All posts by Lawrence Christopher Skufca, J.D.

My name is Lawrence Christopher Skufca. I am currently a civil rights activist and pro bono legal advocate in the Camden, New Jersey area. I hold a Juris Doctor in Law from Rutgers School of Law – Camden; a Bachelor of Arts in Political Science from Furman University; and an Associate of Arts in Social Sciences from Tri-County Technichal College.

Black Lives Matters Ousts Prosecutors who Refused to Indict In McDonald and Tamir Rice Cases

Chicago prosecutor loses her fight with Black Lives Matter

Demonstrators calling for an end to gun violence and the resignation of Chicago Mayor Rahm Emanuel march through downtown on December 31, 2015 in Chicago, Illinois.Image copyrightGetty Images

While most of the focus of Tuesday night’s primaries was on the battle for the White House, something extraordinary occurred in two local elections. Both Chicago’s Cook County State’s Attorney Anita Alvarez and Timothy McGinty, the Cuyahoga Prosecuting Attorney in Ohio, lost their bids for re-election.

In Alvarez’s case, it was a blow-out – she lost to her opponent almost 2-1.

As the so-called “top cops” in their respective jurisdictions, Alvarez and McGinty made key prosecutorial decisions in the controversial killings of unarmed African Americans by police officers. For Alvarez, it was the death of Laquan McDonald, shot 16 times by former officer Jason Van Dyke in 2014. In Cleveland, McGinty recommended that a grand jury not charge the officers who shot and killed 12-year-old Tamir Rice in a public park.

These are not the first prosecutors who recently failed to secure another term on name recognition and a “tough on crime” platform as the need for criminal justice reform gathers steam across the country. But they are the first ones to have faced off directly against the Black Lives Matter movement and lost.

“Black youth kicked Anita Alvarez out of office,” the Chicago activist group Assata’s Daughters wrote in a triumphant statement last night. “Just a month ago, Anita Alvarez was winning in the polls. Communities who refuse to be killed and jailed and abused without any chance at justice refused to allow that to happen.

Anita AlarezImage copyrightGetty Images

“We did this for Laquan.”

According to the widely disseminated original account of the shooting of Laquan McDonald, the teenager had lunged at officers with a knife when he was shot. But dash camera footage of the incident – which was obtained by local journalists – showed he was moving away from police when Van Dyke opened fire, striking the 17 year old multiple times as he lay on the ground.

Though Alvarez ultimately charged Van Dyke with first-degree murder, she did it more than a year later, just before the camera footage was to be made public by a judge’s order. The timing gave the distinct impression that a cover-up had barely been averted, and that Alvarez was more interested in protecting the jobs of officers than she was in justice.

Alvarez ignored calls for her resignation and always maintained that she waited more than 400 days because she believed that a federal investigation needed to be completed before charges were brought against Van Dyke.

“I don’t believe any mistakes were made,” she insisted during the campaign.

A coalition of activists – members of Black Youth Project 100, Assata’s Daughters and Black Lives Matter Chicago – did not endorse Alvarez’s challenger, Kim Foxx. Instead they joined forces to oppose Alvarez.

Their protest and canvassing efforts culminated in the hashtag campaign #ByeAnita, words which could be seen fluttering on a huge banner trailing behind an airplane flying over downtown Chicago on election day. Alvarez started the day with a lead in the polls, but without key endorsements from former allies and the local media.

In the Rice case, McGinty encouraged a grand jury not to charge the two officers who opened fire on Rice after less than two seconds on the scene. After they obliged, McGinty said evidence showed it was indisputable that Rice was reaching to pull out his pellet gun when he was shot, despite differing expert testimony.

Tim McGintyImage copyrightGetty Images
Image captionTim McGinty

This was seen as a knee-jerk response to protect police, and Black Lives Matter Cleveland showed up with members of Rice’s family to picket McGinty’s home during the campaign. As Cleveland Scene editor in chief Vince Grzegorek sees it, nothing but public outrage can explain McGinty’s fall.

“It’s hard not to see the vote as anything but a referendum on McGinty’s handling of Tamir Rice and other police use-of-force cases,” he wrote in an email to BBC News.

The Black Lives Matter movement has been criticised for its lack of focus, aversion to a hierarchical structure, and inability to translate rage from street protests into tangible political goals. They have not coalesced behind a presidential candidate, and have disrupted both Democrats Bernie Sanders and Hillary Clinton at campaign events.

Aislinn Pulley, cofounder of Black Lives Matter Chicago, declined a recent invitation to the White House, deriding it as a “photo opportunity”. For those reasons, the movement has often been dismissed as an aimless and empty social media campaign.

Police officers push back demonstrators who continue to protest the fatal police shooting of Laquan McDonald as they attempt to disrupt holiday shoppers along Michigan Avenue December 24, 2015 in Chicago, Illinois.Image copyrightGetty Images
Image captionBlack Lives Matter protesters in Chicago tried to shut down holiday shopping to draw attention to the Laquan McDonald case

But last night’s results answered those criticisms with definitive proof of the movement’s real political clout. The fact that the focus has shifted from police officers to prosecutors is significant, and these races prove that activists’ message resonates with voters. Prosecutors and politicians are now on alert – ignore their concerns at your own professional peril.

“For an evolving movement – youth-driven – to discover that it has this sort of electoral power, I can’t predict what will flow from that,” says Jamie Kalven, founder of the Invisible Institute, a non-profit journalism outfit on the south side of Chicago. “It’s really something.”

Where this newly discovered political might goes next remains to be seen. Chicago Mayor Rahm Emanuel, who like Alvarez denied that he was slow to act or that he was part of a cover-up, has already survived a re-election campaign – one that took place before the tape’s release and just days before the city settled a civil lawsuit brought by McDonald’s family. He’s been called “political poison” by the Chicago Tribune – Sanders tried to hurt Clinton in the Illinois primary by pointing out her ties to Emanuel.

Police stand outside the house of Prosecutor Timothy McGinty as people protest in reaction to Cleveland police officer Michael Brelo being acquitted of manslaughter charges after he shot two people at the end of a 2012 car chase in which officers fired 137 shots May 23, 2015 in Cleveland, OhioImage copyrightGetty Images
Image captionLast year people protested outside of McGinty’s house in response to another officer being acquitted of manslaughter

“I’m quite sure he would concede the point that if he were on the ballot yesterday he would have been voted out emphatically,” says Kalven.

The morning after the primaries, another prosecutor – this one in Minneapolis, Minnesota – announced that he would not use a grand jury in order to decide whether to charge two officers in the shooting death of Jamar Clark in late 2015. Local Black Lives Matter activists celebrated the decision as a victory for transparency, proving once again that the movement now has prosecutors’ attention.

The new generation of prosecutors will not have a moment to rest easy. Michael O’Malley, McGinty’s successor, has demurred when asked how he would have handled the Rice case differently. Likewise, a vote for Foxx was really a vote against Alvarez, as Assata’s Daughters pointed out in their statement.

“We won’t stop until we’re free and Kim Foxx should know that as well,” they wrote.

Philip Zimbardo: The Psychology of Heroic Imagination

Philip Zimbardo explains what conditions lead good people to behave badly by sharing insights and photos from the Abu Ghraib trials. He also discusses the flip side: how easy it is to behave heroically, and how we can rise to the challenge.


The Most Militarized Universities in America: A VICE News Investigation

By William M. Arkin and Alexa O’Brien

November 6, 2015 | 7:15 am

An information and intelligence shift has emerged in America’s national security state over the last two decades, and that change has been reflected in the country’s educational institutions as they have become increasingly tied to the military, intelligence, and law enforcement worlds. This is why VICE News has analyzed and ranked the 100 most militarized universities in America.

Initially, we hesitated to use the term militarized to describe these schools. The term was not meant to simply evoke robust campus police forces or ROTC drills held on a campus quad. It was also a measure of university labs funded by US intelligence agencies, administrators with strong ties to those same agencies, and, most importantly, the educational backgrounds of the approximately 1.4 million people who hold Top Secret clearance in the United States.

But ultimately, we came to believe that no term sums up all of those elements better than militarized. Today’s national security state includes a growing cadre of technicians and security professionals who sit at computers and manage vast amounts of data; they far outnumber conventional soldiers and spies. And as the skills demanded from these digital warriors have evolved, higher education has evolved with them.

The 100 schools named in the VICE News rankings produce the greatest number of students who are employed by the Intelligence Community (IC), have the closest relationships with the national security state, and profit the most from American war-waging.

