The desperate search for online privacy

Bloomberg NewsSeptember 15, 2013 

It has been a rough couple of months for the folks at the Tor Project.

Tor -- it stands for "The Onion Router" -- camouflages its users' Web communications with encryption and by bouncing signals around server nodes in different parts of the world so that it's all but impossible for either governments or advertisers to track them to their origins. Its fans hail Tor as a vital tool for those who live under repressive governments.

But Tor has suffered a series of public embarrassments -- embarrassments that teach important lessons about the increasingly desperate search for online privacy.

Last month, we learned that the anonymity protocols that are Tor's reason for existence had been hacked, apparently by the FBI, which was investigating an alleged purveyor of child pornography. Then, we were reminded that some 60 percent of the budget of the Tor Project comes from the federal government, including a whopping 40 percent from the Department of Defense. (Tor responded in an email published in the Washington Post that these are research grants, and the U.S. government does not control its research or software.)

Now, most unkindly of all, Technology Review is piling on. Last week, the popular technology site reported a study by the same researchers at the University of Luxembourg who earlier in the year found a major security flaw at Tor. In their new study, the researchers have unpeeled a few layers of Tor's celebrated onion of anonymity, releasing a tabulation of the most popular among Tor's "hidden services" -- that is, sites that can be accessed only via Tor itself.

The news wasn't good.

For a site whose glory has long been the image of the courageous freedom fighterr, the results were depressing: "Of the top twenty most popular Tor addresses, eleven are command and control centres for botnets, including all of the top five. Of the rest, five carry adult content, one is for Bitcoin mining and one is the Silk Road marketplace. Two could not be classified." It gets even worse: "The FreedomHosting address is only the 27th most popular address," according to Technology Review.

In other words, the anonymity of Tor appeals principally to botnets, commonly used by spammers; those who peddle or seek pornography; and those who use a marketplace that has been called "Amazon.com for illegal drugs."

So what are the lessons of Tor's long summer? Principally this: We are unlikely ever to be able to ensure our privacy through technical means alone.

Just last week, we learned that the National Security Agency may have developed either decryption capabilities or secret backdoors that enabled it to break most Internet encryption.

Nor can we protect privacy online through laws and court orders. The NSA, we are now told by a federal judge, for three years "frequently and systematically" breached the limits placed on database searches by the Foreign Intelligence Surveillance Court.

Privacy is best understood not so much as a collection of discrete constitutional rights but as a shared sense that it is possible for us to go about the business of daily life protected by a government that neither knows nor cares how we spend the bulk of our time.

But in a world ruled by the Web, privacy in this traditional sense seems so ... 1990s. "There's nothing you or I can do to put the genie back in the bottle," writes security analyst Neil J. Rubenking. "The best we can hope for," he writes, "is to keep the government in check by electing sane, sensible candidates."

That won't be enough. The government's appetite for information isn't going to wane under either party. The bad guys will always be drawn to the shadows. Those who chase them will always find this an adequate reason to ban darkness.

So yes, as Tor users have lately learned, privacy in the traditional sense is most certainly dead. But the killer isn't the NSA. It's the Internet itself -- or, more to the point, our entire reliance on it, our naive belief that we can spend hours each day sending signals into the ether and nobody will pluck them out.

If we don't want anyone to know what we're buying, we'll have to visit brick-and-mortar stores and pay cash. If we don't want those who are sworn to protect us reading our e-mail and listening to our calls, we'll have to meet our friends in person. It's our growing unwillingness to take those time-consuming steps that's killing our privacy.

Stephen L. Carter, is a Bloomberg View columnist and a professor of law at Yale University. He is the author of "The Violence of Peace: America's Wars in the Age of Obama."

Bradenton Herald is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service