Slashdot Mirror


Researchers Face Jail Risk For Tor Snooping Study

An anonymous reader writes "A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project (PDF) in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act. The researchers neither sought legal review of the project nor ran it past their Institutional Review Board. The Electronic Frontier Foundation, which has written a legal guide for Tor admins, strongly advises against any sort of network monitoring."

29 of 121 comments

  1. You can't jail them@ by wvdmc · · Score: 3, Funny

    They did it in the name of SCIENCE!

    1. Re:You can't jail them@ by tritonman · · Score: 4, Funny

      I guess if they get jail time, the lesson to learn is "Do as I say, not as I do."

    2. Re:You can't jail them@ by elrous0 · · Score: 4, Funny

      Of course we should jail them. According to the Bush administration, science is a major threat to our country!

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    3. Re:You can't jail them@ by zoogies · · Score: 4, Insightful

      Speaking of the Bush administration and violating wiretapping laws...

    4. Re:You can't jail them@ by TheRaven64 · · Score: 5, Funny

      No problem, they just need to argue that, as operators of a Tor exit node, they are a telecoms company, then they get free retroactive immunity.

      --
      I am TheRaven on Soylent News
    5. Re:You can't jail them@ by smallfries · · Score: 4, Interesting

      How is their study either unethical, or illegal as you have claimed? Ignoring your hypothetical marijuana study as completely irrelevant you seem to have missed the key points in what they did.

      They did not run a "wiretap" as claimed. They monitored the traffic at a tor node that they controlled. People willingly sent them the information that was supposed to be private.

      Their study is a scientific investigation into whether the privacy claims of Tor can be sustained. They cannot - the system is open to abuse. This is an entirely ethical study into the claims made by Tor, and furthermore this is exactly how good empirical science should work.

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  2. Correct link to study by miraboo · · Score: 5, Informative

    The link to the study is borked. Correct link: http://www.cs.washington.edu/homes/yoshi/papers/Tor/PETS2008_37.pdf

    1. Re:Correct link to study by Anonymous Coward · · Score: 4, Informative

      I don't wonder that the Tor people are upset by this study, because it makes some credible-looking claims that Tor does not adequately provide the anonymity it claims to. Amongst other things, the researchers warn that the design of the network can allow different actions by the same user to be associated.

      They also warn about things that have led many to doubt the project from the start: that (in their language) 'misbehaving' nodes can be set up that could take a range of actions detrimental to users.

      Lest this be thought to be a hypothetical threat, consider this from their conclusion:

      >we developed a method for detecting malicious
      >logging exit routers, and provided evidence that
      >there are such routers that
      >specifically log insecure protocol exit traffic

      They also note that while they ran their node, they received numerous accusations of illegal activity, traced to their node's IP address. This has always been a danger for node operators - this test confirms it is a real threat.

      Frankly, a reader of this report would be wise to reconsider Tor usage.

  3. Yeah, who do those "researchers" think they are... by jeffb+(2.718) · · Score: 5, Funny

    ...music publishers?

  4. not to worry by pak9rabid · · Score: 4, Insightful

    ...the researchers could also face up to 5 years in jail for violating the Wiretap Act.

    I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

    1. Re:not to worry by MBGMorden · · Score: 3, Insightful

      I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

      One could only hope. Fads tend to run their course and then quickly fade away. I have a bad feeling this is more of a long term trend.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain
    2. Re:not to worry by oahazmatt · · Score: 4, Insightful

      ...the researchers could also face up to 5 years in jail for violating the Wiretap Act.

      I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

      For that to work there's a preset number of times that you must use "terrorist", "nine" and "eleven" in your reasoning.

      --
      Those who believe the Internet is private,
      find their privates are on the Internet.
    3. Re:not to worry by AmonEzhno · · Score: 5, Insightful

      It does seem excruciatingly telling how scientists are threatened with prosecution whereas Illegal Domestic spies are treated with what almost seems like respect by the Federal Government. Kind of a reflection on the state of science vs military these days. Though in all honesty they should not have been doing this in the first place, but it's not easy to know 100% where the line is in research sometimes. So it would seem to me the best idea would be to reprimand them, think some kind of appropriate fine, and set a precedent. That way it would be clear for later issues. I don't want to be monitored without my permission, I don't know about you guys, even if it is for science.