National security-related degree programs cater not just to new technologies and education needs, but also to the careers of a regimented workforce, offering distance learning, flexible credits, and easy transfers to accommodate frequent deployments, assignment changes, and shift work.

Four categories of institutions of higher education dominate the VICE News list of the 100 most militarized universities in America: schools whose students attain their degrees predominantly online; schools that are heavily involved in research and development for defense, intelligence, and security clients; schools in the Washington, DC area; and schools that are newly focused on homeland security.

Twenty of the top 100 schools that instruct people working in intelligence agencies, the military, and the worlds of law enforcement and homeland security — including their private contractor counterparts — are effectively online diploma mills. Twelve are for-profit companies; several didn’t exist before 9/11. The schools have become so important that two of them, American Military University (No. 2) and the University of Phoenix (No. 3), rank near the top of the list based on the sheer number of their graduates working in the Top Secret world.

Seventeen of the 100 top schools are in the Washington, DC area, reflecting the concentration of all things national security around the nation’s capital. The University of Maryland handily outranks all other schools at number one, while Georgetown University (No. 10), George Washington University (No. 4), and American University (No. 20) — all considered among the country’s 10 best schools for the study of international relations — rank among the top 25 most militarized schools. But post-9/11 growth in homeland security and a high demand for cyber training boost schools as diverse as George Mason (No. 5), Northern Virginia Community College (No. 16), and Strayer University (No. 8), a predominantly online school headquartered in Herndon, Virginia.

Seventeen powerhouse research universities traditionally supporting the oft-cited military-industrial complex rank in the top 100, including Johns Hopkins (No. 7), Penn State (No. 15), Georgia Tech (No. 26), and the Massachusetts Institute of Technology (No. 47). Ten of these schools account for $2.05 billion in national security research and development funding, which is two-thirds of the approximately $3 billion VICE News calculates the federal government gave to the top 100 schools last year. Yet rather than traditional weapons systems, what these schools mostly research — often in classified laboratories — is intelligence technologies, cyber security, and big data analytics, challenging the common view of what militarization means.

More than 250 schools now offer certificates and degrees in homeland security, a relatively new discipline combining emergency management, physical security, and information security. Meanwhile, intelligence courses are a growing prerequisite for criminology and law enforcement education, a transformation reaching beyond federal agencies into local police. With new programs and increasing government and private sector funding, the top homeland security schools include Texas A&M (No. 14), Louisiana State (No. 96), Duke (No. 66), the University of Minnesota (No. 76), and Rutgers (No. 73).

The rankings rely on a unique dataset of more than 90,000 individuals who have worked in and around the IC since 9/11. The sample represents approximately 6 percent of all the people in the US with a Top Secret clearance, and includes military and law enforcement personnel, government civilian employees, and contractors at the federal, state, and local levels.

The rankings were initially calculated based on how many people in the IC had degrees and certificates from each school, then adjusted using 51 additional factors, running the gamut from federal funding amounts to a designation as an Intelligence Community Center of Academic Excellence to participation in federal domestic security task forces.

The affiliations revealed in the resumes of Top Secret workers offer unprecedented insight into the make-up of the national security state. Many of the schools that rank in the top 100 are virtually unknown outside government — schools like Cochise College (No. 6), Excelsior College (No. 13), and Central Texas College (No. 18). Each of these institutions tend to serve a specific constituency: military intelligence at Cochise, Army personnel at Central Texas College, and law enforcement at the predominantly online Excelsior, headquartered in Albany, New York.

Only three traditionally conservative schools (as determined by outside rankings), Texas A&M (No. 14), Liberty University (No. 42) and Brigham Young University (No. 84), are in the top 100, indicating that conservative social or political ideology plays little role in how schools are militarized.

Several elite schools on the list — such as Harvard (No. 32), Duke (No. 66), Stanford (No. 60), Northwestern (No. 80), and Cornell (53) — rank highly because of federal funding and specialized graduate programs. Harvard, for example, boasts a massive executive education program geared toward mid-career and senior federal employees; few Harvard-affiliated Top Secret workers obtained a bachelor’s degree at the school. That trend is repeated at other elite schools. In fact, of the top 100 ranked liberal arts colleges in America, none appear on our list of the nation’s 100 most militarized institutions.

The 20 predominately online schools on our list are akin to defense and intelligence contractors. The post-9/11 government expansion in national security and law enforcement increased the availability of tuition assistance and benefits for veterans and soldiers. For-profits have received the largest share of military education benefits, amounting to roughly 42 percent of post-GI Bill benefits between 2013 and 2014 and half of Department of Defense Tuition Assistance benefits.

In general, there are a wide range of reasons why schools end up ranking on our list. The business school at Villanova University (No. 22) educates a large number of managers and contract administrators for the classified black budget, a phenomenon only identifiable when looking at the resumes of hundreds of its graduates. West Virginia University (No. 72) is the lead academic partner of the FBI and the military for the study of biometrics, and is located near intelligence centers established after 9/11 that specialize in “identity intelligence.” The University of Central Florida (No. 50), a simulations research and curriculum specialist, is located near an Orlando-based federal training cluster and consortium that focuses on everything from war gaming to immersive training environments of the future.

A half-dozen schools in the top 100 had national security degree programs throughout the Cold War: George Washington University (No. 4), Johns Hopkins (No. 7), Georgetown (No. 10), Harvard (No. 32), MIT (No. 47), the University of Denver (No. 93), and Missouri State University (No. 95), formerly known as Southwest Missouri State. These schools continue to be well represented in the broader national security community, though national security credentials from those schools are less common in Top Secret workers minted after 9/11.

Strategic and intelligence studies programs that emerged after 9/11 at two universities are also prevalent in the educational backgrounds of the national security workforce: Duke (No. 66) and Mercyhurst University (No. 88). But fewer than 400 people out of 90,000 contained in our dataset have actual degrees in national security studies. Less than 5 percent of the total dataset have majors or advanced degrees in political science. International relations appears even less frequently, at 2 percent of the overall workforce.

Fewer than 100 people have graduate degrees in Middle Eastern studies. Less than 1 percent (fewer than 1,000 people) describe themselves as Arabic linguists. Of those, 60 percent are contractors, predominantly Arab-American citizens working for private companies under contract with national security–related agencies.

The Most Common Academic Concentrations in Top Secret Workers
1. Information Systems and Technology
2. Information Technology
3. Systems Engineering
4. Business Administration
5. Criminal Justice and Criminology
6. Computer Science
7. Political Science
8. Electrical Engineering
9. General Studies
10. Mechanical Engineering

Of the 10 most common academic concentrations present in the data, information systems, management, and systems engineering rank highest. Emergency management and disaster preparedness, which once fell under the rubric of public administration or urban and regional planning, is now largely subsumed under homeland security education alongside counter-terrorism. Degrees in intelligence-related criminal justice studies account for twice as many degrees as those in political science and international relations combined, even among military personnel.

Based on the most recent data for 2013, twenty-seven percent of those employed in the IC are civil service workers, that is, regular competitive civilian employees of the US government. Another 54 percent are military personnel, working directly for military intelligence agencies or seconded to other agencies. And 18 percent are private contractors — largely workers who were formerly members of the first two groups.

A frenzy of hiring following 9/11 after years of relative stagnation in the 1990s left the IC “dominated by senior and junior personnel, with shortfalls in the midcareer workforce,” according to a 2013 Rand Corporation study entitled Workforce Planning in the Intelligence Community. That frenzy brought in an enormous influx of junior personnel, overwhelming the formal training establishment at a time when the demand for non-traditional training shifted educational needs from military arts and sciences to information skills.

The world of drones, networks, geographic information systems, and big data were emerging and demanding new skill sets. Tens of thousands of analysts were needed to operate software-intensive intelligence systems. Much of their certification was simply outsourced to the schools on our list.

Outside of the military and intelligence communities, the situation was even more challenging. The new Department of Homeland Security (DHS) was created; in fact, more security personnel were hired by the DHS’s Transportation Security Administration in the first five years of its existence than the entire CIA, NSA, and State Department together employed. Online programs flourished, but skills training took over from any reliance on a liberal arts education.

On-the-job training has also influenced the educational styles of higher education institutions serving this constituency. They rely on more hands-on training and more college credits granted for experiential skills. Whether education quality has been sacrificed remains an open question, but there is no disputing that different types of workers and schooling has emerged, and that in the IC during the information era, education has often been overtaken by training.

