Blogs

Tor at the Heart: Qubes OS

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Qubes OS

by Michael Carbone and Andrew David Wong

Qubes OS is a security and privacy-oriented free and open source operating system that provides you with a safe platform for communications and information management. Its architecture is built to enable you to define different security environments (or "qubes") on your computer to manage the various parts of your digital life, including safely using Tor.


"If you're serious about security, @QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better."
--- Edward Snowden


Qubes OS allows you to safely manage the different communications, data, and identities in your digital life in securely compartmentalized qubes. All of these qubes are integrated into a single desktop environment with unforgeable colored window borders so that you can easily identify applications and windows from different security environments.

Some features of Qubes OS include:

Safer anonymous browsing

Qubes incorporates Whonix to provide a safer way to use Tor Browser, by compartmentalizing the Tor Browser and Tor process in separate qubes. This means that if the Tor Browser is exploited, the attacker still cannot discover your real IP address, because the Tor Browser and its qube do not know your real IP address. Moreover, that compromise cannot spread from Tor Browser to the Tor process, since they are isolated in different qubes, so any other Tor-related activities you have in other qubes remain secure and private.

Enforce Tor use for non-Tor-aware applications

Once a qube is set to use the Tor network, all network traffic that leaves it is forced to go through Tor. This means that no matter which applications you use, they will not be able to leak your real IP address, even if they are not Tor-aware.

All software and OS updates through Tor

Qubes allows users to download all software and OS updates through Tor, which means that network attackers can't target you with malicious updates or selectively block you from receiving certain updates. In addition, downloading all updates through Tor preserves your privacy, since it prevents your ISP and package repositories from tracking which packages you install.

Robust and safe networking

In addition to easily running non-Tor-aware programs through the Tor network, you can -- at the same time -- have other qubes go through VPNs or be non-networked, for instance to enable easily accessible but offline storage of sensitive information like your password manager. Common attack vectors like network cards are isolated in their own hardware qube while their functionality is preserved through secure networking and firewalls.

Secure communications

Qubes is integrated with existing secure communications tools like Pretty Good Privacy (PGP) to provide security-in-depth and reduce user error. With Split-GPG functionality, a compromise of your email client does not enable an adversary to access your private PGP key.

Safely interact with untrusted media

You can open an untrusted attachment from your email client, and any potential malicious payload in the document is isolated to a separate disposable, non-networked qube. No information from that session can be sent to the attacker, since it is not connected to the internet, and after the document has been read, the entire domain is deleted. You can convert the PDF to a “trusted PDF” that is known not to be malicious, which you could then share with colleagues or save in an offline Documents qube for later reference. In the same way, a potentially malicious DOC file can be opened in a disposable qube that enables the user to edit the file, save it, and send it without providing an opportunity for potential computer compromise.

Windows integration

Many users still rely on Windows-based programs for their work. Qubes enables them to do so securely.

Physical security

Qubes also protects your computer against some physical attacks. If an adversary plugs a malicious USB device into your computer while you're not watching, it isn't game over. Qubes isolates the entire USB stack from the rest of the system. And if you want to dual-boot, or if your computer is seized at the border and then returned, you can tell whether a malicious bootloader was installed, so you know not to input your decryption password.

Smooth integration of qubes

Integrated file and clipboard copy and paste operations make it easy to work across various qubes without compromising security. The innovative Template system separates software installation from software use, allowing qubes to share a root filesystem without sacrificing security (and saving disk space).


There are many different ways to contribute to Qubes, including creating artwork, reporting bugs, editing documentation, making financial contributions and more. If your company would like to license Qubes, please contact the Qubes team.

Tor at the Heart: Whonix

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!


Whonix

Whonix is a privacy ecosystem that utilizes compartmentalization to provide a private, leak-resistant environment for many desktop computing activities. Whonix helps users use their favorite desktop applications anonymously. A web browser, IRC client, word processor, and more come pre-installed with safe defaults, and users can safely install custom applications and personalize their desktops with Whonix.

