The EFF Reflects On ICE Seizing a Tor Exit Node

An anonymous reader writes "Marcia Hofmann, senior staff attorney at the EFF, gives more information on the first known seizure of equipment in the U.S. due to a warrant executed against a private individual running a Tor exit node. 'This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an Internet Protocol (IP) address that traced back to an account connected to Mr. King's home, where he was operating a Tor exit relay.' The EFF was able to get Mr King's equipment returned, and Marcia points out that 'While we think it's important to let the public know about this unfortunate event, it doesn't change our belief that running a Tor exit relay is legal.' She also links to the EFF's Tor Legal FAQ. This brings up an interesting dichotomy in my mind, concerning protecting yourself from the Big digital Brother: Running an open Wi-Fi hotspot, or Tor exit node, would make you both more likely to be investigated, and less likely to be convicted, of any cyber crimes."

don't let your stuff be used for criminal stuff

[alen]

seizing anything that is suspected of being used for criminal activity has been perfectly legal for hundreds of years. and there is no excuse that you were running some service or other and didn't know what other people were doing. if the cops get a hunch they will seize your stuff to look for evidence and impound it if there is evidence of a crime

Re:don't let your stuff be used for criminal stuff

[pseudocode]

You're right - it's like lending someone a car which they then commit a crime with; you're not guilty of a crime, but it's still fair enough for them to impound the car as evidence.

Re:don't let your stuff be used for criminal stuff

[betterunixthanunix]

Right, that's why ISPs constantly have their routers and DNS servers seized, because so many people are using those computers for criminal activity.

Oh, wait -- ISPs are corporations, so we treat them differently. When it is some guy running a service out of his home, then the other set of rules applies, where the service operator is harassed by ICE and threatened when his equipment is returned.

Re:don't let your stuff be used for criminal stuff

[cheekyjohnson]

and there is no excuse that you were running some service or other and didn't know what other people were doing

So just make sure you're watching what every single one of your users/customers are doing at all times. I know I'd want to use such a service.

Re:don't let your stuff be used for criminal stuff

[Zerth]

Hardware is so inexpensive now a days; a participatory, community-building point of view suggests you should be running two sets of hardware. One set for your open WiFi and Tor exit node, and the other for your personal use.

Except they won't bother to check, they'll just take everything you own. Although I suppose you could go the "True Names" route and bury your personal equipment.

Re:don't let your stuff be used for criminal stuff

[ofc]

And when they come to seize your hardware, they will simply leave your for personal use equipment alone, because you told them that it hasn't been used for illegal activities.

Re:don't let your stuff be used for criminal stuff

[biodata]

Quite a few corporations do this routinely and are never prosecuted for it. Individuals are unlikely to take the risk due to the personal cost of a mistake, against which they can't insure. Carrying parcels for people on aeroplanes is not the same as sharing your spare computer capacity with anyone who needs some at the time. You are not carrying anything for anyone.

Re:don't let your stuff be used for criminal stuff

[betterunixthanunix]

Traffic through ISPs is expected to originate with the customers

A provably false assumption even when Tor is not involved. I share an Internet connection with several other people, and my name is not the name of the account holder. When I was in high school, my (nerdier) friends and I used to grant ssh access to each other -- someone who was not even a resident of my home could have been using my Internet connection. I once discovered that a network administrator had not changed the default password on a router; I could have used that router to relay any traffic I wanted. Then there is this:

http://www.itworld.com/security/84077/child-porn-malwares-ultimate-evil

As the EFF said, an IP address does not identify a human being, and it does not necessarily identify a specific computer. An IP address may be helpful in an investigation as a clue, but a lot more evidence is needed before you can claim that any person or residence is responsible for the traffic originating at an IP address.

Running an exit node is like volunteering yourself for anything. You might end up helping someone commit a crime.

Parking your car in the right spot on the street might help someone commit a crime. So what? Even the police use Tor, when for example they are investigating illegal websites and don't want to reveal that they are law enforcement. Exit node operators should not face this sort of harassment, especially not in the United States (the country that started the Tor project).

Re:don't let your stuff be used for criminal stuff

[Sarten-X]

I didn't say that traffic always originates with customers. I said it's expected to. That's a reasonable expectation, because the vast majority of home internet connections are for one household and not shared. The US Constitution only protects against unreasonable search and seizure.

