[tor-project] Launching Ethics Guidelines

Matthew Finkel matthew.finkel at gmail.com
Thu May 12 07:34:43 UTC 2016

On Thu, May 12, 2016 at 01:08:36AM +0000, isis wrote:
> Virgil Griffith transcribed 2.7K bytes:
> > Here's the line about unacceptability of crawling .onion:
> > 
> > "For example, it is not acceptable to run an HSDir, harvest onion
> > addresses, and do a Web crawl of those onion services."
> > 
> > https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDevMeeting/ResearchEthicsNotes
> > 
> > So, this can indeed be an official policy.  But it was the first I had
> > heard of it.  And currently at least 3-4 tor2web nodes in
> > good-standing explicitly permit crawling of .onion .

Hi Virgil,
I think it's time we have another conversation, privately.

> Perhaps, more explicitly, what we'd like to eliminate is people like you,
> Virgil.

This is harsh, but sadly quite true based on what we've heard and were told.
I'm sorry it's taken this long - and required Isis saying something.

> You've admitted publicly, in person, to several of our developers
> We do not tolerate people within our community cooperating with any parties,
> including law enforcement and government agencies, to deanonymise real world
> users of the Tor network.  Full stop.

We shouldn't, but it seems like we do. We've significantly improved monitoring
the Tor network for malicious relays and encouraging directory authorities
reject them, but we're still struggling with how we handle people within our
community who are potentially acting passively malicious. I hope we will act
swiftly and decisively when we know a community members is actively acting
malicious. That's to be determined, I suppose.

The easy and usually correct answer is "reject first and ask questions later".
We started there but then stopped after some fruitful conversations. It's time
we reassess this. However, that being said, it's difficult because we don't
actually have a good method for kicking out a person from the community - if
that is the chosen course of action. In addition, we don't have the resources
available for mentoring or "rehabilitation" (or whatever that would be called),
but still non-action is the worst possible default.

> Your previous behaviours were absolutely abhorent, unethical, unacceptable,
> and cowardly.  They are now covered by the official ethical guidelines.

Virgil, I hope this is clearly understandable for you. If not, and for anyone
else reading this thread, then to the best of our abilities, we should not and
must not implicitly allow someone to actively harm Tor users. If you are an
active participant in this community, then it is implicitly assumed you are not
malicious. Any actions by you that are contrary to this are not acceptable.

> Tor2web similarly should be killed with fire as being a blatant and disgusting
> workaround to the trust and expectations which onion service operators place
> in the network.

Personally, I have varying opinions about Tor2Web's use, but at this point I do
not support it. Despite it's inherent problems, I think it was a useful tool
when it was initially designed and implemented. Now I believe it is actively
harming (potential) Tor users. There is nothing we can do that will prevent
people from using it, but the Tor2Web gateways are designed so they can easily
be used instead of linking directly to an onion site. As a result, it provides
websites with the privilege of both forcing the user to leak the onion service
address to the Tor2Web gateway and (possibly) leaking the Tor user's IP address
when they request the onion site, without the user's consent. If the Tor2Web
gateways were not available then the user would either use Tor Browser or not
visit the site - both are more preferable than leaking the client's IP address
to the Tor2Web gateway.

I don't know how we can undo the damage from this. I'm open to suggestions for

Essentially, as I see it, we must take a strong stance against people who are
harming Tor users. I don't care if the users are using Tor in TAILS, Tor
Browser, ricochet, or they're connecting via a Tor2Web-backed website - these
are all Tor users. There's something to be said for malicious Tor users and
creepy/sick/crazy Tor users who are hurting other people, but those are edge
cases they should be handled uniquely (and maybe not by the Tor community at
all) without affecting the millions of people who use Tor for their own


More information about the tor-project mailing list