The executive director of the Tor Project told the BBC that U.S. and U.K. intelligence agencies are in an internal cat and mouse game, with one faction trying to break the anonymity network, and another one sharing bugs anonymously with Tor developers.
Andrew Lewman, in an extensive question-and-answer interview with the network, said he suspects that people inside both agencies anonymously leak information about Tor vulnerabilities in order for the bugs to get patched.
“There are plenty of people in both organizations who can anonymously leak data to us to say maybe you should look here, maybe you should look at this to fix this,” Lewman said. “And they have.”
Lewman said the agency insiders take advantage of Tor’s mechanism for anonymous bug submissions: researchers are allowed to log into Tor’s bug tracker without an email address, and most do so over Tor.
“They report these fantastic bugs that if you think through, someone with a lot of experience and a lot of time has researched this bug and said: ‘Maybe you should look here, maybe you should fix X, Y and Z,’” Lewman said. “Sometimes it includes a patch that says: ‘Here’s my code fix.’ And we look through all this stuff very carefully, and we’ve been totally impressed by the quality of bug reports that we get both on the software side, which is a coding error – sometimes very, very subtle – or on the design side, where you know you guys made a design decision here and maybe you want to consider some other use cases.”
Lewman concedes that his theory that NSA and GCHQ agents are undermining their respective agencies’ missions through these reports is a hunch, but adds the qualifier that few organizations have the expertise to point out the vulnerabilities being submitted.
“Many people – you have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months and find and elucidate these super-subtle bugs or other things that they probably don’t get to see in most commercial software,” he said. “And the fact that we take a completely anonymous bug report allows them to report to us safely.”
A round of Snowden documents released in October pointed out the NSA’s frustration with Tor, in particular its inability to de-anonymize users of the network. A slide from an internal NSA presentation called “Tor Stinks” says: “We will never be able to de-anonymize all Tor users all the time. With manual analysis, we can de-anonymize a very small fraction of Tor users.”
Lewman said Tor receives these insightful submissions on a monthly basis. Based on conversations with another NSA whistleblower, William Binney, Lewman surmises that there are insiders “upset” with the agencies’ spying on citizens and dragnet collection of phone call and Internet data.
“There’s a lot of groundswell of support as to what is going on, but at the same time there’s the other half of the organization that is: ‘You know what? People shouldn’t have privacy,’ and ‘Let’s go out and attack these things,’” Lewman said. “So there is always a balance between those who protect our freedom and liberty and those who don’t want you to have it.”