EPIC v. BBG is a Freedom of Information Act case in which EPIC is seeking documents related to the Broadcasting Board of Governor’s (BBG’s) surveillance of internet traffic traveling through The Onion Router (Tor).
Tor is software currently maintained by The Tor Project, Inc. and the Tor Solution Corporation. Internet users around the world use Tor to maintain anonymity and circumvent Internet restrictions. It works by encrypting Internet data and routing it through a series of “nodes” hosted by volunteers to create a secure relay between the user and their destination. This obscures both the origin and destination of the user. Tor is used by academics, political dissidents, law enforcement, journalists, whistleblowers, NGOs, the U.S. Navy, and everyday individuals.Tor adheres to a policy of openness and transparency in its own management while working to protect the anonymity of its users. To that end, Tor publishes its list of sponsors, its open-source software, its financial reports, documentation, and lists of projects. Tor provides an invaluable tool for encrypted web use.
The NSA’s Involvement in Cryptography
The National Security Agency (NSA) developed the cryptographic algorithm, known as Skipjack, underlying the Clipper Chip, a cryptographic device purportedly intended to protect private communications while at the same time permitting government agents to obtain the “keys” upon presentation of what has been vaguely characterized as “legal authorization.” The “keys” are held by two government “escrow agents” and would enable the government to access the encrypted private communication. While Clipper would be used to encrypt voice transmissions, a similar chip known as Capstone would be used to encrypt data.
EPIC, along with other privacy organizations and technologists, challenged the proposal. In addition to subjecting the public to increased surveillance, the design of the Clipper Chip was classified, and therefore the strength of its algorithm could not be evaluated by the public. By 1996, following intense public opposition, the Clipper Chip was defunct.
Despite losing the public debate over the Clipper Chip, the NSA has introduced vulnerabilities into many of the encryption technologies used by Internet consumers. These vulnerabilities have allowed the NSA to defeat the encryption that protects the personal data and communications of individuals. The agency has accomplished this through collaboration with technology companies, covert influence in encryption standard-setting processes, and brute-force decryption using supercomputers.
The NSA’s Attempts to Undermine Tor
On October 4, 2013, The Guardian published a set of PowerPoint slides from GCHQ, the British counterpart to NSA. The slides reveal that the NSA and GCHQ have attempted to find ways to break the Tor privacy network. The documents reveal that the agencies run Tor nodes, exploit vulnerabilities in the Tor/Firefox bundle, and host secret servers to redirect users to malware-injecting websites that allows the NSA to compromise individuals’ computers. They also use Doubleclick advertising cookies to try to identify Tor users.
Despite the efforts of the NSA and GCHQ, the documents reveal that the intelligence community has had limited success compromising the Tor network. The NSA has only been successful in identifying Tor users on an individual basis, often by exploiting a weakness in the user’s web browser. The anonymity provided by the Tor network allows NSA can differentiate between Tor users and non-Tor users, since the former all look the same and the latter are individually identifiable. Technologist Bruce Schneier explained in The Guardian, “The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.” A slide in one of the presentations, titled “Tor Stinks”, concludes that the intelligence community will “never be able to de-anonymize all Tor users all the time.”
Since the June 2013 revelations of NSA surveillance of electronic communications, there has been a dramatic increase in interest for anonymity and encryption tools. On September 5, 2013, it was revealed that the NSA had compromised many of the encryption technologies used by consumers and citizens on the Internet. Through covert partnerships with internet providers and software developers, the NSA has built in secret “backdoors,” or deliberate network vulnerabilities, that allow the agency to surveil, decrypt, collect, and even control the flow of user data. According to top-secret NSA documents published in The Guardian, The New York Times, and ProPublica, “For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely-used Internet encryption technologies… Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.” The Washington Post noted that sixty percent of Tor’s funding comes from the Department of Defense, prompting the paper to ask whether the network suffered from similar backdoors and vulnerabilities. That story was followed quickly by a report that Tor was being used to spread malware that could identify Tor users. As of October 2013, the slides published by The Guardian confirm that the NSA is playing an active role in trying to undermine Tor’s cryptographic standards. By hosting exit nodes, the intelligence community is attempting to monitor and control segments of Tor traffic. Additionally, the NSA is working to de-anonymize Tor users.
EPIC’s interest in the federal government’s attempts to undermine the Tor network reflects EPIC’s longstanding concern about the role of the NSA in the creation and control of cryptographic standards. Last year, Tor’s major funders were the BBG, Department of State, and Department of Defense – which houses the NSA. While Tor has published the details of its interactions with the BBG, EPIC’s FOIA request seeks to discover whether the BBG controls other records which could shed light on the extent of the federal government’s interest in the public’s ability to encrypt.
EPIC’s Freedom of Information Act Request and Subsequent Lawsuit
On May 31, 2013, EPIC submitted a FOIA request to the BBG requesting:
All agreements and contracts concerning BBG funding or sponsorship of The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group;
Technical specifications of all BBG computers running Tor nodes;
All reports related to BBG’s modification of the Tor software; and
All agreements and contracts between the BBG and The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group regarding features or capabilities in the Tor software.