Whonix is designed to run inside a VM and to be paired with Tor. Whonix is composed of two or more virtual machines that run on top of an existing operating system. The primary purpose of this design is to isolate the critical Tor software from the risk-laden environments that often host user-applications, such as email clients and web browsers. Whonix consists of two parts: the first part solely runs Tor and acts as a gateway for a user's Internet traffic, called Whonix-Gateway. The other, called Whonix-Workstation, is for a user's work and is located on a completely isolated network. Even if the user's workstation is compromised with root privileges, it cannot easily reveal IP addresses or leak DNS requests or bypass Tor, because it has neither full knowledge nor control over where and how its traffic is routed. This is security by isolation, and it averts many threats posed by malware, misbehaving applications, and user error.

One of Whonix's core strengths is its flexibility. Whonix can run on Linux, MacOS, or Windows. It can torrify nearly any application's traffic running on nearly any operating system, and it doesn't depend on the application's cooperation. It can even isolate a server behind a Tor Hidden Service running on a separate OS. It can route traffic over VPNs, SSH tunnels, SOCKS proxies, and major anonymity networks, giving users flexibility in their system setups.

Whonix was originally built around compatibility-focused Virtualbox, then time-tested KVM was added as an option. Now Whonix is shipped-by-default with the advanced, security-focused virtualization platform QubesOS. Whonix even supports Qubes' DisposableVMs.

Whonix has a safe default configuration that includes a restrictive firewall, privacy-enhanced settings for Debian, AppArmor profiles, and pre-configured and stream isolated applications.

The Whonix team is currently focused on improving usability for new Whonix users. A Quick-Start Guide will be available shortly to allow users to install and try Whonix on most existing systems.

Whonix is based in Germany but has users and developers from around the world. Like many open-source projects, Whonix depends on the donations and contributions of supporters. It's easy to get involved!

Tor at the Heart: NetAidKit

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

by Menso Heus

The NetAidKit is a USB-powered router that connects to your wired or wireless network and helps you increase your privacy and beat online censorship for all your devices. Acting as a friendly man-in-the-middle, the NetAidKit is able to send all your network traffic over a VPN or Tor connection without needing to configure any of your devices. This also means that if you have specific hardware devices that are unable to run Tor, you can simple connect them to the NetAidKit to make all the traffic go over Tor anyway.

Free Press Unlimited and Radically Open Security developed the NetAidKit specifically for non-technical users, and the NetAidKit comes with an easy to use web interface that allows users to connect to Tor or upload OpenVPN configuration files and connect to VPN networks.

The NetAidKit transparently routes traffic over Tor. We believe this is a great (and free) way to circumvent censorship, but it obviously does not provide the same anonymity benefits that the Tor Browser Bundle provides. This is something we warn users about specifically every time they connect to Tor, recommending they also the Tor Browser Bundle if they wish to remain anonymous.

At the same time, by routing all traffic over Tor, NetAidKit provides a tool for users' e-mail, social media clients and other network applications to run over Tor as well, providing Tor's benefits to applications other than a browser.

The NetAidKit runs on OpenWRT and uses the OpenWRT tor client. Current challenges include getting the obfuscating protocols to work on the NetAidKit since it has a limited storage capacity. We hope that in 2017 we can improve Tor support further by collaborating with the Tor Project.

For more information and links to our Github repository, visit https://netaidkit.net/

Tor at the Heart: Tahoe-LAFS

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Overview

Tahoe-LAFS is a free and open source decentralized data storage system, with provider-independent security and fine-grained access control. This means that data stored using Tahoe-LAFS remains confidential and retrievable even if some storage servers fail or are taken over by an attacker.

Using a Tahoe-LAFS client, you turn a large file into a redundant collection of shares referenced via a filecap. Shares are encrypted chunks of data distributed across many storage servers. A filecap is a short cryptographic string containing enough information to retrieve, re-assemble and decrypt the shares. Filecaps come in up to three variants: a read-cap, a verify-cap and (for mutable files) a write-cap.

Starting with version 1.12.0, Tahoe-LAFS has added Tor support to give users the option of connecting anonymously and to give node operators the option of offering anonymous services.

