
Before You Use Tor... The Odds of Surveillance

"When irrepressible stalkers are paying for, and even promoting a system that claims to prevent them from stalking us, we would be absolute idiots to believe it's not a trick. It is a trick."

Have you ever given Tor browser a reality check and thought... "Nah. Doesn't add up". I mean, here is a tool that supposedly protects the anonymity of its users, happily existing in a world where surveillance oligarchs will censor and/or block anything that cuts off their gravy train. Indeed, Tor is actively promoted by the EFF - whose financial support got it off the ground in the first place. And as anyone who's researched Big Tech lobbying shops knows, if it's endorsed and bankrolled by the EFF, it is DEFINITELY endorsed by Google. Tor's list of funders is telling indeed, albeit twisted to look as though the public are the primary donors.

The public are not the primary donors. They barely cast a drop into the ocean. The onion router's proxying relay mechanism is predominantly funded by the US authorities. In 2015, Surveillance Valley author Yasha Levine confirmed through Freedom of Information requests that Tor "was almost 100% funded by three U.S. national security agencies: the Navy, the State Department and the BBG". But currently, Tor also receives support from Google and Fastly. I mean, come on... These are surveillance capitalists. And they're not people who chuck cash or resources at a project unless they have a massive agenda.



SEEMS LEGIT...

So what is the agenda? Well, the US Bureau of Democracy, Human Rights and Labor claims it's to...

  • Empower communities in the Global South to bypass censorship.
  • Rapidly expand access to the open internet.
  • Make the Tor network faster and more reliable for users in the Global South.
  • Measure and respond to internet censorship.

These points do sound valid, because they can essentially be summed up as "Loop around foreign propaganda and make sure American propaganda can be accessed in all countries of the world". This intention was shown as a central theme in Levine's FOIA dossier. But it doesn't necessarily mean your usage of Tor is subject to Big Tech and government surveillance.

Indeed, because of the way Tor works, as a bank of thousands of nodes which anyone is theoretically able to run, it appears the mechanism would be near impossible to mobilise as an organised surveillance tool. The encrypted system means that only the people running entry nodes get the user's real IP address, while only the people running exit nodes can discover the user's destination. And there's an intermediate relay between entry and exit point too. Thus, a real IP address cannot, we're told, be linked with a destination. But to accept this at face value would be to grossly underestimate the incentive for surveillance capitalists and governments to surveil.


WHERE THERE'S A WILL...

I'll never forget, many years ago, watching a crime documentary in which a precious item had been stolen from a house. It baffled the police, and changed the way I thought about how incentive reinvents possibility. All doors and windows at the house were locked shut, and the locks had not been tampered with. No access points had been forced and there were no signs at all of breakage or repair. It was a mystery no one could have solved...

Until a neighbour's CCTV recording was discovered and played back, showing a very small burglar entering through the cat flap. Even with the burglar actually standing in front of the door, you still didn't consider that they'd try to squeeze through such a tiny space - let alone succeed. That's when I realised that incentive dramatically changes our perception of what's possible.

"It's fair to say that an ordinary member of the public would have to be a masochist to run a Tor node."

When something requires a lot of thinking, planning and/or effort, people without any incentive will not make those investments. And when we won't do the thinking or make the effort, we're unable to conceive that the possibility exists. Conversely, those with a strong incentive will think and work hard and fast, and they quickly realise that the impossible is in fact straightforwardly doable.

Let's start thinking about the workings of Tor with a look at an interesting Web page. That's DuckDuckGo not only advising us to use Tor, but also telling us it's running an "exit enclave". Which is what, exactly?

Well, I couldn't get anything useful to load on torproject.org's current JavaShit trashfire of a wiki page, so I'll have to send you to an old archived version for reliable reference. You may find DDG CEO Gabriel Weinberg's explanation more useful, while noting that Weinberg's original post is now deleted, and that this had to be recovered via the archive too.

To summarise, if you access a site via Tor, and the site runs an "exit enclave", it can direct you to an exit node which is controlled by that site. And we see in the coding example on the archived wiki page that the process is technically very simple.

So, if it's that easy for any random website to determine the exit route, might it not also be similarly easy for a privileged actor at the entry point to determine the ENTIRE route through Tor, meaning they get both the user's IP address and their destination? Let's turn our attention to the entry nodes, or entry guards, as they're otherwise known...


TOR ENTRY NODES OR ENTRY GUARDS

Unlike the exit nodes, Tor entry guards cannot be run by just anyone who wants to run one, and the people who do run them see the real IP address of each user.

If you look at the general promotional literature emanating from Tor and its digital entourage, random parties are encouraged to run exit nodes or intermediate relays. But not the entry guards. That's because the parties running entry guards must be strictly selected. By whom? By Tor.

I know what you bright, tech-savvy people are gonna say...

"But this is all open source! We can audit the software and show that the selection of entry guards is random!"

And you're right. But there are still criteria for the selection process. In order for a node to get what's known as the "guard flag" (a selection marker for entry nodes), it must attain a high level of performance. This makes it most likely that servers run by professional providers will become entry guards. And professional providers are almost invariably a well-connected facet of the surveillance industry. It also means that if Big Tech or government agencies do jump into the circuit, the chances of their nodes becoming IP-address-seeing entry guards are extremely high.

By insisting on the highest performance for entry guards, even a completely transparent selection system can be made to favour the tech industry - which these days is interchangeable with the term "surveillance industry" - over and above the small, home "IndieWeb" operator.

There are actually a few thousand Tor nodes with the "guard flag", so it doesn't, at a glance, appear that monopolising the entry point to the Tor network would be a trivial task. But there's also a volume preferencing algorithm within Tor, which means that not only are the highest performing nodes more likely to become entry guards - they're also likely to get much more traffic when they get there.

This comes from a discussion I'll explain in more detail in a moment. It presents stats showing just how profoundly the fastest nodes would tend to monopolise traffic...

"Based on the guard probabilities at compass.torproject.org:

- there's a 50% probability of using one of the 84 fastest relays with the guard flag
- there's a 25% probability of using one of the 26 fastest relays with the guard flag"

Whoa!... So now we really are seeing that those with big money to spend on server performance can oversee a huge chunk of entry point traffic. Based on those figures, if surveillance capitalists controlled just the top 84 performers of the thousands of entry guards, they would see half of the entire Tor traffic. And it's even worse at the exit. The phenomenon is what Tor boss Roger Dingledine described as load-balancing, whilst admitting that 80% of traffic exiting the Tor network goes through the fastest 40-50 nodes.

It's not that many servers for a big surveillance power to monopolise. And imagine how much it would cost to handle the required volume of traffic. As long ago as 2007, the hacker Dan Egerstad famously remarked that the bandwidth necessary for the highest-performing Tor nodes would cost $thousands per month, and reached the immortal conclusion...

"Who would pay for this and be anonymous?"

Who indeed. When you take into account the effect of load balancing, monopolising the Tor system doesn't seem quite such a big leap.


GUARD PERSISTENCE

The story doesn't end there. Did you know that one entry guard is assigned to a client - that's your specific Tor browser - for at least a number of months continuously? Every time you fire up Tor, THE SAME PARTY, whoever they may be, knows you fired up Tor.

If that doesn't strike you as very decentralised, that's because it isn't. Due to the way the Tor entry guard system is allotted, by default you get one, single party watching your entire Tor usage frequency, over the long haul. And Tor has long wanted to dispense with the rotation of entry nodes altogether, giving each user a single entry guard for life. If, when you look at this, you don't see the phrase "surveillance stitch-up", you've read too many fairytales.

Roger Dingledine produced an elaborate spin for a shift towards persistent guards in a 2013 post. The comment we saw earlier, quoting stats for fast nodes, came in response to Dingledine's post.

So where are we with this now?... You have the same party logging your usage and IP address every time you use Tor. Due to the performance requirements of the selection criteria and load balancing, that party is most likely to at least involve a professional service provider. And based on an old stat, which may or may not still be valid, you'd have an 80% chance of passing through an exit node which at least involves a similarly high-investing provider. We know from the clearnet that the level of collusion between professional tech companies is phenomenal. There's virtually no instance in which they're not selling or exchanging data back and forth. So whichever one we get, there's a good chance the rest will know about it.

And some of the time, it's fair to assume, you WILL exit via the exact same provider through whom you entered. A provider who knows your IP address and has access to a full log of your entire usage pattern of Tor. Even if they don't control the intermediate relay, they can still use fingerprinting techniques such as network behaviour analysis (PDF) or clock discrepancy to identify the computer at both ends.

That burglar certainly now has his head and shoulders through the cat flap, wouldn't you agree?...
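
The sketch below is an added example, not code from Tor or from any of the sources quoted here. It models the two mechanisms above in simplified form: selection proportional to bandwidth weight (how few fast relays cover a given share of picks), and the chance that one operator sits at both ends of a circuit, for a guard kept across circuits versus one redrawn each time, which goes a step beyond the text. The weights and the 0.5 exit share are constructed, and Tor's real position weights and family/subnet rules are left out.

```python
# Added illustration: simplified model of bandwidth-weighted relay selection.
# Real Tor path selection also applies consensus position weights and
# family/subnet constraints, which are ignored here (assumption).

def selection_probs(weights):
    """Probability of picking each relay when choice is proportional to weight."""
    total = sum(weights)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return [w / total for w in weights]


def relays_to_cover(weights, share):
    """Smallest number of top-weighted relays whose combined selection
    probability is at least `share` (0 < share <= 1)."""
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    total = sum(weights)
    running = 0
    for count, w in enumerate(sorted(weights, reverse=True), start=1):
        running += w
        if running >= share * total:
            return count
    return len(weights)


def both_ends_probability(guard_share, exit_share):
    """Chance that one operator holds both guard and exit of a single circuit,
    assuming the two positions are chosen independently."""
    return guard_share * exit_share


def exposure_over_circuits(guard_share, exit_share, circuits, persistent_guard):
    """Chance that at least one of `circuits` circuits has both ends at the
    same operator.

    persistent_guard=True : one guard is drawn once and reused for every circuit.
    persistent_guard=False: a fresh guard is drawn for every circuit.
    """
    if persistent_guard:
        # Exposed only if the single guard is the operator's (guard_share),
        # and then at least one exit out of `circuits` is theirs too.
        return guard_share * (1 - (1 - exit_share) ** circuits)
    return 1 - (1 - guard_share * exit_share) ** circuits


if __name__ == "__main__":
    # Constructed guard weights (arbitrary units), not real consensus data.
    guards = [400, 200, 100, 100, 50, 50, 40, 30, 20, 10]
    for share in (0.25, 0.5, 0.75):
        print(f"{share:.0%} of guard picks land on the top "
              f"{relays_to_cover(guards, share)} of {len(guards)} relays")
    g = sum(selection_probs(guards)[:2])   # operator runs the two fastest guards
    e = 0.5                                # assumed exit share for the same operator
    print(f"single circuit, both ends: {both_ends_probability(g, e):.2f}")
    for n in (1, 10, 100):
        print(n,
              round(exposure_over_circuits(g, e, n, persistent_guard=True), 3),
              round(exposure_over_circuits(g, e, n, persistent_guard=False), 3))
```
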


AREN'T THE GENERAL PUBLIC STILL A MAJORITY PRESENCE IN THE TOR NETWORK THOUGH?

I've been hard at work with keyword searches on social media, and it's clear that ordinary members of the public do run Tor nodes. Some care deeply about privacy, and want to help preserve a safe haven from nineteen eighty-four. Some support Wikileaks and want to help protect its flow of information. Some sympathise with citizens under censorship, or in the light of more recent developments, want to help protect women from "pregnancy-logging". There are many reasons an ordinary person might want to run a Tor node.

But their commitment really does have to run into serious overdrive. There's vastly more disincentive than incentive for a regular, law-abiding member of the public to run a Tor node. In fact, it's fair to say you'd have to be a masochist to do it.

Costs money, no return, massive waste of bandwidth, your IP address gets blocked from a big chunk of the Internet, you're banned from masses of UGC sites, can't even edit Wikipedia, you might get the odd cease and desist, and given the likely percentage of illegal activity passing through your IP address, there's a fair chance of a visit from the old bill. It's also notable that Tor servers can be seized by the police.

As a Tor user who's never considered running a node, some of the above didn't occur to me until I began searching for real people who have actually done it. You quickly realise that it's something that makes barely any sense at all for random members of the public, and an enormous amount of sense for the preds and the feds.

The truth is we don't know what the proportions are, and from the outside, there's no way of finding out. Tor the org will always try to spin an attractive picture, because there's a hell of a lot of money at stake. And it's true - the Tor network cannot be a monopoly whilst it's open for any member of the public to become a part of. But based on incentive, and even more particularly disincentive, it would be naive to imagine that it were not riddled to the core with organised surveillance.


FLIPPIN' THE CODE

We began this journey with a peep into the world of DuckDuckGo and the "exit enclave" which enables it to direct traffic to its own exit node. I posed a question asking whether anything similar could be done by a privileged power at the entry point.

The answer would appear to be no. Tech experts, remember, have access to the open source code and would have noticed by now if there were a way to simply specify a pre-determined path of choice through the rest of the circuit.

But as I mentioned in a recent Blogspot post about the Fediverse, open-sourcing is not only a strength. It's also a weakness...

Imagine you're a surveillance capitalist. You're in an industry where truth and transparency are alien concepts. No one even expects you to be honest. Your big, high-performing server has been selected as a Tor entry guard. You control other nodes in the system, but you can't guarantee that the traffic leaving your entry point will reach them.

You have the code for Tor, because it's openly published. You have a raft of developers bound by NDAs. Are you telling me that you would not at any point consider amending the code to which you have full and unrestricted access, to bypass the regular routing algorithms and push traffic straight to your own exit node(s), where you can match IP addresses to destinations? Recompile the software; who on the outside is to know? And if you're paying their wages, who, within Tor, is even to care?

The burglar is through the cat flap. The impossible is now a simple reality.


TOR IS TOO FAST

If there's a single element about Tor that caused me to question its integrity above any other, it's the consistency of speed. For a mechanism depending largely on random members of the public with their struggling little servers, Tor simply runs too fast to pass a reality check.

Why do we have CDNs and multi-origin Web pages? Well, from the webmasters' viewpoint it's because their sites can't deliver the pages quickly enough. And we're not even talking about small IndieWeb sites here. Even fairly strong websites struggle with speed of delivery. So how do we get through a triple-relay system, plus the destination site, without any Big Tech crutches like CDNs within Tor itself, at the speed Tor delivers pages? Tor is slower than direct access, but if you add in all the extra stages of transport, the delivery is still in keeping with Big Tech performance.

And if you are pretty consistently getting Big Tech performance, you're probably pretty consistently getting Big Tech.


BUT IF IT'S A BIG TECH AND GOVERNMENT STITCH-UP, WHY DO BOTH BIG TECH AND GOVERNMENT SITES BLOCK USAGE VIA TOR?

We could turn that around and say: if it's not a Big Tech and government stitch-up, why do both Big Tech and the government pay for Tor? On OUR behalf?

But to answer the question in the subheading, Tor doesn't guarantee any one party a reliable surveillance regime. If I go to Tor to use Google, and Microsoft is running both entry guard and exit node, Microsoft becomes a man-in-the-middle, collecting my data, then submitting me to Google as an anon. Even if Google is running its own entry guards and exit enclave, it still only gets a percentage of user identifications for visits to its own sites. Therefore, it blocks Tor, forcing all users to go direct and preventing Microsoft, or whoever else, from hijacking its data.

Tor nevertheless provides the surveillance industry with some of the most valuable data there is. A heavy proportion of the people using Tor are completely off the grid, and up to no good. Although Big Tech loves us to believe our data is only used to help us shop easier, the biggest individual payouts in the data industry relate to intelligence. Tor, with its rep for anonymity, is a goldmine. Tech companies will mine that gold, but they won't sacrifice any of their data entitlement in order to do so. Hence, we see the classically hypocritical Big Tech scenario of Google funding Tor, whilst simultaneously blocking it.

And Google, it's been remarked, has other reasons for supporting Tor. As a company that heavily profits from piracy, Google has a vested interest in maintaining a tool that lets thieves upload stolen content without being caught. Tor is the final piece of the safe harbour jigsaw, that renders copyright unenforceable. If a copyright owner can't sue a safe-harboured platform because of DMCA 512, and can't sue the actual thief because they anonymised themselves using Tor, then Google has its ultimate desired outcome of an open floodgate on intellectual property.


SO I SHOULDN'T USE TOR THEN?

For some legitimate applications, Tor is very useful. Perhaps vital if you need to bypass censorship. And it's a good choice if you know that the owner of a small site is watching you with ulterior motives. The fact that you're passing before the eyes of the surveillance industry may not matter provided your identity is hidden from your destination site. In those instances, Tor is fine.

But we should not take the spin surrounding Tor at face value. When irrepressible stalkers are paying for, and even promoting a system that claims to prevent them from stalking us, we would be absolute idiots to believe it's not a trick. It is a trick. It's built to favour people who are prepared to spend £thousands per month without any return beyond data - and we all know who they are.


IS A VPN THE BEST ALTERNATIVE?

VPNs are worse. The sheer number of brands now desperately lobbing them into the market shows they're nothing but a data-mining tool. Among the #privacy tags, VPNs are now second only to crypto in Twitter shill volume. You're giving your entire Web usage history to someone who knows who you are and has you encased in a little box. You WILL be sold as the product whether or not you're paying. The idea that a VPN provider will not sell your data because they make "enough" money from subscription fees is just delusional. In capitalism, there is no such word as "enough". And they don't have to tell you they're selling your data if they hash it first.

In this Tweet, Snowden describes VPNs as a "single point of failure".

And here's a beautiful and super-short anecdote for anyone who thinks law enforcement are not all over VPNs fishing the caches. What a triumph for privacy that was!

Oh, and see what you make of this tweet from a VPN provider hoping for a guard flag (permission to run an IP address-accessing entry node) on Tor.


SO HOW DO I PROTECT MY PRIVACY?

I know this is not the answer people want to hear, but if you're not doing anything wrong and you just want to make yourself difficult for Big Tech to stalk while randomly browsing and researching, then DISABLE JAVASCRIPT, block all cookies, and use uBlock Origin, custom-set to disallow all third party content. Use an unproxied browser that does not phone home - the obvious choice being Ungoogled Chromium.

This will still present your IP address to sites you visit, but without JavaScript, a login, or any third-party page content, the relentless stalkers will not be able to reach you away from their own properties, and any data they do get will remain plausibly deniable. Which normally means it's not worth data brokers buying.


ROOTS IS ROOTS

Used for its true core purpose, Tor is a means for law enforcement agents to conceal their identity in investigations, at the expense of the people who run the nodes - which will undoubtedly sometimes be the law enforcement groups themselves.

But here in 2022, I would bet that the majority powerbase within the Tor network is held by surveillance capitalists, and not the police. And given that Google's pet puppet the EFF essentially brought Tor into the world, it's probably been that way since the mid 2000s.

To all intents and purposes, we can no longer use Google via Tor. But Google can still very much use us via Tor, and I would not doubt for a single second that it does.