Keeping Writers Safe Online: An Interview with the Tor Project
By: Deji Olukotun
This post first appeared on PEN Sweden’s Dissident Blog.
The human rights community has known for some time that digital technologies can be used to surveil and persecute dissidents. At PEN, we documented this rise through a 12 year analysis of our caselist, and found that the number of writers persecuted for their use of digital media has skyrocketed from about 6 percent of our caselist in 2000 to nearly 50 percent in 2013. The rapid development of new technologies suggests that this trend may continue as more writers express themselves on Twitter, Facebook—or whatever medium is dreamed up next.
In response to these threats, a variety of effective tools have been developed to help people use digital media securely and anonymously. These vary from mobile phone applications to web browsers, and they are being created all over the world in tech hubs as far afield as Tunisia, Thailand, Germany, Kenya, and the United States. Many of them rely upon open source code, which is available for the tech community to scrutinize and improve.
Writers are unique in that many of us seek to cultivate a readership, and becoming a public figure in a repressive regime can protect you from being killed. It would not really help, as one security researcher explained to me, if you disguised your identity online only to write a political screed in a style and voice that could only be attributed to you. You could be arrested all the same. Security tools may be more appropriate for dissident writers to conduct research, or to communicate safely about upcoming advocacy campaigns.
Perhaps foremost among the many tools that support digital safety is Tor. First developed through research funded by the U.S. Navy, Tor was then supported by the Electronic Frontier Foundation and Google. Tor works by sending data along a path with random checkpoints. At each checkpoint, which Tor calls “relays,” the data takes a new random path. Each relay only knows which relay came immediately before it, and no relay can trace the entire path of data from start to finish. What you’re uploading and downloading with Tor is encrypted, and the website you’re visiting is anonymized. (Here is a short video explanation at MIT.)
Since its founding, Tor has expanded its offerings to include tools that help non-technical users access the network relatively easily, such as the Tor browser. At the same time, other tools, such as TAILS, build upon the Tor platform to offer even more versatile packages that provide encryption and anonymous browsing. Indeed, Glenn Greenwald and Laura Poitras announced in April that they relied upon TAILS to break the Edward Snowden story about NSA spying, and Freedom of the Press Foundation kicked off a campaign to raise more money for the project and other tools.
I spoke with Andrew Lewman, Executive Director of the Tor Project, to learn more about how Tor can help writers, Tor’s current work, and plans for the future. Our conversation was unfortunately (and ironically) cut short several times by a bad phone connection, prompting jokes about eavesdropping. The following edited transcript was approved by Andrew.
PEN: What does Tor offer dissident writers?
ANDREW LEWMAN: The benefit that Tor gives you is local encryption from your desktop onto the Tor network. It helps journalists who are getting sources, doing research, and gathering data. What they gather and what they look at will be anonymized. At the core, it separates who you are from where you are going on the internet.
PEN: Can you tell us the difference between the Tor browser and TAILS?
LEWMAN: They serve different purposes. The Tor browser is an anonymous web browser that is simple and easy to use to surf the net. TAILS is a complete anonymous operating system designed to let you go into an internet café and work off a USB drive. Everything works anonymously through Tor, but TAILS includes an operating system and a full office suite with video and audio tools that can be operated without ever being online. The user can upload the material from a different location and no one would know where you were or who you are.
PEN: Does Tor support the development of TAILS?
LEWMAN: Yes, we support the development of Tails, both philosophically and financially. We partially funded Tails for many years. Tails is not a company. When people give money to Tails, they give it to a group of developers.
PEN: Would the Edward Snowden revelations about the NSA have happened without TAILS?
LEWMAN: I think it made it easier. It’s not clear that Snowden used Tails inside the NSA. But it’s clear that Laura Poitras and Glenn Greenwald used it.
PEN: What are the fundamental challenges that Tor is facing today?
LEWMAN: There are technical challenges and non-technical challenges. The technical challenges relate to cryptography, usability, and research about general anonymity on the internet. We’re currently working with the National Science Foundation and academic institutions all over the world to research anonymity, typically partnering with PhD candidates and their advisors who are looking at these issues. The main non-technical challenge is making people aware that the tool exists. We need to reach people who don’t know that there are strong privacy tools out there, including Tor.
PEN: A student named Eldo Kim allegedly emailed bomb threats at Harvard using Tor, presumably to get out of taking a final exam. One reason he was caught is that so few users were on Tor at the time and he had logged onto the Harvard network. Could writers be easily identified this way?
LEWMAN: Yes, it is a risk. But there were multiple things happening with that situation. Kim had logged into Harvard wifi, used Tor, and then used Guerrilla mail, which is a random anonymous mail account provider. He sent an email at the same time he was on the Tor network. The Harvard administrators were able to see who had logged into the wifi network, and cross-referenced this to find out who had used Tor. There were only a few users. Kim may not have used Tor before or used Guerrilla mail in the past. Most likely what had happened is that the Harvard police and the FBI went through a larger list of suspects, interrogated them, and waited for one of them to confess. Any real criminal would probably have denied it and maybe not been arrested. They weren’t necessarily able to identify Kim himself.
PEN: This begs the question: does Tor give a signal that someone is using it?
LEWMAN: Yes, it does. Someone monitoring web traffic can identify who is using Tor. But they generally will not know who you are. There are ways to hide the fact that you are using Tor and you would look like any other random website. We’re about to roll out a tool called “Pluggable transport” that can enable this, but it is in beta testing right now.
PEN: Tor is a dual use technology, meaning that dissidents can use it to promote free expression, but that criminals can also use it to hide their crimes. How should governments regulate dual use technologies?
LEWMAN: Governments should not regulate dual use technologies. They would have to regulate everything all the time. I’ve spent a lot of time talking to officials about what Tor does and does not do. If someone committed a crime with a crowbar and the government outlawed it, the criminal would just switch to a hammer. If the hammer is outlawed, the criminal would switch to a screwdriver. There is an unending amount of tools that can be used for good or bad. Right now, I’m working with victims of human trafficking and law enforcement to help understand how criminals are using technology.
PEN: Tor was originally funded by the U.S. Navy, then a combination of corporate, non-profit, individual, and government funders. Can we trust Tor?
LEWMAN: Yes, trust us, but you don’t have to trust us—look through our source code, look through our designs, have someone audit the code and tell us if it’s good or bad. Look at our 13-year track record and tell us what you think. We’re open and transparent about our funding. We also make the individuals working at Tor available for discussion to talk about our work.
PEN: Right now, security researchers and news media are concerned about the “Heartbleed” bug found in OpenSSL, a tool used to help websites safely encrypt their traffic. Banking, social media, and other information may have been affected. By the time this article prints, the story will be old news, but it could happen again. What is the long view of this?
LEWMAN: All software has bugs. Most bugs can be small. Some can be large and far-reaching. OpenSSL needs more auditing. As the internet grows, and you have huge scale, it’s clear that auditing and control will become even more important.
PEN: Anything else you’d like to add about Tor?
LEWMAN: Tor works to give people freedom and control of their identity online. We encourage the good uses, and anyone is welcome to come join us on our end.