HisTorε: Differentially Private and Robust Statistics Collection for Tor

Author(s): Akshaya Mani, Micah Sherr

Download: Paper (PDF)

Date: 27 Feb 2017

Document Type: Reports

Additional Documents: Slides Video

Associated Event: NDSS Symposium 2017

Abstract:

A large volume of existing research attempts to understand who uses Tor and how the network is used (and misused). However, conducting measurements on the live Tor network, if done improperly, can endanger the security and anonymity of the millions of users who depend on the network to enhance their online privacy. Indeed, several existing measurement studies of Tor have been heavily criticized for unsafe research practices.

Tor needs privacy-preserving methods of gathering statistics. The recently proposed PrivEx system demonstrates how data can be safely collected on Tor using techniques from differential privacy. However, as we demonstrate in this paper, the integrity of the statistics reported by PrivEx is brittle under realistic deployment conditions. An adversary who operates even a single relay in the volunteer-operated anonymity network can arbitrarily influence the result of PrivEx queries. We argue that a safe and useful data collection mechanism must provide both privacy and integrity protections.

This paper presents HisTor , a privacy-preserving statistics collection scheme based on ( ;  )-differential privacy that is robust against adversarial manipulation. We formalize the security guarantees of HisTor  and show using historical data from the Tor Project that HisTor  provides useful data collection and reporting with low bandwidth and processing overheads.