http://www.technologyreview.com/printer_friendly_article.aspx?id=22427&channel=computing§ion= May/June 2009 Dissent Made Safer How anonymity technology could save free speech on the Internet. By David Talbot "Sokwanele" means "enough is enough" in a certain Bantu dialect. It is also the name of a Zimbabwean pro-democracy website whose bloggers last year published accounts of atrocities by Robert Mugabe's regime and posted Election Day updates describing voter intimidation and apparent ballot stuffing. You can visit Sokwanele's "terror album" and see photographs: of a hospitalized 70-year-old woman who'd been beaten and thrown on her cooking fire (she later died, the site says); of firebombed homes; of people with deep wounds carved into their backs. You can find detailed, frequently updated maps describing regional violence and other incidents. You will be confronted with gruesome news, starkly captioned: "Joshua Bakacheza's Body Found." Because this horrific content is so readily available, it is easy to overlook the courage it took to produce it. The anonymous photographers and polling-station bloggers who uploaded the Sokwanele material remain very much in danger. In a place like Zimbabwe, where saying the wrong thing can get you killed or thrown in prison on treason charges, you take precautions: you're careful about whom you talk to; you're discreet when you enter a clinic to take pictures. And when you get to the point of putting your information on the Internet, you need protection from the possibility that your computer's digital address will be traced back to you. Maybe, at that point, you use Tor. Tor is an open-source Internet anonymity system--one of several systems that encrypt data or hide the accompanying Internet address, and route the data to its final destination through intermediate computers called proxies. This combination of routing and encryption can mask a computer's actual location and circumvent government filters; to prying eyes, the Internet traffic seems to be coming from the proxies. At a time when global Internet access and social-networking technologies are surging, such tools are increasingly important to bloggers and other Web users living under repressive regimes. Without them, people in these countries might be unable to speak or read freely online (see "Beating Surveillance and Censorship"). Video Unlike most anonymity and circumvention technologies, Tor uses multiple proxies and encryption steps, providing extra security that is especially prized in areas where the risks are greatest. Paradoxically, that means it's impossible to confirm whether it's being used by the Zimbabwean bloggers. "Anyone who really needs Tor to speak anonymously isn't going to tell you they use Tor to speak anonymously," says Ethan Zuckerman, cofounder of Global Voices, an online platform and advocacy organization for bloggers around the world. "You can't tell if it's happening, and anyone who is actively evading something isn't going to talk about it." That said, the -Sokwanele journalists "are extremely sophisticated and use a variety of encryption techniques to protect their identity," he says. Anonymity aside, Internet users in dozens of countries--whether or not they are activist bloggers--often need to evade censorship by governments that block individual sites and even pages containing keywords relating to forbidden subjects. In 2006, the OpenNet Initiative--a research project based at Harvard and the Universities of Toronto, Oxford, and Cambridge that examines Internet censorship and surveillance--discovered some form of filtering in 25 of 46 nations tested, including China, Saudi Arabia, Iran, and Vietnam. In a new and still-evolving study, OpenNet found that more than 36 countries are filtering one or more kinds of speech to varying degrees: political content, religious sites, pornography, even (in some Islamic nations) gambling sites. "Definitely, there is a growing norm around Internet content filtering," says Ronald Deibert, a University of Toronto political scientist who cofounded OpenNet. "It is a practice growing in scope, scale, and sophistication worldwide." Tor can solve both problems; the same proxies that provide anonymous cover for people posting content also become portals for banned websites. When it officially launched five years ago, the Tor network consisted of 30 proxies on two continents; now it has 1,500 on five continents, and hundreds of thousands of active users. And its developers are trying to expand its reach, both abroad and in the United States, because digital barriers and privacy threats affect even the free world. In the United States, for example, libraries and employers often block content, and people's Web habits can be--and are--recorded for marketing purposes by Internet service providers (ISPs) and by the sites themselves. "The Internet is being carved up and filtered and surveilled," says Deibert. "The environment is being degraded. So it's up to citizens