‘Is It Compromised?’ Is the Wrong Question about US Government Funding of Tor

In many ways, the most surprising thing about Yasha Levine’s powerful reporting on US government funding of Tor at Pando Daily has been the response to it. From the trolling attacks and ad hominem insults by apparently respectable, senior digital privacy activists and journalists, to repeated, climate-denialist-style “I’m rubber you’re glue”-type (or, as I like to call them, “You’re a towel”), evidence-free insinuations about Levine and Pando’s possibly covert funding sources and intelligence world connections, almost none of the response has had the measured and reasonable tone, let alone the connection to established facts, that Levine’s own reporting has.

Much of this response tries to turn Levine’s reporting into a conspiracy theory, which it then pretends to defuse by positing even wilder conspiracy theories. The conspiracy theory is that funding from the State Department, BBG, and all the various CIA and other intelligence agency cut-outs means that the Tor developers are covert agents or assets, secretly doing something very different from what they say they are doing; and that Tor is deliberately compromised in ways that these leaders are not revealing.

This turns into the question: “If the CIA is funding Tor, where are the vulnerabilities they are secretly planting in it? Why haven’t they been found via the classic principle that ‘all bugs are shallow when many eyes are looking for them’?”

For example, here are two comments to Levine’s “Internet Privacy, Funded by Spooks: A Brief History of the BBG”:

User “SpryteEast” writes: “this article could be great if it had proof. Most of modern-day cryptography technology was funded by US government at some point. Does it mean that they can break into everything?”

User “grumpykocka” writes: “Simple question: do you have proof that these systems have been compromised in any way? Technically, wouldn’t these open systems be incredibly hard to compromise without us knowing it? Perhaps they could be cracked, but you are implying much more than that, intentional back doors built into the code. But again, how would that go undetected in these open source solutions?”

This is from Tor & First Look staffer Micah Lee’s mean-spirited and defensive “Fact-Checking Pando’s Smears Against Tor,” responding to Levine’s earlier pieces:

If there were evidence of an intentional design flaw in the Tor network, similar to NSA’s sabotage of encryption standards through their BULLRUN program, that would be a huge deal. Pando didn’t find anything that wasn’t published on torproject.org.

This is the wrong question.

It’s a question so wrong and so enticing that it often derails the conversation we really should be having. It’s asked so often that it has the appearance of a party line, talking points that those involved issue with a remarkable persistence and uniformity. We don’t need to ask whether that party line is dictated by someone; what is more interesting is the party line itself.

a 1977 New York Times story about CIA’s propagandistic use of the press (from Yasha Levine’s most recent Pando story)

CIA, like other intelligence agencies (and for whom I’ll use it as a shorthand for the time being), is not a mind control supervillain. It does not “own” assets (in the spy lingo, “agents” usually refers to actual employees, whereas “assets” are others who may in some way or another contribute to intelligence agency efforts on an ad-hoc basis) and prescribe every aspect of their behavior. Rather, it looks for assets whose interests may align with its own. At times it may nudge them in the direction it wants; only with some of those most closely tied in does it directly give orders. When CIA operates through cutouts those cutouts typically appear to have full autonomy, and many in the cutout may well have that autonomy: that’s what gives cutouts credibility and what makes them useful. If everyone could have easily seen that Life magazine was a CIA front, people would have taken it much less seriously than they did.

CIA uses cutouts and assets for a much subtler purpose: because those apparently “regular” people and organizations, in doing what they do anyway, align with US state interests. They advance CIA’s interests just by being themselves. CIA has no need to control, direct, or even directly influence these assets: in certain ways, this would be less productive than remaining in the background.

From this perspective, the wrong question is to ask what CIA and State and so on are doing to “mess” with the Tor Project. The right question is to ask: how does the development of Tor, and in a parallel fashion the promotion of “internet freedom,” align with the interests of CIA, the State Department, USAID, and so on?

