Risks of using Tor? Or am I paranoid?

I am transitioning from exposed normality to privacy. (thanks pg + techlore for assistance). I got a new Linux laptop and am using only new private accounts on it, and if I need to check my old gmail or social media I use my old laptop. I want to keep the new laptop as untraceable from my old laptop as possible.

However my old laptop is on the verge of total collapse, and I am concerned I will not be finished downloaded my data and closing my accounts before it is broken.

I know I can just sign into these accounts through Tor on my new laptop, and also download my data. But I am afraid I will undo much of my hard-work to keep things separate. But am I really undoing anything? Shouldn’t I have nothing to worry about if Tor is as private as they say it is.

Additionally, I strangely feel more monitored when I use Tor. The exit nodes are often blocked by websites, and I often wonder how much resources state agencies put into monitoring these exit nodes, decrypting the traffic (including my emails), combined with advanced analysis, and de-anonymizing all the users.

So question recap.

  1. Does Google/Facebook know what device I am using if I login through Tor?
  2. Is it plausible that Tor traffic is heavily surveilled, with its relative obscurity outweighing it’s secure technology?

Hope my questions are not too silly.

1 Like

Assuming you mean Tor Browser, no, not if you don’t resize the window. Of course, if you use the mobile version they’ll know that, at least, and they may actually be able to fingerprint your device based on display resolution because the mobile Tor Browser doesn’t seem to standardize display resolution.

Are there attempts made to surveil Tor traffic? Absolutely. Do said attempts negate Tor’s utility? No. It’s practically impossible to break Tor’s routing. The best a powerful adversary can reasonably hope to do is monitor exit nodes. To succeed in that, they need to control many nodes, get lucky enough to have your connection exit through their node, and somehow de-anonymize your anonymized data.

3 Likes

Just to be clear, TOR is a tool used to enable something approaching anonymity if used correctly. Anonymity is adjacent and often overlaps with the concept of privacy, but they are not the same, one does not give you the other (usually), and people who need privacy won’t necessarily need or benefit from anonymity tools (and vice versa).

If (pre-privacy-aware) you has created a bunch of personal accounts, there is probably nothing to be gained by switching to accessing those accounts via TOR now. Because TOR can’t retroactively make them anonymous, nor can it make you anonymous if you are signing into accounts that are already tied to your identity or IP address.

Additionally, I strangely feel more monitored when I use Tor.

I feel the same. TOR is a legitimate tool, that should not be stigmatized. That said, by using it, you definitely make yourself more interesting, and more of a threat to a lot of different actors.

It isn’t just “plausible” that TOR is heavily surveilled, it is absolutely heavily surveilled, but that’s not the important question to ask. But TOR is designed around this assumption. The important question to ask is whether TOR’s design model is robust and secure enough to achieve its goal even if it is being heavily surveilled by motivated and well funded adversaries.

But an even better question to ask is why are you using TOR in the first place to do things like log in to your Google or Facebook accounts? What are you hoping it achieves? (obviously if you’ve given Facebook your real name, photos, contacts, personal info, you cannot be anonymous in that context regardless of whether you use TOR or not)

2 Likes

It is Tor. :slight_smile:

You must normalize it, just start using it for everything you can.

  • Watching YouTube? Tor.
  • Listening to podcasts? Tor.
  • Downloading offline maps? Tor.
  • Looking up a manual or recipe? Tor.
  • Reading Wikipedia and news? Tor.
  • Shitposting on Reddit or other forums? Tor.
  • Accessing your own self hosted services? Tor.
  • etc.

I’ve been using Tor since 2008 and have had my phone entirely through Tor for ~8 years now.

If anything you’re more suspicious if you only use Tor occasionally.

Say no to VPNs, use Tor.

I’ve seen this a lot recently people stating logging into accounts over Tor being useless. Except for sites especially like Facebook where they have trackers on numerous other websites, using Tor does provide real benefit by not letting them tie those visits on other platforms to you.
Facebook even has an onion service to provide even greater integrity: https://www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion/

See also: Tor Is Not Just for Anonymity – pastly@home

2 Likes

Tor Browser on desktop has letterboxing for years now, feel free to resize it all you want.

2 Likes

Could you share your phone’s Tor setup?

@Lukas
Just Orbot for all of main profile.

1 Like

Did you change any settings in Orbot? Such as enabling the Isolate Destination Address option?

@Lukas
Yes, all of the isolation options, no other changes. I’m the one who added them.

1 Like

As stated in OP, my objective is to make my new laptop(and new email/accounts) untraceable from my old laptop and accounts. My question is, would the use of Tor on my new laptop to login to old accounts be in any way a hindrance to this objective. For example, Facebook/Google would know I not only stopped using and eventually deleted my account, but they may know I am using a new specific device which they somehow know is tied to my new accounts. Or would the only thing they could know is that I logged in through Tor, which could just as well be Tor on my old device?

edit: I feel I may not be entirely understanding your goal/question correctly. If this is the case, I apologize.