As early as 2007, a crisis in national security education and training was already being observed. The Senate Select Committee on Intelligence reported its concerns about the uncontrolled growth and significant shortcomings in the composition and skills of the Top Secret workforce as part of its unclassified report on the classified budget. Inadequate lead times in hiring practices, the excessive use of contractors, ineffective training, and the absence of language proficiency were just some of the deficiencies they identified.

The IC and its law enforcement counterpart is consumed with acquiring an ever-increasing flood of information — like targeting and biographical data — and then processing it, moving it, analyzing it, storing it, and networking it for later retrieval. The system to do so has grown so complex that the quest to develop significant regional or cultural expertise about the lands or peoples whom we are fighting has fallen by the wayside. The education backgrounds and the areas of academic concentration show that the national security community has transformed into an information age army more consequential than traditional warriors.

The gloomy result is that the academy (and by extension the philanthropic world) has failed to establish a post-9/11 academic program to cultivate the next generation of scholars who can offer a genuinely civilian counter-narrative to the national security state similar to the civilian arms control community created during the Cold War. Even at the most elite schools that rank in the top 100, the many centers and research institutes focusing on warfare and terrorism are predominantly adjuncts of the national security state.

The IC has also become more isolated and self-perpetuating. This phenomenon is evidenced by two categories of schools that dominate the rankings: Firstly, the set of 20 online universities that subsist as the quasi-outsourced training establishment for the military and homeland security, subsidized largely by the departments of Defense and Veterans Affairs. Second, the set of 17 Washington, DC-area schools that provide certification and post-undergraduate professional training for the inside-the-Beltway crowd.

According to the Chronicle of Higher Education, veterans brought more than $19.5 billion to colleges and universities through the GI Bill from August 2009 to September 2014. Nearly $8 billion of that went to for-profit colleges, according to data from the Department of Veterans Affairs.

It has been 14 years since 9/11, but many of the national security alliances now in place with higher education institutions have emerged in the past three years. Classified research on campuses, once highly controversial, is making a comeback. College and university administrators and campus police are increasingly being enlisted in homeland security, counter-terrorism, and counter-intelligence.

Internally since 9/11, the government has initiated an abundance of programs to improve institutional understanding of the cultures and languages in the regions where we are fighting: The Pentagon has created a program of “Afghan-Pakistan (AFPAK) hands” specializing in mentoring and training. The military has developed female engagement teams to work in the Muslim world, specifically in Afghanistan. The Army lauded its human terrain system, enlisting social scientists in network analysis and (disastrously) in interrogations. In government, there have also been reorganizations galore to face the challenges of national and international security, from the creation of DHS to the establishment of the military’s US Africa Command.

Yet there is no indicator of any significant advance in foreign language expertise or regional specialty, or indeed of any greater capacity to understand or think critically about the state of domestic or international affairs. The international order is no more stable today than it was a decade and a half ago. The homeland is not safer. The threats, both internationally and domestically, are ever increasing despite all of these efforts.

An overwhelming avalanche of intelligence information, a looming threat to cyber security, the echo chamber of Washington, DC, the outsourcing of basic training to educational contractors — these are the realities of the national security state that are exerting a tremendous influence on higher education in America. As a result, what is too often being taught at these schools is not the art of war or peace, nor the capacity to understand the costs or benefits of either.

Follow William M. Arkin ( on Twitter: @warkin

Follow Alexa O’Brien ( on Twitter: @carwinb

Camden Civil Rights Project Endorses Bernie Sanders in 2020

Bernie Sanders has a consistent thirty year track record of advocating for social justice and economic empowerment of the middle and working classes…..



Camden Civil Rights Project supports Sanders’ racial justice, women’s rights, LGBT equality, single payer healthcare, tuition free higher education, minimum living wage and corporate reform proposals


On the Issues

The American people must make a fundamental decision. Do we continue the 40-year decline of our middle class and the growing gap between the very rich and everyone else, or do we fight for a progressive economic agenda that creates jobs, raises wages, protects the environment and provides health care for all? Are we prepared to take on the enormous economic and political power of the billionaire class, or do we continue to slide into economic and political oligarchy? These are the most important questions of our time, and how we answer them will determine the future of our country.

























Former Porn Star Lisa Ann Says Increased Demand for Abuse Porn Tends to ‘Break You Down as a Woman’

Former adult actress says extreme scenes are harming amateur actresses 

A retired adult film star has warned the growing appetite for ‘abuse’ porn is damaging amateur female performers, who are expected to take part in increasingly extreme scenes.

Lisa Ann left the industry in 2014 and now hosts a Fantasy Football show on Sirius XM radio. Unlike most performers whose careers within the industry often span just months or a few years, Ann appeared in adult films for two decades and has witnessed the industry’s trajectory towards more hardcore films.

Speaking to The Guardian, she claimed the difficulties some actresses face after leaving the adult industry often relate to the growing demand for extreme porn, and performers abusing drugs.

“There were times on set with people where I was like, ‘This is not a good situation. This is not safe. This girl is out of her mind and we’re not sure what she’s going to say when she leaves here,’” she said. “Everyone’s a ticking time bomb, and a lot of it is linked to the drugs. A lot of this new pain comes from these new girls who have to do these abusive scenes, because that does break you down as a woman.”

The demand for abuse scenes was addressed in the documentaryHot Girls Wanted, which included disturbing footage from a scene constructed to make a sex act appear forced on a female performer.

In an industry where pay rates have continuously declined, extreme acts also pay more, with the most radical commanding up to $2,500 per scene.

Rashida Jones, a producer on Hot Girls Wanted, described the cycle young women face when they start making amateur porn that she says encourages them to participate in more extreme scenes during an interview with Vice.

“Generally if you’re 18 and go to Miami, you’re done in a year, because there’s not enough amateur jobs for you. You can get some other jobs, but the niche stuff pays more, and the niche stuff is harder on your body,” she said.

“The pay can be $800, $1000 a shoot, but they still have to pay for hair and nails and make-up and travel and clothes – plus, they’re trying to live in a lavish way, so it ends up not being cost-effective. It’s not worth it.

“Then you have to make further negotiations with yourself, like, ‘Will I do torture porn? Will I do fetish porn? Will I do […] forced blowjobs?’ and things that you never expected to do.”

In 2010, a study conducted by Adult Video News reportedly found most of the scenes from 50 top-rented porn films involved the female performer appearing to be physically or verbally abused.


Rashida Jones Warns Young Women About ‘Physical Cost’ of the Porn Industry

The actor produced the film Hot Girls Wanted and cautioned young women against joining the industry

by Helen Nianias

Rashida Jones has spoken out against the “pornification” of culture, arguing that young women are exploited by the industry as it makes them believe the work is glamorous.

Speaking to Vice, Jones explained: “I have no problem with porn – also, it doesn’t matter if I have any kind of problem with porn, because it’s here to stay.

“I personally have no problem with porn as adult entertainment. I think it’s great that we have the freedom to explore our sexual fantasies, and that there’s tools to do that. The problem with me is that there’s no regulation in the industry – the average age someone watches their first porn is 11.

“For someone to learn about sex from porn, I think is really dangerous, and I think it happens a lot.”

Jones has spoken out in the past against the pop culture climate for extreme sexualisation, and described it as: “Here is the bottom of my ass”.

She has previously spoken out against the industry, saying that “because [porn is] performative, women aren’t feeling joy.”

Her documentary Hot Girls Wanted examines how young women are lured into working in pornography with the promise of being famous, only to end up in cities such as Miami expected to make “amateur porn”.

Jones explains that this genre – which is still fully scripted and operated like a regular film – focuses on plots that are “sort of like catching young, innocent girls off guard”.

She explains: “Generally if you’re 18 and go to Miami, you’re done in a year, because there’s not enough amateur jobs for you. You can get some other jobs, but the niche stuff pays more, and the niche stuff is harder on your body. The pay can be $800, $1000 a shoot, but they still have to pay for hair and nails and make-up and travel and clothes – plus, they’re trying to live in a lavish way, so it ends up not being cost-effective. It’s not worth it.”

Jones argues that the struggle for cash means women end up doing more extreme stuff.

The Parks and Recreation actor adds that her experience while making the documentary shows that the women who make this type of porn have generally only just turned 18 and may not understand the impact of the work.

“[There’s the] psychological, emotional, physiological – the physical cost of having sex for a living. [You’re] thinking about the fame part of it, so you might not be the best candidate to make a decision for yourself.”

