Researchers Face Jail Risk For Tor Snooping Study
An anonymous reader writes "A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project (PDF) in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act. The researchers neither sought legal review of the project nor ran it past their Institutional Review Board. The Electronic Frontier Foundation, which has written a legal guide for Tor admins, strongly advises against any sort of network monitoring."
...the researchers could also face up to 5 years in jail for violating the Wiretap Act.
I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.
Apparently, US Telcos can snoop all they want and it's perfectly legal, now!
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Not unless they have millions to spend on lobbyists.
What is the difference between what they did and say leaving your wifi access point open to snoop on anybody that might connect to that? Either way, the other people chose to actively connect to YOUR equipment. If it is your equipment, you should have every right to monitor it in any way you see fit.
If the info is passing through their own network interface - by actual design of the Tor system, and not because they have done something devious - how is this analogous to wiretapping?
Illegal wiretapping surely involves breaking into private communications that you are not intended to be part of, through either physical means, or perhaps via software - but by its nature, Tor allows anyone to connect into the network, and people know that what they are sending/receiving is going to travel through other people's computers (but can be fairly confident that nobody can trace anything back to them easily).
I don't see how researching into the protocol and viewing the packets that pass through your own node are illegal, unless you accept some kind of contract not to snoop when you install Tor.
which is totally what she said
As a social science undergrad, I had it drilled into my brain the importance of IRBs. Not following the review process can threaten your school's federal funding. Any grad student or professor should know better, regardless of their discipline.
They probably realized there will be no such prosecution, because prosecution would draw attention to how easily Tor activity can be monitored and conclusions drawn from it. That kind of attention is a Bad Thing: any government would instead prefer that citizens believe that they have access to something which is secret and anonymous (but which is actually not).
It's good to disrupt enemy communications. It's better to intercept enemy communications. It's best to eavesdrop on enemy communications when the enemy thinks eavesdropping is impossible.
FATMOUSE + YOU = FATMOUSE
They didn't do anything illegal. All they did was copy data of packets passing THROUGH their Tor servers they had set up. They didn't compromise others' systems. This may be a moral question, à la reading emails that pass through your relay.
At which point did it become legal to read emails that were being passed through your relay?
Having said that, anyone using TOR who actually trusts the exit nodes needs their head examined. There are exit nodes which are known to be hostile, and some operators have even publicly stated they have monitored traffic and captured login/password pairs. One should never, NEVER access anything via TOR that may correlate to their meatspace life. Either use the web read-only, or set up nym accounts on sites that require registration.
Method of processing duck feet
It depends on the information. Can I have your Social Security number, your bank account number and debit card PIN number? You don't even want your name posted; not even your slashdot user name!
Sharing SOME knowledge is good, sharing other knowledge is bad. Your anonymous cries of slashdot hypocrisy ring hollow.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
...that Tor is in and of itself not secure enough. Any traffic passing over it needs intermediary obfuscation of origination and destination of traffic as well as encryption of traffic by the origination and destination separate from the Tor network similar to anonymous remailer chains.
Oh well, thanks to the government, the **AA people, and idiots like this, such networks are coming... and where once terrorists, organized crime, and other ne'er do wells had to pay some geeks for serious work to make secure communications a done deal, they will be able to download an open source package off the net with point and click simplicity that does everything they need and more. Just because the aforementioned dipsticks pushing the trend refused to listen to Princess Leia in Star Wars when she told off Grand Moff Tarkin.
You remember, tighter grip, more systems through your fingers. As in, oppression is counterproductive and carries the seeds of your downfall, and everyone else's...
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
If you do a legitimate study on the effects of different strains of marijuana, and control the genetics by growing the pot yourself, without all the impossible to get paperwork and permissions, you're going to prison.
Why should these guys be any different? In the case of the reefer nobody's harmed, in these guys' cases they invaded innocent people's privacy. Not only were their actions illegal, they were highly unethical.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
The thing is that you pay your phone company and have a contract with them, and at least in those states you will know that you have the chance of being monitored as it will be part of the contract. You also know that they won't just give out those recordings to just anyone (though the government or police will probably want it at some point).
