Tor's First Crowdfunding Campaign

When we launched this first crowd funding campaign, we weren’t sure what would happen. We knew we wanted to diversify our funding sources; crowd funding gives us flexibility to do what we think is most important, when we want to do it. It allows us to fund the development of powerful new privacy tools. Or make the ones we have stronger and more resilient. Or pay for things we need like a funded help desk or an Arabic version of our web site.

But we didn’t know if people who like Tor would actually invest in our independence.

Now we do.

Together, our community has contributed $205,874 from 5,265 people to support Tor in this first crowdfunding campaign. We are so excited.

What we’ve seen, we think, is our community in action—our whole community finding ways to support us—by making a donation, or by sending us a bug bounty as GitHub hackers did. By making a matching donation, or just pinging their friends to help out.

Following our theme "This Is What a Tor Supporter Looks Like," you sent in photos of yourselves in Tor t-shirts doing back bends or teaching your daughters how to use Tor browser, or covering your face to preserve your anonymity but trumpet your support for Tor.

You sent fundraising notes to giant email lists. You tweeted screenshots of your donations. You bragged about your Tor relays (thank you) to inspire others. Some of you pointed out that Tor has saved your life.

The international Tor community rose up to support Tor’s independence in every way it could think of. And independence is power. Power to defend the rights of human rights activists. Power to defend the privacy of all of us.

Even though we’re a privacy organization, we found out what a Tor supporter looks like. It's someone who takes action to support their right to privacy.

Thank you.

Our deepest thanks to Tor’s wonderful champions, who put on the T-shirt first and took the plunge to support Tor in our first-ever campaign:

Laura Poitras

Roger Dingledine

Amanda Palmer and baby Anthony

Nick Merrill

Andy Bichlbaum

Molly Crabapple

Rabbi Rob and Lauren Thomas

Shari Steele

Cory Doctorow

Ben Wizner

Daniel Ellsberg and Patricia Marx Ellsberg

Alison Macrina

Edward Snowden

Giordano Nanni

Susan Landau

Ethan Zuckerman

Jacob Appelbaum

By Kate Krauss, for Tor's fundraising team:

Isabela Bagueros, Juris Vetra, Leiah Jansen, Mike Perry, Shari Steele, Sue Gardner, Katherine Bergeron, Nima Fatemi, Sebastian Hahn, Roger Dingledine, Nick Mathewson, Ben Moskowitz, Jacob Appelbaum, Katina Bishop, Colin Childs, and Kate Krauss.

Anonymous

January 21, 2016

Permalink

I attempted to donate to Tor via your bitcoin donation page (using Tor). First i got a server timeout page when trying to access the Tor donation page, i refreshed and it appeared, i was given the default option of donating via paypal (no thanks) and went to see what these "other" options were, saw the Bitcoin donation form, upon clicking the bitcoin button i was redirected to cloudflare's obnoxious MiTM captcha page, then after completing that i was redirected to bitpay and was served a 404 - Page not found.

Come. The. F. On.

Yes indeed. This is an example of something we'd like to clean up for future funding campaigns. This one was a great experiment, and also it turned out really well, but there is plenty of room for making things smoother next time.

Another big one was that sometimes Paypal would just give you a blank white page, if you were coming over a few particular Tor exit relays. You could change your circuit and it would work, but a) you have to know to do that, and b) it's super easy to decide to just stop there. I'd like to have more options than just Paypal, or heck, eventually just have our own payment receiving mechanism.

Why not just provide a Bitcoin address in plaintext, instead of all the extra hoops? I was unable to donate at all with Javascript disabled and the project's choice to use a Bitcoin processor that uses Cloudflare.

A good example, by the way, of why it is so important that Tor supporters be somewhat aware of the political/legal realities of trying to create a user-supported NGO on US soil. Many problems are created by USG, not by what some insist on trying to interpret as TP ineptitude (which is usually absurd).

Anonymous

January 22, 2016

Permalink

Been trying to access a torrent site (pirate bay) included to download a 'linux distro' but can't get passed the evil 'Cloudfare'! What on earth possessed the pirate bay to host on this evil entity!?

