When free-software communities unite for privacy

At DebConf25 in Brest, France, the talk "When Free Software Communities Unite: Tails, Tor, and the Fight for Privacy" was delivered by a man who introduced himself only as intrigeri. He delivered an overview of the Tor Project, its mission, and the projects under the umbrella. He also spoke about how the organization depends on Debian, and plans for the software it delivers.

It is entirely fitting that a talk on protecting user privacy and anonymity would be given by a speaker who does not reveal their full name in person or online. The Tor Project is a non-profit organization with a global community of volunteers who work together to produce "a lot of software", intrigeri said.

He did not cover all of the software produced by the organization, and when one says "Tor" some disambiguation is necessary. Tor may refer to several things. It could refer to the organization itself, or the Tor network, which is the overlay network that runs through Tor network relays operated by volunteers, using a technique known as onion routing. Internet traffic is routed through Tor relays to obfuscate a user's location and destination to deter network surveillance or traffic analysis from determining what a user is doing online.

It could also refer to the Tor software used to connect to the Tor network or the software to set up and run Tor relays.

The project also provides the Tor web browser and Tails, which is a Debian-based operating system meant to be run from a USB thumb drive. Intrigeri has been a Debian developer for many years and runs the Tor Project's Tails team. The project's GitLab instance hosts all of the software it provides.

The problem that Tor is trying to solve with all of this software is that internet service providers (ISPs), commercial interests, or governments are able to identify and track users' activity on the internet. Encryption alone is not enough, he said, to provide anonymity. It does not hide who is talking to whom or who is visiting a web site; encryption only masks the content of communications, not the participants.

Tor tries to provide ways for users to communicate and use the internet anonymously, without fear that they'll be spied upon. For some users—such as whistleblowers, victims of domestic abuse, and dissidents in oppressive countries—the preservation of anonymity is not only about protecting one's rights on principle, it is a matter of safety.

ISPs or government entities like the US National Security Agency (NSA) can figure out who is visiting a site or which users are talking to one another if those connections are made directly over the internet. Even when communications are encrypted, a user's "social graph" may be exposed via metadata. Here he displayed a slide that quoted former NSA director Michael Hayden, who said: "We kill people based on metadata."

In practice, people rarely care about anonymity, he said, so it is necessary to position Tor appropriately for the audience. If he talks to a private citizen, he says "I work on privacy software". If he is speaking to a business, on the other hand, he says that Tor works on network security. When talking to governments, he describes Tor as providing "traffic-analysis resistance", and for human-rights activists, "Tor provides reachability". Here intrigeri used the example of people in Iran or Russia trying to communicate with people in other countries.

If Tor only worked for one of the use cases, such as user anonymity, then "the other three would try to fight it". By addressing the interests of individuals, businesses, governments, and human-rights activists, "all of these people who would not be aligned, or would be adversaries, have some interest in working together".

Evil relays

Many people use commercial virtual private networks (VPNs), which relay traffic through a remote server in an attempt to provide online privacy. But there is the possibility, he mentioned, of an "evil relay"—such as a VPN provider that tracks users or provides information to other parties. Even if the VPN provider is trustworthy, he said, observers can use timing analysis to determine who is connecting to what.

Tor solves this by using multiple relays. One relay knows who is connecting, but "no single relay has all the information" about users and their connections. Even then, he said that using Tor at the network level only hides a user's IP address; there is still information in the network packets that can leak information the user does not want leaked that can uniquely identify them. "As soon as you're unique, you're traceable." That is why the Tor Project provides the Tor Browser, which is Firefox-based and tries to ensure that it does not send information that can uniquely identify a user by fingerprinting their browser.

Some users may think that is what Chrome's incognito mode or Firefox's private browsing mode do; it is not. "That does not do much, it leaves fewer traces on the hard drive, that's about it", he said. For the threat model Tor considers, "it does nothing at all". To emphasize the point, he put up a slide with a cartoon mocking a Chrome user trying to use incognito mode to hide their browsing habits.

Tails and Tor

Of course, some internet activities take place outside the web browser. Users who need anonymity beyond web browsing can look to Tails. Intrigeri said that Tails provides a digital-security toolbox with safe defaults for working with sensitive documents and more. He described it as "amnesia by default" since Tails is meant to be run from a USB stick and leave no traces on the system it runs on.

Tails was first announced in 2009 under the name Amnesia, but the project was not part of the Tor organization until last September. The announcement said that talks began between the two organizations in 2023 because Tails had "outgrown its existing structure". Intrigeri said that the Tails team can now focus on improving Tails and leaves fundraising and running the organization to the Tor Project. "I'm glad. I was not very good at it." Tails is now more sustainable and able to focus on its core mission thanks to combining efforts.

He is happy with the merger, and not just because he has been able to leave fundraising behind. He said that being part of the Tor organization means that the collective is now better equipped to react to censorship and decide what piece of the software stack is best to help solve the problem. Some problems may be best solved with improvements to the Tor Browser, some with Tails, and some at the Tor network level. There are also better training and outreach opportunities now that the organizations have combined.

Thanks, Debian

He noted that speaking at DebConf was a natural fit for Tails and Tor because the organization owes so much to Debian; in addition to being the base distribution for Tails, Debian is the base for Tor's infrastructure as well. Currently, Tor has more than 100 hosts running Debian, and he wanted to say "thank you".

