Slashdot Mirror


How Boing Boing Handled an FBI Subpoena Over Its Tor Exit Node

An anonymous reader writes: Cory Doctorow has posted an account of what happened when tech culture blog Boing Boing got a federal subpoena over the Tor exit node the site had been running for years. They received the subpoena in June, and the FBI demanded all logs relating to the exit node: specifically, "subscriber records" and "user information" for everybody associated with the exit node's IP address. They were also asked to testify before a federal grand jury. While they were nervous at first, the story has a happy ending. Their lawyer sent a note back to the FBI agent in charge, explaining that the IP address in question was an exit node. The agent actually looked into Tor, realized no logs were available, and cancelled the request. Doctorow considers this encouraging for anyone who's thinking about opening a new exit node: "I'm not saying that everyone who gets a federal subpoena for running a Tor exit node will have this outcome, but the only Tor legal stories that rise to the public's attention are the horrific ones. Here's a counterexample: Fed asks us for our records, we say we don't have any, fed goes away."


  1. A service to the community: release the text by Rinisari · · Score: 2, Interesting

    I think it would be a great service to the Tor community to release the text of what Boing Boing sent to the FBI as a shining example of how to handle such requests. It may need to be specifically tailored to the sender, but something to go off of might be of benefit to folks running a node who don't have the funds to see legal help outside of /r/legaladvice.

    1. Re:A service to the community: release the text by Anonymous Coward · · Score: 5, Informative

      From the article, literally the first link in the summary:

      Special Agent XXXXXX.

      I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).

      The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net/). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.

      I would be happy to discuss this further with you if you have any questions.

    2. Re:A service to the community: release the text by quantaman · · Score: 4, Informative

      I think it would be a great service to the Tor community to release the text of what Boing Boing sent to the FBI as a shining example of how to handle such requests. It may need to be specifically tailored to the sender, but something to go off of might be of benefit to folks running a node who don't have the funds to see legal help outside of /r/legaladvice.

      From the article:

        We contacted our lawyer, the hard-fightin' cyber-lawyer Lauren Gelman, and she cooled us out. She sent the agent this note:

      Special Agent XXXXXX.

              I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).

              The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net...). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.

              I would be happy to discuss this further with you if you have any questions.

      And that was it.

      --
      I stole this Sig
    3. Re:A service to the community: release the text by Anonymous Coward · · Score: 5, Funny

      I think it would be a great service to the Tor community to release the text of what Boing Boing sent to the FBI

      Seems unlikely, considering that it being a single click away was a sufficient deterrent to you reading it.

    4. Re:A service to the community: release the text by Actually, I do RTFA · · Score: 2

      Probably fairly similar. Or at least no worse than it would be otherwise. Most of the times you read about the feds jumping up and down on someone, it's when they decided to be "clever" or belligerent, or similar. Nothing is more likely to get a good response than a calm, respectful response.

      --
      Your ad here. Ask me how!
    5. Re:A service to the community: release the text by tlhIngan · · Score: 3, Insightful

      Note the FBI asked for logs and stuff - they were assuming the IP address in question was loaned out - either they were an ISP, or maybe a VPN provider, or some other thing.

      Presumably Boing Boing owns enough IP addresses that they can dedicate it just for TOR exit nodes. And nothing else - I mean, if they had a webserver on it, then presumably they would have logs to hand over.

      If it was you or I with a leaf connection to our ISP, then most likely things will not be so easy - since they will go after the ISP, who will happily give up your information. Unless of course, you decide you want to give Comcast more money and buy a connection just to run Tor on.

      So the trick may work in the limited case where yes, it's a dedicated Tor exit node and not used for anything else. But if there's a chance it was used for personal reasons or there were logs for some other service, then maybe things won't be so good.

    6. Re:A service to the community: release the text by Anonymous Coward · · Score: 2, Funny

      If you have the personal cell phones of the EFF's lawyers, you're most likely a thief and in need of some jail time.

    7. Re:A service to the community: release the text by Anon-Admin · · Score: 4, Insightful

      Not true, I ran an anonymous service for years. (Long before TOR became popular)

      I was visited by the FBI and Secret Service. I was also served warrants and subpoenas.

      The truth is, there is no law requiring that you track users or maintain logs of user activity. (In the USA)

      If you respond politely and let them know that it is part of an anon service and there are no logs available, they normally drop the request.

    8. Re:A service to the community: release the text by bkr1_2k · · Score: 2

      "Special Agent XXXXXX.

