Concerning Yasha Levine’s ‘Fact-checking the Tor Project’s Government Ties’

Please understand that this subject is far, far outside my wheelhouse, as I wouldn’t be able to parse a TorOnion (although I’ve been trying to take a crash course) from a Linux anonymizing tool, but it seems to me in these days of the current almost total lack of online privacy, this Tor information war is crucial, as in: potentially a Very Big Deal.   Given how many days it’s taken me to dig into it, I was ready several time to give it all up in surrender.  So Consider this another PSA, if you will; and feel free to weigh in with your opinions and expertise.  I’ll bring links to Levine’s detractors, all written before he’d received his FOIAed documents; so yes, he must have called out ‘Tor’s deeply conflicted ties to the regime change wing of the U.S. government’ many times earlier.  Both are long, long reads, and as this is so long already, I won’t feature what seem to be the pithiest parts, but invite you to read them instead.  Levine’s invited journalists and historians of all stripes, I assume, to dig into the documents to see what they find documented in them.

Given that Yasha’s twitter account contains most of what he’s cited in this exposé beginning on Feb. 28 and earlier: @yashalevine Feb 28: ‘Today, I am releasing my full cache of FOIA files on Tor and the BBG to the public. They show collaboration between the federal government, the Tor Project and key members of the privacy and Internet Freedom movement on a level that is hard to believe”, all of which are considered to be ‘in the commons’, I’m going to include most all of what he’s written on these two pages.

On the same day, without any fanfare, Julian Assange had tweeted the link:

@JulianAssange ‘Tor – US Broadcasting Board of Governors (BBG) FOIA https://www.documentcloud.org/public/search/projectid:37206-The-Tor-Files-Transparency-for-the-Dark-Web …

Below it, this: @_whitneywebb Mar 1  ‘this is interesting since Tor is a major part of SecureDrop which is being touted as a “new” WikiLeaks by your friends at the Freedom of the Press Foundation’

…reminding me that when J. Asaange had responded to the FPF threw WikiLeaks off their safe island of funneling contributions to the group anonymously one of the group’s claims was that they were busy creating SecureDrop:

“Much had changed since the foundation was formed. Today it has a $1.5 million annual budget and a staff of 15. Taking donations for WikiLeaks and other groups has become only a tiny part of the foundation’s work. In 2013, for example, the foundation took over development of SecureDrop, an open-source tool designed to make it safer for whistleblowers to submit information to reporters. Under the foundation’s stewardship, SecureDrop today is running in dozens of newsrooms, including The New York Times, The Washington Post, the Associated Press, and Bloomberg.

[wd here: ah, yes, scribes to the Imperial Project’s #ProporNot.]

“Through a Daily Beast article by “Kevin Poulsen”, who interviewed former FPF board member Xeni Jardin, I learned that the board’s weakening resolve is due to a Micah Lee initiative asking his fellow board members to “cut ties” with WikiLeaks.”, etc.

Yeppers, this is the War and Peace-length tome finally now launching forth:

From the blog tab on Levine’s website on his new book, surveillancevalley.com on Feb. 27, 2018: Fact-checking the Tor Project’s government ties’ Feb 27, 2018

“The Tor Project, a private non-profit that underpins the dark web and enjoys cult status among privacy activists, is almost 100% funded by the US government.

In the process of writing my book Surveillance Valley, I was able to obtain via FOIA roughly 2,500 pages of correspondence — including strategy sessions and contracts and budgets and status updates — between the Tor Project and its main funder, a CIA spinoff now known as the Broadcasting Board of Governors (BBG), an agency that oversees America’s foreign broadcasting operations like Radio Free Asia and Radio Free Europe.

(See the full set of documents here.)

I obtained the documents in 2015. By then I had already spent a couple of years doing extensive reporting on Tor’s deeply conflicted ties to the regime change wing of the U.S. government. By following the money, I discovered that Tor was not grassroots. I was able to show that despite its radical anti-government cred, Tor was almost 100% funded by three U.S. national security agencies: the Navy, the State Department and the BBG. Tor was military contractor with its own government contractor number — a privatized extension of the very same government that it claimed to be fighting.

This was a shocking revelation.

For years, the Tor Project — along with other government-funded crypto tools like Signal — has been seen in almost religious terms by the privacy community as the only way to protect people from government spying online.

