I think that most Internet users with an interest in privacy have heard of Tor, the system of what is called onion routing.
Onion routing is a technique for repeatedly encrypting and forwarding data through several network nodes called onion routers. Each router removes a layer of encryption to uncover routing instructions, then sends the message to the next router where this is repeated. Intermediary nodes are prevented from knowing the origin, destination, and contents of the message. (Exit nodes know both the destination and the contents.)
So, Tor is a very clever technology, and it is free, so why isn’t it used more? And why then, should anyone pay for an anonymity service?
There reason is that Tor has some rather severe limitations:
- Tor is slow. Routing through an unpredictable path takes time, and varying lengths of time.
- Tor is free. Yes, this is a serious problem. When someone owns something and generates income from it, they almost always take care of it, and usually work hard to improve it. No such efforts are routinely applied to free things. Fixing a problem at a Tor node may or may not happen; upgrading is done strictly when convenient.
- Tor may include malicious nodes. When anyone can run a node, it’s not always nice people who do so. Think of it from a crook’s standpoint: Here we have lots of data traffic that people are trying to protect; it must be of some value. Anyone can open a node and gather information, with no path back to us – we’re just random people on the Internet, posing as humanitarians. Why not do it? When everyone (even groups like the CIA) can run a tor node anonymously and without any accountability, they can act badly and get away with it. And, in fact, several leaks of data through malicious Tor exit nodes have been confirmed.
- Tor is only for web browsing. For example, at my last check, no one was allowing email to run over their Tor node; it is simply too problematic. There are a lot more things to protect than surfing.
- Tor requires all the software on your computer that accesses the internet to be cooperative. Many programs, however, (whether created by shady marketers, governments, crooks, or just poorly written) are not cooperative, but bypass Tor and give away your network identity.
- For most people, Tor is to hard to use regularly. This makes security errors and leaks much more likely.
THE BETTER ANSWER
Since I am involved with a professional anonymity network, you might expect me to prefer my own product. And, in fact, I do. We built the system because it needed to be built. If Tor had been sufficient, we wouldn’t have undertaken the job.
A professionally operated anonymity network has multiple advantages over Tor, which I will list below. Bear in mind, however, that I think Tor is a very cool technology; it just isn’t one that I think can be trusted, or that is simple enough for serious daily use.
The reasons to pay for and use a professional network, rather than to use Tor for free, are these:
- Speed. A good anonymity network will always slow you down (this diagram illustrates why), but not by an excessive amount, and not by an erratic amount. While the speed may not be of the “blow your doors off” variety, it is quite manageable for daily use.
- Maintenance. If something goes wrong at Cryptohippie (my company), we jump to fix it. After all, we have paying customers, and we want to keep them happy. We have every incentive to fix things and keep them at top performance.
- Accountability. If Cryptohippie were to turn malicious, our users would know who to blame and who to avoid. The down-side to us would be the loss of our business, and then some. The malicious Tor node, on the other hand, simply drops out; the operators may never be known.
- Our system works for almost all Internet communication including Skype and chat. Once it is running, everything you do is protected and you use your computer as you always have.
- We include a private email system.
- Cryptohippie runs in the background. Connect then forget it – all your traffic will be protected. User errors are reduced and there are no side channel leaks. It is much easier, and for most users, that matters a lot.
HOW MANY HOPS?
I will also mention the one technical advantage that Tor has over us: They provide more server-to-server hops than we do.
Number of hops is a crucial factor for protecting Internet traffic. In the 1990s, lots of free proxies were used. These were all single-hop proxies (one server between you and the Internet), but they were fairly effective for the time. Since then, however, the data thieves have greatly improved their techniques. By watching data from two points, the protection provided by the single-hop proxy is mostly negated. (Many single-hop proxies still exist, having the one advantage that they are cheap.)
Tor provides more hops than anyone else, and that is a good thing. Sure, all the problems listed above remain, but – credit where credit is due – Tor does provide a lot of hops. Our network, on the other hand, provides a minimum of two, multi-jurisdictional hops. That means that our servers are located in geographically distant places (none in the US or UK) and in places subject to different legal administrations.
YOU GET WHAT YOU PAY FOR
The truth is that the “get it free!” meme is a dangerous one. Free is never without cost, even though that cost may not appear on a balance sheet.
Both Tor and Cryptohippie provide effective anonymity, but they both come with a catch. Tor forces you keep thinking and to remain on your toes; Cryptohippie costs you money.
Tor is a very cool technology, and its creators deserve credit. It remains a useful tool for people who know how to use it properly. It is not, however, a simple solution for Internet security. For that, you will have to pay. And, it could hardly be otherwise: Criminals make a lot of money stealing Internet traffic; they will keep adapting and developing new attacks. The only way to counter them is to have professionals on your side. And such people require payment.
Paul is the CEO of Cryptohippie USA. If you’d like more information on Cryptohippie, just email them: firstname.lastname@example.org