[tor-project] Ethics Guidelines; crawling .onion

Tim Wilson-Brown - teor teor2345 at gmail.com
Mon Jul 25 13:43:50 UTC 2016

> On 25 Jul 2016, at 19:25, Virgil Griffith <i at virgil.gr> wrote:
>  I don't know if I'd trust you to be in a position where you see client
> > requests.
> > I'm not sure I'd even trust you to run a Guard node, and Tor2web admins see
> > far more than a Guard node does.
> This is interesting.  Because I actually consider a Guard node to have more private information than a Tor2web node.
> I claim two things:
> (1) Whereas people use TBB for *things that matter* and have an expectation of privacy.  I claim that tor2web users are interested in convenience and have little expectation of privacy.  I see negligible difference between what onion.link does and what Twitter does when they write URLs to goto t.co so they can record on the clicks.
> To put it another way, I do not consider Tor2web users to be "Tor users".

I disagree with you, and therefore think that keeping detailed logs is unethical, particularly for commercial or capability demonstration purposes.
And when the name of the service is "Tor2web", it's hard to dissociate it from Tor.

And I would put it to you that the ethics guidelines, and various other community standards, aim to protect user privacy in general, not just for Tor Browser users, and not just when users expect privacy.

If you want a different standard, where we're allowed to keep identifiable information about some users of some tools accessing them via some methods, then you really need to make a strong argument for it. Otherwise, the overarching principle applies.

> (2) Using the same logic as (1), I would argue Tor2web sees *less* private information than a Tor guard node.  A guard node is half of the map to users who have explicitly said, "I wish my traffic to be unlinkable".  Violating this would obviously be an "attack on Tor users".  Offerring logs for a guard node would be zomg a violation of expectation of privacy and a damage to the network.  I am 110% on board here.  I wholly support banning anyone from the community who sells logs from TBB users.

Guard nodes don't see what sites users are accessing.
Tor2web nodes do.
So it's possible to create logs with user IP addresses and the onion sites they've accessed (as you've demonstrated).
A guard can't do that.

> -----
> As an aside:
> > You might want to enable automatic redirects from http://onion.link to
> > https://onion.link.
> Already do it.  I also recently enabled DNSSEC because some european ISPs were doing DNS poisoning and I wanted to stop them from doing that.

It didn't work for me when I tried it before sending my last email. Now it does.

> > Normally I'd be concerned you use Google Analytics rather than a local
> > analytics solution.
> I've removed the Google Analytics.  It'll go out in the next weekly release.

Thanks again, but the search is still Google, so user IPs and onion sites not only go to onion.link, but also Google.

> ===========
> The other issues you cited are worth discussing, and I welcome having them.  But I want to resolve the comparatively easy robots.txt discussion first.  I was asked to wait a month, and I did so.  Can now we have that discussion?  Or does it have to postpone another month?  To kickstart the discussion, I gave the three vidws I've heard:
> > (A) isis et al: robots.txt is insufficient
> > --- "Consent is not the absence of saying 'no' — it is explicitly saying 'yes'."
> >
> > (B) onionlink/ahmia/notevil/grams: we respect robots.txt
> > --- "Default is yes, but you can always opt-out."
> >
> > (C) onionstats/memex: we ignore robots.txt
> > --- "Don't care even if you opt-out." (see https://onionscan.org/reports/may2016.html)
> >
> >
> > Isis did a good job arguing for (A) by claiming that representing (B) and (C) are "blatant and disgusting workaround[s] to the trust and expectations which onion service operators place in the network." https://lists.torproject.org/pipermail/tor-project/2016-May/000356.html
> >
> > This is me arguing for (B): https://lists.torproject.org/pipermail/tor-project/2016-May/000411.html
> >
> > I have no link arguing for (C).
> I am imploring for there to be discussion arguing (A), (B), (C), or (D) other.  Thus far we've gotten an argument for (A) from Isis and an argument for (B) from Juha.`

You seem to be trying very hard to make this conversation happen on your schedule.
But maybe it's going to take time and thought and even research and experiments for this conversation to develop.
Perhaps you'll have to live with the uncertainty for a while.

I'm not going to repeat what I said previously about client authentication, but I do have something new to add:
Some recent US legal judgements require explicit permission to access every website for the wider Internet: without permission, it's illegal to access any website. So that's is one reason to be wary of using explicit permission to access as our standard - we'd likely oppose it when applied to non-onion websites.

Then again, maybe our expectations of the wider Internet and .onion sites are different, and should be different.


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
OTR 8F39BCAC 9C9DDF9A DF5FAE48 1D7D99D4 3B406880

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20160725/96282b59/attachment.sig>

More information about the tor-project mailing list