Intrigeri also described Tails as a "gateway to free software". Many users of Tails have never used Linux before they reach for the distribution; "before they were just using macOS or Windows". After experiencing Tails, he said, users may want something similar for day-to-day usage when anonymity is not required. It is not a one-way street, however. "A bunch of people become contributors in free software through Tails", and the Tails project contributes back to Debian as well. For example, members of the Tails team help to maintain AppArmor in Debian, as well as the puppetserver package, and others.

What have you done for me lately?

Lately, Tor has been working on a number of new projects or enhancing existing ones. He said that Tor has been focusing on a "comprehensive approach to anonymity and privacy protections", which includes meeting users where they are. For example, many users' primary method of connecting to the internet is via their phone, not a desktop or laptop. In countries with heavy censorship, where the Tor network itself is blocked, users can connect to relays via bridges, which are Tor relays that are not listed in the Tor directory and use obfuscation to make it hard to detect as a relay.

Until recently, though, connecting to a bridge on a mobile phone was difficult and cumbersome. In April, Tor announced the addition of Connection Assist for Android in Tor Browser 14.5. This feature made it possible for Android users to more easily connect to Tor bridges, something that had only been available on the desktop version of Tor Browser.

He also discussed some of the anti-censorship tools from the project that had been introduced or improved lately, including WebTunnel and Snowflake. WebTunnel, which was announced last March, mimics encrypted web traffic (HTTPS) to fool observers into thinking that a user is simply browsing the web. In reality, it acts as a secret bridge to the Tor network. Users visit the get bridges for Tor page, copy the bridge information, and then use that to configure the Tor Browser to use WebTunnel to hide the fact that they are using the Tor network.

Snowflake is another technology to help "give censorship the slip" where Tor is blocked. Users who cannot connect to Tor ordinarily can use Snowflake to connect via WebRTC; to observers it appears as if the user is simply making a video call. Users whose internet access is uncensored use the Snowflake extension to act as a Tor relay, with the inbound connection coming via WebRTC, allowing Snowflake users to piggyback on their connection. Last year, Tor added a Snowflake extension for Chrome browser users that allows users to share their connection with other users; extensions were already available for Firefox and Microsoft Edge.

The organization also spends a fair amount of time trying to optimize its services and evade not only censorship but attempts to infiltrate the networks. Intrigeri mentioned that one of the ways that users in Russia get information about Tor bridges is via Telegram and the Tor Project realized that there was an unusual amount of new accounts on Telegram requesting bridge information. The purpose of this was likely to find Tor bridges and block them. To prevent that, the project started to send new accounts to one set of bridges and direct older Telegram accounts to a different set.

After the talk I spoke with intrigeri briefly. He said that the project has to be conservative in its response to new tactics in the arms race between Tor and its opponents in order to keep an upper hand. If the project pushes out several new features or practices to thwart censorship before they are needed, its opponents can start trying to subvert them immediately. By waiting, the project can extend the lifetime of its defense.

On the financial front, intrigeri mentioned that the Tor Project had worked to "align with a new set of funders globally", with a mix of funding coming from individual giving, international grants, and "value-aligned companies". There was a bit of applause in the room when he added that the organization was now receiving 20% of its funding from the US government; that was down from 50% at one point. That meant that "the last ten months have been less stressful for Tor than for other organizations".

Keeping data safe

Even though Tails is designed to leave no data behind on the computer it runs on, users still need to store documents and other data. Tails is meant to be a "safe for sensitive material", but there is a challenge: an operating system that runs from a USB stick is especially prone to data loss because USB sticks tend to fail. Cheaper USB sticks, which are often all that is available to lower-income users globally, fail faster. It is also not safe to assume that users have substantial technical education or access to backups.

That means that the project has been working on, and has outstanding goals for, additional safeguards of user data. For example, with the 6.0 release, Tails added error detection for reading and writing to USB sticks. The project also has documentation for data recovery. He said that there is work toward warning users about the dangers of unplugging the USB stick before shutting down Tails and a plan to add a better data-backup feature.

Like it or not, he said, "people use smartphones", and they use messaging apps on smartphones. The project has conducted interviews with a variety of users—digital-security trainers working with human-rights organizations, journalists investigating state surveillance, environmental activists, and others—as a result it realizes that there is a need to provide messaging applications in Tails for communicating with people who only use smartphones. "'Install this app so we can talk' is not ideal; a stumbling block to have a conversation can be a problem." There is no one-size-fits-all solution, but Signal is the "top priority" application to support, as well as Wire and WhatsApp.

As he came to the end of his allotted time, he reminded the audience that its support matters and encouraged people to provide support in the form of running Snowflake proxies, Tor relays, monetary donations, and keeping Debian great.

During the question period, I asked whether the Tor Project provided any legal resources to those who ran Tor proxies, since it was possible that there is some legal risk in doing so. He said that the real risk is in running an exit node—the one that connects directly to whatever sites or resources that Tor users are connecting to. It is possible to operate a Tor relay that is not an exit node, so users concerned with legal risk can opt not to run an exit node. In answer to the direct question, he said that Tor does not provide any legal resources, but there are groups that "bring people together and pool resources, including legal ones", that might be available to support Tor users and proxy operators.

As Q&A time wound up a plane passed overhead rather loudly. As the noise subsided, he deadpanned that it was odd: "usually it's a black helicopter". It's hard to imagine a better exit line than that for a talk on Tor and its assorted projects.

[Thanks to the Linux Foundation, LWN's travel sponsor, for funding my travel to Brest for DebConf25.]