A dissident versus Carnegie Mellon

A long time ago, in an authoritarian country far far away, I was once a cyber dissident. I used Tor, I tried to be careful, and apparently I stayed safe. Safe in the sense that I am still free and alive rather than dead or in jail. No thanks to Carnegie Mellon, who apparently endangered my life by interfering with live Tor connections in the wild.

“If you do that, and they’re recording this, they can retroactively go back, find people and kill them. In Syria [. . .] we met a person who told us that they had friends who were cut up into little pieces and mailed to their families in boxes”

I still remember the first video I ever watched about Tor on Youtube. It was Jacob Appelbaum and Roger Dingledine talking about the actions of governments to stop Tor. Alongside an interesting technical discussion of DPI and port blocking, was a frankly chilling description of what oppressive governments do to their critics when they can find them. People are “cut up into little pieces and mailed to their families in boxes”. Someone had a death squad sent to his house and was killed because he criticised the Assad regime on Facebook.

The Carnegie Mellon “researchers”, recklessly — but apparently at the behest of the FBI, marked the traffic of Tor users in a bid to correlate the sites they visit with their real world identities. They did it in a way that defeats the Perfect Forward Secrecy properties of Tor. We know there are regimes in the Middle East that have or do record every byte going in and out of their countries. The NSA for example pays special attention to anything, particularly including Tor, that is encrypted. Combine this permanent marking of Tor traffic with state actors who record every byte and you have a recipe for disaster. They might not be able to decrypt it now, but if they can today, or if they ever can in the future, then quite a few people may be getting an unwelcome knock on the door in the middle of the night.

You probably don’t know what it is like to live in fear. Truth be told, the regime I lived under was not one of the worst in the world. I probably would have only been beaten and jailed rather than tortured or murdered if my identity had been found out. If you are a writer, you probably want your blog posts to go viral. When mine did, I panicked. Instead of hundreds or maybe a few thousand readers, I might suddenly have twenty thousand in one day. Had I been too strident? Would I now be a target? I often wondered, does Tor really work? What if they know who I am, but I only get away with it because no one has noticed me? Will there be a knock on the door? I couldn’t sleep. I would go on long walks in the middle of the night, and hope that no one was waiting by my door when I came back. What is that car parked outside my building? Not knowing if your safety is real or illusionary is a constant and insidious fear. One which gradually, day by day, wears down the mind with a constant drip of worry. It is something I never completely managed to cope with when using Tor. A simple mathematical bug that probably you could never hope to understand yourself might be what gives up your name and address to those who would chop you up and put you into a box.

This permanent marking of Tor traffic, when we know there are countries who sniff it, watch it, record it and try to crack it, is extraordinarily reckless. It condemns hundreds, thousands, maybe many more dissidents not just to worry, but potentially to death. What if they managed to decrypt my connection tomorrow? What if they can see this permanent record of the websites I visited last week, last month, last year? Will the secret police come for me? It beggars belief that a prominent university in the United States of America could conduct such “research” whilst remaining so ignorant of the huge moral and ethical issues around their activities. As usual, they will say it was to keep people safe from drugs or pedophiles or some other bogeymen, but the reality is they have recklessly endangered many completely innocent people, in what is little more than an experiment on unwilling human subjects.

Alexander Volynkin and Michael McCord are the “academics” at CMU implicated in this negligent disregard for internet security. The question of how they got ethical approval for their actions remains open. One wonders if they understand that Tor is very widely used in authoritarian countries by ordinary people trying to stay safe, and how those “researchers” feel, knowing that they have contributed to undermining that safety.

To quote Jacob Appelbaum again, when it comes to online anonymity,

“Real people’s lives are really on the line”