Civil Liberties

Tor Browser Anonymity Compromised, Maybe by the Feds


Well now what?

The Tor Project allows its users to do things like send emails or surf the web anonymously, without fear of surveillance. In the wake of the NSA surveillance revelations, Reason's Ron Bailey suggested it as a tool to keep the government from spying on you, and Nick Gillespie interviewed the development director of the project.

But over the weekend, discovery of some malware suggests user anonymity may be at risk, and the prime suspect is the federal government. Via Wired:

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal "drive-by" hack attack, but nobody's calling in the FBI this time. The FBI is the prime suspect.

"It just sends identifying information to some IP in Reston, Virginia," says reverse-engineer Vlad Tsyrklevich. "It's pretty clear that it's FBI or it's some other law enforcement agency that's U.S.-based."

If Tsrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI's "computer and internet protocol address verifier," or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Wired reporter Kevin Poulsen notes that the discovery coincides with the arrest in Ireland of Eric Eoin Marques, believed by the FBI to be the largest facilitator of child porn on the Internet, and the geographic location of child porn sites have been hidden via Tor's anonymity tools.   

Below, watch Reason TV's interview with Tor's Karen Reilly:

Follow this story and more at Reason 24/7.

Spice up your blog or Website with Reason 24/7 news and Reason articles. You can get the widgets here. If you have a story that would be of interest to Reason's readers please let us know by emailing the 24/7 crew at, or tweet us stories at @reason247.