How anonymity technology could save free speech on the Internet.
Eugen Leitl
eugen at leitl.org
Fri Apr 24 11:52:27 UTC 2009
http://www.technologyreview.com/printer_friendly_article.aspx?id=22427&channel=computing§ion=
May/June 2009
Dissent Made Safer
How anonymity technology could save free speech on the Internet.
By David Talbot
"Sokwanele" means "enough is enough" in a certain Bantu dialect. It is also
the name of a Zimbabwean pro-democracy website whose bloggers last year
published accounts of atrocities by Robert Mugabe's regime and posted
Election Day updates describing voter intimidation and apparent ballot
stuffing. You can visit Sokwanele's "terror album" and see photographs: of a
hospitalized 70-year-old woman who'd been beaten and thrown on her cooking
fire (she later died, the site says); of firebombed homes; of people with
deep wounds carved into their backs. You can find detailed, frequently
updated maps describing regional violence and other incidents. You will be
confronted with gruesome news, starkly captioned: "Joshua Bakacheza's Body
Found."
Because this horrific content is so readily available, it is easy to overlook
the courage it took to produce it. The anonymous photographers and
polling-station bloggers who uploaded the Sokwanele material remain very much
in danger. In a place like Zimbabwe, where saying the wrong thing can get you
killed or thrown in prison on treason charges, you take precautions: you're
careful about whom you talk to; you're discreet when you enter a clinic to
take pictures. And when you get to the point of putting your information on
the Internet, you need protection from the possibility that your computer's
digital address will be traced back to you. Maybe, at that point, you use
Tor.
Tor is an open-source Internet anonymity system--one of several systems that
encrypt data or hide the accompanying Internet address, and route the data to
its final destination through intermediate computers called proxies. This
combination of routing and encryption can mask a computer's actual location
and circumvent government filters; to prying eyes, the Internet traffic seems
to be coming from the proxies. At a time when global Internet access and
social-networking technologies are surging, such tools are increasingly
important to bloggers and other Web users living under repressive regimes.
Without them, people in these countries might be unable to speak or read
freely online (see "Beating Surveillance and Censorship"). Video
Unlike most anonymity and circumvention technologies, Tor uses multiple
proxies and encryption steps, providing extra security that is especially
prized in areas where the risks are greatest. Paradoxically, that means it's
impossible to confirm whether it's being used by the Zimbabwean bloggers.
"Anyone who really needs Tor to speak anonymously isn't going to tell you
they use Tor to speak anonymously," says Ethan Zuckerman, cofounder of Global
Voices, an online platform and advocacy organization for bloggers around the
world. "You can't tell if it's happening, and anyone who is actively evading
something isn't going to talk about it." That said, the Sokwanele
journalists "are extremely sophisticated and use a variety of encryption
techniques to protect their identity," he says.
Anonymity aside, Internet users in dozens of countries--whether or not they
are activist bloggers--often need to evade censorship by governments that
block individual sites and even pages containing keywords relating to
forbidden subjects. In 2006, the OpenNet Initiative--a research project based
at Harvard and the Universities of Toronto, Oxford, and Cambridge that
examines Internet censorship and surveillance--discovered some form of
filtering in 25 of 46 nations tested, including China, Saudi Arabia, Iran,
and Vietnam.
In a new and still-evolving study, OpenNet found that more than 36 countries
are filtering one or more kinds of speech to varying degrees: political
content, religious sites, pornography, even (in some Islamic nations)
gambling sites. "Definitely, there is a growing norm around Internet content
filtering," says Ronald Deibert, a University of Toronto political scientist
who cofounded OpenNet. "It is a practice growing in scope, scale, and
sophistication worldwide."
Tor can solve both problems; the same proxies that provide anonymous cover
for people posting content also become portals for banned websites. When it
officially launched five years ago, the Tor network consisted of 30 proxies
on two continents; now it has 1,500 on five continents, and hundreds of
thousands of active users. And its developers are trying to expand its reach,
both abroad and in the United States, because digital barriers and privacy
threats affect even the free world. In the United States, for example,
libraries and employers often block content, and people's Web habits can
be--and are--recorded for marketing purposes by Internet service providers
(ISPs) and by the sites themselves. "The Internet is being carved up and
filtered and surveilled," says Deibert. "The environment is being degraded.