to build technologies to [counter these trends]. And that is where I see tools like Tor coming into play. It preserves the Internet as a forum for free information." Neutral Nodes The product of a small nonprofit organization with eight paid developers and a few dozen volunteer security professionals around the world, Tor takes advantage of the fact that Internet traffic consists of two-part packets. The first part contains data--pieces of a Web page you are viewing, or of the photo file or e-mail you are sending. The other consists of the Internet protocol (IP) address of the sending and receiving computer (plus other data, such as the size of the file). Tor uses the latter portion--the addressing information--to build a circuit of encrypted connections through relays on the network (see "Dodging Spies, Data Miners, and Censors" next page). The requisite relays (which collectively serve as proxies) are operated on a volunteer basis at universities such as Boston University and a few corporations, and by computer-security professionals and free-speech advocates around the world. (Many Tor users also use existing technologies, such as HTTPS--a protocol for encrypting and decrypting a user's page requests and the pages that are returned--to protect the content they are sending and receiving.) Tor, like the Internet itself, emerged from military research--in this case at the U.S. Naval Research Laboratory in Washington, which built a prototype in the mid-1990s. The military interest was clear: without a way to make Internet traffic anonymous, an agent's cover could be compromised the minute he or she visited .mil domains using the Internet connection of, say, a hotel. Even if the data were encrypted, anyone watching traffic over the hotel network could quickly figure out that the guest might be associated with the U.S. military. And the problem is hardly limited to hotel networks; IP addresses can be linked to physical locations by a variety of means (ISPs correlate such data with phone numbers, data miners can piece together clues from Internet traffic, and someone outside your house can confirm that you are the source of specific kinds of Internet traffic by "sniffing" data traveling over Wi-Fi). As a Tor presentation puts it, chillingly, what might an insurgent group pay to get a list of Baghdad IP addresses that get e-mail from a .gov or .mil account? The navy project never emerged from the lab, but it attracted the interest of Roger Dingledine, a cryptographer concerned about a different aspect of Internet privacy: the way ISPs and websites amass databases on people's browsing and search history. In 2000, at a conference where he was presenting his MIT master's thesis on anonymous distributed data storage, he met a Naval Research Lab mathematician, Paul -Syverson. The two men saw that tools for protecting military agents and tools for protecting Web surfers' privacy could be one and the same, and together they revived the project with funding from the Defense Advanced Research Projects Agency (DARPA) and the navy. The first public version of Tor, which came out in 2003, was available for anyone who cared to install it. But it worked only on open-source operating systems, and using it required at least some technical knowledge. The Electronic Frontier Foundation, the digital civil-liberties organization, funded development of a version for Windows, and soon a wider variety of users emerged. "Originally one ofocks many websites--including Facebook, YouTube, and Skype--from all Web users in the nation. I spoke about Syrian censorship with another blogger, Anas Qtiesh; he sat in an Internet cafi in Damascus as I messaged him from my living room. Qtiesh isn't worried that he'll be tracked down, because he tends to blog about pan-Arab politics, not about criticisms of the regime. But he wants access to more of the Internet than the government permits, so the Firefox browser on his laptop sports the Torbutton. Click the button, and presto--the same Internet that everyone in America sees. To access blocked sites, his computer negotiates a series of proxies, eventually connecting to an IP address somewhere else in the world. This intermediary fetches the blocked material. "Tor brings back the Internet," he wrote. Qtiesh has plenty of company: Tor was always of interest abroad, but word of mouth and the introduction of the easy-to-use Torbutton have helped accelerate its global spread. Zuckerman has been actively promoting Tor through his Global Voices network. So have other advocates of online free speech in Asia, China, and Africa. And these efforts have been working. Wendy Seltzer, who teaches Internet law at American University and founded Chilling Effects, a project to combat legal threats against Internet users, saw that firsthand when she traveled to Guangzhou, China, for a blogger conference last year. China is generally acknowledged as the most sophisticated Internet filterer in the world; it employs a variety