[liberationtech] Tor, Anonymity, and the Arab Spring: An Interview with Jacob Appelbaum by Ingmar Zahorsky

[Moritz Bartl]

http://www.monitor.upeace.org/innerpg.cfm?id_article=816

Tor, Anonymity, and the Arab Spring: An Interview with Jacob Appelbaum
Ingmar Zahorsky
August 01, 2011

The recent revolution in Egypt that ended the autocratic presidency of
Hosni Mubarak was a modern example of successful nonviolent resistance.
Social Media technologies provided a useful tool for the young activist
to orchestrate this revolution. However the repressive Mubarak regime
prosecuted many activists and censored a number of websites. This made
their activities precarious, making it necessary for activists to hide
their identity on the Internet. The anonymity software Tor was a tool
used by some bloggers, journalists and online activists to protect their
identity and to practice free speech. Jacob Appelbaum, Tor developer,
independent computer security researcher, and co-founder of the the San
Francisco hackerspace Noisebrige has conducted a number of Tor trainings
in the Middle East. In this comprehensive interview, Appelbaum explains
the concept of Tor and how it was used by the people of Egypt.
Furthermore he discusses the possibilities and limitations of anonymity
on the internet and explains why he believes an anonymous person can be
a credible source of information.

What does Tor do and who uses it?

In brief, Tor is an anonymity network that allows people to use the
internet in a way that avoids traffic analysis. So that means that
people who live in an area where there is extensive Internet censorship
can circumvent that Internet censorship using Tor. If people simply wish
to not be profiled online or watched on the Internet, then they can use
Tor as well. It serves as many things because anonymity at the core
means that you have resistance to very serious deep packet inspection in
most cases. Unless Tor itself is blocked, it isn't really possible for
someone to easily distinguish what you are doing with Tor – that is sort
of the purpose of Tor. People use it for all sorts of different reasons.
People in Egypt used it to get around the censorship that was occurring
there, and people use it all over the place for non-censorship reasons.
Police officers use Tor to do investigations, people in countries where
there is no Internet censorship but extensive corporate surveillance use
it – those corporations often look at your IP address, Tor hides your IP
address, and so people often use it to avoid this kind of corporate
profiling.

You might be looking at Tor from a particular perspective – maybe you
are interested in any of those properties or maybe you simply want to be
able to browse the web and see what it looks like to use Google from
Germany, that is also a possibility. In some cases, such as in Egypt,
people get very excited about it, because they think it is a technology
that has this possibility for revolution. I think it is nice that Tor
was probably used by some number of people, although it might have only
been one, it could have been several thousand, who knows. What I think
is nice is that Tor is one of the sort of disruptive technologies that
the Internet makes possible. Such a thing wouldn't be possible without
the Internet and I think that it [the Internet] deserves the credit not
Tor necessarily, not Facebook necessarily although each different
platform that is built on top of the Internet obviously does have a
reason for existing and does deserve some credit to some extent.

Tor is just a network and its a dual use technology - people use it for
good things and they use it for bad things. Ultimately, free speech is
the core of anonymity. There are no payments, there are no logins or
passwords or anything like that. It is just free software that you
download – and we don't just mean free as in beer, we mean free as in
the free network that is available for people to use without cost. The
source code that connects to the network is available for people to
read, to study, to modify, to change, and to distribute their changes.
We are a non-profit that is dedicated to promoting and helping with
anonymity online and the Tor network is one of the things that we
produce. We also produce other software that interfaces with it, so Tor
in a nutshell is quite a lot of things, used by quite a lot of people
and it is in fact made up of those people that use it.

Can you give a concrete example how Tor was used during the revolution
in Egypt?

Because Twitter and other websites were blocked, people in Egypt
actually used Tor as a proxy for their web browser. They knew that they
could install Tor and they would be able to get past the Internet
censorship in their country, which was their primary concern. You know,
Tor is only as secure as the protocols you send across it, except in
certain cases such as this one where you know that the problem is
directly between you and the Internet. In that case, Tor is extremely
secure and no matter what you are doing over Tor you are almost
certainly better off than the government that might arrest you for
behavior you do on the Internet or for other things that they would be
able to detect and log and then later analyze. Using Tor is probably not
a very big deal in these types of investigations, but if they are
looking, for example, for a person posting a photograph to a particular
website at a certain time, if they had that in a log,that could be very
dangerous. If everybody using Tor, you know, is in trouble, that's a lot
more people than just one person at one particular time-frame doing a
particular thing.