      I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).

      The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net...). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.

      I would be happy to discuss this further with you if you have any questions."

      Bold emphasis mine. The "at that time" portion is what is relevant here. What it has been used for at other times is irrelevant, if they're asking for a specific point or period of time. You can provide logs all day long about the activities during other times without it implying anything about the activities during the time the address was used as an exit node. It may still implicate YOU as someone who runs an exit node but there's currently nothing illegal about that.

      That's where my concern would be. How many times will this happen before some jackass tries to make logs a requirement or makes it illegal to even host such a thing in the USA?

      --
      "Growing old is inevitable; growing up is optional."
  2. logs? by ganjadude · · Score: 4, Funny

    what logs?

    would be funny if they sent them literal wood logs

    --
    have you seen my sig? there are many others like it but none that are the same
    1. Re:logs? by FatdogHaiku · · Score: 2

      all logs relating to the exit node

      Now I'm thinking about building a rack frame out of some thin lodgepole pines...
      Then you could take the frame apart and FedEX it to them as...
      wait for it...
      Support Logs!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    2. Re:logs? by Anonymous Coward · · Score: 2, Funny

      You just gave me the idea of a nerd costume party outfit...

      A guy with shirt that says "cron" who is holding a big log and looking at his watch, when it hits the minute mark he rotates the log and then goes back to looking at the watch waiting for the next minute.

      The right people would laugh their ass off...

    3. Re:logs? by Actually, I do RTFA · · Score: 4, Informative

      would be funny if they sent them literal wood logs

      This is the kind of "clever" response that gets contempt charges.

      When dealing with a subpoena, don't be clever. Don't be witty. Don't be funny. Don't ignore it (like Lavabit did). Just comply or fight it. Cause you are allowed to fight them. You just have to do so within a certain framework.

      --
      Your ad here. Ask me how!
    4. Re:logs? by dweller_below · · Score: 4, Informative

      Actually, we got the same response when we offered to send the actual logs.

      A very similar thing happened to USU. We received a summons from Homeland/ICE to produce 3 months of records (plus identifying info) for an IP that was one of our TOR exit nodes.

      I eventually managed to contact the Special Agent in charge of the investigation. He turned out to be a reasonable person. I explained that the requested info was for an extremely active TOR exit node. I said that we had extracted and filtered the requested data, it was 90 4 gig files (for a total of 360 gigs of log files) or about 3.2 billion log entries. I asked him how he wanted us to send the info. He replied that all he needed to know was that it was a TOR exit node. I then asked again if he wanted the data. He said something like: "Oh God no! Somebody would have to examine it. It won't tell us anything. It would greatly increase our expenditures. Thanks anyway."

      And that was the end of it.

      YMMV. All Rights Reserved. Not Available In All States. It helps if your institution has its own Police, Lawyers, and (an extremely active and effective) department of Journalism. And, it doesn't hurt if it is cheaper (and easier) for you to respond to the summons/subpoena, than it is for the Authority to issue it and deal with the result.

  3. There's a lot of fantasy in that last line... by He Who Has No Name · · Score: 4, Interesting

    "Fed asks us for our records, we say we don't have any, fed goes away"

    Normally the response is "Fed finds some way to screw with you until you cry uncle, end up in Club Fed, or both".

    Federal prosecutors don't enjoy a conviction rate higher than the Spanish Inquisition because they're reasonable.

    1. Re:There's a lot of fantasy in that last line... by AHuxley · · Score: 2

      The US gov at a federal level has had a lot of success on onion routing due to its design, years of US funding and popularity.
      If subscriber records at both ends can be presented that's great for parallel construction in open court.
      The "who" is hard to find as a user at first, but working out when, how much data and the entire onion routing path is not hard.
      So watch the first hop, the exit node and :)
      Metadata and time is another key. Watch the user go online and appear on the other end of onion routing.
      A traffic confirmation attack then helps with that drops on the logs..

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:There's a lot of fantasy in that last line... by Anonymous Coward · · Score: 2, Informative

      Except that in EVERY case where a tor related "takedown" occurred, it only occurred because some aspect of basic operational security was neglected.

      OPSEC fucking matters, above all else.

  4. While it might make conspiracy nuts sad by Sycraft-fu · · Score: 4, Interesting

    That is actually how it works. The FBI is not, by and large, dumb about investigations. They are arguably one of the best in the business. Part of that is they know that you can't always get the evidence you want. So they'll subpoena records, but so long as you make a good faith effort to comply, they tend to be happy.

