Brainstorming about Tor, Germany, and data retention
lexi at i4.informatik.rwth-aachen.de
Wed Oct 8 14:20:02 UTC 2008
On Wed, Oct 08, 2008 at 03:12:01PM CEST, Roger Dingledine wrote:
> Now, part of the challenge here is that there's so much misinformation
> (and lack of information) floating around. Some questions we need
> 1) Will ISPs be required to log connection timing information of their
> users? What exactly will the information be -- destination IP address,
> port, timestamp of beginning of connection, timestamp of end? Or more
> than that? Or less?
Less. The logging is rather strict for e-mail and VoIP, but for any other
purpose only the user's real identity and his IP address have to be logged.
No logging of TCP connections, no logging of HTTP, no logging of IP packets.
> 2) Are there ISPs that plan to not log? If so, how many?
I wondered about this one, too - there are some ISPs who filed lawsuits
because logging costs them really a lot of money. There has recently been a
case in Berlin where the ISP won this lawsuit.
> 5) Will Tor relays be required by law to log "stuff" too? If so, is it
> the same stuff as in question #1?
The Jondos people are investing a huge amount of time and effort into gaining
a legal clearing of the situation. I suggest joining them in order to
avoid double work and have a better stand against governmental agencies.
I think the current bottom line is that the effect of the law will be delayed
for anonymizing nodes for some more time.
> 6) Are there Tor relays that plan to not log? E.g. CCC or Foebud or GPF?
> Is fighting a law by not following it even a normal way of fighting a
> law in Germany? :)
The problem is the following: if you think that a law is not justified you
can file a lawsuit against it. But you still have to adhere to the law
until you have won the lawsuit you filed against it. BTW, there is already a class
action suit against the data retention law ongoing (the biggest in German
> The first defense that comes to mind is to never set the Guard flag on
> German Tor relays.
The problem is that you'd have to avoid setting flags on nodes *operated* by
Germans. Because the (German) law is valid for nodes operated by Germans even
if the nodes are outside Germany. Of course - physical location might
> Note that German users contacting German websites are always going to
> have a problem; we can't do anything about it if the ISP of the user
> and the ISP of the website both log, and later compare notes.
Taking into account the law, I don't
> If we truly believed that the databases these ISPs build will be kept
> secure against all attackers, and we truly believed that the databases
> would never be used for trawling (see question #3 at the top), then it
> might not be so bad. But that's a lot to ask.
The databases at the ISPs will IMHO not harm the anonymity of Tor users
a huge lot. It looks different if nodes were forced to log, though.
> Speaking of which, there's another lesson we can learn from the distant
> past. Once upon a time, in my first congress talk about Tor back in
> 21c3, the Wikipedia people stood up and asked how they were supposed to
> deal with anonymous users. My answer at the time was basically "there
> are effectively anonymous users on the Internet already, sorry, you'll
> just have to deal." Their eventual answer was to build a big list of
> anything ever associated with Tor, and block edits from it. If we had
> worked with them from the start, we could have saved a lot of grief by
> giving them precise lists of current exit IP addresses, etc. The lesson
> here is that we need a better answer for both German Tor relay operators
> and for German law enforcement than "sorry, you'll just have to deal",
> since otherwise they *will* come up with answers that we don't like.
I totally agree with this one. IMHO a huge part of the blaming should not only
be done to the politicians (poor people, they know nothing about technology),
but rather the privacy people -- if they had suggested a trade-off which would
have been acceptable to both sides, we would be better off right now. Proposing
"any logging is evil" was for sure destined to bring us the current laws.
> That said, my first reaction is still "Tor relays must not log, even in
> Germany. If you're planning to log, please shut down your relay instead."
> Is there some approach we can take that doesn't result in 1/3 of the Tor
> network disappearing in January?
Hm, making them into middleman nodes and hoping that law enforcement will never
show up and ask for some data? Hm, no....
> One thing I missed in the analysis is Internet connections that traverse
> Germany, for example the connection from an Austrian Tor user to a Danish
> Tor entry guard. I don't know how common these paths are, and I don't know
> whether such connections are proposed to be logged under the proposed law.
The DE-CIX in Frankfurt is the second biggest point of data
exchange in Germany => http://en.wikipedia.org/wiki/DE-CIX
If you want to avoid Germany, you'd effectively cancel out 1/2 of Europe or
But as I said: there will be no logging of single TCP-connections - hence I
don't think that passing Germany is a big problem.