Oh yeah, and torrent sites are blocked at the IPS level so not like there is any choice... ;)

Anonymous

January 22, 2016

Permalink

I, too, had problems donating bitcoin. Through some relentless attempts, I finally managed to give you some money. But the payment processor has anti-Tor technology in place that rather ironically prevented many people, I think, from donating to Tor while using Tor.

Next time around, it would be wonderful if the whole setup, soup to nuts, was set up in a way that would not frustrate users of Tor. Better yet, accept payments through a hidden service. It would be neat to see a breakdown of how much money got donated through a hidden service, how much got donated from an IP that was a known exit node at the time, etc.

I agree -- it would be wonderful to set up a payment system that is Tor-friendly rather than Tor-unfriendly.

I'm actually not sure how easy this will be -- we've seen instance after instance of the payment companies doing exactly the opposite. One option would be to take the credit card numbers, etc ourselves, and not use third parties that end up doing silly things when they don't know an IP address.

All of this said, the "whole setup, soup to nuts" is exactly one of the things that Shari is hoping to improve for the next campaign. And having her want to do that is exactly one of the reasons why we're so excited to have her as our new exec dir. So we are heading in the right direction for sure!

> it would be wonderful to set up a payment system that is Tor-friendly rather than Tor-unfriendly.

This is indeed another one of those missing items of critical infrastructure which really needs to happen, with TP encouragement.

It is also a good example of the kind of thing which would have so many applications (and be so stoutly resisted by the powerful governments and megabanks which hate individual freedom/wealth for ordinary folk) that it would better be done as a separate project.

I agree with you except for one point -- I think it would be much easier to set up a Tor-friendly way to get money to the Tor Project, than it would be to set up a Tor-friendly way to get money to anybody. And this is for exactly the reasons you state -- it would be much less threatening to the global money mafia.

Sound promising. But what will be the practical requirements for the system you envision? If there are hidden assumptions which exclude anonymously converting cash (in various currencies) into international Tor donations, I fear many potential anonymous contributors may be excluded.

@ arma:

Can you address the rumors that FVEY and the global money mafia (including the usual suspects among those banks considered "too big to fail") are very excited about the prospect of associating blockchains with everything (webpages, internet transactions, personal devices, government services, public and private database records), in order to build even more intrusive real-time identity/geolocation-aware dragnet surveillance systems?

Blockchains appear to hold promise for giving back some measure of control over our own "data exhaust", but I am concerned that we may not be giving enough thought to how Google/Citibank/NSA could subvert them for evil purposes. Bear in mind that James Comey and his Chinese/Russian/FVEY counterparts will be screaming for backdoors in blockchains, while NSA will no doubt attempt to "influence" which hash algorithms are adopted by standards organizations.

I am concerned that many cypherpunks may not realize the extent to which the financial elite and governments are determined to wrest back control of future implementations of blockchains from the individual citizen.

From a recent high profile report urging ubiquitous blockchains, which accentuates the (not entirely disingenuous) positive possibilities:

Distributed Ledger Technology: beyond block chains
Mark Walport
Chief Scientific Adviser to HM Government
Dec 2015
gsi.gov.uk

> The key message is that, by fully understanding the technology, government and the private sector can choose the design that best fits a particular purpose, balancing security and central control with the convenience and opportunity of sharing data between institutions and individuals.
> ...
> The challenge is to strike the balance between safeguarding the interests of participants in the system and the broader interests of society whilst avoiding the stifling of innovation by excessively rigid structures.

I think the way Walport frames the issues are about as good as we can expect, but I worry that the unofficial definition of "stakeholders" in the US (where TP is based) tends to mean "the ruling elite", and "protecting the broader interests of society" tends to mean "protecting the personal interests of the ruling elite".

In the UK and US it is increasingly true that a sizable fraction of the population (I think well over half) are receiving some kind of government benefits. So as usual the first targets of the lastest dragnet surveillance innovations will be the poorer people. But they'll soon come for the middle class too. These same governments are very interested in replacing the dollar and the Euro with NSA-designed cryptocurrencies which could be used by the intelligence agencies to track in real time every economic transaction of every person.

Since most future Tor supporters are drawn from the ranks of the 99%, this could quickly become a very serious threat. Especially bearing in mind the fact that China is rushing to openly introduce personal "citizenship scores" similar to those FVEY is using in secret.

