AT&T's new approach to Web privacy enables incognito browsing without a disguise. Crowds, developed by research scientists Mike Reiter and Avi Rubin, works like its name implies: Your browsing is obscured by a Net-surfing group.
The system works by pulling its users into "crowds." Any request made by a member is randomly forwarded to someone in the crowd, so that the target server cannot tell if the requesting party is in fact the originator of that request.
A crowd member knows the identity of everyone else in the group, but their individual requests are secret. "Our claim is that the security of an individual is reduced to the anonymity of that crowd," Rubin said. "You know that a request comes from a crowd, but you don't know which member. If a list is big enough - say, in the extreme, it's everyone in the world - then that's zero information." Even small crowds offer protection, in that a message is equally likely to have originated from any member of the crowd.
This introduces the idea of degrees of anonymity, where a user's level of anonymity can be described on a scale from "probably exposed" - not anonymous at all - to "absolute privacy," where identity cannot be traced. "What we found is that many people had a very informal sense of what anonymity meant," said AT&T's Rubin. "They just sort of said [that] either you are anonymous or you're not, black and white. And our research shows that by viewing degrees of anonymity, we can better describe the security of our system."
To use it, you run a program on your machine called jondo - named for John Doe, the unknown user - that acts as your proxy to the Web. Your request then gets interpreted by jondo, which will encrypt and forward the request to a random jondo in your crowd - including itself. The request is then re-forwarded to either the final destination Web server or another jondo. To the target Web server, the request will have appeared to originate from the machine hosting the last jondo in the path.
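The forwarding just described can be simulated to check what the target server actually observes. This is an added example, not AT&T's code: the forwarding probability of 0.75 and the member names are assumptions the article does not give, and the encryption between jondos is left out.

```python
import random
from collections import Counter

P_FORWARD = 0.75  # assumed: chance a jondo re-forwards instead of submitting


def route(origin, crowd, rng, p_forward=P_FORWARD):
    """Return the list of jondos a request passes through, origin first."""
    path = [origin]
    # The user's own jondo always hands the request to a random member,
    # and that member may be itself.
    path.append(rng.choice(crowd))
    # Each later jondo either re-forwards to another random jondo or
    # submits the request to the destination Web server.
    while rng.random() < p_forward:
        path.append(rng.choice(crowd))
    return path


def exit_distribution(origin, crowd, trials, seed=1):
    """Share of requests from `origin` that each member submits to the server."""
    rng = random.Random(seed)
    exits = Counter(route(origin, crowd, rng)[-1] for _ in range(trials))
    return {member: exits[member] / trials for member in crowd}


def mean_path_length(origin, crowd, trials, seed=2):
    """Average number of jondos on a path, counting the origin."""
    rng = random.Random(seed)
    return sum(len(route(origin, crowd, rng)) for _ in range(trials)) / trials


if __name__ == "__main__":
    # Constructed crowd of five members; every request originates at "alice".
    crowd = ["alice", "bob", "carol", "dave", "erin"]
    for member, share in exit_distribution("alice", crowd, 20000).items():
        print(f"server sees {member:5s} as the source in {share:.1%} of requests")
    print("mean jondos per path:", round(mean_path_length("alice", crowd, 20000), 2))
```

Although every request starts at one member, the server sees each of the five as the apparent source about a fifth of the time, so the last hop tells it nothing beyond crowd membership.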
"The only people that this wouldn't be right for," said Rubin, "are people that are really worried that they'll be associated with a crowd." While you are responsible for your own requests, you cannot control the requests of others, which might appear to the end server to have originated from your machine. "That's an inherent property of this kind of anonymity, that you're part of this crowd for better or for worse - nobody can pin anything on you, but you're going to participate in all the actions of the crowd," he said.
Finding a group of Crowds users to get lost in is up to you. While it's not inherent to the Crowds mechanism, AT&T has set up a "blender" app that allows you to join its publicly accessible crowd of users. Some form of access control is necessary; otherwise the crowd would be open to abuse.
The AT&T crowd is currently limited to those with high-speed access - using it with a slow link to the Net will hurt the performance of other users. But new crowds could be established for other purposes, such as one formed exclusively for those with slow connections. "When people find that they have needs that are not compatible with a crowd, they'll form their own," said Rubin. "I can see 20 or 30 people meeting at a conference saying, 'Let's all provide each other anonymity. Let's form our own crowd and only let each other into it.'"
Of course, the larger the crowd, the better the anonymity - and research has found that as the crowd grows, it scales better, so performance also improves. "The thing is, you've got all these hops and everyone is participating in all these paths of all these requests," said Rubin. "If you have more users, you have more capacity in the system, so that your path can now be routed through more people - and that overshadows the extra work of having more people involved."
Another technology being used for anonymous browsing, Lucent Technologies' Lucent Personalized Web Assistant, acts as a standalone anonymous server, even generating anonymous user accounts for sites that require registration. While there is no formal relationship between AT&T's Crowds and Lucent's LPWA, researchers at the two companies have recently talked about the idea of combining the systems to get a dual functionality. "We worked on these systems independently of each other, and we came up with systems which are pretty complementary," said Alain Mayer, one of LPWA's developers.
AT&T hopes that Crowds usage will continue to increase, but all the company stands to gain is publicity - the software is free, and even the source code is freely available upon request. However, the company is restricted by US export law in giving copies to non-US residents, and must first make sure that the requesting party is not on the National Security Agency's list of those forbidden to obtain crypto code. While this situation hasn't arisen yet, Rubin says AT&T is obligated to deny requests from any parties on this NSA-supplied list.
Crowds runs on several flavors of Unix, and plans are being made to port it - possibly in Java - to Windows. "I don't think until we get it out [on Windows] we could get mass global usage of this thing," said Rubin. In the extreme, he thinks AT&T could form a partnership with an ISP, or use its WorldNet service, to get it built into a browser by default. Users then could just click a button to join the crowd. "That's our vision, what we hope happens some day," he said.