You are here: Resources > FIDIS Deliverables > HighTechID > D3.3: Study on Mobile Identity Management > 

D3.3: Study on Mobile Identity Management

Freiburg Privacy Diamond  Study on Mobile Identity Management
 Privacy Risk of User Agent Systems in WAP based Systems


Privacy in mobile ad hoc Networks


Mobile ad hoc networks can be defined as mobile platforms or nodes that can move freely and establish ephemera wireless networks without central entities to control it. At a first glance, mobile ad hoc networks may not seem directly related to mobile identity management. However, identity management does not necessarily imply a client-server structure where a user is communicating with a server. Also peer-to-peer scenarios in which users communicate directly with other users are of interest in the context of mobile identity management. As seen in the scenarios later described in this chapter, mobile ad hoc networks constitute a technical infrastructure that could provide a base for both traditional client-server applications as well as peer-to-peer applications.

Mobile ad hoc networks are a fundamental building block for ubiquitous computing (also referred as pervasive computing or ambient intelligence, see sections 2.6 and 2.7) and sensor networking, two major technologies that will have a great impact in several areas, such as environmental control, surveillance, advertisement, marketing, business modelling, etc. However, these two technologies will have a huge impact on privacy as they can be used to track people and also monitor their behaviour. A general definition for ubiquitous computing is a computing infrastructure for getting information everywhere, at any time, being accessed through invisible interfaces. Instead of data being input via conventional interfaces such as a keyboard or a mouse, it enters the system via ubiquitous sensors in the user’s environment. Ubiquitous computing has a large spectrum of potential applications and highly futuristic fully networked environments can be imagined. Sensor networks are a special kind of computer networks composed of several nodes that communicate using wireless interfaces and are spread in a determined geographical area. They have as goal to collect environmental information through embedded sensors and transmit it back to one or more computers, called sinks. Sensor network applications include among others: environmental data acquisition, surveillance and embedded sensors in vehicles, for instance.

As discussed above, these new technologies make promises of revolutionary applications that may change our way of living. However, the other side of the coin is that these technologies can harm people’s privacy. Mobile ad hoc networks, sensor networks and ubiquitous computing can be used for tracking people and their habits. In addition, profiles can be built with the acquired data and real big brother scenarios can be foreseen.

Introduction to scenarios

The concept of mobile ad hoc networks provides many challenges to privacy. Vast amounts of potentially sensitive data are being transmitted among the mobile devices in the network, where some of these data may be highly sensitive data about for example the owners of the devices. 

In order to illustrate different potential privacy problems in the mobile ad hoc domain, two different usage scenarios have been defined. In the first scenario (the mobile Internet scenario) a user (called John Smith in the scenarios) in a mobile ad hoc domain makes use of services on the mobile Internet through the mobile ad hoc network. In the second scenario (the intra ad hoc scenario) the user Jim wants to communicate to another user within the mobile ad hoc network.

These scenarios are presented in two different versions; firstly one version where privacy problems have not been fully considered and secondly one “privacy-enhanced” version where the privacy needs of the user are embraced. The initial version of the scenarios is used to illustrate a number of imaginable privacy problems for the user. In the second version of the scenarios, anonymity technologies are introduced in the technical environment as a countermeasure to these privacy problems. These technical solutions aim at providing anonymity for the users by offering non-linkability of transactions. Thus, this section does not describe a full-fledged identity management solution. However, in order to offer identity management applications, anonymity is needed as an underlying base. The technical solution presented in this section could provide a base for a more advanced identity management application. 

Initial usage scenarios

Scenario one – the mobile Internet Scenario 

In this scenario John Smith is visiting a pub in an area often populated by people interested in new technologies. At the pub, John is participating in a mobile ad hoc network to which he is connected via his new mobile phone. Using Mobile IPv4, John is also connected to the mobile Internet via the mobile ad hoc domain. John is downloading streaming video from a WAP server on the mobile Internet which he views on his mobile phone. Since John is interested in stocks, he is downloading video material teaching him how to be a successful man on the stock market.

