Evaluating Statistical Disclosure Attacks and Countermeasures for Anonymous Voice Calls

Abstract

Assuming a threat model of a global observer, statistical disclosure attacks have been proposed to efficiently de-anonymize communication relationships in text-based mix networks over time. It is commonly assumed that such attacks are also able to disclose call relationships in anonymous communication networks (ACNs) that support voice calls. One straightforward countermeasure is to expect users to permanently send and receive packets that mimic a Voice over IP (VoIP) call. However, this is not practical in real world scenarios, like on mobile devices. In this article, we adapt one specific statistical disclosure attack (Z-SDA-MD) to voice calls and quantitatively study less resource-intensive countermeasures. As base countermeasure, we evaluate a round-based communication model, corresponding to a timed mix. A simulation study of this scenario shows that the Z-SDA-MD is not well suited for a general disclosure of call relationships because of too many false positives. Nevertheless, the attack is able to correctly identify the most frequent relationships. Still, the accuracy in that regard may significantly be decreased by increasing the duration of one round, by decoupling actions (call setup and teardown) of caller and callee by a random number of rounds, and by occasional fake calls to a fixed set of “fake friends”. Overall, our study shows that anonymous voice calls may be implemented with an acceptable trade-off between anonymity, call setup time, and bandwidth overhead.