Privacy International Protects Partners With Its Onion Address

by steph | May 29, 2018

This guest post is written by Ed Geraghty, Technologist, Privacy International.

No one shall be subjected to arbitrary interference with [their] privacy, family, home or correspondence, nor to attacks upon [their] honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

- United Nations Declaration of Human Rights (UDHR) 1948, Article 12

The right to privacy is a qualified, fundamental human right.  We at Privacy International (PI) work hard with our network of partners to ensure this fundamental right is protected - it is essential to autonomy, the protection of human dignity, and is the foundation upon which many other human rights are built.

This is becoming ever-more important in an age of ubiquitous, indiscriminate mass surveillance, especially as more and more aspects of our daily lives - interactions with friends, family, companies, and the state - are dependent upon technology. In order for individuals to fully participate in the modern world, developments in law and technologies must strengthen and not undermine the ability to freely enjoy this right.

We challenge governments' powers by advocating and litigating for stronger protections. We lead research and investigations to shine a light on powers and capabilities, and to instigate and inform debate. We advocate for good practices and strong laws worldwide to protect people and their rights. We equip civil society organisations across the world to increase public awareness about privacy. We raise awareness about technologies and laws that place privacy at risk, to ensure that the public is informed and engaged.

Tor is an important tool in our arsenal - a technology which allows people to communicate, use the internet, and browse the web in a manner which evades censorship.

Many of our partners work in challenging environments, with massive state surveillance and/or ongoing censorship programmes. Giving them an ability to securely browse the web (both clear and onion) in a way which allows them to evade dragnet surveillance also allows them to conduct investigations securely.

Running an onion address gives our community cryptographic protections for their traffic beyond those available on the clear web: both security and the assurance that when they visit privacyintyqcroe.onion they are communicating with the *genuine* PI website (serving content at the onion address is cryptographic proof that the server side possesses the corresponding private key).

We at PI offer an onion address so that people who would otherwise not wish to flag themselves as "an activist" or as someone "interested in surveillance capabilities", perhaps because of where they're based or the work they do, can visit our website.

Setting up an onion service with automated redirection when a Tor exit node is detected has also shown how popular Tor is when the option is offered organically: over 1/5th of traffic by bandwidth to our website is conducted using our onion address.

Setting up an onion address for PI was, all in all, fairly painless. The part which took the longest was generating our "vanity" address of privacyintyqcroe.onion.

We did this in the same way as Facebook using Scallion - randomly generating addresses until we generated one starting with "privacyint".  Although not a required step by any measure, we also then applied for, and received, an Extended Validation (EV) SSL certificate, so people visiting the onion address of our website could be sure that they were talking to the real PI.

Since then, we have refined our infrastructure, taking advantage of OnionBalance to provide some load balancing in order to remove single points of failure, as well as taking advantage of the additional security provided by keeping the private key on a separate machine from the onion service. In addition, we now check if someone visiting our clearnet address is coming from a known Tor exit node, and then seamlessly redirect them to our onion address so they can benefit from the extra protections offered by the network.
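
As an added illustration (not Privacy International's or Thornsec's code), the following WSGI middleware shows one way to implement the exit-node check and redirect described above. It assumes an exit list in the `ExitAddress` line format used by the Tor Project's published exit lists, a constructed sample list with documentation IP ranges, and an onion site served over https; the names `parse_exit_list`, `client_is_exit` and `OnionRedirect` are hypothetical.

```python
import ipaddress
from urllib.parse import quote

# Onion address from the post; the https scheme is an assumption (the post mentions an EV certificate).
ONION_BASE = "https://privacyintyqcroe.onion"

# Constructed sample in the "ExitAddress" list format; fingerprints and IPs are placeholders.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2018-05-28 10:00:00
LastStatus 2018-05-29 09:00:00
ExitAddress 192.0.2.10 2018-05-29 09:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2018-05-28 11:00:00
LastStatus 2018-05-29 09:00:00
ExitAddress 198.51.100.7 2018-05-29 09:06:00
ExitAddress 2001:db8::7 2018-05-29 09:06:00
ExitAddress not-an-ip 2018-05-29 09:06:00
"""


def parse_exit_list(text):
    """Return the set of exit IPs, skipping malformed lines instead of failing."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return frozenset(exits)


def client_is_exit(remote_addr, exits):
    """True if the TCP peer address is a listed exit (IPv4-mapped IPv6 is unwrapped)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except (TypeError, ValueError):
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr in exits


class OnionRedirect:
    """WSGI middleware: send clearnet visitors arriving via a Tor exit to the onion site."""

    def __init__(self, app, exits, onion_base=ONION_BASE):
        self.app, self.exits, self.onion_base = app, exits, onion_base

    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        # Use REMOTE_ADDR only: X-Forwarded-For is client-controlled unless set by a trusted proxy.
        peer = environ.get("REMOTE_ADDR")
        if not host.endswith(".onion") and client_is_exit(peer, self.exits):
            location = self.onion_base + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            # no-store keeps shared caches from replaying the redirect to non-Tor visitors.
            headers = [("Location", location), ("Cache-Control", "no-store"),
                       ("Content-Length", "0")]
            start_response("302 Found", headers)
            return [b""]
        return self.app(environ, start_response)
```

The exit list changes continuously, so a deployment would refresh the parsed set on a schedule rather than load it once.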

We have rolled this code into our configuration and auditing platform, Thornsec, basing this part (albeit loosely) on Alec Muffett's Enterprise Onion Toolkit.

As the web becomes ever-more mined, censored, and surveilled, offering a .onion alternative for privacy-conscious users is something which should be welcome, and we recommend more organisations do so. Although since most websites' business model seems to be mining data without their users' knowledge (as we've seen with GDPR alerts), we know that this will require some prodding. That's what PI's here for.

---
*Privacy International is a registered charity based in London that works at the intersection of modern technologies and rights.*

 

Comments

Please note that the comment area below has been archived.

May 30, 2018

No v3 onion service??? When will OnionBalance support v3???

I don't see it as a big deal; v3 onions are still very new and far from being default. There's no need to hurry, and it will get support whenever someone steps up and writes the code. It's not developed by The Tor Project, though, so it can't be of much help.

June 05, 2018

In reply to steph

Steph, what about the strange PKI cert for this blog? The problem has been confirmed by at least one other user.

May 31, 2018

Great stuff! The onion works great for me and the PKI cert seems to make sense. Was able to DL an interesting report I had missed. Thanks to all for doing this!

Can TP help aclu.org to move to their own onion?

Best to have the entire site onionized to avoid deanonymizing hop-outs.

May 31, 2018

===> Offtopic but important!

https://www.eurekalert.org/pub_releases/2018-05/spuo-ufm052418.php

"Defence against unwanted audio tracking by acoustic cookies"

"The SoniControl project of St. Pölten University of Applied Sciences has developed a mobile application that detects acoustic cookies, brings them to the attention of users and if desired, blocks the tracking. The app is thus, in a sense, the first available ultrasound-firewall for smartphones and tablets.

"The most challenging part of developing the app was to devise a method that can detect different existing ultrasound-transmission techniques reliably and in real time", said Matthias Zeppelzauer, Head of the project and Senior Researcher in the Media Computing research group of the Institute of Creative\Media/Technologies at St. Pölten UAS.""

not so off topic !
it is a matter of hardware unfortunately ... a controller (wifimax, 5g, cpu new generation e.g) is implemented as (also as backdoor) a sophisticated relay for a quick network.
i.r & long range are on the same area of 'work' like ultrasound because they explore a new communication zone for the xxi/xxii century : and what about a parabolic receptor & a spatial relay (antenna outdoor & implemented) for the satellites ?
this movement is a modern revolution in the world of communication which the leader could be intel & texas instrument from i read.
the purpose is for connecting the users in a short area (5 miles) & long area (25 miles) using relays disconnected of internet (except maybe one).
Remember that ultrasound is the favorite technical tip for spies : it is not a joke but a true story.
acoustic cookies must be a sophisticated tracker & the ultrasound firewall becomes a tool for spies or against according the point of view.

> it is not a joke but a true story.

This week marks the fifth anniversary of the initial Snowden leaks. Everyone here no doubt remembers them--- but how many details do you remember?

I encourage everyone to take a moment to visit https://www.eff.org/nsa-spying/nsadocs, pick a file at random, and study it. Just to slightly refresh your memory about the enormous scope and ambition of the dragnet.

"Collect it all.. exploit it all". And NSA means that quite literally. They want *all* of it. Everything in anyone's electronic device anywhere, whether connected to the Internet or not. Some teenager's late night call to a friend, your laundry list from April 1992, grandma's purchase last week of a birthday gift for your aunt... everything. Because anything and everything might perhaps prove in some way "useful" to them... someday.

But why do they snoop on such a scale? Because they can. Current technology makes enormously intrusive dragnets affordable. That is perhaps the most important lesson of the Snowden leaks.

It may not be a coincidence that today the stranger corners of the Internet were full of hysterical wide-eyed "reporting" based upon an odd incident from back in April:

popularmechanics.com
Government Accidentally Releases Documents on "Psycho-Electric" Weapons
David Grossman
19 Apr 2018

> The government has all kinds of secrets, but only a true conspiracy theorist might suspect that "psycho-electric weapons" are one of them. So it's odd that MuckRock, a news organization that specializes in filing Freedom of Information Act (FOIA) requests with state and federal government bodies, received mysterious documents about mind control, seemingly by accident. Journalist Curtis Waltman was writing to the Washington State Fusion Center (WSFC), a joint operation between Washington State law enforcement and the federal government to request information about Antifa and white supremacist groups. He got responses to the questions he asked, but also a file titled “EM effects on human body.zip.”

(EM = electromagnetic field.)

The zip contained several documents apparently written by at least three distinct people who were clearly afflicted by something--- but probably not something caused directly by the USG spy agencies--- plus an over the top "mea culpa" from a WSFC employee who made the mistaken(?) disclosure. As Grossman remarks, it was a pretty weird mistake. Yet in a way, a valuable if nonresponsive disclosure: those who wonder what WSFC employees do all day in their jobs "monitoring the Internet". A partial answer seems to be: not monitoring neonazi groups, but collecting anatomical diagrams from some poor lady who apparently believed the government was giving her "forced orgasms". American taxpayer dollars at work, woo hoo.

The longest document appears to be part of a 1992 civil suit against NSA, which was later reprinted (without permission?) by Nexus magazine, an Australian publication which specializes in nonstandard medical news and conspiracy theories. (There should probably be "scare quotes" around some of those words but I'll let the reader decide where to place them.)

The interesting thing about this document is that, while the author is clearly not an engineer and does not appear to be entirely sane, many of the detailed allegations he made--- in 1992, recall--- have been validated, in detail, by the 2013 Snowden leaks.

He also devotes much space to some allegations about "RNM" which appear rather implausible, based upon what is publicly known in 2018, but it is interesting that everything he discusses is in fact the subject of DARPA research (verging on pseudoscience, but DARPA prides itself on being willing to conduct pseudo scientific research with equal gusto as its more mainstream research). And in 2018 the fact that DARPA is doing this is hardly secret.

I suppose one conclusion we can draw from this story is that because so few people really know very much about current technological capabilities, very few people are really in a position to judge whether some "wild" claim about surveillance is plausible or not.

For example, how many ordinary citizens would have credited the claim, made before the recent Cambridge Analytica scandal made headlines news, that an on-line personality survey was simply a way to trick sixty million ordinary citizens into giving up private information to a British "information action as a service" company with ties to Russian intelligence, which would later be sold to a US Presidential campaign? Before the Snowden leaks, how many ordinary citizens would have regarded as credible the claim that USG implanted sophisticated malware in data centers around the world? Intruded into telecom and banking networks around the world? Targeted scientists to steal their scientific data before publication?

In many ways, the world of government secrecy is not only stranger than we imagine, it is stranger than we *can* imagine. Unless we are shown the actual above top secret documents. Which is why the Snowden leaks were so important: Snowden showed us the documents, and suddenly no-one could deny anymore that the truth was not only far worse than we thought, it was far worse than hardly anyone could even have imagined.

Back to the spate of "stories" today trumpeting the claims made in these documents as if they were genuine government documents (which they clearly are not), it is possible, even plausible, to suspect that this represents the last disinformation campaign in which NSA attempts to persuade forgetful citizens that the Snowden leaks were all some kind of mass hysterical joke about some poor lady who apparently thought the government was giving her "forced orgasms".

But the Snowden leaks were no joke, the dragnet is very real, it is still very much with us, and its continued existence threatens us all. Snowden himself phrased it like this: the contents of the Utah Data Center amount to "databases of ruin". Those contents will come back to haunt all of us, if we cannot cause NSA to be deleted from the world.

hidden wifi function implemented in the cpu : does it work ? is it not a dead acoustic cookie reception/emission ?
i wonder why the person who alerts never gives us the details of the chip/model/number & never explains who uses it & why and how an acoustic cookie could reveal something or someone..
by whom he is paid for ...

Yes, interesting!

For anyone who was wondering, WP says that St. Pölten University of Applied Sciences is in Austria. And the research

> was funded by the netidee initiative (http://www.netidee.at). The support campaign was organised and financed by the non-profit Internet Foundation Austria (IPA).

It is very encouraging to see university engineering students around the world taking up the cause of consumer privacy. More please!

June 01, 2018

and what about the option (checked) :
query OCSP responders servers to confirm the current validity of certificates ?
is it not a measure for un-anonymizing the user ?

you can set ff for avoiding google but does tor run with google ?
avoid the site which provide a captcha pls (except few ones ; captcha could be required for registration e.g.).
report it on the google/mozilla mailing list
this blog runs a captcha for commenting/replying not for reading it (it is a measure against spammer).

June 03, 2018

Latest version of Tor infected... apologies if this is not correct place for this post

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 01/06/2018
Protection Event Time: 14:54
Log File: 532710be-65a3-11e8-9dde-ecf4bb17d8fe.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.365
Update Package Version: 1.0.5332
Licence: Trial

-System Information-
OS: Windows 10 (Build 17134.48)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Ransomware
Domain:
IP Address: 134.19.177.109
Port: [53957]
Type: Outbound
File: C:\Users\Main user\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe

June 05, 2018

Debug or a high level of logging still present when using obfs4 bridges

Debug or a high level of logging still present in
/var/log/tor/log when using obfs4 bridges.

This is a reminder that this problem continues to exist in Tails 3.7.
(and several versions prior)

"[warn] Your log may contain sensitive information - you're logging more
than "notice". Don't log unless it serves an important reason. Overwrite
the log afterwards."

The logging is crazy and consumes several MB per session.

** I have not tested this with plain Tor and/or TBB outside of Tails.

** Nevertheless, this is being posted here just in case.
(and for historical purposes as the problem continues to exist in Tails!)

June 05, 2018

> No one shall be subjected to arbitrary interference with [their] privacy, family, home or correspondence, nor to attacks upon [their] honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

It seems notable that Sun 3 Jun 2018 marked the fifth anniversary of the epochal Snowden leaks. It was marked by a nice interview (note that MacAskill is one of the trio of reporters who broke the Snowden leak story in the pages of The Guardian):

theguardian.com
Edward Snowden: 'The people are still powerless, but now they're aware'
Ewen MacAskill and Alex Hern
Five years after historic NSA leaks, whistleblower tells the Guardian he has no regrets
4 Jun 2018

> Edward Snowden has no regrets five years on from leaking the biggest cache of top-secret documents in history. He is wanted by the US. He is in exile in Russia. But he is satisfied with the way his revelations of mass surveillance have rocked governments, intelligence agencies and major internet companies...

> Other shifts in the technology sector show Snowden’s influence has in many ways been limited. The rise of the “smart speaker”, exemplified by Amazon’s Echo, has left many privacy activists baffled. Why, just a few years after a global scandal involving government surveillance, would people willingly install always-on microphones in their homes?
>
> “The new-found privacy conundrum presented by installing a device that can literally listen to everything you’re saying represents a chilling new development in the age of internet-connected things,” wrote Gizmodo’s Adam Clark Estes last year.

Freaky indeed. Two possible partial explanations:

o the Snowden leaks revealed a huge and complex ongoing operation; it is easier for Joe Average to forget all about it than to try to keep the existence of the dragnet in the forefront of his thoughts,

o some people enjoy attention and may feel flattered by the thought that someone is studying them--- which would be rather stupid since we are talking about back office Amazon software not a potential mate, and since Amazon intends to manipulate the person for profit, irrespective of their best interests.

But these are only suggestions, not a true explanation.

> Towards the end of the interview, Snowden recalled one of his early aliases, Cincinnatus, after the Roman who after public service returned to his farm. Snowden said he too felt that, having played his role, he had retreated to a quieter life, spending time developing tools to help journalists protect their sources. “I do not think I have ever been more fulfilled,” he said.

Exactly: fighting to eradicate NSA is so much more challenging and rewarding than working for NSA! Not to mention fighting NSA is the right thing to do; working for NSA would be very wrong.

Mark my words: many younger readers will live to see high schools named for Snowden, and even a White House ceremony in which he is awarded the Presidential Medal of Freedom. Unless of course Drump ends it all in a nuclear fireball, or USA otherwise ceases to exist, or Drump is succeeded by President for Live Barr, or NSA continues to exist...

June 06, 2018

I can't log into twitter. I try to reset the password but nothing happens. It doesn't even say wrong password wrong username. It just stays as is. So I tried resetting the password on another browser using a VPN and it starts the process to reset my password but it didn't while using Tor. I'm using Windows, browser-based twitter web client. Not mobile.

June 07, 2018

> No one shall be subjected to arbitrary interference with [their] privacy, family, home or correspondence, nor to attacks upon [their] honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
>
> - United Nations Declaration of Human Rights (UDHR) 1948, Article 12

i love this article but i live in a country (fr) where it has not been applied for at least 50 years and the military complex (which nsa) does not help.