The recent proliferation of wireless local area networks (WLAN) has introduced new location privacy risks. An adversary controlling several access points could triangulate a client’s position. In addition, interface identifiers uniquely identify each client, allowing tracking of location over time. We enhance location privacy through frequent disposal of a client’s interface identifier. The described system curbs the adversary’s ability to continuously track a client’s position. Design challenges include selecting new interface identifiers, detecting address collisions at the MAC layer, and timing identifier switches to balance network disruptions against privacy protection. Using a modified authentication protocol, network operators can still control access to their network. An analysis of a public WLAN usage trace shows that disposing addresses before reassociation already yields significant privacy improvements.

Abstract. Mobile computing enables users to compute and communicate almost regardless of their current location. However, as a side effect this technology considerably increased surveillance potential for user movements. Current research addresses location privacy rather patchwork-like than comprehensively. Thus, this paper presents a methodology for identifying, assessing, and comparing location privacy risks in mobile computing technologies. In a case study, we apply the approach to IEEE 802.11b wireless LAN networks and location-based services, where it reveals significant location privacy concerns through link- and application-layer information. From a technological perspective, we argue that these are best addressed through novel anonymity-based mechanisms. 1

Packet-switched computer networks of all sizes are widely used for personal, professional, and governmental communication. However, the speed, versatility, and largely unregulated nature of computer networks coupled with the availability of affordable high-capacity storage makes it possible and even practical to routinely maintain detailed logs of communication without indication to the communication partners. Although the contents of messages can be protected by cryptography, the simple fact that the network carries an encrypted message from one party to another is a piece of intelligence not as easily protected. For example, the message's destination must be revealed at some level so the network can deliver it. In this two-part dissertation we investigate techniques for protecting the identities of communication partners from worst-case adversaries such as the network infrastructure itself, including routers, switches, and hubs. In the first part, we survey and compare the nature of ...

Abstract In Mobile IPv6, each packet sent and received by a mobile node contains its home address. As a result, it is very easy for an eavesdropper or for a correspondent node to track the movement and usage of a mobile node. This paper proposes a simple and practical solution to this problem. The main idea is to replace the home address in the packets by a temporary mobile identifier (TMI), that is cryptographically generated and therefore random. As a result, packets cannot be linked to a mobile node anymore and traffic analysis is more difficult. With our solution, an eavesdropper can still identify the IP addresses of two communicating nodes but is not able to identify their identities (i.e., their home addresses). Furthermore since a mobile node uses a new identifier for each communication, an eavesdropper cannot link the different communications of a given mobile node together. We show that HMIPv6 can also benefit from the proposed privacy extension. Keywords: Mobile IPv6, CGA, Privacy. 1.

Abstract — Although recent years provided many protocols for anonymous routing in overlay networks, they commonly rely on the same communication paradigm: Onion Routing. In Onion Routing a static tunnel through an overlay network is build via layered encryption. All traffic exchanged by its end points is relayed through this tunnel. In contrast, this paper introduces dynamic multipath Onion Routing to extend the static Onion Routing paradigm. This approach allows each packet exchanged between two end points to travel along a different path. To provide anonymity the first half of this path is selected by the sender and the second half by the receiver of the packet. The results are manifold: First, dynamic multipath Onion Routing increases the resilience against threats, especially pattern and timing based analysis attacks. Second, the dynamic paths reduce the impact of misbehaving and overloaded relays. Finally, inspired by Internet routing, the forwarding nodes do not need to maintain any state about ongoing flows and so reduce the complexity of the router. In this paper, we describe the design of our dynamic Multipath Onion RoutEr (MORE) for peer-to-peer overlay networks, and evaluate its performance. Furthermore, we integrate address virtualization to abstract from Internet addresses and provide transparent support for IP applications. Thus, no applicationlevel gateways, proxies or modifications of applications are required to sanitize protocols from network level information. Acting as an IP-datagram service, our scheme provides a substrate for anonymous communication to a wide range of applications using TCP and UDP. I.

Although recent years provided many protocols for anonymous routing in overlay networks, they commonly rely on the same communication paradigm: Onion Routing. In Onion Routing a static tunnel through an overlay network is build via layered encryption. All traffic exchanged by its end points is relayed through this tunnel. In contrast, this paper introduces dynamic multipath Onion Routing to extend the static Onion Routing paradigm. This approach allows each packet exchanged between two end points to travel along a different path. To provide anonymity the first half of this path is selected by the sender and the second half by the receiver of the packet. The results are manifold: First, dynamic multipath Onion Routing increases the resilience against threats, especially pattern and timing based analysis attacks. Second, the dynamic paths reduce the impact of misbehaving and overloaded relays. Finally, inspired by Internet routing, the forwarding nodes do not need to maintain any state about ongoing flows and so reduce the complexity of the router. In this paper, we describe the design of our dynamic Multipath Onion RoutEr (MORE) for peer-to-peer overlay networks, and evaluate its performance. Furthermore, we integrate address virtualization to abstract from Internet addresses and provide transparent support for IP applications. Thus, no applicationlevel gateways, proxies or modifications of applications are required to sanitize protocols from network level information. Acting as an IP-datagram service, our scheme provides a substrate for anonymous communication to a wide range of applications using TCP and UDP.

We describe and evaluate options for providing anonymous IP service, argue for the further investigation of local anonymity, and sketch a framework for the implementation of locally anonymous networks. 1 Introduction Anonymity is not the same as confidentiality. Existing systems such as IPSEC can ably protect the contents of IP-based communication [Atk95, Pos81b], making it impractical for network eavesdroppers to deduce the purpose of observed traffic. However, the fact of the traffic itself is not hidden; the sender and receiver of each packet is clearly visible in the packet headers even when the packet is end-to-end encrypted. Such information should sometimes be protected as well. Suppose that Alice, the CEO of Apricot, decides to buy out the publicly-traded firm Banananon. When other Apricot officers learn of the plans, the subsequent flurry of connections from the executive suite to the Banananon's web site could betray Alice's intent. If Alice's network administrator Eve react...

In Mobile IPv6, each packet sent and received by a mobile node contains its home address. As a result, it is very easy for an eavesdropper or for a correspondent node to track the movement and usage of a mobile node. This paper proposes a simple and practical solution to this problem. The main idea is to replace the home address in the packets by a temporary mobile identifier (TMI), that is cryptographically generated and therefore random. As a result, packets cannot be linked to a mobile node anymore and traffic analysis is more difficult. With our solution, an eavesdropper can still identify the IP addresses of two communicating nodes but is not able to identify their identities (i.e., their home addresses). Furthermore since a mobile node uses a new identifier for each communication, an eavesdropper cannot link the different communications of a given mobile node together. We show that HMIPv6 can also benefit from the proposed privacy extension. Keywords: Mobile IPv6, CGA, Privacy.