German data retention law

Sven Anderson sven at anderson.de
Mon Oct 20 15:54:18 UTC 2008


On 20.10.2008 at 00:06, Roger Dingledine wrote:


>> So it will be very interesting how this will continue, since it
>> is assumed by many, that the data retention law violates the German
>> constitution.
>
> Quite so. Good thing all the German laws are so clear. :)

As long as the constitution has the higher priority, I'm fine with  
it. ;-)

> And we do not want to see any Tor relays that log traffic information. So
> should Tor's role for now be to simply say "the only risk from the German
> data retention law is if its vague wording convinces Tor operators
> to install backdoors in their relays. If you think your new law is
> enforceable, and would like to backdoor your relay, please shut it down
> instead.", and then wait to see how the people fighting the law fare?

Shouldn't we differentiate what is being logged before making such a  
statement? Regarding that a large amount of Tor bandwidth is provided  
by German nodes, it is IMHO too hasty to generally claim that no Tor  
node is better than a logging Tor node.

I claim that even if a node follows the DR law it will almost not
impair the security of the Tor users, since Tor is somehow "DR proof".
The law-authors didn't have concepts like Tor in mind when they wrote
the specific stuff for anonymization services. They were thinking of
simple one-hop anonymizers (if they were thinking at all).

So what the law asks for is that if you change any information
which has to be logged by another party because of the DR law, you
have to log that change as well. Since Tor works on TCP level, the  
_only_ DR relevant information it changes is the source IP address  
(ports and destination are NOT DR relevant). So in order to fulfill  
the DR law you only have to log at which time you had incoming  
connections from which IP. Since the connections are persistent, these  
are a lot. For my node that would be 4000-5000 at any time. I'm happy  
to give the investigators a list of 5000 IP addresses for a given  
time, since they will not have the slightest chance to get any useful  
information out of this. Even if we assume perfect worldwide  
cooperation and they are able to get this data from any Tor node, they  
will end up with nothing more than a list of _all_ Guard nodes, and  
there are far easier ways of getting it, and as a result of that _all_  
Tor users at a given time. So even this unrealistic scenario would  
just reveal very useless information.

So if the German courts and prosecutors don't realize this beforehand,
and really demand Tor logging, I'd just say: ok, do it. They will soon
realize that they will not get any useful information out of this and
drop the regulation for Tor again. It's "just" a cost issue for Tor
operators (because of necessary HD space), but not really a privacy
issue.

So even in the worst-case-scenario, please don't let the usability of  
Tor decrease even more by switching off the German nodes, just for a  
questionable and theoretical privacy improvement. But I still hope,  
that somebody will tell them before, and we will never have to log at  
all.

> Are there actually any design changes in Tor that are needed for now?
> Assuming ISPs don't suddenly start becoming logging stations, and assuming
> not very many Tor relays become compromised, there really aren't any
> new threats for Tor users.

Exactly.


Regards,

Sven
