Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Face Jail Risk For Tor Snooping Study

Posted by CmdrTaco on from the learning-is-dangerous-business dept.

An anonymous reader writes "A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project (PDF) in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act. The researchers neither sought legal review of the project nor ran it past their Institutional Review Board. The Electronic Frontier Foundation, which has written a legal guide for Tor admins, strongly advises against any sort of network monitoring."

6 of 121 comments (clear)

  1. Correct link to study by miraboo · · Score: 5, Informative

    The link to the study is borked. Correct link: http://www.cs.washington.edu/homes/yoshi/papers/Tor/PETS2008_37.pdf

    1. Re:Correct link to study by Anonymous Coward · · Score: 4, Informative

      I don't wonder that the Tor people are upset by this study, because it makes some credible-looking claims that Tor does not adequately provide the anonymity it claims to. Amongst other things, the researchers warn that the design of the network can allow different actions by the same user to to be associated.

      They also warn about things that have led many to doubt the project from the start: that (in their language) 'misbehaving' nodes can be set up that could take a range of actions detrimental to users.

      Lest this be thought to be a hypothetical threat, consider this from their conclusion:

      >we developed a method for detecting malicious
      >logging exit routers, and provided evidence that
      >there are such routers that
      >speciïcally log insecure protocol exit traïfc

      They also note that while they ran their node, they received numerous accusations of illegal activity, traced to their node's IP address. This has always been a danger for node operators - this test confirms it is a real threat.

      Frankly, a reader of this report would be wise to reconsider Tor usage.

  2. Re:They can't be stupid. by faloi · · Score: 4, Informative

    It sounds like, from the very cut down version of the story that's available at the link, they didn't want to go to the effort to find out. They probably figured (correctly) it'd be a huge hassle to go through all the hurdles to get the approvals they might need. Rather than dig into it, they talked amongst themselves and decided it wasn't a big deal. Regardless of FAQ containing legal advice to the contrary. They sought minimal outside advice, and may or may not have provided enough information for the third party to make a determination, but didn't pursue it.

    When engaging in activities that might be legal, but might be a felony...I'll go for safe over sorry any day.

    --
    "It is a miracle that curiosity survives formal education." -Albert Einstein
  3. Re:OT factoid... by Anonymous Coward · · Score: 5, Informative

    Nope. Slashdot banned tor openly, as do most online discussion systems that don't want to be flooded by endless bots.

    You either ban all tor users or you allow all tor users, since any one user can just reconnect through every tor node to evade ip bans(allowing them to create new accounts if their old one was banned). Most places would rather be able to ban users, so they disallow tor exit nodes.

  4. They have more than the law to worry about . . . by matantisi · · Score: 2, Informative

    Failing to submit this study to the Institutional Review Board is a *huge* professional no-no! One of the major functions of the IRB is to ensure that research doesn't violate subjects rights -- particularly confidentiality and privacy rights (which could, I suppose, be why they didn't submit it). Even if the government decides to the let them slide (unlikely with a case of wiretapping), this has ramifications for the Universities. It can lead to the US Dept. of Education shutting down *all* of their research activities. They will be extremely unpopular where they are, and they'll have the devil's own time getting hired anywhere else.

  5. Re:You can't jail them@ by skinfaxi · · Score: 1, Informative

    TFA explains that Tor itself doesn't do encryption. If you are using protocols that send name/pwd in clear text (like, FTP, POP, etc.), then Tor cheerfully passes those along. The most interesting thing they did IMO is seed the Tor traffic with honeypot clear text username/pwd combos and then watch for attempts to log in using those credentials, which happened almost immediately. There are hackers out there that are scooping up logins, taking advantage of the fact that people don't know (or don't care) how Tor works.