Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researchers Face Jail Risk For Tor Snooping Study

CmdrTaco posted more than 6 years ago | from the learning-is-dangerous-business dept.

Privacy 121

An anonymous reader writes "A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project (PDF) in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act. The researchers neither sought legal review of the project nor ran it past their Institutional Review Board. The Electronic Frontier Foundation, which has written a legal guide for Tor admins, strongly advises against any sort of network monitoring."

Sorry! There are no comments related to the filter you selected.

You can't jail them@ (3, Funny)

wvdmc (1227780) | more than 6 years ago | (#24318681)

They did it in the name of SCIENCE!

Re:You can't jail them@ (4, Funny)

tritonman (998572) | more than 6 years ago | (#24318747)

I guess if they get jail time, the lesson to learn is "Do as I say, not as I do."

Re:You can't jail them@ (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#24321187)

Don't worry, they'll get retroactive immunity... even if it is an Obama-nation.

Re: You can't jail them (4, Insightful)

Squeamish Ossifrage (3451) | more than 6 years ago | (#24322233)

Something that the CNET article failed to address was this: This work was _exactly_ in line with the norms and standards of networking research. It is quite normal for network operators to collect partial or full traffic traces, for both operational and research purposes.

If you believe that this study was inappropriate, then so is a very large fraction of networking measurement research. Consider at the very least:

    * Just about everything done by CAIDA [caida.org] .
    * The papers at IMC [imconf.net] - the Internet Measurement Conference.
    * Data at CRAWDAD [dartmouth.edu] - the Community Resource for Archiving Wireless Data at Dartmouth.

A large part of computer science research consists of observing how systems are used and how they work or don't work. You can do some small-scale studies on a private system with the explicit agreement of all users, but for something as large and complicated as the Internet, the only way to do meaningful research is to observe the real thing, which necessarily means that you can't identify and get the consent of all the users involved. That's the way this field works. Responsible researchers collect the least invasive information possible for their purposes, use it benignly, and anonymise anything they release so that individual users cannot be identified. The authors of this study did exactly those things.

Now, if you want to ban all observation-based networking research, I suppose that's a legitimate position. But you have to be willing to forgo the benefits of that research. Otherwise, you should accept that the authors acted responsibly and within the norms of the field. Moreover, the purpose of this research was to understand and thereby _improve_ TOR. The researchers identified several serious problems which were already being exploited by "black hats" for malicious purposes. Research like this enables those problems to be addressed before actual harm results.

Re:You can't jail them@ (0)

Anonymous Coward | more than 6 years ago | (#24318833)

It involved students trying to climb the social ladder. It was more like--in the name of some corporate jobs and the fourth kid.

Re:You can't jail them@ (0, Redundant)

ObsessiveMathsFreak (773371) | more than 6 years ago | (#24318847)

Albeit in a very unprofessional manner.

Re:You can't jail them@ (4, Funny)

elrous0 (869638) | more than 6 years ago | (#24319319)

Of course we should jail them. According to the Bush administration, science is a major threat to our country!

Re:You can't jail them@ (4, Insightful)

zoogies (879569) | more than 6 years ago | (#24320711)

Speaking of the Bush administration and violating wiretapping laws...

Re:You can't jail them@ (1)

praedor (218403) | more than 6 years ago | (#24322337)

To get off they'd either have to be part of the Administration, a Banker, or one of his major donors.

Re:You can't jail them@ (1)

elrous0 (869638) | more than 6 years ago | (#24322753)

Science is great--just as long as you're using it to look for oil.

Re:You can't jail them@ (1)

FrozenFOXX (1048276) | more than 6 years ago | (#24322717)

Science is a lie sent by liberals to kill us!

But seriously the way the administration treats scientific pursuit you'd think we were at war with it.

Re:You can't jail them@ (2, Insightful)

sm62704 (957197) | more than 6 years ago | (#24319597)

If you do a legitimate study on the effects of different strains of marijuana, and control the genetics by growing the pot yourself, without all the impossible to get paperwork and permissions, you're going to prison.

Why should these guys be any different? In the case of the reefer nobody's hared, in these guys' cases they invaded innocent people's privacy. Not only were their actions illegal, they were highly unethical.

Re:You can't jail them@ (4, Interesting)

smallfries (601545) | more than 6 years ago | (#24321693)

How is their study either unethical, or illegal as you have claimed? Ignoring your hypothetical marijuana study as completely irrelevant you seem to have missed the key points in what they did.

They did not run a "wiretap" as claimed. They monitored the traffic at a tor node that they controlled. People willingly sent them the information that was supposed to be private.

Their study is a scientific investigation into whether the privacy claims of Tor can be sustained. They cannot - the system is open to abuse. This is an entirely ethical study into the claims made by Tor, and furthermore this is exactly how good empirical science should work.

No good deed goes unpunished (1, Insightful)

acheron12 (1268924) | more than 6 years ago | (#24322017)

They should have just secretly used the data for nefarious purposes, instead of publicizing the security hole. When will these people learn?

Re:You can't jail them@ (2, Interesting)

scipiodog (1265802) | more than 6 years ago | (#24319881)

I may be missing something, but isn't the whole point of tor that something like this isn't possible?

