[tor-project] notes from usdoj panel talk

Roger Dingledine arma at mit.edu
Tue Sep 19 22:12:33 UTC 2017

Hi folks,

Last week I was on a panel with a bunch of US Department of Justice
prosecutors who specialize in child exploitation cases. I wrote notes
for all the things I wanted to say, and of course my plan didn't stay
intact once the panel discussions began, but here are the notes for
posterity. Maybe they will be useful next time I (or you!) find ourselves
in this situation.


Three points as general Tor intro:

* Tor's history, including funding -- NRL, EFF, State Dept, DARPA, NSF
* Two pieces to the "metadata security" that Tor provides:
  the core Tor component that hides your IP address, and Tor Browser
  which deals with application-level fingerprints.
* Millions of users use Tor every day -- ordinary people, activists,
  censored people, militaries and law enforcement. That variety is part
  of what makes it safe to use for all of them. [Story about Dutch cop
  anonymity system if we want it.]

Follow-up question: The core Tor part? Why is Tor different from a
standard proxy or VPN?
* Distributed trust -- privacy by design, not privacy by promise.
* Relays are run by community, 100gbit of traffic on average
[Story about anonymizer if we want it]
* Transparency for Tor is key: design docs, specs, source code, but
also global engagement as real human beings. (It's not a contradiction
for privacy people to believe in transparency. Privacy is about choice,
and we feel that choosing to be transparent is the best way to establish
and grow trust with our communities.)

* Ok, so what are hidden services? Most people use Tor to reach websites
and other services safely. Onion services (aka hidden services) are
special addresses inside Tor that flip that around: people can reach
*you* safely.
- better security built-in
- can be faster since not competing with exit traffic
- reduced vulnerability surface area
- mobility

* We measured what fraction of Tor traffic has to do with onion services: 3%.
- Something like 7000 onion service websites up at a given time
- Compare to 2.5M-or-more users *each day*

(That's not nothing, but it is tiny. If you find somebody trying to
scare you with huge numbers and pictures of icebergs, make sure you
understand their business model before buying their product or believing
their claims.)

* Some examples of interesting onion services?

[Pause while we get distracted by other panelists]

"SecureDrop" is a tool for people to communicate securely with journalists
-- the New York Times, the Guardian, the Washington Post, Toronto Globe
and Mail, the AP, etc. all run onion sites.
(Compare to the FBI's tipline, where they pay Cloudflare to mitm it.)



* The biggest website that has an onion service? Facebook. In April
of last year they posted that 1 million people accessed Facebook over
Tor in that month. That's .1% of their user base!
* Onion services protect different metadata than https, and it's about
giving the users choice.

onion services features:
- stronger security, built-in:
  - encryption
  - authentication, so no dependency on the crappy CA model
  - authorization, so untrusted people can't even reach the webserver
- can be faster since not competing with exit traffic
- reduced vulnerability surface area
- mobility

Surprising (to this audience) users of onion services:
Facebook mobile
Debian updates
IoT operators
Activist blogger platform example
Govt and law enforcement


Child exploitation sites/users are bad for Tor! They're bad for society
in general, but they're bad for Tor in particular. We don't want them
as users. See also the discussion at the end of

What are onion services "most" used for? It depends how you count:
Internet Watch Foundation annual report has hidden services listed as
"<1%" of the problem:
Terbium Labs "dark web" report concludes the majority of onion service
content is legal:
I hear bad people use Google Drive and Dropbox for better bandwidth.
But all that said, I don't want to say there is no problem.

* What are some ways of screwing up your security while using Tor?
Opsec mistakes; metadata fingerprinting; browser exploits; traffic analysis.

NSA/GCHQ quote about Tor: King of low-latency anonymity systems

UN HR report endorsing Tor.


Contradictions for the audience to think about:

- If Tor works, you don't hear about it. So it's easy to overlook or
undercount the "good" users.
- Sometimes investigators have to choose between being able to discover
victims vs being able to bust people.
- If there is some approach that is able to compromise bad people, the
same approach can compromise good people.
- Often, the bad guys work harder on their security than the good guys.
- If we make Tor stronger, we make it stronger for all.
- There are many ways to be bad on the Internet, and fewer ways to be safe.

Central to Tor is the topic of power imbalances: those who have power are
less in need of Tor's protections than the most vulnerable populations.

Matt Blaze's great quote about politicians who ask for crypto backdoors:
"You can put a man on the moon, so surely you can put a man on the sun!"


Problems with "govt hacking" as a solution to "bad people":
- 1) Secrecy: we as society need to have an informed discussion, and
     if governments won't tell us what they do, how can society make
     a good decision?
  - NSA's goals, the existence of other countries makes this even harder.
- 2) The Feds lose their zero-days, and that hurts everybody. Cf
     "Shadow brokers".
- 3) When mass surveillance becomes the cheapest and easiest option for
     fighting any crime...

"Well sure, maybe you trust the people in power now... but what if the
people in power change?"
I bet US govt people are especially sensitive to this argument this year.

In many ways this is the same as the Apple encryption discussion, and
the "https everywhere" discussion.
