How Tor improves usability without compromising user privacy
Isabela and a colleague at the Tor Project table at LibrePlanet 2019.
The Tor Project is a nonprofit whose mission is to advance human rights and freedoms by creating and deploying free software anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.
We are the developers of the Tor network and Tor Browser. The Tor network protects the privacy of 2.5 million users every day via “onion routing,” which directs Internet traffic – email, instant messages, online posts, Web form visits, and more – through a multilayered network that obfuscates who the user is, concealing their identity and location. It can be accessed through Tor Browser or integrated into third-party applications and Web sites, to protect users against network traffic analysis, government censors, and network attacks.
Users depend on Tor for matters of huge importance like circumventing censorship, protecting democracy, and even protection from violence. It’s extremely important that our tools are easy to use.
However, because our design prioritizes privacy, our tools gather very little information about our users, which makes it difficult for us to communicate with users and determine what their needs are. Our metrics portal has some usage data about which countries users connect from, and if the user connected directly to the network or had to use any circumvention tool. We also meet users at conferences and training sessions. And we utilize research published by the academic and research communities, which have always collaborated with Tor.
So until recently, we did not have a systematic and proactive way to involve users and integrate their use cases and feedback into development cycles. This is why, early in 2018, we began our User Research Program, where our team meets users face to face. This meant building a digital security training program for partners in the Global South who are working on human rights struggles within minority communities in the region. We incorporated user research as part of our trainings by doing interviews and collecting user feedback on the tools we taught participants.
During every training, we carry out a threat model exercise that will influence the content of the training. We created courses with different modules that can be put together according to the needs of the participants. Along with Tor Browser, we teach about other tools that improve security: for instance, in trainings customized for journalists, we talk about ways to securely share sensitive information using OnionShare.
So far, this program has reached an audience of over 800 people in countries like Brazil, Colombia, Mexico, India, Indonesia, Kenya, and Uganda. We collected and mapped real user stories, identified the patterns across them, and created five “personas,” to help our teams understand who is using their tools and what their needs are. These are just a small reflection of user needs, and are not real individuals. The personas are:
Jelani, the human rights defender: Jelani lives in Uganda, and is a human rights defender who publishes information related to the LGBTQ+ community. He wants to minimize risk of arrest for doing this in a country where LGBTQ+ people are criminalized.
Aleisha, the privacy-seeker: Aleisha is facing domestic violence from her husband and is looking for a safe way to seek help.
Fernanda, the feminist activist: Fernanda is another activist, a feminist who also wants to publish information online without fear of surveillance and arrest.
Fatima, the censored user: Fatima is looking for a way to circumvent censorship safely, so she can do research online.
Alex, the fearless journalist: Alex wants to chat and receive information securely without compromising his sources.
Since we started this program, every stable release of Tor Browser has been influenced by the feedback collected in the program. Tor Browser 7.5 had our first iteration on Tor Launcher. At 8.0 we launched new user onboarding to help explain how Tor Browser works, plus a new circuit display, our first step towards eliminating Torbutton and integrating Tor Browser’s features where they would normally exist in the browser. With this release, we also launched Moat, an easier way for censored users to request a bridge.
Our 8.5 release marked an important milestone by bringing Tor to mobile. The people we met in our research primarily used mobile devices to connect to the Internet, so this was a necessary step to expand access to the people who need Tor the most. Based on that, we decided to create Tor Browser for Android, back in May 2019. As of this writing, now, our app has more than 10 million installs!
On 9.0, we finally killed Torbutton, which users didn’t find intuitive enough: previously, our security level settings, were in a pop-out window that you would open through Torbutton. Now, these settings are accessed through a shield icon close to the URL bar, which indicates which level of security you are using; when you click on the shield, there is a door-hanging message with a button that takes you to the “Privacy and Security” settings of the browser. This is a closer match to where users expect to find these settings in the browser, and we now have more space to include better descriptions so users can make the best choice for the security option they need.