    At work (a university) we get FBI subpoenas once in a while. Quite often it is for shit that we don't have, like someone's e-mail from a long time ago. We look, see if we have a backup, and if not let them know. They are then on their way.

    When people get in trouble is when they try to jam them up or break their own rules. Like if you have a company rule that says you keep all documents of X type for Y years, and they are asking for something that is Y-3 years old, they may well get miffed and go after you if you don't have it. However if you do not retain document type X, and there is no law requiring it, simply letting them know that will make them happy.

    This isn't to say nobody ever gets a bad/vindictive/whatever agent that tries to create problems, but if you were to do a study, I bet you'd find that most of the interactions are very professional and they are perfectly understanding if you don't have the information they want. In the cases where a hissing match started it was because someone had the information and refused (or made it sound like that) or otherwise jammed them up.

    1. Re: While it might make conspiracy nuts sad by Anonymous Coward · · Score: 3, Insightful

      And this, kiddies, is why we don't keep records any longer than we have to. Not keeping them at all is even better.

  5. And if you're not BoingBoing? by SuperBanana · · Score: 2

    It's amazing that Doctorow is so thick as to not understand his privilege.

    The FBI agent probably dropped it as soon as he realized who Boing Boing was.

    Your average home user or small business running a tor exit node is not going to be treated with anywhere near that kind of kindness.

    1. Re:And if you're not BoingBoing? by Anonymous Coward · · Score: 4, Interesting

      I have received a scary call from a random police department investigating a case of a guy blackmailing an underage girl for nude pictures, connected with my Tor exit node. I explained to the guy what Tor is, he researched it, they said thanks that's all.

      I immediately contacted the EFF after they called me and they said if anything more came up they'd be happy to help me out. It's not just Doctorow.

    2. Re:And if you're not BoingBoing? by Dutch Gun · · Score: 2

      Are you kidding me? Hell, I don't know who Boing Boing is. No, seriously, I'd heard the name mentioned once or twice, but I had no idea what it was until I just now took a quick peek at the site. And I still don't know exactly what it is.

      I'd also bet the vast majority of US citizens have never heard of Boing Boing.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  6. This only works for larger companies. by SuricouRaven · · Score: 4, Insightful

    It's not subpoenas that worry node operators. A company gets subpoenas. An individual gets a squad arriving to smash the door down, throw everyone in the house to the floor and confiscate anything with a battery. All done for very good reason: If a suspect had any warning they may use that time to destroy evidence. Still disruptive enough to discourage operating an exit node.

  7. Ummm, kinda the opposite by Sycraft-fu · · Score: 2, Insightful

    The reason they have a high conviction rate is because they very rarely go to court frivolously. They go in ready. They are methodical about their evidence collection and they make sure they have someone 100% before they indict. A friend sat on a federal grand jury and he was stunned by the amount of evidence they presented. This was just a grand jury, the standard is much, much lower than trial but it didn't matter, they went in fully prepared all the time.

    That's a good thing. A low conviction rate is not something we want to see in a court because it means either that the prosecutors are incompetent, or that they are abusing the court system and hauling in innocent people just to fuck up their lives. Ideally conviction rate would be 100%: They'd never bring in anyone unless they had iron clad proof of guilt, and they'd never make any mistakes. Of course we don't have that, but we should try to be as close to it as we can.

    A high conviction rate does not imply a kangaroo court that just convicts anyone. Certainly those have high conviction rate, but a well functioning justice system does as well.

    1. Re:Ummm, kinda the opposite by Inoen · · Score: 3, Interesting

      A friend of mine who used to work as a prosecutor (in a different country) told me they aimed for an 80% conviction rate (i.e. conviction in 80% of the cases that went to court).

      If they got less than 80 it would be a sign that they were generally taking cases to court with insufficient evidence. More than 80 meant they were being too cautious.

      That was their reasoning anyway. 100% was explicitly not their aim.

  8. Don't log or track too much in general by uniquegeek · · Score: 2

    Are we capable of logging information at our workplace that would give concrete answers about some legal issues that could arise? Yes.
    Do we do it? Oh, hell no.

    We log some stuff, but we're careful not to do too much as we don't want to be accused as being "responsible" for the behaviour of some idiot or jerk because "we should have known what was happening".

    A desire to nail someone for being naughty could be one of your own undoing.