At a time when online privacy seems all but impossible, one refuge we’ve had for browsing the Internet anonymously has been Tor, the browser thats keeps your identity and location hidden. But with every passing week, it’s becoming harder to trust that Tor is perfectly secure—especially considering that not even the Tor Project can be sure of their security anymore.
Last week, European police bragged that an international sting — now called Operation Onymous — pulled down over 400 deep web services and put 17 people behind bars. In response, Tor put out this explanation on their blog of how these services were found and shut down:
We don’t know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services[…]
Unfortunately, the authorities did not specify how they managed to locate the hidden services.
The post goes on to list the many ways in which a hidden service might be discovered and shut down. Their position: Even if you use Tor, there are so many other ways that you can be found that we won’t know if Tor itself was compromised unless police come out and explicitly tell us so.
But the Tor team is also confident that the sting wasn’t nearly as effective as it was meant to be. Andrew Lewman, the Executive Director of the Tor Project, told the BBC that police have “way overblown” their crime-fighting prowess.
“They want to basically tell criminals, ‘We’re out there looking, and we will catch you’, to create this sort of omnipotent ability to break into things,” Mr. Lewman said, adding yet another layer of uncertainty to the truth surrounding Operation Onymous.