Data aggregation is a key aspect of many distributed appli-

cations, such as distributed sensing, performance monitoring, and dis-

tributed diagnostics. In such settings, user anonymity is a key concern of

the participants. In the absence of an assurance of anonymity, users may

be reluctant to contribute data such as their location or configuration

settings on their computer.

In this paper, we present the design, analysis, implementation, and eval-

uation of Anonygator, an anonymity-preserving data aggregation ser-

vice for large-scale distributed applications. Anonygator uses anonymous

routing to provide user anonymity by disassociating messages from the

hosts that generated them. It prevents malicious users from uploading

disproportionate amounts of spurious data by using a light-weight ac-

counting scheme. Finally, Anonygator maintains overall system scalabil-

ity by employing a novel distributed tree-based data aggregation pro-

cedure that is robust to pollution attacks. All of these components are

tuned by a customization tool, with a view to achieve specific anonymity,

pollution resistance, and efficiency goals. We have implemented Anony-

gator as a service and have used it to prototype three applications, one

of which we have evaluated on PlanetLab. The other two have been

evaluated on a local testbed.

In  ACM/IFIP/USENIX 11th International Middleware Conference

Details