Tor usage doubles in August. New privacy-seeking users or botnet?

Filed Under: Featured, Privacy

The anonymising service Tor has seen a huge surge in use this month with the number of daily directly connecting users shooting up from a fairly consistent average of 550,000 over the last year to over 1,200,000 in August.

Directly connecting users year

The number beats the network's previous peak in January 2012 by a long way, when it recorded around 975,000 daily users.

With privacy concerns growing in the US and UK, the Register reports that at the start of August around 90,000 Americans and 16,000 from the UK were connecting to Tor daily, but that the figure has now grown to around 150,000 daily users in the US and 35,000 in the UK.

India too saw a large increase in Tor usage as the average number of daily users leapt from 7,500 to 32,000 and China registered around 400 Tor users - significant given the country's internet controls via what's often referred to as the 'Great Firewall of China'.

Even Tor's Roger Dingledine is not sure what's going on.

Dingledine said "It's easy to speculate" as to what could be behind this surge in usage of Tor which anonymises internet traffic through a complicated network of connections and redistribution points around the world.

Recent revelations from Edward Snowden about the NSA's PRISM program being used to track global internet activity is an obvious starting point when looking for causes.

TorOther significant events that may have led to an increase in Tor usage during August include the sudden and voluntary closing of secure email providers Lavabit, used by Snowden, and Silent Circle on 8 August.

Lavabit owner Ladar Levison closed his service down, saying that a government investigation would force him to "become complicit in crimes against the American people."

In an interview with The Guardian Levison said, "We are entering a time of state-sponsored intrusion into our privacy that we haven't seen since the McCarthy era. And it's on a much broader scale."

Then, on 10 August, the Pirate Bay file-sharing site released Pirate Browser - a web browser that uses Tor to aid users in circumventing government censorship of specific sites such as torrent networks and other file-sharing sites. (Note: readers concerned with their privacy and considering the Pirate Browser should understand that, unlike Tor, it does not anonymise its users.)

Later in the month the partner of Glenn Greenwald, the journalist who has broken a series of stories about Edward Snowden, was detained for nine hours at Heathrow airport. The upturn in Tor usage can be clearly seen a couple of days after David Miranda's arrest on 18 August.

But there is something a bit odd about all of this. The chart is actually remarkable for how much it doesn't change throughout these seismic events.

Usage is determinedly unchanging despite a multitude of reasons for it to increase and then suddenly, inexplicably, it doubles from a year-long plateau in the space of a week.

Directly connecting users AugustThe folk on the tor-talk mailing list are suspicious too. The last exchange on the subject reflects a feeling among some that the growth is unnatural:

grarpamp: Too big a double in under a week for me to believe it's natural growth ... I'd guess it got included in some app. A botnet fits perfect ... Or its some sort of analysis/attack/flood against the dirs.

Paul Syverson: Or somebody's research experiment gone awry, or behaving predictably but that they didn't think a concern worth mentioning, or...

Malicious stuff happens, but most of the time these things are incompetence or similar rather than malicious intent.

Whether it's a botnet, a research experiment or something else altogether, the jury is out on the cause of the increase in Tor usage.

What's your theory? Let us know in the comments below.


You might like

18 Responses to Tor usage doubles in August. New privacy-seeking users or botnet?

  1. atarifrosch · 774 days ago

    That guy's name is _Roger_ Dingledine, not Richard. Or have I missed something? ;-)

    I guess it's both, bots and more users. I've seen an increasing number of spam comments in my blogs from Tor exits in the last few months (remarkable: almost all of them copy-and-paste-spam using comments from other blogs/forums/etc.). So there are surely (more) bots using the Tor network to spread spam.

    • markstockley · 774 days ago

      Yes, of course it is. I've corrected the article.

  2. Richard Snaffoo · 774 days ago

    Maybe there's a bug in the telemetry system?

  3. Marty G · 774 days ago

    If they are primarily exit nodes, I'd guess that someone is trying to commandeer exit nodes to reduce anonymity.

  4. Mr Hawken · 774 days ago

    Surely the Pirate Bay's new browser, based on Vidalia's TOR client and released this month, has caused a significant increase in TOR traffic. Your post mentions the significant increase in the UK, where the Pirate Bay is subject to an ISP ban. The browser is specifically designed as a workaround to this ban.

    • markstockley · 774 days ago

      This is discussed at length on the tor-talk mailing list (see the link in the article and go through the thread).

      Personally I don't buy it - all of the publicity for the Pirate Browser broke on August 12 and it will have peaked in the news cycle that day or the following day. But there is absolutely no movement in Tor usage on that day, the day after or the day after or the day after that... in fact the surge happens a week later.

      Did a half a million people all agree in total secrecy to not use Pirate Browser for seven days for absolutely no reason and then all start using it at exactly the same time? I doubt it. It had been downloaded 100,000 times by August 15th - where are those users on this chart?

      Also the adoption curve looks all wrong to me - I'm not a mathematician but I've looked at enough charts that reflect human behaviour to know that it just doesn't look right.