If this actually points out flaws in tor that may have been missed, and the info is made publicly available, won't this help strengthen the system?

Re:You can't jail them@ (1, Informative)

skinfaxi (212627) | more than 6 years ago | (#24321821)

TFA explains that Tor itself doesn't do encryption. If you are using protocols that send name/pwd in clear text (like, FTP, POP, etc.), then Tor cheerfully passes those along. The most interesting thing they did IMO is seed the Tor traffic with honeypot clear text username/pwd combos and then watch for attempts to log in using those credentials, which happened almost immediately. There are hackers out there that are scooping up logins, taking advantage of the fact that people don't know (or don't care) how Tor works.

Re:You can't jail them@ (0)

Anonymous Coward | more than 6 years ago | (#24323073)

Tor traffic is NOT encrypted. It is only made anonymous. So when these guys monitored traffic going over their Tor router, they were able to observe the types and amounts of the traffic, and when they were an exit node, the destination.

Tor never says your traffic will not be handled/observed by others. In fact, it has to be handled by others. (And asking someone not to observe what you hand them is pretty naive.) These researchers did NOT link senders and receivers. I don't see privacy being broken. I see people trusting the Tor network to generate more privacy than it can. This research is definitely not completely ethical, but it is most certainly NOT akin to wiretapping. The charges are overly harsh.

Re:You can't jail them@ (5, Funny)

TheRaven64 (641858) | more than 6 years ago | (#24320923)

No problem, they just need to argue that, as operators of a Tor exit node, they are a telecoms company, then they get free retroactive immunity.

Re:You can't jail them@ (1)

praedor (218403) | more than 6 years ago | (#24322355)

Game, set, match.

Re:You can't jail them@ (1)

davester666 (731373) | more than 6 years ago | (#24322475)

For them to get immunity, they need a magic letter.

Hmm, I'm sure I've got one somewhere around here, as the FBI were handing out blank pre-signed ones a couple of weeks back.

Re:You can't jail them@ (1)

n1ckml007 (683046) | more than 6 years ago | (#24322603)

Look at me; still talking when there's science to do! When I look out there, it makes me GLaD I'm not you. I've experiments to run. There is research to be done, on the people who are still alive. And believe me I am still alive. I'm doing science and I'm still alive. I feel fantastic and I'm still alive. While you're dying I'll be still alive. And when you're dead I will be still alive. Still alive. Still alive.

Correct link to study (5, Informative)

miraboo (1164359) | more than 6 years ago | (#24318695)

The link to the study is borked. Correct link: http://www.cs.washington.edu/homes/yoshi/papers/Tor/PETS2008_37.pdf [washington.edu]

Re:Correct link to study (4, Informative)

Anonymous Coward | more than 6 years ago | (#24320425)

I don't wonder that the Tor people are upset by this study, because it makes some credible-looking claims that Tor does not adequately provide the anonymity it claims to. Amongst other things, the researchers warn that the design of the network can allow different actions by the same user to to be associated.

They also warn about things that have led many to doubt the project from the start: that (in their language) 'misbehaving' nodes can be set up that could take a range of actions detrimental to users.

Lest this be thought to be a hypothetical threat, consider this from their conclusion:

>we developed a method for detecting malicious
>logging exit routers, and provided evidence that
>there are such routers that
>speciïcally log insecure protocol exit traïfc

They also note that while they ran their node, they received numerous accusations of illegal activity, traced to their node's IP address. This has always been a danger for node operators - this test confirms it is a real threat.

Frankly, a reader of this report would be wise to reconsider Tor usage.

Yeah, who do those "researchers" think they are... (5, Funny)

jeffb (2.718) (1189693) | more than 6 years ago | (#24318699)

...music publishers?

Re:Yeah, who do those "researchers" think they are (0)

Anonymous Coward | more than 6 years ago | (#24319187)

...or the CP branch of the FBI?

Re:Yeah, who do those "researchers" think they are (0)

Anonymous Coward | more than 6 years ago | (#24320375)

...or Comcast for that matter...

not to worry (4, Insightful)

pak9rabid (1011935) | more than 6 years ago | (#24318703)

...the researchers could also face up to 5 years in jail for violating the Wiretap Act.

I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

Nope (4, Insightful)

dreamchaser (49529) | more than 6 years ago | (#24318775)

Not unless they have millions to spend on lobbyists.

Re:not to worry (3, Insightful)

MBGMorden (803437) | more than 6 years ago | (#24318785)

I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

One could only hope. Fads tend to run their course and then quickly fade away. I have a bad feeling this is more of a long term trend.

Re:not to worry (4, Insightful)

oahazmatt (868057) | more than 6 years ago | (#24318905)

...the researchers could also face up to 5 years in jail for violating the Wiretap Act.

I'm sure they'll be granted retroactive immunity for this. Seems to be the latest fad in Congress these days.

For that to work there's a preset number of times that you must use "terrorist", "nine" and "eleven" in your reasoning.

Re:not to worry (1)

Whalou (721698) | more than 6 years ago | (#24319151)

42 times to be exact.

