The EFF Reflects On ICE Seizing a Tor Exit Node

An anonymous reader writes "Marcia Hofmann, senior staff attorney at the EFF, gives more information on the first known seizure of equipment in the U.S. due to a warrant executed against a private individual running a Tor exit node. 'This spring, agents from Immigration and Customs Enforcement (ICE) executed a search warrant at the home of Nolan King and seized six computer hard drives in connection with a criminal investigation. The warrant was issued on the basis of an Internet Protocol (IP) address that traced back to an account connected to Mr. King's home, where he was operating a Tor exit relay.' The EFF was able to get Mr King's equipment returned, and Marcia points out that 'While we think it's important to let the public know about this unfortunate event, it doesn't change our belief that running a Tor exit relay is legal.' She also links to the EFF's Tor Legal FAQ. This brings up an interesting dichotomy in my mind, concerning protecting yourself from the Big digital Brother: Running an open Wi-Fi hotspot, or Tor exit node, would make you both more likely to be investigated, and less likely to be convicted, of any cyber crimes."

don't let your stuff be used for criminal stuff

[alen]

seizing anything that is suspected of being used for criminal activity has been perfectly legal for hundreds of years. and there is no excuse that you were running some service or other and didn't know what other people were doing. if the cops get a hunch they will seize your stuff to look for evidence and impound it if there is evidence of a crime

Re:don't let your stuff be used for criminal stuff

[pseudocode]

You're right - it's like lending someone a car which they then commit a crime with; you're not guilty of a crime, but it's still fair enough for them to impound the car as evidence.

Investigated == not good

[SirGarlon]

Running an open Wi-Fi hotspot, or Tor exit node, would make you both more likely to be investigated, and less likely to be convicted, of any cyber crimes

Unfortunately there is a lot the authorities can do under the name of "investigation" to harass, abuse, intimidate, and even detain you. Seizing computers is bad enough but if they really want to play hardball they can haul you in "for questioning" ... on a daily basis ... and pick you up at inconvenient times like when you're at the office or in the middle of the night. So really being investigated is the thing you don't want, because it can make your life hell and in the end the cops can just smile and say "No charges. Have a nice day, citizen."

Re:don't let your stuff be used for criminal stuff

[betterunixthanunix]

Right, that's why ISPs constantly have their routers and DNS servers seized, because so many people are using those computers for criminal activity.

Oh, wait -- ISPs are corporations, so we treat them differently. When it is some guy running a service out of his home, then the other set of rules applies, where the service operator is harassed by ICE and threatened when his equipment is returned.

Unfortunately...

[fuzzyfuzzyfungus]

'Mere' investigation can be made rather unpleasant, depending on the crime in question, the enthusiasm of the cops running after it, and your access to legal representation...

There are the practical difficulties: Having everything vaguely resembling a computer siezed and held for who-knows-how-long, potentially quite signifcant legal costs, etc.

And there are the ones arising from the common, but troublesome, opinion that investigation is a sort of lesser degree of guilt. The taint by mere association is worst with kiddie-porn related matters; but the touchier types seem to consider "Police Record: Checked, found absolutely nothing." to simply be a subspecies of "Police Record" and act accordingly. Fan-tastic.

Re:Intimidation

[pseudocode]

Not at all - just because it's a TOR endpoint and any traffic there is a dead end doesn't invalidate checking all the other forensic options like browser cache etc, running TOR could just be a way of hiding in data volume. It's probably not the case, but if they don't follow a piece of evidence then that's bad.

Re:ICE is doing what now?

[Anonymous Coward]

Isn't ICE supposed to be dealing with illegal immigrants? Oh, right. I forgot. This is the Barry administration, where the Justice Department doesn't prosecute the Black Panthers for voter intimidation (even though they already won the case) and ICE has been tasked with ensuring that illegals are allowed to remain here, as long as they are registered Democrats.

No, ICE (which was renamed during the reorganization of INS that took place under the Bush II administration, you partisan hack) stands for Immigrations and Customs Enforcement.

Sovereign states have the right to control what passes over their borders. It's part of the definition of statehood. Immigration is about who, Customs is about what.

Back on topic, EFF's "Tor is Legal" sounds an awful lot like the arguments made to justify Freenet back in the day. Ultimately, they all rely on notions like "in any sane legal system", or "in any free country". Problem is, by those sorts of definitions of "free" or "sane", the country hasn't been free since Patriot I, and its legal system has never been sane.

With the end of the Cold War and the demise of the USSR, we lost any motivation for claiming the moral high ground. From printers that identify their owners (like the Romanian archives of individual keystrokes from every manual typewriter), to widespread and omnipresent surveillance (decades before it became a meme, "In Soviet Russia, television watches YOU" was a joke about how much more free we were than the Russians), we ended up becoming what we fought against.

Re:ICE is doing what now?

[dreemernj]

You are acting like the fact this guy was running a Tor exit node somehow means it was impossible for him to commit the crime. That is a ridiculous line of thought and if things operated that way, every criminal could simply operate a Tor exit node and be out of reach of investigation.

Re:Intimidation

[cheekyjohnson]

Between letting a criminal get away and harming an innocent, I'd rather let the criminal get away, to be honest.

Re:don't let your stuff be used for criminal stuff

[biodata]

Quite a few corporations do this routinely and are never prosecuted for it. Individuals are unlikely to take the risk due to the personal cost of a mistake, against which they can't insure. Carrying parcels for people on aeroplanes is not the same as sharing your spare computer capacity with anyone who needs some at the time. You are not carrying anything for anyone.

