Tor's Response to Prism Surveillance Program

by kelley | June 11, 2013

Due to several requests received today from members of the press community and others we felt it was in the best interest of time and consistency to provide a statement regarding today's developments and stories surrounding the NSA Prism surveillance program.

The Tor Project is a nonprofit 501(c)(3) organization dedicated to providing tools to help people manage their privacy on the Internet. Beyond our free, open source technology and extensive research we actively foster important conversations with many global organizations in order to help people around the world understand the value of privacy and anonymity online. As a result, members of the core Tor team and the greater Tor community are out in the world sharing knowledge and insights with countless individuals every day - many times handing out free Tor stickers; with no donation requested or expected. Edward Snowden, like tens of thousands of people, put Tor stickers on their devices. He likely got it at a conference from one of us in the past year.

Today, as always, the team at Tor remains committed to building innovative, sustainable technology solutions to help keep the doors to freedom of expression open.

For more on our view on this situation visit also our blog post:
https://blog.torproject.org/blog/prism-vs-tor.

For further questions please contact us at execdir@torproject.org.

Comments

Please note that the comment area below has been archived.

June 10, 2013

Permalink

as google, facebook, yahoo,... and TOR says: "we are innocents, we don't spy you" :P

June 10, 2013

Permalink

Hi, i'm using Tor bundle x86_64-2.3.25-8-dev-en-US
I'm unable to download these 2 files via Tor:
live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS.sign

live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS

i wasnt able to download SHA512SUMS* files from debian.net / debian.org server via Tor also ~1 month ago. (This problem has nothing to do with PRISM. I hope)

I enter one of these 2 links and Tor FREEZES until the connection timeouts. I cant get these files via Tor ! But i can connect everywhere else via Tor.
Maybe the responses i 've received were manipulated in the road from server (debian.org/debian.net) to the exit node in a precise way to freeze Torbrowser?

i can get the files using direct connection (my ISP without Tor), but obviously those files are useless if i cant compare them with the same files downloaded from an encrypted & anonymous connection.

I've read about the PRISM case and the leaker says that "they're planting bugs in PCs" ...

1)Is it possible that my ASUS pc is bugged by NSA?
2)Is it possible it makes itself recognize when my traffic exit the Tor network (after the Exit node) ? How does it works, does the bug inject a "padding-pattern" in the TCP data of my traffic to make it detectable once it exit the Tor Network?
3) how can i avoid it? altering data before it get transmitted to Tor so i can disrupt that pattern.... but HOW can i do this?

I noticed this problem the first time ~ on 15th May 2013

June 10, 2013

Permalink

(still me)

Starting Torbrowser in a Debian-wheezy_Russian_version VM i still couldn't connect to get the 2 SHA512SUM* files.
So i tried using the Iceweasel (10.0.12) that comes in the VM installation, setting 9150 @ localhost as proxy config for the browser and it worked.

I remember that the Debian's SHA512SUM problem is not only for the latest Torbundle version, i tested many (old) version 1 month ago and the result was the same.

So, since iceweasel + Torbundle (used as proxy) worked, it means that the problem could be a bug in the Firefox used for the Torbundle: Some Firefoxs cant handle files named SHA512SUM if the server hosting these files is debian.org or debian.net.

Worth of note is the fact that the problem is only about these 2 files and only if they are from debian's servers. I still can browse debian.org / debian.net servers , but i cant download those 2 files... strange o.O

In years of Tor use i NEVER had any sort of problem.
Then ... 1 month ago i need to do a debian installation and i noticed this problem.
Previous installation was not more than 2 or 3 month before, when i had no problem getting the files.

i hope there'll be a fix

keep the good work ;)

Tor rocks!!

June 10, 2013

Permalink

strange blog posting. a response to the prism program is actually about giving out stickers. this article is lacking real information. i would have expected a different statement on this topic.

See the previous post on this blog for a more technically substantive discussion.

Yeah, I realize that the sticker issue is kind of ridiculous, but I hear that's what the press was asking about all day Monday.

LOL
you dont even know what you're talking about.
Tor nodes are run by volunteers.
You too can start a Tor node. You only need to run the program and enable it as relay node or exit node or entry/bridge node.

