Strength in Numbers: The Final Count Is In

One of the Tor Project’s ongoing goals has been to diversify our funding sources. We are pleased to announce that in 2018, we raised over $460,000 from individuals like you who use Tor for your personal privacy and who understand the importance of making Tor available to everyone. Together, we raised more donations from individuals than ever before.

Almost half of our total income from individuals in 2018 was raised during our year-end campaign. There truly is strength in numbers. Every donation--whether it is $2 or $1,000--supports us on the ground speaking with activists, journalists, and internet users in countries all over the world, teaching them about Tor and online security, and supports Tor’s development, helping us keep Tor the world’s strongest tool for privacy and freedom online. Thanks to Mozilla’s generous match, each gift made between October 23 and December 31 was matched.

In addition to Mozilla’s match, a generous anonymous donor offered to match all new donor contributions up to $20,000. This challenge was met in less than 20 days and, throughout the entire campaign, we received gifts from 2,029 new donors who gave more than $97,000.

Tor users are from all over the world, and so are our donors. In 2018, people from 115 countries came together to take a stand against tracking, surveillance, and censorship on the web by supporting the Tor Project.

During the campaign alone, we gained 100 new monthly donors! Sustaining gifts provide the Tor Project with steady, reliable income that is essential to our ability to respond quickly to unexpected challenges and threats.

Beyond raising the income we need to carry out our work, this year-end campaign was an opportunity to reflect on the ways in which people have come together to fight for privacy. We featured stories about how Tor Project staff members work directly with librarians, Tor users in at-risk communities, human rights defenders in communities experiencing internet censorship, and developers of applications that rely on Tor’s technology. We wrote about how we are constantly working to diversify the Tor network to increase sustainability and ensure users are more secure. We wrote about our efforts to localize our tools and resources, moving closer to our overarching goal of making Tor accessible to everyone.

We are so grateful to everyone who financially supported the Tor Project in 2018. As Isabela Bagueros said in her first blog post as Executive Director, donations from individuals allow us to “easily allocate resources to whatever important events that requires our response, and reorder our priorities whenever needed. This is extremely important for any software development organization, especially one that provides essential safety to people in volatile locations like Tor.” And your support counts all throughout the year, not just during our campaign.

Some big tech companies rely on invasive practices to gather, and subsequently sell, your data--and that's how they generate their revenue. By donating to the Tor Project, you are supporting an alternative model, where personal privacy is of utmost importance.

You make a difference. You make a better internet possible. Thank you.

Sincerely,
The Tor Project Fundraising Team

 

Anonymous

January 10, 2019


> One of the Tor Project’s ongoing goals has been to diversify our funding sources.

It is very important to stick to that goal, and very good news that Tor Project is making strong progress towards achieving it!

> As Isabela Bagueros said in her first blog post as Executive Director, donations from individuals allow us to “easily allocate resources to whatever important events that requires our response, and reorder our priorities whenever needed.

That's a good point. TP needs to be flexible in the face of so many technical, political and legal threats all around the world.

Another development worthy of celebration is that some mainstream publications have become more willing to urge ordinary citizens to use "Tor for everything", for example

https://www.wired.com/story/tor-anonymity-easier-than-ever/
Tor Is Easier Than Ever. Time to Give It a Try
Lily Hay Newman
1 Jan 2019

Second only to the onion concept itself, the single biggest advance in "Tor for the people" was the introduction of Tor Browser, and I had hoped that Tor Messenger would be the next great thing which would make Tor usage explode worldwide. S was very transparent about the technical difficulties he was facing and it was tragic that others with the necessary knowledge did not step in to offer ideas and coding help. I hope that TP will try hard to create software which does for chat what Tor Browser did for websurfing, despite the formidable technical obstacles and severe political threats which can be inferred from USIC/Mossad-sourced scare stories about alleged terrorists using scary chat programs.

(Some of these mainstream media scare stories do not lie per se, but do wildly exaggerate the extent of the threat to US citizens while entirely neglecting to mention the many benefits of strong civilian cryptography. I worry that if unanswered by TP, such stories will be used by FBI to build popular support for their "Going Dark" insanity, which directly threatens the very existence of the Tor community. Scare stories in far right venues often do present false statements as factual.)

I worry that USG will threaten TP if you attempt to resurrect TM (which will probably require starting from scratch with a larger team), or even serve you with another (?) NSL, which presumably would cause you to shut down the project rather than comply under duress with an unacceptable USG demand for free access to Tor user chats via TM. If you do try to resurrect TM--- in my view nothing would do more to increase Tor usage worldwide than software which does for chat what Tor Browser did for browsing--- you will need to have a plan for media outreach and so on. While this is easy for me to say, I urge you to consider the possibility of having a designated legal target who will call a press conference and say "TP received an NSL with a gag order which I am violating by giving you copies of the NSL", but I remind you that in every case where people have simply defied a gag order, USG has backed down, for example by saying that they only included a gag order by mistake.

