Wading into social waters

by phobos | August 23, 2012

Recently, we've been introduced to two "Tor Project" Facebook Org pages. Neither of which are run by us at Tor, yet. There was also a Google+ page for a while, too. We currently use a few social media methods, such as mailing lists, pgp web of trust, internet relay chat, Identi.ca, and Twitter. Some people are very upset Tor is seemingly supporting Facebook, Google+ and others.
We're expanding into Facebook, Google+, Reddit, and others because our users are asking for it. There are existing Tor communities in many places, and we don't need to formally be at them all. It's great when individuals step up to the challenge and represent Tor in positive ways. However, as people join these communities, they are looking for a real discussion with us. For many people, these platforms are the primary means of communication.
We do have some concerns about social media sites. Let's enumerate these concerns.

  1. Current social media solutions don't respect user privacy, however it's all we have today. With buttons like "+1", "Like", and "Tweet this" strewn about websites, tracking your normal web activity, Tor is at least one solution to help you stop this global tracking. We believe you should be fully in control of your own data and metadata.
  2. The users are currently using these systems in very unsafe ways. We can join the system and set up a presence with details about how to use these systems more safely--or if they cannot be used safely at all. The goal is to educate people.The EFF has an explanation of these risks as well.
  3. We can get our message out to people and have a discussion with them, where they are, even though we don't control the medium and risk getting kicked off the system.
  4. Some are impersonating us now, and not at the quality level we want to see. A bad answer or impression from a fake Tor is worse than no answer at all.

Why don't we write our own?
Writing and deploying our own social media system is beyond the scope of our mission. However, tor can provide an anonymous base for such a system. We have hope for systems like Diaspora, tent, and FreedomBox.

Comments

Please note that the comment area below has been archived.

August 24, 2012

Permalink

Social media is plain poison. GRU 2.0 in a passive state. But it can be made active quite easy and the simplest thing would be to start injecting „information”. Most people I know are not aware of what the other users see when one is doing some action, say like a certain „old Chinese proverb”. So it can be possible the network can make the user say and endorse things the user never intended. They already try that by asking for the ability to use profile pictures in third party advertisments.

Also they are terribly dangerous in a more subtle way. Sure, I use Tor and hide the place I am writing from. I pass page after page that asks me whether I want or not to support a certain cause. If I fall into the trap, say tell the world I love TorProject, my history would also be revealed as these buttons are working only when logged in. And even if I resist the temptation to give TorProject a like some site would offer me the ability to log in via FaceBook, or Twitter, or Google, or whatever. And the result is the same.

As for writing a social media pack the competition is high. While the popularity of twitter clones is almost zero and all they have to do is show 140chars, Social Media means hosting limitless pictures and mails and multimedia. The load would be great. The interface would look like FaceBook's granddad. And the cost would get higher and higher. At the same time investors would get interested in the stored information. And running costs plus people willing to pay in exchange for a peek at the data turn the project into a silly clone.

Another argument would be to take a look at the evolution of Evolution, the Gnome Outlook clone. To get a half baked solution took a few years. And a mail client is far less demanding than social media and all the crossed rights to see something.

Yet, your 4th point points out to a more practical need: have a bridge to those popular media pointing back to the site. A nice bridgehead, but rather static. Otherwise you'd need a small army to answer the same thing on each network. The discussion on the MList with the TorBrowser shows a need to protect the name in order to avoid confusion. The name and not the code.

Nope. #4 could be easily and thoroughly addressed by an unequivocal statement from the TorProject that it has no official presence in social media, has no plans to establish such a presence, does not endorse any social media presence connected with Tor, and that any entity claiming to represent TorProject on social media is an imposter. Nothing could be easier. Neither is there a contradiction between that posture and educating users on the safe(r) use of social media. Unfortunately that will not happen because some here are apparently unable to acknowledge the concept that Tor simply cannot embrace every internet whimsy that comes along and remain robustly anonymous. There is the real conflict.

