The NSA called it “the king” of Internet anonymity. But while the privacy-protecting Tor browser has proven to be a serious burden to the spy agency, that hasn’t stopped it trying to secretly subvert the popular counter-surveillance tool.
On Friday, newly released documents leaked by former NSA contractor Edward Snowden revealed the extent of the agency’s attempts to monitor Tor users’ Internet activity. Top-secret slides shed light on how the NSA has worked to infiltrate the Tor anonymity network in apparent cooperation with allied agencies in Britain and the other members of the “Five Eyes” network—Australia, New Zealand, and Canada. But the spies’ efforts to infiltrate Tor have not been entirely successful, which will come as welcome news to privacy advocates. One NSA slide notes: “we will never be able to de-anonymize all Tor users all the time.”
Tor works by masking users’ IP addresses, bouncing their connection through a complex network of computers. Each day, the tool is used by about 500,000 people, many of whom are pro-democracy activists in authoritarian countries, journalists, human rights advocates, and others whose work can be compromised by government surveillance or censorship. But the software can also be used by criminal groups and terrorist plotters, which makes it of particular interest to spy agencies.
According to the leaked slides published Friday by the Guardian, the NSA has devised a way to identify targeted Tor users, and it has the capacity to covertly redirect targets to a set of special servers called “FoxAcid.” Once a user is identified as a target, the spy agency can try to infect that user with malware by preying on software vulnerabilities in the Mozilla Firefox browser. This capability was hinted at in a report by Brazilian TV show Fantastico in September. As I noted at the time, the British spy agency GCHQ appeared to be monitoring Tor users as part of a program called “Flying Pig.”
Notably, the leaked Snowden files on Tor may shed light on some of the tactics used by the U.S. government to identify the recently outed alleged mastermind of the Silk Road online drug empire. Silk Road operated on a hidden Tor server, which was tracked down by the feds and shut down. Back in August, the feds also managed to shut down a Tor server allegedly used to host images of child abuse. In a malware attack that was linked by researchers to the NSA, the FBI reportedly exploited a Mozilla vulnerability to target users—similar to the spy methods described in the Snowden documents.
Going after Tor users is clearly not easy for the spies, however, and they appear to have considered sabotaging the anonymity tool because it has proven difficult to infiltrate. One NSA presentation titled “Tor Stinks” shows the agency considering whether it would be possible to “deny/degrade/disrupt Tor users.” One option for degrading the stability of Tor posed by the NSA, the 2012 presentation states, could be to set up a “relay” used by Tor users to access the service but deliberately make it frustratingly slow in order to destabilize the network. Other slides suggest British spooks at GCHQ set up clandestine Tor “nodes” used to monitor users, with Australia’s Defense Signals Directorate also assisting in GCHQ’s efforts.
Somewhat ironically, the Tor Project was originally born out of a U.S. Navy program to protect government communications. The initiative still receives a large portion of its funding from the U.S. government: In 2012, for instance, the State Department and the Defense Department wrote checks to the Tor Project worth more than $1.2 million. This means that the U.S. government is publicly investing in keeping Tor strong—while at the same time, in secret, the NSA is trying to weaken it.