[Popular Net anonymity service back-doored]

[Marc Rennhard]

On Thu, 21 Aug 2003, Roger Dingledine wrote:

> [This is an unfortunate precedent. -RD]

Now this story should trigger some discussions. The first thing that
came to my mind was if we can build systems that are resistant to
this legal attack. Systems with a clearly identifyable institution are
intuitively most vulnerable to the attack (JAP, Freedom, Anonymizer).
Peer-to-peer based approaches (Tarzan, MorphMix) are maybe the other
extreme, while open OR-like mix networks with relatively few but powerful
mixes are somewhere in between.

Looking at a big OR-like systems with nodes in
several countries and no really central organisation behind it, the
attack seems unlikely to be successful. Of course, German (or whoever) 
authorities can simply forbid its citizens to run a mix or request them
to turn over the logs. But unless most countries employ such measures and
circuits are selected carefully, there shoudn't be much damage. Peer-to-peer
systems should be even in a better position here because of the potentially
much larger number of nodes.

Closely related to the issue are exit policies. What if that web server
the German police is interested in is contacted through an OR-like system
and I'm the operator of the last mix? Similarly, what if I'm the last 
MorphMix node in a circuit to access that server? Am I responsible? 
What if a country simply says that the "owner" of the source address is
always the one requesting the web page to bring down such a system (at least
in the same country) because everybody will be afraid to run a mix/node?

I think we must discuss this issue and eventually find solutions. One
thing that comes to my mind is that if the "criminal" user repeatedly
accesses the same web server again and again, chances are he uses a 
different last mix/node every time, which "spreads" the responsibility
for having accessed the server among mixes/nodes and thereby individuals.
In the long run, every mix/node operator will have accessed several
web servers hosting "criminal" stuff and therefore has commited many
"crimes". Of course, the police can still accuse all of them, but its 
certainly much less practical than threatening a single institutions like 
the JAP team. But I don't think this enough to defend against all such
legal attacks. Black lists are also a solution that should partly work,
but suffers from the same problem as virus scanners in the sense that
they always miss the newest criminal sites. It seems this is very
challenging problem we must solve eventually.

I'm looking forward to your comments.

Marc
-- 
Marc Rennhard                    Swiss Federal Institute of Technology
Office: ETZ G61.1          Computer Engineering and Networks Lab (TIK)
Fon: +41 1 632-7005    ETH Zentrum / Gloriastrasse 35 / CH-8092 Zurich
Fax: +41 1 632-1035    PGP-KeyID: C783C736, PGP encrypted mail welcome