Liz Curran of anti-violence charity Women’s Support Project argues that pornography is inherently harmful and there’s no way women can gain respect from it.

She told The Independent: “In a society where we want young women to be equal – accepting porn undermines the equality and independence of these young women.

“Women who need any support after commercial sexual exploitation should get in touch with the Object campaign or UK Feminista and they will put you in touch with the right people.”

Curran argued that “healthy relationships based on respect and consent is such a contrast to pornography.”


EFF Joins ACLU in Amicus Brief Supporting Warrant Requirement for Cell-Site Simulators



EFF, ACLU, and ACLU of Maryland filed an amicus brief today in the Maryland Court of Special Appeals in the first case in the country (that we know of) where a judge has thrown out evidence obtained as a result of using a cell-site simulator without a warrant.

In the case, Baltimore Police used a Hailstorm—a cell-site simulator from the same company that makes Stingrays—to locate Kerron Andrews, the defendant. The police not only failed to get a warrant to use the device, they also failed to disclose it to the judge in their application for a pen register order. And it appears they even failed to tell the State’s attorney prosecuting Mr. Andrews’ case.

Luckily Mr. Andrews’ intrepid defense attorney suspected the police might have used a stingray and sent a discovery request asking specifically if they had. The prosecution stalled for months on answering that request, but, on the eve of trial, one of the investigators responsible for Baltimore PD’s stingrays finally testified in court not only that he’d used the device to find Mr. Andrews, but that he’d specifically not disclosed it in any report filed about Andrews’ arrest. The judge concluded the police had intentionally withheld information from Mr. Andrews—a clear violation of his constitutional rights.

This August, another Baltimore judge granted the defense’s request to suppress all evidence the police were able to get as a direct result of using the stingray. The judge held the use of the device without a warrant violated Andrews’ Fourth Amendment right to be free from unlawful searches and seizures. Unsurprisingly, the government appealed.

Cell-site simulators, also commonly known as IMSI catchers or stingrays, masquerade as legitimate cell phone towers, tricking phones nearby into connecting to the device instead of the tower operated by the phone company. This allows police to log the identifying numbers of mobile phones in the area and to pinpoint their locations. Police often use cell-site simulators when they are trying to find a suspect and know his phone’s identifying information.

As we learned from USA Today, the Baltimore PD has been using cell-site simulators extensively (and secretly) for at least the last eight years. A detective testified that Baltimore officers had used cell-site simulators more than 4,300 times since 2007. Like other law enforcement agencies around the country, Baltimore has used its devices for major and minor crimes—everything from trying to locate a man who had kidnapped two small children to trying to find another man who took his wife’s cellphone during an argument (and later returned it). And, like other law enforcement agencies, the Baltimore PD has regularly withheld information about Stingrays from defense attorneys, judges, and the public.

Stingrays are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—this means they allow the police to conduct indiscriminate, dragnet searches. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship—in Mr. Andrews’ case the investigators used the Stingray to pinpoint his location to within a specific apartment. Stingrays can also be configured to capture the content of communications.

This is why it’s imperative that police not only obtain a warrant based on probable cause before using a cell-site simulator but also commit to minimization procedures, including immediately deleting information about all phones not covered by the warrant and limiting the time period during which the device is used. These are not novel or onerous requirements—the Wiretap Actrequires similar procedures. And in fact, both the Department of Justice and the Department of Homeland Security recently committed to following similar procedures whenever their agents use stingrays.

We hope the Maryland Court of Special Appeals will agree that the warrantless use of a stingray is unconstitutional and uphold the lower court ruling suppressing the evidence.

How Secure Are You Online: The Checklist

Think you do enough to secure your passwords, browsing, and networking? Prove it.

Not all computer security is about tin foil hats and anonymous browsing. Everyone who uses a computer has a horse in the security race. For the purpose of this post, we’re breaking down online security into four essential parts: passwords, browsers, at-home Wi-Fi and networking, and browsing on public Wi-Fi. Within those categories we’ll give you a checklist of everything you should do, from the bare minimum to the tin-foil-hat best.

Think you’ve done your due diligence with your security? Jump to any of the four sections below to see how you stack up (and boost your security where you may be lacking):

Password Security Checklist

How Secure Are You Online: The Checklist

Password security has been popping upa lotin the news recently, but how much you should care is entirely dependent on what you do online.

The Bare Minimum of Password Security

Just because you don’t use a lot of online services doesn’t mean you can neglect basic password security. Sure, you don’t need to take any complicated measures, but everyone should at least do a couple things.

  • Pick strong passwords: Regardless of what your password is for, it’s always good to pick a strong, random password. Don’t use your child’s name, or a birthday.
  • Use unique passwords for every site:Don’t ever reuse the same email and password combo on multiple services. It might seem like it doesn’t matter, but if a hacker gets your account information on one site, that means they can use that login information on every other site you’re registered at. Keep all your passwords different.
  • Use Should I Change My Password? to track security breaches: If you don’t keep up with tech news you probably don’t see most minor security breaches. To help out, the webapp Should I Change My Password? notifies you when a major service is hacked.

That’s the minimum you should do if you want to play it safe and secure with your passwords. But you can do better than that. Let’s step up your game.

Level Up: You’re a Password Pro

If you’re the type to conduct a lot of work online, then you need more complicated security measures. With that in mind, you should do the steps mentioned above, and a few other things.

  • Use two-factor authentication whenever possible: Two-factor authentication is a simple way to lock your computer to an account so you have to verify your identity when you log onto a different computer. Not all services have it, but Google, LastPass, Facebook, Dropbox, and more all do. Use it.
  • Use a password manager: We get it, you have a lot of passwords and you don’t want to remember them all. Instead of reusing the same junky password, a password manager is a simple way to save them all securely. We like LastPass, but KeePass, and 1Password are equally solid solutions.
  • Shut down and unlink services you don’t use: If you’re the type to try out a lot of different webapps or mobile apps then you probably have a ton of passwords scattered around everywhere. When you decide you don’t want to use a service anymore, remember to delete your account. This way, if the service is hacked you don’t have to fumble around trying to remember your login information. For added protection, make sure you clean up your app permissions on Facebook and Twitter.
  • Use misleading password hints: Finally, don’t answer password hints truthfully. Instead, you can use word association, or just pick a random response (that you’ll remember).

If you’re doing all of the above, your passwords are about as safe as they can get. Nice work, and stay vigilant!

Browser Security ChecklistHow Secure Are You Online: The Checklist

With all your passwords in check it’s time to ensure your browsing is both secure and private. Of course, many people don’t care about privacy, but security—even after your passwords are in order—is still important.

The Bare Minimum of Browser Security

Password security is just part of the battle. You also want to make sure your browser is secure. This is what everyone should be doing:

  • HTTPS Everywhere: You likely know by now that you should never hand over personal info unless you’re doing so over a secure connection (HTTPS in the browser URL). The HTTPS Everywhere browser extension highlights secure sites, and ensures you’re always on HTTPS whenever it’s available (including on social networks, shopping sites, and more).
  • Log out of your accounts: If you’re sharing a computer in a house full of people, or you do most of your browsing on a public computer, always remember to logout of any account you use. It’s a simple, obvious step, but it’s worth repeating to yourself until you remember. When you don’t log out of an account, you’re giving authorization to snoop.
  • Understand the basics of online fraud: Phishing scams, malware, and other nasty things are all easy to detect if you keep a cautious eye on what your browser is doing at all times. Be skeptical of odd emails, brush up on the FTC’s guide to identity theft, and don’t trust your personal information to any website that doesn’t use HTTPS.

The basics of browser security are great for most people, but if you want to keep advertisers and The Man off your back, you need to take a few more measures.

Level Up: Keep Everyone from Tracking You

We know that pretty much everyone is tracking your every move on the web. The data collected from your browsing is used for ads, targeted coupons, and plenty more. Let’s put a stop to that.

  • Adblock Plus: Adblock Plus isn’t just an ad blocking extension, it also helps keep the likes of Twitter, Facebook, and Google+ from transmitting data about you.
  • Ghostery: Ghostery is an extension that’s all about eliminating tracking cookies and plug-ins used by ad networks. With Ghostery installed, no advertiser can snoop on what you’re doing online.
  • Do Not Track Plus: Do Not Track is an extension that eliminates sites with Facebook and Google+ buttons from tracking you. By default, a data exchange happens when you visit a site with one of these buttons, even if you don’t click on them. Do Not Track stops that from happening.