It's interesting to note that, from what I understand, people in Egypt,
some of them were in this situation where they were doing things on the
Internet, where they were either being censored or they were worried
that later they would get in trouble for the things that they were
posting, like truthful things that they had seen or witnessed, and so
they used Tor. Obviously I was not in Egypt during this January 25,
January 27th or any of this time this year in fact, so I can only speak
to this as a second hand or first hand relay experience and so having
not seen with my own two eyes what people are doing. Tor as a project as
a network has no idea, there is no way to know except with some
statistical analysis. We published those statistics on our website
(metrix.torproject.org) but other than that we have to rely on what
people tell us. What we have heard is that it is useful and that it has
been quite a help for some people. Many people use other things, virtual
private networks and so forth, but in general it works very well against
the kind of very specific censorship that the Egyptian regime deployed.

Do you believe that with a tool like Tor it is truly possible to be
anonymous on the Internet?

It is possible to do some things anonymously on the Internet. I think
about anonymity like the roots of a tree; if you have someone that is
digging around in the dirt and they run into a broken-off part of the
tree root, they don't realize it is attached with this big structure,
but if you were looking at the tree from above you would be able to look
at the root structures attached to the tree quite easily and you might
even be able to find pieces of the root that have been broken off and
you could see all of these things. So if we all carry cell phones, we
all carry tracking devices, and if we are all carrying tracking devices
one must ask the question how can we have privacy or anonymity? The
answer is when some of the actions you take are not directly attached to
the large data trail you create, some of your actions can be anonymous –
largely, though, they are not. The things that you do on a daily basis
they are all tracked. Your financial transactions, whether or not you
spend cash or credit cards, it doesn't make a difference. There are
different tracking methods for each of those things and so in this
regard privacy is in a lot of ways a very difficult thing to achieve.

When using Tor and the Internet, if you wanted to read the Wikipedia
about the conflict in Egypt but you didn't want anyone to know you were
doing that, Wikipedia would see someone from the Tor network. Your ISP
would not see anything about the Wikipedia, they would only see Tor and
Tor as a network would not know who you were and where you are coming
from; so if you are in Costa Rica, or you are in some other place, they
don't know where you are. The network is segmented in such a way; we
call it “privacy by design”.

There are a lot of cases when using Tor in which you can do things
online that are anonymous. When you use it correctly, you won't have a
thing we call “linkability”. One web browsing session to the next, no
one will know it was you that looked at that page about Egypt's conflict
and then you also looked at a comic book by Guy Delisle by the name of
Shenzhen, which is a well drawn comic about a travel log in China. They
wouldn't know that it was the same person. In that way it is very
anonymous but if you were to log onto the Wikipedia with your real name
and make a lot of edits you would start to leave behind a trail of where
you used Tor often. That would build a profile of you and no amount of
anonymity or security technology really changes the fact that if you say
“my name is Ingmar” – Tor will do its job and route that anonymously
somewhere, but if the other person really believes you are Ingmar, than
its going to be hard to convince them otherwise. No security or
anonymity will change that.

Privacy is really only as good as you make it. In some cases, you can
definitely take action that is hard to trace to you. You can consume or
read things, but if, for example, you were to write a blog post about a
conflict situation that you had seen in a war zone and you were to take
photographs and post it on a blog, your camera has a thing called meta
data, that it embeds into an image. Maybe that includes your camera's
serial number. So now you anonymously posted that photograph and you've
done a writeup. Well your words that you write down are susceptible to a
type of anonymity attack called "Stylometry", which is the idea that you
can characterize a person's writing style and positively identify them
from large bodies of text, so if you were also an experienced journalist
and there were many people that suspected it was you, they could use
these stylometry techniques to look and see if the person that wrote the
anonymous blog post was the same as the person that writes a weekly
column in the local newspaper. That can be a real threat to privacy, so,
you know, you have to be very careful about how you cross your “T”s and
dot your “I”s and of course, your serial number for your camera is also
in that post at the same time and you've even taken another photograph
and put it online somewhere else, so someone will be able to look at
that photograph and see that the serial number is the same so they don't
even have to go to the camera company, they already got you as a suspect.