Consider this:
The Tor software used by all those volunteers is provided to all of us as a free download. I wonder then, how many of you have inspected the code to see if it has support code for NSA and DHS snooping? You talk in theories and conjecture, but do not really have any idea about the code itself.
Startpage did the right thing: the denounced the unconstitutional and immoral spying on the people, and clearly stated they would not let themselves be used for it.
Why didn't the TOR folks do the same thing? My understanding is that TOR accepts money from the US government. I read that in a TOR description article. If that is true, what do you think are the chances a little arm-twisting has been going on?
I want a clear statement from TOR that they do NOT allow 1)spy code inserted in their build and 2)they do not provide ANY data or access to anybody directly or indirectly associated with the US government. Let's hear it.

and btw, NSA has access to all ISP datas, in the US, and EU (through corporations &/or governments cooperation).

Tor is specially good if you're using it from China/Russia/Iran to connect to an EU/US server (protects you from CN/RU/IR eavesdroppers)
Or from EU/US if you're connecting to a Chinese or Russian or Iranian server (protects you from EU/US eavesdroppers)

Are you saying Americans who use Google's gmail ( has a HTTPS option ) should use yandex.ru ( also an HTTPS option )? Instead of going to a Google server in the US, your email should go to a server in Russia?

Yes, Americans should use Yandex.mail, Russian servers. If Facebook gives you the willies, use QQ International, Chinese servers. Maybe you trust Russian and Chinese security services more than US.

I wouldn't do that. Russian security can be slow because of bureaucracy but they get what they want - no one wants to stand in their way - too easy to lose a business.

I think he means that if you live in a Western/NATO jurisdiction it may be better to have a Russian/SCO free https email account as Russia doesn't cooperate much with American Intelligence (unless you're an international drug smuggler or Islamic extremist that is), and vice versa if you're living in a Russian jurisdiction. Clearly, it would only be very stupid for someone living in the West to operate a google email account nowadays.

Anybody in the world can run a tor exit node. Tor can't do anything about it because they have designed their application this way. It is possible to play with blocking or allowing exit nodes by the country they're located in, maybe it could be done with specific nodes, idk, it's all open source so maybe if you're a programmer, but it would run counter to the whole idea of the service- global network across different jurisdictions. It is widely believed that intelligence services of various countries run tor exit nodes. That's way tor stress that people use ssl if possible to connect to websites to prevent eavesdropping.

June 11, 2013

Permalink

Is this post some kind of joke? It's completely content free. You guys have been known to cooperate with (that is, work for) the US government. You don't have anything more interesting to comment on apart from stickers??

Tor has no data on its users. That's the whole point of the network. The nodes are run by volunteers, and the data that runs into the network is encrypted. The project itself has no capacity or interest in monitoring exit node traffic, but it may happen -- even so, the purpose of the network is to foil an attacker identifying the origin (not the content) of traffic. To identify the origin the attacker would have to have huge resources (someone such as the NSA) be lucky, determined, and paying very close attention probably to multiple parts of the network all at once.

Otis possible, but the whole point is to make it hard while making the system useable for regular people.

-- Shava Nerad *not* speaking for the project, former staff, longtime volunteer

June 12, 2013

Permalink

This is open source, I already know that.

Google is telling a LIE. Also Facebook. And Obama.

Hey tor,
Are you really sure that your software hasn't a backdoor to NSA?
That's because when I use NSA IP Blocklist, I got a bunch of Blocking alerts.

I think that Most of Tor Relay are already on hand of NSA.
Please add tor nodes ONLY NSA-CLEAN. thank you.

Just FYI, this is the NSA IP List I found from reddit:
http://www.reddit.com/r/WTF/comments/1g61nv/national_security_agencynsa…

It does not matter only NSA can controkl exit nodes theese are not needed for onion routes.
You dont understand tor , its like bitcoin creators can not control the network...

June 12, 2013

Permalink

How can TOR protect us from ISP-level eavesdroppers if all data including cipher passwords passes via ISP?