Data Storage

At the lowest level, Tahoe-LAFS is essentially a key-value store. The store uses relatively short strings (around 100 bytes) called capabilities as the keys and arbitrary binary data (up to "dozens of gigabytes" and beyond) for the values.

On top of the key-value store is built a file storage layer, with directories, allowing you to share sub-trees with others (without, for example, revealing the existence or contents of parent directories).

A "backup" command exists on top of the file storage layer, backing up a directory of files to the Grid. There is also a feature called "magic folder" built on top of the filesystem layer which automatically synchronizes a directory between two participants.

Encryption

When adding a value, the client first encrypts it (with a symmetric key), then splits it into segments of manageable sizes, and then erasure-encodes these for redundancy. So, for example, a "2-of-3" erasure-encoding means that the segment is split into a total of 3 pieces, but any 2 of them are enough to reconstruct the original (read more about ZFEC). These segments then become shares, which are stored on particular Storage nodes. Storage nodes are a data repository for shares; users do not rely on them for integrity or confidentiality of the data.

Ultimately, the encryption-key and some information to help find the right Storage nodes become part of the "capability string" (read more about the encoding process). The important point is that a capability string is both necessary and sufficient to retrieve a value from the Grid -- the case where this will fail is when too many nodes have become unavailable (or gone offline) and you can no longer retrieve enough shares.

There are write-capabilities, read-capabilities and verify capabilities; one can be diminished into the "less authoritative" capabilities offline. That is, someone with a write-capability can turn it into a read-capability (without interacting with a server). A verify-capability can confirm the existence and integrity of a value, but not decrypt the contents. It is possible to put both mutable and immutable values into the Grid; naturally, immutable values don't have a write-capability at all.

Sharing Capabilities

You can share these capabilities to give others access to certain values in the Grid. For example, you could give the read-capability to your friend, and retain the write-cap for yourself: then you can keep updating the contents, but your friend is limited to passively seeing the changes. (They need to be connected to the same Grid).

To delete a value, you simply forget (i.e. delete) the capability string, after which it is impossible to recover the data. (Storage servers do have a way to garbage-collect unreferenced shares).

System Topology

In a Tahoe-LAFS system (usually called a Grid) there are three types of nodes: an Introducer, one or more Storage nodes and some number of Client nodes. A node can act as both a Storage and Client node at the same time.

An Introducer tells new clients about all the currently known Storage nodes. If all of the Introducers fail, new clients won't be able to discover the Storage servers but the Grid will continue to function normally for all existing users. Client nodes connect to all known Storage servers. It's also possible to run a Grid without any Introducers at all, by distributing a list of Storage servers out-of-band.

These connections use TLS via an object-capability system called Foolscap which is based on the ideas of the E Language. The important two things about this are: the transport is encrypted, and it does not rely on Certificate Authorities for security.

The storage redundancy also happens to enable faster downloads! Because the values are redundantly-stored across several Storage servers, a Client can download from many Storage servers at once (kind of like BitTorrent). For example, a "2-of-3" encoding means you need 2 shares to recover the original value, so you can download from 2 different Storage servers at once.

Tor Connections

Recently, Tahoe-LAFS has added full Tor support. This means the ability to make client-type connections over Tor -- for example, a Client connecting to an Introducer or a Client connecting to a Storage server and also the ability to listen as an Onion service for Introducer and Storage nodes is now possible! This allows for a fully Tor-ified Tahoe-LAFS Grid, where all network connections are done via Tor and the network locations of all participants are kept hidden by Tor.

One immediate advantage of using Tor is for users behind NAT (Network Address Translation) routers, such as most home users. Making a Storage node available over a Tor Onion service means users don't have to change firewall rules (or similar techniques, like STUN) in order for other users to connect to their Storage node. This is because all Tor connections are made out-bound to the Tor network.

While the Foolscap URIs used internally by Tahoe-LAFS already have integrity-assurance, the use of Onion services also provides benefits in the form of self-certifying network addresses: instead of, for example, relying on DNS and Certificate Authorities, a user receiving an Onion URI from a trusted source can be assured they're connecting to the intended service.