The Electronic Frontier Foundation held up Tor as the digital equivalent of the First Amendment. The ACLU backed it. Fight for the Future, the hip Silicon Valley activist group, declared Tor to be “NSA-proof.” Edward Snowden held it up as an example of the kind of grassroots privacy technology that could defeat government surveillance online, and told his followers to use it. Prominent award-winning journalists from Wired, Vice, The Intercept, The Guardian and Rolling Stone — including Laura Poitras, Glenn Greenwald and Andy Greenberg — all helped pump up Tor’s mythical anti-state rebel status. Even Daniel Ellsberg, the legendary whistleblower, was convinced that Tor was vital to the future of democracy. Anyone who questioned this narrative and pointed to Tor’s lavish government support was attacked, ridiculed, smeared and hounded into silence. I know because that’s what Tor supporters tried to do to me.

But the facts wouldn’t go away.

The initial evidence that I had gathered in my reporting left little room for doubt about Tor’s true nature as foreign policy weapon of the U.S. government. But the box of FOIA documents I received from the BBG took that evidence to a whole new level.

Why would the U.S. government fund a tool that limited its own power? The answer, as I discovered, was that Tor didn’t threaten American power. It enhanced it.

The FOIA documents showed collaboration between the federal government, the Tor Project and key members of the privacy and Internet Freedom movement on a level that was hard to believe:

The documents showed Tor employees taking orders from their handlers in the federal government, including hatching plans to deploy their anonymity tool in countries that the U.S. was working to destabilize: China, Iran, Vietnam, Russia. They showed discussions about the need to influence news coverage and to control bad press. They featured monthly updates that described meetings and trainings with the CIA, NSA, FBI, DOJ and State Department. They also revealed plans to funnel government funds to run “independent” Tor nodes. Most shockingly, the FOIA documents put under question Tor’s pledge that it would never put in any backdoors into their software. (See below.)

The documents conclusively showed that Tor is not independent at all. The organization did not have free reign to do whatever it wanted, but was kept on a short leash and bound by contracts with strict contractual obligations. It was also required to file detailed monthly status reports, giving the government a clear picture of what Tor employees were developing, where they went and who they saw.

I used many of these documents in my book, Surveillance Valley, to tell the story of how privacy technology evolved into a tool of military and corporate power. But now I’m going further: I’m releasing the full cache of FOIA files on Tor and the BBG to the public. I hope that journalists and historians will make use of this information to explore the close relationship between privacy technology, government power and Silicon Valley economic dominance.

In honor of this release, I’m putting together a little fact-checking primer on Tor’s government ties that’s based on these documents. I’ll be releasing a “fact-check” every few days, starting with the first:

CLAIM #1: Tor does not provide backdoors to the U.S. government
RATING: Moderately true.

While the documents do not show Tor employees providing backdoors into their software, they do reveal that they have no qualms with privately tipping off the federal government to security vulnerabilities before alerting the public, a move that would give the feds an opportunity to exploit the security weakness long before informing Tor users.

Take the incident involving “TLS normalization.”

In 2007, Tor developer Steven Murdoch wrote up a report on the problems and vulnerabilities connected to the way Tor encrypted its internet connection. Turned out that it did so in a very unique way, which made Tor traffic stand out from all the rest and made it easy to fingerprint and single out people who were using Tor from the background data noise of the internet. Not only did this encryption quirk make it easy for foreign countries to block Tor (at the time Tor’s efforts were targeted primarily at China and Iran), but in theory it made it much easier for anyone interested in spying on and cracking Tor traffic — whether the NSA, FBI or GCHQ — to identify and isolate their target.

In his email to Tor cofounder Roger Dingledine, Murdoch suggested they keep this vulnerability hidden from the public because disclosing it without first finding a solution would make it easy for an attacker to exploit the weakness: “it might be a good to delay the release of anything like ‘this attack is bad; I hope nobody realizes it before we fix it’,” he wrote.

(see document below; not a new window)

https://www.documentcloud.org/documents/4379303-Bbg-Tor-Emails-Stack-21.html#document/p1/a406621

Dingledine agreed. He didn’t tell the public. But he also didn’t keep the information private. He did something very much the opposite: he debriefed his backers at the BBG, an agency that had been spun off from the CIA and continues to be involved in covert change efforts around the world. (For my reporting on this history see: Surveillance Valley.) Roger forwarded his exchange with Steven to the BBG, making it clear that they would not be fixing this vulnerability anytime soon and that the public would be kept in the dark about this fact. He ended his email with “:)” — a smiley face.

How cute.

(see document below; not a new window)
https://www.documentcloud.org/documents/4379303-Bbg-Tor-Emails-Stack-21.html#document/p1/a406621

Privately tipping off a spooky federal agency deeply embedded in the U.S. National Security State to a vulnerability? No matter how slight the weakness being reported, you’d have to be naive to think that the U.S. government would not move to exploit it.