Scenario two – the intra ad hoc Scenario

In the second scenario John feels a bit lonely. Since the pub is crowded with people, he uses his mobile telephone to find out if any of the people in the pub are using “Instant Mobile Dating”, a popular mobile dating application in this scenario. When going online, he immediately finds a matching profile in the pub and therefore spontaneously initiates a chat session. John and his chatting partner share many similar interests and after some minutes of virtual conversation, they decide that they have built up enough mutual trust to join tables and continue their discussion in person. 

Privacy problems in the scenarios

There are many concerns for privacy in the scenarios described above. In the first scenario John feels a bit uneasy about letting other people know about his interest in the stock market. He is a bit worried that someone would use this knowledge to deduce that John is a wealthy man and therefore follow him and later rob him. Also, John does not really trust the company hosting the video streams that he is downloading. John fears that the company will gather profile information about him and later possibly sell this information to other companies so that he will eventually be flooded with vast amount of unwanted commercial information.  

In the second scenario, John also worries about his privacy. He does not want other people at the pub to know that he is feeling lonely and depressed. Therefore he does not want other people to know that he is participating in the mobile dating service. Also, he is a bit afraid that his chatting partners at the pub may be pranksters that will figure out the identity and physical location of John and then make fun out of him. John wants to be completely anonymous when using the dating application until John himself decides otherwise. 

One additional issue also concerns John - the issue of location privacy. In MobileIP, the concept of a home agent is used to allow users to be reachable when they are travelling to other locations, like John is doing in the scenarios. The home agent (often operated by the Internet service provider) is a static part of the infrastructure that always keeps track of the user’s whereabouts when roaming. It has been pointed out that location data within this kind of traffic data, even though it is less precise, can also contain sensitive information about the “relative positioning” and “co-located displacements” of mobile nodes and thus also require special protection (Escudero-Pascual, Holleboom and Fischer-Hübner, 2002). The home agents in mobile nodes’ home networks keep track of the mobile nodes’ care-of addresses in order to tunnel datagrams for delivery to the mobile nodes when they are away from home. They are thus critical aggregation points that can possibly store and compare communication profiles of mobile nodes. Thus, John’s home agent is building up a user profile of John that includes his travelling habits. John is concerned by this and he want to be able to roam among different foreign networks without being constantly localised by his Internet service provider (or whatever entity that operates the home agent). The issue of locations privacy are dealt with separately in section 3.2.6. 

Privacy-enhanced usage scenarios

Scenario three – privacy-enhanced Internet scenario 

Based on the discussion in the previous section, the privacy-enhanced version of the mobile Internet scenario aims at (1) stopping other visitors at the pub eavesdropping on the communication between John and the WAP server and (2) hinder the WAP server to pool information about John in order to create an extensive user profile about him and to trace John’s locations. 

To address the privacy problems mentioned above, John and other visitors at the pub are jointly participating in an anonymous overlay network that resides on top of the existing mobile ad hoc network. An overlay network is a virtual network of nodes and logical links which is built on top of an existing network and which implements network services not available in the existing network. In this case, the purpose of the anonymous overlay network is to provide anonymous communication for the members of the network. Since static infrastructure is not available in ad hoc networks, every member in the overlay network constitutes of a node in the network themselves and communication is routed along these nodes according to the rules of the protocol in the overlay network. The logical links along which the communication in the overlay network is routed are called ‘virtual paths’. If John now downloads streaming media from the WAP server on the traditional Internet, as described in the first scenario, neither outsiders (people at the pub not participating in the anonymous network) nor insiders (participants of the anonymous network) can learn the fact that it is John that is downloading the streaming media.