Some Grid operators may want assurance that all clients are using Tor to access their service. Setting up the Grid to listen only via Tor Onion Services provides such assurance. Of course, users running a Client can also choose to use Tor at their own option for connections to the Grid regardless of whether the Grid itself is using Tor onion services. This can help clients who are in hostile network environments reach their data in a secure way.

The Tahoe-LAFS Project is actively working towards an easy to use data- storage system that respects the user and Tor is a great compliment to that mission.

More Information

This short article only provides a brief overview of the Tahoe-LAFS system. We are always interested in attention to our cryptographic protocols or code! You can reach us on https://tahoe-lafs.org or on GitHub at https://github.com/tahoe-lafs/tahoe-lafs and the IRC channel #tahoe-lafs on freenode.

Thanks to Chris Wood, Brian Warner, Liz Steininger and David Stainton for feedback on this post.

Tor at the Heart: OnionShare

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!


By Micah Lee


In August 2013, David Miranda was detained for nine hours and searched at Heathrow Airport in London while he was trying to board a plane back home to Rio de Janeiro. Working on a journalism assignment for the Guardian, he was carrying an encrypted USB stick that contained classified government documents. When I first learned about this story, I knew there must be safer ways to move sensitive documents across the world than physically carrying them, one that didn’t involve putting individual people at risk from border agents and draconian “terrorism” laws that are used to stifle award-winning journalism.

Here’s how I would have done it: In Berlin (where the secret files originated), I would set up a local web server on my computer, that isn’t accessible from the internet. The only thing on the website would be a download link to an encrypted file that contained the secret documents. Then I would setup a Tor onion service -- one of the coolest and most under-appreciated technologies on the internet, in my opinion -- to make this simple website accessible from a special “.onion” domain name. I would send my colleague in Rio (in this case, Glenn Greenwald) the URL to the onion service. He would open it in Tor Browser and download the encrypted file. As soon as he finished the download, I would stop the local web server and remove the onion service, so it would no longer be on the internet at all.

Of course, the problem is that while this may be simple for seasoned nerds like myself, it’s not for many journalists, activists, or lawyers who run into similar problems on a regular basis. Inspired by this idea, I developed a simple and user-friendly open source tool called OnionShare that automates this process. You open OnionShare, drag some files into it, and click the “Start Sharing” button. After a moment, OnionShare gives you URL that looks something like http://4a7kqhcc7ko6a5rd.onion/logan-chopin. You send this URL to someone you’d like to share files with, and they load it using Tor Browser and download the files directly from the web server running on your computer. The moment the download is complete, OnionShare shuts down the web service, the URL no longer works, and the files you shared disappear from the internet. (Since OnionShare runs a server directly on your computer, this also means that your computer needs to be online for the URL to work -- if you suspend your laptop, for example, the URL won’t work until you get back online.)



Onionshare server side



Onionshare client side

I’m the developer of OnionShare, but I have no idea how many users it has. I consider this a feature. It’s completely decentralized, anonymous, and private. I don’t run a central service -- instead, every user runs their own short-lived service, often only for a few minutes, and that service disappears as soon as they finish sharing their files.

However, I do know that people use it. I use it on a regular basis myself while working on sensitive journalism projects with my colleagues at The Intercept. Sources use it to send me and other journalists documents. I’ve heard from digital security trainers that OnionShare is used by the Movement for Black Lives in the United States, and by activists in Latin America. A European human rights lawyer told me that their client in Africa used it to send them sensitive files.


What OnionShare protects against:

  • Third parties don't have access to files being shared. The files are hosted directly on the sender's computer and don't get uploaded to any server. Instead, the sender's computer becomes the server. Traditional ways of sending files, like in an email or using a cloud hosting service like Dropbox or Google Drive, require trusting the service with access to the files being shared.