The above extensions and measures can ensure you have a private and secure browsing experience. But if you really want to keep your browsing away from prying eyes, you have to go anonymous.

Next Level: Go Anonymous

Completely anonymous browsing isn’t for everyone, nor is it for every situation. However, it can come in handy when you’re torrenting, when you don’t want to give away your location, and if you just plain don’t like somebody watching over your shoulder. Here’s what you’ll need.

  • Tor Browser: Tor is the easiest to use anonymous browser. When you use Tor for browsing, you don’t get plugins, your traffic is automatically encrypted, and your browsing is always anonymous.
  • Use VPN services to secure everything you do: VPN services are a great way to create secure connections across the internet. Using a VPN means you’re encrypting all the data transferred online. We like Hamachi becauseit’s incredibly easy to use, but any of these five will do the trick.
  • Use BTGuard for anonymous torrenting: Peer-to-peer file sharing is great, but since it’s often used for piracy you might want to keep your downloads private. BTGuard does just that through a proxy server (which helps keep you anonymous). The service is $59.95 a year, but it’s worth it to avoid throttling from your Internet Service Provider.

Home Network Security Checklist

How Secure Are You Online: The Checklist

Once your internet data is secure it’s time to secure your data on your home computer. This means backing everything up, and keeping your network safe from prying eyes.

The Bare Minimum of Network Security

If you don’t use your computer for much more than browsing the web, creating a couple documents, and storing family photos, then you don’t need to do much to keep everything safe.

  • Keep your software up to date: Software updates aren’t just about adding new features, they’re often about patching security holes. Thankfully, the update process is very simple. On Windows, click the Start Menu > All Programs > Windows Update. On Mac, click the Apple menu, and choose Software Update. Both update programs run periodically on their own, but it’s always good to check for a new update if you hear about a security issue.
  • Change your router’s security settings: If you’re still running your router’s default settings, then pretty much anyone can get into your home network and peek in on your computers. It’s not hard to crack WEP passwords or WPA passwords, but you should at least enable a non-default password and network name on your router.
  • Backup your photos and documents: Perhaps you’re not all that worried about what would happen if your $200 computer dies because you don’t do that much with it. Still, chances are you have a resume or some vacation photos on the hard drive. Backing up those few important files is easy. Cloud storage like Dropbox, Box, and Skydrive take very little time to set up. Once you do, your few important documents will be saved online.
  • Prevent downloaded software from installing automatically: Malware often comes in the form of a download you don’t notice happening, but it’s easy to stop. On Windows, disabling AutoRun can stop around 50% of Malware threats, and all you need is the free software Disable Autorun. On Mac, downloads shouldn’t run automatically, but if you’re using OS X Mountain Lion you can set up GateKeeper (System Preferences > Security & Privacy > General) to only allow applications from the Mac App Store for added security.

These are just the basics. If your computer is your livelihood, you need to do a few more things to keep your data secure.

Level Up: You’re a Network Security Pro

Whether you work from home, or you’re simply on a work computer all day long, keeping your data secure and safe is important. On top of everything above, you also want to add a few more security measures.

  • Create automated backups with Crashplan: If your computer contains everything you need to work, then you need a solid full system backup solution. We like Crashplan because it’s cheap, automated, and works on every operating system.
  • Set folder specific permissions: If you’re sharing your computer with a household of people, but need to ensure your work documents are safe, then setting up permissions is the easiest way to do it. In Windows, right-click the folder, go to Properties, and open the Security settings. Then click the edit setting and select your user name to lock the folder to you. On Mac, right-click a folder, click Get Info, and change the settings under Sharing & Permissions. For extra security, you can easily set up encryption with Truecrypt.
  • Know how someone would break into your computer (and keep it from happening to you): It’s surprisingly easy to a Mac. Once you know how someone could get into your system, it’s relatively easy to prevent. On Windows, you can usually get away with a long password, and on Mac you can set up FireVault to secure your
    data (System Preferences > Security).
  • Upgrade your router’s security: As we mentioned above, hacking into a wireless network is incredibly easy. One way to secure your router is to upgrade its firmware with DD-WRT or Tomato. Upgrading your router cankeep you safe from at least one type of hack.

The above is more than enough for most people on their home network, but what about when you need to leave the house?

Public Wi-Fi Security Checklist

How Secure Are You Online: The Checklist

Using public Wi-Fi exposes everything you do online (and your computer itself) to anyone else on the network. We’ve shown you how people sniff out your passwords on public Wi-Fi before, and it’s suprisingly simple. Let’s stop that from happening to you.

Bare Minimum of Public Wi-Fi Security

Let’s say you occasionally check email on public Wi-Fi when your internet is down or you’re on vacation. You’re always tempting fate when you don’t completely lock down your computer, but here’s the minimum amount of effort you should always do.

  • Always use HTTPS: We mentioned HTTPS Everywhere above, but it’s worth repeating here. If you’re checking your email, or doing anything else with a password on a public network, always use HTTPS.
  • Turn off sharing: When you’re at home you might share your files with other people on your network. That’s great, but you don’t want that on public Wi-Fi. Disable it before you even connect. In Windows, open Control Panel, then head to Network and Internet > Network and Sharing Center. Then click Choose Homegroup and Sharing Options > Change Advanced Settings. Turn off file sharing, print sharing, network discovery, and the public folder. On Mac, open System Preferences > Sharing, and make sure all the boxes are unchecked.
  • Don’t connect to Wi-Fi unless you need it: This might seem like common sense, but if you’re not actually using the internet connection, turn it off. In Windows, right-click the wireless icon in the taskbar and turn it off. On a Mac, click the Wi-Fi button in the menu bar, and turn off Wi-Fi.

Doing these three things will keep most of your data secure when you’re just popping in to quickly check your email. If you’re using free Wi-Fi in a dorm or apartment building, you need a stronger solution.

Level Up: You’re a Public Wi-Fi Pro

If you’re on public Wi-Fi a lot, it’s best to really lock down and encrypt your data. In addition to the steps above (particularly turning off file sharing and HTTPS), you can lock out anyone pretty easily.

  • Encrypt everything with Hamachi and Privoxy: The easiest way to cut off outsiders from peeking into your private data when you’re on a public network is with the free VPN Hamachi, and the web proxy Privoxy. Setup isn’t much more complicated than a few clicks, and the end result is secure connections for all your browsing.
  • Encypt it further with an SSH SOCKS proxy: If you don’t want to use a VPN, another option is to roll your own SSH SOCKS proxy. This encrypts all your web browsing and redirects it through a trusted computer.

That’s all you really need to do when you’re on public Wi-Fi to keep your browsing encrypted and safe. However, you can take it another step and go completely anonymous.

Next Level: Grab Your Tin Foil Hat, We’re Going Untraceable

Perhaps you really don’t want anyone tracking what you’re doing on a public Wi-Fi network or worse, public computer. This sounds nefarious, but it’s handy for things like checking your bank account on a public computer.

The simplest way to go completely anonymous is with a custom build of Linux called Tails installed on a USB or CD. We’ve walked you through the setup process before and it’s very easy. With Tails you get a custom operating system with built-in anonymous browsing, encryption for email and chat, file encryption, and a ton of software. You can load Tails up on your own computer, or a public one. With Tails, you not only browse without leaving a trace, you also secure everything you do.

Security is important to everyone from the tech illiterate to the tech savvy. The precautions you decide to make are your own choice, but always keep in mind that you security online is just as important (if not more) than the security in your own home.



Browse Like Bond: Use Any Computer Without Leaving a Trace with Tails

If James Bond logs on to a computer, he doesn’t want to leave a bunch of files, cookies, or…Read more

The Pros and Cons of Using Tor

Camden Civil Rights Project

Researched, compiled and edited by L. Christopher Skufca

With the numerous methods incorporated by malicious hackers, the NSA, the FBI and even local law enforcement agencies to access your private data, Tor is the best alternative for anonymously surfing the internet. Fundamentally, Tor is secure; however, Tor itself can’t guarantee your privacy and security. Additional security measures must be taken to protect your anonymity. The experts at Information Security Stack Exchange provide guidance on best practices for preserving your online anonymity while using Tor.

 What is Tor and How Does it Work?

Tor is free software for enabling anonymous online communication. Tor is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication, by keeping their Internet activities from being monitored. Tor protects anonymity by directing Internet traffic through a free, worldwide, volunteer network consisting of more than six thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. It is legally used by millions worldwide to circumvent censorship and to stay safe from online snooping.

What Is Tor and Should I Use It?

