EPIC - EPIC v. BBG

EPIC v. BBG - Tor

Top News |
Background |
Legal Documents|
Freedom of Information Act Documents |
Related Cases and Documents |
News Items

Top News

NSA Attacked Tor, a Privacy Enhancing Network: The NSA and GCHQ have attempted to break the privacy protections of the Tor anonymity network, according to a series of documents published in The Guardian today. The documents describe the efforts of the NSA to de-anonymize Tor users by compromising their computers and Tor software with viruses. The NSA also relies on Doubleclick advertising cookies to identify Tor users. Despite their efforts, the documents reveal that the intelligence community has had limited success compromising the Tor network. One presentation, titled "Tor Stinks," concludes that they will "never be able to de-anonymize all Tor users all the time." In May 2013, EPIC filed a FOIA request seeking evidence of government interference with the Tor network. In 2000, EPIC had also filed a complaint with the FTC about Doubleclick's efforts to merge users' browsing activity with personally identifying information. And in 2007, EPIC objected to Google's acquisition of Doubleclick, warning that it would place at risk the privacy of Internet users. For more information, see EPIC v. BBG; EPIC: Privacy? Google/Doubleclick Merger. (Oct. 4, 2013)
EPIC FOIA Request Reveals No Evidence of NSA Interference with Tor Network: In response to a FOIA request to the BBG, EPIC has received 74 pages of documents that reveal no efforts by the NSA to undermine the security or reliability of the Tor network. Recent news reports show a concerted effort by the National Security Agency to compromise cryptographic standards set by the NIST as well as Android, iPhone, and BlackBerry encryption. The NSA and FBI have also targeted the communications of Tor users. EPIC will continue to pursue FOIA requests that shed light on the efforts of the intelligence community to undermine cryptographic standards. For more information, see EPIC v. BBG. (Sep. 25, 2013)
EPIC Files FOIA Suit to Determine If Tor Is Compromised: EPIC has filed a Freedom of Information Act lawsuit against the Broadcasting Board of Governors, a federal agency that oversees all U.S. civilian international media. EPIC seeks information about the federal government's interest in the Tor network. Tor is a program designed to allow encrypted, anonymized online browsing and is used by many human rights organizations. Recent news reports indicate that the National Security Agency has targeted the communications of Tor users. In a related matter, EPIC has asked the Supreme Court to halt the NSA collection of domestic telephone records. For more information, see EPIC: EPIC v. BBG - Tor. (Sep. 9, 2013)

Background

EPIC v. BBG is a Freedom of Information Act case in which EPIC is seeking documents related to the Broadcasting Board of Governor's (BBG's) surveillance of internet traffic traveling through The Onion Router (Tor).

Tor is software currently maintained by The Tor Project, Inc. and the Tor Solution Corporation. Internet users around the world use Tor to maintain anonymity and circumvent Internet restrictions. It works by encrypting Internet data and routing it through a series of "nodes" hosted by volunteers to create a secure relay between the user and their destination. This obscures both the origin and destination of the user. Tor is used by academics, political dissidents, law enforcement, journalists, whistleblowers, NGOs, the U.S. Navy, and everyday individuals. Tor adheres to a policy of openness and transparency in its own management while working to protect the anonymity of its users. To that end, Tor publishes its list of sponsors, its open-source software, its financial reports, documentation, and lists of projects. Tor provides an invaluable tool for encrypted web use.

The NSA's Involvement in Cryptography

The National Security Agency (NSA) developed the cryptographic algorithm, known as Skipjack, underlying the Clipper Chip, a cryptographic device purportedly intended to protect private communications while at the same time permitting government agents to obtain the "keys" upon presentation of what has been vaguely characterized as "legal authorization." The "keys" are held by two government "escrow agents" and would enable the government to access the encrypted private communication. While Clipper would be used to encrypt voice transmissions, a similar chip known as Capstone would be used to encrypt data.

EPIC, along with other privacy organizations and technologists, challenged the proposal. In addition to subjecting the public to increased surveillance, the design of the Clipper Chip was classified, and therefore the strength of its algorithm could not be evaluated by the public. By 1996, following intense public opposition, the Clipper Chip was defunct.