June 12, 2013

Permalink

For some poeple the fear of NO CONTROL , is the biggest fear it self , creating paranoia , the fact that control can be avoided this easy makes them so fearfull that there MUST be a big brother and great leader!
And cant deal with it if ther is none , only your self.

June 12, 2013

Permalink

Cool. But I have a question. Its just out of curiosity I am asking. When You guys have kept the services free, no donation expected than where do funds for so much extensive program and such arrangements is managed? Is it owing to some Trust members or so?

June 13, 2013

Permalink

That's the problem Tor nodes can be operated by anyone. A criminal, a cop, the NSA. It would be so easy for the government to have a bunch of exit nodes set up to see all the communication and data being passed back to the receiver. Tor was created by the military industrial complex to begin with. Trustworthy they're not.

June 13, 2013

Permalink

As said above, how is one to know if TOR is not giving out user info/data to the ----n-xxx-s-xxx-a----- Please provide more proof that TOR is not on the Gov's side.

June 13, 2013

Permalink

02:39 14/06/2013

I feel very uncomfortable that TOR was used or developed for the US navy. If there is a "back door" to the NSA, then it just makes their job easier in collecting information. It seems a bit naive to me that there is anything much that can be hidden from certain governments.
I'll stick with my sledgehammer tactics of having 10 computers and many throwaway PAYG Sims, and 723 email addresses to keep my privacy. If I want a bit of privacy - in no way assured - then I'll use my proxy servers and some other undiscussed methods to help with my privacy. I don't care if I only want to talk about what I'm getting my girl for her birthday, the government - our servants - have no right to this, and this smokescreen about anti terrorism is just an excuse to spy on us. George Orwell was just a few years too early, but all soothsayers are.

I think that Tor is just another tool for the government to spy. The time will come when all the common people will rise up against all governments and overthrow them. US government violates rights of its people just like any other country

The basis of my ignorance was taught to me in grade school. Further pushed into my brain in a christian middle school; and halfway soldered to my brain in the the first year of a christian high school (which i was kinda booted/left because i refused to tuck in my shirt and they tried to charge my parents 30 dollars more a day to hold me for an extra hour in detention , due to my breaking the tucked in shirt law)

I was taught that America is number 1 and basically everywhere else is third world. Until recently i didn't think much of it. China was literally all red and you couldn't do anything really without being publicly executed (and they had a village of midgets and a big wall that we should model and build between mexico and usa) . Russia, was drunk red and horrible, but better then China and everyone carried Kalashnikov derivatives . England had bad teeth they secretely hated us for being terrorists and revolting against their opressive rule.

shiit i forgot my point.

Tor's code is open source and constantly under review by the most tin-hat privacy experts in the world internationally. You or I might not find a back door in the code, but other people much more clever than I am, certainly, at the Chaos Computer Club and so on, consider it a sacred trust and a game to comb software such as Tor for faults. Nothing is perfect, but I should expect a backdoor in the code here.

My understanding is that Navy intelligence wanted a tool they could use on the open net to hide operatives. If only MI used it, they'd be identifiable by fingerprint of the software. So we are just chaff for the NSA, under that theory, to hide them hiding what they wish to keep hidden themselves. Tor users may be the only secrets left safe, if the NSA hasn't built better yet. ;)

Spot-on comment, friend. We are living in Orwellian times. We have found the enemy, and it is us (U.S.). A government that won't trust it's People definitely cannot be trusted. Period. Only a fool would see it otherwise.

June 14, 2013

Permalink

How do you know that Edward Snowden has Tor stickers on his devices? And why would the media be asking about that topic? I would like to see some pictures.

June 14, 2013

Permalink

Nothing is secure. If the Tyranny wants information they will get it. If we tear down this tyranny another will sprout to replace it unless WE limit the ability to do so. (That's what the Constitution was meant to do)

"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves." William Pitt, Nov. 18, 1783

Some solutions to consider:
Stop supporting multinational corporations, end ALL campaign finance and the farce which has become the US national campaigning race, replace all of the government/civil servants with people that aren't funded by those corporations and if one gets out of line act like any other free countrymen would, take to the streets and throw them out, put term limits on the senate and congress and all other local offices. No more career politicians. WE ARE ALL THE GOVERNMENT.

