Re: Brainstorming about Tor, Germany, and data retention

[Lexi Pimenidis <lexi@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>]

On Wed, Oct 08, 2008 at 03:12:01PM CEST, Roger Dingledine wrote:

Hej,

> Now, part of the challenge here is that there's so much misinformation
> (and lack of information) floating around. Some questions we need
> answered:
> 
> 1) Will ISPs be required to log connection timing information of their
> users? What exactly will the information be -- destination IP address,
> port, timestamp of beginning of connection, timestamp of end? Or more
> than that? Or less?

Less. The logging is rather strict for e-mail and VoIP, but for any other
purpose only the user's real identity and his IP-address has to be logged.
No logging of TCP connections, no logging of HTTP, no logging of IP packets.

> 2) Are there ISPs that plan to not log? If so, how many?

I wondered about this one, too - there are some ISPs how filed law-suites
because logging costs them really a lot of money. There has been recently a
case in Berlin where the ISP won this law suit.

http://www.heise.de/newsticker/Gericht-TK-Anbieter-muss-Vorratsdatenspeicherung-voraussichtlich-nicht-umsetzen-Update--/meldung/116372
(in German)

> 5) Will Tor relays be required by law to log "stuff" too? If so, is it
> the same stuff as in question #1?

The Jondos people are investing a huge amount of time and effort into gaining
a legal clearing or the situation. I suggest to join them in order to
avoid double work and have a better stand against governmental agencies.

I think the current bottomline is that the effect of the law will be delayed 
for anonymizing nodes for some more time.

> 6) Are there Tor relays that plan to not log? E.g. CCC or Foebud or GPF?
> Is fighting a law by not following it even a normal way of fighting a
> law in Germany? :)

The problem ist that following: if you think that a law is not justified you
can file a law suit against it. But up you still have to adhere to the law
until you won the law suit you filed against it. BTW, there is already a class
act suit against the data retention law on-going (the biggest in German
history).

> The first defense that comes to mind is to never set the Guard flag on
> German Tor relays.

The problem is that you'd have to avoid setting flags on nodes *operated* by
germans. Because the (german) law is valid for nodes operated by germans even
if the nodes are outside germany. Of course - physical location might
correlate.

> Note that German users contacting German websites are always going to
> have a problem; we can't do anything about it if the ISP of the user
> and the ISP of the website both log, and later compare notes.

Taking into account the law, I don;t 

> If we truly believed that the databases these ISPs build will be kept
> secure against all attackers, and we truly believed that the databases
> would never be used for trawling (see question #3 at the top), then it
> might not be so bad. But that's a lot to ask.

The databases at the ISPs will IMHO not harming the anonymity of Tor users
a huge big lot. It looks differently if nodes were forced to log, though.

> Speaking of which, there's another lesson we can learn from the distant
> past. Once upon a time, in my first congress talk about Tor back in
> 21c3, the Wikipedia people stood up and asked how they were supposed to
> deal with anonymous users. My answer at the time was basically "there
> are effectively anonymous users on the Internet already, sorry, you'll
> just have to deal." Their eventual answer was to build a big list of
> anything ever associated with Tor, and block edits from it. If we had
> worked with them from the start, we could have saved a lot of grief by
> giving them precise lists of current exit IP addresses, etc. The lesson
> here is that we need a better answer for both German Tor relay operators
> and for German law enforcement than "sorry, you'll just have to deal",
> since otherwise they *will* come up with answers that we don't like.

I totally agree with this one. IMHO a huge part of the blamingshould not only
be done to the politicians (poor people, they know nothing about technology),
but rather the privacy people -- if they suggested a trade-off which would
have been acceptable to both sides, we were better off right now. Proposing
"any logging is eavil" was for sure destined to bring us the current laws.

> That said, my first reaction is still "Tor relays must not log, even in
> Germany. If you're planning to log, please shut down your relay instead."
> Is there some approach we can take that doesn't result in 1/3 of the Tor
> network disappearing in January?

Hm, making them to middle men nodes and hope that law enforcement will never
show up and ask for some data? Hm, no....

> One thing I missed in the analysis is Internet connections that traverse
> Germany, for example the connection from an Austrian Tor user to a Danish
> Tor entry guard. I don't know how common these paths are, and I don't know
> whether such connections are proposed to be logged under the proposed law.

The DE-CIX in Frankfurt is the second biggest point of data
exchange in Germany => http://en.wikipedia.org/wiki/DE-CIX
If you want to avoid Germany, you'd effectively cancel out 1/2 of Europe or
so.

But as I said: there will be no logging of single TCP-connections - hence I
don't think that passing Germany is a big problem.