Intro to TOR: how you can be an anti-censorship activist in your sleep

Here's a nice little introductory article on TOR, The Onion Router, a privacy-enhancing technology that helps you to circumvent national, corporate and school firewalls and enhance your anonymity. Originally developed by the US military to help communications get in and out of countries that heavily filter their networks, TOR is free/open software and is maintained by many volunteers around the world, including the Electronic Frontier Foundation.

TOR works by passing your traffic through several (theoretically) unrelated computers all over the Internet, using cryptography to keep the origin, destination, and intermediary steps secret from each computer it passes through.

You can run TOR on your own computers and they'll become part of this array of intermediary hosts all over the net, making your network connection into a tool for privacy and free access to information.

Bill McGonigle, of Lebanon, New Hampshire, decided to become a Tor volunteer when he learned that people in Iran were protesting the results of their June Presidential election. They were using the Internet to organize their meetings. The Iranian government was trying to censor their messages to one another. "I have a soft-spot for people trying to gain liberty for themselves," he wrote in an email, "especially against tyrannical regimes. It became known that they were using Tor to get around the censorship, so at that point I put up a relay....The people I'd like to help are those living under violence-based oppression, most commonly orchestrated by dangerous and corrupt individuals posing as legitimate governments. I'd like to see an end to oppression wherever it exists."
Volunteer Your Computer for Global Privacy (Thanks, Rhona!)


  1. God knows we need people to stand up and provide TOR exit nodes. But that seems like a legally suicidal move in the USA, where any local-yokel prosecutor merely has to say “OMG Kiddy Porn” in order to lock you up for 50 years.

    I notice TOR exit nodes tend to be in continental Europe. I don’t think I’ve ever seen one in the USA. There has to be a reason for that; I’m guessing that America’s use of “terror” and “children” as root passwords to the Constitution is to blame.

    1. @Kerov, Are there any precedents of cases such as the hypothetical scenario presented in your post? In which an unsuspecting TOR volunteer host has been charged with kiddie porn possession? In the Wikipedia entry there is mention of a German (note. continental Europe, not U.S.) datacenter which was busted for kiddie porn, and happened to be utilizing TOR.

      To draw that connection without presenting evidence seems to be an unwarranted bit of F.U.D. spreading.
      This technology becomes more effective as more people use it, and with any luck will become more widely known and accepted and harder to marginalize.

    2. Running a Tor Exit Relay in the US is actually not suicide. It’s one of the best countries in the world for such an action. We have lots of legal protections for relay operators in the United States.

      Additionally, the Tor network has Exit relays all over the world. The top three (in order) countries are the USA, Germany and Sweden.

  2. There’s already been a case of someone in the US being harassed by law enforcement for running a TOR exit node. Unless you like having your computer confiscated and worse, don’t run one in the US.

  3. To be clear, I know of no US prosecution of a TOR node, and the EFF gives reasonable assurances that they might help out if an overeager prosecutor comes after a TOR node operator.

    The last thing I want to do is spread FUD for FUD’s sake. It’s just that I have zero confidence that (e.g.) the Jefferson Davis County Sheriff’s Office, prosecutor, judge, and jury will act in a reasonable manner when an HTTP request comes from a TOR node to the child-pornography web site they just busted.

    There may not be any history of TOR-related prosecutions, but there are volumes upon volumes of insanely unreasonable US child-pornography prosecutions.

    1. Regardless of what you’re attempting to do, you are in fact spreading Fear, Uncertainty, and Doubt. Give it a rest, please.

  4. Putting the hypothetical legal issues aside, what of the moral issues?

    What if the node I run is utilized in the transmission of kiddy porn? Terrorist communications? What if tyrannical governments use my tor node in the oppression of their peoples? Or if their spies use it send national secrets home?

    I expect that those who support complete, absolute freedom of communication are few and far between. Most of us find some sort of communication unacceptable (that which directly facilitates evil); we accept some limits to our freedom of speech.

    Let’s face it: it’s well known that there’s a sizable population that uses tor to distribute kiddy porn. Children are abused to produce it. And if you run a tor node, you may be aiding that distribution.

    I don’t object to the Tor project itself. But I couldn’t personally run a node, knowing that my resources may be used for evil.

    1. (Disclaimer: I’m a Tor Developer)

      I run a number of relays (see here), including a Directory Authority and not including many bridge nodes.

      I think it’s perfectly moral to run these machines. I think that I wouldn’t be able to sleep at night unless I did. They’re the only way that normal people can have privacy with any hope of anonymity or traffic analysis resistance on the internet.

  5. @5: 100% of kiddie porn is produced using cameras — by producing digital cameras, aren’t CE companies all complicit in its production? Most abductions involve cars — what about the auto industry?

    The fact that there’s “a sizable portion” of child porn conveyed via Tor does not mean that Tor is primarily used for child porn, nor that child porn would diminish if it were abolished.