IC

August 24, 2012

Permalink

I think it's important to realise and understand that no restrictions have ever existed which prevents users from browsing Facebook or Twitter and making use of either of these resources, nor do I understand criticism of The Tor Project because of its decision to do so; but I'm not an apologist either. If users decide to use Facebook or Twitter whilst they're also using Tor, it's their decision and their responsibility to do so safely, nobody else is at fault.

August 24, 2012

Permalink

> for many people, these platforms are the primary means of communication.

Bad for them. No reason to support these anti-social networks.

August 24, 2012

Permalink

Isn't it against Facebook's user agreement to create an account there under a false name? If so, why would anyone use it via Tor?

August 24, 2012

Permalink

There are existing Tor communities in many places, and we don't need to formally be at them all.

I think this says it all. Facebook and Google plus are both contrary to tor's mission, and what will happen is the discussion will move to those forums, since more people may be there,forcing the "core" tor users to register to join, lowering their anonymity. Not just lowering their anonymity--far worse. Giving data to facebook directly on who is a tor user, as creating profiles for both facebook and google plus tend to require a lot of verification.

This is a capitulation, and I even suspect conspiriacy or trap. Wake up. From the past two posts, this one and arma's exit relay funding post, it is becoming clear tor's sponsers are partisans, and are wanting to fund solely the use case of the censored user in china/iran, who is unable to connect to what is essentially propaganda and consumerist crap from western nations, and are affecting the neutrality of the project.

My eyebrows were raised when I read a few years ago of the sponsers pushing specific functional agendas, rather then sound science and research determining agendas based on the initial functional requirements, which still are not met.

The technique to move groups to facebook destroys real discussion. This is clearly a move in the wrong direction.

If you want more advertising, buy a tv commercial, or other normal advertising methods. Seriously.

Excellent comment, I couldn't agree more. Facebook, Twitter, Google+ and other such "services" are in the business of data mining and they sell/leak information to commercial and government agencies. Their convenience and their friendly looking front ends are designed to lure in the gullible, who unfortunately seem to make up the majority of the computer using public. Such "services" fly in the face of everything the Tor project stands for. Why on earth would a project that advocates anonymity of Internet communications let itself in with organizations that systematically violate every last bit of its objectives?

I also agree with what you said/suspected about Tor's sponsors. Why is it that on these pages we always hear about Internet censorship in places like China and Iran but never about Internet censorship in places like Saudi Arabia, Bahrain or Qatar, whose dungeons are full of people who have dared to voice protest in the streets or on the Internet? Is it because the governments of China and Iran have been targeted by the U.S. government for corruption or removal, while the governments of Saudi Arabia, Bahrain and Qatar are U.S. allies who host U.S. military bases and the worlds largest military fleet? I think there's an obvious bias in the Tor project's response to real or perceived Internet censorship, depending on where it occurs. It is also not that far fetched to suspect that this bias may have to do with the influence that one or more sponsors exert on the project. But, alas, there's no way to find out more about this because the Tor project's sponsors page ...

https://decvnxytmk.oedi.net/about/sponsors.html.en

... is quite useless, as it does not publish a complete list of the corporate, institutional and individual donations it has received ... no names, no dates, no figures, nothing. There's an entry referring to the donation(s) of "An anonymous North American NGO". But this makes matters only worse. Why this intransparency? Why would would an NGO making a generous donation want to remain anonymous? So, we'll probably never know whether George Soros or some devious Washington think tank believes Tor to be a useful tool to fomenting dissent in China and Iran, or to trigger a colour revolution in Belarus.

I am not blaming the project's staff for any of this. Interesting and decently paid IT jobs that allow for occasional travelling are hard to come by these days and, for all I know, technically they're doing a great job in developing and maintaining Tor. But I think, the projects origins, its political bias and the intransparency regarding its sponsors really stinks.

A few brief answers (sorry the blog isn't a good discussion platform):

A) We talk about China and Iran a lot because they're the most advanced DPI-based censors currently. We actually don't talk about China as much as a lot of users would like, because they're doing pretty well at blocking anything they want to block, including Tor (see my other blog posts here for details).

