FOSDEM '10 is a free and non-commercial event organized by the community, for the community. Its goal is to provide Free and Open Source developers a place to meet. No registration necessary.


Interview: Andrew Lewman

Andrew Lewman will give a talk about Tor at FOSDEM 2010.

Could you briefly introduce yourself?

I'm Andrew Lewman, the Executive Director of the Tor Project. I was a volunteer helping with packaging, website and blog maintenance, advocacy, and running relays for five years until quitting my day job and joining The Tor Project full-time in 2009.

What will your talk be about, exactly?

A general overview of why online privacy is needed, what Tor does, and why we need help from developers, technical writers, graphic artists, and researchers.

What do you hope to accomplish by giving this talk? What do you expect?

I hope more people will hear about Tor, understand how it works, and be excited to join us in growing the Tor software and network.

What's the history of the Tor project? How did it evolve?

Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. We applied onion routing to the Internet in 2001, called it Tor for "Tor's onion routing" or "The onion router".

The original idea was to allow online users to gain control over their information automatically collected, collated, and processed by ad networks, ecommerce sites, and their own ISP. Many academic researchers are working with us to devise attacks against online anonymity, as well as derive solutions to these attacks.

Over time, we've been introduced to many more uses than originally envisioned; from governments worried about traffic analysis, private citizens worried about identity theft, protecting children online, and recently as a circumvention tool to bypass Internet censorship.

How big is the Tor developer community?

The Tor developer community is 19 core developers, with another 5-10 committers. There are others developing completely independent control applications for Tor like TorK, developing accessory apps to Tor, such as Tor Weather, arm (anonymizing relay monitor) for Tor relays, and entire privacy-enhanced live CDs like Incognito and anonymOS.

Do you have statistics about the number of Tor users?

We run an anonymity and privacy network, so getting detailed statistics is difficult and would be contrary to our goals. We do statistical sampling of the number of clients and country of origin. All of our data and processes are found at the Tor Metrics Portal. We've recently opened up the Mozilla Torbutton portal, so users can see what Firefox is recording about them, and make the appropriate changes.

Roughly, we have between 300,000 and 500,000 daily users, with tens of millions of downloads over the years. We believe the typical use case is that someone turns on Tor when they need it. This implies we have a large installed base, but a smaller daily userbase.

Can you tell us about some success stories of users?

People generally don't want their names attached to their success stories. We have a list of actual stories collected from users. Soon, we will also have a list of personal interviews with users willing to go on the record.

While it seems reasonable for activists, journalists and bloggers to use Tor, the first class of users that is mentioned on Tor's website are "normal people". To me it seems that these people don't care about the level of anonymity that Tor offers. And even if they care, they have to change their browsing habits dramatically, which is not trivial and probably not worth the effort for them. So is Tor really suitable for "normal people"?

The vast majority of people that tell us they use Tor are regular people. Some use it to circumvent their company firewall to get to GMail to check their calendar to see when they need to pick up their kid from soccer practice. Others use it because their country blocks access to their favorite news or comic website. Some people are worried about what ad networks may know about their browsing habits, and others about what their ISP or their favorite coffee shop owner knows about them.

We've tried to make using Tor as easy as possible, and integrated into how people use the Internet now. The Firefox extension called Torbutton is one way. Simply toggle it on or off as needed.

Part of what makes Tor secure is the number of people using it, but it is also a danger, because some of these people don't have good intentions and use Tor to conceal their illegal activities. For example, there was this story of a person running a Tor end node, who got a visit by the police because someone used Tor (and his exit node) to surf to child porn. And this was not the first time. This makes me wonder if the Tor architecture is scalable on the human level? It needs enough exit nodes to offer anonymity, but with more people using Tor, the more people will abuse it, and more people will stop running exit nodes because of the risk that they will be held responsible for it.

Yes, jerks exist on the Internet and they sometimes use Tor as well. Tor's legal protections vary by country. In most countries, Tor is considered an ISP or "common carrier" where relay providers aren't responsible for the content they pass. In other words, Tor is considered a phone company. This legal status provides plenty of protections to relay operators. We've recently rolled out a legal directory to help relay operators to better work with law enforcement and to protect their rights.

Everyone remembers the sensational stories, but no one thinks that for every one investigation there are literally months of traffic, in the petabytes, passing through the Tor network without issue. The world press only focuses on the negative experiences of relay operators. The news from China and Iran has helped counter the negative press about Tor.

Tor is an infrastructure tool on the Internet. Botnets, phishing schemes, zombie computers, and viruses all exist too.

All technology has dual purposes. We promote the good, work with law enforcement where needed, and continue to develop Tor to help those who want to protect their privacy and anonymity online. We've been at this for 9 years. As lives move online, privacy and anonymity online continue to grow more important.

What new functionality will we see in Tor this year?

We're working on dramatically increasing the performance of Tor, getting Tor into mobile devices, integrating Tor into a "private browsing mode" of either Firefox or Chrome, and continuing to research new attacks and solutions to online privacy and anonymity.

Have you enjoyed previous FOSDEM editions?

This is my first time.

This interview is licensed under a Creative Commons Attribution 2.0 Belgium License.