Anonymity, privacy and onions: How Tor might impact online retailers

With all the talk recently of the privacy and anonymity that Bitcoin affords its users, not much has been said about the anonymous network that is the backbone for what The Economist called "a dark corner of the web." Tor, which was previously an upper-case acronym for The Onion Router, is a combination of a special browser and a network of several thousand volunteer servers. By using the Tor browser, a user's Internet activity is routed and re-routed through machines on the network, making it supposedly impossible to retrace the "layers" of the path.

In the words of The Tor Project, "it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked."

Tor is the method that customers used to access the online black market Silk Road, which was shut down by the FBI in October. Edward Snowden used Tor for all of his communications with The Guardian. Originally a product of the U.S. Navy, the technology is now a darling of the community advocating for better privacy rights.

So what do online retailers need to know about Tor? We posed these questions to Wendy Breakstone, Director of Marketing for Service Objects, a contact and data validation company. They recently published the white paper "Tor: The Good, The Bad, The Anonymous."

Retail Customer Experience: Tor is a very complex subject. If you wanted to simplify it to just the basics that retailers need to know, how would you explain it to them?

Wendy Breakstone: The Tor Network, and other anonymous proxy services, hide the location of the computer that is being used, allowing the computer user to conceal his or her location and identity.

Story continues below...

How Travelocity Increased Conversion by 5x
Find out how Travelocity uses Jumio's credit card scanning and validation tool, Netswipe to increase conversion rates and engagement on their mobile applications.
Access the 30-minute webinar

RCE: Are any major retailers doing anything specifically in regards to Tor — that is, monitoring for its usage, particularly with e-commerce transactions? Or would you say it's not on the radar of most retailers yet?

WB: While we can only speculate the number of retailers with Tor on their radar, we can say that most major retailers use a variety of data and contact validation tools to detect the accuracy and legitimacy of the transaction they receive. IP address validation is an important step in the detection and prevention of fraud entering your system because it informs you of a user's location, which is a key piece of information to protect against real-time fraud. Along with IP address validation, retailers use SMS/phone verification and address validation to verify orders and improve shipping times.

RCE: Is IP address validation being used very widely?

WB: We have experienced an uptick in IP validation service usage since Silk Road and other nefarious activity using IP anonymity have recently been exposed. Internet retailing will continue to grow exponentially, which means that fraudsters will continue to find opportunities to commit fraud. This also means that as a data quality company focused on reducing waste and fraud, we will continue to strive to arm companies with validation tools for prevention.

While each IP validation service varies by provider, in a nutshell, our IP address validation allows you to geographically pinpoint the location of a computer user. IP address validation offers global coverage with 99.8 percent country-level accuracy. Various flags and message codes are presented including the IP location, ISP, proxy server detection (i.e. private, public, anonymous/Tor), and a certainty score is provided that helps weigh the likelihood of fraud.

For example, if a customer's IP is determined to be coming from a Tor exit IP, and the retailer runs a secondary validation test that also returns a warning, this is a good indication of potential fraud and the transaction should be evaluated further.

Another example is when an IP address doesn't match the billing or shipping address inputted by the customer. For instance, the IP is in Nigeria and the customer's info is an Oregon address. The retailer should take a good look at this order before processing.

We believe that the most effective way to use IP validation is in real-time — that is to say the customer's IP is checked immediately upon submission into the system. Integrating IP validation via an API is the best method for real-time validation checking. A web developer would assist the retailer with the API integration for an online form or e-commerce checkout.

RCE: What about consumers who are concerned about their privacy ... or perhaps they are concerned about price discrimination, based on where they live. Are their concerns legitimate? 

WB: Privacy is a valid concern and a very hot topic for consumers and retailers alike. It's important to note that we are not suggesting that all Tor users are inherently bad. Tools like IP validation simply empower the retailer to make educated decisions about potentially fraudulent transactions.

RCE: Your company has said that someone using the Tor browser to shop online is like someone shopping a physical store with a stocking over their face — not technically against the rules, but suspicious. Is it really that suspicious?

WB: When we first launched the update to our IP address validation to include Tor checking, a few lively discussions cropped up on a popular forum (Slashdot). In the discussion, someone noted "Making a credit card purchase online via Tor is like going into a shop to buy something using a credit card with a stocking over your face."

The fact is that Tor masks identity. We leave it up to the retailers to determine their level of suspicion. However, for those that want to prevent fraud, IP validation is a highly accurate check. For instance, if a company detects an anonymous proxy, they may perform a secondary check, e.g., telephone verification, which sends a code via SMS to validate the customer's inputted phone number.

RCE: Are there valid reasons why someone would insist on using Tor to shop?

WB: In certain countries, where surveillance is commonplace, simple web browsing on Facebook, Yahoo and online shopping sites can be cause for alarm to prying eyes. For these users, the anonymity provided by Tor may be their only option.

Related Content

User Comments – Give us your opinion!
  • Brenda Bell
    "In the discussion, someone noted "Making a credit card purchase online via Tor is like going into a shop to buy something using a credit card with a stocking over your face."" Given that brick-and-mortar customers retain their cards during transactions, that many don't sign their cards for fear of theft (I still don't understand THAT one!), and that we don't check receipt signatures to card signatures (if indeed there is a physical signature receipt), anybody can walk into any store and buy anything with a stolen credit card, and unless the card has been reported in AS stolen, it won't trigger any alarms. (Where I work, it would seem that parents frequently give their children their credit cards to buy school supplies.)
Products & Services

PeopleMatter HIRE™


SoloHealth Station® Kiosk


Cell Phone/Mobile Charging Station




PCI Compliance Managed Network Services


Black Box DVI-D Extender with Audio and EDID


Slabb X8E Interactive Digital Signage




RoninCast® Software


Olea Metro 22 Kiosk


CONNECT 2014 Mobile Innovation Summit
Request Information From Suppliers
Save time looking for suppliers. Complete this form to submit a Request for Information to our entire network of partners.