B) Why an NGO would like to remain anonymous? We leave that to the sponsor. If you're saying that wanting anonymity makes you suspicious, maybe you're using the wrong tool. :)

C) As for financial details and transparency, go to the sponsors page and click on "Financial reports":
https://decvnxytmk.oedi.net/about/financials.html.en

September 09, 2012

In reply to arma

Permalink

> If you're saying that wanting anonymity makes you
> suspicious, maybe you're using the wrong tool. :)

There's a world of difference between a private individual's need and right (!) to anonymity and the attempt of governments or large organizations (governmental or not) to hide their dealings from the public to whom they are accountable. Really, arma, I am surprised you don't seem to be familiar with even the basics of "right to anonymity" in every day use. Do you seriously believe that you and I and Erinn and Jacob and Goldman and Sachs and Procter and Gamble and Exxon should be seen as one big family with the same rights and obligations, or that "individuals" like Obama, Romney, Murdoch, Soros etc., whose little personas represent much larger interests, should be regarded the same as Joe or Jane Sixpack from upstairs? Why, do you think, do most countries in the world have laws in place to prevent shady behind-the-scenes dealings of large organizations and their representatives? Why, do you think, do most countries in the world have laws in place that regulate donations to political parties? For anyone with half a brain the answer to such questions should be obvious: shady behind-the-scenes dealings of governments and large organizations cause systemic corruption which is infinitely more harmful to the greater common good than anything a private individual could ever do ...

... and of course, it goes without saying, the same applies to large anonymous donations to the Tor project. There is absolutely no reason whatsoever why a million dollar donation of a "North American NGO" should be made anonymously unless, of course, the donor's name is an embarrassment to the project, which it would be if it was Hoover Institution, Soros Foundation, CSIS or other such organizations with a "mission". I know that your wages are paid from donations to the project. But wouldn't you be happier if you knew where the money is coming from and whether there are any strings attached to such a large donation? Most Tor users don't have the ability to verify the security of their clients or the functionality of the network. They have to trust the developers, the maintainers and the operators of nodes and bridges. The project has therefore a responsibility to demonstrate its integrity and trustworthiness by being transparent in its actions and completely open regarding its financial supporters.

You are not being FAIR to the Iranian and Chinese users. We like everyone else struggle for Freedom of Information. Just because we are more technically savvy than our ARAB brothers, it does not mean Tor is only selecting us as users...

You sound exactly like the Iranian Governemtn here :/

August 24, 2012

Permalink

Or, instead of reaching towards social media networks, you could establish your own official DISCUSSION BOARDS like we've been asking for for a LONG TIME now. Whether you host it on clearweb and/or .onion hidden service, OTHER PEOPLE HAVE MANAGED TO DO SO with unofficial forums, SO CAN YOU. Is running a forum brain surgery? Or do you prefer to keep in your quiet little corner serving the 1% on your mailing lists and bug tracker?

Visit some larger Linux discussion forums and notice how many people openly share with each other problems they are having with software, how some manage to help each other without involving developers and how people rally together and collect information to jointly PROVIDE to developers instead of the lone person.

You can do this you just have to WANT to do it. Or you can remain in the little corner of the 1% with the mailing lists and bug tracker.

Believe you me, if you make an official discussion forums, people will come in droves, you will see people collaborating with each other in discussions trying to work problem areas out. You'll see Tor blossom in ways you couldn't with the 1%. One person complained on the tor-talk mailing list about how problematic the Tails discussion forums are. The Tails discussion forum is nothing more than a modified wiki. The format sucks, the moderation sucks, the lack of attention to key problems sucks. The whole design, look, feel, experience sucks! They've tossed users a small, meatless bone, but at least it's something to chew on. Some of the more important questions are often ignored and allowed to age to be forgotten or even DELETED over there.

Don't make excuses, just make a forum so the thousands of Tor users can unite under an official umbrella of discussion. You'll discover people who will give of their time to help moderate and pass information to you. You'll discover the reward is well worth the cost and time of building and maintaining a discussion forum.

