Researchers Face Jail Risk For Tor Snooping Study 121
An anonymous reader writes "A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project (PDF) in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act. The researchers neither sought legal review of the project nor ran it past their Institutional Review Board. The Electronic Frontier Foundation, which has written a legal guide for Tor admins, strongly advises against any sort of network monitoring."
They can't be stupid. (Score:5, Interesting)
On the other hand, the story is hypothetical. No charges have been filed, and there's no real evidence that the government could give a flying flip.
OT factoid... (Score:5, Interesting)
Interestingly, I was once banned from /. for running a tor node. When I found out and emailed the admins they asked if I was running a tor server - I replied in the affirmative but had since taken the node down because my SOHO router wasn't up to the task.
The /. admins were very nice and restored my access almost immediately but I found the whole process interesting.
Re:OT factoid... (Score:3, Interesting)
Y'know, it's entirely possible you were banned for volume of traffic related to the tor node, and that they would have restored your access anyway, once it became apparant that that volume was due to tor and not due to you having dozens of sock puppets.
No possible jail (Score:2, Interesting)
These researchers are never going to be arrested or charged with anything.
They didnt do anything illegal.
All they did was copy data of packets passing THROUGH their Tor servers they had setup. They didnt compromise other's systems. This may be a moral question, ala reading emails that pass through your relay.
For 4 days in December 2007, they logged and stored the first 150 bytes of each network packet that crossed their network...
Re:if it is your equipment... (Score:4, Interesting)
The problem is monitoring the communication itself. You can't just pick up the phone and tape record someone without their permission, or pick up a camera and videotape them. By saving the first 150b of each transmission, they were technically doing this.
TFA does a pretty good job of explaining all the varies angles - from participation without permission to individuals under 18 to international issues - but they're coming up against a number of laws, such as the Wiretap Act, which is specifically aimed at this sort of thing.
What I'm wondering though is, and I'm no tor expert, since it was so easy for these folk to set up their exit and entry nodes to log the data, what's stopping the others running tor nodes to do the same? If they can do it, surely the Chinese government could be doing the same, using it to catch all those pro-democracy bloggers. The US could (and would) definitely use this, so what's stopping them, assuming they aren't already doing it?
Re:They can't be stupid. (Score:2, Interesting)
> Regardless of FAQ containing legal advice to the contrary.
Well heck! It was in an FAQ? Goodness! They ignored an FAQ. This must be the first time ever in the history of the net.
But seriously. The Tor people put a little note on their software saying: "Please don't monitor the network traffic of our uber-secret software", presumably because of a fear that publicity about the nature of the websites visited by Tor users would undermine support of the project.
Quite frankly, that is a little like S/MIME vendors saying "you may be breaking laws if you try to crack this software."
Of course Tor is going to be a target for security researchers. Quite right too.
And as others have noted, there is no suggestion that anyone is actually looking to file charges.
I wonder if this story isn't a plant by the Tor people.
Re:You can't jail them@ (Score:3, Interesting)
I may be missing something, but isn't the whole point of tor that something like this isn't possible?
If this actually points out flaws in tor that may have been missed, and the info is made publicly available, won't this help strengthen the system?
Re:not to worry (Score:3, Interesting)
Except for one blogger, no scientists have been threatened with prosecution. The article just says that they could be prosecuted, maybe, and that they should have run this by some lawyers and/or some oversight commitee.
I hope they are not reprimanded and not fined because they clearly had no intention of wiretapping anyone and made no attempt to identify individuals or correlate their actions. 150 bytes of exit data barely gets them past the TCP/UDP and IP layers.
IRB? (Score:3, Interesting)
As a social science undergrad,
Which means most of your research probably involves human subjects (assuming it involves some new data collection), so of course you have to get approval. I know all about IRB from psych courses for the same reason.
Most comp sci prof rarely run human subjects (or consider that they data they're looking at comes from human subjects) and therefore often don't need to get IRB approval. The only comp sci field that I can think of that regularly would run human subjects is HCI, and even most of those studies could get an IRB waiver pretty easily (assuming they even need oversight.) I think these guys were security's people, so they mostly deal in algorithms. I doubt they thought much beyond the various data collection. Granted, they all should have known better, but I've yet to here a comp sci prof mention IRB (even in courses where it's relevant, like ethics.)
Re:They can't be stupid. (Score:3, Interesting)
Well its not really illegal! All the data is being sent over the researchers computers unencrypted!
Just because a medium is not encrypted doesn't mean it's legal to listen in on it. Your phone line is unencrypted.
Tor even states that the communication isn't secure after it hits the last "exit node" and warns users that they should not use it for security but anonymity!
"Isn't secure" in this context refers to the fact that it is not encrypted in any way. Refer to the previous argument.
It is perfectly legal to capture data which is sent to or from your personal computer/network!!!
When did TOR become your personal network?
Are they really not covered, though? (Score:4, Interesting)
IANAL, but following the link from the article to
18 USC 2511, reading 2(d)
"It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State."
Couldn't it be argued that since they are running the TOR server, they are a 'party to the communication', and are thus covered by this exception?
I mean, the client connects to them, they're a party to that communication, they connect to the server, they're a party to that communication ...
Re:You can't jail them@ (Score:5, Interesting)
How is their study either unethical, or illegal as you have claimed? Ignoring your hypothetical marijuana study as completely irrelevant you seem to have missed the key points in what they did.
They did not run a "wiretap" as claimed. They monitored the traffic at a tor node that they controlled. People willingly sent them the information that was supposed to be private.
Their study is a scientific investigation into whether the privacy claims of Tor can be sustained. They cannot - the system is open to abuse. This is an entirely ethical study into the claims made by Tor, and furthermore this is exactly how good empirical science should work.
Re:You can't jail them@ (Score:1, Interesting)
Tor makes no implication that exit node operators cannot read anything out the exit node, the only option for anyone using they system is to encrypt the traffic outside the scope of Tor.