What is anonymity?

In the context of Privacy Enhancing Technologies (PET) [PET], what people usually mean by anonymity is unlinkability, which is still vague cause does not specify what with respect to who is unlinkable.

More specific terms related unlinkability, ie. who is talking to who with respect some adversaries with certain capabilities [AnonTerms].

  • sender anonymity
  • receiver anonymity
  • location anonymity
  • third party anonymity

Even more specific:

  • sender unobservability : whether the sender is talking at all
  • receiver unobservability

To be able to define the desired “properties” in “anonymous” communication systems, threat models should be specified.


Passive adversary

Adversary observing both ends

Can link sender and receiver by timing and volume patterns

Global Passive adversary

Active adversary

Adversary observing both ends

Confirmation attacks: Adversary can link sender and receiver by inducing timing signatures on the traffic to force distinct patters

Rogue operators

Malicious node operators. Passive or active.

Threat models

Which adversaries a system protect or does not protect against?

For instance, in Wikipedia edits:

  • Sysadmins can link one user unregistered edit to another by the IP
  • If editing in a company, the company can see the amount of data at a
    certain time which can match an be seen the public Wikipedia edit.

The following is based on [ApplicationThreatModeling] and [ThreatModelingOutputs]


What are we building?

  • architecture diagrams
  • dataflow transitions
  • data classifications

What can go wrong?

[STRIDE] and other structures can help.



Some data flow (eg. SMTP transmission of message from N1 to N2) Some data (eg. message being transmitted) Threat (eg. headers not encrypted, information disclosure), status (eg. open), severity (eg. high) Mitigation (eg. link encryption with TLS)