
Fact-checking the Tor Project's government ties - kyleblarson
https://surveillancevalley.com/blog/fact-checking-the-tor-projects-government-ties
======
dustinmoorenet
I don't see this as a controversy. The Signal protocol is funded in the same
way.

[https://arstechnica.com/tech-policy/2016/04/whatsapp-is-now-...](https://arstechnica.com/tech-policy/2016/04/whatsapp-is-now-most-widely-used-end-to-end-crypto-tool-on-the-planet/)

~~~
nabla9
It almost looks like governments have two conflicting interests. Keep things
secure and break the security.

~~~
jerheinze
> It almost looks like governments have two conflicting interests. Keep things
> secure and break the security.

That's because governments aren't a monolith; the projects and interests of
the NSF or the OTF do not necessarily overlap with those of the NSA or CIA.

~~~
nabla9
Even a monolith like NSA has this same conflict.

~~~
acct1771
Publicly stated conflict.

Seems they've made their decision on that long ago.

------
anovikov
What's bad about it? A good tool to remove hostile regimes, and something
which probably can't be used to do much harm to the U.S.

If Tor is a CIA invention, it is one of their best inventions ever.

~~~
asd3asd3
Tor is a US Navy invention.

~~~
jerheinze
But the implementation isn't.

------
rmrfrmrf
Tor's US government roots have been public knowledge since its inception. Why
is this suddenly trying to be a scandal?

~~~
friendlydude12
Desperate for book sales.

------
sschueller
From the document header: "The Tor Project, a private non-profit that
underpins the dark web and enjoys cult status among privacy activists, is
almost 100% funded by the US government. In the process of writing my book
Surveillance Valley, I was able to obtain via FOIA roughly 2,500 pages of
correspondence — including strategy and contracts and budgets and status
updates — between the Tor Project and its main funder, a CIA spinoff now known
as the Broadcasting Board of Governors (BBG). These files show incredible
cooperation between Tor and the regime change wing of the US government. The
files are released to the public here. —Yasha Levine"

~~~
eli
Isn't secure private communication that can't be intercepted often aligned
with the goals of regime change?

------
ChrisSD
This seems hyperbolic. Did anyone truly think TOR was some grassroots tech?
I'm only casually interested and even I was aware of its links to US
government.

Digging past all the hyperbole the more interesting "revelation" is that the
TOR project is friendly with Broadcasting Board of Governors (BBG), an
independent agency of the US Government.

------
armitron
Yasha Levine likes to spin these grand conspiracies but comes off as
completely clueless, technically (not sure if deliberate but it doesn't really
matter). Completely absent from his work are any sort of technical advisors or
rigorous technical writing.

Result being that less than _1_ minute of looking into his latest "scoop" from
someone with a technical background is enough to see through Yasha's bullshit.
The code of TOR is not only there for everyone to examine, the incentives are
so big that serious protocol issues would have come to the surface many times
over, esp taking the number of security experts who are constantly looking
there (meaning this goes way beyond "many eyes => bugs are shallow").

I used to read him when he was at Exile (together with Taibbi and Mark Ames),
he was good for a few laughs (and Exile was full of black humor and sarcastic
writing).

At some point, he started seeing himself as a serious journalist and hilarity
ensued. Stick to being a clown Yasha!

------
jerheinze
Oh please, not this FUD spreader again.

The Tor Project finances and IRS Form 990 are openly and publicly available:
[https://www.torproject.org/about/financials.html.en](https://www.torproject.org/about/financials.html.en)

Yes, a sizeable portion comes from the US government, and from the NSF, from
the Open Technology Fund (OTF) ..et cetera and over the years the number of
donations that they receive has been increasing, especially with the campaign
last year where Mozilla matched donations:
[https://blog.torproject.org/powering-digital-resistance-help...](https://blog.torproject.org/powering-digital-resistance-help-mozilla)
(they reached 400k$ with Mozilla grants IRC)

The way it works is that there's a set of deliverables or goals that must be
fulfilled and that get a funding from Sponsor X. And there's a wiki page with
all the Sponsors and the set of deliverables

[https://trac.torproject.org/projects/tor/wiki/org/sponsors](https://trac.torproject.org/projects/tor/wiki/org/sponsors)

For example for SponsorV
[https://trac.torproject.org/projects/tor/wiki/org/sponsors/S...](https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorV)

> Timeline

> October 2015 - September 2018 (...)