So it's up to citizens to build technologies to [counter these trends]. And
that is where I see tools like Tor coming into play. It preserves the
Internet as a forum for free information."
Neutral Nodes The product of a small nonprofit organization with eight paid
developers and a few dozen volunteer security professionals around the world,
Tor takes advantage of the fact that Internet traffic consists of two-part
packets. The first part contains data--pieces of a Web page you are viewing,
or of the photo file or e-mail you are sending. The other consists of the
Internet protocol (IP) address of the sending and receiving computer (plus
other data, such as the size of the file). Tor uses the latter portion--the
addressing information--to build a circuit of encrypted connections through
relays on the network (see "Dodging Spies, Data Miners, and Censors" next
page). The requisite relays (which collectively serve as proxies) are
operated on a volunteer basis at universities such as Boston University and a
few corporations, and by computer-security professionals and free-speech
advocates around the world. (Many Tor users also use existing technologies,
such as HTTPS--a protocol for encrypting and decrypting a user's page
requests and the pages that are returned--to protect the content they are
sending and receiving.)
Tor, like the Internet itself, emerged from military research--in this case
at the U.S. Naval Research Laboratory in Washington, which built a prototype
in the mid-1990s. The military interest was clear: without a way to make
Internet traffic anonymous, an agent's cover could be compromised the minute
he or she visited .mil domains using the Internet connection of, say, a
hotel. Even if the data were encrypted, anyone watching traffic over the
hotel network could quickly figure out that the guest might be associated
with the U.S. military. And the problem is hardly limited to hotel networks;
IP addresses can be linked to physical locations by a variety of means (ISPs
correlate such data with phone numbers, data miners can piece together clues
from Internet traffic, and someone outside your house can confirm that you
are the source of specific kinds of Internet traffic by "sniffing" data
traveling over Wi-Fi). As a Tor presentation puts it, chillingly, what might
an insurgent group pay to get a list of Baghdad IP addresses that get e-mail
from a .gov or .mil account?
The navy project never emerged from the lab, but it attracted the interest of
Roger Dingledine, a cryptographer concerned about a different aspect of
Internet privacy: the way ISPs and websites amass databases on people's
browsing and search history. In 2000, at a conference where he was presenting
his MIT master's thesis on anonymous distributed data storage, he met a Naval
Research Lab mathematician, Paul Syverson. The two men saw that tools for
protecting military agents and tools for protecting Web surfers' privacy
could be one and the same, and together they revived the project with funding
from the Defense Advanced Research Projects Agency (DARPA) and the navy.
The first public version of Tor, which came out in 2003, was available for
anyone who cared to install it. But it worked only on open-source operating
systems, and using it required at least some technical knowledge. The
Electronic Frontier Foundation, the digital civil-liberties organization,
funded development of a version for Windows, and soon a wider variety of
users emerged. "Originally one ofocks many websites--including Facebook,
YouTube, and Skype--from all Web users in the nation. I spoke about Syrian
censorship with another blogger, Anas Qtiesh; he sat in an Internet café in
Damascus as I messaged him from my living room. Qtiesh isn't worried that
he'll be tracked down, because he tends to blog about pan-Arab politics, not
about criticisms of the regime. But he wants access to more of the Internet
than the government permits, so the Firefox browser on his laptop sports the
Torbutton. Click the button, and presto--the same Internet that everyone in
America sees. To access blocked sites, his computer negotiates a series of
proxies, eventually connecting to an IP address somewhere else in the world.
This intermediary fetches the blocked material. "Tor brings back the
Internet," he wrote.
