Tor Stinks re Traffic Analysis and Sybil (as do other networks)

grarpamp grarpamp at gmail.com
Fri Nov 29 12:25:38 PST 2019


https://medium.com/@virgilgr/tors-branding-pivot-is-going-to-get-someone-killed-6ee45313b559

Tor’s Branding Pivot is Going to Get Someone Killed
Aka, human rights activism meets the Cobra Effect
Virgil Griffith
Sep 4, 2016 · 7 min read

"Three weeks ago, The Tor Project, Inc. published their Tor Social
Contract. The media covered the contract but focused on the policy not
to backdoor their own software (as though that were surprising?).
Regrettably, the media missed a real story lying in plain sight... a
large portion of Tor is so drunk on self-righteousness they can’t
recognize they are wantonly increasing their users’ risks."




Three weeks ago, The Tor Project, Inc. published their Tor Social
Contract. The media covered the contract but focused on the policy not
to backdoor their own software (as though that were surprising?).
Regrettably, the media missed a real story lying in plain sight — the
first bullet:

    1. We advance human rights by creating and deploying usable
anonymity and privacy technologies.

This bullet is a continuation of Tor’s new mission statement adopted
in August 2015 which reads:

    “To advance human rights and freedoms by creating and deploying
free and open anonymity and privacy technologies, supporting their
unrestricted availability and use, and furthering their scientific and
popular understanding.”

Collectively, these two policy documents pivot The Tor Project, Inc.
from an organization that was foremost about privacy technology to an
organization that is foremost about human rights (HR) where privacy
technology is the chosen means to the end.

Naïve observers may see little difference, but this pivot has deep
ramifications. In western liberal democracies (where Tor is
overwhelmingly based, and by raw numbers, largely serves) human-rights
advocacy has better optics than privacy. But the opposite is true in
the regions that Tor aims to serve. Privacy empowers the individual.
Empowering the individual naturally dovetails with human rights, so
it’s plausible that greater human rights is a natural byproduct of
privacy advocacy. However, Tor’s pivot from “Privacy Enthusiasts” to
“Human Rights Watch for Nerds” substantially increases the risk of
imprisonment to those operating a Tor relay or using the Tor Browser
Bundle from less HR-friendly regions.

For example, in Singapore (where I live), the government absolutely
does not care for what they term “Western human rights” and views
them, at best, as a handicap in maximizing GDP, and at worst, as
cultural imperialism. But despite their dim view of human rights,
Singaporean authorities top-to-bottom are fanatical about reducing
corruption. Most importantly, Singapore’s love of anti-corruption
exceeds its apprehension about human-rights-laden privacy enhancing
technologies. Tor’s rebranding from privacy to HR activism takes
exactly the same activity — using Tor or running a Tor node — and
makes it vastly easier for an enterprising authority to stretch it to
be liable for indefinite detention without trial. Singapore’s attitude
here is representative of the cultural terrain from China to
Indonesia, which constitutes, I kid you not, about 1/3 of the world
population.

The Internet’s core protocol, TCP/IP, was created for “message
passing”, not “message passing for human rights”. Personally, if I
were branding Tor, I would brand it along the lines of,
“privacy-enhanced TCP/IP”, and then downplay any specific
applications. This is a branding even China could support.

Pigeonholing a generic technology like Tor into the human rights
category makes it immensely harder to justify using Tor as part of
generic (non-human-rights related) communications. For example, say
you’re a sysadmin at a local business wishing to further secure its
comms. You propose running a Tor node or using Tor internally. This
was just something you could do (if perhaps a bit overzealous), but if
asked, you justifiably reply that defense against corporate espionage
matters. After Tor’s pivot, you now have to justify why the company is
using software explicitly designed for banned HR activism — why is
this worth drawing the government’s ire? Using Tor is now an
additional mild liability for all non-HR users.

In profound irony, Tor’s pivot especially hurts local users who would
use Tor for human rights. Say you’re an Asian HR activist — choosing
one, would you prefer:

    1. A poignant mission statement and social contract saying Tor,
unsurprisingly, supports your noble cause.
    2. A larger local anonymity set by including non-HR users, faster
performance via local relays, and greater plausible deniability, so
that your mere use of Tor is less suspicious?

To my surprise, Tor management believes (1) is more valuable than (2).
Call me an idealist, but I believe that, for infrastructure like Tor,
the greater efficacy of (2) takes priority over the emotional
self-satisfaction of (1). Demonstrating how complete the
transformation is within Tor, arguing this is deemed VERY SUSPICIOUS.
And, I kid you not, that suspicion yields Tor management’s thumbs-up.
In terms of Tor’s sustainability, it is as the local Wushu Sifu say,
the greatest enemy is within. (No offense to Roger!)

As a born-and-bred American, I get the human-rights motivation — I
really do. But the “Human Rights Watch for Nerds” branding gives
decidedly-unfriendly-and-opportunistic-authorities full license to do
as they please with Tor operators or anyone who uses Tor (regardless
of whether their usage is HR related!). Yet a large portion of Tor is
so drunk on self-righteousness they can’t recognize they are wantonly
increasing their users’ risks. Here’s a more familiar analogy
illustrating the regional equivalent of what Tor has done. Imagine Tor
canonized a new policy document stating:

    “The Tor Project proudly advances drug-use by creating and
deploying usable anonymity and privacy technologies so people around
the world can circumvent local drug laws.”

