Characterising anonymity systems

Privacy is a value shared by most human societies. The work presented here is inspired by this value and is concerned with methods by which it may be achieved. In a world where we increasingly make use of information systems amenable to surveillance, privacy is no longer an inherent assumption; it has becomes a property that must be explicitly designed. In this thesis we examine the background and motivation for privacy and how this goal may be achieved by use of systems that provide anonymity. We examine the underlying features of such systems, the variety of strategies that may be employed to achieve this aim, and the limitations of these methods. We employ a definition of anonymity based on various applications of random choice to introduce unpredictability into the sequences of observable events created by the exchange of messages between actors in communicating systems. This leads to a characterisation of anonymity systems according to the fundamental mechanism that they employ to maximise this unpredictability. The characterisation that we propose leads us to identify four fundamental anonymity strategies, corresponding to known mechanisms that introduce randomness in communicating processes. These strategies form a classification applicable to all anonymity systems, which allows us to consider in isolation the separate strategies for achieving anonymity. Taking this approach we show that each fundamental strategy is individually sufficient to provide anonymity to communicating entities. We analyse the anonymity strategies identified in the model through a simulation-based approach, and employ an information theoretic quantification to compare the anonymity provided by each type of system. The fundamental strategies are simulated both individually and as part of larger networks, and are compared with respect to the effectiveness of each approach in confusing an observer’s ability to link communicating actors. Finally, we demonstrate that combining strategies in a single system can improve anonymity beyond that of individual strategies. Our results show the relative effectiveness of a range of anonymity systems