Some websites turning law-abiding Tor users into second-class citizens
Tor users blocked or faced with CAPTCHA if IP address matches known exit node.
About 1.3 million IP addresses—including those used by Google, Yahoo, Craigslist, and Yelp—are turning users of the Tor anonymity network into second-class Web citizens by blocking them outright or degrading the services offered to them, according to a recently published research paper.
Titled "Do You See What I See? Differential Treatment of Anonymous Users," the paper said 3.67 percent of websites in the Alexa 1,000 discriminated against computers visiting with known Tor exit-node IP addresses. In some cases, the visitors are completely locked out, while in others users are required to complete burdensome CAPTCHAs or are limited in what they can do. The authors said the singling out was an attempt by the sites to limit fraud and other online crime, which is carried out by a disproportionately high percentage of Tor users. In the process, law-abiding Tor users are being treated as second-class Web citizens.
In many cases, the degraded experience is automatically carried out by content delivery networks, which help individual websites distribute content and block malicious users. One of the best-known CDNs, CloudFlare, assigns a reputational score to visiting IP addresses and, if the score is too low, requires end users to complete a CAPTCHA designed to prove they're a human rather than a malicious script. On a support page, CloudFlare says it doesn't specifically target Tor users, but it goes on to say that "due to the behaviour of some individuals using the Tor network (spammers, distributors of malware, attackers, etc.), the IP addresses of Tor exit nodes generally earn a bad reputation." The paper's findings have touched off a long and often heated discussion between Tor advocates and representatives of CloudFlare.
Websites that use CloudFlare competitor Akamai, meanwhile, often block Tor users outright with a 403 error that can't be bypassed. While Google and Yahoo don't block Tor users outright, some of their pages or services aren't available to visitors using Tor IP addresses. One site that's not mentioned at all in the paper is Facebook. In 2014, the social network became available as a hidden service. Facebook also tweaked its fraud-detection algorithms to improve the experience of Tor users.
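The treatments described above, an outright 403 block versus a CAPTCHA challenge, can be told apart by fetching the same URL once from a control address and once through a Tor exit, then comparing the two responses. The Python below is an added example, not code from the paper or this article; the CAPTCHA marker strings, host names and sample responses are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Assumption: substrings that identify a challenge page. Real pages vary per CDN.
CAPTCHA_MARKERS = ("captcha", "prove you are human")

@dataclass
class Response:
    status: int
    body: str

def has_captcha(resp):
    text = resp.body.lower()
    return any(marker in text for marker in CAPTCHA_MARKERS)

def classify(control, tor):
    """Label the Tor-side response relative to the control fetch of the same URL."""
    if control.status >= 400:
        return "inconclusive"   # site fails for everyone, so there is nothing to compare
    # Check for a challenge first: challenge pages are often served with an error status.
    if has_captcha(tor) and not has_captcha(control):
        return "captcha"
    if tor.status >= 400:
        return "blocked"
    return "same"

def summarize(pairs):
    """Return per-label counts and the share of conclusive sites that treat Tor differently."""
    labels = Counter(classify(control, tor) for control, tor in pairs.values())
    conclusive = sum(n for label, n in labels.items() if label != "inconclusive")
    differential = labels["captcha"] + labels["blocked"]
    return labels, (differential / conclusive if conclusive else 0.0)

# Constructed sample: (control response, Tor-exit response) per hypothetical host.
OK = Response(200, "<html>Welcome</html>")
SAMPLE = {
    "site-a.example": (OK, Response(403, "<html>Access Denied</html>")),
    "site-b.example": (OK, Response(403, "<html>Complete the CAPTCHA to prove you are human</html>")),
    "site-c.example": (OK, Response(200, "<html>Welcome</html>")),
    "site-d.example": (Response(503, "down"), Response(503, "down")),
}

if __name__ == "__main__":
    labels, rate = summarize(SAMPLE)
    print(dict(labels), f"differential treatment on {rate:.0%} of conclusive sites")
```

Service-level limits, such as a page that loads but withholds a feature, do not show up in status codes or challenge markers and need per-site checks.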
The paper exposes the tension between site security and access to information and anonymity, particularly by those in repressive countries that censor content or closely monitor citizens' Web browsing.