  • Network eavesdroppers can't spy on files in transit. Because connections between Tor onion services and Tor Browser are end-to-end encrypted, no network attackers can eavesdrop on the shared files while the recipient is downloading them. If the eavesdropper is positioned on the sender's end, the recipient's end, or is a malicious Tor node, they will only see Tor encrypted traffic.

  • Anonymity of sender and recipient are protected by Tor. OnionShare and Tor Browser protect the anonymity of the users. As long as the sender anonymously communicates the OnionShare URL with the recipient, the recipient and eavesdroppers can't learn the identity of the sender.

  • If an attacker enumerates the onion service, the shared files remain safe. There have been attacks against the Tor network that can enumerate onion services. If someone discovers the .onion address of an OnionShare onion service, they still cannot download the shared files without knowing the full URL, and OnionShare has rate-limited to protect against attempts to guess the URL.



What OnionShare doesn't protect against:

  • Communicating the OnionShare URL might not be secure. The sender is responsible for securely communicating the OnionShare URL with the recipient. If they send it insecurely (such as through an email message, and their email is being monitored by an attacker), the eavesdropper will learn that they're sending files with OnionShare. If the attacker loads the URL in Tor Browser before the legitimate recipient gets to it, they can download the files being shared. If this risk fits the sender's threat model, they must find a more secure way to communicate the URL, such as in an encrypted email, chat, or voice call. This isn't necessary in cases where the files being shared aren't secret.

  • Communicating the OnionShare URL might not be anonymous. While OnionShare and Tor Browser allow for anonymously sending files, if the sender wishes to remain anonymous they must take extra steps to ensure this while communicating the OnionShare URL. For example, they might need to use Tor to create a new anonymous email or chat account, and only access it over Tor, to use for sharing the URL. This isn't necessary in cases where there's no need to protect anonymity, such as coworkers who know each other sharing work documents.



You can find the source code for OnionShare here, and you download it from its website here.

Tor at the Heart: OONI Highlights from 2016

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

In this post we provide some highlights from OONI, a project under The Tor Project.

The Open Observatory of Network Interference (OONI) is a free software project under The Tor Project that aims to uncover internet censorship around the world. Recently we published an overview of OONI which can be found here.

Today we are providing some OONI highlights from 2016. These include our research findings in collaboration with our partners, and the new features we have developed and released to meet our users’ needs.

Research findings

As part of the OONI Partnership Program we collaborate with various local and international non-profit organizations around the world on the study of internet censorship. Below we provide some highlights from our research findings this year.

Censorship during elections

  • Uganda: Facebook and Twitter blocked during 2016 general elections. In collaboration with DefendDefenders we examined the blocking of social media in Uganda during its 2016 general elections and when the country’s President was inaugurated. View our findings here.
  • Zambia: Internet censorship events during 2016 general elections. OONI monitored internet censorship events during Zambia’s 2016 general election period in collaboration with Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT). A full report of our study can be found here.
  • The Gambia: Internet shutdown during 2016 presidential election. We attempted to examine whether websites were blocked during the Gambia’s 2016 presidential election. Instead, we came across a country-wide internet blackout. View our findings here.
  • Venezuela: Blocking of sites during elections. IPYS conducted a study of internet censorship in Venezuela through the use of ooniprobe. Their full report can be found here.

Censorship during other political events

  • Ethiopia: Deep Packet Inspection (DPI) technology used to block media websites during major political protests. OONI joined forces with Amnesty International to examine internet censorship events during Ethiopia’s wave of protests. We not only detected DPI filtering technology, but we also found numerous sites - including news outlets, torproject.org, LGBTI and human rights sites - to be tampered with. Now Ethiopia is in a state of emergency. Our report can be found here.
  • Turkey: Internet access disruptions during attempted military coup. In collaboration with RIPE Atlas we examined the throttling of social media in Turkey during the attempted military coup in July. View the findings here.
  • Ethiopia: Internet shutdown amidst political protests. Ethiopia’s government pulled the plug on the internet in the middle of heavy protests in August. We examined the internet shutdown in collaboration with Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT) and published our findings here.

