SwarmScreen - Privacy Through Plausible Deniability in P2P Systems

The short story

The main goal of this plugin is to make it harder for an attacker to figure out your downloading habits in BitTorrent. One of the reasons BitTorrent works so well is that it lets you download from large numbers of connections -- but these same connections offer multiple of opportunities for eavesdropping. Our recent study of the BitTorrent network shows that user connection patterns reveal strong communities that enable a guilt-by-association attack, where an entire community of users can be classified by monitoring one of its members. With P2P networks increasingly under surveillance from private and government organizations, SwarmScreen provides a practical and effective solution to disrupt these attacks.

SwarmScreen protects you by hiding your real BitTorrent traffic in a sea of connections to randomly selected torrents. So that you don't look suspicious, SwarmScreen carefully adjusts random connections to appear the same as your real ones. Won't this slow down my downloads? you ask. Of course: but SwarmScreen offers you an intuitive tuning knob to control the privacy/performance tradeoff -- higher privacy may result in some performance loss as some of your bandwidth is allocated to hide your real traffic. We call our tuning knob SPF (SwarmScreen Protection Factor) -- analagous to sunscreen, the higher the setting, the more privacy you get. Lower SPF values reduce privacy but give you better download performance, so you can pick the trade-off between privacy and performance.

Our SwarmScreen plugin, which seamlessly installs into the Vuze/Azureus BitTorrent client, can be downloaded from the bottom of this page.

Translators: If you're interested in translating SwarmScreen messages into another langauge, download the messages file, translate it and send it to This email address is being protected from spambots. You need JavaScript enabled to view it. . Update: We now have translations for the following languages: French, Italian, Portuguese, Slovakian, Russian, Polish, Chinese and Catalan. Thanks to all the volunteers who have submitted translations so far!

Updates

  • 4/15/2009: New version with lots of great translations is mainlined. Thanks everyone!
  • 3/9/2009: First version (0.2) released!

Why SwarmScreen

SwarmScreen gets its moniker from the fact that you use multiple swarms to hide your real traffic. It also kind of sounds like sunscreen, so SPF seemed like a good name for the feature that allows you to specify the performance/privacy trade-off.

For the technical crowd

Peer-to-peer computing has enabled a wide range of new and important Internet applications ranging from largescale data distribution to video streaming and telephony. The approach provides scalability, reliability and high performance by taking advantage of large-number of cooperative, interconnected hosts.

While much of the strength of the P2P model lies on the large numbers of connections among participating nodes, these same connections offer multiple of opportunities for eavesdropping. With P2P networks increasingly under surveillance from private and government organizations, there is an urgent need for privacy-enhancing systems that are both effective and practical. A number of efforts attempt to conceal connection data with private, trusted networks and variable levels of encryption. Although effective at restricting access to the content exchanged over a given connection, many existing approaches leave the existence of the connection itself visible. In our tech report, we show that these connections erode user privacy in a way that is ignored by most distributed systems and transparent to end users.

This work focuses on the BitTorrent file-sharing network where peers connect solely on the basis of common and concurrent interest in the same content, rather than on friendship, common language or geographic proximity. Using connection patterns gathered from BitTorrent users, we study the existence of communities -- collections of peers significantly more likely to connect to each other than to other random peers. We show that strong communities naturally form in BitTorrent, with users inside a typical community being 5 to 25 times more likely to connect to each other than with users outside. Historically, this ability to classify users has been abused by third parties in ways that violate individual privacy. We show how these strong communities enable a guilt-by- association attack, where an entire community of users can be classified by monitoring one of its members. Our study demonstrates that, through a single observation point, an attacker trying to identify such communities can reveal 50% of the network using only knowledge about a peer's neighbors and their neighbors (i.e., up to two hops away). Further, an attacker monitoring only 1% of the network can correctly assign users to their communities of interest more than 86% of the time.

To address this threat, we propose a new privacy-preserving layer for P2P systems that obfuscates user-generated network behavior. We show that a user can achieve plausible deniability by simply adding a small percent (between 25 and 50%) of additional random connections that are statistically indistinguishable from natural ones. Based on this result, we designed SwarmScreen, a system that generates such connections by participating in randomly selected torrents without appearing suspicious.

People

Publications

Resources

Frequently Asked Questions

  • Why not just use encryption? Or Tor? Encryption prevents eavesdroppers from inspecting your packet data, but our study shows that an attacker need only monitor your connection patterns -- not the data -- to classify you. Tor disguises the remote endpoint of your connections, but is not meant for P2P. Recent studies show that downloads slow by a factor of 10 when using systems like Tor. SwarmScreen provides privacy against classification while letting you set the slowdown factor.
  • If SwarmScreen downloads random torrents, won't this get me in trouble with the law? First, SwarmScreen does not download any torrents unless you tell it to. Even then, you must specifically tell it where to find content. In our Quick Start guide, we suggest how to set this up so that the content SwarmScreen chooses is safe. For high levels of privacy, we recommend using connection encryption to ensure that eavesdroppers cannot tell what content you are actually transferring.
    There is another question regarding the legality of caching and retransmitting of potentially copyrighted content. The short answer is that we are not lawyers, so we cannot give you advice. We'd like to point out, however, that the issue has been explored in the context of anonymizing proxy systems like Tor.
  • What is SPF? SPF is the SwarmScreen Protection Factor, an intuitive way to set your privacy level. Think of it as suncreen SPF: Anything above 50 is technically better for you, but is not required for protection. Use a value that is too small, however, and you might get burnt. SPF also controls how much overhead SwarmScreen will impose -- the lower the SPF, the more bandwidth is allocated to the torrents you want to keep.
  • Why use the Vuze/Azureus BitTorrent client? For one, it's probably the most popular client in terms of use, so targeting Vuze gives us the greatest potential impact. Additionally, Vuze is Java-based, meaning anyone can run their software (and ours). Finally, Vuze offers a convenient plugin feature, requiring no changes to your existing Vuze client. And once you're running SwarmScreen, it will automatically search for new versions and update itself for you!
  • Does this work with my operating system? In short, yes. SwarmScreen relies only on Vuze, so it should work anywhere that Vuze works. If you encounter a problem, please let us know!

Known Issues

  • All of my download rates suddenly drop to zero during the first few minutes of running Vuze. There appears to be some kind of file-allocation issue, at least for Windows, when starting many torrents at once. We are currently developing a workaround for this issue.