I again urge Shari to make it a top priority that TP and well as ACLU and EFF are on the USG list of "stakeholders" as the USG in particular asks the question it always asks about everything which seems beneficial on the surface: "how can we exploit this to further our national security and economic policies?"

GCHQ, HMRC, CESG, DWP, Bank of England, and Barclays are among the entities which provided input for the cited whitepaper.

Barclay's has a "VP for Blockchain".

The level of interest in the US-based megabanks is also very high.

An analogous USG whitepaper is said to be in the works, and TP should make it a priority to get a seat at the table (which will no doubt mean rubbing shoulders with NSA people, but you are used to that).

"...the unofficial definition of 'stakeholders' in the US (where TP is based) tends to mean 'the ruling elite', and 'protecting the broader interests of society' tends to mean 'protecting the personal interests of the ruling elite'."

That's very Chomskyesque, but stakeholders is generally accepted to mean affected people.

I have a stupid question about the Electrum client in Tails 2.0. Read the documentation twice and still have no idea whether or not Electrum is somehow supposed to enable me to use Tails running on some device to actually generate 0.001 bitcoins which I can then use to donate to Tor or Tails Projects, or whether I must use some other way to convert local currency into bitcoins before I can try to use Electrum.

Does anyone know the answer? I hope my question is clear. I have never used electronic currency.

Anonymous

January 22, 2016

Permalink

The Truth About The Tor Project.

Right, fsck it, I don't have any other medium to disclose this so I am chucking it into the ether.

There is such an obvious Tor privacy attack going on an no-one is talking about it. This attack on Tor is facilitated part by the pushers of the Tor browser bundle, and part by CloudFlare.

Any Tor user knows that in the last month, Tor has become unusable on 99% of CloudFlare secured websites. Users are presented with an impossible captcha, or even when they are presented with a solvable one, it is interpreted as incorrect. When an audio challenge is given, one number is deliberately unintelligible, or in the event of a solvable audio captcha, you are still taken to another captcha.

The help box on the Captcha often says "to stop seeing these requests, enable Javascript". So for you to access most quality/normal content, you now need to enable Javascript. Also to access almost anything that could be DDoS'ed or Spamed you need to solve a captcha, and thus, to use most of the internet requires you to be running Javascript if you are a Tor user. Remember CloudFlare was the go to response for almost any free-speech tor platform that has felt the brunt of DDoS or spam. Combine this with the fact that the Tor browser bundle now comes with NoScript DISABLED globally (this wasn't always the case), so JavaScript is default on.

The problem with this, is that javascript facilitates STUN requests (https://github.com/diafygi/webrtc-ips). How do people not see this?!. With 30 lines of javascript I can decloak your real IP address (and your internal IP address) and it is totally invisible to you.

The NSA/GCHQ don't fucking need browser exploits or 0days to decloak people anymore, they have just used their leverage with CloudFlare to make most websites unusable to Tor users unless they put themselves at risks of Tor requests. CloudFlare also openly admit performing SSL MITM (Man-In-The-Middle) to function as a caching proxy. So this one company forces you to become vulnerable to STUN requests, and decrypts all the content of your communications. Does this not ring alarm bells?.

How can you not see this?! How can the Tor community not see this?! Why is no one talking about this?!

Please Retweet This.

#CloudFlareFuckedTor

A) "Combine this with the fact that the Tor browser bundle now comes with NoScript DISABLED globally (this wasn't always the case)" -- no, sorry, you're mistaken. It has always been the case. Tor Browser uses NoScript as a defense-in-depth way to disable plugins like Flash:
https://www.torproject.org/projects/torbrowser/design/
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
(That said, with the addition of the "security slider", some of the higher security settings disable more or all of JavaScript. This is still true now.)

B) Your webrtc-ips example doesn't work against Tor Browser, because it explicitly removes (not just disables, but actually removes) that functionality for exactly the reason you describe. See
https://trac.torproject.org/projects/tor/ticket/8178
https://www.torproject.org/projects/torbrowser/design/#proxy-obedience

C) If you do have attacks that work to deanonymize Tor Browser users, whether using JavaScript or css or libpng or whatever, we'd love to hear about them! In fact, there is an upcoming bug bounty program to pay people for exactly these sorts of finds. You can hear more about it in our 32c3 talk this year:
https://media.ccc.de/v/32c3-7307-state_of_the_onion

D) You are absolutely right that Cloudflare is a pain for Tor users these days. They say they care, but at the same time they won't implement even simple fixes to make things better for most users most of the time. This is very sad. We could use your help in encouraging them to improve things. See also
https://blog.torproject.org/blog/call-arms-helping-internet-services-ac…
in case you want a paid fellowship to work on the problem.

