Privacy-Preserving Tor Measurements


This project (in collaboration with researchers at the University of New South Wales and the U.S. Naval Research Lab) conducts a detailed privacy-preserving measurement study of Tor, to better understand how the network is being (mis)used.

The Tor network is difficult to measure because, if not done carefully, measurements could risk the privacy (and potentially the safety) of the network's users. Recent work has proposed the use of differential privacy and secure aggregation techniques to safely measure Tor. We significantly enhance two such tools, PrivCount and Private Set-Union Cardinality (PSC), in order to support the safe exploration of three major aspects of Tor usage: how many users connect to Tor and from where they connect, with which destinations users most frequently communicate, and how many onion services exist and how they are used.

Measurement action bounds

We determine a set of action bounds to use during our Tor measurements. As described by Jansen and Johnson [0], these describe the maximum amount of network activity that our privacy techniques will protect (i.e. the amount of activity to which our differential privacy guarantee will apply). These bounds apply to users of the Tor network, which include both Tor clients and onion services.

AS Client Connection Count

The data from our findings for the per-AS client connection count, measured using PrivCount [0], can be found here.

Tor Research Safety Board Feedback

We have incorporated the feedback from the Tor Research Safety Board into our methodology.


For more details about the experiments, refer to:

  Understanding Tor Usage with Privacy-Preserving Measurement
  ACM Internet Measurement Conference (IMC), October 2018
  Akshaya Mani*, T Wilson Brown*, Rob Jansen, Aaron Johnson, and Micah Sherr (* co-first authors)

[0] Rob Jansen and Aaron Johnson, "Safely Measuring Tor", ACM CCS 2016.

[1] Routeviews Prefix-to-AS mappings (pfx2as) for IPv4 and IPv6.