A new contract solicitation is seeking technologies to help use the internet anonymously. Maybe part of the government wants freedom from NSA spying??? A new SBIR contract does just that – AF141-058: Architecture for Enterprise Anonymization
OBJECTIVE: Develop innovative methods for ensuring privacy and operations security (OPSEC) for individual users across an enterprise while searching, browsing or chatting on the Web. DESCRIPTION: Consider the following scenario: An important meeting is held at an Air Force organization. Immediately afterward there is a spike in web searches coming from that organization. Identification of the topic and impact of that meeting will be a trivial thing for a search provider. Spikes in web traffic are regularly evaluated by search providers to identify trends or to give users more”personalized”search results. What else this data is (or could be) used for is left up to the imagination. In addition to search provider concerns, data aggregators also exist who work with many partners to discern a user”s Internet activity. In recent years the traditional threats to our industrial and military security have largely been replaced with the ubiquitous threats that come through the Internet. Physical and communications security is still important but the Web is an open channel for monitoring our organization”s interest and activities. This is also a threat that we do not know how to close or even minimize for rank-and-file members of large enterprises. In the Department of Defense, the need for privacy is embodied in our OPSEC program. The purpose of OPSEC is to identify critical information and analyze our actions with the intent to deny adversaries any indications of our operations and activities. In private industry, a similar concern is that of industrial espionage. Back as far as 1998, there was an estimate of $300 billion a year in potential loss to corporate America from theft of intellectual property. Current methods available to anonymize our Internet traffic fall far short of that which would be required to truly protect us. The Tor routing service provides a big step in this direction but, for enterprise use, there are issues with speed, scalability and concerns about loss of anonymity at entry and exit nodes. Tor also does not address machine fingerprinting, browser history analysis, cookies and auto fill data hijacking. Proxy servers can change the IP address of the specific user but the proxy rarely will cover the identity of the organization that this person belongs to. Even when networking parameters are completely obfuscated, the traffic is still subject to fingerprinting techniques that can identify a specific machine or user. This effort will develop architectures for privacy and OPSEC that will anonymize Internet search and browsing such that actions cannot be attributed to either an individual or organization. The solution shall be scalable across entire enterprises consisting of 1,000 or more client machines. It shall disrupt machine fingerprinting methods, all types of cookies, browser history analysis, form auto fill data hijacking, online behavior fingerprinting and network layer identity clues. The architecture can include a combination of currently available tools and appliances and/or new software, routing protocols or policy. The solution shall not rely on an outside entity to scrub our traffic since this would reveal our raw traffic to that entity. A demonstration of the technology shall be done such that the feasibility of this architecture for enterprise privacy/OPSEC can be verified. PHASE I: 1) Design notional architecture(s) for privacy and OPSEC during Internet search, browsing and chat that is scalable across a large enterprise. 2) Define alternate methods or components where diversity may provide a more robust solution. 3) Proof-of-feasibility demonstration of key enabling concepts. PHASE II: 1) Develop and demonstrate a prototype that implements the Phase I methodology, 2) identify appropriate performance metrics for evaluation, and 3) detail the plan for the Phase III effort. PHASE III DUAL USE APPLICATIONS: MILITARY USE: OPSEC for DoD and other government enterprises during Internet search and browsing requires innovative methods and a robust, scalable solution. COMMERCIAL USE: Successful private architectures should be readily adopted by industry concerned with industrial espionage.