Tor is an acronym for The Onion Router, encryption technology which was  developed in the mid-1990s by United States Naval Research Laboratory for the purpose of protecting U.S. intelligence communications online. In 2004, the Naval Research Laboratory released the code for Tor under a free license, and in 2006 a Massachusetts-based 501(c)(3)  research-education nonprofit organization called The Tor Project was founded. Its stated purpose is the research and development of online privacy tools.

The routing method utilized by the Tor network disguises your identity by moving traffic across different Tor servers, and encrypting that traffic, making it difficult to trace communications back to the original source. In an onion network, like that used by Tor, electronic data, including the destination IP address, is encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is then transmitted through a series of network nodes called onion routers, each of which “peels” away a single layer, uncovering the data’s next destination. Each relay decrypts a layer of encryption to reveal only the next relay in the circuit in order to pass the remaining encrypted data on to it. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing, or even knowing, the source IP address.

Anyone who tries to identify the user would see traffic coming from random nodes on the Tor network, rather than the source computer. Because the routing of the communication is partly concealed at every hop in the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance that relies upon knowing its source and destination.

To access the Tor network, you simply need to download the Tor browser. Everything you do in the browser goes through the Tor network and doesn’t need any setup or configuration from you. One drawback of using Tor is that users experience a much more sluggish internet experience since their data is being transferred through multiple relays.

What Tor Is Good For

Tor is most useful for concealing internet browsing habits. Used in conjunction with additional security measures Tor can also be useful in protecting the anonymity of your communications with a third party. Tor has been utilized by researchers, journalists, whistleblowers, attorneys and even law enforcement officers hoping to conceal their IP address from detection.

There are several legitimate purposes for wanting to protect your online anonymity. Much of the Tor Project’s funding comes from federal grants issued by agencies, such as the U.S. State Department, that claim a vested interest in supporting safe, anonymous speech for dissidents living under oppressive regimes. It is used by human rights workers, activists, journalists and whistleblowers worldwide. Tor is also a useful tool for legal practitioners seeking to protect privileged attorney client communications and has been used as an effective tool for protecting the anonymity of undercover law enforcement officers and police informants.

However, in the wrong hands, Tor has also been used for more nefarious purposes. Tor’s technology can be utilized to provide anonymity to websites and other servers configured to receive inbound connections which are only accessible by other Tor users. These are called hidden services. Rather than revealing a server’s IP address (and thus its network location), a hidden service is accessed through its onion address. The Tor network understands these addresses and can route data to and from hidden services, even those hosted behind firewalls or network address translators (NAT), while preserving the anonymity of both parties. These hidden service sites create an opening for criminal activity, such as happened with the Silk Road exchange site caught which was shut down for trafficking illicit drugs. Tor’s hosting capabilities have also served as platforms for  child pornography and illegal arms trading.

The Limitations of Tor

Anonymity is not the same as security. While it is difficult to hack the encryption of the Tor network, a network is only as secure as the technology used to access the network.

Exploiting Applications

In a 2012 child pornography sting, the FBI utilized a hacking tool created by Metasploit called a “Decloaking Engine” to infect the servers of three different hidden Tor sites, which would then target anyone who happened to access them. The network investigative technique (NIT) used a Flash application that would ping a user’s real IP address back to an FBI controlled server, rather than routing their traffic through the Tor network and protecting their identity.

Again, in June 2013, network security analyst, Professor Alan Woodward of University of Surrey,  highlighted the danger of using JavaScript and other add-in applications:

“Be aware, a browser’s JavaScript engine, plug-ins like Adobe Flash, external applications like Adobe Reader or even a video player could all potentially “leak” your real IP address to a website that tries to acquire it. The Tor browser bundle has JavaScript disabled by default and plug-ins can’t run. If you try to download and open a file on another application the browser will warn you.  However, anyone who has spent any time browsing the web knows that there is a great temptation to install add-ins or enable JavaScript in order to access content. Don’t succumb to the temptation if you are serious about remaining anonymous.”

Woodward’s warning proved to be timely; in August 2013, the FBI was able to exploit  a security flaw in the modified Firefox 17 browser included with the Tor Browser Bundle, a collection of programs designed to make it easy for people to install and use the software. Representatives of Tor responded to the breach with the following statement:

“From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the Web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR [extended support release], on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.”

The good news is that they went for a browser exploit, meaning there’s no indication they can break the Tor protocol or do traffic analysis on the Tor network. Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.

Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody’s going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on.

Two months later, in October 2013, The Guardian released an NSA presentation,  provided by  whistleblower Edward Snowden, revealing an NSA program targeting Tor users by exploiting the Tor browser bundle. The NSA attacks were designed to identify Tor users and the hidden sites they visited.

As The Guardian reported, this type of “man-on-the-side” style attack on Tor users cannot be pulled off by just anyone because it requires the assistance of internet service providers (ISP’s):

“(man-on-the-side attacks)  are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a “race condition” between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack…

According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual, are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.

These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer; called Personal Security Products or PSP, in the manual.”

Motherboard points to a 2013 FBI sting which utilized this method:

The FBI’s big child porn bust this summer also raised some suspicion from privacy advocates over how easy it is for the Feds to infiltrate Tor. The FBI managed to crack the anonymous network by injecting malware into the browser, in order to identify what it called “the “largest child porn facilitator on the planet.” In the process, the malware revealed the IP addresses of hundreds of users.

On January 05, 2016, Motherboard reported that the FBI conducted a network attack which targeted over a thousand computers and was was able to deanonymize visitors to a Tor hidden site called Playpen, allegedly one of the largest sites hosting child pornography on the Darkweb. According to the article, “the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4,” during which time, “the FBI deployed what is known as a network investigative technique (NIT), the agency’s term for a hacking tool.” According to the complaint filed by the FBI, “approximately 1300 true internet protocol (IP) addresses were identified during this time.”

Tor explicitly warns against installing or enabling browser plugins. The Tor Browser is configured to block browser plugins such as Flash, RealPlayer, and Quicktime, because they can be manipulated into revealing your IP address. Therefore, Tor does not recommend installing additional addons or plugins into their Browser, as these may harm your anonymity and privacy by bypassing network protocols.

End Node Decryption

Tor has a known weakness: The last node through which traffic passes in the network has to decrypt the communication before delivering it to its final destination. Someone operating that node can see the communication passing through this server.

In 2007, Swedish security researcher, Dan Egerstad was able to intercept passwords and email messages from government agencies by running Tor exit nodes. According to Egerstad, many who use Tor mistakenly believe it is an end-to-end encryption tool. As a result, they aren’t taking the precautions they need to take to protect their web activity. University of Surrey professor, Alan Woodward, cautions that Tor volunteers are anonymous and therefore, users “do not choose which exit node you use so you cannot guarantee who it is that is actually running that node.”  Woodward also remarked that Tor’s random routing between nodes makes it unlikely that anyone could target a specific individual in this way, unless they run a large proportion of the Tor nodes that are out there. Taking additional steps to encrypt data could also mitigate this risk.

Study on Traffic Correlation Attacks

In August 2013, Tor accounts increased by over 100%, leading many to suspect that Edward Snowden’s  June 2013 revelations of the vast NSA surveillance program had led more internet users to protect their privacy. However, the sudden uptick in Tor users may be better explained by a joint research project designed to identify the effectiveness of these type of end node relay attacks.

In November of 2013, the US Naval Research Laboratory and Georgetown University in Washington, D.C. issued a joint report entitled “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries.”  The report focuses on traffic correlation attacks against Tor users,  by network adversariessuch as such as corporations, intelligence and law enforcement agencies, or governments.  

A network adversary is a network operator with ample network resources to observe a large portion of the underlying network over which Tor traffic is transported through controlling one or more autonomous systems or internet exchange points. Within the Internet, an autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the Internet. An Internet exchange point (IXP) is a physical infrastructure through which Internet service providers (ISPs) and Content Delivery Networks (CDNs) exchange Internet traffic between their networks (autonomous systems or ASes).

In layman’s terms, the study found that the more entrance and exit nodes a network adversary is capable of controlling, either through Tor exit relays or the destination servers themselves, the greater the probability the targeted communications will pass through a resource controlled by the attacker, exposing a Tor user (and their communications) to identification.

According to the report, “A network adversary leverages their position as a carrier of network traffic to correlate Tor traffic streams that cross their network at some point between the client and guard and exit and destination pairs.” As the researchers remark, “Tor does not currently implement any protection against adversaries who operate ASes or IXPs.”

