Rebel NSA and GCHQ agents are actually helping make Tor more secure
For anyone looking to stay anonymous online, Tor seems like an obvious option. At the same time, it could lull users into a false sense of security -- after all, this is a network that was, at least in the past, funded by the military and US government -- and conspiracy theories abound that Tor is nothing more than a honey trap to catch the kind of people who have a need for anonymity because of their nefarious activities. The network has evolved over the years and now agencies such as the NSA in the US and GCHQ in the UK are actively seeking out vulnerabilities so they can crack the network. But the relationships are actually far more complex than that.
According to Andrew Lewman, chief of operations at Tor, the same agencies that are trying to break Tor are also posting tips anonymously about the vulnerabilities that have been found -- giving a chance for them to be patched. Talking to the BBC Lewman said:
There are plenty of people in both organizations who can anonymously leak data to us to say -- maybe you should look here, maybe you should look at this to fix this. And they have.
It’s a story that’s somewhat reminiscent of the Edward Snowden story. The NSA worker became so disillusioned with the activities of the agency that he blew the lid off the kind of surveillance that was, and is, taking place. The heightened awareness of web users’ online visibility that followed led to an increase in the number of people taking steps to preserve their privacy. The likes of Tor have long been used to protect the identities of individuals online, and while there are countless entirely innocent users, it is often also used as a gateway to the "dark web” where rather less legal activities take place.
It is the organized crime, paedophilia, and drug dealing that takes place on the dark web that piqued the interest of the NSA and GCHQ. Understandably keen to find a way to catch the criminals making use of the anonymizing capabilities of the network, the agencies set about trying to crack Tor so individuals of interest could be identified. But Lewman has a "hunch" that, just as was the case with Snowden, not everyone working at the agencies is happy about how it is being approached.
As such, the Tor team receives tip-offs from what he believes to be security agency workers on a just about monthly basis. Because Tor is designed to be anonymous, he cannot prove the identity of those providing hints about vulnerabilities that have been detected, but Lewman is convinced:
Obviously we are not going to ask for any details ...You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don't get to see in most commercial software … The fact that we take a completely anonymous bug report allows them to report to us safely.
Another NSA whistleblower, William Binney, has informed Lewman that the tips are probably coming because agency workers are unhappy that American citizens are being spied on by their own government. Of course, both the NSA and GCHQ have refused to comment on the suggestions, but this is yet another intriguing twist in the ever more complicated tale of online surveillance and the cat-and-mouse games that are underway.