These days, more connections are being shared across multiple computers, but still rarely outside the same household. Malware does happen, but it's also rare. Similarly, picking people out of a lineup isn't perfect. DNA evidence degrades over time, and can be contaminated very easily. Firearms can be altered to change their striations. Every kind of evidence used has a level of uncertainty to it, and that's why we have trials to determine whether the amount of evidence supporting a theory is sufficient to show guilt.

The purpose of any investigation is to look for evidence. In this case, the investigation found nothing substantial connecting Mr. King to the crime, so he's not being investigated anymore. Rant all you like about how unreasonable ICE is, but it doesn't change the fact that they did their job perfectly ethically and in accordance with the Constitution. How do you think the investigation should have been conducted, balancing the need to check all potential sources of evidence with the need to respect privacy? Bear in mind, any evidence left in the possession of the suspect after he knows he's under investigation is tainted, and cannot be trusted.

Re:don't let your stuff be used for criminal stuff

[betterunixthanunix]

How do you think the investigation should have been conducted

• Police get logs related to CP investigation.
• Mr. King's IP address shows up; the police check if it is a known proxy or Tor exit.
• It is a Tor exit. The police ask Mr. King for any logs he might have, and leave him alone while they continue looking for the real criminal.

Oh no, you mean that while we are busy respecting the rights of our citizens, some criminals might go free?! Yes, that is what I mean.

Re:don't let your stuff be used for criminal stuff

http://en.wikipedia.org/wiki/Ryan_Holle

Re:ICE is doing what now?

[betterunixthanunix]

Immigration and Customs Enforcement. If you are downloading child pornography across US borders, it falls under the jurisdiction of ICE. Of course, harassing Tor exit node operators should not fall under the jurisdiction of any agency, but in Soviet America, harassing service operators who are not registered corporations is what we do.

Re:ICE is doing what now?

[Speare]

Isn't ICE supposed to be dealing with illegal immigrants?

While I decry ICE's decision-making process and think it's reaching beyond its authority, I think it's silly to say that TOR investigation is entirely outside of ICE's domain. Immigration and Customs Enforcement. We still live in a USA where some software and data imports and exports are considered unlawful, whether it's controlled technology (cryptology, espionage, classified data) or the more pedestrian types like child pornography.

Investigated == not good

[SirGarlon]

Running an open Wi-Fi hotspot, or Tor exit node, would make you both more likely to be investigated, and less likely to be convicted, of any cyber crimes

Unfortunately there is a lot the authorities can do under the name of "investigation" to harass, abuse, intimidate, and even detain you. Seizing computers is bad enough but if they really want to play hardball they can haul you in "for questioning" ... on a daily basis ... and pick you up at inconvenient times like when you're at the office or in the middle of the night. So really being investigated is the thing you don't want, because it can make your life hell and in the end the cops can just smile and say "No charges. Have a nice day, citizen."

Re:Intimidation

[maxwell+demon]

What information regarding their case can ICE hope to get from the seized computer?

For example if the traffic in question really came from someone else through the TOR exit node as claimed. After all, he could well have downloaded the file himself but then claimed "oh, it was coming through TOR, I'm not guilty!" If the file is on his hard drive, he'll have a hard time to explain it.

Unfortunately...

[fuzzyfuzzyfungus]

'Mere' investigation can be made rather unpleasant, depending on the crime in question, the enthusiasm of the cops running after it, and your access to legal representation...

There are the practical difficulties: Having everything vaguely resembling a computer siezed and held for who-knows-how-long, potentially quite signifcant legal costs, etc.

And there are the ones arising from the common, but troublesome, opinion that investigation is a sort of lesser degree of guilt. The taint by mere association is worst with kiddie-porn related matters; but the touchier types seem to consider "Police Record: Checked, found absolutely nothing." to simply be a subspecies of "Police Record" and act accordingly. Fan-tastic.

Re:Intimidation

[pseudocode]

Not at all - just because it's a TOR endpoint and any traffic there is a dead end doesn't invalidate checking all the other forensic options like browser cache etc, running TOR could just be a way of hiding in data volume. It's probably not the case, but if they don't follow a piece of evidence then that's bad.

