Tor Technology: The Onion Router’s Offensive and Defensive Use in the Ambiguous International Context

The initial setup of the universal global network – the Internet – did not foresee the ample threats to privacy that its ubiquitous application 50 years later would generate. Openly sharing data on the user, the destination, the origin and the content was no concern, as the few involved followed the motto: “Why hide if everyone knows everyone?”. While people started feeling uncomfortable openly sharing their digital activity as the Internet surged, basic Internet protocols and the corresponding norms and conventions remained largely untouched.


Throughout the years, the skyrocketing need for privacy developed into a race between those who sought anonymity and those who have a profound interest in seeing through the privacy barriers. One famous instrument in the privacy toolbox is the decentralized, layered encryption approach of “The Onion Router”, widely known as “Tor”. This paper will briefly explain the concept of the Tor network and browser, outline its offensive and defensive use with special regard to the (international) application context and close with remarks on the need for a less ambiguous stance on Tor from liberal democracies.


The Onion Router – Network, Browser and Project


Described as “one of the best privacy tools currently in existence” (Quintin, 2014, p. 1) by the Electronic Frontier Foundation, the basic idea behind Tor has not changed since its initial release in 2002: Tor provides a decentralized, encrypted network and a high-stealth browser that allow users to stay anonymous when visiting a website or communicating online (Glater, 2006). On the technical level, the combination of encrypting data packets in several onion-like layers and routing them randomly via at least three nodes creates a highly sophisticated, (close to) impenetrable Transmission Control Protocol (TCP) communication. As a connection-oriented protocol, TCP awaits a response once a packet is sent; Tor establishes a protective tunnel through which packet and response are routed, and thereby prevents any reference to the location or network access of the user. The complicated travel of the data packets results in higher latency, which users experience as, e.g., longer waiting times until a called website responds. In this sense, the Tor browser trades performance for anonymity but is still a low-threshold privacy tool, as it comes as a ready-to-use product without the need for a technical background. In addition to accessing the “clear web” (i.e., websites that can be opened with regular browsers), Tor users can also reach hidden, Tor-specific websites ending in “.onion”, often referred to as the (Tor) darknet. As described in the following, these deeper parts of the Internet are notorious for their (partially) illegal content and applications, but the traffic generated for onion pages is comparatively low (approx. 3-6 % of overall Tor traffic) (Moore & Rid, 2016). In response to the malicious intent with which Tor is partially used, several Internet services, in particular websites, are not accessible via Tor. Usually by flagging the IP addresses of the prominent exit nodes, websites such as google.com, twitter.com or bestbuy.com deny Tor users access (CISA & FBI, 2020).
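The layered encryption described above, as an added illustration that is not code from the Tor Project: every relay on the three-hop route peels exactly one layer and learns only its predecessor and successor, while the plaintext request and destination are visible to the exit alone. The example assumes pre-shared per-relay keys (Tor negotiates these with a handshake when the circuit is built) and uses an HMAC-SHA256 counter-mode keystream as a stand-in for Tor's AES-CTR cell encryption.

```python
import hashlib, hmac, json, os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for Tor's AES-CTR)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher style: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def wrap(key: bytes, next_hop: str, body: bytes) -> bytes:
    """Add one onion layer: only the holder of `key` can read next_hop and body."""
    nonce = os.urandom(16)
    cell = json.dumps({"next": next_hop, "body": body.hex()}).encode()
    return nonce + xor_crypt(key, nonce, cell)

def peel(key: bytes, blob: bytes):
    """Remove one layer; returns (next_hop, remaining onion or final payload)."""
    nonce, ct = blob[:16], blob[16:]
    cell = json.loads(xor_crypt(key, nonce, ct))
    return cell["next"], bytes.fromhex(cell["body"])

def build_onion(route, keys, destination: str, payload: bytes) -> bytes:
    """Wrap from the exit inward, so the guard's layer ends up outermost."""
    blob = wrap(keys[route[-1]], destination, payload)   # exit layer: destination + payload
    for i in range(len(route) - 2, -1, -1):              # middle, then guard
        blob = wrap(keys[route[i]], route[i + 1], blob)  # each relay learns only the next relay
    return blob

def traverse(route, keys, blob):
    """Simulate the circuit: record (previous, next) as seen by each relay."""
    seen, prev = {}, "client"
    for relay in route:
        next_hop, blob = peel(keys[relay], blob)
        seen[relay] = (prev, next_hop)
        prev = relay
    return seen, blob

def demo():
    route = ["guard", "middle", "exit"]
    keys = {r: os.urandom(32) for r in route}  # constructed keys; Tor derives them per circuit
    onion = build_onion(route, keys, "example.org:443", b"GET / HTTP/1.1")
    return traverse(route, keys, onion)
```

`demo()` returns the per-relay view, which shows that the middle relay sees only "guard" and "exit" and never the destination or the request.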


Risks & Decision Calculus of Using Tor


Because of its technical proficiency, (partially) illegal application and widespread use, the Tor network and browser have been attacked on several vectors: Until its substitution by HTML5, Flash active content based on the Internet media format Adobe Flash produced severe security issues for regular browsers and Tor in particular. By directly addressing the destination server instead of tunneling data packets through the network, users ran the risk of disclosing personal information when executing accidentally or purposefully mal-designed Flash content (Abbott, Lai, Lieberman, & Price, 2007). The Tor-specific transmission of TCP data via a randomized entry node, one or more middle nodes and an exit node makes entry and exit nodes high-value targets for compromise (Aamir, 2012): Statistical analysis of the entry and exit times of data packets provides insight into the potential route taken; JavaScript code might contain personalized trackers that exploit sensitive user data; or automatically requested, forged image tags in HTML code can be logged by a compromised entry node (Wang, Luo, Yang, & Ling, 2011). Due to the profound technical setup, an attack on Tor requires high technical proficiency and sufficient resources. Among the few documented attacks is the 2014 report by German hacktivists and investigative journalists disclosing that the NSA had repeatedly attacked (and potentially penetrated) Tor nodes as part of the XKeyscore deep packet inspection program (Appelbaum et al., 2014). Despite certain protection measures[1] to avoid the compromise of personal data – even when Tor entry or exit nodes have been affected – “nothing is foolproof, not even Tor” (Quintin, 2014, p. 2).


In general, using Tor has an ample effect on the cost-benefit calculation of identifying someone’s online activity. Irrespective of whether persecutors are trying to identify an Internet user for legitimate (e.g., investigating cybercrime) or illegitimate reasons (e.g., censoring freedom of speech), Tor dramatically increases the costs of such an identification for two reasons: First, the technological and organizational setup of Tor requires extensive resources to penetrate the network and trace users (if at all successful). Second, the widespread use of Tor allows individuals to disappear in the masses. Both factors render a low- to medium-value target safe when using Tor. Even for high-value targets, where persecutors are willing to invest vast resources in their detection, Tor dramatically shifts the cost-benefit calculation in the Tor user’s favor. Consequently, there is little to no risk for actors – on offense and defense alike – in using Tor. The browser fulfills its goal: assuring privacy on the Internet.


In addition to the rather small risk of compromising their identity, Tor users face a trade-off between performance and accessibility on one side, and anonymity and untraceability on the other. The trade-off is exemplified on three levels: First, even though Tor provides extensive protection against commercial data collection on the Internet, users have more performant tools available to avoid tracking. Blocking cookies, using tab containers or elaborate script blockers like “uBlock Origin” provide better online performance and avoid being completely locked out of websites and social media platforms, like Twitter or Google, that are not accessible from Tor Browser. Second, if the need for anonymity increases, possibly because of illegal activity, users still do not need to drastically cut down performance. Less elaborate privacy solutions like well-protected VPN (Virtual Private Network) providers in non-disclosure countries like Switzerland might already suffice to disguise one’s identity from an Internet Service Provider or law enforcement agencies. Third, if users engage in heavily persecuted activity (e.g., foreign intelligence, investigative journalism) or fear extensive investigations into their doings, Tor is a comprehensive and easy tool that provides high-level privacy. Tor’s anonymity comes at the price of performance – a trade-off that privacy-savvy users are readily willing to make.


On a last note: The decision calculus for using Tor falls against the backdrop of knowing or “guesstimating” the trade-off factors, such as the willingness of persecutors to invest resources to identify a user. If, for example, an Iranian dissident is uncertain of the government’s scrutiny of her online activity, her level of risk aversion or risk affinity will drive her decision making. If performance detriments are accepted, there are few reasons that speak against using Tor even with the mildest privacy concerns. On the contrary: The Tor Project encourages the use of its tool for daily Internet activity – to make Tor use less suspicious and protect those who depend on it.


Offensive and Defensive Application of Tor


Tor is by definition a defensive technology – intended to provide anonymity and privacy, in fact defending users against the involuntary disclosure of their private data. Tor only becomes offensive when used in combination with other offensive technology, such as a botnet or an illegal marketplace. Security agencies, governments and legal adversaries regularly criticize Tor for its ample possibilities to use anonymity in an offensive way: Tor is infamously known as a safe haven for cyber actors that exploit the anonymity feature for secretive, possibly illicit use cases such as black-market trading, disguising botnet structures or spying.


The anonymity of Tor allows its users to host illegal websites that would be seized immediately if hosted on the clear web. A 2016 study showed that of 2,700 active Tor darknet sites, 1,500 contained illicit content, with drugs, financial services and extremist content ranking among the top three (Moore & Rid, 2016). One of the most renowned examples of illegal websites on the Tor network are the different versions of the “Silk Road” – a Tor-based black market where users buy and sell drugs, weapons, child pornography or offer illegal services, such as forged documents, “cyberattacks as a service” or hitman jobs. “Silk Road 1.0” generated sales of approx. $180 million from its founding in February 2011 until its seizure in July 2013 (McCoy, 2017), but comprehensive details of dark web markets only become visible after counter-action, such as the recent pan-European “DisrupTor” operation or the famous, large-scale 2014 takedown of 400 .onion addresses in a global action against illicit use of the Tor network (Ikeda, 2020; U.S. Department of Justice, 2014).


Beyond its market function, the Tor technology of encrypted and randomized nodes that obfuscate the path of TCP packets has been used to hide command and control (C2) structures in cyberattacks. C2 servers are the most vulnerable counter-attack points for botnets, which use infiltrated machines under their control to launch cyberattacks, such as a Distributed Denial of Service attack (DDoS) (CISA & FBI, 2020; Puri, 2003; Sabanal, 2016). A prominent example of the use of Tor in a botnet setting is a later version of the notorious “Gameover Zeus” botnet, which relied on Tor’s randomized node structure to hide its communication channels (Graff, 2017; Krebs, 2014).


As a third example of its offensive potential, Tor has been extensively used by the U.S. military to clandestinely collect intelligence on foreign governments or maintain contact with, e.g., informants where neither side wants to be disclosed (CISA & FBI, 2020). The interest of U.S. security and intelligence agencies in Tor is obvious, as the Tor Project was predominantly (and still is partially) funded by the U.S. government (Levine, 2014; Tor Project, 2020).


In contrast to the previous examples of an active use of Tor for offensive measures, Tor can also be used in a more passive but offensive way: The infamous Russian hacker group “Fancy Bear”, responsible for attacking dozens of high-value targets such as the Democratic National Congress in 2016 and the German Parliament in 2015, compromised Tor exit nodes to deliver malware to users of these nodes (Department of Homeland Security, 2017).


To access censored information, online communication and partially social media platforms, Tor is the go-to tool of many dissidents, journalists and critics around the world. Facebook, for example, provides a Tor-facing “.onion”-domain (“facebookcorewwwi.onion”) to its platform to enable access from digitally sealed-off countries like China[2], Iran or Syria. Even if a website or service is not directly censored, government critics and journalists around the world use Tor to disguise their online activity in order to avoid reprisal. Assessing this use of Tor as offensive or defensive depends highly on the normative standpoint that either favors freedom of speech or perceives these doings as insurgent. Arguing from a human rights standpoint, Tor only provides defensive technology to enable freedom of expression and information (Article 19, UDHR) around the world. On the other side, Tor is perceived as so threatening (offensive) that it is banned in Mainland China, Belarus, Venezuela and other countries (MIT Technology Review, 2012).


Application of Tor in different contexts & international implications


The interpretation of dissidents using Tor as offensive or defensive hints towards the normatively loaded role of a strong anonymization tool like Tor. Acknowledging the inadequacies of generalizing whole countries, the oversimplification of distinguishing countries into “supporting freedom of expression” and “suppressing freedom of expression” by means of, e.g., the World Press Freedom Index can help to understand the application of Tor technology in different contexts: In countries that severely undermine the right to free speech, such as China, Iran or Egypt, Tor provides a safeguard for the fundamental human right of freedom of expression and information and is therefore frequently used. In countries with little political repression such as Sweden, New Zealand and the US, the use of Tor is – strictly speaking – not needed to avoid direct political reprisal. Here, the frequent use of Tor arises from the greater availability of the technology and is motivated by avoiding online tracking and suspected surveillance (Jardine, 2018).


The Tor Project and the privacy advocacy group “Electronic Frontier Foundation” frequently stress that Tor should not only be used when anonymity is strictly needed; on the contrary, the everyday use of the network protects repressed users not only by its technological means but also by letting them hide in the mass of unsuspicious Tor users. Analogously, both groups stress that the “I have nothing to hide” attitude of people enjoying freedom rights is dangerous: A persistent intrusion into privacy rights undermines liberal democracy in a way that its constituents will eventually have something to hide (Galperin, Opsahl, & Kayyali, 2014; Quintin, 2014).


Outlook: Call for an unambiguous stance


With web-based applications and pandemic-infused Internet dependency on the rise, privacy protection tools like Tor become indispensable for anyone who wants to move online without disclosing their identity. With a continuing focus on online development, the advancement of the Internet also increases the complexity of assuring browser security. This is why – from the technical and policy standpoint alike – the question of the impenetrability of the Tor browser is imperative: Similar to encryption, there is no middle ground of “semi-anonymity” – either a user is anonymous or not. In the past, liberal democracies like the US have taken an ambiguous stance towards the Tor browser and its technology: While funding major shares of the project until today and applying the technology for intelligence purposes (Makuch, 2019), the NSA’s XKeyscore program attacked and possibly penetrated the Tor network to collect information on its users. Instead of threatening or even banning privacy tools, public agencies, private industry and civil society should accept the challenge of fighting cybercrime by the wide variety of alternative means, value privacy as a much-needed counterweight to the pole of freedom and security, and understand Tor as an indispensable, international tool for what former Secretary of State Hillary Clinton outlined in 2014: "The freedom to connect is like the freedom of assembly in cyberspace." (Galperin et al., 2014, p. 2)

This paper was submitted as final paper to the course "Cyber Risks and Vulnerabilities" at Columbia University's School of International and Public Administration (SIPA), lectured by Prof Natalie Vanatta and Prof Janee Potts.

[1] For example, disabling active content by Adobe Flash and JavaScript, using additional HTTPS encryption or monitoring abnormal traffic in the browser helps to reduce the risk of compromise.


[2] To use Tor in the People’s Republic of China (PRC), which uses the “Great Firewall” to block unwanted Internet traffic more structurally, Tor provides so-called “bridges” that allow for a (partial) circumvention of Chinese censorship.