Just do it already.

August 26, 2012

Permalink

There was another unofficial Facebook page, and people were asking for tech support there. Then the page started deleting non-English posts. If people are under the impression that Tor doesn't care to communicate with people who speak other languages, despite the fact that the help desk is going to be offered in more languages, we fail in our outreach to at-risk users in countries where censorship and surveillance to suppress freedom of expression are widespread.

Even if the page is just a placeholder with information on how to contact the help desk and (when it exists) the forum, it is better than giving people the impression that an unofficial page is a good way to get in touch.

August 27, 2012

Permalink

"Isn't it against Facebook's user agreement to create an account there under a false name? If so, why would anyone use it via Tor?"

Seriously?
LOL

August 27, 2012

Permalink

http://cryptome.org/2012/08/tor-exits-usg-funds-02.htm

27 August 2012
USG Funding Tor Exit Nodes 2

Previous: http://cryptome.org/2012/07/tor-exits-usg-funds.htm

Some interesting research articles on Tor to go along with your posts on exit node funding:

Automated Exploitation Malware Targeting Tor Users
http://lanl.arxiv.org/abs/1208.2877
(PDF) http://lanl.arxiv.org/pdf/1208.2877v1
(Other formats) http://lanl.arxiv.org/format/1208.2877v1

How China Is Blocking Tor
http://lanl.arxiv.org/abs/1204.0447
(PDF) http://lanl.arxiv.org/pdf/1204.0447v1
(Other formats) http://lanl.arxiv.org/format/1204.0447v1

Effectiveness and detection of denial of service attacks in Tor
http://lanl.arxiv.org/abs/1110.5395
(PDF) http://lanl.arxiv.org/pdf/1110.5395v3
(Other formats) http://lanl.arxiv.org/format/1110.5395v3

Stealthy Traffic Analysis of Low-Latency Anonymous Communication Using Throughput Fingerprinting
http://lanl.arxiv.org/abs/1109.0597
(PDF) http://lanl.arxiv.org/pdf/1109.0597v2
(PostScript) http://lanl.arxiv.org/ps/1109.0597v2
(Other formats) http://lanl.arxiv.org/format/1109.0597v2

De-anonymizing BitTorrent Users on Tor
http://lanl.arxiv.org/abs/1004.1267
(PDF) http://lanl.arxiv.org/pdf/1004.1267v1
(PostScript) http://lanl.arxiv.org/ps/1004.1267v1
(Other formats) http://lanl.arxiv.org/format/1004.1267v1

August 29, 2012

Permalink

Why not just create a placeholder in those networks. Disable comments. Disable forums and so on. Just redirect them to the official support channels.

August 29, 2012

Permalink

When I go to Tor's Facebook page and try and navigate around I keep getting hit with this ridiculous "Not Logged In, Please log in to continue, Log In" message. Is this so that Zuckerburg and Co. can track me? Don't you just hate Facebook! Grrr....

August 29, 2012

Permalink

I've seen "real person" notifications on Twitter homepages of academics, celebrities, other "famous" "notables".
However, these are said to be true accounts, but I don't see any notice that they are real:
https://twitter.com/rupertmurdoch
https://twitter.com/KRuddMP

Facebok, Twitter, etc. need to generate a special html element containing site's "seal of genuine person account".
I suspect the sites resist placing these seals, because genuine persons use weak passwords. Then when somebody hijacks the genuine persons' "genuine" account, the genuine person fails to notice and report the hijacking for days (of mischief).

August 30, 2012

Permalink

If you are going to 'endorse' those platforms, you should also recommend P2P alternatives alongside them as well, such as I2P and Freenet. It'd be a small way to raise consciousness.

Check us out on Facebook! Visit us on Freenet! etc

August 31, 2012

Permalink

Wow! The comments posted are way beyond my knowledge. I do have a very simple question and hopefully someone can provide a very simple, step by step answer.

I want to join Facebook ONLY because the site where I want to post a comment now requires it come through Facebook. I want to remain totally anonymous (IP address, location, name, etc.)