Re:This is why we need COMMUNISM!

[Hazel+Bergeron]

Straight from today to communism? That's an unlikely sequence.

As long as you have a capitalist welfare state supporting by a local labour aristocracy, you won't have a local exploited proletariat in which to raise united consciousness. The anarchists a century ago were already arguing this and it's come true. You would be better campaigning for better conditions abroad or for the sort of trade protectionism against abusive states which caused South Africa to be shunned in the '80s.

Re:ICE is doing what now?

Isn't ICE supposed to be dealing with illegal immigrants? Oh, right. I forgot. This is the Barry administration, where the Justice Department doesn't prosecute the Black Panthers for voter intimidation (even though they already won the case) and ICE has been tasked with ensuring that illegals are allowed to remain here, as long as they are registered Democrats.

No, ICE (which was renamed during the reorganization of INS that took place under the Bush II administration, you partisan hack) stands for Immigrations and Customs Enforcement.

Sovereign states have the right to control what passes over their borders. It's part of the definition of statehood. Immigration is about who, Customs is about what.

Back on topic, EFF's "Tor is Legal" sounds an awful lot like the arguments made to justify Freenet back in the day. Ultimately, they all rely on notions like "in any sane legal system", or "in any free country". Problem is, by those sorts of definitions of "free" or "sane", the country hasn't been free since Patriot I, and its legal system has never been sane.

With the end of the Cold War and the demise of the USSR, we lost any motivation for claiming the moral high ground. From printers that identify their owners (like the Romanian archives of individual keystrokes from every manual typewriter), to widespread and omnipresent surveillance (decades before it became a meme, "In Soviet Russia, television watches YOU" was a joke about how much more free we were than the Russians), we ended up becoming what we fought against.

Re:Intimidation

[betterunixthanunix]

An employee at an ISP could download child pornography and disguise it as traffic from a customer. Why, then, does ICE not seize the ISP's equipment as part of their investigation, just to see whether or not that is the case?

The way you know that this has nothing to do with legitimate investigatory techniques is that ICE threatened the guy when they returned his equipment, telling him that he have to deal with more law enforcement harassment in future should he continue operating a Tor exit. This is a straightforward case of harassing the exit node operator because ICE was unable to defeat Tor. Aside from the minority of law enforcement officers who understand that law enforcement agencies benefit from Tor, law enforcement officers in general disdain Tor and think that it is a tool for criminals.

Re:Intimidation

[betterunixthanunix]

So why not treat corporate ISPs the same way -- after all, one of the ISP's employees might be using the ISP's equipment to download child pornography, and attempting to disguise that as if it were one of the ISP's customers. Why is ICE not seizing routers and other equipment from ISPs as part of its investigation?

Right, because individual citizens are not supposed to be providing communication services, only registered corporations are supposed to be doing that sort of thing.

Answer To This.

[bjamesv]

Is registering as a business the answer to "confiscate everything in sight that looks like a computer?"

Maybe paying for a business line will frame the cops expectations correctly before they roll up on your residence. Make them more willing to listen to your network setup and only take the publicly accessible _half of your kit.

Re:Answer To This.

[rainsford]

I imagine a better solution would be to get a virtual or dedicated server at some hosting company, clearly labeled as a TOR exit node (have it host a webpage explaining that fact) and if you can, ONLY use it for that. If you set up a separate corporate entity that owns the server, even better. The law protects you no matter where you run the exit node, but if you want to avoid even being personally investigated at all, you definitely need some significant separation between your home and your exit node.

Re:Answer To This.

[Riceballsan]

I don't believe simply registering as a company, you need to be a corporation large enough to be capable of contributing at least a few hundred thousand to re-election funds, or have lobyests to get any kind of legal grace. A small company of 100 or less people, really doesn't bother them if it goes bankrupt while they spend a few months checking the equipment to see if they possibly were used as a tool for a crime.

Re:Answer To This.

