Tor Considered Harmful

Pat Gunn
18 July 2008
This paper is released into the public domain.

In this paper, I argue that tor, a piece of network software designed for anonymity, while very useful under some circumstances is also very antisocial and harmful to the internet community.

Tor was designed to provide a way for its users to access internet services without revealing the traditional information about themselves that normal internet communication reveals. Ordinarily, communication on the internet consists of packets with a known from and to address on both sides (the IP Address). Various tools (whois, nslookup, traceroute) can be used to get further information on an IP address, often identifying the rough location of the user (e.g. Bremen or North London) and their ISP (e.g. the University of Toronto or Comcast Cable). Running a tor client, traffic is passed through a network of volunteer servers (the "tor cloud", which uses encryption between these systems to prevent volunteers from comprimising the network), eventually reaching an "exit node" which communicates with the target system. This target system (be it a web server or something else) would thus see the exit node as being the source of the communication, not the original user's IP, and return communication would similarly pass through the tor cloud back to the original user.

Tor has been used for a number of purposes, many of them highly regarded. On networks which have a network policy prohibiting access to some sites, use of tor will allow users to connect to the sites. A highly celebrated use of this has been to circumvent national firewalls such as those in Saudi Arabia, Qatar, and China (which have been known to block access to pornography and anti-government sites, among other things). Likewise, people have been able to anonymously upload information to sites such as Wikileaks and FuckedCompany (both of which collect and publish exposes) with less fear of being identified. Finally, security advocates in general have felt more secure with casual webbrowsing and internet use, knowing that various forms of identification (from those tied to search engine and social sites to advertising networks) markers would be more difficult to make.

Internet practice has long had a certain amount of reliance on IP address reliability - features such as statistics, responsibility, and managability are all built on IP addresses being genuine. Services such as WHOIS rely on the requirement that domain registrars collect and publish information on people who have been allocated a domain - any owner of a domain is obligated to have email and contact information available, this being requestable through a WHOIS client. Similarly, ISPs typically provide DNS records for routers that provide some amount of location information. Sites often use these databases to learn patterns from visitor logs (e.g. 20% of our visitors come from Peru). The notion of being responsible for one's actions on the internet means responsibility for internet traffic that routes through one's system - if one, for example, makes death threats through email or stalks someone online, police can, with a subpoena, get connection records from the ISP that owns those IP addresses to identify the problem user. Finally, as a given user typically only has one (or a limited pool of) IP address they can use, those who run a service (e.g. an online game, a website, etc) have long had the option to throttle traffic or block it to troublesome users with only limited collateral damage by blocking an IP range (the use of technologies such as NAT somewhat widens the damage possible). Some high-traffic sites also attempt to be better network citizens by sending users to more network-nearby mirrors for high-bandwidth content, using IP addresses to do this (this is not strictly defeated with tor, depending on what protocols are used and whether exit nodes can switch between selection and beginning of content dispatch).

Most of these means and assumptions are broken by users of tor - because no information is provided about the actual origin of communication, automated and manual management of how users use services are prevented to site management. In an all-tor world, no meaningful statistics or information can be extracted from access logs, harmful acts cannot be tracked back to their source, problem users cannot easily be blocked, and efforts to reduce network usage based on IP are at least partially hampered. Those administering a network (public, like an ISP or coffeeshop, or private, like a business) cannot easily establish/enforce a network policy when tor is used. All of these are intrinsic problems, being necessarily tied to eliminating assumptions of responsibility/reliability for/of IP addresses. Tor is a bad internet citizen, being "all-elbows" in how it breaks all these internet traditions and making management of networks impossible. In practice, many prominent sites (like Wikipedia and many online games) partly or wholly block tor to the best of their ability, and occasionally computers have been impounded when they were used as an exit node for criminal acts (such systems are typically configured not to log traffic that passes through, although their involvement in the crime has not always protected them from this treatment).

The principle of network responsibility is too important to give up - while the benefits of tor are apparent and attractive, the results of an internet with no responsibility and no management are not acceptable. Those who run a system that is part of a tor cloud, because the network is designed to act as a block for such responsibility, should be considered partly complicit in any illegal or problematic acts that happen through their network (to a degree further than coffeeshops which provide free, anonymous internet, because there is no intent to obscure and some information is preserved, namely that the person in question was there). It would be impossible to stop development of software such as tor even given widespread condemnation of its goals, but just like with those providing impartial shelter to anyone (criminal or not), those that operate the network should expect to bear the consequences of their act. The benefits of tor are not detachable from their benefits, and reaching a comprimise that would not be routed around would be difficult at best. Unless society is willing to consider the internet part of reality that is truly lawless, the existing lack of liability in running tor must be breached.