
Two months after FBI debacle, Tor Project still can’t get an answer from CMU

Ars Q&A: We sit down with Tor Project's new executive director, Shari Steele.

Cyrus Farivar
Proof of connection: the site check.torproject.org will show you if you're connected via Tor. Credit: Tor
Shari Steele, Executive Director of the Tor Project Credit: EFF

It's been quite a few months for the Tor Project. Last November, project co-founder and director Roger Dingledine accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.

The FBI dismissed the claim, but the investigation in question is a very high-profile matter focused on members of the Silk Road online-drug marketplace. One of the IP addresses revealed belonged to Brian Farrell, an alleged Silk Road 2 lieutenant. An early filing in Farrell's case, first reported by Vice Motherboard, said that a "university-based research institute" aided government efforts to unmask Farrell.

That document fit with Ars reporting from January 2015, when a Homeland Security search warrant affidavit stated that from January to July 2014, a “source of information” provided law enforcement “with particular IP addresses” that accessed the vendor side of Silk Road 2. By July 2015, the Tor Project managed to discover and shut down this sustained attack. But the Tor Project further concluded that the attack resembled a technique described by a team of Carnegie Mellon University (CMU) researchers who a few weeks earlier had canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.

As this high-stakes situation continued to play out, the Tor Project was also looking for help. Faced with an increased demand and more government scrutiny in the wake of the Snowden leaks, 2015 saw Tor engage in a five-month search for a new executive director, someone who could "be the face and voice of the organization, to educate the public about privacy and encourage wider adoption of its tools, and could court donors to help sustain the organization and fund development of its tools," as Wired put it. And in December, Tor ended its year by hiring Shari Steele, previously the EFF executive director for 15 years.

As Steele prepares for her first year leading the Tor Project, she was kind enough to sit down last month in San Francisco with Ars for an extended chat on everything from the CMU situation and funding to the Tor community at large. What follows is the transcript of our conversation that has been lightly edited for clarity (or heavily edited, in the case of any of our clumsy questions).

Ars: You are a longtime person in the world of privacy and surveillance. How is Tor going to change now that you're at the helm?

Steele: One of the big things that Tor is looking to do is change its public perception and also to be able to be responsive to the things that the Tor Project itself thinks are the most important things to be working on rather than what its funders think are important.

The two biggest things I want to work on: First is to build up an infrastructure and second is to build up the reputation of the organization and bring in money from alternative sources. A significant amount of the money right now is coming from various US government grants. That's great that there's money coming in, but most of that is restricted money, and you have to work on the specific things that are talked about in the proposal and the grant issuance. So we're looking to find some additional funding sources. There's a big crowdfunding going on right now to get individual donations.

I noticed Laura Poitras at the top of my Tor Browser the other day.

Yes, Laura was the first champion that we had out there, but you should be paying attention. There are all sorts of really interesting people that have been released and are going to be released as champions, all wearing our “This is what a Tor champion looks like” shirts.

You mentioned changing the public perception of Tor. I feel like in journalist, academic, activist circles that we roll in, it's great. It's a tool for privacy, for anonymity, for making sure the government isn't tracking what you're doing and making sure miscreants writ large are not tracking you. But I feel like that's—I don't want to say divorced from—but maybe separate from the perception the public at large has. Many have only heard of Tor because that's how you access Silk Road or the deep, dark, scary Web. Is that the perception you mean?

That's exactly what I mean. And it's kind of crazy. I'm going to take off my Tor hat for a second. As someone who has observed Tor for years and years from the outside, it's actually kind of mind-blowing, the difference between what the project is actually about, the service, and how essential it is to the infrastructure of freedom versus what the public's reaction to it is and how it has been received in papers. That really is one of the things that I'm hoping to change.

These are brilliant technologists who are doing the work of the angels, and they are doing important stuff. If you talk to any of them, I don't recall a single solitary person I've met who is in this for the Dark Net. Everyone here wants to make the world a better place and sees this as an essential freedom tool; [Tor technologists] think of themselves as freedom fighters. It's really weird that the public perception is so completely out of touch with what this project is really about.

So how do you change that?

One of the ways is to teach the members of the organization themselves that they have nothing to be defensive about. I think when these kinds of attacks happen, the community gets extremely defensive and tends to blow up negative stories in ways. They should just let that stuff slide and put some positive stories out there and be able to talk about how it's helping journalists do their jobs and it's helping activists in parts of the world where their governments would kill them if they knew who they were. So, it really starts by talking to reporters like you who are going to get the story out there.

Is it just a marketing issue? Does there just need to be more Tor stickers on buses? What does that look like?

In a way it's a reputational kind of thing. The reality is that to the people who are working on Tor, Tor is great. It is a freedom-enhancing project. The people who are working on it, they understand that is their mission. That is what they're about. So it really is a perception thing; we have to change the perception.

