Today's Opinions, Tomorrow's Reality 

New Era of Openness

By David G. Young

Washington, DC, August 6, 2013 --  

A cyberattack against the Tor privacy system highlights America's betrayal of internet freedom.

The green onion sticker photographed on the back of Edward Snowden's laptop1 is a great advertisement for an internet privacy system called Tor. The system provides an easy way to anonymously browse the internet free from the prying eyes of government agents. Or at least it did before U.S. agents reportedly attacked and compromised one of its key components last week.

On Thursday, the operator of Ireland-based Freedom Hosting was arrested under an extradition request to the United States.2 Freedom Hosting operates servers that run "hidden services" -- websites designed for anonymous access through the privacy-protecting Tor network. Hidden services on Freedom Hosting are widely believed to include child pornography sites -- the reason for the FBI arrest warrant against operator Eric Marques -- but Freedom Hosting is also known to serve legitimate sites like TorMail that provides anonymous email services to dissidents.

Shortly after the arrest, websites run on Freedom Hosting were replaced by a maintenance page built to attack the TorBrowser, a modified version of the Firefox web browser. The page used a previously unknown security hole in Firefox to execute malicious code on visitors' machines, transmitting the machines' unique IP and mac addresses to a server in the United States, which security researches believe is controlled by the FBI.3

If this were just about child pornographers, there wouldn't be a problem. But the attack also struck users of TorMail, a legitimate email service that allows people in repressive countries to communicate freely without fear of government eavesdropping and arrest. The TorMail users' identities -- or at least their actual computer addresses -- are now known to American agents. And because the addresses were transmitted to U.S. servers outside the Tor network, it is quite possible that foreign governments have logged the TorMail users' addresses as well. This could leave dissidents in places like China, Russia and the Middle East at risk of arrest, imprisonment or worse.

This is a huge turnaround for the United States. Just three and a half years ago, Secretary of State Hillary Clinton gave a policy speech on internet freedom, denouncing China's hacking of Google websites to obtain dissidents' email records. She then pledged to fund "new tools that enable citizens to exercise their rights of free expression [and circumvent] politically motivated censorship."4 After a slow start, the State Department in 2010 awarded $1.5 million to developers of FreeGate and UltraSurf, programs similar but less effective than Tor, allowing Chinese web users to circumvent their country's "Great Firewall."5

The Tor system itself also has received U.S. government funding, starting as a research project funded by the Naval Research Laboratory, and later by internet freedom groups including the Electronic Frontier Foundation, Human Rights Watch, and the National Science Foundation.6

Instead of funding privacy tools to protect dissidents against agents of government oppression, the Obama administration is now engaging in cyberattacks that expose dissidents. It now seems that the president's first day pledge of "a new era of openness"7 was really about opening up dissidents to government snooping.

If there is any good news it is that the exposure of dissident users of TorMail may have limited effectiveness. The U.S. attack reportedly worked only against Windows computers with a slightly outdated TorBrowser and with JavaScript enabled, and whose users continued to use the same TorBrowser after disconnecting from the Tor network. This all means the number of compromised users is probably small. And even though the identities of the TorMail users would be known to U.S. agents and any foreign agents who intercepted the transmission to American servers, the content of TorMail messages has not been compromised.

However limited the damage, the behavior of the American government remains inexcusable. It will no longer be able to profess the moral high ground when it comes to hacking and protection of internet freedoms. And with the National Securirty Agency continuing to eavesdrop on citizens' internet usage through its Prism program, this incident only reinforces the reasons for using systems like Tor. The big question is, can these systems be trusted? While the security hole was fixed in the latest TorBrowser even before the breach, nobody knows how many other vulnerabilities government agents have in their arsenals.

Related Web Columns:

Liberty Isn't Privacy,June 25, 2013

Mr. Hu, Tear Down This Firewall, January 26, 2010

Good Corp, Bad Cop?, December 25, 2007

Trolling Though Your Life
The Betrayal of Telecom Customers
, May 16, 2006


1. The Guardian, Edward Snowden, NSA Files Source: 'If They Want to Get You, In Time They Will', June 9, 2013

2. Wired, Feds Are Suspects in New Malware That Attacks Tor Anonymity, August 5, 2013

3. ibid

4. U.S. State Department, Remarks on Internet Freedom, January 21, 2010

5. Washington Post, U.S. Risks China's Ire With Decision to Fund Software Maker Tied to Falun Gong, May 12, 2010

6. Tor Project, Sponsors, as posted August 5, 2013

7. BBC News, Obama Pledges 'Era of Openness', January 21, 2009