There's just no good choice is there? Blocked by government or tracked by corporations!

Which is exactly why tools like TOR needs to exist and needs to be supported. It's impossible to track people that use TOR.

I really, really hope TOR can survive (and improve, the speed is dismal) over the coming years. It's a vital tool for circumventing these horrible firewalls.

Well I know one deep-pocketed organization that's going to be very interested in purchasing this data.

at least its not a countries (possibly: UK) biggest ISP (possibly: British Telecom)tracking their users and then using that illegally gathered data during a "stealth" (possibly: we didn't tell the public because they weren't supposed to notice) deployment to build up a big database (possibly: OIX) to then enable a malware/rootkit purveyor (possibly: Phorm) to then pimp peoples web usage.

I cannot wait for the day that those responsible wake up to the fact that what they committed was essentially a mass wire tap in breach of both UK & EU law, I can almost hear the cell door slamming! :D

Good to see their shares scraping along the bottom too, just desserts for unethical investors, that said the real fun should kick off on Friday when the LSE suspends the shorting ban, then I'll bet we'll see Phorm take an even more dramatic fall! :D

Question about Tor:

As I understand it, the nodes on Tor are all anonymous.

What process is in place to ensure that none of those nodes are controlled by inappropriate people?

(Because if I worked for the CIA, or the FBI, or whomever, sniffing Tor traffic would be high on my list.)

Sam Hammett I dont work for any of those and Im still recording all traffic passing my TOR node

If I understand this correctly, this is a horribly immoral and potentially disastrous thing for these circumvention tools to be doing.

Should they sell this browsing information to the Chinese Government, what would prevent that information from being used to prosecute activists, journalists, and interested individuals?

What a betrayal of trust.

Sam, my understanding is that connections through the TOR network are made through several relays, and are encrypted -- except for the exit point (for normally unencrypted traffic).

Which is to say that if you operated a TOR node that was in the middle of someone's connection, all you'd observe is encrypted data being sent from X (the previous node) to Y (a subsequent node). If the node you're operating is the terminal node of a given path, you'll see unencrypted data being sent from X (some previous node) to Y (some website / thing on the internet).

So if you're a "bad guy" like Rasz ;), you can sometimes see unencrypted information, but shouldn't ever be able to tell who the originator of the data was (up to the data itself embedding information about the originator, or other sneaky attacks).

Ssshhh - don't talk about this, and maybe the government of The People's Republic of China won't notice that in exchange for a bit of hard currency they can find "persons of interest" in their own country...

A next step to research would be to contact them as a buyer and see what the review process is as well as the cost.

SAM HAMMETT - what makes you think government agencies aren't running "public" TOR or other annonymizer servers to keep tabs on what people think is worth keeping secret/hidden?

I hide my secret notes by mixing it in with a massive barrage of porn downloads, hoping the Gov't won't find my, uhm, needle in that particular haystack. That's my story and I'm sticking to it - especially if my wife asks ;^)

I know some people mentioned this in a round about way, but won't this just get a lot of people in the PRC arrested? The government of China must have found out about this particular reality already, so are they just waiting to act on it, or are they just going to selectively use it whenever they feel like it...

I could have answered my own question there.

@#5 and #10

Tor is an acronym for The Onion Router, named so because it uses onion routing. It is a great name because onions are exactly what is being routed: a message is encased in many layers of encryption that are peeled off.

As each router receives the onion, it peels off a layer -- the only layer it can peel off because that layer has been encrypted using that node's public key -- and passes the message along to the next addressed node, whose address was encrypted the current node's layer. This means that nodes in the middle don't know where the message originally came from, what the message was, or ultimately where the message was going. It only knows what two neighboring tor nodes it passed through.

So running non-exit nodes will not reveal information about users of Tor. Occasionally, they will be the first node in a route and will discover the IP address of a user, but they would know nothing of the message or of its destination.

Now, there are some theoretical attacks where a single entity controls both an entry node and exit node and takes careful timing measurements, but Tor is big enough that such an attack isn't practical. In short, I wouldn't worry about this.

If some organization really wanted to monitor Tor, they would run exit nodes. In fact, many exit nodes are monitored. You should assume this when you are using Tor and be careful when using passwords, personal or identifiable information, or accepting self signed certs. Fortunately, this all becomes moot if the user is using end-to-end encryption, such as https, otr, gpg, etc.

For example, you can safely access Gmail, which uses https, over Tor to anonymously send e-mail. Exit nodes would not be able to get the password or read the e-mail's content. No government agency could learn anything about the e-mail without a subpoena to Google, and, even then, if the Tor user used GPG the agency still couldn't see the message. The e-mail might even be received by an anonymous e-mail account and retrieved by another Tor user. There would be virtually no way for anyone else to discover the message cleartext, its origin, or its destination.

Tor is truly a thing of beauty.

So if you are careful with how you use Tor with regard to exit nodes, I wouldn't worry about organizations spying on your Tor traffic.

In the US the advertisers and corporations share the data they've collected on you directly with the US government.

Is anyone really surprised at this development? Making a buck off disadvantaged masses is old hat.

SAM - intermediate TOR nodes are anonymous and confidential, because the last layer of encryption isn't remove until the exit node. That's why it's called Onion Routing. All an intermediate node does is remove one layer so it can forward to the next node.

However, malicious TOR exit nodes can do whatever they want with your data. Embassies using TOR found that out the hard way. TOR merely randomizes your routing. Use good crypto to anonymize your data.

And yes, govts run TOR nodes. The US Navy Research Lab invented it!

Of course there will be people running TOR nodes that want to access other people's data. It doesn't matter, because it was designed with that in mind. All they will get is encrypted bits. Which someone like China could get anyway, by recording all data sent in/out of the country.

NOEN - Vice versa, even though it's only done every 10 years, the US Census is invaluable to demographics.

@ 14:

"Is anyone really surprised at this development? Making a buck off disadvantaged masses is old hat."

The capacity of human beings to put profit before the safety and well-being of others will never cease to surprise, shock and sadden me.

It's a morally reprehensible thing to do, and we should never become so jaded as to lose our sense of dismay or outrage at such behaviour.

WeightedCompanionCube - Not really sure where you're going with that. Yeah, census data is valuable. It's also true that advertisers collect their own data and they share it with the government. Not just data pulled off the internet, ALL data they have on you. Buying habits, purchases, credit card data, everything.

http://psiphon.ca/

I would assume that these services are selling information to the Chinese government. Chinese business is awesomely corrupt.

BTW, it's extremely unlikely that the NSA could not crack TOR if it made the effort.

I would assume that these services are selling information to the Chinese government.

Isn't it poor business practice to wipe out your client base?

WeightedCompanionCube:
>Embassies using TOR found that out the hard way

no they didnt, those accounts were hacked earlier, hacker was using TOR to read emails anonymously

that's OK, there'll be another generation along momentarily.

Leaving aside the breach of trust (although likely not a legal breach, as I'm sure those tools have the usual EULAs), I wonder about where the demand for this information comes from. My first order guess would be that the companies are required/pressured by the Chinese government to collect and hand over this information for free.

Ironically, maybe using those centralized tools makes it easier for users to be tracked by mid-sized entities (those that can buy the information), and not more difficult to be tracked by the large one (who can just demand the information).