EPIC v. BBG - Tor
- NSA Violated Law Thousands of Times and Intercepted American Communications: An internal audit has revealed that the NSA violated both legal rules and privacy restrictions thousands of times each year since 2008, leading to the unauthorized surveillance of American communications. According to the 2012 report, there were 2,776 violations in the previous 12 months alone. A "large number" of calls placed from Washington DC were intercepted when its area code was confused with that of Egypt. Another document shows how NSA analysts are trained to avoid giving "extraneous information" to their "FAA overseers" when they want to target an individual. In 2006, EPIC wrote to the Senate Judiciary Committee regarding instances of intelligence gathering misconduct by the FBI that were uncovered through EPIC's Freedom of Information Act requests. EPIC is currently petitioning the NSA to suspend its domestic surveillance program pending a public comment period. EPIC has also filed a petition with the U.S. Supreme Court challenging the legal authority of the FISA Court to authorize the NSA's program. (Aug. 19, 2013)
- EPIC Files Supreme Court Petition, Challenges Domestic Surveillance Program: EPIC has filed a Petition with the U.S. Supreme Court, asking the Court vacate an unlawful order by the Foreign Intelligence Surveillance Court that enables the collection of all domestic phone record by the NSA. The order, directed to Verizon, requires the production of all "call detail records" for calls made "wholly within the United States, including local telephone calls." EPIC said "It is simply not possible that every phone record in the possession of a telecommunications firm could be relevant to an authorized investigation. . . . Such an interpretation of [the law] would render meaningless the qualifying phrases contained in the provision and eviscerate the purpose of the Act." For more information, see In re Electronic Privacy Information Center. (Jul. 8, 2013)
- EPIC Seeks Details on New Government Crypto Regulations: EPIC has sent Freedom of Information Act (FOIA) requests to the Department of Justice, the Federal Bureau of Investigation, and the National Security Agency for information about a proposal to expand Internet surveillance and deploy weakened security standards. The proposal would require Internet companies to develop network services to enable government access to private communications, including those on peer-to-peer networks. In 1996, the National Resource Council concluded that such technical standards make network communications more vulnerable to cyber attack. For more information, see EPIC: Cryptography Policy. (Sep. 29, 2010)
EPIC v. BBG is a Freedom of Information Act case in which EPIC is seeking documents related to the Broadcasting Board of Governor's (BBG's) surveillance of internet traffic traveling through The Onion Router (Tor).
The Broadcasting Board of Governors (BBG) is an independent U.S. executive agency responsible for non-military overseas broadcasting. The BBG was created in 1999, when the now-defunct United States Information Agency split. The United States Information Agency's broadcasting functions were assigned to the new BBG, and its information exchange functions were assigned to the U.S. Department of State. The Board consists of eight members, nominated by the president, as well as the Secretary of State. Its most well-known broadcasting projects include Voice of America, Radio Free Asia, and Radio Free Europe.
Tor is software currently maintained by The Tor Project, Inc. and the Tor Solution Corporation. Internet users around the world use Tor to maintain anonymity and circumvent Internet restrictions. It works by encrypting Internet data and routing it through a series of "nodes" hosted by volunteers to create a secure relay between the user and their destination. This obscures both the origin and destination of the user. Tor is used by academics, political dissidents, law enforcement, journalists, whistleblowers, NGOs, the U.S. Navy, and everyday individuals.
The BBG has been a sponsor of Tor since 2006, and has contributed over $1m in funding since then. Additional Federal funders include the Department of Defense, the State Department, and the National Science foundation. In total, the Federal government's contributions account for 60% of Tor's annual $2 million budget.
On July 24th, 2012, Tor announced in a blog post that it was implementing a new program that paid people to host "fast exit" nodes. Exit nodes mediate between the encrypted Tor network and the desired final destination of a Tor user's connection. A "fast" exit node is essentially an exit node with a large amount of bandwidth. The July blog post said that the BBG was TOR's first funder for the project to create more "fast exit" nodes, and wanted to sponsor at least 125. News media sources indicate that the BBG has already given an "undisclosed amount" of funding for the project.
In its 2012 Technology, Services, & Innovation Annual Performance Report, the BBG wrote that "[t]hanks to a substantial increase in funding for Internet AntiCensorship (IAC) activities . . . the IAC group [was able] to expand anti-censorship circumvention software, servers and bandwidth (Ultrasurf, TOR, and Psiphon)." The same report says Iranian-based Internet access has been made possible by "additional investment in the (The Onion Router) TOR system."
In its May 2013 Internet Anti-Censorship Fact Sheet, the BBG wrote that "[t]he BBG is working with the Tor Solutions Group to significantly increase the number of high-speed Tor exit relays and bridges to improve the speed of the Tor network. IAC is also developing several enhancements to the Tor software to improve its usability and performance for users subject to Internet censorship."
The NSA's Involvement in Cryptography
The National Security Agency (NSA) developed the cryptographic algorithm, known as Skipjack, underlying the Clipper Chip, a cryptographic device purportedly intended to protect private communications while at the same time permitting government agents to obtain the "keys" upon presentation of what has been vaguely characterized as "legal authorization." The "keys" are held by two government "escrow agents" and would enable the government to access the encrypted private communication. While Clipper would be used to encrypt voice transmissions, a similar chip known as Capstone would be used to encrypt data.
EPIC, along with other privacy organizations and technologists, challenged the proposal. In addition to subjecting the public to increased surveillance, the design of the Clipper Chip was classified, and therefore the strength of its algorithm could not be evaluated by the public. By 1996, following intense public opposition, the Clipper Chip was defunct.