I am frustrated too, but I can't understand how anyone could possibly sincerely believe that TP is trying to sabotage the user experience of Tor users [sic].

Based upon my own experience as a regular user of Tor, I would imagine that it is probably true that just about every regular Tor user has encountered Cloudfare captchas more frequently in recent months, but I guess they suffer in silence for the same reason I do: we follow this blog and the archived tor-talk mailing list, so we know that the topic has been raised several times, and the answer has always been that TP is doing all it can, which is pretty much limited to

o emailing administrators and asking them to try to find a more Tor-friendly solution to whatever problem they are experiencing at their website which induced them to hire CloudFare,

o emailing CloudFare and asking them to avoid excluding Tor users from solving their captchas.

So we realize there is no point in asking the same question which has been asked before.

Ultimately, I think the solution is the same as the solution to many other problems which TP currently confronts: grow the user base by leaps and bounds. When a large fraction of Internet users use Tor often, Cloudfare will not be able to ignore the needs of Tor users.

The Comeyites, the Putinoids, the fifty centers, and other enemies of freedom will do anything they can to prevent this from happening, but we all will just have to overcome them by irresistible popular will.

"...enemies of freedom will do anything they can to prevent this from happening, but we all will just have to overcome them by irresistible popular will."

These enemies of freedom are a growing majority of all people.

Just don't use their services.. Their usage of CloudFlare or reCAPTCHA (the unsolvable captcha is reCAPTCHA, it is unsolvable in any other place too) or 'you must enable JavaScript in order to use this website' or 'please validate your mobile phone' or 'you must pay some amount of money to us to be able to sign up via Tor' means that they don't welcome anonymous users and that they are enemies of anonimity. Just don't use their services because it's dangerous to use the services controlled by an enemy.

Perfect example of this is the use of Tor Stack Exchange or lack of use. As usefull the site would be to Tor users with questions; the only way would be to turn on Javascript. It even says that in a big red bar on their splash page. The site is even burned into the bookmarks of Torbrowser....kinda ironic. Sometimes the captchas appear depending on the route you take to the site, sometimes they don't. Regardless, a perfect example of something useful, but could also be exploitable. I don't trust anywebsite these days. However, it would be callous to believe that Tor doesn't care.

@ Shari, Roger:

I'd spend some time trying to answer questions at a site like StackExchange, but it is impossible to use StackExchange without doing things which I consider very unsafe. So people are indeed being prevented from volunteering their time to help out by the anonymity problems with the mailing lists and StackExchange.

> I don't trust any website these days

It is our misfortune that we live at the dawn of the Age of Paranoia.

Yes indeed! As a proof of concept to see if the interest is there, this first funding drive was a wild success.

Of course, other organizations like EFF have much larger budgets, and raise a whole heck of a lot more funding this way. EFF brought in something like $13M last year (not all through small donations of course).

On the third hand, comparing ourselves to EFF doesn't necessarily make sense. We're a different organization, with a different angle on how to save the world. I mention them because their funding model shows that it's been done before.

And finally, lest you accuse me of not recognizing your sarcasm/cynicism, I'll send you to two other blog posts to read:
https://blog.torproject.org/blog/our-first-real-donations-campaign
https://blog.torproject.org/blog/transparency-openness-and-our-2014-fin…

> Pretty generous salaries for a "non-profit".

Actually, no.

If you are concerned with CEO salaries generally as a reflection of the general phenomenon of income inequality throughout the world, I share that concern, and urge you to vote for national and local political candidates who make it a priority to try to ameliorate that problem. (In the US that would be Sen. Sanders.)

