Lightarti – a lightweight Tor library

The transmission of sensitive data through unsecured channels can pose many problems related to privacy and data protection, it is a fact; however, the reflection also arises for data that a priori do not seem to pose problems, such as usage statistics, whose metadata can be used for commercial purposes, or to track users.

Fortunately, over the last couple of years, there has been an outcry over all this data usage, which is often opaque to the end user. So a lot of apps, specifically government-funded apps, are looking for a way to gather data in a privacy-preserving, anonymous way.

An example of this is the SwissCovid app, which showed that it is possible to keep the anonymity of the users, while still offering a service. But even in SwissCovid, the ISPs could see that the app is connecting to the central server. And the central server needed to take extra steps to make sure it didn’t log the IP addresses of the users. This made it impossible to collect statistics about the app usage.

One existing solution is to use Tor to encrypt data on the network. The advantage of using Tor to transmit this sensitive data is that it allows traffic to be hidden from both the ISP and the destination server, by sending packets randomly across multiple nodes in the network.

However, one of the problems of using Tor is the high bandwidth usage to download the list of servers. This is not necessarily compatible for mobile use, as for example for SwissCovid. The Lightarti project, carried out by the C4DT development team, solves this by downloading this list only once a week. Its original purpose was to send send anonymous statistics for the SwissCovid project, using the Tor network.

Lightarti is a mobile library developed in Rust, in collaboration with the SPRING lab at EPFL, the Tor team, and the original Arti library team. Lightarti is based on the existing Arti library, but optimizes how the list of servers is downloaded. This list is needed to connect to the servers. The original Tor specifications require the update of this list every two hours. Lightarti pre-calculates the list and downloads it only once a week. Technically, security is reduced, as there is more time available to “corrupt” the network. If an application only wants to send some data in an anonymous way, this tradeoff is often acceptable.

The solution achieved reduces this data, while keeping security high. The result is a usable library for mobile applications, to use the Tor network, with minimal downloaded data required.

The library is currently the only one available that can run on both Android and iOS, with theoretically much lower bandwidth usage. Future goals are to make the package clean and easy to use, and eventually add the ability to use the Tor network directly. The team remains available to offer enhancements or integration for our partners.

For more information, and to obtain the application, you can consult this document.

Valérian “tharvik” Rousset has been versed in computer science since their childhood, where they started with drawing fractals and scripting every repetitive task. Finding a way to express mathematical beauty, creating a stable and reproducible universe was a true delight for them.

Christian Grigis has been captivated by computers since his childhood, when he decided to make it his career. His interest in all aspects of computing led him to pursue projects ranging from embedded systems to web services, in the mobile, pay-TV, IT, medical and avionics industries, with a growing focus on security features.

Linus “ineiti” Gasser likes the interface between the digital world and the human world. He thinks the digital world must be at the service of the human world. But the digital world can give tools that improve life together. For Linus, this includes respecting the private sphere: keeping the data in the hands of individuals, and not in the hands of companies or the state.

All three have worked together for six months to develop the Lightarti library as it is presented today.