Tor and Tails Team Up for Better Online Privacy Protections

The merger of two popular open-source communities could sharpen the focus on bolstering online privacy and web-surfing anonymity.

The Amnesic Incognito Live System, or Tails, and the anonymity network Tor Project, short for The Onion Router, announced in late September a merger to unite operations and resources from both software communities into a single entity. The merger started in late 2023 when the Tails leadership needed a solution to having maxed out operational funds. Both entities decided to share the common goal of online anonymity.

A joint statement explained that the merger solved expansion and operational issues for both parties. Tails developers could avoid independently expanding operational capacity by combining with the Tor Project’s “larger and established operational framework.”

“By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project,” according to the announcement.

The merger is significant as it unifies two similar projects, enhancing resources and efficiency in developing robust online privacy tools, according to Jason Soroko, senior fellow at Sectigo, a comprehensive certificate lifecycle management firm. He views this merger as substantially impacting privacy concerns by improving tools that better protect users from surveillance and data misuse.

“Increased focus on internet privacy is essential, and open-source projects should lead in providing transparent, collaborative solutions to safeguard personal data,” he told LinuxInsider.

Aligns Similar Project Goals

Tor and Tails are most often used together, noted Soroko. Tails is a live Linux operating system that routes all internet traffic through the Tor network by default. Tor routes traffic through multiple volunteer-operated nodes, making it much harder to trace.

Tails, a free live operating system, ensures that no data is stored on the device after use, providing a secure environment that leaves no traces. This security measure is essential for users in high-risk situations, such as journalists, activists, or whistleblowers who need to protect their identities and activities from surveillance and censorship, he explained.

Both organizations aim to protect users from surveillance and censorship over the internet. Tails already used the Tor network to enhance online privacy. The free Tor browser, a tool frequently used to navigate the dark web, remains hidden from visited websites to avoid third-party trackers and ads.

Tor is an independent web browser that connects users to the internet through a proxy server, enabling anonymous connections from IP addresses that cannot be linked to a specific service or individual.

Casey Ellis, founder and advisor at crowdsourced cybersecurity firm Bugcrowd, agreed that this is an interesting move that makes a lot of sense. Sharing the business infrastructure will free up the Tails team, and the core group will have the time and opportunity to focus on the evolving needs of a privacy-focused OS like Tails.

“This merger involving an operating system such as Tails was long-awaited … Hopefully, this move broadens awareness of and contribution to the maintenance and improvement of both projects,” he told LinuxInsider.

Could Put Enterprise and Personal Needs at Odds

In enterprises that approve web traffic monitoring for security and use of unapproved software and operating systems, this definitely will have privacy concerns. However, for legitimate and privacy-focused users, this will be a boon, offered Mayuresh Dani, manager of security research for the Threat Research Unit at Qualys.

“Protection against the abuse of personal data should definitely be one of the topmost pillars in protecting enterprises,” he told LinuxInsider.

In today’s interconnected world, everyone has an app for everything. All these apps share data with their creators as analytics to improve their services or products.

“Most of us are not aware of the information being collected at all. If a threat actor gains access to this personalized information, then a lot of attacks are possible,” he added.

Factors Driving Interest in Preserving Online Privacy

Growing concerns about internet data abuse are impacting both consumers and enterprises, suggested Arjun Bhatnagar, co-founder and CEO of privacy company Cloaked.

“The demand for privacy as a response to a growing abuse of personal data is rapidly becoming one of the most important issues of our time,” he told LinuxInsider.

Strong interest is mounting in understanding how to tackle the abuse of data. This is prevalent with consumers actively disengaging by deactivating online accounts to businesses facing potential bankruptcy (e.g., 23andMe) due to reputation loss after a data breach.

This growing privacy concern is rooted in high-profile data breaches, manipulative AI algorithms, misuse of data for targeted advertising, unethical data-sharing practices, and intrusive surveillance by governments and corporations, which are entering daily discourse among individuals, Bhatnagar detailed.

He agreed that the merger, by uniting two trusted privacy tools, could strengthen efforts to protect users from surveillance and data exploitation.

“With shared resources, the merged entity can offer an integrated, more robust defense against surveillance and data abuse,” he said.

Balancing Privacy Responsibilities in Data Collection

According to Bhatnagar, the privacy focus should be on ensuring transparency, accountability, and robust security practices, regardless of the model. As privacy threats increase, both open-source and proprietary solutions must commit to prioritizing user data protection.

“Ultimately, the priority should be creating solutions that empower users to maintain control over their data while minimizing the risks of exploitation and abuse,” he urged.

While some in the business and technology industries push for software developers to take an active role in safeguarding online privacy, others in the software development field argue that resolving the abuse of personal data on the internet is above their pay grade.

Decisions about personal data collection are typically made by product managers, who determine what data to collect, guided by relevant laws and guidelines.

However, they are incentivized to collect as much as possible, argued Brian Behlendorf, a technologist, computer programmer, and leading figure in the open-source software movement. He also is the general manager of the Open Source Security Foundation (OSSF).

“Other business roles inside a typical company decide with whom and how to share data and then direct engineers to implement,” he told LinuxInsider.

Software Devs Not Part of Privacy-Stealing Machine

Behlendorf argued that, in most cases, software developers are not usually empowered to create software that minimizes the collection or sharing of personal data. Their convictions about this might not outweigh their employers’ designs and mandates; he offered as a personal opinion.

He emphasized that his comments do not represent OSSF (which is hosted by The Linux Foundation) nor affiliations with Mozilla or the Electronic Frontier Foundation (EFF).

“On a personal level, software developers I know are as angry as average citizens are about the ways their data is being used today,” Behlendorf continued.

Developers are even more sensitive to what happens beneath the user interface layer and the potential for that abuse, he added.

Expanding Privacy Access and Awareness

Tor helps ensure your web traffic is difficult for anyone, including nation-state actors, to trace. Tails helps lock down your local computing environment in ways that make it difficult for even government-sponsored actors to hack.

Behlendorf noted that these are tools that average consumers could use, and the more consumer usage they get, the better. The most compelling use cases are for users engaged in sensitive work.

People in the human rights and journalism communities already know about Tor, but a much smaller number know about Tails.

“Hopefully, this merger helps that crowd with intense needs also start to use Tails and benefit from its security promises and reassures them that the organizations behind these two pieces are better resourced,” he offered.

“More broadly, among the consumer public, I don’t see as much impact, though I hope it creates positive pressure among the more popular social network apps to be more secure by default.”