A civil liberties group has filed suit against the United States government, demanding access to information that could determine if the government’s financial backing of Tor, a popular online anonymizing software, has led that system to become fundamentally and intentionally compromised.
“[We have] a strong interest in the integrity of the Tor network, as it is a primary tool for Internet users to maintain privacy and anonymity in an increasingly monitored world,” wrote the Electronic Privacy Information Center (EPIC), the group that filed the suit, in a post on its website.
Originally short for “The onion router” and initially developed in conjunction with contracts with the Department of Defense and the National Science Foundation, Tor is a free, universally accessible system maintained by the non-profit Tor Project. Tor users’ Internet activity is routed through a series of "nodes" hosted by volunteers around the world, and then spit out at random—ideally making it impossible for an external observer to determine the information's origin.
“Tor is part of an ecosystem of software that helps people regain and reclaim their autonomy,” explained computer security researcher and Tor Project member Jacob Appelbaum in an interview with The Verge. “It helps to enable people to have agency of all kinds; it helps others to help each other and it helps you to help yourself. It runs, it is open and it is supported by a large community spread across all walks of life.”
It’s also a doorway into the Dark Web, a term used to describe hidden—and sometimes illegal—services that are only accessible to those who anonymize their browsing with Tor.
A division of the U.S. State Department most notable for producing Voice of America, Radio Free Asia and Radio Free Europe, the Broadcasting Board of Governors has been one of the largest sponsors of The Tor Project in the years since 2006. In conjunction with donations from the Department of Defense and the National Science Foundation, the federal government currently accounts for well over half of the Tor Project's overall funding.
This close relationship between Tor and the government has given EPIC cause for concern. “Some government agencies, like the Broadcasting Board of Governors, have a strong pro-privacy agenda,” explained EPIC’s Open Government Coordinator Julia Horwitz. “We just wanted to see if the Broadcasting Board of Governors was being undermined by…[other forces within the government like] the NSA or FBI.”
Earlier this month, it was revealed that the National Security Agency had managed to circumvent much of the encryption software employed throughout the Internet by covertly installing backdoors to monitor data in networks users previously thought to be secure. It’s possible that, using its leverage as the project's primary funding source, government spy agencies could have installed similar backdoors into a program that's quickly becoming the Internet's go-to standard for supposedly secure and anonymous communication.
To that end, EPIC filed a Freedom of Information Act request in May asking for the Broadcasting Board of Governors to disclose all written agreements and contracts regarding Tor as well as tech specifications for government-operated computers through which Tor data is routed.
In a lawsuit filed earlier this month, EPIC alleges that the Broadcasting Board of Governors has "failed to comply with its statutory deadline [to produce the documents] and has failed to disclose a single record."
Broadcasting Board of Governors spokesperson Letitia King countered that the agency is “confident that we have complied with the requirements of FOIA and our regulations concerning any FOIA request that we may have received from EPIC.”
For its part, Tor insists its system is secure. The FAQ section of Tor’s website asserts, "there is absolutely no backdoor in Tor. Nobody has asked us to put one in," adding that the organization would fight any attempt to do so in court.
Tor Executive Director Andrew Lewman said in an interview with the Washington Post's The Switch blog that, because Tor is open-source, anyone can dig into its code and search for backdoors themselves. However, there’s still the possibility that some agency could have inserted an exploit that's thus far flown under the radar.
However, even without a custom-built backdoor, some cyber-security experts have cast doubt on Tor users' ability to stay completely anonymous. Ars Technica reports that penetration testing firm Errata Security recently theorized that the NSA could likely break most of the encryption keys employed by Tor. Additionally, the FBI recently admitted to taking control of the servers on which a massive malware attack against the Tor network aimed at identifying users was launched.
“We’re not interested in going after Tor,” explained Horwitz. “We’re generally supportive of Tor and all encryption technologies. We are interested in the government’s undermining of cryptographic standards.”
The government has until early November to respond to EPIC’s lawsuit.
UPDATE: In an email, Tor Project Executive Director Andrew Lewman added, "In general, we're also interested to see what documents result from a FOIA query."
Photo by Porsche Brosseau/Flickr