Unfortunately, it is a fact that criminals have also been using tor. In 2001, a major pedocriminal platform in Germany was taken down by the Federal Criminal Police Office of Germany (BKA). In September of this year, researchers showed that the successful investigation against the operator of this platform was only possible through deanonymisation by traffic correlation analysis of the traffic that the platform’s leading members produced while using the instant messaging software Ricochet. Using its own high-bandwidth tor exit nodes and traffic correlation analysis of the Ricochet data traffic, the BKA could isolate the entry node in use, which knows the source IP. The rest of the connection data can be found in the Internet providers’ log files. Fortunately, the investigation led to the arrest of four operators. In December 2022, they were sentenced to many years in prison. However, the verdict is not yet final.
Even if the successful fight against such platforms and organised crime is to be welcomed, this case also raises the question of whether the tor network is still safe for whistleblowers, regime critics, investigative journalists, etc. The first question someone with concerns about their security or anonymity should address is the threat model that applies to them. Why do you want to stay anonymous, who wants to know your identity, and what are the consequences if your identity becomes known? It makes a difference whether you want to prevent an access point operator from capturing your data traffic, overcome censorship while travelling, or are the “Enemy of the State”. Overcoming censorship and securing your data traffic against snooping is easy, but staying anonymous is difficult and requires a change of habits. Tor developers were always candid about that point: “Tor can’t solve all anonymity problems. It focuses only on protecting the transport of data.” Even if that is not a reassuring statement, it is usually behavioural errors that lead to a breach of anonymity.
In general, how big is the risk of being deanonymised through traffic correlation analysis? In the case mentioned above, some circumstances favoured the BKA that no longer apply today. In recent years, tor has addressed the problem that organisations with access to high bandwidth capacity could infiltrate the tor network with their own nodes. The requirements for running a tor node are higher today. The Tor Network Health team has flagged thousands of bad relays, which the Directory Authorities then voted to remove. Those included many that came from a single operator or tried to enter the network on a large scale. The Network Health team has implemented processes to identify large groups of relays suspected of being managed by single operators or bad actors, and to keep them from joining the network. Also, the criminals used an old version of the long-retired application Ricochet, which has no protection against traffic correlation analysis. With Vanguards-lite, tor introduced this protection in tor version 0.4.7, first distributed as a production release in version 0.4.7.7 at the end of April 2022 (we switched to that version with TorBox v.0.5.1; however, we had already added the Vanguards add-on with TorBox v.0.4.2 in August 2021). This protection exists in Ricochet-Refresh, a maintained fork of the long-retired Ricochet project, since version 3.0.12, released in June 2022.
Daniel Mossbrucker, who was part of the team that revealed in September 2024 how users of the Tor network were identified, stated in an interview: “It cannot be assumed that every Tor user can be deanonymised by the authorities in the blink of an eye. So there is no reason to panic, the Tor browser is still a very secure means of communication. On the other hand, our research shows that even a user of Onion Services could be deanonymised by Tor, colloquially known as the ‘darknet’ – in the very part of the Tor network that was considered particularly anonymous and secure.” Coming back to the question of the risk of being deanonymised, we again face the threat model. Let’s say you used tor to download a copyrighted research paper from an Onion Site for your research; then you can be pretty sure that nobody will go to the trouble of deanonymising you. However, again, if you are in the crosshairs of resourceful national intelligence agencies or law enforcement authorities because of criminal activities, I would not rely on any promise of anonymity. Interestingly, Mossbrucker also mentioned in the interview that deanonymisation through traffic correlation is more likely with low data traffic. Suppose a tor client uses only Ricochet and connects to just one other user through hidden services; a correlation is logically much easier in that case than when all of the client computer’s network traffic goes through tor and, at the same time, a busy chat with many other people is open.
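To make Mossbrucker’s point about low traffic concrete, here is an added illustration that is not part of the original post and not TorBox or Tor Project code. It feeds constructed, deterministic per-second cell counts into a plain Pearson correlation: the “observer” compares the pattern seen next to the hidden-service side of a Ricochet chat with the pattern seen at the client’s entry side, once when the chat is the only traffic and once when unrelated traffic from the same client is mixed in. All traffic series, the noise, and the function names are assumptions made up for this example.

```python
from math import sqrt

# Constructed sample data: cells per second over a 12-second window.
# CHAT is the bursty pattern of a single Ricochet conversation as it would
# appear on the hidden-service side of the circuit.
CHAT = [0, 3, 0, 0, 5, 0, 2, 0, 0, 4, 0, 1]
# BACKGROUND is unrelated traffic from the same client computer (browsing,
# updates, other chats), constructed to be roughly independent of CHAT.
BACKGROUND = [6, 7, 5, 8, 4, 6, 7, 5, 8, 3, 6, 7]
# NOISE stands in for cells the entry-side observer sees that the other
# observer does not (padding, directory fetches); also constructed.
NOISE = [1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1]


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if one is flat."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / sqrt(var_x * var_y)


def entry_side_view(chat, background, noise=NOISE):
    """What an observer at the client's entry side sees: every cell the client
    sends, chat and background alike, plus the observer-side noise."""
    return [c + b + z for c, b, z in zip(chat, background, noise)]


def correlation_score(chat, background):
    """Correlate the hidden-service-side pattern with the entry-side pattern.
    A score near 1 means the two observations are easy to link."""
    return pearson(chat, entry_side_view(chat, background))


if __name__ == "__main__":
    no_background = [0] * len(CHAT)
    print("chat only      :", round(correlation_score(CHAT, no_background), 3))
    print("chat + background:", round(correlation_score(CHAT, BACKGROUND), 3))
```

With these inputs the score drops from about 0.96 for the lone chat to under 0.5 once the same chat is mixed with other traffic, which is the intuition behind keeping a single low-volume session from being the only thing that flows through tor.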
More information: Isabela Bagueros and Pavel Zoneff, “Is Tor still safe to use?”, updated 10.10.2024.