
Re: What will happen to Tor after the new German data retention law takes effect?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eugen Leitl wrote:
> Do you have a link to the draft? You don't mention private individuals,
> just organisations.

Draft and comments sent via private email.
Private individuals: It seems to me that private individuals fall under
the same rule when providing services to the public.

> I'm not sure Tor is a "telecommunication service" in the sense of the law,
> IANAL, of course. As a middleman, I'm just stripping the skin and
> passing on an encrypted payload to somebody else. I do not offer any
> access to any web site, etc. This is different from exit nodes.
> The difference might be significant enough.

In the sense of the law both middlemen and exit nodes provide
"telecommunication services". The concept of relaying communication is
enough already. Though for middlemen nodes one could take your argument
and say that it is an internal service (that means not affected by the
law) if it doesn't accept connections by any senders except other Tor
nodes. I am pretty sure that if middlemen don't relay any traffic to/from
non-Tor IPs then they should be pretty safe. Unless however the Tor
network is seen as being ONE service (not many, i.e. per node).

> Assuming our interpretation of a yet unpassed law is correct, it would
> depend very much whether this is going to be actively enforced against
> middleman nodes, which do not draw direct complaints. 

I have had some daunting experiences with German law enforcement
(anonymizing only servers being stolen, home and office searched in very
early morning, direct charges against me as operator) even today. I do
NOT think that this is going to become better. So far none of their
assaults was successful because we had still some law to protect us. But
with data retention in the books we will lose that protection. I
imagine several LKA and BKA people already waiting for the day to f***
us/me.

> In the end, if (note the conditional) the criminalization of anonymizing 
> mix cascades is complete in a certain jurisdiction, or most jurisdictions, 
> I suggest utilizing the few advantages of illegality: deploying Tor as a 
> self-propagating and self-updating botnet vector -- as benign as humanly
> possible, of course. It would be very important that whoever is to do 
> that is in no ways connected to the Tor project. By posting to this
> list this my purely private (I speak only for myself and nobody
> else) opinion, I am of course completely disqualified to do that.
> I would also expect and welcome any Tor developers to condemn and
> distance themselves from this particular idiotic suggestion here.

I hereby distance myself without being a core Tor developer or otherwise
affiliated with them.

> How about adding more hops, and/or use jurisdictional compartments
> who can't/won't persecute and/or do not cooperate well with each
> other. I'm sure we can think of a few tuples off-hand.

Seems to be the most effective way for me. But it would leave the Tor
node ops with the problem of having to store the connection data. Which
can be some substantial cost to bear.

>> "connection data" is. I am pretty sure that they will claim that streams
> 
> Connection data is who is talking to whom, when. It does not
> include the contents of the communication.

I meant that they might qualify streams as connections as well which
means that not only TCP/IP connection parameters are to be stored but
also connection data that is created by the protocol (e.g. being in the
stream). They already claim that for VoIP.
The problem with all that is that the exact technicalities are not part
of the law but are decided on level of bureaucracy and can be changed
every so often. The politicians have no clue about the Internet at all
and they don't have to because they leave the details to non-elected
"consultants" and other <put in curse>.

> I think at this point a few of German Tor operators need to think
> whether we should pool funds, and consult a lawyer sufficiently competent
> with German/EU online law. Maybe the EFF can recommend somebody, or even
> offer a more competent interpretation? 

I think the best organisation to call for that would be the CCC.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGcW2UOMmnRrmEoQkRAlpIAJ4iXhCrzNBOkvxSRXWM5gypMB439ACgqN86
bYZzT0OCvXpewg6/CMvqs5M=
=3er1
-----END PGP SIGNATURE-----