Upon glimpsing a mysterious light at the far end of a dark alley, say, or hearing one's name whispered from around a corner, one could be forgiven for trying to sneak a peek before charging ahead. Unless you are are a grizzled investigative journalist with a well-known publication, a fearless editor, a stable of lawyers, a well litigated shield law, a stack of Pulitzers and a fresh backup of your hard drive, you can probably imagine a lead to which you might respond with similar caution. Citizen investigators looking to remain near the middle of the cat spectrum — somewhere between scaredy and killed-by-curiosity — must occasionally dip a toe in before taking the plunge.
Highly sensitive leaks sometimes fall into this category. Leaked data could contain malware. Or they could have been obtained illegally. Or the lead itself could be a spear phishing attack. Or it could be bait. And the act of possessing those data could be illegal until you are able to demonstrate their relevance to the public interest. Or it it could remain illegal regardless. Or you might be the wrong audience. And even if you know someone who could accomplish more with the information, you might be less comfortable sharing a leak than you are receiving one. At least publicly.
This all depends on context, of course. But it also depends on the data themselves. Which you haven't seen yet. At this point, the leak is still down the alley and around the corner.
This guide is about Tor ("the onion router"). Tor is a piece of software that can help you hide your interest in something until and unless you decide to make that interest — or that something — public. To be clear, there is no purely technical solution to these challenges. There is very little that software can do to help address social, political and ethical issues related to the investigation, verification, analysis and publication of sensitive leaks.
So, yes. Experience, legal advice and trusted relationships are almost certainly more important than anonymity when it comes to shielding your sources, protecting yourself and bolstering your investigation. But using Tor is something you can do right now. And unless Tor is criminalised where you work, it is unlikely to hurt, likely to help, and easier than you might think.
This guide contains two main sections. First, we will discuss how Tor can be used — through the Tor Browser or Tails — to avoid leaving a trail from your own Internet address to those of the websites you visit.
In the second section, we will look at onion services (also known as Tor hidden services), which can only be accessed through Tor. Onion services are designed to hide their own physical locations and to ensure that all visitor traffic is more fully encrypted and more reliably anonymised. They are widely used by whistle blowing platforms like SecureDrop to protect the identity of anonymous sources, but this section will focus on OnionShare, which allows individuals to exchange files without exposing the connection between them.
The Tor Browser — an up-to-date, free and open-source, privacy optimised version of Mozilla Firefox — is the most reliable way to use Tor. And Tails is the safest way to use the Tor Browser. Tails is a Linux operating system (OS) that can be run from a USB stick without affecting the OS or the data that normally live on whatever computer you happen to be using. It relies on the Tor Browser for web traffic, but it routes other Internet traffic through the Tor network as well. It also ensures that anything you save to disk is encrypted.
Everything in this guide applies both to the Tor Browser and to Tails.
The Tor network is made up of several thousand servers that are scattered all over the world and run by volunteers. Every time the Tor Browser makes a new connection, it selects three of these Tor relays and connects to the internet through them. It encrypts each leg of this journey in such a way that the relays themselves do not know the full path through which it sends and receives data.
When you request a website using the Tor Browser, your request will appear to come from a different IP address, often in a different country. As a result, the Tor Browser hides your network location from the websites you visit while also hiding the websites you visit from others who might be monitoring your traffic. It also ensures that no single Tor relay can figure out both your location on the internet and the websites you visit (though some of them will know one or the other).
Because Tor hides the connection between you and the websites you visit, it allows you to browse the Web anonymously and avoid online tracking. It can also help you circumvent online filters in order to access content from — or publish content to — a website that would otherwise be blocked by your ISP, your employer, your government or some other wouldbe censor.
The steps below illustrate a request from Alice, who is using the Tor Browser, for a website running on Bob's server. You might also want to have a look at this YouTube video about Tor, which was created by the Centre for Investigative Journalism to explain how the anonymity network operates.
Alice's Tor Browser requests a list of Tor relays () from the Tor directory server (Dave).
Alice's Tor Browser picks a mostly random path through Tor network. All connections inside Tor network are encrypted (green ). In this example, the last connection is not-encrypted (red ). It would be encrypted if Alice were visiting an
If Alice later visits a website on another server (Jane), her Tor Browser will select a different random path. (In practice, that first hop will typically stay the same for a while. These entry guards help prevent a malicious relay operator from "getting lucky" and gaining control over your first and last relays at the same time.)