of techniques, including blocking IP addresses, domain names (the text name of a website, such as www.google.com), and even Web pages containing certain keywords (Falun Gong, for example). According to one report, Chinese security forces have arrested several hundred Internet users and bloggers in the past 10 years. Seltzer says that many bloggers she met in Guangzhou were using Tor. And when she went to an Internet cafi there, she reports, the computers were automatically configured to run the software. In China, Tor is one weapon in wo years ago, Turkey piled on, with particular zeal for stamping out criticism of the nation's founding father, Kemal Atat|rk. Tor is preparing for the fight against relay blocking by creating a system of "bridge nodes"--a constantly changing list of IP addresses through which people can reach the main network of relays. A user can simply send an e-mail asking for a bridge address. Of course, an Iranian censor could also request and block such addresses, but the idea is to defeat such efforts by generating ever more bridges, donated by a wide range of Internet users. And Jonathan Zittrain, a Berkman cofounder and Harvard Law School professor, envisions going even further. "The next big moment that the Tor people haven't implemented--something in the background, something that would be huge--would be if your use of Tor, by default, makes you a Tor node yourself," he says. "At that point, it totally scales. The more people use it, the more people can use it." As part of a three-year effort to improve the software and expand its use, Tor's staff and volunteers will step up appeals for Tor users to let their computers serve as bridges to individual users elsewhere. But taking the next step--becoming a relay, or node, potentially available to any Tor traffic--would massively increase the traffic flowing through a user's computer. If users became nodes by default, it could defeat the purpose of using Tor to remain low key: once a user wandered into a cybercafi to blog anonymously, that terminal would soon stand out as a hub of Internet traffic. What's more, such a system "sets off an arms race with all the network providers and network administrators," says Andrew -Lewman, Tor's executive director. "It increases traffic, and we become something they might block, because that's their job." Tor would ultimately like to find safe ways to enlist distributed help, but for now, developers are pursuing intermediate goals, such as limiting bulk data transfers and improving the flow among existing Tor relays. One criticism leveled against Tor is that ior good purposes but for bad--protecting distributors of child pornography, for example. Dingledine's response is that Tor's protections help law enforcement catch criminals, too, while criminals may find it more effective to use neighbors' or public Wi-Fi links, or hacked computers, to mask their identities. Another concern is that circumvention tools--especially those that only use a single proxy, which holds information about who is talking to whom--can create privacy and security worries of their own. Earlier this year, Hal Roberts discovered that certain tools used widely in China--DynaWeb Freegate, GPass, and FirePhoenix--appeared to be offering to sell users' browsing histories. While there's no evidence that any individual's privacy was compromised, the point was made: in many cases, using anonymity or circumvention systems still means trusting an organization with your information--and trusting that its privacy policies can and will be honored. (With Tor, it's a bit different; since no single relay ever holds the information about the complete route, you must trust the integrity of algorithms that obscure connections between origins and destinations.) "I don't doubt the dedication of the people hosting these tools, but what I'm concerned about is whether they will protect your data," Roberts says. "The biggest takeaway is: they have that data." Dingledine thinks events will push people to seek the protections that Tor and other tools provide. In 2006, for example, AOL gave away millions of users' search terms for research purposes. Although the searchers were identified only by random numbers, bloggers and reporters were quickly able to identify individual users from clues based on the search terms. (Since Tor uses a different router pathway for each user each time, it's impossible to amass such aggregate data about even an anonymously identified Tor user.) Dingledine reasons that each time a national censor blocks news sites and YouTube, or an ISP or website loses or sells or gives away user data, people will seek solutions. "The approach we've taken so far is to let the bad guys teach people about it," he says. "Let the AOLs and the China firewalls screw up. Let everybody read about why they want privacy on the Internet." More and more people might just decide that enough is enough. David Talbot is Technology Review's chief correspondent.