Thereafter, anytime an authority sees anything Tor, any enterprising
officer has full authority to proceed with investigating a drug crime
whereas before ze did not. I do not know how to make this more clear.

During my undergraduate years (2002–2007), I admired Tor’s skillful
treading on the tightrope separating three groups who rarely got
along:

    the military-industrial complex among its funders
    the anarcho-capitalist cypherpunks among its early operators
    the potpourri of left-wing activists among its most dedicated users

I’m sure it was a difficult balance—but I argue this uneasy balance
was the secret sauce of Tor’s success, as Tor was perhaps the only
thing these disparate groups could agree on! Unfortunately, modern Tor
has firmly rejected the first group, rebuffed the second, and filled
the resulting vacuum with one of the worst aspects of the third —
purity politics and prioritizing virtue statements over mission
efficacy.

Tor’s branding pivot is misguided, damaging for global privacy, and
ironically, harmful to Asian human rights. Anonymity requires not just
company, it requires diverse company, yet Tor has increased the
barrier-to-entry for all local non-HR Tor users. This is something Tor
has brought upon itself, and they are knowingly throwing their most
vulnerable users under the bus.

After seven years of proud service to Tor including: founding Tor2web,
Roster, and Toroken, as well as writing a Tor Tech Report and running
several high-performance relays, I am resigning because:

    Given my residency in Southeast Asia, Tor’s pivot creates
nonnegligible risk for me personally.
    I do not trust an organization which prefers reaping modest public
relations benefits within comparably cozy jurisdictions over the
security of its neediest users taking the majority of the risk.

Tor is carefully positioning itself away from the efficacious privacy
promoter it used to be. 💔

Addendums

1. Theory for the Pivot

In discussing this post, one of my colleagues opined that, from a
management perspective, the pivot towards human rights is actually
great for fundraising in the West. With modern Tor Project placing
getting off defense-industrial funding at top priority, new funding
must come in. And if a byproduct of that new funding demands throwing
the most vulnerable users under the bus…well, that’s just the price
for those users to pay.

So, let’s take a step back. The primary reason for Tor to distance from
defense money is so it’s not perceived to be a puppet of the West. The
optics will look better to casual observers, but dropping defense
funding for building products and pivoting towards human rights grants
will, ideologically speaking, surprisingly have the opposite effect.

2. Keep using Tor? Yes please.

Togg_ remarks my argument is akin to,
Fair point!

To which I can only respond,

The claim is that Tor is recklessly endangering the most disadvantaged
users — not that you shouldn’t use Tor. If strong human rights
advocacy is kosher in your jurisdiction, Tor is your jurisdictional
privilege to preferentially enjoy; so please do enjoy it!

3. “Following The Users” vs “Serving the Neediest”

Alec Muffett articulates a level-headed, sensible argument for the
HR-pivot by asserting it’s an adaption to better serve Tor’s existing
user base. And when breaking down the user counts, this means Tor
should adapt to serve: United States, Russia, Germany, France, United
Kingdom, Brazil, Japan, Italy, Spain, and Canada. Aggregating across
these jurisdictions, a pivot from “foremost Privacy” to “foremost
Human Rights” is an immense win. So yes, while this pivot does
shortchange Asia, on the total number of users it’s a win. So deal
with it.

To which I can only respond,

“Following the users” is a wholly satisfactory long-term strategy —
but it is incompatible with Tor’s rhetoric of “serving the neediest in
non-HR-friendly jurisdictions”, which may be okay! However, I take
Tor’s rhetoric at face value, and I, perhaps naïvely, presumed others
do as well. If Tor wishes to follow its rhetoric, this pivot is likely
to do long-lasting harm.

4. Can Tor still care about human rights? YES.

Dr. Bryan Ford and Kragen Sitaker opine:
Indeed.
Does Tor have to be completely mum about valuing of human rights? No!

Two responses:

    The goal is to get world-wide deployment, not protest The Man. If
TCP/IP had been branded as “robust communications for human rights
activists”, it would have never been deployed outside the West and
failed in greater unifying the world.
    Empirically speaking, in Asia, being foremost “Privacy” (of which
HR is invariably a component!) has largely worked. But making human
rights the utmost thing Tor foremost does hands officers full license
to attack with prejudice, and moreover invokes the already established
top-down incentives for officers to do so.

In short, no pretending required. Tor just needs to have a larger,
louder, message (e.g., “Privacy”) which can encompass HR as a component.
This is what Tor had, and they are actively throwing it away.

Updates

    I changed the final sentence from: “Anyone want to establish a
foundation for the efficacious promotion of privacy? Because Tor is no
longer it.” to “Tor is carefully positioning itself away from the
efficacious privacy promoter it used to be. 💔”. The former was said
out of frustration, and the latter better captures my true feelings.
    Added subtitle: “Aka, human rights activism meets the Cobra Effect”
    Removed the opening stanza, “There’s never been a better time to
leave Tor. After a few weeks of unsuccessfully waiting for my views to
mellow, I add my voice to the exodus.” This removal is in direct
response to Meredith Patterson’s, and especially Alec Muffett’s
feedback.

I might have a crush on Alec.
This whole editorial is me seeking external pressure before Tor
immensely diminishes their efficacy toward their stated raison d’etre.

Virgil Griffith
Special Projects @ Ethereum Foundation