As you might imagine from looking at these diagrams, there is a trade-off between anonymity and speed. Tor provides anonymity by bouncing your traffic through volunteer servers in various parts of the world. It will almost always be slower than a direct connection to the Internet.
There are three things you should keep in mind when using Tor:
1. HTTPS still matters:
As mentioned above, Tor encrypts traffic into and throughout its network, but this protection does not extend all the way to the website itself unless you are using https encryption. The Electronic Frontier Foundation (EFF) has created an interactive diagram that helps illustrate this. Toggle the Tor and [HTTPS] buttons to see who can learn what at various points along the way.
2. Using Tor does not hide the fact that you are using Tor:
The list of regular Tor relays is public information. This is why your access to the Tor network can be blocked, but it also means that anyone who is monitoring your Internet connection can probably tell that you are using Tor. You will have to determine the significance of this risk based on your own particular circumstances.
If this is a real concern for you, but you still need to access websites through Tor, you might consider using a Tor Bridge, which is an "unlisted" relay that tries to resemble something else. Even Bridges are not guaranteed to disguise the fact that you are using Tor, however. And, while they are quite easy to use with the Tor Browser, configuring Tails to connect through a Bridge requires that you keep track of something awful like the following and type it in each time you restart Tails:
obfs4 220.127.116.11:54697 Ae391F63BBF490978992E2A89DC7B2AB35598904 cert=zR96h0xiR4F902kf2qkfjfunczfpl1H423yuPM1wdB74IUarBC63+80hpYzm3M8j6p9gcb iat-mode=0
The alternative, then, would be to give up on Tor, find a trusted Virtual Private Network (VPN) provider and make do with that. Just remember that even if you find a VPN that you trust — and that is genuinely less "conspicuous" than Tor — it will not allow you to access onion services or use OnionShare, as discussed below.
3. Where possible, use the Tor Browser:
The description above is from the perspective of someone who wants to browse content on a regular website while remaining anonymous. You can use Tor to access other publicly accessible online services, as well. This includes email providers, instant messaging servers and WHOIS registries, among other examples.
When used in this way, Tor works pretty much the same as it does for websites, with one caveat. The Tor Browser does more than just route your traffic through Tor. It goes to great length to hide your identity in other ways, and you should be cautious about trusting other applications to do the same. In general, the most reliable way to use other software through Tor is to do so from within Tails.
If Tails is not an option, you may have to do some research. Look for trusted "add-ons," such as Torbirdy for the Thunderbird email client, or alternative software like the Tor Messenger chat application.
There are a great many websites that offer useful services for investigators. If you need to visit one of them through the Tor Browser, or while working in Tails, you might want to test it out first. Some of these websites will require that you solve a CAPTCHA (or many CAPTCHAS) each time Tor chooses a new exit relay. And some of them simply refuse to work at all when accessed through Tor.
The table below summarises the level of Tor compatibility (and HTTPS support) for a few examples. As described in more detail below, the VPN over Tor guide suggests one possible way around this sort of blocking.
|DuckDuckGo||Privacy aware search engine||yes||yes|
|Tin Eye||Reverse image search (Blocks Tor users)||yes||no|
|AI's YouTube data viewer||Reverse image search for video frames. (Broken HTTPS)||yes||yes|
|Picodash||Time- and location-based Instagram search. ($8/mo)||yes||yes|
|Jeffrey's metadata viewer||Displays embedded metadata in images and other documents||no||cap|
|Foto Forensics "Lab"||Find evidence of tampering in image files ($5/10 images)||yes||no|
|WHOIS lookup||Domain name ownership database||yes||cap|
|Opencorporates||Public information on companies. (Blocks Tor users)||yes||no|
|Opencorporates viz||Network visualisation of various financial companies||yes||yes|
|FlightRadar24||Live aircraft tracking. (Sattelite view only through Tor)||yes||cap|
|Search engine. (CAPTCHAs are often unsolvable Tor)||yes||cap|
|Google Translate||Machine translation of text||yes||cap|
|Google Image Search||Find images by uploading a similar image (or URL)||yes||cap|
|YouTube||Post or search for videos on YouTube||yes||yes|
Unlike investigative "cloud services," such as those listed above, repositories of leaked data almost never block access through through Tor. The table below includes a few examples.
