
How the NSA identifies Tor users in 6 easy steps

Here's a step-by-step breakdown of how the NSA attacks and attempts to identify users of the anonymous online network Tor.


Joe Kloc


Posted on Oct 8, 2013   Updated on Jun 1, 2021, 4:42 am CDT

In a recent article in the Guardian, security expert Bruce Schneier reported that the U.S. National Security Agency attacks users of the online anonymity network, Tor. Schneier’s article, based on the leaked documents of former intelligence contractor Edward Snowden, comes only days after the creator of Silk Road, a black market for anonymous online drug sales on Tor, was identified and arrested by the FBI.

Here is a breakdown of how the NSA leverages its massive spy operations—which include brokering deals with major telecoms and tapping directly into the backbone of the Internet—in order to identify Tor users:

1. Scan Internet traffic. The NSA uses programs like Stormbrew, Fairview, Oakstar, and Blarney. These programs were all categorized as “upstream” data collection programs on previous slides released by Snowden. Through them, the agency brokers deals with major telecoms and taps into the fibre-optic backbone of the Internet.

2. Mark Tor requests. As the NSA monitors the world’s Internet traffic, it creates what Schneier refers to as “fingerprints” of requests from Tor users to various servers. It stores these requests in searchable databases like XKeyscore, through which the NSA monitors emails, browsing histories, and Facebook chats, the latter in real time.

3. Sift out marked traffic. The NSA uses automatic sifting programs to separate marked Tor users from the pool of all Internet traffic. As Schneier wrote, “The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other web users.”

4. Send users to NSA servers. The NSA brokered deals with major telecom companies in order to redirect Tor users to a system of secret servers dubbed FoxAcid. Through these deals, the agency places what it calls Quantum servers at key points along the fibre-optic infrastructure of the Internet. These servers pretend to be the legitimate server that the Tor user is trying to access. They then redirect the users to the FoxAcid system.

5. Attack users’ computers. Through the NSA-controlled FoxAcid system, the agency launches attacks on Tor users. These attacks, which Schneier said exploit weaknesses in the Firefox browser, insert long-term eavesdropping applications onto the targeted computers.

6. Identify Tor users. After infiltrating a Tor user’s computer, the NSA spies on the user’s various activities, presumably collecting both metadata and content from their Internet use. From this information, they attempt to identify the user.

Despite these efforts, the NSA has apparently had little success identifying specific Tor users at will, and has been unable to peel back the veil of anonymity that protects the network as a whole.

“We will never be able to de-anonymize all Tor users all the time. With manual analysis we can de-anonymize a very small fraction of Tor users,” reads one slide from a leaked NSA presentation on anti-Tor initiatives. 

The agency has had “no success de-anonymizing a user in response” to a specific request.

 Photo by Ashtyn Renee/Flickr

*First Published: Oct 8, 2013, 5:19 pm CDT