TOR, VPN and How To Be Anonymous on the Internet
Part 3 of a series: INFORMATION SECURITY FOR ACTIVISTS
I had a quick question for you—one of our assessors said that he’s been using TOR, and my journalist friend also says he always uses it. We’re planning to send out the advice on how to secure your web browser, but I noticed TOR isn’t on there. Do you have any thoughts on TOR—any reason we should not add it as another thing people can use?
Good question. TOR is an acronym for The Onion Router. An “onion router” is a hacker term for a shifting network of servers that can be used to disguise the origin of online communications.
TOR is a way to bounce your Web page requests (“Send me page XYZ, please”) around the net so that a third party (the bad guys) can’t learn the point of origin. This helps prevent local spying, such as your hotel, Internet cafe, employer, seeing into what you do online. It also means you can talk to a Web application without it tracing that conversation back to your location. Without TOR or something like it, every page you visit can track your activity by IP address, which can often be narrowed down to an area a few blocks wide. So TOR is good for people who need privacy from powerful adversaries.
TOR is pretty slow, so no one is using it unless they have a good reason to. This means a good percentage of TOR traffic is interesting to security services. That’s not so good: using TOR is different, and maybe different is a bad thing to be in some situations.
TOR has a limited number of exit points — the interface between the network of TOR bouncing-servers and the rest of the ‘net. Because TOR is a magnet for undesirables (that’s us!) the exit nodes are carefully watched by security services. In some cases, it’s best to assume the security services themselves are running those exit nodes, because it’s a volunteer network and TOR needs more servers to keep up with demand.
What does this mean for you? It means that TOR provides good anonymity… until you send identifying information through the pipe. You must act anonymously, in addition to turning on the technical solution. For instance, if you turn on TOR, and then log into something with an unencrypted username, you are completely identifiable to the exit point of TOR. You also need to be very wary of cookies, plugins and other browser crap that will leak identifying information (“Hi, I’m a browser widget that wants to sync bookmarks for user firstname.lastname@example.org”).
So, TOR is way to declare yourself sketchy, but might not provide anonymity unless you’re very careful. This is a bad outcome. The good people at TOR know this, and have built the TOR Browser to help — it’s a version of Firefox full of security and privacy plugins to prevent that kind of information leakage.
Update: Jillian C. York, also at the EFF, points out that this post is discouraging for potential TOR users. So I’d like to expand: We want lots of folks using TOR, because it helps create noise around the activist signal. If TOR and services like it become normal, the Web becomes safer for folks who really need it, like the researchers at Transparency International UK working to challenge defense ministry opacity. So using TOR, becoming familiar with it and maybe even a little evangelical about it is a useful action that anyone can take.
Alternatives to TOR
For activists doing work outside of the West, you can get many of the benefits of TOR (protection from local spying, more-anonymous browsing) by using a Virtual Private Network (VPN) service hosted in a neutral country, like Sweden.
A VPN is similar to TOR, but it provides a single anonymizing link (instead of TOR’s many bounces), preferably to a neutral country with strong privacy protections. VPNs are incredibly common — most Western corporations require them for traveling staff — which means that it is not incriminating in itself. The downside is that you have to trust the VPN provider, and everyone can see which VPN provider you use. This is bad for pirates but might not be so bad for activists doing anti-corruption or human rights work, particuarly if you pick a VPN with a healthy “go eff yourself” attitude towards people who mess with activists.
Some VPNs advertise that they do not log (meaning, make permanent records of user activity), which is a good thing.
If possible use a VPN with a Swedish exit point — their privacy laws are better, and the exit point’s laws govern how much information the VPN provider has to give up to the lawmen. The idea of bureaucratic incompatibility can help here: if you’re working the US, use a Russian VPN. If you’re working in China, use a Swedish VPN, because you want governments that cannot work well together so they can’t grab your data. And if that seems unworkable, maybe you should be using full blown TOR, which doesn’t require trusting a VPN provider to protect you.
So, if you do human rights or anti-corruption work, I would offer to pay for a VPN service for your staff that wants it. For individuals, you can pay the $10 a month for a VPN, or use you can use TOR. Alternatively, I’ve used AnchorFree Hotspot Shield, which is an ad supported but free VPN based in the US. Allegedly they do not log their free accounts.
Two VPNs based in Sweden with strong reputations for defending users and not logging:
I haven’t used either, so your milage may vary.
Some more commonly used VPNs: http://lifehacker.com/5759186/five-best-vpn-service-providers