Putin's Next Pursuit: Exposing Tor Network

Russian police offered more than $100,000 for a feasibility study on deanonymizing users on the Tor privacy network. A Russian researcher has figured out how to do it, but he won't take the money.
We could do with $114,000 from the Russian Interior Ministry.

The Russian Interior Ministry is offering $114,000 to anyone who can help it unmask users of Tor, the Web's most popular online privacy and anti-censorship tool. Coincidentally, a Russian researcher at Carnegie Mellon University has apparently discovered a way to reveal the identities of Tor users, but the university stopped him from presenting his findings at a conference.

It would not be much of an exaggeration to call Tor the backbone of the Dark Web, where communication is encrypted, users are anonymous and sites are not indexed by search engines. Developed originally with the help of the U.S. Navy, Tor is now supported, like many open-source software projects, by a nonprofit foundation, and is a thorn in the side of intelligence services everywhere. Tor is a distributed network in which encrypted information bounces between servers run by thousands of volunteers, making the data hard to track. The layered structure explains the original name, The Onion Router, now shortened to Tor. Despite the system's complexity, nontechnical people can easily download and use Tor software.

National Security Agency leaker Edward Snowden revealed the NSA's attempts to crack Tor. A top-secret NSA presentation titled "Tor Stinks" said the agency would "never be able to de-anonymize all Tor users all the time," though "manual analysis" allowed it to find out the identities of a small fraction of users. In the U.S., 309,000 people use Tor daily, and that's just 13 percent of the network's global population. These people are a mixed bunch, from drug dealers, terrorists and pedophiles to civic activists and censorship-busting journalists.

Russian President Vladimir Putin's police, secret and otherwise, have had a keen interest in everything Internet since the Arab Spring and the failed protests against Putin's authoritarianism and election rigging in 2011 and 2012: Social networks played an important role in organizing the protests. "In just two years, the government has done a gigantic amount of apparently expensive work to fix its oversights," Fyodor Krasheninnikov wrote in the daily Vedomosti. Tough laws have been passed and anti-government sites are often blocked. Starting in August, popular bloggers will have to register with the government and follow the same rules as Russia's increasingly censored media.

Where there's censorship, there's Tor; and Russian users of the anonymity network have been increasing.

That would explain the Interior Ministry's interest, expressed in a recent tender announcement. Bidders have until Aug. 13 to "Study the feasibility of receiving technical information about the users (user equipment) of the Tor anonymous network."

On habrahabr.ru, a popular Russian tech forum, users speculated that, as often happens, the ministry already had a winner in mind and was obliged to announce the tender to abide by window-dressing anti-corruption rules.

Meanwhile, a Carnegie Mellon University researcher appears to have cracked Tor, and he has a Russian name -- Alexander Volynkin. He was due to give a presentation titled "You Don't Have to Be the NSA to Break Tor: De-anonymizing Users on a Budget" at Black Hat, a Las Vegas hacker conference scheduled Aug. 6-7. His talk was canceled because, according to a notice on the conference website, the university had "not yet approved" the research for public release.

Much speculation followed in the tech community and beyond: Volynkin had promised to explain how anyone with $3,000 could reveal Tor users. He declined to answer my questions, but it appears that he has shared some points with the Tor Project, which maintains the software. "We were informally shown some materials," Tor Project co-founder Roger Dingledine wrote on his blog. He added he still had questions for Volynkin.

A Russian cybersecurity specialist living in the U.S. is more likely to help Tor than to assist Putin's police -- or even the NSA, whose interest may well be the reason Carnegie Mellon axed Volynkin's talk. Software such as Tor is one of the last bastions of online anonymity, a pillar on which the very idea of Internet communication once rested. Now, bureaucrats claim to defend privacy by demanding that search engines erase data; that, though, has nothing to do with true protection.

The growing electronic intrusiveness of governments is turning web anonymity into a game of hide and seek. Dingledine is optimistic that Tor will fix the vulnerability discovered by Volynkin, but someone with the same skills and fewer scruples may well discover a new one and sell it to the Russian Interior Ministry. People may feel invisible using the Dark Web; that may be a false sense of security.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

    To contact the author on this story:
    Leonid Bershidsky at lbershidsky@bloomberg.net