> Overview

> Joint project with Georgetown and NRL focusing on research about resilience
> to attacks that reduce anonymity or that deny service.

> The grant also includes a "transition to practice" component, which means we
> should not only help with the research side, but also build and deploy the
> more promising solutions.

> Deliverables

> \+ Produce research papers

> \+ Release software (e.g. Tor) that includes fixes based on the research
> papers

> \+ Work with Micah Sherr and Rob Jansen

THIS IS ALL PUBLICLY AVAILABLE.

WHAT THE HELL IS SPOOKY ABOUT THIS? DO YOU KNOW OF AN OPEN SOURCE ORGANIZATION
THAT IS AS TRANSPARENT AS THE TOR PROJECT?

To Mr. Yasha Levine: Please point to a single alternative that offers the same
low-latency anonymity as Tor if you're serious.

And yes, Mr. Yasha Levine has a big history of pushing smears like this on the
Tor Project, see this for example:
[https://micahflee.com/2014/12/fact-checking-pandos-smears-ag...](https://micahflee.com/2014/12/fact-checking-pandos-smears-against-tor/)

~~~
Passthepeas
Simple, there aren't any. Never, EVER, assume anonymity on the internet. Also
I'll add the fact that if you even so much as download Tor, you have made it
on a watch list; also exit nodes are a massive vulnerability. With those two
things plus government involvement, it is unwise to assume Tor is anything but
a honeypot. You want anonymity? Keep a low profile and try to hide in plain
sight, maybe check out some add-ons recommended on privacytools.io

~~~
mtgx
That's some bad advice all around.

If everyone thought like that we wouldn't even have HTTPS because "why would
you want to hide your internet traffic?!"

"Hiding in plain sight" doesn't work. At all. The NSA has automatic systems
that classify everything you do online and then it issues alerts if enough
"signals" are gathered. That also means that the more stuff you do in "plain
sight" the better it will know what you're doing, as the data will have very
high accuracy rates.

~~~
runeb
That's not the only reason to use HTTPS though. It is just as important to be
able to ensure you are communicating with the server you think you are.

------
mwnivek
Larger discussion:
[https://news.ycombinator.com/item?id=16501330](https://news.ycombinator.com/item?id=16501330)

------
scottlocklin
Nobody tell Yasha where the internet came from.

------
tritium
Given TOR's U.S. Navy roots and the theme of TOR's origin story, I can't say
I'm particularly shocked at this. That TOR was a technology developed as part
of naval research that "no one wanted anymore" was kind of a flimsy veil,
since there weren't any names associated with the narrative.

Similar to bitcoin's story: no one knows who built it, but gee, it's _so_
useful... ~ _shrug!_ ~

~~~
bazzlexposition
Tor has no value as an espionage tool if only spies use it, so the "no one
wanted it" narrative doesn't make sense. They need people to use it in massive
numbers for it to be an effective tool.

------
torstenvl
Oooooh the government of the most benevolent and freedom-loving country in the
world is funding a tool to speak anonymously on the Internet! Such a plot
twist! And they're not even keeping it secret! How scandalous...

~~~
m12k
I think the surprising angle is more like "agency that among other things
specializes in monitoring people online sponsors program to make it easier for
people to avoid being monitored online". It's the regime change wing of the
CIA doing the sponsoring, so in the end it does make sense, but I can see why
this would be surprising to many.