    1. I’m not convinced there’s a sizable portion of such content.

      Additionally, I know for a fact that some police agencies use Tor to _find_ child porn in order to _bust_ the people producing it. I think that’s a pretty moral reason to support Tor – personally and professionally!

      Context is everything. Sniffing all of the Exit Relays in the world won’t give you the context you’d need to understand who’s using Tor or why they’re using it.

      1. I’m not convinced there’s a sizable portion of such content.

        The actual traffic is there for anyone who cares to look.

        Additionally, I know for a fact that some police agencies use Tor to _find_ child porn in order to _bust_ the people producing it. I think that’s a pretty moral reason to support Tor – personally and professionally!

        The cops are well aware of where to go to find child porn. And what tools to use to convincingly pose as child pornographers. This should tell you something.

        It also puts the lie to the claim that TOR will allow you to avoid prosecution, as the authorities do know exactly where to go to find criminals, and – by your own admission – are using this information to bust people. If they can do it for child pornographers, they can do it for political malcontents as well. You can’t have it both ways.

        Context is everything. Sniffing all of the Exit Relays in the world won’t give you the context you’d need to understand who’s using Tor or why they’re using it.

        You know what the traffic is. So you’re left with the cry of everyone caught in flagrante delicto, “It’s not what it looks like! You don’t have the context!” No. It’s exactly what it looks like.

        1. If you have data, feel free to cite it as a source so we can discuss specific facts. If you don’t have data, stop saying data is available. I’m curious to see how you collect this data without becoming a felon.

          If you have data, how do you account for the flows that you see versus the flows that you don’t? Your statements sound like classic confirmation bias to me. You’re so sure that Tor is used for “bad bits” that you’re simply arguing without supporting data to back it up. You only know what you’d use it for and what you’ve heard, so you just assume that this is the majority of the traffic on the network.

          What do you think of all the encrypted (https/ssh/etc) traffic on the internet (and flowing through Tor)? Is that all bad or all good by your accounts? If you can’t see the payload inside the packets, how the heck do you know anything about it?

          Additionally, a key point is that if the police use a “Police Anonymity Network” for busting people, they obviously look like cops and can be treated as such. This is why some police officers (from various countries, actually) use Tor: a shared anonymity net is the only sure fire way to cover their tracks by design, rather than by policy. This is the same reason bloggers, journalists, IT workers, human rights defenders, and others use Tor. To suggest that the police use Tor to look like a criminal is beyond ridiculous. People use Tor to gain various kinds of anonymity. The police require location anonymity as it’s pretty obvious that you’re being investigated if you see in your log files!

          You mis-characterize or misunderstood my point about the police busting criminals. If someone runs a website and posts content, they can be busted by anyone who sees this. Tor obviously doesn’t protect people who don’t use it. But Tor does protect those websites from being able to know that it’s you rather than Officer Alice. The website won’t be able to know where you or Alice entered the network. Thus the website can’t treat you differently until you make some other distinguishing data point obvious. So when Officer Alice comes to download evidence, it’s harder for the website to block Officer Alice (say by blocking all of the ips owned by the FBI) without blocking everyone using Tor.

          Anyway, I look forward to your peer reviewed paper on Tor traffic submitted to PETS for 2010! We can discuss your confirmation bias in person over a coffee.

  6. Cory,

    I’m not too sure that analogy stands up. After all, I have no direct investment in either the camera or the car in your scenario. If I was a member of a car club and I knew that someone was using the car for abducting people on Tuesdays, that wouldn’t make me happier about paying to use it the other six days of the week.

    What you’re talking about is indirect economic support, and pretty arms-length support at that. Yes, if I buy a digital camera than I am helping support an industry that makes digital cameras that kiddy-fiddlers can buy. But that’s a very abstracted level of support; after all, by buying food at my local supermarket I am supporting the industry that allows these people to eat; by paying my taxes I am supporting the health system that they use (or the prison system that incarcerates them if they are caught).

    The difference with Tor is that I am directly facilitating their conduct, by loaning out use of my computer.

    Now this doesn’t mean that I think use of Tor is a bad thing. In fact I think it’s a very good idea. But you can’t arm-wave away the issue that helping to provide Tor gives direct – if unintentional – assistance to those who misuse it. I’d far rather deal with the issue by satisfying myself that the undoubted benefit of helping with Tor outweighs the problems arising from its misuse.

    Now you say that it’s a ‘fact’ that a sizeable portion of child porn is conveyed via Tor. Is this a fact? Is there any evidence? Of equal importance, is there any evidence at all what fraction of Tor’s capacity is taken up by such material?

    If 50% of Tor traffic is generated by Iranian dissisents and 0.05% by child porn merchants, I’d probably be content that the social benefit/cost ratio was in favour of me supporting it. If it was the other way round, I wouldn’t touch it with whatever the digital equivalent of a forty-foot bargepole is. Does anyone have any real idea what the true figures are?

