[tor-relays] Legal status of operating Tor exit in UK?

Thomas White thomaswhite at riseup.net
Tue Sep 8 23:33:30 UTC 2015


Sorry to respond to this late, but some advice I received from my
legal team not long ago might help on this. I apologise in advance
that I won't be able to disclose the whole letter of it but some of
the stuff contained within it is legally privileged and very sensitive.

From the analysis of my solicitor, there is never a compulsion element
as others have explained - no person other than a court of law may
ever arbitrarily force anything upon you. However, of course some
things do conflict with contractual agreements and whatnot which can
jeopardise service. For example payment - nobody can force you to pay
for a service but they can cease to uphold their end of an agreement
and ask the court to order owed payments be made.

The danger my legal team found from ISP level monitoring of this kind
is that by retaining or "sniffing" traffic from a public service like
Tor, you are putting yourself under the legislations of commercial
enterprises such as the Data Protection Act and so forth, and it is an
industry recommendation that in such cases you hold appropriate
insurance and in some cases, require authorisation in advance from the
ICO to do so since there would be a conflict with the article 8 rights
in the EU Human Rights convention.

Furthermore, to retain or otherwise collect possibly sensitive or
personal information, there must be informed consent and the burden of
proof would be on you to therefore prove you obtained consent to take
such data. Thus there is no way within the Tor protocol to obtain such
consent, therefore under UK and EU law you might be lining yourself up
for very severe civil and criminal fallout by retaining the data.

This may sound quite extreme, but the short answer from my legal team
who investigated this quite extensively was do not ever retain the
data unless you can prove you had consent, or you may one day find
yourself at the sharp end of a very big legal stick. If your ISP wants
you to retain data, it is probably worth asking if they can reimburse
your insurance expenses and any further legal expense incurred when
seeking independent (and qualified) legal advice.

Lastly, I am not a legal professional, I am merely relaying
information provided to me from my own legal team - so don't rely on
this too much since there are too many factors that could be at play
and not accounted for when I mention the above. That said, I hope it
is a useful starting point for you.

Tom

On 08/09/2015 23:54, Jonathan Baker-Bates wrote:
> The ISP is Jump Networks, with whom I have a co-location in their 
> Telehouse suite. I'd recommend them highly otherwise, but somewhat
> unexpectedly, they're using the bad traffic report as an
> opportunity to engage me in a rather philosophical debate about
> Tor. It's interesting to hear their opinions on topics such as how
> they think most Tor nodes are compromised to drop malware on
> clients that use them; that there is probably little privacy to be
> had using Tor because most exits are run by government agencies,
> and that in their view anyone using Tor to anonymise their traffic
> is being naive. But the main message I'm hearing is that they have
> a problem with Tor, not necessarily anything to do with legal
> issues in fact, come to think of it.
> 
> So it's a delicate situation really.
> 
> When you say ask for static IP, I have that - in fact the node runs
> on a dedicated VM that's on the physical server, and has suitably
> clear reverse DNS entry, etc. No SWIP though.
> 
> I think I might just get back to them and see if they can clarify
> their policy. I don't want to monitor traffic, if only because the
> Tor project warns against it. The ISP may of course say their policy
> is to shut down my exit, in which case, well ... I feel honoured to
> have contributed to Tor for the last six years.
> 
> Jonathan
> 
> 
> On 8 September 2015 at 23:24, Billy Humphreys
> <PokeAcer549 at outlook.com> wrote:
> 
> Which ISP is it? I'm a fellow UK person, but I don't use a UK
> VPS/ISP for this. Tell them that you are an advocate for
> anonymity, and that you refuse to monitor traffic. No ISP can
> force you to do that (they have black boxes to do this shit anyway)
> - You can use https://exonerator.torproject.org/ to prove that you
> were an exit relay at the time. They want you to put Snort IDS on
> it because it QoS'es your internet, and Tor may cause a
> false-alarm. So you can tell them this, and ask if they'd consider
> a static IP, SWIP, and all that stuff so that you deal with the
> emails yourself, and you just send them the big template to stop
> them.
> 
> When I briefly ran one on my ISP network, we got no letters 
> complaining (I'm with British Telecom/BT), and they can't make you
> do anything, remember this. --Billy
> 
> On 08/09/2015 21:04, Jonathan Baker-Bates wrote:
>> I run an exit node with an ISP who initially indicated they
>> would not have a problem with Tor as long as I was transparent
>> about what I was doing, and ran a sufficiently reduced exit
>> policy.
> 
>> They have now sent me evidence of malicious traffic coming from
>> the exit. I don't think they've had any 3rd party complaints
>> about this traffic, but they have expressed various misgivings
>> about Tor in general. They now also want me to consider running
>> Snort IDS on the outgoing traffic.
> 
>> I don't intend to monitor my traffic. But it occurs to me I
>> don't know whether my ISP needs to be worried about it or not.
>> The last one wasn't, so why them?
> 
>> I've asked the EFF about the legal situation in the UK, who
>> passed me to the Open Rights Group. They've not replied to my
>> enquiry as of three weeks ago.
> 
>> So does anyone know of any reliable source of information on 
>> running Tor exits in the UK? What would happen if my ISP pressed 
>> me to monitor my traffic, and I refused on legal grounds? I'm
>> not suggesting I actually do that, or that there are even any
>> legal grounds to refuse. In fact right now I'm resigned to
>> closing down the node if my ISP turns up the heat. They probably
>> have me by the balls.
> 
>> But I'm at least curious, and can't immediately find any 
>> information about things like public carrier status, or traffic 
>> monitoring conducted by people like me when it's done in the 
>> context of onion routing.
> 
>> Thanks in advance for any help.
> 
> 
> 
> 
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays