Shen, X. Fully anonymous profile matching in mobile social networks. IEEE JSAC (2013).
[45] Libert, B., Paterson, K. G., and Quaglia, E. A. Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In Public Key Cryptography-PKC 2012. Springer, 2012, pp. 206–224.
[46] Libya protests: 84 killed in growing unrest, says HRW. BBC News (February 19, 2011).
[47] Liu, Y., Bild, D. R., Adrian, D., Singh, G., Dick, R. P., Wallach, D. S., and Mao, Z. M. Performance and energy consumption analysis of a delay-tolerant network for censorship-resistant communication. In Proceedings of the 16th ACM International Symposium on Mobile Ad Hoc Networking and Computing (2015).
[48] Lu, X., Hui, P., Towsley, D., Pu, J., and Xiong, Z. Anti-localization anonymous routing for delay tolerant network. Computer Networks 54, 11 (2010).
[49] Luke, S., Cioffi-Revilla, C., Panait, L., Sullivan, K., and Balan, G. MASON: A multiagent simulation environment. Simulation 81, 7 (2005).
[50] McAuley, J., and Leskovec, J. Learning to discover social circles in ego networks. In Proceedings of NIPS (2012).
[51] Meroni, P., Gaito, S., Pagani, E., and Rossi, G. P. CRAWDAD data set unimi/pmtr (v. 2008-12-01). Downloaded from http://crawdad.org/unimi/pmtr/, Dec. 2008.
[52] Miers, I., Garman, C., Green, M., and Rubin, A. D. Zerocoin: Anonymous distributed e-cash from Bitcoin. In Proceedings of IEEE Security and Privacy (2013).
[53] Rangzen/Murmur Code. https://github.com/murmur-project/murmur.
[54] Narayanan, A., and Shmatikov, V. De-anonymizing social networks. In Proceedings of IEEE Security and Privacy (2009).
[55] Needleman, R. FireChat network-free chat could be big. And now it's on Android. Yahoo News (April 3, 2014).
[56] Pietilainen, A.-K. CRAWDAD data set thlab/sigcomm2009 (v. 2012-07-15). Downloaded from http://crawdad.org/thlab/sigcomm2009/, July 2012.
[57] Piorkowski, M., Sarafijanovic-Djukic, N., and Grossglauser, M. CRAWDAD data set epfl/mobility (v. 2009-02-24). Downloaded from http://crawdad.org/epfl/mobility/, Feb. 2009.
[58] Post, A., Shah, V., and Mislove, A. Bazaar: Strengthening user reputations in online marketplaces. In Proceedings of USENIX/ACM NSDI (2011).
[59] Private Internet Access.
[60] Puttaswamy, K. P., Sala, A., Egecioglu, O., and Zhao, B. Y. ROME: Performance and anonymity using route meshes. In Proceedings of IEEE INFOCOM (2009).
[61] Rashevsky, N. Life, information theory, and topology. The Bulletin of Mathematical Biophysics 17, 3 (1955).
[62] Reid, F., and Harrigan, M. An analysis of anonymity in the Bitcoin system. In Security and Privacy in Social Networks. 2013.
[63] Reiter, M. K., and Rubin, A. D. Crowds: Anonymity for web transactions. ACM TISSEC 1, 1 (1998).
[64] Rhoads, C., and Fowler, G. Egypt Shuts Down Internet, Cellphone Services. The Wall Street Journal (January 29, 2011).
[65] Schneier, B. The Battle for Power on the Internet. The Atlantic (October 24, 2013).
[66] Serval Mesh. https://github.com/servalproject/batphone.
[67] Shachtman, N. Syria's internet blackout explained. Wired (November 30, 2012).
[68] Tavern. https://tavern.com/.
[69] Toyama, K. Geek Heresy: Rescuing Social Change from the Cult of Technology. PublicAffairs, 2015.
[70] Trifunovic, S., Kurant, M., Hummel, K. A., and Legendre, F. Preventing spam in opportunistic networks. Computer Communications 41 (2014), 31–42.
[71] Trifunovic, S., Legendre, F., and Anastasiades, C. Social trust in opportunistic networks. In INFOCOM IEEE Conference on Computer Communications Workshops, 2010 (2010), IEEE, pp. 1–6.
[72] Tufekci, Z. After the Protests. New York Times (March 20, 2014).
[73] Twitter.
[74] Why is Ukraine in turmoil? BBC News (February 22, 2014).
[75] Viswanath, B., Mislove, A., Cha, M., and Gummadi, K. P. On the evolution of user interaction in Facebook. In Proceedings of the 2nd ACM SIGCOMM Workshop on Social Networks (August 2009).
[76] Viswanath, B., Post, A., Gummadi, K. P., and Mislove, A. An analysis of social network-based Sybil defenses. In Proceedings of ACM SIGCOMM (2011).
[77] Walker, S., and Grytsenko, O. Text messages warn Ukraine protesters they are 'participants in mass riot'. The Guardian (January 21, 2014).
[78] Wang, G., Wang, B., Wang, T., Nika, A., Zheng, H., and Zhao, B. Y. Whispers in the dark: Analysis of an anonymous social network. In Proceedings of the 2014 Conference on Internet Measurement Conference (2014), ACM, pp. 137–150.
[79] Whisper. https://whisper.sh/.
[80] Wolinsky, D. I., Syta, E., and Ford, B. Hang with your buddies to resist intersection attacks. In Proceedings of ACM CCS (2013).
[81] Worth, R., and Fathi, N. Violent Clashes Mark Protests Against Mubarak's Rule. New York Times (June 14, 2009).
[82] Yu, H., Kaminsky, M., Gibbons, P. B., and Flaxman, A. SybilGuard: Defending against Sybil attacks via social networks. In Proceedings of ACM SIGCOMM (2006).
[83] Zhang, X., Neglia, G., Kurose, J., and Towsley, D. Performance modeling of epidemic routing. Computer Networks 51, 10 (2007).
[84] Zhuang, L., Zhou, F., Zhao, B. Y., and Rowstron, A. Cashmere: Resilient anonymous routing. In Proceedings of USENIX/ACM NSDI (2005).
A Anonymity Set Details
A message's priority score $S$ depends on the number of hops the message took. In particular, we can define the received priority after $N = n$ hops ($S_n$) recursively as

$$S_n = p_n \cdot S_{n-1} + z_n,$$

where $z_i$ is the noise added by the $i$th node and $p_i$ is the priority score at the $i$th node, with $S_0$ the priority at the message's creator. The distribution of $z_i$ is designed, but the priority scores $p_i$ depend on graph and mobility properties.

[Figure 6 plot: x-axis $\varepsilon$ (fraction of corrupted nodes); y-axis proportion of graph edges learned; series: Erdős–Rényi ($p = 0.5$), scale-free Barabási–Albert model, SNAP Facebook dataset [McAuley], WOSN Facebook dataset [Viswanath].]

Figure 6: Proportion of graph edges learned by the adversary ($d_\varepsilon$) as a function of $\varepsilon$ (proportion of corrupted nodes).

This priority depends on $p_{i,j}$, the scaling factor when messages pass from $j$ to $i$, as defined in Equation 1. Empirical evidence shows that degree distributions in social networks obey a power law [14]. We found that in the Facebook WOSN dataset [75], mutual-degree distributions also obey a power law, but the ratio $p_{i,j}$ across all node pairs appears to be better modeled by a truncated sum of exponentials. This trust metric is not heavy-tailed, so the fraction of nodes with highly overlapping friend sets is very small. This motivates the sigmoid in Equation 1, which assigns high trust even if nodes share few friends.

We estimated $P(N = n \mid \Omega)$ empirically from several datasets. For every pair of nodes $(i, j)$ in the dataset, we measured the minimum number of times a message would need to be forwarded before reaching target $j$ from source $i$. This measurement gives an estimated lower bound on how many hops in the (time-varying) connectivity graph separate an arbitrary message from its creator.

B Deanonymizing the Social Graph
We quantify what the adversary learns about the true social graph through attacks on the private set intersection protocol. As we note in our discussion of non-goals, we do not consider attacks in which the adversary has both confiscated large numbers of user devices and unlocked them (something we are told is uncommon in medium-risk settings though common in high-risk settings) while simultaneously correlating the users' friendships with external social network data sources.

Here we assume the adversary knows the nodes $V$ of the social graph. There are many definitions in the literature for graph information content [18]. None of the definitions is clearly superior, so we use the proportion of common edges as a heuristic metric. That is, if the original graph is denoted $G = (V, E)$ and the subgraph is denoted $G_s = (V, E_s)$ with $E_s \subseteq E$, then our similarity metric is

$$d_\varepsilon(G, G_s) = \frac{|E_s|}{|E|}.$$

This metric is closely related to the definition of graph entropy by Rashevsky [61] and was also shown to be strongly correlated with deanonymization success in [54]. Assuming the adversary can corrupt at most a fraction $\varepsilon$ of the nodes, we wish to upper bound $d_\varepsilon$ as a function of $\varepsilon$. (Technically, this function is only defined over rational values, but we approximate it as having a continuous domain.) We show that the adversary will be unable to learn more than 15% of the graph edges by corrupting up to 5% of the nodes, and this can be further limited by artificially adding and removing graph edges during PSI-Ca.

Static graph.

We first assume the trust graph does not change. As time tends to infinity, we assume the adversary can learn all edges emanating from nodes it has corrupted. This is a worst-case estimate, because it assumes the adversary knows how to align its learned subgraph within the larger trust graph (or a similar social graph from a different domain). In practice, subgraph alignment is difficult.

Figure 6 illustrates the proportion of edges learned as a function of the proportion of nodes corrupted. The SNAP dataset is a Facebook ego-social-circle dataset [50], and the WOSN dataset contains social connections between 55,000 nodes in the Facebook New Orleans network as of 2009 [75]. The figure suggests that as long as the adversary cannot corrupt more than about 5% of nodes, it can learn at most 15% of the social graph. This estimate is worst-case; along with the subgraph alignment issues mentioned earlier, corrupting nodes is difficult, and we expect trust establishment to be less promiscuous in Rangzen than in Facebook.
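As an added example (not code from the Rangzen paper or project), the following Python computes $d_\varepsilon$ under the worst-case static model above: the adversary learns every edge incident to a node it has corrupted. It runs on constructed Erdős–Rényi and Barabási–Albert graphs from seeded generators (the graph sizes, edge probabilities and $\varepsilon$ values are illustrative assumptions, not the paper's datasets) and contrasts uniformly random corruption, for which the expected $d_\varepsilon$ is $1 - (1-\varepsilon)^2$ on any fixed graph, with degree-targeted corruption, which is what makes heavy-tailed graphs leak more.

```python
"""Added example: the edge-fraction metric d_eps on a static trust graph.

Constructed graphs only (Erdos-Renyi and Barabasi-Albert generators with a
seeded PRNG); none of this is the Rangzen project's code or data.
"""
import random
from itertools import combinations


def seeded(seed):
    """Deterministic PRNG so runs are reproducible."""
    return random.Random(seed)


def edges_learned(edges, corrupted):
    """Worst-case static model: the adversary eventually learns every edge
    that touches at least one node it has corrupted."""
    corrupted = set(corrupted)
    return {e for e in edges if e[0] in corrupted or e[1] in corrupted}


def d_eps(edges, corrupted):
    """Similarity metric d_eps(G, G_s) = |E_s| / |E| from Appendix B."""
    if not edges:
        return 0.0
    return len(edges_learned(edges, corrupted)) / len(edges)


def independent_corruption_bound(eps):
    """If each node is corrupted independently with probability eps, an edge
    is learned iff at least one endpoint is corrupted, so the expected d_eps
    is 1 - (1 - eps)^2 for ANY fixed graph (0.0975 at eps = 0.05).  Only
    targeted corruption of high-degree nodes pushes it higher."""
    return 1.0 - (1.0 - eps) ** 2


def erdos_renyi(n, p, rng):
    """G(n, p): each of the n(n-1)/2 node pairs is an edge with probability p."""
    return {(i, j) for i, j in combinations(range(n), 2) if rng.random() < p}


def barabasi_albert(n, m, rng):
    """Preferential attachment: nodes m..n-1 arrive one at a time and each
    links to m distinct earlier nodes chosen proportionally to degree."""
    edges = set()
    repeated = []                 # every node appears once per incident edge
    targets = list(range(m))      # node m attaches to seed nodes 0..m-1
    for v in range(m, n):
        for u in targets:
            edges.add((u, v))     # u < v always holds
        repeated.extend(targets)
        repeated.extend([v] * m)
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(repeated))
        targets = sorted(chosen)
    return edges


def degrees(edges, n):
    deg = [0] * n
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return deg


def corrupt(edges, n, eps, rng, strategy="random"):
    """Pick round(eps * n) nodes to corrupt, either uniformly at random or
    the highest-degree nodes first (the adversary's best static strategy)."""
    k = max(1, round(eps * n))
    if strategy == "degree":
        deg = degrees(edges, n)
        return sorted(range(n), key=lambda v: (-deg[v], v))[:k]
    return rng.sample(range(n), k)


def sweep(n=1000, eps_values=(0.01, 0.05, 0.10), seed=1):
    """Reproduce the shape of Figure 6 on constructed graphs (assumed sizes)."""
    rng = seeded(seed)
    graphs = {"erdos_renyi": erdos_renyi(n, 0.02, rng),
              "barabasi_albert": barabasi_albert(n, 3, rng)}
    rows = []
    for name, edges in graphs.items():
        for eps in eps_values:
            for strategy in ("random", "degree"):
                frac = d_eps(edges, corrupt(edges, n, eps, rng, strategy))
                rows.append((name, eps, strategy, frac))
    return rows


if __name__ == "__main__":
    for name, eps, strategy, frac in sweep():
        print(f"{name:16s} eps={eps:.2f} {strategy:6s} d_eps={frac:.3f} "
              f"(independent-corruption expectation "
              f"{independent_corruption_bound(eps):.3f})")
```

The random-corruption rows track $1-(1-\varepsilon)^2$ on both graphs; the degree-targeted rows on the Barabási–Albert graph are where the fraction climbs well past it, which is the case the 5%/15% worst-case estimate has to cover.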
Dynamic graph.
Next, we assume that the graph is changing with time. Consider three bins: one with edges learned by the adversary ($L$), one with edges not learned by the adversary ($U$), and one containing edges that are not in the graph ($X$), i.e., pairs of nodes that are not connected. Each time a new trust relationship is created in this subgraph, another edge is added to the $U$ bin, and each time an edge is deleted (i.e., a user "unfriends" someone) an edge is removed from the $L$ or the $U$ bin. For a worst-case estimate of privacy, we assume the adversary knows when edges are deleted. Edges move from $U$ to $L$ whenever the adversary learns another edge in the graph. Thus we wish to characterize $|L| / |L + U|$. Recall that with a static graph, the adversary could learn at most a small fraction $d_\varepsilon$ of the total edges in the graph.

[Figure 7 diagram: bins $X$ (non-edges), $U$ (unknown edges) and $L$ (learned edges), with arrows for edge creation ($X \to U$), adversary learning ($U \to L$) and edge deletion (from $L$ and $U$ back to $X$).]

Figure 7: Adversarial learning of a dynamic trust graph.

As such, our dynamic model operates within a restricted space of nodes and edges. For instance, if the adversary corrupts 5% of network nodes, then $N_E = X + L + U$ equals the number of edges possible between the corrupted 5% of nodes and the rest of the network. Any equilibrium value of $d_\varepsilon$ in our dynamic model should therefore be multiplied by the results for the static graph.

Our underlying model for this system is a continuous-time Markov chain with Poisson events. The state space of this chain grows exponentially in the number of total possible edges ($N_E$), so we use a mean-field approximation, much like [83]. Figure 7 illustrates our model of the system. $\alpha X$ is the rate of edge creation, $\beta(U + L)$ the rate of edge deletion, and $\gamma U$ the rate at which the adversary learns new edges.

We know that $X(t) = N_E - L(t) - U(t)$, where $N_E$ is the number of total possible edges. Letting $V(t) = [L(t)\; U(t)]^T$, we have a nonhomogeneous time-invariant linear system:

$$\frac{dV(t)}{dt} = \begin{bmatrix} -\beta & \gamma \\ -\alpha & -(\alpha + \beta + \gamma) \end{bmatrix} V(t) + \begin{bmatrix} 0 \\ \alpha N_E \end{bmatrix} \qquad (2)$$

Observation B.1.
Let $V(t) = [L(t)\; U(t)]^T$, with dynamics described in Equation 2. Then

$$\lim_{t \to \infty} \frac{L(t)}{L(t) + U(t)} = \frac{\gamma}{\gamma + \beta}.$$

Proof. (Sketch) It is straightforward to show that dynamical system (2) is internally stable, with exact solution

$$\begin{bmatrix} L(t) \\ U(t) \end{bmatrix} = \begin{bmatrix} \dfrac{\alpha\gamma N_E \left(\alpha - \gamma + (\beta + \gamma)\, e^{-(\alpha+\beta)t} - (\alpha + \beta)\, e^{-(\beta+\gamma)t}\right)}{(\alpha - \gamma)(\alpha + \beta)(\beta + \gamma)} \\[1.2em] \dfrac{\alpha N_E \left(\beta(\alpha - \gamma) - \alpha(\beta + \gamma)\, e^{-(\alpha+\beta)t} + \gamma(\alpha + \beta)\, e^{-(\beta+\gamma)t}\right)}{(\alpha - \gamma)(\alpha + \beta)(\beta + \gamma)} \end{bmatrix} \qquad (3)$$

We then consider $L(t) / (U(t) + L(t))$. Since the exponential terms in (3) tend asymptotically to 0, the ratio of interest converges precisely to $\gamma / (\gamma + \beta)$.

[Figure 8 plot: x-axis time (units); y-axis proportion of graph edges learned; series: stochastic simulation and mean-field solution for $\gamma/\beta = 0.5$, $2.5$ and $6.5$.]

Figure 8: Adversarial graph learning, parameterized by the adversary's learning rate $\gamma$. Asymptotically, the leaked proportion of graph edges depends only on the adversary's learning rate $\gamma$ and the network-wide edge deletion rate $\beta$.

Figure 8 illustrates our analytic results compared to simulated results. The colored bands are inter-quartile ranges over 40 trials. These results affirm our mean-field approximation, not the assumption of constant-rate learning and social graph alterations. However, our model does capture the observation that social graph
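As an added example (not code from the Rangzen paper or project), the following Python carries the dynamic-graph model through numerically: it evaluates the closed form (3), checks by finite differences that it actually satisfies system (2), confirms that $L/(L+U)$ tends to $\gamma/(\gamma+\beta)$, and runs a Gillespie simulation of the underlying continuous-time Markov chain with the three rates $\alpha X$, $\beta(L+U)$ and $\gamma U$ for comparison. The rate values and $N_E$ are illustrative assumptions; only the $\gamma/\beta$ ratios are taken from Figure 8. Note that the closed form as written has $\alpha - \gamma$ in its denominator, so it does not apply at $\alpha = \gamma$ (the limit is still $\gamma/(\gamma+\beta)$, as the ODE's equilibrium shows).

```python
"""Added example: the dynamic-graph leakage model of Appendix B.

Verifies that the closed form (3) solves the mean-field system (2), that
L/(L+U) tends to gamma/(gamma+beta), and compares against a Gillespie
simulation of the CTMC.  Rates and N_E are illustrative assumptions.
"""
import math
import random


def mean_field(t, alpha, beta, gamma, n_e):
    """Closed-form solution of dV/dt = A V + b with V(0) = 0 (Equation 3).
    Needs alpha != gamma because that factor sits in the denominator."""
    if alpha == gamma:
        raise ValueError("closed form as written needs alpha != gamma")
    den = (alpha - gamma) * (alpha + beta) * (beta + gamma)
    e1 = math.exp(-(alpha + beta) * t)      # eigenvalue -(alpha + beta)
    e2 = math.exp(-(beta + gamma) * t)      # eigenvalue -(beta + gamma)
    L = alpha * gamma * n_e * (alpha - gamma + (beta + gamma) * e1
                               - (alpha + beta) * e2) / den
    U = alpha * n_e * (beta * (alpha - gamma) - alpha * (beta + gamma) * e1
                       + gamma * (alpha + beta) * e2) / den
    return L, U


def mean_field_rhs(L, U, alpha, beta, gamma, n_e):
    """Right-hand side of Equation 2 with X = N_E - L - U substituted."""
    X = n_e - L - U
    return gamma * U - beta * L, alpha * X - (beta + gamma) * U


def residual(t, alpha, beta, gamma, n_e, h=1e-5):
    """Max |d/dt of (3) by central difference - RHS of (2)|; ~0 iff (3) solves (2)."""
    Lp, Up = mean_field(t + h, alpha, beta, gamma, n_e)
    Lm, Um = mean_field(t - h, alpha, beta, gamma, n_e)
    L, U = mean_field(t, alpha, beta, gamma, n_e)
    dL, dU = mean_field_rhs(L, U, alpha, beta, gamma, n_e)
    return max(abs((Lp - Lm) / (2 * h) - dL), abs((Up - Um) / (2 * h) - dU))


def leaked_fraction(L, U):
    """The quantity of interest, |L| / |L + U|."""
    return L / (L + U) if L + U else 0.0


def limit_fraction(beta, gamma):
    """Observation B.1: lim L/(L+U) = gamma / (gamma + beta)."""
    return gamma / (gamma + beta)


def gillespie(alpha, beta, gamma, n_e, t_end, seed=0):
    """Exact stochastic simulation of the CTMC behind Figure 7: creation at
    rate alpha*X, deletion at rate beta*(L+U) (the adversary is assumed to
    observe deletions, so both bins shrink), learning at rate gamma*U."""
    rng = random.Random(seed)
    L, U, X, t = 0, 0, n_e, 0.0
    while True:
        r_create, r_delete, r_learn = alpha * X, beta * (L + U), gamma * U
        total = r_create + r_delete + r_learn
        if total == 0:
            break
        t += rng.expovariate(total)
        if t > t_end:
            break
        u = rng.random() * total
        if u < r_create:                       # X -> U
            X -= 1; U += 1
        elif u < r_create + r_delete:          # L or U -> X, chosen by size
            if rng.random() * (L + U) < L:
                L -= 1
            else:
                U -= 1
            X += 1
        else:                                  # U -> L
            U -= 1; L += 1
    return L, U


if __name__ == "__main__":
    alpha, beta, n_e = 1.0, 0.5, 2000       # assumed rates and edge budget
    for ratio in (0.5, 2.5, 6.5):           # gamma/beta values of Figure 8
        gamma = ratio * beta
        L, U = mean_field(60.0, alpha, beta, gamma, n_e)
        Ls, Us = gillespie(alpha, beta, gamma, n_e, 60.0)
        print(f"gamma/beta={ratio}: mean-field {leaked_fraction(L, U):.3f}  "
              f"simulation {leaked_fraction(Ls, Us):.3f}  "
              f"limit {limit_fraction(beta, gamma):.3f}")
```

Because every transition rate is linear in the state, the mean-field equations are exact for the expectations $E[L]$ and $E[U]$; the simulation differs from them only by sampling noise, which is what the inter-quartile bands in Figure 8 show. A Rangzen deployment can lower the asymptote $\gamma/(\gamma+\beta)$ only by reducing $\gamma$ (e.g. the noise added during PSI-Ca) relative to the natural churn $\beta$.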