arXiv:1711.07220v1 [cs.CR] 20 Nov 2017
Integrating Privacy-Enhancing Technologies into
the Internet Infrastructure
David Harborth1, Dominik Herrmann2, Stefan K¨opsell3, Sebastian Pape1,
Christian Roth4, Hannes Federrath2, Dogan Kesdogan4, and Kai Rannenberg1
1Goethe-University Frankfurt am Main
2University of Hamburg
4University of Regensburg
Abstract. The AN.ON-Next project aims to integrate privacy-enhancing
technologies into the internet’s infrastructure and establish them in the
consumer mass market.
The technologies in focus include a basis protection at internet service
provider level, an improved overlay network-based protection and a con-
cept for privacy protection in the emerging 5G mobile network. A crucial
success factor will be the viable adjustment and development of stan-
dards, business models and pricing strategies for those new technologies.
Despite an increasing public perception of the matter of data protection, nowa-
days anonymization services like Tor and JonDonym have not yet achieved wide
everyday and mass appeal. Although a user base of tens of thousands (Jon-
Donym) to several hundreds of thousands (Tor) users is a decent result, their
share is vanishing small compared to the total number of internet users .
As a result, most internet users today leave extensive digital traces that can
be used to build detailed personal proﬁles by internet service providers (ISP)
or third parties without the users’ knowledge and possibility of intervention.
This threat to the right of informational self-determination gains in importance
through the pervasion of everyday’s life by the internet. In particular, the in-
creasing use of portable devices leads to the possibility of an even more detailed
proﬁling and thus allows a deeper intrusion in the users’ privacy.
Otherwise, one important reason for the low prevalence of privacy-enhancing
technologies (PETs) is the lack of usability. Privacy played no signiﬁcant role
in the design of today’s internet’s infrastructure. Thus, actual anonymization
services are organized as separate overlay networks. End users typically need to
install additional components on their system. This results in a massive eﬀort to
use those programs which in turn leads to an overburdened user. Additionally,
the usability of Tor and JonDonym is limited to stationary personal computers
and comparable software for mobile devices is not available for the consumer
mass market yet. On the other hand, many PETs cause a high overhead and
2 Authors Suppressed Due to Excessive Length
cannot be activated by default (e.g. by the ISP). The loss of comfort by far
outweighs the beneﬁts of privacy and is thus unacceptable for many users.
The underlying assumption that guides the project is that PETs are only
able to reach the mass market when they are standardized and usable without
any action of the user (“zero-eﬀort”) and work so eﬃciently that they do not
cause any noticeable limitation on the quality of service (especially regarding
latency and bandwidth). This is particularly important considering the privacy
attitudes and behaviors of regular users [1, 4]. To reach this g oal, PETs need to
be ﬁrmly integrated in the internet’s infrastructure.
Therefore, the AN.ON-Next5project’s vision is to integrate PETs in the in-
ternet’s infrastructure. By pilot projects with industry representatives the con-
cepts will be tested, optimized and shown that eﬃcient data protection is possi-
ble and can be the basis for new business models. Up to now there are no such
solutions, partly because of the lack of suitable cooperation between research
and industry. This led repeatedly to missed opportunities regarding a possible
incorporation of strong privacy protecting technologies in new telecommunica-
tions’ and internet’s standards. In order to establish PETs in the mass market,
therefore corresponding business models also have to be regarded.
The project aims at working on three overarching goals. First, design more
eﬃcient PETs. Second, allocate the anonymization service into the internet’s
infrastructure and create a transparent anonymization experience for end-users.
Third, improve the traceability of protection level achieved for each participant.
The remainder of this paper is organized as follows: Sect. 2 provides an
overview of related work. The goals for the three tackled technical areas of ISP-
based, network overlay-based, and 5G network anonymization techniques are
presented in Sect. 3 to Sect. 5. The development of business models is discussed
in Sect. 6. We conclude the sketch of our project idea in Sect. 7.
2 Related Work
The planned work on ISP-sided anonymization will be built on existing work by
the pro ject partners [9, 12]. This work will be expanded, optimized and tested
based on a prototype in order to develop usable solutions.
For network overlay-based anonymization technologies exist already prac-
tically usable solutions, namely Tor and JonDonym (former JAP). The main
problems of these existing services are massive performance limitations6[7, 21]
and a lack of compatibility with existing application software. How to improve
the performance is already discussed in numerous papers [2, 11, 13, 16, 24].
