Clearing the air around Tor
[Editor's note: Following Pando's recent reporting on the financial links between some senior Tor developers and the US Government, a fierce -- and at times deeply unpleasant -- debate has erupted between Tor supporters and critics. This guest post by journalist Quinn Norton was commissioned following an email discussion between Norton and Pando writer Yasha Levine. In the interests of open and fair debate, Pando has not edited the text of the post, beyond adding hyperlinks. - PBC]
There's been a lot of debate over Tor in recent months, and much of it has been unproductive and uncivil. This is my attempt to clear the air, for the journalists, the activists, the developers, and most of all, Tor's users. I'm a long-time supporter of the project, and have taught people around the world about Tor, and how to use it to keep themselves safe and bypass censorship.
I want to say immediately that when Yasha Levine went looking at the project's funding, he was following a tradition of vital and good journalism. "Follow the money" is a maxim of investigation that will rarely lead you wrong, especially in matters of political policy. There are only a few places where funding can't influence the contents of the outcome – maybe fundamental physics, and math, and not much else. Math is as far from policy as human endeavor gets. Math either works or it doesn't work, and that is true for everyone in this galactic cluster, at the very least. What makes Tor different from the usual thesaurus-full of government projects is that Tor is essentially a very elaborate math trick, using layers of math puzzles to create a network-within-the-network. That math is being implemented in front of a global audience of millions of sophisticated watchers. It is likely the most examined codebase in the world. It has been subjected to multiple public audits. The math, well known and widely standardized, will work for everyone, or it will not, whoever pays the bills.
I began talking to Roger Dingledine back in 2005 or 06, after Tor was already well on its way but not yet well known. What Roger sought to do, and did quite brilliantly, was build a multi-purpose tool anyone could use to accomplish the same basic technical goals. Doing it on the government dime didn't matter as Roger saw it, because how it worked could not be politically controlled any more than π could be legislated to equal 3. Tor acts like a piece of infrastructure, and governments naturally fall into paying for infrastructure they want to use. I've long interpreted the government funding in that light, given the nature of the project itself.
Without an understanding of the technology behind Tor, I can see why the connection to the US Government feels important. In fact, this shouldn't be a question we ask only about Tor, but about the whole internet. Not only was it an ARPA/DARPA project to begin with -- to a degree it remains a US Government project to this day, with tons of federal money sustaining and supporting the infrastructure and the lion's share of internet governance dominated by Americans and American interests. And I do ask this question – having an internet that connects everywhere is to some degree about having an American internet that obeys American laws and runs American protocols. This is part of what makes the net neutrality debate so vital: America sets the precedent for the world, almost assuredly more than it should. A non-neutral net is likely to represent a terrible prior restraint on speech, not just in America, but globally.
But at the same time, we all have a sense of why this doesn't mean the internet is a pure US ploy, or at least not a very successful one if it is. The government certainly hasn't managed to control what the net has become, and tends to spend its time reacting to it with shock and confusion, while still funding and maintaining parts of it.
There are places where math says we can safely parley with our opponents. In public key encryption you and I can exchange keys without needing to trust each other or the network we're using, yet we can trust that our communication will remain private on the internet, and that we're still always talking to the same possessor of the key. Not because politics or policy has said so, but because the math is solid. For an explanation of key exchange without the heavy math, this series is excellent.
Tor uses this kind of process to create several layers of encryption, a new layer as it passes through each node of the Tor network, until it decrypts the data at the exit node. This math trick is not unique to Tor. This ability to create a network-within-a-network using encryption is similar to commercial VPNs, encryption schemes used in malware (including the malignantly brilliant design of Regin), and so on. One of the benefits of Tor is that it can't be blocked easily because it is just more layers of encryption, which is common on the internet.
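An added illustration of the key exchange and layering described above (not part of the original post and not Tor's code): the client agrees a key with each of three relays, wraps the payload once per relay, and each relay removes one layer, so only the exit relay ends up holding the original bytes. The toy Diffie-Hellman group, the SHA-256 keystream and all function names are assumptions made for the sketch.

```python
import hashlib, secrets

# Toy Diffie-Hellman group (assumption for illustration): 2**127 - 1 is prime
# but far too small for real use; Tor itself uses elliptic-curve key exchange.
P, G = 2**127 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    # Both sides arrive at the same value: (g^a)^b == (g^b)^a mod p
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def xor_layer(key, data):
    # Toy stream cipher: SHA-256 in counter mode as keystream. XOR is its own
    # inverse, so one function adds and removes a layer. No integrity check.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_circuit(hops=3):
    # One key exchange per relay; only the public values cross the network.
    client_keys, relay_keys = [], []
    for _ in range(hops):
        c_priv, c_pub = dh_keypair()
        r_priv, r_pub = dh_keypair()
        client_keys.append(shared_key(c_priv, r_pub))
        relay_keys.append(shared_key(r_priv, c_pub))
    return client_keys, relay_keys

def send_through(payload, client_keys, relay_keys):
    cell = payload
    for key in reversed(client_keys):   # innermost layer belongs to the exit
        cell = xor_layer(key, cell)
    seen = []                           # what each relay holds after peeling
    for key in relay_keys:
        cell = xor_layer(key, cell)
        seen.append(cell)
    return seen

if __name__ == "__main__":
    request = b"GET /inbox HTTP/1.1 (constructed sample, sent without TLS)"
    ck, rk = build_circuit()
    views = send_through(request, ck, rk)
    for name, view in zip(("guard", "middle", "exit"), views):
        print(f"{name:6} sees: {view[:24]!r}")
```

The guard and middle relays hold only ciphertext, while the exit relay holds the request exactly as the client wrote it, so anything that must stay private beyond the exit needs its own end-to-end encryption such as TLS.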
The incoherent frothing-at-the-mouth support for the fundamentals of Tor doesn't arise from a set of politics, or money, or a particular arrangement of social trust like a statute or constitutional law. The support comes from an appeal to the fundamental laws of the universe, which not even the most vigorous of black budget ops can break. We have seen here that the math works. The math that Tor is based on, among them one form of math called elliptic curve cryptography, allows for encoded data to be shared between points on the Tor network without them having to trust each other, the government, or the Tor developers. We know how hard it is to break something like elliptic key, and that is very hard indeed for anyone, even the NSA.
Occasionally the stars align between spooks and activists and governments and anarchists. Tor, like a road system or a telephone network or many pieces of public infrastructure, is useful to all of these people and more (hence the debate on child pornographers and drug markets), because it's just such a general architecture of encryption. The FBI may want Tor to be broken, but I promise any spies who are counting on it for mission and life don't. Once again, math makes the final call -- a bug in Tor exposes the US Government users as surely as it does a Silk Road-style site. A "backdoor" could get concealed in code or in the particular implementation of the cryptographic math, but there's no way it could only be a backdoor for the US Government, and there's no way anyone using such a flaw could ever know if it was being used by someone else. A clever "backdooring" of Tor as a tool for spies would make it useless for use by those selfsame spies, who would hopefully know better than to use it – they'd be just as stuck without a safe network tool as the rest of us. Any backdoor would risk discovery as well, because all of the code is done in the open. It would have to look like an accident, or the malicious programmer would get caught out. And even if a backdoor did manage to look like a bug, it would get fixed as a bug and the backdoor would vanish. For the government to keep a backdoor in a system like Tor would be a genuinely hard problem. The only way to keep Tor broken would be to make a closed version, or if people lost interest in it, at which point it would be irrelevant anyway.
One can ask whether a general piece of infrastructure is worth having when it enables anti-social behavior. That would be an interesting conversation to have, and I can see arguments on both sides. But I believe encryption as a part of public life does more good than harm, and as long as encryption is legal, nothing like Tor could be effectively outlawed -- a fact that countries who have tried to suppress Tor have run up against in frustration.
There's a lot of confusion about what Tor does and doesn't do, and it feeds into this misunderstanding and others. The Tor team and general information security community have not proven to be good at communicating with regular people. Tor is no magic bullet -- it does one thing, and sometimes that one thing is a struggle to do. Tor does not encrypt your traffic on the open internet. Tor does not prevent you from being attacked by malware from either a Tor hidden site or a non-Tor site, it will just make sure the malware is well-encrypted on its way to do you harm. Tor doesn't replace operational security. If you talk about your drug-selling website or your porn hub or your plan to fight the Iranian government, you're going to get caught because talking about such things is stupid, and Tor can't save you from doing something stupid. Tor just obfuscates your IP, allows you to route around some internet blocking mechanisms, and allows encrypted communication within the Tor network, and nothing else at all. It is good for using the net anonymously, reaching censored content, and communicating without disclosing your location.
I have been critical in the past, and still am, that the community which supports Tor hasn't told its story well enough to let naive users understand what it does and why its math is good. But at the same time, I appreciate that this is a damn hard thing to do. Within the Tor project itself, we're talking about a team of programmers in an organization without a strong PR structure. There is only so much they are going to be able to do, especially in an environment where few people have the technical literacy to follow the conversation. But this problem isn't limited to Tor -- it's a problem that permeates the tech world. We're still in the early days of the internet, and still figuring out how to educate people effectively on how the tools -- all of them -- do and don't work.
Being concerned about funding is understandable and valid. The highly technical nature of this project makes it hard to understand that it's a generalized piece of infrastructure, and in the end, the federal funding of it is about as spooky as federal funding for a highway bridge. There are, of course, plenty of questions to ask about funding priorities and corruption in just about all federal funding, but few people would ask if the bridge was a trick bridge that would drop undesirable cars into the water. Personally I see Tor as a tiny part of the State Department’s budget, a drop in the pail, which really does build a great piece of infrastructure for net freedom.
The brilliance of what Roger did is that he's remained neutral on every side and so has his code. He's advocated it to be as much a tool for law enforcement as rebellion, a tool that gets around corporate content filters, national firewalls, hostile surveillance, whatever. He's a roadbuilder who has remained agnostic about who drives on his road. The problem with Roger and the team he built, who are remarkable in many ways, is that they're terrible at communicating with the public, and this confusion about funding isn't the worst consequence of that. The worst consequence (to my mind) is the rogue exit node problem. A rogue node can spy on and collect all the Tor traffic going in or out of it, and probably a very high number of them do. This was allegedly how Wikileaks got its first drove of documents. It's not a flaw in Tor though, Tor is working fine through that whole process. It's a flaw in how people think about Tor, a flaw that has almost certainly cost people terribly by now.
It's important to explain why people have been so incoherently angry as Tor has been criticized. There's a genuine fear that this debate, or rather the miscommunication around it, puts people at risk. In most of the places people are using Tor, their adversaries are not the US Government. They're using it not only to communicate but to sidestep censorship. Tor is literally a lifeline to the world for people, some of whom are my colleagues, and some my friends. I can't explain the mathematical architecture of Tor to them, but I can explain how to use it and the broad strokes of why to trust it. I will continue to do this, but for those I can't talk to, those who only hear "honey pot", they can be cut off and put at risk, likely to vanish one day. Some of this is journalists in shitty countries, but sometimes it's gay kids in shitty homes trying to get information and not feel so alone. Sometimes it's trolls, and sometimes it's people trying to communicate about a controversial topic without risking home and livelihood.
There's a valid criticism that journalists covering technical topics should invest time to understand the technology, and it's something I've said myself. But journalists learn many of the things they need to know through a practice of talking to people, and that's worked for hundreds of years. It shouldn't fail as badly with the community of online security and privacy as it does right now. Not just in terms of creating ill-will with the media, but also how the communication style affects attracting new people into creating and using the tools. There's a common trope in the debates around security tools: that "x kills people" -- bad encryption, bad implementation, over or underselling a piece of software, unaudited code, even the notoriously hard to use interfaces of security software. I'd like to turn that around on the community -- if you believe that security software saves lives, then the social toxicity around it is most likely killing people: people who don't want to go near that rhetoric, and therefore will never learn what tools like Tor can do to make them safer. Viewed this way, the Twitter wars, sarcastic conference talks, vicious blog posts, and all these other places where we soak the field in vitriol aren't just the word games that don't matter like code matters, they are the vipers that imprison the code and never let it slip out into the world.
The computer security and net freedom community have come up in the abusive environment of contemporary social media, and this has created a culture of constant combat and defensiveness. They take criticism with flame throwers on full throttle. But I believe all sides of this debate can be settled through clearer, gentler, and more candid communication.
In the end I’d love to turn Yasha and the other Pando reporters into Tor users, especially when they find themselves dealing with censorship, or trying to report from places where their traffic could be spied on. But I’d also like the community of Tor supporters and Tor developers to tell a better story, more true to what Tor is and does, so that we don’t run into these kinds of misunderstandings. And even more important, so that users at risk don’t misunderstand and misuse this powerful but specific tool.