The Russian government has issued a bounty of nearly 4 million rubles ($100,000) to be awarded to anyone who can deanonymise users of the Tor network, according to an apparent tender from the Interior Ministry uncovered by Global Voices.
The competition is only open to Russian researchers, it seems, with a Google Translate version of the announcement reading, “In order to ensure the country's defense and security of the State Government of the Russian Federation establishes a prohibition on the admission of works carried out by foreigners.”
Curiously, a log on the page shows that changes were made to the tender this morning, and there is now little direct reference to Tor. But according to Simon Sharwood at The Register, the original version was seeking researchers to "study the possibility of obtaining technical information about users (user equipment) TOR anonymous network," before the wording was changed.
Global Voices writer Kevin Rothrock suggested via tweet that Tor is still mentioned in the updated version of the document, but is written as "TOP," with the "P" being the Cyrillic letter for "R."
I've reached out to the contact listed on the page to ask why the change was made and to verify details of the tender, and will update if I get confirmation. In the meantime, Rothrock has tweeted an image of the original tender, with the word 'TOR' in the right-side image.
The Tor network was originally a project of the US Navy to assist political dissidents in countries such as Iran. It's now maintained by a non-profit, although it still receives the majority of its funding from the US government. By routing a user's internet traffic through different points around the planet and hiding their IP address, it provides a high degree of anonymity for browsing the internet and communicating securely.
I asked Andrew Lewman, executive director of the Tor Project, what he thought about the announcement. “We haven't talked to the Russian Police, but we can guess that like all police forces, they wish for a magic button to find criminals online. Such a magic button doesn't exist, but it won't stop them from wishing for it,” he told me over email.
Others suggested that cracking Tor might not just be a way to catch crooks.
“The Russian Federation has for many years been quite keen on restricting the activities of activists, journalists and NGOs,” Smári McCarthy, a software developer and founding member of the Icelandic Pirate Party, told me. “With Tor getting a lot of well deserved attention, precisely because it is secure, more and more people will want to use it, which creates more and more difficulty for totalitarian governments.”
Indeed, usage of Tor in Russia spiked recently after the introduction of a new anti-blogging law, and last year the FSB tried to ban Tor altogether. McCarthy pointed out that plenty of those who use Tor are not criminals or terrorists. “It's governments, law enforcement, and military, it's NGOs, activists and journalists, it's doctors, lawyers and social workers, it's everybody who has, for any reason, anything they'd like to not have exposed to the entire world.”
Image: Tor Metrics
But the leader of Russia's Pirate Party, Stanislav Sharikov, told Global Voices that this attempt might be more to do with child pornography than anything else, because the money is being offered by the Interior Ministry, and not an intelligence agency.
Nevertheless, if someone were to find a way into Tor, it could affect all users.
“The problem is this: when governments start to fund the erosion of information security, they do so for everybody, including themselves,” McCarthy continued. “By issuing such a bounty they are effectively supporting the extant buyers market in electronic weapons which the US, UK, Israel, Pakistan, India, and various other countries have been driving for many years. This is literally a case of tax money being used against the citizens of the countries in question, and the rest of the human population. It is entirely unacceptable by any measure.”
Tor was in the headlines again this week because of an axed talk at the upcoming Black Hat security conference. The researchers touted that they could reveal a Tor user's identity with gear as cheap as $3,000, but the talk was cancelled because of legal pressure from the researchers' institution. In their case, however, the details were going to be made public knowledge, so that the Tor Project could work on fixing the issues raised. Presumably, Russia has other plans.
Nevertheless, in a strange way, the bounty could make the network even stronger. Lewman from Tor continued, “What the Russians have really done is effectively offer a bug bounty program for Tor. We assume many other national police forces are doing the same thing, just not publicly. We have a good track record of reverse engineering attacks and fixing the attack, even when we're not told the details. There are some talented people in Russia who will likely try to get some funding for finding bugs. It will be interesting to see if they find anything; and if they do, if the bugs are around design or more standard software vulnerabilities.”