Slashdot Mirror


Researchers Face Jail Risk For Tor Snooping Study

An anonymous reader writes "A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project (PDF) in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act. The researchers neither sought legal review of the project nor ran it past their Institutional Review Board. The Electronic Frontier Foundation, which has written a legal guide for Tor admins, strongly advises against any sort of network monitoring."

10 of 121 comments

  1. not to worry by pak9rabid · · Score: 4, Insightful

    ...the researchers could also face up to 5 years in jail for violating the Wiretap Act.

    I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

    1. Re:not to worry by oahazmatt · · Score: 4, Insightful

      ...the researchers could also face up to 5 years in jail for violating the Wiretap Act.

      I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

      For that to work there's a preset number of times that you must use "terrorist", "nine" and "eleven" in your reasoning.

      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    2. Re:not to worry by AmonEzhno · · Score: 5, Insightful

      It does seem excruciatingly telling how scientists are threatened with prosecution whereas illegal domestic spies are treated with what almost seems like respect by the Federal Government. Kind of a reflection on the state of science vs military these days. Though in all honesty they should not have been doing this in the first place, but it's not easy to know 100% where the line is in research sometimes. So it would seem to me the best idea would be to reprimand them, think some kind of appropriate fine, and set a precedent. That way it would be clear for later issues. I don't want to be monitored without my permission, I don't know about you guys, even if it is for science.

  2. Should have tried to get jobs at telco, first. by denis-The-menace · · Score: 4, Insightful

    Apparently, US Telcos can snoop all they want and it's perfectly legal, now!

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  3. Nope by dreamchaser · · Score: 4, Insightful

    Not unless they have millions to spend on lobbyists.

  4. if it is your equipment... by damonlab · · Score: 4, Insightful

    What is the difference between what they did and say leaving your wifi access point open to snoop on anybody that might connect to that? Either way, the other people chose to actively connect to YOUR equipment. If it is your equipment, you should have every right to monitor it in any way you see fit.

  5. Re:They can't be stupid. by somersault · · Score: 4, Insightful

    If the info is passing through their own network interface - by actual design of the Tor system, and not because they have done something devious - how is this analogous to wiretapping?

    Illegal wiretapping surely involves breaking into private communications that you are not intended to be part of, through either physical means, or perhaps via software - but by its nature, Tor allows anyone to connect into the network, and people know that what they are sending/receiving is going to travel through other people's computers (but can be fairly confident that nobody can trace anything back to them easily).

    I don't see how researching into the protocol and viewing the packets that pass through your own node are illegal, unless you accept some kind of contract not to snoop when you install Tor.

    --
    which is totally what she said
  6. Re:All this proves is... by exley · · Score: 4, Insightful

    ...that Tor is in and of itself not secure enough. Any traffic passing over it needs intermediary obfuscation of origination and destination of traffic as well as encryption of traffic by the origination and destination separate from the Tor network similar to anonymous remailer chains.

    Tor does encrypt data passing through the network, and it does obfuscate the source and destination... That's kind of the whole point. But unless the traffic is inherently encrypted (e.g. SSL), the exit node has to spit out unencrypted data, otherwise the final destination would have no idea as to what it was receiving.

  7. Re:You can't jail them@ by zoogies · · Score: 4, Insightful

    Speaking of the Bush administration and violating wiretapping laws...

  8. Re: You can't jail them by Squeamish Ossifrage · · Score: 4, Insightful

    Something that the CNET article failed to address was this: This work was _exactly_ in line with the norms and standards of networking research. It is quite normal for network operators to collect partial or full traffic traces, for both operational and research purposes.

    If you believe that this study was inappropriate, then so is a very large fraction of networking measurement research. Consider at the very least:

        * Just about everything done by CAIDA.
        * The papers at IMC - the Internet Measurement Conference.
        * Data at CRAWDAD - the Community Resource for Archiving Wireless Data at Dartmouth.

    A large part of computer science research consists of observing how systems are used and how they work or don't work. You can do some small-scale studies on a private system with the explicit agreement of all users, but for something as large and complicated as the Internet, the only way to do meaningful research is to observe the real thing, which necessarily means that you can't identify and get the consent of all the users involved. That's the way this field works. Responsible researchers collect the least invasive information possible for their purposes, use it benignly, and anonymise anything they release so that individual users cannot be identified. The authors of this study did exactly those things.

    Now, if you want to ban all observation-based networking research, I suppose that's a legitimate position. But you have to be willing to forgo the benefits of that research. Otherwise, you should accept that the authors acted responsibly and within the norms of the field. Moreover, the purpose of this research was to understand and thereby _improve_ TOR. The researchers identified several serious problems which were already being exploited by "black hats" for malicious purposes. Research like this enables those problems to be addressed before actual harm results.