Don’t know about you, but I’d wager most Tor users wouldn’t be too happy knowing that this goes on at Tor. I’d wager they’d see it as nothing less than a total betrayal of trust. A double-cross. To them, Tor is not supposed to be giving advance warning to the U.S. government about it’s vulnerabilities. It’s supposed to be fighting on the other side: a rebel grassroots privacy tech outfit building tools that thwart the most powerful governments and intel agencies in the world. That’s the mystique and that’s the promise. That’s supposedly why Tor’s endorsed by the EFF and Edward Snowden, the most celebrated government whistleblower in recent memory. Some, like Ross Ulbricht, proprietor of the original Silk Road, staked their lives on their belief in Tor’s independence and anti-state nature. Maybe it’s not a surprise that Ulbricht is now spending life behind bars.

This brief interaction (and there are many many others on all sorts of topics) gives you a glimpse into the kind of friendly backroom relationship Tor has with the U.S. government. Fact is, Tor does not see the BBG as a threat. How can it see it that way? The BBG is a major benefactor, handing out over $6 million in contracts to the Tor Project from 2007 through 2015. The BBG is a friend and source of funds — and Tor management is eager to please. And of course the BBG isn’t Tor’s only friend in the U.S. government: the U.S. Navy and the State Department have also funneled millions into the project, and continue to do so today.

So…How long did it take for Tor to reveal this security weakness to the general public?

Well, it’s hard to say. But looking through Tor’s “tor-dev” mailing list it appears the document Roger initially shared with the BBG in 2007 was brought to the public’s attention only in 2011. That’s four years after the federal government was tipped off about it!

Note: The thing to remember is that Tor’s BBG correspondence only reveals a sliver of Tor’s full interaction with the feds. Much of the funding for Internet Freedom tech takes place under Radio Free Asia’s umbrella, a private government corporation that claims it does not fall under FOIA mandate and so refuses to comply with journalists’ FOIA requests. We also do not know what Tor reveals to its other two backers, the State Department and the U.S. Navy. Nor do we know what Roger Dingledine or other Tor managers reveal in their regular meetings with U.S. intelligence and law enforcement agencies. And there are many such meetings.

—Yasha Levine

Some Rebuttal:

Micah Lee responds to Levine’s smears against Tor in his ‘Fact-checking Pando’s smears against Tor’, micahlee.com

Pando.com allowed Quinn Norton, who now blogs at emptywheel.net to offer rebuttal in 2014. ‘Clearing the air around Tor’.

“[Editor’s note: Following Pando’s recent reporting on the financial links between some senior Tor developers and the US Government, a fierce — and at times deeply unpleasant — debate has erupted between Tor supporters and critics. This guest post by journalist Quinn Norton was commissioned following an email discussion between Norton and Pando writer Yasha Levine. In the interests of open and fair debate, Pando has not edited the text of the post, beyond adding hyperlinks. – PBC]

Okay, a bit from Q. Norton, at some medium website someone had called ‘make peace, not war’ or close:

“The problem with Roger and the team he built, who are remarkable in many ways, is that they’re terrible at communicating with the public, and this confusion about funding isn’t the worst consequence of that. The worst consequence (to my mind) is the rogue exit node problem. A rogue node can spy on and collect all the Tor traffic going in of out of it, and probably a very high number of them do. This was allegedly how Wikileaks got its first drove of documents. It’s not a flaw in Tor though, Tor is working fine through that whole process. It’s a flaw in how people think about Tor, a flaw that has almost certainly cost people terribly by now.” [snip]

“It’s important too explain why people have been so incoherently angry as Tor has been criticized. There’s a genuine fear that this debate, or rather the miscommunication around it, puts people at risk. Most of the places people are using Tor their adversaries are not the US Government. They’re using it not only to communicate but to sidestep censorship. Tor is literally a lifeline to the world for people, some of whom are my colleagues, and some my friends. I can’t explain the mathematical architecture of Tor to them, but I can explain how to use it and the broad strokes of why to trust it. I will continue to do this, but for those I can’t talk to, those who only hear “honey pot”, they can be cut off and put at risk, likely to vanish one day. Some of this is journalists in shitty countries, but sometimes it’s gay kids in shitty homes trying to get information and not feel so alone. Sometimes it’s trolls, and sometimes it’s people trying to communicate about a controversial topic without risking home and livelihood.

The computer security and net freedom community have come up in the abusive environment of contemporary social media, and this has created a culture of constant combat and defensiveness. They take criticism with flame throwers on full throttle. But I believe all sides of this debate can be settled through clearer, gentler, and more candid communication.”

Readers will decide, most especially those steeped in tech privacy encrypted anonymizing software issues,  but you might want to take a look at the documents Levine’s made public for the sake of additional scrutiny.

(cross-posted at caucus99percent.com)