|Swiss HSBC leaks||to 2007||Excerpts||ICIJ website||Based on 60k docs||yes|
|Offshore Leaks||to 2007||Searchable archive||ICIJ website||500k company profiles||yes|
|Offshore Leaks DB||to 2007||csv,neo4j||ICIJ website||500k company profiles||yes|
|Cablegate||to 2010||Searchable archive||Wikileaks||250k cables||yes|
|Stratfor leaks||to Dec 2011||Searchable archive||Wikileaks||5M emails||yes|
|Clinton emails||to Aug 2014||Searchable archive||Wikileaks||30k emails||yes|
|Vault 7 projects||to 2015||Exceprts||Wikileaks||50 documents||yes|
|Panama Papers||to 2015||Excerpts||DocumentCloud||150 of 11.5M docs||yes|
|HackingTeam leaks||to Jul 2015||Searchable archive||Wikileaks||1 million emails||yes|
|Vault 7||to Feb 2016||Archive||Wikileaks||8k pages, 1k docs||yes|
|DNC leaks||to May 2016||Searchable archive||Wikileaks||44k emails, 17k docs||yes|
Note: Exposing the Invisible makes no claim as to the validity or usefulness of these archives. At the very least, however, they include lots of content that you can use to practice analysing leaked emails, documents and data sets. Just remember, if you're not comfortable walking around with illegally disclosed files sitting in plain sight on your laptop, consider the following:
As shown in the first table above, there are some useful web services that reject Tor users as a matter of policy. If you need anonymous access to these sites — or if you need to access them at all while using Tails — your requests will need come from somewhere that is not a known Tor exit relay. One way to achieve this, while still enjoying most (but not all) of the anonymity provided by Tor, is to add a VPN "hop" after the exit relay at the end of your Tor circuit.
This method is often called "VPN over Tor" to distinguish it from "Tor over VPN" configurations, which work in the opposite direction. (Routing Tor over a VPN adds a VPN hop before your Tor entry relay and is sometimes used to reach the Tor network from locations where it is blocked. We will not be discussing this technique in detail because Tor bridge relays are generally considered a better way to access Tor under such conditions.)
For a technical guide on how and why (and when not) to configure a VPN-over-Tor connection on Tails, have a look at the VPN-over-Tor guide.
Tor can also be used by those who want to offer an online service anonymously. They can do so by setting up an onion service. Once again, we will focus primarily on websites here, but it is possible to configure lots of server software in this way. For example, Riseup makes its email and instant messaging servers available as onion services.
Onion sites are probably the most widely known example of what some people insist on calling "dark web" content. There are two clear signs that you are visiting an onion site. First, it won't work unless you are using Tor. Second, the Web address will include a lot of gibberish followed by .onion. Below are a few examples:
http://expyuzz4wqqyqhjn.onion/download/download-easy.html.en#warningis a Tor Project help page
http://dcdoialeklnkb6fg.onionis a SecureDrop run by International Consortium of Investigative Journalists
https://3g2upl4pq6kufc4m.onion/is the DuckDuckGo privacy aware search engine
All traffic to and from an onion service — even a non-
https site like the first two listed above — will be fully encrypted. This is because your connection never leaves the Tor network. In fact, from a visitor's perspective, this is one of the most important virtues of an onion site. There is no exit relay, so the only link in the chain capable of observing your traffic is the website itself (which was going to have that ability regardless).
That said, you should keep in mind that anyone can mirror anyone else's website through an onion service. If you are accessing a public website through an alternative onion address, make sure it is the real alternative. If in doubt, search around until you find an
https website, hosted at the proper domain, that lists the official
By way of example, below are:
httpswebsite for SecuriLeaks that automatically redirects to their onion address if you are using Tor. Both of these addresses can be found on the GlobalLeaks directory, and the
httpsredirect at least means that whoever currently controls the the first address wants you to end up at the second.
On the other side of things, those who operate onion services enjoy certain benefits as well.
In most cases, communication with an onion site will be even slower than a normal Tor connection. This is because the path to an onion service requires six relays rather than three. It also takes some work to establish that path. For a brief but somewhat dizzying explanation of how this works, take a look at the Tor Project's breakdown of the Hidden Services protocol. Or continue reading. Or, if you are not interested in the protocol itself, feel free to skip down to the section on whistle blowing platforms below.
