Compliance Management, Network Security, Privacy

Who goes there?: Tor Project

Quick! When someone mentions Tor, what are the first impressions that come to mind? If you say drug dealers and criminals traveling the dark, seedy underbelly of the internet, anonymously and up to no good, then you wouldn't be alone. As Tor advocates try to legitimize the browser quite possibly the biggest obstacle to mainstreaming Tor is the perception within the general populations that it's a tool used only by criminals, says Runa Sandvik, an independent privacy and security researcher focusing on technology, law and policy; a core contributor to the Tor Project; and a technical adviser to the Freedom of the Press Foundation and the TrueCrypt Audit project. After all, there are many, many reasons that legit internet travelers would like to work behind the cloak of anonymity – journalists, whistleblowers, anyone wanting to avoid unwarranted surveillance.

At its core, Tor is an anonymity network designed to defend users against network surveillance and traffic analysis. The free Tor Browser Bundle contains a modified version of Firefox and when the browser (currently on version 4.5) is used, web traffic is directed through thousands of relays, making internet tracking nearly impossible. 

Tor also gives users access to parts of the World Wide Web that are not traditionally indexed by standard search engines – the so-called deep web or dark web where nefarious businesses or black markets, like the infamous (and now defunct) Silk Road, set up shop. Any website only accessible via Tor, referred to as a Tor hidden service, can typically be reached using an onion address, or pseudo top-level domain not part of the Domain Name System (DNS).

OUR EXPERTS: Anonymity matters

Jacob Appelbaum, security researcher; developer; core member, Tor Project

Jasper Graham, SVP of cyber technologies and analytics, Darktrace; former NSA technical director

Kate Krauss, director of communications, Tor Project

Cooper Quentin, staff technologist, Electronic Frontier Foundation

Runa Sandvik, independent privacy and security researcher; core contributor to the Tor Project; technical adviser, Freedom of the Press Foundation and the TrueCrypt Audit project

Although awareness of Tor has jumped in recent years, largely due to whistleblower Edward Snowden's use of the browser to correspond with journalists as he leaked documents related to NSA surveillance, as well as the takedown of the Silk Road underground marketplace, the tool has not yet garnered mainstream appeal. While many users do see the potential for widespread growth, Tor remains a niche tool with even many in the information security industry unaware of not only the browser's full potential but even of its very existence.

At RSA Conference 2015, a random verbal survey of about 20 attendees found that only half a dozen had heard of it and just one had used it. However, nearly everyone questioned had heard of the deep web or dark web. Those who had heard of Tor, were not completely convinced that it was secure to the extent that they could browse using Tor and maintain the anonymity that it is designed to provide. When asked if Tor is predominately used by “good” or “bad” users, two came down in favor of the former, while four claimed the latter. Another four said “both,” with the remainder unable to say for sure and unwilling to even hazard a guess.

More to Tor

The idea that Tor is primarily being used by criminals and other types of “bad guys” is a big – and potentially damaging – misconception, according to Sandvik, that stems from more people reading about drug dealers using Tor than about students using the tool for added privacy while conducting research. 

“When Tor was initially created, the overall thought was that it would help you preserve your privacy when browsing online,” Sandvik says, explaining that journalists, for example, had a tool that they could use to investigate and communicate – without fear of someone prying. “Later on, in 2006, it became clear that Tor could also be used for censorship circumvention,” she says. This is particularly useful to individuals in countries, such as China, where the internet is highly regulated and many people – including some journalists – are serving jail time for various activities, including signing online petitions and speaking out against corruption. 

Another use for Tor is data privacy, says Jacob Appelbaum, a security researcher and developer and a core member of the Tor Project. When organizations can determine from web searches if, say, a woman is pregnant, they can develop highly targeted focused advertising, he explains, adding that data gleaned from searches for illnesses and other conditions could cause insurance companies to bump premiums. “We're quickly moving into a future where all quantified data is going to come back and haunt you,” Appelbaum says. So, in that respect, Tor can offer a measure of protection not yet found on the broader Internet.

Tor also can stand guard for the twin towers of safety and privacy. “Domestic violence survivors use Tor so that their abusers can't find them,” says Kate Krauss (left), director of communications for the Tor Project. “Lawyers use Tor so that local police can't snoop on their private communications.” 

However, not everyone is convinced that Tor is being used with mostly innocent intentions in mind. Jasper Graham (right), SVP of cyber technologies and analytics at Darktrace, a cyber threat defense company, says that people using Tor typically fall into three camps. In addition to those who simply want to remain anonymous and feel that they should have the freedom to do so and those who are being repressed and use Tor as a way of getting their message out and asking for help, another faction is involved in illegal activities and using Tor as a way to hide their activities.