Re:not to worry (3, Funny)

Kingrames (858416) | more than 6 years ago | (#24319153)

No, you just have to hand over $9.11 to Congress.
They're cheap now.

Re:not to worry (1)

strelitsa (724743) | more than 6 years ago | (#24319437)

They make it up on volume.

Re:not to worry (0)

Anonymous Coward | more than 6 years ago | (#24321869)

You need to add an "m" after that .11
 
I can't be bothered to sign in.

Re:not to worry (1)

cstdenis (1118589) | more than 6 years ago | (#24320447)

"protect" and "children" together also works.

Re:not to worry (5, Insightful)

AmonEzhno (1276076) | more than 6 years ago | (#24318959)

It does seem excruciatingly telling how scientists are threatened with prosecution whereas Illegal Domestic spies are treated with what almost seems like respect by the Federal Government. Kind of a reflection on the state of science vs military these days. Though in all honestly they should not have been doing this in the first place, but it's not easy to know 100% where the line is in research sometimes. So it would seem to me the best idea would be to reprimand them think some kind of appropriate fine, and set a precedent. That way it would be clear for later issues. I don't want to be monitored without my permission, I Don't know about you guys, even if it is for science.

Re:not to worry (2, Interesting)

huckamania (533052) | more than 6 years ago | (#24320063)

Except for one blogger, no scientists have been threatened with prosecution. The article just says that they could be prosecuted, maybe, and that they should have run this by some lawyers and/or some oversight commitee.

I hope they are not reprimanded and not fined because they clearly had no intention of wiretapping anyone and made no attempt to identify individuals or correlate their actions. 150 bytes of exit data barely gets them past the TCP/UDP and IP layers.

Re:not to worry (1)

FinchWorld (845331) | more than 6 years ago | (#24319129)

I don't think they'll get it, there are no mentions of "Think of the children", "Child Pornography", "Terrorism" or "For The Great And Glorious Freedom(TM) Of The USA!" within the study...

Re:not to worry (1)

spazdor (902907) | more than 6 years ago | (#24320539)

Consistent with the 'Common Carrier' gambit we used to enforce on our telcos, perhaps the right answer is: yes they can snoop, but if they do, they are accessories to any criminal activity the exit node engages in.

Cue the hypocrites (0)

Anonymous Coward | more than 6 years ago | (#24318711)

Sharing knowledge here == bad

Sharing knowledge other places == good

Maybe the correct answer is pay attention to what you agree to.

Re:Cue the hypocrites (1, Insightful)

sm62704 (957197) | more than 6 years ago | (#24319407)

It depends on the information. Can I have your Social Security number, your bank account number and debit card PIN number? You don't even wat your name posted; not even your slashdot user name!

Sharing SOME knowedge is good, sharing other knowledge is bad. Your anonymous cries of slashdot hypocricy ring hollow.

They can't be stupid. (4, Interesting)

Hyppy (74366) | more than 6 years ago | (#24318715)

How could these researchers not know that they were engaging in illegal wiretapping?

On the other hand, the story is hypothetical. No charges have been filed, and there's no real evidence that the government could give a flying flip.

Re:They can't be stupid. (4, Informative)

faloi (738831) | more than 6 years ago | (#24318845)

It sounds like, from the very cut down version of the story that's available at the link, they didn't want to go to the effort to find out. They probably figured (correctly) it'd be a huge hassle to go through all the hurdles to get the approvals they might need. Rather than dig into it, they talked amongst themselves and decided it wasn't a big deal. Regardless of FAQ containing legal advice to the contrary. They sought minimal outside advice, and may or may not have provided enough information for the third party to make a determination, but didn't pursue it.

When engaging in activities that might be legal, but might be a felony...I'll go for safe over sorry any day.

Re:They can't be stupid. (2, Insightful)

inviolet (797804) | more than 6 years ago | (#24319247)

They probably realized there will be no such prosecution, because prosecution would draw attention to how easily Tor activity can be monitored and conclusions drawn from it. That kind of attention is a Bad Thing: any government would instead prefer that citizens believe that they have access to something which is secret and anonymous (but which is actually not).

It's good to disrupt enemy communications. It's better to intercept enemy communications. It's best to eavesdrop on enemy communications when the enemy thinks eavesdropping is impossible.

Re:They can't be stupid. (4, Insightful)

somersault (912633) | more than 6 years ago | (#24319021)

If the info is passing through their own network interface - by actual design of the Tor system, and not because they have done something devious - how is this analogous to wiretapping?

Illegal wiretapping surely involves breaking into private communications that you are not intended to be part of, through either physical means, or perhaps via software - but by its nature, Tor allows anyone to connect into the network, and people know that what they are sending/receiving is going to travel through other poeple's computers (but can be fairly confident that nobody can trace anything back to them easily).

I don't see how researching into the protocol and viewing the packets that pass through your own node are illegal, unless you accept some kind of contract not to snoop when you install Tor.

Re:They can't be stupid. (3, Insightful)

Deagol (323173) | more than 6 years ago | (#24319305)

I, too, think this is a lame precedent. However, ownership of one end of the means of communication is no defense, as in some states where both parties must consent to recording phone calls. I'm not saying it's right, just that this is how it is in other cases.

