[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: philosophical issues



On Wed, Apr 13, 2005 at 11:46:05AM -0300, alexyz@xxxxxxxxxx wrote:
> Generally speeking, the strongest defense with Tor ops is that servers
> only act as a conduit for other people´s doings. Thus you
> are not the perpetrator of those doings and are not liable for them. But
> people are also creative... What happens if an attacker
> decides to run a server to disguise his own wrong-doing? When
> questioned, he could just point to the server and say it came from
> Tor network. As it is anonymous, he can´t detect the source, blah blah
> blah, he walks. Or, he is demanded to prove his innocense.
> In either case, the outcome is unacceptable, they are both wrong! The
> thought of this situation really scares me, what do you
> think?

It is already the case that accusers need more proof than "it came
from your computer." As more and more computers on the net are running
vulnerable operating systems, it is becoming almost the norm to tell
somebody "hey, your computer is compromised" rather than to accuse them
of actually doing the activity.

So people already need more evidence, such as finding the bad files on
your computer, before they can believe that you're doing bad things. Tor
doesn't change the situation as much as you might think.

> Another issue has to do with abuse. Yes, I know it has been battered
> before, and everyone at Tor is commited to fighting this. But
> what exactly is being done? My concern is that the law (and I refer
> to it here only generically since it varies considerably from
> country to country), suggests that service providers should have means
> to fight abuse (at a reasonable level) and terminate service
> to repeat offenders. A Tor server is a service provider, are we not? So
> it seams to me that we would be REQUIRED (I know it is
> desirable to developers but is that enough?) to have reasonable means
> to fight abuse. Do you agree with my assessment? IS
> there anything? SHOULD there be something? Do we HAVE to have something?

You're right that this depends on laws which may differ from country to
country. If it is the case that operating a Tor server isn't breaking
any laws, then it would seem that no, we are not required to do anything.

We have four broad approaches to combatting the abuse complaints issue:

1) Educate people generally. Explain about the good uses of Tor, and get
people to understand that anonymity has many positive social values. Also
get them to understand that the abuses they're seeing can happen many
other ways, and Tor isn't really introducing new classes of abuse.
2) Educate people specifically. When we find a site like wikipedia
that has decided allowing its users to retain privacy is not worth the
hassle, we need to work with them to help them understand the issues,
design better authentication mechanisms, etc. We've had nice success
with this with Freenode, for example.
3) In cases where we can, we should take technological measures to limit
the abuse potential in Tor. For example, our default exit policy rejects
port 25, which could be used to draw bad attention to Tor servers.
4) We must become a larger network, and become more mainstream. Google
produces plenty of abuse by running Google Groups, but nobody is clamoring
to have them shut it down.

Hope this helps,
--Roger