Speaking of NSLs, it seems that Cindy Cohn (your board member from EFF) is involved in a case in which EFF is seeking permission from a US court to reveal one or more NSLs which an unnamed organization has been fighting in the courts. I believe that oral arguments were heard late last year which should mean that a decision will come down in the next few months. I encourage EFF and the unnamed organization to continue the legal battle, and even to consider simply violating the gag order if that is what it takes to get favorable media attention and funding for appealing all the way to SCOTUS.

On the topic of increasing Tor usage: I and perhaps others could use some advice in changing hearts and minds of ordinary citizens who have a strong negative emotional reaction to Tor and to encryption generally. In addition to donating money to TP, I've tried to help the Tor community by encouraging people to use Tor, but results have been poor. If any Tor employees or volunteers have enjoyed success in persuading ordinary citizens (especially vulnerable citizens) to use Tor Browser and other Tor enabled tools, I'd like to hear your tips! Maybe TP can post an essay in this blog?

One US-centric obstacle I have faced, going back to the earliest days of Tor, is the deeply entrenched mistaken belief that USG will let you pursue your possibly radical or dissident political beliefs unhindered, provided that you do not use Tor or even encryption. Anyone who has studied the documents leaked by Snowden and others, or read the books by authors such as Tim Weiner and James Bamford, knows that this belief is not only the direct opposite of the truth, but also extremely dangerous to those who act upon it.

Another phenomenon I have observed, which is somewhat distressing to a progressive, is that the far right is far more receptive to using Tor and encryption than the left. I think this may have something to do with the assumption, common among leftists, that strong belief in the virtues of transparency (in the sense of open government)--- a belief which I share--- is inconsistent with using encryption or Tor. I see no contradiction: one can be transparent about who you are, what your goals are, and in general what your methods are, while still using encryption and Tor to communicate sensitive data, perform sensitive on-line research, and for discussions which should not be public (one obvious example being discussing emergency measures to mitigate a just discovered security flaw in your network). It seems to me that this unthinking resistance to trying to protect your group from cyberespionage and too easy open-source surveillance is one of the principal reasons why grassroots progressive movements, foreclosure/eviction protests, pipeline protests, land seizure protests, etc, are so easily stymied by the financial/corporate elite and their loyal servant, the USIC, while the far right grows stronger every day.

Leftists have complained for years that FBI regularly attempts to surveil leftist political advocacy groups, while ignoring far more dangerous rightist groups, and many leaked documents suggest that there is considerable truth to this. One reason might be that FBI's biggest goal has always been to enhance its own public image, which means FBI tends to focus its energies on actions where it expects easy success (such as spying on leftists) rather than on actions where it expects to encounter technical difficulties (spying on cybersecurity-aware rightwing groups) or physical danger (spying on the Proud Boys) or even PR disaster (Ruby Ridge).

Until the outcome of the 2016 election shocked the Democratic Party elite into examining some of the reasons for their Big Fail, I found that these people were also astonishingly resistant to the suggestion that they were guaranteeing failure by insisting (incorrectly as everyone now knows) that no-one would dare to cyberattack them, because "NSA is on the job", snort, but that was more a case of the kind of self-destructive arrogance to which powerful people so often fall prey. That at least is one thing Tor Project leadership probably need not worry about--- TP is still very far from being as influential in US politics as a Pelosi or a Podesta!

Any suggestions?

As a right wing person, Tor user and advocate myself (libertarian rather than republican) I think I agree that more people on the right use Tor. Though not looking for 'Tor users' at the time, I have met people who are indeed regular users of Tor and get clear benefits from its use. For them it's about practical solutions to real problems. I think it remains true that anonymity loves company whatever your political alignment - though some things I find a little puzzling to see.

> it's about practical solutions to real problems. I think it remains true that anonymity loves company whatever your political alignment

Exactly. I always encourage everyone to use Tor, and I do not inquire about their political beliefs before I urge them to try to protect themselves better from electronic snooping.

Because anonymity loves company, whenever we persuade anyone else--- regardless of gender, nationality, religion, ethnicity, sexuality, or political beliefs--- to use Tor for everything, we are helping everyone, including ourselves.

In a world in which so much separates so many so far, one thing at least unites us all--- we all need Tor for everything we do.

Wow, you just made my day!

One bit of advice: TP says (and I agree) that new users of Tor Browser should read

https://www.torproject.org/download/download-easy.html.en#warning

so that you know what Tor Browser can and cannot protect you against.