“Unfortunately, the scale is probably tipped toward people using it for nefarious things,” says Graham. But that imbalance likely has to do with sheer numbers, he says, pointing out that those who use Tor for nefarious purposes may have greater access to the internet and technology, while those who are being oppressed may not have the same capabilities at their fingertips. 

While he is quick to support Tor as a tool for users to avoid punishment by oppressive governments, Graham, a former NSA technical director, is certain extremists are using services like Tor to communicate with each other. “And they're using it as a way to do harm,” he says. “For law enforcement, like the NSA, it's something they are always struggling with. Sometimes it's hard for the general public to really understand that there is a dark side to the web.”

But illegal activities aren't just confined to the dark corners, Sandvik emphasizes, adding that plenty of people are carrying out the same types of nefarious activities on the “regular” web.

Still, research seems to back up claims that Tor, if not a seething den of iniquity, is still the dominion of those up to no good. Results of a study from the University of Portsmouth in the U.K., released in December, show that more than 80 percent of Tor's hidden services traffic was to child abuse sites containing pedophilia material. The study, whose findings were highly contentious, sparked a blog post from Nick Mathewson, Tor's chief architect, researcher and director, explaining how the data possibly tells more about the surfing habits of a particular group of Tor users, rather than the reality of the network's overall traffic.

Curtail illegal activities

Despite who might be using Tor, and its potential for legitimacy going forward, law enforcement must still address illegal activities. One solution, Graham suggests, is for Tor users to do a better job of self-policing by reporting people using the tool for illicit activities so that law enforcement can stay ahead of potential threats.

But, Cooper Quentin (left), staff technologist with the Electronic Frontier Foundation (EFF), says that one potential side effect from taking down any Tor hidden service is that it will weaken the anti-censorship properties of Tor as a whole. An even bigger problem, he adds, is if the day comes when government requires a backdoor, or method to gain unauthorized remote access to a computer, which he believes is certainly a possibility.

“It would definitely undermine the purpose of Tor,” Sandvik says. “There is no way you can create a backdoor that can only be used by law enforcement. If you were to put in a backdoor, you'd have no way to control how it's being used or who is using it. Essentially, you cannot ensure the anonymity of users by adding it.”

Quentin (left) warns that there is no such thing as a backdoor that cannot be used by anyone who finds out about it. Appelbaum is adamant that one will never see the light of day in Tor. 

But, even without a backdoor, Tor users are still not entirely safe from being exposed – or “deanonymized.” While Tor is not known to have any widely abused vulnerabilities that are putting users at critical risk, the network is constantly expanding and improving, and researchers, law enforcement and even criminals are always discovering new ways to identify users. 

In some instances, deanonymization techniques already may have been used to assist in law enforcement investigations. For example, in August 2013, an FBI extradition request coincided with the disclosure of a vulnerability in older versions of the Firefox web browser included in the Tor Browser Bundle. If exploited, the vulnerability could enable the collection of the hostnames and MAC addresses of victim computers. Many at the time were convinced that the FBI, NSA and others in U.S. law enforcement had used the bug. 

Vulnerabilities aren't just a concern in Tor – they're exploited in nearly every internet-connected technology with the general consensus being that Tor is ultimately secure and does provide the anonymity it aims to deliver.

“I believe that Tor is secure, but I also believe that the steps you need to take to remain fully anonymous online involve more than just clicking a couple of buttons and using a piece of software,” Sandvik says. Tor alone may not be sufficient if a bigger plan to uncover an identity is afoot, she adds. 

Still, for the average privacy-seeking individual, Tor should be more than sufficient. “The main thing is that I want you to install the Tor Browser and see how easy it is,” Appelbaum says.

He concedes, though, there are challenges, including getting Tor on all devices by default and finding new ways for the Tor Project to receive funding.

Kraus adds, “We are working to get the word out about Tor to more people in more countries.” She points out another obstacle to wider acceptance: the fact that the Tor website is in English at present, though the software downloads are in many languages. “We hope t​o make our website more accessible, so that when you visit us, you are welcomed in your native language.”

For Sandvik, usability is important, which she says has grown tremendously in the more than a decade Tor has been around, and continues to improve with the release of Tor Browser v4.5. For the future, she would like to see continued research with the community on how to improve Tor and continued collaboration with members of the Tor Project to ensure that any issues are addressed and enhancements implemented.

She realizes, though, the biggest challenge continues to be one of public relations, for as long as people still view Tor negatively and as a tool for criminals, it will have difficulty gaining mainstream acceptance.

But, if negative perceptions can be overcome, then Tor could very well become something that everyone wants, she says. After all, arguably, it has already become – in light of the Snowden disclosures and enterprise marketers' growing hunger for data – a tool that everyone needs.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.