Metadata Privacy Beyond Tunneling for Instant Messaging

TL;DR

This paper introduces a new approach to metadata privacy in instant messaging by enabling deniable traffic, using formal models and extending existing protocols like Signal to support low-latency, deniable communication.

Contribution

It presents a formal framework for metadata privacy with deniable traffic and extends the Signal protocol to support deniable instant messaging, bridging information flow control and anonymous communication.

Findings

Deniable traffic achieves metadata privacy against strong adversaries.

The DenIM protocol extends Signal to support deniable instant messaging.

The proof-of-concept maintains low latency and feature compatibility.

Abstract

Transport layer data leaks metadata unintentionally -- such as who communicates with whom. While tools for strong transport layer privacy exist, they have adoption obstacles, including performance overheads incompatible with mobile devices. We posit that by changing the objective of metadata privacy for $\textit{all traffic}$, we can open up a new design space for pragmatic approaches to transport layer privacy. As a first step in this direction, we propose using techniques from information flow control and present a principled approach to constructing formal models of systems with metadata privacy for $\textit{some}$, deniable, traffic. We prove that deniable traffic achieves metadata privacy against strong adversaries -- this constitutes the first bridging of information flow control and anonymous communication to our knowledge. Additionally, we show that existing state-of-the-art protocols can be extended to support metadata privacy, by designing a novel protocol for $\textit{deniable instant messaging}$ (DenIM), which is a variant of the Signal protocol. To show the efficacy of our approach, we implement and evaluate a proof-of-concept instant messaging system running DenIM on top of unmodified Signal. We empirically show that the DenIM on Signal can maintain low-latency for unmodified Signal traffic without breaking existing features, while at the same time supporting deniable Signal traffic.