At this moment we are teetering on an edge and which side we fall on will determine whether we regain our freedom (long ago lost) or become more enslaved. If you think this is hyperbole then you should reevaluate how free you really are.

Just a thought.

You are right, but you stopped way short.

Stop sending your money to those who ASSIST in this tyranny. Why do you all keep Gmail accounts, and Facebook accounts, knowing full well these traitors have handed over full unfettered illegal access to a "secret court" in DC? If we accept secret courts, we have already shown that we will accept all of it: secret trials, secret convictions, secret executions, torture of US Citizens for the slightest infringements of a legal system gone beserk.

Cancel your "smart phone." It tracks you, and can be converted to bug you even with it turned off. Verizon betrayed us. Switch to prepaid phones and stop sending them $200 a month for playtoys. This is serious business here. We are all going to have to make some sacrifices if we are to regain our freedom.

When did you last hear a politician say he was a "servant of the People?" They are emboldened, rash, unapologetic and megalomaniacs. Take the power back.

Drop out of Facebook and Gmail and Yahoo mail and Hotmail. Use the little guy. Use Startpage or DuckDuckGo for searches. Let's all get smart here. At least give the traitors and tyrants some financial pain to have to think about, show them there are no free shots. Start your own ISP, like we did in 1998.

June 15, 2013

Permalink

I just read that Tor is 80% funded by the US Government, mainly through the State Department. He who has the gold, makes the rules.

Signing off Tor now.

June 15, 2013

Permalink

Some say TOR can\t be trusted. Some say you trust TOR with great risk at hand of course. Wouldn\t it be better when in doubt leave it out

Why don\t people just go back to using traditinal pen and paper letter writing, sent by postal service. You can use security envelopes that will visually obscure note content if placed through a high luminosity scanner.

We\ve doent his before the internet. Why can\t we do it theses days
Are we too lazy

If you have to talk with someone about something very confidential, don\t use a telephone. Just make your call to the person you want to disclose sensitive information and state you want to meet, face to face and talk over coffee. You can always whisper the secret info in the persons ear. The italian mafia has been doing it since the advent of mafia.

You people make it too easy for government surveillence.

I know we need the internet, but it\s merely a
convenience. Getting your data to destination instantly.

Besides, can you really trust something made by the same government that spies on you.

Caution with everything. Trust nobody. Never make your life an open book on the internet. Facebook users are silly, ignorant, attention whore, wannabe net celebrities. Is your self importance that great, that you need to have 15,000 friends and a million likes_

If you want some information about you to be known forever, then process it on the internet. As long as the internet lives and storage devices operate, your personal data is in cyberspace permamently.

In my opinion, the internet should die. It has done more to harm humanity than help because now that all the truth is out there about corruption the governments are beating the piss out of people to silence them. Money, connections, political clout, military equate to power. If you have none of those in significant quantity you can do nothing to stop the forces that want to control you. Only solution is live in the Himalayan mountains. Nobody will bother to come after you or track you. Government wont even waste a drone strike on you.

If your letter crosses US border, either incoming or outgoing, US Customs can open your envelope and read your letter to see if it contains national security information. In the old days, US Customs would place green tape with a stamped code on the tape, on the back of your envelope to reseal your envelope.

"meet, face to face and talk over coffee."

A little difficult to do that when the person you want to talk with lives halfway around the globe...

June 16, 2013

Permalink

Being in Cybersecuirty many on-point responses are laser focused. However NSA, IRS and other agencies use TOR to mask (notice I did not say hide, mask is the head, hide is all) but I digress. The tails are good, if you want email that is gone, .guerrilla mail works great, BUT your other party better be able to get in <59 minutes or POOF. Fact is, this whole system is run by U.S., even Skype once thought to be secure.. Negative Ghost Rider.. Pattern is Full. I will stay with Uncle Phil Zimmerman and cut cookies on the fly. Not that I am hiding any bad behavior, my choice for people coming to my party. If anyone wants to go off the grid, well move VERY far up north and pay by gold. When you have ISP's, Telco's running fiber straight to Big Bro servers... well.. DAH! I have used a lot of proxies, this one is the quickest and they got rewarded for that.. if people do use this.. support them even if it is 1X, do not be a leach!

