Enlisting ISPs to Improve Online Privacy: IP Address Mixing by Default
This paper proposes the address hiding protocol (AHP), a relatively simple mechanism that is meant to improve Internet users’ privacy. The protocol is meant to be deployed by ISPs, and works by substituting the IP address:port pairs of clients. The size of an ISP’s address pool becomes the anonymity set for its clients. AHP is meant to be a pragmatic middle ground between next-generation Internet architectures and overlay anonymity networks. Clients don’t need to support AHP—it works transparently for them. If the security properties are not strong enough for clients, they can also layer another anonymity network on top of AHP. It’s great to see that the authors thought about real-world deployment. They discuss incentives for ISPs and practical issues such as long-lived flows and supporting P2P applications.
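As an added illustration of the mechanism as described above (my own sketch, not code from the paper or its authors): a small Python model of an ISP-side translation table that maps each client flow to a random address:port pair from the ISP's pool, keeps that mapping for the life of the flow so long-lived connections survive, and retains a log so the ISP can later answer which subscriber was behind a given hidden address. The pool size, the port range and the use of a NAT-style flow key are my assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One client flow, keyed the way a NAT would key it (assumption)."""
    client_ip: str
    client_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    start: float
    end: Optional[float]
    hidden: Tuple[str, int]   # (pool address, port) as seen by the remote peer
    flow: Flow


class AddressHider:
    """Substitutes each client flow's IP:port with a random pair from the ISP pool."""

    def __init__(self, pool_cidr: str, seed: Optional[int] = None):
        self.pool = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        self.rng = random.Random(seed)
        self.active: Dict[Flow, Mapping] = {}
        self.log: List[Mapping] = []   # retained so the ISP can answer lawful requests

    def anonymity_set_size(self) -> int:
        # To an outside observer a client could be behind any address in the pool.
        return len(self.pool)

    def translate(self, flow: Flow, now: float) -> Tuple[str, int]:
        # A long-lived flow must keep its mapping, or the connection breaks.
        if flow in self.active:
            return self.active[flow].hidden
        taken = {(m.hidden, m.flow.dst_ip, m.flow.dst_port) for m in self.active.values()}
        while True:
            hidden = (self.rng.choice(self.pool), self.rng.randint(1024, 65535))
            if (hidden, flow.dst_ip, flow.dst_port) not in taken:
                break
        m = Mapping(now, None, hidden, flow)
        self.active[flow] = m
        self.log.append(m)
        return hidden

    def release(self, flow: Flow, now: float) -> None:
        self.active.pop(flow).end = now

    def identify(self, hidden: Tuple[str, int], dst_ip: str, dst_port: int, at: float):
        # Which subscriber was behind this hidden address:port at time `at`?
        for m in self.log:
            if (m.hidden == hidden and (m.flow.dst_ip, m.flow.dst_port) == (dst_ip, dst_port)
                    and m.start <= at and (m.end is None or at <= m.end)):
                return (m.flow.client_ip, m.flow.client_port)
        return None
```

The log is what turns the "hidden" address back into a customer, so its retention period and access controls are where the privacy of the scheme is actually decided.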
I like that the paper talks about incentives. Why would ISPs deploy AHP? The paper mostly talks about legal requirements of U.S. ISPs; in particular the ability to identify customers if law enforcement shows up with a “hidden” address. While that’s important, I missed a discussion of incentives beyond legal requirements. In some paragraphs, the authors suggest that the mere existence of a privacy-preserving feature would make the ISP attractive to customers, and hence be the primary reason to adopt AHP. I’m not convinced that it is that easy.