The majority of research considers only the design of anonymization protocols
for the application layer. Relevant preliminary work of the project partners are
methods for protecting the location of mobile subscribers , the gMix frame-
work, with which anonymization protocols can be evaluated realistically in a
short time [11, 27], proposals for lightweight anonymization protocols , as
Integrating Privacy-Enhancing Technologies into the Internet Infrastructure 3
well as the assessment of the eﬀectiveness of diﬀerent attack techniques  in
order to make eﬀective protection mechanisms and to explore their limits.
There is a rich strand of literature that deals with the development and
adaption of business models to the ever changing environment companies have
to deal with . The groundwork in that area was laid by Staehler  who
proposed an approach where a business model consists of three elements: value
proposition, value chain (value creation architecture) and revenue model. Other
fundamental work on business models was done by Wirtz and Osterwalder and
Pigneur [22, 29, 30]. Furthermore, the application of business mo del approaches
to anonymization and identity management services is considered [1 7–19,28].
3 ISP-based Anonymization
One objective in AN.ON-Next is to study light-weight mechanisms that increase
the baseline protection for ordinary users. With existing approaches like Tor or
I2P users have to install and run a client software on their own. In contrast, we
are interested in unobtrusive techniques that minimize eﬀort for the user. We
have observed that many users are willing to accept the fact that their ISP can
analyze their surﬁng behavior, while they object to tracking performed by ad
networks and proﬁling services.
Existing protection techniques, such as deleting cookies and preventing browser
ﬁngerprinting, are ineﬀective, if the traﬃc of a user is coming from the same IP
address over long periods of time. In this case third parties could link a user’s
activities solely based on the IP address. However, obtaining a new IP address
from the ISP is a cumbersome task at the moment. Typically, one has to man-
ually force the broadband router to perform a reconnect, which terminates all
active connections. The situation will worsen in the future, if ISPs decide to
assign a long-lasting IPv6 preﬁx to residential customers.
In principle, ISPs could oﬀer basic privacy protection with little cost. To
this end, ISPs would only assign very short-lived IP addresses (or IPv6 preﬁxes)
to their customers. This measure would complement defenses that are already
implemented in major browsers by ensuring that they are not bypassed with
IP-based tracking eﬀorts. However, network protocols used during dial-up (e. g.,
DHCP and PPPoE) have not been designed with short-lived addresses in mind.
Additionally we will investigate to which extent it is feasible to have short-
lived IP addresses not only on a per device base but on a per connection base,
i.e. utilizing diﬀerent source IP addresses per packet ﬂow.
Therefore, we will look into various design alternatives to deploy short-lived
IP addresses and study their feasibility. For instance, ISPs could employ carrier-
grade network address translation in order to rewrite the traﬃc of a customer on
their own, resulting in zero eﬀort for the user. Alternatively, ISPs could assign
multiple IPv6 preﬁxes to the customer’s broadband router at a given point in
time [9, 12]. In this case, the customer would still have some control about the
anonymization process, because now it is the broadband router that decides
which IPv6 preﬁx should be used for a particular outgoing connection.
4 Authors Suppressed Due to Excessive Length
4 Network Overlay-based Anonymization
The main problems of the existing network overlay-based anonymization services
are the weak performance, missing protection against strong attackers, and the
high eﬀort for users to install and use such systems.
The developed anonymization service will be based on the concept of cascades
instead of free sequences. A cascade is a ﬁxed sequence of connected interme-
diate stations (mixes). The user will only be able to decide which cascade he
wants to use. The use of cascades instead of free sequences aims to avoid some
disadvantages of Tor associated with the selection of Tor nodes in a route.
In addition, transparency about the hosts of the mixes is not always given.
Thus, the new anonymous protocol will be designed and integrated into a test
cascade of the anonymization service JonDonym. The protocol should provide
reliable protection against much stronger attackers than the ISP-based solution
and the usability and compatibility should signiﬁcantly improve compared to Tor
and the current JonDonym service. A high level of transparency will be achieved
by providing reliable information on the operator of each mix and other relevant
data to the user. Thus, the user can decide if it is the appropriate mix cascade.
The basic idea of the proposed protocol is a paradigm shift compared to cur-
rent anonymization services. The solutions in focus strive to receive user data
at the IP layer (instead of the application layer) over a virtual private network
(VPN) connection. Therefore one interface to the new anonymization service
will be a user operated JonDonym-client acting as a VPN server on a com-
puter in his own home, for example on a wireless router. The JonDonym-client
passes the communication through the (redesigned) JonDonym mix cascade for
the purpose of anonymization and for example for recursive encryption and de-
cryption. Another approach will be to run the JonDonym-client directly on the
(mobile) device of the end user and let the JonDonym-client additionally act as
a VPN-service. Being a VPN-service implies that the JonDonym-client will be
responsible for handling the IP traﬃc of the mobile device which the JonDonym-
client will tunnel utilizing the anonymization service (instead of a usual VPN
(e.g. IPSec based) as an ordinary VPN service would do).