[fuzzyfuzzyfungus]

I am neither a lawyer nor your lawyer; but I suspect that once the boys in blue are knocking on or down your door, you have a problem. It is unlikely that you'll manage to convince them to take your word for how your network is set up and just seize part of the potential evidence. Even if you do strike it lucky and get a techie with a gun and badge, rather than a cop who can pretty much handle dealing with physical evidence, why would he trust you, or do the fiddly forensics on site instead of just hauling it all off and doing the work back at the office?

You might have better luck with the seedy-but-legalish-if-often-a-cover-for-dodgy-activities techniques adopted by besuited scammers and corporations with creative accountants. A shell company, incorporated in one of the states with virtually bulletproof corporate veils and lax reporting requirements(scenic Nevada, for instance) with a vaguely telcomm-related name and no assets aside from a cheap hosted server somewhere, is no more immune to a raid than you are; but might encourage the investigators to finish picking over the raid evidence before deciding whether or not to try to hunt up the corporate officers/owners...

Re:ICE is doing what now?

[dreemernj]

You are acting like the fact this guy was running a Tor exit node somehow means it was impossible for him to commit the crime. That is a ridiculous line of thought and if things operated that way, every criminal could simply operate a Tor exit node and be out of reach of investigation.

Re:Intimidation

[cheekyjohnson]

Between letting a criminal get away and harming an innocent, I'd rather let the criminal get away, to be honest.

Re:Intimidation

[elrous0]

An employee at an ISP could download child pornography and disguise it as traffic from a customer. Why, then, does ICE not seize the ISP's equipment as part of their investigation, just to see whether or not that is the case?

Because very few police organizations would have the forensic skills to even determine that (outside of the FBI, most police agencies are lucky to have a copy of EnCase and maybe one or two guys on staff who know a little about computers). And a prosecutor would have an almost impossible time proving the case because of the nature of it being an ISP. So they don't waste their time.

Real life law enforcement isn't about being fair. Most of the time they're just going after the low-hanging fruit and the shit they can't ignore.

Re:ICE is doing what now?

[betterunixthanunix]

every criminal could simply operate a Tor exit node and be out of reach of investigation.

Or they could just use Tor, and avoid being investigated in the first place. Which is what happened in this case.

The "every criminal will use this excuse" theory is baseless. If an IP address is the only evidence that someone committed a crime, then that person should not be convicted -- and we should be examining what sort of laws led to a situation where IP addresses are the only evidence needed for a search or arrest warrant. I share an Internet connection with several other people; should we all be arrested if the IP address happened to be an endpoint of illegal data? There are dozens of people who have SSH access to my research group's server, and it is possible that any of them could use that server as a proxy -- should the server and all of our computers be confiscated, and all of us arrested, if the IP address shows up during an investigation?

IP addresses are not a form of identification, and even less so when a Tor exit node has that IP address. Anyone could be a criminal, but we should have higher standards for evidence when it comes to issuing warrants and confiscating equipment.

Re:ICE is doing what now?

[rainsford]

IP addresses don't definitively identify individuals (and I'm not aware of any case where that alone was used to convict someone), but disallowing their use as probable cause for a search warrant would seem to set an unreasonably high legal bar.

Re:ICE is doing what now?

[DanTheStone]

I share an Internet connection with several other people; should we all be arrested if the IP address happened to be an endpoint of illegal data?

Don't be silly, only the men would be arrested.

Re:ICE is doing what now?

[zeroshade]

I don't think he's disallowing their use, he's disallowing their use as the ONLY basis for probable cause. If your investigation leads to a specific IP address which multiple people could possibly have used to commit the crime, an arrest warrant should not be given for EVERYONE. A search warrant should be given for the end point, but only if the operator will not respond to a subpeona for the logs.

IP Addresses alone are used to definitively identify copyright infringement all the time, frequently it is wrong but has been allowed to go through.

Re:ICE is doing what now?

[betterunixthanunix]

disallowing their use as probable cause for a search warrant would seem to set an unreasonably high legal bar.

No, it would set the legal bar exactly where it should be: requiring the police to actually identify a person as a suspect. If the police are unable to do so, then they should not be granted a warrant -- this is not a country where we grant the police general search warrants, and it is better to let some criminals walk free than to harass innocent people.

Re:Intimidation

[betterunixthanunix]

There's nothing stopping an individual getting their access mechanisms and machine audited,

The police never asked for Mr. King's logs, they just busted in and seized his equipment. They simply assumed that because his home address was listed on the account that the IP address was assigned to, he was the person they were looking for. The most optimistic view is that this was bad police work.

