Although it’s hardly a new technology, recent cyber-skirmishes and demands for better privacy online have put the anonymizing network the Tor Project in the spotlight, including a story earlier this month in The New York Times Magazine, a harbinger perhaps of mainstream adoption. Tor has been around for almost a decade, originally developed by the U.S. Naval Research Laboratory and now used by activists, dissidents, journalists, and well, anyone in order to protect the privacy of online activities.
According to the Tor Project’s metrics, the network has had between 100,000 and 300,000 users per day over the course of the past few months.
How Tor Works
Tor protects its users from surveillance known as “traffic analysis.” Even if you encrypt your data, as the Tor website notes, traffic analysis can still reveal “a great deal about what you’re doing and, possible, what you’re saying” as it focuses on the header used for routing – something that discloses the source, the destination, the date and time, and the size of what’s being send.
Tor obscures this traffic data. It works to anonymize your identity and activity by distributing your transactions over several places on the Internet, so that no single point can be linked to you or your destination – “a deliberately byzantine system of virtual tunnels that conceal the origins and destinations of data, and thus the identity of clients,” as The New York Times describes it. In other words, rather than taking a direct route from the source to destination, data on the Tor network takes a random pathway through several relays, so that no one can tell where the data came from, where it’s headed, or the complete path of the data. Each “hop” along the way is encrypted separately as well.
Tor doesn’t solve all privacy problems online. (It doesn’t try to.) It doesn’t anonymize your visits to websites, prevent cookies or other tracking mechanisms, for example. But it does protect the traffic of your data along the way.
Flaws in the System?
According to a report this week in Wired, researchers at the University of Regensburg have found some vulnerabilities in the Tor network. “The attack doesn’t quite make a surfer’s activity an open book,” writes Wired’s John Borland, “but offers the ability for someone on the same local network – a Wi-Fi network provider, or an ISP working at law enforcement (or a regime’s) request, for example – to gain a potentially good idea of sites an anonymous surfer is viewing.”
According to the research, someone could run the Tor network, monitor how certain sites appeared when accessed through Tor, and develop a database of this sort of “fingerprint.” Using pattern recognition software, it’s possible to glean a match (with about 55% certainty) between a source and destination.
The article does add that there are some ways to help mitigate against this and muddy any results: requesting multiple sites at once, for example, would complicate the analysis. And with increasing attention to privacy issues – from the prying eyes of advertisers and governments alike – it’s unlikely that this research will discourage people from using the Tor Network.