The advantage is that the concept produces compatibility with all VPN en-
abled devices including the installed software. The user only has to add the
JonDonym-client as a VPN server to his terminal, which is supported by all
major smartphone platforms already. This will reduce the conﬁguration eﬀort to
a minimum and creates compatibility with devices and applications which was
not achieved by previous solutions.
5 Anonymization Techniques for the 5G Network
Mobile networks experienced an exponential increase of mobile data traﬃc and of
the number of connected devices over the last decade . However, this explosion
together with the high demand for extremely low latency real-time applications,
e.g., the so-called tactile internet, video streaming, and vehicular ad hoc net-
works (VANETs ), impose new challenges on the current mobile networks.
Integrating Privacy-Enhancing Technologies into the Internet Infrastructure 5
For instance, in VANETs, each vehicle periodically sends, receives, and broad-
casts information to the vehicular network in order to increase traﬃc safety.
The communication between the vehicles and the network as well as among the
vehicles themselves rely on very accurate and up-to-date information about the
surrounding environment. This in turn requires the underlying network architec-
ture and communication protocols to provide robust connectivity and ensure fast
delivery of information to all the vehicles. The next generation of mobile telecom-
munication, namely 5G, is therefore desirable to fulﬁll these requirements.
From the technical point of view, small cells are crucial in 5G networks in
order to address the huge amount of data capacity. Concurrently, the deployment
of small cells allows 5G networks and hence malicious attackers to localize mobile
devices easier and more precisely, which renders 5G more vulnerable to location
privacy threats. It is therefore pivotal to revisit the problem of location privacy
in the 5G environment under the consideration of stronger adversary models.
From the architectural point of view, the conventional centralized cloud-
based architectures for mobile networks may no longer be suitable to provide
the 1 millisecond round trip delay that is typically a crucial requirement for
many real-world scenarios such as VANETs. This challenge motivates the use of
various local clouds in the design of 5G architectures. Thereby, mobile devices
are strongly coupled with their local computing resources, i.e., the clouds, which
allows users’ location information to be distributed and replicated in the cloud
databases. Due to this massive amount of data and redundancies, eﬀectively
managing location privacy in such architectures is a non-trivial task.
In this project, we are aiming to address two challenging privacy problems
in 5G networks, namely location privacy and privacy management.
For location privacy, we are looking for diﬀerent anonymization techniques
ranging from lightweight anonymity protections, e.g, frequently changing the
pseudonyms of mobile devices, to more advanced privacy protection techniques
against stronger attacker models, e.g., mix-zones [5, 10]. It is worth noting that
there is a conﬂict between the level of location privacy protection and the op-
timization of service quality. In particular, service providers often require users
to provide more personal data such as their birthdays or their current locations
in order to support the users better. At the same time, disclosing too much in-
formation puts the users at more potential privacy risks. We therefore take this
trade-oﬀ into account while looking for good location privacy protections.
We tackle the problem of privacy management in 5G from two directions.
The ﬁrst approach is to investigate mechanisms to specify privacy policies that
prevent unauthorized access to raw location data. One possible solution could be
to extend the state-of-the art techniques, e.g., EPA and EPAL [3,14] to the con-
text of 5G. In the second approach, we exploit diﬀerent transparency enhancing
techniques (see  for an overview) that provide users with information on how
their data is being processed, stored, disclosed, and so forth. These techniques
enable users to protect their own privacy by choosing appropriate actions.
Additionally due to the high demands regarding latency, bandwidth, number
of users per cell etc. many of the existing PETs cannot be simply adopted to
6 Authors Suppressed Due to Excessive Length
the 5G setting. Anonymous communication via distributed solutions like Tor or
JonDonym with the aim of end-to-end latency not higher than 1ms implies that
the anonymization servers (mixes) have to be physically located within a 150km
radius from the mobile device (because of the speed of light).
6 Business Models for Privacy-Enhancing Technologies
in the Internet Infrastructure
The success of the developed technologies depends heavily on the wide distri-
bution in the consumer mass market. This can only be achieved by creating a
suitable business model that evolves around the technologies and regards the
interests of all relevant stakeholders. Therefore, the business model generation
is one important step in this research.
