NSA Has Trouble with Tor, Snowden Documents Show

A detail of an NSA presentation slide showing how Tor anonymizes Internet traffic.

UPDATED 9:45 am ET Monday (Oct. 7) with comments from Director of National Intelligence James Clapper.

The National Security Agency can't crack Tor.

That's the upshot of new PowerPoint slides provided by NSA leaker Edward Snowden and released by the British newspaper The Guardian today (Oct. 4). The documents show that the NSA and its British counterpart, GCHQ, have had little success breaking into the Tor Internet anonymizing protocol.

"We will never be able to de-anonymize all Tor users all the time," reads a PowerPoint presentation entitled "Tor Stinks" and meant to be shown to NSA and GCHQ personnel. "With manual analysis, we can de-anonymize a very small fraction of Tor users."

Cryptography expert Bruce Schneier, who is assisting The Guardian with examination of the Snowden files, wrote in a piece on the newspaper's website that NSA and GCHQ have fallen back to attacking flaws in the software and computers running Tor.

"The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers," Schneier wrote, "and not the Tor application directly."

Tor, originally an acronym for "The Onion Router," was initially developed by the U.S. Navy. It is now an open-source project maintained by volunteers, but U.S. government agencies still provide much of its funding.

Tor users install special software that strips identifying information from Internet data packets and sends email, Web pages and other Internet traffic through a hidden network of servers.

Tor has "hundreds of thousands of users," states another purported NSA presentation, classifying those users into "dissidents," "terrorists" and "other targets." (The U.S. State Department advises dissidents in other countries to use Tor to communicate secretly.)

Earlier this week, the U.S. Justice Department took down the Silk Road, a drug-dealing website accessible only through Tor, and arrested a man alleged to be its owner and operator.

The "Tor Stinks" presentation dates from June 2012 and was apparently intended for a two-week "joint NSA/GCHQ counter-Tor workshop."

"Week one at MHS focus on analytics," reads one slide, possibly referring to the GCHQ/NSA radio listening post at Menwith Hill in northern England.

"Week two at GCHQ focus on exploitation," the slide continues, presumably referring to GCHQ's main facility outside Cheltenham in southwestern England.

The slides detail various failed attempts to identify Tor users through wayward browser "cookies," timing of sent messages and other methods.

For a time, another PowerPoint presentation details, it seemed the NSA was able to spy on Tor users who were using a specific build of the Firefox Web browser, but the flaw that permitted the spying was fixed in later versions of Firefox. (The flaw was different from one that the FBI used to catch child-pornography suspects who used Tor.)

The NSA programs that spied on Firefox were called "ERRONEOUSINGENUITY," "EGOTISTICALGOAT" and "EGOTISTICALGIRAFFE."

Other programs, some perhaps not real, mentioned in the documents included "ONIONBREATH," "QUANTUMCOOKIE," "RONIN," "QUICKANT," "GREAT EXPECTATIONS" and "EPICFAIL." 

Ultimately, according to one presentation, the best way to target possible Tor users may be to simply infect their computers with traditional spyware, such as keyloggers or Web-traffic diverters.

"Tor stinks ... but it could be worse," concludes one presentation. "Will never get 100 percent, but we don't need to provide true IPs [Internet Protocol addresses] for every target every time they use Tor."

UPDATE: On his office's Tumblr blog Friday evening, U.S. Director of National Intelligence James R. Clapper posted a statement addressing the revelations in the Guardian story, which were mirrored in a separate Washington Post story.

"The articles fail to make clear that the Intelligence Community's interest in online anonymity services and other online communication and networking tools is based on the undeniable fact that these are the tools our adversaries use to communicate and coordinate attacks against the United States and our allies," Clapper wrote.

"The articles fail to mention that the Intelligence Community is only interested in communication related to valid foreign intelligence and counterintelligence purposes, and that we operate within a strict legal framework that prohibits accessing information related to the innocent online activities of U.S. citizens," he said.

"In the modern telecommunications era, our adversaries have the ability to hide their messages and discussions among those of innocent people around the world," the director of national intelligence stated. "They use the very same social networking sites, encryption tools and other security features that protect our daily online activities."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.