Important note. In some parts of the world, the mere fact that you are using Tor could arouse suspicion, trigger surveillance, or provoke a bad response from the authorities. Likewise, on the office network, your IT team might not like it because it stops them meeting their own legal obligations of keeping the digital workplace safe. So, even though we’re saying, “Try Tor today,” make sure you have thought about any negative outcomes. If in doubt, treat this as a thought experiment.
Today is Data Privacy Day, so we thought we’d try something a bit different; a bit “out there.”
So, here it is.
Why not make today the day you try out Tor?
Tor is short for The Onion Router, and, in its own words, this is what it does:
Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.
Tor comes as an easily-installed software bundle that includes a privacy-conscious version of Firefox, together with the low-level component that connects the browser into the part of the Tor network that bounces your communications around.
(Your regular browser and all your other internet-connected applications behave as they did before – they are unaffected by installing Tor.)
As you can imagine, that’s made Tor rather controversial, not least because Tor makes it harder to track people who do undeniably nasty or dangerous things online.
Again, in Tor’s own words:
[Tor is] an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
STATE SECURITY
State security, of course, isn’t just a sea of negative issues such as oppression, surveillance, censorship, totalitarianism and the suppression of personal rights and freedoms.
Our security as a state, at least for most of us in most developed countries, depends at least in part on effective law enforcement.
That applies all the way from the local council taking action against illegal dumping, through the prosecution of reckless and dangerous drivers, to the investigation and active disruption of serious offences such as human trafficking and terrorism.
Unfortunately, this has led to some difficult tensions in how to regulate the internet.
One significant problem is that if we make it too easy for law enforcement to find out who’s doing what online, we make it correspondingly difficult for the rest of us to stay secure, even (or perhaps especially) when the law says that we need to take proper care of the data we collect about other people.
Remember that this dilemma exists independently of how much protective regulation there is around how law enforcement gets permission to investigate in the first place.
The police typically need warrants, work under oversight, are responsible to regulatory bodies, and much more.
The problem is that crooks, hackers, industrial spies and terrorists don’t, and aren’t.
TRACKING, LOGGING AND MONITORING
Another problem is being tracked, logged, monitored and then pitched with ads by companies that go out of their way to keep their eyes on our online behaviour.
Again, this problem exists even with websites where we are happy to receive personalised ads, or where we willingly agree to the ads as our way of “paying” for a free service that would otherwise require a monetary subscription.
It’s not so much that a specific company has amassed data about us so that it can access and use the information easily.
It’s the risk that someone else, anyone else, might be able to do the same thing for no purpose other than to commit crimes against us.
Unfortunately, in a world of data breaches, cryptographic blunders, desultory patching – loosely speaking, in a world of security-can-wait-until-tomorrow – the only reliable way to avoid making it too easy for the crooks…
…is not to let all this trackable data get collected all the time.
And that brings us to Tor.
Tor doesn’t actually provide you with an instant, private, untraceable, anonymous presence online, and Tor itself strongly advises that you read up on what it can and can’t do.
But it is a way to make the data that’s collected about you much less useful to crooks who might get hold of it in the future.
BUT IT’S TOO SLOW
We’re aware that a lot of people to whom we’ve suggested the Tor Browser have retorted that “it’s too much trouble to try because it’s so slow.”
Indeed, it isn’t as fast as a regular connection because of the bit about “bouncing your communications around,” which is necessary to obscure what you are doing and how.
On the other hand, lots of people don’t bother encrypting their laptops “because it’s slow,” only to find out, when they try it, that they can’t tell the difference.
Tor may not be for you, but we still think it’s a worthwhile exercise to try it, to learn what it can do, and to think about why anonymity and privacy online are desirable for everyone, not just for activists, reactionaries, spies and crooks.
And, after all, if you have nothing to hide…
…then there is no need for anyone to keep an eye on you, is there?
Martin
Why no mention of using TAILS to access TOR?
TAILS adds an additional layer of security, by booting from a flash drive, thus leaving no record of activity on your computer’s hard drive.
