June 24, 2006

Tor: Freedom for whom?

Author: David 'cdlu' Graham

Tor is a system designed to anonymise Internet connections for users concerned about their privacy. It's free, it's simple, it's effective -- and it facilitates troublemaking.

Proponents of Tor recommend reading renowned security expert Bruce Schneier's article on the value of privacy. Schneier makes a compelling argument in favour of the value of privacy. But use of Tor isn't just about privacy.

There are, fundamentally, two forms of freedom. There is the freedom "to," and the freedom "from." There is also the balance of freedoms: how one person's freedoms affect another's. Services like Tor address both the freedom "to" and the freedom "from," but deprive others of both freedom "to" and freedom "from."

Tor works by routing a user's Internet connection through a long and wholly undocumented and unlogged list of participating hosts. Theoretically, it is impossible to trace a connection back to its origin through this system. With the lack of logging, the only practical way is to monitor participating hosts and try and figure out who is doing what. The result is that anyone who uses Tor is anonymous to anyone whose services he is using. This provides the Tor user the freedom to privacy, and complete freedom from being identified.

This also takes away service providers' freedom to monitor access, and the freedom from abuse.

Bruce Schneier's argument, as twisted by Tor users, would appear to be that it is not a provider's right to know who is using its services. Tor users worry that providers are in a position of power, and power corrupts. The logic employed -- that if a provider knows who is using its services it will use that information for nefarious purposes -- is no more sensible than assuming that someone who is using a privacy service like Tor is necessarily doing so to facilitate trouble-making.

My fundamental problem with Tor is connected to my experience as an IRC operator. On IRC networks, Tor prevents freedom from abuse. If a hundred people use Tor, and one of them abuses his privileges on a provider's network, the only alternative for a provider (other than allowing the abuse to continue) is to block all 100 users, because there is no way to differentiate among them. Because blocking large groups of users often is not a practical solution, that one problematic user can continue being a problem without any limitations.

Privacy vs. freedom

Schneier states that the debate is wrongfully categorised as a debate between privacy and security. I agree -- it is not privacy versus security, it is privacy versus freedom. When one person's privacy restricts someone else's freedom, we have a problem.

In the real world, every country has a legal system with a set of rules by which everyone must live. If someone breaks one of those rules, a police force and judicial system exists to prevent them from continuing to do so. In some cases, the rules are unjust, but generally, rules are designed to protect the freedoms of others. Take the police force and judicial system out of the equation, and you end up with anarchy.

That's what Tor brings to the Internet. If everyone on the Internet used Tor, and no one could figure out where anyone was coming from anymore, the Internet would be a complete anarchy, even though most people would still attempt to continue their normal, honest behavior.

While IP-address-based restrictions may not be an ideal solution for managing services on the Internet, it is the best currently available. Tor in effect removes this system from the Internet.

Prior to Tor, similar problems existed through open proxies and hacked accounts, but these can be blocked, because there is no such thing as a legitimate user coming through these means.

Please understand, I'm not against the concept of privacy. What I am against is the concept of total anonymity. I would not object to Tor, or any other anonymising service, if it provided a way of uniquely identifying users. I don't care if connections can be traced back to actual end users, just that they can be managed separately. But making end users identifiable is contrary to the stated objectives of Tor.

Are there practical solutions? Yes. The simplest solution would be to require registration of Tor users, and have service providers implement a system to check users' registration status. Though it wouldn't eliminate problems, it could reduce them and make them more manageable. Unfortunately, it would remove the very anonymity Tor seeks to create.

Is there a way to balance the privacy of users with the propensity for bad apples to destroy the crop? If so, what is it?


  • Programming
Click Here!