Was the search at Zwiebelfreunde a misunderstanding of Tor, or a deliberate attack on the network?
In June, a significant data breach fell under the radar and out of the headlines after German police stormed the office of a non-profit privacy group.
The association in question, Zwiebelfreunde, which handles donations to digital anonymity projects and privacy-enabling tools such as the Tor network, found itself caught in the middle of an investigation due to its link to Krawalltouristen – a far-left blog whose authors were wanted for questioning by authorities.
Four months on from the incident, and after the raid was ruled unlawful by a high district court in Munich, more questions are brought into the frame, such as was the police response reflective of a simple misunderstanding?
Or, more likely, was it an intimidation tactic?
“We can say that every donor was potentially affected,” said Jens Kubieziel, a Zwiebelfreunde board member, speaking to The Daily Swig recently about how his organization has recovered from the state intrusion.
“The police took all documents we had since our [Zwiebelfreunde] founding,” he said. “So in theory, they could have looked into that data.”
According to Kubieziel, Bavarian authorities seized between 50 and 70 devices from six individuals at Zwiebelfreunde on June 20. These included laptops, mobile phones, USB sticks, external hard drives, and desktop computers.
“They only had a few days to look into those documents,” said Kubieziel, explaining that lawyers representing Zwiebelfreunde demanded that the confiscated devices be sealed in the event that police had exercised an overreach of power.
“After this point in time they were not allowed to analyze the data and, as far as I can tell, they didn't do it,” said Kubieziel.
The seized hardware was given back following the court’s ruling in favor of Zwiebelfreunde, with the association now left to discuss improvements to its operational security in time for the next inevitable raid.
“We are fortunate enough that we have thought about this scenario and prepared for it,” Moritz Bartl, another Zwiebelfreunde board member, told The Daily Swig.
“Most organizations would have had a much harder time, and also more data would have been exposed than in our case.”
Police raids on left-wing organizations are thought to have increased since the 2017 G20 summit in Hamburg, when the website Indymedia Linksunten was infamously shut down under claims that it was inciting violence during the two-day meeting of world leaders.
That event, and ongoing tensions between left and right fractions within a country already battling Islamic extremism, has appeared to serve as a springboard for new police powers, giving authorities surveillance capabilities when they believe “imminent danger” is present.
The left-wing blog Krawalltouristen had posed such a threat, and therefore brought police to the door of Zwiebelfreunde in hopes that they would locate the authors of the website – except Zwiebelfreunde only managed donations to the site’s email provider, Riseup, and had never heard of the blog before.
“There’s either been a misunderstanding about what the organizations do and how Tor works, or it’s just deliberately malicious and designed to intimidate organizations that have anything to do with helping Tor raise funding,” Eva Galperin, head of cybersecurity at the Electronic Frontier Foundation, told The Daily Swig in the aftermath of the raid on Zwiebelfreunde.
“There are some things that you can do if you ascribe this [police] behavior to stupidity,” she said. “Which is to go out and educate the people who are involved in law enforcement about what Tor is, how Tor works, and how these other organizations relate to Tor, so they don’t end up inadvertently harassing.”
Galperin added: “There’s not much you can do if the harassment is deliberate.”
While encrypted drives and a lawyer’s number on speed dial are obvious protections used by any privacy-focused organization, the reality of practicing sensible security hygiene on a daily basis can be too costly for even the most digitally savvy non-profit.
“We have to be realistic about additional measures since we operate on a volunteer basis,” said Bartl. “We need to keep a balance between better security and the ability to continue what we do.”
Shutting down machines, GNuPG SmartCards, Yubikeys, and storing documents in a safe in another location are other defenses and lessons learned from the raid.
“From a technical point of view, one should have a remote backup,” said Kubieziel. “All local devices should be encrypted, and it also seems helpful to tag devices. While this is not a 100% guarantee, it can be helpful.”