~~~
vilhelm_s
Does the CIA do any monitoring of people online? I guess given that it's a
huge agency they probably do some because of mission creep, but I thought the
idea was that the NSA is supposed to be in charge of it.

~~~
m12k
Oh absolutely they do. NSA specializes in mass surveillance and cryptography
(both design thereof for national security and breaking thereof to spy on
others - they probably have way more cryptographers and mathematicians than
any other agency). But even then all the other intelligence agencies will do a
lot of online spying, hacking, and following of people of their own, in
alignment with their respective missions - that's just the world we live in
now, where there's no way to run an intelligence agency and not have a massive
online surveillance apparatus. FBI will do it nationally for federal
investigations, CIA will do it 'on foreign soil' (although this is extended to
nationally as well whenever there's a counterintelligence justification) and
they'll do it both to screen for and keep tabs on potential threats (e.g.
terrorists) and for knowing their plans, and maybe know where they will be at
a given time for e.g. drone strikes, rendition or special forces ops. The
regime change wing of the CIA will undoubtedly also be monitoring any regime
they want to overthrow and supplying insurgents with intel to help them, warn
them if they are hunted. On top of this there's the different army ones under
the Defense umbrella that will do similar things as the CIA but under a
'cyberwarfare' moniker and in coordination with their respective troops. And
finally there's agencies with State, Justice and Energy that will indubitably
also have their fair share of hackers - the full list of agencies is pretty
long:
[https://en.wikipedia.org/wiki/United_States_Intelligence_Com...](https://en.wikipedia.org/wiki/United_States_Intelligence_Community#Members)
I'm sure books could be written about the effort required to coordinate them
all and prevent too much redundancy, but you can be damn sure they all monitor
people online and don't just leave that to the NSA.

------
bazzlexposition
Tor wouldn't work without an abundance of users, it would have no value as an
espionage tool if the CIA was the sole party using it. This isn't news, the
CIA has a vested interest in keeping Tor anonymous, to protect their overseas
assets.

------
sol_remmy
Previously:
[https://news.ycombinator.com/item?id=16501330](https://news.ycombinator.com/item?id=16501330)

------
chipanddale
Whether what the author said is true or not is irrelevant. Not that I am on
any side. Am I the only one that is noticing that TOR and Signal can be tools
which could be used to extend clandestine intelligence gathering abroad? They
are sort of like trojan horses, except they can be deployed remotely... why
chase when you can just create an ecosystem that attracts and then you can sit
back, watch and analyze then act.

------
gesman
Also - add here the most popular VPN services that claim they “don’t have
access logs” and are very stable without any legal problems.

~~~
jerheinze
There's no parallel here since, (1) Tor doesn't rely on the promises of "no
log" and that's why it uses a 3-hop design (and a 6-hop in the case of non-
single onion services), (2) the Tor Project isn't the one that operates the
entire Tor network.

------
qwerty456127
Use i2P, Luke!

~~~
jerheinze
> Use i2P, Luke!

Even zzz himself (the current lead developer of I2P) says that Tor is the way
to go for browsing the clearnet

> zzz: First of all I want to say that I have a tremendous amount of respect
> for Tor, Roger Dingledine and the other Tor developers, and what they have
> accomplished. I2P and Tor started at about the same time and have a lot of
> similarities.

> Tor has benefitted greatly from funding, academic analysis, and a large user
> base. We are exchanging ideas with Tor and I expect that both projects will
> benefit from that as well.

> The fundamental difference is that Tor is designed for "exit traffic" to the
> regular internet. I2P is designed for in-network traffic - what Tor calls
> "hidden services". Tor has 1000 "exit nodes". I2P has only one. Exiting from
> an anonymous network to the regular internet has serious potential
> vulnerabilities.

> As Roger Dingledine said in his talk at 25C3 (Dec. 29 2008), "Tor does not
> magically encrypt the internet". Neither does I2P. Accessing standard
> services through exit nodes can be done safely, but it takes great care.
> Snooping or worse by exit nodes, and blocking of exit nodes is problematic.
> That said, if your primary goal is anonymous access to the regular internet,
> Tor is the better solution.

I2P is great for torrenting and other such uses, there's no doubt about that.

[1] : [https://www.gulli.com/news/2913-i2p-an-anonymous-network-int...](https://www.gulli.com/news/2913-i2p-an-anonymous-network-interrogated-2009-03-09)

