Practical Vulnerabilities of the Tor Anonymity Network

Onion routing is a technology designed at the U.S. Naval Research Laboratory to protect the security and privacy of network communications. In particular, Tor, the current widely-used onion routing system, was originally designed to protect intelligence gathering from open sources and to otherwise protect military communications over insecure or public networks, but it is also used by human rights workers, law enforcement officers, abuse victims, ordinary citizens, corporations, journalists, and others. In this article our focus is less on what Tor currently does for its various users and more on what it does not do. Use of Tor for law enforcement and the national security applications that motivated it faces more significant adversaries than most other uses. We discuss some of the types of threats against which Tor currently offers only limited protection and the impacts of these on all classes of users, but especially on those most likely to confront them. We have designed and built the Tor anonymity network [3] to secure cyberspace and empower cybercitizens. It is thus squarely in the middle of this volume’s concerns. But in law enforcement, the first thought that often comes to mind when one says “anonymity” is of a roadblock against pursuing the source of an attack or other crime. Although this is sometimes the first image that comes to mind, it is not generally the first encounter law enforcers have with anonymity. Typically law enforcers themselves have begun using anonymity long before they observe any criminal activity, and they may even use it to prevent a crime from occurring at all. As a simple mundane example of anonymity technology used by law enforcers, consider unmarked vehicles. These are used precisely to avoid obvious distinguishability from other cars around them. This might be to avoid alerting a criminal to the presence or location of law enforcement, or to help protect someone being discretely transported, or for various other reasons. Anonymity is an essential part of law enforcement. Note that unmarked cars are effective, not just because unmarked law-enforcement vehicles are not immediately identifiable as law-enforcement vehicles, but also because most vehicles used by others are similarly anonymous. You can’t be anonymous by yourself, and the