Last week, we posted the story of how the Kilton Public Library in Lebanon, New Hampshire, had been pressured to turn off its Tor relay after the Department of Homeland Security (DHS) reached out to the local police department to express concern over the library's decision, freaking out because "criminals can use Tor." After being approached by the police, the library agreed to shut down the relay, while setting up a meeting to discuss whether the library should turn it back on. Apparently, last week's press attention helped bring out lots of folks who very strongly supported turning Tor back on.
Boston librarian Alison Macrina, who runs the Library Freedom Project and helped the library set up Tor in the first place, was tweeting up a storm last night, and it sounded like a lot of people showed up to make it clear that (1) the DHS could go pound sand and (2) the library should turn its Tor node back on:
Multiple people apparently spoke about how this is absolutely the kind of project that libraries should support, and that protecting anonymous browsing was an important thing to have in the world. And, in the end, success:
Since Edward Snowden exposed the extent of online surveillance by the U.S. government, there has been a surge of initiatives to protect users' privacy.
But it hasn't taken long for one of these efforts — a project to equip local libraries with technology supporting anonymous Internet surfing — to run up against opposition from law enforcement.
In July, the Kilton Public Library in Lebanon, New Hampshire, was the first library in the country to become part of the anonymous Web surfing service Tor. The library allowed Tor users around the world to bounce their Internet traffic through the library, thus masking users' locations.
Soon after, state authorities received an email about it from an agent at the Department of Homeland Security.
"The Department of Homeland Security got in touch with our police department," said Sean Fleming, the library director of the Lebanon Public Libraries.
After a meeting at which local police and city officials discussed how Tor could be exploited by criminals, the library pulled the plug on the project.
"Right now we're on pause," said Fleming. "We really weren't anticipating that there would be any controversy at all."
He said that the library board of trustees will vote on whether to turn the service back on at its meeting on Sept. 15.
Used in repressive regimes by dissidents and journalists, Tor is considered a crucial tool for freedom of expression and counts the State Department among its top donors. But Tor has been a thorn in the side of law enforcement; National Security Agency documents made public by Snowden have revealed the agency's frustration that it could only identify a "very small fraction" of Tor users.
The idea to install Tor services in libraries emerged from Boston librarian Alison Macrina's Library Freedom Project, which aims to teach libraries how to "protect patrons' rights to explore new ideas, no matter how controversial or subversive, unfettered by the pernicious effects of online surveillance." (The Library Freedom Project is funded by Knight Foundation, which also provides funding to ProPublica.)
After Macrina conducted a privacy training session at the Kilton library in May, she talked to the librarian about also setting up a Tor relay, the mechanism by which users across the Internet can hide their identity.
A special agent in a Boston DHS office forwarded the article to the New Hampshire police, who forwarded it to a sergeant at the Lebanon Police Department.
DHS spokesman Shawn Neudauer said the agent was simply providing "visibility/situational awareness," and did not have any direct contact with the Lebanon police or library. "The use of a Tor browser is not, in [or] of itself, illegal and there are legitimate purposes for its use," Neudauer said, "However, the protections that Tor offers can be attractive to criminal enterprises or actors and HSI [Homeland Security Investigations] will continue to pursue those individuals who seek to use the anonymizing technology to further their illicit activity."
When the DHS inquiry was brought to his attention, Lt. Matthew Isham of the Lebanon Police Department was concerned. "For all the good that a Tor may allow as far as speech, there is also the criminal side that would take advantage of that as well," Isham said. "We felt we needed to make the city aware of it."
Deputy City Manager Paula Maville said that when she learned about Tor at the meeting with the police and the librarians, she was concerned about the service's association with criminal activities such as pornography and drug trafficking. "That is a concern from a public relations perspective and we wanted to get those concerns on the table," she said.
Faced with police and city concerns, library director Fleming agreed to turn off the Tor relay temporarily until the board could reconsider. "We need to find out what the community thinks," he said. "The only groups that have been represented so far are the police department and city hall."
Fleming said that he is now realizing the downside of being the first test site for the Tor initiative.
"There are other libraries that I've heard that are interested in participating but nobody else wanted to be first," he said. "We're lonesome right now."
As the government continues to play Whac-a-Mole with darknet drug bazaars, one of the Silk Road's leading darknet market replacements says it has temporarily suspended service over Tor vulnerability concerns. In an encrypted post to the site's buyers and dealers (copied over to PasteBin and over at the /r/darknetmarkets subReddit), Agora's administrators say the darknet market is nervous about law enforcement's ability to take advantage of recent Tor vulnerabilities, and as such are pulling the market offline for an undisclosed amount of time to protect the site:
"Recently research had come that shed some light on vulnerabilities in Tor Hidden Services protocol which could help to deanonymize server locations. Most of the new and previously known methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources. We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement."
While the post doesn't specify which Tor vulnerability the market's responding to, a paper recently published by researchers from Qatar University and MIT (pdf) argued that it was possible to use a Tor vulnerability to identify Tor hidden services with as much as 88% accuracy. Tor director Roger Dingledine responded to these findings in a blog post back in July. Dingledine downplayed the ability of the vulnerability to be exploited in the wild, while pointing out that researchers have long over-estimated the ease of such fingerprinting methods in the real world.
To succeed in the fingerprinting process, the attacker needs to control the Tor entry point for the server hosting the hidden service, and have previously collected unique network identifiers allowing for the fingerprinting for that particular service. Still, Agora itself strongly hints that they've seen some (presumably law enforcement) behavior in the wild already attempting to take advantage of the vulnerability, and wasn't willing to take the risk:
"...We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again, however this is only a temporary solution. At this point, while we don't have a solution ready it would be unsafe to keep our users using the service, since they would be in jeopardy. Thus, and to our great sadness we have to take the market offline for a while, until we can develop a better solution. This is the best course of action for everyone involved."
"We noticed the strange happenings early on. We KNOW that TOR devs are the best of the best. This is only theoretical paper from MIT students. TOR updates daily on a development level, they would fix any vulnerabilities from any theoretical paper. Emphasis: Theoretical Paper, Not Successful Tests. We have covered all bases."
While the Agora shutdown combined with dropping Bitcoin value (due to the potential forking of currency development by those concerned about scalability) have Bitcoin advocates and Darknet market users sweating a bit, Agora's shutdown would seem to be only a temporary bump in the road to future darknet opsec skirmishes. Agora already had survived last November's Operation Onymous, which took down Silk Road 2 and 400 other websites. It's still debated whether those seizures were thanks to a Tor vulnerability or old-fashioned detective work (law enforcement obviously isn't keen on being illuminating).
Even if Agora doesn't return, there's a half-dozen or more already established Darknet markets happy to fill the void and satiate the globe's inexhaustible supply of drug buyers and dealers, those entertained by the endless game of opsec cat and mouse, and the government's insatiable need to fill its mole-whacking quota.
There have been plenty of discussions on the possible "risks" of running a tor exit node, where clueless law enforcement might confuse traffic that comes out of that node as being from the person who actually manages the node. And, indeed, last year we wrote about an absolutely ridiculous case in which a tor exit node operator in Austria was found guilty as an "accomplice" because someone used his node to commit a crime. Thankfully, it appears that the US isn't going quite down that road yet. It appears that a month and a half ago, of all places, the website Boing Boing received a subpoena concerning the tor exit node that the site hosts, demanding an appearance before a federal grand jury in New Jersey.
Except, Boing Boing's lawyer, Lauren Gelman, quickly shot off a note explaining "tor exit node" to the FBI... and the FBI understood what was going on and moved on. Really. Here's the note that Gelman sent:
Special Agent XXXXXX.
I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).
The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net/). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.
I would be happy to discuss this further with you if you have any questions.
They didn't have any questions. They understood the situation and (one assumes) continued the investigation through other means. As Cory Doctorow writes:
The FBI agent did his homework, realized we had no logs to give him, and no one had to go to New Jersey. Case closed. For us, anyway. Not sure what went down with the grand jury.
We write plenty of stories about "clueless" law enforcement and politicians overreacting to things by not understanding the technology. Because that's newsworthy. But it is worthwhile, every once in a while, to remember that there are some in these jobs who do understand technology and are perfectly willing to understand what is happening and continue to do their jobs without going overboard.
And, as Cory notes, perhaps this story of nothing actually happening will be useful in convincing a few more people that maybe the "risks" of running a tor exit node aren't quite as high as some have made them out to be. Yes, you may receive a subpoena, but hopefully it's from law enforcement willing to understand how tor actually works and what it means.
We have been tracking for some time the increasingly repressive measures that the Russian authorities have brought in to censor and control the Internet. Of course, Techdirt readers know that an easy way to circumvent both censorship and control is to use tools like VPNs and Tor. Unfortunately, the Russian authorities also know this, and are now calling for action against them, as TorrentFreak reports:
Speaking at Infoforum-2015, Russian MP Leonid Levin, who is deputy head of the Duma Committee on information politics, indicated that access to anonymization and circumvention tools such as TOR, VPNs and even web proxies, needs to be restricted.
Describing the Tor network as a "den of criminals" and "ghouls, all gathered in one place", Ampelonskogo said Roskomnadzor would find a solution to block anonymous networks if it was supported by a relevant regulatory framework.
What's troubling about this latest call for even tighter control is that it was entirely predictable. Once governments start blocking sites and restricting freedom of speech online, people inevitably respond by using VPNs and Tor to circumvent these measures. And that means that if governments want their laws to be effective, at some point they will take direct action against circumvention tools. That's why it's particularly worrying that Western governments have started down this road: it implies that they, too, might one day try to ban VPNs and Tor.
Anything that makes law enforcement's job slightly more difficult is swiftly turned into a pariah. And usually the worst kind of pariah: a child molester.
Apple and Google both announced encryption-by-default going forward on their mobile phone operating systems. Law enforcement officials swiftly gathered to talk loudly about all of the dead and molested children that would result from this decision.
The same goes for Tor. The use of Tor can obscure criminal activity -- by hiding the perpetrator and the activity itself. There are plenty of legitimate reasons to use Tor (like many internet services and platforms hoovering up tons of data themselves), but because it makes chasing "bad guys" a little harder, it too must go.
The best way for government agencies to get rid of something they don't like is legislation. When a law enforcement official says something like the following, they're not hoping to sway the intelligent and informed members of the public. They're saying it to sway those who can actually do something about it: tech-clueless legislators and those who vote for them.
At the State of the Net conference in Washington on Tuesday, US assistant attorney general Leslie Caldwell discussed what she described as the dangers of encryption and cryptographic anonymity tools like Tor, and how those tools can hamper law enforcement…
“Tor obviously was created with good intentions, but it’s a huge problem for law enforcement,” Caldwell said in comments reported by Motherboard and confirmed to me by others who attended the conference. “We understand 80 percent of traffic on the Tor network involves child pornography.”
That's a scary number. And it's not even close to accurate.
Wired's Andy Greenberg explains how Caldwell took a statistic from Tor research and twisted it to further the government's agenda.
Which is a big difference. "Hidden services" is not just another term for "Tor traffic." Caldwell conflated the two to further the DOJ's push for the end of anything that presents an obstacle to easy access.
The real number is much lower. Greenberg says that most Tor traffic doesn't route to darknet sites. Only about 1.5% of Tor traffic accesses hidden services, and 80% of 1.5% is a number that wouldn't even trouble the most tech-addled Congressperson or the retirement community that repeatedly votes him or her back into office.
At most, a little over 1% of Tor traffic is related to child pornography. That very low number would seem resistant to improvement. How much money and effort should be thrown at 1% of a service in limited use? The answer would appear to be "not very much," but that doesn't tear down Tor's walls or approve budget requests. So, "80% of all Tor traffic" it is, according to the DOJ.
A Tor client makes a hidden service directory request the first time it visits a hidden service that it has not been to in a while. (If you spend hours at one hidden service, you make about 1 hidden service directory request. But if you spend 1 second each at 100 hidden services, you make about 100 requests.) Therefore, obsessive users who visit many sites in a session account for many more of the requests that this study measures than users who visit a smaller number of sites with equal frequency...
The greater the number of distinct hidden services a person visits, and the less reliable those sites are, the more hidden service directory requests they will trigger.
He breaks this down later with a hypothetical situation. 1000 people use Tor to access chat rooms while 10 conspiracy theorists use it to dig for information. Chat users may only log in once or twice a day and hang out at the same handful of venues. The ten conspiracy theorists may visit dozens of sites looking for more crazy, while entering and exiting multiple times. To an outside observer, this activity would appear to indicate that 10 conspiracy theorists make up a larger portion of Tor traffic than 1000 chat room users.
Child porn, like regular porn, is generally not one-stop shopping, unlike a favorite chatroom. Multiple site visits and multiple entrances/exits would inflate the percentage of child porn-related traffic relative to the (observable) whole.
Users who use it for obsessive behavior that spans multiple unreliable hidden services will be far overrepresented in the count of hidden service directory requests than users who use it for activities done less frequently and across fewer services. So any comparison of hidden service directory request counts will say more about the behavioral differences of different types of users than about their relative numbers, or the amount of traffic they generated.
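The hypothetical above, worked through as an added example (not code from the Tor Project or from the original post): a simplified client-side descriptor cache counts directory requests for 1000 chat users and 10 heavy browsers. The cache lifetime, the visit schedules, the share of unreliable sites and all function names are assumptions constructed for the illustration.

```python
"""Added illustration: directory-request counts versus user counts.

Simplified model, not Tor's implementation. The cache lifetime and the visit
schedules below are constructed for this example.
"""
from dataclasses import dataclass

ASSUMED_CACHE_TTL = 6 * 3600  # assumed seconds a fetched descriptor stays usable


def count_directory_requests(visits, unreliable=frozenset(), ttl=ASSUMED_CACHE_TTL):
    """Count hidden service directory requests made by one client.

    visits: iterable of (timestamp_seconds, service_name) in time order.
    A request is made when the client holds no fresh descriptor for the
    service. Visits to services in `unreliable` leave no usable cached
    descriptor (a simplification), so the next visit triggers a new request.
    """
    fetched_at = {}
    requests = 0
    for ts, service in visits:
        last = fetched_at.get(service)
        if last is not None and ts - last < ttl:
            continue  # descriptor still cached: no directory request
        requests += 1
        if service not in unreliable:
            fetched_at[service] = ts
    return requests


@dataclass(frozen=True)
class Group:
    name: str
    users: int
    visits: tuple                      # one representative user's day
    unreliable: frozenset = frozenset()


def request_shares(groups):
    """Return {group name: (share of users, share of directory requests)}."""
    totals = {g.name: g.users * count_directory_requests(g.visits, g.unreliable)
              for g in groups}
    all_users = sum(g.users for g in groups)
    all_requests = sum(totals.values())
    return {g.name: (g.users / all_users, totals[g.name] / all_requests)
            for g in groups}


def long_session():
    """Three hours at one service, touched once a minute."""
    return tuple((t, "chat-a") for t in range(0, 3 * 3600, 60))


def quick_tour():
    """One second each at 100 different services."""
    return tuple((t, f"site-{t}") for t in range(100))


def example_groups():
    """The 1000 chat users and 10 theorists from the hypothetical."""
    # Chat users log in at 09:00 and 20:00 and use the same two venues.
    chat_day = tuple((hour * 3600 + i, venue)
                     for hour in (9, 20)
                     for i, venue in enumerate(("chat-a", "chat-b")))
    # Theorists make three passes, two hours apart, over the same 60 sites.
    sites = [f"site-{i}" for i in range(60)]
    tour_day = tuple((p * 7200 + i, s) for p in range(3) for i, s in enumerate(sites))
    flaky = frozenset(sites[30:])  # constructed: half of the sites are unreliable
    return [Group("chat users", 1000, chat_day),
            Group("theorists", 10, tour_day, flaky)]


if __name__ == "__main__":
    print("hours at one service:", count_directory_requests(long_session()))
    print("100 services, 1 s each:", count_directory_requests(quick_tour()))
    for name, (users, reqs) in request_shares(example_groups()).items():
        print(f"{name}: {users:.1%} of users, {reqs:.1%} of directory requests")
```

With these constructed schedules the 10 theorists are about 1% of users but about 23% of the directory requests an observer would count.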
In addition, law enforcement and anti-child porn agencies' own investigative efforts could very well be adding to this 1.2% figure.
Also, a very large number of hidden service directory requests are probably not made by humans! See bug 13287: We don't know what's up with that. Could this be caused by some kind of anti-abuse organization running an automated scanning tool?
So, there's a good chance that the non-scary 1.2% number is too high. Sure, the ideal would be 0.0% but law enforcement agencies should actually be pleasantly surprised the number is so low, rather than misquoting stats to make it appear as though anonymization services are child porn enthusiasts' playgrounds.
It isn't just child porn the government is after. There's a whole host of darkweb activities it wants to indict people for. But child porn "sells" better than drugs or prostitution or even the US's latest public enemy no. 1: terrorism. The number the DOJ is using to sell its attack on Tor is blatantly false, as anyone with a minimal amount of Google skills would quickly discover. But the DOJ doesn't care whether you or I believe it. It only needs enough people in Washington DC to believe it. The DOJ doesn't speak to the citizens. It only speaks to those who can assist it in stripping away what minimal personal data-shielding options we have left.
Late last week, the Tor Project blog posted a somewhat vague warning about the possibility of an upcoming attempt to disable the Tor network by going after and seizing specialized directory authority servers that are the key to making Tor work.
The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.
We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.
Given that, it seemed especially noteworthy that over the weekend a bunch of Tor exit nodes were apparently quietly seized, according to Thomas White, who ran those servers:
Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.
While he initially suggested that the way it was done made it seem likely that law enforcement was behind it, he later toned down that suggestion, saying he thought it was less likely that law enforcement was involved than he originally believed. Update: And now the servers have been returned and while there's still some confusion, it looks like nothing nefarious happened here.
Tor, itself, isn't compromised -- and pretty much all experts agree that it remains safe -- but it's at least troubling to see that there's at least some possible attempt to compromise parts of the network.
As we mentioned in last week's post on the arrest of Blake Benthall, the alleged operator behind Silk Road 2.0, the arrest was actually part of a larger global effort to take down around two dozen "darknet" websites. While the Benthall indictment does talk about an undercover Homeland Security employee who infiltrated Silk Road 2.0 to gather evidence, a key part of the evidence gathering is left vague: how did officials find the actual servers that were supposedly hidden by Tor? In the past few days, a big effort has been undertaken by a bunch of folks, including key Tor developers to try to work out how all of this happened:
Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.
But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.
Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?
The Tor post lists out a number of possible scenarios under which the hidden servers were located, including bad operational security (opsec), SQL injections (because, of course), Bitcoin deanonymization and attacks on the Tor network. That last one is getting a lot of attention for a variety of reasons. Kashmir Hill over at Forbes has an interesting post exploring the possible connection with the cancelled Black Hat talk from this summer about identifying Tor users, which was done by some Carnegie Mellon researchers. Around that time, Tor also revealed that its network had been compromised, and asked everyone to upgrade to patch vulnerabilities. Many assume these two things were connected.
If you control enough of the Tor network, it’s possible to get a kind of bird’s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters the talk was canceled because the researchers hadn’t cleared the release of their work through their department, the Software Engineering Institute, which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it’s highly likely the information the researchers collected about “drug dealers and child pornographers” made its way into law enforcement hands. McCord said he was “unable to comment on the matter.” Carnegie Mellon’s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.
Hill also quotes Nicholas Weaver with some thoughts on what happened:
“I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,” says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research “circumstantial.” But he points out that the work the researchers did was expensive. A “back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,” says Weaver. That’s not the kind of money an academic can spend on a hobby project.
Meanwhile, one of the (still free) operators of a Tor hidden site that was taken down by the feds, Doxbin, has stepped forward to release a bunch of log files and related information to potentially track down how it was discovered (he posted on a mailing list using the amusing subject line of "yes hello, internet supervillain here."). This has resulted in much more speculation on what kind of attack was being run.
As it stands, no one (other than law enforcement) knows exactly how this came down, but I would imagine that it won't be long until people have figured out what likely happened, and fixes are put in place. This, of course, is the nature of any sort of anonymization effort. People will always break it for some reason or another, and then it's just an ongoing back and forth to fix holes and improve the system...
Just a couple months ago, we wrote about how the folks behind Tor were looking for ways to deal with the fact that much of the web treats Tor visitors differently. It's a tough problem to solve, as we noted, because for all the benefits that Tor provides by allowing people to be anonymous, it's also very much a tool that is abused by some for nefarious purposes, including spamming and attacks. For sites that have any sort of heuristic systems in place (including us at Techdirt), it often defaults to treating many, if not all, Tor users as second-class citizens. This isn't an easy problem to solve, by any means. We've done our best to train our systems to minimize the hassle for Tor users, and yet they are still more likely to run into issues than non-Tor users (sometimes because of upstream efforts). We're certainly watching this effort closely, in hopes that we can benefit from it as well.
However, it looks like Facebook has taken a rather bold move to help Tor users: setting up its very own Tor hidden service, effectively creating a special "hidden" Tor version of Facebook that is designed for Tor users. Yes, Facebook has joined the dark web. It may not seem as cool as various dark markets and such, but it actually is rather important in helping to validate the use of Tor and the fact that not everything on Tor hidden services is about selling drugs or hiring hitmen, as some reports seem to imply.
This is a pretty big move, because Facebook was rather aggressive in treating Tor users badly in the past, sometimes accusing them of hacking their own account, kicking them out or just displaying stuff weirdly. Obviously, users logged into Facebook over Tor are identifying themselves to Facebook, but it does provide more security and privacy for others, and works more seamlessly for those who wish to use Tor regularly.
As Runa Sandvik also notes, this is the first time that a certificate authority has issued a legitimate SSL certificate for a .onion address (Facebook is at https://facebookcorewwwi.onion/ in case you were wondering). Having both of these things happen at once may, as Andy Greenberg jokes, feel sort of like when your parents joined Facebook, but it also, hopefully, is the beginning of more widespread recognition that the Tor hidden services can be useful -- and not just for questionable enterprises. Hopefully others follow Facebook's lead.
All last week, we saw law enforcement types freaking out about the news that Apple and Google were making phone encryption a default. While a good step in the right direction, this was really kind of a minor thing, only protecting a small bit of information -- and yet law enforcement folks went nuts.
So just imagine how crazy they'll go if Tor were embedded directly into Firefox as the default "private browsing mode," as was recently hinted at by Tor exec director Andrew Lewman. Even though private browsing mode still isn't even used that much, adding Tor automatically to it would be quite handy for those who wish to have greater control over their privacy, but haven't gone through the trouble of setting up Tor themselves. Lewman didn't name the browser that has been thinking about this, but did say it had 10 to 20% of the market, which suggests Firefox is the most likely partner. Though, frankly, it would be nice to see this as a feature on all browsers.
Still, I imagine that if that happens, we'll see a similar freakout from the FBI, DOJ, NSA and others, insisting that actually protecting user privacy is somehow better enabling criminals and terrorists. Of course, the truth is that most criminals and terrorists do plenty of other things to reveal themselves. Very, very, very few people are competently able to hide any and all behavior against even semi-competent detective and intelligence work. But what further expanding Tor can do is better protect perfectly legal and innocent behavior from being tracked and abused.