How a Pentagon Program and a Hacker Assisted a Revolution

When the Arab Spring protests in Egypt (above) and Yemen began last December, Tor's user base skyrocketed Ron Haviv/VII/Corbis

When Jacob Appelbaum spoke at a workshop for Arab bloggers in Beirut in 2009, he knew his audience would pay special attention. The 26-year-old American programmer had spent the previous year in Egypt, Jordan, Syria, Tunisia and Hong Kong training communities and activists how to use an increasingly popular program called Tor to evade government attempts to track their movements online. Around the world, regimes have been cracking down on online activism—the human-rights group the Committee to Protect Journalists reports that authorities in the Middle East and China imprisoned at least 100 bloggers last year—so anonymity was a matter of personal safety. “Tor allows people to do things on the internet without leaving a trace,” Appelbaum said at the workshop. For software that undermines the power of the state, Tor’s lineage is remarkably establishment: it grew out of the U.S. government.

In 1995 three programmers at the Naval Research Laboratory were looking for a way for soldiers and spies to communicate via the civilian internet without revealing their location or identity. They developed a technique called onion routing, which conceals the origin and destination of individual packets of information by routing it randomly through three participating users’ computers, called nodes. At each node, a layer of encryption is removed (or peeled back, hence “onion”). By the time the three layers have been removed and the information has finished plotting its random course, it is very difficult to figure out where it came from, and who sent it (see How It Works below).

The packets could still be tracked back to the network as a whole, though, and the Navy developers soon realized that their network would be more secure if they extended it to a larger group of users. Indeed, the larger the network (the more users), the more difficult it would be to trace a packet of information back to its point of origin. So in 2006, the Tor project launched as a nonprofit and the program became available to the public as a free download.

A year later, Tor hired Appelbaum as a developer. He had already gained notoriety for hacking Apple’s encryption software, and at first seemed a strange fit for an ex-DOD organization. But Tor is an odd hybrid. Much of its funding still comes from the federal government, but the remaining money comes from the likes of Google and Human Rights Watch. In the five years since Tor went public, its base has grown considerably. Users downloaded the software 36 million times last year.

Tor’s rise has brought it, and Appelbaum, uncomfortable attention, sometimes from the same government that funded its creation. After the activist group WikiLeaks used Tor to upload classified U.S. military documents to its servers in Sweden, the Department of Homeland Security deemed Appelbaum a “person of interest.” On June 14, he was detained by DHS officials and questioned about his association with WikiLeaks. “I refuse to let them stop me from living my life as I choose,” he wrote on Twitter immediately after the encounter.

Recently Appelbaum returned to Egypt to see firsthand the fruits of his travels through the region in 2009. “During the Arab spring protests, we saw a huge increase in the use of Tor,” he says. Tor downloads grew fivefold in the days before January 27, when Egypt switched off its Internet. But this return trip wasn’t a vacation. He was busy answering questions from activists about the country’s not-yet-ratified bill of rights. “They wanted some advice on privacy issues,” he says.

How It Works: Onion Routing

Computers running the program Tor route encrypted information randomly, making it difficult to trace. Above, when a user on the upper left sends a packet of information [M], it travels a roundabout route through nodes—other computers in the Tor network. As it travels, layers of encryption are peeled away [3, 2, 1], until it arrives unencrypted.