The risks of malicious trackers.
I’m assuming by “built-in tracking device” you mean that someone has actually added a hardware device of some sort to your laptop.
Such a device would share all the capabilities of malware and perhaps even more.
Become a Patron of Ask Leo! and go ad-free!
As a general rule, malicious software, or hardware, can do anything, at any time, as you use your computer. Malicious hardware, specifically, can evade detection and persist no matter what you do, until the hardware itself is removed. Running tools like Tor adds no value, as malicious hardware could potentially see every keystroke you type, everything displayed on your screen, and access any and all information kept on your computer, including your browsing history.
Malware can do anything
Once malware is on your machine, it can do anything. That’s one of the reasons prevention is so critical.
The addition of hardware to your machine is no different. Be it a physical keystroke logger or a device that monitors your CPU activity in some way, it has the exact same capability: it can do anything.
Chances are it could do more than traditional malware. I can envision a tracking device installed on your laptop that is relatively impervious to detection, for example. Anti-malware tools don’t look for rogue hardware, so it would be unlikely to be found.
Using Tor on your computer
- The sites you visit have no idea who you are or where you come from (unless, of course, you explicitly tell them).
- The path that data travels between your computer and that site is also impervious to detection, cementing your inability to be located.
What Tor doesn’t do, however, is hide your activity from your own computer. When you think about it, that makes no sense — to use Tor at all implies using your computer to do so.
Can your ISP track you on Tor?
In general, no, your ISP cannot track you on Tor. It will see only that you are connecting to a node in the Tor network. Anything that happens across Tor is opaque and unseeable to anyone with the ability to snoop on your connection, including your ISP.
Traditional bypasses are ineffective
One of the traditional approaches to using Tor (or any privacy and security-centric solution), is to never assume that the installed operating system is trustworthy. Instead, one might boot from an optical disc that can’t be compromised, or a USB device you’re certain has not been. The result is to run a custom, perhaps single-purpose, operating environment.
For example, if you’re concerned about malware on your machine, you might boot from such a disk in order to perform online banking.
If you have malicious hardware installed on your machine, however, that approach is ineffective: the hardware is still there. It can continue to do — and monitor — anything.
It’s rare, but…
Now, you might think that someone actually going through the trouble to install malicious hardware on your laptop or desktop computer is highly unlikely.
And, unless you’re some kind of high-value target, it almost certainly is.
This is one reason I’ll never use a shared computer (such as at an internet cafe or a library) for anything even remotely personal. One of the simplest devices to install would be a malicious keystroke logger. It would be virtually undetectable.
If you can’t trust the hardware, don’t use it
And that’s the bottom line: if for some reason you have cause not to trust the hardware, don’t use it. That’s the only pragmatic way to avoid the risk you seem to be concerned about.
Since this type of compromise requires physical access to your computer, the only step to prevent this from happening at all is to always and completely physically secure your machine when it’s not in your possession.
Assuming you think this is likely to happen to you, of course. Maybe you are a “high-value target” to someone after all.