Our institution's response to the HEOA doesn't involve blocking anything so we haven't needed any exceptions to support TOR on our network. We view TOR as being covered by the "safe harbor" provisions for "transitory digital network communications". So far that hasn't causes us any problems in this area. That being said- tor is a *lot* slower than a direct connection (ie: bandwidth limited) and we do run a reduced exit policy on our exit node (ie: we block well-known P2P ports). That gives us two check marks in the 'technology-based deterrents' category. We have had law enforcement communicate with us many times due to varied nefarious uses of TOR. A few local level police departments have grumbled that we don't have logs (because they don't understand TOR) but the feds and state level ones usually stop pestering us right after we tell them the IP is a TOR exit node. We've never had any legal problem related to TOR on the civil side of the law beyond takedown notices (and we send those the canned TOR P2P response.) Internally when discussing TOR I've found it helps to point out that TOR receives funding from the US Government for its development and that the US State Department specifically and publicly called for technologies including TOR to be deployed by the US to assist the spread of democracy (such as in the "Arab Spring" revolutions. See "Promoting Global Internet Freedom: Policy and Technology", US State Department, May 2011) -- Timothy Hayes Rutgers, The State University of New Jersey Office of Information Technology, Information Protection & Security Voice: 848-445-7515 Fax: 732-445-8023 Email: thayes@rutgers.edu