In traffic correlation attacks, an adversary has the bandwidth capacity to run voluminous relays in the Tor network in order to deanonymize  an individual user. The researchers report:

“Onion routing is vulnerable to an adversary who can monitor a user’s traffic as it enters and leaves the anonymity network; correlating that traffic using traffic analysis links the observed sender and receiver of the communication. Øverlier and Syverson first demonstrated the practicality of the attack in the context of discovering Tor Hidden Servers. Later work by Murdoch and Danezis show that traffic correlation attacks can be done quite efficiently against Tor.”

Since network adversaries can monitor entrance and exit traffic on any of the routers they control, the more points within their control, the greater their ability to expose a Tor users’ identity. Researchers found that, “sending many streams over Tor induces higher rates of circuit creation, increasing the number of chances the adversary has to compromise one. Alternatively, the specific destination addresses and ports that users connect to affect the probability a malicious exit is chosen because allowed exit policies differ from relay to relay.”

This is important because information travels through the encrypted layers of the Tor network through Internet Exchange Points (IXPs) or autonomous systems (ASes) that control multiple routers, such as ISPs. Since attackers can theoretically see exit or entrance traffic on any of the routers they control, logically, the more points of control, the faster and easier it is to expose a Tor users’ identity. As Meghan Neal at Motherboard points out, “Hypothetically, a state-sponsored cyberattacker could control all of the routers in the country.” Therefore, US intelligence agencies which have innumerable routers at their disposal would have a tremendous advantage in deanonymizing users and tracking their communications across the Tor network.

The Tor Project, itself, openly acknowledges:

“Just using Tor isn’t enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications.”

Therefore, it is highly recommended that Tor users always take additional security precautions by using an anonymous proxy tool, such as a  virtual private network (VPN) and HTTPS encryption whenever possible as added layers of protection.

If you are not already using a VPN or HTTPS, you should be. If a site offers HTTPS, just go to instead of just plain old http. To help ensure private encryption to websites, the Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.

Using Tor Could Increase the Possibility that You are Targeted

Edward Snowden revealed in October 2013, the online anonymity Tor network is a high-priority target for the National Security Agency. In support, The Guardian released “Tor Stinks,” an NSA presentation (vintage June 2012) outlining current and proposed strategies for exploiting the network. The work of attacking Tor is done by the NSA’s application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.” Therefore, someone like the NSA or FBI can tell if you’re a Tor user making them more likely to target you.

Furthermore, an NSA document obtained by the Guardian in June 2013, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, reveals that using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they’re inadvertently collected.

Of concern, the NSA Minimization Procedures provide no ascertainable guidelines for protecting against warrantless domestic surveillance. Section 5 clearly reveals domestic communications are being monitored en masse and allows for the collection and dissemination of information relating to “evidence of a crime” to law enforcement agencies, whether or not a warrant has been obtained or an individual is the target of a current investigation. The procedures make no distinction between suspected terrorist or non-terrorist activity, or violent and non-violent offenses.

In August 2013, Reuters reported that law enforcement officers have been instructed to mislead judges and prosecutors by recreating the investigative trail to effectively cover up where the information obtained through NSA surveillance originated. An internal Special Operations Division (SOD) document obtained by Reuters reads: “Remember that the utilization of SOD cannot be revealed or discussed in any investigative function.” The document specifically directs agents to omit the SOD’s involvement from investigative reports, affidavits, discussions with prosecutors and courtroom testimony. Agents are also instructed to use a deceptive technique known as parallel construction to misrepresent that the evidence provided by SOD was collected through “normal investigative techniques.”

Likewise, Section 4, which deals with attorney-client communications, provides scarce safeguards for protecting attorney client privilege. Section 4 specifies that an analyst must cease monitoring communications between a person “known to be indicted in the United States” and their legal representative. However, there is no such protection for suspects who have not yet been indicted and the instruction or for privileged communications in civil or commercial proceedings.

Finally, a 2014 report published by German security researchers revealed the NSA internet database program XKeyscore, contains a piece of source code with rules for automatically capturing information about people who used Tor and privacy-focused operating system Tails. One rule seems to “fingerprint” people who visit the Tor website, as well as people who search for information about Tails or visit places known to have information on it, including the Linux Journal, where anything in the “Linux” category of articles is flagged. Fingerprints are flags that allow NSA agents to identify and track users across the web.

Tor As a Tool for Journalists and Whistleblowers

In 2014, The Guardian launched a secure platform for whistleblowers to confidentially submit sensitive documents to the newspaper’s reporters. According to The Guardian:

The SecureDrop open-source whistleblowing platform provides a way for sources, who can choose to remain anonymous, to submit documents and data while avoiding virtually all of the most common forms of online tracking.

It makes use of well-known anonymising technology such as the Tor network and the Tails operating system, which was used by journalists working on the Snowden files.

The SecureDrop platform was initially developed by the US developer and open source activist, Aaron Swartz, who committed suicide in 2013 after facing criminal prosecution under the Computer Fraud and Abuse Act for downloading mass quantities of academic research articles. To Date, the SecureDrop directory includes such familiar media sources as The Guardian, The Intercept, The New Yorker, The Sun and the Washington Post.

Is Tor Simply a Honeypot Run by U.S. Intelligence and Law Enforcement?

There is a legitimate concern among privacy advocates that Tor may simply be a honeypot for identifying illicit activities due to its historical and financial ties with the U.S. intelligence and law enforcement communities. Onion routing was originally developed in the mid-1990s by United States Naval Research Laboratory for the purpose of protecting U.S. intelligence communications online. Yasha Levine of Panda points out:

“Tor’s original — and current — purpose is to cloak the online identity of government agents and informants while they are in the field: gathering intelligence, setting up sting operations, giving human intelligence assets a way to report back to their handlers — that kind of thing. This information is out there, but it’s not very well known, and it’s certainly not emphasized by those who promote it.”

In addition, Tor’s own website states, “A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently.” The site adds, “Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.”

Furthermore, Tor’s onion routing technology was originally funded by the Office of Naval Research and DARPA. Early development was spearheaded by Paul Syverson, Michael Reed and David Goldschlag — all military mathematicians and computer systems researchers working for the Naval Research Laboratory, located within the Anacostia-Bolling military base in Washington, D.C.

In 2004, the Naval Research Laboratory released the code for onion routing under a free license, and in 2006 a Massachusetts-based 501(c)(3)  research-education nonprofit organization called The Tor Project was founded. Since its inception, the vast majority of Tor Project funding has been provided by the Department of Defense and the US State Department:

  • In 2006, Tor was funded was through a no-bid federal contract awarded to Roger Dingledine’s consulting firm, Moria Labs;
  • In 2007, all of Tor’s funding came from the federal government via two grants.  $250,000 came from the International Broadcasting Bureau (IBB), a CIA spinoff that now operates under the Broadcasting Board of Governors,  and just under $100,000 came from Internews, an NGO aimed at funding and training dissidents and activists abroad. Tor’s subsequent tax filings show that grants from Internews were conduits for “pass through” grants from the US State Department;
  • In 2008, Tor received $527,000 from IBB and Internews, which represented 90% of its funding;
  • In 2009,  approximately 90% of Tor’s funding came from the State Department, through a $632,189 grant described in tax filings as a “Pass-Through from Internews Network International.” Another $270,000 came via the CIA-spinoff IBB. In addition, the Swedish government contributed $38,000, while Google provided another $29,000;
  • In 2010,  Tor received $913,000 from the State Department and $180,000 from IBB— representing 84% of Tor’s $1.3 million in total funds listed on tax filings.
  • In 2011, Tor received  $730,000  via Pentagon and State Department grants, $150,000 came from IBB and Swedish International Development Cooperation Agency (SIDA), Sweden’s version of USAID, gave Tor $279,000;
  • In 2012, Tor’s funding nearly doubled, as it recieved $876,099 from the DoD, $353,000 from the State Department, $387,800 from the IBB, $318,000 from SIDA and $150,000 from an RFA grant for Tor’s OONI Project.

The question is whether you can trust that a program which originated within the U.S. intelligence community, for use by US intelligence and law enforcement agencies and receives the majority of its funding from the Department of Defense and the State Department is sufficiently independent from these agencies to reasonable protect the privacy and anonymity of dissident journalists, activists and government whistle blowers.  Your level of trust is most likely commensurate with the severity of the penalty that exposure would bring about.

