# Enlisting ISPs to Improve Online Privacy: IP Address Mixing by Default
This paper proposes the address hiding protocol (AHP), a relatively simple mechanism intended to improve Internet users’ privacy. The protocol is deployed by ISPs and works by substituting the IP address:port pairs of clients, so that the size of an ISP’s address pool becomes the anonymity set for its clients. AHP is meant to be a pragmatic middle ground between next-generation Internet architectures and overlay anonymity networks. Clients don’t need to support AHP; it works transparently for them. If the security properties are not strong enough for clients, they can layer another anonymity network on top of AHP. It’s great to see that the authors thought about real-world deployment: they discuss incentives for ISPs and practical issues such as long-lived flows and supporting P2P applications.
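To make the mechanism concrete, here is an added Python model of an ISP-side AHP translator; it is not code from the paper or its authors, and the class name, the per-flow table keyed by destination, and the pool contents are assumptions. It shows the three properties the text describes: each flow gets a fresh address:port from the ISP pool, long-lived flows keep their mapping, and the ISP retains a reverse mapping so it can still attribute a hidden address to a customer.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AhpTranslator:
    """Simplified model (assumption, not the paper's implementation) of an
    ISP-side AHP translator. Every new outbound flow is given a random
    (pool_ip, pool_port) from the ISP's pool; the mapping is stored so the
    ISP alone can resolve a hidden address back to the customer."""
    pool: list[str]                       # ISP address pool = anonymity set
    ports: range = range(1024, 65536)     # ephemeral port range per pool IP
    forward: dict = field(default_factory=dict)  # (client_ip, client_port, dst) -> ext
    reverse: dict = field(default_factory=dict)  # ext -> (client_ip, client_port)

    def translate(self, client_ip: str, client_port: int, dst: str) -> tuple[str, int]:
        """Return the external address:port used for this flow."""
        key = (client_ip, client_port, dst)
        if key in self.forward:           # long-lived flow: keep its mapping stable
            return self.forward[key]
        while True:                       # draw an unused pair from the pool
            ext = (secrets.choice(self.pool), secrets.choice(self.ports))
            if ext not in self.reverse:
                break
        self.forward[key] = ext
        self.reverse[ext] = (client_ip, client_port)
        return ext

    def identify(self, pool_ip: str, pool_port: int):
        """ISP-only lookup: which customer is behind a hidden address:port?"""
        return self.reverse.get((pool_ip, pool_port))

    def anonymity_set_size(self) -> int:
        """An outside observer can only narrow a flow down to the whole pool."""
        return len(self.pool)

if __name__ == "__main__":
    # Constructed sample pool: a /24 of documentation addresses.
    isp = AhpTranslator(pool=[f"203.0.113.{i}" for i in range(256)])
    a = isp.translate("10.0.0.7", 51000, "198.51.100.1:443")
    b = isp.translate("10.0.0.7", 51001, "198.51.100.2:443")
    print("flow 1 seen as", a, "flow 2 seen as", b)      # independent per flow
    print("ISP resolves", a, "to", isp.identify(*a))    # still attributable
```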
I like that the paper talks about incentives. Why would ISPs deploy AHP? The paper mostly talks about legal requirements of U.S. ISPs; in particular the ability to identify customers if law enforcement shows up with a “hidden” address. While that’s important, I missed a discussion of incentives beyond legal requirements. In some paragraphs, the authors suggest that the mere existence of a privacy-preserving feature would make the ISP attractive to customers, and hence be the primary reason to adopt AHP. I’m not convinced that it is that easy.
A lot has happened since the paper was written in 2009. Most importantly, my feeling is that the tracking business has moved from IP addresses to upper layers, and uses cookies and device fingerprinting. I think there is also quite a bit more IP address mobility since 2009. People often own multiple devices and connect to numerous networks throughout the day, especially with smartphones. While AHP might have been attractive to ISPs in 2009, I am not sure if that is still the case, especially given that AHP is unable to defend against attacks such as device fingerprinting. The authors correctly argue that anonymity systems such as Tor can be layered on top of AHP, but that point seems a bit moot.