      If I saw a chart like that in the course of looking at a customer's website and saw that usage had doubled in a week after holding steady at 500,000 for a whole year I'd say it's an error or monkey business.

  5. Nigel · 774 days ago

    There is insufficient data for me to form a credible hypothesis as to what might be the cause, let alone a theory. Folks who have greater expertise than I do would be more qualified. Any hypothesis would have to be corroborated with multiple observations before I'd be willing to call it a theory.

    Anyhow, here's my coarse-level hypothesis: Somebody is doing something on purpose. It seems unlikely that the number of folks who are smart enough to even be *inclined* to use Tor in the first place is not going to suddenly take such a huge jump upward in so short a time. That would require educability, and the number of people who are educable in any given subject doesn't usually show a positive second-order derivative (concave upward).

    In other words, the growth is not just increasing (first order derivative), it's accelerating (second order). Starting on August 18 through August 22, the second order function is positive. On August 23 it goes negative. It's unlikely that such behavior is an education-based phenomenon. Somebody is doing something. On purpose.

    As to who it is and why they're doing it, one speculation is as good as another. Perhaps it's a renegade group of time-traveling Ferengi manipulating Tor for their own devious purposes. ;-)

  6. Why can't we just fight against this "Prism" like we did sopa? The US doesn't own the Internet, and we need to show them that!

  7. spryte · 774 days ago

    I have to agree with Nigel. Something else is going on other than downloads from PB.

    My 2¢ is on the TLAs involved in the above mentioned PRISM thing.

    The Ferengi already know there is nothing of value left on earth, but perhaps Zaphod Beeblebrox is in orbit data mining. Seems metadata is valued highly here and may be worth something.

  8. ScottK · 774 days ago

    I'd honestly have my money on a botnet being managed via Tor. It makes sense, with all of the large botnets being taken out by corporate/government initiatives, a Tor botnet would be next to impossible to track, pin, or protect against. The curve of adoption, however, points to an existing botnet that got upgraded with this new functionality. It'd be more sloped and a gradual step up if this was a brand new infection that had to be distributed throughout the internet. The almost overnight adoption of all these clients sounds like an upgrade being pushed through a C&C server.

  9. foo · 774 days ago

    Linux Format included a DVD of Tails at the beginning of this month.

    Tails is a linux distro based on Debian Live 6.0.7. It can run from a DVD or from a flash drive.

    Tails forces all Internet traffic over TOR. Tails might account for a small fraction of the increased usage of TOR.

    The Register also covered the topic of the increase of TOR usage.

  10. We know that around the 19th of August it started. Even some of the smallest places had 5 users Tops before and then 40-50 users - that does not make sense--- I track the Tor Networks relays (Swear Not My Fault-) and on my chart - we also see an up-ticks on for that timeframe --// V2Dir, Named, Guard and even bad Exit relays jumped up during that timeframe. BUT process Cycle Processing TIme - stayed pretty even--//

    So we see a jump on the Tor-OR but not really enough to justify this very big jump in users- At least the Tor-infrastructure does not support these users with heavy user loads. --Maybe--A crazy experiment - Very Possible - another Tor-Bot Net- maybe-- and the mystery 2cents...//

  11. paztek · 773 days ago

    Or maybe the NSA anticipated a massive move of users to the TOR network and deployed hundreds of passive nodes to sniff on traffic.

  12. Richard · 773 days ago

    Maybe this surge of users is government computers aimed at consuming precious bandwidth and slowing the TOR network down to a crawl. That would force frustrated users out of TOR and onto their normal, unencrypted internet connections, which the government can easily monitor.

  13. zengator · 772 days ago

    So what was happening in late 2011 where there were similar (possibly) spikes?

    I say "possibly" because those were spikes: usage way up, usage back down. Whatever is happening in the here & now though hasn't yet proceeded to the usage dropping back down to "normal".

    for a high-level view from 2011-01-01 through 2013-09-01. Granted, 2011 was overall a somewhat chaotic period WRT usage, but it had settled down for about four or five months and then there were three spikes: mid-Oct, late-Nov, and Early-Jan, after which things settled down very nicely for the following 18-19 months. Even considering the "natural" sort of growth--albeit rapid--evident in the Aug through Oct 2012 timeframe.

    Close look at the three spikes here:

  14. Ben Dover · 766 days ago

    NSA is trying to map out the entire Tor network.
    Anonymity = lost.

    My 2 cents.

  15. Ryan Westbury · 753 days ago

    I honestly believe that the Deep Web has been exposed as a new exploration for anyone using the internet. There have been many new published posts about the deep web, and i believe no one knew about it until recently this year. This new part of the 'internet' called the deepweb has everyone very curious to see what it has to unveil.

    • Paul Ducklin · 753 days ago

      Well, we wrote an article giving a reasonably detailed overview of the Deep Web last year, so at least we knew about it earlier than you suggest :-)

      As @Mark Stockley suggests above, something that had made "everyone very curious to see" just wouldn't cause an uptake "curve" with that shape. It would be, well, more of a slope, and less of a cliff.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.