With privacy concerns and the threat of surveillance from the likes of the NSA, more and more people are turning to the dark web and Tor. The anonymous, encrypted network has become a haven for not just illegal activity, but also for those who simply don’t want what they do online to be tracked and traced.
But now the Tor Project has voiced concerns that CDN and DDoS protection service CloudFlare is monitoring Tor traffic by introducing CAPTCHAs and cookies. CloudFlare is not alone: similar accusations are levelled at Google and Yahoo, which are described as 'larger surveillance companies'. Concerns about interference with Tor traffic have been raised by project administrators in a ticket entitled "Issues with corporate censorship and mass surveillance".
Following instances of malicious traffic originating from the Tor network, CloudFlare introduced CAPTCHAs to ensure that visits to certain sites were being instigated by humans. This has not only proved irritating, but also unreliable. CAPTCHAs have been found to frequently fail, and appear multiple times. But more concerning is that it opens up the potential for users to be "tagged, tracked and potentially deanonymized".
In a post on the Tor Project website, user ioerror says:
There are concerns about CloudFlare's apparent lack of transparency, although an employee for the company did get involved in the discussion. ioerror continues:
There are no denials that the Tor network - thanks largely to the anonymity it offers - is used as a platform for launching attacks, hence the need for tools such as CloudFlare. As well as the privacy concerns associated with CloudFlare's traffic interception, Tor fans and administrators are also disappointed that this fact is being used as a reason for introducing measures that affect all users.
Ideas are currently being bounced around about how best to deal with what is happening, and one of the simpler suggestions that has been put forward is adding a warning that reads "Warning this site is under surveillance by CloudFlare" to sites that could compromise privacy.