Re: What will happen to Tor after the new German data retention law takes effect?

[Eugen Leitl <eugen@xxxxxxxxx>]

On Thu, Jun 14, 2007 at 03:07:25PM +0100, Smuggler wrote:

> Actually it is a up to 500k EURO fine for the company/organisation and
> additionally up to 1 year in prison for the directors/managers of the
> company.

Do you have a link to the draft? You don't mention private individuals,
just organisations.
 
> The law says "anyone providing telecommunication services to the public".

I'm not sure Tor is a "telecommunication service" in the sense of the law,
IANAL, of course. As a middleman, I'm just stripping the skin and
passing on an encrypted payload to somebody else. I do not offer any
access to any web site, etc. This is different from exit nodes.
The difference might be significant enough.

> There is no mention of organisational form, number of users, profit
> motive or anything else.

That's not so good.

> From the current law proposal standpoint every Tor node operator will
> have to comply to the law or face charges.

Assuming our interpretation of a yet unpassed law is correct, it would
depend very much whether this is going to be actively enforced against
middleman nodes, which do not draw direct complaints. 

In the end, if (note the conditional) the criminalization of anonymizing 
mix cascades is complete in a certain jurisdiction, or most jurisdictions, 
I suggest utilizing the few advantages of illegality: deploying Tor as a 
self-propagating and self-updating botnet vector -- as benign as humanly
possible, of course. It would be very important that whoever is to do 
that is in no ways connected to the Tor project. By posting to this
list this my purely private (I speak only for myself and nobody
else) opinion, I am of course completely disqualified to do that.
I would also expect and welcome any Tor developers to condemn and
distance themselves from this particular idiotic suggestion here.
 
> Law says any change of connection data (replacing IP/Port) has to be
> logged in conjunction with the old connection. So you would have a list
> of IP/port (original) and IP/Port (new). Depending on the multiplexing
> of the Tor connections that _could_ lead to a connection being

How about adding more hops, and/or use jurisdictional compartments
who can't/won't persecute and/or do not cooperate well with each
other. I'm cure we can think of a few tuples off-hand.

> traceable. Furthermore it does not does not fully specify what
> "connection data" is. I am pretty sure that they will claim that streams

Connection data is who is talking to whom, when. It does not
include the contents of the communication. Again, IANAL, but this
is what I've heard so far everywhere. (And I really doubt that
e.g. BKA is well-equipped to deal with several TBytes of opaque
traffic every month).

> have to be identified. In that case even the multiplexing wont help us
> anymore. An additional problem could be when they define Tor as being
> _one_ service and not something provided by many service_s_. In that
> case there would be some end-to-end logging that they require.
> The bureaucrats comments of the law proposal are pretty telling and it
> seems like they want all the tools for total oppression.

That looks like a safe bet. 
 
> One thing however that could help us is that the logging requirements
> don't seem to affect every kind of traffic but only certain types
> (Web,Mail,Voip). If they forget to put Tor in the list specifically it
> could create a loophole for us.

I think at this point a few of German Tor operators need to think
whether we should pool funds, and consult a lawyer sufficiently competent
with German/EU online law. Maybe the EFF can recommend sombody, or even
offer a more competent interpretation?