Gmail security is a problem for Tor users


This is not a dig at Google, but it is a problem.

It turns out Tor and Google aren’t always a great mix.

While working Monday morning, Gmail suddenly logged me out. After trying to get back in, I was told that my exit had been because of ‘unusual activity’ with my account.

This happens when Google automatically detects your IP address coming from geographically distinct areas in quick succession: a symptom of someone accessing your account without your permission elsewhere in the world. Or perhaps it happens because you’re using the popular anonymity tool Tor, which reroutes your traffic to make it appear as though you’re logging in from somewhere you’re not.

At the time, I was using Tor.

Runa Sandvik, technical advisor to Freedom of the Press Foundation and former Tor developer, weighed in, saying that she has used the network and Gmail together for years, with no problems.

Although I haven’t used Tor as much as Sandvik, I am a heavy user, running it both in order to work, and for personal privacy reasons. Appearing as if I was logging in from the U.K., followed by Russia and then the U.S., for example, is hardly new activity for my Gmail account.

It’s important to point out that Google didn’t lock my account explicitly for my use of Tor. Rather, the email service’s security system “thought” my account was being fiddled with by a third party, while I’m (pretty) sure it wasn’t. 
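The kind of check described above, sketched as an added example (it is not from the original article and is not Google's actual system): it flags consecutive logins whose implied travel speed is physically implausible, and shows how a service that also consults a list of known anonymity-network exit addresses could label the anomaly differently from a suspected hijack. The speed threshold, the `tor_exits` parameter, the verdict names and the sample logins are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass
class Login:
    when: datetime
    ip: str
    lat: float  # geolocated latitude of the source IP
    lon: float  # geolocated longitude of the source IP

def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def classify(logins, tor_exits=frozenset()):
    """Label each consecutive pair: 'ok', 'anonymizer' or 'impossible_travel'."""
    events = sorted(logins, key=lambda l: l.when)
    verdicts = []
    for prev, cur in zip(events, events[1:]):
        hours = (cur.when - prev.when).total_seconds() / 3600
        km = haversine_km(prev, cur)
        # Zero elapsed time with non-zero distance counts as infinite speed.
        speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if speed <= MAX_KMH:
            verdicts.append("ok")
        elif prev.ip in tor_exits or cur.ip in tor_exits:
            verdicts.append("anonymizer")  # anomalous, but has a benign explanation
        else:
            verdicts.append("impossible_travel")
    return verdicts

# Constructed sample (documentation IP ranges, made-up date):
# London, then Moscow ten minutes later, then New York ten minutes after that.
SAMPLE = [
    Login(datetime(2020, 1, 6, 9, 0), "192.0.2.10", 51.5, -0.13),
    Login(datetime(2020, 1, 6, 9, 10), "198.51.100.20", 55.75, 37.62),
    Login(datetime(2020, 1, 6, 9, 20), "203.0.113.30", 40.71, -74.0),
]

if __name__ == "__main__":
    print(classify(SAMPLE))                                 # no exit list
    print(classify(SAMPLE, tor_exits={"198.51.100.20"}))    # with exit list
```

Without an exit list, every hop in the sample looks like a hijack, which is the ambiguity the article runs into.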

That alone would be a mere nuisance—not a problem worth mentioning. It’s what I had to do to regain access to my email that is a cause for concern: I had to register a telephone number to receive a verification code, which I then punched into my browser, unlocking my account.

Luckily, I do not live under an oppressive regime. But having to use a telephone to get back into an account could be worrisome for, say, a journalist or political dissident in a hostile country, especially one that utilizes interception technology, such as Syria or Iran. (Admittedly, if you are trying to remain undetected, you could send the code to a burner phone—but that requires quite a few more levels of forethought.)

Gmail is far from the only online service that fails to play nice with Tor. A recent blog post from the Tor Project lamented that many people have problems with popular websites when using the network. After mentioning that pressure from policy makers or Internet service providers can make it difficult for Tor to expand, the blog states: “We missed a third threat to Tor’s success: a growing number of websites treat users from anonymity services differently.” For example, “Slashdot doesn’t let you post comments over Tor, Wikipedia won’t let you edit over Tor, and Google sometimes gives you a captcha when you try to search.”

You could possibly add ‘Google locking the email accounts of people accessing their services over Tor.’ 

Google has not yet responded to our questions about the situation.

This is not a dig at Google. The company has been a sponsor of the Tor Project since 2007, according to a list maintained by the organization. But it does highlight that more work needs to be done to allow people to use Tor, while also accessing more mainstream services.  


Photo via Ben Coombs/Flickr (CC BY SA 2.0) | Remix by Jason Reed

Joseph Cox


Joseph Cox reports on cybercrime and hacking for Vice's Motherboard site. He also maintains Spy Tech Exports on Medium, a repository for documents and data pertaining to surveillance technology. His work has also appeared on HuffPost, the MIT Technology Review, the Daily Beast, and Virus Bulletin.