Collaboration

Will Tor usher in the age of true anonymity on the Internet?

According to Jonathan Yarden, true anonymity on the Internet is a myth. But an anonymous Internet communication system dubbed Tor is bringing that myth closer to reality. Find out how Tor helps users remain unidentified, and get Jonathan's take on the potential ramifications of this tool.

Computer users often fall into the trap of believing in anonymity on the Internet. On the Web, aliases and usernames abound, and you can be whoever you want to be. Whatever the motivation is behind it, the ability to communicate without any form of monitoring or tracking interests many people. But true anonymity on the Internet is really a myth, a topic I've written about before.

In my opinion, anonymity is technically impossible—communication leaves some record of Internet activity. And it's not necessary to intercept and decode any actual data. Sometimes, just knowing the source and destination IP addresses is enough evidence of communication.

Remember, you don't need to know what the data is to determine if communication has occurred. This is the simplest form of Internet traffic analysis; it's very simple to do, and it happens all the time. And while intercepting data streams and reconstructing them into a useful form is indeed another matter, it's also generally possible.

Security vs. anonymity

However, it's important to make a clear distinction between communicating anonymously and communicating securely. Both relate to privacy, but they are not the same.

For example, if you regularly communicate over the Internet using strong encryption, you may feel pretty protected—the bulk of Internet traffic doesn't use encryption. But, although encryption offers secure communication, it doesn't ensure anonymity.

When looking at e-mail server logs, I can plainly view both the sender and the recipient are of a PGP-encrypted e-mail. I may not be able to read the contents of the message, but it's clear that communication has taken place.

Whether it's by monitoring e-mail system logs or looking at NetFlow traffic logs, I can see digital "footprints," which tell me that communication has occurred; sometimes I can even determine the protocol the sender used. It's important to remember that secure communication doesn't imply that the communication is anonymous.

Enter Tor

And yet, for a rather small subset of Internet users, truly anonymous Internet communication is quite appealing. For those few, Tor, a free anonymous Internet communication system, goes a long way toward providing both secure and pseudo-anonymous Internet communication.

The Electronic Frontier Foundation, an organization known for its strong support of privacy and digital rights for all Internet users, currently supports Tor. Its developers have designed Tor precisely to interfere with—but not make impossible—the tracking and monitoring of Internet activity.

In addition to data encryption, Tor routes data packets through a network of relay servers—called onion routers—in a pseudo-random manner that obscures both the source and destination IP addresses from both the source and destination as well as other onion routers. It's very cool technology, and many have touted its benefits for Internet users. But remember: One person's benefit is often another person's headache.

Cause for concern?

In these days of massive identity theft, credit card abuse, and global terrorism, the writers of Tor likely had the best intentions but not necessarily foresight. For all the technological benefits Tor offers, its ability to obscure Internet communication highlights its potential for abuse.

The current concerns about terrorism put technology such as Tor in an unfavorable light. And it probably won't be long before worms and Trojans emerge that use the Tor network to hide their communications. While it's always possible that malicious users won't take advantage of Tor for their own benefit, time will tell.

Any technology that makes it easier to transfer Internet data that isn't traceable will always find its way into malicious use. So, as much as I admire Tor's technical ability to evade detection, I cringe at the potential for abuse that it presents.

Of course, I can say the same for any advanced technology in the wrong hands. Keep in mind that the writers of malicious software and people who infiltrate computer networks don't need any more ways to hide their activities—they already have plenty at their disposal.

How anonymous is anonymous?

Regardless of my concerns about Tor, the technology is available, and people will indeed use it for whatever purposes they choose. More important is the fact that it's not truly anonymous Internet communication—truly anonymous communication would leave no trace of any manner of communication anywhere.

I can still determine at least some information, even with an encrypted data stream, and that means it's not really anonymous. However, finding this information isn't the easiest task either.

So, while it's technically impossible to communicate truly anonymously over the Internet, Tor is essentially invisible to most users, including those with security skills. As with any security and privacy tool, the real value of Tor will depend entirely on the user's intent.

Miss an issue?

Check out the new Internet Security Focus Archive, and catch up on the most recent editions of Jonathan Yarden's column.

Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.

Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.

Editor's Picks

Free Newsletters, In your Inbox