Paul Ducklin
One step at a time, eh ;-)
We’re just asking people to think about whether they want the trail they leave “in the cloud” to be collected all the time, on the grounds that if it isn’t collected, it can’t be breached.
Topics like anti-forensics, data encryption on your own device, choice of network provider, operating system configuration, and much more *could* have been added to the article. There are lots of things you can do instead of, or as well as, trying out Tor…but this article isn’t a HOW-TO, it’s more of a THINK-ABOUT.
(Also, TAILS means running Linux, an X-like window manager, and a rather different desktop with a different look-and-feel. That’s a much bigger ask if all you want to do is try the Tor browser in your usual Windows or Mac environment to see how it goes.)
Anon
Tails did at one time offer two UIs. A Windows like UI and a typical Debian UI so one could pretend to be using the ubiquitous Windows.
But, quite right, one step at a time.
Mahhn
Since we know that exit nodes are heavily monitored by the NSA and other evil acronyms, I see using TOR as primarily making yourself a target for BS of those eager to justify their own jobs. I won’t bother to use it.
Paul Ducklin
A well-worth-considering point.
To explain, if you browse across the Tor network out into the regular internet, the last hop in the Tor chain needs to unscramble your “bounced-around” data for the last time, back to its regular form. Therefore these so-called exit nodes can keep some sort of an eye on Tor traffic, especially if you are browsing over HTTP so that the regular form of your data is “unscrambled.”
Therefore exit nodes are a weak link:
https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/
Of course, the same sort of organisations are also claimed to carry out heavy monitoring on the regular internet, so you could argue that they’ve got your measure anyway, and therefore Tor at least provides a convenient way of doing some of your browsing more safely. (E.g. so you can be sure that your Facebook session is no longer connected; your cookies have gone; and you aren’t showing up as exactly the same customer who visited earlier on.)
In other words, to see it from my side: if you can choose between getting tracked by 5 certain organisations instead of those 5 plus another 55, maybe the former is better?
Or, to see it from your side: maybe getting tracked by a certain 5 organisations in a way that makes it clear you are deliberately avoiding the other 55 actually makes it worse for you.
I’m not quite sure how to solve that dilemma ;-)
Mahhn
Exactly. I don’t mean to knock Tor itself, I think it is very useful for whistleblowers and reporters to keep them safe from those they are reporting on. Then on the other end,
(If it’s inappropriate to link to another news source, I’ll understand if this doesn’t get posted.)
“To be brutally blunt, they love it. Why? Because using detectable encryption technology like PGP, Tor, VPNs and so on, lights you up on the intelligence agencies’ dashboards. Agents and analysts don’t even have to see the contents of the communications – the metadata is enough for g-men to start making your life difficult.”
WizardofCOR
I would consider Mahhn correct on all counts. Unfortunately, I must disagree with the author, when Mr. Ducklin states, “Of course, the same sort of organisations are also claimed to carry out heavy monitoring on the regular internet, so you could argue that they’ve got your measure anyway, and therefore Tor at least provides a convenient way of doing some of your browsing more safely.”
This is a false equivalency, as the monitoring state organizations in question are concentrating much more heavily upon traffic to non-US IP hosts, rather than simple domestic traffic. For the latter, they could simply obtain ISP logs if/when flagged activity warrants. Hiding in plain sight assuredly is better than using a beacon to make yourself a target. Succinctly, domestic traffic takes a backseat to monitoring conduits to foreign hosts, using a finite (and heavily monitored) number of exit nodes, with an application known to push traffic that is against their interests.
If you must push traffic anonymously, there are other ways.
Paul Ducklin
If I am reading this correctly, you are using the word “domestic” as a synonym for “the USA,” but that’s only true for a small minority of the world’s population.
JR
It is amazing how many clock cycles of our powerful CPUs, and how many performance-sucking hoops we must jump through in the name of security and privacy… anti-virus, malware protection, ad blocking, tracker blocking, encryption, proxies…
Explain why my computing experience is just as slow, if not slower, than it was with my first Windows 95 computer.