Having said that, anyone using TOR who actually trusts the exit nodes needs their head examined. There are exit nodes which are known to be hostile, and some operators have even publicly stated they have monitored traffic and captured login/password pairs. One should never, NEVER access anything via TOR that may correlate to their meatspace life. Either use the web read-only, or set up nym accounts on sites that require registration.

Re:They can't be stupid. (0)

Anonymous Coward | more than 6 years ago | (#24319459)

So you're fine with your phone company listening in on your calls? That's exactly the same thing.

Re:They can't be stupid. (1)

Deagol (323173) | more than 6 years ago | (#24320289)

No, it's not the same thing.

On the one hand, we have an oligopoly of carriers that the public should be able to safely assume is honest and watched over closely by regulators. Due to their power and reach and (presumed) government oversight, we should be able to trust the telcos to do no harm (recent legislation aside). And on the other hand, we have a rag-tag confederation of volunteered servers with no specific charter, ethic, no terms of service, and no oversight -- nobody with an ounce of common sense should truly trust the TOR network 100% and the exit nodes even less so.

And, no, I don't think these researchers (or anyone else outside of the infrastructure providers) should be prevented from mangling/monitoring their packets in any way they choose. I also believe that any *person* should be able to record anything that comes over their phone lines. If this witch hunt gets out of hand, we can expect to see prosecutions for "wiretapping" in cases where suspicious wives install keyloggers to snare their husbands.

Re:They can't be stupid. (1)

PlusFiveTroll (754249) | more than 6 years ago | (#24321843)

If this witch hunt gets out of hand, we can expect to see prosecutions for "wiretapping" in cases where suspicious wives install keyloggers to snare their husbands.

From my understanding, it is legal for the wife to 'monitor' the usage of the computer because it is a shared property, aka while they are married she claims ownership of it. Now if she installed the keylogger on a computer (laptop for example) that was owned by his company, but he carried around, she would be in violation.

Re:They can't be stupid. (0)

Anonymous Coward | more than 6 years ago | (#24319775)

I think the laws in most states require notification of recording to the other party only if the recording is done by a third party. In other words, I can record a phone conversation between me another person without notification of recording. However, if I hire someone to do the recording for me, I have to give notification to the party on the other end of the line. At least, that how my state statute reads.

Re:They can't be stupid. (2, Insightful)

somersault (912633) | more than 6 years ago | (#24320019)

The thing is that you pay your phone company and have a contract with them, and at least in those states you will know that you have the chance of being monitored as it will be part of the contract. You also know that they won't just give out those recordings to just anyone (though the government or police will probably want it at some point).

With TOR you have no contract or promise that no undesirables are listening in. There is no way of stopping someone snooping on exit nodes, so if these guys are punished for this (and in the paper they show that they haven't even recorded anything beyond the application headers, so their data is completely anonymised and contains nothing beyond what apps are being used) it won't help justice at all - it will punish those who were just interested in the protocol and researching it, while letting those who are actively recording things like usernames/passwords off scot-free.

Re:They can't be stupid. (2, Interesting)

Anonymous Coward | more than 6 years ago | (#24319509)

> Regardless of FAQ containing legal advice to the contrary.

Well heck! It was in an FAQ? Goodness! They ignored an FAQ. This must be the first time ever in the history of the net.

But seriously. The Tor people put a little note on their software saying: "Please don't monitor the network traffic of our uber-secret software", presumably because of a fear that publicity about the nature of the websites visited by Tor users would undermine support of the project.

Quite frankly, that is a little like S/MIME vendors saying "you may be breaking laws if you try to crack this software."

Of course Tor is going to be a target for security researchers. Quite right too.

And as others have noted, there is no suggestion that anyone is actually looking to file charges.

I wonder if this story isn't a plant by the Tor people.

Re:They can't be stupid. (0)

Anonymous Coward | more than 6 years ago | (#24319863)

I don't see how researching into the protocol and viewing the packets that pass through your own node are illegal, unless you accept some kind of contract not to snoop when you install Tor.

Careful, your ISP might say the same thing.

Re:They can't be stupid. (1)

somersault (912633) | more than 6 years ago | (#24320235)

I don't get why people are comparing Tor to paid-for services and networks like ISPs and Telcos at all, it's like comparing a professional sports match with a professional referee to a game out in a public place that has no referee. You can't apply the same laws to it when it is just a bunch of people getting together without any contractual obligements or governing authority.

Presumably if they are monitoring you then it will say in your contract. The whole net neutrality thing is an ongoing debate at the moment anyway, I don't know what the law says about whether your ISP is allowed to monitor your traffic (though I don't see why not, I still thing the data-moving-through-my-network thing applies). Some ISPs seem to be good at not just handing out information about their clients, some aren't so good. If you don't like how your ISP operates, you move to a different one (or buy your own line - or, better yet, how about just starting your own country out in the middle of the ocean and make up your own perfect little utopia).

