28

There's a recent report in the news of a Harvard student who emailed in a bomb threat so as to postpone year-end exams. According to the report, he carefully covered his tracks using the best technology he knew about: he used a throw-away email account, and only accessed it over Tor.

It turns out that this last point -- using Tor to send his email -- is what made him easy to find. Officials simply searched Harvard's logs for anyone who had recently accessed the Tor network, which led them directly to the culprit.

Arguably his critical mistake was using Harvard's WiFi for his Tor access; going down the street to a coffee shop would possibly have prevented his identity from being tied to his Internet activity. But in that case, Tor would probably have been unnecessary. And in fact, the interesting point is that his use of Tor completely failed at its primary purpose of providing anonymity, but instead simply provided him a completely false sense of security.

This principle easily extends to other anonymity tools and techniques as well; encryption, proxies, and others: if the tools are not popular, then the fact that you're using them alone makes your activity suspicious, making you an immediate target for investigation, interrogation, etc.

So how do you deal with this? Can you really trust Tor and other anonymity tools to make you anonymous? Would layering these tools help? Or would it just compound the problem?

forest
tylerl
  • 1
    Do you know the authors of TOR? How do you know they are not all spies trying to get criminals to self-identify themselves to the police? Even if you know their names and see them present at conferences, maybe they're just really good spies. A better approach to being safe is probably not to get involved with groups that the feds really want to get. Remember. OBL was probably better at staying anonymous and hidden than you are, and the feds found him. Most of the people inside our prison system thought they were smarter than the feds too. – Matt Dec 21 '13 at 18:45
  • 7
    @Matt TOR is originally a DARPA project, so created by the US Government. Tune your tinfoil hat accordingly. – tylerl Dec 21 '13 at 20:04
  • @tylerl It was not DARPA (the computer mouse, however, was DARPA). It was actually the Navy, and they did not _create_ it, they just hired contractors (e.g. Jacob Appelbaum) to design it. Basically what they did is say "hey guys, make us an anonymity system that hops between multiple nodes, layering encryption like an onion" and it was made. The creators themselves were not employees of the government. – forest Nov 02 '18 at 03:24
  • The amount of tinfoil misinformation here is absolutely misleading. Whether Tor itself works can be verified, (FOSS), whether Tor is secure can also be verified (Hundreds of research papers on Tor, and the fact that illegal items are still being traded under .onion services.). If you want to remain secure, use a local network and secure the router and connection as much as possible. (If you're in a city, +1 for more Tor users) Tor works, and it has been working for a long time now. – 09182736471890 Dec 06 '19 at 02:47

4 Answers

38

If you are in a crowd and you wear a mask, but nobody else in the crowd does, then you tend to attract attention...

If you want to remain anonymous, then you must use only tools which do not single you out as a potential miscreant, i.e. tools that everybody uses. A good example is when you pay in cash: this is a mostly traceless payment system, and yet sufficiently many people use it so that paying with cash does not appear suspicious (unless you use cash to pay for, say, a big car).

To a large extent, this illustrates a tendency to miss the point, which is unfortunately often encountered in circles dealing with anonymity: it is what I would call the "game fantasy". When using Tor, PGP or whatever, the wannabe anonymous sometimes feels that he is playing some game with informal rules, in particular a definite and finished scope. The Tor user tends to believe that his adversaries will meet him only in a network-related way. As rumour has it, one of the first reactions of Kevin Mitnick upon his being arrested was to say that Tsutomu Shimomura had "cheated" by calling the cops, instead of trying to defeat him through technical skills alone.

So let there be a lesson: if you want to be anonymous, don't concentrate on the tools. Instead, focus on the big picture. Layering anonymity gimmicks on top of each other does not address the actual problem.

In fact it can be argued that no layering can help Tor in any way, since the point of Tor is to randomize the network path so that sender and recipient cannot be correlated with each other; if something else is needed then sender and recipient were correlated with each other, and the actual use of Tor came to naught. This is a property of anonymity through absence of correlation: it is all-or-nothing. You cannot get anonymity incrementally; you have it all in one go, or you have none. This answers one of your questions: layering does not ultimately help.

To really be anonymous, you have to blend in the background. You achieve perfect anonymity by doing nothing. However, as soon as you try to act, if only to send an email, then you begin to leave traces of many kinds. For instance, when you use a WiFi access from a coffee shop, then you are physically in the coffee shop, so you are in range of CCTV cameras, you leave fingerprints and DNA traces on the premises,...

Thomas Pornin
  • 26
    "To really be anonymous, you have to blend in the background" -- Like a real-world ninja. Ninjas didn't look like guys in black pajamas; they looked like every other rice farmer in the field of rice farmers. – Brian S Dec 20 '13 at 22:14
  • @BrianS, I live under the impression that there were small groups of ninjas, that climbed castle walls and killed with swords, much like modern special forces squads. Those guys needed to **not be seen**, instead of **not be recognised**, so they wore black as the night. – Vorac Jan 10 '14 at 09:26
  • 4
    @Vorac, While there were certainly times when a ninja would undertake a "stealth mission," the modern concept of the ninja garb (the black body suit) largely stems from theater. The "ninja suit" was the outfit of the stagehands, which the audience was trained to ignore (they weren't actors). Then, surprise! One of the stage hands is actually an actor, portraying a ninja character. – Brian S Jan 10 '14 at 16:39
15

I essentially agree - using Tor from within Harvard's own WiFi network was a big mistake.

Note that in this case, the perpetrator did not have the nerve to stay silent in the face of police questioning. His confession is what made the case against him airtight.

Had he "lawyered" up, the police would have:

  • Evidence that he used Tor around the time the emails were sent

The police would not have:

  • Information about what websites or services he accessed using Tor
  • Information about the content that he transmitted and received via Tor
  • Any residual information on his laptop (if he had used something like TAILS)

The Tor network performed exactly as designed - the weakness was a PEBCAK issue.

At a guess, a tired, sleep-deprived student, under considerable parental and cultural pressure to perform, made the biggest mistake of his life.

scuzzy-delta
12

I think that the concept here would be dividing data from metadata. In the case of the Harvard student, what caught him (well, as far as reported facts go) was meta-data rather than the content of his communications. Some privacy techniques (e.g. encryption) just hide the content of the communication; they don't hide the fact that the communication has taken place.

In terms of anonymity tools making you less anonymous, I'd say that doing things that make you stand out makes you a potential target. So if you start using a VPN and Tor and taking burner laptops to coffee shops to connect to the Internet, someone observing your activity is likely to conclude that you have something to hide, which could in turn cause you to be placed under investigation. This of course depends on the idea of someone observing the metadata, which is what happened in the Harvard case.

Better OPSEC practice is to try not to stand out from the crowd, so if you're one of a large number of people using Tor in a location, you don't stand out from a metadata perspective, and Tor may protect the content of the communication.

So to answer the question, I'd say that anonymity tools have a place in an overall OPSEC regime, but if misused they can be counter-productive.

forest
Rory McCune
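
The metadata correlation described in the answer above, as an added example that is not part of the original post and not any investigator's actual tooling. The log format, user names, timestamps and relay addresses (documentation-range IPs) are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for a published relay list (documentation-range IPs).
RELAYS = {ipaddress.ip_address(a) for a in ("198.51.100.7", "203.0.113.42")}

# Constructed campus flow records: time, authenticated user, dest IP, dest port.
# No payload appears here; the records are connection metadata only.
FLOWS = """\
2024-03-04T08:01:10 alice 192.0.2.10 443
2024-03-04T08:14:52 bob 198.51.100.7 443
2024-03-04T08:15:30 carol 192.0.2.25 443
2024-03-04T08:20:03 bob 203.0.113.42 9001
2024-03-04T08:31:47 dave 192.0.2.10 80
2024-03-04T13:05:00 erin 203.0.113.42 443
"""

def parse_flows(text):
    """Yield (time, user, dest_ip) from whitespace-separated flow lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dst, _port = line.split()
        yield datetime.fromisoformat(ts), user, ipaddress.ip_address(dst)

def candidates(flows, relays, event_time, window):
    """Map each user to the times they reached a known relay near the event."""
    hits = {}
    for ts, user, dst in flows:
        # Match on destination address, not port: port 443 hides nothing here.
        if dst in relays and abs(ts - event_time) <= window:
            hits.setdefault(user, []).append(ts)
    return hits

def anonymity_set(text, relays, event_time, window):
    """Return (users active in the window, users who also reached a relay)."""
    flows = list(parse_flows(text))
    active = {u for ts, u, _ in flows if abs(ts - event_time) <= window}
    return active, set(candidates(flows, relays, event_time, window))

if __name__ == "__main__":
    event = datetime(2024, 3, 4, 8, 30)  # constructed time of the message
    active, tor = anonymity_set(FLOWS, RELAYS, event, timedelta(hours=1))
    print(f"{len(active)} users active, {len(tor)} reached a relay: {sorted(tor)}")
```

The size of the second set relative to the first is the "crowd" the answers talk about: the more local users routinely reach relays, the less a single match says.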
5

As others have observed, he made two major mistakes: 1) he publicly used a tool (Tor) that singled him out as a suspect; and 2) he confessed under interrogation by the police.

If he had accessed Tor through a plain-vanilla VPN service, popular among his peers, he would not have been so readily targeted. But even that wouldn't have saved him, unless he had routinely used that VPN service for torrenting or streaming.

Confessing under police interrogation was his fatal (career-wise, anyway) mistake. As foolish as that may seem, police are well-trained in psychology to read guilt. They're also well-trained in manipulating suspects into confessing. There's the classic "good cop, bad cop" dynamic, where the "bad cop" scares the [redacted] out of the suspect, and the "good cop" then promises to protect them from the "bad cop". That's also a classic torture routine.

Most people have no clue how to deal with that. It's not so bad for the innocent. They can just be natural. But, for the guilty, it's far harder. It takes skill to convincingly feign innocence, and to resist the temptation to bargain. In an interrogation, there is no bargaining, only evidence collection. If there's any bargaining to be done, the lawyers will handle that, at the appropriate time.

In this video http://www.youtube.com/watch?v=6wXkI4t7nuc, a "law school professor and former criminal defense attorney tells you why you should never agree to be interviewed by the police." Calmly requesting a lawyer is an appropriate answer for everyone undergoing police interrogation.

mirimir