Federal Agents Pierce Tor Web-Anonymity Tool
Child-Pornography Investigation Gets Around Browser Designed to Mask Identities
By Andrew Grossman
March 31, 2014
WASHINGTON--Law-enforcement agencies are increasingly finding ways to unmask users of a popular Web browser designed to hide identities and allow individuals to exist online anonymously.
To keep their identities secret, users and administrators of a recently shuttered child-pornography website used a browser called Tor that obscures the source of Web traffic, authorities said in March. Agents from Homeland Security Investigations tracked many of them down anyway, largely because of mistakes that even some of the most sophisticated users eventually make.
Tor and other programs designed to hide users' identity online have grown in popularity as people try to protect their privacy in an age of digital surveillance. When paired with bitcoin or other virtual currencies that don't use the banking system, Tor can help hide the identities of people behind financial transactions. Such programs also have become a tool for those seeking to evade the law, including child-pornography traders, hackers and other criminals, creating challenges for law enforcement.
But officials are becoming more confident that Tor's shield of anonymity isn't impenetrable.
"There's not a magic way to trace people [through Tor], so we typically capitalize on human error, looking for whatever clues people leave in their wake," said James Kilpatrick, one of the HSI agents who is part of Operation Round Table, a continuing investigation into a Tor-based child-pornography site that has so far resulted in 25 arrests and the identification of more than 250 victims, all children.
A typical browser sends data along a direct route, making it relatively easy to figure out who is visiting a website, sending messages or downloading material. Tor, which stands for "the onion router," sends data through layers of intermediary computers that can't be peeled back, making it nearly impossible for law enforcement and private companies to track Internet browsing.
"Two years ago...if they ran into Tor, they said, 'It's hopeless,' " said Andrew Lewman, executive director of the nonprofit group that oversees Tor, called Tor Project. But after meetings with agencies including the Federal Bureau of Investigation and the Department of Homeland Security, he noticed their perception started changing. "They finally realized Tor's not this impenetrable thing. Users make mistakes."
Law-enforcement officials are reluctant to talk about specific techniques they use to identify Tor users, but researchers and court documents provide some clues.
Some of the mistakes are old-fashioned: The administrator of the child-pornography site at the center of Operation Round Table was first identified by postal inspectors because he was "sending sex objects through the mail to juveniles," said Mr. Kilpatrick. That site administrator pleaded guilty last week to federal charges that come with a prison sentence of at least 20 years.
Digital forensics were crucial to catching other people allegedly involved in the site, which involved individuals posing as young girls in order to convince boys in their early teens to make sexually explicit videos. In one case, law-enforcement officials said they were able to catch an Australian man who logged into his fake Facebook profile and his real profile once without using Tor or other anonymizing tools.
That man, Mark Warren, is charged in Manhattan federal court with production and receipt of child pornography and extortion, and he is in Australia pending extradition. Information about his lawyer couldn't be obtained.
"Most people don't have the discipline to not make a mistake," Mr. Kilpatrick said. "The average person is too worried about doing their business to never make a mistake."
Tor relies on a large set of relay servers between an end user and the site he is trying to visit. Data takes a constantly shifting path between a few of those servers on its way to and from the user's computer, masking the unique Internet protocol, or IP, address law enforcement needs to match a virtual identity to one in the real world.
Some law-enforcement officials and security researchers say the shakiness of that network itself, which relies on volunteers to use their machines to route data, presents opportunities for authorities to trace users.
Tor Project tries to fix any technical vulnerabilities, but it said staffers have briefed law enforcement on the software, helping them better understand its limitations.
--Devlin Barrett contributed to this article.