For those of you not involved in criminal activity, exposing high level corruption or seeking to disclose state secrets, the following recommendations submitted on an Answers forum for network analysts should suffice in protecting your privacy.


A Guide for Safe Tor Use

by Michael Hampton

As a very long time Tor user, the most surprising part of the NSA documents for me was how little progress they have made against Tor. Despite its known weaknesses, it’s still the best thing we have, provided it’s used properly and you make no mistakes.

Since you want security of “the greatest degree technically feasible”, I’m going to assume that your threat is a well-funded government with significant visibility or control of the Internet, as it is for many Tor users (despite the warnings that Tor is not sufficient to protect you from such an actor.

Consider whether you truly need this level of protection. If having your activity discovered does not put your life or liberty at risk, then you probably do not need to go to all of this trouble. But if it does, then you absolutely must be vigilant if you wish to remain alive and free.

I won’t repeat Tor Project’s own warnings here, but I will note that they are only a beginning, and are not adequate to protect you from such threats.

Your Computer

To date, the NSA‘s and FBI’s primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user’s computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.

  1. Don’t use Windows. Just don’t. This also means don’t use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI’s recent takedown of Freedom Hosting.
  2. If you can’t construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser (with all outgoing clearnet access firewalled), consider using Tails or Whonix instead, where most of this work is done for you. It’s absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location.
  3. If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it’s not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn’t be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats.
  4. Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available.
  5. Be very reluctant to compromise on JavaScript, Flash and Java. Disable them all by default. If a site requires any of these, visit somewhere else. Enable scripting only as a last resort, only temporarily, and only to the minimum extent necessary to gain functionality of a web site that you have no alternative for.
  6. Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such asSelf-Destructing Cookies to keep your cookies to a minimum. Of zero.
  7. Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed.
  8. Don’t use Google to search the internet. A good alternative is Startpage; this is the default search engine for TBB, Tails, and Whonix. Plus it won’t call you malicious or ask you to fill out CAPTCHAs.

Your Environment

Tor contains weaknesses which can only be mitigated through actions in the physical world. An attacker who can view both your local Internet connection, and the connection of the site you are visiting, can use statistical analysis to correlate them.

  1. Never use Tor from home, or near home. Never work on anything sensitive enough to require Tor from home, even if you remain offline. Computers have a funny habit of liking to be connected. This also applies to anywhere you are staying temporarily, such as a hotel. Never performing these activities at home helps to ensure that they cannot be tied to those locations. (Note that this applies to people facing advanced persistent threats. Running Tor from home is reasonable and useful for others, especially people who aren’t doing anything themselves but wish to help by running an exit node, relay, or bridge.
  2. Limit the amount of time you spend using Tor at any single location. While these correlation attacks do take some time, they can in theory be completed in as little as a day. And while the jackboots are very unlikely to show up the same day you fire up Tor at Starbucks, they might show up the next day. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location; after that, consider it burned and go elsewhere. This will help you even if the jackboots show up six months later; it’s much easier to remember a regular customer than someone who showed up one day and never came back. This does mean you will have to travel farther afield, especially if you don’t live in a large city, but it will help to preserve your ability to travel freely.
  3. When you go out to perform these activities, leave your cell phone turned on and at home.

Your Mindset

Many Tor users get caught because they made a mistake, such as posting their real email address in association with their activities. You must avoid this as much as possible, and the only way to do so is with careful mental discipline.

  1. Think of your Tor activity as pseudonymous, and create in your mind a virtual identity to correspond with the activity. This virtual person does not know you and will never meet you, and wouldn’t even like you if he knew you. He must be kept strictly mentally separated.
  2. If you must use public internet services, create completely new accounts for this pseudonym. Never mix them; for instance do not browse Facebook with your real email address after having used Twitter with your pseudonym’s email on the same computer. Wait until you get home.
  3. By the same token, never perform actions related to your pseudonymous activity via the clearnet, unless you have no other choice (e.g. to sign up for a provider who blocks Tor), and take extra precautions regarding your location when doing so.
  4. If you need to make and receive phone calls, purchase an anonymous prepaid phone for the purpose. This is difficult in some countries, but it can be done if you are creative enough. Pay cash; never use a debit or credit card to buy the phone or top-ups. Never insert its battery or turn it on if you are within 10 miles (16 km) of your home, nor use a phone from which the battery cannot be removed. Never place a SIM card previously used in one phone into another phone. Never give its number or even admit its existence to anyone who knows you by your real identity. This may need to include your family members.

Hidden Services

These are big in the news lately, with the recent takedown of at least two high-profile hidden services, Silk Road and Freedom Hosting. The bad news is, hidden services are much weaker than they could or should be. The good news is, the NSA doesn’t seem to have done much with them (though the NSA slides mention a GCHQ program named ONIONBREATH which focuses on hidden services, nothing else is yet known about it).

In addition, since hidden services must often run under someone else’s physical control, they are vulnerable to being compromised via that other party. Thus it’s even more important to protect the anonymity of the service, as once it is compromised in this manner, it’s pretty much game over.

The advice given above is sufficient if you are merely visiting a hidden service. If you need to run a hidden service, do all of the above, and in addition do the following. Note that these tasks require an experienced system administrator; performing them without the relevant experience will be difficult or impossible.

  1. Do not run a hidden service in a virtual machine unless you also control the physical host. Designs in which Tor and a service run in firewalled virtual machines on a firewalled physical host are OK, provided it is the physical host which you are in control of, and you are not merely leasing cloud space.
  2. A better design for a Tor hidden service consists of two physical hosts, leased from two different providers though they may be in the same data center. On the first physical host, a single virtual machine runs with Tor. Both the host and VM are firewalled to prevent outgoing traffic other than Tor traffic and traffic to the second physical host. The second physical host will then contain a VM with the actual hidden service. Again, these will be firewalled in both directions. The connection between them should be secured with IPSec, OpenVPN, etc. If it is suspected that the host running Tor may be compromised, the service on the second server may be immediately moved (by copying the virtual machine image) and both servers decommissioned. Both of these designs can be implemented fairly easily with Whonix.
  3. Hosts leased from third parties are convenient but especially vulnerable to attacks where the service provider takes a copy of the hard drives. If the server is virtual, or it is physical but uses RAID storage, this can be done without taking the server offline. Again, do not lease cloud space, and carefully monitor the hardware of the physical host. If the RAID array shows as degraded, or if the server is inexplicably down for more than a few moments, the server should be considered compromised, since there is no way to distinguish between a simple hardware failure and a compromise of this nature.
  4. Ensure that your hosting provider offers 24×7 access to a remote console (in the hosting industry this is often called a KVM though it’s usually implemented via IPMI which can also install the operating system. Use temporary passwords/passphrases during the installation, and change them all after you have Tor up and running (see below). The remote console also allows you to run a fully encrypted physical host, reducing the risk of data loss through physical compromise; however, in this case the passphrase must be changed every time the system is booted (even this does not mitigate all possible attacks, but it does buy you time).
  5. Your initial setup of the hosts which will run the service must be over clearnet, albeit via ssh; however, to reiterate, they must not be done from home or from a location you have ever visited before. As we have seen, it is not sufficient to simply use a VPN. This may cause you issues with actually signing up for the service due to fraud protection that such providers may use. How to deal with this is outside the scope of this answer, though.
  6. Once you have Tor up and running, never connect to any of the servers or virtual machines via clearnet again. Configure hidden services which connect via ssh to each host and each of the virtual machines, and always use them. If you must connect via clearnet to resolve a problem, again, do so from a location you will never visit again.
  7. Hidden services must be moved regularly, even if compromise is not suspected. A 2013 paper described an attack which can locate a hidden service in just a few months for around $10,000 in cloud compute charges, which is well within the budget of even some individuals. It is safer, though not at all convenient, to move the hidden service at least monthly. Ideally it should be moved as frequently as possible, though this quickly veers into the impractical. Note that it will take approximately an hour for the Tor network to recognize the new location of a moved hidden service.


Anonymity is hard. Technology alone, no matter how good it is, will never be enough. It requires a clear mind and careful attention to detail, as well as real-world actions to mitigate weaknesses that cannot be addressed through technology alone. As has been so frequently mentioned, the attackers can be bumbling fools who only have sheer luck to rely on, but you only have to make one mistake to be ruined. We call them “advanced persistent threats” because, in part, they are persistent. They won’t give up, and you must not.



“If we desire respect for the law, we must first make the law respectable.” – U.S. Supreme Court Justice Louis D. Brandeis