Tor Project

Just because the National Security Agency hasn't cracked the anonymizing service Tor doesn't mean that people who use the service are free from surveillance.

The NSA has been able to use ad networks like Google's, and The Onion Router's own entry and exit nodes on the Internet, to follow some Tor users, according to a new report based on documents leaked by whistleblower Edward Snowden and obtained by security researcher Bruce Schneier with the Guardian. Tor is primarily funded by the US State Department and the Department of Defense, home of the NSA.

Tor promotes itself as helping people "defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security."

Robert Hansen, a browser specialist at the security firm White Hat Security, said that Tor access node tracking is not new.

"A couple of years ago a hacking group published exactly 100 embassy passwords from Tor exit nodes. One hundred is too round of a number," he said. "Just logically there must be more. If you get enough exit nodes and entrance nodes, they can be correlated together."

Director of National Intelligence James Clapper criticized reporters and denied that his office was doing anything illegal, citing the threat of "adversaries."

The articles fail to mention that the Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of US citizens.

The system that the NSA uses to locate and identify Tor users begins, at least sometimes, with the buying of ads on networks like Google's AdSense.

"Just because you're using Tor doesn't mean that your browser isn't storing cookies," said Jeremiah Grossman, a colleague of Hansen's who also specializes in browser vulnerabilities.

As Grossman described the procedure to CNET, the NSA is aware of Tor's entry and exit nodes because of its Internet-wide surveillance.

"The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the Internet, makes it easy to differentiate Tor users from other Web users," he wrote.

The NSA buys ads from ad display companies like Google and seeds them around Tor's access points.

"The NSA then cookies that ad, so that every time you go to a site, the cookie identifies you. Even though your IP address changed [because of Tor], the cookies gave you away," he said.

This is not some complicated or even an unusual trick, Grossman said. It's how tracking ads were intended to function.

"That's the Web by design, not a hack," he said.

The NSA, he said, is not spending much money on it since Internet ads are so cheap. Grossman speculated that an ad campaign would only cost around $1,000 to seed ads with the NSA's cookies around the Web.

"$50,000 would be overkill," he said.

Because the NSA is essentially using how the Web functions to spy on its users, tools like Tortilla that take the burden of Tor usage away from Firefox wouldn't prevent the NSA's tracking ads from finding people.

It wouldn't be feasible for Google to block ad buys from the NSA, and if the company did, he said, "they could just buy through a proxy."

Google did not respond to a request for comment.

Both Tor itself and Schneier noted that the NSA has not been able to track every Tor user this way. "They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone," Schneier said.

Grossman speculated that the NSA could be using spam e-mail campaigns as it's been using display ads, though he cautioned that he didn't have evidence that this was actually happening.

"On the off chance that [the spam recipient] renders the HTML or clicks a link, [the NSA] can connect your e-mail address to your browser," he explained, which the NSA would have already connected to an IP address. "Using Tor or any proxy wouldn't prevent it."

Not all Tor installations are created equal, added Hansen, who has an unusual pedigree in the browser vulnerability field because he's also a veteran of the ValueClick ad network, which was later bought by DoubleClick, which subsequently was purchased by Google.

"It depends on whether you're using Tor Button or Tor Browser," he said. "The Tor Button tends to be more secure because as you jump in and out of the Tor Browser, it tracks cache and cookies."

However, since the Tor Project now includes a patched version of Firefox, it recommends not using the Tor Button and only using the standard Tor Browser Bundle instead.

More secure than either, Hansen said, was to run Tor on a virtual machine so that cookies and cache are dumped when the machine is closed, and the kind of man-in-the-middle and man-on-the-side attacks described by Schneier are avoided.

"If you don't take the critical steps to protect your privacy, you will be de-cloaked if you're doing something interesting," Hansen said.