So, depending on what people are doing, yeah, Tor will help you to be
anonymous in some cases, but that doesn't mean that you will be
perfectly private if the things that you are doing leak information
about you. You have to be very careful about the details and you really
have to take some time to realize that there is a process where
everything that you do might betray you. It is very easy to do this in
the real world, because in the real world we think about it. When you
walk you leave a footprint behind. When you use your credit card you
literally leave your name and number behind, and so, if you have these
situations, its easy you see it with your own eyes – you remember
putting your footprints down, you remember that your shoes have a
particular print on the bottom. You mostly understand this in general in
your own experience in your own life. People notice how you are dressed,
they see this identity that you put forward to the world. With
technology, it is often the case that the identity you put forward to
the world is hidden even from yourself in this way. I mean, the things
that you say are there but there are traits about you that are not
obvious that you are leaving behind. So, yes, Tor can help you to some
degree – it is a very powerful tool in service of your privacy and of
your anonymity – but it isn't a panacea, because you may still do things
that are threatening to your own privacy.

Can an anonymous person have credibility?

Well there are different types of anonymity. For example, location
anonymity means that if you connect to Twitter, Twitter doesn't know if
you are in Costa Rica or in Iran. Can someone who is posting online on a
regular basis on Twitter have credibility? I think so. Because location
anonymity and anonymity from Twitter means almost nothing in the context
of what they are saying. Unless they are saying they are at a particular
place, in which case the burden of proof lies with what they have said.
If what they have said is something that can be cited or is backed up in
some way, then absolutely, anonymous people can have credibility.

Additionally, it is possible that someone can post something a single
time and not sign it and that in itself is a record that brings
credibility by the mere existence of it. For example, a leaked document
is a great example of where an anonymous person speaks out and says this
is something that needs attention, let's look at this, and sure enough
other people will confirm the authenticity of the document. So, an
anonymous person for that moment, that action, sure seems like a
credible thing to me.

There are lots of other examples that are just like this where people
take time to write things down or write them up as it where, and when
they do that, they are able to do this a couple times in a row and in a
sense this is a kind of anonymity, but in another sense its a thing we
call "pseudonymity"; so if I were to write online and I was to say my
name is ioerror, that is the kind of anonymity. I am actually that
anonymous person but I claim to be a person called “ioerror” and that is
my nickname, my pseudonym, and you know, when I post on Twitter, people
see these things that I am posting online and there is some ability for
someone to read what I said or see what I said and to determine if it is
something that interests them and if it is verifiable, whether or not
they actually have seen my drivers license to know my real name or my
passport or my birth certificate; all that is kind of irrelevant.

We live in a world where for the most part we use our real names to
interface with people, but really what we do is we leave behind a bunch
of digital trails, like our preferred login name or a style of writing
or whatever. These are like facets of our identity that we leave behind,
little tiny pieces here and there and they make up the whole that we
experience and then we think of our own experience and say “oh we have
no privacy”, or “oh no, we have no anonymity”. When you look at just a
piece of someone else you might think, “how can you have credibility
there because they are just an anonymous person?”, but if you can sew a
thread together or if the thing that's said is factual, you can back it
up if there is something to it, and it seems likely and so forth, than
it is absolutely possible to have credibility.

At the same time, just because someone has said something that does not
make it credible and it doesn't mean that because they are anonymous
they have some noble goal or they have something they want to say that
really needs to be heard. It is important to note that there isn't some
amazing magical thing in itself that gives anonymity some value. The
things that need to be said probably still need to be vetted in some way.

Ingmar Zahorsky is a Master degree candidate in Media, Peace & Conflict
Studies. He is a German born international journalist with an interest
in social justice, new media activism and cultural explorations.

-- 
Moritz Bartl
https://www.torservers.net/