Despite losing the public debate over the Clipper Chip, the NSA has introduced vulnerabilities into many of the encryption technologies used by Internet consumers. These vulnerabilities have allowed the NSA to defeat the encryption that protects the personal data and communications of individuals. The agency has accomplished this through collaboration with technology companies, covert influence in encryption standard-setting processes, and brute-force decryption using supercomputers.
The NSA's influence over encryption technology has raised questions about the integrity of the Tor network, 60 percent of which is funded by the Department of Defense, which houses the NSA.
EPIC's Freedom of Information Act Request and Subsequent Lawsuit
On May 31, 2013, EPIC submitted a FOIA request to the BBG requesting:
- All agreements and contracts concerning BBG funding or sponsorship of The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group;
- Technical specifications of all BBG computers running Tor nodes;
- All reports related to BBG's modification of the Tor software; and
- All agreements and contracts between the BBG and The Tor Project, Inc., Tor Solution Corporation, and Tor Solutions Group regarding features or capabilities in the Tor software.
EPIC has a strong interest in the integrity of the Tor network, as it is a primary tool for Internet users to maintain privacy and anonymity in an increasingly monitored world. Tor is an essential tool not only for everyday private browsing, but for journalists, activists, and human rights organizations that rely on Tor as a means to communicate and organize. The anonymity provided by Tor facilitates the activities that rely the most on electronic privacy, such as whistleblowing, requests for humanitarian aid in censored regions, and self-defense against online stalking and harassment.
As far back as 1993, EPIC (then the Computer Professionals for Social Responsibility) iniated FOIA litigation regarding the National Security Agency (NSA)'s use of the "Clipper Chip", an encryption "unscrambler" that was developed to ensure government access to encrypted information. The NSA, as the Executive's cryptographic expert and technical advisor to U.S. Government agencies concerning the use of encrypted communications, developed the technical basis for the Clipper Chip. The NIST Federal Register notice regarding the Clipper Chip in 1994 stated that the Clipper Chip allowed "for the widespread use of encryption technology while affording law enforcement to access encrypted communications under lawfully authorized conditions." 59 Fed. Reg. 5998, 5999-6000 (February 9, 1994).
Since the June 2013 revelations of NSA surveillance of electronic communications, there has been a dramatic increase in interest for anonymity and encryption tools. On September 5, 2013, it was revealed that the NSA had compromised many of the encryption technologies used by consumers and citizens on the Internet. Through covert partnerships with internet providers and software developers, the NSA has built in secret "backdoors," or deliberate network vulnerabilities, that allow the agency to surveil, decrypt, collect, and even control the flow of user data. According to top-secret NSA documents published in The Guardian, The New York Times, and ProPublica, "For the past decade, NSA has lead an aggressive, multi-pronged effort to break widely-used Internet encryption technologies... Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." Recently, the Washington Post noted that sixty percent of Tor's funding comes from the Department of Defense, prompting the paper to ask whether the network suffered from similar backdoors and vulnerabilities. The story follows a report that Tor was being used to spread malware that could identify Tor users.
BBG's requests for the installation of "fast exit" nodes in the Tor software parallel the NSA's interest in installing "backdoors" in secure networks. Internet users who previously believed their secure networks to provide them with privacy and anonymity must now conduct their internet activities knowing that their encrypted data could be collected, unencrypted, and monitored by the NSA. Through its FOIA request and litigation with the BBG, EPIC seeks to discover whether the BBG has introduced similar vulnerabilities into the Tor network, and to inform all affected users.
EPIC v. BBG
- EPIC's FOIA Request (May 31, 2013)
- EPIC's FOIA Appeal (July 26, 2013)
- BBG Request Reponse (July 26, 2013)
- BBG Appeal Response (Aug. 2. 2013)
- Computer Professionals for Social Responsibility v. NSA, C.A. No. 93-1074-RMU (D.D.C. 1993)
- In re EPIC - NSA Telephone Records Surveillance, No. 13-58 (2013)
- EPIC NSA Petition, last updated Aug. 23, 2013
- The Tor Project, About Tor, 2013.
- The Tor Project, Tor Sponsors, 2013.
- Broadcasting Board of Governors, 2012 Technology, Services, & Innovation Annual Performance Report, January 2013.
- Broadcasting Board of Governors, Internet Anti-Censorship Fact Sheet, May 2013.
- Brian Fung, The feds pay for 60 percent of Tor's development. Can users trust it?, Washington Post (Sep. 6, 2013)
- James Ball, Julian Borger, and Glen Greenwald, Revealed: how US and UK spy agencies defeat internet privacy and security, The Guardian (Sep. 5, 2013)
- Nicole Perlroth, Jeff Larson, and Scott Shane, N.S.A. Able to Foil Basic Safeguards of Privacy on Web, New York Times (Sep. 5, 2013)
- Brian Fung, We've all practically given up on internet privacy. Here's how not to, Washington Post (Sep. 5, 2013)
- Andrea Peterson, A bunch of Tor sites spread malware. Was the FBI behind it?, Washington Post (Aug. 5, 2013)
- Rodger Dingledine, Rodger's status report, The Tor Project (Jan. 10, 2013)
- Cory Doctorow, Tor project considers covering costs for exit nodes, Boing Boing (Jul. 26, 2012)
- Darren Pauli, Tor Project mulls $100 cheque for exit relay hosts, SC Magazine (July 25, 2012)
- Turning funding into more exit relays, The Tor Project (July 24, 2012)