Based on related work, it will be investigated whether there are ways to adapt
existing business models. The prevalent goal is to create proﬁtable and sustain-
able ways for implementing and operating the developed anonymization services
in order to incentivize ISPs to engage in this business. This is the condition for
ensuring a rapid and wide spread of the technologies.
In addition, it will be ensured that the achieved technical solutions are fea-
sible from an economical perspective by developing business models together
with the PETs in an iterative way. The focus will be on the design of business
models that enable the ISP-sided anonymity for all customers of the ISPs. It
is investigated whether there are ways of cutting costs in the operation of the
anonymization service infrastructure (an example could be the direct operation
of Mix servers on the Internet backbone).
In a next steps, various tariﬀ plans are examined to determine to what extent
they are suitable for reﬁnancing the concepts and to estimate which stakehold-
ers must carry economic risks in certain scenarios. Tariﬀ models have several
diﬀerent properties with diﬀerent characteristics that all must be considered for
the project. For example:
–Billing models: one-oﬀ payments, ﬂat fees, consumption-based pay, ﬁnancing
by advertisement or consumption-related charges
–Quality levels of service: diﬀerentiation in terms of speed or diﬀerent privacy
These analyses are carried out on a target scenario compared to the status quo
for all diﬀerent technologies. Those results are also discussed iteratively with the
developers of the technologies to identify optimization potential.
The customer acceptance and understanding of tariﬀ models determines cru-
cially how successful a business model will be. Therefore possible tariﬀ models
are investigated with regard to usability, i.e. whether the end user understands
the tariﬀ and whether it is possible for the end user to choose an appropriate
tariﬀ in line with his needs. The main research problem in this area is how end
users perceive the various service features with regard to the associated prices
of the services.
Integrating Privacy-Enhancing Technologies into the Internet Infrastructure 7
We sketched three diﬀerent areas of PETs along with proposals how to improve
their usability and/or performance. Additionally, we described ideas how to in-
tegrate business models into technological research when integrating the PETs
in the internet infrastructure. We assume, that all ﬁelds of activity (usability
and performance improvement, business models) are needed to achieve our goal
to bring PETs in the consumer mass market for internet access.
The project is funded by the German Federal Ministry of Education and Re-
search (BMBF) via the program “self-determined and secure in the digital world”.
1. A. Acquisti and J. Grossklags. Privacy and rationality in individual decision mak-
ing. IEEE Security and Privacy Magazine, January/February(1):24–30, Jan 2005.
2. Mashael AlSabah and Ian Goldberg. PCTCP: Per-Circuit TCP-over-IPsec Trans-
port for Anonymous Communication Overlay Networks. In Ahmad-Reza Sadeghi,
Virgil D. Gligor, and Moti Yung, editors, CCS’13, pages 349–360. ACM, 2013.
3. Michael Backes, Birgit Pﬁtzmann, and Matthias Schunter. A toolkit for managing
enterprise privacy policies. In Computer Security - ESORICS 2003, 8th European
Symposium on Research in Computer Security, Proceedings, pages 162–180, 2003.
4. Bettina Berendt, Oliver Guenther, and Sarah Spiekermann. Privacy in e-commerce.
Communications of the ACM, 48(4):101–106, Apr 2005.
5. Alastair R. Beresford and Frank Stajano. Location privacy in pervasive computing.
IEEE Pervasive Computing, 2(1):46–55, 2003.
6. Cisco visual networking index: Global mobile data traﬃc forecast update, 2015-
2020. http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual- networking-index-vni/mobile-white-paper-c11-520862.pdf .
7. Roger Dingledine and Steven J. Murdoch. Performance Improvements On Tor Or,
Why Tor Is Slow And What We’re Going To Do About It. Technical report, Tor
Project, March 2009.
8. Hannes Federrath. Sicherheit mobiler Kommunikation. DuD Fachbeitr¨age. Vieweg,
9. Florent Fourcot, Laurent Toutain, Stefan K¨opsell, Fr´ed´eric Cuppens, and Nora
Cuppens-Boulahia. Ipv6 address obfuscation by intermediate middlebox in coor-
dination with connected devices. volume 8115 of LNCS, pages 148–160, 2013.
10. Julien Freudiger, Reza Shokri, and Jean-Pierre Hubaux. On the optimal placement
of mix zones. In Privacy Enhancing Technologies, 9th International Symposium,
PETS 2009, Seattle, WA, USA, August 5-7. Proceedings, pages 216–234, 2009.