Re:They can't be stupid. (1)

Arccot (1115809) | more than 6 years ago | (#24320287)

Illegal wiretapping surely involves breaking into private communications that you are not intended to be part of, through either physical means, or perhaps via software - but by its nature, Tor allows anyone to connect into the network, and people know that what they are sending/receiving is going to travel through other poeple's computers (but can be fairly confident that nobody can trace anything back to them easily).

I don't see how researching into the protocol and viewing the packets that pass through your own node are illegal, unless you accept some kind of contract not to snoop when you install Tor.

Think about that applied to your ISP's routers. You know your data is going through their routers. Should they be able to legally snoop on your VOIP calls, data transfers, and anything else you send through them?

Re:They can't be stupid. (1)

somersault (912633) | more than 6 years ago | (#24320567)

Depends if it's in the contract, or if it's legal. I actually don't mind whether they're legally allowed to or not. It doesn't make much sense that they wouldn't be allowed to, seeing as it's their own hardware being used. If it's illegal for them to do so, that's nice, but I don't particularly see why it should be. It should be illegal for them to do anything malicious with the information, but why shouldn't they monitor what is going on in their own network?

On the other hand, I wouldn't particularly want the postman reading my mail, but that's probably because the postman is a more human concept than the very generic 'ISP'. Besides, when I get stuff like my credit card and PIN through the mail they aren't encrypted, while things like online financial transactions are.

Re:They can't be stupid. (1)

jgtg32a (1173373) | more than 6 years ago | (#24320561)

Actually there is a chance that if someone breaks into your machine and you log their activities that they can hit you with the wiretapping act. Which is why the MOTD is usually something along the lines of authorized access only blah blah, which will help your case. http://www.honeynet.org/book/Chp8.pdf [honeynet.org] (page 4)

Re:They can't be stupid. (0)

Anonymous Coward | more than 6 years ago | (#24322015)

There's no contractual piece to this. It's a particular wiretapping law that's a part of title 18 (undoubtedly the section's on slashdot somewhere).

This is the same law that makes it illegal for the phone company to listen to your calls. There are a few exceptions, for instance doing maintenance on a network (sysadmins you're safe) or if the person's given consent. I'd suggest you read the actual statute. I would point out though, there's no test in the law for your motives. If you're doing it for good or evil, it doesn't matter. Interception is the crime, unless of course you're within an exception.

And while I've seen the argument thrown around on here that using tor grants consent to the person to monitor your packets, I seriously doubt that argument gets anyone very far.

I'm sure there are other defenses available, but you should understand that how these laws are written is not always reasonable.

This is a problem in lots of areas of law, but especially in the area of computers. Congresspeople and their staffs simply don't have the complete understanding of how systems work. I don't doubt they can have a presentation and actually learn how some discrete system works, but they didn't grow up with it and they don't have the big picture that is necessary when writing laws like this. I hope this will change as computer knowledge becomes more widespread.

It's important for this reason we make explanations of how systems work as simple and straight forward as possible, and educated everyone we can about them. That and run for congress.

Re:They can't be stupid. (1)

Henry V .009 (518000) | more than 6 years ago | (#24319061)

If you are reading this, then you are illegally wiretapping my Slashdot messages by intercepting them with your eyes. Hope you like jail time.

Re:They can't be stupid. (0)

Anonymous Coward | more than 6 years ago | (#24320249)

Well its not really illegal! All the data is being sent over the researchers computers unencrypted! Tor even states that the communication isn't secure after it hits the last "exit node" and warns users that they should not use it for security but anonymity! It is perfectly legal to capture data which is sent to or from your personal computer/network!!!
-rmx

Re:They can't be stupid. (2, Interesting)

Hyppy (74366) | more than 6 years ago | (#24320353)

Well its not really illegal! All the data is being sent over the researchers computers unencrypted!

Just because a medium is not encrypted doesn't mean it's legal to listen in on it. Your phone line is unencrypted.

Tor even states that the communication isn't secure after it hits the last "exit node" and warns users that they should not use it for security but anonymity!

"Isn't secure" in this context refers to the fact that it is not encrypted in any way. Refer to the previous argument.

It is perfectly legal to capture data which is sent to or from your personal computer/network!!!

When did TOR become your personal network?

Re:They can't be stupid. (1)

Squeamish Ossifrage (3451) | more than 6 years ago | (#24321387)

Something that the CNET article failed to address was this: This work was _exactly_ in line with the norms and standards of networking research. It is quite normal for network operators to collect partial or full traffic traces, for both operational and research purposes.

If you believe that this study was inappropriate, then so is a very large fraction of networking measurement research. Consider at the very least:

  * Just about everything done by CAIDA [caida.org] .
  * The papers at IMC [imconf.net] - the Internet Measurement Conference.
  * Data at CRAWDAD [dartmouth.edu] - the Community Resource for Archiving Wireless Data at Dartmouth.

A large part of computer science research consists of observing how systems are used and how they work or don't work. You can do some small-scale studies on a private system with the explicit agreement of all users, but for something as large and complicated as the Internet, the only way to do meaningful research is to observe the real thing, which necessarily means that you can't identify and get the consent of all the users involved. That's the way this field works. Responsible researchers collect the least invasive information possible for their purposes, use it benignly, and anonymise anything they release so that individual users cannot be identified. The authors of this study did exactly those things.