I hope you find Tor Browser as fab as I do! If so, you might want to try Tails also for even more anonymity/security:

tails.boum.org

Tails Project is based in Europe but is closely allied with Tor Project, which is based in the US. Both projects are to some extent global. Tails is an "amnesiac" OS you use to boot your computer (PC, laptop, tablet, notebook with 64 bit CPU) from a USB, which comes with Tor Browser installed and immediately usable with extra security/anonymity enhancements, plus email, chat, LibreOffice (open source Microsoft Office clone), video editing software, printing, and much more. The general idea is to use your device (PC, laptop, tablet, notebook) without leaving traces of your activity on the hard drive, while still being able to surf the web, view videos, download things (more safely), and to work offline preparing documents or editing videos.

In particular, if you often download and read PDF documents, these often contain embedded links which can deanonymize you. That is why Tor Project recommends reading PDFs you downloaded via Tor Browser offline (after you disconnect from the internet). Tails offers additional protections which will probably protect you against this.

If you use email a lot and want to protect yourself against being deanonymized and tracked by 1x1 gifs or link shimming, reading email using Tails is possibly safer. See also

eff.org
(Don't) Return to Sender: How to Protect Yourself From Email Tracking
Sydney Li and Bennett Cyphers
9 Jan 2019

All new users of Tails should read

https://tails.boum.org/doc/about/warning/index.en.html

so that you know what Tails can and cannot protect you against.

I wonder if there's a way to use the Signal protocol (already built and working well obviously) but instead of it going through Signal's server it is routed through TOR relays? Or if you must use Signal's server then make it into a hop/gateway server? Excuse the n00b mistake if that's not possible.

Personally I still use the old TorChat, works fine: https://www.softpedia.com/get/Internet/Chat/Instant-Messaging/TorChat.s…

I don't think Signal is suited for this. Nor do I think the people behind Signal would be interested to extend Signal with such capabilities.

However, there is Briar, for instance, that works rather well using Tor's onion services for message exchange rather than using a centralized server.

A big problem here: if you want to blow the whistle on a harmful practice and have obtained relevant documents which you want to offer safely to a reporter, you will probably begin by using Tor Browser to look for good reporters who have a history of reporting on similar issues in the past. If you're lucky, one of them might use encrypted chat, which can be a way of making initial contact. In that case, most likely, they use Signal, not Briar. As already noted, Signal suffers from potential issues.

This comes back to the point above about why Tor Messenger was so promising--- just as Tor Browser was a big win because it can be used on almost any laptop or desktop, TM aimed to be usable on most mobile devices.

One cannot help noticing that the most promising potential solutions to the problem of providing amnesiac, anonymous and secure messaging/chatting, are shut down, possibly by NSLs accompanied by eternal gag orders. The ones which do not get such attention too often seem to be the ones which are unsafe or unworkable for various reasons, or which almost no one you might need to reach (reporters, activists) is using.

Anonymous

January 11, 2019


I would like to again urge TP to develop political, legal, and technical strategies to counter the latest FVEY attempt to obtain legally mandated backdoors into all encryption technology.

As noted in a comment late last year in this blog, GCHQ leaders have been advocating what they call "the ghost", essentially a transparent (in sense of "invisible to user") downgrade upon secret command from some government spycentre from strong end-to-end encryption to no encryption or to easily broken encryption, a scheme which would clearly be particularly disastrous if it were mandated for Tor circuits. See

eff.org
Give Up the Ghost: A Backdoor by Another Name
Nate Cardozo
7 Jan 2019

As Cardozo says, GCHQ's scheme is completely bonkers from the POV of cybersecurity, and they know that as well as we do.

TP has been utterly silent on the issue of backdoors, or at least on the crucial point of how TP defines the meaning of the word "backdoor" (a too narrow definition offers a security hole to the spooks and to criminal hackers, through which the menacing hordes will hardly hesitate to enter), which is quite worrisome.

Please recall that the Democratic Party mainstream has already begun a huge media campaign intended to build support for the candidacy of Joe Biden in 2020. As I hope everyone here knows, back during the First Crypto War, Joe Biden was a U.S. Senator and the leading NSA shill promoting "key escrow", NSA's first attempt to disguise a backdoor under a harmless sounding name. GCHQ's "ghost" is technically different, but just as insecure if not more so. But politicians are not likely to understand this.

TP needs to be prepared for legal mandates which would break everything which makes Tor useful to ordinary people, with a better plan than simply shutting down the Tor network entirely when unacceptable demands are served upon TP by FBI agents.

At the very least, TP should start an open discussion with its users about whether they (the users) would be willing to continue to use Tor even if USG mandates a backdoor (which naturally NSA will promise will be used only sparingly, a promise which anyone would be very foolish to believe), or would prefer TP to shut down the network if they receive a legal demand accompanied by a gag order (c.f. Lavabit).