Can and how would I do that through Tor and would my anonymity remain safe?

Thanks for anyone's reply.

August 31, 2012

Permalink

Please don't have anything to do with FB etc.

Its is the nets virtual panopticon and a cancer that afflicts so many these days.

Surely there are other areas of the net that can be utilized or even created?

Tnx.

September 05, 2012

Permalink

Why not create pages in those networks and disable comments, forum? Just link to official support page.

September 06, 2012

Permalink

I live in a country where the State controls all mainstream media. In the last few years quite a few sites have sprung up online where people can discuss and criticise the government freely. This is a country not only where many people cannot speak out openly for fear of being harassed, sued etc; but more importantly the government's control of local and international media prevents any criticism or dissenting voices from being heard. The government have a long track record of silencing critics and the internet is the only method currently available for many to speak freely seek alternative view points.

Unfortunately, some of the sites that have sprung up recently have also subsequently been closed down by various means. Further, the government is itself moving online to drive the media agenda and attempt to win control over the last space where it's influence isn't near absolute. In light of other online sources being silenced, the majority of the debate has gravitated to Facebook; the government knows that to block access to Facebook would be political suicide and so it has now become a vital source of opposition / dissenting views.

I encourage the Tor team and anyone who supports its mission to see engagement through Facebook and other similar avenues not as in opposition but actually a fundamentally important part of its strategy!

September 18, 2012

Permalink

To hell with Facebook and twitter. Keep this safe otherwise we have 2 peepinunb g toms with big mouths that could ruin everything I realize people spend.money on your site just hit them off with thiiii25

September 19, 2012

Permalink

Listen, very carefully. Having an official TOR Project facebook presence will dramatically and rapidly spread and increase the awareness of the project, will educate people on how it works, and will make the entire network stronger as more people take part.

Honestly it's absurd to ignore this. It's a tool for spreading the word, use the tool, and spread the word. You're doing a diservice to the masses by not getting the word out there faster.

Whether you have a presence or not has no relevance to whether people should use it for their own security.

Also, the fact that there are already 2 (non official) pages on facebook representing the project is NOT good. I suggest taking action, NOW. Make an official presence.

-GavinSpaceFace

September 20, 2012

Permalink

I think a few of the commenters here are a bit confused.

The security/privacy issues in social networks, are not relevant to the security/privacy provided by the TOR Project itself. It's an entirely different area and they're not related. People seem to be confusing the privacy of social networks with TOR. If people are opting into social networks, that's their choice. They're obviously not trying to hide their privacy when they do that. MOST people share some information, but want to be able to 'be private' (use TOR) when necessary. Everyone should have the right to privacy WHEN they want it, and to help them obtain that right, we need to share the project in the best way possible - via social networking.

You don't use the TOR browser to go on facebook and log in, it defeats the purpose. A TOR Project facebook presence is about spreading the word to the masses via social networking. People will find out about it, read about it, and learn how to use it. Who cares what comments people post there? The key point of establishing a facebook presence is to a) spread knowledge of it's existence through people liking the page, sharing, others seeing people liking it and wondering "hey whats that about, I'll have a read" etc b) providing an avenue for pushing information out to people (if you want to use that)

I WANT to show my friends TOR. I know from experience that the best and quickest way to show them all would be to like and share it on my page. That immediately hits hundreds of people, and so the chain continues.I also want to be connected to the 'source' in my day to day activities (facebook), without having to explicitly go and seek it out.

I don't understand why people keep talking about TOR building its own forums etc - that's NOT THE POINT here. Whether TOR has forums for support/discussion is irrelevant to the question of whether the project should be marketed/spread on facebook.

Why are people saying things like "dont have anything to do with facebook", "to hell with facebook keep this safe", "facebook is contrary to the TOR mission" - RUBBISH - it's not contrary at all, it's a DIFFERENT AREA of security/privacy - it's not relevant. What you're effectively saying here is "don't allow the masses to be made aware of this tool for learning about privacy and a way to protect themselves" - how is that good for the project? It's not!