June 16, 2013

Permalink

Like I said before why not make a TAN The alternate Net to rival the internet. Yes the power resources is one major problem but we can use this net base on these combo that I think is the best;
1. Freenet for basic infrastructure for internal relay and net connection
2. Garlic routing look alike for additional encryption layer I suggest using more than 1 encryption layers and finally
3. Tor look a like that have the same ability of anonymous connection but with the above combo has more security.
I'm not a programmer nor a tech savvy but should I'm then this what I shall do. This TAN is also can coexist with the internet while their main infrastructure is a peerless and serverless therefore you cannot track them down. Just use the sharing bandwith with all the users, the more the user then the bigger the bandwidth. Every connection made to this network shall have to share each one bandwith, or should any one have better ideas feel free to share.

June 17, 2013

Permalink

The "you should not use Tor" messages are all over the net. I wonder what dictatorship pays for that.

June 17, 2013

Permalink

My post hopefully is above this one, if not, reference to Ghost Rider. For those that support Follywood, I suggest the following movies to watch for the content. Notice the date stamp of them and where we are today. For the thinking and logical your response should be.. how the....

Enemy of the State

Sneakers

The Recruit where oddly enough notice how the data was removed.

Makes you wonder if Follywood has some inside track or mole. As said before, if you use Tor pitch in some $, not that I have Tor stock but they are hands down the best we are allowed to use. You also need to learn these 3 letters, PGP. If you think VMWare, MSVM or others will keep out OWL eyes, NEGATIVE GHOST RIDER!

Lastly, this is all about YOUR privacy, do what is right, shore up what others have tried to break down and protect what is ours. When Utah goes on-line, Katie bar the door!

.

June 17, 2013

Permalink

Starting yesterday I started getting Bad IP notices when connecting to Facebook. Today I started getting logged off and would be unable to reconnect, getting this message: "Firefox has detected that the server is redirecting the request for this address in a way that will never complete." Any thoughts as to whether FB is blocking ToR?

June 17, 2013

Permalink

It would be interesting to know the % increase in Tor downloads after the Snowden story was published as compared to average # of Tor downloads before Snowden story.

If all new Tor users are client only, look for increased congestion on Tor network. Maybe some new users will choose to run relays or bridges if these options are noted by Tor project on the Download page as being the most anonymous ways to use Tor.

June 18, 2013

Permalink

Brainwashed yank fucked up hundreds years of democracy for The World Police State aka World Terrorist State.

June 19, 2013

Permalink

CNBC is reporting a 33% increase in DuckDuckGo search engine usage since the NSA story broke, I wonder how much of that 33% is because of TBB users?

If CNBC is publicly acknowledging DuckDuckGo, then I would not trust DuckDuckGo.
If any of the MSM's start publicly acknowledging Tor, then I will begin
to worry about Tor also.

June 22, 2013

Permalink

I have a quick question. I hope this is the right place to ask.
Please direct me elsewhere if I am in the wrong place.

When I use TOR browser bundle, I have noticed that my browser window
(when maximized) is reported to be of an unusual size that is some
small number of pixels less than my system screen resolution of
1600X1200. When I resize the TOR browser window, new size
information is transmitted to websites I visit. I see this by using
panopticlick.eff.org.

Panopticlick.eff.org indicates that this information on screen size
is causing my browser footprint to be fairly unique in that this
screen size is seen in only 1 out of every 1,500,000 browsers they
tested. Their test space was three million browsers tested.

On the ubuntu12.04LTS 64bit version of Firefox_21.0 I run which is
not TOR, the window size is seen by panopticlick as 1600X1200 no
matter what I resize the Firefox browser window to. This 1600X1200 setting is
used by 1 out of every 140 browsers they tested.

Transmitting this browser window/screen size information allows some
tracking of my internet use by the uniqueness of my browser footprint
when I use TOR bundle.

Is there a way for me to fix this on my end?

Thanks.

June 23, 2013

Permalink

People worried that Tor was developed by the US navy might be forgeting that the whole internet is based on the Advanced Research Projects Agency Network (ARPANET). And Advanced Research Projects Agency is now Defense Advanced Research Projects Agency - AKA DARPA.

