The CIA Sets Up Shop on Tor, the Anonymous Internet

Credit to Author: Lily Hay Newman| Date: Tue, 07 May 2019 14:06:25 +0000

The anonymity service Tor has grown in popularity around the world over the past few years, but it has also long been a tool for intelligence agencies and clandestine communications—not to mention endless cat-and-mouse games between law enforcement and criminals. But now, the CIA is staking out a more public presence there.

On Tuesday, the CIA announced its own Tor "onion service," so that people around the world can browse the agency's website anonymously—or, you know, send history-altering tips. Tor is an anonymity network that you access through a special browser, like the Tor Browser, and that uses its own URLs. The service protects your IP address and browsing online by encrypting the traffic and bouncing it around a series of waypoints to make it very difficult to trace.

Over the years, several organizations have made so-called onion sites—a dedicated version of their website that they configure and host to be accessible through the Tor anonymity network. Also called an onion service, Facebook launched one in 2014, and The New York Times added one in 2017. The National Police of the Netherlands even has an onion service related to its dark-web criminal takedown operations. But the CIA is the first intelligence agency to make the leap.

"Our global mission demands that individuals can access us securely from anywhere," CIA director of public affairs Brittany Bramell told WIRED ahead of the launch in a statement. "Creating an onion site is just one of many ways we’re going where people are."

Everything from the CIA's main website is available on its onion site, including instructions for how to contact the CIA and a digital form for submitting tips. There are also job listings, the agency's archival material including its World Factbook and, of course, the Kids' Zone. The main reasons to actually access the CIA's site through Tor seem to be sending information to the agency with more robust anonymity protection or quietly applying for a job there.

The CIA's site is a Version 3 onion service, meaning it has the improved cryptographic algorithms and stronger authentication the Tor Project launched at the end of 2017. In general, it works the same as Version 2 onion sites except it has a longer address. Instead of something like "nytimes3xbfgragh.onion," you reach the CIA's onion site at "ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion."

Tor was largely created through funding from the United States government in the 1990s and early 2000s, including from the Naval Research Lab and the Defense Advanced Research Projects Agency. The anonymity service has been open source since its public release in 2002, and it transitioned to being overseen by a nonprofit, dubbed the Tor Project, in 2006.

It can seem confusing at first that the US government would fund the creation of a tool that has since been used by criminals and foreign governments to conduct secret operations. But the US government can benefit from using the anonymity service in the same way these groups do. Still, stories and investigations abound about Tor's origins, including one persistent rumor that the CIA funded Tor's creation through covert channels. The Tor Project says that it has always been transparent about its funding sources and that it has no past or present connection to the CIA.

"We make free and open source software that’s available for anyone to use—and that includes the CIA," says Stephanie Whited, communications director for the Tor Project. "We don’t choose who uses our software. We want to see onion services adopted more frequently, and we think there’s a trend moving in that direction."

The CIA could have ulterior motives for establishing an onion site, but perhaps the agency is in fact simply trying to offer more ways for people to contact it and interact with its public resources. If nothing else, the project's tagline pokes fun at its inherent ambiguity: "Onions have layers, so do we."

https://www.wired.com/category/security/feed/