Tor is preparing for the fight against relay blocking by creating a system of “bridge nodes”–a constantly changing list of IP addresses through which people can reach the main network of relays. A user can simply send an e-mail asking for a bridge address. Of course, an Iranian censor could also request and block such addresses, but the idea is to defeat such efforts by generating ever more bridges, donated by a wide range of Internet users. And Jonathan Zittrain, a Berkman cofounder and Harvard Law School professor, envisions going even further. “The next big moment that the Tor people haven’t implemented–something in the background, something that would be huge–would be if your use of Tor, by default, makes you a Tor node yourself,” he says. “At that point, it totally scales. The more people use it, the more people can use it.”
As part of a three-year effort to improve the software and expand its use, Tor’s staff and volunteers will step up appeals for Tor users to let their computers serve as bridges to individual users elsewhere. But taking the next step–becoming a relay, or node, potentially available to any Tor traffic–would massively increase the traffic flowing through a user’s computer. If users became nodes by default, it could defeat the purpose of using Tor to remain low key: once a user wandered into a cybercafé to blog anonymously, that terminal would soon stand out as a hub of Internet traffic. What’s more, such a system “sets off an arms race with all the network providers and network administrators,” says Andrew Lewman, Tor’s executive director. “It increases traffic, and we become something they might block, because that’s their job.” Tor would ultimately like to find safe ways to enlist distributed help, but for now, developers are pursuing intermediate goals, such as limiting bulk data transfers and improving the flow among existing Tor relays.
One criticism leveled against Tor is that it can be used not only for good purposes but for bad–protecting distributors of child pornography, for example. Dingledine’s response is that Tor’s protections help law enforcement catch criminals, too, while criminals may find it more effective to use neighbors’ or public Wi-Fi links, or hacked computers, to mask their identities.
Another concern is that circumvention tools–especially those that only use a single proxy, which holds information about who is talking to whom–can create privacy and security worries of their own. Earlier this year, Hal Roberts discovered that certain tools used widely in China–DynaWeb Freegate, GPass, and FirePhoenix–appeared to be offering to sell users’ browsing histories. While there’s no evidence that any individual’s privacy was compromised, the point was made: in many cases, using anonymity or circumvention systems still means trusting an organization with your information–and trusting that its privacy policies can and will be honored. (With Tor, it’s a bit different; since no single relay ever holds the information about the complete route, you must trust the integrity of algorithms that obscure connections between origins and destinations.) “I don’t doubt the dedication of the people hosting these tools, but what I’m concerned about is whether they will protect your data,” Roberts says. “The biggest takeaway is: they have that data.”
Dingledine thinks events will push people to seek the protections that Tor and other tools provide. In 2006, for example, AOL gave away millions of users’ search terms for research purposes. Although the searchers were identified only by random numbers, bloggers and reporters were quickly able to identify individual users from clues based on the search terms. (Since Tor uses a different router pathway for each user each time, it’s impossible to amass such aggregate data about even an anonymously identified Tor user.) Dingledine reasons that each time a national censor blocks news sites and YouTube, or an ISP or website loses or sells or gives away user data, people will seek solutions. “The approach we’ve taken so far is to let the bad guys teach people about it,” he says. “Let the AOLs and the China firewalls screw up. Let everybody read about why they want privacy on the Internet.” More and more people might just decide that enough is enough.
David Talbot is Technology Review’s chief correspondent.