Forget Bitcoin — Is 'Tor' the Best Way to Anonymize Digital Payments?

The concept of making anonymous online transactions is in the spotlight because of the prominence of the digital currency Bitcoin, but most consumers remain uneasy with the cryptocurrency's instability and risk. An alternative for the privacy-minded might sprout from Tor, or The Onion Router.

The Tor system redirects Web traffic to conceal the end user's physical location and IP address. Tor was originally a U.S. Naval Research Laboratory-sponsored project and first became popular in the mid-2000s a way to protect "whistleblowers" and journalists in unsafe areas.

In payments, Tor could enable consumers to make purchases online with bank-issued cards or with systems such as PayPal, while also hiding their location. Consumers might do this to avoid price discrimination, but they would not be completely anonymous.

"With Bitcoin, you're making sure there's no record kept and nothing tied to your name, while with Tor you'd still be using some type of identifying information," says Dave Kaminsky, senior analyst at Mercator Advisory Group.

This allows Tor to be a compromise for online shoppers who want to regain control of some of their personal data without concealing all of it.

"The industry allows all kinds of information to be captured about us individually," says Patricia McGinnis, director of the commercial and enterprise payments group at Mercator Advisory Group. Companies frequently transmit that data "to unauthorized third parties … without our permission or authority and without us even knowing," she says.

This phenomenon is made clear in The Wall Street Journal's "What They Know" series, McGinnis says. The series shows how consumers expose an unexpected amount of data as they surf the Web, as they drive, as the use Facebook and through other normal daily activities.

"There's too much data around and too few controls," she says.

People that use Tor are "just freaked out by the amount of data collected and the amount of information they give up on a daily basis," says Andrew Lewman, executive director with The Tor Project.

There is certainly a drive for more anonymity in payments. Notably, the popular blogging system WordPress began accepting Bitcoin payments in November to facilitate access for bloggers in regions where payments might be blocked for political reasons or due to a high fraud rate.

So what's holding Tor back? For one, it shares many of the stigmas Bitcoin does. Just as Bitcoin has earned a reputation as a tool of drug dealers and other illegal activities, Tor is used to conceal illegal online activity.

Most Tor users, Lewman says, use the service to search sexually taboo material, medical reports or for hacking and gambling.

Another major strike against Tor is it goes up against anti-money laundering rules and Know Your Customer legislation, says David Fish, a senior analyst at Mercator Advisory Group.

"As acceptors of a card-not-present or customer-not-present [payment], merchants make business decisions based on risk and perceived legitimacy," he says. "There needs to be a balance between privacy and security, and each of the stakeholders has their own definition."

Tor's role in payments remains small because merchants and processors typically need to identify the shopper's computer and its location, McGinnis says.

"Tor seems to be universally punished because of a few bad actors," Lewman says. "The fact that people want privacy doesn't make them suspect."

In 2012, Tor was downloaded 30 million times, says Lewman.

iOvation is one of the companies that examines a computer's IP address to try and combat fraud.

"Location is a big deal in fraud mitigation," says Scott Waddell, chief technology officer at iOvation. Transactions that come in through Tor are "15 times more likely to result in a denied transaction" over the other transactions the company sees, he says. iOvation sees more than 10 million transactions per day.

Tor "could really impinge on fraud detection capabilities that financial institutions have invested in to protect their customers," says Shirley Inscoe, senior analyst with the Aite Group. "Often things are created with good intentions and then they're subverted … and used by people with bad intentions."

Lewman says merchants and payments companies could allow consumers to choose their own level of protection.

"How do you opt out of fraud [protection]?" Lewman says. "I don't need another parent; I need a payment processor."

Correction: An earlier version of this article provided an incorrect title and employer for Patricia McGinnis. 

For reprint and licensing requests for this article, click here.
Technology Law and regulation Analytics Credit Cards Payment processing Retailers ISO and agent
MORE FROM AMERICAN BANKER