Privacy Preserving Web-Based Email

  • Kevin Butler
  • William Enck
  • Jennifer Plasterr
  • Patrick Traynor
  • Patrick McDaniel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4332)


Recent web-based applications offer users free services in exchange for access to their personal communication, for example on-line email services and instant messaging. The inspection and retention of user communication is generally intended to enable targeted marketing. However, unless the collecting service’s privacy policy specifically states otherwise, such records have an indefinite lifetime and may later be used or sold without restriction. In this paper, we show that it is possible to protect a user’s privacy from these risks by exploiting mutually oblivious, competing communication channels. We create virtual channels over online services (e.g., Google’s Gmail, Microsoft’s Hotmail) through which shares of messages and cryptographic keys are delivered. The message recipient uses a shared secret to identify the shares and ultimately recover the original plaintext. In so doing, we create a wired “spread-spectrum” mechanism for protecting the privacy of web-based communication. We discuss the design and implementation of our open-source Java applet, Aquinas, and consider ways that the myriad communication channels present on the Internet can be exploited to preserve privacy.
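The following Python is an added illustration of the idea stated in the abstract; it is not code from the paper and does not reproduce the Aquinas protocol or its message formats. It splits a message into n XOR shares (an n-of-n secret-splitting scheme; a threshold scheme such as Shamir's would be the k-of-n generalization), sends each share through a different simulated web-mail "channel", and tags each share with an HMAC-derived subject line so that only the holder of the shared secret can pick the shares out of mailboxes that also contain ordinary mail. The shared secret, message identifier and mailbox contents are all constructed for the example. Any single provider sees a uniformly random share and learns nothing about the plaintext; only a recipient holding all n shares and the secret can recover it.

```python
"""Toy model (added example, not the Aquinas implementation): n-of-n XOR secret
splitting of a message across independent web-mail channels, with HMAC-derived
labels so the recipient can identify the shares among unrelated mail."""
import base64
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_message(message: bytes, n: int) -> list:
    """Split message into n shares. Any n-1 shares are uniformly random, so a
    provider holding fewer than all n shares learns nothing about the message."""
    if n < 2:
        raise ValueError("need at least two channels")
    shares = [secrets.token_bytes(len(message)) for _ in range(n - 1)]
    last = message
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)  # XOR of all n shares equals the message
    return shares


def recover_message(shares: list) -> bytes:
    """Recombine shares by XORing all of them together."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


def share_label(shared_secret: bytes, msg_id: str, index: int) -> str:
    """Pseudonymous subject line: HMAC(secret, msg_id || index). Without the
    secret, labels cannot be linked to the message, the sender, or each other."""
    data = f"{msg_id}|{index}".encode()
    return hmac.new(shared_secret, data, hashlib.sha256).hexdigest()[:32]


def wrap_share(shared_secret: bytes, msg_id: str, index: int, share: bytes) -> dict:
    """Build the simulated email carried by one channel: label in the subject,
    base64 share plus an integrity MAC in the body (format is an assumption)."""
    mac = hmac.new(shared_secret, b"share|" + share, hashlib.sha256).hexdigest()
    body = base64.b64encode(share).decode() + "\n" + mac
    return {"subject": share_label(shared_secret, msg_id, index), "body": body}


def collect_shares(shared_secret: bytes, mailboxes: list, msg_id: str, n: int) -> list:
    """Recipient side: recompute the n expected labels, pull the matching mails
    out of every mailbox, verify each share's MAC, and ignore everything else."""
    expected = {share_label(shared_secret, msg_id, i): i for i in range(n)}
    found = {}
    for mailbox in mailboxes:
        for mail in mailbox:
            idx = expected.get(mail["subject"])
            if idx is None:
                continue  # ordinary mail or chaff on this channel
            b64, mac = mail["body"].split("\n")
            share = base64.b64decode(b64)
            good = hmac.new(shared_secret, b"share|" + share, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(good, mac):
                raise ValueError(f"share {idx} failed integrity check")
            found[idx] = share
    if len(found) != n:
        raise ValueError(f"only {len(found)} of {n} shares found")
    return [found[i] for i in range(n)]


def demo() -> bytes:
    """End-to-end run over three constructed mailboxes with unrelated mail mixed in."""
    secret = b"out-of-band shared secret"          # constructed; agreed off-line
    message = b"meet at the usual place, 9pm"      # constructed plaintext
    shares = split_message(message, 3)
    mailboxes = [                                  # one mailbox per competing provider
        [{"subject": "Your weekly newsletter", "body": "..."},
         wrap_share(secret, "m1", 0, shares[0])],
        [wrap_share(secret, "m1", 1, shares[1])],
        [wrap_share(secret, "m1", 2, shares[2]),
         {"subject": "Re: lunch", "body": "sure"}],
    ]
    return recover_message(collect_shares(secret, mailboxes, "m1", 3))


if __name__ == "__main__":
    print(demo().decode())
```

The labels and MACs are what let the recipient identify shares without the providers being able to: each provider sees one random-looking body under a random-looking subject. Losing any one channel (a suspended account, a dropped message) loses the whole message in this n-of-n form, which is the trade-off a threshold scheme would address.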


Keywords (machine-generated, not supplied by the authors): Virtual Channel, Message Authentication Code, Covert Channel, Application Provider, Email Account




Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Kevin Butler
  • William Enck
  • Jennifer Plasterr
  • Patrick Traynor
  • Patrick McDaniel
All authors: Systems and Internet Infrastructure Security Laboratory, The Pennsylvania State University, USA