Is Tor still as anonymous as we think?

Reported on Hackread yesterday: this worrisome story of police supposedly breaking Tor in an arrest by deanonymizing Tor users in 2021 (but the story was only revealed now).

As usual, methods were not revealed by the German police and the Tor Project stated that it had not received proof of concept (PoC) or documents independently verifying these claims from German authorities.
So at this time, nobody knows what happened exactly, if this is real or infox; and if we should all panic and stop using Onions…

1 Like

Sources and methods are always going to be the most safeguarded details. I have not kept up with Tor in recent years but know that there have been limitations in the past. Nothing is perfect, and exploits are always being written toward targets of primary interest.

1 Like

It’s not impossible to deanonymize onion traffic (in theory), but it’s more likely that it was done using some other weakness (like users doing something they shouldn’t, forcing traffic outside onion, etc.). This case is not the first time the dark web has been made a bit less shady.

2 Likes
5 Likes

Discussion on Hacker News: Is Tor still safe to use? | Hacker News

1 Like

Tor is still just as anonymous as I thought it was.

3 Likes

As an American user, my primary concern is to ensure that law enforcement follows procedures to obtain a search warrant to acquire user information from computer systems (e.g. they have sufficient reason that they are conducting a search, making it a non-trivial, documented event.) I don’t think of using VPNs, Tor, etc. as an impenetrable defense. It’s better than security-through-anonymity for sure, but given enough computing power, it’s essentially equivalent.

All of these encryption methods definitely provide a measure to prevent casual law-enforcement searches—they can’t simply call an ISP or Google and say, “this is the police, give us all the data you have on user X,” to which the party could simply comply. I think that cracking encryption would fall solidly under the 4th Amendment protections, counting as wire-tapping, and requiring a search warrant, whereas “collecting metadata” or whatever they call it is not.

1 Like

“But we would like to share that the number of exit nodes has significantly increased over the past two years, with over 2,000 now available”
What we need is more nodes and more people using it.

1 Like

Concerned about the law and constitution of your country being abused? I would recommend this excellent essay from Harvard University PhD Shoshana Zuboff, “The Age of Surveillance Capitalism”.

1 Like

My guess is that it would depend on what one uses onions for. Dark Web, Deep Web, whatever - it isn’t all about doing things illegally, though I find that illegal is still the main use.

The plus for the Deep/Dark web that I think should be left alone and well guarded is for whistleblowers to drop data into a box anonymously to a chosen news wire service, NGOs, smuggled news from behind dictators’ walls. There are a few well-known MSM drop-boxes as well as the wires.

But the govt police were after Child Sexual Abuse Material (CSAM), so I have no qualms over any police force that targets that stuff. I can’t think of why I’d argue against that.

In the end, I think they should treat the CEOs of Google and Microsoft’s Bing the same as they treat every other CSAM offender.
Here is why.

  1. Child Abusers Run Rampant as Tech Companies Look the Other Way -- The New York Times

  2. Microsoft Bing Not Only Shows Child Sexual Abuse, It Suggests It -- TechCrunch

The problems are that no one wants to talk about it, and Bing and Google are too big.
Yet Bing and Google can search and scrape CSAM off the net and have been able to, but don’t or won’t (see the New York Times article #1 above…). Why? The problem is bigger than you might think.

~s

1 Like