With TOR you have no contract or promise that no undesirables are listening in. There is no way of stopping someone snooping on exit nodes, so if these guys are punished for this (and in the paper they show that they haven't even recorded anything beyond the application headers, so their data is completely anonymised and contains nothing beyond what apps are being used) it won't help justice at all - it will punish those who were just interested in the protocol and researching it, while letting those who are actively recording things like usernames/passwords off scot-free.
which is totally what she said
Speaking of the Bush administration and violating wiretapping laws...
They should have just secretly used the data for nefarious purposes, instead of publicizing the security hole. When will these people learn?
there is no god but truth, and reality is its prophet
Something that the CNET article failed to address was this: This work was _exactly_ in line with the norms and standards of networking research. It is quite normal for network operators to collect partial or full traffic traces, for both operational and research purposes.
If you believe that this study was inappropriate, then so is a very large fraction of networking measurement research. Consider at the very least:
* Just about everything done by CAIDA.
* The papers at IMC - the Internet Measurement Conference.
* Data at CRAWDAD - the Community Resource for Archiving Wireless Data at Dartmouth.
A large part of computer science research consists of observing how systems are used and how they work or don't work. You can do some small-scale studies on a private system with the explicit agreement of all users, but for something as large and complicated as the Internet, the only way to do meaningful research is to observe the real thing, which necessarily means that you can't identify and get the consent of all the users involved. That's the way this field works. Responsible researchers collect the least invasive information possible for their purposes, use it benignly, and anonymise anything they release so that individual users cannot be identified. The authors of this study did exactly those things.
Now, if you want to ban all observation-based networking research, I suppose that's a legitimate position. But you have to be willing to forgo the benefits of that research. Otherwise, you should accept that the authors acted responsibly and within the norms of the field. Moreover, the purpose of this research was to understand and thereby _improve_ TOR. The researchers identified several serious problems which were already being exploited by "black hats" for malicious purposes. Research like this enables those problems to be addressed before actual harm results.
Anyone who assumes that Tor exit nodes aren't heavily monitored by lots of three letter agencies, private companies, and researchers is a fool.
If Tor's utility depended on legal protections, it would be a lost cause. What Tor actually does for you is obscure your IP address, nothing more and nothing less. That is very useful. But you still need to make sure that your content is clean. That's why Tor is often used with software like Privoxy.
If anybody actually goes after these security researchers, it's not to protect the privacy of Tor users, it's to prevent the researchers from alerting Tor users to protecting their identity better, because once 99.9% of the Tor traffic is encrypted, listening in becomes much less useful.
Note also it doesn't have any backup to its (misleading) headline. Usually "could face legal..." means some law enforcement agency has noticed the issue. The only one stirring up the pot here (and working pretty hard at it) seems to be the article's author.
The headline of the article certainly implies, even if it doesn't actually state, that these researchers are actually facing charges. According to the article referenced, there is no mention whatsoever of any criminal investigation, or any evidence that these researchers have even been contacted by authorities. As far as I can tell, the entire article is based on speculation by the EFF and others. It is hard to imagine that wiretapping laws would apply here since (a) the researchers running the exit node are offering a free service and are not in the networking "business", (b) people running Tor voluntarily send their data out to Tor nodes, (c) as an exit node operator, these researchers probably cannot identify the actual people engaging in this communication (at least that should be the case if Tor is running properly), and (d) the study they released only shows aggregate data, and doesn't reveal the private communications of individual users. Doesn't there have to be a specific victim in order for wiretapping charges to apply? (IANAL, I'd love to hear from lawyers on this point.) How is this different from any other network usage study?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
I don't wonder that the Tor people are upset by this study, because it makes some credible-looking claims that Tor does not adequately provide the anonymity it claims to.
I don't know where you get that idea. TOR developers are perfectly aware of TOR's limitations. They even warn you on their website.
They say specifically,
3. No anonymity system is perfect these days, and Tor is no exception: you should not rely solely on the current Tor network if you really need strong anonymity.
And in the list of warnings,
5. While Tor blocks attackers on your local network from discovering or influencing your destination, it opens new risks: malicious or misconfigured Tor exit nodes can send you the wrong page, or even send you embedded Java applets disguised as domains you trust.
Nothing in this study is new or ground-breaking. I am not familiar enough with TOR to say whether it will even be marginally useful, but I won't be surprised if there is nothing in this study that TOR developers didn't know or suspect already.