FBI Director James Comey said on Thursday that criminals who think they can evade law enforcement using the “dark web” and the Tor Network, which is designed to conceal the Internet addresses of the computers being used, are “kidding themselves.”
Comey was asked about criminal use of the so-called dark web — parts of the Internet walled off from ready access — at a House Intelligence Committee hearing on cybersecurity on Thursday. His answer referenced Tor, which was originally known as “the onion router.”
Speaking in particular of people who view child pornography, Comey said: “They’ll use the onion router to hide their communications. They think that if they go to the dark web … that they can hide from us. They’re kidding themselves, because of the effort that’s been put in by all of us in the government over the last five years or so, that they are out of our view.”
Comey’s statement could be read as an assertion that U.S. law enforcement has found a way to routinely thwart Tor’s system for providing anonymity to users. If that’s Comey’s intended implication, and if it’s true, it would represent an enormous expansion of the U.S. government’s known abilities, as well as a significant blow to privacy advocates.
But online security experts consulted by The Intercept cast doubt on that possibility. And Comey could simply have been referring to the kind of specifically targeted attacks that have been known to be successful in the past.
For instance, a 2013 story based on documents leaked by NSA whistleblower Edward Snowden described how the National Security Agency had developed attacks against people using Tor, by identifying Tor users and then attacking vulnerable software on their computers. But one top-secret presentation, titled “Tor Stinks,” stated: “We will never be able to de-anonymize all Tor users all the time.”
Micah Lee wrote in The Intercept in July about leaked emails from spyware maker Hacking Team indicating that the company had sold the FBI a way to monitor Tor Browser traffic from a target already infected with Hacking Team malware.
And the FBI famously unmasked and arrested the operator of the Tor-enabled drug marketplace Silk Road not by cracking Tor but by chasing other clues, including the sloppy re-use of aliases, and by physically surveilling the operator as he logged in and out of his dark-web site.
But Comey seems to be implying that the FBI has some sort of across-the-board ability to see who is looking at what on the Tor network.
Cryptography expert Bruce Schneier said Comey’s statement should not be taken at face value. Given previous false public statements by intelligence officials, “the truth value is irrelevant,” he said.
“We certainly know that Tor has been broken in the past” using specific exploits, he said. “Do they have a blanket attack? Or is it posturing? Who knows?” He added, “It’s certainly good posturing.”
Chris Soghoian, chief technologist for the American Civil Liberties Union, told The Intercept that Comey is not credible. “The FBI director continues to ignore the consensus of the computer security community when we say there is no way to build a secure backdoor for the government,” Soghoian wrote in an email. “If he continues to ignore experts on this issue, why should we believe what he has to say on something as equally technical as the security of the Tor network? He has every incentive to bluff.”
Comey has recently been making headlines for alleging — also without evidence — that he is increasingly unable to track criminal conduct online due to end-to-end encryption. He has been insisting that tech companies come up with a system that’s secure to everyone except law enforcement — something that tech experts say is flatly impossible.
Soghoian notes that the Tor Browser’s new automatic security updates feature means the FBI can no longer reliably hack large numbers of Tor users with public security exploits for which patches exist.
“Tor is not perfect, for sure,” he wrote. “But it is one of the best tools we have to protect privacy online, largely because researchers have been beating it up, finding and fixing flaws in it for a decade. Much of this research was supported by the U.S. government.”
(The Tor Project, which helps develop Tor and Tor Browser, has received money from the Omidyar Foundation, co-founded by Pierre Omidyar, who funds The Intercept’s parent company, First Look Media.)