Tor blocking

  • Egypt: Tor interference. Our community informed us that certain services were inaccessible in Egypt. We investigated the issue and also found Tor to be tampered with. View our findings here.
  • Belarus: Tor block. An anonymous cypherpunk helped us collect evidence of Tor blocking in Belarus. View the data here.

WhatsApp blocking and DNS censorship

  • Brazil: Blocking of WhatsApp. Thanks to Coding Rights who ran our newly developed WhatsApp test, we were able to detect and collect evidence of the blocking of WhatsApp in Brazil earlier this year. View the data here.
  • Malaysia: DNS blocking of news outlets, medium.com, and sites expressing political criticism. Following the 1MDB scandal, various news outlets were reportedly blocked in Malaysia. OONI joined forces with Sinar Project to examine and collect evidence of internet censorship events in Malaysia. Our report can be found here.

New releases

If you’ve known OONI for a while, you might be more familiar with ooniprobe as a command line tool. To meet our users’ needs, we developed a variety of features this year, including the following:

  • OONI Explorer: A global map to explore and interact with all of the network measurements that OONI has collected from 2012 to date.
  • Measurement API: Explore and analyze OONI’s data via its new API.
  • OONI web UI: Run censorship tests from your web browser!
  • WhatsApp & Facebook Messenger tests: Examine the reachability of WhatsApp and Facebook Messenger with OONI’s new tests!
  • Web Connectivity test: Examine DNS, TCP/IP, HTTP blocking of sites all in one test!
  • Lepidopter: Run ooniprobe from a Raspberry Pi!
  • OONI mobile: We have developed the beta version of ooniprobe for Android and iOS. Look out for ooniprobe’s mobile app in early 2017!

Over the last year, many non-profit organizations around the world have started running ooniprobe daily. The graph below illustrates the expansion of ooniprobe’s global coverage thanks to our users.


By supporting Tor, you’re also supporting the OONI project. Help us continue to increase transparency around internet censorship by donating to The Tor Project.

Written by Maria Xynou, OONI’s Research and Partnerships Coordinator.

Tor at the Heart: PETS and the Privacy Research Community

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom. Donate today!

So far in this blog series we've highlighted mainly software and advocacy projects. Today is a little different: I'm going to explain more about Tor's role in the academic world of privacy and security research.

Part one: Tor matters to the research community

Just about every major security conference these days has a paper analyzing, attacking, or improving Tor. While ten years ago the field of anonymous communications was mostly theoretical, with researchers speculating that a given design should or shouldn't work, Tor now provides an actual deployed testbed. Tor has become the gold standard for anonymous communications research for three main reasons:

First, Tor's source code and specifications are open. Beyond its original design document, Tor provides a clear and published set of RFC-style specifications describing exactly how it is built, why we made each design decision, and what security properties it aims to offer. The Tor developers conduct design discussion in the open, on public development mailing lists, and the public development proposal process provides a clear path by which other researchers can participate.

Second, Tor provides open APIs and maintains a set of tools to help researchers and developers interact with the Tor software. The Tor software's "control port" lets controller programs view and change configuration and status information, as well as influence path selection. We provide easy instructions for setting up separate private Tor networks for testing. This modularity makes Tor more accessible to researchers because they can run their own experiments using Tor without needing to modify the Tor program itself.

Third, real users rely on Tor. Every day hundreds of thousands of people connect to the Tor network and depend on it for a broad variety of security goals. In addition to its emphasis on research and design, The Tor Project has developed a reputation as a non-profit that fosters this community and puts its users first. This real-world relevance motivates researchers to help make sure Tor provides provably good security properties.

I wrote the above paragraphs in 2009 for our first National Science Foundation proposal, and they've become even more true over time. A fourth reason has also emerged: Tor attracts researchers precisely because it brings in so many problems that are at the intersection of "hard to solve" and "matter deeply to the world". How to protect communications metadata is one of the key open research questions of the century, and nobody has all the answers. Our best chance at solving it is for researchers and developers all around the world to team up and all work in the open to build on each other's progress.

