Anonymity and Privacy in Electronic Services

This thesis presents information theoretic anonymity metrics and various analysis of anonymous communication nodes. Our contributions are a step towards the understanding of anonymity properties and the development of robust anonymous communications. Anonymous communications are an essential building block for privacy-enhanced applications, as the data available at the communication layer may leak critical private information. One of the main contributions of our work is the degree of anonymity, a practical information theoretic anonymity metric. Entropy-based anonymity metrics can be applied to measure the degree of anonymity provided by an anonymous service to its users. In particular, these metrics can be applied to systems which leak probabilistic relationships between the anonymous subjects and their transactions. We present a taxonomy of the two main building blocks used to implement anonymous communication networks, which are anonymous communication nodes (called mixes) and cover traffic policies (called dummy traffic). We propose a model for describing anonymous communication nodes which extends design possibilities and facilitates the analysis of anonymity properties. We identify the parameters which must be taken into account in the design and analysis of mix-based anonymous communication networks. In order to show the practical applications of information theoretic anonymity metrics, we have applied the metrics to evaluate the anonymity properties of various nodes for anonymous communication which have been proposed in the literature. We analyze the anonymity provided by these nodes when subject to passive and active attacks, while considering scenarios with and without cover traffic techniques. We have analyzed two working implementations of anonymous email in real traffic conditions. The tools used for the analysis are information theoretic metrics and our model for anonymous communication nodes. We show that anonymous email traffic patterns are hard to predict and no assumptions on them should be made. We find that the two studied designs offer very different trade-