In figure 3-3 below, the privacy-enhanced version of the mobile Internet scenario is illustrated. The numbers in the figure 3-3 corresponds to the members of the anonymous network. Since MobileIP v4 is used to interconnect the mobile ad hoc domain and the wired domain, each member has a home agent residing at his home link / network. When John (the user denoted “3” in the figure 3-3) communicates with the WAP server, the communication is first routed along the virtual path in the left part of figure 1 that was built up in the anonymous overlay network for this session. Then, after passing the access point (denoted AP) and the foreign agent (denoted FA), the request eventually reaches the WAP server. On the way back, the reply also passes the home agent of the last node in the virtual path (denoted HA4). This is necessary in order to find the foreign network hosting the mobile ad hoc network.

Figure 3-3: The privacy-enhanced Internet scenario 


Scenario four – privacy-enhanced intra ad hoc scenario 

The goal of the privacy-enhanced version of the intra ad hoc scenario is to (1) stop other participants in the mobile ad hoc network learning that John is using a mobile dating server and (2) stop them from knowing with whom he is communicating. Furthermore, (3) he wants to be anonymous against his chat partner until he decides the level of mutual trust is high enough to reveal his identity.

To fulfil these privacy needs, John participates in the same anonymous overlay network as the one described above in the privacy-enhanced mobile Internet scenario. Figure 3-4 below illustrates the privacy-enhanced version of the intra ad hoc scenario. In this figure, the node “J” represents John and the node “C” represents his chatting partner. Besides guaranteeing anonymity towards his chatting partner, John also has the possibility to be anonymous towards both outsiders and insiders.

Figure 3-4: The privacy-enhanced intra ad hoc scenario 


Ensuring location privacy in mobile ad hoc networks

If John does not want the home agent to know about his location in the first scenario, some additional technical means to protect location privacy have to been introduced in the wired domain. It is not possible to solve the location privacy problem in the mobile ad hoc domain, since the problem originates from the concept of the home agents in MobileIP. One possible solution is to combine the anonymous overlay network in the mobile ad hoc domain with an Internet-based solution that protects location data in MobileIP.

One solution is the Flying Freedom System (Escudero-Pascual, Heidenfalk and Heselius, 2001), where a set of protected extensions in the mix-based Freedom System architecture were introduced to permit a mobile node to seamlessly roam among IP subnetworks and media types while remaining untraceable and pseudonymous. This solution is illustrated in figure 3-5 below. Now, when a user is roaming among different foreign networks, the home agent only knows that it is forwarding messages to the Flying Freedom server (FF in the figure). After passing an anonymous communication network based on Chaumian Mixes, the request is eventually forwarded to the foreign agent (denoted FA). 

Figure 3-5: Using the Flying Freedom System to achieve location privacy 


Finally, another (probably more ungainly) solution would be to require the user to operate his / her own home agent that is under his / her own control. 

Future Work

New developments of anonymity technologies are needed to adapt existing solutions to the new challenging area of mobile ad hoc networks. For example, the scenarios assumed a sound anonymous overlay network in the mobile ad hoc domain that both provides strong anonymity and fits the characteristics of mobile ad hoc networks. A number of solutions for anonymous communication on the traditional Internet already exist today, such as Chaumian Mixes (Chaum, 1981), Crowds (Reiter and Rubin, 1997) and Tor (Dingledine, Mathewson and Syverson, 2004). However the special nature of mobile ad hoc network makes these anonymity technologies infeasible (see section 5.3). Even peer-to-peer based solutions like Tarzan (Freedman and Morris, 2002) and MorphMix (Rennhard and Platter, 2002) do not fully meet the requirements for mobile ad hoc networks. Thus, in order to guarantee privacy in mobile ad hoc networks, new anonymity technologies have to be developed that fully meets the needs for mobile ad hoc network environments or existing ones need to be updated. Karlstad University is currently developing an anonymous overlay network suited for mobile ad hoc networks.


Freiburg Privacy Diamond  fidis-wp3-del3.3.study_on_mobile_identity_management.final_04.sxw  Privacy Risk of User Agent Systems in WAP based Systems
15 / 36