Re:don't let your stuff be used for criminal stuff

[betterunixthanunix]

Traffic through ISPs is expected to originate with the customers

A provably false assumption even when Tor is not involved. I share an Internet connection with several other people, and my name is not the name of the account holder. When I was in high school, my (nerdier) friends and I used to grant ssh access to each other -- someone who was not even a resident of my home could have been using my Internet connection. I once discovered that a network administrator had not changed the default password on a router; I could have used that router to relay any traffic I wanted. Then there is this:

http://www.itworld.com/security/84077/child-porn-malwares-ultimate-evil [itworld.com]

As the EFF said, an IP address does not identify a human being, and it does not necessarily identify a specific computer. An IP address may be helpful in an investigation as a clue, but a lot more evidence is needed before you can claim that any person or residence is responsible for the traffic originating at an IP address.

Running an exit node is like volunteering yourself for anything. You might end up helping someone commit a crime.

Parking your car in the right spot on the street might help someone commit a crime. So what? Even the police use Tor, when for example they are investigating illegal websites and don't want to reveal that they are law enforcement. Exit node operators should not face this sort of harassment, especially not in the United States (the country that started the Tor project).

Re:Intimidation

[elrous0]

An employee at an ISP could download child pornography and disguise it as traffic from a customer. Why, then, does ICE not seize the ISP's equipment as part of their investigation, just to see whether or not that is the case?

Because very few police organizations would have the forensic skills to even determine that (outside of the FBI, most police agencies are lucky to have a copy of EnCase and maybe one or two guys on staff who know a little about computers). And a prosecutor would have an almost impossible time proving the case because of the nature of it being an ISP. So they don't waste their time.

Real life law enforcement isn't about being fair. Most of the time they're just going after the low-hanging fruit and the shit they can't ignore.

Re:ICE is doing what now?

[betterunixthanunix]

disallowing their use as probable cause for a search warrant would seem to set an unreasonably high legal bar.

No, it would set the legal bar exactly where it should be: requiring the police to actually identify a person as a suspect. If the police are unable to do so, then they should not be granted a warrant -- this is not a country where we grant the police general search warrants, and it is better to let some criminals walk free than to harass innocent people.

Re:don't let your stuff be used for criminal stuff

[Sarten-X]

I didn't say that traffic always originates with customers. I said it's expected to. That's a reasonable expectation, because the vast majority of home internet connections are for one household and not shared. The US Constitution only protects against unreasonable search and seizure.

These days, more connections are being shared across multiple computers, but still rarely outside the same household. Malware does happen, but it's also rare. Similarly, picking people out of a lineup isn't perfect. DNA evidence degrades over time, and can be contaminated very easily. Firearms can be altered to change their striations. Every kind of evidence used has a level of uncertainty to it, and that's why we have trials to determine whether the amount of evidence supporting a theory is sufficient to show guilt.

The purpose of any investigation is to look for evidence. In this case, the investigation found nothing substantial connecting Mr. King to the crime, so he's not being investigated anymore. Rant all you like about how unreasonable ICE is, but it doesn't change the fact that they did their job perfectly ethically and in accordance with the Constitution. How do you think the investigation should have been conducted, balancing the need to check all potential sources of evidence with the need to respect privacy? Bear in mind, any evidence left in the possession of the suspect after he knows he's under investigation is tainted, and cannot be trusted.

Re:Answer To This.

[fuzzyfuzzyfungus]

I am neither a lawyer nor your lawyer; but I suspect that once the boys in blue are knocking on or down your door, you have a problem. It is unlikely that you'll manage to convince them to take your word for how your network is set up and just seize part of the potential evidence. Even if you do strike it lucky and get a techie with a gun and badge, rather than a cop who can pretty much handle dealing with physical evidence, why would he trust you, or do the fiddly forensics on site instead of just hauling it all off and doing the work back at the office?

You might have better luck with the seedy-but-legalish-if-often-a-cover-for-dodgy-activities techniques adopted by besuited scammers and corporations with creative accountants. A shell company, incorporated in one of the states with virtually bulletproof corporate veils and lax reporting requirements(scenic Nevada, for instance) with a vaguely telcomm-related name and no assets aside from a cheap hosted server somewhere, is no more immune to a raid than you are; but might encourage the investigators to finish picking over the raid evidence before deciding whether or not to try to hunt up the corporate officers/owners...

Re:don't let your stuff be used for criminal stuff

[betterunixthanunix]

How do you think the investigation should have been conducted

• Police get logs related to CP investigation.
• Mr. King's IP address shows up; the police check if it is a known proxy or Tor exit.
• It is a Tor exit. The police ask Mr. King for any logs he might have, and leave him alone while they continue looking for the real criminal.

Oh no, you mean that while we are busy respecting the rights of our citizens, some criminals might go free?! Yes, that is what I mean.

Re:ICE is doing what now?

[Sarten-X]

They wanted any computer equipment that may have had evidence relating to the investigation. The probable cause was that the IP address used was assigned to Mr. King's Internet connection, and Mr. King had entered into a legal agreement taking responsibility for the use of that connection, so it's probable that he knows what happened.

I guess because of OMGPRIVACY and OMGFUCKTHEPOLICE those sorts of facts get the boot.

Re:ICE is doing what now?

[Bob9113]

You are acting like the fact this guy was running a Tor exit node somehow means it was impossible for him to commit the crime.

No, he is acting like the fact that this guy's IP address appeared in somebody's log is not probable cause for search and seizure. He is acting like running a Tor node is not probable cause for search and seizure. He is acting like common carriage of Tor traffic does not imply responsibility for the content of the packets -- something that was found to be critical to the protection of First Amendment rights when the telephone companies were treading this very ground.

Re:This is why we need COMMUNISM!

[Mashiki]

Funny that. Wasn't it communism that gave east germans the STASI and a few hundred million dead, along with mass starvation now?

Yeah...