German data rentention law

Roger Dingledine arma at mit.edu
Fri Oct 31 05:03:51 UTC 2008


On Mon, Oct 20, 2008 at 05:54:18PM +0200, Sven Anderson wrote:
> >And we do not want to see any Tor relays that log traffic  
> >information. So
> >should Tor's role for now be to simply say "the only risk from the  
> >German
> >data retention law is if its vague wording convinces Tor operators
> >to install backdoors in their relays. If you think your new law is
> >enforceable, and would like to backdoor your relay, please shut it  
> >down
> >instead.", and then wait to see how the people fighting the law fare?
> 
> Shouldn't we differentiate what is being logged before making such a  
> statement? Regarding that a large amount of Tor bandwidth is provided  
> by German nodes, it is IMHO too hasty to generally claim that no Tor  
> node is better than a logging Tor node.
> 
> I claim, that even if a node follows the DR law it will almost not  
> impair the security of the Tor users, since Tor is somehow "DR proof".  
> The law-authors didn't have concepts like Tor in mind, when they wrote  
> the specific stuff for anonymization services.
[snip]
> So if the german courts and prosecutors don't realize this beforehand,  
> and really demand Tor logging, I'd just say: ok, do it.

There are at least four reasons why this would be a bad move.

First, Tor isn't actually that bulletproof against a distributed
attacker (see all the recent papers we've been adding to
http://freehaven.net/anonbib/ as well as the upcoming attack papers
we keep hearing rumors about), and we don't want to make the job even
easier by making each of these relays into a juicy data target.

Second, the rest of the Tor community would not easily believe that
trading off network security for network capacity in this way is a
tradeoff they want.

Third, if Tor tolerates this law because its network architecture resists
it, and we let the law survive, then the next iteration of the law will
be better adapted to Tor's threat model.

Fourth, we don't want to undermine the effort to make this data retention
law go away, by showing "oh, the law isn't so bad".

There are still people in Germany who run high profile Tor relays and
who say they will not log. I have no interest in adding logs to Tor.

I'm still surprised at all the people who think the choice is between
keeping their Tor relay without logs or adding logging. The choice is
to keep the relay running with no logs, or to shut down the relay.
Let's beat it here and now, rather than letting them gnaw us to death.

--Roger



More information about the tor-talk mailing list