Re:What about in Europe?

[delinear]

2. You can prove that the use of your connection was unauthorized (and that you were not negligent in securing access to your equipment).

Well that's pretty much everyone with an unpatched Windows botnet zombie going to jail, then.

Re:ICE is doing what now?

[hairyfeet]

I'd say the truly sad part is all this Gestapo crap is a complete waste of time because the cops know that isn't where the target is. I have a friend that works state crime lab and according to him after those big busts around 5 years ago actual predators simply stopped using the Internet for CP. he said the only ones you catch that way now are social retards that touch nobody but themselves and are whacking off to the same shit that has been floating around since the 80s.

So what do the real child molesters use? USPS of all things. They only use the net long enough to set up a trade on a back alley board which according to my friend there is ZERO chance of a cop infiltrating because the entrance fee is video of you molesting a kid with an object of their choosing and they don't give enough time to fake the video.

After that it is all encrypted DVDs and mail dumps. So many DVDs go through media mail nobody is ever gonna notice and if they don't get a response within x amount of time they consider that link dead and move on. According to my friend they are quite worried that terrorist types are taking notes from the CP scum as their system is damned near foolproof. the only reason they even know of it is every once in a while a kid that one of them was abusing will tell and they'll find the discs, not that they can read them of course. And with guys looking at 500+ years for all the abuse and no prosecutor EVER gonna make a deal with a serial child rapist good luck on getting one to flip.

So in the end all you get is what my friend calls the "Social retards" that are completely harmless. One they busted had been so isolated from humans, even going so far as to have all his food delivered, that they had to tranc him like an animal to get him out of the building. According to him the ones they get now are a complete waste of money as you are throwing guys that if you threw them in a room with a kid would go hide in a corner into a cell for 60 years at taxpayer expense while the ones who actually rape children are nowhere near there. but the politicos want the "catch a predator" style headlines so they waste the cash.

So just as in TFA we piss money down a rathole all in the cause of "doing something" even if that something is completely fucking pointless and doesn't actually solve anything. Welcome to Amerika, where your rights can be shot to shit as long as its "for teh childrenz!"

I've gotten a call from the police about TOR

[hawkeyeMI]

I run an exit node on a VPS. Apparently it'd been used by some guy to try to get a teenaged girl to send him naked pics. They subpoenaed everything back to my business cable connection at home and then called up my company (i.e. me) about it citing a scary amount of information about me. I explained to the detective what TOR was (I already have the standard exit node info page up as recommended on the web server), and he'd already heard it from someone else (a civil lib organization running TOR exits used by the same guy). They dropped it there. Scared me a little and I contacted the EFF, who did not hesitate to offer support should something worse happen in the future. EFF is one of the only organizations I donate to, ever, and I donate a decent chunk of change every month. I'm a proud supporter and it's good to know they're there to support me too.

Re:I've gotten a call from the police about TOR

[hawkeyeMI]

Unfortunately it seems in order to protect the good you have to protect some of the bad as well. EFF discusses this a bit on their site.

Re:Intimidation

[dbet]

Unfortunately, for both police and prosecutors, they don't get any pay raise, recognition, or good points on their record for letting innocent people get away.

Re:ICE is doing what now?

[FredFredrickson]

If you had access to a child to molest yourself.. why would you need access to the porn?

Re:What about in Europe?

[nosferatu1001]

None of the above is true, and there is no singular "European law" that would enable it; each country has to have primary legislation enabling such a thing, and the implementation in each country can be very different.

Re:ICE is doing what now?

[Bob9113]

You are acting like the fact this guy was running a Tor exit node somehow means it was impossible for him to commit the crime.

No, he is acting like the fact that this guy's IP address appeared in somebody's log is not probable cause for search and seizure. He is acting like running a Tor node is not probable cause for search and seizure. He is acting like common carriage of Tor traffic does not imply responsibility for the content of the packets -- something that was found to be critical to the protection of First Amendment rights when the telephone companies were treading this very ground.

Re:ICE is doing what now?

