Embassy leaks highlight pitfalls of Tor
Robert Lemos, SecurityFocus 2007-09-10

A Swedish security professional who posted the usernames and passwords for 100 e-mail accounts belonging to various nations' embassies and political parties revealed on Monday that he exploited the improper usage of the Tor network -- a distributed system of computers that anonymizes the source of network traffic -- to collect the information.

By volunteering his own servers to route traffic for the Tor Project, Dan Egerstad -- a Web developer and security professional based in Malmo, Sweden -- was able to collect the unencrypted data sent through the network. The e-mail messages seen by Egerstad included discussions of military and national-security issues between embassies and sensitive corporate e-mail messages, he said.

"I found big companies -- Fortune 500 companies -- I mean really big companies doing this," Egerstad said. "Only a couple of users were using (Tor), but that is enough to compromise communications."

In total, Egerstad collected the e-mail credentials of more than 1,500 government workers, corporate employees and private individuals using the Tor network, he said. Because the technique is already known, Egerstad decided that fully disclosing the list of e-mail accounts and passwords for 100 of the government accounts was the best way to bring more attention to the issue.

"This is not a problem with Tor," Egerstad said. "This problem is that people who use Tor are using it incorrectly."

The Tor Project's software routes data through a distributed network, where each computer only keeps track of enough information to send incoming data to one of its peers. Such a system, commonly called onion routing, hides the data's source if at least three independent servers are used to route the traffic. The final server, known as the exit node, removes the last layer of Tor's encryption and sends the traffic on to its destination on the Internet in whatever form the user's application produced it; if that application did not encrypt its own traffic, the exit node sees it in the clear.

It's those final servers that allowed Egerstad to eavesdrop on some of the traffic that traversed the Tor network. The security professional loaded the Tor software onto three servers in Sweden, one in the U.S. and one in Asia and volunteered the systems as exit nodes.

"You download the software from the Web site, and you put in your settings," he said.

While he controlled only five servers out of an estimated 1,000 exit nodes, he still collected a great deal of information, he added.

The problem is known to both the Tor Project, which advises everyone to use end-to-end encryption, and to security researchers.

"If the last hop were not in the clear, there would be no way for the web server to understand the encrypted data," Shava Nerad, director of development for The Tor Project, said in a statement issued over the weekend. "We warn about this on our web pages, but in the case of people with truly sensitive data, such as embassy staff, someone should be educating these folks as to basics of never giving a password to an http (unencrypted Web) page."
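The property Nerad describes, as an added toy simulation that is not Tor's protocol or code: each relay can strip only its own layer and learns only the next hop, while the exit relay is left holding exactly what the client's application sent. The relay names, keys, mail-server addresses and the POP3 login are constructed here, and the HMAC-based stream cipher stands in for real cryptography.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not for real use)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt one layer: random nonce followed by plaintext XOR keystream."""
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_onion(circuit, destination, payload):
    """circuit = [(relay_name, key shared with that relay), ...] from entry to exit.
    Wrap from the exit inward so each relay's layer is the outermost one it receives."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    blob = payload
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        blob = seal(key, json.dumps({"next": nxt, "body": blob.hex()}).encode())
    return blob

def peel(key, blob):
    """One relay's work: strip its own layer, learn only the next hop, forward the rest."""
    cell = json.loads(unseal(key, blob))
    return cell["next"], bytes.fromhex(cell["body"])

def run_circuit(circuit, destination, payload):
    """Push a cell through every relay; return (what each relay learned, what leaves the exit)."""
    blob = build_onion(circuit, destination, payload)
    learned = []
    for name, key in circuit:
        nxt, blob = peel(key, blob)
        learned.append((name, nxt))
    return learned, blob

if __name__ == "__main__":
    circuit = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    login = b"USER ambassador\r\nPASS s3cret\r\n"  # constructed plain-POP3 login, as sent without TLS
    print(run_circuit(circuit, "mail.example.org:110", login))  # exit forwards the credentials verbatim
    tls_key = os.urandom(32)  # stands in for a TLS session key known only to the client and mail server
    print(run_circuit(circuit, "mail.example.org:995", seal(tls_key, login))[1])  # exit sees ciphertext only
```

The second run is the fix the Tor Project points to: end-to-end encryption between the client and the mail server leaves the exit relay nothing readable to forward.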

This is not the first security problem to be pointed out on the Tor network. Earlier this year, a security researcher proposed a way to track people who download or exchange child pornography using Tor.

The eavesdropping experiment started as a smaller project designed to find out whether Tor users were encrypting their messages and Web traffic.

While encrypting communications is a necessary step on the network to ensure security, most users -- more than 90 percent, Egerstad estimates -- were browsing the Web and downloading e-mail through the network without any sort of encryption to hide their information from prying eyes.

Three months ago, with the statistic he wanted, Egerstad prepared to shut down his experiment. Then, a subject line on one of the e-mail messages caught his eye.

"Right before I was about to shut it down, by accident, I saw an e-mail about the Australian military -- sent between two embassies," Egerstad told SecurityFocus. "I only saw the subject line, but it raised questions."

The knowledge that governments, political groups and corporations were passing sensitive data over the Tor network with no encryption convinced Egerstad that he needed to broaden the experiment, he said. With his five exit servers in place, he filtered out everything but e-mail traffic and searched for messages containing keywords, such as "military," and coming from certain domains, he said. He then proceeded to collect data for more than two months.

In August, Egerstad attempted to contact some of the governments and corporations whose e-mail credentials he had sniffed, but he got back few responses, he said.

Following the posting of the information to his Web site, a few countries did respond. India, Iran and Uzbekistan were friendly and supported the manner in which he disclosed the issue, he said. China filed a criminal complaint over the posting, while U.S. authorities complained to his Texas Web provider and had his original Web site taken down, Egerstad said.

The Federal Bureau of Investigation could not immediately comment on the allegations.

Egerstad argued that, while his revelations may be embarrassing, other groups with less benevolent motives are also likely eavesdropping on the network. He pointed to exit nodes run by hacking groups as potential ways of getting information for identity fraud, while massive nodes located in Washington D.C. and at the Space Research Institute in Russia are possible intelligence gathering tools for the U.S. and Russian governments, respectively.

Egerstad stressed that it's impossible to prove intentions, but that users should assume the worst.

"We found this kind of information on thousands of users, some of them being Fortune 500 companies and Nasdaq and New York-noted companies," he said on his Web site. "The information we gathered is not worth millions -- it’s worth billions in the right hands."

Copyright 2006, SecurityFocus