Even better, I hope TP will reach out to EFF and like minded advocacy groups, seeking to set up meetings with US lawmakers in order to try to ensure that key members of Congress understand the problems with backdoors.

Critical talking points include:

o the tools used by government spooks are often also used by adversary government spooks (c.f. the latest DNS hijacking nightmare), by cybercriminals, and by vindictive cyberstalkers (c.f. the flourishing and unregulated and largely US-based stalkerware industry),

o the state-stolen data is often not transmitted securely or stored securely,

o insiders with "legitimate" access may expose it to political manipulation groups, criminals, or adversary nations (USIC has millions of employees, which suggests hundreds are likely to have a side business their employer doesn't know about),

o no one can trust US spooks, least of all their nominal political overseers--- they lie constantly to their own bosses and their bosses lie to Congress; some examples of this are well known, others have never been made public, but members ought to appreciate the lesson of those stories which concern NSA spying on Congress itself (remember how mad was Angela Merkel when she learned that her ally was spying on her personal cell phone? how SCOTUS handed down a rare anti-surveillance decision after litigants showed them they themselves could be tracked?),

o NSA raised one heck of a stink about Kaspersky, no doubt because in contrast to US-based malware hunting firms, Kaspersky published excellent reports on Equation Group (which turned out to be an NSA hacking group), but to my knowledge they have never breathed a word to Congress about the Russian firm upon which they rely for their vast voice recognition programs, just one of many examples which show that spooks are in the profession of manipulation and they never forbear to employ their well practiced skills of misdirection and deception against their putative political leaders,

o who would be sending the downgrade commands, humans or software? the proposed system appears designed to be easily scaled at the turn of a key to an even more massively invasive dragnet surveillance system than such troubling examples as Hemisphere and Prism,

o how are the downgrade commands transmitted? Certainly adversaries will figure out how to hijack them to attack their own targets,

o for quite some time, the world has enjoyed the benefits of strong encryption, and the world has not in fact in consequence come to a flaming end; USIC has never allowed an independent audit or a rational cost-benefit of its dragnet and targeted surveillance, and in my view the reason is clear: they know the Surveillance-Military-Industrial-Complex is built on wildly exaggerated claims about the allegedly horrific threat of spooks/cops not being able to open mail at will, listen to phone calls at will, read emails and messages at will, etc. Ben Franklin (first head of the US postal service) understood that the government itself is a greater threat to the citizens than any potential external threat, or any potential internal conspiracy, when it yields to the temptation to construct a police state.

Some suggestive stories from just the last few days:

arstechnica.com
A DNS hijacking wave is targeting companies at an almost unprecedented scale
Clever trick allows attackers to obtain valid TLS certificate for hijacked domains.
Dan Goodin
11 Jan 2019

wired.com
A Worldwide Hacking Spree Uses DNS Trickery to Nab Data
Security researchers suspect that Iran has spent the last two years pilfering data from telecoms, governments, and more.
Lily Hay Newman
11 Jan 2019

(shows yet another way in which "security enhancements" can be broken; this and other examples should suggest to lawmakers how stupid it is to break your own security before adversaries have a go)

theintercept.com
For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching Too
Sam Biddle
10 Jan 2019

(another example of how things like backdoors which are peddled as "security enhancements" often make everything even more unsafe)

eff.org
The Federal Government Offers a Case Study in Bad Email Tracking
Bennett Cyphers and Sydney Li
9 Jan 2019

(another example of how USG fouls up just about everything they try in the cyber realm--- see also the initial Obamacare sign-up sites, FBI's enormously expensive failed attempts to upgrade its networks, NSA's numerous enormously expensive cyberfailures).

Lawmakers need to understand that willfully self-destructive acts of stupidity are just plain stupid, no matter how good you think your intentions might be. Particularly when the alleged threat to which the massively self-destructive act is allegedly responding is vastly overstated.

Anonymous

January 11, 2019


Hi, this comment may not be in the appropriate place; I apologize in advance. There seems to be a little bug when trying to export the NoScript configuration: I get the download dialog but nothing downloads as far as I'm concerned. Not sure if it is a NoScript or a Tor Browser bug. May I be directed to the appropriate place to file the bug? I had successfully exported the config in a previous Tor Browser version (can't remember which) btw, and the bug was there in an older version if I remember correctly. Thank you so much for your work guys, looking to improve a little.

Anonymous

January 12, 2019


Ya I agree with ^ , we are the ones who should be thanking and I'm glad WE are! Would love to do more, kind of new around here but am learning more everyday :) **Tor Project**

Anonymous

January 17, 2019


Tor is working unacceptably slow.
I propose to raise money (crowd funding) and completely rewrite its architecture.
