THE ANONYMITY NETWORK Tor has long been the paranoid standard for privacy online, and the Tor Browser that runs on it remains the best way to use the web while revealing the least identifying data. Now the non-profit Tor Project has officially released another piece of software that could bring that same level of privacy to instant messaging: a seamless and simple app that both encrypts the content of IMs and also makes it very difficult for an eavesdropper to identify the person sending them.
On Thursday the Tor Project launched its first beta version of Tor Messenger, its long-in-the-works, open source instant messenger client. The app, perhaps more than any other desktop instant messaging program, is designed for both simplicity and privacy by default: It integrates the “Off-the-Record” (OTR) protocol to encrypt messages and routes them over Tor just as seamlessly as the Tor Browser does for web data. It’s also compatible with the same XMPP or “Jabber” chat protocol used by millions of Facebook and Google accounts, as well as desktop clients like Adium for Mac and Pidgin for Windows. The result is that anyone can download the software and in seconds start sending messages to their pre-existing contacts that are not only strongly encrypted, but tunneled through Tor’s maze of volunteer computers around the world to hide the sender’s IP address.
“With Tor Messenger, your chat is encrypted and anonymous…so it is hidden from snoops, whether they are the government of a foreign country or a company trying to sell you boots,” Tor public policy director Kate Krauss wrote to WIRED in a Tor Messenger conversation. She emphasized that despite those features, the program’s use of a pre-existing chat protocol means users won’t need to rebuild their network of contacts. “You can use your Jabber address and your old contacts–you aren’t reinventing the wheel–but wow, much safer.”
Popular IM programs like Pidgin and Adium have long had the option to switch on OTR for encrypted messaging and even send their messages over Tor for anonymity. But for Pidgin, that required downloading an OTR plugin, and neither app encrypted messages by default. Using those programs to route messages over Tor took an even more finicky manual setup, and required running Tor separately. Tor Messenger integrates both features and has them turned on by default. It even launches with logging disabled, so that users are encouraged to communicate with privacy-friendly, ephemeral messages—though logging can be enabled if users want a record of their chats. “For a conversation that is supposed to be ‘off the record’…you do not want to leave any trace,” says Sukhbir Singh, one of the Tor developers who built the program. “It’s as if the conversation didn’t even happen.”
Tor Messenger’s IM anonymity isn’t perfect. It shares the user’s contact info and contact list with the server connecting him or her to anyone on the other side of a conversation—its developers describe this as a necessary compromise to make the program compatible with other XMPP clients. That could allow an eavesdropper to learn some identifying metadata, despite the fact that Tor’s anonymity network hides the user’s IP address. Services likePond and Ricochet, by contrast, don’t reveal that contact metadata. But unlike Tor Messenger, those programs also require the recipient of a message to be using Pond or Ricochet, too, limiting the size of their network of users.
“Please note that this release is for users who would like to help us with testing the product but at the same time who also understand the risks involved in using beta software,” writes Singh, quoting the Tor Project’s blog post about the release. “As such, don’t rely on this product for strong anonymity just yet.”
Now that Tor Messenger is in beta, however, its developers are welcoming the outside world to scrutinize the software for bugs. After some auditing and bugfixes, the program is set to become a powerful and popular tool for instant, idiot-proof, and surveillance-resistant communication.