Oct 28, 2014

We've known for a while that Tor isn't the digital panacea it's often thought to be. Now, a security researcher has revealed that a person operating one of the "exit nodes" used by the service to anonymize Internet browsing has used the device to add malware to any downloads made through it, including those obtained from Microsoft's update service. The researcher has also advised Tor users to check their connections and devices.

This isn't the first problem Tor users have encountered, and it won't be the last. As it turns out, trusting people to bounce an Internet connection around the world to evade surveillance is also a good way to open a device up to risks like those described above. (Operating those nodes also happens to be a good way to be held responsible for others' activities, as one Tor operator learned when he was charged for child porn sent over his servers.)

Tor doesn't just leave a device open to malware, either. It also undermines one of its primary use-cases: evading government surveillance.

German investigators found in July that the National Security Agency targets people who attempt to anonymize their browsing histories with the software. I called it a "devil's bargain," a choice between hoping the NSA never checks your browsing history by leaving it vulnerable to surveillance, or painting a target on your back by attempting to secure it with software like Tor.

Despite these setbacks, people interested in keeping their digital activities secret are often told to use Tor. Activists are advised to use it to avoid government censorship. Journalists are using it to secure their communications with their sources to avoid the Obama administration's war on leaks. Downloading Tor is considered Digital Security 101 by many of its proponents.

But people should be aware of the risks associated with Tor in addition to being told of its benefits. Their connections are being shuttled through devices they don't control, and in at least one case, this has left countless devices vulnerable to malware that would otherwise have been avoided. They've also attracted the NSA's attention, which might be the exact opposite of what they wanted. Tor is an important tool, and it has its benefits, but it's not anywhere near perfect.

[illustration by Brad Jonas]