Java Anon Proxy, also known as JAP or JonDonym, is a proxy system designed to allow browsing the Web with revocable pseudonymity. It was originally developed as part of a project of the Technische Universität Dresden, the Universität Regensburg and the Privacy Commissioner of Schleswig-Holstein. The client software is written in the Java programming language.
Cross-platform, free and open-source, it sends requests through a cascade and mixes the data streams of multiple users in order to further obfuscate the data to outsiders.
JonDonym is available for all platforms that support Java. Furthermore, ANONdroid is a JonDonym proxy client for Android.
The JonDonym client program allows the user to choose among several Mix Cascades (i.e. groups of anonymization proxies) offered by independent organizations. Users decide for themselves which of these operators they will trust, and which they won’t. This is different from peer-to-peer based anonymity networks like Tor and I2P, whose anonymization proxies are anonymous themselves, which means the users have to rely on unknown proxy operators. However, it also means that all the relays used for JonDonym-mediated connections are known and identified, and can therefore potentially be targeted very easily by hackers, governmental agencies or lobbying groups. This has for example led to the issues mentioned below, where court orders essentially gave all control over the whole system to the German government. As discussed below, solutions like international distribution of the relays and the additional use of Tor can somewhat mitigate this loss of independence.
The speed and availability of the service depend on the operators of the Mixes in the cascades and therefore vary. More users on a cascade improve anonymity, but a large number of users might diminish the speed and bandwidth available for a single user.
Cost, name change and commercial service
Use of JonDonym has been (and still is) free, but since financial backing of the original research project ran out on 22 June 2007, a startup, Jondos GmbH, was founded by members of the original project team. Jondos GmbH has taken over development and continues to work on an improved blocking resistance function that would make it easier for users from restrictive countries to get a connection to the system. To cover costs of running mix cascades and increase speed as well as anonymity, Jondos and other Internet firms launched a commercial version of the anonymizing proxy.
As a consequence, the JAP client has been renamed to JonDo and the service itself from AN.ON to JonDonym. JonDonym mix cascades are mostly operated by SMEs in multiple countries and mix cascades always include three mix servers for advanced security. As contractors of Jondos GmbH must ensure sufficient throughput of their mixes, anonymous web browsing at standard DSL speeds is possible. The cost-free Cascades are still in operation, although they do not offer the low latency, multiple Mixes per Cascade or guaranteed bandwidth the commercial ones do.
The online activities of the user can be revealed if all Mixes of a cascade work together by keeping log files and correlating their logs. However, all Mix operators have to sign a voluntary commitment not to keep such logs, and for any observer, it is difficult to infiltrate all operators in a long cascade.
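The log-correlation condition described above can be seen in a toy model. The following Python sketch is an added example, not JonDonym code: the function names, the labelling scheme and the five senders are assumptions, each mix is reduced to "shuffle and relabel one batch", and timing or traffic-volume analysis is deliberately left out.

```python
import random

def run_cascade(senders, n_mixes=3, seed=7):
    """Pass one batch through n_mixes mixes. Each mix shuffles the batch and
    relabels every message (standing in for re-encryption). Its log, if it
    kept one, maps each output label back to the input label."""
    rng = random.Random(seed)      # fixed seed so the run is reproducible
    labels = list(senders)         # at the first mix, inputs are the senders
    logs = []
    for m in range(n_mixes):
        order = labels[:]
        rng.shuffle(order)
        out = [f"m{m}-{i}" for i in range(len(order))]
        logs.append(dict(zip(out, order)))
        labels = out
    return labels, logs            # exit labels and the per-mix logs

def candidate_senders(exit_label, logs, available):
    """Senders consistent with exit_label when only the mixes whose index is
    in `available` hand over their logs. A mix without a log could have
    mapped its output to any of its inputs, so the set widens to the batch."""
    candidates = {exit_label}
    for m in reversed(range(len(logs))):
        if m in available:
            candidates = {logs[m][c] for c in candidates}
        else:
            # Only the set of inputs seen on the wire is used here, not the
            # mapping that the missing log would have provided.
            candidates = set(logs[m].values())
    return candidates

if __name__ == "__main__":
    senders = ["alice", "bob", "carol", "dave", "erin"]   # constructed sample
    exits, logs = run_cascade(senders)
    for available in ({0, 1, 2}, {0, 1}, {1, 2}, {0, 2}):
        found = candidate_senders(exits[0], logs, available)
        print(sorted(available), "->", len(found), "candidate sender(s)")
```

In this model the anonymity set collapses to a single sender only when every mix in the cascade contributes its log; one operator that keeps no log leaves the full batch as candidates.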
In July 2003, the German BKA obtained a warrant to force the Dresden Mix operators to log access to a specific web address, which was hosting child pornography. AN.ON then decided to introduce a crime detection function in the server software in order to make this possible. The feature was made transparent by publishing the changed source code on August 18, 2003, and was subsequently criticized by many users. For the Dresden Mix, the feature remains part of their software to this day. Tracing past activities is still technically not possible for the operators, but anonymity now extends only up to the point in time at which a surveillance court order is issued. It was pointed out, though, that the new feature was covered by the AN.ON threat model and was not a security leak by itself.
As a reaction to the threat from local authorities, the system has spread internationally. If the Mixes of a cascade are spread over several countries, the law enforcement agencies of all these countries would have to work together to reveal someone’s identity. Every year, AN.ON publishes the number of successful and unsuccessful surveillance court orders. Further research is being done by AN.ON to make the crime detection functionality more privacy-friendly. These features are still in an early stage and only available in the beta version of the software.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.