This is a question that it is very hard for cyberlibertarians even to put to themselves. They are so convinced of the righteousness of “internet freedom” and of Tor, so sure of its purpose and its politics that many of them appear not even to be able to bear to ask whether these beliefs might be fallacious. That “internet freedom,” a slogan without a clear referent, might be a policy the US promotes for specific geostrategic reasons, in part because so many people hop on board without understanding that the “internet freedom” agenda is not what it sounds like. That Tor serves some very specific US interests.

Despite the conspiratorial accusations levied at Levine, his piece makes this focus very clear:

The BBG was formed in 1999 and runs on a $721 million annual budget. It reports directly to Secretary of State John Kerry and operates like a holding company for a host of Cold War-era CIA spinoffs and old school “psychological warfare” projects: Radio Free Europe, Radio Free Asia, Radio Martí, Voice of America, Radio Liberation from Bolshevism (since renamed “Radio Liberty”) and a dozen other government-funded radio stations and media outlets pumping out pro-American propaganda across the globe.

This does not mean, of course, that it’s uninteresting whether some people involved with Tor—perhaps especially those close to and/or funded by the OTF, as Levine points out—might be “assets” in some way or another, but we are likely never really to know the truth about covert shenanigans like that. It also doesn’t mean that questions about Tor being compromised are unimportant. It’s interesting to note that Micah Lee asks Levine to provide evidence of an “intentional design flaw in the Tor network”: evidence of intentionality would consist of communicative documentation that is only likely to turn up in unusual circumstances. But there is plenty of evidence of design flaws per se in the Tor network: they are found all the time, often by the Tor developers themselves. How did they get there? Who knows. But that is one reason why “is it compromised” is such a misguided question: we know Tor is compromised or has been compromised at times, and undoubtedly will be again. We don’t know who is responsible for its vulnerabilities: often they emerge from parts of the system nobody appears to have thought about, but sometimes nobody, not even those in the Tor community, knows their source.

But these are questions about which we can’t do much more than speculate. They are outweighed in importance by the central question about the ideology behind Tor. If you are asking how government funding compromises Tor and “internet freedom,” you are asking the wrong question. The right question is: how do Tor and “internet freedom” serve the interests of those who fund them so generously—and have virtually no history of funding (especially on an ongoing basis) projects that are contrary or even irrelevant to their interests? Why do major factions within the US Government so steadfastly promote an internet project whose supporters routinely insist that “the government sure does hate the Internet”?

We don’t have to look far or think that hard to develop answers to these questions. Just the other day, Shawn Powers and Michael Jablonski, authors of the new and fascinating-sounding book, The Real Cyber War: The Political Economy of Internet Freedom (University of Illinois Press, 2015), announced the publication of their book by writing:

Efforts to create a universal internet built upon Western legal, political, and social preferences is driven by economic and geopolitical motivations rather than the humanitarian and democratic ideals that typically accompany related policy discourse. In fact, the freedom-to-connect movement is intertwined with broader efforts to structure global society in ways that favor American and Western cultures, economies, and governments.

The inability of many Tor and “internet freedom” and even super-encryption supporters to understand (or at least, to talk as if they understand) this point of view is part of what is so disturbing about this whole situation. “Internet freedom” and “internet privacy” and even “Tor” have become like articles of religious faith: creeds whose fundamental tenets cannot be questioned, even if they also cannot be stated in anything like the clarity with which “freedom of the press” can be stated. The critique we need to consider is not merely that major powers are “paying lip service” to the idea of internet freedom; it is that the idea itself is bankrupt: it is a propagandistic slogan in search of a meaning, a set of meaningful-sounding (but meaningless) words, like “right to work,” that exists only to serve a powerful and disturbing agenda (which is one direction that the outsize “internet freedom” funding provided by the US State Department, and Google’s triumphalist support for the idea, should raise questions for everyone). Indeed, if the putative freedom of information on which “the internet” (and Tor, and “internet freedom,” etc.) is supposedly based is going to mean anything–if it at least entails the “freedom of speech” and “freedom of the press” that in my opinion it does not eclipse in especially legible ways–it has to mean being willing always to question our fundamental assumptions, making it beyond ironic that its fiercest champions work so hard to prevent us from doing just that.