Deniable Upload and Download via Passive Participation

Downloading or uploading controversial information can put users at risk, making them hesitant to access or share such information. While anonymous communication networks (ACNs) are designed to hide communication meta-data, already connecting to an ACN can raise suspicion. In order to enable plausible deniability while providing or accessing controversial information, we design CoverUp: a system that enables users to asynchronously upload and download data. The key idea is to involve visitors from a collaborating website. This website serves a JavaScript snippet, which, after user’s consent produces cover traffic for the controversial site / content. This cover traffic is indistinguishable from the traffic of participants interested in the controversial content; hence, they can deny that they actually upor downloaded any data. CoverUp provides a feed-receiver that achieves a downlink rate of 10 to 50 Kbit/s. The indistinguishability guarantee of the feed-receiver holds against strong global networklevel attackers who control everything except for the user’s machine. We extend CoverUp to a full upload and download system with a rate of 10 up to 50 Kbit/s. In this case, we additionally need the integrity of the JavaScript snippet, for which we introduce a trusted party. The analysis of our prototype shows a very small timing leakage, even after half a year of continual observation. Finally, as passive participation raises ethical and legal concerns for the collaborating websites and the visitors of the collaborating website, we discuss these concerns and describe how they can be addressed.

[1]  Nicholas Hopper,et al.  Cover your ACKs: pitfalls of covert channel censorship circumvention , 2013, CCS.

[2]  Bryan Ford,et al.  Reducing Metadata Leakage from Encrypted Files and Communication with PURBs , 2018, Proc. Priv. Enhancing Technol..

[3]  Alessandro Acquisti,et al.  Nudging Privacy: The Behavioral Economics of Personal Information , 2009, IEEE Security & Privacy.

[4]  Srinath T. V. Setty,et al.  Unobservable Communication over Fully Untrusted Infrastructure , 2016, OSDI.

[5]  Daniel J. Bernstein,et al.  Curve25519: New Diffie-Hellman Speed Records , 2006, Public Key Cryptography.

[6]  Ronald L. Rivest,et al.  All-or-Nothing Encryption and the Package Transform , 1997, FSE.

[7]  D. Artz,et al.  Digital steganography: hiding data within data , 2001 .

[8]  Vitaly Shmatikov,et al.  CloudTransport: Using Cloud Storage for Censorship-Resistant Networking , 2014, Privacy Enhancing Technologies.

[9]  Esfandiar Mohammadi,et al.  Tight on Budget?: Tight Bounds for r-Fold Approximate Differential Privacy , 2018, CCS.

[10]  George Danezis,et al.  The Loopix Anonymity System , 2017, USENIX Security Symposium.

[11]  Matthias Bauer New covert channels in HTTP: adding unwitting Web browsers to anonymity sets , 2003, WPES '03.

[12]  A. Houmansadr,et al.  : Using Live Streaming to Evade Internet Censorship , 2016 .

[13]  Vitaly Shmatikov,et al.  CovertCast: Using Live Streaming to Evade Internet Censorship , 2016, Proc. Priv. Enhancing Technol..

[14]  Nick Feamster,et al.  Infranet: Circumventing Web Censorship and Surveillance , 2002, USENIX Security Symposium.

[15]  Devavrat Shah,et al.  ARQ for network coding , 2008, 2008 IEEE International Symposium on Information Theory.

[16]  J. Dumortier Directive 98/48/EC of the European Parliament and of the Council , 2006 .

[17]  Dan Boneh,et al.  Riposte: An Anonymous Messaging System Handling Millions of Users , 2015, 2015 IEEE Symposium on Security and Privacy.

[18]  Paul Francis,et al.  Towards efficient traffic-analysis resistant anonymity networks , 2013, SIGCOMM.

[19]  Nick Mathewson,et al.  The pynchon gate: a secure method of pseudonymous mail retrieval , 2005, WPES '05.

[20]  Mayank Bakshi,et al.  Reliable deniable communication: Hiding messages in noise , 2013, 2013 IEEE International Symposium on Information Theory.

[21]  David Wolinsky,et al.  Dissent in Numbers: Making Strong Anonymity Scale , 2012, OSDI.

[22]  Volker Roth,et al.  A Secure Submission System for Online Whistleblowing Platforms , 2013, Financial Cryptography.

[23]  Susan Landau,et al.  Making Sense from Snowden: What's Significant in the NSA Surveillance Revelations , 2013, IEEE Security & Privacy.

[24]  Lem Ma,et al.  The Federal Constitution of the Swiss Confederation , 2016 .

[25]  Song Li,et al.  (Cross-)Browser Fingerprinting via OS and Hardware Level Features , 2017, NDSS.

[26]  Michel Beaudouin-Lafon,et al.  Designing interaction, not interfaces , 2004, AVI.

[27]  Dan Boneh,et al.  Evading Censorship with Browser-Based Proxies , 2012, Privacy Enhancing Technologies.

[28]  Mária Bieliková,et al.  Tabbed Browsing Behavior as a Source for User Modeling , 2013, UMAP.

[29]  Bryan Ford,et al.  Conscript your friends into larger anonymity sets with JavaScript , 2013, WPES.

[30]  Nickolai Zeldovich,et al.  Vuvuzela: scalable private messaging resistant to traffic analysis , 2015, SOSP.

[31]  Bernd Girod,et al.  Communications approach to image steganography , 2002, IS&T/SPIE Electronic Imaging.

[32]  Nikita Borisov,et al.  I want my voice to be heard: IP over Voice-over-IP for unobservable censorship circumvention , 2013, NDSS.

[33]  Vern Paxson,et al.  Blocking-resistant communication through domain fronting , 2015, Proc. Priv. Enhancing Technol..

[34]  Carmela Troncoso,et al.  PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval , 2011, USENIX Security Symposium.

[35]  Victor Boyko,et al.  On the Security Properties of OAEP as an All-or-Nothing Transform , 1999, CRYPTO.

[36]  Joseph Bonneau,et al.  Finite-State Security Analysis of OTR Version 2 , 2006 .

[37]  Vincent Rijmen,et al.  The Design of Rijndael: AES - The Advanced Encryption Standard , 2002 .

[38]  David M. Sommer,et al.  ETH Library Deniable Upload and Download via Passive Participation , 2018 .

[39]  Andrew S. Patrick,et al.  From Privacy Legislation to Interface Design: Implementing Information Privacy in Human-Computer Interactions , 2003, Privacy Enhancing Technologies.

[40]  Ling Ren,et al.  Path ORAM , 2012, J. ACM.

[41]  Nikita Borisov,et al.  SWEET: Serving the Web by Exploiting Email Tunnels , 2012, IEEE/ACM Transactions on Networking.

[42]  Mr.Pravin R. Kamble,et al.  Steganography Techniques: A Review , 2013 .