But if you were stating that you think Shari is overpaid, above and beyound the wider issue of CEO salaries generally, I would ask you to read carefully the comments on the following post, especially the three part (incomplete!) outline of challenges facing the new Executive Director:

https://blog.torproject.org/blog/greetings-tors-new-executive-director

Doesn't sound at all an easy job, does it? Very few people can take on a job this hard, and TP is damn lucky to have found someone. Especially since dramatically changing its funding model is possibly the most important change TP needs to make over the next few years, and Shari Steele is perfectly qualified to do that. It's going to happen, and it's going to be great!

"dramatically changing its funding model is possibly the most important change TP needs to make over the next few years"

I think TP should apply for any government grants they can get.

Anonymous

January 22, 2016

Permalink

I donated but never understood how to redeem a perk. I thought i would receive an email with some info. I even emailed donations@torproject.org to ask about it, twice, and did not receive a response.

Thank you for your donation!

We are still going through the backlog of donation emails, to mail people to thank them, to offer them the shirts/stickers/hoodies, etc.

Having a more smoothly working infrastructure for handling donations is one of the big steps we'd like to take before we do a second campaign.

Please be patient, and hopefully you'll get your responses soon.

Anonymous

January 22, 2016

Permalink

A onion site for bitcoin donations will be a great improvement of the donation process. Also add exite nodes to the onion network will be beautiful.

> I'm pretty sure that governments are more worried about these legitimate people than those pedos using tor.

Very true, sad to say.

Just one example of a horrid phenomenon which will become more and more common all over the world, in which anyone who opposes injustice will be persecuted by governments and other powerful entities:

http://www.theguardian.com/world/2016/jan/25/zhao-wei-mothers-search-fo…
The day Zhao Wei disappeared: how a young law graduate was caught in China's human rights dragnet
Tom Phillips
25 Jan 2016

Another very clear trend: following NSAs lead, governments and other actors are increasingly inclined to avoid "fact checking" their death-warrant-by-algorithm, so more and more uninvolved persons will be become a "collateral damage" statistic.

Anonymous

January 23, 2016

Permalink

@ all my fellow Tor users who donated:

Many thanks for helping to make the first fundraising drive a success!

I think the amount collected on the very first try shows that as Tor becomes more widely adopted the Project will indeed be able to move from a USG-academic/defense-research project funding model to the kind of user-supported funding model which is more typical of other NGOs in the civil rights/human rights arena such as EFF, Amnesty International, HRW, RSF, MSF, etc.

@ Tor fundraising team:

Thanks so much for all your working making this happen!

Good to see at least one tech news outlet reporting on the outcome of the funding drive:

http://arstechnica.com/business/2016/01/tor-project-raises-over-200000-…
Tor Project raises over $200,000 in attempt to “diversify” its funding
Cyrus Farivar
22 Jan 2016

> As a result of its recent crowdfunding campaign, the Tor Project announced Thursday that it had raised over $200,000 from more than 5,000 individuals over nearly two months.

Anyone know if The Register reported on this?

> Don't know - The Register is hosted on 'Cloudfare' :D

As in CDN (Content Delivery Network)?

Too bad, sounds like we'd all rather give up reading an important source for UK tech News rather than risking Cloudfare's mysterious antics with javascript, apparent font enumeration fingerprinting, and captcha's which we allegedly repeatedly fail.

"Don't know ...", "Give up ..."? Sigh.

A REMINDER to all Torists despairing of Cloudflare on how to circumvent Cloudflare in the meantime:

Use the StartPage search engine (paste the literal URL in for a direct hit), and click on 'Proxy'. Almost always works, an occassional "Error 403: Forbidden" can be overcome by retrying some minutes later. There might be loss of functionality (like cross-site javascript links*) because StartPage proxy strips out javascript, but you got reCAPTCHA'd by Cloudflare because you disabled javascript anyway, right?

In answer to whether El Reg reported on the Tor crowdfunding outcome: they didn't. Their last on that was 25th Nov 2015. Practice now with StartPage proxy!:

[geshifilter-code]http://www.theregister.co.uk/2015/11/25/tor_project_donations/[/geshifi…]

Happy to impart knowledge useful in acts of Torism. (Am I on a government watchlist now?)

* What's wrong with noscript refs, huh?

> In answer to whether El Reg reported on the Tor crowdfunding outcome: they didn't. Their last on that was 25th Nov 2015.

Strange. I wonder if HMG is pressuring the editors not to praise the security merits of Tor Browser.