    4. Re:not to worry by Kingrames · · Score: 3, Funny

      No, you just have to hand over $9.11 to Congress.
      They're cheap now.

      --
      If you can read this, I forgot to post anonymously.
  5. They can't be stupid. by Hyppy · · Score: 4, Interesting

    How could these researchers not know that they were engaging in illegal wiretapping?

    On the other hand, the story is hypothetical. No charges have been filed, and there's no real evidence that the government could give a flying flip.

    1. Re:They can't be stupid. by faloi · · Score: 4, Informative

      It sounds like, from the very cut down version of the story that's available at the link, they didn't want to go to the effort to find out. They probably figured (correctly) it'd be a huge hassle to go through all the hurdles to get the approvals they might need. Rather than dig into it, they talked amongst themselves and decided it wasn't a big deal. Regardless of FAQ containing legal advice to the contrary. They sought minimal outside advice, and may or may not have provided enough information for the third party to make a determination, but didn't pursue it.

      When engaging in activities that might be legal, but might be a felony...I'll go for safe over sorry any day.

      --
      "It is a miracle that curiosity survives formal education." -Albert Einstein
    2. Re:They can't be stupid. by somersault · · Score: 4, Insightful

      If the info is passing through their own network interface - by actual design of the Tor system, and not because they have done something devious - how is this analogous to wiretapping?

      Illegal wiretapping surely involves breaking into private communications that you are not intended to be part of, through either physical means, or perhaps via software - but by its nature, Tor allows anyone to connect into the network, and people know that what they are sending/receiving is going to travel through other people's computers (but can be fairly confident that nobody can trace anything back to them easily).

      I don't see how researching into the protocol and viewing the packets that pass through your own node are illegal, unless you accept some kind of contract not to snoop when you install Tor.

      --
      which is totally what she said
    3. Re:They can't be stupid. by Deagol · · Score: 3, Insightful

      I, too, think this is a lame precedent. However, ownership of one end of the means of communication is no defense, as in some states where both parties must consent to recording phone calls. I'm not saying it's right, just that this is how it is in other cases.

      Having said that, anyone using TOR who actually trusts the exit nodes needs their head examined. There are exit nodes which are known to be hostile, and some operators have even publicly stated they have monitored traffic and captured login/password pairs. One should never, NEVER access anything via TOR that may correlate to their meatspace life. Either use the web read-only, or set up nym accounts on sites that require registration.

  6. Should have tried to get jobs at telco, first. by denis-The-menace · · Score: 4, Insightful

    Apparently, US Telcos can snoop all they want and it's perfectly legal, now!

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  7. OT factoid... by Anonymous Coward · · Score: 5, Interesting

    Interestingly, I was once banned from /. for running a tor node. When I found out and emailed the admins they asked if I was running a tor server - I replied in the affirmative but had since taken the node down because my SOHO router wasn't up to the task.

    The /. admins were very nice and restored my access almost immediately but I found the whole process interesting.

    1. Re:OT factoid... by Anonymous Coward · · Score: 5, Informative

      Nope. Slashdot banned tor openly, as do most online discussion systems that don't want to be flooded by endless bots.

      You either ban all tor users or you allow all tor users, since any one user can just reconnect through every tor node to evade IP bans (allowing them to create new accounts if their old one was banned). Most places would rather be able to ban users, so they disallow tor exit nodes.

  8. Nope by dreamchaser · · Score: 4, Insightful

    Not unless they have millions to spend on lobbyists.

  9. if it is your equipment... by damonlab · · Score: 4, Insightful

    What is the difference between what they did and say leaving your wifi access point open to snoop on anybody that might connect to that? Either way, the other people chose to actively connect to YOUR equipment. If it is your equipment, you should have every right to monitor it in any way you see fit.

    1. Re:if it is your equipment... by Amorymeltzer · · Score: 3, Interesting

      The problem is monitoring the communication itself. You can't just pick up the phone and tape record someone without their permission, or pick up a camera and videotape them. By saving the first 150b of each transmission, they were technically doing this.

