relay tidbits...

Kyle Williams kyle.kwilliams at gmail.com
Mon Jun 2 18:23:24 UTC 2008 

On Sun, Jun 1, 2008 at 4:44 PM, <phobos at freeshell.org> wrote:

> On Sun, Jun 01, 2008 at 11:49:09PM +0100, luser456 at googlemail.com wrote
> 1.2K bytes in 29 lines about:
> > another reason is to provide a list of POP accounts (pop server IP and
> > username, no password is captured) being accessed via tor, just in case
> > any admins/users of these servers/accounts find it odd that they are
> > being accessed over tor.
>
> If in the United States,
> https://www.torproject.org/eff/tor-legal-faq.html.en#ExitSnooping
> pertains to you.
>

"Should I snoop on the plaintext that exits through my Tor
relay?<https://www.torproject.org/eff/tor-legal-faq.html.en#ExitSnooping>

*No.* You may be technically capable of modifying the Tor source code or
installing additional software to monitor or log plaintext that exits your
node. However, Tor relay operators in the U.S. can create legal and possibly
even criminal liability for themselves under state or federal wiretap laws
if they affirmatively monitor, log, or disclose Tor users' communications,
while non-U.S. operators may be subject to similar laws. Do not examine the
contents of anyone's communications without first talking to a lawyer.

"
I just read that again, and I feel I must say a few words about this.

First off, the facts.  Anyone who willing and knowingly sends their traffic
to some random routers on the Internet (encrypted traffic or not) just
waived their right to privacy. It is assumed that their traffic is protected
by encryption, which brings back their privacy, but even that (Debian SSL
bug) can come into question.  However, (s)he who uses Tor is still
*INTENTIONALLY* sending what would be private to you and/or your ISP out to
second and third parties.  To expect privacy when you are doing this is
retarded, unless everything you do is using SSL (again, not Debian's
derivative of SSL).  The best you are going to get is anonymity, but you
gain anonymity by throwing away your privacy (in most cases, not all
though).

Second, I as a 'service provider', whether free to the public or not, do
have the right to monitor what my service is being (ab)used for.  By sharing
my bandwidth, which I pay for (NOT YOU), I have the right to say what is
allowed and what is blocked.  As a Tor exit node, I get to choose which
services (by port) I want to support.  As a service provider (in the USA), I
have the right to watch *EVERYTHING* that goes through my service.  AT&T has
done this, Comcast is hiring right now for people to do this, and the list
goes on and on.  Where AT&T should be getting in trouble is they gave the
information to second and third parties, but I'm not going into that here.
The point is, as a service provider, you have the right to monitor your
services to make sure that they are not being abused or used for anything
which might be illegal.

As for monitoring and logging my traffic, I have that right.  Now if I
distribute those logs to other parties, then I should be in trouble.
Here is a very real example that has happened in Germany.
If someone used my node to make a bomb threat to local police, and the
police come to my house to take my computers, a couple of things could
happen.  But this is one possible take.
If I told them "Wait a minute, I run this great anonymity software called
Tor to help support people in oppressed countries, but I also logged
everything just incase something like this happened.  Since I like you guys
(the cops) so much, I'll give you guys full copies of my logs that I have
been keeping record of since I started my node.  You do have a search
warrent, right?"  I'm willing to bet that the (stupid) cops would be elated
by your cooperation, not threatening to throw you in jail.  As it seems to
be with all the data retention laws going into affect around the world, they
would be very happy to have such a detailed level of co-operation.

So to tell people that it "can create legal and possibly even criminal
liability for themselves under state or federal wiretap laws if they
affirmatively monitor, log, or disclose Tor users' communications" is a load
of crap, in my opinion.  The disclosure part is the only place I see that
would be crossing the line that would probably get you in trouble.

After last years PoC at DefCon and talking with the EFF and FBI about it, I
have a much different take on this.  The EFF attorney's were thinking worst
case scenario, but the FBI agents laughed and basically said "be careful".
I'm not in jail, nor was I ever arrested.  But at the same time, I didn't
exposed people/groups/agencies/etc either.

However the following weekend my house was broken into and someone obviously
was looking for something I no longer had, but that's another story for
another time.  (If that person(s) ever reads this, thanks for not breaking
all my stuff and leaving everything in more or less the way you found it,
minus your obvious calling card, which was kinda creepy and cool at the same
time.)

- Kyle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20080602/21807403/attachment.htm>

More information about the tor-talk mailing list