Tor is a Web tool intended to help you navigate the Web undetected. Government officials have reportedly been using bugs in the system to root out the devious activity of criminals, stop whistleblowers, or just invade your privacy.

But Andrew Lewman, executive director of The Tor Project, believes that some employees at the National Security Agency (NSA) and GCHQ, its U.K. counterpart, are secretly informing Tor about vulnerabilities within its system to prevent their colleagues from using it to spy.

In an interview with BBC News, Lewman said Tor has received bug reports from security agencies on a monthly basis. But he acknowledged that Tor's security controls make it impossible for him to know exactly who sent the data - or if the NSA and GCHQ are actually behind it. "It's a hunch," he told the BBC.

"You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software," he said. "And the fact that we take a completely anonymous bug report allows them to report to us safely."

Tor is a free network of tunnels for routing Web requests and page downloads. It's supposed to make it impossible for the site you access to figure out who you are, and was once an acronym for "The Onion Router," the implication being there are many layers of security offered.

"I think that at some point there will always be attacks, there will always be software bugs - we are human, we will always make mistakes, but with many eyes trying to help us we seem to be getting better," Lewman told the BBC.

The report comes about a month after a presentation at the Black Hat conference about weaknesses within the Tor network was canceled. Alexander Volynkin, a researcher with CERT/Carnegie Mellon, was scheduled to give a talk titled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" at the hacker conference, but CERT pulled the plug and said "the materials that [Volynkin] would be speaking about have not yet [been] approved by CMU/SEI for public release."

The U.S. is not the only one with an interest in the data flowing through Tor. Last month, Russia offered up $100,000 to anyone who could hack it.
