Short version: Cor and other mesh networking protocol cannot provide you anonymity. Use Tor if you want that and be aware of its limitations.
Long version: Anonymity is typically defined by the number of people you are hiding with. If your adversary learns something about you (e.g. your language + style) or the network (e.g. by surveillance), your anonymity will get lower. To avoid it getting too low, you want a big network which is as much outside your adversary's reach as possible. Mesh networks cannot provide either. They are often small and even if they are not, you will have to use a local internet uplink if you want good performance. Mesh networks are also radio based which makes them easy to monitor.
Also notice that:
- The entire network you see may be fake. Your adversary could DoS the real network and present you a fake one under his control.
- Basic countermeasures against this attack like artificial delays, padding and dummy traffic are not implemented in cor. This is basically because I think this situation is completely hopeless. Implementing them will probably achieve nothing except slowing everything down and giving users a false sense of security.
- Your services are not hidden. Finding your location is only a matter of looking where the signal comes from. Trying to protect against this is rather pointless because of the reasons listed above.
When you are connected to a mobile phone network, the network operator knows your location. Cor tries to make it hard for others to track your location. The theory is rather simple: You do not need to authenticate yourself. Then you need to prevent information leaks, which is hard:
- Fingerprinting radio device: The radio device is an analog circuit which does not produce an absolutely clean signal. Even if you only send 100% random data, your radio may still leave a fingerprint.
- MAC address of the network interface: Network interfaces like your wifi interface have a static address which is added to every packet. This address can be changed periodically. But this will still not prevent you from being tracked. An observer of this change will see a device go and a new device appear and can correlate these two devices. Being able to receive the signal of either your device or any device you are communicating with will be enough.
I had planned for "clients" to use a different MAC address to talk to each neighbor. The problem is that at least wifi interfaces are "intelligent" and have a layer below ethernet which leaks the device MAC address.
- Layer 3 address: Cor allows you to run your device without a layer 3 address. The limitation is that you will not be able to receive incoming connections. This also means that you will not be able to forward traffic for others.
- Data traffic seen by eavesdroppers near you: When you or any (background) application connects to the internet to do something, a local eavesdropper will see that and may be able to identify you. Encryption will not prevent this, because metadata like the destination IP may be enough. One way around that would be to use Tor. But even if you do, the local eavesdropper may still see traffic patterns.
- Destination host on the internet sees your uplink IP: One way around that would also be to use Tor. But information about your connection speed and disconnects will still leak. When you are e.g. commuting on a train you may be leaking a sequence of this connectivity data. This might be enough for tracking and deanonymising you. Using e.g. an instant-messanger might be enough for that.
- Software on your device: If your device has GPS or other means of detecting your location, this data can easily leak. This may be caused by either bad programs spying on you or accidentally by e.g. having GPS coordinates embedded into pictures.
- Other: You could be watched by CCTV-cameras/drones/satellites which are equipped with face-recognition. You might be carrying an RFID tag (or something else) with you without knowing it. Or you might be tracked in any other way.