Tor and the Illusion of Anonymity

Tor and the Illusion of Anonymity

So the story as it stands now seems to be that a certain Eric Eoin Marques is being accused of being the largest distributor of child pornography on the planet. Unfortunately (and allegedly), Mr. Marques leveraged Tor anonymity services to provide the mechanism for the illegal distribution. Also unfortunately, a number of other less offensive services such as TorMail were hosted on the same Freedom Hosting servers owned by Marques. The big story here is that in taking this guy down the feds (allegedly) not only grabbed whatever he was hosting but also exploited a vulnerability in the Tor browser bundle that allowed them to identify the true IP addresses an unknown number of Tor users.

Busting (alleged) creeps is always a good thing so why are security and privacy advocates freaked out? Well, there are legitimate uses for Tor ranging from simple privacy preferences to attempting to evade government surveillance in oppressive regimes. Any compromise of its security, however noble the cause, obviously doesn’t sit will with those users. What one government (allegedly) does to track down creeps could just as easily be done by another to track down, say, pro-democracy activists. So this is a problem. In some cases lives of non-creepy people could be at stake.

If there is an upside to this it’s that it should serve as a huge wake-up call to the legitimate users who rely on simplistic technical solutions for privacy. Tools are not perfect and in the case of widely used tools like Tor they are also incredibly high-profile targets. Intelligence and law enforcement agencies are in search of secrets and they will go wherever those are found. They will crack open those layers of secrecy whatever the cost. Privacy advocates and constitutional law scholars can debate the legitimacy of government activity in this space until the end of time but it will not change that reality. If you think you can subscribe to a VPN, fire up Tor, and take on a world power you are in for a very rude awakening.

Also, let’s not forget that there are countless other governments eyeing that prized data. And many of them are unencumbered by even the prospect of a public debate on the topic. Edward Snowden’s revelations have the global media and privacy advocates focused on the actions of the U.S. intelligence community. But while it may be the most capable and largest collector of this type of intelligence it is not alone. Not by a long shot. Using tools like Tor, and even simple email encryption, will place you squarely in the middle of a targeted user group with potentially multiple governments looking your way.

Online anonymity is still possible but it is not something within the grasp of the casual user and it is not available via a simple software solution. You have to work for it, you have to have technical expertise, you have to sacrifice time and online social interaction. You also have to manage your identity and your security perfectly – every single time. So the question is how do good people maintain their privacy on the internet? If your definition if privacy is absolute, meaning escaping all government collection, then forget it. The internet is not for you. You may keep your information out of the hands of hackers and corporations but you are unlikely to completely evade large governments. Seriously, just forget it.

However, if you are willing to work with a flexible definition of privacy (that sound you just heard was the exploding heads of a thousand privacy advocates) there are still valuable tools and practices that can be applied. My personal expectation of privacy does not include escaping government technical surveillance – direct or indirect through large data grabs. Could I achieve that with hard work and a ton of very uncomfortable behavioral changes? Sure, but it is not a price I’m willing to pay. Absolute privacy is not my goal. Instead a more reasonable and entirely personal definition is needed.

Perhaps the most that any average user could hope to achieve is to maintain the integrity of their accounts and any data that they’ve stored online. This is increasingly challenging but achievable though good password/account management and a basic understanding of common technical exploits. On top of some good old fashioned common sense it is possible to layer security tools that help identify vulnerabilities and suspicious activities. However,the most significant security-boosting measures are behavioral. By this I mean not pouring tons of sensitive private data into social media or other accounts with the expectation that it will remain private. What are you willing to feed the system in exchange for access and social interaction?

The bottom line is that we each need to think carefully about what we do online and adjust our personal security model accordingly. A lot of privacy advocates cringe at this and will say I’m “blaming the user” but you can not depend on laws or corporate policy or any thing or person outside of yourself to safeguard your privacy. The modern internet is built on a model that largely trades on user surveillance. It does so with those user’s full cooperation (well, sometimes) in exchange for free services or the promise of social interaction. Privacy starts with this understanding, an inventory of what you’ve already given away (in places like those terms of service agreements that none of us read), and the willingness to accept personal responsibility for what you put into the system.