How Tor Helps Both Dissidents and the Police

Al writes "Technology Review has a in-depth article about the anonymous networking software Tor and how it is helping dissidents spread information in oppressive regimes such as Syria, Zimbabwe and Mauritania, and opening up the unfiltered web for users in many more countries. In China, for instance, the computers found in some web cafes are configured to use Tor automatically. Interestingly, some police agencies even use the software to hide their activity from suspects. As filtering becomes ever more common in democratic countries such as the US, perhaps Tor (and similar tools such as I2P), will become even more valuable."

Great article but

[island_earth]

I'd like to see a discussion of the legal ramifications of letting your system be used as a Tor relay. Suppose I volunteer some of my home network capacity to Tor.

Putting aside the fact that it's probably a violation of my broadband provider's agreement to share my connection in this way, what if someone uses Tor for kiddie porn and happens to make the final connection to the police honeypot (so to speak) from my IP address?

If anyone can point to a good discussion of this, it would be great. I'd like to let my system be a relay for Tor, but the risk seems large.

Is TOR really make web surfing anonymous?

[ogrisel]

I always wondered whether it is not possible to attack TOR with statistical analysis provided you can dedicate significant resources to it. Suppose you are a big brother-style government agency with many computers and bandwith pipes dedicated to your goals. Could you not register a significant amounts of output and intermediate nodes (like say 10% of all nodes) that are specially improved to cooperatively log output HTTP traffic along with various web services session cookies, headers and originating IP addresses in a centralized DB and then use statistical analysis to identify the candidate source IP addresses of suspicious HTTP traffic?

Re:As with most technology

[interkin3tic]

But the more problematic criminals are also the ones that are most likely to be aware of this and be careful with what and who they trust.

I'd rather have problematic criminals than problematic government/corporate censorship, and anyway the two are never mutually exclusive. Government filtering the internet doesn't seem to be getting rid of all child porn. What's the point then of censorship if the stuff they mean to censor is still out there?

Re:Is TOR really make web surfing anonymous?

[ogrisel]

So it is actually dangerous to market TOR to non tech savy people who do not systematically check that they are surfing only on https websites or orther encrypted protocols. I guess you can harvest a great amount of passwords and other sensitive data by sniffing the http traffic of a single exit node.

Re:Is TOR really make web surfing anonymous?

[Anonymous Coward]

Correct. The exit nodes doing this are opening themselves up to legal liability. But that means nothing in practice.

They can sniff passwords and other private information from people who don't really understand how Tor works.

Law enforcement agencies can monitor for fools who are doing illegal communications and leak identifying clues in their messages.

Tor is great, but it's not magic. You are still using a proxy. Even though the intermediaries cannot see, the final server has to.

Website providers that care about anonymity should run Tor on their servers and provide a .onion tunnel to their regular websites.

They don't have to be exit nodes, they will just allow direct encrypted access to their site. It's like SSL, but beefier and easier.

Re:Fine Line

[Hatta]

As long as the police arrest more people for having Cannabis than they do all violent crimes combined [stopthedrugwar.org], they ARE the criminals. The police victimize more people than they protect. It's that simple.

Re:As with most technology

[One Monkey]

Interestingly this makes a relevant point about the nature of human society.

If you imagine human society as performing a function that function is blanket growth and development. A good citizen is happy and/or quiet. A bad citizen is unhappy and/or not quiet.

By "or not quiet" I mean to say that in order for society to measure its own success we apply statistical measures to features of our society to look for noise. Noise, in this case, meaning people whose metrics do not conform to the metrics of a happy, quiet citizen. This is a technique for finding societal "cheats", e.g. criminals, outlaws, societal parasites. One of the metrics of the good society is a low incidence of these cheats, or, apparently, a good rate of societally mandated effective punishment for cheating.

Of course one of the problems of the definition of this paradigm is that it relies on statistical noise as a factor in determining a citizen's likelihood of being a "cheat". In these circumstances the mere fact the police are talking with you indicates that you have broken the covenant of silence. You are creating some sort of a noise. The police are talking to you because there is a problem in your statistics.

In these circumstances it is probably enough to most governmental bodies that you are loud whether you appear to be a "happy" citizen or not. It's a society where if you are noticed you are probably guilty.

What we would need to do to change this is change the way we fundamentally define a "good" society. After all not everyone who is loud and unhappy is a cheat. Someone can abide by the law even if they don't like it.

The problem remains, cheats cheat in secrecy. So if a society wants to reduce cheating it has to have some method of cheat detection. This is a problem of defining what that method is. Until we can detect cheats without relying on their statistical non-conformity (or have some profiling mechanism that is more reliable than a guess) we're stuck with this attitude from authority.