A guide about using Tor ("the onion router") to read, verify and process leaked data, which might come with a risk.
Using Tor to investigate sensitive leaks
Upon glimpsing a mysterious light at the far end of a dark alley, say, or hearing one's name whispered from around a corner, one could be forgiven for trying to sneak a peek before charging ahead. Unless you are a grizzled investigative journalist with a well-known publication, a fearless editor, a stable of lawyers, a well-litigated shield law, a stack of Pulitzers and a fresh backup of your hard drive, you can probably imagine a lead to which you might respond with similar caution. Citizen investigators looking to remain near the middle of the cat spectrum — somewhere between scaredy and killed-by-curiosity — must occasionally dip a toe in before taking the plunge.
Highly sensitive leaks sometimes fall into this category. Leaked data could contain malware. Or they could have been obtained illegally. Or the lead itself could be a spear phishing attack. Or it could be bait. And the act of possessing those data could be illegal until you are able to demonstrate their relevance to the public interest. Or it could remain illegal regardless. Or you might be the wrong audience. And even if you know someone who could accomplish more with the information, you might be less comfortable sharing a leak than you are receiving one. At least publicly.
This all depends on context, of course. But it also depends on the data themselves. Which you haven't seen yet. At this point, the leak is still down the alley and around the corner.
This guide is about Tor ("the onion router"). Tor is a piece of software that can help you hide your interest in something until and unless you decide to make that interest — or that something — public. To be clear, there is no purely technical solution to these challenges. There is very little that software can do to help address social, political and ethical issues related to the investigation, verification, analysis and publication of sensitive leaks.
So, yes. Experience, legal advice and trusted relationships are almost certainly more important than anonymity when it comes to shielding your sources, protecting yourself and bolstering your investigation. But using Tor is something you can do right now. And unless Tor is criminalised where you work, it is unlikely to hurt, likely to help, and easier than you might think.
The structure of this guide
This guide contains two main sections. First, we will discuss how Tor can be used — through the Tor Browser or Tails — to avoid leaving a trail from your own Internet address to those of the websites you visit.
In the second section, we will look at onion services (also known as Tor hidden services), which can only be accessed through Tor. Onion services are designed to hide their own physical locations and to ensure that all visitor traffic is more fully encrypted and more reliably anonymised. They are widely used by whistle blowing platforms like SecureDrop to protect the identity of anonymous sources, but this section will focus on OnionShare, which allows individuals to exchange files without exposing the connection between them.
Tor and Tails
The Tor Browser — an up-to-date, free and open-source, privacy optimised version of Mozilla Firefox — is the most reliable way to use Tor. And Tails is the safest way to use the Tor Browser. Tails is a Linux operating system (OS) that can be run from a USB stick without affecting the OS or the data that normally live on whatever computer you happen to be using. It relies on the Tor Browser for web traffic, but it routes other Internet traffic through the Tor network as well. It also ensures that anything you save to disk is encrypted.
Everything in this guide applies both to the Tor Browser and to Tails.
The Tor network is made up of several thousand servers that are scattered all over the world and run by volunteers. Every time the Tor Browser makes a new connection, it selects three of these Tor relays and connects to the internet through them. It encrypts each leg of this journey in such a way that the relays themselves do not know the full path through which it sends and receives data.
When you request a website using the Tor Browser, your request will appear to come from a different IP address, often in a different country. As a result, the Tor Browser hides your network location from the websites you visit while also hiding the websites you visit from others who might be monitoring your traffic. It also ensures that no single Tor relay can figure out both your location on the internet and the websites you visit (though some of them will know one or the other).
Because Tor hides the connection between you and the websites you visit, it allows you to browse the Web anonymously and avoid online tracking. It can also help you circumvent online filters in order to access content from — or publish content to — a website that would otherwise be blocked by your ISP, your employer, your government or some other would-be censor.
A basic Tor connection
The steps below illustrate a request from Alice, who is using the Tor Browser, for a website running on Bob's server. You might also want to have a look at this YouTube video about Tor, which was created by the Centre for Investigative Journalism to explain how the anonymity network operates.
Step 1: Obtaining a list of Tor relays
Alice's Tor Browser requests a list of Tor relays ([1]) from the Tor directory server (Dave).
Step 2: Choosing a path
Alice's Tor Browser picks a mostly random path through the Tor network. All connections inside the Tor network are encrypted (green [3]). In this example, the last connection is not encrypted (red [2]). It would be encrypted if Alice were visiting an https website.
Step 3: Subsequent requests
If Alice later visits a website on another server (Jane), her Tor Browser will select a different random path. (In practice, that first hop will typically stay the same for a while. These entry guards help prevent a malicious relay operator from "getting lucky" and gaining control over your first and last relays at the same time.)
As you might imagine from looking at these diagrams, there is a trade-off between anonymity and speed. Tor provides anonymity by bouncing your traffic through volunteer servers in various parts of the world. It will almost always be slower than a direct connection to the Internet.
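The diagrams above can be re-enacted in code. The following Python script is an added example, not code from this guide or from the Tor Project: it models Alice's three-hop circuit with a toy cipher (an HMAC-SHA256 keystream, which is not a real cipher and is only there so the script runs with the standard library alone), wraps her request in three layers, lets each relay peel one layer, and records what that relay could see. Running it shows that the guard knows Alice but not Bob, the exit knows Bob but not Alice, the middle knows neither, and that without HTTPS the exit reads the request in clear. The relay names, the `bob.example` destination and the `https` flag (which stands in for a TLS session key shared only by Alice and Bob) are this example's own assumptions.

```python
import hashlib
import hmac
import json
import os

RELAYS = ["guard", "middle", "exit"]          # Alice's three hops, in order
DESTINATION = "bob.example"                   # Bob's server (constructed name)


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with an HMAC-SHA256 keystream (NOT a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key, data):
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, data)


def decrypt(key, blob):
    return _keystream_xor(key, blob[:16], blob[16:])


def build_circuit():
    """One symmetric key per relay. Real Tor negotiates these with a
    Diffie-Hellman handshake per hop; the toy just draws random keys."""
    return {relay: os.urandom(32) for relay in RELAYS}


def wrap(keys, payload):
    """Alice builds the onion: the exit's layer goes on first, the guard's last,
    and each layer only names the *next* hop."""
    hops = RELAYS + [DESTINATION]
    blob = payload
    for i in reversed(range(len(RELAYS))):
        cell = json.dumps({"next": hops[i + 1], "inner": blob.hex()}).encode()
        blob = encrypt(keys[RELAYS[i]], cell)
    return blob


def route(keys, onion, observations):
    """Each relay peels one layer, records what it could see, and forwards."""
    prev, blob = "alice", onion
    for relay in RELAYS:
        cell = json.loads(decrypt(keys[relay], blob))
        blob = bytes.fromhex(cell["inner"])
        observations.append({"relay": relay, "from": prev, "to": cell["next"],
                             "sees": blob})
        prev = relay
    return cell["next"], blob


def send_request(request, https):
    """Send `request` to Bob through the circuit. With https=True the request is
    first encrypted under a key only Alice and Bob hold (stand-in for TLS)."""
    keys = build_circuit()
    tls_key = os.urandom(32)
    payload = encrypt(tls_key, request) if https else request
    observations = []
    dest, delivered = route(keys, wrap(keys, payload), observations)
    assert dest == DESTINATION
    bob_reads = decrypt(tls_key, delivered) if https else delivered
    return observations, bob_reads


def who_knows_what(observations, request):
    """Per relay: does it see Alice? Bob? the request in clear?"""
    return {o["relay"]: {"knows_alice": o["from"] == "alice",
                         "knows_bob": o["to"] == DESTINATION,
                         "reads_request": o["sees"] == request}
            for o in observations}


if __name__ == "__main__":
    req = b"GET /leaks/2018.pdf HTTP/1.1"
    for https in (False, True):
        obs, got = send_request(req, https)
        print("https" if https else "http", "delivered:", got == req)
        print(who_knows_what(obs, req))
```

In real Tor each hop's key comes from a handshake run through the hops already built rather than from `os.urandom`, and the cells have a fixed size; the layering and the rule that a layer names only the next hop are the same, and so is the conclusion that the last leg is only as private as the HTTPS session riding inside it.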
Additional concerns
There are three things you should keep in mind when using Tor:
- HTTPS encryption still matters,
- Using Tor does not hide the fact that you are using Tor, and
- Where possible, use the Tor Browser rather than configuring other software to use Tor.
1. HTTPS still matters:
As mentioned above, Tor encrypts traffic into and throughout its network, but this protection does not extend all the way to the website itself unless you are using https encryption. The Electronic Frontier Foundation (EFF) has created an interactive diagram that helps illustrate this. Toggle the [Tor] and [HTTPS] buttons to see who can learn what at various points along the way.
2. Using Tor does not hide the fact that you are using Tor:
The list of regular Tor relays is public information. This is why your access to the Tor network can be blocked, but it also means that anyone who is monitoring your Internet connection can probably tell that you are using Tor. You will have to determine the significance of this risk based on your own particular circumstances.
If this is a real concern for you, but you still need to access websites through Tor, you might consider using a Tor Bridge, which is an "unlisted" relay that tries to resemble something else. Even Bridges are not guaranteed to disguise the fact that you are using Tor, however. And, while they are quite easy to use with the Tor Browser, configuring Tails to connect through a Bridge requires that you keep track of something awful like the following and type it in each time you restart Tails:
obfs4 27.8.147.18:54697 Ae391F63BBF490978992E2A89DC7B2AB35598904 cert=zR96h0xiR4F902kf2qkfjfunczfpl1H423yuPM1wdB74IUarBC63+80hpYzm3M8j6p9gcb iat-mode=0
The alternative, then, would be to give up on Tor, find a trusted Virtual Private Network (VPN) provider and make do with that. Just remember that even if you find a VPN that you trust — and that is genuinely less "conspicuous" than Tor — it will not allow you to access onion services or use OnionShare, as discussed below.
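To see why a public relay list is enough to reveal Tor use, here is an added Python example (not from this guide) that runs two lookups against a constructed relay list: a website operator's access log, where requests arriving from listed relays are the ones that get blocked or CAPTCHA-walled, and a flow export from someone watching your uplink, where connections going to listed relays are what gives you away. The addresses in the list and logs are documentation-range values made up for this example; the one exception is the bridge address quoted above, included to show that a connection to an unlisted bridge is not matched. The Tor Project's real exit list is published at https://check.torproject.org/torbulkexitlist.

```python
import ipaddress
import re

# Constructed stand-in for a published relay list. The addresses are from
# documentation ranges, not real relays.
RELAY_LIST = """\
# published relay addresses, constructed sample
203.0.113.10
203.0.113.11
198.51.100.7
"""

# Constructed web-server access log: the site operator's point of view.
ACCESS_LOG = """\
203.0.113.10 - - [03/Jan/2018:10:00:01 +0000] "GET /search?q=leak HTTP/1.1" 200 512
192.0.2.44 - - [03/Jan/2018:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [03/Jan/2018:10:00:05 +0000] "POST /upload HTTP/1.1" 403 0
"""

# Constructed flow export: the point of view of someone watching your uplink.
# The last line goes to the bridge address quoted in the guide, which is not
# in any published list.
FLOW_LOG = """\
10.0.0.5 -> 203.0.113.11:9001 bytes=4096
10.0.0.5 -> 192.0.2.80:443 bytes=1200
10.0.0.9 -> 27.8.147.18:54697 bytes=3000
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\d+)$')
FLOW_RE = re.compile(r'^(\S+) -> (\S+):(\d+) bytes=(\d+)$')


def load_relays(text):
    """Parse a one-address-per-line list, ignoring blanks and # comments."""
    relays = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            relays.add(ipaddress.ip_address(line))
    return relays


def requests_from_tor(log_text, relays):
    """Site operator's view: requests whose source is a listed relay.
    This lookup is what sits behind 'blocks Tor users' and CAPTCHA walls."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and ipaddress.ip_address(m.group(1)) in relays:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


def hosts_talking_to_tor(flow_text, relays):
    """Network observer's view: local hosts that connected to a listed relay,
    with bytes sent. A bridge does not show up because it is unlisted."""
    seen = {}
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if m and ipaddress.ip_address(m.group(2)) in relays:
            seen[m.group(1)] = seen.get(m.group(1), 0) + int(m.group(4))
    return seen


if __name__ == "__main__":
    relays = load_relays(RELAY_LIST)
    print("requests via Tor exits:", requests_from_tor(ACCESS_LOG, relays))
    print("hosts connecting to relays:", hosts_talking_to_tor(FLOW_LOG, relays))
```

The second lookup is the weaker of the two in practice: a bridge hides the destination address from a list match, but, as the guide says, it does not guarantee that the traffic pattern itself goes unnoticed.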
3. Where possible, use the Tor Browser:
The description above is from the perspective of someone who wants to browse content on a regular website while remaining anonymous. You can use Tor to access other publicly accessible online services, as well. This includes email providers, instant messaging servers and WHOIS registries, among other examples.
When used in this way, Tor works pretty much the same as it does for websites, with one caveat. The Tor Browser does more than just route your traffic through Tor. It goes to great lengths to hide your identity in other ways, and you should be cautious about trusting other applications to do the same. In general, the most reliable way to use other software through Tor is to do so from within Tails.
If Tails is not an option, you may have to do some research. Look for trusted "add-ons," such as Torbirdy for the Thunderbird email client, or alternative software like the Tor Messenger chat application.
Finally, thanks in large part to the Guardian Project, there are a number of Android applications that can be configured to use Orbot, the Android version of Tor. Examples include:
- The Tor browser for Android,
- The CameraV privacy oriented camera tool, and
- The ChatSecure instant messaging app.
Security-in-a-Box includes more detailed guides on how to use the Tor Browser with Windows and Linux. These guides cover:
- Installing the Tor Browser,
- Using Tor Bridges when your access to the Tor network is blocked, and
- Using obfuscated pluggable transports when your access to the Tor network is really blocked.
Tor compatibility
There are a great many websites that offer useful services for investigators. If you need to visit one of them through the Tor Browser, or while working in Tails, you might want to test it out first. Some of these websites will require that you solve a CAPTCHA (or many CAPTCHAs) each time Tor chooses a new exit relay. And some of them simply refuse to work at all when accessed through Tor.
Online investigative resources and Tor compatibility
The table below summarises the level of Tor compatibility (and HTTPS support) for a few examples; in the Tor column, "cap" means the site works through Tor but demands CAPTCHAs. As described in more detail below, the VPN over Tor guide suggests one possible way around this sort of blocking.
Archive | Description | HTTPS | Tor |
---|---|---|---|
DuckDuckGo | Privacy aware search engine | yes | yes |
TinEye | Reverse image search (Blocks Tor users) | yes | no |
AI's YouTube data viewer | Reverse image search for video frames (Broken HTTPS) | yes | yes |
Picodash | Time- and location-based Instagram search (\$8/mo) | yes | yes |
Jeffrey's metadata viewer | Displays embedded metadata in images and other documents | no | cap |
Foto Forensics "Lab" | Find evidence of tampering in image files (\$5/10 images) | yes | no |
WHOIS lookup | Domain name ownership database | yes | cap |
Opencorporates | Public information on companies (Blocks Tor users) | yes | no |
Opencorporates viz | Network visualisation of various financial companies | yes | yes |
FlightRadar24 | Live aircraft tracking (Satellite view only through Tor) | yes | cap |
Search engine (CAPTCHAs are often unsolvable through Tor) | yes | cap | |
Google Translate | Machine translation of text | yes | cap |
Google Image Search | Find images by uploading a similar image (or URL) | yes | cap |
YouTube | Post or search for videos on YouTube | yes | yes |
Example leak repositories
Unlike investigative "cloud services," such as those listed above, repositories of leaked data almost never block access through Tor. The table below includes a few examples.
Archive | Date range | Type | Platform | Size | Tor |
---|---|---|---|---|---|
Swiss HSBC leaks | to 2007 | Excerpts | ICIJ website | Based on 60k docs | yes |
Offshore Leaks | to 2007 | Searchable archive | ICIJ website | 500k company profiles | yes |
Offshore Leaks DB | to 2007 | csv,neo4j | ICIJ website | 500k company profiles | yes |
Cablegate | to 2010 | Searchable archive | Wikileaks | 250k cables | yes |
Stratfor leaks | to Dec 2011 | Searchable archive | Wikileaks | 5M emails | yes |
Clinton emails | to Aug 2014 | Searchable archive | Wikileaks | 30k emails | yes |
Vault 7 projects | to 2015 | Excerpts | Wikileaks | 50 documents | yes |
Panama Papers | to 2015 | Excerpts | DocumentCloud | 150 of 11.5M docs | yes |
HackingTeam leaks | to Jul 2015 | Searchable archive | Wikileaks | 1 million emails | yes |
Vault 7 | to Feb 2016 | Archive | Wikileaks | 8k pages, 1k docs | yes |
DNC leaks | to May 2016 | Searchable archive | Wikileaks | 44k emails, 17k docs | yes |
Note: Exposing the Invisible makes no claim as to the validity or usefulness of these archives. At the very least, however, they include lots of content that you can use to practice analysing leaked emails, documents and data sets. Just remember, if you're not comfortable walking around with illegally disclosed files sitting in plain sight on your laptop, consider the following:
- Make sure you have a handle on the level of risk associated with using Tor wherever you are,
- Use Tails when searching or downloading leaked content,
- Choose a strong passphrase when you configure Persistence on your Tails USB stick, and
- Think twice before crossing a border with that USB stick.
Routing a VPN over Tor
As shown in the first table above, there are some useful web services that reject Tor users as a matter of policy. If you need anonymous access to these sites — or if you need to access them at all while using Tails — your requests will need to come from somewhere that is not a known Tor exit relay. One way to achieve this, while still enjoying most (but not all) of the anonymity provided by Tor, is to add a VPN "hop" after the exit relay at the end of your Tor circuit.
This method is often called "VPN over Tor" to distinguish it from "Tor over VPN" configurations, which work in the opposite direction. (Routing Tor over a VPN adds a VPN hop before your Tor entry relay and is sometimes used to reach the Tor network from locations where it is blocked. We will not be discussing this technique in detail because Tor bridge relays are generally considered a better way to access Tor under such conditions.)
For a technical guide on how and why (and when not) to configure a VPN-over-Tor connection on Tails, have a look at the VPN-over-Tor guide.
Onion services
Tor can also be used by those who want to offer an online service anonymously. They can do so by setting up an onion service. Once again, we will focus primarily on websites here, but it is possible to configure lots of server software in this way. For example, Riseup makes its email and instant messaging servers available as onion services.
Onion sites are probably the most widely known example of what some people insist on calling "dark web" content. There are two clear signs that you are visiting an onion site. First, it won't work unless you are using Tor. Second, the Web address will include a lot of gibberish followed by .onion. Below are a few examples:
- http://expyuzz4wqqyqhjn.onion/download/download-easy.html.en#warning is a Tor Project help page
- http://dcdoialeklnkb6fg.onion is a SecureDrop run by the International Consortium of Investigative Journalists
- https://3g2upl4pq6kufc4m.onion/ is the DuckDuckGo privacy aware search engine
All traffic to and from an onion service — even a non-https site like the first two listed above — will be fully encrypted. This is because your connection never leaves the Tor network. In fact, from a visitor's perspective, this is one of the most important virtues of an onion site. There is no exit relay, so the only link in the chain capable of observing your traffic is the website itself (which was going to have that ability regardless).
That said, you should keep in mind that anyone can mirror anyone else's website through an onion service. If you are accessing a public website through an alternative onion address, make sure it is the real alternative. If in doubt, search around until you find an https website, hosted at the proper domain, that lists the official .onion alternatives.
By way of example, below are:
- A list of Tor Project onion sites
- An official pointer to the ICIJ SecureDrop
- An https website for SecuriLeaks that automatically redirects to their onion address if you are using Tor. Both of these addresses can be found on the GlobalLeaks directory, and the https redirect at least means that whoever currently controls the first address wants you to end up at the second.
On the other side of things, those who operate onion services enjoy certain benefits as well.
- They do not have to register (and pay for) a domain name, which is challenging to do anonymously
- They do not have to configure an SSL certificate
- They can make their website available from inside a home or office firewall
- It is more difficult for someone to correlate their website with their physical location
In most cases, communication with an onion site will be even slower than a normal Tor connection. This is because the path to an onion service requires six relays rather than three. It also takes some work to establish that path. For a brief but somewhat dizzying explanation of how this works, take a look at the Tor Project's breakdown of the Hidden Services protocol. Or continue reading. Or, if you are not interested in the protocol itself, feel free to skip down to the section on whistle blowing platforms below.
Any device with an Internet connection, a properly configured Tor installation and a non-public website can make that website available as an onion service. Doing so involves two steps:
- It randomly selects a few Tor relays to serve as introduction points. It connects to them anonymously and gives them the information required (a public key) to send it encrypted messages in the future.
- It then randomly generates an onion address like the ones listed above. (16characterslong.onion, say.) It then publishes this address along with a descriptor that includes its public key (the same one given to the introduction points) and a list of those introduction points. This descriptor is available to anyone who knows the onion address and is capable of connecting to the Tor network.
That part is pretty straightforward. But to visit an onion service, a device with an Internet connection, a working installation of Tor and the correct onion address must take four additional steps:
- It downloads the descriptor by referencing the onion address. (Thanks to some very cool math, Tor relays can return information about any running onion service without being able to produce a list of those addresses.) Then the visitor's device randomly selects a Tor relay to serve as a rendezvous point, connects to that relay anonymously and gives it a randomly generated secret code.
- It then connects anonymously to one of the introduction points (which it learned about from the descriptor obtained above) and hands off a message that is encrypted so that only the device running the onion service can read it. This message contains the location of the rendezvous point and the secret code.
- The introduction point connects anonymously to the onion service and hands off that encrypted message, at which point the onion service decrypts it, connects anonymously to the rendezvous point and presents the secret code.
- Finally, the rendezvous point verifies the secret code, connects anonymously to the visitor's device and confirms that everything worked properly. At this point, the visitor's device can request web content from the onion service, without knowing its internet address, by relaying messages through the rendezvous point that only the onion service can read. But doing so requires three hops to reach the rendezvous, then another four to reach the actual webserver.
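The six steps above, re-enacted as an added example (this is not the Tor Project's implementation): a small Python simulation with a service, a directory, introduction and rendezvous relays and a visitor, which logs every message so the order of the exchange is visible. The keys are textbook RSA over two Mersenne primes and the onion address is sixteen base32 characters of a SHA-1 over the key, which mimics the shape of the old 16-character addresses; none of this is secure and it exists only to show who talks to whom and what each party can read. The relay names, the `Network` class and the message labels are this example's own inventions.

```python
import base64
import hashlib
import os
import random

RELAYS = ["relay-A", "relay-B", "relay-C", "relay-D", "relay-E", "relay-F"]

def _modinv(a, m):
    """Extended Euclid (so the script does not need Python 3.8's pow(a, -1, m))."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m

class ToyRSA:
    """Textbook RSA, no padding: fine for a diagram, useless for real use."""
    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = _modinv(e, (p - 1) * (q - 1))

    def public(self):
        return (self.n, self.e)

    def decrypt(self, ciphertext, length):
        return pow(ciphertext, self.d, self.n).to_bytes(length, "big")

def encrypt_to(pub, msg):
    return pow(int.from_bytes(msg, "big"), pub[1], pub[0])

def onion_address(pub):
    """16 base32 characters of SHA-1(public key), the old v2 .onion shape.
    The name is derived from the key, so a descriptor can be checked against
    the address without trusting whoever served it."""
    n, e = pub
    digest = hashlib.sha1(n.to_bytes(20, "big") + e.to_bytes(4, "big")).digest()
    return base64.b32encode(digest[:10]).decode().lower() + ".onion"

class Network:
    """Stand-in for the relays: which relay introduces for which service, which
    rendezvous cookie is parked at which relay, plus a transcript of messages."""
    def __init__(self):
        self.intro_for, self.rendezvous, self.transcript = {}, {}, []

class OnionService:
    def __init__(self, key, net):
        self.key, self.net = key, net
        self.address = onion_address(key.public())
        self.intro_points = random.sample(RELAYS, 3)     # service step 1
        for relay in self.intro_points:
            net.intro_for[relay] = self
        self.pages = {"/": b"hello from an onion site"}

    def descriptor(self):                                # service step 2: published
        return {"pubkey": self.key.public(), "intro_points": list(self.intro_points)}

    def handle_introduce2(self, ciphertext):
        """Only the service holds d, so only it can read the INTRODUCE message."""
        plain = self.key.decrypt(ciphertext, 17)
        rp, cookie = RELAYS[plain[0]], plain[1:]
        self.net.transcript.append(f"service -> {rp}: RENDEZVOUS1 + cookie")
        if self.net.rendezvous.get(rp) != cookie:        # the rendezvous point checks
            raise ValueError("rendezvous point rejected the cookie")
        self.net.transcript.append(f"{rp} -> visitor: RENDEZVOUS2 (circuit joined)")
        return lambda path: self.pages[path]

def visit(directory, address, net, path="/"):
    desc = directory[address]                            # visitor step 1: descriptor
    if onion_address(desc["pubkey"]) != address:
        raise ValueError("descriptor key does not match the onion address")
    rp = random.choice([r for r in RELAYS if r not in desc["intro_points"]])
    cookie = os.urandom(16)                              # the "secret code"
    net.rendezvous[rp] = cookie
    net.transcript.append(f"visitor -> {rp}: ESTABLISH_RENDEZVOUS + cookie")
    intro = random.choice(desc["intro_points"])          # visitor step 2: introduce
    ciphertext = encrypt_to(desc["pubkey"], bytes([RELAYS.index(rp)]) + cookie)
    net.transcript.append(f"visitor -> {intro}: INTRODUCE1 (ciphertext; {intro} cannot read it)")
    net.transcript.append(f"{intro} -> service: INTRODUCE2 (same ciphertext)")  # step 3
    fetch = net.intro_for[intro].handle_introduce2(ciphertext)                  # step 4
    net.transcript.append(f"visitor -> {rp} -> service: GET {path}")
    return fetch(path)

SERVICE_KEY = ToyRSA((1 << 61) - 1, (1 << 89) - 1)      # two Mersenne primes
IMPOSTOR_KEY = ToyRSA((1 << 31) - 1, (1 << 127) - 1)    # two more, for the tamper case

def demo(tamper=False):
    """Publish one service and visit it; with tamper=True the directory entry
    carries the impostor's key, which the address check must reject."""
    net = Network()
    service = OnionService(SERVICE_KEY, net)
    directory = {service.address: service.descriptor()}
    if tamper:
        directory[service.address]["pubkey"] = IMPOSTOR_KEY.public()
    return visit(directory, service.address, net), net.transcript
```

Two checks in the code are worth noting: the visitor refuses a descriptor whose key does not hash to the onion address it asked for (the address is self-authenticating, which is part of the "very cool math" mentioned above), and the rendezvous point refuses a service that turns up without the cookie the visitor parked there. Calling `demo()` returns the page content together with the six-line transcript of the exchange.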
Whistle blowing platforms based on onion services
There are at least two widely deployed whistle-blowing platforms that use onion services to protect the anonymity of sources:
- SecureDrop (guide for sources, guide for investigators)
- GlobalLeaks (partial list of deployments)
Setting them up and maintaining them properly requires significant technical effort, however. And flooding someone else's database of leaks with "Testing testing..." spam is a bit rude, so we will discuss them in detail another time. Fortunately, there is a much simpler piece of software called OnionShare that also demonstrates the usefulness of onion services.
Exchanging files with OnionShare
For most of us, the level of technical knowledge required to set up a whistle blowing platform like SecureDrop or GlobalLeaks is a bit out of reach. As is the amount of work required to maintain one properly. Unless you are confident that your system administration skills are sufficient to protect those whose safety might depend on them, you should probably avoid taking on the responsibility.
Fortunately, if you just need to exchange documents with a particular source or colleague, while hiding the fact that this exchange took place, there is an easier way. OnionShare is a free and open-source, cross-platform tool that greatly simplifies the process of creating ad hoc onion services for the specific purpose of sharing files. It allows you to:
- Make files available, from within your own network firewall, to any Tor user who knows the correct onion address;
- Make sure those transfers are encrypted, end-to-end, and carried out entirely within the Tor network; and
- Use a simple, graphical user interface to activate the onion services (and the webserver) that make all this possible.
OnionShare was not designed as a whistle blowing platform. It lacks most of the security features that are built into a proper SecureDrop deployment, so it might not be appropriate for extremely sensitive data or if either participant is directly targeted by a well-resourced adversary. More generally, it does not allow other people to send you files. In order to receive a leak through OnionShare, your source must not only know that it exists, she must have a way to get you the correct onion address without exposing the connection between you.
OnionShare comes pre-installed on Tails. To use it on any other platform, you will have to install it. You will also have to install (and launch) the Tor Browser. Once Tor and OnionShare are up and running, you can follow the steps below to exchange a file anonymously. These screenshots were taken on Tails, but OnionShare is nearly identical on other Linux distributions (and very similar on Windows and Mac OS X).
Step 1: The sender tells OnionShare what to share
Launch OnionShare and select the content you want to make available:
- Click [Add files] or [Add folder]
- Navigate to the file or folder you want to share and click it once
- Click [Open]
- Repeat the previous three steps to add additional files or folders
In the example below, we will add a file called exchanging_the_inscrutible.pdf and a folder called data, both of which are currently in a directory at /home/amnesia/Persistent/tmp
Step 2: The sender creates an onion service
In this step, all selected files and folders will be compressed into a single .zip file and made available through a new onion service:
- Decide if you want OnionShare to stop sharing after the first time this content is downloaded. If so, leave the Stop sharing automatically box checked. If not, uncheck it.
- Click [Start Sharing]
- Your onion service is ready when the large dot in the lower, left-hand corner turns green
- You can see your onion address toward the lower, left-hand corner. You can copy it to your clipboard by clicking [Copy URL]
- Safely give this onion address to the person with whom you would like to share the selected data
Remember, one of the main reasons to use OnionShare, or any other onion service, is to prevent those who might be monitoring your online activity from seeing a connection between you and the recipient. If either of you is concerned about this, you might have to get creative rather than just sending an email. The safest way to do so will depend heavily on your particular circumstances. Memorising onion addresses turns out to be exactly as difficult as it looks. But writing them down and exchanging them in person might be perfectly reasonable.
Step 3: The recipient downloads the shared content
Once the recipient has the onion address, he just has to browse to it using the Tor Browser. The recipient does not have to install OnionShare unless he intends to share content of his own.
- Visit the onion address using the Tor Browser
- Click [onionshare_gibrsh.zip] to begin the anonymous transfer
- Click [Save File]
- If you are using Tails, the Tor Browser will only let you save files into one of two folders. It does this to help protect you from malware. These folders are called Tor Browser, which is the default, and Tor Browser (persistent). Everything in the Tor Browser folder will disappear when you shut down or restart your Tails system. In this example, we select the Tor Browser (persistent) folder instead. If you choose not to (or if you did not enable Persistence at all), you will probably want to copy the data somewhere else before you shut down.
- Select the appropriate folder and click [Save].
- That folder should now contain a .zip archive. The files and folders that were shared are inside this archive.
The recipient can now extract the contents of the .zip archive.
Step 4: The sender's OnionShare may disable this share after the transfer is complete
In the example above, our "sender" left the Stop sharing automatically box checked, so the onion service will be disabled as soon as the recipient has downloaded the content:
Step 5: The recipient extracts the contents of the .zip archive
Right-click the .zip archive you downloaded and select Extract Here. The extracted folder should contain whatever files and folders were shared with you.
Unless you know and trust the person who gave you that onion address, you should be careful with these files. The fact that you received them securely and anonymously does not, of course, mean they are safe. If they were sent to you by a stranger, but you have to inspect them anyway, consider taking the following steps first:
- Create an encrypted USB stick with a strong passphrase
- Copy the files onto that USB stick
- Restart your Tails system
- Do not enable Persistence and disable all network access
- Plug in your encrypted USB stick and enter your passphrase
- Launch the appropriate application (such as LibreOffice Writer, LibreOffice Calc or Document Viewer)
- Open the files using that application's File > Open menu
None of this rules out the possibility of malware, but it gives you a chance to notice if the files are garbage — or if your system behaves strangely after you open them — without giving them the ability to modify your files or connect to the Internet.
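One more thing you can do before any of that: look inside the .zip archive without extracting it. The Python script below is an added example (it is not part of this guide or of OnionShare) that lists the entries of an archive and flags any whose names would land outside the folder you extract into, that inflate to an unreasonable size, or that are encrypted and so cannot be inspected. Both sample archives are built in memory as constructed data, one benign and one hostile, so the script runs offline; the `MAX_RATIO` and `MAX_TOTAL` limits are this example's own choices.

```python
import io
import posixpath
import re
import zipfile

MAX_RATIO = 100                 # uncompressed / compressed bytes, per entry
MAX_TOTAL = 50 * 1024 * 1024    # total bytes we are willing to unpack (example's choice)


def _escapes(name):
    """True if an entry name would land outside the folder you extract into."""
    if re.match(r"^[A-Za-z]:", name):                # Windows drive letter
        return True
    norm = posixpath.normpath(name.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def inspect_zip(data):
    """Check an in-memory zip without extracting. Returns (ok, findings, entries);
    entries is a list of (name, uncompressed size) so you can see what is inside."""
    findings, entries, total = [], [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entries.append((info.filename, info.file_size))
            total += info.file_size
            if _escapes(info.filename):
                findings.append(f"path escapes target folder: {info.filename}")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"suspicious compression ratio: {info.filename}")
            if info.flag_bits & 0x1:                     # general-purpose bit 0 = encrypted
                findings.append(f"encrypted entry, cannot be inspected: {info.filename}")
    if total > MAX_TOTAL:
        findings.append(f"archive would expand to {total} bytes")
    return not findings, findings, entries


def extract_if_clean(data, dest):
    """Unpack only when inspection finds nothing; otherwise return the findings."""
    ok, findings, _ = inspect_zip(data)
    if ok:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.extractall(dest)
    return findings


def build_sample():
    """Constructed benign archive, shaped like the one in the walkthrough above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("exchanging_the_inscrutible.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("data/figures.csv", "year,amount\n2015,12\n2016,19\n")
    return buf.getvalue()


def build_hostile():
    """Constructed archive with a path-traversal name and an entry that inflates
    from a few kilobytes to 5 MB (a small 'zip bomb')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("../../outside.txt", "would land two folders up\n")
        zf.writestr("filler.bin", b"\0" * (5 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for label, archive in (("benign", build_sample()), ("hostile", build_hostile())):
        ok, findings, entries = inspect_zip(archive)
        print(label, "ok" if ok else "REJECTED", entries, findings)
```

Python's own `extractall` already strips leading slashes and `..` components, so the traversal entry would not actually escape on this platform; the point of inspecting first is that you learn the archive was crafted that way rather than silently receiving a sanitised copy, which is exactly the kind of "these files are garbage" signal the steps above are meant to surface.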
Conclusion
The tools and techniques described in this guide are meant to give you more control over what you reveal about your investigation and when you reveal it. The Tor Browser is quite easy to install and even easier to use. The same is true of OnionShare, which allows you to exchange files with sources and colleagues without creating evidence of that interaction. Understanding how these tools work and knowing how to use them will help you determine for yourself when it might be appropriate to take advantage of the anonymity they provide.
Header image: [Still Life with Leeks](https://commons.wikimedia.org/wiki/File:Serr_1986-_Still_Life_With_Leeks_57_low_res_CC.jpg) by Jan Serr - Creative Commons Attribution (CC-BY-3.0)