Identity Primer: Privacy (The Tor Browser)

NOTE: This is a reprint of an article originally published by Alex Kilpatrick in June 2017 on a different blog. We are reposting them on the Blink Identity blog because these issues are important and we want to keep our writing on these issues in one place.

When I was in the Air Force I mostly worked in research & development and we were always looking for opportunities to transition technology from the military to the private sector. If tax dollars pay for military tech AND improve the rest of the country that is a good thing. There are many examples of this, but one of the most famous is probably the Global Positioning System (GPS) which is so useful it helps the whole world, including our enemies.

However, there is another example of military technology transition that is not widely known - The Onion Router (Tor). Tor was invented by the US Navy research lab to mask intelligence communications, but was eventually released as open-source software. Basically, Tor allows for anonymous browsing. You may be familiar with "incognito mode" in Chrome/Firefox. That mode prevents your browser from recording you history. But it isn't really anonymous. If you are connected to Google they could still be recording your history, and your Internet Service Provider (ISP) will likely be recording your history as well. It is impossible to be truly anonymous with a regular internet connection, but Tor solves that.

Tor is complex, but here is a simple analogy. Let's assume you are worried that your postman is keeping track of who you are mailing. You are Alice, and you want to mail something to Eddie. So you put your item in a combination lock box with the combination only known to Eddie. Then you put that box in a combination lock-box known only to Dave. And that box goes into a box known only to Charlie, and so on until you get to your outer box. So the path will be Alice->Bob->Charlie->Dave->Eddie. You postman will only see that you are mailing to Bob. And Bob doesn't know anything either, except to forward the package to Charlie. And so on. The "onion" part comes from the fact that you peel away each layer as the package moves through the steps. This is isn't a perfect analogy, because with Tor you don't (and can't) know all the intermediate people. Perhaps this diagram makes it more clear.

No?  I didn't think so. But all you have to know is that when you use Tor your browsing activities are anonymous. Your ISP doesn't know who you are connecting to, nor does any shadowy government agency. However, like all things related to security I have to throw in a few caveats because nothing is 100% guaranteed. You are almost certainly anonymous unless the NSA controls more than 51% of the Tor network, or if there is an unknown vulnerability in Tor, or if the NSA can somehow break strong encryption. All of those things are possible, but highly improbable. In any case, Tor is really the only option for anonymity online right now.

Accessing Tor has been made very easy via the Tor foundation. You simply download a special browser, which is just a modified version of Firefox. It is already configured and you can start browsing the web anonymously. However, things will be a lot slower because of how the Tor network works. And since you are anonymous, some sites will block you because they don't want anonymous users. Also, since Javascript is generally bad for anonymity, many sites won't look or act right. You can use the Tor browser for the regular Internet, but you can also use it to access the so-called darknet, which is composed of sites that want to remain anonymous typically because they are hosting illegal activity. Darknet URLs end in ".onion" so they are different from the regular "clearnet." Note that browsing the clearnet with Tor is not illegal in most countries, nor is browsing the darknet, or even browsing things like drug marketplaces. Basically, looking is legal, acting is not.

Anonymity always raises the question of "What do you have to hide?" and Tor is no exception. The most obvious people who have something to hide are criminals, and Tor does facilitate criminal activity. It is hard to get real data on Tor activity because it is anonymous, but judging from the volume on online discussions the majority of Tor activity involves buying and selling of drugs. Of course it also includes other nefarious activities like child porn, weapons sales, terrorist communication and murders for hire. Anonymity breeds bad behavior, and this has been discussed all the way back to the time of Plato. However, we have to be careful that we don't engage in the contrapositive fallacy. All criminals want to be anonymous, but not all who want to be anonymous are criminals. Or, put another way:

Arguing that you don’t care about privacy because you have nothing to hide is like arguing that you don’t care about free speech because you have nothing to say. -- Eric Snowden

There are many non-criminal reasons to want privacy online. Some of the most common are that you live in an oppressive country where simply browsing a website can get you arrested, or you live in a "free" country where the government monitors everything in the interest of combating terrorism, or you don't want to be tracked by corporations trying to sell you things. The Tor foundation has an exhaustive list of non-criminal uses of Tor. However, you don't really need a reason. Simply wanting privacy is enough.