      TFA does a pretty good job of explaining all the various angles - from participation without permission to individuals under 18 to international issues - but they're coming up against a number of laws, such as the Wiretap Act, which is specifically aimed at this sort of thing.

      What I'm wondering though is, and I'm no tor expert, since it was so easy for these folk to set up their exit and entry nodes to log the data, what's stopping the others running tor nodes to do the same? If they can do it, surely the Chinese government could be doing the same, using it to catch all those pro-democracy bloggers. The US could (and would) definitely use this, so what's stopping them, assuming they aren't already doing it?

      --
      I live in constant fear of the Coming of the Red Spiders.
  10. Update to the old saying... by Snap+E+Tom · · Score: 4, Funny

    Don't wiretap. The government hates competition.

  11. Re:All this proves is... by exley · · Score: 4, Insightful

    ...that Tor is in and of itself not secure enough. Any traffic passing over it needs intermediary obfuscation of origination and destination of traffic as well as encryption of traffic by the origination and destination separate from the Tor network similar to anonymous remailer chains.

    Tor does encrypt data passing through the network, and it does obfuscate the source and destination... That's kind of the whole point. But unless the traffic is inherently encrypted (e.g. SSL), the exit node has to spit out unencrypted data, otherwise the final destination would have no idea as to what it was receiving.

  12. Are they really not covered, though? by void* · · Score: 4, Interesting

    IANAL, but following the link from the article to 18 USC 2511, reading 2(d)

    "It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State."

    Couldn't it be argued that since they are running the TOR server, they are a 'party to the communication', and are thus covered by this exception?

    I mean, the client connects to them, they're a party to that communication, they connect to the server, they're a party to that communication ...

    --
    Code or be coded.
  13. Re: You can't jail them by Squeamish+Ossifrage · · Score: 4, Insightful

    Something that the CNET article failed to address was this: This work was _exactly_ in line with the norms and standards of networking research. It is quite normal for network operators to collect partial or full traffic traces, for both operational and research purposes.

    If you believe that this study was inappropriate, then so is a very large fraction of networking measurement research. Consider at the very least:

        * Just about everything done by CAIDA.
        * The papers at IMC - the Internet Measurement Conference.
        * Data at CRAWDAD - the Community Resource for Archiving Wireless Data at Dartmouth.

    A large part of computer science research consists of observing how systems are used and how they work or don't work. You can do some small-scale studies on a private system with the explicit agreement of all users, but for something as large and complicated as the Internet, the only way to do meaningful research is to observe the real thing, which necessarily means that you can't identify and get the consent of all the users involved. That's the way this field works. Responsible researchers collect the least invasive information possible for their purposes, use it benignly, and anonymise anything they release so that individual users cannot be identified. The authors of this study did exactly those things.

    Now, if you want to ban all observation-based networking research, I suppose that's a legitimate position. But you have to be willing to forgo the benefits of that research. Otherwise, you should accept that the authors acted responsibly and within the norms of the field. Moreover, the purpose of this research was to understand and thereby _improve_ TOR. The researchers identified several serious problems which were already being exploited by "black hats" for malicious purposes. Research like this enables those problems to be addressed before actual harm results.

  14. Article is misleading by BitterOak · · Score: 3, Insightful

    The headline of the article certainly implies, even if it doesn't actually state, that these researchers are actually facing charges. According to the article referenced, there is no mention whatsoever of any criminal investigation, or any evidence that these researchers have even been contacted by authorities. As far as I can tell, the entire article is based on speculation by the EFF and others. It is hard to imagine that wiretapping laws would apply here since (a) the researchers running the exit node are offering a free service and are not in the networking "business", (b) people running Tor voluntarily send their data out to Tor nodes, (c) as an exit node operator, these researchers probably cannot identify the actual people engaging in this communication (at least that should be the case if Tor is running properly), and (d) the study they released only shows aggregate data, and doesn't reveal the private communications of individual users. Doesn't there have to be a specific victim in order for wiretapping charges to apply? (IANAL, I'd love to hear from lawyers on this point.) How is this different from any other network usage study?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?