Tor Torches Online Tracking

Kim Zetter 05.17.05

Privacy tools can sometimes create strange bedfellows.

That's what has happened with an anonymizer system that was originally developed and funded by the U.S. Naval Research Laboratory to help government employees shield their identity online. It is now being co-funded and promoted by the civil liberties group Electronic Frontier Foundation.

The system, called Tor, allows users to surf the internet, chat and send instant messages anonymously. It works by transferring traffic three times through random servers, or nodes, on its way from sender to recipient to make it difficult for anyone to trace the data back to its source.

Tor has been completely rebuilt since the Navy initially designed it in the late '90s. The EFF has thrown its support behind the project, and its creators are now hopeful they will be able to add servers and attract new users, thus bolstering the system's privacy and security benefits.

"There's an assumption that people working on government things and people working on EFF things can't possibly be working on the same things," said Roger Dingledine, one of Tor's developers. "But they both want the same sort of security."

Besides, Dingledine said, the Navy is happy to have the outside world using its designs because "it demonstrates that the Navy writes stuff that is useful."

The Naval Research Lab began developing the system in 1996 but handed the code over to Roger Dingledine and Nick Mathewson, two Boston-based programmers, in 2002. The system was designed as part of a program called onion routing, in which data is passed randomly through a distributed network of servers three times, with layers of security protecting the data, like an onion.

Dingledine and Mathewson rewrote the code to make it easier to use and developed a client program so that users could send data from their desktops.

"It's been really obscure until now and hard to use," said Chris Palmer, EFF's technology manager. "(Before) it was just a research prototype for geeks. But now the onion routing idea is finally ready for prime time."

Dingledine and Mathewson made the code open source so that users could examine it to find bugs and to make certain that the system did only what it was supposed to do and nothing more.

The two programmers wanted to guard against a problem that arose in 2003 when users of another open-source anonymizer system -- called JAP, for Java Anonymous Proxy -- discovered that its German developers had placed a backdoor in the system to record traffic to one server. The developers, who included researchers at Dresden University of Technology, said they were forced to install a "crime detection function" by court order.

Law enforcement authorities have long had an uneasy and ambivalent relationship with anonymizer services. On the one hand, such services allow law enforcement and intelligence agencies to hide their own identity while conducting investigations and gathering intelligence. But they also make it harder for authorities to track the activities and correspondence of criminals and terrorists.

Anonymizer services can help protect whistleblowers and political activists from exposure. They can help users circumvent surfing restrictions placed on students and workers by school administrators and employers. And they can prevent websites from tracking users and knowing where they're located. The downside is that anonymizer services can aid with corporate espionage.

One person who searched the website of a competing hardware company found that the site delivered a different page when he accessed it from his company computer than when he accessed it using Tor.

"The website looked at who was looking at it (based on the IP address) and gave them false information depending on who was visiting it," Dingledine said. "(The person was) quite surprised to find that (the site) was different."

Tor can be used to hide the identity of file swappers, although the system is not set up specifically for that purpose. Current default settings for the server software block ports typically used to transfer files over peer-to-peer clients, including BitTorrent and Kazaa. But server operators can change the settings manually, and some Tor servers have been set to accept peer-to-peer traffic. Nevertheless, Tor's encryption system slows down data-transfer rates for large files typically traded over peer-to-peer networks, according to Dingledine.

"We suspect they wouldn't be very happy with Tor because it slows down when you're transferring really large files," he said. "We can imagine a time one day when Tor is so large we can imagine a lot of people moving a lot of bytes around. But that's not the most pressing design problem we have to worry about right now ... and this isn't really the spin we're looking for. We're looking for helping human rights people and corporations and individuals get privacy and safety on the internet."

Tor works with Windows, Unix and Mac operating systems and differs from a similar service, by Anonymizer, in that the latter only allows users to surf the web anonymously and only sends data through a proxy server once. Anonymizer also sells its products, whereas Tor is free.

Tor builds an incremental encrypted connection that involves three separate keys through three servers on the network. The connection is built one server at a time so that each server knows only the identity of the server that preceded it and the server that follows it. None of the servers knows the entire path the data took.

The data gets encrypted with three keys, one for each server. As the data hits a server, it peels off one layer of encryption to reveal to the server where it should send the data next. When the data reaches the second randomly selected router or server, another layer of encryption is removed to reveal the next destination.
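The layering described above can be sketched in a few lines of Python. This is an added example, not Tor's code or wire format: it assumes the client already shares a key with each of three hypothetical relays (`relay-A`, `relay-B`, `relay-C`), whereas Tor negotiates those keys as it builds the connection, and it swaps in a toy HMAC-SHA256 stream cipher for Tor's real ciphers.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in, not Tor's cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Add one encryption layer: nonce || MAC tag || ciphertext."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + tag + body

def unseal(key, blob):
    """Remove one layer; fails unless the layer was sealed with this key."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("layer was not encrypted for this relay")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def wrap(payload, destination, path):
    """Client side: encrypt for the last relay first, so the first relay's layer is outermost."""
    next_hop, blob = destination.encode(), payload
    for name, key in reversed(path):
        # Each layer carries only the address of the hop that follows this relay.
        blob = seal(key, bytes([len(next_hop)]) + next_hop + blob)
        next_hop = name.encode()
    return blob

def peel(key, blob):
    """Relay side: strip one layer, learning the next hop and an opaque inner blob."""
    layer = unseal(key, blob)
    n = layer[0]
    return layer[1:1 + n].decode(), layer[1 + n:]

def demo():
    # Constructed sample: three relays with pre-shared random keys (assumption).
    path = [(name, os.urandom(32)) for name in ("relay-A", "relay-B", "relay-C")]
    blob = wrap(b"GET / HTTP/1.0\r\n\r\n", "example.org:80", path)
    views = []
    for name, key in path:
        next_hop, blob = peel(key, blob)
        views.append((name, next_hop))  # all this relay learns about the path ahead
    return views, blob

if __name__ == "__main__":
    print(demo())
```

Each relay's view contains only its successor: `relay-A` never sees the destination or the request, and a relay that receives a layer out of order cannot open it.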

People or organizations can volunteer their systems to operate as servers or routers. Currently the system has about 150 servers operating around the world on every continent except Antarctica and Africa. The system processes about 10 MB of data per second, depending on the time of day.

Because of the way the system is designed, there's no way to know how many users are on the system. At least there's no way to know now that Dingledine fixed a bug. In January, he discovered a design flaw that kept users connected to the system even after they finished sending data.

"(In this way) I calculated how many clients I had on my server and multiplied that by the number of servers," Dingledine said. He extrapolated the number to count about 20,000 users. A new release of the system keeps users connected for only about five minutes so they can't be counted.

The system's efficiency and privacy benefits will increase with the number of users and servers. Essentially, the more servers available through which to route traffic, the faster the traffic will fly and the less likely anyone will be able to determine the path that specific data took through the system.

Security will also increase as the system's user base becomes more diverse. With more and more users spread among government agencies, academia and the private sector, eavesdroppers will find it more difficult to determine the nature of the person who sent data through the system.

That's why Dingledine said the Navy is happy to have more users on it. In addition to Navy users, the Independent Media Center runs some of the larger servers on the system and sends traffic through it. A diabetes support group in Germany carries a link to Tor on its website so that members can research their illness and communicate with other members without fear of eavesdropping. Dingledine also heard from someone at the CIA who said he uses the system regularly for intelligence gathering.

"You need a lot of diversity in the user base in order to make it secure," he said. But he acknowledged that adding more and diverse users can slow traffic, since traffic will inevitably cross continents and various kinds of servers, taking longer to arrive at its destination.

Because the data goes through three routers, there's protection against someone setting up a rogue server to track traffic. This doesn't, however, prevent someone from setting up numerous rogue servers to increase the chance of tracking data.

"It's a tricky design question -- how to scale the network without allowing the adversary to sign up a lot of servers. The answer we have right now is to have all new potential servers go through a manual process to sign up," Dingledine said. "We try to detect if one guy is signing up dozens of servers. I don't think we've had that happen yet."

Correction:

This story was modified to correct the timing of EFF's support for the Tor anonymizer tool. EFF announced its backing in December 2004. 05.17.05
