Transport layer data leaks metadata unintentionally -- such as who communicates with whom. While tools for strong transport layer privacy exist, they have adoption obstacles, including performance overheads incompatible with mobile devices. We posit that by changing the objective of metadata privacy for $\textit{all traffic}$, we can open up a new design space for pragmatic approaches to transport layer privacy. As a first step in this direction, we propose using techniques from information flow control and present a principled approach to constructing formal models of systems with metadata privacy for $\textit{some}$, deniable, traffic. We prove that deniable traffic achieves metadata privacy against strong adversaries -- this constitutes the first bridging of information flow control and anonymous communication to our knowledge. Additionally, we show that existing state-of-the-art protocols can be extended to support metadata privacy, by designing a novel protocol for $\textit{deniable instant messaging}$ (DenIM), which is a variant of the Signal protocol. To show the efficacy of our approach, we implement and evaluate a proof-of-concept instant messaging system running DenIM on top of unmodified Signal. We empirically show that the DenIM on Signal can maintain low-latency for unmodified Signal traffic without breaking existing features, while at the same time supporting deniable Signal traffic.

翻译：传输层数据会无意泄露元数据——例如谁在与谁通信。尽管存在强传输层隐私保护工具，但其应用面临障碍，包括与移动设备不兼容的性能开销。我们提出通过改变针对“所有流量”的元数据隐私目标，可为传输层隐私的务实方案开辟新的设计空间。作为该方向的第一步，我们提议采用信息流控制技术，并提出了构建具有“部分”可否认流量的元数据隐私系统形式化模型的规范化方法。我们证明可否认流量能抵御强敌手的元数据隐私攻击——据我们所知，这首次桥接了信息流控制与匿名通信领域。此外，我们设计了一种新型“可否认即时通讯”（DenIM）协议（Signal协议的变体），表明现有最先进的协议可扩展以支持元数据隐私。为验证方法有效性，我们在未修改的Signal协议上实现并评估了运行DenIM的概念验证即时通讯系统。实验证明，DenIM协议在保持未修改Signal流量低延迟且不破坏现有功能的同时，可支持可否认性Signal流量。