In July I noted that a company calling itself Ninjastik had popped up selling what looked to be essentially the Tor Browser Bundle on an 8 Gig stick for $56.95 or a 16 Gig stick for $69.95. As I expected, we have now seen one or two more companies attempting to sell products which leverage Tor – in effect they are trading, or attempting to trade, on the Tor reputation. The first such product to gain prominence is the so-called “safeplug” which appears to be made by the pogoplug guys. Roman Mamedov over at the tor-talk mail list suggested that someone might like to buy one of these and run a tear-down to check it out. No-one has yet owned up to spending the requisite $49.00, but that has not stopped a lively discussion about the value or otherwise of an “off-the-shelf” commodity device which purports to offer “complete anonymity and peace of mind”. As some commentators have said, that looks like dangerous advice. Tor is a complex system. It does not, and cannot offer complete anonymity if you don’t know what you are doing. Selling access to Tor in such a fashion looks like the actions of opportunistic snake oil salesmen.
This brings us to the second new device to pop up on the radar, the Open Router Project, or ORP. Here we have a crowd-sourcing plea for funds to develop what, on the face of it, looks to be an interesting device. The developers claim that ORP1 will offer:
a high performance networking router that allows you to run a firewall, IPSec VPN (virtual private network) and a TOR server for your home network.
Its easy-to-use web interface will make encrypted and anonymised communications for your entire network easier to set up and manage. Now you don’t need to be a geek to be able to ensure that every device you use at home uses the internet with privacy, whether it’s your home PC, smartphone or tablet.
It’s that “you don’t have to be a geek” bit I worry about, particularly coupled with the promise of an “easy to use web interface”. Unfortunately, you /do/ have to be at least a little geeky to ensure that you remain anonymous when using Tor (or even VPNs, especially IPSEC VPNs). And read the “Stretch Goals” bit on the indiegogo site. That looks decidedly geeky, and is indeed described as such.
But we have a genuine problem here. All Tor users and evangelists want to see greater use of network level encryption in general and Tor in particular. Getting foolproof consumer devices which offer that into the hands of a much larger population of users must be a good thing. The devil, however, is in the detail. As some commentators on the tor-talk list pointed out, most people attempting to use such devices will become frustrated by the limitations Tor imposes (no scripts, no flash, blocks on many websites, odd language problems etc.). In the face of such difficulties, and without understanding why these happen, there is a danger that Tor becomes branded as unusable. In the worst case scenario, the poor unsuspecting user can actively but unwittingly de-anonymise him or herself whilst continuing to use the consumer device in the belief that it is still offering protection.
That said, I would love to see a foolproof consumer device which I could give to my kids in the knowledge that it would offer them the kind of privacy and anonymity they need and deserve. But I just /know/ I’d get lots of “support” calls.