Qtiesh has plenty of company: Tor was always of interest abroad, but word of
mouth and the introduction of the easy-to-use Torbutton have helped
accelerate its global spread. Zuckerman has been actively promoting Tor
through his Global Voices network. So have other advocates of online free
speech in Asia, China, and Africa. And these efforts have been working. Wendy
Seltzer, who teaches Internet law at American University and founded Chilling
Effects, a project to combat legal threats against Internet users, saw that
firsthand when she traveled to Guangzhou, China, for a blogger conference
last year. China is generally acknowledged as the most sophisticated Internet
filterer in the world; it employs a variety of techniques, including blocking
IP addresses, domain names (the text name of a website, such as
www.google.com), and even Web pages containing certain keywords (Falun Gong,
for example). According to one report, Chinese security forces have arrested
several hundred Internet users and bloggers in the past 10 years. Seltzer
says that many bloggers she met in Guangzhou were using Tor. And when she
went to an Internet café there, she reports, the computers were automatically
configured to run the software.
In China, Tor is one weapon in wo years ago, Turkey piled on, with particular
zeal for stamping out criticism of the nation's founding father, Kemal
Atatürk.
Tor is preparing for the fight against relay blocking by creating a system of
"bridge nodes"--a constantly changing list of IP addresses through which
people can reach the main network of relays. A user can simply send an e-mail
asking for a bridge address. Of course, an Iranian censor could also request
and block such addresses, but the idea is to defeat such efforts by
generating ever more bridges, donated by a wide range of Internet users. And
Jonathan Zittrain, a Berkman cofounder and Harvard Law School professor,
envisions going even further. "The next big moment that the Tor people
haven't implemented--something in the background, something that would be
huge--would be if your use of Tor, by default, makes you a Tor node
yourself," he says. "At that point, it totally scales. The more people use
it, the more people can use it."
As part of a three-year effort to improve the software and expand its use,
Tor's staff and volunteers will step up appeals for Tor users to let their
computers serve as bridges to individual users elsewhere. But taking the next
step--becoming a relay, or node, potentially available to any Tor
traffic--would massively increase the traffic flowing through a user's
computer. If users became nodes by default, it could defeat the purpose of
using Tor to remain low key: once a user wandered into a cybercafé to blog
anonymously, that terminal would soon stand out as a hub of Internet traffic.
What's more, such a system "sets off an arms race with all the network
providers and network administrators," says Andrew Lewman, Tor's executive
director. "It increases traffic, and we become something they might block,
because that's their job." Tor would ultimately like to find safe ways to
enlist distributed help, but for now, developers are pursuing intermediate
goals, such as limiting bulk data transfers and improving the flow among
existing Tor relays.
One criticism leveled against Tor is that ior good purposes but for
bad--protecting distributors of child pornography, for example. Dingledine's
response is that Tor's protections help law enforcement catch criminals, too,
while criminals may find it more effective to use neighbors' or public Wi-Fi
links, or hacked computers, to mask their identities.
Another concern is that circumvention tools--especially those that only use a
single proxy, which holds information about who is talking to whom--can
create privacy and security worries of their own. Earlier this year, Hal
Roberts discovered that certain tools used widely in China--DynaWeb Freegate,
GPass, and FirePhoenix--appeared to be offering to sell users' browsing
histories. While there's no evidence that any individual's privacy was
compromised, the point was made: in many cases, using anonymity or
circumvention systems still means trusting an organization with your
information--and trusting that its privacy policies can and will be honored.
(With Tor, it's a bit different; since no single relay ever holds the
information about the complete route, you must trust the integrity of
algorithms that obscure connections between origins and destinations.) "I
don't doubt the dedication of the people hosting these tools, but what I'm
concerned about is whether they will protect your data," Roberts says. "The
biggest takeaway is: they have that data."
Dingledine thinks events will push people to seek the protections that Tor
and other tools provide. In 2006, for example, AOL gave away millions of
users' search terms for research purposes. Although the searchers were
identified only by random numbers, bloggers and reporters were quickly able
to identify individual users from clues based on the search terms. (Since Tor
uses a different router pathway for each user each time, it's impossible to
amass such aggregate data about even an anonymously identified Tor user.)
Dingledine reasons that each time a national censor blocks news sites and
YouTube, or an ISP or website loses or sells or gives away user data, people
will seek solutions. "The approach we've taken so far is to let the bad guys
teach people about it," he says. "Let the AOLs and the China firewalls screw
up. Let everybody read about why they want privacy on the Internet." More and
more people might just decide that enough is enough.
David Talbot is Technology Review's chief correspondent.
More information about the tor-talk
mailing list