    1. you make good points. and i don’t know the numbers. but i do know that i take the good over the bad. i seriously doubt the figure for child port is 50%. i use tor to look up molecular structures. certain ones. just when i’m curious.

      and if i ever get busted for running an exit node in the us (which i have done and will do), i know which lawyers i’ll call. hint: they work for the eff.

      “better to let 1000 guilty men go free than to convict a single innocent man.”

    2. TOR is 99% Nigerian fraud and kiddie porn. Don’t take my word for it. Set up an exit node and sniff the traffic for five minutes. In my opinion TOR is a virus botnet that, rather than being spread by exploiting software vulnerabilities, is spread by exploiting vulnerabilities in the ideology of naive geeks. But it facilitates crime – the actual human exploitation kind of crime, not the victimless kind of crime – just as well as any other botnet.

  7. i’m with Simon. what are the facts here? and what’s the risk that i’m going to be prosecuted for disseminating child pornography/jihadist activities/treason, if my TOR bandwidth just happens to be used for that purpose?

  8. There are hundreds of Tor exit nodes based in the US (I have run one without incident for 6 months). You can easily reduce the risk of DMCA notices by restricting your exit policies.

    Here’s one man’s story, with technical help for anyone interested.

    You don’t even have to run your node as an exit. Setting it up just as an intermediate relay is also very helpful.

    There are currently only around 1.5 thousand Tor routers in the world (and about 400 bridges). You can make a real difference by setting one up.

  9. I tried setting up a tor relay node, maybe two or three years ago. I’m reasonably technically proficient, and it was a major pain in the ass to get it configured. Admittedly, I do more programming than IT, so maybe my networking skills aren’t ninja level.

    I think if you want more TOR nodes, the first thing to do is to make it as simple as possible for non-technical people to set them up.

    As to the moral argument – what TOR provides is not child porn. TOR provides privacy, and sometimes people use privacy to do some bad things. But to argue that therefore privacy is bad seems, well. . . republican? un-boing-ish?

    There are good applications for privacy. I would go so far as to say that the good applications of privacy outweigh the bad applications of privacy, in importance if not in bandwidth.

    A small number of people will continue to make child porn and cops will continue to bust them. Getting rid of TOR would not eliminate child porn any more than it would eliminate Iranian pro-democracy activism.

  10. I set up a tor bridge relay pretty recently on my home machine. If you have a directed wish to provide services to dissident groups in authoritarian regimes, running a bridge relay makes a lot of sense — these are relays that designed to aid groups where the Tor system itself is being blocked, and that’s usually in totalitarian regimes where even the possibility of anonymous speech is dangerous and banned.

  11. I use Tor for investigating online crime and malware.
    I know others in the security community do also.
    I’m not anyone’s idea of a programer, but setting up a relay was relatively painless, with the help of the Tor community.
    Freedom of speech is important for everyone. You should support it.

  12. Does anyone know of US (or other) case law where the legal standing of a person running an exit node was actually adjudicated? Seems like most cases thus far have involved police or prosecutorial action only … I’m curious if a Tor-related case has ended up in front of a judge.

  13. “dangerous and corrupt individuals posing as legitimate governments…” Ha ha ha, and which “legitimate government” does McGonigle live under? Happy hunting, man, by all means, find one! I’m afraid those “tyrannical regimes” are what we today call parliament and capital hill. Tor is a great tool, for use for anyone who lives under censorship.

  14. @joesan #22:

    Asis Internet Services v. Optin Global, Inc., C-05-05124, filed in the U.S. District Court for the Northern District of California is, as of this writing, apparently the only reported American case which contains an opinion that even obliquely refers to TOR (and that just in passing). There may be other U.S. cases with opinions which involve or discuss TOR, but if so, those opinions are filed under seal, or are non-appellate state court proceedings not available in Westlaw or Lexis.

  15. Morality is a difficult subject when we talk about third party responsibility, and it often boils down to this: Either we permit the possibility that people can do bad things, or we limit the infrastructure to prevent bad choices from happening. This is why some countries choose to censor people, limiting what they can access or do on the Internet, while other op to only punish those third parties who intentionally promotes a specific crime, and declare everything else as infrastructure and good for society as a hole. While no technology can take a stand on a issue, I think the TOR community and EFF has.

  16. I had just heard about TOR 2 days ago and was meaning to check into it. Now I come across this post. I am going to enter the TOR world and start being more anonymous just for fun. See what happens! Until recently I also did not realize that some countries sensor what people can look up on the Internet – I guess we are lucky here in the US.

  17. I’m curious to see how you collect this data without becoming a felon.

    “TOR traffic is innocuous and you can’t prove otherwise, because if you did collect the data, it would include things that would make you a felon.”

    When a service’s own defenders provide such an indictment, what more can I add?

  18. Is there any information about the proportion of TOR traffic that originates in totalitarian regimes as opposed to in democracies?

Comments are closed.