Betteridge's law of headlines states: "Any headline that ends in a question mark can be answered by the word no."
This post is no different.
By itself, using Tor or a Tor Browser is not enough to protect your privacy and anonymity online.
Read on to find out why.
There are many reasons users consider using Tor (the network) or a Tor-enabled browser. Maybe you're a journalist who needs to protect their sources. Maybe you want to spelunk through the 'hidden services' available only on the network. Maybe you're simply someone who cares a lot about not having their activity tracked online. In any event, the primary reason most folks use Tor is because they are concerned with their online privacy and anonymity.
Leaving Tor-enabled browsers aside (they have their own host of issues that will be covered in a later post), why isn't using the Tor network alone enough to protect your privacy and anonymity? Let's run through the reasons:
When you use the Tor network, your Internet traffic gets sent through a series of 'relays' before entering the broader Internet. The last relay in this series is called an 'exit node' -- the point where your traffic leaves the Tor network. When using Tor, your traffic is really only as secure as your exit node, and a HUGE number of Tor exit nodes are compromised.
There are currently around 900 active exit nodes in the network, and a large percentage of those are compromised (meaning bad actors are sitting on the other side, listening to your traffic). By some estimates, 1 in 9 Tor exit nodes is compromised.
This means that, all else being equal, you have an 11% of having your traffic exposed every time you use the Tor network. If you use Tor for an extended period of time, this quickly trends towards 100% (Basic math tells us that using Tor just 10 times gives us a 65% chance of being exposed; by 20 times, 90%).
The first node in a Tor series is called a 'guard' node. Similarly, a guard node can be used to compromise your privacy and anonymity. While a guard node can't necessarily see the contents of your traffic or its destination, it can see your IP address. When you refresh your Tor connection, only your relay and exit nodes change; your guard node stays the same for 2-3 months at a time. While an IP address isn't everything, combined with outside information (GeoIP lookup, etc.) it can be enough to pinpoint an individual Tor user.
When you use Tor, while your ISP might not be able to tell exactly what it is that your encrypted traffic contains, they can certainly tell that you are using Tor. Since all guard node IP addresses are publicly available (and especially since there aren't that many and they don't change that frequently -- there are only about 3000 guard servers total), your ISP can see every time you connect to the Tor network.
Additionally, over time, a focused actor (ISP, or other three-letter-agency) with access to your (encrypted) traffic data may still be able to figure out what services or websites you are connecting to through an advanced network analytics technique known as 'traffic shaping', even without being able to see the destinations or contents (tl;dr: they do it through pattern matching the flow of data to your IP address).
Aside from all of the above, it matters what you're actually doing on the Tor network. If you ever reveal your email address, a password, a PayPal account, a Bitcoin wallet address, or your IP address, you can be compromised. All the technology in the world can't prevent against simple human errors like these.
As mentioned above, the longer you use Tor, the greater your exposure. The longer and more frequently you use the network, the higher the probability you encounter a compromised guard or exit node, your ISP takes note, or that you yourself slip up and expose personally identifying information.
If you want to stay protected online -- if you want your privacy and anonymity to be preserved -- you should use a network that solves many of the problems of Tor.