With all the talk recently of the privacy and anonymity that Bitcoin affords its users, not much has been said about the anonymous network that is the backbone for what The Economist called "a dark corner of the web." Tor, which was previously an upper-case acronym for The Onion Router, is a combination of a special browser and a network of several thousand volunteer servers. When someone uses the Tor browser, their Internet activity is routed and re-routed through machines on the network, making it supposedly impossible to retrace the "layers" of the path.
In the words of The Tor Project, "it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked."
Tor is the method that customers used to access the online black market Silk Road, which was shut down by the FBI in October. Edward Snowden used Tor for all of his communications with The Guardian. Originally a product of the U.S. Navy, the technology is now a darling of the community advocating for better privacy rights.
So what do online retailers need to know about Tor? We posed these questions to Wendy Breakstone, Director of Marketing for Service Objects, a contact and data validation company. They recently published the white paper "Tor: The Good, The Bad, The Anonymous."
Retail Customer Experience: Tor is a very complex subject. If you wanted to simplify it to just the basics that retailers need to know, how would you explain it to them?
Wendy Breakstone: The Tor Network, and other anonymous proxy services, hide the location of the computer that is being used, allowing the computer user to conceal his or her location and identity.
RCE: Are any major retailers doing anything specifically in regards to Tor — that is, monitoring for its usage, particularly with e-commerce transactions? Or would you say it's not on the radar of most retailers yet?
WB: While we can only speculate on the number of retailers with Tor on their radar, we can say that most major retailers use a variety of data and contact validation tools to detect the accuracy and legitimacy of the transactions they receive. IP address validation is an important step in the detection and prevention of fraud entering your system because it informs you of a user's location, which is a key piece of information to protect against real-time fraud. Along with IP address validation, retailers use SMS/phone verification and address validation to verify orders and improve shipping times.
RCE: Is IP address validation being used very widely?
WB: We have experienced an uptick in IP validation service usage since Silk Road and other nefarious activity using IP anonymity have recently been exposed. Internet retailing will continue to grow exponentially, which means that fraudsters will continue to find opportunities to commit fraud. This also means that as a data quality company focused on reducing waste and fraud, we will continue to strive to arm companies with validation tools for prevention.
While each IP validation service varies by provider, in a nutshell, our IP address validation allows you to geographically pinpoint the location of a computer user. IP address validation offers global coverage with 99.8 percent country-level accuracy. Various flags and message codes are presented including the IP location, ISP, proxy server detection (i.e. private, public, anonymous/Tor), and a certainty score is provided that helps weigh the likelihood of fraud.
For example, if a customer's IP is determined to be coming from a Tor exit IP, and the retailer runs a secondary validation test that also returns a warning, this is a good indication of potential fraud and the transaction should be evaluated further.
Another example is when an IP address doesn't match the billing or shipping address inputted by the customer. For instance, the IP is in Nigeria and the customer's info is an Oregon address. The retailer should take a good look at this order before processing.
We believe that the most effective way to use IP validation is in real-time — that is to say the customer's IP is checked immediately upon submission into the system. Integrating IP validation via an API is the best method for real-time validation checking. A web developer would assist the retailer with the API integration for an online form or e-commerce checkout.
RCE: What about consumers who are concerned about their privacy ... or perhaps they are concerned about price discrimination, based on where they live. Are their concerns legitimate?
WB: Privacy is a valid concern and a very hot topic for consumers and retailers alike. It's important to note that we are not suggesting that all Tor users are inherently bad. Tools like IP validation simply empower the retailer to make educated decisions about potentially fraudulent transactions.
RCE: Your company has said that someone using the Tor browser to shop online is like someone shopping a physical store with a stocking over their face — not technically against the rules, but suspicious. Is it really that suspicious?
WB: When we first launched the update to our IP address validation to include Tor checking, a few lively discussions cropped up on a popular forum (Slashdot). In the discussion, someone noted "Making a credit card purchase online via Tor is like going into a shop to buy something using a credit card with a stocking over your face."
The fact is that Tor masks identity. We leave it up to the retailers to determine their level of suspicion. However, for those that want to prevent fraud, IP validation is a highly accurate check. For instance, if a company detects an anonymous proxy, they may perform a secondary check, e.g., telephone verification, which sends a code via SMS to validate the customer's inputted phone number.
RCE: Are there valid reasons why someone would insist on using Tor to shop?
WB: In certain countries, where surveillance is commonplace, simple web browsing on Facebook, Yahoo and online shopping sites can be cause for alarm to prying eyes. For these users, the anonymity provided by Tor may be their only option.
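The checks described in the interview (Tor exit detection, comparing the IP's country with the billing country, and a secondary validation result) can be combined into one real-time triage step. The sketch below is an added example, not Service Objects' code or API; the exit list, geo table, function names and decision labels are constructed assumptions.

```python
import ipaddress

# Constructed sample data using documentation address ranges. A real
# deployment would load a current Tor exit list and a GeoIP database.
TOR_EXITS_TEXT = """\
# constructed sample exit list
192.0.2.10
198.51.100.7

2001:db8::5
"""
GEO_COUNTRY = {"203.0.113.0/24": "NG", "198.51.100.0/24": "US"}

def normalize_ip(raw):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    which dual-stack web servers often report for IPv4 clients."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def load_exits(text):
    """Build a set of exit addresses, skipping blanks and comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return {normalize_ip(ln) for ln in lines if ln and not ln.startswith("#")}

def country_of(ip, table=GEO_COUNTRY):
    """Return the country code for ip, or None if the table has no match."""
    for cidr, cc in table.items():
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            return cc
    return None

def triage(raw_ip, billing_country, secondary_warning, exits):
    """Return (decision, signals) for one checkout submission."""
    ip = normalize_ip(raw_ip)
    signals = []
    if ip in exits:
        signals.append("tor_exit")
    cc = country_of(ip)
    if cc is not None and cc != billing_country:
        signals.append("geo_mismatch")
    if secondary_warning:
        signals.append("secondary_warning")
    # Tor alone only triggers a secondary check (e.g. an SMS code); a geo
    # mismatch or a failed secondary check sends the order to manual review.
    # Treating a secondary warning without Tor as "review" is an assumption.
    if "geo_mismatch" in signals or "secondary_warning" in signals:
        return "review", signals
    if "tor_exit" in signals:
        return "step_up", signals
    return "accept", signals
```

Normalizing before the lookup matters: without it, a Tor exit reported as `::ffff:192.0.2.10` would miss a list that stores the address as plain IPv4.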