
Re: German data retention law




On 20.10.2008 at 00:06, Roger Dingledine wrote:


>> So it will be very interesting how this will continue, since it
>> is assumed by many that the data retention law violates the German
>> constitution.

> Quite so. Good thing all the German laws are so clear. :)

As long as the constitution has the higher priority, I'm fine with it. ;-)

> And we do not want to see any Tor relays that log traffic information.
> So should Tor's role for now be to simply say "the only risk from the German
> data retention law is if its vague wording convinces Tor operators
> to install backdoors in their relays. If you think your new law is
> enforceable, and would like to backdoor your relay, please shut it down
> instead.", and then wait to see how the people fighting the law fare?

Shouldn't we differentiate what is being logged before making such a statement? Given that a large amount of Tor bandwidth is provided by German nodes, it is IMHO too hasty to claim in general that no Tor node is better than a logging Tor node.

I claim that even if a node follows the DR law, it will hardly impair the security of Tor users, since Tor is somehow "DR proof". The law's authors didn't have concepts like Tor in mind when they wrote the specific provisions for anonymization services. They were thinking of simple one-hop anonymizers (if they were thinking at all).

So what the law asks for is that if you change any information which has to be logged by another party because of the DR law, you have to log that change as well. Since Tor works on the TCP level, the _only_ DR-relevant information it changes is the source IP address (ports and destination are NOT DR relevant). So in order to fulfill the DR law you only have to log at which time you had incoming connections from which IP. Since the connections are persistent, these are a lot. For my node that would be 4000-5000 at any time. I'm happy to give the investigators a list of 5000 IP addresses for a given time, since they will not have the slightest chance of getting any useful information out of it. Even if we assume perfect worldwide cooperation and they are able to get this data from every Tor node, they will end up with nothing more than a list of _all_ Guard nodes, and there are far easier ways of getting that, and as a result of that a list of _all_ Tor users at a given time. So even this unrealistic scenario would just reveal very useless information.

So if the German courts and prosecutors don't realize this beforehand and really demand Tor logging, I'd just say: OK, do it. They will soon realize that they will not get any useful information out of it and drop the regulation for Tor again. It's "just" a cost issue for Tor operators (because of the necessary HD space), but not really a privacy issue.

So even in the worst-case scenario, please don't let the usability of Tor decrease even more by switching off the German nodes, just for a questionable and theoretical privacy improvement. But I still hope that somebody will tell them beforehand, and that we will never have to log at all.

> Are there actually any design changes in Tor that are needed for now?
> Assuming ISPs don't suddenly start becoming logging stations, and assuming
> not very many Tor relays become compromised, there really aren't any
> new threats for Tor users.

Exactly.


Regards,

Sven
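Added example (editor's note, not part of the mail above and not code from the Tor project): a small model of the record the mail says a relay would have to keep under its reading of the law, namely the time span of each incoming TCP connection together with its source IP, and nothing about ports, circuits or destinations. It also implements the query an investigator would presumably run, "which IPs were connected at time T", plus a rough storage estimate for the cost point the mail raises. The relay, the connection events, the IP addresses and the rates are all constructed for the example.

```python
"""Constructed model of a "DR-style" connection log for a Tor relay.

Added example, not code from the original mail or from the Tor project.
Assumptions: the relay records only (connection id, source IP, open time,
close time) for incoming TCP connections, nothing about ports, circuits or
destinations, which is the reading of the law given in the mail above.
All events and IP addresses below are made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (event kind, connection id, source IP, unix timestamp); constructed data
Event = Tuple[str, int, str, int]

SAMPLE_EVENTS: List[Event] = [
    ("open", 1, "192.0.2.10", 100),
    ("open", 2, "198.51.100.7", 120),
    ("open", 3, "192.0.2.10", 130),   # second connection from the same IP
    ("close", 3, "192.0.2.10", 150),
    ("open", 4, "203.0.113.5", 160),
    ("close", 2, "198.51.100.7", 200),
    ("close", 1, "192.0.2.10", 300),
    # connection 4 is still open at the end of the sample
]


@dataclass(frozen=True)
class ConnRecord:
    conn_id: int
    src_ip: str
    opened: int            # unix time the TCP connection was accepted
    closed: Optional[int]  # unix time it ended; None if still open


def build_log(events: Iterable[Event]) -> List[ConnRecord]:
    """Fold open/close events into one interval record per connection.

    A close without a matching open is ignored; an open that never closes
    produces a record with closed=None (a persistent connection that is
    still up, the common case on a busy relay).
    """
    pending: Dict[int, Tuple[str, int]] = {}
    records: List[ConnRecord] = []
    for kind, conn_id, ip, ts in sorted(events, key=lambda e: e[3]):
        if kind == "open":
            pending[conn_id] = (ip, ts)
        elif kind == "close" and conn_id in pending:
            ip, opened = pending.pop(conn_id)
            records.append(ConnRecord(conn_id, ip, opened, ts))
    for conn_id, (ip, opened) in pending.items():
        records.append(ConnRecord(conn_id, ip, opened, None))
    return sorted(records, key=lambda r: r.conn_id)


def connected_at(log: Iterable[ConnRecord], t: int) -> Set[str]:
    """The query the mail anticipates: which source IPs had a connection
    open to this relay at time t. Returns a set, so several persistent
    connections from the same address collapse to one entry, and the
    answer is a bare list of addresses paired with nothing else."""
    return {r.src_ip for r in log
            if r.opened <= t and (r.closed is None or t < r.closed)}


def retention_bytes(new_connections_per_day: int, days: int,
                    bytes_per_record: int = 4 + 4 + 4) -> int:
    """Rough size of such a log: one IPv4 address plus two 32-bit
    timestamps per connection. The rate and retention period are
    parameters chosen by the caller, not figures from the mail."""
    return new_connections_per_day * days * bytes_per_record


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    for t in (140, 250, 400):
        print(t, sorted(connected_at(log, t)))
    print("bytes for 100k new connections/day over 180 days:",
          retention_bytes(100_000, 180))
```

The log is keyed by a per-connection id rather than by IP alone, because the same address routinely holds several connections at once and a close event would otherwise be ambiguous; the query then reduces every record to its source address, which is the only field the mail's reading of the law requires.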
