EPIC v. BBG is a Freedom of Information Act case in which EPIC is seeking documents related to the Broadcasting Board of Governor’s (BBG’s) surveillance of internet traffic traveling through The Onion Router (Tor).
Tor is software currently maintained by The Tor Project, Inc. and the Tor Solution Corporation. Internet users around the world use Tor to maintain anonymity and circumvent Internet restrictions. It works by encrypting Internet data and routing it through a series of “nodes” hosted by volunteers to create a secure relay between the user and their destination. This obscures both the origin and destination of the user. Tor is used by academics, political dissidents, law enforcement, journalists, whistleblowers, NGOs, the U.S. Navy, and everyday individuals.Tor adheres to a policy of openness and transparency in its own management while working to protect the anonymity of its users. To that end, Tor publishes its list of sponsors, its open-source software, its financial reports, documentation, and lists of projects. Tor provides an invaluable tool for encrypted web use.
The NSA’s Involvement in Cryptography
The National Security Agency (NSA) developed the cryptographic algorithm, known as Skipjack, underlying the Clipper Chip, a cryptographic device purportedly intended to protect private communications while at the same time permitting government agents to obtain the “keys” upon presentation of what has been vaguely characterized as “legal authorization.” The “keys” are held by two government “escrow agents” and would enable the government to access the encrypted private communication. While Clipper would be used to encrypt voice transmissions, a similar chip known as Capstone would be used to encrypt data.
EPIC, along with other privacy organizations and technologists, challenged the proposal. In addition to subjecting the public to increased surveillance, the design of the Clipper Chip was classified, and therefore the strength of its algorithm could not be evaluated by the public. By 1996, following intense public opposition, the Clipper Chip was defunct.
Despite losing the public debate over the Clipper Chip, the NSA has introduced vulnerabilities into many of the encryption technologies used by Internet consumers. These vulnerabilities have allowed the NSA to defeat the encryption that protects the personal data and communications of individuals. The agency has accomplished this through collaboration with technology companies, covert influence in encryption standard-setting processes, and brute-force decryption using supercomputers.
The NSA’s Attempts to Undermine Tor
On October 4, 2013, The Guardian published a set of PowerPoint slides from GCHQ, the British counterpart to NSA. The slides reveal that the NSA and GCHQ have attempted to find ways to break the Tor privacy network. The documents reveal that the agencies run Tor nodes, exploit vulnerabilities in the Tor/Firefox bundle, and host secret servers to redirect users to malware-injecting websites that allows the NSA to compromise individuals’ computers. They also use Doubleclick advertising cookies to try to identify Tor users.
Despite the efforts of the NSA and GCHQ, the documents reveal that the intelligence community has had limited success compromising the Tor network. The NSA has only been successful in identifying Tor users on an individual basis, often by exploiting a weakness in the user’s web browser. The anonymity provided by the Tor network allows NSA can differentiate between Tor users and non-Tor users, since the former all look the same and the latter are individually identifiable. Technologist Bruce Schneier explained in The Guardian, “The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.” A slide in one of the presentations, titled “Tor Stinks”, concludes that the intelligence community will “never be able to de-anonymize all Tor users all the time.”
Since the June 2013 revelations of NSA surveillance of electronic communications, there has been a dramatic increase in interest for anonymity and encryption tools. On September 5, 2013, it was revealed that the NSA had compromised many of the encryption technologies used by consumers and citizens on the Internet. Through covert partnerships with internet providers and software developers, the NSA has built in secret “backdoors,” or deliberate network vulnerabilities, that allow the agency to surveil, decrypt, collect, and even control the flow of user data. According to top-secret NSA documents published in The Guardian, The New York Times, and ProPublica, “For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely-used Internet encryption technologies… Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.” The Washington Post noted that sixty percent of Tor’s funding comes from the Department of Defense, prompting the paper to ask whether the network suffered from similar backdoors and vulnerabilities. That story was followed quickly by a report that Tor was being used to spread malware that could identify Tor users. As of October 2013, the slides published by The Guardian confirm that the NSA is playing an active role in trying to undermine Tor’s cryptographic standards. By hosting exit nodes, the intelligence community is attempting to monitor and control segments of Tor traffic. Additionally, the NSA is working to de-anonymize Tor users.
EPIC’s interest in the federal government’s attempts to undermine the Tor network reflects EPIC’s longstanding concern about the role of the NSA in the creation and control of cryptographic standards. Last year, Tor’s major funders were the BBG, Department of State, and Department of Defense – which houses the NSA. While Tor has published the details of its interactions with the BBG, EPIC’s FOIA request seeks to discover whether the BBG controls other records which could shed light on the extent of the federal government’s interest in the public’s ability to encrypt.