11. Karl-Peter Fuchs, Dominik Herrmann, and Hannes Federrath. Introducing the
gMix Open Source Framework for Mix Implementations. In Sara Foresti, Moti
Yung, and Fabio Martinelli, editors, ESORICS’12, volume 7459 of LNCS, pages
487–504. Springer, 2012.
12. Dominik Herrmann, Christine Arndt, and Hannes Federrath. Ipv6 preﬁx alteration:
An opportunity to improve online privacy. CoRR, abs/1211.4704, 2012.
8 Authors Suppressed Due to Excessive Length
13. Dominik Herrmann, Karl-Peter Fuchs, Jens Lindemann, and Hannes Federrath.
EncDNS: A Lightweight Privacy-Preserving Name Resolution Service. In ES-
ORICS’14, volume 8712 of LNCS, pages 37–55, 2014.
14. Enterprise Privacy Architecture: Securing returns on e-business.
15. Milena Janic, Jan Pieter Wijbenga, and Thijs Veugen. Transparency enhancing
tools (tets): An overview. In Third Workshop on Socio-Technical Aspects in Secu-
rity and Trust, STAST 2013, New Orleans, LA, USA, June 29, 2013, pages 18–25.
IEEE Computer Society, 2013.
16. Csaba Kir´aly and Renato Lo Cigno. IPsec-Based Anonymous Networking: A Work-
ing Implementation. In ICC’09, pages 1–5. IEEE, 2009.
17. S. Koschinat, G. Bal, M. Hegen, and K. Rannenberg. H6.1.2 - Towards an Economic
Valuation of Identity Management Enablers, Public Deliverable of EU Project
PrimeLife. http://primelife.ercim.eu/results/documents/129-612h , 2010.
18. S. Koschinat, G. Bal, K. Rannenberg, and M. Hegen. D6.1.2 - Economic Valuation
of Identity Management Enablers, Public Deliverable of EU Project PrimeLife.
19. Sascha Koschinat, G¨okhan Bal, Christian Weber, and Kai Rannenberg. Privacy by
sustainable identity management enablers. In Privacy and Identity Management
for Life, pages 431–452. 2011.
20. Mark Graham and Stefano De Sabbata. Information Geogra-
phies at the Oxford Internet Institute – The anonymous Internet.
http://geography.oii.ox.ac.uk/?page=tor , 2015.
21. Sebastian M¨uller, Franziska Brecht, Benjamin Fabian, Steﬀen Kunz, and Dominik
Kunze. Distributed Performance Measurement and Usability Assessment of the
Tor Anonymization Network. Future Internet, 4(2):488–513, 2012.
22. Alexander Osterwalder and Yves Pigneur. Business Model Generation - A Hand-
book for Visionaries, Game Changers, and Challengers. Wiley, New York, 2010.
23. Dang Vinh Pham, Joss Wright, and Dogan Kesdogan. A practical complexity-
theoretic analysis of mix systems. volume 6879 of LNCS, pages 508–527, 2011.
24. Joel Reardon and Ian Goldberg. Improving Tor using a TCP-over-DTLS Tunnel.
In USENIX Sec’09, pages 119–134. USENIX Association, 2009.
25. Patrick Spieth, Dirk Schneckenberg, and Joan E Ricart. Business model innovation
state of the art and future challenges for the ﬁeld. R&D, 44(3):237–247, 2014.
26. Patrick St¨ahler. Geschftsmodelle in der digitalen konomie - Merkmale, Strategien
und Auswirkungen. Amazon.de, Lohmar, K¨oln, 2. auﬂ. edition, 2002.
27. The gMix Project. gMix: A Generic Open Source Framework for Mixes.
28. F. Veseli and W. Tesfay. Privacy-ABC Technologies, Personal Data Ecosystem,
and Business Models – A feasibility study report. Technischer Bericht, ABC4Trust
29. Bernd W. Wirtz. Electronic Business. Springer-Verlag, Berlin Heidelberg New
York, 2. auﬂ. edition, 2001.
30. Bernd W. Wirtz. Business Model Management - Design - Instrumente - Erfolgs-
faktoren von Geschftsmodellen. Gabler Verlag, Wiesbaden, 3. auﬂ. edition, 2013.
31. Sherali Zeadally, Ray Hunt, Yuh-Shyan Chen, Angela Irwin, and Aamir Hassan.
Vehicular ad hoc networks (VANETS): status, results, and challenges. Telecom-
munication Systems, 50(4):217–241, 2012.