[tor-bugs] #14762 [Ooni]: Redesign how we inform the user of the risks of running ooniprobe and get informed consent from them

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Feb 6 14:53:59 UTC 2015 

#14762: Redesign how we inform the user of the risks of running ooniprobe and get
informed consent from them
---------------------+-------------------------
 Reporter:  hellais  |          Owner:  hellais
     Type:  defect   |         Status:  new
 Priority:  normal   |      Milestone:
Component:  Ooni     |        Version:
 Keywords:           |  Actual Points:
Parent ID:           |         Points:
---------------------+-------------------------
 This is a topic that has been widely discussed on the ooni-dev mailing
 list: https://lists.torproject.org/pipermail/ooni-
 dev/2014-December/000205.html as well as on other more specific mailing
 lists that deal with ethics of network measurements.

 Dan O'Huiginn has written a draft of proposed improvements to the
 ooniprobe README document and warning message when running the software
 (https://lists.torproject.org/pipermail/ooni-dev/2015-January/000208.html)
 that I quote here:

 {{{
 A) THE SHORT VERSION

 WARNING: Running OONI may be illegal in your country, or forbidden by
 your ISP. By running OONI you will connect to web services which may be
 banned, and use web censorship circumvention methods such as Tor. The
 OONI project will publish data submitted by probes, possibly including
 your IP address or other identifying information. In addition, your use
 of OONI will be clear to anybody who has access to your computer, and to
 anybody who can monitor your internet connection (such as your employer,
 ISP or government).

 [link to long version]



 B) THE LONG VERSION

 LEGALITY

 OONI does several things which may be illegal in your country, and/or
 banned by your ISP.

 OONI's http test will download data from controversial websites,
 specifically targeting those which may be censored in your country.
 These may include, for example, sites containing pornography or hate
 speech. You can find a list of sites checked at
 https://github.com/citizenlab/test-lists

 Even where these sites are not blocked, it may be illegal to access
 them. It may also be illegal to bypass censorship, as OONI attempts by
 using Tor.

 In the most extreme case, any form of network monitoring could be
 illegal or banned, or even considered a form of espionage.

 [Include link to some resource on relevant laws globally. Someone like
 the EFF must have one of these; does anybody have a link?]

 PRIVACY

 OONI IS NOT DESIGNED TO PROTECT YOUR PRIVACY. It will reveal information
 about your internet connection to the whole world. Particular groups,
 such as your ISP and web services used by the ooni tests, will be able
 to discover even more detailed information about you.

 THE PUBLIC will be able to see the information collected by OONIprobe.
 This will definitely include your approximate location, the network
 (ASN) you are connecting from, and when you ran ooniprobe. Other
 identifying information, such as your IP address, is not deliberately
 collected, but may be included in HTTP headers or other metadata. The
 full page content downloaded by OONI could potentially include further
 information, for example if a website includes tracking codes or custom
 content based on your network location.

 You can see what information OONI releases to the public at
 https://ooni.torproject.org/reports/. You should expect this information
 to remain online PERMANENTLY. [include details of retention policy, once
 we have one]

 THE OONI PROJECT will also be able to see your IP address [What other
 info do we get?]

 ORGANIZATIONS MONITORING YOUR INTERNET CONNECTION will be able to see
 all web traffic generated by OONI, including your IP address, and will
 likely be able to link it to you personally. These organizations might
 include your government, your ISP, and your employer.

 ANYBODY WITH ACCESS TO YOUR COMPUTER, now or in the future, may be able
 to detect that you have installed or run ooni

 SERVICES CONNECTED TO BY OONI will be able to see your IP address, and
 may be able to detect that you are using OONI
 }}}

 I suggest we use this as a starting point and discuss additions,
 improvements etc. on this via this ticket.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14762>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list