So if you use the logic that the US military made it then it is suspect then you should not use the internet for anything !!!!

June 24, 2013

Permalink

Now might be a bad time to unbundle Vidalia from Tor Browser, because now setting up a relay is harder. Also, we can try to convince P2P file sharers to donate their network capacity to Tor instead of some leech wanting the latest film for free.

June 26, 2013

Permalink

It doesn't matter who and/or where you are, the moment you connect 2 the internet your communications are in the hands of some secret agency or government. Big Brother is watching everyone!!
What surprises/wonders me is why these secret agency's/government's do nothing against:
- the distributors and collectors of child-pornography???
- banks & insurance-company's who are robbing our money and are at the base of the worldwide financial/economical crisis??
I guess that keeping our children save is no priority and that manufacturing and selling weapons is more provisional than stopping the crisis.
So War-on-Terror my ass, it's all about the money and the power!!!!

June 26, 2013

Permalink

NSA doesn't give a rat's ass about your girlfriends, porn surfing, or personal views. Do you really think they screen every packet that crosses every server, gleaning information about every person to build profiles on us all, so they can later use that information to control us? They and other government agencies sniff networks for packets containing specific words, phrases, and subject matter relating to national security. They have way too much data and much bigger fish to fry to worry about annonymous users passing stupid emails or downloading music and movies. Do some get caught? Sure they do. Should they be caught? The law says so. Piracy is illegal. If you're trying to get away with copyright infringement or espionage, you probably should be concerned, but if you think NSA, or any other federal agency is spying on everybody, you're just being paranoid.

Are tor and other annonymity tools valuable? Absolutely, but don't think you're protecting yourself from your own government. You're more likely to be a target of Microsoft, Google, or one of your geek buddies just wanti g to screw with somebody. If you don't break the law and don't conspire to do damage, the government isn't concerned with "spying" on you.

June 27, 2013

Permalink

nice timing for an update on macupdate. =0)

i'll cut it short.

surprising that all you commenters fail to see just a bit deeper and understand that tor and stuff is useful only as a filter of connections that ARE WORTH monitoring. ffs.

p.s.
because –#kitty tag doesn't always work

June 29, 2013

Permalink

I'm guessing that the NSA PRISM story has turned your blogs into a soapbox for privacy advocates. Maybe that's why you haven't posted any comments for awhile. I'm sure you receive comments and I'm sure you have reasons for not posting them.

July 01, 2013

Permalink

Because of prism and tempora a lot of users are starting to use tor now. I wonder if the tor network capacity could handle that. I just found this
http://igg.me/at/peermet
seems to be brand new, but looks promissing to me.

July 02, 2013

Permalink

Guess I have to read everything about PRISM. However, the Funny/Interesting thing that I can share is about bugs in computers. I put a Great amount of validity in this information because it was randomly told to me when I was looking for an apartment.
So, in a remote rural area, looking at apartments around Oct. 2005, talking to this older man (who owned them). He was a talker; I thought talking would increase my chances to haggle the rent price.
Somehow we get on the computer/internet subject and he tells me a Friend of his was recently in China for computer sales or something. And, this friend of his said the new computers he saw had extra Un-required items inside.
It isn't difficult to see...if one is online 1) your exact position is known 2) information can be tapped/captured/decoded 3) receivers can capture sound
Another misnomer (related here) 911 "service" is simply a pinpoint location of You. It is not in regard to your best interest. I've called my state several times about 911 change of address and get comical unbelievable answers for why.
A change of address is when you (the individual) changes your address. You are not obligated to put in a change of address...you didn't change your address. The state did; the state needs to put in all of the changes of addresses that They changed.

July 03, 2013

Permalink

i'm a little sceptical about tor because the same government which runs prism supports tor with 2m$ annually.

August 04, 2013

Permalink

What you *forgot* to say is, that Tor is financed by the US-government. What was it, CIA at first, Navy now? Uhhhhh And you say you are safe? Yeeaaah, right. I whish you were.

I need cookies to send a comment? Of course you also *forgot* cookies can be used for tracking?