Maybe it is time to dump the current infrastructure and begin anew. ;)
But seriously, we were warned of the situation when the whole world was looking to consolidate on the single platform of TCP/IP and Ethernet… but we ignored it because it was so simple and elegant. Those guys touting IPX/SPX, Token Ring, etc., weren’t wrong.
I know… if that makes me sound like a dinosaur… so be it.
ken
I use a VPN, CyberGhost. Does that not do the same job as TOR? And without the severe slowing down (OK, there are SOME speed issues, but not as bad as TOR).
Vess
A VPN is a single point of failure. Your connection is as snooper-proof as the VPN business is resistant to warrants, hacking, etc.
Paul Ducklin
A VPN is sort of like Tor where there is just one relay that is always both your entry and your exit node – your traffic doesn’t get bounced around and made to have what appears to be a regularly-changing source location on the internet.
So, no, it doesn’t do the same job as Tor.
Jack
Thanks Paul, nice to see you guys talking about important things, your publication has gotten a little too law enforcement friendly in recent times and those people are sadly some of the criminals we need to get a handle on, their “official” nature only makes them more dangerous.
I don’t think that simply using Tor is going to have the “g-men” after you, and the more normal people that use tor, the less it’ll be practical for them to monitor anyone who does, since so many pedestrian people do, so there’s a significant benefit to us all having some fun with tor so I heartily agree, give it a whirl.
Paul Ducklin
You talk about being “law enforcement friendly” as though that were a criticism; as though we would deserve more credit if we were anti-cop.
But we are not, as ought to be obvious from our positive comments about how law enforcement helps us enjoy secure lifestyles, at least in many developed countries.
Using Tor doesn’t have to be about sticking it to the man. It can just as well be about sticking it to the crooks by making it tougher for them to make money illegally out of our data.
Alan Robertson
I use Tor all the time in the form of Orbot on Android. I don’t use it on desktops as I don’t see the point as you are in control of your own network. If your own network is insecure then you ought to be managing it better. However, the same cannot be said for public wifi – hacker’s paradise, and you have no control over how it is set up: “What’s that certificate warning I’m seeing….”
Orbot will encrypt your internet connection and ensure that your communications (at least until the exit node) are secure. To be honest I’m not bothered if the exit nodes are monitored as I’m not doing anything illegal – if you are concerned then just make sure the site is using https. However, I do care whether the guy next to me in the coffee shop using his laptop is up to no good with my phone! Begone foul Firesheep and who gave you the right to Nmap my phone? I mean Android users regularly get over the air updates from their carriers, right??? Oh dear! “Stage Fright”, nuff said… Orbot and a decent firewall stops that (or more so than the other easier pickings on the same wifi).
As for Tor being slow, well, it depends. Put it this way: You can stream Youtube over Tor if you want. It works. I don’t do it though because it hogs a lot of bandwidth and I respect the fact that someone is going to great lengths to protect my privacy. See, not all Tor users are bad! Some of us just respect privacy.
As far as the “Darkweb” goes, I just don’t go there – just regular websites. Some whine *cough* Cloudfront and the usual captcha pest turns up, but Cloudfront have mellowed a bit and it’s usually just numbers to type in rather than the illiterate spider scrawl.
Orbot works well with Chat Secure – check out “The Guardian Project”. Their intentions are honourable and privacy focussed. There’s some really good apps there. Heck, even Facebook is starting to get on the bandwagon with Tor support in their latest app – now that’s irony!
As for VPNs, well you really have to trust them. Yes your ISP is blind to the content, but what makes the VPN provider any more trustworthy than your ISP? They still have to abide by the laws of the countries they operate in. Tor doesn’t have this issue.
As for all the bad press about Tor, it’s exaggerated. Let’s face it you could use a telephone for good and bad, so why not ban all telephones? Doesn’t make sense.
At the end of the day we all have a right to privacy and we shouldn’t be made to feel like monsters just because we secure our internet access. I mean you don’t leave your door unlocked just in case the police might want to search your house. Some bad guy might steal your stuff otherwise!
Bob
As Sherlock Holmes said, the safest place to leave an important letter is on your desk.
There’s the issue of some websites prohibiting access if you are using TOR, a VPN, or proxy of any kind.