I don't think stickers on buses is the way to do it, but I think coupling ourselves to stories that are positive stories—about revolution and about personal privacy and about people using Tor for medical research and for all sorts of ways that Tor is being used positively. Let's talk about that more instead of talking about the Dark Net.

So you are the new head of the Tor Project, how much do you use Tor in your regular non-work life?

Personally, I use it maybe 10, 20 percent of the time. I know that there are people out there that are using it a lot of the time. But for me, as much as I might hate Flash, there are times that I need to watch something on YouTube. I can't do 100 percent of the things that I need to do on Tor. Even Craigslist blocks a lot of Tor access, so I have to shuffle circuits to hit one that will work. How much do you use it for yourself in day-to-day life?

There's a sort of fantasy—how will Tor grow, what would that look like if we had unlimited resources, and how would we make that more accessible—and the fantasy is that maybe someday it's built-in to a privacy option on regular apps that you use. You wouldn't normally have it turned on, and instead when you do your Google search, you would click a switch and say “I would like to browse privately now”—that would be Tor. That's kind of the way we're thinking about it.

Before I came to Tor, I wasn't a big Tor user, but I was a big Tor supporter. I don't know if you know, but there was a time early in Tor's career that EFF actually sponsored Tor, so I always recognized the importance of it. But like you, most of my communications aren't deeply private. Most of my communications, I don't think of it that way. There are lots of people in the Tor community that do private things all of the time. But this very week, they've been giving me all kinds of new tools that I've never used before.

Like what?

Signal and Mumble. So I'm getting set up with all these new tools because the way that the community talks to itself is through private channels. I think it's a good thing for me to get up to speed, though I'm not so sure that in my non-Tor life I will use private communications. But I'm learning, I'm a newbie, and I'm learning and I think it's good for me to come in from this perspective.

There were two big Tor incidents that happened in this past year that I'd love to hear your thoughts on. There's a whole situation involving setting up a Tor node in New Hampshire, in a library, and both the police and DHS freaking out.

Basically there are these librarian activist types who wanted to set up a Tor relay in libraries. But when this library tried to do it, the local police freaked out a little bit. Then Homeland Security Investigations read it on Ars and freaked out a little bit. The library board ended up voting to restore it, but there was a little chaos beforehand.

It sounds like—and this is the first time I'm reading it, I haven't read it deeply—this was one of those cases where the local law enforcement didn't understand what Tor was and how it was being used. They had that immediate knee-jerk reaction of: “Oh my God, it's private, it must be evil.”

Let's talk more about the other situation—the CMU thing. Researchers possibly in cahoots with the government in some way actively tried to break Tor for law enforcement purposes. That sent a lot of shock waves amongst our readership and amongst the Tor usership I would imagine. Now that some time has passed, are you able to say more about what has happened, and what, if anything, Tor can do about it?

With the recent story, the frustrating part about it is that CMU isn't talking to Tor. Tor isn't getting the actual facts of what happened. The FBI clearly got information from CMU that helped with the arrest. That part of it, we know. Whether that happened through legal process or not, we don't know. CMU came out after the story hit and said there was a subpoena, and they were responding to a subpoena. So that may or may not be true.

Clearly CMU takes federal money in order to do research that is attacking Tor, and Tor knows about that. So how deeply was CMU involved? Whether CMU actually did the searches for the FBI, or provided the FBI with the vulnerability, we don't know the details.

Can you talk about what you just said a moment ago, that CMU and Tor don't talk to each other?

They always used to talk to each other. With this particular event, CMU is not talking to Tor. Tor has tried on multiple occasions, particularly when the abstract for the paper first got published, to find out, 'what's the vulnerability, let's get it plugged!' But CMU, they are not talking. Obviously there are individuals at CMU who are friends of ours that we still talk to, but the researchers who are involved in this have not been returning our phone calls.

Still now?

Still now. And this is a little bit of a concern that this is going to affect CERT, because that comes out of CMU. So again, I'm still getting up to speed, but the normal way that I would want to respond to this: When we first get wind that CMU is an active participant, I would immediately want to have that conversation with CMU and find out what they're doing and how they're doing it. Then I'd want to plug that vulnerability as soon as possible and not let the FBI be able to use it first before we figure out what's going on.

It's very frustrating because CMU is a friend, they should be a friend, we're all working in the same space and we should be all working together. It's very frustrating that our friends are actually attacking the network. The fact that they found people who are engaging in criminal activity, it feels slightly better, but not really because everybody was exposed. The vulnerability made it such that anyone who was using the network could have been identified. That's just not OK, and [CMU] should have realized that and should be appreciative of that.

I imagine that if I was in your shoes, I would be concerned that something like this would happen not just in the US, but it might happen in other countries as well. Correct me if I'm wrong, but I think it's a well-known vulnerability that if you control enough nodes, you control the network. X number of the network wouldn't be that hard for a state actor, I assume.

