arXiv:1711.07220v1 [cs.CR] 20 Nov 2017
Integrating Privacy-Enhancing Technologies into
the Internet Infrastructure
David Harborth1, Dominik Herrmann2, Stefan Köpsell3, Sebastian Pape1,
Christian Roth4, Hannes Federrath2, Dogan Kesdogan4, and Kai Rannenberg1
1Goethe-University Frankfurt am Main
2University of Hamburg
3TU Dresden
4University of Regensburg
Abstract. The AN.ON-Next project aims to integrate privacy-enhancing
technologies into the internet’s infrastructure and establish them in the
consumer mass market.
The technologies in focus include a basis protection at internet service
provider level, an improved overlay network-based protection and a con-
cept for privacy protection in the emerging 5G mobile network. A crucial
success factor will be the viable adjustment and development of stan-
dards, business models and pricing strategies for those new technologies.
1 Introduction
Despite an increasing public perception of the matter of data protection, nowa-
days anonymization services like Tor and JonDonym have not yet achieved wide
everyday and mass appeal. Although a user base of tens of thousands (Jon-
Donym) to several hundreds of thousands (Tor) users is a decent result, their
share is vanishingly small compared to the total number of internet users [20].
As a result, most internet users today leave extensive digital traces that can
be used to build detailed personal profiles by internet service providers (ISP)
or third parties without the users’ knowledge and possibility of intervention.
This threat to the right of informational self-determination gains in importance
through the pervasion of everyday’s life by the internet. In particular, the in-
creasing use of portable devices leads to the possibility of an even more detailed
profiling and thus allows a deeper intrusion in the users’ privacy.
Another important reason for the low prevalence of privacy-enhancing
technologies (PETs) is the lack of usability. Privacy played no significant role
in the design of today’s internet infrastructure. Thus, current anonymization
services are organized as separate overlay networks. End users typically need to
install additional components on their system. This results in a massive effort to
use those programs which in turn leads to an overburdened user. Additionally,
the usability of Tor and JonDonym is limited to stationary personal computers
and comparable software for mobile devices is not available for the consumer
mass market yet. On the other hand, many PETs cause a high overhead and
cannot be activated by default (e.g. by the ISP). The loss of comfort by far
outweighs the benefits of privacy and is thus unacceptable for many users.
The underlying assumption that guides the project is that PETs are only
able to reach the mass market when they are standardized and usable without
any action of the user (“zero-effort”) and work so efficiently that they do not
cause any noticeable limitation on the quality of service (especially regarding
latency and bandwidth). This is particularly important considering the privacy
attitudes and behaviors of regular users [1, 4]. To reach this goal, PETs need to
be firmly integrated in the internet’s infrastructure.
Therefore, the AN.ON-Next project’s vision is to integrate PETs in the in-
ternet’s infrastructure. By pilot projects with industry representatives the con-
cepts will be tested, optimized and shown that efficient data protection is possi-
ble and can be the basis for new business models. Up to now there are no such
solutions, partly because of the lack of suitable cooperation between research
and industry. This led repeatedly to missed opportunities regarding a possible
incorporation of strong privacy protecting technologies in new telecommunica-
tions’ and internet standards. In order to establish PETs in the mass market,
corresponding business models therefore also have to be considered.
The project aims at working on three overarching goals. First, design more
efficient PETs. Second, allocate the anonymization service into the internet’s
infrastructure and create a transparent anonymization experience for end-users.
Third, improve the traceability of protection level achieved for each participant.
The remainder of this paper is organized as follows: Sect. 2 provides an
overview of related work. The goals for the three tackled technical areas of ISP-
based, network overlay-based, and 5G network anonymization techniques are
presented in Sect. 3 to Sect. 5. The development of business models is discussed
in Sect. 6. We conclude the sketch of our project idea in Sect. 7.
2 Related Work
The planned work on ISP-sided anonymization will be built on existing work by
the project partners [9, 12]. This work will be expanded, optimized and tested
based on a prototype in order to develop usable solutions.
For network overlay-based anonymization, practically usable solutions al-
ready exist, namely Tor and JonDonym (formerly JAP). The main
problems of these existing services are massive performance limitations [7, 21]
and a lack of compatibility with existing application software. How to improve
the performance is already discussed in numerous papers [2, 11, 13, 16, 24].
The majority of research considers only the design of anonymization protocols
for the application layer. Relevant preliminary work of the project partners are
methods for protecting the location of mobile subscribers [8], the gMix frame-
work, with which anonymization protocols can be evaluated realistically in a
short time [11, 27], proposals for lightweight anonymization protocols [13], as
well as the assessment of the effectiveness of different attack techniques [23] in
order to make effective protection mechanisms and to explore their limits.
There is a rich strand of literature that deals with the development and
adaption of business models to the ever changing environment companies have
to deal with [25]. The groundwork in that area was laid by Staehler [26] who
proposed an approach where a business model consists of three elements: value
proposition, value chain (value creation architecture) and revenue model. Other
fundamental work on business models was done by Wirtz and Osterwalder and
Pigneur [22, 29, 30]. Furthermore, the application of business model approaches
to anonymization and identity management services is considered [17–19, 28].
3 ISP-based Anonymization
One objective in AN.ON-Next is to study light-weight mechanisms that increase
the baseline protection for ordinary users. With existing approaches like Tor or
I2P users have to install and run a client software on their own. In contrast, we
are interested in unobtrusive techniques that minimize effort for the user. We
have observed that many users are willing to accept the fact that their ISP can
analyze their surfing behavior, while they object to tracking performed by ad
networks and profiling services.
Existing protection techniques, such as deleting cookies and preventing browser
fingerprinting, are ineffective if the traffic of a user is coming from the same IP
address over long periods of time. In this case third parties could link a user’s
activities solely based on the IP address. However, obtaining a new IP address
from the ISP is a cumbersome task at the moment. Typically, one has to man-
ually force the broadband router to perform a reconnect, which terminates all
active connections. The situation will worsen in the future, if ISPs decide to
assign a long-lasting IPv6 prefix to residential customers.
In principle, ISPs could offer basic privacy protection with little cost. To
this end, ISPs would only assign very short-lived IP addresses (or IPv6 prefixes)
to their customers. This measure would complement defenses that are already
implemented in major browsers by ensuring that they are not bypassed with
IP-based tracking efforts. However, network protocols used during dial-up (e. g.,
DHCP and PPPoE) have not been designed with short-lived addresses in mind.
Additionally we will investigate to which extent it is feasible to have short-
lived IP addresses not only on a per device base but on a per connection base,
i.e. utilizing different source IP addresses per packet flow.
Therefore, we will look into various design alternatives to deploy short-lived
IP addresses and study their feasibility. For instance, ISPs could employ carrier-
grade network address translation in order to rewrite the traffic of a customer on
their own, resulting in zero effort for the user. Alternatively, ISPs could assign
multiple IPv6 prefixes to the customer’s broadband router at a given point in
time [9, 12]. In this case, the customer would still have some control about the
anonymization process, because now it is the broadband router that decides
which IPv6 prefix should be used for a particular outgoing connection.
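As an added illustration of the prefix-alteration alternative (this script is not part of the paper or of the AN.ON-Next project), the following Python model contrasts the status quo, one long-lived address per household, with a broadband router that selects one of several delegated /64 prefixes and a fresh interface identifier for every outgoing flow. The delegated prefixes, the flow list, the round-robin selection and the two tracker heuristics are constructed assumptions. It goes one step beyond the text by also letting the tracker ignore the interface identifier and group by /64, which shows why the prefixes themselves, not only the addresses, need to be short-lived.

```python
"""Added example: linking flows by source address with and without per-flow
IPv6 source selection. Not part of the paper or the AN.ON-Next project;
prefixes, flow list and router logic are constructed assumptions."""
import ipaddress
import secrets
from collections import defaultdict

# Constructed sample: the ISP delegates four /64 prefixes to one customer's
# broadband router at the same time (the alternative sketched in [9, 12]).
DELEGATED_PREFIXES = [
    ipaddress.IPv6Network("2001:db8:1:10::/64"),
    ipaddress.IPv6Network("2001:db8:1:11::/64"),
    ipaddress.IPv6Network("2001:db8:1:12::/64"),
    ipaddress.IPv6Network("2001:db8:1:13::/64"),
]

# Constructed sample: eight outgoing flows of one household, each to a site
# that embeds the same third-party tracker.
SAMPLE_FLOWS = ["news.example", "shop.example", "mail.example", "maps.example",
                "news.example", "video.example", "forum.example", "shop.example"]


def random_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Random 64-bit interface identifier inside a /64 (as temporary addresses do)."""
    return ipaddress.IPv6Address(int(prefix.network_address) + secrets.randbits(64))


class StaticRouter:
    """Status quo: one long-lived address shared by all flows of the household."""
    def __init__(self, prefix: ipaddress.IPv6Network):
        self.addr = random_address(prefix)

    def source_for_flow(self, flow_id: int) -> ipaddress.IPv6Address:
        return self.addr


class RotatingRouter:
    """Per-flow source selection (assumption): the router takes one of the
    delegated prefixes per new flow, round-robin, plus a fresh identifier."""
    def __init__(self, prefixes):
        self.prefixes = list(prefixes)

    def source_for_flow(self, flow_id: int) -> ipaddress.IPv6Address:
        return random_address(self.prefixes[flow_id % len(self.prefixes)])


def link_by_address(addr: ipaddress.IPv6Address):
    """Tracker heuristic 1: same full address, same user."""
    return addr


def link_by_prefix(addr: ipaddress.IPv6Address):
    """Tracker heuristic 2: ignore the interface identifier and group by /64."""
    return ipaddress.IPv6Network(f"{addr}/64", strict=False)


def tracker_view(router, flows, linker):
    """Group requests the way a cookie-less tracker could, using only the
    source address of each flow (browser-side defenses assumed active)."""
    groups = defaultdict(list)
    for flow_id, site in enumerate(flows):
        groups[linker(router.source_for_flow(flow_id))].append(site)
    return dict(groups)


def largest_linkable_set(router, flows, linker) -> int:
    """Size of the largest request set the tracker can attribute to one source."""
    return max(len(sites) for sites in tracker_view(router, flows, linker).values())


if __name__ == "__main__":
    static = StaticRouter(DELEGATED_PREFIXES[0])
    rotating = RotatingRouter(DELEGATED_PREFIXES)
    for name, router in (("static", static), ("per-flow", rotating)):
        print(name,
              "linkable by address:", largest_linkable_set(router, SAMPLE_FLOWS, link_by_address),
              "by /64:", largest_linkable_set(router, SAMPLE_FLOWS, link_by_prefix))
```

With the static router all eight requests collapse into one group under either heuristic. With per-flow selection the address-level tracker sees eight unrelated sources, but grouping by /64 still yields sets of two, i.e. the residual linkability equals the number of flows divided by the number of prefixes delegated at a time; shortening the lifetime of the prefixes themselves, as the text proposes, removes that residue.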
4 Network Overlay-based Anonymization
The main problems of the existing network overlay-based anonymization services
are the weak performance, missing protection against strong attackers, and the
high effort for users to install and use such systems.
The developed anonymization service will be based on the concept of cascades
instead of free sequences. A cascade is a fixed sequence of connected interme-
diate stations (mixes). The user will only be able to decide which cascade he
wants to use. The use of cascades instead of free sequences aims to avoid some
disadvantages of Tor associated with the selection of Tor nodes in a route.
In addition, transparency about the hosts of the mixes is not always given.
Thus, the new anonymous protocol will be designed and integrated into a test
cascade of the anonymization service JonDonym. The protocol should provide
reliable protection against much stronger attackers than the ISP-based solution
and the usability and compatibility should significantly improve compared to Tor
and the current JonDonym service. A high level of transparency will be achieved
by providing reliable information on the operator of each mix and other relevant
data to the user. Thus, the user can decide if it is the appropriate mix cascade.
The basic idea of the proposed protocol is a paradigm shift compared to cur-
rent anonymization services. The solutions in focus strive to receive user data
at the IP layer (instead of the application layer) over a virtual private network
(VPN) connection. Therefore one interface to the new anonymization service
will be a user operated JonDonym-client acting as a VPN server on a com-
puter in his own home, for example on a wireless router. The JonDonym-client
passes the communication through the (redesigned) JonDonym mix cascade for
the purpose of anonymization and for example for recursive encryption and de-
cryption. Another approach will be to run the JonDonym-client directly on the
(mobile) device of the end user and let the JonDonym-client additionally act as
a VPN-service. Being a VPN-service implies that the JonDonym-client will be
responsible for handling the IP traffic of the mobile device which the JonDonym-
client will tunnel utilizing the anonymization service (instead of a usual VPN
(e.g. IPSec based) as an ordinary VPN service would do).
The advantage is that the concept produces compatibility with all VPN en-
abled devices including the installed software. The user only has to add the
JonDonym-client as a VPN server to his terminal, which is supported by all
major smartphone platforms already. This will reduce the configuration effort to
a minimum and creates compatibility with devices and applications which was
not achieved by previous solutions.
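The following Python script is an added illustration of the cascade concept and its layered ("recursive") encryption; it is not code from the paper or from JonDonym. A cascade is a fixed list of mixes, the client encrypts the payload once per mix in reverse order, and each mix removes exactly one layer before forwarding. The packet format, the HMAC-SHA256 counter-mode keystream used as a stand-in cipher, the per-mix keys (assumed to have been established with the client beforehand) and the operator metadata are all constructed assumptions.

```python
"""Added example: a fixed mix cascade with layered ("recursive") encryption.
Not part of the paper or JonDonym; the packet format, the HMAC-SHA256
counter-mode keystream and the operator metadata are constructed assumptions."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with HMAC-SHA256(key, nonce||ctr)
    blocks. Symmetric, so the same call encrypts and decrypts. Illustrative
    stand-in for the authenticated cipher a real mix protocol would use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Mix:
    """One intermediate station of the cascade."""
    def __init__(self, name: str, operator: str):
        self.name = name
        self.operator = operator          # published so users can judge the cascade
        self.key = os.urandom(32)         # assumed shared with the client beforehand
        self.seen = []                    # what this mix learns after peeling its layer

    def peel(self, packet: bytes) -> bytes:
        nonce, body = packet[:NONCE_LEN], packet[NONCE_LEN:]
        inner = keystream_xor(self.key, nonce, body)
        self.seen.append(inner)
        return inner


def wrap(cascade, payload: bytes) -> bytes:
    """Client side: encrypt for the last mix first, so that the first mix
    removes the outermost layer. In the design sketched above the payload
    would be a raw IP packet taken from the client's VPN interface."""
    packet = payload
    for mix in reversed(cascade):
        nonce = os.urandom(NONCE_LEN)
        packet = nonce + keystream_xor(mix.key, nonce, packet)
    return packet


def send_through(cascade, packet: bytes) -> bytes:
    """Each mix peels one layer and forwards; the exit mix obtains the payload."""
    for mix in cascade:
        packet = mix.peel(packet)
    return packet


def describe(cascade):
    """Transparency data shown to the user before choosing a cascade."""
    return [(m.name, m.operator) for m in cascade]


if __name__ == "__main__":
    cascade = [Mix("mix1", "Operator A"), Mix("mix2", "Operator B"), Mix("mix3", "Operator C")]
    payload = b"constructed IP packet"
    delivered = send_through(cascade, wrap(cascade, payload))
    print(describe(cascade))
    print("delivered intact:", delivered == payload)
    print("first mix can read payload:", payload in cascade[0].seen[0])
```

Two properties of the cascade are visible directly: only the exit mix ever sees the payload, and because the sequence of mixes is fixed, no per-user route choice exists that an observer could use to tell users apart. What the toy leaves out, and a deployable protocol must add, is per-layer integrity protection and replay detection, since an unauthenticated stream cipher lets an active attacker flip bits in the inner layers undetected.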
5 Anonymization Techniques for the 5G Network
Mobile networks experienced an exponential increase of mobile data traffic and of
the number of connected devices over the last decade [6]. However, this explosion
together with the high demand for extremely low latency real-time applications,
e.g., the so-called tactile internet, video streaming, and vehicular ad hoc net-
works (VANETs [31]), impose new challenges on the current mobile networks.
For instance, in VANETs, each vehicle periodically sends, receives, and broad-
casts information to the vehicular network in order to increase traffic safety.
The communication between the vehicles and the network as well as among the
vehicles themselves rely on very accurate and up-to-date information about the
surrounding environment. This in turn requires the underlying network architec-
ture and communication protocols to provide robust connectivity and ensure fast
delivery of information to all the vehicles. The next generation of mobile telecom-
munication, namely 5G, is therefore desirable to fulfill these requirements.
From the technical point of view, small cells are crucial in 5G networks in
order to address the huge amount of data capacity. Concurrently, the deployment
of small cells allows 5G networks and hence malicious attackers to localize mobile
devices easier and more precisely, which renders 5G more vulnerable to location
privacy threats. It is therefore pivotal to revisit the problem of location privacy
in the 5G environment under the consideration of stronger adversary models.
From the architectural point of view, the conventional centralized cloud-
based architectures for mobile networks may no longer be suitable to provide
the 1 millisecond round trip delay that is typically a crucial requirement for
many real-world scenarios such as VANETs. This challenge motivates the use of
various local clouds in the design of 5G architectures. Thereby, mobile devices
are strongly coupled with their local computing resources, i.e., the clouds, which
allows users’ location information to be distributed and replicated in the cloud
databases. Due to this massive amount of data and redundancies, effectively
managing location privacy in such architectures is a non-trivial task.
In this project, we are aiming to address two challenging privacy problems
in 5G networks, namely location privacy and privacy management.
For location privacy, we are looking for different anonymization techniques
ranging from lightweight anonymity protections, e.g., frequently changing the
pseudonyms of mobile devices, to more advanced privacy protection techniques
against stronger attacker models, e.g., mix-zones [5, 10]. It is worth noting that
there is a conflict between the level of location privacy protection and the op-
timization of service quality. In particular, service providers often require users
to provide more personal data such as their birthdays or their current locations
in order to support the users better. At the same time, disclosing too much in-
formation puts the users at more potential privacy risks. We therefore take this
trade-off into account while looking for good location privacy protections.
We tackle the problem of privacy management in 5G from two directions.
The first approach is to investigate mechanisms to specify privacy policies that
prevent unauthorized access to raw location data. One possible solution could be
to extend the state-of-the-art techniques, e.g., EPA and EPAL [3,14] to the con-
text of 5G. In the second approach, we exploit different transparency enhancing
techniques (see [15] for an overview) that provide users with information on how
their data is being processed, stored, disclosed, and so forth. These techniques
enable users to protect their own privacy by choosing appropriate actions.
Additionally, due to the high demands regarding latency, bandwidth, number
of users per cell, etc., many of the existing PETs cannot simply be adapted to
the 5G setting. Anonymous communication via distributed solutions like Tor or
JonDonym with the aim of end-to-end latency not higher than 1ms implies that
the anonymization servers (mixes) have to be physically located within a 150km
radius from the mobile device (because of the speed of light).
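As an added illustration of the two location-privacy techniques named above (pseudonym changes and mix zones), the following Python script applies the mix-zone model of Beresford and Stajano [5]: an observer outside the zone sees only when pseudonyms enter and leave, so each exiting pseudonym can be matched only to the set of entries whose dwell time is plausible. The script also shows the negative case, a pseudonym changed while the vehicle keeps beaconing its position, which an observer links by spatio-temporal continuity. It is not the project's code; the dwell-time bounds, the boundary observations and the beacon traces are constructed.

```python
"""Added example: what a mix zone gives a vehicle that changes its pseudonym
inside it, following the mix-zone model of Beresford and Stajano [5].
Not the project's code; dwell-time bounds, traces and beacons are constructed."""
import math

# Assumed bounds on the time a vehicle needs to cross the zone (seconds).
MIN_DWELL, MAX_DWELL = 4.0, 12.0

# Constructed observations at the zone boundary: (pseudonym, time).
# Inside the zone vehicles stay silent, so nothing links entries to exits.
ENTRIES = [("P1", 0.0), ("P2", 1.0), ("P3", 2.5), ("P4", 20.0)]
EXITS = [("Q1", 7.0), ("Q2", 9.0), ("Q3", 11.5), ("Q4", 26.0)]


def candidates(exit_time, entries, min_dwell=MIN_DWELL, max_dwell=MAX_DWELL):
    """Entering pseudonyms that could plausibly have left as this exit."""
    return [p for p, t in entries if min_dwell <= exit_time - t <= max_dwell]


def anonymity_set_sizes(entries, exits):
    """Anonymity set size per exiting pseudonym, as a timing-only observer sees it."""
    return {q: len(candidates(t, entries)) for q, t in exits}


def entropy_bits(set_size):
    """Uncertainty in bits if all candidates are equally likely."""
    return math.log2(set_size) if set_size > 0 else 0.0


# Constructed beacons outside any zone: (pseudonym, time, x, y), each vehicle
# broadcasting its position once per second while driving at about 14 m/s.
BEACONS = [("A", 0.0, 0.0, 0.0), ("A", 1.0, 14.0, 0.0),
           ("B", 2.0, 28.0, 0.0), ("B", 3.0, 42.0, 0.0),
           ("C", 0.0, 500.0, 500.0), ("C", 1.0, 500.0, 514.0)]


def link_by_continuity(beacons, max_dt=2.0, max_dist=30.0):
    """A pseudonym changed while still beaconing is linkable: the new pseudonym
    first appears where and when the old one vanished."""
    first, last = {}, {}
    for p, t, x, y in sorted(beacons, key=lambda b: b[1]):
        first.setdefault(p, (t, x, y))
        last[p] = (t, x, y)
    links = []
    for old, (t1, x1, y1) in last.items():
        for new, (t2, x2, y2) in first.items():
            if new != old and 0.0 < t2 - t1 <= max_dt and math.hypot(x2 - x1, y2 - y1) <= max_dist:
                links.append((old, new))
    return links


if __name__ == "__main__":
    for q, n in anonymity_set_sizes(ENTRIES, EXITS).items():
        print(f"{q}: {n} candidate(s), {entropy_bits(n):.2f} bit")
    print("linked outside the zone:", link_by_continuity(BEACONS))
```

In the constructed trace the three vehicles crossing the zone together each gain an anonymity set of three (about 1.58 bit), whereas the vehicle that crosses alone (Q4) gains nothing: its set has size one. This is the quality-versus-privacy trade-off from the text in concrete form, since larger or better-placed zones [10] raise the set size but also lengthen the silent period in which no safety beacons are sent.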
6 Business Models for Privacy-Enhancing Technologies
in the Internet Infrastructure
The success of the developed technologies depends heavily on the wide distri-
bution in the consumer mass market. This can only be achieved by creating a
suitable business model that evolves around the technologies and regards the
interests of all relevant stakeholders. Therefore, the business model generation
is one important step in this research.
Based on related work, it will be investigated whether there are ways to adapt
existing business models. The prevalent goal is to create profitable and sustain-
able ways for implementing and operating the developed anonymization services
in order to incentivize ISPs to engage in this business. This is the condition for
ensuring a rapid and wide spread of the technologies.
In addition, it will be ensured that the achieved technical solutions are fea-
sible from an economical perspective by developing business models together
with the PETs in an iterative way. The focus will be on the design of business
models that enable the ISP-sided anonymity for all customers of the ISPs. It
is investigated whether there are ways of cutting costs in the operation of the
anonymization service infrastructure (an example could be the direct operation
of Mix servers on the Internet backbone).
In a next step, various tariff plans are examined to determine to what extent
they are suitable for refinancing the concepts and to estimate which stakehold-
ers must carry economic risks in certain scenarios. Tariff models have several
different properties with different characteristics that all must be considered for
the project. For example:
Billing models: one-off payments, flat fees, consumption-based pay, financing by advertisement or consumption-related charges
Quality levels of service: differentiation in terms of speed or different privacy protection levels
These analyses are carried out on a target scenario compared to the status quo
for all different technologies. Those results are also discussed iteratively with the
developers of the technologies to identify optimization potential.
The customer acceptance and understanding of tariff models determines cru-
cially how successful a business model will be. Therefore possible tariff models
are investigated with regard to usability, i.e. whether the end user understands
the tariff and whether it is possible for the end user to choose an appropriate
tariff in line with his needs. The main research problem in this area is how end
users perceive the various service features with regard to the associated prices
of the services.
7 Conclusion
We sketched three different areas of PETs along with proposals how to improve
their usability and/or performance. Additionally, we described ideas how to in-
tegrate business models into technological research when integrating the PETs
in the internet infrastructure. We assume that all fields of activity (usability
and performance improvement, business models) are needed to achieve our goal
to bring PETs in the consumer mass market for internet access.
8 Acknowledgements
The project is funded by the German Federal Ministry of Education and Re-
search (BMBF) via the program “self-determined and secure in the digital world”.
1. A. Acquisti and J. Grossklags. Privacy and rationality in individual decision mak-
ing. IEEE Security and Privacy Magazine, January/February(1):24–30, Jan 2005.
2. Mashael AlSabah and Ian Goldberg. PCTCP: Per-Circuit TCP-over-IPsec Trans-
port for Anonymous Communication Overlay Networks. In Ahmad-Reza Sadeghi,
Virgil D. Gligor, and Moti Yung, editors, CCS’13, pages 349–360. ACM, 2013.
3. Michael Backes, Birgit Pfitzmann, and Matthias Schunter. A toolkit for managing
enterprise privacy policies. In Computer Security - ESORICS 2003, 8th European
Symposium on Research in Computer Security, Proceedings, pages 162–180, 2003.
4. Bettina Berendt, Oliver Guenther, and Sarah Spiekermann. Privacy in e-commerce.
Communications of the ACM, 48(4):101–106, Apr 2005.
5. Alastair R. Beresford and Frank Stajano. Location privacy in pervasive computing.
IEEE Pervasive Computing, 2(1):46–55, 2003.
6. Cisco visual networking index: Global mobile data traffic forecast update, 2015-
2020. networking-index-vni/mobile-white-paper-c11-520862.pdf .
7. Roger Dingledine and Steven J. Murdoch. Performance Improvements On Tor Or,
Why Tor Is Slow And What We’re Going To Do About It. Technical report, Tor
Project, March 2009.
8. Hannes Federrath. Sicherheit mobiler Kommunikation. DuD Fachbeiträge. Vieweg,
Wiesbaden, 1999.
9. Florent Fourcot, Laurent Toutain, Stefan Köpsell, Frédéric Cuppens, and Nora
Cuppens-Boulahia. Ipv6 address obfuscation by intermediate middlebox in coor-
dination with connected devices. volume 8115 of LNCS, pages 148–160, 2013.
10. Julien Freudiger, Reza Shokri, and Jean-Pierre Hubaux. On the optimal placement
of mix zones. In Privacy Enhancing Technologies, 9th International Symposium,
PETS 2009, Seattle, WA, USA, August 5-7. Proceedings, pages 216–234, 2009.
11. Karl-Peter Fuchs, Dominik Herrmann, and Hannes Federrath. Introducing the
gMix Open Source Framework for Mix Implementations. In Sara Foresti, Moti
Yung, and Fabio Martinelli, editors, ESORICS’12, volume 7459 of LNCS, pages
487–504. Springer, 2012.
12. Dominik Herrmann, Christine Arndt, and Hannes Federrath. Ipv6 prefix alteration:
An opportunity to improve online privacy. CoRR, abs/1211.4704, 2012.
13. Dominik Herrmann, Karl-Peter Fuchs, Jens Lindemann, and Hannes Federrath.
EncDNS: A Lightweight Privacy-Preserving Name Resolution Service. In ES-
ORICS’14, volume 8712 of LNCS, pages 37–55, 2014.
14. Enterprise Privacy Architecture: Securing returns on e-business.
15. Milena Janic, Jan Pieter Wijbenga, and Thijs Veugen. Transparency enhancing
tools (tets): An overview. In Third Workshop on Socio-Technical Aspects in Secu-
rity and Trust, STAST 2013, New Orleans, LA, USA, June 29, 2013, pages 18–25.
IEEE Computer Society, 2013.
16. Csaba Király and Renato Lo Cigno. IPsec-Based Anonymous Networking: A Work-
ing Implementation. In ICC’09, pages 1–5. IEEE, 2009.
17. S. Koschinat, G. Bal, M. Hegen, and K. Rannenberg. H6.1.2 - Towards an Economic
Valuation of Identity Management Enablers, Public Deliverable of EU Project
PrimeLife, 2010.
18. S. Koschinat, G. Bal, K. Rannenberg, and M. Hegen. D6.1.2 - Economic Valuation
of Identity Management Enablers, Public Deliverable of EU Project PrimeLife, 2011.
19. Sascha Koschinat, Gökhan Bal, Christian Weber, and Kai Rannenberg. Privacy by
sustainable identity management enablers. In Privacy and Identity Management
for Life, pages 431–452. 2011.
20. Mark Graham and Stefano De Sabbata. Information Geogra-
phies at the Oxford Internet Institute: The anonymous Internet, 2015.
21. Sebastian Müller, Franziska Brecht, Benjamin Fabian, Steffen Kunz, and Dominik
Kunze. Distributed Performance Measurement and Usability Assessment of the
Tor Anonymization Network. Future Internet, 4(2):488–513, 2012.
22. Alexander Osterwalder and Yves Pigneur. Business Model Generation - A Hand-
book for Visionaries, Game Changers, and Challengers. Wiley, New York, 2010.
23. Dang Vinh Pham, Joss Wright, and Dogan Kesdogan. A practical complexity-
theoretic analysis of mix systems. volume 6879 of LNCS, pages 508–527, 2011.
24. Joel Reardon and Ian Goldberg. Improving Tor using a TCP-over-DTLS Tunnel.
In USENIX Sec’09, pages 119–134. USENIX Association, 2009.
25. Patrick Spieth, Dirk Schneckenberg, and Joan E Ricart. Business model innovation
state of the art and future challenges for the field. R&D, 44(3):237–247, 2014.
26. Patrick Stähler. Geschäftsmodelle in der digitalen Ökonomie - Merkmale, Strategien
und Auswirkungen. Lohmar, Köln, 2. Aufl. edition, 2002.
27. The gMix Project. gMix: A Generic Open Source Framework for Mixes, 2015.
28. F. Veseli and W. Tesfay. Privacy-ABC Technologies, Personal Data Ecosystem,
and Business Models A feasibility study report. Technischer Bericht, ABC4Trust
Project, 2015.
29. Bernd W. Wirtz. Electronic Business. Springer-Verlag, Berlin Heidelberg New
York, 2. Aufl. edition, 2001.
30. Bernd W. Wirtz. Business Model Management - Design - Instrumente - Erfolgs-
faktoren von Geschäftsmodellen. Gabler Verlag, Wiesbaden, 3. Aufl. edition, 2013.
31. Sherali Zeadally, Ray Hunt, Yuh-Shyan Chen, Angela Irwin, and Aamir Hassan.
Vehicular ad hoc networks (VANETS): status, results, and challenges. Telecom-
munication Systems, 50(4):217–241, 2012.
... Future work could also investigate PETs that are integrated into regular services, e. g., the use of machine learning to help users with the privacy preferences [42], integration of PETs into physical services such as payment and shipment for e-commerce [56], or the integration of PETs into the Internet infrastructure eliminating the users' effort to set up PETs themselves [22]. However, this would raise additional challenges as it needs to be clearly investigated if users refer to the PET part of the service or the traditional part. ...
Full-text available
This chapter provides information about acceptance factors of privacy-enhancing technologies (PETs) based on our research why users are using Tor and JonDonym, respectively. For that purpose, we surveyed 124 Tor users (Harborth and Pape 2020) and 142 JonDonym users (Harborth Pape 2020) and did a quantitative evaluation (PLS-SEM) on different user acceptance factors. We investigated trust in the PET and perceived anonymity (Harborth et al. 2021; Harborth et al. 2020; Harborth and Pape 2018), privacy concerns, and risk and trust beliefs (Harborth and Pape 2019) based on Internet Users Information Privacy Concerns (IUIPC) and privacy literacy (Harborth and Pape 2020). The result was that trust in the PET seems to be the major driver. Furthermore, we investigated the users’ willingness to pay or donate for/to the service (Harborth et al. 2019). In this case, risk propensity and the frequency of perceived improper invasions of users’ privacy were relevant factors besides trust in the PET. While these results were new in terms of the application of acceptance factors to PETs, none of the identified factors was surprising. To identify new factors and learn about differences in users’ perceptions between the two PETs, we also did a qualitative analysis of the questions if users have any concerns about using the PET, when they would be willing to pay or donate, which features they would like to have and why they would (not) recommend the PET (Harborth et al. 2021; Harborth et al. 2020). To also investigate the perspective of companies, we additionally interviewed 12 experts and managers dealing with privacy and PETs in their daily business and identified incentives and hindrances to implement PETs from a business perspective (Harborth et al. 2018).
... Users do not make use of privacy enhancing technologies, because their use is too complicated and/or takes too much effort [69]. Earlier research found also that it is important to "understand the target population" and research suggesting zero-effort privacy [87,97] by improving the usability of the service and removing obstacles to reduce the user's necessary effort. We could notice a similar behavior when we investigated energy providers. ...
Full-text available
In order to address security and privacy problems in practice, it is very important to have a solid elicitation of requirements, before trying to address the problem. In this thesis, specific challenges of the areas of social engineering, security management and privacy enhancing technologies are analyzed: Social Engineering: An overview of existing tools usable for social engineering is provided and defenses against social engineering are analyzed. Serious games are proposed as a more pleasant way to raise employees’ awareness and to train them. Security Management: Specific requirements for small and medium sized energy providers are analyzed and a set of tools to support them in assessing security risks and improving their security is proposed. Larger enterprises are supported by a method to collect security key performance indicators for different subsidiaries and with a risk assessment method for apps on mobile devices. Furthermore, a method to select a secure cloud provider – the currently most popular form of outsourcing – is provided. Privacy Enhancing Technologies: Relevant factors for the users’ adoption of privacy enhancing technologies are identified and economic incentives and hindrances for companies are discussed. Privacy by design is applied to integrate privacy into the use cases e-commerce and internet of things.
Full-text available
One way to reduce privacy risks for consumers when using the internet is to inform them better about the privacy practices they will encounter. Tailored privacy information provision could outperform the current practice where information system providers do not much more than posting unwieldy privacy notices. Paradoxically, this would require additional collection of data about consumers’ privacy preferences—which constitute themselves sensitive information so that sharing them may expose consumers to additional privacy risks. This chapter presents insights on how this paradoxical interplay can be outmaneuvered. We discuss different approaches for privacy preference elicitation, the data required, and how to best protect the sensitive data inevitably to be shared with technical privacy-preserving mechanisms. The key takeaway of this chapter is that we should put more thought into what we are building and using our systems for to allow for privacy through human-centered design instead of static, predefined solutions which do not meet consumer needs.
Full-text available
Mobile computing devices have become ubiquitous; however, they are prone to observation and reconstruction attacks. In particular, shoulder surfing, where an adversary observes another user’s interaction without prior consent, remains a significant unresolved problem. In the past, researchers have primarily focused their research on making authentication more robust against shoulder surfing—with less emphasis on understanding the attacker or their behavior. Nonetheless, understanding these attacks is crucial for protecting smartphone users’ privacy. This chapter aims to bring more attention to research that promotes a deeper understanding of shoulder surfing attacks. While shoulder surfing attacks are difficult to study under natural conditions, researchers have proposed different approaches to overcome this challenge. We compare and discuss these approaches and extract lessons learned. Furthermore, we discuss different mitigation strategies of shoulder surfing attacks and cover algorithmic detection of attacks and proposed threat models as well. Finally, we conclude with an outlook of potential next steps for shoulder surfing research.
Full-text available
Users should always play a central role in the development of (software) solutions. The human-centered design (HCD) process in the ISO 9241-210 standard proposes a procedure for systematically involving users. However, due to its abstraction level, the HCD process provides little guidance for how it should be implemented in practice. In this chapter, we propose three concrete practical methods that enable the reader to develop usable security and privacy (USP) solutions using the HCD process. This chapter equips the reader with the procedural knowledge and recommendations to: (1) derive mental models with regard to security and privacy, (2) analyze USP needs and privacy-related requirements, and (3) collect user characteristics on privacy and structure them by user group profiles and into privacy personas. Together, these approaches help to design measures for a user-friendly implementation of security and privacy measures based on a firm understanding of the key stakeholders.
A variety of methods and techniques are used in usable privacy and security (UPS) to study users’ experiences and behaviors. When applying empirical methods, researchers in UPS face specific challenges, for instance, to represent risk to research participants. This chapter provides an overview of the empirical research methods used in UPS and highlights associated opportunities and challenges. This chapter also draws attention to important ethical considerations in UPS research with human participants and highlights possible biases in study design.
Augmented reality (AR) has found application in online games, social media, interior design, and other services since the success of the smartphone game Pokémon Go in 2016. With recent news on the metaverse and the AR cloud, the contexts in which the technology is used become more and more ubiquitous. This is problematic, since AR requires various different sensors gathering real-time, context-specific personal information about the users, causing more severe and new privacy threats compared to other technologies. These threats can have adverse consequences on information self-determination and the freedom of choice and, thus, need to be investigated as long as AR is still shapeable. This communication paper takes on a bird’s eye perspective and considers the ethical concept of autonomy as the core principle to derive recommendations and measures to ensure autonomy. These principles are supposed to guide future work on AR suggested in this article, which is strongly needed in order to end up with privacy-friendly AR technologies in the future.
Today’s environment of data-driven business models relies heavily on collecting as much personal data as possible. One way to prevent this extensive collection is to use privacy-enhancing technologies (PETs). However, until now, PETs did not succeed in larger consumer markets. In addition, there is a lot of research determining the technical properties of PETs, i.e. for Tor, but the use behavior of the users and, especially, their attitude towards spending money for such services is rarely considered. Yet, determining factors which lead to an increased willingness to pay (WTP) for privacy is an important step to establish economically sustainable PETs. We argue that the lack of WTP for privacy is one of the most important reasons for the non-existence of large players engaging in the offering of a PET. The relative success of services like Tor corroborates this claim since this is a service without any monetary costs attached. Thus, we empirically investigate the drivers of active users’ WTP of a commercial PET - JonDonym - and compare them with the respective results for a donation-based service - Tor. Furthermore, we provide recommendations for the design of tariff schemes for commercial PETs.
In times of ubiquitous electronic communication and increasing industry pressure for standard electronic authentication, the maintenance of privacy, or "the right to be left alone" becomes a subject of increasing concern. The possibility of a "transparent human," whose vital information is up for grabs, can most easily be envisioned in the realm of e-commerce, due in part to the large amounts of data available, and in part to the high payoffs expected from using this data for marketing purposes.
While the Internet increasingly permeates everyday life of individuals around the world, it becomes crucial to prevent unauthorized collection and abuse of personalized information. Internet anonymization software such as Tor is an important instrument to protect online privacy. However, due to the performance overhead caused by Tor, many Internet users refrain from using it. This causes a negative impact on the overall privacy provided by Tor, since it depends on the size of the user community and availability of shared resources. Detailed measurements about the performance of Tor are crucial for solving this issue. This paper presents comparative experiments on Tor latency and throughput for surfing to 500 popular websites from several locations around the world during the period of 28 days. Furthermore, we compare these measurements to critical latency thresholds gathered from web usability research, including our own user studies. Our results indicate that without massive future optimizations of Tor performance, it is unlikely that a larger part of Internet users would adopt it for everyday usage. This leads to fewer resources available to the Tor community than theoretically possible, and increases the exposure of privacy-concerned individuals. Furthermore, this could lead to an adoption barrier of similar privacy-enhancing technologies for a Future Internet.
Business model innovation is receiving increased attention in corporate practice and research alike. We propose in this article a role-based approach to categorize the literature and argue that the respective roles of explaining the business, running the business, and developing the business can serve as three interrelated perspectives to present an overview of the current business model innovation field and to accommodate the selected contributions of this special issue. We refer to contributions from entrepreneurship, innovation and technology management, and corporate strategy to explicate the three elaborated perspectives and to summarize the main contents of the special issue articles. We conclude by reflecting on main theoretical challenges for studies on business model innovation which stem from the uncertain boundaries of the phenomenon, and we propose some theoretical stances and analytic levels to develop future avenues for research.
Conference Paper
Privacy is a major concern on the current Internet, but transport mechanisms like IPv4 and more specifically IPv6 do not offer the necessary protection to users. However, the IPv6 address size allows designing privacy mechanisms impossible in IPv4. Nevertheless, existing solutions like Privacy Extensions [20] are not optimal: still only one address is in use for several communications over time, and it does not offer control of the network by the administrator (end devices use randomly generated addresses). Our IPv6 privacy proposal uses ephemeral addresses outside the trusted network but stable addresses inside the local network, allowing the control of the local network security by the administrator. Our solution is based on new opportunities of IPv6: a large address space and a new flow label field. In combination with Cryptographically Generated Addresses, we can provide protection against spoofing on the local network and enhanced privacy for Internet communication. © 2013 IFIP International Federation for Information Processing.
Conference Paper
Recently, there have been several research efforts to design a transport layer that meets the security requirements of anonymous communications while maximizing the network performance experienced by users. In this work, we argue that existing proposals suffer from several performance and deployment issues and we introduce PCTCP, a novel anonymous communication transport design for overlay networks that addresses the shortcomings of the previous proposals. In PCTCP, every overlay path, or circuit, is assigned a separate kernel-level TCP connection that is protected by IPsec, the standard security layer for IP. To evaluate our work, we focus on the Tor network, the most popular low-latency anonymity network, which is notorious for its performance problems that can potentially deter its wider adoption and thereby impact its anonymity. Previous research showed that the current transport layer design of Tor, in which several circuits are multiplexed in a single TCP connection between any pair of routers, is a key contributor to Tor's performance issues. We implemented, experimentally evaluated, and confirmed the potential gains provided by PCTCP in an isolated testbed and on the live Tor network. We ascertained that significant performance benefits can be obtained using our approach for web clients, while maintaining the same level of anonymity provided by the network today. Our realistic large-scale experimental evaluation of PCTCP shows improvements of more than 60% for response times and approximately 30% for download times compared to Tor. Finally, PCTCP only requires minimal changes to Tor and is easily deployable, as it does not require all routers on a circuit to upgrade.
Telcos face an elementary change in their traditional business model. The reasons for this are manifold: tougher regulations, new technology (most notably VoIP and open spectrum), matured core business markets (voice and messaging), new market entrants or advancing customer demands and expectations. A potential direction of this change is business models that concentrate on the exploitation and monetisation of the huge amount of customer data that results from the usage of traditional communication services (data, voice). Based on these data, telcos’ longstanding relationships to their customers, and infrastructural assets and capabilities, telcos are a reasonable candidate for assuming the role of identity management service providers (IdMSPs). This chapter describes a method to evaluate privacy-enhancing IdM Services from the perspective of a telco acting as prospective IdM Service Provider. The basis for the evaluation method is formed by the concept of Identity Management Enablers, which are used to analyse and describe the services and scenarios on which the decision-supporting method is based.
translation and localization team and infrastructure; and spread understanding of Tor in a safe word-of-mouth way that stayed mostly under the radar of censors. In parallel to adding these features, we've also been laying the groundwork for performance improvements. We've been working with academics to write research papers on improving Tor's speed, funding some academic groups directly to come up with prototypes, and thinking hard about how to safely collect metrics about network performance. But it's becoming increasingly clear that we're not going to produce the perfect answers just by thinking hard. We need to roll out some attempts at solutions, and use the experience to get better intuition about how to really solve the problems. We've identified six main reasons why the Tor network is slow. Problem #1 is that Tor's congestion control does not work well. We need to come up with ways to let "quiet" streams like web browsing co-exist better with "loud" streams like bulk transfer. Problem #2 is that some Tor users simply put too much traffic onto the network relative to the amount they contribute, so we need to work on ways to limit the effects of those users and/or provide priority to the other users. Problem #3 is that the Tor network simply doesn't have enough capacity to handle all the users that want privacy on the Internet. We need to develop strategies for increasing the overall community of relays, and consider introducing incentives to make the network more self-sustaining. Problem #4 is that Tor's current path selection algorithms don't actually distribute load correctly over the network, meaning some relays are overloaded and some are underloaded. We need to develop ways to more accurately estimate the properties of each relay, and also ways for clients to select paths more fairly. Problem #5 is that Tor clients aren't as good as they should be at handling high or variable latency and connection failures.
We need better heuristics for clients to automatically shift away from bad circuits, and other tricks for them to dynamically adapt their behavior. Problem #6 is that low-bandwidth users spend too much of their network overhead downloading directory information. We've made a serious dent in this problem already, but more work remains here too. We discuss each reason more in its own section below. For each section, we explain our current intuition for how to address the problem, how effective we think each fix would be, how much effort and risk is involved, and the recommended next steps, all with an eye to what can be accomplished in 2009. While all six categories need to be resolved in order to make the Tor network fast enough to handle everyone who wants to use it, we've ordered the sections by precedence. That is, solving the earlier sections will be necessary before we can see benefits from solving the later sections.