Traffic Analysis

Traffic analysis is the technique of inferring information about communications without reading the content. Volume, timing, source, destination, frequency, duration patterns, and packet sizes can reveal who is talking to whom, when, about what category of subject, and (in some cases) what specific service they are using. The discipline goes back to military signals intelligence; the modern academic literature on traffic-analysis attacks against Tor, VPNs, and messaging apps is extensive.

What it means in practice

Traffic analysis defeats encryption that protects content alone. A Signal conversation is end-to-end encrypted, but an observer who controls a relay or a network choke point can see that you connected to Signal’s servers, when, how often, and (with enough data) can correlate your packet timing with a contact’s receive-side timing to infer that you are messaging that specific person. Tor’s threat model explicitly excludes “global passive adversary” attacks, where an actor with visibility into both ends of the network can correlate timing despite three-hop routing. The defenses are layered: padding (insert dummy traffic so volume does not give pattern), batching (delay messages so timing does not give pattern), mix networks (intermediate relays that batch and shuffle, used by Mixmaster historically and by some modern messaging research projects).

Where it shows up

Most relevant for: high-target operators whose adversaries have nation-state SIGINT capability (the academic literature is full of attacks against Tor by simulated NSA-equivalent adversaries; the real-world equivalent is not hypothetical), researchers at Citizen Lab who explicitly defend against this threat tier, and journalists working on stories where the source’s operational security depends on the relationship not being inferable from timing alone. Less relevant for: most users, whose threat model does not include adversaries with the resources to run global traffic analysis. The risk is overestimating threat: a freelancer whose worst adversary is a small competitor wastes effort hardening against traffic analysis when the actual threats are credential reuse and SMS 2FA.

What you can change today

If your threat model justifies it, the structural mitigation is multi-hop routing and padding. Use Tor over Mullvad (Mullvad to gain entry-guard plausible-deniability, then Tor for the three-hop network), or Tor over Proton VPN. For messaging that must defeat traffic analysis, look at Briar (peer-to-peer mesh, no servers to observe) or experimental projects like Nym (mix network in production beta). For most operators: traffic analysis is the fourth or fifth concern after credentials, content encryption, metadata minimization, and identity separation. Solve those first.

Related articles