Yes, that is a known vulnerability on Tor. We've always been watching that. But we now have some serious things in place to pay attention to when a bunch of new nodes are all showing up from the same location or from something similar. It could be disguised if we didn't identify when all the new nodes are coming from the same place, but there are alarms now that go off. In fact, with the CMU stuff, they saw the new nodes coming on and didn't see it as a threat at the time. Now it gets elevated to threat level. So today, hopefully we'll be able to catch at least that vulnerability. It's a cat and mouse game where we're constantly going to have to be vigilant about that.

But is something like that... of all of the things that keep you up at night, that worry you as the head of this important project, it would strike me that this would probably be at the top of the list. Is that an accurate understanding?

I can certainly tell you that's what keeps Nick [Mathewson, Tor's co-founder] and Roger [Dingledine, Tor's director] up at night. I trust Nick and Roger. I'm not a technologist. So yes, vulnerabilities of the network would make me very, very upset. But that's not the area where I have expertise. So the stuff that's going to keep me up at night is making sure that none of the Tor developers are feeling like they're being beaten up.

There's been a whole lot of negative trolling that's been happening, and I really want to make that stop. Making sure that the project has the money to do the work that they want to do. Making sure that there is the infrastructure so that Nick and Roger aren't approving each individual purchase of a roll of tape. That's the stuff I'm focused on.

You mentioned that the largest portion of funding comes from, correct me if I'm wrong, the State Department?

That is correct.

I think it was in The Washington Post that I read, which crystallized it in a way that I hadn't thought about before. They said that the State Department wants Tor for activists and people living in repressive regimes. And then you have another arm of the US government that's actively trying to break it, actively trying to surveil it, actively trying to infiltrate it, and do all kinds of nefarious things. So you have different arms of the government fighting each other.

Not even necessarily different arms, but within the State Department there is offensive and defensive. The same branch of the government can be both trying to defend the network and trying to go out there and attack other people. Yeah, it's pretty psychotic, actually.

So when you said you want to move away from government funding sources…

That's not exactly what I said. The first thing is to get alternative funding sources and to diversify the funding sources. It may be that at some point we say or we want to say, 'let's shed these funding sources.' But right now we've got a good stable network that has been funded in this way. We're not throwing any of the funding sources away. We're looking to get additional funding sources.

But is the idea that you want to expand the pot, or is the idea that you don't want to be so reliant on a single source?

Yes. [Laughs.]

I guess what I was trying to drive at was if it was my job to promote Tor in Iran, in China, or in Russia, having it be attached to the State Department might be bad, might be a black mark on that. Because if I'm an activist living in Iran doing anything at all, in any way associated with the US government, that's viewed with a great deal of skepticism. Is that part of that equation?

It's part of the equation, but we have a funding model right now and you can't just drop it without losing all your funding. So the first step is to get additional funding sources and see how it goes.

You're right, I can't deny that there are lots of people within the Tor community, and lots of people who either are users of Tor or would be users of Tor, who are concerned about the fact that so much of the money—or any of the money—is coming from US government sources. But the reality is that is where the money is coming from. And the organization needs money in order to survive. So we're going to take this step-by-step and try to expand the funding sources and then there might be conversation about how we do things. But we're very, very grateful for our current funding sources.

I don't mean to imply that you're not grateful. I just could see that as a longer term strategy from the outside. My family is from Iran, and I know a little bit about the Iranian activism community. I know that yeah, if you're an Iranian activist, doing anything that touches the US government is really really really sketchy.

I get it. And I understand. I think we're on the same page. This isn't a brand new thing that's starting up from scratch. We're talking about what's the evolution and that's as best as I can predict.

You talked about marketing and expanding the use of Tor, the story of Tor. Are there other things from a technology perspective? Are there other things that you would anticipate coming in 2016?

That's the stuff that I'm really not up to speed on. Ask someone who really has a handle on all the tech stuff. That's the stuff that I'm still getting briefed on.

Where would you like Tor to go in the next three to five years?

I would like to see Tor funded to the point where they're not funded in the way they grow the network based on funding priorities. I would like to see Tor respected as a freedom-enhancing technology, and I'd like to see the world not throwing negative stuff in there along with it. I want them to get that this is really important.

I would like to see everybody who is working on the Tor Project feel united and unified in the way that they feel they are being taken care of by the project. There is a mix of employees and contractors and volunteers, and I'm still getting a sense of if those people who are in those categories want to be in those categories.

How many paid staff does Tor have?

I think I'm number 10.

Really? That's crazy. I knew it was small, but I didn't know it was that small.

Tor has done a great job of maximizing the community. The project is probably twice as big as the finances show that it is. That is something that I want to look at. I want everyone who is working on Tor to feel like they're being appreciated.


Cyrus Farivar Editor at Large
Cyrus is a former Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is out now from Melville House. He is based in Oakland, California.