On Mon, Mar 22, 2021 at 09:21:24PM +0000, Lisa Winter wrote:
> I decided to do some research of my own, and it seems like the Tor Project has a long-standing relationship with Team Cymru (at least since 2012, and maybe even earlier):
> https://blog.torproject.org/knock-knock-knockin-bridges-doors
> Still, I'm slightly paranoid when organizations like these start spinning up many different relays, effectively getting to see a substantial portion of the network's traffic.
Yes, we've been interacting with Team Cymru folks for more than a decade now.
I even went to one of the conferences they organized a few years ago hosted by the Council of Europe, where they had an audience full of government and law enforcement people that I could teach about "what Tor actually is" and "how the internet actually works" from my perspective, because otherwise they'd just hear the "Tor is bad and the internet is full of bad people" myths and FUD from their colleagues. You can read more about that kind of outreach here: https://blog.torproject.org/trip-report-october-fbi-conference (different conference but same idea)
Also, their CEO is on Tor Project Inc's board currently, and I regard that as a great step because he can help with (among other things) oversight that we're running the business side of Tor properly: https://www.torproject.org/about/reports/
I think most of the infrastructure that Team Cymru has set up for Tor, we've asked them to do it. So that right there should help you look at it differently.
Another answer might be that I'm a lot more worried about the groups that *haven't* come forward to identify themselves, yet are trying to watch the internet or build datasets about internet users etc.
And a third answer could be that the goal of the Tor design is to distribute trust over multiple relays in your path, so the risk of any one of those relays trying to attack you isn't so bad. (This angle is a bit tricky of course, because even though that's true, having a lower probability of being attacked is still better.)
In summary, yes it makes sense to wonder about the various organizations that want to get involved in Tor, and understand their motives. But we need to design our systems so that they don't fall apart if a small piece of the network is trying to attack it. And at the same time we need to strengthen our *communities* so that they are robust and represent many different skills and interests and perspectives, because that's how you grow mainstream acceptance. So, it is a balance, and there are many ways in which we need to be doing that balance better, and I'd put this one pretty far down the list.
Hope that helps!
--Roger