Since starting Tor, I've done probably 100 Tor talks to university research groups all around the world, teaching grad students about these open research problems in the areas of censorship circumvention (which led to the explosion of pluggable transport ideas), privacy-preserving measurement, traffic analysis resistance, scalability and performance, and more.

The result of that effort, and of Tor's success in general, is a flood of research papers, plus a dozen research labs who regularly have students who write their thesis on Tor. The original Tor design paper from 2004 now has over 3200 citations, and in 2014 Usenix picked that paper out of all the security papers in 2004 to win their Test of Time award.

Part two: University collaborations

This advocacy and education work has also led to a variety of ongoing collaborations funded by the National Science Foundation, including with Nick Feamster's group at Princeton on measuring censorship, with Nick Hopper's group at University of Minnesota on privacy-preserving measurement, with Micah Sherr's group at Georgetown University on scalability and security against denial of service attacks, and an upcoming one with Matt Wright's group at RIT on defense against website fingerprinting attacks.

All of these collaborations are great, but there are precious few people on the Tor side who are keeping up with them, and those people need to balance their research time with development, advocacy, management, etc. I'm really looking forward to the time where Tor can have an actual research department.

And lastly, I would be remiss in describing our academic collaborations without also including a shout-out to the many universities that are running exit relays to help the network grow. As professor Leo Reyzin from Boston University once explained for why it is appropriate for his research lab to support the Tor network, "If biologists want to study elephants, they get an elephant. I want my elephant." So, special thanks to Boston University, University of Michigan, University of Waterloo, MIT, CMU (their computer science department that is), University of North Carolina, University of Pennsylvania, Universidad Galileo, and Clarkson University. And if you run an exit relay at a university but you're not on this list, please reach out!

Part three: The Privacy Enhancing Technologies Symposium

Another critical part of the privacy research world is the Privacy Enhancing Technologies Symposium (PETS), which is the premiere venue for technical privacy and anonymity research. This yearly gathering started as a workshop in 2000, graduated to being called a symposium in 2008, and in 2015 it became an open-access journal named Proceedings on Privacy Enhancing Technologies.

The editorial board and chairs for PETS over the years overlap greatly with the Tor community, with a lot of names you'll see at both PETS and the Tor twice-yearly meetings, including Nikita Borisov, George Danezis, Claudia Diaz, Roger Dingledine (me), Ian Goldberg, Rachel Greenstadt, Kat Hanna, Nick Hopper, Steven Murdoch, Paul Syverson, and Matt Wright.

But beyond community overlap, The Tor Project is actually the structure underneath PETS. The group of academics who run the PETS gatherings intentionally did not set up corporate governance and all those pieces of bureaucracy that drag things down — so they can focus on having a useful research meeting each year — and Tor stepped in to effectively be the fiscal sponsor, by keeping the bank accounts across years, and by being the "owner" for the journal since De Gruyter's paperwork assumes that some actual organization has to own it. We're proud that we can help provide stability and longevity for PETS.

Speaking of all these papers: we have tracked the most interesting privacy and anonymity papers over the years on the anonymity bibliography (anonbib). But at this point, anonbib is still mostly a two-man show where Nick Mathewson and I update it when we find some spare time, and it's starting to show its age since its launch in 2003, especially with the huge growth in the field, and with other tools like Google Scholar. Probably the best answer is that we need to trim it down so it's more of a "recommended reading list" than a resource of all relevant papers. If you want to help, let us know!

Part four: The Tor Research Safety Board

This post is running long, so I will close by pointing to the Tor Research Safety Board, a group of researchers who study Tor and who want to minimize privacy risks while fostering a better understanding of the Tor network and its users. That page lists a set of guidelines on what to consider when you're thinking about doing research on Tor users or the Tor network, and a process for getting feedback and suggestions on your plan. We did a soft launch of the safety board this past year in the rump session at PETS, and we've fielded four requests for advice so far. We've been taking it slow in turns of publicity, but if you're a researcher and you can help us refine our process, please take a look!

Tor at the Heart: Online Collaborative Projects

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom. Donate today!