Now, if you want to ban all observation-based networking research, I suppose that's a legitimate position. But you have to be willing to forgo the benefits of that research. Otherwise, you should accept that the authors acted responsibly and within the norms of the field. Moreover, the purpose of this research was to understand and thereby _improve_ TOR. The researchers identified several serious problems which were already being exploited by "black hats" for malicious purposes. Research like this enables those problems to be addressed before actual harm results.

Do as I say, not as I do (0)

Anonymous Coward | more than 6 years ago | (#24318723)

So telcom executives are OK, but let's lock up the academics. All your civil libertarians are belonging to us!

Should have tried to get jobs at telco, first. (4, Insightful)

denis-The-menace (471988) | more than 6 years ago | (#24318731)

Apparently, US Telcos can snoop all they want and it's perfectly legal, now!

Re:Should have tried to get jobs at telco, first. (1)

sm62704 (957197) | more than 6 years ago | (#24320113)

We have the best legislators money can buy!

OT factoid... (5, Interesting)

Anonymous Coward | more than 6 years ago | (#24318763)

Interestingly, I was once banned from /. for running a tor node. When I found out and emailed the admins they asked if I was running a tor server - I replied in the affirmative but had since taken the node down because my SOHO router wasn't up to the task.

The /. admins were very nice and restored my access almost immediately but I found the whole process interesting.

Re:OT factoid... (2, Interesting)

zippthorne (748122) | more than 6 years ago | (#24318839)

Y'know, it's entirely possible you were banned for volume of traffic related to the tor node, and that they would have restored your access anyway, once it became apparant that that volume was due to tor and not due to you having dozens of sock puppets.

Re:OT factoid... (0)

Anonymous Coward | more than 6 years ago | (#24318917)

Y'know, it's entirely possible you were banned for volume of traffic related to the tor node, and that they would have restored your access anyway, once it became apparant that that volume was due to tor and not due to you having dozens of sock puppets.

That's possible. Hadn't thought of that.

Re:OT factoid... (5, Informative)

Anonymous Coward | more than 6 years ago | (#24319473)

Nope. Slashdot banned tor openly, as do most online discussion systems that don't want to be flooded by endless bots.

You either ban all tor users or you allow all tor users, since any one user can just reconnect through every tor node to evade ip bans(allowing them to create new accounts if their old one was banned). Most places would rather be able to ban users, so they disallow tor exit nodes.

if it is your equipment... (4, Insightful)

damonlab (931917) | more than 6 years ago | (#24318801)

What is the difference between what they did and say leaving your wifi access point open to snoop on anybody that might connect to that? Either way, the other people chose to actively connect to YOUR equipment. If it is your equipment, you should have every right to monitor it in any way you see fit.

Re:if it is your equipment... (0)

Anonymous Coward | more than 6 years ago | (#24318967)

If it is your equipment, you should have every right to monitor it in any way you see fit.

Does that apply to companies also? Telco companies?

Re:if it is your equipment... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24319001)

Yeah and in the AT&T wiretap scandal, the callers chose to actively send electrons through the snooping device.

Re:if it is your equipment... (3, Interesting)

Amorymeltzer (1213818) | more than 6 years ago | (#24319175)

The problem is monitoring the communication itself. You can't just pick up the phone and tape record someone without their permission, or pick up a camera and videotape them. By saving the first 150b of each transmission, they were technically doing this.

TFA does a pretty good job of explaining all the varies angles - from participation without permission to individuals under 18 to international issues - but they're coming up against a number of laws, such as the Wiretap Act, which is specifically aimed at this sort of thing.

What I'm wondering though is, and I'm no tor expert, since it was so easy for these folk to set up their exit and entry nodes to log the data, what's stopping the others running tor nodes to do the same? If they can do it, surely the Chinese government could be doing the same, using it to catch all those pro-democracy bloggers. The US could (and would) definitely use this, so what's stopping them, assuming they aren't already doing it?

Re:if it is your equipment... (0)

Anonymous Coward | more than 6 years ago | (#24319513)

What's stopping them? A number of laws, such as the Wiretap Act, which is specifically aimed at this sort of thing.

Re:if it is your equipment... (1)

compro01 (777531) | more than 6 years ago | (#24319589)

You can't just pick up the phone and tape record someone without their permission

Actually, you can do just that in a majority of the US. Only California, Connecticut, Delaware, Florida, Massachusetts, Maryland, Michigan, Montana, New Hampshire, Pennsylvania, and Washington require 2 party notification when recording a phone call.

Though in this case, all they have are "many people who use tor are from these places" and "people using tor often do these things", but no way to link who is doing what, as per the design of the network, as they would have to control all 7(?) nodes

Update to the old saying... (4, Funny)

Snap E Tom (128447) | more than 6 years ago | (#24318837)

Don't wiretap. The government hates competition.

Resume (1)

Wiarumas (919682) | more than 6 years ago | (#24318989)

Hey, with the way our country has been heading, this would be great resume material - even if convicted. Its not like they lost a database of SSNs...