[Mordok-DestroyerOfWo]

What more evidence than an IP address is possible, given the architecture of the Internet at this point?

Serious? If you don't know the answer to that question then you have absolutely zero business posting on a tech site like this one. Just another pro-jackboot shill willing to sell civil liberties for the illusion of security.

Re:ICE is doing what now?

[ifiwereasculptor]

If you had access to a wife/girlfriend/boyfriend/husband/dog yourself.. why would you need access to porn? Same reason.

Re:This is why we need COMMUNISM!

[darthdavid]

Communism means one thing and one thing only: the workers own the means of production. Citing a failed state that did just about everything wrong that it's possible to do wrong within a system no more disproves the value of communism that doing the same with a similar capitalist state would for capitalism.

Re:ICE is doing what now?

[SETIGuy]

It takes time. And if you know any detective rank cops,you know that the one thing that kills an investigation is time. If it takes more than a few days, forget about it. There are other crimes to work. The boss will tell you that it's a numbers game.... The DA wants convictions. That's all. Work the easy cases.

Re:ICE is doing what now?

[hairyfeet]

Because they have to upload the CP video FIRST before they are given the address. According to my friend it is maddening because trying to catch these guys is like trying to catch ghosts. they use fake IDs for mail dumps, some even pay a flunky to simply pick up the DVD and stick it in another envelope and mail it somewhere completely different, it is really maddening.

As for why they would want more CP if they have a kid to molest? Because the sick fucks collect CP the way some collect baseball cards, and it lets them show off their latest fucktoys? Remember we aren't talking the social retards here, the one they caught that let them learn of this in the first place is accused of over 27 molestations over a 16 year period.

As for seeing their faces on the videos? not gonna happen because after the "Mr Swirly" case they all invested (or pirated) video editing software and screw the hell out of their voices and faces. That is why the cops often pass around pics of an abused kid and not the abuser, because while they obscure the fuck out of their faces seeing the face of the child is a turn on for those sick fucks so they never obscure that.

Anyway I get to hear all about it since we "talk shop" around 3 times a year when I'm in the state capital, I let him know I'm gonna be in town and we set up lunch somewhere. the bitch is he is trying like hell to recruit me because they are seriously short handed and he knows I've always been damned good at data recovery, but honestly? I don't think I could take it.

I mean i'm glad there are guys like him trying to bust the sick fuckers but I think having to look at raped kids all day would fuck my head seriously up. I know he sees a shrink 3 times a week paid for by the state to help him "data dump" as he calls it but I don't think that would help. I have always been very visually oriented and seeing kids getting raped day after day AFTER DAY? And how he stays so cool on the stand is beyond me. I have watched the man work and he is like ice, all facts, never rattled. Sitting there while some smarmy lawyer tries to cover for a guy I KNOW has fucked his 9 year old, because I saw the video? I couldn't be that cool. I'd end up saying something like "Well maybe if your client would quit raping his 9 year old we wouldn't be here huh?"

So while I give the man credit I don't think I could do his job. I have only seen that crap one time, when a computer I was working on was infected with a link slammer bug that would fill the screen with pop ups including to CP sites. Man that shit was sick. I did write down the addresses and send them to that place John Walsh always recommended on AMW, but even looking at the crap long enough to get an address made me want to hurl. How he can do that 5 days a week? I don't care how much money he makes, it ain't enough.

Re:This is why we need COMMUNISM!

[Mashiki]

Yeah. And people in positions of power in communist states never expand, consolidate, or take over said 'workers' who own production. In turn claiming that they're working, for the works, to strengthen them. How about the USSR, well I realize that's another failed state. Or Cambodia? China? Look at that, the blood of millions.

So here's a family story. My mothers father was a farmer in the Ukraine. The government decides to take all of the food and livestocks that's been produced in order to give it to the central state. They leave him with 2 cows, and tell him he needs to have an additional 187 cows the following year. Which is what they took from him. Of course being that he didn't have it, they tossed him in a gulag for 25 years.

I'm sure that the reality of those of us who had family suffer under the "justice" of communism, are just peachy with your idea. Right behind the mass starvation that the government caused. A communist state is a very nice wonderful utopian idea, that fails in reality because the communist system has no balances, or checks against the inherent greed of a person for power.