Welcome to “Ask a security trainer,” the column where the digital security training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.

Dear DST,

I was told in a previous training session that the Tor Browser can be used for risky research. However, I keep hearing that Tor users are being closely monitored by the government or internet service providers. Is this something I should be concerned about? I am concerned that doing so might make me look suspicious.

Signed,

Paranoid Onion

Hi Paranoid Onion,

Great question; it’s one that we get a lot. First, it’s important to point out: There’s nothing illegal about using the Tor anonymity network in the United States. It’s not only used by dozens of reputable news outlets around the world, but government actors also depend on it — for example, the CIA hosts a website within Tor.

In many (but not all) cases, Tor is great for circumventing censorship, conducting risky research, and even receiving files anonymously. These features allow journalists to receive leaked files through services like SecureDrop and OnionShare. With it, your confidential sources can be protected from identification.

However, there are a few things to keep in mind, depending on where you are using it from.

Imagine the Tor network as a massive crowd of people. With over 2 million users worldwide, it is incredibly difficult to identify any one individual’s network traffic. This is because Tor randomly routes your connection through several volunteer-run “relays” — or servers. To an observer, your connection would appear to originate from the last relay instead of your computer’s IP address. Since Tor also encrypts network traffic, the government has quite the challenge of discerning any individual from other Tor users. This concept is called network anonymity.

Because of network anonymity, you should not worry too much about being flagged as a Tor user. While using Tor will encrypt and tunnel your traffic around the world, shielding it from intermediaries such as your internet service provider, your ISP can nonetheless know that you’re using Tor, even if they can’t tell exactly what you’re doing. This means Tor users in regions where there are few users can be more readily identified by the ISP, so it’s likely safest to use it in places where there are lots of Tor users. In the anonymity of the crowd of Tor users, your browsing habits are kept hidden from a potential observer.

If you are on a network or in a region where there are little to no Tor users at all, it may change the equation a bit. An ISP or government will still not be able to see what you’re doing on Tor, but if you are the only user (or one of very few users) in your given area, you may be at more risk. This has backfired in specific scenarios before.

You can check Tor’s website to see Tor traffic in your own country here. Also, only use SecureDrop in places where there are more than 10,000 daily SecureDrop users.

To maximize your security when using Tor Browser, go into your settings > “Privacy & Security” and set “Security level” to “Safest.” This may prevent certain webpage elements from loading but helps defend against attacks on your anonymity.

Other than that, stick with the default settings in Tor Browser (e.g., avoid adding unique browser extensions). Likewise, think about which websites you’re about to visit and how unique they might be. Why? Network anonymity can’t hide someone who has visibly unique characteristics. Fingerprinting occurs when a Tor user leaves behind identifiable characteristics through their browsing habits — kind of like actual fingerprints! It is possible for third parties to collect personally identifiable information over time to build a profile. Similarly, if you log into a website tied to you, such as your favorite social media site, you will look unique to that website, so consider whether you really need to log into a website when using Tor and if you’re OK with this.

The Tor Browser has anti-fingerprinting features that prevent some information from being revealed, like website fonts or screen resolution size. Unfortunately, certain attributes, like your language and operating system, cannot be entirely hidden. If this remains a concern, you may want to look into privacy-focused operating systems like Tails, Whonix, and Qubes for stronger fingerprinting protection.

It’s true that the intelligence community has attempted to conduct some surveillance of Tor users (for instance, between December 2010 and February 2012 and likely longer), so if you have concerns there, you’re not just being paranoid. But remember: You’re not doing anything wrong. Tor helps guard your web traffic, so don’t let any of this prevent you from downloading the Tor Browser. This is not only good for your anonymity, but also that of others, as we all collectively grow the crowd by using it regularly. I encourage you to look at the Tor Project’s support page to learn how you can protect yourself.

Stay safe,

Kevin Pham