Fire them (2, Insightful)

thesaurus (1220706) | more than 6 years ago | (#24319063)

As a social science undergrad, I had it drilled into my brain the importance of IRB's. Not following the review process can threaten your schools federal funding. Any grad student or professor should know better, regardless of their discipline.

IRB? (2, Interesting)

story645 (1278106) | more than 6 years ago | (#24320191)

As a social science undergrad,

Which means most of your research probably involves human subjects (assuming it involves some new data collection), so of course you have to get approval. I know all about IRB from psych courses for the same reason.

Most comp sci prof rarely run human subjects (or consider that they data they're looking at comes from human subjects) and therefore often don't need to get IRB approval. The only comp sci field that I can think of that regularly would run human subjects is HCI, and even most of those studies could get an IRB waiver pretty easily (assuming they even need oversight.) I think these guys were security's people, so they mostly deal in algorithms. I doubt they thought much beyond the various data collection. Granted, they all should have known better, but I've yet to here a comp sci prof mention IRB (even in courses where it's relevant, like ethics.)

No possible jail (2, Interesting)

tshetter (854143) | more than 6 years ago | (#24319073)


These researchers are never going to be arrested or charged with anything.

They didnt do anything illegal.

All they did was copy data of packets passing THROUGH their Tor servers they had setup. They didnt compromise other's systems. This may be a moral question, ala reading emails that pass through your relay.

For 4 days in December 2007, they logged and stored the first 150 bytes of each network packet that crossed their network...

Re:No possible jail (2, Insightful)

wild_quinine (998562) | more than 6 years ago | (#24319263)

They didnt do anything illegal. All they did was copy data of packets passing THROUGH their Tor servers they had setup. They didnt compromise other's systems. This may be a moral question, ala reading emails that pass through your relay.

At which point did it become legal to read emails that were being passed through your relay?

Re:No possible jail (1)

Zerth (26112) | more than 6 years ago | (#24320275)

At what point did it become illegal to inspect data coming through your network?

Cause I'd like to use that law against my ISP when they use deep packet inspection to filter my connection or insert ads into webpages I'm viewing.

Re:No possible jail (0)

Anonymous Coward | more than 6 years ago | (#24319667)

All they did was copy data of packets passing THROUGH their Tor servers they had setup. They didnt compromise other's systems. This may be a moral question, ala reading emails that pass through your relay.

Or tapping communications over wires running through your state/infrastructure.. wait what?

captcha, ironically enough: intercom

From TFA.... (1)

martin_henry (1032656) | more than 6 years ago | (#24319219)

I thought this section was particularly funny:

Since we are forwarding traffic on behalf of Tor users, our routerâ(TM)s IP address appears to be the source of sometimes malicious traffic. The large amount of exit bandwidth that we provided caused us to receive a large number of complaints ranging from DMCA Â512 notices related to allegations of copyright infringement, reported hacking attempts, IRC bot network controls, and web page defacement. However, an enormous amount of malicious client activity was likely unreported.

Did they really not see that one coming??

Re:From TFA.... (1)

Machtyn (759119) | more than 6 years ago | (#24320453)

Stating the obvious is a very good way to pad those reports. Especially when the professor is looking for pages of documentation. Plus, this was a finding that may have supported or contradicted a theory. In any case, it's worthy of being included in a report.

Should have said they were looking for terrorists (0)

Anonymous Coward | more than 6 years ago | (#24319259)

Would get them right off the hook...

grammar: nor (1)

cathector (972646) | more than 6 years ago | (#24319281)

"The researchers neither sought legal review of the project nor ran it past their Institutional Review Board."

Illegal Wiretapping? (0)

Anonymous Coward | more than 6 years ago | (#24319393)

If the government and telecoms don't have to obey the law, neither do I.

All this proves is... (1, Insightful)

suitepotato (863945) | more than 6 years ago | (#24319493)

...that Tor is in and of itself not secure enough. Any traffic passing over it needs intermediary obfuscation of origination and destination of traffic as well as encryption of traffic by the origination and destination separate from the Tor network similar to anonymous remailer chains.

Oh well, thanks to the government, the **AA people, and idiots like this, such networks are coming... and where once terrorists, organized crime, and other ne'er do wells had to pay some geeks for serious work to make secure communications a done deal, they will be able to download an open source package off the net with point and click simplicity that does everything they need and more. Just because the aforementioned dipsticks pushing the trend refused to listen to Princess Leia in Star Wars when she told off Grand Moff Tarkin.

You remember, tighter grip, more systems through your fingers. As in, oppression is counterproductive and carries the seeds of your downfall, and everyone else's...

Re:All this proves is... (1)

huckamania (533052) | more than 6 years ago | (#24319903)

I fail to see how the government or any of the others you named are responsible for Tor being insecure.

Tor is an example of why layers of security are not cumalative. The weakest link is not strengthened by putting a plastic sleeve around the chain or putting a bigger lock on the end.

Could you please provide a link to the coming open source secure network, cause I've never heard of such a thing and would love to take a look at it.

