Quantifying and Preventing Privacy Threats in Wireless Link Layer Protocols

The proliferation of mobile wireless devices enables or magnifies several privacy threats that traditional link layer confidentiality mechanisms, such as payload encryption, do not protect against: user tracking, profiling, and traffic analysis. For example, it is well known that the exposure of long-lived, unique device addresses can be used to track users over time. Although these addresses can easily be changed, more subtle features exposed in encrypted link layer traffic can be used to identify and profile users as well. These features, which we call implicit identifiers, include identifiers used for service discovery, characteristics that encryption does not obscure, and protocol information in unencrypted headers. These features can not be easily removed without loss of crucial network functionality. This thesis quantifies privacy threats posed by these features and presents solutions that prevent their exposure to third parties. In doing so, we make three primary contributions: (1) We identify implicit identifiers that are exposed in wireless link layer protocols such as 802.11 and quantify how accurately they can be used to identify and track users. (2) An important class of implicit identifiers are those exposed by service discovery and rendezvous protocols. We have designed and implemented a mechanism that enhances existing discovery protocols so that they are anonymous—that is, so that they only expose identities to authorized parties. (3) A second important class of implicit identifiers are those exposed by analyzing exposed characteristics of encrypted messages, e.g., message sizes and inter-arrival times. We propose a rule-based system that enables efficient masking of sensitive traffic characteristics as they are discovered, without modifying applications.