For 9.5, we did a full revamp of our .onion services experience. We created the Onion Location feature for Web sites that have both normal domain addresses and .onion addresses, like the New York Times or BBC. If a user opens one of these sites on Tor Browser, a little button will open on the URL bar indicating that a .onion is available for the site. The user can click on it and be redirected to the more secure option, the .onion one. This spares users the task of keeping track of which site has a .onion address and what those addresses are, since they normally are long strings with random characters and numbers; instead, with this feature, the system automatically notifies them that they have this option.
We also built a prototype that aims to fix the usability issue of our long hash .onion addresses, Onion Names. In a partnership with SecureDrop and HTTPS Everywhere, we created human-readable addresses for SecureDrop instances. This solution helps users go to .onion sites that do not have a normal domain associated with them. Upon launch, Tor Browser retrieves a map of notable .onion addresses to human-readable aliases, called Onion Names, and keeps it up to date. For example, the onion name lucyparsonslabs.securedrop.tor.onion is mapped against the SecureDrop address for Lucy Parsons Labs, making it easier for sources and journalists to go to those SecureDrop sites.
Since the COVID-19 crisis started, we have seen certain use cases emerge with more frequency than before, since everyone was forced to go online for most of their communication and work activities. The “Aleisha” persona is now more relevant, since cases of domestic violence have increased due to the need to stay home to isolate. Some of our partners in the Global South are organizations who work with domestic violence and have asked for our help in providing special trainings for this type of situation.
We also composed a “remote work and personal safety guide” with some guidance for organizations that found themselves forced to be 100% digital and were worried about the security of their work. Since the pandemic started, we have moved our training operations to remote, and created new modules that are focused on the specific needs that have emerged.
Another initiative we created is an open, anonymous survey to collect Tor Stories. Through the testimonies shared with us, we heard for example how a father is protecting his kids and their friends with Tor. We also learned how Tor grants access to blocked resources online in Iran, as well as someone who is using Tor for research about being transgender and accessing a site blocked by their school network.
The diversity of use cases of Tor is enormous, and every time we have the opportunity to hear from people why they use our technology, we learn new motivations. Most recently, we ran the campaign #MoreOnionsPorFavor, asking folks to create an .onion address for their Web site and to add the Onion Location feature (launched as part of our 9.5 Tor Browser release). The result of this campaign showed different use cases of Tor from the .onion service provider side, and we were able to collect the needs of sysadmins so that we can build solutions that will make it easier for them to deploy a .onion site and to then monitor that instance.
These use cases included organizations as well as individuals. The onion service protocol uses the Tor network so that the client can introduce itself to the service, and then set up a rendezvous point with the service over the Tor network. Because of that, onion services can only be accessible via Tor, giving users all the security of HTTPS with the added privacy benefits of Tor Browser. Many service providers, like social media Web sites, news Web sites, and crypto wallets also want to add Tor as a feature to improve their users’ security and privacy, and offer them an easy solution against censorship.
Another interesting case that emerged was from a French criminal lawyer who created a .onion address for his firm just to promote Tor to other lawyers, who he said “often use encrypted message services but do not consider the matter of anonymity online.” The Deutsche Welle, a major newspaper from Germany, decided to “use Tor to reach people in censored markets who previously had limited or no access to free media,” and many other news organizations have done this as well.
As you can see, the Tor network is the foundation for other technologies and organizations to provide privacy, anonymity, and censorship circumvention for their users. As we move most of our lives online, these features are becoming more and more critical. During the United Nations (UN) General Assembly, a group of organizations delivered a letter to the president of the assembly, calling the UN to prioritize digital trust and security. We’re glad to see growing recognition of the importance of tools like Tor, and how it is possible to build technology that provides “trust and security” to its users.
Are you a Tor user? Your experiences count, and letting us know how you use Tor will help us make it even better. You can become a tester by joining our tor-qa mailing list. And if you’re not a Tor user, we encourage you to start today: you will gain protection from trackers and surveillance, increase your online security with strong encryption, and be able to access Web sites freely. And by becoming a Tor user, you will also be helping other Tor users: as we say, anonymity loves company! The more people use Tor, the more secure and anonymous all users can be.
Photo Copyright ©2019 Free Software Foundation, Inc., by Madi Mühlberg. This image is licensed under a Creative Commons Attribution ShareAlike 4.0 International license.