Re:All this proves is... (4, Insightful)

exley (221867) | more than 6 years ago | (#24319915)

...that Tor is in and of itself not secure enough. Any traffic passing over it needs intermediary obfuscation of origination and destination of traffic as well as encryption of traffic by the origination and destination separate from the Tor network similar to anonymous remailer chains.

Tor does encrypt data passing through the network, and it does obfuscate the source and destination... That's kind of the whole point. But unless the traffic is inherently encrypted (e.g. SSL), the exit node has to spit out unencrypted data, otherwise the final destination would have no idea as to what it was receiving.

Maybe the Feds broke the encryption (1)

iminplaya (723125) | more than 6 years ago | (#24319949)

and don't want to be found out, so it can be patched. Then they would have to start all over.

They have more than the law to worry about . . . (2, Informative)

matantisi (803144) | more than 6 years ago | (#24320155)

Failing to submit this study to the Institutional Review Board is a *huge* professional no-no! One of the major functions of the IRB is to ensure that research doesn't violate subjects rights -- particularly confidentiality and privacy rights (which could, I suppose, be why they didn't submit it). Even if the government decides to the let them slide (unlikely with a case of wiretapping), this has ramifications for the Universities. It can lead to the US Dept. of Education shutting down *all* of their research activities. They will be extremely unpopular where they are, and they'll have the devil's own time getting hired anywhere else.

Re:They have more than the law to worry about . . (1)

MikeURL (890801) | more than 6 years ago | (#24320621)

I think IRB is only required when there is a chance that the subjects could be individually identified or harmed. In this case the nature of the TOR network makes that virtually impossible. I don't see the IRB issue. Wiki has the relevant exemption:

2. Research involving the use of educational tests (cognitive, diagnostic, aptitude, achievement), survey procedures, interview procedures or observation of public behavior, unless:

1. information obtained is recorded in such a manner that human subjects can be identified, directly or through identifiers linked to the subjects; and

2. any disclosure of the human subjects' responses outside the research could reasonably place the subjects at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, or reputation.

But they didn't "tap" any "wires"... (1)

pseudorand (603231) | more than 6 years ago | (#24320217)

That's ridiculous! Wiretaping should be strictly defined as actually physically connecting your equipment to a wire you don't own or lease. TCP/IP is strictly point-to-point. If they got your information via Tor, it's because you ran software that specifically sent information to their IP address (or some other IP the subsequently passed it to them). If you used Tor not knowing this, that's your own fault, not theirs. If you assumed the information was undecipherable but they found that it wasn't, that's also your fault, not theirs.

Some of you will argue "but what about cable modem?". I think it's the same issue. If you subscribe to cable modem instead of DSL and a neighbor on your hub reads your data (I've read this is possible, but I have DLS, so I haven't tried it), well, buyer beware. If you use an access point without encryption, that's also your own fault.

There was a time when we referred to the Internet as the "public network" and assumed that all traffic traveling over it was fair game and potentially accessible by anyone. Those who needed more security were responsible for encrypting their own traffic and had to either trust their encryption algorithms or find another way to communicate. It's this mentality that will keep the Internet secure. Assuming there's some sort of expectation of privacy and forking over large sums of cash to lawyers to fight about it later spells doom for privacy.

Tor... Snooping? (1)

Tetsujin (103070) | more than 6 years ago | (#24320361)

Joseph Javorski. Respected scientist. Touch a button. Things happen. A scientist becomes a beast. Shockwaves of an A-bomb. A once powerful, humble man. Reduced toâ¦nothing. Joseph Javorski. Respected scientist. Now a fiend. Prowling the wastelands. A prehistoric beast in a nuclear age. Kill. Kill, just to be killing.

My defense is unstoppable (1, Troll)

mattwarden (699984) | more than 6 years ago | (#24320999)

Bush made me do it.

So does this mean I can't wargang at the UW? (1)

WillAffleckUW (858324) | more than 6 years ago | (#24321059)

I like to take my wireless laptop and check the nodes in the UW Tower as I climb the stairs.

Are you saying it's not research?

Because I work in research at the UW, so it must be science ...

Right?

Are they really not covered, though? (4, Interesting)

void* (20133) | more than 6 years ago | (#24321475)

IANAL, but following the link from the article to
18 USC 2511, reading 2(d)

"It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State."

Couldn't it be argued that since they are running the TOR server, they are a 'party to the communication', and are thus covered by this exception?

I mean, the client connects to them, they're a party to that communication, they connect to the server, they're a party to that communication ...

stupidity (2, Insightful)

speedtux (1307149) | more than 6 years ago | (#24322859)

Anyone who assumes that Tor exit nodes aren't heavily monitored by lots of three letter agencies, private companies, and researchers is a fool.

If Tor's utility depended on legal protections, it would be a lost cause. What Tor actually does for you is obscure your IP address, nothing more and nothing less. That is very useful. But you still need to make sure that your content is clean. That's why Tor is often used with software like Privoxy.

If anybody actually goes after these security researchers, it's not to protect the privacy of Tor users, it's to prevent the researchers for alerting Tor users to protecting their identity better, because once 99.9% of the Tor traffic is encrypted, listening in becomes much less useful.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?