[tor-talk] Tor and Google error / CAPTCHAs.

Alec Muffett alec.muffett at gmail.com
Mon Oct 3 07:09:55 UTC 2016


On 3 October 2016 at 01:40, <bancfc at openmailbox.org> wrote:

> While outreach and cooperation with some companies may work, do you not
> consider that a sizable number of sites will always block anonymous traffic
> simply because they can not monetize it with targeted ads?



Ah! That delightful old argument.

I've heard it a lot, and I am afraid that it is all of groundless,
incorrect and demonstrably silly.  :-)


In three bullets:

1) If less than 0.1% of the people who use your site do so "anonymously",
the amount of ad-revenue associated with them is negligible. There are
bigger leaks to plug.

2) In my experience the "blocking" that companies do to Tor (and similar)
is 100% grounded in the threats from spam, scraping, testing phished
credentials, and other forms of bad behaviour.

3) I would bet a substantial amount of beer that anonymous proxy networks
are negligible threats to advertising revenue in comparison to "People on
the Clearnet who use AdBlock+".


My perspective:

I've always felt that the "It must be because we are a threat to advert
revenue!" argument is a perfect example of the kind of conspiratorial or
religious-oppression-like rationalisation that I discussed in an earlier
post.

For clarity - though I hope my work to date does not mean that I NEED to
say this - I am NOT saying that people who use anonymity proxy networks are
unimportant.

What I am saying is that anonymous users are, from the perspective of
revenue, negligible in number, and thus arguments that they get blocked for
revenue reasons are utterly specious - i.e.: plausible, but actually wrong.

I will observe that occasionally someone who is responsible for "compliance"
will worry about anonymity proxy networks.

e.g.: the banking industry have this obligation called Know Your
Customer[1] which would make them really fret about Tor, because the
regulator might spank them for recklessness, or something.

People who are responsible for compliance are really good to get "on your
side" if you are trying to make better affordance for Tor within a company:
if you can build a system for them that says:

    "This connection is coming from a Tor exit node, That connection is not."

...and can surface that distinction to the internal compliance-enforcing
code, they can decide what to do with connections that come from Tor.

This sort of "tagging" of Tor connections may sound counterintuitive to the
Tor community, but the point is that by building such a system you are:

1) enabling measurement[2] of how many people access your site over Tor,
and...

2) for the compliance people you are turning the fact someone is using Tor
from an amorphous "ZOMG DARKWEB MURKINESS SOMEWHERE OUT THERE ON THE
NETWORK" - into a simple boolean signal which they can factor into their
decision matrix, so that they get to keep their jobs when the regulator
asks them "what they are doing about the darkweb which [the regulator] read
about in Wired two months ago..."

Having built this thing for your compliance people, you've also had an
opportunity to explain how important Tor is for people who _really_ need to
access your site, so it could turn into a huge "Block Tor!" thing, but it's
more likely to turn into "let's just switch off the stuff we're worried
about, for compliance reasons" - when someone accesses the site over Tor.

This latter is the kind of "Graduated Access" thing which Grarpamp was
arguing in favour of, yesterday.

    - alec


[1] See: https://en.wikipedia.org/wiki/Know_your_customer

[2] For why this is important, read this:
https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962


-- 
http://dropsafe.crypticide.com/aboutalecm
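
The following is an added example, not part of the original post or any code by its author: a sketch of the "tagging" system the message describes, which turns "is this peer a Tor exit node?" into a boolean, counts Tor versus clearnet requests for measurement, and switches off only selected features for Tor users. The exit list contents (documentation-range addresses), its one-address-per-line format, the `Gate` class and the feature names are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample exit list, one address per line (assumed format).
# These are documentation-range addresses, not real exit nodes.
SAMPLE_EXIT_LIST = """\
# constructed sample
192.0.2.10
198.51.100.77
2001:db8::5
not-an-address
"""

# Hypothetical features a compliance team chooses to switch off over Tor.
TOR_DISABLED_FEATURES = {"wire_transfer", "new_payee"}


def load_exit_nodes(text):
    """Parse the list, skipping blanks, comments and malformed entries."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one bad line must not break the whole load
    return nodes


def is_tor_exit(remote_addr, exit_nodes):
    """The boolean signal: True if the peer address is a listed exit."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    mapped = getattr(addr, "ipv4_mapped", None)
    return (mapped or addr) in exit_nodes


class Gate:
    """Surfaces the Tor tag to policy code and keeps a measurement count."""

    def __init__(self, exit_nodes):
        self.exit_nodes = exit_nodes
        self.seen = Counter()  # requests seen, keyed "tor" / "clearnet"

    def allow(self, remote_addr, feature):
        via_tor = is_tor_exit(remote_addr, self.exit_nodes)
        self.seen["tor" if via_tor else "clearnet"] += 1
        # Graduated access: only the listed features are off for Tor users.
        return not (via_tor and feature in TOR_DISABLED_FEATURES)
```
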

