[tor-talk] Tor and Google error / CAPTCHAs.

Alec Muffett alec.muffett at gmail.com
Sat Sep 24 14:21:54 UTC 2016


On 24 September 2016 at 13:07, <blobby at openmailbox.org> wrote:

>
> Question: what are these people actually doing with the exit node IP that
> upsets Google?


That's a good question; I don't know about Google specifically, but when I
was at Facebook the most common Tor-exit-node-related problem was called
"scraping".

Scraping was/is when people with bad intentions hid behind Tor in order to
disguise attempts to access and copy people's public pages, looking for
personal information (names, addresses, pet names, emails, anything...)
which could be correlated somehow and monetised, eg: via phone fraud or
phishing.

Tor is useful to these people because if they were making such access
attempts from a single IP address, or a single subnet, it would be easy to
track and stop them.

So "scraping", along with other/similar reasons, is why tor exit nodes have
such shitty "IP Reputation" in the tech industry.  The Tor exit nodes hide
a bunch of people who are doing scraping.

Of all the big companies in tech, Facebook probably has some of the
theoretically easiest challenges of addressing scraping - because quite a
lot of content is only available when one is "logged in" to Facebook, so
instead of blocking IP addresses Facebook instead can block _accounts_ that
scrape; however that is not a panacea and fighting scraping at Facebook is
still a _massive_ task.

By comparison Google may have a even harder challenge to combat scraping
because much of Google content is meant to be available without logging-in,
therefore Google rely more heavily upon IP-address as an identifier.

Continuing the spectrum - Cloudflare have an enormously harder challenge
than Google, because they are mostly supplying only "network-level"
services to their customers, so lack knowledge of username, userids, and
(most?) cookies that actual platform-providers might be able to use when
fighting scraping.

If you correlate this spectrum with "corporate friendliness towards Tor", I
think you will see a causative pattern emerge; Tor does great work in
enabling access to these services and platforms for people in need, but it
also serves to hide/enable scrapers and other malfeasance. To not recognise
this and instead (for example) to violently beat-up Cloudflare for
"blocking tor" serves only to entrench anti-Tor sentiment.

This is why a few months ago I wrote a blogpost[1] explaining how best I
believe to get more companies to be friendly towards Tor.

Because any amount of denial, public raging and placard-waving is not going
to help.  It needs outreach.  It needs mutual understanding and
communication of benefits.

    - alec


[1]
https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962

-- 
http://dropsafe.crypticide.com/aboutalecm


More information about the tor-talk mailing list