Research by Andrea Forte, Nazanin Andalibi and Rachel Greenstadt



Wikipedia blocks edits from Tor — how does this affect the quality and coverage of the "encyclopedia that anyone can edit?" How do captchas and blocking of anonymity services affect the experiences of Tor users when they are trying to contribute content? What can projects do to better support contributions from people who value their privacy?

We are a group of researchers from Drexel University studying these questions. Our initial study of privacy in open collaboration projects, entitled Privacy, Anonymity, and Perceived Risk in Open Collaboration: A Study of Tor Users and Wikipedians, was recently published in advance of its presentation at the ACM conference on Computer-Supported Cooperative Work and Social Computing (CSCW) in February. Our findings offer a rare look at why people turn to privacy tools like Tor and how they experience the Internet as a result. This work was inspired by a previous Tor blog post, A call to arms: Helping Internet services accept anonymous users.

We interviewed 23 people from seven countries ranging in age from 18-41; 12 Tor users who participate in online projects and 11 Wikipedia editors who use a variety of privacy tactics. The Tor Project and Wikimedia Foundation are organizations committed to similar ideals — a free global exchange of information in which everyone is able to participate. The study's central finding is that perceived threats from other individuals, groups of people and governments are substantial enough to force users below the radar and curtail their participation in order to protect their reputation, themselves, and their families.

In nearly all interviews, participants described being wary about how aspects of their participation in open collaboration projects would compromise their privacy or safety. Many participants described crisis experiences of their own or of someone they knew as antecedent to their model of threat in online projects.

Their reasons for guarding their privacy online ranged from concerns about providers obtaining and using their browsing history for targeted advertising to actual verbal abuse, harassment and threats of violence. The most common concern voiced by participants was a fear that their online communication or activities may be accessed or logged by parties without their knowledge or consent.

This threat, which became very real for many Americans after Snowden revealed the extent of the National Security Agency's surveillance and monitoring practices, has been ever-present for users in other countries for some time. According to one non-U.S. respondent "in my country there's basically unknown surveillance going on ... and I don't know what providers to use so at some point I decided to use Tor for everything."

For a political activist, dissident, or just someone who has expressed strong political opinions the threat is multiplied. One such participant who uses Tor said "they busted [my friend's] door down and they beat the ever living crap out of him...and told him, "If you and your family want to live, then you're going to stop causing trouble." This person's privacy strategies were quickly transformed after that experience.

Eleven of the study's participants were recruited from the ranks of Wikipedia editors who expressed concerns about maintaining their privacy. In comparison to political dissent, helping to add information to Wikipedia might seem innocuous, but especially editors who work on controversial topics are also being threatened and harassed. Wikipedia allows anonymous posting, but it does not permit users to mask their IP addresses and blocks Tor users — except in special cases. So wading into the controversial territory, even to present a fact-backed, neutral point of view, puts editors at risk. Some Wikipedians described threats of rape, physical assault, and death as reprisals for their contributions to the project.

Administrators of the site, who often spend their time on managerial tasks and enforcing policies, also reported being harassed or threatened with violence. "It's a lot of emotional work," said one study participant. "I remember being like 13 and getting a lot of rape threats and death threats and that was when I was doing administrative work."

Our analysis suggests that Wikipedia and other collaborative projects are losing valuable contributions to privacy concerns. If certain voices are systematically dampened by the threat of harassment, intimidation, violence, or opportunity and reputation loss, projects like Wikipedia cannot hope to attract the diversity of contributors required to produce "the sum of all human knowledge."

In response to this problem, our research agenda aims to support communities like Wikipedia in developing tools and norms that value and welcome anonymous contributions.

For more:

Andrea Forte will be speaking at the next WikiResearch showcase which will be live-streamed this Wednesday 12/21 at 11:30am PT / 7:30pm UTC.

Read the paper: "Privacy, Anonymity, and Perceived Risk in Open Collaboration: A Study of Tor Users and Wikipedians"

Watch the video from the 32c2 talk: What is the value of anonymous communication?

Syndicate content Syndicate content