EPIC’s Freedom of Information Act Request and Subsequent Lawsuit
On May 31, 2013, EPIC submitted a FOIA request to the BBG requesting:
- All agreements and contracts concerning BBG funding or sponsorship of The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group;
- Technical specifications of all BBG computers running Tor nodes;
- All reports related to BBG’s modification of the Tor software; and
- All agreements and contracts between the BBG and The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group regarding features or capabilities in the Tor software.
EPIC v. BBG, No. 13-01326 (D.D.C. Sep. 9, 2013)
- EPIC’s FOIA Request (May 31, 2013)
- EPIC’s FOIA Appeal (July 26, 2013)
- BBG Request Reponse (July 26, 2013)
- BBG Appeal Response (Aug. 2. 2013)
- BBG Document Production (Aug. 12, 2013)
- Computer Professionals for Social Responsibility v. NSA, C.A. No. 93-1074-RMU (D.D.C. 1993)
- In re EPIC – NSA Telephone Records Surveillance, No. 13-58 (2013)
- EPIC NSA Petition, last updated Aug. 23, 2013
- The Tor Project, About Tor, 2013.
- The Tor Project, Tor Sponsors, 2013.
- Broadcasting Board of Governors, 2012 Technology, Services, & Innovation Annual Performance Report, January 2013.
- Broadcasting Board of Governors, Internet Anti-Censorship Fact Sheet, May 2013.
- Lauren Kirchner, Why journalists can still trust Tor, Columbia Journalism Review (Oct. 8, 2013)
- James Ball, Bruce Schneier and Glenn Greenwald, NSA and GCHQ target Tor network that protects anonymity of web users, The Guardian (Oct. 4, 2013)
- Bruce Schneier, How the NSA Thinks About Secrecy and Risk, The Atlantic (Oct. 4, 2013)
- Bruce Schneier, Attacking Tor: how the NSA targets users’ online anonymity, The Guardian (Oct. 4, 2013)
- Bruce Schneier, Why the NSA’s attacks on the internet must be made public, The Guardian (Oct. 4, 2013)
- Kate Tummarello, NSA tried, largely failed to crack Tor network, The Hill (Oct. 4, 2013)
- Charles Arthur, Major US security company warns over NSA link to encryption formula, The Guardian (Sep. 21, 2013)
- Ryan Gallagher, Cryptographers Attack NSA’s Secret Effort to Subvert Internet Security, Slate (Sep. 18, 2013)
- The NSA and cryptography: Cracked credibility, The Economist (Sept. 14, 2013)
- Kevin Poulsen, FBI Admits It Controlled Tor Servers Behind Mass Malware Attack, Wired (Sep. 13, 2013)
- Greg Thomas, Pirates In Germany Dodge the NSA’s Watchful Gaze, The Atlantic (Sep. 10, 2013)
- Ryan Gallagher, New Snowden Documents Show NSA Deemed Google Networks a “Target”, Slate (Sep. 9, 2013)
- John Biggs, The NSA Can Read Some Encrypted Tor Traffic, Tech Crunch (Sep. 7, 2013)
- Dan Goodin, Majority of Tor crypto keys could be broken by NSA, researcher says, Ars Technica (Sep. 6, 2013)
- Brian Fung, The feds pay for 60 percent of Tor’s development. Can users trust it?, Washington Post (Sep. 6, 2013)
- Matthew Green, On the NSA (blog post), A Few Thoughts on Cryptographic Engineering (Sep. 5, 2013)
- James Ball, Julian Borger, and Glen Greenwald, Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian (Sep. 5, 2013)
- Nicole Perlroth, Jeff Larson, and Scott Shane, N.S.A. Able to Foil Basic Safeguards of Privacy on Web, New York Times (Sep. 5, 2013)
- Brian Fung, We’ve all practically given up on internet privacy. Here’s how not to, Washington Post (Sep. 5, 2013)
- Andrea Peterson, A bunch of Tor sites spread malware. Was the FBI behind it?, Washington Post (Aug. 5, 2013)
- Rodger Dingledine, Rodger’s status report, The Tor Project (Jan. 10, 2013)
- Cory Doctorow, Tor project considers covering costs for exit nodes, Boing Boing (Jul. 26, 2012)
- Brad Chacos, Tor Project Considers Paying Users $100/mo. For Operating High-Speed Tor Relays, Maximum PC (Jul. 25, 2012)
- Darren Pauli, Tor Project mulls $100 cheque for exit relay hosts, SC Magazine (July 25, 2012)
- Turning funding into more exit relays, The Tor Project (July 24, 2012)