Any device with an Internet connection, a properly configured Tor installation and a non-public website can make that website available as an onion service. Doing so involves two steps:
That part is pretty straightforward. But to visit an onion service, a device with an Internet connection, a working installation of Tor and the correct onion address must take four additional steps:
There are at least two widely deployed whistle-blowing platforms that use onion services to protect the anonymity of sources:
Setting them up and maintaining them properly requires significant technical effort, however. And flooding someone else's database of leaks with "Testing testing..." spam is a bit rude, so we will discuss them in detail another time. Fortunately, there is a much simpler piece of software called OnionShare that also demonstrates the usefulness of onion services.
For most of us, the level of technical knowledge required to setup a whistle blowing platform like SecureDrop or GlobalLeaks is a bit out of reach. As is the amount of work required to maintain one properly. Unless you are confident that your system administration skills are sufficient to protect those whose safety might depend on them, you should probably avoid taking on the responsibility.
Fortunately, if you just need to exchange documents with a particular source or colleague, while hiding the fact that this exchange took place, there is an easier way. OnionShare is a free and open-source, cross-platform tool that greatly simplifies the process of creating ad hoc onion services for the specific purpose of sharing files. It allows you to:
OnionShare was not designed as a whistle blowing platform. It lacks most of the security features that are built into a proper a SecureDrop deployment, so it might not be appropriate for extremely sensitive data or if either participant is directly targeted by a well resourced adversary. More generally, it does not allow other people to send you files. In order to receive a leak through OnionShare, your source must not only know that it exists, she must have a way to get you the correct onion address without exposing the connection between you.
OnionShare comes pre-installed on Tails. To use it on any other platform, you will have to install it. You will also have to install (and launch) the Tor Browser. Once Tor and OnionShare are up and running, you can follow the steps below to exchange a file anonymously. These screenshots were taken on Tails, but OnionShare is nearly identical on other Linux distributions (and very similar on Windows and Mac OS X).
Launch OnionShare and select the content you want to make available:
In the example below, we will add a file called
exchanging_the_inscrutible.pdf and a folder called
data, both of which are currently in a directory at
In this step, all selected files and folders will be compressed into a single
.zip file and made available through a new onion service:
Remember, one of the main reasons to use OnionShare, or any other onion service, is to prevent those who might be monitoring your online activity from seeing a connection between you and the recipient. If either of you are concerned about this, you might have to get creative rather than just sending an email. The safest way to do so will depend heavily on your particular circumstances. Memorising onion addresses turns out to be exactly as difficult as it looks. But writing them down and exchanging them in person might be perfectly reasonable.
Once the recipient has the onion address, he just has to browse to it using the Tor Browser. The recipient does not have to install OnionShare unless he intends to share content of his own.
Tor Browser, which is the default, and
Tor Browser (persistent). Everything in the
Tor Browserfolder will disappear when you shutdown or restart your Tails system. In this example, we select the
Tor Browser (persistent)folder instead. If you choose not to (or if you did not enable Persistence at all), you will probably want to copy the data somewhere else before you shutdown.
.ziparchive. The files and folders that were shared are inside this archive.
The recipient can now extract the contents of the
In the example above, our "sender" left the Stop sharing automatically box checked, so the onion service will be disabled as soon as the recipient has downloaded the content:
.zip archive you downloaded and select Extract Here. The extracted folder should contain whatever files and folders were shared with you.
Unless you know and trust the person who gave you that onion address, you should be careful with these files. The fact that you received them securely and anonymously does not, of course, mean they are safe. If they were sent to you by a stranger, but you have to inspect them anyway, consider taking the following steps first:
File > Openmenu
None of this rules out the possibility of malware, but it gives you a chance to notice if the files are garbage — or if your system behaves strangely after you open them — without giving them the ability to modify your files or connect to the Internet.
The tools and techniques described in this guide are meant to give you more control over what you reveal about your investigation and when you reveal it. The Tor Browser is quite easy to install and even easier to use. The same is true of OnionShare, which allows you to exchange files with sources and colleagues without creating evidence of that interaction. Undetstanding how these tools work and knowing how to use them will help you determine for yourself when it might be appropriate to take advantage of the anonymity they provide.