On Tuesday, a federal judge in Washington released a court order arguing that users of the digital anonymity tool Tor do not have a reasonable expectation of privacy for their IP address while using the service. The order is part of a case against Brian Farrell, a former employee of digital black market Silk Road.
The Justice Department linked Farrell’s IP address to drug dealing on Silk Road using evidence it obtained through a 2014 subpoena of Carnegie Mellon University’s Software Engineering Institute. CMU researchers were investigating Tor vulnerabilities that could be exploited to de-anonymize users. (Tor has since patched these particular bugs.)
Judge Richard Jones wrote in the court order:
It is the Court’s understanding that in order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed toward their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers. … Such a submission is made despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous. Under these circumstances Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network. In other words, they are taking a significant gamble on any real expectation of privacy under these circumstances.
Motherboard points out that district Judge Robert J. Bryan used similar logic earlier this month in a case where the FBI had gathered evidence from Tor. But since Tor is explicitly an extra privacy measure, his reasoning wasn’t persuasive to everyone. At the time Motherboard wrote,
This makes no sense to anyone with a basic understanding of how Tor works. Just like with any website or service, Tor users do reveal their IP address to an ISP when initially connecting to the Tor network, through an entry point called a guard node. But since Tor bounces data between random nodes located around the world, neither the ISP nor anyone intercepting traffic can correlate which IPs are accessing which sites.
But others see support for this line of reasoning. Orin Kerr, a law professor at George Washington University, directed Ars Technica to a case from 1992 in which the 1st U.S. Circuit Court of Appeals found that shredding documents doesn’t necessarily create an expectation of privacy, even though the action is a safeguard expressly meant to guard privacy. In that case, law enforcement found shredded paper in the garbage and went through the labor-intensive process of piecing the shreds together, which led to discovery of evidence.
Electronic Frontier Foundation staff attorney Mark Rumold disagrees with this interpretation of precedent, though, and told Ars that, “The expectation of privacy analysis has to change when someone is using Tor.”
Expectation of privacy in the digital realm has become a mainstream issue as Apple attempts to resist a court order demanding it unlock the iPhone of one of the San Bernardino shooters. Though Tor is not the only anonymity option out there, it is certainly a bellwether of privacy services.