I’d like to make sure I understand what you mean by “untraceable” in this context. Am I correct that your goal is to prevent your new accounts from being associated with your old accounts? Can you also clarify if these are personal social media and email accounts? And if with the new accounts your goal is to not associate your true identity with these accounts?

For the very specific/limited objective of using the Tor Browser on your new laptop, to login to your old accounts, and download your data from those old accounts in a way that prevents these services from knowing the specific details of your new device: I think Tor could be the right tool for that very specific job (using Tails, Whonix, or Tor in a VM would provide higher assurances)

But beyond that specific objective, its not clear to me whether that approach would be successful overall or not because I still don’t understand all the details or the big picture of what you are trying to achieve what sort of accounts we are talking about.

It very much depends on what you mean by “untraceable” if you could define (1) more specifically in what context you want to be untraceable (2) what you want to be untraceable (just your laptop or yourself or something else?) (3) untraceable in the context of who/what adversary?

Without further details/context, I can think of a range of ways that you could be de-anonymized, Tor if used correctly would help protect against 2 of them (mask your IP Address, and make browser fingerprinting more difficult).

But staying anonymous while voluntarily using services like Google/FB who’s whole business model is centered on knowing as much about you as possible, tracking and data harvesting, is a really difficult position to put yourself in. It puts you in a really precarious where a single slip up could undermine that.

Self discipline, really good operational security, and knowledge would be critical. And of course if you repost content or photos from your old facebook to your new facebook, or recreate the same or similar social graph (‘friends list’ / email address book), or if any of your email contacts refer to you by true name or save you in contacts using real name (or any identifier that was linked to your old accounts) that is a problem. If at all possible, moving away from these invasive services would be better than simply creating new accounts through TOR on a new device.

2 Likes

Thanks for you feedback. And don’t worry about not entirely understanding my objective - I have not made it clear.

I simply want to abandon Meta/Google, move to private services (and maximize anonymity except when my identity is needed, such as some emails and gov services), and minimize the extent to which Meta/Google know about my transition and internet activity now that I have left them.

Given my limited knowledge, I played it safe by getting a new private laptop, with new accounts - and have kept all old accounts on old laptop. I am not yet ready to delete the old accounts, but I will likely lose my old laptop.

Meaning if I want to login to my old accounts, mainly to download data and delete them (when I know I am ready), I will likely need to use Tor on my new laptop.

Since I put a lot of effort into making my new laptop a blank slate - this makes me feel uncomfortable. But I can’t find a reason logging in and downloading things through Tor on new laptop will undermine my blank slate. I am posting here to confirm if this is correct, as people here know much more than me. If Google/Meta are so powerful that logging in through Tor will allow them to know more about my new setup than the fact that I am using Tor, then I may rush my download/closure of these accounts.

1 Like

Hi plonkeyt
I am starting to take a ‘Privacy First’ approach for my Internet use. I have been using only Linux for the better part of 15+ years. I had used many commercial Unix prior to that like Solaris on Sun hardware.
I have arrived, slowly, to a point where I wish to take charge of my Data and any Identifying Information for most of my time online. I have, mostly for convenience, started using a Password Manager. I have a bifurcated in-home system of Routers that I use. My ISP one is for TV and my wife’s devices and another one for my sole use. I have taken a commercial Router and flashed a DD-WRT Firmware onto it totally replacing the existing system.
I have acquired a VPN service which I have added to this second router and thereby all traffic through it goes through a Secure Tunnel. I use the same VPN service through an app on my cell phone and it is running when my phone is running.
I will not use any ‘apps’ from any institutions like banks, insurance and that type of thing. I do all my ‘money transactions and payments’ through a desktop wired Linux. I only have one browser installed on this just mentioned unit and that is ‘BRAVE’. Within BRAVE I have only three extensions installed and they are my Password Manager, Gnome Shell Extensions and uBlock origin. I use only the BRAVE search engine and remove all the others that I can.
I only allow my sites to run Javascripts, which I can control through uBlock and BRAVE search, to the extent necessary for comfortable use. Once these are established, as working for me, they remain in effect over stops and starts of the BRAVE browser. I keep no history and have tweaked the BRAVE settings to clear all cookies, etc when I close any Tab and clear everything when I close the browser.
I am only getting started but I have a lot less ‘popups’ and other annoying things already. I have TOR running on all my Linux boxes and use it once in awhile.
I have no delusions of ever having what was once thought to be ‘Privacy’, but I am trying. I am doing this stuff for fun and not for profit. I have avoided belonging to any social media sites, as my wife handles all that stuff. I have only joined this group recently but have been pursuing Privacy, in these and other ways for sometime.
To me it seems that the large tech has conflated Security with Privacy and then offered to make all your data and information Private, with the famous phrase. Just trust ME! I don’t!
Google is the worst interloper of the bunch. If you have an Android cell phone. which I do, it is almost impossible to get them out of your private affairs. (Apple is likewise, for those that are a member of their cult).
By the way it is not ‘paranoia’, if you are correct. There is no software out there that is without bugs and I can handle that. But when the purpose of a program is not as stated that is the worst bug of all.
Have a smooth journey on your quest for a stop to ‘tech overreach’.

1 Like