Invizbox (hands-on): Another flawed Tor "privacy" router debuts

The Tor router runs on the same hardware as the failed Anonabox project, but with a more "honest" approach. The trouble is: honesty won't keep your Internet activity private.
Written by Zack Whittaker, Contributor
You can't just bundle Tor into a router and hope it'll work
(Image: ZDNet/CBS Interactive)

Do you trust this little box to keep your identity and information safe and protected?

Invizbox aims to do exactly that. The project follows in the footsteps of Anonabox, the crowdsourced effort that raised hundreds of thousands of dollars to bring a router that anonymizes Internet traffic to market, but was later pulled by Kickstarter after its custom hardware claim came under scrutiny.

The Invizbox team, three people based in Dublin, Ireland, took the Anonabox idea (and even the hardware) and modified it to create their new product. They hope to make a better product by fixing the technical issues, and that their mantra of honesty and openness can make the project a success, unlike its unassociated predecessor.

And it seems to have worked -- at least, so far. More than 500 Invizbox routers have been shipped to date, accounting for thousands of dollars in the project developers' coffers.

Its sole purpose is to be a technical middleman, routing every bit of your Internet traffic through the Tor network, widely considered the best anonymity service available. That would theoretically make it almost (if not entirely) impossible for governments, companies, and other people to track what you're doing.

The trouble is, it's flawed. That's because the Invizbox fixes only a section of the privacy process, without accounting for browser, computer, and mobile device security.

Invizbox's developers wanted to fix the issues with Anonabox's weak security and locked-down approach. The "privacy" router was marketed as a device that can skirt censorship in oppressive regimes, and evade China's "great firewall." But the project was overwhelmed with criticism it wasn't prepared for, including allegations that it misrepresented its "custom" hardware. August Germar, the project's creator, later reinvented the project on a different crowdsourcing site, Indiegogo, but raised only a fraction of what it generated on Kickstarter.

But there's a problem the Invizbox team couldn't fix.

The average user running the Invizbox still uses a standard browser, like Internet Explorer, Firefox, or Chrome. Based on recent figures from the US government's analytics page, more than one-third of all visitors to its pages are running Chrome.

When a user is signed in (as many are), Chrome records their web history and stores it in the cloud. Even if you're using Invizbox, Chrome may keep a history of your searches and visited websites. In one browsing session using the Invizbox wireless connection, Google's History still recorded everything that was being searched based on the signed-in account. (Firefox also has a similar capability, and accounts for about one-in-ten browsers accessing government sites.)

Even if you turned off Google's search and browsing history "feature," the vast number of plugins in your browser can undermine Tor's protections. The FBI has been known to exploit weaknesses in plugins like Flash to unmask users who have gone on to face prosecution for their illegal activities on the network. (Chrome comes with Flash preinstalled, and updates automatically when fixes become available.)

That's a fundamental design flaw with both products -- one that Invizbox can't fix overnight -- that undermines the very point of the product.

The bottom line: Without Tor, I could not do my job. Activists, journalists, and government agents alike (yes, the government uses Tor, too) would be putting their sources at risk.

And yet the irony is the ones who really need a true anonymizing box aren't the ones who will go out to buy it. They will be using custom configurations -- notably Tor's own modified browser (which comes with a number of in-built features to further reduce the chance of the user being identified) -- to harden their defenses.

Tor's browser bundle is by far the most common (and probably the most user-friendly) way to access the anonymity network. It's familiar to even new users -- at least to most browser users, but especially those who use Firefox.

Offering a router or device that falls considerably short of something that's already the industry-wide standard for the sake of a few bucks for each device is irresponsible.
