While anonymity networks such as Tor provide invaluable privacy guarantees to society, they also enable all kinds of criminal activities. Consequently, many blameless citizens shy away from protecting their privacy using such technology for fear of being associated with criminals. To grasp the potential for alternative privacy protection for those users, we design Seldom, an anonymity network with integrated selective deanonymization that disincentivizes criminal activity. Seldom enables law enforcement agencies to selectively access otherwise anonymized identities of misbehaving users, while providing technical guarantees preventing these access rights from being misused. Seldom further ensures translucency, as each access request is approved by a trustworthy consortium of impartial entities and eventually disclosed to the public (without interfering with ongoing investigations). To demonstrate Seldom's feasibility and applicability, we base our implementation on Tor, the most widely used anonymity network. Our evaluation indicates minimal latency, processing, and bandwidth overheads compared to Tor, while Seldom's main costs stem from storing flow records and encrypted identities. With at most 636 TB of storage required in total to retain the encrypted identifiers of a Tor-sized network for two years, Seldom provides a practical and deployable technical solution to the inherent problem of criminal activities in anonymity networks. As such, Seldom sheds new light on the potential and limitations of integrating selective deanonymization into anonymity networks.