Despite losing the public debate over the Clipper Chip, the NSA has introduced vulnerabilities into many of the encryption technologies used by Internet consumers. These vulnerabilities have allowed the NSA to defeat the encryption that protects the personal data and communications of individuals. The agency has accomplished this through collaboration with technology companies, covert influence in encryption standard-setting processes, and brute-force decryption using supercomputers.

The NSA's Attempts to Undermine Tor

On October 4, 2013, The Guardian published a set of PowerPoint slides from GCHQ, the British counterpart to NSA. The slides reveal that the NSA and GCHQ have attempted to find ways to break the Tor privacy network. The documents reveal that the agencies run Tor nodes, exploit vulnerabilities in the Tor/Firefox bundle, and host secret servers to redirect users to malware-injecting websites that allows the NSA to compromise individuals’ computers. They also use Doubleclick advertising cookies to try to identify Tor users.

Despite the efforts of the NSA and GCHQ, the documents reveal that the intelligence community has had limited success compromising the Tor network. The NSA has only been successful in identifying Tor users on an individual basis, often by exploiting a weakness in the user's web browser. The anonymity provided by the Tor network allows NSA can differentiate between Tor users and non-Tor users, since the former all look the same and the latter are individually identifiable. Technologist Bruce Schneier explained in The Guardian, "The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US." A slide in one of the presentations, titled “Tor Stinks”, concludes that the intelligence community will “never be able to de-anonymize all Tor users all the time.”

EPIC's Interest

Since the June 2013 revelations of NSA surveillance of electronic communications, there has been a dramatic increase in interest for anonymity and encryption tools. On September 5, 2013, it was revealed that the NSA had compromised many of the encryption technologies used by consumers and citizens on the Internet. Through covert partnerships with internet providers and software developers, the NSA has built in secret "backdoors," or deliberate network vulnerabilities, that allow the agency to surveil, decrypt, collect, and even control the flow of user data. According to top-secret NSA documents published in The Guardian, The New York Times, and ProPublica, "For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely-used Internet encryption technologies... Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." The Washington Post noted that sixty percent of Tor's funding comes from the Department of Defense, prompting the paper to ask whether the network suffered from similar backdoors and vulnerabilities. That story was followed quickly by a report that Tor was being used to spread malware that could identify Tor users. As of October 2013, the slides published by The Guardian confirm that the NSA is playing an active role in trying to undermine Tor's cryptographic standards. By hosting exit nodes, the intelligence community is attempting to monitor and control segments of Tor traffic. Additionally, the NSA is working to de-anonymize Tor users.

EPIC's interest in the federal government's attempts to undermine the Tor network reflects EPIC's longstanding concern about the role of the NSA in the creation and control of cryptographic standards. Last year, Tor's major funders were the BBG, Department of State, and Department of Defense - which houses the NSA. While Tor has published the details of its interactions with the BBG, EPIC's FOIA request seeks to discover whether the BBG controls other records which could shed light on the extent of the federal government's interest in the public's ability to encrypt.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

On May 31, 2013, EPIC submitted a FOIA request to the BBG requesting:

All agreements and contracts concerning BBG funding or sponsorship of The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group;
Technical specifications of all BBG computers running Tor nodes;
All reports related to BBG's modification of the Tor software; and
All agreements and contracts between the BBG and The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group regarding features or capabilities in the Tor software.

Legal Documents

EPIC v. BBG, No. 13-01326 (D.D.C. Sep. 9, 2013)

EPIC's Complaint, (Sep. 9, 2013)
Joint Stipulation Of Dismissal With Prejudice

Freedom of Information Act Documents

EPIC's FOIA Request (May 31, 2013)
EPIC's FOIA Appeal (July 26, 2013)
BBG Request Reponse (July 26, 2013)
BBG Appeal Response (Aug. 2. 2013)
BBG Document Production (Aug. 12, 2013)

Related Cases

Computer Professionals for Social Responsibility v. NSA, C.A. No. 93-1074-RMU (D.D.C. 1993)
In re EPIC - NSA Telephone Records Surveillance, No. 13-58 (2013)
EPIC NSA Petition, last updated Aug. 23, 2013