New privacy tool tolls the birth of cypherspace
Email: JonBoston (nospam) gmail.com
23 Apr 2005
Information is power. Pervasive access to the internet in libraries, schools, homes, and cafés has put a great deal of power into the hands of the people. Governments are just beginning to react to this and are reacting much as they did to the invention of the printing press, with a heavy and intrusive hand. In recent cases the government has shown a pattern of intimidating those who would provide access to this new high-tech soap box. A new anonymity program, TOR, provides some help for both users and service providers.
Privacy and the Birth of Cypherspace -- (or why I love TOR)
Some recent cases:
* Sherman Austin, young west coast anarcho-activist given 1 year in federal prison and 3 years of extremely restrictive probation for third party content on his web server over which he exercised no editorial control.
* FBI seizes IndyMedia servers in the UK; it's still not clear (to me at least) what they were looking for or how the FBI has any jurisdiction in the UK. [Editor's note: it was never confirmed that this was carried out by the FBI, only that it was a US agency]
* FBI digs for IP addresses at flag.blackened.net
What's it to you?
First, what is an IP address and why should you care about yours? IP addresses identify where computers can be found online, and can easily be used to find the computer's physical location. In the internet as commonly understood, both parties in a conversation need to know the other's IP address so they know where to send requests or responses.
Servers typically log the IP addresses of people who connect and what information they have requested. Someone with access to a server's log files can see who has read what pages or uploaded submissions, when they did it, and where they came from.
What does this mean to you? That's difficult to say at this point, and largely dependent on who you are and what you do. Clearly running servers that disseminate dissident opinion is a bit risky. I haven't seen much information on what's been done with the information taken from these servers, except in the Sherman Austin case, in which the person who was responsible for the allegedly illegal content was known and nothing was done. Perhaps the government's strategy is to strangle the information outlets rather than the authors. That way there are fewer necks to squeeze.
IndyMedia has a policy against recording IP addresses in log files, so your identity is safe, right? Not quite. Lack of logging doesn't really matter as much as one might hope. Agencies with coercive force, legal or otherwise, can see where you're browsing from by looking at your internet service provider (ISP), the website's ISP or possibly from breaking into the webserver and covertly monitoring traffic. This means that sites that don't log IPs do prevent retroactive searches, but do nothing to avoid covert real-time monitoring.
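To make the logging point concrete, here is an added example (not part of the original article) that runs a retroactive search over a web server log, first with client addresses recorded and then with the address field scrubbed as a no-IP policy would leave it. The log lines are constructed, the addresses come from documentation ranges, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in Apache Combined Log Format; addresses are from the
# documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Apr/2005:10:01:02 -0400] "GET /news/1234.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2005:10:02:40 -0400] "GET /feature/callout HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Apr/2005:10:05:13 -0400] "POST /publish.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)

def history_by_client(log_text):
    """What a retroactive search recovers: address -> [(time, method, path)]."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            history[m["ip"]].append((m["ts"], m["method"], m["path"]))
    return dict(history)

def scrub(log_text):
    """Rewrite the log without client addresses.

    Lines that do not parse are dropped rather than passed through, so an
    unexpected format can never leak an address into the scrubbed log.
    """
    kept = []
    for line in log_text.splitlines():
        if LINE_RE.match(line):
            kept.append(re.sub(r"^\S+", "-", line, count=1))
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print("with addresses:", history_by_client(SAMPLE_LOG))
    print("scrubbed:      ", history_by_client(scrub(SAMPLE_LOG)))
```

With addresses logged, the reader of `/news/1234.php` is tied to the later `POST /publish.php`; after scrubbing, every request falls under the single key `-`. Scrubbing changes only what is stored, which is the article's point about real-time monitoring.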
What about websites that track your web browsing patterns through the ads on pages all over the web? Each of those ads calls home every time it's loaded, telling what page the ad was on and the IP address of the computer requesting that page -- your computer. Those with the slightest inclination toward conspiracy can imagine many more sinister possibilities than targeted marketing.
Enter Cypherspace...and TOR
Cypherspace is a term I use to describe the growing current of cryptographic communication systems being developed in response to these security concerns. A search of the web shows a dizzying array of products and services that attempt to shield web surfers from prying eyes.
Regardless of your views on the politics of free software, it's vitally important from security and anonymity perspectives that the source code for the program be available for review. Even if you can't read the code there are a lot of people out there who can. Trust me, geeks are a paranoid lot.
If there's a back door or secret logging it will be found. If you get a commercial product which doesn't come with source code, it's much harder to detect this type of trap.
I've found that TOR provides one of the best solutions for online privacy. The basic idea is that your web requests are encrypted and bounced through a number of computers all over the world before going to their final destinations. The encryption keeps any of these computers from being able to read your data. The random bouncing prevents anyone from using traffic analysis to find out where you are coming from. More details are available on the TOR web site.
The idea of having intermediaries (proxy servers) between users and sites they want to look at is nothing new. There are caching proxies, used to speed web requests, content filtering proxies, used to remove ads or block other "objectionable" material, and other anonymizing proxies as well.
Anonymizer is one such anonymizing proxy service. The weakness with this system is that you need to trust a single entity and you can't verify that they're not secretly logging your actions. TOR on the other hand only requires one of the systems your request goes through to be "honest". Even if the others are trying to see who you are or what you're doing they can't.
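The layering idea can be shown in a few lines. This is an added example, not code from the article or from the TOR project: it uses a toy hash-based stream cipher and pre-shared keys as stand-ins for the real cryptography, and the relay names and destination are hypothetical. It models only what each relay can read from the message, not traffic timing.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || offset). Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Client: encrypt from the innermost layer (last relay) outwards."""
    next_hop, data = destination, payload
    for relay in reversed(path):
        layer = json.dumps({"next": next_hop, "data": data.hex()}).encode()
        data = keystream_xor(keys[relay], layer)
        next_hop = relay
    return data

def peel(key: bytes, cell: bytes):
    """Relay: remove one layer, learning only the next hop and an opaque blob."""
    layer = json.loads(keystream_xor(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def route(client, path, keys, cell):
    """Pass the cell along the path and record what each relay could observe."""
    seen, prev = {}, client
    for relay in path:
        nxt, cell = peel(keys[relay], cell)
        seen[relay] = {"from": prev, "to": nxt}
        prev = relay
    return seen, cell

# Constructed demo values: relay names, keys and destination are hypothetical.
PATH = ["relay_a", "relay_b", "relay_c"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}

def demo():
    cell = wrap(PATH, KEYS, "example.org", b"GET /index.html")
    return route("client", PATH, KEYS, cell)

if __name__ == "__main__":
    seen, delivered = demo()
    for relay, view in seen.items():
        print(relay, view)
    print("delivered:", delivered)
```

Only the first relay sees the client and only the last sees the destination; the middle relay sees neither, which is why a single proxy such as the one described above has to be trusted completely while a chain does not.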
TOR provides privacy to the extent that even your ISP can't see what web sites you're looking at, nor can the site you're viewing see where you're coming from. Unless your browser tells them, that is! Browsers can send quite a bit of identifying information along with a request for a web page, and JavaScript can get even more. Privoxy is designed specifically to anonymize these requests and also integrates nicely with TOR.
These provide a great deal of protection for web users, but TOR goes a step further and provides the ability to run a hidden service. You can run a web server on a machine without advertising to the world where that machine is physically located.
Normally to run a public service like a web server you need to publish a name (like boston.indymedia.org) that translates to an IP address (like 18.104.22.168). Hidden services build out a chain of rendezvous points. The server and your computer negotiate a place to meet through intermediaries. Neither of you need know where the other lives, since the intermediaries do not know whether they got the information from the source or from another intermediary.
Hidden services are in their infancy. They are currently only reachable if you're running the TOR client. If you are running TOR you can visit The Hidden Wiki, which provides a place for people to publish links to their hidden services.
Sound too good to be true?
Quite a bit of TOR's goals are being met with the current release, and new and much improved versions are coming out frequently, which is encouraging, but it's not 100% there yet.
TOR is in early development and warns quite explicitly that it is experimental software and not to be used if you need "strong anonymity". This seems to mean that if a major world government decides it really wants to know which web sites you're visiting they are going to find out.
However, if you're not already on the radar screen TOR might keep you off, since any sort of "routine" internet traffic monitoring would be confounded.
Since TOR bounces your traffic all over the world, performance suffers a bit. The fact that the machines it passes through are volunteered by users of the system means that quite a few are on cable modem or DSL connections, which means an even bigger performance hit for people with very high speed connections at work or school.
How can I help TOR?
Install TOR and use it. More traffic generated by more people with more diverse reasons and interests creates more cover and better anonymity for everyone. It may not be perfect yet (so don't trust it too far), but running it provides a fair amount of anonymity and helps with the ongoing research to make it even better.
Join the mailing list. TOR, like most free software, is a volunteer based community effort and community involvement is needed for continued improvement. Even, perhaps especially, if you're not a geek, you can help find problems that need to be addressed with the user interface, configuration, or documentation.
Set up a server. If you have a home broadband connection or better and a bit of computer savvy you can increase your anonymity and increase the available anonymous bandwidth for everyone.
(need to have TOR installed for that last one to work)
This work is licensed under a Creative Commons license.
Re: New privacy tool tolls the birth of cypherspace
by Jon Pennycook
jpennycook (nospam) bcs.org.uk (unverified)
06 Nov 2005
On my website, I describe how to set up TOR for best results (and Freenet as well) - see:-